Robopanda Hacks and mods

281 posts / 0 new
Last post
sevik
sevik's picture

heh :))

http://sevik.org/robopanda/panda.avi

cartridge contents: http://sevik.org/robopanda/test_mover.bin

cartridge source:

index 0x1000
cx_offset 0xC
#audio 1 a.aud
audio 1 dump_cartridge_black/00026.aud
audio 2 dump_cartridge_black/00017.aud

# ======== mover initialization from nvram presets ===========
# load data from nvram 00..15 to globals @10..25 (procedure at 05E7 in black carttridge, chunk from 05F5)
code A800   #              set       $00, #00             // set local 00 to 00
            #       L20_15:                                // xrefs: 05FC
code 2D00   #              push      $00                  // push local 00 to stack
code 0E16   #              cmp       #16                  // pop value from stack and compare with arg
code F009   #              rjump_f0  L20_18               // conditional jump to 0602
code E003   #              rjump     L20_17               // jump to 05FD
            #       L20_16:                                // xrefs: 0601
code 2EC0   #              inc       $00                  // increment local 00 and push old value to stack
code 297E   #              drop                           // pop and drop value from stack
code E7FA   #              rjump     L20_15               // jump to 05F6
            #       L20_17:                                // xrefs: 05F9
code 2D00   #              push      $00                  // push local 00 to stack
code 292A   #              nvram_read                      // pop nvram addres from stack, read and put result on stack
code 2D00   #              push      $00                  // push local 00 to stack
code 2510   #              pop       @0010+               // pop offset from stack, pop global 00E7+offset from stack
code E7F9   #              rjump     L20_16               // jump to 05FA
            #       L20_18:                                // xrefs: 05F8

# init mover from @10
code 0010        #     push #10
code 2935        #     init_mover

# set volume to 8
code 0008      #  push #08
code 291A      #  volume

# play audio 1 ("Yes")
code 0001      #  push #01
code 2928      #  play
code 2923      #  play_wait

#move
code 0001        #     push #1
code 292F        #     move

# play audio 2 ("Most likely")
code 0002      #  push #02
code 2928      #  play
code 2923      #  play_wait

#dead loop
code 0000      #  push #0
code 297E      #  drop
code E7FE      #  jump .-2

mover 610a 710a 08aa 18aa 287a 387a f002 f004 f005 000a 407a 507a f005 00b4 f00a # proper sitting initial state

sevik
sevik's picture
sevik
sevik's picture

basic mover codes:


 0AAA B00C CCCC DDDD - move motor AAA to position CCCCC with speed DDDD, meaning of B is not clear

    motors:
      0 - left hand up-down
      1 - right hand up-down
      2 - left foot up-down
      3 - right foot up-down
      4 - left hand forward-back
      5 - right hand forward-back
      6 - head up-down
      7 - head left-right

    useful speeds seems to be in range 2-10

milw
milw's picture

Cool. Do you think we could actually make Robopanda walk?! ;)
hm, couldn't see the video in your avi above? (is there a video track, or just audio?)

sevik
sevik's picture

I think it will be hard to make it walk due to physical constraints :))

With video - it has video and audio track... will check on WMP...

sevik
sevik's picture

grr, it works in media player classic and mplayer, but not in windows media player...

Will convert to some windows-friendly format :))

sevik
sevik's picture

recoded to windows media format:

http://sevik.org/robopanda/panda.wmv

sevik
sevik's picture
sevik
sevik's picture

Updated emulator to version based on universal decoder (one bytecode decoder for unbuild.py and emu.py).

Also fully emulated stack, locals, globals and spi_read.

Updated emulogs tarball with cartridge sources decoded with new decoder and emulator log for training trace (first 62ms for now).

http://sevik.org/robopanda/robopanda_tools-200807220047.tar.gz
http://sevik.org/robopanda/robopanda_emu_logs-200807220047.tar.gz

sevik
sevik's picture

Short introduction on programming model of Robopanda

From programmer point of view robopanda cartridge contains 3 types of information:

CPU program
Audio fragments
Mover scripts

Audiofragments is datablobs encoded using codec long discussed earlier :)) Robopanda identifies it using index located in beginning of cartridge (offset 0x5 to strng @PEND). There is cpu bytecode for starting playing of chunk number X, waiting for end of playing and some unknown for now bytecodes for checking current state of playing.

Mover scripts - it's chunks of commands for moving different motors, waiting for completion/etc. For now some basic bytecodes decoded and channel numbers corresponding to different motors known. Meaning of most control bytecodes is only guessed.

And most interesting but deeply hidden part is CPU :))
CPU is stack based, but also has local and global variables (like java VM).
CPU has access to mover, audioplayer, LEDs, sensors, nvram and cartridge.

Status of cpu bytecodes is mixed:
control flow (call, return, jump, conditional jump) bytecodes is mostly known and decoded
locals/globals/spi/nvram access known and decoded
logical/arithmetcs - some bytecodes known
sensors - only guess that it is 75XX series of codes
leds - known, but match between bits and physical devices not checked
controlling mover - calibration and start moving codes known, control/status - unknown
controlling audioplayer - start and wait known, other not known
many other unknown bytecodes - unknown :))

for decoding meaning of bytecodes meaning is established method using cartridge emulator with spi logger using spi_read instruction as printf equivalent :))

Most actual status of known bytecodes contained in cpu.py module in scripts subdirectory of tools tarball.

Emulogs tarball contains cartridge_black.src and cartridge_white.src files - it's disassembled cartridge sources.

Also there is training.log - it's emulator log output with comments of actions of each command and stack state after execution of each command.

Enjoy :))

sevik
sevik's picture

Readed NVRAM contents of my Robopanda:

0000: 3E 8D 37 88  22 CD 23 CD  67 AA 6A AB  5D 94 5A A1 
0010: 81 81 3B 00  B8 08 82 66  7A 48 44 44  38 5C 60 A6 
0020: FF 00 00 00  07 01 00 00  00 00 00 00  00 00 00 00 
0030: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 A6 00 
0040: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
0050: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
0060: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
0070: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
0080: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
0090: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
00A0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
00B0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
00C0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
00D0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
00E0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
00F0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
0100: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
0110: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
0120: AA 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
0130: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
0140: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
0150: 00 00 00 00  00 00 00 00  00 00 00 E6  FF 00 00 00 
0160: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
0170: 3E 8D 37 88  22 CD 23 CD  67 AA 6A AB  5D 94 5A A1 
0180: FF FF FF FF  FF FF 82 66  7A 48 44 44  38 5C 60 FF 
0190: 3E 8D 37 88  22 CD 23 CD  67 AA 6A AB  5D 94 5A A1 
01A0: 81 81 3B 00  B8 08 82 66  7A 48 44 44  38 5C 60 A6 
01B0: FF 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
01C0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
01D0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
01E0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
01F0: 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

ranges 0x000-0x00F, 0x170-0x17F and 0x190-0x19A contains calibration values of mover. Defaults for these value present in cartridge too, but default values is slightly different:

43 99 5B A6  34 C4 2E BC  75 A3 75 A3  60 88 60 98

compare with nvram values:

3E 8D 37 88  22 CD 23 CD  67 AA 6A AB  5D 94 5A A1 

seems engeneering sample has something other mechanical characteristics comparing to production :))

sevik
sevik's picture

CPU code used to read nvram:


0020: 01FF 65DA            push      #65DA                // push 65DA to stack
0022: B000                 spi_read  000C+                // pop offset from stack, read data from spi rom and push to stack
0023: 297E                 drop                           // pop and drop value from stack
0024: A800                 set       $00, #00             // set local 00 to 00
                     L0_1:                                // xrefs: 002E
0025: 2D00                 push      $00                  // push local $00 to stack
0026: F801 0400            rjump_neq L0_2,0400            // if value on stack != 0400, jump to 0029, else pop, drop and continue
0028: F006                 rjump_f0  L0_3                 // conditional jump to 002F
                     L0_2:                                // xrefs: 0026
0029: 292A                 nvram_read                      // pop nvram addres from stack, read and put result on stack
002A: BF74                 spi_read  0F80+                // pop offset from stack, read data from spi rom and push to stack
002B: 297E                 drop                           // pop and drop value from stack
002C: 2EC0                 inc       $00                  // increment local $00 and push old value to stack
002D: 297E                 drop                           // pop and drop value from stack
002E: E7F7                 rjump     L0_1                 // jump to 0025
                     L0_3:                                // xrefs: 0028
002F: 01FF 65DA            push      #65DA                // push 65DA to stack
0031: B000                 spi_read  000C+                // pop offset from stack, read data from spi rom and push to stack
0032: 297E                 drop                           // pop and drop value from stack
                     L0_4:                                // xrefs: 0035
0033: 0000                 push      #0000                // push 0000 to stack
0034: 2440                 pop       @0040                // pop global 0040 from stack
0035: E7FE                 rjump     L0_4                 // jump to 0033

Sequence push #65DA; spi_read 000C+; drop reads spi from address 0xCCCC, wich interpreted by realtime tracer as linefeed.

Sequence spi_read 0F80+; drop pops value from stack and read spi at address 0x2000+value*2 which interpreted by tracer as printf("%02X",value).

So as end result we got:

[seva@sevasoft][/home/seva/src/ipnet/sandbox/seva/robopanda/data] cua0
Connected
URA!!!
Clear DRAM...done
Init SDCard...done, code: 00

Ok> r
SD Read...done, code: 00
Count: 0200
134C6F61 1364202E 122E2E00 3E000001 46000000 3E000080 42000000 36000000 50100000
 50000000 19000007 50300000 19000008 50300000 19000009 50300000 1900000A 3E00000
2 19000002 3E000001 19000003 18000004 26000001 20000015 18000005 26000000 200000
28 13657272 136F722C 1320636F 1364653A 10200000 17000000 13207365 1363746F 13723
A20 36000000 14000000 120D0A00 20000027 3E00007F 43000000 3E000000 18000010 5010
0000 18000010 50100000 18000010 50100000 18000010 49000000 2F00002A 36000000 516
00001 46000000 25000008 20000007 1320646F 136E650D 100A0000 130D0A4F 136B3E20 24
00003E 2200003F 30000000 40000000 120D0A00 26000077 20000076 26000069 200000CD 2
6000063 200000E2 26000072 200000F5 26000064 2000015D 26000074 20000181 26000054 
200001A2 26000030 20000150 26000031 20000150 26000032 20000150 26000033 20000150
 26000034 20000150 26000035 20000150 26000036 20000150 26000037 20000150 2600003
8 20000150 26000039 20000150 26000041 2000014D 26000042 2000014D 26000043 200001
4D 26000044 2000014D 26000045 2000014D 26000046 2000014D 2600005A 2000014A 13457
272 136F7221 2000003C 13534420 13777269 1374652E 132E2E0D 100A0000 3E00C000 4400
0000 3E00000A 46000000 3E000000 

Ok> g
Load ... done

Ok> c
Clear sniffer memory...done
Ok> r
Read cartridge data...
00003F54
aborted          

Ok> T

3E 8D 37 88 22 CD 23 CD 67 AA 6A AB 5D 94 5A A1 81 81 3B 00 B8 08 82 66 7A 48 44
 44 38 5C 60 A6 FF 00 00 00 07 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 A6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AA 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 E6 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 8D 37 88 22 C
D 23 CD 67 AA 6A AB 5D 94 5A A1 FF FF FF FF FF FF 82 66 7A 48 44 44 38 5C 60 FF 
3E 8D 37 88 22 CD 23 CD 67 AA 6A AB 5D 94 5A A1 81 81 3B 00 B8 08 82 66 7A 48 44
 44 38 5C 60 A6 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F
F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F
F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F
F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FFFF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F
F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F
F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F
F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F
F FF FF FF FF FF FF FF FF FF FF 
sevik
sevik's picture

heh :))

Some more experimenting shows that there are no flags (like C,Z, etc in other cpus) conditional jumps simple check LSB of value on stack, and cmp and like just put 0 or 1 on stack.

So there is 4 jump ops:
E0XX - simple jump - no stack activity
E8XX - pop value from stack, jump if bit0 == 1
F0XX - pop value from stack, jump if bit0 == 0
F8XX AAAA - peek value on stack, if val == AAAA, pop and drop value and continue, else - dont modify stack and jump

F8XX codes used for table jumps, like this:

0BC9: 2080                 push      @0080                // push global 0080 to stack
0BCA: F805 0000            rjump_neq L51_16,0000          // if value on stack != 0000, jump to 0BD1, else pop, drop and continue
0BCC: 2D00                 push      $00                  // push local $00 to stack
0BCD: CB54 0105            call      0B60(1,5)            // save 5 locals and call 0B60 with 1 args from stack)
0BCF: 2D83                 pop       $03                  // pop local $03 from stack
0BD0: E00F                 rjump     L51_19               // jump to 0BE0
                   L51_16:                                // xrefs: 0BCA
0BD1: F805 0001            rjump_neq L51_17,0001          // if value on stack != 0001, jump to 0BD8, else pop, drop and continue
0BD3: 2D00                 push      $00                  // push local $00 to stack
0BD4: CB58 0105            call      0B64(1,5)            // save 5 locals and call 0B64 with 1 args from stack)
0BD6: 2D83                 pop       $03                  // pop local $03 from stack
0BD7: E008                 rjump     L51_19               // jump to 0BE0
                   L51_17:                                // xrefs: 0BD1
0BD8: F805 0002            rjump_neq L51_18,0002          // if value on stack != 0002, jump to 0BDF, else pop, drop and continue
0BDA: 2D00                 push      $00                  // push local $00 to stack
0BDB: CB5C 0105            call      0B68(1,5)            // save 5 locals and call 0B68 with 1 args from stack)
0BDD: 2D83                 pop       $03                  // pop local $03 from stack
0BDE: E001                 rjump     L51_19               // jump to 0BE0
                   L51_18:                                // xrefs: 0BD8
0BDF: 297E                 drop                           // pop and drop value from stack
                   L51_19:                                // xrefs: 0BD0,0BDE,0BD7

sevik
sevik's picture

heh

A lot of 0XAA codes:

00XX,01XX - push immediate (was known)
02XX - AND stack with immediate and push result on stack
03XX - OR
04XX - XOR
05XX - MOD
06XX - ADD
07XX - SUB
08XX - MUL
09XX - DIV
0AXX - = (push 1 if true, 0 if false)
0BXX - !=
0CXX - >
0DXX - >=
0EXX - 

sevik
sevik's picture

296X codes - ops with stack arguments (very like to 0XAA codes)

2960 - AND
2961 - OR
2962 - XOR
2963 - MOD
2964 - ADD
2965 - SUB
2966 - MUL
2967 - DIV
2968 - =
2969 - !=
296A - >
296B - >=
296C - 
sevik
sevik's picture

tools updated with new bytecodes
http://sevik.org/robopanda/robopanda_tools-200807230000.tar.gz

emu_logs rebuilded by new tools
http://sevik.org/robopanda/robopanda_emu_logs-200807230000.tar.gz

audiochunks removed from emu_logs tarball - now it is only 500k

sevik
sevik's picture

This seems to be a software capable of programming Dataflash with simple LPT programmer from Windows:

http://dybkowski.net/elka/ispprog_en.html

Nocturnal
Nocturnal's picture

If you happen to have a AT45DB642D, or chip that uses the same programming algorithm, yes. Since the chips milw and I have use a different algorithm, no.

Devo
Devo's picture

Anyone can explain to me how the circuits inside the robopanda works? And what are the components inside it.

sevik
sevik's picture

Previous 10 pages of this thread is approximate answer to your question :))

About insides see Nocturnal's article http://www.robocommunity.com/article/12977/RoboPanda-Disassembled---A-Lo...

iquad
iquad's picture

the ropobanda has an IR transmitter and sensor.you could just hack the LED'S.

robobob
robobob's picture

I sure would like to get the two original cartridges that came with my robopanda. Any suggestions. WowWee said they would send me some but nevercame through.

 

robobob  shostett@earthlink.net

James Delia
James Delia's picture

Hi I just bought Robopanda, and with my little knowledge of robotics I think the motors and the good size of robot are great. It is such a shame that there is no more than 2 cartridges. My daughter who is 4 years old already got board of the two cartridges in less than 2 days. I had a look at the files at a link in the comments above. How to I copy the files to the chip of the Black and White. Is there a SD card to slot in the back of Robopanda and a software for people like me who have only a slight idea of programming ? The software will transfer all files and convert to proper format. Thank you for your help. I am sure there several hundreds of people who need this.

sevik
sevik's picture

There is no easy way to just transfer files to robopanda.

It's really an programmable interactive platform which needs real programming to get new content and behavior.

And It's really timeconsuming becouse you need to program all low-level behavior - like move right hand to position 70 degree, move left hand to 60, say something, look at sensors, do something if left hand touched, etc...

In short - it's a lot of work for a little compensation :))

I think WooWee got not enought sales on this thing, so all this work is not economicaly sensible for them.

Mister M
Mister M's picture

I've looked into swapping out the Robopanda head with a Baby Alive head a while back. I like the eyes and mouth movement.

Disappointed, the gearbox and motor to rotate the Robopanda's head is mounted inside the head and too big, which meant sacrificing the rotation of the head so the new head can be mounted. This mod is currently stalled. However, I'm looking into modding the panda head to combine with the baby head, so it looks like a baby is wearing a panda PJ.

Derivitiv
Derivitiv's picture

I just got one of these from a friend. I was hoping that someone would have gotten farther along in this. I think programming it to act like a zombie would be awesome.

sevik
sevik's picture

:) can you write an simple 10 actions story for zombielike Robopanda?

What exactly it will do, what it will say, how it will react to your touches?

It can be programmed to do anything, but you have to write down it exactly - all movements, all phrases, all interactions, all variants of storyline.

Original cartridges contain about 2 hours of audio files. Are you ready to make something like this?

ApplicationBistro
ApplicationBistro's picture

sevik,

Do you have a pinout of the RoboPanda cartridge?  Which pins do I need to connect to my dev board?

Pages