Casio PocketViewer

Found one of these beauties on Vatera for real cheap, wanna do some homebrew for them: Pocket Viewer - Wikipedia

1. Disassembly

Not as simple as I first thought. But disassembly also wouldn't get me better access to the port. Sooo, pins it is.

pictures of the inside of one model

Finally carefully disassembled it. I used a blunt disassembly scalpel for most of it. The back panel has small plastic tabs with slits in them that the protrusions on the tabs of the front panel slot into.

1.1. steps

  1. Start disassembly by taking off all the screws on the back. Also take out the stylus from its holder.
  2. There is a switch on the top that you can probably move with a thick pin or a ballpoint pen or one of those SIM tray removers that smartphones have. It requires a bit of force to move. It holds one side of the front flap's hinge. Once moved, the cover flap should fall off, making disassembly a lot easier.
  3. Use a disassembly scalpel and start from the bottom. Work on both sides, don't try to force one side on its own. On the side with the pen you can get leverage by putting the scalpel head against the pen holder's edge. Your goal is not to force the scalpel between the panels, but to gently flex the rear panel inside, so its connection flaps slide off.

2. Hardware

2.1. serial port

10 pins, hard to access without proper connector.

Oh, there seem to be 8 pins on the "back" of the PCB (the side on the front of the device) with 9 test pads. These are rather easily accessible.

Pins, right to left (because I'm looking at it from the back): G98765G321

2.2. buttons, switches, mysteries

2.2.1. SW101

One of two round button pads on the PCB, resets the system to a factory default, likely by erasing a portion of flash.

2.2.2. SW102

The other round pad, labeled only as "P" on the back. Weirdly, it has a corresponding hole on the back, similar to the reset button, but there is no rubber dome and contact pad installed. Either it was removed by a previous owner or it's a vestigial feature that didn't make it into production.

2.2.3. SW103

There is the large battery replacement switch with big pads on the PCB, which presumably engage some capacitors so the system doesn't lose power while the new battery is inserted.

2.2.4. SW104

There is a hole on the back of my model where a switch would probably go, but it's taped over. Quite mysterious. There is definitely a switch on the PCB that matches it. Maybe another vestigial feature?

2.2.5. SW105

The thumb switch on the side, technically three switches. (up, down, click)

3. Important notes

Don't try to directly wire it to PC RS-232 port! Voltage levels are different! see build your own cable section, but this is for the diary models

4. community, links

4.1. link collection

I need to find archived copies of these.

4.2. pocketviewer.de

last archived version of pocketviewer.de Owner was still reachable 3 years ago, might still be.

4.3. pocketviewer.com

4.4. pocket-viewer

this site is still live in 2022!!! holy shit.

5. People

Fabio Fumi runs one of the last active Pocket Viewer sites.

6. Software

6.2. klaumit's stuff

6.2.2. GitHub - klaumit/CasioPocketEmu: Emulator for CASIO Pocket Viewer models

WIP emulator? Only has tests so far. Also has a bunch of apps!

7. SDK

There is an official SDK for Windows that seems to work fine in Wine.

latest SDK download from Casio (still online!)

other SDKs (seems to just be translations)

http://web.archive.org/web/20130302101001/https://world.casio.com/pv/download/en/ Can also extract files from the installers with a combination of unrar and unshield.

7.1. PV-S660/PV-S460/PV-S450/PV-S250/PV-450X/PV-250X/PV-750Plus/PV-750 SDK

7.2. PV-S460 and S660

7.3. PV-750Plus and 750 Users

8. Reverse engineering

8.1. tools

8.1.1. Ghidra

  1. 16-bit support
    1. 2021 RE SE question

      https://reverseengineering.stackexchange.com/questions/27273/where-to-start-analyzing-a-16-bit-dos-program

      In my experience, the GHIDRA decompiler output on segmented 16-bit executables is mediocre. I don't think I tried other decompilers on 16-bit executables seriously, yet.

8.2. compiler

Calling convention: file:///home/raingloom/Projects/Pocket%20Viewer/wine/drive_c/LSIJ/LSIC86pv/LSIC86MAN/chapter6x.html

Regardless of the memory model, the function, which is called up, does not break values in registers SS, CS, SP, BP, DI, SI, DX, and CX.    If necessary, the data in the registers is pushed to the stack area at the beginning of the function, and then popped at the last to restore the data in the registers.

8.3. hex format

$ hexdump wine/drive_c/CASIO/PV2EM02/C/BIN/pvforth.bin | head
0000000 ff00 4143 4953 034f 345a 3838 3130 3030
0000010 0101 08ff 5650 6f46 7472 0068 ffff ffff
0000020 ffff ffff 0714 0000 3032 3432 3730 3431
0000030 3132 3132 3130 3030 3032 3030 3230 3531
0000040 3930 3034 3130 3030 0610 0000 06c0 0000
0000050 ffff ffff ffff ffff ffff ffff ffff ffff
*
0000100 00b8 8e19 b8c0 8016 d88e f633 00bf b900
0000110 04a4 f3fc 06a4 bf1f 04a4 a4b9 2b04 32cf
0000120 f3c0 bbaa 0800 00b8 2b08 76c3 8b1c c1c8
$ head CASIO/PV2EM02/C/pvforth/obj/pvforth.hex
:0200000280007C
:1000000000FF434153494F035A34383830313030C0
:100010000101FF08FFFFFFFFFFFFFFFFFFFFFFFFE3
:10002000FFFFFFFF14070000323032343037313425
:1000300032313231303130303230303030323135AF
:10004000303934303031303010060000C006000046
:10005000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB0
:10006000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA0
:10007000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF90
:10008000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80
;; header?
:0200000280007C
;address  data                             ??
:10000000 00FF434153494F035A34383830313030 C0
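
The .hex listing has the shape of Intel HEX, and its trailing bytes check out as that format's checksums. The following is an added example (not SDK code and not part of the original notes) that parses records copied from the listing above: the type 02 record sets a segment base of 0x8000, and the last byte of every record is the two's-complement checksum. `SAMPLE_HEX` and the function names are chosen here for illustration.

```python
# Added example: minimal Intel HEX reader, run on records copied from the listing above.
SAMPLE_HEX = """\
:0200000280007C
:1000000000FF434153494F035A34383830313030C0
:100010000101FF08FFFFFFFFFFFFFFFFFFFFFFFFE3
:10002000FFFFFFFF14070000323032343037313425
"""

def parse_record(line):
    """Return (record_type, offset, data) for one ':' line, verifying its checksum."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("record must start with ':'")
    raw = bytes.fromhex(line[1:])
    if len(raw) < 5 or len(raw) != raw[0] + 5:
        raise ValueError("byte count does not match record length")
    # Count, address, type, data and the final checksum byte sum to 0 mod 256.
    if sum(raw) & 0xFF:
        raise ValueError("bad checksum")
    return raw[3], int.from_bytes(raw[1:3], "big"), raw[4:-1]

def load_hex(text):
    """Return {linear_address: byte}; handles record types 00, 01 and 02 only."""
    image, base = {}, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rtype, offset, data = parse_record(line)
        if rtype == 0x00:      # data record
            for i, value in enumerate(data):
                image[base + ((offset + i) & 0xFFFF)] = value
        elif rtype == 0x01:    # end of file
            break
        elif rtype == 0x02:    # extended segment address: base = segment * 16
            base = int.from_bytes(data, "big") << 4
        else:
            raise ValueError(f"unsupported record type {rtype:02X}")
    return image

if __name__ == "__main__":
    image = load_hex(SAMPLE_HEX)
    start = min(image)
    print(f"first byte at linear {start:#07x}")
    print(bytes(image[start + i] for i in range(2, 7)))
```
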

8.4. BIOS

Has a lot of duplicated strings. References multiple serial port speed settings. Seems to support flashing and checksumming of partitions. Has a bunch of self tests.

8.4.1. memory map

Looking at the memory dump in the simulator to figure out where the BIOS is loaded. Hmm, there are memory banks? Let's use the simulator's search to find the offset. Hmm, string search didn't turn anything up. Wow the hex viewer in the simulator is buggy as fuck. Okay, paused sim, clicked the run/reset, looks like it starts at ffff:0000 (ffff0). Hmm, but its contents are not in BIOS.000. Oh I was using the wrong search function. Shoulda used search/memory in big endian mode.

The first instruction is this, it comes from NC3022.BIN at offset 0ff0.

2eff2e0500 jmp far cs:[0005]

which is an indirect far jump using an address from ROM: F0:F0 which is the MOV AX,0xf000 from the beginning of NC3022.BIN, so we know that's supposed to be mapped to F0:F0 (ff0)
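
The address arithmetic behind that reset jump, as an added example that is not part of the original notes. It assumes only what is stated above (execution starts at ffff:0000, the first instruction sits at file offset 0ff0 of NC3022.BIN, the file is ff9 bytes long) plus the real-mode rule linear = segment * 16 + offset. The ROM contents are a constructed stand-in, and the far pointer placed in it is a placeholder, not the real value.

```python
# Added example: real-mode address arithmetic for the reset jump described above.
RESET_CS, RESET_IP = 0xFFFF, 0x0000   # reset state seen in the simulator (ffff:0000)
ENTRY_FILE_OFFSET = 0x0FF0            # page: first instruction's offset in NC3022.BIN
ROM_SIZE = 0x0FF9                     # page: size of NC3022.BIN

def linear(seg, off):
    """Real-mode physical address: segment * 16 + offset, wrapped to 20 bits."""
    return ((seg << 4) + off) & 0xFFFFF

def rom_base():
    """Linear address of file offset 0, so ENTRY_FILE_OFFSET lands on the reset address."""
    return linear(RESET_CS, RESET_IP) - ENTRY_FILE_OFFSET

def follow_reset_jump(rom, base):
    """Decode 'jmp far cs:[disp16]' (2E FF 2E lo hi) at the reset address, read its target."""
    at = linear(RESET_CS, RESET_IP) - base
    insn = rom[at:at + 5]
    if len(insn) != 5 or insn[:3] != b"\x2e\xff\x2e":
        raise ValueError("no CS-prefixed indirect far jump at the reset address")
    disp = int.from_bytes(insn[3:5], "little")
    ptr = linear(RESET_CS, disp) - base          # file offset of the far pointer
    if not 0 <= ptr <= len(rom) - 4:
        raise ValueError("far pointer lies outside this ROM image")
    off = int.from_bytes(rom[ptr:ptr + 2], "little")       # offset word comes first
    seg = int.from_bytes(rom[ptr + 2:ptr + 4], "little")   # then the segment word
    return ptr, seg, off, linear(seg, off)

def sample_rom(target_seg, target_off):
    """Constructed stand-in for NC3022.BIN: 0xFF filler, the page's five instruction
    bytes at 0xFF0, and a placeholder far pointer (not the real ROM's value)."""
    rom = bytearray(b"\xff" * ROM_SIZE)
    rom[0xFF0:0xFF5] = bytes.fromhex("2eff2e0500")
    rom[0xFF5:0xFF9] = target_off.to_bytes(2, "little") + target_seg.to_bytes(2, "little")
    return bytes(rom)

if __name__ == "__main__":
    base = rom_base()
    ptr, seg, off, lin = follow_reset_jump(sample_rom(0xFF00, 0x0000), base)
    print(f"ROM base {base:#x}, pointer at file offset {ptr:#x}")
    print(f"jump target {seg:04X}:{off:04X} = linear {lin:#x}")
```

With these inputs the far pointer occupies file offsets 0xff5 to 0xff8, which is exactly the last four bytes of a 0xff9-byte file.
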

8.4.2. TODO figure out what to set CS to in NC3022.BIN in Ghidra so that it decodes the indirect far jump correctly

8.4.3. initialization

IO calls:

in al 13

out 10 ax

oh, for some reason the call instructions are treated as calls in gdb and instruction stepping doesn't enter the function

same for loop calls

there are a bunch of nop loops, probably for sleep

hmm, what are the 6 banks and why does bank6 get set to 1000?

hmmmM, we can use the SIM3022 project settings to determine where chips are mapped in memory, i think…

oh, right, and that is also what shows which chip corresponds to which ROM file

Ahha, here is the:

8.5. chip config for the S260 model

8.5.1. config file

[CSGROUP0]
CHIPNAME0=SRAM
CHIPFILE0=SIM\Sram.bin
CHIPPROGAREA0=0
CHIPOFFSET0=0
CHIPKIND0=0
CHIPCODE0=
CHIPBUS0=8
[CSGROUP2]
CHIPNAME0=DD
CHIPFILE0=
CHIPPROGAREA0=0
CHIPOFFSET0=0
CHIPKIND0=5
CHIPCODE0=
CHIPBUS0=8
[CSGROUP5]
CHIPNAME0=SYSTEM00
CHIPFILE0=BIOS\BIOSBIN.00
CHIPPROGAREA0=0
CHIPOFFSET0=0
CHIPKIND0=1
CHIPCODE0=
CHIPBUS0=8
CHIPNAME1=Applications
CHIPFILE1=C\Bin\APLALL.BIN
CHIPPROGAREA1=0
CHIPOFFSET1=20000
CHIPKIND1=1
CHIPCODE1=
CHIPBUS1=8
CHIPNAME2=DUALFLASH
CHIPFILE2=Sim\DUFLASH32.BIN
CHIPPROGAREA2=200000
CHIPOFFSET2=0
CHIPKIND2=2
CHIPCODE2=MBM29DL324B
CHIPBUS2=16
CHIPNAME3=SAMPLE
CHIPFILE3=C\Bin\SAMPLE.BIN
CHIPPROGAREA3=0
CHIPOFFSET3=140000
CHIPKIND3=1
CHIPCODE3=
CHIPBUS3=8
[_INSIDE]
CHIPNAME0=INROM00
CHIPFILE0=SIM\inside\NC3022.BIN
CHIPPROGAREA0=0
CHIPOFFSET0=f000
CHIPKIND0=1
CHIPCODE0=
CHIPBUS0=8
CHIPNAME1=INVRAM
CHIPFILE1=SIM\INSIDE\Invram.bin
CHIPPROGAREA1=0
CHIPOFFSET1=0
CHIPKIND1=0
CHIPCODE1=
CHIPBUS1=8
CHIPNAME2=INRAM
CHIPFILE2=SIM\INSIDE\Inram.bin
CHIPPROGAREA2=0
CHIPOFFSET2=e000
CHIPKIND2=0
CHIPCODE2=
CHIPBUS2=8

8.6. serial protocol

  • 9600 baud
  • output: 000000010000020000020101
  • PVM

Based on Ghidra decompilation.

// what unit? (the field names match Win32 COMMTIMEOUTS, whose timeouts are in milliseconds)
timeout_settings.ReadIntervalTimeout = 200;
timeout_settings.ReadTotalTimeoutMultiplier = 0;
timeout_settings.ReadTotalTimeoutConstant = 200;
timeout_settings.WriteTotalTimeoutMultiplier = 0;
timeout_settings.WriteTotalTimeoutConstant = 10000;

9. SIM3022

This is the simulator used to simulate all PV models. It seems to be same for all SDKs, just with different project files for different hardware configs.

9.1. files (SIM/)

9.1.1. ddconfig.ini

LCD simulator config

9.2. Chips

9.2.1. SIM\Sram.bin (CS0)

200000 size.

9.2.2. DD (CS2)

Memory IO, only chip not backed by any file.

9.2.3. CS5 chips

  1. BIOS\BIOSBIN.00

    Sim config calls it SYSTEM00. Seems to contain the genuine BIOS, with self-checks, serial comms, flashing, flash checksumming, etc. Configured as ROM. Offset: 0

  2. C\BIN\APLALL.BIN

    Offset: 00020000 (what's that in segment:offset?) Has all the default apps, I think.

  3. Sim\DUFLASH32.BIN

    Dual (port?) flash, a NOR flash chip, MBM29DL324B model, 16 bit connection, 00200000 program area size. 400000 size. (hex?)

  4. C\Bin\SAMPLE.BIN

    Sample app, offset 140000, ROM.

9.2.4. inside ROM chips

  1. SIM\inside\NC3022.BIN

    Some kind of ROM? Load offset f000. This is what has the startup code! ff9 size.

  2. SIM\INSIDE\Invram.bin

    RAM, probably NVRAM to be precise, load offset 0. 2680 size.

  3. SIM\INSIDE\Inram.bin

    RAM, load offset e000. 180 size.

10. Programming

10.1. general 8086 programming

Looks like I can't use dev86 because it doesn't understand the OMF object format, gonna have to use the official SDK.

10.3. addin format

startup.obj is the starting point, the linker uses it to create the flat binary, this is where things like C_INIT_ come from.

_DEF_FPE_ is pointed to by _fpe_handler_ in startup.obj

11. specs

11.1. CPU

V30 processor (i80186 compatible) running at 20MHz (which means good old 64KB segmentation)

25 MHz according to simulator. (S250)

11.2. LCD

160x160 pixels with 1-bit "color" depth ;) touch-screen

70 Hz V-Sync according to simulator. (S250)

11.3. 4MB or 6MB flash memory (used as RAM sometimes) and 128KB RAM for dynamic application loading (where the application actually runs)

11.4. Casio OS developed by Casio specially for Pocket Viewer family of PDAs

There was also a SuperH based model late in the product line.

Author: Csepp

Created: 2025-01-22 Wed 04:20
