QUFB

@qufbee

Joined August 2022

0 Following

22 Followers

81 Posts

9 months ago

@lauriewired 2 Hitachi ISAs were mostly figured out by Piotr Piatek and Martin Poupe, although both seem to have relied on hardware testing. On early CPUs without pipelining, you can use a logic analyzer to infer instruction length + jumps from ROM accesses, along with R/W to RAM or I/O.

0

0

0

0

66

9 months ago

@netspooky @iximeow @phrack Nice writeup! I think there's a typo on one of the decodings: "e93cef ; r0<-[0xef3c]" should be r1?

0

1

0

1

293

over 1 year ago

@ByteOrderMarc @travisgoodspeed (typo: 8 x 64 bits)

0

1

0

0

20

over 1 year ago

@ByteOrderMarc @travisgoodspeed I was looking at your older thread with the decap, if I'm reading right, each internal ROM can hold 64 bits x 64 rows x 12 columns = 0xC000 bytes. The script only dumps segment 0, since I got mirrored bytes after 0xC000, I never found code references but should also do segment 1.

2

1

0

0

28

Who to follow

I post about retro hardware and console development kits from the past..

Verified account

🕹️ Choose your weapon! Pro arcade sticks, crafted for winners, guarantee you’re the one dishing out beatdowns. Crowdfunded $150k for the Octopus @indiegogo.

Father, Animator, Game Developer, “The Mechanic” of Arcade

over 1 year ago

@ByteOrderMarc @travisgoodspeed Here's a script that outputs a dumping binary, it just writes to a RAM address to be sniffed with a logic analyzer. Would be less cumbersome if it used the data port, but haven't yet checked which instructions are doing that. https://t.co/gyY9ueFp5r

1

1

0

0

28

over 1 year ago

@ByteOrderMarc @travisgoodspeed Some of these have interesting routines which just cycle through instructions, probably for testing memory access patterns... I think they are probably enabled from test pins but haven't traced which. Some models have test points labelled on the PCB.

0

1

0

0

18

over 1 year ago

@ByteOrderMarc @travisgoodspeed Also, all these models have an internal CPU ROM which can be directly read-out by setting data segment 0.

2

1

0

0

25

over 1 year ago

@GMMan_BZFlag Yeah I agree, doing it via UI is just cumbersome. Not allowing to edit bytes at defined instructions seems like protecting the user from errors needlessly. but at least all those memory operations can be scripted.

0

0

0

0

13

over 1 year ago

@GMMan_BZFlag In that case it's creating new memory regions, but you can avoid splitting and reuse an existing region with something like: currentProgram.getMemory().setBytes(address, bytes, startOffset, bytes.length)

1

0

0

0

20

over 1 year ago

@GMMan_BZFlag On loaders I usually prompt for some BIOS to set along with the loaded ROM, here's an example: https://t.co/NFVUOqhi5k

1

0

0

0

11

almost 2 years ago

@kasamikona Does the function table have a static address? You can try storing that mov in a context register and then computing the address to call in a context variable, as it avoids most of these indirection issues: https://t.co/l2Mh2XXTUx

1

1

0

0

15

almost 2 years ago

There's a variety of tests for memory, screen, networking, etc... Only first ROM test is passing at the moment.

qufbee's tweet photo. There's a variety of tests for memory, screen, networking, etc... Only first ROM test is passing at the moment. https://t.co/gvUo1tbyYV

0

0

0

0

26

almost 2 years ago

MAME emulation is still WIP, but you can already check out this unused debug screen in Casio Picky Talk Forest of Gurutan. On debugger run "bpset 20adb2,, { ip=20ad27; g; }", or if testing in hardware, apply patch "0xadb2 = 88 ad 27". It should show up after pen calibration.

qufbee's tweet photo. MAME emulation is still WIP, but you can already check out this unused debug screen in Casio Picky Talk Forest of Gurutan. On debugger run "bpset 20adb2,, { ip=20ad27; g; }", or if testing in hardware, apply patch "0xadb2 = 88 ad 27". It should show up after pen calibration. https://t.co/66sM1sP4OP

1

1

0

0

47

about 2 years ago

@angealbertini Ghidra's patch instruction does it, maybe it can be exposed in a programmable manner?

qufbee's tweet photo. @angealbertini Ghidra's patch instruction does it, maybe it can be exposed in a programmable manner? https://t.co/KmusjW6tFR

0

0

0

0

32

about 2 years ago

While reversing Tomy Prin-C keyboard-only model, I found these hidden developer credits: after power on, hold down keys "T" and "M". A few seconds later, the credits blink for a moment before showing the title screen.

0

1

0

0

66

over 2 years ago

I've patched Sega Ferie to load its (AFAIK unused) test functions: https://t.co/tFHFhXqLlD For example, here's the memory backup test with a hidden credits roll!

1

10

3

1

614

over 2 years ago

@biggestsonicfan Looks like it was the same pinout after all: https://t.co/HWvD7VROo2

1

2

0

0

348

over 2 years ago

@biggestsonicfan Nice, keep me updated. AFAIK there were 2 GG ROM variants, those less than 1Mb didn't use an external mapper, but maybe those dumpers support both variants.

1

0

0

0

50

Last Seen Users on Sotwe

Trends for you

Most Popular Users