Sunday, January 16, 2011

Cop challenge, part 1

1. Debug mode?

Check end of ROM space:

(r) 0x7ffee
(r) 0x7fff2
(r) 0x7fff6
(r) 0x7fffa
-----------------------



(r) 0xffff in all above cases = content of ROM (unused space filled with 0xff byte)

I bet that dev system has RAM in place of ROM, so "cop" reads data from end of ram, set by developer (debug mode, whatever).

Also, there's ROM mirror at 0x80000 (as exepcted = max rom is 0x100000)

2. Content of reg 1a4

(w) 0x10043e, 0x0000
(w) 0x100474, 0x0a00
(w) 0x10042c, 0x00ff
(w) 0x100436, 0x0003
(w) 0x10042c, 0x00ff
(r) 0x1005a4
(r) 0x1005a4
(r) 0x1005a4
(r) 0x1005a4
------------------------

1st test

no write = returns 0000

(w) 43e,0000 returns 0
(w) 43e,0000 (w)474,0a00 returns 0
(w) 43e,0000 (w)474,0a00 (w)42c,00ff returns:
0035,0055,0075,0095
00d9,00f9,0019,0039 (another read)
0043,0063,0083,00a3 (another read)

Difference between n and n+1 reads is always 0x20 (32 dec)


2nd test
(after 42c=ff):

(r) 5a0 = 0023
(r) 5a2 = 0043
(r) 5a4 = 0063
(r) 5a6 = 0083

Mirrored ?

3rd test
(after 42c=ff):

(r) 5a0 = 009b
(r) 000 = xxxx (result doesn't matter)
(r) 5a4 = 00db
(r) 5a6 = 00fb

Added "fake" ram read between cop regs read to check if data change is triggered by cop reg read. It's not (otherwise 5a4 should be = 00bb)

4th test
- same as above, just read from the same cop regs (5a4). Results identical.


68k code for read word:

move.l (a3)+,a4 12 cycles
move.w (a4),d2 8 cycles
move.l d2,(a3)+ 12 cycles

(four above reads = one unrolled loop, so no extra code between reads).

Each read takes 12+8+12 = 32 cycles. Sounds familiar ?


5th test


(w) 7f to 10042c reads changed - (to range 0-7f), so it's a counter mask. 8 bit (no difference between mask 0x1ff and 0xff)


6th test

Uhm.. is the above mask or maybe a max counter value ?



When 10042c is set to 0x89, data reads are : 003d 005d 007d 0013.
It's max counter val (after reach 0x89 it wraps back to 0)


7th test

Is reg 2c (10042c) readable ?



Yes, it is.


8th test

Is the reg $1a2 writable ? Nope. Nothing happens (no counter reset.. nothing).


9th test

writes to 43e,474,436 - no difference in results

Conclusion:
COP regs $1a0-$1a6:
4x mirrored cpu cycle counter mod ( ((reg $2c )&0xff) +1)


3. DMA register read-back

(r) 0x10047e
-------------

read 0x0015 as expected

Maybe it returns DMA num(or id) when data transfer is completed, otherwise - something else (0 ? ff ? )

No comments:

Post a Comment