Disassembling Tennokoe Bank

hu, cd, scd, acd, supergrafx discussions.
Duchemole
Posts: 3
Joined: Tue Dec 23, 2014 8:50 am

Re: Disassembling Tennokoe Bank

Post by Duchemole » Thu Jan 01, 2015 10:47 pm

Wow, great job, thanks a lot !!
So they're in ROM ...
Good to know

MooZ
Site Admin
Posts: 386
Joined: Sun Jun 22, 2008 3:19 pm
Location: Lvl 3

Re: Disassembling Tennokoe Bank

Post by MooZ » Sat Aug 26, 2017 10:29 pm

I think I finally found it.
First let's start with $edea. This routine copies 8 bytes from $edf2 to $2755 in BSS RAM. $edf2 contains a dummy copy routine of $0800 bytes (which is the size of the BRAM).

edea:
    tii     $edf2, $2755, $0008
    rts
edf2:
    tii     $0000, $0000, $0800
    rts

Now take a look at $eeac. The A register holds the box index. $edfa is the box address table ($8000, $8800, $9000, $9800).

eeac:
    AND     #$03
    ASL     A
    TAX     
    
    INC     $260f           ; some kind of lock
    
    JSR     $edea           ; initialize memcpy ram code
    LDA     #$00
    STA     $2756
    LDA     #$38
    STA     $2757           ; the source will be $3800
    LDA     $edfa, X
    STA     $2758
    STA     <$0b
    LDA     $edfb, X        ; its destination (box address)
    STA     $2759
    STA     <$0c            ; zp pointer $0c will be used by $eef4 to 
                            ; verify if the box content was successfully written.
    
    JSR     $e686           ; "bind" box
    
    JSR     $2755           ; copy data from $3800 to box
    
    JSR     $e6ce           ; "unbind" box
    
    LDA     #$00
    STA     <$09
    LDA     #$38
    STA     <$0a
    STZ     <$0d
    LDA     #$08
    STA     <$0e
    
    JSR     $e686           ; "bind" box
    
    JSR     $eef4           ; compare the content of the box with $3800
    
    JSR     $e6ce           ; "unbind" box
    
    DEC     $260f           ; "release" lock
    RTS
    
The most intriguing routines are $e686 and $e6ce. The weirdest parts are the "bind" and "unbind" sequences. Without these, the storage area for the boxes is unreachable. It looks like the small sequence that needs to be written to $1807 before accessing the BRAM. This also explains why, when dumped, the area $80000 (rom bank $40) is empty (filled with $ff).

e686:
    SEI                     ; disable interrupts
    TMA     #$04
    STA     $2710           ; backup mpr#4
    LDA     #$68
    TAM     #$04            ; map page #$68 to mpr #4
    STA     $8000           ; write #$68 to $8000
    LDA     #$78
    TAM     #$04            ; map page #$78 to mpr #4
    LDA     #$73
    STZ     $8000
    STA     $8000
    STA     $8000
    STA     $8000           ; write the sequence #$00,#$73,#$73,#$73 to $8000
    LDA     #$40
    TAM     #$04            ; map page #$40 to mpr #4
    RTS     

e6ce:
    LDA     #$68
    TAM     #$04            ; map page #$68 to mpr #4
    STA     $8000           ; write #$68 to $8000

    LDA     #$78
    TAM     #$04            ; map page #$78 to mpr #4
    STZ     $8000           ; write #$00 to $8000

    LDA     #$60
    TAM     #$04            ; map page #$60 to mpr #4
    STA     $8000           ; write #$60 to $8000

    LDA     $2710
    TAM     #$04            ; restore mpr#4
    CLI                     ; enable interrupts
    RTS     

MooZ
Site Admin
Posts: 386
Joined: Sun Jun 22, 2008 3:19 pm
Location: Lvl 3

Re: Disassembling Tennokoe Bank

Post by MooZ » Sun Aug 27, 2017 12:13 pm

Here's a little recap.
If you want to dump the content of the tennokoe bank boxes, you first have to issue this "bind" sequence:

write( byte=0x68, addr=0xD0000 )
write( byte=0x00, addr=0xF0000 )
write( byte=0x73, addr=0xF0000 )
write( byte=0x73, addr=0xF0000 )
write( byte=0x73, addr=0xF0000 )

You can now read (or write) box #1 at 0x80000, box #2 at 0x80800, box #3 at 0x801000 and box #4 at 0x801800.

When you are done, the "unbind" sequence is:

write( byte=0x68, addr=0xD0000 )
write( byte=0x00, addr=0xF0000 )
write( byte=0x60, addr=0xC0000 )
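
The recap above, as an added example that is not part of the original posts: a small Python model of the bind/unbind gate, of the kind an emulator or a dumper test harness would need. The write sequences and addresses come from the thread; the class and function names, the exact-sequence matching, and placing box n at 0x80000 + n * 0x800 (from the $8000/$8800/$9000/$9800 table with page $40 mapped) are assumptions.

```python
# Added example: software model of the Tennokoe Bank bind/unbind gate.
# Sequences are from the thread; the matching rules are an assumption.
BIND = [(0xD0000, 0x68), (0xF0000, 0x00),
        (0xF0000, 0x73), (0xF0000, 0x73), (0xF0000, 0x73)]
UNBIND = [(0xD0000, 0x68), (0xF0000, 0x00), (0xC0000, 0x60)]
BOX_BASE, BOX_SIZE, BOX_COUNT = 0x80000, 0x800, 4  # box layout: assumption


class TennokoeBankModel:
    def __init__(self):
        self.storage = bytearray(BOX_SIZE * BOX_COUNT)
        self.bound = False
        self.history = []  # most recent control writes as (addr, byte)

    def _in_storage(self, addr):
        return BOX_BASE <= addr < BOX_BASE + len(self.storage)

    def write(self, byte, addr):
        if self._in_storage(addr):
            if self.bound:  # writes are dropped while the boxes are unbound
                self.storage[addr - BOX_BASE] = byte
            return
        # Any other write is treated as a control write and matched
        # against the tail of the recent write history.
        self.history = (self.history + [(addr, byte)])[-len(BIND):]
        if self.history[-len(BIND):] == BIND:
            self.bound = True
        elif self.history[-len(UNBIND):] == UNBIND:
            self.bound = False

    def read(self, addr):
        # Unbound (or unmapped) reads return $ff, like the empty dump.
        if self.bound and self._in_storage(addr):
            return self.storage[addr - BOX_BASE]
        return 0xFF


def send(card, sequence):
    for addr, byte in sequence:
        card.write(byte=byte, addr=addr)


def dump_box(card, index):
    """Bind, read one $0800-byte box, and always unbind afterwards."""
    send(card, BIND)
    try:
        base = BOX_BASE + index * BOX_SIZE
        return bytes(card.read(base + i) for i in range(BOX_SIZE))
    finally:
        send(card, UNBIND)
```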
