Wow, great job, thanks a lot!!
So they're in ROM ...
Good to know
Disassembling Tennokoe Bank
Re: Disassembling Tennokoe Bank
I think I finally found it.
First let's start with $edea. This routine copies 8 bytes from $edf2 to $2755 in BSS RAM. $edf2 contains a dummy copy routine of $0800 bytes (which is the size of the BRAM).
Now take a look at $eeac. The A register holds the box index. $edfa is the box address table ($8000, $8800, $9000, $9800).
The most intriguing routines are $e686 and $e6ce. The weirdest parts are the "bind" and "unbind" sequences. Without these the storage area for the boxes is unreachable. It looks like the small sequence that needs to be written to $1807 before accessing the BRAM. This also explains why, when dumped, the area $80000 (rom bank $40) is empty (filled with $ff).
Code:
edea:
TII $edf2, $2755, $0008 ; install the 8-byte copy stub below at $2755
RTS
edf2:
TII $0000, $0000, $0800 ; template: source/destination get patched by $eeac
RTS
Code:
eeac:
AND #$03
ASL A
TAX
INC $260f ; some kind of lock
JSR $edea ; initialize memcpy ram code
LDA #$00
STA $2756
LDA #$38
STA $2757 ; the source will be $3800
LDA $edfa, X
STA $2758
STA <$0b
LDA $edfb, X ; its destination (box address)
STA $2759
STA <$0c ; zp pointer $0c will be used by $eef4 to
; verify if the box content was successfully written.
JSR $e686 ; "bind" box
JSR $2755 ; copy data from $3800 to box
JSR $e6ce ; "unbind" box
LDA #$00
STA <$09
LDA #$38
STA <$0a
STZ <$0d
LDA #$08
STA <$0e
JSR $e686 ; "bind" box
JSR $eef4 ; compare the content of the box with $3800
JSR $e6ce ; "unbind" box
DEC $260f ; "release" lock
RTS
Code:
e686:
SEI ; disable interrupts
TMA #$04
STA $2710 ; backup mpr#4
LDA #$68
TAM #$04 ; map page #$68 to mpr #4
STA $8000 ; write #$68 to $8000
LDA #$78
TAM #$04 ; map page #$78 to mpr #4
LDA #$73
STZ $8000
STA $8000
STA $8000
STA $8000 ; write the sequence #$00,#$73,#$73,#$73 to $8000
LDA #$40
TAM #$04 ; map page #$40 to mpr #4
RTS
Code:
e6ce:
LDA #$68
TAM #$04 ; map page #$68 to mpr #4
STA $8000 ; write #$68 to $8000
LDA #$78
TAM #$04 ; map page #$78 to mpr #4
STZ $8000 ; write #$00 to $8000
LDA #$60
TAM #$04 ; map page #$60 to mpr #4
STA $8000 ; write #$60 to $8000
LDA $2710
TAM #$04 ; restore mpr#4
CLI ; enable interrupts
RTS
Re: Disassembling Tennokoe Bank
Here's a little recap.
If you want to dump the content of the tennokoe bank boxes, you first have to issue this "bind" sequence:
Code:
write( byte=0x68, addr=0xD0000 )
write( byte=0x00, addr=0xF0000 )
write( byte=0x73, addr=0xF0000 )
write( byte=0x73, addr=0xF0000 )
write( byte=0x73, addr=0xF0000 )
You can now read (or write) box #1 at 0x80000, box #2 at 0x80800, box #3 at 0x801000 and box #4 at 0x801800.
When you are done the "unbind" sequence is:
Code:
write( byte=0x68, addr=0xD0000 )
write( byte=0x00, addr=0xF0000 )
write( byte=0x60, addr=0xC0000 )
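The following is an added example written for this page (it is not code from the thread, the game, or the cart reader project). It models just enough of the HuC6280 MPR banking to check, by executing them, that the TAM/STA pairs in the $e686 and $e6ce listings of the earlier post produce exactly the physical write lists given in the recap above, that page $40 in MPR#4 puts the four entries of the $edfa table at consecutive 0x800-byte physical addresses, and that the 8 bytes $eeac patches at $2755 form a "TII src,dst,len / RTS" stub. The MMU class, the function names, the starting value of MPR#4 and the 8-byte stub layout are the example's own assumptions; the constants come from the listings.

```python
# Added example (editor's, not code from the thread): a small model of the
# HuC6280 MPR banking, used to check that the TAM/STA pairs in the $e686/$e6ce
# disassembly produce exactly the physical write lists given in the recap, and
# that the 8-byte stub built by $edea/$eeac is a patched "TII src,dst,len / RTS".
# Only the MMU arithmetic is modelled; what the cartridge does with the writes is not.

PAGE_SIZE = 0x2000          # one MPR slot maps one 8 KiB page into the 21-bit bus
TII_OPCODE = 0x73           # HuC6280 block transfer, increment source and destination
RTS_OPCODE = 0x60
# Box address table at $edfa (stored as little-endian words in ROM).
BOX_TABLE = (0x8000, 0x8800, 0x9000, 0x9800)


class Huc6280Mmu:
    """Eight 8 KiB slots; translates a logical address to a physical one."""

    def __init__(self, mpr4=0x04):      # 0x04 is an arbitrary, constructed starting bank
        self.mpr = [0] * 8
        self.mpr[4] = mpr4
        self.writes = []                # (physical address, byte) for every STA/STZ

    def tam(self, slot, page):
        self.mpr[slot] = page & 0xFF

    def tma(self, slot):
        return self.mpr[slot]

    def physical(self, logical):
        return self.mpr[(logical >> 13) & 7] * PAGE_SIZE | (logical & 0x1FFF)

    def sta(self, logical, byte):
        self.writes.append((self.physical(logical), byte & 0xFF))


def bind(mmu):
    """$e686 transcribed; returns the saved MPR#4 (kept at $2710 in the original)."""
    saved = mmu.tma(4)          # TMA #$04 / STA $2710
    mmu.tam(4, 0x68)            # LDA #$68 / TAM #$04
    mmu.sta(0x8000, 0x68)       # STA $8000
    mmu.tam(4, 0x78)            # LDA #$78 / TAM #$04
    mmu.sta(0x8000, 0x00)       # STZ $8000
    for _ in range(3):          # LDA #$73, then STA $8000 three times
        mmu.sta(0x8000, 0x73)
    mmu.tam(4, 0x40)            # LDA #$40 / TAM #$04: boxes now visible at $8000-$9fff
    return saved


def unbind(mmu, saved):
    """$e6ce transcribed."""
    mmu.tam(4, 0x68)
    mmu.sta(0x8000, 0x68)
    mmu.tam(4, 0x78)
    mmu.sta(0x8000, 0x00)
    mmu.tam(4, 0x60)
    mmu.sta(0x8000, 0x60)
    mmu.tam(4, saved)           # LDA $2710 / TAM #$04


def bind_writes():
    mmu = Huc6280Mmu()
    bind(mmu)
    return mmu.writes


def unbind_writes():
    """Returns the unbind write list and the MPR#4 value left afterwards."""
    mmu = Huc6280Mmu()
    saved = bind(mmu)
    mmu.writes.clear()
    unbind(mmu, saved)
    return mmu.writes, mmu.tma(4)


def box_physical_addresses():
    """Where each $edfa entry lands once page $40 is in MPR#4."""
    mmu = Huc6280Mmu()
    bind(mmu)
    return [mmu.physical(a) for a in BOX_TABLE]


def build_copy_stub(box_index):
    """The 8 bytes $eeac leaves at $2755: the $edf2 template with its operands patched."""
    # tii $0000,$0000,$0800 / rts, as copied by $edea (layout assumed from the listing)
    stub = bytearray([TII_OPCODE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, RTS_OPCODE])
    dst = BOX_TABLE[box_index & 3]              # AND #$03 / ASL A / TAX, LDA $edfa,X / $edfb,X
    stub[1], stub[2] = 0x00, 0x38               # STA $2756 / STA $2757: source $3800
    stub[3], stub[4] = dst & 0xFF, dst >> 8     # STA $2758 / STA $2759: destination box
    return bytes(stub)


if __name__ == "__main__":
    for phys, val in bind_writes():
        print(f"bind:   write( byte=0x{val:02X}, addr=0x{phys:X} )")
    for phys, val in unbind_writes()[0]:
        print(f"unbind: write( byte=0x{val:02X}, addr=0x{phys:X} )")
    print("boxes at", [hex(a) for a in box_physical_addresses()])
    print("stub for box 2:", build_copy_stub(2).hex(" "))
```

Running it prints the same five bind writes and three unbind writes as the recap, and shows that the only thing the page number in TAM changes is the upper bits of the physical address: $8000 with page $68, $78, $60 and $40 in MPR#4 is 0xD0000, 0xF0000, 0xC0000 and 0x80000 respectively, which is why a plain ROM dump of bank $40 looks empty until the bind writes have been issued.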
Re: Disassembling Tennokoe Bank
I noticed that the Sanni Cart Reader (https://github.com/sanni/cartreader) can dump the Tennokoe Bank "boxes" (see here).
I need to check why the last 2 writes of lock_tennokoe_bank_RAM (it's what I called "unbind") are at 0x0F0001 and 0x0C0001 instead of 0x0F0000 and 0x0C0000.