Here are more updates:
The partition which is loaded into the instrument RAM at the address 0x40000 is the Programmer Client. It has all the facilities to download from the HOST and to erase and program the built-in FLASH memory. Its dynamic run-time code is combined from the EXTENSION DATA sections in the data.bin file at the start of the flashtool. The code to be flashed (the actual content of the FLASH ROM at the end of the DFU exercise), however, is usually limited to 4 KByte chunks and has a different header -> DATA BLOCK.
The EXTENSION COMMAND TABLE supplies the entry points inside the Programmer Client sitting in the scopemeter RAM during the instrument update. It's interesting to find that not only Intel and Mitsubishi, but also AMD flash chips (not mentioned in the Service Manual) are supported.
These are the entry points:
- CF:GO00401780
- EO:GO0040170C
- FC:GO00401652
- FP:GO004006CA
- PF:GO00400C72
- QF:GO00400AB2
- TI:GO00400A7C
GO is the directive, followed by a 32-bit address.
These entry point functions are as yet unknown. At some point they are all called as functions in a single function, one after another, which is a bit perplexing. Could this correspond to the DFU order of things? If so, then the "command master" is not the HOST, but the scopemeter itself, requesting/commanding the host.
The code is well structured, but not hand written in assembly.
It uses the mask ROM of the D-ASIC extensively (likely for optical interface COMM, LCD output etc.), but the entry points are yet to be analyzed.
Here is a little fragment of the sector erase as it resides inside the Programmer Client:
00401C4C ; --------------------------------------------------------------------------------------
00401C4C ; D4 holds the Flash IC type: 1 - Intel 28F160, 2 - AMD 29LV160, 3 - Mitsubishi, 4 - Intel
00401C4C BlkEraseFLASH: ; CODE XREF: sub_0_401A94+8E
00401C4C lea $5E(a5),a1
00401C50 move.w #$FF,d3
00401C54 cmpi.b #2,d4
00401C58 bne.s BlkErase_CHK1
00401C5A
00401C5A BlkEraseI28F160:
00401C5A moveq #-2,d1
00401C5C move.l d6,d0
00401C5E add.l d5,d0
00401C60 and.l d0,d1
00401C62 move.l d1,(a1)
00401C64 movea.l (a1),a4
00401C66 move.w d3,(a4)
00401C68 movea.l (a1),a4
00401C6A move.w d3,(a4)
00401C6C movea.l (a1),a4
00401C6E move.w #$50,(a4) ; Clear status register
00401C72 movea.l (a1),a4
00401C74 move.w #$20,(a4) ; Erase setup
00401C78 movea.l (a1),a4
00401C7A move.w #$D0,(a4) ; Erase confirm
00401C7E lea $6A(a5),a2
00401C82
00401C82 loc_0_401C82: ; CODE XREF: sub_0_401A94+1F8j
00401C82 movea.l (a1),a4
00401C84 move.b 1(a4),(a2)
00401C88 btst #7,(a2)
00401C8C beq.s loc_0_401C82 ; Erase not finished
00401C8E movea.l (a1),a4
00401C90 move.w d3,(a4)
00401C92 movea.l (a1),a4
00401C94 move.w d3,(a4)
00401C96 move.b (a2),d2
00401C98 btst #3,d2
00401C9C bne.s loc_0_401CB4 ; VPP range error
00401C9E btst #6,d2
00401CA2 bne.s loc_0_401CB4
00401CA4 btst #5,d2
00401CA8 bne.s loc_0_401CB4 ; Block erase error
00401CAA clr.l d1
00401CAC move.b d2,d1
00401CAE btst #4,d1
00401CB2 beq.s loc_0_401CB8
00401CB4
00401CB4 loc_0_401CB4: ; CODE XREF: sub_0_401A94+208
00401CB4 ; sub_0_401A94+20E ...
00401CB4 moveq #1,d1
00401CB6 bra.s loc_0_401CBA ; Return error code D1=1
00401CB8 ; --------------------------------------------------------------------------------------
00401CB8
00401CB8 loc_0_401CB8: ; CODE XREF: sub_0_401A94+21E
00401CB8 clr.l d1 ; Erased successfully D1=0
00401CBA
00401CBA loc_0_401CBA: ; CODE XREF: sub_0_401A94+222
00401CBA move.l d1,d0
00401CBC bra.w loc_0_401BE2 ; Transfer the error code to D0
00401CC0 ; --------------------------------------------------------------------------------------
00401CC0
00401CC0 BlkErase_CHK1: ; CODE XREF: sub_0_401A94+1C4
00401CC0 move.l #-$10000,d2
00401CC6 cmpi.b #3,d4
00401CCA bne.s BlkErase_CHK2
00401CCC
00401CCC BlkErase29LV160:
00401CCC moveq #-2,d1