Page 2 of 2

Re: Disassembling Tennokoe Bank

Posted: Thu Jan 01, 2015 10:47 pm
by Duchemole
Wow, great job, thanks a lot!!
So they're in ROM ...
Good to know

Re: Disassembling Tennokoe Bank

Posted: Sat Aug 26, 2017 10:29 pm
by MooZ
I think I finally found it.
First let's start with $edea. This routine copies 8 bytes from $edf2 to $2755 in BSS RAM. $edf2 contains a dummy copy routine of $0800 bytes (which is the size of the BRAM).

Code:

edea:
    tii     $edf2, $2755, $0008     ; copy the 8-byte stub below into RAM at $2755
    rts
edf2:
    tii     $0000, $0000, $0800     ; template: source/destination get patched in RAM before the call
    rts
Now take a look at $eeac. The A register holds the box index. $edfa is the box address table ($8000, $8800, $9000, $9800).

Code:

eeac:
    AND     #$03            ; box index 0..3
    ASL     A               ; *2: word index into the box address table
    TAX     
    
    INC     $260f           ; some kind of lock
    
    JSR     $edea           ; initialize memcpy ram code
    LDA     #$00
    STA     $2756
    LDA     #$38
    STA     $2757           ; the source will be $3800
    LDA     $edfa, X
    STA     $2758
    STA     <$0b
    LDA     $edfb, X        ; its destination (box address)
    STA     $2759
    STA     <$0c            ; zp pointer $0c will be used by $eef4 to 
                            ; verify if the box content was successfully written.
    
    JSR     $e686           ; "bind" box
    
    JSR     $2755           ; copy data from $3800 to box
    
    JSR     $e6ce           ; "unbind" box
    
    LDA     #$00
    STA     <$09
    LDA     #$38
    STA     <$0a            ; zp pointer $09/$0a = $3800 (reference copy)
    STZ     <$0d
    LDA     #$08
    STA     <$0e            ; zp $0d/$0e = $0800 (number of bytes to compare)
    
    JSR     $e686           ; "bind" box
    
    JSR     $eef4           ; compare the content of the box with $3800
    
    JSR     $e6ce           ; "unbind" box
    
    DEC     $260f           ; "release" lock
    RTS
    
The most intriguing routines are $e686 and $e6ce. The weirdest parts are the "bind" and "unbind" sequences. Without these the storage area for the boxes is unreachable. It looks like the small sequence that needs to be written to $1807 before accessing the BRAM. This also explains why, when dumped, the area $80000 (rom bank $40) is empty (filled with $ff).

Code:

e686:
    SEI                     ; disable interrupts
    TMA     #$04
    STA     $2710           ; backup mpr#4
    LDA     #$68
    TAM     #$04            ; map page #$68 to mpr #4
    STA     $8000           ; write #$68 to $8000
    LDA     #$78
    TAM     #$04            ; map page #$78 to mpr #4
    LDA     #$73
    STZ     $8000
    STA     $8000
    STA     $8000
    STA     $8000           ; write the sequence #$00,#$73,#$73,#$73 to $8000
    LDA     #$40
    TAM     #$04            ; map page #$40 to mpr #4
    RTS     

Code:

e6ce:
    LDA     #$68
    TAM     #$04            ; map page #$68 to mpr #4
    STA     $8000           ; write #$68 to $8000

    LDA     #$78
    TAM     #$04            ; map page #$78 to mpr #4
    STZ     $8000           ; write #$00 to $8000

    LDA     #$60
    TAM     #$04            ; map page #$60 to mpr #4
    STA     $8000           ; write #$60 to $8000

    LDA     $2710
    TAM     #$04            ; restore mpr#4
    CLI                     ; enable interrupts
    RTS     

Re: Disassembling Tennokoe Bank

Posted: Sun Aug 27, 2017 12:13 pm
by MooZ
Here's a little recap.
If you want to dump the content of the tennokoe bank boxes, you first have to issue this "bind" sequence:

Code:

write( byte=0x68, addr=0xD0000 )
write( byte=0x00, addr=0xF0000 )
write( byte=0x73, addr=0xF0000 )
write( byte=0x73, addr=0xF0000 )
write( byte=0x73, addr=0xF0000 )
You can now read (or write) box #1 at 0x80000, box #2 at 0x80800, box #3 at 0x81000 and box #4 at 0x81800.

When you are done the "unbind" sequence is:

Code:

write( byte=0x68, addr=0xD0000 )
write( byte=0x00, addr=0xF0000 )
write( byte=0x60, addr=0xC0000 )
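As an added example (not code from the thread or from MooZ), here is the bind/unbind protocol and box layout from the two posts above, written in Python over an abstract write(byte, addr)/read(addr) cartridge bus, together with a constructed simulated cartridge to run it against. The HuC6280 page-to-physical mapping (page × 0x2000 plus the offset from $8000 for mpr #4) is what turns the TAM/STA pairs in $e686 into the physical addresses of the recap, and the `store_box` routine follows the shape of $eeac (bind, copy, unbind, bind again, verify, unbind). The simulated cartridge's unlock logic is an assumption made for the example only; the thread does not document how the real hardware decodes the sequence, only the sequence that works.

```python
# Added example, not code from the thread: MooZ's "bind"/"unbind" sequences and
# the box layout expressed over a cartridge-bus write(byte, addr)/read(addr)
# interface, plus a constructed software model of the cartridge to run them
# against. The model's unlock logic is an assumption made for this example.

PAGE_SIZE = 0x2000      # HuC6280 MPR pages are 8 KiB
MPR4_BASE = 0x8000      # mpr #4 covers CPU addresses $8000-$9FFF
BOX_BANK = 0x40         # ROM bank holding the boxes (CPU page $40)
BOX_SIZE = 0x0800       # one box = 2 KiB, the size of the BRAM
BOX_COUNT = 4


def cpu_to_physical(page, cpu_addr):
    """Physical cart-bus address of a CPU access through mpr #4 mapped to `page`.
    This is how 'LDA #$68 ; TAM #$04 ; STA $8000' becomes write(0x68 -> 0xD0000)."""
    return page * PAGE_SIZE + (cpu_addr - MPR4_BASE)


CTRL_68 = cpu_to_physical(0x68, 0x8000)   # 0xD0000
CTRL_78 = cpu_to_physical(0x78, 0x8000)   # 0xF0000
CTRL_60 = cpu_to_physical(0x60, 0x8000)   # 0xC0000

# (byte, addr) pairs exactly as listed in the recap post.
BIND_SEQUENCE = ((0x68, CTRL_68), (0x00, CTRL_78),
                 (0x73, CTRL_78), (0x73, CTRL_78), (0x73, CTRL_78))
UNBIND_SEQUENCE = ((0x68, CTRL_68), (0x00, CTRL_78), (0x60, CTRL_60))


def box_address(index):
    """Box #1 is at 0x80000, #2 at 0x80800, ... (index is 0-based)."""
    return cpu_to_physical(BOX_BANK, MPR4_BASE + index * BOX_SIZE)


class SimulatedTennokoeBank:
    """Constructed stand-in for the cartridge (assumption, not the real part):
    box RAM is exposed only while 'bound'. Each control-area write is matched
    against the tail of the recent control writes; the exact bind tail unlocks,
    the exact unbind tail locks. Unbound reads of the box area return 0xFF,
    which is what the empty-looking dump of bank $40 in the thread shows."""

    def __init__(self, boxes):
        self.boxes = [bytearray(b) for b in boxes]
        self.bound = False
        self.ctrl_history = []

    def _box_for(self, addr):
        base = box_address(0)
        if self.bound and base <= addr < base + BOX_COUNT * BOX_SIZE:
            off = addr - base
            return self.boxes[off // BOX_SIZE], off % BOX_SIZE
        return None

    def write(self, byte, addr):
        hit = self._box_for(addr)
        if hit is not None:
            hit[0][hit[1]] = byte
            return
        self.ctrl_history.append((byte, addr))
        if tuple(self.ctrl_history[-len(BIND_SEQUENCE):]) == BIND_SEQUENCE:
            self.bound = True
        elif tuple(self.ctrl_history[-len(UNBIND_SEQUENCE):]) == UNBIND_SEQUENCE:
            self.bound = False

    def read(self, addr):
        hit = self._box_for(addr)
        return hit[0][hit[1]] if hit is not None else 0xFF


def bind(cart):
    for byte, addr in BIND_SEQUENCE:
        cart.write(byte, addr)


def unbind(cart):
    for byte, addr in UNBIND_SEQUENCE:
        cart.write(byte, addr)


def dump_boxes(cart):
    """Bind, read all four boxes, unbind: what a cart dumper has to do."""
    bind(cart)
    try:
        return [bytes(cart.read(box_address(i) + k) for k in range(BOX_SIZE))
                for i in range(BOX_COUNT)]
    finally:
        unbind(cart)


def store_box(cart, index, data):
    """Same shape as $eeac: bind, copy, unbind, then bind again and verify the
    box reads back what was written (as $eef4 does). Returns True on a match."""
    if len(data) != BOX_SIZE:
        raise ValueError("a box holds exactly $0800 bytes")
    base = box_address(index & 0x03)        # AND #$03: only four boxes exist
    bind(cart)
    for k, byte in enumerate(data):
        cart.write(byte, base + k)
    unbind(cart)
    bind(cart)
    ok = all(cart.read(base + k) == byte for k, byte in enumerate(data))
    unbind(cart)
    return ok


# Constructed sample contents (not a real dump): box n filled with 0x11 * n.
SAMPLE_BOXES = [bytes([0x11 * (i + 1)]) * BOX_SIZE for i in range(BOX_COUNT)]

if __name__ == "__main__":
    cart = SimulatedTennokoeBank(SAMPLE_BOXES)
    print("unbound read:", hex(cart.read(box_address(0))))
    print("dump ok:", dump_boxes(cart) == SAMPLE_BOXES)
```

Against real hardware the two `write`/`read` calls would be the cart reader's bus routines; everything else stays the same, and the read-back check in `store_box` is the part worth keeping, since a box written while the sequence was not accepted reads back as 0xFF rather than failing loudly.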

Re: Disassembling Tennokoe Bank

Posted: Tue Sep 13, 2022 4:37 pm
by MooZ
I noticed that the Sanni Cart Reader (https://github.com/sanni/cartreader) can dump the Tennokoe Bank "boxes" (see here).

I need to check why the last 2 writes of lock_tennokoe_bank_RAM (it's what I called "unbind") are at 0x0F0001 and 0x0C0001 instead of 0x0F0000 and 0x0C0000.