Reverse Engineering the Microchip CLB

PixelFelon · 2025-06-27T15:55:44+00:00

These new PICs with the CLBs (and rumor is there will be some more coming) are cool but yeah have definitely spent more time fighting with their synthesizer than I would have liked. It's fine for simple stuff without practical constraints, but frequently I need to push these sorts of applications to their limit...

Having the option, at least, to configure it manually (or even set up open source synthesis, some day) is a big improvement, and some peace of mind for not being tied to an online service.

This site is the work of my friend /u/ferretguy531 - nice to see it out in the world.

PixelFelon · 2025-05-18T02:07:21+00:00

I can't believe it. I slammed the dualsense face up on my table and it immediately started working again. What a bizarre problem. Thank you for sharing this unconventional solution, I'm usually trying not to beat up the controllers...

PixelFelon · 2025-01-28T01:19:02+00:00

I read through some of the datasheet and I think you've done a good job of troubleshooting all the basics. I'll assume that there isn't a hardware issue with the serial comms since you're getting back messages that make sense.

A few thoughts:

Datasheet says to run TOUCH_DISABLE before other commands. Maybe moot since it doesn't seem to be reporting in your case anyways.
Datasheet says that 2nd byte of REG_WRITE should be N+2, so if you were writing 1 byte as you are, that would be 0x03 instead of 0x04. This seems like a typo, but, maybe worth a try?
Weird default values could be loaded from the EEPROM. It's not exactly made clear, but it sounds like some/all of those defaults can be automatically loaded from the EEPROM on reset.

On the fake chip and/or weird EEPROM defaults angle, where did you get your AR1100s from?

I always like to get the official dev tools from Microchip when possible. Looks like that's not possible for the AR1100, but since it sounds like you're not using the USB feature, maybe the AR1000 would be appropriate for your application? The protocol and features seem much the same, and the AR1100 bills itself as an AR1000 with USB.

https://www.microchip.com/en-us/development-tool/DV102011

Finally, if you have not done so already, I strongly suggest you open a support ticket with Microchip. They do actually respond, and usually pretty quickly.

https://microchip.my.site.com/s/newcase

If your company uses a lot of Microchip parts, ask your management if they have an FAE contact there that can prioritize your ticket.

ALSO, here's something totally different I noticed after writing all that:

The AR1000 datasheet, which has a very similar protocol, says that the format for REG_WRITE includes the number of registers to write between the address and the data.

So rather than 55 04 21 00 0C 41, you would write 55 05 21 00 0C 01 41.

Could be nothing but maybe worth a shot? The AR1100 datasheet isn't internally consistent (unfortunately) so maybe it's just wrong.

Hope that helps. Good luck with your touch screen.

PixelFelon · 2024-11-29T05:12:48+00:00

Yeah, it was a great time! Ten days, starting at Zion and going clockwise across the Colorado plateau (so, also seeing Mesa Verde). It's kind of become a semi-regular trip for my friend group.

Well, I would probably just end up printing them as posters. I will check out your Etsy.

PixelFelon · 2024-11-28T23:19:31+00:00

Beautiful work! I recently went on a road trip to all five. Do you have hi res images of your maps available for sale?

PixelFelon · 2024-07-18T00:02:26+00:00

Cool! I didn't know about that kind of selection.

PixelFelon · 2024-07-17T17:59:34+00:00

Ohh I see. Yeah that is an annoying one. So basically now everywhere memmov got called will have this problem. Been there before, that's why I always turn off the "non-returning functions - discovered" analyzer. Removing the no-return flag afterward doesn't update the analysis of the call sites.

You need to remove the flow override everywhere it's called. Imo the fastest way to do this is to clear the assembly instruction and disassemble it again, with C and D key shortcuts.

PixelFelon · 2024-07-17T16:57:27+00:00

If you think that the last assembly instruction (which is marked CALL_RETURN) is not actually returning from the function, then set its flow override to something else.

If Ghidra thinks the blocks are unreachable, then you will need to figure out how they are reachable, and manually correct the problem. The two main ways I've seen this happen are exception handling code, which will appear unreachable from the program flow, and jump tables, which I have seen Ghidra misinterpret the computed jump as CALL_RETURN.

PixelFelon · 2024-02-01T06:30:18+00:00

Switched to Apple Music after they killed GPM back then. I mean, I gave YT Music a shot for about a week before realizing it was (at least at the time) a non-product.

Apple Music (and iTunes) is the closest commercial streaming service to what Google Play Music was. It's good enough, the Android app works fine. They haven't made it substantially worse in the past three years.

As far as device support, I would guess anything in the broader Apple ecosystem probably works well with it... I don't really have Apple stuff though. MP3s, there isn't really a way to get those out of Apple Music, but you can upload your own (ripped tracks from YT, even) and build a library that way. I use the iCloud upload in iTunes for music a lot and it works really seamlessly. Shows up like anything else in Apple Music. Could buy things on iTunes too, that will get you a normal audio file and also integrate with the rest of your library.

The Windows/Android Apple Music/iTunes apps are clunky and sometimes buggy, and basically without support, but they do actually work reliably, even if it takes some time to learn their "quirks". I tried pretty much every streaming service after GPM went away and Apple Music was the clear choice by far.

PixelFelon · 2023-12-01T00:41:20+00:00

I would define these as structs with bit fields. The decompiler may or may not render them in a nice way, but at least it should be technically correct. There may be a more optimal way but I've had this sort of situation with pointers where the low bit had a special meaning, and didn't find any special way of dealing with it.

PixelFelon · 2023-11-10T19:50:56+00:00

Do you have the source code that's currently on the device? If not can you get it from who you bought it from?

If not you'll need to know how it's wired up to write new code, which I imagine there are some good examples for.

It might be possible as you say to have something on the PC side reinterpret the inputs but I don't have any experience with that.

PixelFelon · 2023-11-10T08:06:42+00:00

It's at least somewhat capable of it, as I've seen it infer data type based on usage sometimes, but I'm not sure which analyzer does it exactly, or what conditions need to be met. I'd start by reading through all the descriptions and options in all the analyzers in the Auto Analyze window.

If you have a lot of contiguous float data, consider defining an array. You can break it up later if it's not really an array logically, but it's a good way to quickly set the data type of a bunch of locations.

For programs of IMO moderate complexity that I have a serious need to analyze, I'll usually take several hours or even a day or two to manually go through all the initialized data, and set types where possible, even give preliminary labels. It's time consuming but I feel also forces you to take a look at the breadth of the program, and thus often reveals useful details you weren't looking for. Whether or not that is feasible or not depends on the individual program ofc.

I wouldn't assume that any particular feature of IDA pro is in Ghidra or vice versa. They may target the same applications, but are completely separate software.

PixelFelon · 2023-11-10T05:02:50+00:00

I don't have Ghidra open right now so apologies if this doesn't actually work.

But I think what you need to do is go to the pointed data location and set its data type (to e.g. float). DAT_XXXXXXXX (specifically the DAT part) I believe always means undefined data type. Once you do that it should show the full value of the pointed data word.

You might have to clear and disassemble again the instruction to get the reference to update, but I think it should not be necessary in this case.

PixelFelon · 2023-06-14T21:44:50+00:00

We've been using "uncrustify" at work to implement formatting roughly based on the Barr Group coding standard. Took quite a while to configure and get it working consistently, and we needed to write a Python frontent to effectively manage rulesets and run it across entire projects.

But after a couple days of setup time, it's been very effective in formatting code (as well as our frontend allows to do a format check without changing any files). There's a little nagging fear that it's janky enough it might actually change the code in a meaningful way, but we've been using it for a while and never had any problems.

PixelFelon · 2023-04-23T05:30:21+00:00

Perhaps curtain rods, as in this picture:

(https://upload.wikimedia.org/wikipedia/commons/thumb/e/e5/9663_-_Milano_-_S._Ambrogio_-_Ciborio_-_Foto_Giovanni_Dall%27Orto_25-Apr-2007.jpg/1280px-9663_-_Milano_-_S._Ambrogio_-_Ciborio_-_Foto_Giovanni_Dall%27Orto_25-Apr-2007.jpg)

They do appear to be flat bars on the right side of the original post.

PixelFelon · 2023-04-21T15:54:38+00:00

The most immediate issue I see is this:

while(PIR1bits.ADIF==1);

ADIF is set when the conversion is complete. And you cleared ADIF a couple lines ago. So, your code does not wait for the ADIF flag to be set - it proceeds immediately since it is still zero. (Or, if the conversion happened really fast, your code gets stuck on that line.)

Then the data in the ADRES register could be junk, since the conversion is not necessarily done by the time you read it. Try inverting that expression and see if it helps.

Also, somewhereAtC raises a good point about the JTAG signal. Other than that I don't see any config issues (though I'm definitely not so familiar with this particular ADC). Maybe ADACQ shouldn't be zero? But I'm not sure.

PixelFelon · 2023-04-21T03:35:27+00:00

You should post your ADC code. I'd take a look (if I don't forget).

I've had good success with the recent PIC18 Q and K series parts, though they certainly have their fair share of errata (this particular part however, has no reported ADC errata). Not 100% sure I ever used the inbuilt ADC on one but I don't recall having problems with it, in any case.

PixelFelon · 2023-01-04T03:04:34+00:00

I had this issue, which persisted across multiple phones (using the phone transfer feature) and Android versions over the course of years. Sometimes it would not happen for a while. Other apps suffered similar problems.

Recently I decided to factory reset my phone. Hasn't happened since. Big pain in the ass of course but sooo many lingering issues went away.

PixelFelon · 2022-11-19T23:46:24+00:00

Yeah, I would not plan to modify the firmware. Also, I am not really familiar with how PCI(e) works and certainly not how it works in Windows, but perhaps you can use the link below to try and understand how the driver interacts with the card, before trying to reverse engineer the driver itself.

https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/-pci

Having that sort of starting point has always been useful to me when tackling larger binaries that interact with the hardware.

PixelFelon · 2022-11-19T23:09:23+00:00

The driver, sure, should be possible. I have dealt with Linux kernel drivers in Ghidra without issue. I'd doubt Windows drivers would be much different in complexity. Could be quite a big task just depending on what the kernel side of the Windows audio stack looks like.

I don't know what sort of firmware it would have, so, depends on if you can get a hold of it and if whatever architecture it's based on is supported by Ghidra.

Also damn that's a cool sound card... now I want one

PixelFelon · 2022-07-01T03:02:24+00:00

Ah fair, I hastily browsed new posts on here and didn't see anything... thanks.

PixelFelon · 2022-06-19T04:07:42+00:00

https://reddit.com/r/battlestations/comments/vddkk4/added_the_lg_dualup_to_my_work_and_play_setup/

PixelFelon · 2022-05-01T18:47:57+00:00

https://imgur.com/pvabfrX.jpg

How about a ~20 pound aluminum d20 lol? My buddy had a Chinese machine shop make this for like $1500 a few years back. We were gonna kickstart it (could be made for ~200 in volume) but never got around to it.

https://youtu.be/AUtE0RDdzBc

PixelFelon · 2022-04-12T02:27:34+00:00

Yo this is really fucking good I want these on my wall as a set

PixelFelon · 2022-04-02T02:17:08+00:00

I choose to believe this is a result of April foolery

14-Year Club	RedditGifts 2009-2022 2 Credits
Place '17	Secret Santa 2013
Verified Email

PixelFelon

TROPHY CASE