Showing posts from January, 2021

Digging into YM3806

In the previous post I got the PSR-70 original firmware modified so that it dumps to the serial port all register writes done to the OPQ chip (YM3806). Now I’m getting the data I wanted and plenty of it! A simple keyboard key-down or key-up produces under 20 register writes, but changing the sound from the front panel results in about 300 writes. Why 300, when there are only 256 registers? Because many registers are written several times. The raw dumps from the modified firmware are quite hard to read; they just list the register address and written value in hex in the order they happened: 1F=20 5E=1F 56=1F 4E=20 46=20 5E=81 56=81 4E=81 46=81 9E=1F … To make some sense out of this I wrote a small Python script to analyze the dump. It lists all registers in numerical order and all writes done to each register. In the script output the first column is the OPQ register number, the second column is the number of writes to that register, and then comes a list of the written values.
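A sketch of the kind of analysis described above, as an added example (not the author's script): it parses the `ADDR=VALUE` tokens, groups writes per register in numerical order, and reports address, write count and values. The exact token shape, the column layout and the function names are assumptions; the sample input is the fragment quoted in the post.

```python
import re
from collections import defaultdict

# Fragment quoted in the post; the post elides the rest of the capture.
SAMPLE_DUMP = "1F=20 5E=1F 56=1F 4E=20 46=20 5E=81 56=81 4E=81 46=81 9E=1F"

# Assumed token shape: two hex digits, '=', two hex digits (8-bit address and value).
TOKEN = re.compile(r"([0-9A-Fa-f]{2})=([0-9A-Fa-f]{2})")


def parse_dump(text):
    """Split a raw dump into (register, value) writes in capture order.

    Tokens that do not match (serial noise, a pair cut off mid-transfer)
    are returned separately so a corrupted capture is noticed, not hidden.
    """
    writes, rejects = [], []
    for token in text.split():
        m = TOKEN.fullmatch(token)
        if m:
            writes.append((int(m.group(1), 16), int(m.group(2), 16)))
        else:
            rejects.append(token)
    return writes, rejects


def group_by_register(writes):
    """Map register -> values in write order, keys sorted numerically."""
    grouped = defaultdict(list)
    for reg, value in writes:
        grouped[reg].append(value)
    return dict(sorted(grouped.items()))


def format_report(grouped):
    """One line per register: address, write count, then the values written."""
    return "\n".join(
        f"{reg:02X} {len(vals):3d}  " + " ".join(f"{v:02X}" for v in vals)
        for reg, vals in grouped.items()
    )


if __name__ == "__main__":
    writes, rejects = parse_dump(SAMPLE_DUMP)
    print(format_report(group_by_register(writes)))
    if rejects:
        print(f"skipped {len(rejects)} malformed token(s): {rejects}")
```

Keeping the values in write order per register preserves the sequence the firmware used, which matters when the same register is written more than once during a single sound change.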

Reversing the PSR-70 firmware

Now that we know enough of the PSR-70 hardware, it is time to start studying the firmware. It resides in one 32 KB EPROM, which is inconveniently soldered directly on the circuit board without any socket. Luckily the board is single-sided, so it was quite an easy task to remove it using a proper desoldering station. After this I soldered a socket in place of the EPROM. I have an old Stag EPROM programmer, so no problem in reading the EPROM. I programmed the contents into another EPROM and inserted it in the socket. The keyboard worked without problems with the copy, so the reading was successful. I have sometimes got incorrect reading results, so it is always worth checking. Stag can dump the EPROM contents in Intel HEX format, which I disassembled with yazd. This is quite a nice Z80 disassembler; it produces good cross-references, which help in analyzing the software. Hex and disassembly listings are in my GitHub.

Analyzing the disassembly

Target is not to understand

Reversing the PSR-70 hardware

The first step in the actual reverse engineering is to start studying the PSR-70 hardware. This is quite a service-friendly (meaning hacker-friendly) device: all circuit boards are single-sided, and the copper-side silkscreen has IC numbers and jumper wire positions marked. There are also many useful-looking signal names marked, like “D7”, “A12”, “IOWR” etc. It would be possible to draw the whole schematic from one high-quality photo of the circuit board. My intention is not to draw the whole schematic, but at least the address maps should be figured out. It will make the interpretation of the disassembly much easier. All address decoding is done with 7400-series discrete logic, with no PAL circuits or other nuisances used, which is very good.

Block diagram

Most of the electronics is on the large main board. The other cards are: Power + audio board contains the audio amplifiers, some kind of analog chorus-effect based on a BBD-circuit, power amplifiers feeding the speakers, and voltage

Yamaha PSR-70 reverse engineering project

One day at the Hacklab: “Hey, guys! I have an old Yamaha PSR-70 keyboard in my car trunk. Does anybody want it? If not, I will take it to e-waste today.” “Don’t throw it away, I can take it and see if it’s any good”, I hear myself saying. Because of that careless reply, I discovered I have yet another keyboard filling up my crowded storage. At least this is a dream for any push button and blinkenlights maniac. There is no display at all, but there are almost 100 push buttons and even more LEDs. Nice looking front panel indeed. I’m not very familiar with Yamaha keyboards in general, and about this model in particular I knew nothing. It is from the year 1985, a typical arranger keyboard of that time. It has a small selection of ready-made auto accompaniments and you can also create new ones. There are 32 sounds which are not editable. It also has a MIDI interface, which was not so common at that time. An external cassette player can be used as mass storage for your own rhythms.