SH68F881 Findings #5

Open
swiftgeek opened this issue Apr 21, 2023 · 2 comments
Comments

swiftgeek (Owner) commented Apr 21, 2023

SH68F881-specific findings

Should not be related to the firmware it is running (BYK801)
Normally the LQFP64 package would have the "SH68F881Q" marking (when the chip package marking is not customized - as it is for BYK801)

  • INSCON.BKS0 (SFR 0x86, bit6) is utilized in SH68F881
    • Most noticeable near routines using USB and in headers where multiple peripheral SFRs point to the same SFR address
    • From ghidra:
      • uVar1 = read_volatile_1(0x86);
      • write_volatile_1(0x86, uVar1 | 0x40);
    • Some SFRs are present at the same address, in both banks, while others aren't despite lack of conflict. No rule whatsoever as seen in SH79F3283
    • G80F930A (sinowealth rebrand) likely shows banking split/location for FLASH/USB/EUART/SPI/PWM/CLOCK/WDT/BT/TIMER2/TIMER3/GPIO/Interrupt registers
      • Missing TIMER0/1 and ISP registers
  • Due to the above, from public datasheets, SH88F6161/6162 is likely the most similar when it comes to how the general memory map works (actual registers are different)

SFRs

  • Current state of mapping registers in SH68F881 (as the datasheet is not available)
  • Some SFRs are missing from both headers and G80F930A datasheet, yet they are used in firmware. Though they are merely cleared during init (one function in ISP fw and one in main firmware):
    • 92h 93h 95h A2h AAh ABh ACh ADh
  • Since SFRs are banked and I don't know how to deal with it, the ghidra pspec uses the format BANK0_SFR__BANK1_SFR, and BANK0_SFR__BANK1_SFR.BANK0_BIT__BANK1_BIT for bit-addressable registers
  • In disassembly, SFR bank switching is done by a single instruction:
    • Switch to bank 1: ORL INSCON,#0x40
    • Switch to bank 0: ANL INSCON,#0x3f (Bank selection field is 2 bit wide)

ISP

ISP is a firmware block typically at the end of the (flash/otp/mask) ROM memory space - the last 1KiB sector. It may use a different storage technology from the main code area depending on the particular chip. There are also some logic features associated with it, allowing for:

  • Starting on POR from the main or ISP area depending on a special area setting
  • Entering ISP based on pin strapping. Typically two GPIO pins pulled to GND. Which ones depends on particular chip part number.
  • Software reset to/from ISP area via ISPLO/ISPCON register write sequence.
    • Documented in SH88F6161/6162 (CN) and (EN)
  • Jump from main FW to ISP entry point via instruction sequence (Documented in SH61F83)
  • When MCU is strapped to run ISP code (either by pins or options), it will start from 0x7C00

8051 extensions

  • 16-bit operand extension via AUXC and INSCON (MUL/DIV)
  • Two data pointers - DPTR and DPTR1, selected via INSCON.DPS

KEIL summary

Contained in one of the SH51.CDB μVision Device Databases:

8051 based Full Static CMOS controller with two-Level Program Memory Lock
72 I/O lines, 3 Timers/Counters, 13 Interrupts sources, 1 BaseTimer, 3 PWM, UART,
WDT, LVR, Regulator, SPI, Full Speed USB,
32K Flash Memory, 2560 Bytes On-chip RAM, 2048 Byte EEPROM

IRAM(0 - 0xFF) IROM(0-0x7FFF) XRAM(0-0x8FF) CLOCK(24000000)

strings SH51.CDB | grep '^SH68F881$' -A13
Sinowealth's *.CDB files don't match the datasheets perfectly, though, so take it with a grain of salt, especially the interrupt source count

Pinout of MCU itself

  • USB is likely to be on P0.2 and P0.3
  • SET2/DG5 is likely also on P0 and likely provides EUART TXD/RXD. Which would be pretty convenient as it's N/C on this particular board.
  • JTAG is on P4. One indication of that is in GPT/OPT files explicitly mentioning P4.7 having R̅E̅S̅E̅T̅ alt function.
    • P4.0 - TDO
    • P4.1 - TMS
    • P4.2 - TDI
    • P4.3 - TCK
    • P4.7 - R̅E̅S̅E̅T̅
  • Indicator LEDs (BYK801):
    • Pin1 - P3.5 - SCRLOCK
    • Pin2 - P3.6 - CAPSLOCK
    • Pin3 - P3.7 - NUMLOCK
  • So far it looks like the pinout is going to roughly match the LQFP64 SH79F6489. Previously BYK870 was identified to be that chip, but in LQFP80. Peripheral-wise, SH68F881 doesn't have ADCs/LCD driver/OP/PGA. Headers would also indicate that SH68F881 has more timers, but that has not been confirmed yet
  • SP6/2.0 on PCB next to JTAG port means Pitch 2.00mm, and not GPIO Port P2.0. Schematics to be updated.

USB RAM

Likely 0A00H - 0AAFH, since XRAM and USB RAM ranges seem to be paired together. But that's just a guess for now
0A00H - 0AAFH - Confirmed with BYK801 firmware
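The SFR banking described above (INSCON.BKS0 at SFR 0x86 bit 6, switched with ORL INSCON,#0x40 / ANL INSCON,#0x3F, with the same direct address meaning a different register in each bank) is the kind of thing that is easy to misread in a flat disassembly. The script below is an added example, not code from this repository or from the firmware: it walks a raw 8051 code blob linearly, tracks the BKS0 state from the INSCON read-modify-write instructions, and tags every direct-addressed SFR access with the bank it lands in. The instruction bytes it scans are constructed here to mirror the pattern the issue reports (a clear of the undocumented SFR 0x92 in both banks); the opcode subset, the assumption that BKS0 is clear at routine entry, and the decision to ignore BKS1 (bit 7) are this example's own choices.

```python
"""Tag direct SFR accesses in 8051 code with the INSCON.BKS0 bank they hit.

Added example for the SH68F881 banking notes above. Linear scan only: it does
not follow jumps/calls, so a bank switch reached through a branch will not be
seen. Treat the result as a hint for the ghidra BANK0_SFR__BANK1_SFR names,
not as ground truth.
"""
from dataclasses import dataclass
from typing import List, Optional

INSCON = 0x86        # SFR address of INSCON (from the issue)
BKS0_MASK = 0x40     # INSCON.BKS0, bit 6; BKS1 (bit 7) is deliberately ignored here


@dataclass
class Event:
    addr: int              # offset of the instruction inside the scanned blob
    mnemonic: str          # 8051 mnemonic of the instruction
    direct: int            # direct-address operand
    bank: Optional[int]    # 0/1 for SFR accesses (0x80-0xFF), None for IRAM / INSCON itself
    note: str = ""         # "switch to bank N" for INSCON writes that flip BKS0


# Small subset of 8051 direct-addressed instructions: opcode -> (mnemonic, length).
# Standard MCS-51 encodings; anything else makes scan() stop with an error
# rather than guess instruction boundaries.
DIRECT_OPS = {
    0x43: ("ORL direct,#imm", 3),
    0x53: ("ANL direct,#imm", 3),
    0x75: ("MOV direct,#imm", 3),
    0xE5: ("MOV A,direct", 2),
    0xF5: ("MOV direct,A", 2),
}
RET, NOP = 0x22, 0x00


def scan(code: bytes, base: int = 0, entry_bank: int = 0) -> List[Event]:
    """Linearly decode one routine and record SFR accesses with their bank."""
    bank = entry_bank   # assumption: BKS0 state at routine entry
    pc = 0
    events: List[Event] = []
    while pc < len(code):
        op = code[pc]
        if op == RET:           # end of the routine for a linear scan
            break
        if op == NOP:
            pc += 1
            continue
        if op not in DIRECT_OPS:
            raise ValueError(f"unhandled opcode 0x{op:02X} at 0x{base + pc:04X}")
        mnem, length = DIRECT_OPS[op]
        if pc + length > len(code):
            raise ValueError(f"truncated instruction at 0x{base + pc:04X}")
        direct = code[pc + 1]
        imm = code[pc + 2] if length == 3 else None

        if direct == INSCON and op in (0x43, 0x53):
            # ORL INSCON,#imm sets BKS0 if bit 6 is in the mask;
            # ANL INSCON,#imm clears BKS0 if bit 6 is NOT in the mask.
            if op == 0x43 and imm & BKS0_MASK:
                bank = 1
            elif op == 0x53 and not (imm & BKS0_MASK):
                bank = 0
            events.append(Event(base + pc, mnem, direct, None, f"switch to bank {bank}"))
        else:
            # Only the SFR space (0x80-0xFF) is banked; 0x00-0x7F is plain IRAM.
            events.append(Event(base + pc, mnem, direct, bank if direct >= 0x80 else None))
        pc += length
    return events


def describe(ev: Event) -> str:
    """One human-readable line per event, in BANKn_SFR style for SFRs."""
    if ev.note:
        return f"{ev.addr:04X}: {ev.mnemonic:<16} INSCON  {ev.note}"
    target = f"BANK{ev.bank}_SFR_{ev.direct:02X}" if ev.bank is not None else f"IRAM_{ev.direct:02X}"
    return f"{ev.addr:04X}: {ev.mnemonic:<16} {target}"


# Constructed sample (not firmware bytes): clear SFR 0x92 in bank 1, read 0xA2,
# drop back to bank 0, write 0x92 again, touch an IRAM byte, return.
SAMPLE = bytes([
    0x43, 0x86, 0x40,   # ORL  INSCON,#0x40   -> bank 1
    0x75, 0x92, 0x00,   # MOV  0x92,#0        -> BANK1_SFR_92
    0xE5, 0xA2,         # MOV  A,0xA2         -> BANK1_SFR_A2
    0x53, 0x86, 0x3F,   # ANL  INSCON,#0x3F   -> bank 0
    0xF5, 0x92,         # MOV  0x92,A         -> BANK0_SFR_92
    0x75, 0x30, 0x01,   # MOV  0x30,#1        -> IRAM, not banked
    0x22,               # RET
])

if __name__ == "__main__":
    for event in scan(SAMPLE):
        print(describe(event))
```

Feed it a slice of the dumped firmware starting at a routine entry (for example the init function that clears 92h/93h/95h/A2h/AAh/ABh/ACh/ADh) and compare the bank tags against the pspec names; a mismatch usually means the routine was entered with BKS0 already set, which is exactly the case the entry_bank parameter exists for.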

@WinkelCode

I am curious about

Entering ISP based on pin strapping. Typically two GPIO pins pulled to GND. Which ones depends on particular chip part number.

Any hints as to which pins that might be? Can this be achieved with a key combination?

swiftgeek (Owner, Author) commented Sep 15, 2023

This would be useful only for new FW, as BYKxxx FW doesn't take advantage of this.

Regardless of that, it's likely pins 62/63, but that remains to be verified (by implementing new FLOSS bootloader)
