
ES3B V02 12 disassembly





about 68000 assembler

instructions have the format

mnemonic   srcoperand, dstoperand

so

add   d0, d1

means

d1 += d0

(this can be confusing when you are used to Intel-syntax x86 or ARM assembler, where the destination operand comes first; AT&T-syntax x86 uses the same source-first order as the 68000)

the 'q' in mnemonics means it is the 'quick' variant, which packs a small immediate into the instruction word itself: 1..8 for addq/subq (the 3-bit field encodes 8 as 0), and a signed -128..127 byte for moveq


devices

the hardware status list contains 21 entries (device numbers 0x00..0x14, one struc_device_status each, matching the 21 slots of struc_systeminfo below), for the following devices:

0 memory module 0
1 memory module 2
2 memory module 1
3 memory module 3
4 system .. or maybe external switches
5 pc uart
6 modem uart
7 lpt2
8 lpt1
9 eeprom
A ram
B modem
C display (operator display; devC_operatordisplay in struc_systeminfo)
D display (voter display, top; devD_voterdisplay_top)
E display (voter display, bottom; devE_voterdisplay_bottom)
F keyboard
10 blindenbediening (controls for blind / visually impaired voters)
11 power supply
12  ?
13  ?
14  ?

the bootup sequence

see ES3B Bootup Sequence

the menu system

see ES3B Menu System

random number generator

/*
 * genrandom -- the firmware's pseudo-random number generator.
 *
 * Advances the global `seed` (declared elsewhere; its width is not visible
 * in this listing) as seed = seed*1103515245 + 12345 -- the multiplier and
 * increment of the classic ANSI C rand() example LCG -- and returns bits
 * 16..30 of the new state, i.e. a 15-bit value in 0..0x7fff.
 *
 * Returns: next value of the sequence, 0..32767.
 *
 * Security note: this is a plain linear congruential generator. The output
 * is completely determined by the seed and is predictable from previous
 * outputs; it is usable as a fill pattern, not as a source of secrecy or
 * unpredictability.
 */
short genrandom() {
    /* step the LCG state in place; same result as the single-expression
       form, modulo whatever width `seed` has */
    seed *= 1103515245;
    seed += 12345;
    /* discard the weak low 16 bits, keep 15 bits (mask clears the sign bit) */
    return (short)((seed >> 16) & 0x7fff);
}

this is used to fill the unused space in the memory module between the candidate name strings and the vote store. Note that this is a deterministic LCG (the constants are those of the classic ANSI C rand() example), so the filler is fully determined by the seed and provides no unpredictability; treat it as a fill pattern, not as a security measure.

eeprom contents

functions manipulating the eeprom:

00014B38 write_byte_to_eeprom
00014B7E eeprom_erase_byte
00014F48 eeprom_erase
00014FA4 eeprom_write_deviceid
00014FEC eeprom_read_deviceid
00015014 write_eeprom
000150AC read_eeprom

Election types

0 OFF (UIT)
1 NORMAL (GEWOON)
2 STAGED (GETRAPT)
3 REFERENDUM

Vote results

1 GESTEMD (voted)
2 GESTEMD ZONDER KEUZE (voted without making a choice -- presumably a blank vote)
3 GEKOZEN (chosen)
4 VRIJ VOOR KIEZEN (free to vote)
5 GEKOZEN VOOR ANDERE VERKIEZING (chosen for another election)
6 GEKOZEN VOOR PARTIJ (chosen for a party)
7 GEKOZEN VOOR KANDIDAAT (chosen for a candidate)

Machine type

0 stem machine
1 reader/writer unit

modes (0x00405F6C)

0
1 standby/fout (standby / error)
2
3 verkiezing (election, i.e. voting)
4 uitslagen / functies (results / functions)
5  ?
6 service mode
7 rwunit (reader/writer unit, cf. machine type 1)
8 demo

Remote commands

see Serial Communications Protocol for the wire format and for how (or whether) these commands are gated. The handler list below contains both state-changing commands (cmd_L_reinit_memmodule, cmd_P_set_sys_params, cmd_U_set_election_type / cmd_W_set_electiontype, cmd_Y_set_moduletype) and a disclosure primitive (cmd_R_hexdump_memory), so whatever authentication that protocol applies is the security-relevant part. Note the letter collisions in the recovered names: K is handled by both cmd2_K_add_cand_to_list and cmd_K_add_candidate, and both U and W are named as setting the election type.

000002B0 cmd_N_event_history
0000034A cmd_O_error_history
000003E4 cmd_D_read_candidate_info
000004A2 cmd_E_read_candidate_entry
000005C4 cmd_I_set_votingdate
000006CA cmd_J_set_cand_list_numbers
0000082C cmd2_K_add_cand_to_list
00000934 cmd_K_add_candidate
00000A7A cmd_M_set_election_name
00000BB6 cmd_L_reinit_memmodule
00000C34 cmd_Q_duplicate_module
00000CF4 cmd_T_get_electiontype
00000D0C cmd_U_set_election_type
00000D52 cmd_V_select_prog_slot
00000DA6 cmd_W_set_electiontype
00000E56 cmd_X_moduletype
00000EAA cmd_Y_set_moduletype
00000F54 cmd_A_read_machine_config
0000100E cmd_B_machine_status
00001144 cmd_C_module_info
0000130A cmd_H_vote_closed_state
00001364 cmd_P_set_sys_params
00001470 cmd_R_hexdump_memory
00001502 cmd_F_list_totals
000015E8 cmd_G_candidate_totals

the memory module

see Memory Module Content

structures used in the disassembly

00000000 struc_menuentry struc ; (sizeof=0x12)  ; one entry of a menu table: where to draw (display, row, column) and what (string)
00000000 id:             dc.b ?                  ; entry identifier
00000001 whichdisplay:   dc.b ?                  ; display the entry is shown on (cf. devC..devE in struc_systeminfo)
00000002 row:            dc.l ?                  ; 32-bit row/column as recovered by the disassembler, even though displays are small
00000006 column:         dc.l ?
0000000A field_A:        dc.l ?                  ; purpose not yet identified
0000000E displaystring:  dc.l ?                  ; offset -- of the display string, presumably relative to a table base; not a pointer (TODO confirm)
00000012 struc_menuentry ends
00000012
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 struc_electioninfo struc ; (sizeof=0x8) ; per-election bookkeeping record
00000000 field_0:        dc.b ?                  ; not yet identified
00000001 field_1:        dc.b ?                  ; not yet identified
00000002 active:         dc.b ?                  ; presumably nonzero when this election slot is in use -- TODO confirm
00000003 field_3:        dc.b ?                  ; not yet identified
00000004 totalvotes:     dc.l ?                  ; 32-bit vote count for this election (per the recovered name)
00000008 struc_electioninfo ends
00000008
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 struc_uart_info struc ; (sizeof=0x2A)   ; per-UART descriptor (pc uart and modem uart, devices 5 and 6)
00000000 controlregister:dc.l ?                  ; 32-bit values, presumably addresses of the memory-mapped UART registers -- TODO confirm
00000004 statusregister: dc.l ?
00000008 dataregister:   dc.l ?
0000000C ctlval_startsending:dc.b ?              ; control-register value written to start transmitting
0000000D ctlval_stopsending:dc.b ?               ; control-register value written to stop transmitting
0000000E txbuffer:       dc.l ?                  ; transmit buffer: base, size, read-out pointer, current character
00000012 txbuffersize:   dc.l ?
00000016 txoutptr:       dc.l ?
0000001A txchar:         dc.w ?
0000001C rxbuffer:       dc.l ?                  ; receive buffer base
00000020 maxrxbuffer:    dc.l ?                  ; NOTE(review): this is the bound that matters for serial (remote-command) input;
00000024 rxbuffersize:   dc.l ?                  ;   whether the receive path enforces it is not visible in this listing
00000028 rxdata:         dc.w ?                  ; last received data word
0000002A struc_uart_info ends
0000002A
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 struc_votelight_state struc ; (sizeof=0xE) ; state machine for the vote light
00000000 curstate:       dc.b ?                  ; current state
00000001 togglevalue:    dc.b ?                  ; value toggled on state change (per the recovered name)
00000002 timeoutval:     dc.l ?                  ; timeout length
00000006 t_statechange:  dc.l ?                  ; presumably the tick count at the last state change -- TODO confirm
0000000A countdown:      dc.l ?                  ; remaining time before the next change
0000000E struc_votelight_state ends
0000000E
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 struc_scanstate struc ; (sizeof=0x8)    ; matrix scan state, presumably for the keyboard (device F) -- TODO confirm
00000000 outline:        dc.b ?                  ; output (drive) line currently selected
00000001 inline:         dc.b ?                  ; input (sense) line
00000002 t_change:       dc.l ?                  ; time of the last change, presumably for debouncing -- TODO confirm
00000006 state:          dc.w ?                  ; scan state word
00000008 struc_scanstate ends
00000008
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 struc_bfffff_values struc ; (sizeof=0x3) ; shadow of the bits written to the register at 0xBFFFFF (name-based inference -- TODO confirm)
00000000 uartbits:       dc.b ?                  ; UART-related bits
00000001 pieperflag:     dc.b ?                  ; beeper ("pieper") flag
00000002 lpt1_control_values:dc.b ?              ; control bits for printer port 1
00000003 struc_bfffff_values ends
00000003
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 struc_printer_info struc ; (sizeof=0x28) ; two identical 0x14-byte halves: lpt1 at 0x00, lpt2 at 0x14
00000000 lpt1_rdptr:     dc.l ?                  ; output buffer read pointer
00000004 lpt1_wrptr:     dc.l ?                  ; output buffer write pointer
00000008 lpt1_overflow:  dc.b ?                  ; set when the buffer overflowed (per the recovered name)
00000009 lpt1_field_9:   dc.b ?                  ; not yet identified
0000000A lpt1_freespace: dc.l ?                  ; bytes free in the buffer
0000000E lpt1_initialized:dc.b ?                 ; nonzero once the port has been initialized
0000000F lpt1_field_F:   dc.b ?                  ; not yet identified
00000010 lpt1_field_10:  dc.l ?                  ; not yet identified
00000014 lpt2_rdptr:     dc.l ?                  ; lpt2 half: same layout as lpt1 shifted by 0x14
00000018 lpt2_wrptr:     dc.l ?
0000001C lpt2_overflow:  dc.b ?
0000001D lpt2_field_9:   dc.b ?                  ; name keeps the lpt1 offset (actual offset 0x1D)
0000001E lpt2_freespace: dc.l ?
00000022 lpt2_initialized:dc.b ?
00000023 lpt2_field_F:   dc.b ?                  ; actual offset 0x23
00000024 lpt2_field_10:  dc.l ?                  ; actual offset 0x24
00000028 struc_printer_info ends
00000028
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 struc_scanned_key struc ; (sizeof=0xA)  ; a key found by the matrix scan
00000000 keytype:        dc.w ?                  ; kind of key
00000002 row:            dc.l ?                  ; matrix position; 32-bit fields as recovered by the disassembler
00000006 column:         dc.l ?
0000000A struc_scanned_key ends
0000000A
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 struc_systeminfo struc ; (sizeof=0xD2)   ; hardware status list: 21 x struc_device_status (0xA bytes each); order matches the devices list above
00000000 dev0_module0:   struc_device_status ?   ; memory modules 0..3 (note the 2/1 ordering of slots 1 and 2)
0000000A dev1_module2:   struc_device_status ?
00000014 dev2_module1:   struc_device_status ?
0000001E dev3_module3:   struc_device_status ?
00000028 dev4_system_state:struc_device_status ? ; "system .. or maybe external switches"
00000032 dev5_pcuart:    struc_device_status ?   ; serial port to the PC (remote-command channel)
0000003C dev6_modemuart: struc_device_status ?
00000046 dev7_lpt2:      struc_device_status ?
00000050 dev8_lpt1:      struc_device_status ?
0000005A dev9_eeprom:    struc_device_status ?
00000064 devA_ram:       struc_device_status ?
0000006E devB_modem:     struc_device_status ?
00000078 devC_operatordisplay:struc_device_status ?
00000082 devD_voterdisplay_top:struc_device_status ?
0000008C devE_voterdisplay_bottom:struc_device_status ?
00000096 devF_keyboard:  struc_device_status ?
000000A0 dev10_blinden:  struc_device_status ?   ; controls for blind voters
000000AA dev11_power:    struc_device_status ?
000000B4 dev12:          struc_device_status ?   ; devices 0x12..0x14 not yet identified
000000BE dev13:          struc_device_status ?
000000C8 dev14:          struc_device_status ?
000000D2 struc_systeminfo ends                   ; struc_device_status itself is defined further down in this listing
000000D2
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 struc_display_timeouts struc ; (sizeof=0xC) ; display timeout record; most fields not yet identified
00000000 field_0:        dc.w ?                  ; not yet identified
00000002 timerval:       dc.l ?                  ; timer value
00000006 field_6:        dc.l ?                  ; not yet identified
0000000A field_A:        dc.w ?                  ; not yet identified
0000000C struc_display_timeouts ends
0000000C
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 struc_device_status struc ; (sizeof=0xA) ; one entry of the hardware status list (21 of these in struc_systeminfo)
00000000 field_0:        dc.w ?                  ; not yet identified
00000002 field_2:        dc.w ?                  ; not yet identified
00000004 status:         dc.w ?                  ; device status word (reported by cmd_B_machine_status? -- TODO confirm)
00000006 field_6:        dc.w ?                  ; not yet identified
00000008 field_8:        dc.w ?                  ; not yet identified
0000000A struc_device_status ends
0000000A
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 struc_candidate_info struc ; (sizeof=0x54) ; one candidate record (read back by cmd_D/cmd_E, written by the cmd_K handlers per their names)
00000000 keycolumn:      dc.b ?                  ; position of the candidate's key on the voting panel (presumably)
00000001 keyrow:         dc.b ?
00000002 partynr:        dc.b ?                  ; party number
00000003 candidatenr:    dc.b ?                  ; candidate number within the party
00000004 name:           dc.b 80 dup(?)          ; fixed 80-byte name field. NOTE(review): the bound check on the serial add-candidate path,
                                                 ;   and whether the name is NUL-terminated or padded, are not visible in this listing
00000054 struc_candidate_info ends
00000054