BIOS disassembly

[KanedaFr]

Hi,

I was pretty sure the SegaCD bios was disassembled....but I'm unable to find it, only SegaLoco's premilary work...
Perhaps I made a mistake...

EDIT : I loaded a bios in IDA....I'm still stuck...
CD Bios is called throught a jsr $5F22
....I don't understand how
I thought the first 1M was the BIOS rom so a call to 5F22 mean a call the BIOS's 5F22.... but there is nothing (usefull) at 5F22....
So, it seems I'm missing how the BIOS is loaded/used.....

[Chilly Willy]

I did a little disassembly of the CD BIOS many years back, when virtually nothing was known of the CD. There's a text file on the SCD over at Eidolon's Inn with that as part of it. Most of the work was geared towards trying to figure out the gfx asic, not the CD itself.

[TascoDLX]

I thought the first 1M was the BIOS rom so a call to 5F22 mean a call the BIOS's 5F22.... but there is nothing (usefull) at 5F22....
So, it seems I'm missing how the BIOS is loaded/used.....

The subcpu bios occupies 000000 thru 0057FF and uses ram space at 005800 thru 005FFF for stack and variables including the jump table where the cd bios call resides. If you trace through the disassembly, you should be able to find where the jump table is written. At the very least, you can check it out using KMod -- I'm pretty sure you know

BTW (public service announcement), anyone wanting to disassemble the bios should have The Manual (of course) and CDBIOS.INC, if nothing else.

[Chilly Willy]

The BIOS ROM is on the MD side, not the CD side. It decompresses the CD BIOS into the Program RAM from the MD side and then starts the CD CPU. The CD BIOS is as Tasco says, in RAM; the CD hardware has the ability to write protect the region of RAM the BIOS is stored in so it can't be changed after being loaded... well, not unless you turn off the write protection. The manual tells you which register you need to do that.

[KanedaFr]

Thanks....

I was using the decompressed Sega CD 68k BIOS from Eidolon which must be the CD Bios without the jump table...
I loaded a game on KMod...I finally saw the jump table

(Based on MegaCD disk format doc)
So, the BIOS is on Genny Side
It uncompresses a CD Bios on SubCPU side at 0->0x57FF
It patches jump table at 0x5EE0 .....
The BIOS on screen is Bios or SubCPU bios running ?
When you start a game, it loads code at 0x0800 (or what is defined at 0x30) and run it while loading code from 0x1000 (or what ever is defined at 0x40)...
how does it run a code it is currently deleting ?!
when does it execute code at 0x200 ?
then run code at 0x6000
The BIOS on Genny side is never updated (?)
When you play CDA or CD+G, is it the SubBios works or Main Bios works ?



SO, if I want to mod the bios behavior, I have to
1/ find where in the BIOS is compress the CD Bios
2/ make my own CD Bios
3/ compress the CD Bios in the BIOS


I'm alright ?


ps: totally newb is CD part...and I must say the doc isn't that clear on what is run from Genny part, from SubCPU part and loaded from CD

[Chilly Willy]

The "BIOS" is a combination of code running on the MD from the BIOS ROM (at 0 to 128KB in MD space), and the BIOS decompressed and stored in the CD Program RAM at 0 to $5XXX. The code in the CD is nearly all just CD handling, so probably most of the BIOS you interact with is on the MD side, sending commands to do stuff to the CD side.

When you run a CD game, the "boot" for the CD side of the game is loaded into $6000; that code then does any other loading needed and sets up a handler to respond to the MD side. Some of the code from the CD is also copied to the MD side in work ram at $FF0100 (IIRC) and allows the MD side to set up its own communication handler with the CD side. It can then send requests to the CD for stuff like data.

You might look over the source code for Frog Feast:
http://frogfeast.rastersoft.net/SegaCDSrc.html

[TascoDLX]

I was using the decompressed Sega CD 68k BIOS from Eidolon which must be the CD Bios without the jump table...

The "decompressed" file at Eidolon's is a bit misleading. It is actually a memory snapshot after all parts of the bios have been loaded to subcpu prg-ram. It is a combination of 3 decompressed files:
- subcpu bios (starting at 000000)
- boot SP a.k.a. 'MAINBOOTUSR' (starting at 006000)
- pcm module used by boot SP (starting at 018000)

The boot SP runs in the same manner that a game's SP would. The maincpu program runs in rom space.

When you start a game, it loads code at 0x0800 (or what is defined at 0x30) and run it while loading code from 0x1000 (or what ever is defined at 0x40)...
how does it run a code it is currently deleting ?!
when does it execute code at 0x200 ?

The maincpu code (IP) is loaded from the disc starting at 0x200 (always) to maincpu work ram at FF0000 -- that is where it runs. The subcpu code (SP) is loaded from the disc offset specified at 0x40 to subcpu prg-ram at 006000. The SP header is described in The Manual (see Mega-CD Bios Manual, section 4-3).

[KanedaFr]

thanks, I see now....
The fig 3-3 at page 7 of mega cd disk format doc isn't clear about Main CPU & Sub CPU part.

Time to experiment

[KanedaFr]

Ok...I found the encoded CD Bios, default SP and PCM
I also find the uncompress method (need to understand it)....
but I also notice the bios makes a lot of test with 400xxx
If I understood, it is reading data from the Cartridge...
It's not the Backup RAM since it tests 400100 for 'SEGA', check the valid security code at 400200 (not the one we use...something which start by 43FA...) and jmp 400200 (so a 200 from cart)

so, I assume MegaCD is able to launch a specific cart....but which one ?
32X cart and (Pro) Action Replay aren't valid (wrong 'SEGA' and/or wrong security code)
a dev cart ?

(done with an european model 1 bios)

[Chilly Willy]

Oh, the commented Sub-CPU BIOS disassembly can be found here:
http://www.megadrive.org/~elbarto/md/sc ... SEGACD.ASM

[KanedaFr]

some thing strange...
the bios loads its pal from 0x7FB80...which is an invalid area, no ?

[Chilly Willy]

some thing strange...
the bios loads its pal from 0x7FB80...which is an invalid area, no ?

Not if it's the sub-cpu. That would be the top of program ram.

[TascoDLX]

The fig 3-3 at page 7 of mega cd disk format doc isn't clear about Main CPU & Sub CPU part.

That figure isn't clear about anything.

Ok...I found the encoded CD Bios, default SP and PCM
I also find the uncompress method (need to understand it)....

Note: they are encoded in the LZSS-variant compression known to the Sonic Retro crowd as "Kosinski", which is described there.

If I understood, it is reading data from the Cartridge...
It's not the Backup RAM since it tests 400100 for 'SEGA', check the valid security code at 400200 (not the one we use...something which start by 43FA...)

It's the same boot code found on every European MegaCD disc. I don't know which one you use.

Cart boot is described in the BIOS Manual but in no great detail. I'm not aware of it ever being used in a commercial product.

the bios loads its pal from 0x7FB80...which is an invalid area, no ?

You miscalculated. It's loaded from FFFB80.

[KanedaFr]

ohh... thanks for the link, it will be easier to comment the uncompress method

yes, I see some thing about a cart on the manual...it's why I ask if someone got more info...

I need to check but the US, JP or EU model 2 don't use a security code start by 43FA....so perhaps EU model 1....
I checked a lot of roms, special roms and even the 32XBios but I didn't think about MegaCD one!
EDIT : write too fast, I meant MegaCD game not bios

You miscalculated. It's loaded from FFFB80.

first I think it was....but I checked and saw I made a mistake...
so I was right at first ?!

Not if it's the sub-cpu. That would be the top of program ram.

nope, I'm on the main cpu.....

[Chilly Willy]

Not if it's the sub-cpu. That would be the top of program ram.

nope, I'm on the main cpu.....

Just making sure. You either miscalculated the address, or were on the wrong cpu. Seems it was the former, not the latter.