LeeGibling
09-08-2005, 06:10 AM
Despite the recent remarkable successes in the N2 sector,
the P4, P5/D1 research must not be neglected at all.
It is still half baked, but it may reveal some more details about
the inner structure of the RMS resp. SLE66C...P controller.
Take the following short .xpl script to enter 2 bytes in the
"Post ATR_DM Phase" to a 00'd P4 (of the 2001 or 2002 series):
1F        ; packet length
10        ; set baud rate to 9600
01        ; power up
28 00 00  ; delay
01        ; power up again to enter the
          ; "Before Returning from ATR Hole"
20 03 C0  ; wait for ATR_DM
80        ; receive byte 0x33
28 00 00  ; delay
8C        ; receive remainder of ATR_DM
C0 00     ; send one byte to card
20 t1 t1  ; interval t1 t1 (see table below)
C0 k2     ; send one byte to card
20 t2 t2  ; interval t2 t2
10        ; set baud rate to 9600
80        ; receive first byte of ATR
28 00 00  ; delay
8C        ; receive remainder of ATR
00        ; packet end
There is an interval of 0x1E36 cycles which can be (sub)divided
in the following way:
k2 | intervals for t1 t1 - (n * 0x1E36)
----------------------------------------------------------
0x00 0x1E36
0x01 0x08C9 + 0x156D,
0x02 0x08C9 + 0x0107 + 0x1466
or, in more detail:
k2 | intervals for t1 t1 - (n * 0x1E36)
----------------------------------------------------------
0x00 0x0201 + (0x0010 * 0x01C3) + 0x0005
0x01 0x0201 + (0x0010 * 0x006C) + 0x0008 +
0x0107 + (0x0010 * 0x0146) + 0x0006
0x02 0x0201 + (0x0010 * 0x006C) + 0x0008 +
0x000D + (0x0010 * 0x000F) + 0x000A +
0x02EA + (0x0010 * 0x0117) + 0x000C
where n >= 1.

For the following ranges of values for interval t1 t1:
  0x0005
  0x0006
  0x0008
  0x000A
  0x000D
  0x0010
  0x0107
  0x0201
  0x02EA
values for
  a constant interval tc tc
  a second interval t2 t2
do exist which fulfil the following conditions:
  t1 t1 + t2 t2 = constant
  (tc tc + t1 t1), t2 t2 returns ATR_DM
  (tc tc + t1 t1), (t2 t2 + 1) returns ATR_DM + ATR

In other words, during intervals counting that many clock cycles, either:
  the I/O line is seemingly not polled, or
  I/O interrupts are masked
I/O interrupts are masked
LeeGibling
10-22-2005, 11:19 AM
First of all, a result line generally looks like this
interval-1, interval-2 * 0x10, interval-3[-interval-diff-4]
interval-diff-4 means: A sudden slump of the combined value t1 t1 + t2 t2.
Consequently a hike of the execution time.
Applying a (ppppppp,h) partition of k2, 3 cases can be distinguished:

Partition (ppppppp,1):
Line 1 constantly starts with 0x0201, 0x006C, 0x8[...]
If (k2 != 0x03) then for each line the following rule applies:
(interval-2 + 1) * 0x10 == interval-diff-4

Partition (ooooooo,0) or value 0x03:
Line 1 constantly starts with 0x0201, 0x006C, 0x8[...]
For the combined interval values (aggregates marked blue) of
lines 1, 2 and for single line 3 the following rule applies:
(interval 2 + 1) * 0x10 == interval-diff-4

Partition (eeeeeee,0):
Line 1 constantly starts with 0x0201, (0x006C + X)
For each line the following rule applies:
(interval-2 + 1) * 0x10 == interval-diff-4

As a general rule of thumb, the more bits are set in k2:
  the longer the intervals in result-column-1
  the fewer 0x10 sized intervals are contained in result-column-2
On the other hand, the fewer bits are set in k2:
  the shorter the intervals in result-column-1
  the more 0x10 sized intervals are contained in result-column-2
LeeGibling
10-22-2005, 11:21 AM
k1: 0x00 for all
k2: 0x00 - 0x03
00 00: eeeeeee,0
0x1e36
0x0201, 0x01C3, 0x5 [-0x1C40]
--------------
00 01: ppppppp,1
0x08C9 + 0x156D
0x0201, 0x006C, 0x8[-0x06D0],
0x0107, 0x0146, 0x6[-0x1470]
--------------
00 02: ooooooo,0
0x08C9 + 0x0107 + 0x1466
0x0201, 0x006C, 0x8[-0x04E0],
0x000D, 0x000F, 0xA[-0x02F0],
0x02EA, 0x0117, 0xC[-0x1180]
----------
00 03: ppppppp,1
0x08C9 + 0x156D
0x0201, 0x006C, 0x8[-0x1180],
0x03F1, 0x0117, 0xC[-0x06D0]
k2: 0x04 - 0x07
00 04: ooooooo,0
0x08C9 + 0x03F1 + 0x117C
0x0201, 0x006c, 0x8[-0x04E0],
0x000D, 0x003e, 0x4[-0x05E0],
0x02EA, 0x00e9, 0x2[-0x0EA0]
----------
00 05: ppppppp,1
0x08C9 + 0x03F1 + 0x117C
0x0201, 0x006c, 0x8[-0x06D0],
0x0107, 0x002e, 0xA[-0x02F0],
0x02EA, 0x00e9, 0x2[-0x0EA0]
----------
00 06: eeeeeee,0
0x09D0 + 0x1466
0x0201, 0x007C, 0xF[-0x07D0],
0x05D4, 0x00E9, 0x2[-0x0EA0]
----------
00 07: ppppppp,1
0x08C9 + 0x156D
0x0201, 0x006c, 0x8[-0x06D0],
0x06DB, 0x00E9, 0x2[-0x0EA0]
k2: 0x08 - 0x0B
00 08: ooooooo,0
0x08C9 + 0x06DB + 0x0E92
0x0201, 0x006C, 0x8[-0x04E0],
0x000D, 0x006C, 0xE[-0x08C0],
0x02EA, 0x00BA, 0x8[-0x0BB0]
----------
00 09: ppppppp,1
0x08C9 + 0x06DB + 0x0E92
0x0201, 0x006c, 0x8[-0x06D0],
0x0107, 0x005D, 0x4[-0x05E0],
0x02EA, 0x00BA, 0x8[-0x0BB0]
----------
00 0A: eeeeeee,0
0x9D0 + 0x05D4 + 0x0E92
0x0201, 0x007c, 0xF[-0x07D0],
0x02EA, 0x002e, 0xA[-0x02F0],
0x02EA, 0x00BA, 0x8[-0x0BB0]
----------
00 0B: ppppppp,1
0x08C9 + 0x6DB + 0x0E92
0x0201, 0x006c, 0x8[-0x06D0],
0x03F1, 0x002E, 0xA[-0x02F0],
0x02EA, 0x00BA, 0x8[-0x0BB0]
k2: 0x0C - 0x0F
----------
00 0C: eeeeeee,0
0x0CBA + 0x117C
0x0201, 0x00AB, 0x9[-0x0AC0],
0x05D4, 0x00BA, 0x8[-0x0BB0]
----------
00 0D: ppppppp,1
0x08C9 + 0x03F1 + 0x117C
0x0201, 0x006c, 0x8[-0x06D0],
0x0107, 0x002E, 0xA[-0x02F0],
0x05D4, 0x00BA, 0x8[-0x0BB0]
----------
00 0E: ooooooo,0
0x08C9 + 0x107 + 0x1466
0x0201, 0x006C, 0x8[-0x04E0],
0x000D, 0x000F, 0xA[-0x02F0],
0x08BE, 0x00BA, 0x8[-0x0BB0]
----------
00 0F: ppppppp,1
0x08C9 + 0x156D
0x0201, 0x006C, 0x8[-0x06D0]
0x09C5, 0x00BA, 0x8[-0x06D0]
k2: 0x10, 0xFF
00 10: ooooooo,0
0x08C9 + 0x09C5 + 0x0BA8
0x0201, 0x006C, 0x8[-0x04E0]
0x000D, 0x009B, 0x8[-0x0BB0]
0x02EA, 0x008B, 0xE[-0x08C0]
------------------------------
00 FF: ppppppp,1
0x08C9 + 0x156C
0x0201, 0x006C, 0x8[-0x06D0]
0x156C, 0x0000, 0x0[-0x0000]
jimrod
10-30-2005, 08:06 AM
Sh*t Lee, I wish I could understand, but I don't. I read it a couple of times and it is impressive. Yes a whole different level, I like the way you think, just wish I had more college behind me. Thanks
sundeval
10-31-2005, 06:00 AM
If anyone is still out there trying to hack Dave: I've been looking for files to test and I can't find any. If anyone has info or files for DTV, let me know, as I'm going to have a lot of time this winter to test. I may not help at all, but I'm going to try.
LeeGibling
11-20-2005, 02:11 AM
@sundeval,
You may try to verify this with a T911 or T6 flashed with UL4S on a 00'd P4,
optionally changing k1 to other values than 0x00 and compare the results.
------------------------------------------------------------------
First of all, a reminder from a previous post (on another board). In the following text:
  hhhh stands for a bit value where only the highest bit set counts
  pppp stands for a bit value where odd/even parity counts
  eeee stands for a bit value with even parity
  oooo stands for a bit value with odd parity

If k1 == 0x00 and k2 == XX then,
the entire 0x1E36 cycles long interval is divided into 3 subintervals
of length (0x0201, 0x07CF, 0x1466):

  range 0x0000 - 0x0200: a 0x0201 long (probably RMS + 1 delimiter)

  range 0x0201 - 0x09CF: a 0x07CF long, depending on the pattern
  ppppppp,h of k2
    eeeeeee,0: divided into
      0x007C intervals of length 0x10
      + 1 remainder of length 0x0F
    ooooooo,0: divided into
      0x6C intervals of length 0x10
      + 1 remainder of length 0x8
      a single interval of length 0xD
      (probably the ATR after TS, + 1 delimiter)
      0x0f intervals of length 0x10
      + 1 remainder of length 0x0A
    ppppppp,1: divided into
      0x6C intervals of length 0x10
      + 1 remainder of length 0x8
      a single interval of length 0x0107

  range 0x09DF - 0x1E35: a 0x1466 long, equally divided into 7 * 0x02EA sized
  subintervals, each directly corresponding to the bits 1-7 of k2.
  If bit i is set, the interval is continuous, otherwise it is subdivided into 0x10
  cycle long intervals.

The combined value for t1 + t2 can be calculated the following way:
  continuous interval 0xD: 0xAF9E
  all other continuous intervals (i.e. those not belonging to 0x10 or
  to the remainder): 0xADAE
  intervals of length 0x10 including the remainder:
  value for the immediately preceding continuous interval (i.e. 0xADAE or 0xAF9E) +
  10 * (number of intervals of length 0x10 between the immediately preceding
  continuous interval, increased by 1)
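An added consistency check, not code from the thread: a Python model of the interval layout described in this post, folded into the (continuous interval, count of 0x10 intervals, remainder) lines of the 10-22-2005 table and compared with rows copied from that table. It assumes that bit 1 of k2 governs the first 0x02EA subinterval and that adjacent subdivided pieces merge into one result line, which is how the posted rows read.

```python
# Added example, not code from the thread: model of the 0x1E36 window (k1 == 0x00).
TOTAL = 0x1E36
HEAD = 0x0201   # first continuous interval (RMS + 1 delimiter)
MID = 0x07CF    # second region; its layout depends on k2's ppppppp,h pattern
SUB = 0x02EA    # each of the 7 subintervals governed by bits 1-7 of k2
POSTED = {      # rows copied from the 10-22-2005 table: (continuous, count of 0x10, remainder)
    0x00: [(0x0201, 0x01C3, 0x5)],
    0x02: [(0x0201, 0x006C, 0x8), (0x000D, 0x000F, 0xA), (0x02EA, 0x0117, 0xC)],
    0x06: [(0x0201, 0x007C, 0xF), (0x05D4, 0x00E9, 0x2)],
    0x0B: [(0x0201, 0x006C, 0x8), (0x03F1, 0x002E, 0xA), (0x02EA, 0x00BA, 0x8)],
    0x10: [(0x0201, 0x006C, 0x8), (0x000D, 0x009B, 0x8), (0x02EA, 0x008B, 0xE)],
}

def pattern(k2):
    """ppppppp,h classification: low bit h, then parity of the upper 7 bits."""
    if k2 & 1:
        return "ppppppp,1"
    return "ooooooo,0" if bin(k2 >> 1).count("1") % 2 else "eeeeeee,0"

def segments(k2):
    """(length, continuous?) pieces covering TOTAL cycles, in order."""
    segs = [(HEAD, True)]
    p = pattern(k2)
    if p == "eeeeeee,0":
        segs.append((MID, False))
    elif p == "ooooooo,0":   # 0x6C*0x10+8, a continuous 0xD, then 0xF*0x10+0xA
        segs += [(0x06C8, False), (0x000D, True), (0x00FA, False)]
    else:                    # 0x6C*0x10+8, then a continuous 0x0107
        segs += [(0x06C8, False), (0x0107, True)]
    for bit in range(1, 8):  # assumption: bit 1 governs the first 0x02EA piece
        segs.append((SUB, bool(k2 >> bit & 1)))
    return segs

def result_lines(k2):
    """Fold pieces into the post's lines: continuous interval, then the subdivided run as n*0x10 + remainder."""
    lines = []
    for length, cont in segments(k2):
        if cont and lines and lines[-1][1:] == (0, 0):
            lines[-1] = (lines[-1][0] + length, 0, 0)   # adjacent continuous pieces merge
        elif cont:
            lines.append((length, 0, 0))
        else:                                           # adjacent subdivided pieces merge
            c, n, r = lines[-1]
            run = n * 0x10 + r + length
            lines[-1] = (c, run // 0x10, run % 0x10)
    return lines

def matches_post(k2):
    """True when the model covers exactly 0x1E36 cycles and reproduces the posted row."""
    lines = result_lines(k2)
    return sum(c + n * 0x10 + r for c, n, r in lines) == TOTAL and lines == POSTED[k2]
```

The posted 0xFF row (0x08C9 + 0x156C) sums to 0x1E35 rather than 0x1E36 and is the one row this model does not reproduce; it yields 0x156D there.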
HotRodTodd
11-20-2005, 04:51 AM
:) Thanks Lee, for sharing your insight into some of the inner workings of the sle66 processor.
I do appreciate reading your findings. Hopefully someday soon it will not be such an elusive creature.
LeeGibling
11-21-2005, 05:21 PM
The interval 0x02EA mentioned above is 746 (dec). 746/2 == 373 == 372 + 1.
372/clk is a typical (ATR) ETU, aka Elementary Time Unit.