Super Magic Drive research thread

Ask anything your want about Megadrive/Genesis programming.

Moderator: BigEvilCorporation

Post Reply
LocalH
Very interested
Posts: 152
Joined: Tue Dec 19, 2006 5:04 pm

Super Magic Drive research thread

Post by LocalH » Fri Dec 18, 2009 6:53 am

In a quest to get a working MS-DOS setup for my SMD800, I came across a few interesting things, and a need for a tool that I cannot find.

First of all, does anyone have a copy of Charles MacDonald's SMDUTIL? The link on his website is 404, and I can not find it anywhere (have done about two solid hours of Google scouring). I need it to dump my unit's BIOS, which reports onscreen to be v3.3 from 1992, and I have not seen any dumps of this version yet. I'd especially like to look inside it for an internal build date.

While searching for any information or tools, I came across five other BIOS dumps (although one isn't technically a "dump", more on this later):

* v3, 1991, available on the Sonic Retro wiki, internal date 8/17/91
* v3.1, 1991, available as part of "mdutils.zip" found here (see below), internal date 11/4/91
* v3.1g, 1992, available on the Sonic Retro wiki, no internal date
* v4.1a, 1993, available on the Sonic Retro wiki, "93-12-07" (ambiguous M/D ordering but based on v3 I will call it Dec 7, 1993)
* Magic Drive Plus BIOS, 1993, no internal date, no reference to either JSI or FFE, also includes anti-piracy message, available here

The 11/4/91 v3.1 version is quite interesting, as rather than being just a regular dump, it's a file of length $4200 (16896). In this file, it looks like the actual ROM begins at offset $1E00, and mirrors at $3E00 until the end of the file ($41FF). Within mdutils.zip, there is a "README!.MD" file which describes this file:

Code: Select all

MDOS31.PGM
==========

LOADS ON MEGADRIVE INSTEAD OF GAME

LATEST DOS 3.1, FULL VERSION.

ALLOWS YOU TO LOAD AND SAVE FILES TO RAM (IE.  LOAD A FILE BUT *NOT RUN*, THEN
SAVE TO ANOTHER DISK)
This seems to be pointing towards the "DOS can be updated by disk (ala Kickstart image files)" feature listed on the Retro wiki. My question is, has anyone ever found any other such upgrade files, and also has anyone ever taken a look to find out exactly how this type of upgrade works, such that one could upgrade their own unit to one of the other BIOS dumps available? I'd try merely replacing the 8K of data at $1E00 but I don't want to take a chance at bricking my unit. I don't have IDA installed right now so I can't check to see if there is any 68k code in there that would trigger the upgrade process once the data has been loaded into DRAM. It almost looks like there might be a speck of 68k in there at $0200, but I don't know enough about either the Z80 or the SMD's internal workings to make an educated guess.

LocalH
Very interested
Posts: 152
Joined: Tue Dec 19, 2006 5:04 pm

Post by LocalH » Fri Dec 18, 2009 8:24 am

Hm, the more I look at this, the more I think this just loads the "upgrade" into RAM temporarily, rather than doing any sort of permanent upgrade. Here's the entirety of the code at $0200, before a shitton of FF bytes and the actual ROM:

Code: Select all

ROM:0000                 ld      hl, 0A000h
ROM:0003                 ld      de, 0C000h
ROM:0006                 ld      bc, 2000h
ROM:0009                 ldir
ROM:000B                 jp      0C020h
According to what I have been able to find, this type of file is actually what would be considered an SMD file containing Z80 code (hence why it's not interleaved), and the byte at $02 denotes that it's a BIOS program to load at $8000. That code just copies $2000 bytes from $A000-$BFFF to $C000-$DFFF, which correspond to the $2000 bytes at offset $2200 (surprisingly from this, the bytes from $1E00 to $21FF seem to be the duplication, and the ones at $3E00 seem to be the ones that boot code actually uses). This makes me think that it won't be so easy to try to use these other dumps in this upgrade fashion.

LocalH
Very interested
Posts: 152
Joined: Tue Dec 19, 2006 5:04 pm

Post by LocalH » Tue Dec 22, 2009 5:18 am

Ok, Charles got in touch with me and sent me his smdutil, and I dumped my unit's BIOS. Here's the binary.

In the ROM is the following text:

Code: Select all

*** MAGIC DOS V4 *** PRODUCT MANAGER: LMM, DEBUG ENGINEER: JUS, BIOS PROGRAMMER: JSI, ALL RIGHTS RESERVED, COPYRIGHT 1992 BY JSI, CHINA COACH COMPANY LTD., FRONT FAREAST CORPORATION. 10/26/92
10/26/92, but what's this? It identifies here as V4? On screen it identifies at v3.3:

Code: Select all

MAGIC DOS V-3.3
Weird. Anyway, feel free to spread this ROM as far as you want, just make sure it's credited as coming from my unit (it's kind of nice to see your handle associated with the release of relatively uncommon dumps like these =P).

tcdev
Interested
Posts: 35
Joined: Sun Oct 26, 2008 9:25 pm
Location: Sydney, Australia
Contact:

SMD BIOS Disassembly

Post by tcdev » Wed Jan 05, 2011 3:15 pm

Hey, does anyone know if there's a (commented) disassembly of the SMD BIOS floating around the net? I gather Charles McDonald has done at least part of the ROM whilst writing his technical document and the SMD utilities, but I don't see any release of the actual BIOS disassembly from him.

I started disassembly of the v3 BIOS tonight, but obviously it would save me a lot of duplicated effort if there was already something out there?

Why? 1. My SMD is broken and I suspect faulty DRAM. 2. Might look at implementing it in the FPGA Genesis! 3. For fun.

Charles MacDonald
Very interested
Posts: 292
Joined: Sat Apr 21, 2007 1:14 am

Re: Super Magic Drive research thread

Post by Charles MacDonald » Thu Jan 06, 2011 4:43 am

First of all, does anyone have a copy of Charles MacDonald's SMDUTIL?
If you can't find something on my website feel free to send me an e-mail (and/or a followup if I forget to respond). I do try to answer every e-mail I get.

Here's the current version with the DRAM test:

http://cgfm2.emuviews.com/zip/smdutil-080503-src.zip
http://cgfm2.emuviews.com/zip/smdutil-080503-dos.zip

To add to the broken link bonanza here's my other SMD documentation:

http://cgfm2.emuviews.com/txt/smdtech.txt
http://cgfm2.emuviews.com/txt/smdform.txt

As usual everything is out of date so watch out for errors and faulty assumptions.
This seems to be pointing towards the "DOS can be updated by disk (ala Kickstart image files)" feature listed on the Retro wiki. My question is, has anyone ever found any other such upgrade files, and also has anyone ever taken a look to find out exactly how this type of upgrade works, such that one could upgrade their own unit to one of the other BIOS dumps available?
I remember seeing advertisements for the disk upgrade only for the earliest SMD units that came out around the time of the Super Magicom, but not later. I assumed it was sort of a bug-fix thing for people with very old/buggy BIOSes. Like an "oops we goofed" thing rather than an enhancement.
I'd try merely replacing the 8K of data at $1E00 but I don't want to take a chance at bricking my unit.
Nah, you can't brick the unit, it uses a EPROM to store the BIOS and the BIOS data is loaded in memory and lost as soon as the power is turned off. It's impossible to permanently upgrade the unit through a disk program, so don't worry about that.

I've gotten a lot of emails about people trying to fix their units and nobody has had one with an EEPROM or anything in it that could be altered. If you don't want to take any chances you could open it and check -- maybe replace the 3.3V battery which tends to get leaky by now too.

Charles MacDonald
Very interested
Posts: 292
Joined: Sat Apr 21, 2007 1:14 am

Re: SMD BIOS Disassembly

Post by Charles MacDonald » Thu Jan 06, 2011 5:11 am

My disassembly was for the "MAGIC DOS V-3.3" BIOS and it's pretty incomplete. I only went far enough to see how the PC<->SMD commands work. The 'smdtech.txt' file I linked to above describes the command in more detail.

I've pasted the relevant parts here. "getbyte" and "sendbyte" are the routines that talk to the LPT port. Sorry, I had hoped I had done more but this is pretty much worthless.

EDIT: If it is too spammy to have all this code listed, let me know and I'll do something about it.

Code: Select all

disp_exit:         
    ret                    ; 00197F C9

;----------------------------------------------------------------------------
; comms dispatch
;----------------------------------------------------------------------------

; Check ID0
    call   pio_getbyte     ; 001980 CD 6B 1A
    cp     $d5             ; 001983 FE D5 
    jr     nz, disp_exit   ; 001985 20 F8

; Check ID1
    call   pio_getbyte     ; 001987 CD 6B 1A 
    cp     $aa             ; 00198A FE AA 
    jr     nz,$1983        ; 00198C 20 F5

; Check ID2
    call   pio_getbyte     ; 00198E CD 6B 1A 
    cp     $96             ; 001991 FE 96 
    jr     z,$1998         ; 001993 28 03
    jp     $1a56           ; 001995 C3 56 1A

; Get command string
; DF00-DF04 = String
; D         = Checksum
;
    ld     d,$81           ; 001998 16 81
    ld     hl,$df00        ; 00199A 21 00 DF
    ld     b,$05           ; 00199D 06 05
    call   pio_getbyte     ; 00199F CD 6B 1A 
    ld     (hl),a          ; 0019A2 77 
    inc    l               ; 0019A3 2C 
    xor    d               ; 0019A4 AA 
    ld     d,a             ; 0019A5 57 
    djnz   $199f           ; 0019A6 10 F7

; Get checksum, if equal continue 
    call   $1a66           ; 0019A8 CD 66 1A
    jr     z,$19b0         ; 0019AB 28 03 
    jp     $1a56 ; bad xor ; 0019AD C3 56 1A

; Command dispatch begin
;
; DF00 = Command (db)
; DF01 = HL parameter (dw)
; DF03 = BC parameter (dw)
;
    ld     hl,($df01)      ; 0019B0 2A 01 DF
    ld     bc,($df03)      ; 0019B3 ED 4B 03 DF 
    ld     a,($df00)       ; 0019B7 3A 00 DF 
    cp     $00             ; 0019BA FE 00 
    jr     nz,$19d1        ; 0019BC 20 13

;----------------------------------------------------------------------------
; COMMAND $00 - Download memory
; 00 ll hh ll hh
;    addr  size
; hl = mem to read from 
; bc = length
;----------------------------------------------------------------------------
    ld     d,$81           ; 0019BE 16 81 
    call   pio_getbyte     ; 0019C0 CD 6B 1A 
    ld     (hl),a          ; 0019C3 77 
    xor    d               ; 0019C4 AA 
    ld     d,a             ; 0019C5 57 
    cpi                    ; 0019C6 ED A1 
    jp     pe,$19c0        ; 0019C8 EA C0 19
    call   $1a66           ; 0019CB CD 66 1A 
    jp     $1a5a           ; 0019CE C3 5A 1A

;----------------------------------------------------------------------------
; COMMAND $01 - Upload memory
;----------------------------------------------------------------------------
    cp     $01             ; 0019D1 FE 01 
    jr     nz,$19f2        ; 0019D3 20 1D 
    ld     d,$81           ; 0019D5 16 81 
    ld     a,(hl)          ; 0019D7 7E 
    ld     e,a             ; 0019D8 5F 
    xor    d               ; 0019D9 AA 
    ld     d,a             ; 0019DA 57 
    ld     a,e             ; 0019DB 7B 
    call   pio_sendbyte    ; 0019DC CD 76 1A 
    cpi                    ; 0019DF ED A1 
    jp     pe,$19d7        ; 0019E1 EA D7 19 
    ld     a,d             ; 0019E4 7A 
    call   pio_sendbyte    ; 0019E5 CD 76 1A 
    ld     a,($2003)       ; 0019E8 3A 03 20 
    bit    7,a             ; 0019EB CB 7F 
    jr     nz,$19e8        ; 0019ED 20 F9 
    jp     $1a60           ; 0019EF C3 60 1A

;----------------------------------------------------------------------------
; COMMAND $02 - Upload VRAM
;----------------------------------------------------------------------------
    cp     $02             ; 0019F2 FE 02 
    jr     nz,$1a16        ; 0019F4 20 20 
    in     a,($bf)         ; 0019F6 DB BF 
    ld     a,($df01)       ; 0019F8 3A 01 DF 
    out    ($bf),a         ; 0019FB D3 BF 
    ld     a,($df02)       ; 0019FD 3A 02 DF 
    out    ($bf),a         ; 001A00 D3 BF 
    ld     d,$81           ; 001A02 16 81 
    call   pio_getbyte     ; 001A04 CD 6B 1A 
    out    ($be),a         ; 001A07 D3 BE 
    xor    d               ; 001A09 AA 
    ld     d,a             ; 001A0A 57 
    cpi                    ; 001A0B ED A1 
    jp     pe,$1a04        ; 001A0D EA 04 1A 
    call   $1a66           ; 001A10 CD 66 1A 
    jp     $1a5a           ; 001A13 C3 5A 1A

;----------------------------------------------------------------------------
; COMMAND $03 - Download VRAM
;----------------------------------------------------------------------------
    cp     $03             ; 001A16 FE 03 
    jr     nz,$1a44        ; 001A18 20 2A 
    in     a,($bf)         ; 001A1A DB BF 
    ld     a,($df01)       ; 001A1C 3A 01 DF 
    out    ($bf),a         ; 001A1F D3 BF 
    ld     a,($df02)       ; 001A21 3A 02 DF 
    out    ($bf),a         ; 001A24 D3 BF 
    ld     d,$81           ; 001A26 16 81 
    in     a,($be)         ; 001A28 DB BE 
    ld     e,a             ; 001A2A 5F 
    xor    d               ; 001A2B AA 
    ld     d,a             ; 001A2C 57 
    ld     a,e             ; 001A2D 7B 
    call   pio_sendbyte    ; 001A2E CD 76 1A 
    cpi                    ; 001A31 ED A1 
    jp     pe,$1a28        ; 001A33 EA 28 1A 
    ld     a,d             ; 001A36 7A 
    call   pio_sendbyte    ; 001A37 CD 76 1A 
    ld     a,($2003)       ; 001A3A 3A 03 20 
    bit    7,a             ; 001A3D CB 7F 
    jr     nz,$1a3a        ; 001A3F 20 F9 
    jp     $1a60           ; 001A41 C3 60 1A 

;----------------------------------------------------------------------------
; COMMAND $04 - Exec (HL)
; 04 ll hh xx xx
;    exec
;----------------------------------------------------------------------------
    cp     $04             ; 001A44 FE 04
    jr     nz,$1a49        ; 001A46 20 01 
    jp     (hl)            ; 001A48 E9

;----------------------------------------------------------------------------
; COMMAND $05 - Set DRAM/ROM page
; 05 dd xx xx xx
;----------------------------------------------------------------------------
    cp     $05             ; 001A49 FE 05
    jr     nz,$1a56        ; 001A4B 20 09 
    ld     a,($df01)       ; 001A4D 3A 01 DF 
    ld     ($2000),a       ; 001A50 32 00 20 
    jp     $1a60           ; 001A53 C3 60 1A

;----------------------------------------------------------------------------
; Invalid command handler
;----------------------------------------------------------------------------
; Set DF05 to $01 and exit
    ld     a,$01           ; 001A56 3E 01
    jr     $1a62           ; 001A58 18 08

    jr     z,$1a60         ; 001A5A 28 04 
    ld     a,$02           ; 001A5C 3E 02 
    jr     $1a5c           ; 001A5E 18 FC

    ld     a,$00           ; 001A60 3E 00 
    ld     ($df05),a       ; 001A62 32 05 DF 
    ret                    ; 001A65 C9

    call   pio_getbyte     ; 001A66 CD 6B 1A 
    xor    d               ; 001A69 AA 
    ret                    ; 001A6A C9

KanedaFr
Administrateur
Posts: 1139
Joined: Tue Aug 29, 2006 10:56 am
Contact:

Post by KanedaFr » Thu Jan 06, 2011 8:05 am

perfect!
I was about to start my SMD USB project, exactly what I needed ;)

thanks

tcdev
Interested
Posts: 35
Joined: Sun Oct 26, 2008 9:25 pm
Location: Sydney, Australia
Contact:

Post by tcdev » Thu Jan 06, 2011 8:32 am

KanedaFr wrote:I was about to start my SMD USB project, exactly what I needed ;)
You too? ;)

KanedaFr
Administrateur
Posts: 1139
Joined: Tue Aug 29, 2006 10:56 am
Contact:

Post by KanedaFr » Thu Jan 06, 2011 9:05 am

oh oh!
Got a lot of others things planned so if you're able to send data from USB(PC) to Parallel(SMD), I'll let you do it ;)

What I planned :
- use a Teensy for easy update and already working usb support
- simulate SPP
- add SMD USB support to Ucon64 and/or Charles SMD utils and/or Alpha II's RBDutils

I'm pretty sure it's "easy" for anyone with basic electronics knowledge ... harder for newbie like me
I planed to learn some basics with this, and so use a lot of times I won't use for others projects...

tcdev
Interested
Posts: 35
Joined: Sun Oct 26, 2008 9:25 pm
Location: Sydney, Australia
Contact:

Post by tcdev » Thu Jan 06, 2011 10:20 am

KanedaFr wrote:Got a lot of others things planned so if you're able to send data from USB(PC) to Parallel(SMD), I'll let you do it ;)
I've got about 73 other projects planned too! :(

I wasn't going to do a 'commercial release'. I have an existing PCB with a USB chip and I/O I was going to use as a parallel-port emulator of sorts - provided the I/O is 5V tolerant (it may not be, I'll have to check). Then modify ucon64 to work via USB...

But it's a grand plan for the future, not in any immediate time-frame.

I suggest you press on with yours!

KanedaFr
Administrateur
Posts: 1139
Joined: Tue Aug 29, 2006 10:56 am
Contact:

Post by KanedaFr » Thu Jan 06, 2011 11:03 am

:lol:

You'll need to wait February, until I'll get some money to buy the last parts (and pay the bill for spritesmind hosting)

Damn, first month of the year is always hard with all these bills!!

tcdev
Interested
Posts: 35
Joined: Sun Oct 26, 2008 9:25 pm
Location: Sydney, Australia
Contact:

SMD BIOS Disassembly

Post by tcdev » Thu Jan 06, 2011 12:32 pm

I'm working my way through the disassembly of the SMD BIOS.

Some extra info:

$200B: FDC Control??? (WO)
$200C: FDC Data register (R/W)
$200D: FDC Status register (RO)
$200E: FDC output port??? (WO)

I've found the WRITE DATA and FORMAT TRACK routines... more to come as I learn more...

tcdev
Interested
Posts: 35
Joined: Sun Oct 26, 2008 9:25 pm
Location: Sydney, Australia
Contact:

More Disassembly WIP

Post by tcdev » Thu Jan 06, 2011 10:31 pm

Got two of the FDC registers back-to-front:

$2009: FDC input port??? (RO)
$200B: FDC output port (WO)
$200C: FDC Data register (R/W)
$200D: FDC Status register (RO)
$200E: FDC Control (WO)

Also, ports $BE,$BF are used for VDP access... more details to come.

I've done ~20-25% of the code now. Mostly the disk routines. Still yet to find the routine for reading the controller.

Chilly Willy
Very interested
Posts: 2984
Joined: Fri Aug 17, 2007 9:33 pm

Post by Chilly Willy » Fri Jan 07, 2011 12:03 am

Look at the IO for a "standard" PC FDC:
http://hackipedia.org/Platform/x86/FDC% ... tput_ports

The FDC itself only has two ports - the ones at 3f4 and 3f5. The port at 3f2 is a GPIO port in the mobo chipset used to control things like the motor lines and select lines.

Now look at how this thingy does things... does it look like two registers are the FDC and the others are just GPIOs for misc stuff? If not, it must be a custom FDC. Speaking of which, has anyone taken one apart to see what controller is in this thing?

tcdev
Interested
Posts: 35
Joined: Sun Oct 26, 2008 9:25 pm
Location: Sydney, Australia
Contact:

Post by tcdev » Fri Jan 07, 2011 12:13 am

Chilly Willy wrote:If not, it must be a custom FDC. Speaking of which, has anyone taken one apart to see what controller is in this thing?
It's a Motorola MCS3201 FDC controller. I have the datasheet. The only confusion is the address mapping for the registers - they're not at "expected" addresses. I've already commented a lot of the disk routines, so no mystery there...

Address $2009 is some general input, which is probably done via the FDC digital input register. This is normally connected to drive hardware, but the example in the application note does not gel with the code usage.

Post Reply