With the correct configuration on the logic analyzer, I was now able to capture the bytes from the firmware as they were checked by the CRC routine.

With a depth of only 1024 bytes, this took some time, but each capture was printed to my laptop.

A small script later, and I converted these into a binary dump of the firmware for disassembly.

Even though this didn’t give me the start-up firmware, it did give me useful tools to build that firmware as I captured traces with the logic analyzer.  As I worked my way through the initialization sequence, each trace performed was saved to the laptop, and all the traces were merged together to create an image that could be used concurrently in a disassembler.

Finally, I worked my way down through the initial sequence of keys used to navigate to the upload and download routines.  At this point, the terminal was displaying a prompt asking if I wanted it to send or receive the firmware.