#
# VC1DEC.CTL -- Comments for the ROM contents of the 8052 controller
#               in a Videocrypt decoder.
#
# Use this control file together with Gary Morton's (gary@inmos.co.uk)
# GD8051 disassembler and the ROM contents of the decoder's 8052 in order
# to get a commented and disassembled listing.
#
# This version only has full comments for a few procedures related
# to the card reset and the card protocol, plus a few headers for other
# procedures. There are still huge gaps to be filled.
#
# Markus Kuhn, 1994-04-25
#
#---------------------------------------------------------------------
#
# Expected entry vectors at the bottom of memory.
#
en 0000
hd 0000 Reset entry point
en 0003
hd 0003 External interrupt 0 entry point
en 0013
hd 0013 External interrupt 1 entry point
#
# Entry points from indirect jump at 1709
#
en 108d
en 16d8
#
# Entry point from hacked reti at 16e6
#
en 1056
#
# Display messages
#
tx 1429 13
tx 1436 25
tx 144f 25
tx 1468 25
tx 1481 25
tx 149a 25
tx 14b3 25
tx 14cc 25
tx 14e5 1
tx 14e6 25
tx 14ff 25
tx 1518 25
tx 1531 25
#
# References to ROM display messages
#
cc 10d5 Msg1429="PLEASE WAIT"
cc 10ca Msg1436="WRONG CARD IS INSERTED"
cc 10a5 Msg144f="PLEASE INSERT CARD"
cc 10b7 Msg1468="YOUR CARD IS INVALID 99 TOKENS REMAINING"
cc 0b77 Msg149a="NO PROGRAMS REMAINING"
cc 097e Msg149a="NO PROGRAMS REMAINING"
cc 0b91 Msg14b3="INSUFFICIENT TOKENS"
cc 0bfd Msg14cc="PUSH BUTTON TO VIEW"
cc 0c6f Msg14e5="" (no visible message)
cc 11da Msg14e5="" (no visible message)
cc 0AAD Msg14e6="YOUR CARD IS BLOCKED"
cc 0ABB Msg14ff="THIS CHANNEL IS BLOCKED"
cc 0AC9 Msg1518="THIS PROGRAM IS BLOCKED"
cc 0Ad7 Msg1531="YOUR CARD HAS EXPIRED"
#
# Start addresses and comments of known procedures
#
hd 01b0 Change VPP, voltage: (11h)
hd 0176 Switch VCC (10h): 0=off, 1=on
hd 0205 Send (10h) CLK impulses to card
hd 0412 Send RST impulse to card
hd 0433 Change card CLK, frequency: (10h)
#
hd 0495 Read answer-to-reset from card
cc 0495 VPP default is undefined (-1)
cc 0498 Store here initial character TS
cc 04a7 TS=3b, but this doesn't mean the card uses direct convention (bug!!!)
cc 04a9 developer didn't understand ISO 7816-3, clause 6.1.4.1
cc 04b1 abort: unknown TS byte
cc 04b3 format character T0
cc 04bf low nibble of T0: number of "historical characters" ...
cc 04c2 ... must be >= 7 (checked again below ;-)
cc 04c8 Interface character TA: default 0
cc 04cf read TA1 only if announced in T0
cc 04dd TA1 must be 11h (3.5712 MHz CLK, 9600 bits/s) ...
cc 04e3 ... or 31h (7.1424 MHz CLK, 9600 bits/s)
cc 04ea Interface character TB1: default 0
cc 04f1 read TB1 only if announced in T0
cc 04ff II < 2, i.e. max. programming current must be <= 50 mA
cc 0507 extract PI1 (programming voltage in Volt)
cc 050f PI1=0, i.e. VPP not connected on card
cc 0519 VPP needs 5V
cc 0523 VPP needs 15V
cc 052d VPP needs 21V
cc 0530 Interface character TC1: default 0
cc 0535 read TC1 only if announced in T0
cc 054a TC1=min(TC1,5) (TC is extra guard time)
cc 054d store extra guard time (= additional stop bits)
cc 0550 Interface character TD1: default 0
cc 0553 Interface character TB2: default 0
cc 0558 read TD1 only if announced in T0
cc 056a only protocol T=0 accepted, no PTS
cc 0570 no further TA, TC or TD allowed
cc 0578 is TB2 announced in TD1?
cc 0586 TB2 contains PI2 with VPP in 0.1V resolution (50-250)
cc 058a PI2=0, i.e. VPP not connected on card
cc 0594 PI2=50, i.e. VPP needs 5.0V
cc 059e PI2=125, i.e. VPP needs 12.5V
cc 05a8 PI2=150, i.e. VPP needs 15.0V
cc 05b2 PI2=210, i.e. VPP needs 21.0V
cc 05b8 abort if not 0 <= (26h) <= 4 (i.e. if no VPP was specified)
cb 05be now the "historical characters" are read
cc 05be historical characters read so far: 0
cc 05c7 have we read all of them?
cb 05d3 test 'MY' signature
cc 05da abort if 6th hist. char. isn't 'M'=77=4dh
cc 05e4 abort if 7th hist. char. isn't 'Y'=89=59h
cb 05ef now all historical characters have been read
cc 05f4 abort if there are fewer than 7 hist. char.
cc 05fd if TA1=31h then ...
cc 0608 answer-to-reset was ok
#
hd 060a Perform card reset
hd 0674 Display text in RAM on screen
#
hd 069d Display text in ROM on screen
#
hd 0c79 Send/receive full card data packet
cc 0c7b instruction class code
cc 0c87 instruction code
cc 0cab number of data bytes
cc 0cb7 procedure byte from card
cc 0cc7 60h from card means "please wait"
cb 0cd8 SW1 has been received
cc 0cdc SW1=90h -> wait for SW2
cc 0ce0 read SW2
cc 0cec SW2=00h -> card confirms everything ok
cc 0cf0 VPP will go idle
#
hd 0d6a Exchange packets 74/76/78/7a/7c with card
cc 0d6a code 74: send encrypted 32-byte message to card
cc 0d74 direction: to card
cc 0d7a skip 76 packet if button hasn't been pressed
cc 0d7d code 76: tell card that button has been pressed
cc 0d87 direction: to card
cc 0d8f check 3rd bit in 1st byte of 74 packet
cc 0d91 if zero, then don't fetch 78 answer
cc 0d93 code 78: request decrypted 8-byte random number seed from card
cc 0d9d direction: from card
cc 0da5 code 7a: request display message from card
cc 0daf direction: from card
cc 0dc5 direction: from card
#
hd 0dcc Exchange packets 7e/80/82 with card
cc 0ddc direction: from card
cc 0e0f direction: to card
cc 0eaf direction: from card
#
hd 0f3a Interrupt 0 handler: new card inserted
#
hd 0f46 Interrupt 1 handler: Signal from Motorola CPU
cb 0f46 This code exchanges a 32-byte message / 8-byte answer with the Motorola CPU
cc 0f73 read 8-byte answer from this addr
cc 0fee addr where 32-byte message will be stored
cc 0ff1 init 32-byte message checksum
cc 1004 checksum
cc 1008 next interrupt, next byte
cc 100e get authorize button status
cc 1012 set "button has been pressed" flag
#
hd 1029 General initialization after power-up
hd 1056 Inserting a new card causes INT0, stack reset and jump to here
hd 108d Start of main loop
cc 111b last 7ch instruction of previous card
cc 1121 direction: to card
cc 1165 direction: from card
#
hd 12e2 Interrupt 0 handler
hd 154a Init serial card I/O
hd 1552 Send byte (6f) to card
hd 15c6 Read byte from card -> ((6f))
hd 1688 Interrupt 1 handler
hd 16a3 Copy from (68)(69) in ROM (6b) bytes to (6a)
hd 16b8 Wait loop
hd 16c8 Copy from (68) in RAM (6a) bytes to (69)
hd 16d8 Reset stack and make hacked reti to 1056h
hd 16e7 Fill (6a) bytes at (68) with (69)
hd 16f5 A = A << R1
hd 16fd A = A >> R1
hd 1705 Init stack, longjump to DPTR
#
# Prominent RAM locations
#
NI 28 MSG32
#NI b1 ANSW8
