UMDK manufacturing, part 2: Software

[Montserrat]

Tried to load a game with LA1 in Pal-1 asian JP REGION. Streets of rage 1, it has no regionlock.

Im not sure if syntax to load game was correct,( loader -v 1d50:602b -w sor.bin:0002 ) seems it wrote to sram but nothing happened, black screen.

Code: Select all

fran@debian:~$ flcli -v 1d50:602b -p J:A7A0A3A1:la.xsvf
Attempting to open connection to FPGALink device 1d50:602b...
Connected to FPGALink device 1d50:602b (firmwareID: 0xFFFF, firmwareVersion: 0x20140311)
Programming device...
fran@debian:~$ loader -v 1d50:602b -w sor.bin:0002
UMDKv2 Loader Copyright (C) 2014 Chris McClelland

Writing SDRAM...
fran@debian:~$ 

Also tried LA2 and no LA at all, but it gets stuck into "Writing SDRAM..." and never ends.

[prophet36]

Im not sure if syntax to load game was correct

I explained how to do it here.

As I said previously, these modified 1st-stage bootloaders in la.xsvf and la2.xsvf are not meant to do anything useful, they're just there to allow us to verify basic operation. The la-Pal-1-JP.bin file looks good, so try cold-booting your console (i.e just let it boot from flash) in that configuration, and then loading a game as described above, saving the trace.log and using logread to see if it's doing something sane.

It would be very helpful if you could spend some time learning what these commands I'm giving you actually do, and how to interpret the output. I'm happy to answer questions about what the various commands and options do, but I'd prefer it if we could get beyond me telling you precisely what commands to type, and then analysing the results for you. For example, the command you typed "loader -v 1d50:602b -w sor.bin:0002" loads the contents of sor.bin at address 0x000002 (I don't know why you'd want to do that), but does nothing to the MD's RESET (you need the -x option to control RESET). All of these commands have help-screens, which you will hopefully find helpful:

Code: Select all

$ loader -h
UMDKv2 Loader Copyright (C) 2014 Chris McClelland

Usage: loader [-crqh] [-i <VID:PID>] -v <VID:PID> [-p <progConfig>]
          [-r <file:addr>] [-w <file:addr:len>]

Load FX2LP firmware, load the FPGA, interact with the FPGA.

  -i <VID:PID>       initial vendor and product ID of the FPGALink device
  -v <VID:PID>       renumerated vendor and product ID of the FPGALink device
  -p <progConfig>    configuration and programming file
  -w <file:addr>     write data at the given address
  -r <file:addr:len> read data from the given address
  -c <file:addr>     compare the file with what's at the given address
  -x <0|1|2>         choose 0->reset, 1->execute, 2->reset then execute
  -t <traceFile>     save execution trace
  -h                 print this help and exit
$

[Montserrat]

I'm trying hard, Chris.

I did not read the load game part because i got stuck in the gdb-bridge integration tests, neither worked for me, so i skipped that part.

Code: Select all

fran@debian:~$ loader -w sonic2.bin:0 -x 2 -t tsonic.bin

Tried to load a game in cold same results.

then i did using LA1 first, got this trace file. It is in the LA1 > pal asian > JP folder:

https://mega.nz/#F!rYcmibgJ!LSoq-rsXDk- ... w!6R9gzKoZ



Also some bits of information about TMSS, may be the Big endian string? font: (http://segaretro.org/TradeMark_Security_System):

In order for software to run on a Mega Drive/Genesis with a TMSS built in, the software must do two things:

1. have either the longword whose bytes represent ASCII string "SEGA" in big endian[/size] at ROM address $100 OR the five bytes " SEGA" at the same address — this is checked by the TMSS ROM and is the source of the "Produced By or Under License From Sega Enterprises Ltd." message.

2. write a long word containing "SEGA" (all caps) to address $A14000 before accessing the VDP data port ($C00000). If the game fails to do this, the next VDP data port access will cause the 68000 to lock up — this is done by the I/O controller.

The sample code in the official programmer documentation has this part skipped on boards that report themselves as revision 0 (byte at $A10001 & $F); the effect of doing this write on a revision 0 board is unknown.

[prophet36]

So by "same results", you mean the trace.log ends up empty?

Try repeating exactly the same thing you did to get la-Pal-1-JP.bin. Try running the resulting .bin file through WaveDrom. Do you see the correct sequence of reads interleaved with the writes to 0x3E? Or do you see some kind of stall happening? What about if you run the insn-trace.xsvf in the same console configuration? Does the trace log still come out empty? If it's not empty, if you run it through logread, does it show a sensible sequence of instruction-fetches?

Another thing we can try to eliminate the possibility that we're doing TMSS incorrectly is to turn off the 1st-stage bootloader altogether, meaning the MD cannot boot standalone at all, and must have code loaded over USB. For this purpose I built a noboot.xsvf design, which starts up with the SDRAM mapped in and the MD in RESET. Then I can load sonic1.bin and start it running:

Code: Select all

$ wget -q http://www.swaton.ukfsn.org/umdkv2/noboot.xsvf
$ wget -q http://www.swaton.ukfsn.org/umdkv2/sonic1.bin
$ flcli -v 1d50:602b -p J:A7A0A3A1:noboot.xsvf
Attempting to open connection to FPGALink device 1d50:602b...
Connected to FPGALink device 1d50:602b (firmwareID: 0xFFFF, firmwareVersion: 0x20140311)
Programming device...
$ loader -v 1d50:602b -w sonic1.bin:0 -x 2 -t trace.log
UMDKv2 Loader Copyright (C) 2014 Chris McClelland

Putting MD in reset...
Writing SDRAM...
Releasing MD from reset...
Dumping execution trace to trace.log
..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^C.......................................................................................................................................................................................................................
Caught SIGINT, quitting...
$ logread sonic1.bin trace.log | head -32
                   0 C RD 000000 00FF 00FF
                  38 C RD 000002 FE00 FE00
                  63 C RD 000004 0000 0000
                  89 C RD 000006 0206 0206
                 114 C RD 000206 4AB9 4AB9
                 152 C RD 000208 00A1 00A1
                 177 C RD 00020A 0008 0008
                 202 C RD 00020C 6606 6606
                 240 C RD A10008 0000 XXXX
                 266 C RD A1000A 0000 XXXX
                 278 C RD 00020E 4A79 4A79
                 329 C RD 000210 00A1 00A1
                 354 C RD 000212 000C 000C
                 379 C RD 000214 667C 667C
                 417 C RD A1000C 0000 XXXX
                 430 C RD 000216 4BFA 4BFA
                 480 C RD 000218 007C 007C
                 506 C RD 00021A 4C9D 4C9D
                 531 C RD 00021C 00E0 00E0
                 556 C RD 00021E 4CDD 4CDD
                 581 C RD 000294 8000 8000
                 607 C RD 000296 3FFF 3FFF
                 632 C RD 000298 0100 0100
                 657 C RD 00029A 00A0 00A0
                 682 C RD 000220 1F00 1F00
                 708 C RD 000222 1029 1029
                 733 C RD 00029A 00A0 00A0
                 771 C RD 00029C 0000 0000
                 796 C RD 00029E 00A1 00A1
                 821 C RD 0002A0 1100 1100
                 847 C RD 0002A2 00A1 00A1
                 872 C RD 0002A4 1200 1200
$ ${HOME}/x-tools/m68k-megadrive-elf/bin/dis68 sonic1.bin 0x206 16
0x000206  tst.l 0xA10008
0x00020C  bne.s 0x214
0x00020E  tst.w 0xA1000C
0x000214  bne.s 0x292
0x000216  lea 0x294(pc), a5
0x00021A  movem.w (a5)+, d5-d7
0x00021E  movem.l (a5)+, a0-a4
0x000222  move.b -4351(a1), d0
0x000226  andi.b #15, d0
0x00022A  beq.s 0x234
0x00022C  move.l #1397049153, 12032(a1)
0x000234  move.w (a4), d0
0x000236  moveq #0, d0
0x000238  movea.l d0, fp
0x00023A  move.l fp, usp
0x00023C  moveq #23, d1
$

This "dis68" command is a simple disassembler; you can use it to follow the trace log. Does it make sense to you? Do you understand why the trace log shows reads of addresses 0, 2, 4, 6, then 0x206, 0x208, 0x20A, 0x20C, 0xA10008, 0xA1000A, 0x20E, etc?

Also, do you understand the difference between the la.bin traces and the regular UMDK trace-log like the one from Sonic above? I'm happy to explain this stuff if need be, but I don't want to wear out my keyboard if you already understand what's going on!

[Montserrat]

EDITED: continue reading

[Montserrat]

But before getting into that i was researching some more about the TMSS, seems that writing into 0xA14000 may cause crash if there is not TMSS present. Also got expanded comented code for TMSS, its interesting because seems to be 2 diferent test, i was not aware of that...check it,jump to test_cart label:

http://wiki.megadrive.org/index.php?title=TMSS

Gonna try to answer some questions, i've discovered that i was doing someting wrong in the sequence "plug usb, turn on MD, turn off, etc..." i'm idiot thats it.

I have now, build.log, trace.log, insn-trace.log, sonic's game trace.log and his .json file for WaveDrom. (game still not loading btw)

Ok, here we go...

Try repeating exactly the same thing you did to get la-Pal-1-JP.bin.

I need to program la.xsvf first. if i dont, cant do any trace, except for ins-trace.log.

What about if you run the insn-trace.xsvf in the same console configuration? Does the trace log still come out empty? If it's not empty, if you run it through logread, does it show a sensible sequence of instruction-fetches?

Yes, finally managed to obtain that log, and it seems to make sense. You can peek this, and other logs at:

https://mega.nz/#F!HclyCabb!GX3QSSoRyBDSP85WOsLtjw

Try running the resulting .bin file through WaveDrom. Do you see the correct sequence of reads interleaved with the writes to 0x3E? Or do you see some kind of stall happening?

I have generated the la.bin .json file, in the above link, but I dont know how to read / understand those diagrams its out of my reach im sorry.

For this purpose I built a noboot.xsvf design, which starts up with the SDRAM mapped in and the MD in RESET. Then I can load sonic1.bin and start it running:

Using noboot.xsvf instead of la.xsvf turns into a stall, i dont get the "...". Using the la.xdvf give me the same log and same dissasembly you've posted above.

This "dis68" command is a simple disassembler; you can use it to follow the trace log. Does it make sense to you? Do you understand why the trace log shows reads of addresses 0, 2, 4, 6, then 0x206, 0x208, 0x20A, 0x20C, 0xA10008, 0xA1000A, 0x20E, etc?

Those addresses are the ones the Program counter stores? i can recognize 0xA10008, 0xA1000A, those are for checking the controller ports i think. So its performing the console initialization?

Also, do you understand the difference between the la.bin traces and the regular UMDK trace-log like the one from Sonic above? I'm happy to explain this stuff if need be, but I don't want to wear out my keyboard if you already understand what's going on!

Mmm... im not sure, better to get an explanation (easy one xD)

[mikejmoffitt]

Unfortunately my TMSS-free Genesis is in storage and won't be available for about a month. If it's still helpful later on, then I'll see what difference it makes.

[prophet36]

Yes, finally managed to obtain that log, and it seems to make sense.

There's a very interesting thing going on in this log. Can you spot it?

Code: Select all

  0 C RD 000000 00FF 00FF
 38 C RD 000002 CAFE CAFE
 63 C RD 000004 0000 0000
 88 C RD 000006 0008 0008
113 C RD 000008 41F9 41F9
151 C RD 00000A 00FF 00FF
177 C RD 00000C 0000 0000
202 C RD 00000E 7000 7000
227 C RD 000010 3140 3140
252 C RD 000012 003E 003E
278 C RD 000014 2200 2200
311 C WB DF003E 0000 XXXX

This trace corresponds to the execution of this code:

Code: Select all

                            .text
                            .org    0x000000
0000 00FF CAFE       test:  dc.l    0xFFCAFE       /* Initial SSP */
0004 0000 0008              dc.l    0x000008       /* Initial PC */
0008 41F9 00FF 0000         lea     0xFF0000, a0
000e 7000                   moveq   #0, d0         /* Initialize D0 to zero */
0010 3140 003E       1:     move.w  d0, 0x3e(a0)   /* Save D0 to addr 0xFF003E */
0014 2200                   move.l  d0, d1         /* Run inner loop D0+1 times */

Notice that the first instruction loads the effective address 0xFF0000 into register a0. The third instruction writes a word to 0x3e(a0). So what we expect to see in the trace log is a sequence of fetches from addresses 0x0, 0x2, ... 0x14 (sequentially because there are no branch instructions). And we expect to see a write to 0xFF003E (i.e 0xFF0000 + 0x3E). Naively you might expect the write to come right after the write instruction ("move.w d0, 0x3e(a0)"), but you'll notice in your trace log the write actually comes a bit later. This is because the 68000 has a pipelined architecture. But the important thing to notice is that the address of the write is 0xDF003E, which is absurd because 0xFF0000 + 0x3E is obviously not 0xDF003E. This means that the fetch from address 0x00000A at timestamp 151 erroneously read 0x00DF, instead of 0x00FF. It means that, like Burbruee, you have at least one bad connection, on the D5 signal. Possibly more. Read through my previous suggestions for cleaning the cart-slot and the UMDK edge-connector (the thing which plugs into the console, not the connection between the LX9 board and the bridge-board), and try again.

I dont know how to read / understand those diagrams its out of my reach im sorry.

It's not that difficult to interpret. The MegaDrive+UMDK system is an example of digital electronics, where logical zeros and ones are physically represented by voltage levels (e.g 0V and +5V). A logic analyzer is a piece of equipment similar to an oscilloscope that can graph the behaviour of one or more signals in a digital system, with time on the horizontal axis. In our case, there is no external logic analyzer being used, there's just UMDK analyzing itself, allowing the state of three control signals (/OE, /LDSW and /UDSW) and five address lines (A[5:1]) to be sampled and sent over USB to the computer for analysis, resulting in these WaveDrom images. So you can think of time as a vertical line that sweeps from left to right of these timing diagrams drawn by WaveDrom.

You can find details about the 68000 bus operations here, but simplistically, the MegaDrive has two types of bus operation: reads and writes.

On a read operation, the address lines A[23:1] are driven with the binary representation of the address to be read, then the /OE ("output enable") signal goes low (it's "active" when it's low, and "inactive" when it's high). Under normal operation, the ROM in the game cart sees the address change, and some time afterwards, it responds on the data lines D[15:0] with the word stored at that address. When /OE goes high again, the MegaDrive looks at the binary value represented on the data lines, and uses that to complete the read:



On a write operation, the address lines A[23:1] are driven with the binary representation of the address to be written to, and the data lines D[15:0] are driven with the binary representation of the data to be written. Then, sometime later, one or the other or both of the /LDSW and /UDSW signals go low, signalling a write (this is why there is no A0 signal: writes to the "upper" byte strobe /UDSW whereas writes to the "lower" byte strobe /LDSW, and writes to the whole word strobe both):



The /OE, /LDSW, /UDSW and A[23:1] lines are all unidirectional: they are always driven by the MegaDrive and read by the cartridge ROM, whereas the data lines are bidirectional: data sometimes flows in one direction, sometimes in the other, but never both at the same time, a bit like a civilised phone conversation.

It would be nice if we could sample all these signals (23 address lines, 16 data lines, three control lines), but the UMDK's FPGA is only a small, cheap one (~$9), and the USB link is limited to about 42MiB/s. So the la.xsvf design makes a compromise: it samples /OE, /LDSW, /UDSW and five address lines A1-A5, making one byte of data, each of which ends up in the la.bin file on your computer. The FPGA makes 48,000,000 such samples of these signals every second, resulting in the WaveDrom files you've been looking at. You can't see the data being read or written, but you can see what the control signals are doing, and what the least-significant five bits of the address is doing, and if you know what code is being executed, you can get a pretty good idea of what's going on at the electrical level on the cart slot.

I guess this is what I meant when I said "you will probably need to learn at least some electronics if you're going to get your cart working"!

Those addresses are the ones the Program counter stores?

When the 68000 comes out of RESET, it reads a 32-bit value (two 16-bit reads, high word then low word) from address 0x000000, and loads it into the Supervisor Stack Pointer SSP (i.e register a7 when in supervisor mode). Then it reads a 32-bit value (two 16-bit reads, high then low) from address 0x000004, and loads it into the Program Counter PC, and then starts executing from there. In the case of Sonic 1, the initial PC is 0x000206, so after reading words from addreses 0, 2, 4 & 6, the next sequence of reads is from 0x000206, 0x000208, etc. The first instruction "tst.l 0xA10008" triggers a read of the longword at 0xA10008, which is executed as two word-wide reads from 0xA10008 and then 0xA1000A. These are "data" reads, as opposed to the others, which are instruction fetches. The data reads appear later than you might expect, because of the pipelining in the CPU.

im not sure, better to get an explanation

I think I've covered in the above text most of the details of the difference between the two types of trace logs. Each byte in the binary trace you get from running la.xsvf represents a sample of the /OE, /LDSW, /UDSW and A[5:1] signals. You get 48,000,000 such samples per second, irrespective of whether anything interesting is happening to those signals. The normal trace logs on the other hand are gathered by looking at the running CPU: a 9-byte record of all 23 address lines, all 16 data lines, and IIRC four control signals is sent over USB whenever the MegaDrive reads or writes: not just reads and writes to the cartridge region, but all[*] reads and writes in the system. Unfortunately, if the CPU stops executing (e.g it hits a double bus error, or it tries to access a region of the memory-map without automatic DTACK generation), there will no longer be any bus activity, and the current block of trace data never gets sent, and your trace operation hangs, forcing you to power off the MegaDrive. I'm fairly sure this is happening because of a bad connection somewhere, probably due to tarnished connectors on the cart slot.

I hope this helps you understand what's going on a little better.

[*]Actually, at least on the MD2, reads from onboard RAM (0xFF0000-0xFFFFFF) are not visible for some reason.

[MintyTheCat]

I can help with any testing and checking that needs to be done.

Ok, you need to check all your pins but check first again this:

0xFF0000 + 0x3E is obviously not 0x

24,20,16,12,8,4,
D,F,0,0,3,E <----------- actual
F,F,0,0,3,E <----------- expected

68K's external Address-Bus is A23-A01

23,22,21
A 1010
B 1011
C 1100
D 1101
..
F 1111

Your pin A22 looks like it has issues.

You could do with having a scope that you can see how the pin responds to signals injected.

Also, you need to subject your pins from the LX9 side to the stimulus and check to see how clean your signals are, then try the Bridge board from the MD cart connector side to the LX9 interface side, then repeat again your tests from the MD side to the LX9 side and the other way around.

I am not sure how much experience and knowledge you have wrt electronics, Montserrat but let's work things through from what we know and do not know - from that trace-log (which are bloody useful I can tell) we see the issue. One standard test is to repeatedly send 0x55.. and 0xAA.. for as many lines as you need to check and usually an issue appears.

Can you get us decent photos or the connections?

Anything I can do from my side, Chris?

[prophet36]

Your pin A22 looks like it has issues.

That's a good point. I assumed it was the instruction operand (for lea 0xFF0000, a0) which was being read incorrectly because of a bad D5 connection, but D5 suddenly starts working OK consistently after that, which is suspect. I think you may be right about A22. I can modify the FPGA boot ROM to write to 0x201000 repeatedly and then we can see if the trace sees 0x001000 instead.

[MintyTheCat]

I'm well outside my comfort-zone with the TMSS stuff, so we may have to ask someone with a bit more knowledge of it.

This is what you need to do to be compatible with first editions and later revisions:

Code: Select all

;#####################################
;	[MD Version-Number]
;#####################################

DL_Sys_IO_VersionNum:		equ	$A10000

....

DL_Sys_TMSS_ChkTMSS:
	move.W	DL_Sys_IO_VersionNum,d0
	andi.B	#$F,d0
	beq.s	DL_Sys_TMSS_ChkTMSS_Exit
	move.L	#'SEGA',DL_Sys_TMSS_TMSSWAddr
DL_Sys_TMSS_ChkTMSS_Exit:

You also need to configure some other peripherals too including the Z80 and the PSG - worry not about the 2612.
How are you people configuring the MD at cold and warm boot?

Can you show me your config please?

Something like this is fine and works:

Code: Select all

AXL_Sys_StdMDSetupValues_VDP:
	dc.b $00		; 0: H-Int: OFF, display: ON.
	dc.b $44		; 1: V-Int: OFF, screen blank: OFF, DMA: OFF, V28 mode (40 cells vertically), MD mode: ON.
	dc.b ($C000>>10)	; 2: Pattern table for Scroll Plane A at 0xC000.
	dc.b ($1000>>10)	; 3: Pattern table for Window Plane at 0x10000.
	dc.b ($A000>>13)	; 4: Pattern table for Scroll Plane B at 0xA000.
	dc.b ($E000>>9)		; 5: Sprite table at 0xE000.
	dc.b $00		; 6: Unused
	dc.b (($3<<4)|($F))	; 7: Background colour: palette=3, colour=$F.
	dc.b $00		; 8: Unused
	dc.b $00		; 9: Unused
	dc.b $00		; 10: Frequency of H-Int in Rasters.
	dc.b $00		; 11: Ext-Int: OFF, V-Scroll: fullscreen, H-Scroll: fullscreen.
	dc.b $81		; 12: Shadow/HiLight Mode: OFF, Interlace: OFF, H40 mode (64 cells horizontally).
	dc.b ($D000>>10)	; 13: Horiz. scroll table at 0xD000.
	dc.b $00		; 14: Unused
	dc.b $00		; 15: Auto-Increment: OFF.
	dc.b $01		; 16: Vert-Scroll 32, Horiz-Scroll 64.
	dc.b $00		; 17: Window Plane X pos 0 left.
	dc.b $00		; 18: Window Plane Y pos 0 up.
	dc.b $00		; 19: DMA length Low-Byte.
	dc.b $00		; 20: DMA length High-Byte.
	dc.b $00		; 21: DMA Source-Address Low-Byte.
	dc.b $00		; 22: DMA Source-Address Mid-Byte.
	dc.b $00		; 23: DMA Source-Address High-Byte, Memory-to-VRAM mode.

Init should be carried as:

Code: Select all

	lea	AXL_Sys_StdMDSetupValues_Z80,a0
	lea	AXL_CntlZ80_Z80_RAM_Base,a1
	moveq	#42,d0
	
DL_Sys_Init_InitMD_Z80Init_Loop:
	move.B	(a0)+,(a1)+
	dbf	d0,DL_Sys_Init_InitMD_Z80Init_Loop

	move.W	#$0000,AXL_CntlZ80_Z80_Reset			; Release Z80 from Reset State and start the Z80.
	move.W	#$0000,AXL_CntlZ80_Z80_BusReq			; Yield control of the Z80-Bus.

Any questions?

[prophet36]

The code we're testing is in this post. The TMSS thing is stolen directly from an Activision game (Altered Beast, perhaps?). I don't think any other init is strictly necessary for the 68000 to run, right?

[MintyTheCat]

The code we're testing is in this post. The TMSS thing is stolen directly from an Activision game (Altered Beast, perhaps?). I don't think any other init is strictly necessary for the 68000 to run, right?

NO! Do not bloody trust Altered-Beast! You just failed SEGA Megadrive 101 History - Chris - AB was the first MD title and it was made by SEGA - who had not added the TMSS security scheme at that time I know you are not a big SEGA fanboy, so we can let you off

You can get lockups and such according to the version of the MD Motherboard you are using - you will only see a blank screen and you will be puzzled as to why this is so.
The other big gotcha is not to enable the display - that gets a few people and even people who know what they are doing sometimes make this mistake

Please use the code I wrote earlier:

Code: Select all

;#####################################
;   [MD Version-Number]
;#####################################

DL_Sys_IO_VersionNum:      equ   $A10000

....

DL_Sys_TMSS_ChkTMSS:
   move.W   DL_Sys_IO_VersionNum,d0
   andi.B   #$F,d0
   beq.s   DL_Sys_TMSS_ChkTMSS_Exit
   move.L   #'SEGA',DL_Sys_TMSS_TMSSWAddr
DL_Sys_TMSS_ChkTMSS_Exit:

So if it is zero we do not write SEGA - as it was not required for the early revisions.
As such, later games are compatible with later revisions of the hardware if we test the location first. We are not writing the TMSS string every time - we are in fact *checking* to see if we need to write it first so we are cool for old and new using this approach.

You are meant to configure the PSG too - it has been so long that I have not ever done it differently but I do recall issues if you do not carry out this step.
Can someone chime in and help my memory: what happens when you do not config the PSG - recall that the PSG is built into the MD's VDP so you do it at the same time.

Let us run all tests from known, working hardware - version MD1, using known to work code as this will make the test start on an even footing.

I will generate the tests for you using a MD1 board tomorrow then we can check the logs that I get as I recall you only had a MD2, Chris and these chaps are using MD1 machines for their tests. As a rule, the MD1 is correct, the MD2 changed things a bit and the MD3 is different again.

Please use my code as this works.

I can throw something up tomorrow if you chaps are still struggling.

[prophet36]

Look again, my code is behaviourally identical to yours.

[MintyTheCat]

Look again, my code is behaviourally identical to yours.

Forgive my eyes - I was startled by the numbers and misses that.

Ok, this is not the issue then.

We have some work for Montserrat to do with checking his pins.

I need to work out if the config you are using is suitable before I can be sure though.