Sub-CPU Jump Addresses

Post by segaloco » Wed Dec 22, 2010 1:40 am

Okay, I've been disassembling the May 10, 1993 Sonic CD prototype for a while today, and I've been following along with the Rex Sabio documents to see what all the stuff does as I'm not familiar with the Sega CD nearly as much as I am with the Mega Drive. Anyway, I'm good on BIOS calls, but what would a jsr to $7880 or $7800 do? I can't seem to find that anywhere in these documents but I see it several times in the (either IP or SP code, still figuring that one out).

Also, here's some examples of what I've disassembled so far, tell me how I'm doing on accuracy of commenting.

usercall0:

INIT:
		lea	($FFFF8020).w,a0	; a0 -> Communication status
		moveq	#0,d0			; Clear	d0
		move.b	d0,-$11(a0)		; Clear	com from SubCPU	to MainCPU
		move.l	d0,(a0)+		; Clear	com status
		move.l	d0,(a0)+		; ""
		move.l	d0,(a0)+		; ""
		move.l	d0,(a0)+		; ""
		lea	startTNO,a0		; Tell system to read TOC
		move.w	#$10,d0			; move.w  #DRVINIT, d0	  ; BIOS_DRVINIT
		jsr	byte_333B+$2BE7		; jsr	  _CDBIOS

loc_1048:
		move.w	#$81,d0			; Check BIOS status
						; move.w  #CDBSTAT, d0	  ; BIOS_CDBSTAT
		jsr	byte_333B+$2BE7		; jsr	  _CDBIOS
		andi.b	#$F0,(byte_333B+$2B45).w ; andi.b  #$F0, (_CDSTAT).w
		bne.s	loc_1048
		andi.b	#$FA,($FFFF8003).w 	; Set memory	write DOWN mode
						; Main-CPU = WORD-RAM0 Sub-CPU = WORD-RAM1
		move.b	#0,($FFFF800F).w 	; Clear com from Sub-CPU to Main-CPU
		move.w	#0,d0			; d0 &=	0xFFFF0000
		jsr	(byte_333B+$4545).l

usercall3:
		rts

What I'm assuming is the entrypoint?

		move.l	#$FF063E,($FFFFFD08).w
		move.w	#HINT,(word_A12006).l ;	Set HINT to loc_FD0C
		move.l	#$FF0646,($FFFFFD0E).w
		bset	#1,(byte_A12003).l ; Swap request to SUB-CPU
		lea	(word_A12010).l,a0 ; a0	-> Communication Command
		moveq	#0,d0		; Clear	d0
		move.b	d0,-2(a0)	; Clear	Main-CPU communication flag
		move.l	d0,(a0)+	; Clear	communication command
		move.l	d0,(a0)+	; ""
		move.l	d0,(a0)+	; ""
		move.l	d0,(a0)+	; ""
		lea	MAINOS,a0	; a0 ->	MAINOS
		lea	($FF1000).l,a1	; a1 ->	MainOS_Addr
		move.w	#$4B,d7		; Size of MAINOS

LoadMAINOS:
		move.b	(a0)+,(a1)+	; Load MAINOS byte by byte to MAIN-CPU
		dbf	d7,LoadMAINOS	; ""
		jmp	byte_FF1000	; Run MAINOS

One of the file entries:

LEN_DR4:	dc.b 42			; ABS.TXT;1
ExtAttrRecLen4:	dc.b 0
LocExtent4:	dc.l $743E0000,	$3E74
DataLength4:	dc.l $39000000,	$39
Year4:		dc.b 93
Month4:		dc.b 5
Day4:		dc.b 10
Hour4:		dc.b 13
Minute4:	dc.b 19
Second4:	dc.b 12
TimeZone4:	dc.b 0
FileFlag4:	dc.b 0
FileUnitSize4:	dc.b 0
IntGapSz4:	dc.b 0
VolSeqNum5:	dc.l $1000001
LEN_FI4:	dc.b 9
FileIdent4:	dc.b 'ABS.TXT;1'

So yeah, long post is long, but if anyone could help I'd really appreciate it :wink:

Post by TascoDLX » Wed Dec 22, 2010 10:41 am

segaloco wrote: Anyway, I'm good on BIOS calls, but what would a jsr to $7880 or $7800 do? I can't seem to find that anywhere in these documents but I see it several times in the (either IP or SP code, still figuring that one out).

SP (subcpu boot code) loads to $6000, so it's probably right there. $7800 @ loc_2800, $7880 @ loc_2880, and so on.

segaloco wrote: Also, here's some examples of what I've disassembled so far, tell me how I'm doing on accuracy of commenting.

Okay.

		andi.b	#$FA,($FFFF8003).w 	; Set memory	write DOWN mode
						; Main-CPU = WORD-RAM0 Sub-CPU = WORD-RAM1

No, check those bits again. It's just setting 2M mode. I'd also point out that you can't effectively set up 'write down' mode without setting a bit (nor would you have any good reason to in the boot code, for that matter).

segaloco wrote: What I'm assuming is the entrypoint?

You are correct in that assumption.

For reference, the IP loads to $FF0000, beginning with the region boot code (i.e., Sega logo routine). But afterwards, that is where it starts. Note, your address alignment may be off by $200 because the disc headers aren't ever loaded (which is generally why I disassemble the IP and SP separately).

You can determine the starting point based on the region: US discs start at $FF0584, JP discs start at $FF0156, EU discs start at $FF056E. But, it's easy enough just to look for the branch in the region code.

		bset	#1,(byte_A12003).l ; Swap request to SUB-CPU

It gives up wordram to the subcpu. The "swap request" feature works with bit 0, not bit 1, but its usefulness is quite suspect at any rate.

segaloco wrote: One of the file entries:

Straight from the CDFS/ISO9660 directory. Way too much information for my taste. If I needed the sector numbers for a particular file, I'd probably just load the ISO into CDmage or UltraISO or whatever.
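
Added example, not part of either post: a small Python decoder for the ISO9660 directory record listed in the first post, which checks that the little-endian and big-endian copies of each number agree before trusting the sector number. The function names are made up for this example, and the byte offset assumes a plain 2048-byte-per-sector .iso image.

```python
SECTOR_SIZE = 2048  # assumption: plain .iso image, 2048 user bytes per sector

def both_endian(rec, off, width, what):
    """ISO9660 stores each number twice, little-endian then big-endian."""
    le = int.from_bytes(rec[off:off + width], "little")
    be = int.from_bytes(rec[off + width:off + 2 * width], "big")
    if le != be:  # halves disagree: corrupt or hand-edited record
        raise ValueError(f"{what}: LE {le:#x} != BE {be:#x}")
    return le

def parse_dir_record(buf, off=0):
    """Decode one ISO9660 directory record starting at buf[off]."""
    len_dr = buf[off]
    if len_dr < 34 or off + len_dr > len(buf):
        raise ValueError("record length out of range")
    rec = buf[off:off + len_dr]
    len_fi = rec[32]
    if len_fi == 0 or 33 + len_fi > len_dr:
        raise ValueError("file identifier overruns record")
    lba = both_endian(rec, 2, 4, "extent location")
    size = both_endian(rec, 10, 4, "data length")
    year, month, day, hour, minute, second = rec[18:24]
    return {
        "name": rec[33:33 + len_fi].decode("ascii"),
        "lba": lba,
        "size": size,
        "iso_offset": lba * SECTOR_SIZE,
        "sectors": -(-size // SECTOR_SIZE),  # ceiling division
        "timestamp": (1900 + year, month, day, hour, minute, second),
        "flags": rec[25],
        "volume_seq": both_endian(rec, 28, 2, "volume sequence number"),
    }

# Record bytes rebuilt from the ABS.TXT;1 listing in the first post.
SAMPLE_RECORD = bytes([
    42, 0,                                   # LEN_DR, ext. attribute length
    0x74, 0x3E, 0, 0,  0, 0, 0x3E, 0x74,     # LocExtent
    0x39, 0, 0, 0,  0, 0, 0, 0x39,           # DataLength
    93, 5, 10, 13, 19, 12, 0,                # date/time, time zone
    0, 0, 0,                                 # flags, unit size, gap
    1, 0, 0, 1,                              # volume sequence number
    9,                                       # LEN_FI
]) + b"ABS.TXT;1"

if __name__ == "__main__":
    for key, value in parse_dir_record(SAMPLE_RECORD).items():
        print(f"{key:>10}: {value}")
```
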

Post by segaloco » Wed Dec 22, 2010 3:13 pm

Thanks for the reply. I'm just gonna disassemble the entire head of the CD, just to see what all is in there. Then I'm gonna rip each file up separately. What I really gotta figure out is how to make it build a new CD, because you obviously can't use the same TOC with altered data, which, if this disassembly ends up getting used for hacks, will definitely happen.

Edit: Re-read that, I think I see what you mean now.

Post by TascoDLX » Thu Dec 23, 2010 3:47 am

Some games, like this one, are quite friendly, allowing you to simply provide a filename and have that file loaded where you want it. Some games will index their files in a separate table, bypassing the ISO directory entirely, so that files are referred to by number, not name. It varies.

You can probably get away with building an entirely new ISO if you want, so long as you don't break the file naming scheme. Of course, there are other concerns/limitations you'll have to look out for, but this particular disc appears to be pretty straightforward.

Post by segaloco » Thu Dec 23, 2010 3:14 pm

Ah, thanks for the info. What I'm thinking of for disassembly though is that, since there is a LOT of shared code between the level MMD files, I'll have a single art file that is incbin'd in every MMD source file so that way space is smaller and modifications are easier.
