AudioPoint Internals

AudioPoint E86MON HomeDirector Am186 Am186ES
AudioPoint Hackin'

                    Work in Progress!
                        The following is a step by step account of what I figured out and learned about this little thing as I went along. So the information might be                             right, wrong, obvious, stupid, unbeleivable, or useless. You decide.

       AudioPoint is a product made by HomeDirector, it plays MP3's stored on a PC or Shoutcast streams from the internet. It has an RJ-45 jack and is web enabled, more on that later.. When it was first on sale, it cost $200. I picked mine up for $30 at an Electronics surplus store. Why did it drop out of sight? Well, one person very closely related to the production of the AudioPoint told me they company ran out of money....but I also think it's the mere fact that a computer is REQUIRED to operate this thing (think of it this way, if I need a computer to control this little box, why not just have a computer do the streaming and output? Whats the need for a separate unit? Yeah...).
I still wish they would have added like 3 buttons, Stop, Pause, Play. This would have been just genius.

Some Pics:
This is what the unit looks like all nice and new:

Here it is opened up:

The circuit board (click on pic for fullsize image):

The Network chip:

And finally, the chip that does it all (AMD Am186ES Microcontroller):

Networking:
After opening the box, the instructions tell you to install the software to manage the MP3 stuff, but I decided not to. I wanted to see what I can find first.

The AudioPoint (from now on called just AP) uses DHCP to grab an IP from your router. In order for me to explore the unit further and not have to find it's IP each time, I decided to give a specific IP to the unit by setting up MAC matching on my router. I got the unit's MAC address by first letting the AP connect to my router and grab an IP by itself, I then checked my routers "currently connected" section and found the AP's MAC address. Then I set that MAC to get x.x.2.50 so that next time I want to connect to it, I'll know where it is.

Right away I decide to portscan it, nmap found only one interesting port, and thats 80. =) To my surprise, everything I needed to control the AP was right there on port 80. Not including any kind of security features. Oh well. Here's a screenshot of the web interface:

<pic>

Debug Port Info:

I had the rare opportunity to talk to the lead hardware designer for the AudioPoint and ask him some questions. This is as amazing because how often can you talk to the guy that actually worked and put in his blood and sweat into something and ask him questions?
I'm not going to give out his e-mail address. It took me a little backtracing to actually find the correct email as I had a few false positives. Anyway he gave me some interesting insights into the design and layout of this unit, he explained how most of the chips interact.
Here's just a snippet of the fun knowledge I obtained:

>What kind of specs are on the AudioPoint device? What OS is it
>running? Is there any way to reflash the unit with modified or updated
>firmware? I'd love to be able to add a little security feature for the
>web-based control.

We bought US Software's RTOS and their TCP/IP stack. The processor is an
AMD 186 microcontroller, but the mp3 decoding is done by a STA105 mp3 chip.
The 186 writes bytes into an IDT fifo, and I wrote some VHDL code on a
Cypress CPLD that takes the data out of the fifo and shifts it into the mp3
chip. There is also a pretty nice AKM DAC on there too.

You can reflash the device, but you'd have to be able to duplicate the
development environment in order to make a code load.

He did tell me that there is an RS232 serial debug port 4-pin header on the AP that I might be able to connect to, and sure enough a little while later I did it.
Here is the pin configuration for the 4-pin RS232 port:
RS232 Header pins

I used a MAX232 chip to provide the necessary 5V RS-232 signals for this connection to happen. Here is the schematic: (yep, these are stolen. I'm too lazy to draw my own. And heck, they work just fine if you can read schematics!)

Playing around with E86MON (on-board debugger):

In order to connect to the AP (this is what the lead hardware engineer told me), upon powering up of the unit (plugging in the cable) you have to press the "A" key on your keyboard while being connected to the COM port on your machine. This is how it went for me; I opened up HyperTerminal (yes, it sucks).
Connected to COM1 with "38400 N,1,N" as the settings, then I plugged in the power cord and immediately started pressing the A key on my keyboard and voila!, this popped up:

Welcome to AMD's EMon 186! (? <Enter> for help)

es86mon: ?

E86 Boot Monitor -- Version 3.42 1999/2/25
Copyright (C) 1994-1999 AMD, Austin, Texas, USA

Help not available -- use LL command to load extension with help.

es86mon:

I kept playing around and this is just another sampling of whats available in EMon:

es86mon: d
0/0000000   09 76 01 f8 f9 75 02 f8 e9 75 03 f8 a4 00 75 7f .v...u...u....u.
0/0000010   c9 75 05 f8 b9 75 06 f8 a9 75 07 f8 99 75 08 f8 .u...u...u...u..
0/0000020   89 75 09 f8 79 75 0a f8 69 75 0b f8 59 75 0c f8 .u..yu..iu..Yu..
0/0000030   49 75 0d f8 39 75 0e f8 29 75 0f f8 19 75 10 f8 Iu..9u..)u...u..
0/0000040   09 75 11 f8 6c 00 75 7f 94 00 75 7f d9 74 14 f8 .u..l.u...u..t..
0/0000050   c9 74 15 f8 b9 74 16 f8 a9 74 17 f8 99 74 18 f8 .t...t...t...t..
0/0000060   89 74 19 f8 79 74 1a f8 69 74 1b f8 59 74 1c f8 .t..yt..it..Yt..
0/0000070   49 74 1d f8 39 74 1e f8 29 74 1f f8 19 74 20 f8 It..9t..)t...t .
es86mon: p
    baudrate       = 19200
    cpuspeed       = 40000000
    led            = 1
    autorun        = 0
    monitorport    = 1
    protectflash   = 000e0000
es86mon:

"d" is to dump memory, it can take a single memory location or a range as the argument. It's pretty cool. Obviously the first column is the memory address, the second column is the hex display of the memory, and the last column is ASCII representation of the memory.

Changing settings seems to be pretty easy:

es86mon: P led 0
led = 1

You can make your system unbootable if you
program invalid values into the flash.

Would you like to test by rebooting with
this value before you make it permanent? (Y/N): y

Rebooting... (press 'A' to autobaud again)

Welcome to AMD's EMon 186! (? <Enter> for help)

es86mon:

After hitting "P" to get all the variables, I tried the typical steps to change a variable, and that is to give the "<command> <variable> <new value>" step, and what do you know, it works! After pressing "Y" to test the temporary changes, I pressed "a" again to go back into the debug mode and, the LED was off, neat! Normally the LED flashes about once every three seconds when you're in EMON mode. Now it's off. The interesting feature about this system is it lets you test out the variable changes before making them permanent. I have yet to test the permanent part.

I decide to play around more and see what the "S" (Search for List) command can do. It can search for a given list of bytes, such as a string. Here I am searchinf for the beginning of the word "address", just a random word i'm pretty sure will show up. And boy does it show up alot! I also decided to dump one of those memory locations as you can see:

es86mon: s 0000 FFFFFF "addr"
7041:db45
7041:dc08
7041:dd17
7041:f4df                         <-- Part of RAM?? Holds commands I've typed...
7041:f4f2
7041:f505
7041:f51a
7041:f541
7041:f6e6
7041:f6f5
8041:0470
8041:32b3
9041:ac6f
a041:99fd
b041:46e1
b041:9e2c
b041:c63f
f041:dbb5
f041:dc78
f041:dd87

Memory region out of range: f041:fbce 80
es86mon: d f041:dd87
f041:dd80                        61 64 64 72 65 73 73 20 28         address (
f041:dd90   73 65 67 3a 6f 66 66 73 65 74 20 6f 72 20 35 20 seg:offset or 5
f041:dda0   68 65 78 20 64 69 67 69 74 73 29 00 0a 0a 57 65 hex digits)...We
f041:ddb0   6c 63 6f 6d 65 20 74 6f 20 41 4d 44 27 73 20 45 lcome to AMD's E
f041:ddc0   4d 6f 6e 20 31 38 36 21 20 20 20 20 20 20 28 3f Mon 186!      (?
f041:ddd0   20 3c 45 6e 74 65 72 3e 20 66 6f 72 20 68 65 6c   <Enter> for hel
f041:dde0   70 29 0a 0a 00 0a 50 65 72 6d 61 6e 65 6e 74 20 p)....Permanent
f041:ddf0   76 61 72 69 61 62 6c 65 20 73 75 63 63 65 73 73 variable success
f041:de00   66 75 6c 6c 79 20 75                              fully u
es86mon:

Hmm...

es86mon: d 7041:f6e6
7041:f6e0                     64 20 37 30 34 31 3a 66 36 65        d 7041:f6e
7041:f6f0   36 00 46 20 22 61 64 64 72 22 00 00 00 00 00 00 6.F "addr"......
7041:f700   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7041:f710   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7041:f720   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7041:f730   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7041:f740   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7041:f750   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
7041:f760   00 00 00 00 00 00                     ......
es86mon:

Ok, this is close to what I want. Looks like some stuff that has to do with the network part of the AP and possible even the web interface:

es86mon: d 8041:0470
8041:0470   61 64 64 72 65 73 73 3a 20 25 73 20 5b 25 73 5d address: %s [%s]
8041:0480   0a 00 20 57 69 6c 6c 20 73 74 61 72 74 20 25 73 .. Will start %s
8041:0490   20 25 64 20 25 73 20 00 6e 65 74 31 38 36 00 73   %d %s .net186.s
8041:04a0   65 72 76 65 72 00 0a 54 61 73 6b 20 52 65 63 65 erver..Task Rece
8041:04b0   69 76 65 20 53 74 72 65 61 6d 20 00 52 55 4e 54 ive Stream .RUNT
8041:04c0   41 53 4b 20 23 32 20 66 61 69 6c 73 0a 00 0a 54 ASK #2 fails...T
8041:04d0   61 73 6b 20 44 69 73 63 6f 76 65 72 79 20 00 52 ask Discovery .R
8041:04e0   55 4e 54 41 53 4b 20 23 31 20 66 61 69 6c 73 0a UNTASK #1 fails.
es86mon: d 8041:32b3
8041:32b0            61 64 64 72 65 73 73 3a 20 25 70 20 28     address: %p (
8041:32c0   25 6c 78 29 0a 00 25 30 32 78 25 30 32 78 25 30 %lx)..%02x%02x%0
8041:32d0   32 78 25 30 32 78 20 25 30 32 78 25 30 32 78 25 2x%02x %02x%02x%
8041:32e0   30 32 78 25 30 32 78 20 25 30 32 78 25 30 32 78 02x%02x %02x%02x
8041:32f0   25 30 32 78 25 30 32 78 20 25 30 32 78 25 30 32 %02x%02x %02x%02
8041:3300   78 25 30 32 78 25 30 32 78 20 3c 25 63 25 63 25 x%02x%02x <%c%c%
8041:3310   63 25 63 25 63 25 63 25 63 25 63 25 63 25 63 25 c%c%c%c%c%c%c%c%
8041:3320   63 25 63 25 63 25 63 25 63 25 63 3e 0a 00 ff ff c%c%c%c%c%c>....
8041:3330   56 57 c8           VW.
es86mon: d 9041:ac6f
9041:ac60                                     61         a
9041:ac70   64 64 72 65 73 73 20 69 6e 20 75 73 65 00 25 64 ddress in use.%d
9041:ac80   2e 25 64 2e 25 64 2e 25 64 00 0a 50 69 6e 67 20 .%d.%d.%d..Ping
9041:ac90   25 73 0a 00 62 61 64 20 73 6f 63 6b 65 74 0a 00 %s..bad socket..
9041:aca0   56 57 c8 04 00 00 c5 76 0c 8a 44 0e 2a e4 89 46 VW.....v..D.*..F
9041:acb0   fc c5 76 0c 8a 44 10 2a e4 89 46 fe ff 76 fe 0e ..v..D.*..F..v..
9041:acc0   68 dc 03 9a a5 04 4f ae 83 c4 06 c5 76 0c c7 44 h.....O.....v..D
9041:acd0   0c 3e 00 c5 76 0c c7 44 28 00 01 c5 76 0c c7 44 .>..v..D(...v..D
9041:ace0   22 00 01 c5 76 0c c7 44 24 08 00 c5 76 0c c6     "...v..D$...v..
es86mon: d b041:9e2c
b041:9e20                                      61 64 64 72 addr
b041:9e30   65 73 73 2e 20 5b 25 64 5d 0a 00 53 6f 63 6b 65 ess. [%d]..Socke
b041:9e40   74 53 65 6e 64 2c 20 6f 6e 6c 79 20 73 65 6e 74 tSend, only sent
b041:9e50   20 25 64 20 62 79 74 65 73 20 69 6e 73 74 65 61   %d bytes instea
b041:9e60   64 20 6f 66 20 25 64 20 62 79 74 65 73 2e 0a 00 d of %d bytes...
b041:9e70   53 6f 63 6b 65 74 52 65 63 65 69 76 65 2c 20 69 SocketReceive, i
b041:9e80   6f 63 74 6c 73 6f 63 6b 65 74 28 25 78 2c 46 49 octlsocket(%x,FI
b041:9e90   4f 4e 52 45 41 44 29 20 66 61 69 6c 65 64 2e 0a ONREAD) failed..
b041:9ea0   00 53 6f 63 6b 65 74 52 65 63 65 69      .SocketRecei
es86mon: d b041:c63f
b041:c630                                                 61             a
b041:c640   64 64 72 65 73 73 2e 0a 00 53 74 61 72 74 44 69 ddress...StartDi
b041:c650   73 63 6f 76 65 72 79 2c 20 66 61 69 6c 65 64 20 scovery, failed
b041:c660   74 6f 20 6f 70 65 6e 20 6d 75 6c 74 69 63 61 73 to open multicas
b041:c670   74 20 73 6f 63 6b 65 74 2e 0a 00 25 73 20 53 50 t socket...%s SP
b041:c680   20 25 30 32 78 3a 25 30 32 78 20 00 53 53 44 50   %02x:%02x .SSDP
b041:c690   00 68 74 74 70 3a 2f 2f 00 2f 44 65 76 44 65 73 .http://./DevDes
b041:c6a0   63 2e 78 6d 6c 00 75 75 69 64 3a 00 3a 3a 75 72 c.xml.uuid:.::ur
b041:c6b0   6e 3a 73 63 68 65 6d 61 73 2d 68 6f 6d 65 64     n:schemas-homed
es86mon:

Booting the AudioPoint after breaking into E86MON:
Breaking into E86MON basically prevents the AudioPoint from doing what its meant to do, it prevents the AudioPoint firmware from running and thus no Web interface or AP usage.. It breaks into the debug option and does not continue, so I had to figure out how to be able to continue normal operation after breaking into the debug monitor.
I forgot where, but I read somewhere that "G" loads a program stored in the flash, so I tried "G 1" and it asked for an address in memory. I remembered looking at the "I" printout and seeing a "Boot sectors:" line that held some addresses, and decided to give it ago. This is the HyperTerm log of that:

Welcome to AMD's EMon 186!      (? <Enter> for help)

es86mon: i

   Module Code Segment/Length   Data Segment/Length
E86MON         F800    779C          7F75    08B0

Free data paragraphs: 7f33
Current system time: 9.453

Flash device: 29F400T -- 512K bytes organized as 256K X 16
App sectors:   0 at 8000, 1 at 9000, 2 at A000, 3 at B000,
               4 at C000, 5 at D000, 6 at E000, 7 at F000

Boot sectors: 8 at F800, 9 at FA00, 10 at FC00   <--- Hmm, boot?

es86mon: p
    baudrate       = 19200
    cpuspeed       = 40000000
    led            = 1
    autorun        = 0
    monitorport    = 1
    protectflash   = 000e0000
es86mon: g 1
           ^ -- Error: expected address (seg:offset or 5 hex digits).
es86mon: g F800:0000
$áhùnúïíïíïíïíaûïíéaúïíaúïíïíïíïíïíïíïåïíïíïí   <---BINGO! This means AP is booting.

What's Next?
Well, I'd like to modify memory, then modify flash, then boot the AP. Sounds like fun. To start, I'm going to search for the string "HTTP_hostAddress" because it is in the index2.html file (on the AP control web interface) and it looks like a unique string that won't show up anywhere else. So here we go (we're going to start from 0xF8000 which is the memory location from which the AP boots, and will most likely hold the stuff I'm looking for):

es86mon: s f8000 fffff "HTTP_hostAddress"
es86mon:                   <---Hmm, nothing.

es86mon: s f800 ffffff "HTTP_hostAddress"
7041:f4e9
7041:f522
7041:f6e6
8041:f468                 <---Haha, BINGO!
8041:f4ad
9041:6595

Memory region out of range: f041:fbc2 80
es86mon:

Now to dump some of those memory locations:

// OH YES! BABY!
es86mon: d 8041:f468
8041:f460                            48 54 54 50 5f 68 6f 73          HTTP_hos
8041:f470   74 41 64 64 72 65 73 73 20 74 79 70 65 3d 74 65 tAddress type=te
8041:f480   78 74 20 73 69 7a 65 3d 33 32 20 76 61 6c 75 65 xt size=32 value
8041:f490   3d 3c 21 2d 2d 23 45 43 48 4f 20 46 4f 52 4d 41 =<!--#ECHO FORMA
8041:f4a0   54 3d 22 25 73 22 20 20 56 41 52 3d 22 48 54 54 T="%s" VAR="HTT
8041:f4b0   50 5f 68 6f 73 74 41 64 64 72 65 73 73 22 2d 2d P_hostAddress"--
8041:f4c0   3e 20 3e 20 0d 0a 3c 2f 74 64 3e 0d 0a 3c 2f 74 > > ..</td>..</t
8041:f4d0   72 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 20 42 47 r>..<tr>..<td BG
8041:f4e0   43 4f 4c 4f 52 3d 22 23                   COLOR="#
es86mon:

// HOT
es86mon: d 8041:f4ad
8041:f4a0                                           48 54 54         HTT
8041:f4b0   50 5f 68 6f 73 74 41 64 64 72 65 73 73 22 2d 2d P_hostAddress"--
8041:f4c0   3e 20 3e 20 0d 0a 3c 2f 74 64 3e 0d 0a 3c 2f 74 > > ..</td>..</t
8041:f4d0   72 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 20 42 47 r>..<tr>..<td BG
8041:f4e0   43 4f 4c 4f 52 3d 22 23 33 33 33 33 36 36 22 3e COLOR="#333366">
8041:f4f0   3c 42 3e 50 6f 72 74 3c 2f 42 3e 3c 2f 74 64 3e <B>Port</B></td>
8041:f500   0d 0a 3c 74 64 3e 3c 69 6e 70 75 74 20 6e 61 6d ..<td><input nam
8041:f510   65 3d 48 54 54 50 5f 70 6f 72 74 20 74 79 70 65 e=HTTP_port type
8041:f520   3d 74 65 78 74 20 73 69 7a 65 3d 35 20       =text size=5
es86mon:

//SOME INTERESTING STUFF FOR FUTURE REFERENCE:
es86mon: d 9041:6595
9041:6590                48 54 54 50 5f 68 6f 73 74 41 64       HTTP_hostAd
9041:65a0   64 72 65 73 73 00 48 54 54 50 5f 76 6f 6c 75 6d dress.HTTP_volum
9041:65b0   65 4c 65 76 65 6c 00 48 54 54 50 5f 6c 65 66 74 eLevel.HTTP_left
9041:65c0   56 6f 6c 75 6d 65 00 48 54 54 50 5f 72 69 67 68 Volume.HTTP_righ
9041:65d0   74 56 6f 6c 75 6d 65 00 48 54 54 50 5f 65 6e 61 tVolume.HTTP_ena
9041:65e0   62 6c 65 45 71 75 61 6c 69 7a 65 72 00 48 54 54 bleEqualizer.HTT
9041:65f0   50 5f 74 6f 6e 65 45 6e 68 61 6e 63 65 6d 65 6e P_toneEnhancemen
9041:6600   74 00 48 54 54 50 5f 62 61 73 73 45 6e 68 61 6e t.HTTP_bassEnhan
9041:6610   63 65 6d 65 6e                                  cemen
es86mon:

Getting Down to Business (editing some memory):
Ok, so now it's time to try some stuff out. I'm going to see if I can edit the AP's web-interface HTML code through the flash (hopefully temporarily at first).

es86mon: d 8041:ec19
8041:ec10                               54 49 54 4c 45 3e 48           TITLE>H
8041:ec20   6f 6d 65 44 69 72 65 63 74 6f 72 20 41 75 64 69 omeDirector Audi
8041:ec30   6f 50 6f 69 6e 74 20 37 30 30 30 3c 2f 54 49 54 oPoint 7000</TIT
8041:ec40   4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d LE>..<META HTTP-
8041:ec50   45 51 55 49 56 3d 22 52 65 66 72 65 73 68 22 20 EQUIV="Refresh"
8041:ec60   63 6f 6e 74 65 6e 74 3d 22 30 3b 20 55 52 4c 3d content="0; URL=
8041:ec70   69 6e 64 65 78 32 2e 68 74 6d 6c 22 3e 0d 0a 3c index2.html">..<
8041:ec80   2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 20 54 45 /HEAD>..<BODY TE
8041:ec90   58 54 3d 22 23 38 63 61 30                     XT="#8ca0
es86mon: d 8041:ec20
8041:ec20   6f 6d 65 44 69 72 65 63 74 6f 72 20 41 75 64 69 omeDirector Audi
8041:ec30   6f 50 6f 69 6e 74 20 37 30 30 30 3c 2f 54 49 54 oPoint 7000</TIT
8041:ec40   4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d LE>..<META HTTP-
8041:ec50   45 51 55 49 56 3d 22 52 65 66 72 65 73 68 22 20 EQUIV="Refresh"
8041:ec60   63 6f 6e 74 65 6e 74 3d 22 30 3b 20 55 52 4c 3d content="0; URL=
8041:ec70   69 6e 64 65 78 32 2e 68 74 6d 6c 22 3e 0d 0a 3c index2.html">..<
8041:ec80   2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 20 54 45 /HEAD>..<BODY TE
8041:ec90   58 54 3d 22 23 38 63 61 30 63 63 22 20 42 47 43 XT="#8ca0cc" BGC
es86mon: d 8041:ec1a
8041:ec10                                  49 54 4c 45 3e 48            ITLE>H
8041:ec20   6f 6d 65 44 69 72 65 63 74 6f 72 20 41 75 64 69 omeDirector Audi
8041:ec30   6f 50 6f 69 6e 74 20 37 30 30 30 3c 2f 54 49 54 oPoint 7000</TIT
8041:ec40   4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d LE>..<META HTTP-
8041:ec50   45 51 55 49 56 3d 22 52 65 66 72 65 73 68 22 20 EQUIV="Refresh"
8041:ec60   63 6f 6e 74 65 6e 74 3d 22 30 3b 20 55 52 4c 3d content="0; URL=
8041:ec70   69 6e 64 65 78 32 2e 68 74 6d 6c 22 3e 0d 0a 3c index2.html">..<
8041:ec80   2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 20 54 45 /HEAD>..<BODY TE
8041:ec90   58 54 3d 22 23 38 63 61 30 63                  XT="#8ca0c
es86mon: d 8041:ec1f
8041:ec10                                                 48               H
8041:ec20   6f 6d 65 44 69 72 65 63 74 6f 72 20 41 75 64 69 omeDirector Audi
8041:ec30   6f 50 6f 69 6e 74 20 37 30 30 30 3c 2f 54 49 54 oPoint 7000</TIT
8041:ec40   4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d LE>..<META HTTP-
8041:ec50   45 51 55 49 56 3d 22 52 65 66 72 65 73 68 22 20 EQUIV="Refresh"
8041:ec60   63 6f 6e 74 65 6e 74 3d 22 30 3b 20 55 52 4c 3d content="0; URL=
8041:ec70   69 6e 64 65 78 32 2e 68 74 6d 6c 22 3e 0d 0a 3c index2.html">..<
8041:ec80   2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 20 54 45 /HEAD>..<BODY TE
8041:ec90   58 54 3d 22 23 38 63 61 30 63 63 22 20 42 47     XT="#8ca0cc" BG
es86mon:

Here it took me a while to remember that after 0x1A (NOT 0x20) comes after 0x19 ...jeez THAT was dumb!

Now in order to edit some memory, we will have to Enter it with the "E" command: (A "." followed by an anter will exit that mode)

es86mon: d 8041:ec1f
8041:ec10                                                 48                 H
8041:ec20   6f 6d 65 44 69 72 65 63 74 6f 72 20 41 75 64 69 omeDirector Audi
8041:ec30   6f 50 6f 69 6e 74 20 37 30 30 30 3c 2f 54 49 54 oPoint 7000</TIT
8041:ec40   4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d LE>..<META HTTP-
8041:ec50   45 51 55 49 56 3d 22 52 65 66 72 65 73 68 22 20 EQUIV="Refresh"
8041:ec60   63 6f 6e 74 65 6e 74 3d 22 30 3b 20 55 52 4c 3d content="0; URL=
8041:ec70   69 6e 64 65 78 32 2e 68 74 6d 6c 22 3e 0d 0a 3c index2.html">..<
8041:ec80   2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 20 54 45 /HEAD>..<BODY TE
8041:ec90   58 54 3d 22 23 38 63 61 30 63 63 22 20 42 47     XT="#8ca0cc" BG
es86mon: e 8041:ec1f
8041:ec1f 48
"H"
8041:ec20 6f
"a"
8041:ec21 6d
"x"
8041:ec22 65
.
es86mon: d 8041:ec1f   <--CRAP! Didn't change anything...
8041:ec10                                                 48                 H
8041:ec20   6f 6d 65 44 69 72 65 63 74 6f 72 20 41 75 64 69 omeDirector Audi
8041:ec30   6f 50 6f 69 6e 74 20 37 30 30 30 3c 2f 54 49 54 oPoint 7000</TIT
8041:ec40   4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d LE>..<META HTTP-
8041:ec50   45 51 55 49 56 3d 22 52 65 66 72 65 73 68 22 20 EQUIV="Refresh"
8041:ec60   63 6f 6e 74 65 6e 74 3d 22 30 3b 20 55 52 4c 3d content="0; URL=
8041:ec70   69 6e 64 65 78 32 2e 68 74 6d 6c 22 3e 0d 0a 3c index2.html">..<
8041:ec80   2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 20 54 45 /HEAD>..<BODY TE
8041:ec90   58 54 3d 22 23 38 63 61 30 63 63 22 20 42 47     XT="#8ca0cc" BG
es86mon:

Shit. That sucks. Guess I can't edit memory....too bad.... 000e0000. I know there's someone out there who knows that this is not possible is laughing at me...heh...oh well, I'm a hobbyist. I'll learn.

Users Manual:
    I played around with this debug menu for a bit, figured out "d" is to dump memory and other stuff. But then I found this: E86MON(TM) Software User's Manual
available free on AMD's site. Thanks AMD! This little PDF is the whole users manual for E86MON, it actually describes the necessary steps one needs to take to connect to the debug port, and all the available commands. Awesome. This Amendment to the manual has some more interesting info. Am186™ES Microcontroller Info <-Interesting page.
    AMD's website is pretty informative. It includes the source code to E86MON, makehex (AMD's utility used to convert DOS programs to E86MON compatible apps), and other interesting files such as source code to a test program to configure and use the PCnet ISA AM79C961 ethernet chip on the AudioPoint board. Hmm....this thing is pretty damn powerful...And open!

To Do:
    Dump html and/or full firmware from "d"...then awk it to remove fields 1 and 4, combine fields 2 and 3 leave only hex values...copy into Hex Workshop, recreate html source code/firmware dump...

Internal Pictures:

Here is SW1:
You can see there are pin headers....SW1 is possibly a reset switch....lead designer told me it might be that (thats what I though) But I have yet to test it.

Here is the CPLD programming port (P1) that the lead engineer was talking about, 10 pins:

This is the Debug Port (HDR1) itself:

This is my temporary RS232 connection setup:

I have since updated this design with a resistor+transistor+LED for a "receiving" visual indicator light. I am also considering making an RS-232 PCB.

Full Memory/Flash Dump:
<TO BE DONE>

Custom AP Control Software:
<TO BE DONE?>

To Do:
* Write webpage to control AP from outside source. Let people dictate what I listen to.
* Again, try to edit flash data. Disable Data protect.

Created: January 6th, 2005
Update: January 25th, 2005