FirmwareDebugging
From ST2205u wiki
Contents |
Loading firmware under debugger
A good starting point is to look for Interrupt vector table.
It is supposed to be located at 0x7fda -> 0x7fff
Looking at file position + 0x4000, some data are at 0x7fda -> 0x7fff !
For example at [ 0x7ffd - 0x7ffx ] = 0x4049 <= RESET position....
Looking for my reset at 0x4049 :
ROM:000040D5 RESET: ; ROM:000040D5 SEI ; I <- 1 ROM:000040D6 LDA #$FF ; A <- M ROM:000040D8 STA byte_9 ; M <- (A) ROM:000040DA LDA #$77 ; 'w' ; A <- M ROM:000040DC STA byte_1 ; M <- (A) ...a lot of JSR in the middle ... (ex : JSR sub_4406 ) ROM:00004145 STA byte_879 ; M <- (A) ROM:00004148 LDA #2 ; A <- M ROM:0000414A STA byte_34E ; M <- (A) ROM:0000414D LDA #0 ; A <- M ROM:0000414F STA byte_356 ; M <- (A) ROM:00004152 LDA #4 ; A <- M ROM:00004154 STA byte_355 ; M <- (A) ROM:00004157 RMB6 byte_A4 ; Reset memory bit 6 ROM:00004159 JSR unk_820 ; Stack <- PC, PC <- Address ROM:0000415C BRK
but i don't knwo how to interpret JSR unk_820 because loading adress is 0x4000 and nothing is at 0x820 !!!
- IIRC, a far call routine gets copied to 0x820 somewhere in the initialisation of the device: the 6 or 8 bytes (can't remember anymore) following the JSR indicate the bank number and the address that will get called. -Sprite tm
Ben : interesting, i'm not sure to have understood how this routine is copied and how are used the 6 or 8 bytes, if you can give us some more details....
iirc the routine gets copied by using the built-in dma controller. Look for the dma address in the st2205 spec to find the exact location where this happens. --Jorik
Exact ! Found this, let's decode it ...
ROM:000040AF sub_40AF: ; CODE XREF: RESET+2E�p ROM:000040AF SEI ; I <- 1 ROM:000040B0 LDA #0 ; A <- M ROM:000040B2 STA DPTRL_source ; M <- (A) ROM:000040B4 CLC ; C <- 0 ROM:000040B5 LDA #$40 ; '@' ; A <- M ROM:000040B7 ADC #$40 ; '@' ; A <- (A) + M + C ROM:000040B9 STA DPTRH_source ; M <- (A) ROM:000040BB STZ DCTR_dmaselect ; Store zero ROM:000040BD STZ DMOD ; Store zero ROM:000040BF LDA #$20 ; ' ' ; A <- M ROM:000040C1 STA DBKRL_bankreg ; M <- (A) ROM:000040C3 LDA #8 ; A <- M ROM:000040C5 STA DBKRH_bankreg ; M <- (A) ROM:000040C7 STZ byte_34 ; Store zero ROM:000040C9 STZ byte_35 ; Store zero ROM:000040CB LDA #0 ; A <- M ROM:000040CD STA DCNTH_length ; M <- (A) ROM:000040CF LDA #$48 ; 'H' ; A <- M ROM:000040D1 STA DCNTL_length ; M <- (A) ROM:000040D3 CLI ; I <- 0 ROM:000040D4 RTS ; PC <- (Stack) ROM:000040D4 ; End of function sub_40AF
copy 48 bytes from 0x8000 to 0x820 ...
but why do :CLC ; C <- 0 LDA #$40 ; '@' ; A <- M ADC #$40 ; '@'just to do an LDA #$0x80 ??
I'm not entirely sure. I recall that the DMA controller turned out to be slightly different than the one in the st2205u spec, as it doesn't work on the full memory range, but only on the banked memory. The emulator logs this particular transfer as: 'DMA copy 73 bytes from 82c3 to 0820' but this doesn't match your quoted code. --Jorik
A trace/trap of my (tomtec) firmware in the emulator shows:
4361 4361 : 78 sei cpu state: A=ff X=ff Y=00 S=fd P=b5 PC=4362 ii=0 4362 4362 : a9 c3 lda #$c3 cpu state: A=c3 X=ff Y=00 S=fd P=b5 PC=4364 ii=0 4364 4364 : 85 58 sta $58 cpu state: A=c3 X=ff Y=00 S=fd P=b5 PC=4366 ii=0 4366 4366 : 18 clc cpu state: A=c3 X=ff Y=00 S=fd P=b4 PC=4367 ii=0 4367 4367 : a9 42 lda #$42 cpu state: A=42 X=ff Y=00 S=fd P=34 PC=4369 ii=0 4369 4369 : 69 40 adc #$40 cpu state: A=82 X=ff Y=00 S=fd P=f4 PC=436b ii=0 436b 436b : 85 59 sta $59 cpu state: A=82 X=ff Y=00 S=fd P=f4 PC=436d ii=0 436d 436d : 64 5e stz $5e cpu state: A=82 X=ff Y=00 S=fd P=f4 PC=436f ii=0 436f 436f : 64 5f stz $5f cpu state: A=82 X=ff Y=00 S=fd P=f4 PC=4371 ii=0 4371 4371 : a9 20 lda #$20 cpu state: A=20 X=ff Y=00 S=fd P=74 PC=4373 ii=0 4373 4373 : 85 5a sta $5a cpu state: A=20 X=ff Y=00 S=fd P=74 PC=4375 ii=0 4375 4375 : a9 08 lda #$08 cpu state: A=08 X=ff Y=00 S=fd P=74 PC=4377 ii=0 4377 4377 : 85 5b sta $5b cpu state: A=08 X=ff Y=00 S=fd P=74 PC=4379 ii=0 4379 4379 : 64 34 stz $34 memory at 8000--ffff changed bankSelectLo to 00 cpu state: A=08 X=ff Y=00 S=fd P=74 PC=437b ii=0 437b 437b : 64 35 stz $35 memory at 8000--ffff changed bankSelectHi to 00 cpu state: A=08 X=ff Y=00 S=fd P=74 PC=437d ii=0 437d 437d : a9 00 lda #$00 cpu state: A=00 X=ff Y=00 S=fd P=76 PC=437f ii=0 437f 437f : 85 5d sta $5d cpu state: A=00 X=ff Y=00 S=fd P=76 PC=4381 ii=0 4381 4381 : a9 48 lda #$48 cpu state: A=48 X=ff Y=00 S=fd P=74 PC=4383 ii=0 4383 4383 : 85 5c sta $5c DMA copy 73 bytes from 82c3 to 0820
Hope this helps, --Jorik
Here is the disassembly of the tomtec firmware
ROM:00004361 sub_4361: ; CODE XREF: ROM:00004072�p ROM:00004361 SEI ; I <- 1 ROM:00004362 LDA #$C3 ; '+' ; A <- M ROM:00004364 STA DPTRL_source ; M <- (A) ROM:00004366 CLC ; C <- 0 ROM:00004367 LDA #$42 ; 'B' ; A <- M ROM:00004369 ADC #$40 ; '@' ; A <- (A) + M + C ROM:0000436B STA DPTRH_source ; M <- (A) ROM:0000436D STZ DCTR_dmaselect ; Store zero ROM:0000436F STZ DMOD ; Store zero ROM:00004371 LDA #$20 ; ' ' ; A <- M ROM:00004373 STA DBKRL_bankreg ; M <- (A) ROM:00004375 LDA #8 ; A <- M ROM:00004377 STA DBKRH_bankreg ; M <- (A) ROM:00004379 STZ byte_34 ; Store zero ROM:0000437B STZ byte_35 ; Store zero ROM:0000437D LDA #0 ; A <- M ROM:0000437F STA DCNTH_length ; M <- (A) ROM:00004381 LDA #$48 ; 'H' ; A <- M ROM:00004383 STA DCNTL_length ; M <- (A) ROM:00004385 CLI ; I <- 0 ROM:00004386 RTS ; PC <- (Stack)
That's effectively copy 0x48+1 bytes from 0x82c3 to x0820 !!
It's look like it's works as ST2205U .... with full memory...
How to know where RAM / ROM start offset is ?
- RAM section is 0x00000 - 0x0ffff ?
- ROM section is 0x01000 - 0xfffff ?
Finding some more space for Hack
Looking for DMA, i've found a quite interesting subroutine... in resume :
- get source adress from byte 98 and 99
- copy 0x200 bytes from previous source adress to RAM 0x580 (it can be at the bottom of the firmware)
- JUMP to it
ROM:0000430C SEI ; I <- 1 ROM:0000430D LDA byte_98 ; A <- M ROM:0000430F STA DPTRL_source ; M <- (A) ROM:00004311 LDA byte_99 ; A <- M ROM:00004313 STA DPTRH_source ; M <- (A) ROM:00004315 STZ DCTR_dmaselect ; Store zero ROM:00004317 STZ DMOD ; Store zero ROM:00004319 LDA #$80 ; 'Ç' ; A <- M ROM:0000431B STA DBKRL_bankreg ; M <- (A) ROM:0000431D LDA #5 ; A <- M ROM:0000431F STA DBKRH_bankreg ; M <- (A) ROM:00004321 STZ byte_34 ; Store zero ROM:00004323 STZ byte_35 ; Store zero ROM:00004325 LDA #1 ; A <- M ROM:00004327 STA DCNTH_length ; M <- (A) ROM:00004329 LDA #$FF ; A <- M ROM:0000432B STA DCNTL_length ; M <- (A) ROM:0000432D CLI ; I <- 0 ROM:0000432E LDA #$43 ; 'C' ; A <- M ROM:00004330 PHA ; Stack <- (A) ROM:00004331 LDA #$36 ; '6' ; A <- M ROM:00004333 PHA ; Stack <- (A) ROM:00004334 JMP unk_580 ; PC <- Address
So we just need few free byte to launch the hack we something like :
ROM:0000555F LDA #2 ; A <- M ROM:00005561 STA byte_30D ; M <- (A) ROM:00005564 LDA #0 ; A <- M ROM:00005566 STA byte_30E ; M <- (A) ROM:00005569 LDA #$DC ; '_' ; A <- M ROM:0000556B STA byte_98 ; M <- (A) ROM:0000556D CLC ; C <- 0 ROM:0000556E LDA #$55 ; 'U' ; A <- M ROM:00005570 ADC #$40 ; '@' ; A <- (A) + M + C ROM:00005572 STA byte_99 ; M <- (A) ROM:00005574 JSR sub_430C ; Stack <- PC, PC <- Address ROM:00005577 PLX ; Pull X register ROM:00005578 PLA ; A <- (Stack) ROM:00005579 RTS ; PC <- (Stack)
On this exemple we do a kind of launch of subroutine located at 0x95DC
so you know a good debugger?
- just found one here. its a A 6502 processor simulator/development (not a 65c02). do you know a better one?
- found a 65c02 emulator
- some here
- --Ben i have impression my device use 65CE02 ... i have CB opcode ....
I managed to write a pretty full fledged emulator, which currently can boot the tomtec firmware without any problems, and is suitable for development of alternate firmwares/custom code. I haven't added timer emulation, but DMA and almost all features of the LCD display work. I'll have to package up the sourcecode (+ a little devkit based on crasm) when I have some more time this month. See here for a quick demo [1] Jorik
--Looks VERY great! hope you can release it soon!
--Fantastic ! if you need any help.... Ben
--Nicely done, will be a great tool. RickG
--Is it possible to have a beta release ? Ben
Possible RTOS?
- Did some searching and found a product called AvSYS for the 6502 and it's US$95 and royalty free. Check it out here. They have a decent C compiler as well. Would be great to have a nice RTOS to interface with the firmware for driver usb, display, etc. Anybody check it out and get back to us?
RickG - Would be worth checking out Contiki. It has some fantastic features including runtime downloading of elf executables and VNC server. Already ported to the 6502 and released under a BSD License. Info here.
Finno
Button Reading
See Button Reading.
