3 * YOU ARE USING THIS SIMULATOR AT YOUR OWN RISK
4 * I DON'T RECOMMEND USING THIS SIMULATOR TO CREATE ANY REAL-WORLD SOFTWARE,
5 * NOR USING IT TO DEVELOP COMMERCIAL SOFTWARE
7 * OTHERWISE USE IT AS OPENSOURCE (GPLv2 PREFERRED)
9 * ****************************************************
12 * ./mk.sh && ./disasm < ./MY_dump_code.bin > ./dump
16 * sim_breakpoint_check()
17 * do_cpu_reset() (input binary files)
18 * disasm.h (some flags)
19 * read rest of this comment block
20 * no complex user input
21 * uses fifo for command line SMB emulation
23 * SMB comm: look into rom_funcs.c (not 1:1 with SMB stream) or func test_buf()
24 * (echo -e -n "\x71\x14\x02\x73\x71\x34\xfd" > ./000_smb_buf)
25 * enter bootrom (unusable no rom code):
26 * (echo -e -n "\x71\x14\x02\x73\x71\x34\xfd\x70\x17\x05" > ./000_smb_buf)
28 * NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
29 * you must generate event 't'/'T' (this will halt-loop the MCU) and then the ADC/CC/timer
30 * interrupt '2'; it will start doing things in the halt-loop (SMB '3' too)
31 * NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
35 * TODO TODO TODO TODO TODO TODO TODO TODO TODO
37 * rewrite trace reg RW
38 * load files from command line
39 * runtime flag disable reg trace (for disassemble)
40 * maybe all registers right of disassm?
41 * ix write from ix pre/post access? collision?
42 * cat dump | grep "[+-]" | grep "i.*i" | grep -v "ip"
43 * partial static disassemble? (fcn header, footer, jump targets)
44 * noninitialised access (jumpstart mode?)
45 * ROM emulation assembler for better debug?
46 * some functions are not described (inout args ABI)
47 * original mask ROM probably impossible to readout
49 * add version + retbreak
50 * better user input control (commands?)
51 * validate opcodes with carry
52 * user documented code flash calls
53 * hw stack flags .. empty/full (seems to not using, but still)
55 * garden of forking paths
56 * disassembler to javascript :-D
58 * NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
59 * PFLAG(0x8090) special masking with zeroes???
62 [0xe2] flag level access?
63 26c7: if !xxxxxx00 -> NACK
65 (echo -n -e "\x71\xfd\x34" > ./000_smb_buf)
66 4e4b: 04af1d move a, 0xe2 ;R{RAM[0e2]=c0 } ;W{flags=02 a=c0 pc=4e4c }
67 4e4c: 0ebfbf or a, #0x40 ;R{a=c0 } ;W{flags=02 a=c0 pc=4e4d }
68 4e4d: 01bf1d move 0xe2, a ;R{a=c0 } ;W{RAM[0e2]=c0 pc=4e4e }
70 RAM[0e2] - access level variable
72 ===========================================
73 SMB commands, safe/testing mode (use code flash, but not in operation)
78 --- lut table <0x40, 0x4a>
82 (3) read ramblock (rom)
84 SMB receive 33 bytes: (row, 32x data)
87 receive SMB block (LO, HI, data byte)
88 prog byte into data flash FdataProgWord (rom)
89 won't pre-erase (old AND new)
91 receive word (row, 0), erase row of data flash
92 32b8: (7) mass erase if key
93 (echo -e -n "\x47\xde\x83" > ./000_smb_buf)
95 addition sum flash (0-0x7c0 (minus last row)), send word to SMB
96 266e: (9) soft reset if key
97 (echo -e -n "\x49\x02\x05" > ./000_smb_buf)
99 flush hw stack (8 entries, erase ram, jump vector 0)
101 transfer 6 fixed values to SMB host
102 42, 59, 00, 84, 56, 59,
103 ---------------------------------
104 lut table <0x50, 0x5a>
106 receive word into [byte1 0x99] [byte0 0x9a]
108 [266] set bit 7 (process table?)
110 (echo -e -n "\x50\x00\x01" > ./000_smb_buf)
111 [0x99] & 1 = 0x01 enables CC calibration
112 [0x99] & 1 = 0x00 doesn't enable CC cal
113 subsequent runs enable adc conversion
114 [0x9a] is stored somewhere, test? 285b:
117 if ([0xe2] & 3) != 0 then NAK
118 else send [0x9a]*2 words [0x269] to smb host
119 simulator won't continue, but IRL it returns something (after a while)
120 most likely some interrupts?
121 cat dump | grep "0xe2, " -B 2
124 receives word do [0x99] [0x9a]
126 [266] set bit 7 (process table?)
130 [0x99] will be written to ADCTL0
132 26c5: (3) TODO? same as (1) o_O
133 if ([0xe2] & 3) != 0 then NAK
134 else send [0x9a]*2 words [0x269] to smb host
136 26d4: (4) set address (i2c or data flash)
137 //NOTICE there was a BUG in simulator, swapped values
138 stores received word to [REG:0xe6 ADDR:0xe7] for later
139 (echo -e -n "\x54\x40\x01" > ./000_smb_buf)
142 if ADDR = 0xa0 - access data flash
144 if ADDR = 0x40 - access i2c (bq29330)
145 (echo -e -n "\x54\x40\x02\x59\x02\x03" > ./000_smb_buf)
147 26dc: (5) write byte to i2c or data flash
148 use address from 0x54 command [REG:0xe6 ADDR:0xe7]
151 if ADDR = 0xa0 - access data flash
153 the flash addresses are weirdly sorted, TODO
154 NOTICE if ([0xa5] & 1) call 0x32e3 (data flash programming)
156 if ADDR = 0x40 - access i2c (bq29330)
157 (echo -e -n "\x54\x40\x01\x55\x02\x03" > ./000_smb_buf)
158 will write value 0x02
160 270a: (6) read i2c (ADDR=0x40) or data flash (ADDR=0xa0)
161 REG (i2c reg or 0x4600+REG flash address)
163 2733: (7) set byte count (for block RW access, i2c/flash)
164 CNT = [0xe5]= byte from received u16 (i2c count?)
165 (echo -e -n "\x57\x12\x34" > ./000_smb_buf)
168 2741: (8) block write to i2c (ADDR=0x40) or data flash (ADDR=0xa0)
170 [269]=received block from SMB
171 _something_ call 0x32e3 (data flash programming) + writes bq registers
173 2781: (9) block read from i2c or data flash
179 26dc:?? (perhaps more)
184 sends prog vector 6 (for key)
187 ==0 writes default values (dsg/chg off) to i2c reg1 + readback
190 ===========================================
193 0x3c - returns 0x13 bytes, part const, part from ram, ram differs on HW
196 test if \x0f\x51 (and other sequences)
199 0x3f - tests if equals last write, if not restarts SMB, if yes ??? TODO
200 real HW won't let you force a new value (0xa2 0x38 or 0x2c 0x38)
203 0x41 PokeByte() (rom)
204 only if (RAM[0e2] & 0x40) is set, i.e. it must be unlocked with the code@6 password (4e4b)
205 (echo -e -n "\x71\x14\x02\x73\x71\x34\xfd" > ./000_smb_buf)
206 0x42 peekbyte() (rom)
207 i2ctransfer -y 0 "w1@0xb" 0x40 "w2@0xb" 0x00 0x40 ; i2ctransfer -y 0 "w1@0xb" 0x42 "r2@0xb"
209 0x43 ReadRAMBlk() (rom)
212 unknown function, probably writes dynamic flash config area at 4600
213 receives N bytes (TODO: maybe not divisible by 32); can be more, e.g. 64
214 TEST read 32B -> erase (2 rows), write the first with new data, write the second with the backed-up values
217 possible offset? RAM[004] (seems to used only in init)
220 sends 14 bytes of data, originating from flash (opposite of 0x44)
222 0x50 returns constant bytes (similar as 4a in safe mode)
226 4 bytes: 42, 59, 00, 84
227 0x51 returns 10 bytes from RAM[0ff] (address + len is permanent)
228 0x52 returns bytes from start of RAM (TODO)
230 dumps from real HW are different
233 4e6d: sends const 0000
236 expects 2 bytes (word)
238 (echo -e -n "\x71\x14\x02\x73\x71\x34\xfd\x70\x02\x05" > ./000_smb_buf)
239 \x70\x17\x05 enter bootrom
241 part of unlock sequence, sends word key from code space @0x0006
244 can read or write word originating from flash[610]
246 read/write word from RAM[29b]
249 blocked acupack shows no change
251 R/W word from RAM[0e9]
254 R/W "ibm corporation" + 4B
255 4B created by some operations with RAM[0f0], RAM[0ec], RAM[0eb]
257 sends word from RAM[29d]
260 sends block of 10 bytes from RAM[02d]
261 originates from FLASH[616]
263 sends block of 16 bytes
264 computed from FLASH[480] and higher
266 sends block of 16 bytes
267 computed from FLASH[4c0] and higher
269 sends block of 24 bytes
270 zeroes 24 bytes in buffer o_O
272 sends battery serial value from length:FLASH[7a0], data:FLASH[7a1]
273 23: sends block of computed data, some variables are from static flash section
274 should be cell voltages
275 22: sends "lion" string from flash
276 21: sends part number string
277 20: sends manuf string
279 0: manuf access, not enabled by default ? enabled by FLASH[080]
283 46a2 call to i2c write
287 stack[0]=pointer to data
290 26dc jumped from 2922 (lut 5), dynamic trampoline? (call 27f2)
291 26e8 cannot jump (smb error)
292 26ec must jump ([0xe6]!=0xa0)
294 2741 ??? (+ receive block from smb, write to bq), jumped from 2925 (8) (call 27f2)
295 2756 cannot jump, must be [0xe7]==0x40 (bq address)
296 2759 CNT, is it always bigger than 0? (cannot be 0)
298 0cce: wait until masked BQ reg has two successive reads same
300 r2 = store ptr MSB read
301 r1 = store ptr LSB read
303 0d1b: write reg to BQ, readback and compare masked values
316 5618: 04bff7 or a, 0x08 ;R: a=02 RAM[008]=5a ;W: flags=02 a=5a a=5a pc=5619
320 005d: 058ea6 cpl1 r0, 0x59 ;R: r0=00 RAM[059]=00 ;W: flags=00 a=ff r0=ff pc=005e
321 005e: 058da7 cpl1 r1, 0x58 ;R: r1=b8 RAM[058]=00 ;W: flags=00 a=ff r1=ff pc=005f
323 0014: 0e1cfe cmp r2, #0x01 ;R: r2=00 ;W: flags=03 a=01 pc=0015
324 jumps to 0029: 6c b7 3a calls 0x4893
326 0075: ff 15 0e cmp i2h, #0x00
327 0076: 87 ff 32 jzc 0x0078 ;zero clear, !=
328 0077: 00 14 0e cmp i2l, #0xff
329 0078: 7c ff 34 jcs 0x0083 ;carry set, <=
340 trampoline 0x8009 for 2912/291d
342 [8013/data ready] vvv (else NAK)
344 27df: 0x40 = command in R3 <0x40, 0x4a> (table 2912)
345 27ea: 0x50 = command in R3 <0x50, 0x5a> (table 291d)
348 !!!!!! 2bb7 setup bitu 1
354 2bb7: important test?
356 [0x66] & 0x1e cannot equal i2h (cache?)
367 * 2bd4 maybe set here ? or i2h, r3, i2h
372 0x468f bq write R2=reg1
375 0x0cab want to write bq reg1
380 0cf5: register jump table?
387 write_data_flash(0x82, 0xf7);
388 writes to IO[0xb0] pflag?, IO[93]? wakeup?
389 if ((([0x82]*8)>>8)&1) -> ^^^
392 enable adc conversion register
393 cat dump | grep 'move i0h, #0x80' -A 1 -B 1 | grep 'move i0l, #0x30' -A 3
396 call@361d, entry@3611
397 possible indirect call set @ 4996, entry@493b??
399 call@0a30, entry@0976?
400 call@3623, entry@3611 ^^^
402 call@3625, entry@3611 ^^^
403 call@0baf, entry@0bad
404 call@36a8, entry@3696
405 call@3687, entry@3611 ^^^
407 call@35f8, entry@3566
408 call@3615, entry@3611 ^^^
419 load i2c/flash value into ram and do weird operations
425 adc@8030 possible IRL sequence
429 timers disabled (but not discharging)
431 rc_out sequence 0x5f (long) 0x5b (short)
434 RC_IN 0x0c, short 0x00
435 PIE 0xb8, timer enabled
437 SMBCTL !!! (simulator isolate=1, IRL=0x00)
440 process table @ RAM[25a]
441 0: u16 new process stack pointer
443 & 0x20 jump to irq return
444 & 0x40 don't set gie (maybe already set), if ==0 set stack from pointer?
445 |= 0x8 before call 0x4a2a
447 & 0x80 == 0 .. test if event .. else set this bit
451 i3 = 76c (boot constant), 73f (last set before main loop)
452 RAM[25c] bitfield stat related (in looping)
453 RAM[25d], RAM[25e] - unused
456 6ec - boot, 6e4 - last set, many uses then
457 RAM[261] bitfield mask stat related (in looping)
458 cat z01_vanilla.log | grep 'RAM\[261\]' -A 0 -B 2
459 RAM[262],RAM[262] unused
463 RAM[266] bitfield, stat related (in looping)
465 bitfields = maybe irq/event handlers?
467 NOTICE NOTICE NOTICE NOTICE
468 search for i2cwrite calls!
470 NOTICE only the closest entry was found (theoretically it can be jumped to from anywhere in the entire prog space, and dynamically)
471 "call 0x803c i2cwrite" @ 4740, entry @ 46da (R2 = i2c reg)
472 call @ 469c, entry @ 468f
473 call @ 0cf4, entry @ 0cce
474 call @ 0cff, entry @ 0cce
475 call @ 0d48, entry @ 0d1b
476 call @ 2726, entry @ 270a
477 call @ 2799, entry @ 2781
478 call @ 46af, entry @ 46a2
479 call @ 0d3d, entry @ 0d1b
480 call @ 2702, entry @ 26dc (contains smbSlaveRcvWord)
481 call @ 2766, entry @ 2741 (contains smbSlaveRcvBlock)
482 call @ 46c2, entry @ 46b5
483 safemode SMB 0x40 trampoline entry
484 call @ 46d4, entry @ 46c8
501 #include <sys/types.h>
505 #include "rom_funcs.h"
511 /** ****** tracers utils ******/
513 static enum interrupt_event do_event
= INT_NONE
;
515 static unsigned sim_breakpoint_flags
= 0;
517 void sim_breakpoint_set(unsigned flags
)
519 sim_breakpoint_flags
|= flags
;
522 /** ******** simulator *******/
524 extern void write_bq29330_reg(u8 reg
, u8 val
);
526 static void do_cpu_reset(void)
528 // sim_breakpoint_set(SIM_BREAKPOINT_STEP);
530 char * filename_ram
= NULL
;
531 char * filename_eeprom
= NULL
;
532 char * filename_prog
= NULL
;
533 char * filename_iospace
= NULL
;
535 // filename_ram = "./DUMP_ram.bin";
536 filename_eeprom
= "./DUMP_eeprom.bin";
537 filename_prog
= "./DUMP_code.bin";
538 // filename_iospace = "./DUMP_io.bin";
540 init_access(filename_ram
, filename_eeprom
);
541 init_isa(filename_prog
);
542 init_ioregs(filename_iospace
);
544 write_bq29330_reg(0, 0x18);
545 write_bq29330_reg(1, 0xff);
546 write_bq29330_reg(2, 0);
547 write_bq29330_reg(3, 0);
548 write_bq29330_reg(4, 0);
549 write_bq29330_reg(5, 0);
550 write_bq29330_reg(6, 0);
551 write_bq29330_reg(7, 0);
552 write_bq29330_reg(8, 0);
555 //bit 2 can enable smb call 0 write (manuf access)
557 write_data_flash(0x80, 0x34);
561 //erase parts of flash
562 for (addr
= 0x580; addr
< 0x600; addr
++) {
563 write_data_flash(addr
, 0xff);
569 // mem_flash[0x083] &= ~1;
570 // mem_flash[0x083] |= 1;
571 // mem_flash[0x083] |= 0xff;
574 //enters safemod with this
575 for (addr
= 0x60c; addr
< 0x60e; addr
++) {
576 write_data_flash(addr
, 0xff);
581 //default bq registers?
582 write_data_flash(0x601, 0xff);
586 //maybe bad description ???call function with discharge XOR bit, bud the call never returns
587 write_data_flash(0x60c, 0x3c); //pc=4926
588 write_data_flash(0x60d, 0x7e); //4928
589 write_data_flash(0x83, 0x12); //0c50
594 //ability to direct i2c write
595 write_data_flash(0x60c, 0x3c); //pc=4926
596 write_data_flash(0x60d, 0x7e); //4928
597 //unused write_data_flash(0x83, 0x12); //0c50
601 //manuf access? will enable word receive from host (instead transmit only) - still it does nothing special?
602 //(echo -e -n "\x00\xff\x00\x20" > ./000_smb_buf)
603 write_data_flash(0x80, 0x34);
606 // write_data_flash(0x80, 0x34);
608 // write_data_flash(0x58, 0xff);
609 // write_data_flash(0x59, 0xff);
612 //system config words (gpios ...)
613 // write_data_flash(0x80, 0xf7);
614 // write_data_flash(0x82, 0xf7);
615 // write_data_flash(0x83, 0xf7);
618 // write_data_flash(0x540, 0x30);
619 // write_data_flash(0x541, 0xcf);
621 // write_data_flash(0x700, 0xff);
622 // write_data_flash(0x701, 0xff);
623 // write_data_flash(0x702, 0xff);
624 // write_data_flash(0x703, 0xff);
627 //maybe correct watchdog startup?
628 write_io_lowlevel(0x60, 4 | 8);
632 //uninitialized read (test if unpowered reboot?)
633 write_ram(0x58, 0xff);
634 write_ram(0x59, 0xff);
638 //uninitialized read2 (test if unpowered reboot?)
639 //compared with checksum? compared with flash checksum too 0x4600
640 write_ram(0x57, 0x0);
642 write_ram(0x58, 0xa6);
643 write_ram(0x59, 0x70);
647 // write_io_lowlevel(0x30, 0x9d);
648 // write_io_lowlevel(0x91, 0xb8);
650 // for (unsigned addr=0x500;addr<0x520;addr++) {
651 // write_data_flash(addr+0x100, read_data_flash(addr));
655 // write_data_flash(0x60c, 0x30);
656 // write_data_flash(0x60d, 0xcf);
660 // write_data_flash(0x60c, 0x3c);
661 // write_data_flash(0x60d, 0x7e);
664 // write_data_flash(0x60c, 0x5a);
665 //write_data_flash(0x60d, 0x1f);
668 // sim_breakpoint_set(SIM_BREAKPOINT_STEP);
672 #define SMB_DATA_MAX 100
673 static u8 smb_data_val
[SMB_DATA_MAX
+1];
674 static unsigned smb_data_len
=0;
675 static unsigned myoff
=0;
679 u8
* ptr
= &smb_data_val
[myoff
];
682 if(myoff
>=smb_data_len
) {
689 // unsigned xxxxxx=0;
691 static void sim_breakpoint_check(u16 pc
)
696 sim_breakpoint_set(SIM_BREAKPOINT_CODE
);
702 if (sim_breakpoint_flags
== 0)
705 fprintf(stderr
, "Execution paused (%x): " , sim_breakpoint_flags
);
707 if (sim_breakpoint_flags
& SIM_BREAKPOINT_CODE
) {
708 fprintf(stderr
, "PC address breakpoint: %04hx, ", pc
);
711 if (sim_breakpoint_flags
& SIM_BREAKPOINT_HALT
) {
712 fprintf(stderr
, "Processor halted, ");
715 unsigned first_step
= 0;
716 if (sim_breakpoint_flags
& SIM_BREAKPOINT_STEP
) {
718 fprintf(stderr
, "Stepping, ");
722 if (sim_breakpoint_flags
& SIM_BREAKPOINT_DATA
) {
723 fprintf(stderr
, "Data breakpoint, ");
726 fprintf(stderr
, "\n");
728 static u32 adc_val
= 10;
729 static s16 cc_val
= -10;
732 //TODO TODO TODO better continue, (only enter/space?), readline!
733 while ((sim_breakpoint_flags
& (~SIM_BREAKPOINT_STEP
)) ||
739 fprintf(stderr
, "> ");
740 system("/bin/stty raw");
742 system("/bin/stty cooked");
744 sim_breakpoint_flags
&= SIM_BREAKPOINT_STEP
;
749 //NOTICE seems to end in infinite loop
753 //NOTICE seems to end in infinite loop
756 do_event
= INT_V0_RESET
;
759 do_event
= INT_V1_IN1
;
761 case '2': //ADC/coloumb/timer interrupt
763 write_io_lowlevel(0x32, (adc_val
>> 16) & 0xff);
764 write_io_lowlevel(0x33, (adc_val
>> 8) & 0xff);
765 write_io_lowlevel(0x34, (adc_val
>> 0) & 0xff);
767 write_io_lowlevel(0x41, (cc_val
>> 8) & 0xff);
768 write_io_lowlevel(0x42, (cc_val
>> 0) & 0xff);
771 write_io_lowlevel(0x31, read_io_lowlevel(0x31) | 1);
775 write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x20);
777 // write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x10);
779 // write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x8);
781 write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x4);
783 // write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x2);
785 // write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x1);
787 // fprintf(stderr, "dfgdfgd %x %x\n", write_io_lowlevel(0x90], write_io_lowlevel(0x91]);
788 //if enabled at least one
789 if ((read_io_lowlevel(0x90) & read_io_lowlevel(0x91)) & 0x3f) {
790 do_event
= INT_V2_IN2
;
793 case '3': //SMB interrupt (DRDY)
794 log_comment_add("=== Set IRQ values ===");
795 write_io_lowlevel(0x13, 0x24);
797 // smb_data_val = 0x0;
798 write_io_lowlevel(0x11, test_buf()[0]);
801 write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x80);
803 //write_io_lowlevel(0x90] |= 0x40;
805 //if enabled at least one
806 if ((read_io_lowlevel(0x90) & read_io_lowlevel(0x91)) & 0xc0) {
807 do_event
= INT_V3_IN0
;
809 log_comment_add("=== Run ===");
813 do_event
= INT_V4_SMB_WAIT
;
817 * vector 5: image signature, other values will stay in bootrom
818 * vector 6: security word (0x3fffff = undefined)
821 do_event
= INT_V7_XIN
;
824 do_event
= INT_V8_CIN
;
827 do_event
= INT_V9_CLKHI
;
830 do_event
= INT_VA_CLKLO
;
833 do_event
= INT_VB_WAIT_CLKHI
;
836 do_event
= INT_VC_DATAHI
;
839 do_event
= INT_VD_DATALO
;
842 do_event
= INT_VE_DATAIN
;
845 do_event
= INT_VF_WAIT
;
847 case 'R': //dump registers
848 fprintf(stderr
, "Dump regs:\n");
850 for (unsigned reg
=0;reg
<16;reg
++) {
851 fprintf(stderr
, "%s=%02hhx ",
856 fprintf(stderr
, "%s=%02hhx\n",
857 get_regs_name(UTIL_REG_FLAGS
),
858 read_reg8(UTIL_REG_FLAGS
, 0)
861 //don't continue in exec
862 sim_breakpoint_set(SIM_BREAKPOINT_STDIN
);
865 log_buf("Dump IO", 0x8000, 0x100);
867 //don't continue in exec
868 sim_breakpoint_set(SIM_BREAKPOINT_STDIN
);
871 fprintf(stderr
, "Quitting\n\n");
875 sim_breakpoint_flags
|= SIM_BREAKPOINT_STEP
;
878 sim_breakpoint_flags
&= ~SIM_BREAKPOINT_STEP
;
881 log_buf("Dump Flash", 0x4000, 0x800);
883 //don't continue in exec
884 sim_breakpoint_set(SIM_BREAKPOINT_STDIN
);
887 log_buf("Dump RAM", 0x000, 0x800);
889 //don't continue in exec
890 sim_breakpoint_set(SIM_BREAKPOINT_STDIN
);
892 case 'x': //SMB test extern
894 fd
= open("./000_smb_buf", O_RDONLY
/*| O_NONBLOCK*/);
895 fprintf(stderr
, "\nfd %i\n",fd
);
897 smb_data_len
= read(fd
, smb_data_val
, SMB_DATA_MAX
);
900 fprintf(stderr
, "%02hhx\n", smb_data_val
[0]);
901 fprintf(stderr
, "%02hhx\n", smb_data_val
[1]);
902 fprintf(stderr
, "%02hhx\n", smb_data_val
[2]);
903 fprintf(stderr
, "%02hhx\n", smb_data_val
[3]);
905 fprintf(stderr
, "l:%i errno:%i\n",
910 fprintf(stderr
, "\n!open error %i\n", errno
);
912 //don't continue in exec
913 sim_breakpoint_set(SIM_BREAKPOINT_STDIN
);
920 fprintf(stderr
, "\n");
922 //don't erase only stepping
923 sim_breakpoint_flags
&= SIM_BREAKPOINT_STEP
;
927 ////////////////////////////
928 ///////// MAIN /////////
929 ////////////////////////////
931 // unsigned xxxcount=0;
933 int main(int argc
, char *argv
[])
936 struct reg_stat stat
;
937 struct opcode_word opcode
;
942 stat
.raw
= read_reg8(MAIN_REG_STAT
, 0);
945 // if (xxxcount > 3000) {
946 // sim_breakpoint_set(SIM_BREAKPOINT_CODE);
956 write_reg8(MAIN_REG_STAT
, stat
.raw
, 0);
961 write_reg8(MAIN_REG_STAT
, stat
.raw
, 0);
968 write_reg8(MAIN_REG_STAT
, stat
.raw
, 0);
982 if (stat
.gie
&& stat
.ie1
) {
985 // mem_data[0x8090] |= 0xff;
987 //~ call jump (but return to this instruction, not next)
991 write_reg8(MAIN_REG_STAT
, stat
.raw
, 0);
993 case INT_V2_IN2
: //adc cc timer
996 if (stat
.gie
&& stat
.ie2
) {
1002 write_reg8(MAIN_REG_STAT
, stat
.raw
, 0);
1004 case INT_V3_IN0
: //smb
1005 do_event
= INT_NONE
;
1013 write_reg8(MAIN_REG_STAT
, stat
.raw
, 0);
1015 //TODO are these GIE dependant or just sw?
1016 case INT_V4_SMB_WAIT
:
1017 do_event
= INT_NONE
;
1022 do_event
= INT_NONE
;
1027 do_event
= INT_NONE
;
1032 do_event
= INT_NONE
;
1037 do_event
= INT_NONE
;
1041 case INT_VB_WAIT_CLKHI
:
1042 do_event
= INT_NONE
;
1047 do_event
= INT_NONE
;
1052 do_event
= INT_NONE
;
1057 do_event
= INT_NONE
;
1062 do_event
= INT_NONE
;
1072 //load new instruction (can be irq vector jump)
1073 curr_pc
= read_pc();
1074 opcode
= read_code(curr_pc
);
1079 curr_pc
= opcode_decode(opcode
);
1081 #ifndef JUST_DISASSEMBLE
1082 curr_pc
= check_rom_funcs(curr_pc
);
1085 #ifdef JUST_DISASSEMBLE
1086 curr_pc
= read_pc()+1;
1087 //TODO use code dump filesize
1088 if (read_pc() == 0x5680) //trailing NOPs
1089 // if (read_pc() == 0xffff) //not overflow
1095 #ifdef JUST_DISASSEMBLE
1102 // printf("XXXXXXXXX %i\n",sim_breakpoint_flags);
1104 #ifdef JUST_DISASSEMBLE
1105 sim_breakpoint_flags
= 0;
1108 sim_breakpoint_check(curr_pc
);