I enjoy programming CPUs and microcontrollers with nice instruction sets, such as the MC680x0, the ARM, the AVR and the MIPS.
I managed to get an NCD HMX X terminal that was going to be junked (what a waste!). It has a 64-bit MIPS R4600 v1.7 CPU and 16 MiB of RAM.
The terminal loads its firmware via TFTP at boot. The firmware is a program in ELF format. So it is theoretically possible to write your own firmware.
The problem is that the terminal won't load arbitrary ELF files. Replacing the firmware with another ELF file usually results in a "bad load address" or "CRC error" message.
Many people have spent time trying to get past the checksum, including myself. I was unsuccessful at first.
The trick is deceptively simple: it is sufficient to have an ELF program with proper loading addresses and a special 32-byte header, which just contains the string "XncdHMX" and a 1-byte filetype field (the rest is made of nops and branches). Changing the filetype to 0x20 disables the CRC check.
(I've copied this trick from the Linux Explora project.)
With this header, the terminal will happily run any ELF executable, provided its physical loading address is 0 and its virtual address is 0x40020000. The header looks like this:
    start:      b       .continue
                nop
                nop
                dc.w    $20             ; this value is important !
                dc.b    "XncdHMX", 0
                dc.w    0
                dc.w    0
                dc.w    .return, 0
    .return:    jr      r31
    .continue:  nop
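An added example, not code from the original page: a Python check that parses an ELF image and reports whether its first loadable segment meets the conditions described above (physical address 0, virtual address 0x40020000, "XncdHMX" within the first 32 bytes), and which filetype value it carries. Assumptions: the filetype is taken to be the byte immediately before the string, as read off the listing, and `make_sample` builds a constructed test image, not a real firmware.

```python
import struct

MAGIC = b"XncdHMX\0"                        # header string given on the page
WANT_PADDR, WANT_VADDR = 0x0, 0x40020000    # load addresses given on the page
PT_LOAD = 1

def inspect_image(data):
    """Describe how the first PT_LOAD segment of an ELF image matches the loader's rules."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little, 2 = big endian
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz
            p_type, _, p_offset, p_vaddr, p_paddr, p_filesz = \
                struct.unpack_from(end + "IIQQQQ", data, off)
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz
            p_type, p_offset, p_vaddr, p_paddr, p_filesz = \
                struct.unpack_from(end + "IIIII", data, off)
        if p_type != PT_LOAD:
            continue
        head = data[p_offset:p_offset + min(32, p_filesz)]
        pos = head.find(MAGIC)
        return {
            "addresses_ok": (p_paddr, p_vaddr) == (WANT_PADDR, WANT_VADDR),
            "has_magic": pos >= 0,
            # Assumption: the filetype is the byte just before the magic string.
            "filetype": head[pos - 1] if pos > 0 else None,
        }
    raise ValueError("no PT_LOAD segment")

def make_sample(filetype, vaddr=WANT_VADDR):
    """Constructed big-endian ELF32 test image with one 32-byte PT_LOAD segment."""
    seg = (bytes(13) + bytes([filetype]) + MAGIC).ljust(32, b"\0")
    ehdr = b"\x7fELF\x01\x02\x01" + bytes(9) + struct.pack(
        ">HHIIIIIHHHHHH", 2, 8, 1, vaddr, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack(">IIIIIIII", PT_LOAD, 84, vaddr, 0, 32, 32, 5, 4)
    return ehdr + phdr + seg
```

Because the value that switches off the CRC check travels inside the image being checked, a result with `filetype` equal to 0x20 means the image has not been verified by the terminal at all.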
At boot (640x480) the frame buffer is at 0x80000800 (8 bpp, black is 0xff, white is 0x00). The ROM is at 0x9c000000.
The boot monitor is probably on a standard EPROM chip, plugged into a socket. However, I didn't want to open the terminal and read the chip for various reasons.
I managed to read the EPROM without opening the terminal using a (in my opinion) relatively sophisticated technique. I wrote a program to display the ROM contents on the screen in a 2D barcode format. Using a black and white camera and a framegrabber, I transferred the ROM at a speed of about 100 bytes per second.
It may sound simple to do, but I spent two full days and tried many approaches. The biggest problems were the curvature of the screen and the sphericity of the camera lens, which severely distorted all but the smallest lines, and the incompatibilities between the refresh rate of the monitor and the sampling rate (50 Hz) of the CCD camera, causing severe brightness variations across frames.
The decoder was written in Objective Caml.
You can download the EPROM here. It probably is copyright Network Computing Devices or something (however there is no copyright notice inside it). It is provided for convenience only.
If you boot using the following image (instead of Xncdhmx), a "Hello, world!" message will greet you. This may or may not work if your monitor is not configured at 640x480, 8 bits per pixel (for now I have a very old shitty monitor that can only do 640x480).
Boot using this image.
Attach the AUX port to a serial terminal (9600, 8N1). Type characters on the terminal; they will appear on the screen.
I don't know how to read the keyboard on the HMX yet, so you can't see the characters typed on the HMX on your terminal.
These programs have been written in assembler.
All pictures have been taken by myself and are placed in the public domain.