FirmwareDebugging

From ST2205u wiki
Jump to: navigation, search

Contents

Loading firmware under debugger

A good starting point is to look for Interrupt vector table.

It is supposed to be located at 0x7fda -> 0x7fff

Looking at file position + 0x4000, some data are at 0x7fda -> 0x7fff !

For example at [ 0x7ffd - 0x7ffx ] = 0x4049 <= RESET position....

Looking for my reset at 0x4049 :

ROM:000040D5 RESET:                                  ; 
ROM:000040D5                 SEI                     ; I <- 1
ROM:000040D6                 LDA     #$FF            ; A <- M
ROM:000040D8                 STA     byte_9          ; M <- (A)
ROM:000040DA                 LDA     #$77 ; 'w'      ; A <- M
ROM:000040DC                 STA     byte_1          ; M <- (A)

...a lot of JSR in the middle ... (ex : JSR     sub_4406 )

ROM:00004145                 STA     byte_879        ; M <- (A)
ROM:00004148                 LDA     #2              ; A <- M
ROM:0000414A                 STA     byte_34E        ; M <- (A)
ROM:0000414D                 LDA     #0              ; A <- M
ROM:0000414F                 STA     byte_356        ; M <- (A)
ROM:00004152                 LDA     #4              ; A <- M
ROM:00004154                 STA     byte_355        ; M <- (A)
ROM:00004157                 RMB6    byte_A4         ; Reset memory bit 6
ROM:00004159                 JSR     unk_820         ; Stack <- PC, PC <- Address
ROM:0000415C                 BRK                     

but i don't knwo how to interpret JSR unk_820 because loading adress is 0x4000 and nothing is at 0x820 !!!

  • IIRC, a far call routine gets copied to 0x820 somewhere in the initialisation of the device: the 6 or 8 bytes (can't remember anymore) following the JSR indicate the bank number and the address that will get called. -Sprite tm

Ben : interesting, i'm not sure to have understood how this routine is copied and how are used the 6 or 8 bytes, if you can give us some more details....

iirc the routine gets copied by using the built-in dma controller. Look for the dma address in the st2205 spec to find the exact location where this happens. --Jorik

Exact ! Found this, let's decode it ...

ROM:000040AF sub_40AF:                               ; CODE XREF: RESET+2E�p
ROM:000040AF                 SEI                     ; I <- 1
ROM:000040B0                 LDA     #0              ; A <- M
ROM:000040B2                 STA     DPTRL_source    ; M <- (A)
ROM:000040B4                 CLC                     ; C <- 0
ROM:000040B5                 LDA     #$40 ; '@'      ; A <- M
ROM:000040B7                 ADC     #$40 ; '@'      ; A <- (A) + M + C
ROM:000040B9                 STA     DPTRH_source    ; M <- (A)
ROM:000040BB                 STZ     DCTR_dmaselect  ; Store zero
ROM:000040BD                 STZ     DMOD            ; Store zero
ROM:000040BF                 LDA     #$20 ; ' '      ; A <- M
ROM:000040C1                 STA     DBKRL_bankreg   ; M <- (A)
ROM:000040C3                 LDA     #8              ; A <- M
ROM:000040C5                 STA     DBKRH_bankreg   ; M <- (A)
ROM:000040C7                 STZ     byte_34         ; Store zero
ROM:000040C9                 STZ     byte_35         ; Store zero
ROM:000040CB                 LDA     #0              ; A <- M
ROM:000040CD                 STA     DCNTH_length    ; M <- (A)
ROM:000040CF                 LDA     #$48 ; 'H'      ; A <- M
ROM:000040D1                 STA     DCNTL_length    ; M <- (A)
ROM:000040D3                 CLI                     ; I <- 0
ROM:000040D4                 RTS                     ; PC <- (Stack)
ROM:000040D4 ; End of function sub_40AF

copy 48 bytes from 0x8000 to 0x820 ...

but why do :
CLC                     ; C <- 0
LDA     #$40 ; '@'      ; A <- M
ADC     #$40 ; '@'
just to do an LDA #$0x80 ??

I'm not entirely sure. I recall that the DMA controller turned out to be slightly different than the one in the st2205u spec, as it doesn't work on the full memory range, but only on the banked memory. The emulator logs this particular transfer as: 'DMA copy 73 bytes from 82c3 to 0820' but this doesn't match your quoted code. --Jorik


A trace/trap of my (tomtec) firmware in the emulator shows:

4361 4361 :   78         sei
cpu state: A=ff X=ff Y=00 S=fd P=b5 PC=4362 ii=0
4362 4362 :   a9 c3      lda  #$c3
cpu state: A=c3 X=ff Y=00 S=fd P=b5 PC=4364 ii=0
4364 4364 :   85 58      sta  $58
cpu state: A=c3 X=ff Y=00 S=fd P=b5 PC=4366 ii=0
4366 4366 :   18         clc
cpu state: A=c3 X=ff Y=00 S=fd P=b4 PC=4367 ii=0
4367 4367 :   a9 42      lda  #$42
cpu state: A=42 X=ff Y=00 S=fd P=34 PC=4369 ii=0
4369 4369 :   69 40      adc  #$40
cpu state: A=82 X=ff Y=00 S=fd P=f4 PC=436b ii=0
436b 436b :   85 59      sta  $59
cpu state: A=82 X=ff Y=00 S=fd P=f4 PC=436d ii=0
436d 436d :   64 5e      stz  $5e
cpu state: A=82 X=ff Y=00 S=fd P=f4 PC=436f ii=0
436f 436f :   64 5f      stz  $5f
cpu state: A=82 X=ff Y=00 S=fd P=f4 PC=4371 ii=0
4371 4371 :   a9 20      lda  #$20
cpu state: A=20 X=ff Y=00 S=fd P=74 PC=4373 ii=0
4373 4373 :   85 5a      sta  $5a
cpu state: A=20 X=ff Y=00 S=fd P=74 PC=4375 ii=0
4375 4375 :   a9 08      lda  #$08
cpu state: A=08 X=ff Y=00 S=fd P=74 PC=4377 ii=0
4377 4377 :   85 5b      sta  $5b
cpu state: A=08 X=ff Y=00 S=fd P=74 PC=4379 ii=0
4379 4379 :   64 34      stz  $34
memory at 8000--ffff changed bankSelectLo to 00
cpu state: A=08 X=ff Y=00 S=fd P=74 PC=437b ii=0
437b 437b :   64 35      stz  $35
memory at 8000--ffff changed bankSelectHi to 00
cpu state: A=08 X=ff Y=00 S=fd P=74 PC=437d ii=0
437d 437d :   a9 00      lda  #$00
cpu state: A=00 X=ff Y=00 S=fd P=76 PC=437f ii=0
437f 437f :   85 5d      sta  $5d
cpu state: A=00 X=ff Y=00 S=fd P=76 PC=4381 ii=0
4381 4381 :   a9 48      lda  #$48
cpu state: A=48 X=ff Y=00 S=fd P=74 PC=4383 ii=0
4383 4383 :   85 5c      sta  $5c
DMA copy 73 bytes from 82c3 to 0820

Hope this helps, --Jorik

Here is the disassembly of the tomtec firmware

ROM:00004361 sub_4361:                               ; CODE XREF: ROM:00004072�p
ROM:00004361                 SEI                     ; I <- 1
ROM:00004362                 LDA     #$C3 ; '+'      ; A <- M
ROM:00004364                 STA     DPTRL_source    ; M <- (A)
ROM:00004366                 CLC                     ; C <- 0
ROM:00004367                 LDA     #$42 ; 'B'      ; A <- M
ROM:00004369                 ADC     #$40 ; '@'      ; A <- (A) + M + C
ROM:0000436B                 STA     DPTRH_source    ; M <- (A)
ROM:0000436D                 STZ     DCTR_dmaselect  ; Store zero
ROM:0000436F                 STZ     DMOD            ; Store zero
ROM:00004371                 LDA     #$20 ; ' '      ; A <- M
ROM:00004373                 STA     DBKRL_bankreg   ; M <- (A)
ROM:00004375                 LDA     #8              ; A <- M
ROM:00004377                 STA     DBKRH_bankreg   ; M <- (A)
ROM:00004379                 STZ     byte_34         ; Store zero
ROM:0000437B                 STZ     byte_35         ; Store zero
ROM:0000437D                 LDA     #0              ; A <- M
ROM:0000437F                 STA     DCNTH_length    ; M <- (A)
ROM:00004381                 LDA     #$48 ; 'H'      ; A <- M
ROM:00004383                 STA     DCNTL_length    ; M <- (A)
ROM:00004385                 CLI                     ; I <- 0
ROM:00004386                 RTS                     ; PC <- (Stack)

That's effectively copy 0x48+1 bytes from 0x82c3 to x0820 !!
It's look like it's works as ST2205U .... with full memory...


How to know where RAM / ROM start offset is ?

  • RAM section is 0x00000 - 0x0ffff ?
  • ROM section is 0x01000 - 0xfffff ?

Finding some more space for Hack

Looking for DMA, i've found a quite interesting subroutine... in resume :

  • get source adress from byte 98 and 99
  • copy 0x200 bytes from previous source adress to RAM 0x580 (it can be at the bottom of the firmware)
  • JUMP to it
ROM:0000430C                 SEI                     ; I <- 1
ROM:0000430D                 LDA     byte_98         ; A <- M
ROM:0000430F                 STA     DPTRL_source    ; M <- (A)
ROM:00004311                 LDA     byte_99         ; A <- M
ROM:00004313                 STA     DPTRH_source    ; M <- (A)
ROM:00004315                 STZ     DCTR_dmaselect  ; Store zero
ROM:00004317                 STZ     DMOD            ; Store zero
ROM:00004319                 LDA     #$80 ; 'Ç'      ; A <- M
ROM:0000431B                 STA     DBKRL_bankreg   ; M <- (A)
ROM:0000431D                 LDA     #5              ; A <- M
ROM:0000431F                 STA     DBKRH_bankreg   ; M <- (A)
ROM:00004321                 STZ     byte_34         ; Store zero
ROM:00004323                 STZ     byte_35         ; Store zero
ROM:00004325                 LDA     #1              ; A <- M
ROM:00004327                 STA     DCNTH_length    ; M <- (A)
ROM:00004329                 LDA     #$FF            ; A <- M
ROM:0000432B                 STA     DCNTL_length    ; M <- (A)
ROM:0000432D                 CLI                     ; I <- 0
ROM:0000432E                 LDA     #$43 ; 'C'      ; A <- M
ROM:00004330                 PHA                     ; Stack <- (A)
ROM:00004331                 LDA     #$36 ; '6'      ; A <- M
ROM:00004333                 PHA                     ; Stack <- (A)
ROM:00004334                 JMP     unk_580         ; PC <- Address

So we just need few free byte to launch the hack we something like :

ROM:0000555F                 LDA     #2              ; A <- M
ROM:00005561                 STA     byte_30D        ; M <- (A)
ROM:00005564                 LDA     #0              ; A <- M
ROM:00005566                 STA     byte_30E        ; M <- (A)
ROM:00005569                 LDA     #$DC ; '_'      ; A <- M
ROM:0000556B                 STA     byte_98         ; M <- (A)
ROM:0000556D                 CLC                     ; C <- 0
ROM:0000556E                 LDA     #$55 ; 'U'      ; A <- M
ROM:00005570                 ADC     #$40 ; '@'      ; A <- (A) + M + C
ROM:00005572                 STA     byte_99         ; M <- (A)
ROM:00005574                 JSR     sub_430C        ; Stack <- PC, PC <- Address
ROM:00005577                 PLX                     ; Pull X register
ROM:00005578                 PLA                     ; A <- (Stack)
ROM:00005579                 RTS                     ; PC <- (Stack)

On this exemple we do a kind of launch of subroutine located at 0x95DC

so you know a good debugger?

  • just found one here. its a A 6502 processor simulator/development (not a 65c02). do you know a better one?
  • found a 65c02 emulator
  • some here
  • --Ben i have impression my device use 65CE02 ... i have CB opcode ....

I managed to write a pretty full fledged emulator, which currently can boot the tomtec firmware without any problems, and is suitable for development of alternate firmwares/custom code. I haven't added timer emulation, but DMA and almost all features of the LCD display work. I'll have to package up the sourcecode (+ a little devkit based on crasm) when I have some more time this month. See here for a quick demo [1] Jorik
--Looks VERY great! hope you can release it soon!
--Fantastic ! if you need any help.... Ben
--Nicely done, will be a great tool. RickG --Is it possible to have a beta release ? Ben

Possible RTOS?

  • Did some searching and found a product called AvSYS for the 6502 and it's US$95 and royalty free. Check it out here. They have a decent C compiler as well. Would be great to have a nice RTOS to interface with the firmware for driver usb, display, etc. Anybody check it out and get back to us?
    RickG
  • Would be worth checking out Contiki. It has some fantastic features including runtime downloading of elf executables and VNC server. Already ported to the 6502 and released under a BSD License. Info here.
    Finno

Button Reading

See Button Reading.

Personal tools