Mydata how-to and bit of hacking .... Moderators: adafruit_support_bill, adafruit

[wileur]

Hi, I've been following the discussions on this board for a while now and it's been very helpful in fixing up my TP9-UFP machine.

At work we have a bunch of older magazines without button and LEDs, that physically and electrically fit in the TP9-UFP but are not fully recognized. I'm trying to upgrade them and if this works out I'm planning to make a small adapter that fits in the PAL socket. I'll make my source code and PCB files freely available and my company will sell assembled modules.

After a bit of sniffing with a logic analyzer and reading old service manuals I've pinned down the communication protocol used by the magazines and have replicated most of it with a microcontroller. I've added a button and the indicator LEDs and the machine accepts and controls that. Everything works fine in service mode, but TPSys sends a command that seems like some kind of authentication. This is a 32bit? (8 nibbles) word and the magazine replies with a similar word. Some kind of calculation seems to be going on there as it takes ca 90ms from the command to the reply, whereas the replies to other requests are instantaneous. To further complicate things the computer seems first to send one command without requesting an answer, an then a little bit later it sends a new sequence and gets the answer. I'm now trying to figure out how the magazine comes up with the reply.

Some sample data:
8abbbc9e Command 1
aaffd8de Command 2
fe8cc664 Reply from Magazine

eccddca9
9bd8c99d
f10b3d05

fbcead88
8adaebcc
fa30626a

fa99cfff
acead8ac
a2830f14

fc8cdac8
9aaf9ebc
e20f05fd

This processing is handled in one of the two Altera EPM7000 series CPLDs (MAX 7000 series) clocked from a 1MHz crystal oscillator.

Ideas I've considered so far:
-Based on serial model/numer. But this is stored in a different, simpler PAL.
-XORing the commands. Doesn't give the right numbers
-Reading actual status data from the magazine. Not much to read there, just a couple of position sensors.
-Some kind of delay/timing as a base for the calculation. Timing in the this part of the machine doesn't seem that exact, based on my sniffing.
-Some other cryptographic algorithm?
-Simple multiplication/division etc. or a combination?

Any ideas on what's going on here are greatly appreciated.

Best reagrds,
Wileur

[alphatronique]

Hi

That Great Idea :mrgreen: need more like this
you may check RussianSemiResearch.com that guy read chip code for decent price :shock:

i not yet play whit Feeder Board Myself ,but i almost sure it the CPLD was polling the serial number pal on insertion

and control CPLd have not big logic like a FPGA so i doubt it have crypto on it
maby a LSFR fist command was seed value second one was number of pulse and reply was the reply ?
that simple to implement on a CPLD and hard to find it tap configuration

not sure mydata will let you sell upgrade kit :? specially if it put kind of crypto on it
and for that kind of discussion it my better on yahoo gorup since it not wide open to googel search bot

p.s. i think it may good idea to make a news controller card whit a MCU like AVR or PIC instead of a socket adapter
The feeder logic was not to complex and most of that of feeder have gold finger worm so make a complete new
card solve many issue including bad contact

[alphatronique]

Hi

after fully wake up and finish my coffe

think beast approach was make a system that simulate the machine and let you talk to a feeder

so this way you mat send command you what and read result back

1-) send many time same first and segond commnad for see if result change
2-) play whit first and segond commnad for see result and put easy value like 0x00000000
3-) use hotswap power controller for power-up and dowd feeder whitout insertion
for make sure it true commnad not junk due to bad contact on insertion
4-) try to make feeder whitout send that first commnad

and finally have a offline feeder test tool may great ,for repair or just step part before load it on machine

[wileur]

Hi,

I'm actually making such a simulator, just finished writing the code for the uC:)

Based on the timing, which always seems to be ca 88.5ms it's probably running a fixed number of iterations. I'll hook it up to a magazine and see what I can get out of it. It'll probably be a couple days as this is a side project.

[alphatronique]

Hi

a idea just pop on my head ...

wly not let original PLD in place and your add MCU/PLDs only handle button related command ?

that will requite to make a new PCB whit bus buffer/switch but will remove all compatibility issue
and will also by reuse original PLDs make Mydata legal dept happy
and finally will make brand new set of gold plated contact :mrgreen:

cherry on top may add build in tool for set back timing of the optical shutter

i may interested to Design the PCB as long as it reuse the 3 original PALs
all my feeder have already the button ,but was worried that swap feeder many time a day will die gold finger ..

Best regard

[wileur]

That might work and is a lot easier to do. I was thinking along the lines of a small patch board that houses the original PAl and the new uC plus the required switches. This PCB would plug in to the 20 pin DIP socket and the uC would only chime in when asked about the button and LEDs.
The old magazines I'm talking about only has one PAL. The design is actually very simple, one input buffer and one for output, an XOR gate for adressing and the PAL chip. An array of diodes protects the feeder control lines and a few connectors completes it. I'll see I if I can make it work first and then decide which PCB version that makes the most sense.

How does the optical shutter work? Why would would you want to change the timing?

Best regards

[alphatronique]

Hi

ok never see that version of feeder ,all my one have 2 big Altera PALs and a smaller one for model and serial number

as for the optical shutter for now i never have yet to play whit but according to service manual
need a pulse counter for set back timing belt
if my memory was good it was 20 pulse from a determined feeder arm position

whit all that CPLD it may just fine to put the counter on one of it whit a reset SW and a led ..

may iteresting to probe the Xjtag conneter ;-)

[wileur]

After some testing I've found that the older feeders are not aware of the new commands that the PLDs handle. Not surprising as the PAL is just a bunch of stateless logic gates. The PLDs are clocked independently and has some limited processing power. I'll do some testing with a newer feeder to try to find out what's going on.

The XJTAG connector only goes to an empty spot on the board, so no luck there.

[tp9david]

stupid question.
How do you find the ip address the tp9-2u version 2.4.4c red hat

running a crossover cable from mydata to laptop.

and running WS_FTP LE on my laptop.

thanks

[alphatronique]

Hi

try port scanner (search Godel it have many ) and look for port 21 or 80

and may see in parameter if machine was in DHCP or set whit fixed adress

[tp9david]

Ok, new info. I took the whole cpu cage with the mot cards,bm3 and mot3 to one of my other machines and fired it up and after a couple of adjustments it did the exact same problem.

I am sure it is not any of the cables or head resistance, now that I know the problem moved with the cpu case.


I thought you could move mot1 cards around but is that true when you have a MOT3 card. None of my older machines have a MOT3.


Thoughts.

Thanks again for all your help...........

david d.

[alphatronique]

hi

mot sure to follow you whit mot3 card

you may swap any mot card whit no issue whit same type as original or a newer one

if upgrade for a newer one you meed to reconfigure machine

and if it a plain TP9 whit Z-phi head (no hydra) you may also downgrade to all mot 1 card to

mot-2 come for hydra ,and mot 3 appear on some older machine but for feeder card

and put few drop of stabilent-22 on card contact may also help allot

Best regard

[martinr112]

Hello TP9-x users,

we have an blue TP9 (the old one) and want to make it ready for using.
has anyone instructions/manuals/schematics.. to the machine?
we miss a Z-motor and the pump.
I would be grateful for advices.
CP/M 2.2 is running on this TP9, we still have the original disks if someone needs copies.

Thank you, stefan

Hello,
I have two running machines with CP/M. I have operator and service manual with all schematics. It is 10cm thick.
What disks you have and which version?

[JohanRuben]

Hi,

I have problems with the light curtains on my TP9-2. I have disabled the curtain boards with a jumper as shown in this thread before, but the systems still identify the curtains as affected. Do someone has any idea where to start looking? Can someone share the schematics related to the light curtain circuit?

The machine was working properly before is was moved to a new location, some parts was dissembled to be able to move the machine.

Thanks in advance!

[tp9david]

Has anyone had any luck using Ghost to copy a good hard drive to make a copy?

thanks