Vakumat 500 Dental Vacuum Furnace
I obtainted a non-working Vakumat 500 dental vacuum furnace, and thought it would be fun to see what it takes to get it working. The control panel is missing, but it's connected via a DB9 connector - so my guess was that it probably uses a serial line. Maybe I can just extract the firmware, look at what the commands look like and make a replacement control panel?
1: Opening and Mechanical
The furnace itself came with some mechanical damage from shipping. I bent it back in shape at best as I could after removing the outer covers.
This is what it is supposed to look like when new, though:
And here is what the inside of mine looks like now:
Some cosmetic parts are going to be hard to get back into shape:
The way this furnace works, is that you place the part to be fired onto a pedastal and this is then moved into place using a motor. First, I checked that the motor still functions and is able to open and close the furnace, which checked out. Then I looked at the electronics and the brains of this operation is a Philips P80C552EBA
This particular micro does not have internal ROM, which means we should be able to get its program from an external chip. This chip is right next to it, an AM27C512 EPROM - made in 1986...
I temporarily extracted an Arduino Mega 2650 from a 3D printer - because I don't have an EPROM dumper and that is the only board I have on hand capable of the 5V levels necessary to drive this chip and sufficient number of pins. The program to extract the data is simple in principle, but even simpler in practice because someone else already wrote it for me :
To check that the data comes back properly, I read it twice. Let's look at the returned data in Meld:
Ugh! There is clearly some corruption in the ROM. Some data comes back differently every time I read it, but some data comes back consistently. I checked the connections, made sure all values from 0-255 are returned at least once. This proves that all the data lines are connected. I also made sure that there is not some sort of repetitive data coming back. That proves that all the address lines are connected. Lets check if at least some of the data is ok. First turn the text version of the hex data into an actual binary:
And then open the result in a hex editor:
Ok, we can see the copyright string and date. This gives us some confidence that the whole process was carried out correctly and the ROM truly is corrupted.
I contacted VITA Gmbh via their facebook page, not expecting much help. They were quite friendly and asked me for my email address, which I gave to them, again expecting things to stop there. To my surprise I got a response from their "Head of VITA Furnace After Sales Department and Furnace Production"
Wow, that is pretty nice. I contacted the reseller for my region to see if they can provide me with this chip and how much it would cost. If I can get this, then I will try the disassembly one more time. If not, I guess I'll figure out what the original circuit board does and make my own.
3: Distributor does not answer.
Well, the local distributor did not answer my question. But also, I started having doubts about my ROM dumping setup, and so I decided to buy a ROM reader that supports these chips - TL866.
This resulted in consistent, apparently error-free ROM dumps! Yay!
4: Not error free after all...
While the dumps from the TL866 provided the same binary every time, and the disassembly made a lot of sense, there were some code sections that made no sense at all.
There were a number of accesses of the type SUBB A,DAT_SFR_92 which access SFR 0x92. This register is not documented anywhere in the datasheets covering this chip. The binary ninja forum is awesome., as both amtal and zino made some very helpful comments in response to a question about this SFR.
Amtal pointed out the following:
Where there is a clear mistake when accessing bit 5. Also he says the nonsensical code usually look like errors in a lot of 5s and 3s in the low nibble.
zino pointed out "If you suspect rotting it's time to dump it at a few slightly lower voltages and see if it gets better.". This is a trick I did not know anything about. Apparently there is a programmer that can vary voltage and timing to attempt to read bad ROMs, the Glasgow
which was not available due to global chip supply issues. However, I can easily replace the voltage supply between the Vcc chip pin and the TL866 with a bench power supply and vary the voltage. Also, it turns out that I have another ROM reader that I got for a different project that also supports this chip, the RT809H.
So I tried this first. This appeared to produce an error free ROM (again). The remaining errors in the vertical bar in Ghidra all went away, though, so it's a good guess that the ROM is OK now: