From: "Patrick R. Gili" <pg...@ix.netcom.com>
Subject: Inside RCX
Date: 1998/09/06
Message-ID: <6suflv$s2v@sjx-ixn4.ix.netcom.com>#1/1
X-Deja-AN: 388444226
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Organization: ICGNetcom
X-NETCOM-Date: Sun Sep 06 10:10:23 AM PDT 1998
Newsgroups: rec.toys.lego
Ahh, holiday weekends! I finally have a chance to sit down and really
start playing with my RCX.
After installing the software and going through the entire guided
setup (boring), I decided to really advance. So, I pulled out my
tools and carefully pulled the RCX apart.
I have some notes for anyone that wants to open up their RCX. This
task is non-trivial, as the battery holder is "clipped" to the PCB.
You can bend the clips back to release the battery holder. However,
this can damage the PCB and the clips. Or,...
Find yourself a very small flathead screwdriver, a jeweller's screw-
driver is preferable for this task. Carefully lift one side of the battery
holder and look for two "slots". Now gently insert the screwdriver into
these slots and "pop" the PCB off the clips holding it to the front cover.
You probably want to repeat this process on the other side of the
battery holder. The clips holding the PCB to the front cover are actually
the connectors between the PCB and the "port pads". Hint: keep the
front cover facing down; otherwise, when you remove the PCB the
buttons and "port pads" will fall out.
Now you have the battery holder and PCB--notice the power clips
holding the battery holder to the PCB. If you want to remove the PCB,
you can do this by gently rotating the PCB counterclockwise so as to
slide it out from underneath the power clips.
You can reassemble the RCX by following this process in reverse.
You might want to bend the power clips down a little with a small
pair of pliers before reattaching the PCB to the battery holder. This
ensures that the power clips contact the pads on the PCB.
From: "Todd Ogasawara" <Todd...@msn.com>
Subject: Re: Inside RCX
Date: 1998/09/06
Message-ID: <6suqfn$f11$1@news-2.news.gte.net>#1/1
X-Deja-AN: 388487120
References: <6suflv$s2v@sjx-ixn4.ix.netcom.com>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Organization: gte.net
X-Auth: C21C91150E8184C611918491
Newsgroups: rec.toys.lego
If you have some digital photos of the inside of the RCX, I'll be happy to
put them on my mini personal Mindstorms web site.
I would open up my RCX myself... but you know what they say about
programmers with screwdrivers :-)...todd
>Ahh, holiday weekends! I finally have a chance to sit down and really
>start playing with my RCX.
>
>After installing the software and going through the entire guided
>setup (boring), I decided to really advance. So, I pulled out my
>tools and carefully pulled the RCX apart.
>
>I have some notes for anyone that wants to open up their RCX. This
>task is non-trivial, as the battery holder is "clipped" to the PCB.
>
>You can bend the clips back to release the battery holder. However,
>this can damage the PCB and the clips. Or,...
>
>Find yourself a very small flathead screwdriver, a jeweller's screw-
>driver is preferable for this task. Carefully lift one side of the battery
>holder and look for two "slots". Now gently insert the screwdriver into
>these slots and "pop" the PCB off the clips holding it to the front cover.
>You probably want to repeat this process on the other side of the
>battery holder. The clips holding the PCB to the front cover are actually
>the connectors between the PCB and the "port pads". Hint: keep the
>front cover facing down; otherwise, when you remove the PCB the
>buttons and "port pads" will fall out.
>
>Now you have the battery holder and PCB--notice the power clips
>holding the battery holder to the PCB. If you want to remove the PCB,
>you can do this by gently rotating the PCB counterclockwise so as to
>slide it out from underneath the power clips.
>
>You can reassemble the RCX by following this process in reverse.
>You might want to bend the power clips down a little with a small
>pair of pliers before reattaching the PCB to the battery holder. This
>ensures that the power clips contact the pads on the PCB.
>
>
>
From: "Patrick R. Gili" <pg...@ix.netcom.com>
Subject: Re: Inside RCX
Date: 1998/09/07
Message-ID: <6t16os$gi7@sjx-ixn4.ix.netcom.com>#1/1
X-Deja-AN: 388763240
References: <6suflv$s2v@sjx-ixn4.ix.netcom.com>
<6suqfn$f11$1@news-2.news.gte.net>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Organization: ICGNetcom
X-NETCOM-Date: Mon Sep 07 10:56:44 AM PDT 1998
Newsgroups: rec.toys.lego
I have some pictures, but they suck. I don't know much about photography,
and can't seem to prepare the lighting correctly. I have a Sony DCS-F1
digital camera, which supports up a 640x480 mode of resolution.
What I would like to do, is take my RCX apart again, and this time take
pictures along the way. Perhaps someone can give me advice on how
to take good up-close pictures.
I have a Mindstorms web-site as well. However, Lego really does intend
someone to use these for pictures of their Mindstorms models. I don't
know how Lego would feel about me putting these kind of pictures up
there. Rather, I am going to put FrontPage 98 on my system and put
something of my own together. I do believe that Netcom (my ISP) gives
us 10 MB of space for serving our own web-page(s). I can also use
GeoCities or Tripod. Do these services limit you to 10 MB as well?
I'm wondering how far 10 MB will go. Pictures take up so much space,
unless you compress the crap out of them. I know I am not prepared
to pay someone to host my web-pages.
Todd Ogasawara wrote in message <6suqfn$f11$1...@news-2.news.gte.net>...
>If you have some digital photos of the inside of the RCX, I'll be happy to
>put them on my mini personal Mindstorms web site.
>
>I would open up my RCX myself... but you know what they say about
>programmers with screwdrivers :-)...todd
>
>>Ahh, holiday weekends! I finally have a chance to sit down and really
>>start playing with my RCX.
>>
>>After installing the software and going through the entire guided
>>setup (boring), I decided to really advance. So, I pulled out my
>>tools and carefully pulled the RCX apart.
>>
>>I have some notes for anyone that wants to open up their RCX. This
>>task is non-trivial, as the battery holder is "clipped" to the PCB.
>>
>>You can bend the clips back to release the battery holder. However,
>>this can damage the PCB and the clips. Or,...
>>
>>Find yourself a very small flathead screwdriver, a jeweller's screw-
>>driver is preferable for this task. Carefully lift one side of the battery
>>holder and look for two "slots". Now gently insert the screwdriver into
>>these slots and "pop" the PCB off the clips holding it to the front cover.
>>You probably want to repeat this process on the other side of the
>>battery holder. The clips holding the PCB to the front cover are actually
>>the connectors between the PCB and the "port pads". Hint: keep the
>>front cover facing down; otherwise, when you remove the PCB the
>>buttons and "port pads" will fall out.
>>
>>Now you have the battery holder and PCB--notice the power clips
>>holding the battery holder to the PCB. If you want to remove the PCB,
>>you can do this by gently rotating the PCB counterclockwise so as to
>>slide it out from underneath the power clips.
>>
>>You can reassemble the RCX by following this process in reverse.
>>You might want to bend the power clips down a little with a small
>>pair of pliers before reattaching the PCB to the battery holder. This
>>ensures that the power clips contact the pads on the PCB.
>>
>>
>>
>
>
From: ke...@pixel.Stanford.EDU (Kekoa Proudfoot)
Subject: Re: Inside RCX
Date: 1998/09/07
Message-ID: <6t17h7$feq@pixel.Stanford.EDU>#1/1
X-Deja-AN: 388763244
References: <6suflv$s2v@sjx-ixn4.ix.netcom.com>
<6suqfn$f11$1@news-2.news.gte.net> <6t16os$gi7@sjx-ixn4.ix.netcom.com>
Organization: Stanford University, CA 94305, USA
Newsgroups: rec.toys.lego
Patrick R. Gili <pg...@ix.netcom.com> wrote:
> I have some pictures, but they suck. I don't know much about photography,
> and can't seem to prepare the lighting correctly. I have a Sony DCS-F1
> digital camera, which supports up a 640x480 mode of resolution.
I made some pictures and scans sometime last weekend and put the on the
web. See:
http://www-graphics.stanford.edu/~kekoa/rcx/
Also, you might be interested in visiting the following site if you haven't
already done so:
http://www.crynwr.com/lego-robotics/
-Kekoa
From: "Patrick R. Gili" <pg...@ix.netcom.com>
Subject: Re: Inside RCX
Date: 1998/09/07
Message-ID: <6t1ad9$io0@sjx-ixn4.ix.netcom.com>#1/1
X-Deja-AN: 388780424
References: <6suflv$s2v@sjx-ixn4.ix.netcom.com>
<6suqfn$f11$1@news-2.news.gte.net> <6t16os$gi7@sjx-ixn4.ix.netcom.com>
<6t17h7$feq@pixel.Stanford.EDU>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Organization: ICGNetcom
X-NETCOM-Date: Mon Sep 07 11:58:49 AM PDT 1998
Newsgroups: rec.toys.lego
Yes, I saw these pictures and became disappointed when I could not
read the markings on the chips. This caused a sudden need to tear
the thing open myself.
You identified the three chips on the right side of the "bottom" of the PCB
as latches, the chips marked ELEX 10402B. Who makes these chips?
In addition, there is a rather large component stuck between two components
that look like LEDs. I had one theory that the two LED-like components were
the IR transmitter and receiver, leaving me with the question, "What is that
rather large thing between them pointing out through the 'lens'?" I have
another
theory that the two LED-like components are transmitter, and the big
component
between them is an IR-receiver.
I believe that the F3055L in the lower-left corner is a 5V voltage
regulator.
If this is so, then this sucks. A linear voltage regulator has about a 50%
efficiency
rating--which means are our half of our battery juice is being thrown away
(well,
that which is being drawn by the circuitry, or that which is not being drawn
by the
motors).
It also looks like the running the H8/3294 at 16 MHz. The little device
mounted
above it looks like a 16 MHz crystal. This means that the board is operating
at
5V, since the spec says that the H8 can only be run at 16 MHz if it is
running
at 5V.
It looks like the RAM chip is a 32Kx8 bit RAM. The H8/3294 has 1K of RAM and
32K of ROM. There are no other memory devices on the PCB. Thus, the firmware
must reside in RAM, leaving little room for our programs when all is said
and done.
On the "bottom" you will note some rather large capacitors on the right side
of
the PCB--six in all. Given the small number of components and the
lower-power
nature of most of them, these capacitors are probably enought to provide the
memory with power when changing batteries. Has anyone successfully changed
their batteries yet without having to re-download the firmware again?
I think the component under the LCD is a display controller. Does anyone
think
that the display is custom? I mean it could be rip-off from a stop watch
assembly.
You know, the little man running can indicate that the stopwatch is running.
Kekoa Proudfoot wrote in message <6t17h7$f...@pixel.Stanford.EDU>...
>Patrick R. Gili <pg...@ix.netcom.com> wrote:
>> I have some pictures, but they suck. I don't know much about photography,
>> and can't seem to prepare the lighting correctly. I have a Sony DCS-F1
>> digital camera, which supports up a 640x480 mode of resolution.
>
>I made some pictures and scans sometime last weekend and put the on the
>web. See:
>
>http://www-graphics.stanford.edu/~kekoa/rcx/
>
>Also, you might be interested in visiting the following site if you haven't
>already done so:
>
>http://www.crynwr.com/lego-robotics/
>
>-Kekoa
>
From: "Ralph Hempel" <CanTh...@StopSpam.com>
Subject: Re: Inside RCX and RCX alone....
Date: 1998/09/07
Message-ID: <905201786.234702@Virginia>#1/1
X-Deja-AN: 388814168
Cache-Post-Path: Virginia!unk...@ts2-cp02.bmts.com
References: <6suflv$s2v@sjx-ixn4.ix.netcom.com>
<6suqfn$f11$1@news-2.news.gte.net> <6t16os$gi7@sjx-ixn4.ix.netcom.com>
<6t17h7$feq@pixel.Stanford.EDU> <6t1ad9$io0@sjx-ixn4.ix.netcom.com>
Organization: Bruce Municipal Telephone System
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Newsgroups: rec.toys.lego
NOTE. I'm an embedded elecronics engineer, but I do not have an RCX. I'm
just going by the pictures on Kekoa's excellent site...
>I believe that the F3055L in the lower-left corner is a 5V voltage
>regulator.
This is actually a 3055 logic level MOSFET. It's used for power switching
and may be used as part of a switching voltage regulator - much more
efficient
than a linear unit.
The caps are there to (probably) level out the spikes generated when
switching
motors for PWM. They may also probably provide some "backup" during
recharge.
The display is probably custom. It's hard to get exactly what you need
off the shelf.
Some of you may remember me as an engineer taht wanted to make a more
"packaged" version of a controller, then RCX was announced and I shelved
the plans. If you can get a huge pox ful of parts, plus motors, sensors,
and a controller for $200, you can NEVER make it for that yourself.
Having a huge whack of Technic and motors already, how long before S@H
offers
replacement RCXs and sensors.
Question? Can someone out there with a real RCX please ask LEGO for a
replacement? I'd just like to see the customer service response...
--
Cheers,
Ralph Hempel - P.Eng
------------------------------------------------------
The train stops at the train station,
The bus stops at the bus station,
So why am I sitting at a work station?
------------------------------------------------------
Reply to: rhempel at bmts dot com
------------------------------------------------------
From: "Patrick R. Gili" <pg...@ix.netcom.com>
Subject: Re: Inside RCX and RCX alone....
Date: 1998/09/07
Message-ID: <6t1p8q$ivn@sjx-ixn9.ix.netcom.com>#1/1
X-Deja-AN: 388850037
References: <6suflv$s2v@sjx-ixn4.ix.netcom.com>
<6suqfn$f11$1@news-2.news.gte.net> <6t16os$gi7@sjx-ixn4.ix.netcom.com>
<6t17h7$feq@pixel.Stanford.EDU> <6t1ad9$io0@sjx-ixn4.ix.netcom.com>
<905201786.234702@Virginia>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Organization: ICGNetcom
X-NETCOM-Date: Mon Sep 07 4:12:26 PM PDT 1998
Newsgroups: rec.toys.lego
Wow! This is great information. I searched high and low for data on some
of the parts in the RCX. Unfortunately, it goes rather slowly with 28.8K
modem.
I wish our town had cable modem.
It is nice to know that Lego is trying to make the best of our batteries by
using
a switched power supply. Why wouldn't they have just used an off-the-shelf
DC-to-DC converter? They have become so inexpensive over the past three
years.
On the subject of the caps. I believe some of them might be to provide
non-volatility between battery changes. I tried taking my batteries out
and putting them back today, and the firmware did not have to be
reloaded. This is trick we used at one company I worked for--using a
big cap to provide a "battery" to non-volatile memory. It was a pain
though, because we spent too much time trying to reduce the load
on the battery using all kinds of special circuitry to isolate the memory
that wanted to make non-volatile.
Any clue on the ELEX 10402B's. Kekoa claims these things are
latches. Who manufacturered these?
Lego does not use the full capabilities of the H8--there are left over
I/O ports. I wonder how hard it would be to expand the number of ports
the RCX supports. Unfortunately, this would undoubtedly require a
modification to firmware. It probably wouldn't be worth it.
Thanks for the information Ralph.
Patrick Gili
Ralph Hempel wrote in message <905201786.234702@Virginia>...
>NOTE. I'm an embedded elecronics engineer, but I do not have an RCX. I'm
>just going by the pictures on Kekoa's excellent site...
>
>>I believe that the F3055L in the lower-left corner is a 5V voltage
>>regulator.
>
>This is actually a 3055 logic level MOSFET. It's used for power switching
>and may be used as part of a switching voltage regulator - much more
>efficient
>than a linear unit.
>
>The caps are there to (probably) level out the spikes generated when
>switching
>motors for PWM. They may also probably provide some "backup" during
>recharge.
>
>The display is probably custom. It's hard to get exactly what you need
>off the shelf.
>
>Some of you may remember me as an engineer taht wanted to make a more
>"packaged" version of a controller, then RCX was announced and I shelved
>the plans. If you can get a huge pox ful of parts, plus motors, sensors,
>and a controller for $200, you can NEVER make it for that yourself.
>
>Having a huge whack of Technic and motors already, how long before S@H
>offers
>replacement RCXs and sensors.
>
>Question? Can someone out there with a real RCX please ask LEGO for a
>replacement? I'd just like to see the customer service response...
>
>--
>
>Cheers,
>
>Ralph Hempel - P.Eng
>
>------------------------------------------------------
>The train stops at the train station,
>The bus stops at the bus station,
>So why am I sitting at a work station?
>------------------------------------------------------
>Reply to: rhempel at bmts dot com
>------------------------------------------------------
>
>
>
From: ke...@pixel.Stanford.EDU (Kekoa Proudfoot)
Subject: Re: Inside RCX
Date: 1998/09/07
Message-ID: <6t1qdk$ha1@pixel.Stanford.EDU>#1/1
X-Deja-AN: 388856163
References: <6suflv$s2v@sjx-ixn4.ix.netcom.com>
<6t16os$gi7@sjx-ixn4.ix.netcom.com> <6t17h7$feq@pixel.Stanford.EDU>
<6t1ad9$io0@sjx-ixn4.ix.netcom.com>
Organization: Stanford University, CA 94305, USA
Newsgroups: rec.toys.lego
Patrick R. Gili <pg...@ix.netcom.com> wrote:
> Yes, I saw these pictures and became disappointed when I could not
> read the markings on the chips. This caused a sudden need to tear
> the thing open myself.
My apologies for the unreadable ingraved markings that didn't scan well.
Let's see, you made a lot of interesting comments. For starters, I looked
up all the chip numbers at:
http://www.hitex.com/chipdir/chipdir.htm
I may have misidentified several of the chips.
Regarding the large component between the two components that look like
LEDs - the large component is the IR receiver and the two LEDs are simply
LEDs, IR of course. I verified this by looking at the PC base transceiver,
which uses the same components as the RCX, with a small video camera whose
lens was obscured by the IR filter from the RCX. Both LEDs light up during
a transmit, therefore the other element must be the receiver.
By the way, the insides of the PC transceiver are also somewhat neat to
look at; I took more pictures and put the along with the others at:
http://graphics.stanford.edu/~kekoa/rcx
As for the microcontroller, mine is labelled with a 3292, not a 3294.
Also, I couldn't find any information on the 32XX series; if anyone has a
spec, I'd like a pointer to where to get one for myself.
I agree that the capacitors are probably used for powering the board during
a battery change, I think 32K of is plenty considering the language we get
to program in, and I'm pretty sure the chip under the LCD is a standard LCD
controller. If I remember correctly, the part number on that chip was an
easy find.
-Kekoa
From: "Ralph Hempel" <CanTh...@StopSpam.com>
Subject: Re: Inside RCX and RCX alone....
Date: 1998/09/07
Message-ID: <905221697.863603@Virginia>#1/1
X-Deja-AN: 388891299
Cache-Post-Path: Virginia!unk...@ts2-ap59.bmts.com
References: <6suflv$s2v@sjx-ixn4.ix.netcom.com>
<6suqfn$f11$1@news-2.news.gte.net> <6t16os$gi7@sjx-ixn4.ix.netcom.com>
<6t17h7$feq@pixel.Stanford.EDU> <6t1ad9$io0@sjx-ixn4.ix.netcom.com>
<905201786.234702@Virginia> <6t1p8q$ivn@sjx-ixn9.ix.netcom.com>
Organization: Bruce Municipal Telephone System
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Newsgroups: rec.toys.lego
Patrick R. Gili wrote in message <6t1p8q$i...@sjx-ixn9.ix.netcom.com>...
>It is nice to know that Lego is trying to make the best of our batteries by
>using
>a switched power supply. Why wouldn't they have just used an off-the-shelf
>DC-to-DC converter? They have become so inexpensive over the past three
>years
Off the shelf DC-DC is expensive. In the world of consumer
electronics, you NEVER add cost (even pennies) without a very
good reason.
The 3055 is a great general purpose MOSFET switch. You can use it
to drive a motor, do power supply switching, or even for the
IR transmitter.
Without one of these darned things in front of me, I'm working
blind. Donations anyone? I'll buy fried units eventually if you keep
taking them apart :-)
The real beauty of Mindstorms is NOT the controller. It's the
visual programming paradigm of being able to "draw" the flowchart
and compile it and download it. Sort of reminds me of the mindshift
of using the $1 background debug port on Motorola controllers instead
of a $6000 in circuit emulator.
For too long, embedded products have been done by engineers
for engineers. Witness programming the VCR. With on-screen
programming it's easier than ever, we're just too damn lazy
to do it.
--
Cheers,
Ralph Hempel - P.Eng
------------------------------------------------------
The train stops at the train station,
The bus stops at the bus station,
So why am I sitting at a work station?
------------------------------------------------------
Reply to: rhempel at bmts dot com
------------------------------------------------------
From: ke...@pixel.Stanford.EDU (Kekoa Proudfoot)
Subject: Re: Inside RCX and RCX alone....
Date: 1998/09/08
Message-ID: <6t3cg3$lfk@pixel.Stanford.EDU>#1/1
X-Deja-AN: 389030253
References: <6suflv$s2v@sjx-ixn4.ix.netcom.com>
<905201786.234702@Virginia> <6t1p8q$ivn@sjx-ixn9.ix.netcom.com>
<905221697.863603@Virginia>
Organization: Stanford University, CA 94305, USA
Newsgroups: rec.toys.lego
Ralph Hempel <CanTh...@StopSpam.com> wrote:
> The real beauty of Mindstorms is NOT the controller. It's the
> visual programming paradigm of being able to "draw" the flowchart
> and compile it and download it.
Personally, I would be much happier programming the controller in C.
Not that I'm trying to say that Lego Logo is a bad thing - it certainly
seems like a good way to introduce someone to programming, since a program
written in Lego Logo is very easy to understand - but the language itself
is quite limiting. In Lego Logo, variables are implicit, arrays don't
exist, control structures are overly simple, moving visual elements around
is slow, and (gasp) the size of a stack of commands is limited. Perhaps
this encourages better code organization through the use of My Commands
stacks, but it seems painful at times.
If I had a kid, though, I would definitely start them with something simple
and work up from there, and Mindstorms (not C!) would make an excellent
starting point. Not only is it easy to learn - there are practical things
you can do right from the start - note the how the tutorial is structured.
The system encourages creativity and can be a lot of fun.
-Kekoa
From: "Richard and Debora Everett" <eve...@oz.net>
Subject: Re: Inside the RCX
Date: 1998/09/11
Message-ID: <35fa142f.0@news.oz.net>#1/1
X-Deja-AN: 390356905
Organization: Sense Networking Seattle (http://www.oz.net)
Newsgroups: rec.toys.lego
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
The RCX has a Hitachi H8 family processor
There seems to be 32K or so of "program space", which I guess is shared by
the firmware bootstrap downloaded from the mindstorms Windows software.
There must be some sort of bios in the H8 rom (eprom?). I think the
possiblity of at least limited hacking exists, since there is that firmware
download...
Has anyone else started working on the lower level interfaces?
By the way, don't you think it is pretty impressive that lego can send power
to the light sensor led, reguardless of polarity, and get a signal back from
the phototransistor, all on two wires? I have heard there are quite a few
components inside that little blue block, and it seems quite an engineering
feat.
Rick
Here is some info on the H8:
H8/3292, H8/3294, H8/3296, H8/3297
The H8/3297 family is the first family of devices offered in the next
generation of 0.8um H8/300's. These devices offer higher performance than
the standard H8/300's and a higher level of peripheral integration. The
H8/3297 family are upwardly compatible with the existing H8/329 family of
devices, offering the user enhancements in both performance and
functionality. Its features include:-
16 KBytes to 60 KBytes ROM/PROM/EPROM
512 Bytes to 2 KBytes RAM
16 bit counter/timer - 1 channel
8 bit counter/timer - 2 channels
Watchdog/Interval Timer - 1 channel
10 bit A/D converter - 8 channels
Async/sync serial port - 1 channel
43 Input/Output lines
8 input only lines
64 pin package
From: ke...@candela.Stanford.EDU (Kekoa Proudfoot)
Subject: Re: Inside the RCX
Date: 1998/09/12
Message-ID: <6tddl4$17vk@candela.Stanford.EDU>#1/1
X-Deja-AN: 390379370
References: <35fa142f.0@news.oz.net>
Organization: Stanford University, CA 94305, USA
Newsgroups: rec.toys.lego
Richard and Debora Everett <eve...@oz.net> wrote:
> The RCX has a Hitachi H8 family processor
>
> There seems to be 32K or so of "program space", which I guess is shared by
> the firmware bootstrap downloaded from the mindstorms Windows software.
> There must be some sort of bios in the H8 rom (eprom?). I think the
> possiblity of at least limited hacking exists, since there is that firmware
> download...
>
> Has anyone else started working on the lower level interfaces?
How low is lower level? At some point, I imagine someone will disassemble
the firmware, regardless of whether or not the software license agreement
allows it. Knowledge gained from the disassembly will allow people to get
as low level as the H8 itself.
But before that happens, there's the serial protocol/internal byte code to
figure out. Most of that work is almost done. See:
http://graphics.stanford.edu/~kekoa/rcx/
-Kekoa
From: "Patrick R. Gili" <pg...@ix.netcom.com>
Subject: Re: Inside the RCX
Date: 1998/09/12
Message-ID: <6tdtpa$53j@dfw-ixnews10.ix.netcom.com>#1/1
X-Deja-AN: 390419574
References: <35fa142f.0@news.oz.net>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Organization: ICGNetcom
X-NETCOM-Date: Sat Sep 12 8:43:06 AM CDT 1998
Newsgroups: rec.toys.lego
I would love to reverse engineer the PCB, it would give us tremendous
insight as to how to develop sensors. Much of the circuit can be deduced
from the parts, as the circuit contains few parts (ignoring all the caps,
many of which are for decoupling. However, the rest of the circuit would
have to be ohmed out, which places your RCX at tremendous risk.
First, there is the risk of static. This can be avoided through the use of
an antistatic wrist-strap and an antistatic pad on which to do the work.
However, one would also have to properly ground the instrument you
use to ohm out the circuit.
Second, the process of ohming out a circuit requires probes to come
into contact with components. You always run the risk of scratching etch,
even breaking it.
As for reverse engineering the firmware--this is a HUGE job. First,
I would think that you would want to find a way to disassemble the
firmware resident in the H8's ROM before anything. I agree that one
could probably gleen something about the "BIOS" from the firmware
that is downloaded to the RCX; however, to really gain an real good
understanding, you need to disassemble the "BIOS". So how do you
do this, especially without destroying the RCX?
Reverse engineering the downloaded firmware can't be that difficult.
All you have to do is find the file, dump it, figure out its encoding,
and run it through a disassembler. BTW, does anyone out there have
an H8 disassembler? If not, it can't be that difficult to conjure one up,
as the thing as so few instructions.
Developing our own sensors could be problematic, as the firmware
does a lot of work for us. Unless you developed sensors that behaved
just like one of the currently available sensors, you'd have big job
ahead of you.
From: ke...@pixel.Stanford.EDU (Kekoa Proudfoot)
Subject: Re: Inside the RCX
Date: 1998/09/12
Message-ID: <6teo3e$o8m@pixel.Stanford.EDU>#1/1
X-Deja-AN: 390516814
References: <35fa142f.0@news.oz.net> <6tdtpa$53j@dfw-ixnews10.ix.netcom.com>
Organization: Stanford University, CA 94305, USA
Newsgroups: rec.toys.lego
Patrick R. Gili <pg...@ix.netcom.com> wrote:
> As for reverse engineering the firmware--this is a HUGE job. First,
> I would think that you would want to find a way to disassemble the
> firmware resident in the H8's ROM before anything. I agree that one
> could probably gleen something about the "BIOS" from the firmware
> that is downloaded to the RCX; however, to really gain an real good
> understanding, you need to disassemble the "BIOS". So how do you
> do this, especially without destroying the RCX?
>
> Reverse engineering the downloaded firmware can't be that difficult.
> All you have to do is find the file, dump it, figure out its encoding,
> and run it through a disassembler. BTW, does anyone out there have
> an H8 disassembler? If not, it can't be that difficult to conjure one up,
> as the thing as so few instructions.
I think the most feasible way to reverse engineer the firmware and the ROM
code would be to 1) figure out where the ROM code makes calls into the
firmware, 2) replace the firmware with code to capture a ROM image, 3)
transmit the ROM image over the IR link to be processed offline. Once the
ROM image has been obtained and analyzed, it will be possible to determine
how much flexibility the system has with regards to major modifications.
Step 1 sounds the hardest, because it requires in-depth knowledge about the
firmware code and a good amount of trial and error. Step 2 will require a
bit of care, since it's not clear how the ROM code, which probably drives
the RCX at a very low level, interacts with the firmware, which might not
have complete control over the processor and its memories. Step 3 will
probably not be too difficult; it will require some knowledge about how the
firmware interacts with the ROM code with regards to the IR link. My guess
is that by the time anyone gets to step 3, steps 1 and 2 will have made
that final step a cinch.
By the way, the firmware file is Firm/Firm0309.lgo. Someone pointed out
that it's in Motorola S-record format, which means that it shouldn't be too
difficult for someone so-inclined to make an image of the firmware software
that can then be disassembled.
-Kekoa
From: "Ralph Hempel" <CanTh...@StopSpam.com>
Subject: Re: Inside the RCX
Date: 1998/09/14
Message-ID: <905805381.375912@Virginia>#1/1
X-Deja-AN: 391108346
Cache-Post-Path: Virginia!unk...@ts2-ap16.bmts.com
References: <35fa142f.0@news.oz.net> <6tdtpa$53j@dfw-ixnews10.ix.netcom.com>
Organization: Bruce Municipal Telephone System
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Newsgroups: rec.toys.lego
I'm not sure about the H8, but most of the other
little MCUs I work with have a code protection scheme
that prevents reverse engineering of ON-CHIP resources.
I'd think that the better (and less expensive) way to figure
out how the sensors work is by taking apart sensors.
You can get clues by the number of wires. For example, a two
wire sensor is almost always resistive, that is given a constant
voltage to drive the sensor, it changes its impedance on
the line based on input conditions. A switch is a good
example of this as a digital value. A thermistor is another.
A three wire sensor is probably ratiometric. You put a voltage
across the supply terminals, and the third wire tells
you what portion of the range the sensor's value is in. A
trimpot is a good example of this. You might have a distance
sensor that works like this.
Is there any serious interest in hacking rotation sensors? I have
one design in my head that is a two or three wire sensor and is about the
size of the fibre optic box.
A two wire sensor is easiest since it can use standard LEGO
interconnects.
--
Cheers,
Ralph Hempel - P.Eng
------------------------------------------------------
The train stops at the train station,
The bus stops at the bus station,
So why am I sitting at a work station?
------------------------------------------------------
Reply to: rhempel at bmts dot com
------------------------------------------------------
From: ke...@pixel.Stanford.EDU (Kekoa Proudfoot)
Subject: Re: Inside the RCX
Date: 1998/09/14
Message-ID: <6tk5hb$8j6@pixel.Stanford.EDU>#1/1
X-Deja-AN: 391145636
References: <35fa142f.0@news.oz.net>
<6tdtpa$53j@dfw-ixnews10.ix.netcom.com> <905805381.375912@Virginia>
Organization: Stanford University, CA 94305, USA
Newsgroups: rec.toys.lego
Ralph Hempel <CanTh...@StopSpam.com> wrote:
> I'd think that the better (and less expensive) way to figure out how the
> sensors work is by taking apart sensors.
I agree, but only partly. You will probably have to destroy the casing of
the sensor to open it. And at the going rate of a sensor, that's too
expensive for the knowledge I'd gain. (*)
As for the light sensor, I hooked the external leads up to a scope the
other day. Here are my notes:
Light sensor sampled approx every 3 ms. Waveform is high for all of 3
ms, except for a 0.1 ms period when the sensor is sampled, during which
period the voltage drops low. The low point is proportional to the
value on the sensor.
The sensor probably accumulates charge in a capacitor during the period
when the voltage is high, then, when the RCX drops the voltage low, the
capacitor discharges through an LED and a resistor connected to a
phototransistor. The voltage across the resistor keeps the low point above
zero, and the RCX/H8 samples the voltage sometime during the 0.1 ms.
At least, something along those lines is how I'd build a light sensor.
Oh, in case you didn't know already, all of the LEGO sensors have exactly
two leads. At least, the LEGO wire connectors that I have only support two
leads.
-Kekoa
(*) But feel free to send me a LEGO sensor and I will gladly crack it open,
analyze its contents, and report back to you.
From: ke...@pixel.Stanford.EDU (Kekoa Proudfoot)
Subject: Re: Inside the RCX
Date: 1998/09/14
Message-ID: <6tk7fm$8pa@pixel.Stanford.EDU>#1/1
X-Deja-AN: 391151987
References: <35fa142f.0@news.oz.net>
<6tdtpa$53j@dfw-ixnews10.ix.netcom.com> <905805381.375912@Virginia>
Organization: Stanford University, CA 94305, USA
Newsgroups: rec.toys.lego
Ralph Hempel <CanTh...@StopSpam.com> wrote:
> I'm not sure about the H8, but most of the other little MCUs I work with
> have a code protection scheme that prevents reverse engineering of
> ON-CHIP resources.
Regarding this point, doesn't the feature you're talking only prevent you
from directly accessing the on-chip memories from the external pins? I
think the usefulness of this feature is limited once you can write additional
code for the processor.
I'm fairly confident that, if you can write new firmware, you can access
the ROM image - otherwise simple things would be hard to do - like creating
a static data segment in ROM.
-Kekoa
From: "Ralph Hempel" <CanTh...@StopSpam.com>
Subject: Re: Inside the RCX
Date: 1998/09/14
Message-ID: <905821613.920011@Virginia>#1/1
X-Deja-AN: 391189909
Cache-Post-Path: Virginia!unk...@ts2-dp31.bmts.com
References: <35fa142f.0@news.oz.net> <6tdtpa$53j@dfw-ixnews10.ix.netcom.com>
<905805381.375912@Virginia> <6tk7fm$8pa@pixel.Stanford.EDU>
Organization: Bruce Municipal Telephone System
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Newsgroups: rec.toys.lego
>Regarding this point, doesn't the feature you're talking only prevent you
>from directly accessing the on-chip memories from the external pins? I
>think the usefulness of this feature is limited once you can write
additional
>code for the processor.
>
>I'm fairly confident that, if you can write new firmware, you can access
>the ROM image - otherwise simple things would be hard to do - like creating
>a static data segment in ROM.
>
That's true. The problem is writing the firmware and getting "hooked"
into the internal workings. More to the point, how can you make sure
that your firmware gets run?
I guess I'm having trouble rationalizing the economics of fiddling
with the RCX when the real (to me) problem is making enough cheap
sensors.
Once again, it's hard to make stuff cheaper than LEGO does, but it
is fun and educational to do so. (Even if you learn, as I have, that it's
usually not worth it :-)
-
Cheers,
Ralph Hempel - P.Eng
------------------------------------------------------
The train stops at the train station,
The bus stops at the bus station,
So why am I sitting at a work station?
------------------------------------------------------
Reply to: rhempel at bmts dot com
------------------------------------------------------
From: Russell Nelson <nel...@crynwr.com>
Subject: Re: Inside the RCX
Date: 1998/09/15
Message-ID: <m2yarlihxa.fsf@desk.crynwr.com>#1/1
X-Deja-AN: 391357053
References: <35fa142f.0@news.oz.net>
<6tdtpa$53j@dfw-ixnews10.ix.netcom.com> <905805381.375912@Virginia>
Organization: Crynwr Software
Newsgroups: rec.toys.lego
"Ralph Hempel" <rhe...@bmts.com> writes:
> I'm not sure about the H8, but most of the other
> little MCUs I work with have a code protection scheme
> that prevents reverse engineering of ON-CHIP resources.
Yeah, but you can download code to the RCX, and the processor can read
the code, so there's no protecting the code.
> I'd think that the better (and less expensive) way to figure
> out how the sensors work is by taking apart sensors.
Ugh. I'd rather probe them with a scope/volt-ohm meter.
> You can get clues by the number of wires. For example, a two
> wire sensor is almost always resistive,
Not at all true. Dallas Semiconductor has two-wire devices which have
digital electronics. You can daisy-chain hundreds of them on the same
pair of wires.
> A three wire sensor is probably ratiometric.
Besides the point. The RCX only has two wire sensors. Based on what
Kekoa reports about the light sensor, it sounds like the RCX has a way
to source current to the sensor, then turn it off to get a
D/A measurement.
--
-russ nelson <rn-...@crynwr.com> http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok | Freedom is the primary
521 Pleasant Valley Rd. | +1 315 268 1925 voice | cause of Peace, Love,
Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | Truth and Justice.
From: ke...@pixel.Stanford.EDU (Kekoa Proudfoot)
Subject: Re: Inside the RCX
Date: 1998/09/15
Message-ID: <6tm37v$aua@pixel.Stanford.EDU>#1/1
X-Deja-AN: 391385629
References: <35fa142f.0@news.oz.net> <905805381.375912@Virginia>
<6tk7fm$8pa@pixel.Stanford.EDU> <905821613.920011@Virginia>
Organization: Stanford University, CA 94305, USA
Newsgroups: rec.toys.lego
Ralph Hempel <CanTh...@StopSpam.com> wrote:
> That's true. The problem is writing the firmware and getting "hooked"
> into the internal workings. More to the point, how can you make sure
> that your firmware gets run?
I don't think that's a problem. Given about a week, it would be possible
to:
1) disassemble the firmware
2) annotate the disassembly, noting the major functions and entry points
3) make guesses as to what functions are stored in ROM
4) rewrite a portion of the firmware
> I guess I'm having trouble rationalizing the economics of fiddling
> with the RCX when the real (to me) problem is making enough cheap
> sensors.
Even if sensors were dirt cheap, you would only be able to use at most
three them (at any given time). That seems like a bigger limitation to me,
since once I've sunk the money to get enough sensors, I will still be
limited in what I can create with them.
The reasons I like hacking the RCX include:
* it's one of the first programmable, consumer, microcontroller products
- therefore a lot of people are going to have access to one
- people who haven't had or used a microcontroller before are suddenly
going to have a chance to program/hack the RCX
- the RCX become a "standard" microcontroller hacking platform
* it's in a clean, compact, container
- sure beats my 68hc11evb!
* it's made by LEGO
> Once again, it's hard to make stuff cheaper than LEGO does, but it
> is fun and educational to do so. (Even if you learn, as I have, that it's
> usually not worth it :-)
Depends on how you look at it. Educationally speaking, as an adult, it
might not be worth it. And whether or not you have fun depends on who you
are. [If you aren't enjoying your Technic, I'll buy your older sets off of
you...]
-Kekoa
From: ke...@pixel.Stanford.EDU (Kekoa Proudfoot)
Subject: Re: Inside the RCX
Date: 1998/09/15
Message-ID: <6tm3km$b0m@pixel.Stanford.EDU>#1/1
X-Deja-AN: 391391822
References: <35fa142f.0@news.oz.net> <6tk7fm$8pa@pixel.Stanford.EDU>
<905821613.920011@Virginia>
<dbaum-1309982359040001@max4k-2-10.chi-tcg.enteract.com>
Organization: Stanford University, CA 94305, USA
Newsgroups: rec.toys.lego
Dave Baum <db...@nospam.com> wrote:
> I looked at the first 20 or so lines of the firmware and it has the "feel"
> of an entry point - that is I'm pretty sure the ROM portion will call the
> start of the RAM firmware at some point during initialization. This
> wouldn't be too difficult to test with a scope - write a program that
> wiggles one of the GPIO lines in a tight loop, download it as firmware,
> and check the results.
I wouldn't do this. Instead, I'd disassemble and annotate the entire
firmware, find the "Play system sound" routine, and make that loop on
firmware startup. There's a lot to be gained from a complete, annotated
disassembly of the firmware, and proving that you can replace it is small
compared to providing a description of the firmware (and ROM routines).
I guess this is just my personal preference. Surely you could also proceed
by first proving that the firmware can be replaced.
-Kekoa