Threaded Mode | Linear Mode

Tugdual · (This post was last modified: 02-22-2015 07:26 PM by Tugdual.)

Using IDA you rapidly accumulate a lot legit 6502 fragments and it doesn't even look like it was compiled from C which I found surprising.
The difficulty is the ROM paging to know how to segment the file and detect ROM changes. There is a specific BANK register address (apparently $0000) where you select a segment and then it would map 2 blocks of 16kB respectively in $4000 and $8000.

I suspect that the ROM organization should be pretty much the same as for the 48g with basically a library by segment (I'm not an expert on 48g).

You can find SPLB31A datasheets here
There is a test ROM located in $C000-$C7FF (not sure if it is the something built in the processor) and then you can have another range from $C800-$FFFF for a custom ROM.
So this is a 16kB area.

If you open the 35s.sml file with a text editor, you find the settings of the emulator at the beginning of the file:

Code:

;==============================================================================

;                     SPLB31A.

;==============================================================================

[SPLB31A_MEMORYMAP]

REG_ADDR_START     =0x0000

REG_ADDR_END    =0x003F

RAM_ADDR_START    =0x0040

RAM_ADDR_END    =0x10FF

LCD_ADDR_START    =0x3E00

LCD_ADDR_END    =0x3FFF

BANK_ADDR_START =0x4000

BANK_ADDR_END     =0xBFFF

ROM_ADDRESS_START=0xC000

ROM_ADDRESS_END    =0xFFFF

MAX_ADDRESS_SPACE=0x10000

MAX_BANK_NUM    =8

[SPLB31A_IOPort]

Number=6

[SPLB31A_IOItem0]

Name=PortA

Address=0x08

Input  = 0xFF

Output = 0xFF

[SPLB31A_IOItem1]

Name=PortB

Address=0x0A

Input  = 0xFF

Output = 0xFF

[SPLB31A_IOItem2]

Name=PortC

Address=0x0B

Input  = 0xFF

Output = 0xFF

[SPLB31A_IOItem3]

Name=PortD

Address=0x09

Input  = 0x3F

Output = 0x3F

[SPLB31A_IOItem4]

Name=Keyscan1

Address=0x3B

Input  = 0x00

Output = 0xFF

[SPLB31A_IOItem5]

Name=Keyscan2

Address=0x3C

Input  = 0x00

Output = 0xFF

[SPLB31A_LCDSetting]

BaseAddress=0x3E00

SegmentNum=74

CommNum=32

Interval=16

bMinToMax=1

bVert=0

bMirror=1

ENDADDRESS=0x3FFF

[SPLB31A_BUSMEMORYINTERFACE]

BODYNAME    =SPLB01A

DLL        =BusMemoryInterface.DLL

BODYMAXSIZE    =7

BODYINFO    =SPLB30A_BUSMEMORYINTERFACE_BODY

ADDRESS_MAP    =SPLB30A_BUSMEMORYINTERFACE_ADDRESS_MAP

CONDITON    =SPLB30A_BUSMEMORYINTERFACE_COND

NOT_CONDITON    =SPLB30A_BUSMEMORYINTERFACE_NOT_COND

DVP        =OFF

DVP_RAM        =SPLB30A_BUSMEMORYINTERFACE_BODY_DVP_RAM

DVP_ROM        =SPLB30A_BUSMEMORYINTERFACE_BODY_DVP_ROM

BUSEXT_INTERFACE_COND=0x09

So with 8 banks (max) of 32K and 16K for the fixed ROM we're looking for a block of 272kB (278528 bytes) inside 35s.sml.
Now how is that organized? My best guess would be:

Code:

$C000 - $FFFF

BANK0-H -> remap to $8000

BANK0-L -> remap to $4000

BANK1-H -> remap to $8000

BANK1-L -> remap to $4000

...

BANK8-H -> remap to $8000

BANK8-L -> remap to $4000

That's all I know at the moment.
I wonder where the code is cold booting, possibly $C000, I wonder what registers are and how they work.