Help with Code disassembly
#174528 - 12/20/08 08:13 AM
Could someone please help me with understanding code disassembly? More specifically, why are there differences between disassembled code and what's in the debug window?
I have been wrestling with the Gunsmoke (U.S. Set 1) ROMs. Here is what I did and what I am seeing.
First, I combined the three program ROMs:
copy /b 9n_gs03.bin + 10n_gs04.bin + 12n_gs05.bin gscombined.bin
Then I disassembled gscombined.bin
The following routine is OK:
0159: ld a,($C003)    ; -- Read dipswitch 1
015C: and $80
015E: jp nz,$016C     ; -- Check for service mode - Jump if not in service
0161: ld a,$0C
0163: ld ($C804),a
0166: ld ($E285),a
0169: jp $8000        ; -- Jump to service mode routines
Ok, now here's where things are different. In my disassembled code, the start of the service mode routines looks like this:
8000 ld hl,$81ea
8003 ld de,$f780
8006 ld iy,$f780
800a call $0300
800d call $06c3
8010 call $0657
8013 ret
However, the dump from the debugger shows this code:
8000: ld sp,$E840
8003: di
8004: call $04C5
8007: ld hl,$865C
800A: call $03AF
800D: ld d,$FF
800F: ld hl,$E000
8012: ld bc,$2000
8015: ld (hl),d
8016: inc hl
8017: dec bc
8018: ld a,b
8019: or c
801A: jr nz,$8015
I must not be disassembling the roms properly. What am I doing wrong?
Thanks
Re: Help with Code disassembly
[Re: 60dBm]
#174531 - 12/20/08 11:43 AM
Banking? ROM loading addresses? Are you sure you're looking at the right place in your disassembly?
Re: Help with Code disassembly
[Re: Vas Crabb]
#174535 - 12/20/08 02:23 PM
Thanks for the reply.
From the driver:
static ADDRESS_MAP_START( gunsmoke_map, ADDRESS_SPACE_PROGRAM, 8 )
	AM_RANGE(0x0000, 0x7fff) AM_ROM
	AM_RANGE(0x8000, 0xbfff) AM_ROMBANK(1)
	AM_RANGE(0xc804, 0xc804) AM_WRITE(gunsmoke_c804_w)	// ROM bank switch, screen flip
and
ROM_START( gunsmoku )
ROM_REGION( 0x20000, "main", 0 )
ROM_LOAD( "9n_gs03.bin", 0x00000, 0x8000, CRC(592f211b) SHA1(8de44b3cafa3d2ce9aba515cf3ec4bac0bcdeb5b) ) /* Code 0000-7fff */
ROM_LOAD( "10n_gs04.bin", 0x10000, 0x8000, CRC(8d4b423f) SHA1(149274c2ed1526ca1f419fdf8a24059ff138f7f2) ) /* Paged code */
ROM_LOAD( "12n_gs05.bin", 0x18000, 0x8000, CRC(2b5667fb) SHA1(5b689bca1e76d803b4cae22feaa7744fa528e93f) ) /* Paged code */
ROM_LOAD 9n_gs03.bin is straightforward.
Why do ROM_LOAD gs04 and gs05 appear to be loaded 'backwards' into memory? i.e. 0x10000, 0x8000 and 0x18000, 0x8000.
Please help me understand what's going on here. From what I understand about ROM banking, banking is fooling the CPU into executing two separate programs as a single program. Is this what is happening here?
How can the code be disassembled correctly?
Thanks for your time.
Re: Help with Code disassembly
[Re: 60dBm]
#174538 - 12/20/08 03:11 PM
The first number is the address to load at, the second number is the size to load:
9n_gs03.bin:  load 0x8000 bytes starting at address 0x0000
10n_gs04.bin: load 0x8000 bytes starting at address 0x10000
12n_gs05.bin: load 0x8000 bytes starting at address 0x18000
(Note the "hole" of 0x8000 bytes starting at address 0x8000.)
To see how banking is set up, look in video/gunsmoke.c at line 137 (at least that's the line number in 0.128u3 - it may have changed). There are four banks starting from 0x10000 with a stride of 0x4000. So depending on which bank is selected, the code seen by the machine at 0x8000 may come from one of four places: 0x10000, 0x14000, 0x18000 or 0x1C000.
Since you don't have the "hole" in your concatenated ROM file, these will be 0x8000, 0xC000, 0x10000 or 0x14000. See if you can find the code you seek at one of these locations.
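The address arithmetic in the reply above, worked through as an added example (this is not code from the thread, from MAME, or from the Gunsmoke driver). The ROM_LOAD layout and the bank geometry (four 0x4000-byte banks from 0x10000, visible to the Z80 at $8000-$BFFF) are taken from the posts; the decode of the byte written to $C804 as "bits 2-3 select the bank" is an assumption of this example, chosen because it makes `ld a,$0C` select the bank that lands at 0xC000 of a gs04+gs05 concatenation. The ROM images are constructed marker bytes, not the real game data.

```python
# Added example (not from the thread or from MAME): translate a banked Z80
# address in MAME's Gunsmoke "main" region into the offset of the same byte in
# the ROM files, both in MAME's padded region and in a hole-less concatenation
# such as one built with `copy /b`.

ROM_LAYOUT = [  # (file, load address in region, size) as in ROM_START( gunsmoku )
    ("9n_gs03.bin", 0x00000, 0x8000),
    ("10n_gs04.bin", 0x10000, 0x8000),
    ("12n_gs05.bin", 0x18000, 0x8000),
]
REGION_SIZE = 0x20000
BANK_WINDOW = 0x8000          # AM_RANGE(0x8000, 0xbfff) AM_ROMBANK(1)
BANK_WINDOW_SIZE = 0x4000
BANK_BASE = 0x10000           # four banks from 0x10000, stride 0x4000
BANK_STRIDE = 0x4000
BANK_COUNT = 4

_LAYOUT = {name: (load_at, size) for name, load_at, size in ROM_LAYOUT}


def bank_from_c804(value: int) -> int:
    """Bank selected by a write to $C804. ASSUMPTION: bits 2-3 hold the bank."""
    return (value >> 2) & (BANK_COUNT - 1)


def region_offset(cpu_addr: int, bank: int) -> int:
    """Offset in MAME's 0x20000-byte region that the Z80 sees at cpu_addr."""
    if not 0 <= bank < BANK_COUNT:
        raise ValueError(f"bank {bank} out of range")
    if 0 <= cpu_addr < BANK_WINDOW:
        return cpu_addr                      # fixed code from 9n_gs03.bin
    if BANK_WINDOW <= cpu_addr < BANK_WINDOW + BANK_WINDOW_SIZE:
        return BANK_BASE + bank * BANK_STRIDE + (cpu_addr - BANK_WINDOW)
    raise ValueError(f"{cpu_addr:#06x} is not ROM in this address map")


def locate(region_off: int):
    """(file, offset inside that file) for a region offset, or None in the hole."""
    for name, load_at, size in ROM_LAYOUT:
        if load_at <= region_off < load_at + size:
            return name, region_off - load_at
    return None


def holeless_offset(region_off: int, file_order) -> int:
    """Offset of the same byte in a plain concatenation of file_order (no padding)."""
    acc = 0
    for name in file_order:
        load_at, size = _LAYOUT[name]
        if load_at <= region_off < load_at + size:
            return acc + (region_off - load_at)
        acc += size
    raise ValueError(f"region offset {region_off:#07x} is not in {list(file_order)}")


def build_region(images: dict, fill: int = 0xFF) -> bytes:
    """Assemble the region the way ROM_LOAD does, padding the unloaded hole."""
    region = bytearray([fill]) * REGION_SIZE
    for name, load_at, size in ROM_LAYOUT:
        data = images[name]
        if len(data) != size:
            raise ValueError(f"{name}: expected {size:#x} bytes, got {len(data):#x}")
        region[load_at:load_at + size] = data
    return bytes(region)


def read_banked(region: bytes, cpu_addr: int, bank: int) -> int:
    """One byte as the CPU would fetch it with the given bank selected."""
    return region[region_offset(cpu_addr, bank)]


def sample_images() -> dict:
    """Constructed stand-in ROMs: each half of each file carries its own marker byte."""
    return {
        name: bytes([0x10 + i]) * 0x4000 + bytes([0x20 + i]) * 0x4000
        for i, (name, _, _) in enumerate(ROM_LAYOUT)
    }


if __name__ == "__main__":
    bank = bank_from_c804(0x0C)                  # the value written at 0163 in the thread
    off = region_offset(0x8000, bank)
    print(f"$C804 <- $0C selects bank {bank}; CPU $8000 -> region {off:#07x}")
    print("  in MAME's files:   ", locate(off))
    print("  in gs03+gs04+gs05: ", hex(holeless_offset(off, [n for n, _, _ in ROM_LAYOUT])))
    print("  in gs04+gs05:      ", hex(holeless_offset(off, ["10n_gs04.bin", "12n_gs05.bin"])))
    region = build_region(sample_images())
    for b in range(BANK_COUNT):
        print(f"  bank {b}: byte at $8000 = {read_banked(region, 0x8000, b):#04x}")
```

Running it prints the four candidate region offsets for $8000 and, for the bank selected by $0C, the matching offsets in a three-file concatenation (0x14000) and in a gs04+gs05 concatenation (0xC000). Writing the output of `build_region` to disk and disassembling that file instead of the `copy /b` output makes the disassembler's offsets equal MAME's region offsets, so bank N of the $8000 window is simply at 0x10000 + N*0x4000.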
Re: Help with Code disassembly
[Re: Vas Crabb]
#174539 - 12/20/08 04:20 PM
Thanks!
I also noticed
0159: ld a,($C003)    ; -- Read dipswitch 1
015C: and $80
015E: jp nz,$016C     ; -- Check for service mode - Jump if not in service
0161: ld a,$0C
0163: ld ($C804),a    ; -- write rombank
0166: ld ($E285),a
0169: jp $8000        ; -- Jump to service mode routines
Edited by 60dBm (12/20/08 04:35 PM)
Found at C000
[Re: 60dBm]
#174614 - 12/21/08 10:49 PM
Thanks again for your help.
I did find my code at C000 but only after I concatenated gs04 and gs05 separately from gs03. Keeping the main code separated from the paged code.
Ah ha! I can move on now.
I do have a question with:
extern WRITE8_HANDLER(gunsmoke_c804w);
This is obviously an external device and not an actual memory location. Possibly a demultiplexer (74138) that enables the correct banks and addresses on the eproms.
Is the c804 designation meaningful to what device on the board we are talking about here?
Just curious.
Re: Found at C000
[Re: 60dBm]
#174618 - 12/21/08 11:38 PM
I think c804 is just referring to the address the device is mapped at.