search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
i2c tools better naming scheme
[cr816-sim.git] / disasm.c
blob10b8b1ee0ca8d96548b8853374525ae77ccb2735
1 /*
2 * NO WARRANTY
3 * YOU ARE USING THIS SIMULATOR AT YOUR OWN RISK
4 * I DON'T RECOMMEND USING THIS SIMULATOR TO CREATE ANY REAL WORLD SOFTWARE,
5 * NOR USING TO DEVELOP COMMERCIAL SOFTWARES
6 *
7 * OTHERWISE USE IT AS OPENSOURCE (GPLv2 PREFERRED)
8 *
9 * ****************************************************
10 *
11 * compilation:
12 * ./mk.sh && ./disasm < ./MY_dump_code.bin > ./dump
13 *
14 * Use:
15 * look into
16 * sim_breakpoint_check()
17 * do_cpu_reset() (input binary files)
18 * disasm.h (some flags)
19 * read rest of this comment block
20 * no complex user input
21 * uses fifo for command line SMB emulation
22 *
23 * SMB comm: look into rom_funcs.c (not 1:1 with SMB stream) or func test_buf()
24 * (echo -e -n "\x71\x14\x02\x73\x71\x34\xfd" > ./000_smb_buf)
25 * enter bootrom (unusable no rom code):
26 * (echo -e -n "\x71\x14\x02\x73\x71\x34\xfd\x70\x17\x05" > ./000_smb_buf)
27 *
28 * NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
29 * you must generate event 't'/'T' (will halt-loop MCU) and then ADC/CC/timer
30 * interrupt '2' and it will start doing things in halt-loop (SMB '3' too)
31 * NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
32 *
33 *
34 *
35 * TODO TODO TODO TODO TODO TODO TODO TODO TODO
36 * no central control
37 * rewrite trace reg RW
38 * load files from command line
39 * runtime flag disable reg trace (for disassemble)
40 * maybe all registers right of disassm?
41 * ix write from ix pre/post access? collision?
42 * cat dump | grep "[+-]" | grep "i.*i" | grep -v "ip"
43 * partial static disassemble? (fcn header, footer, jump targets)
44 * noninitialised access (jumpstart mode?)
45 * ROM emulation assembler for better debug?
46 * some functions are not described (inout args ABI)
47 * original mask ROM probably impossible to readout
48 * report single flag
49 * add version + retbreak
50 * better user input control (commands?)
51 * validate opcodes with carry
52 * user documented code flash calls
53 * hw stack flags .. empty/full (seems to not using, but still)
54 * genearte calltree
55 * garden of forking paths
56 * disassembler to javascript :-D
57 *
58 * NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
59 * PFLAG(0x8090) special masking with zeroes???
60
61 Reversed variables:
62 [0xe2] flag level access?
63 26c7: if !xxxxxx00 -> NACK
64
65 (echo -n -e "\x71\xfd\x34" > ./000_smb_buf)
66 4e4b: 04af1d move a, 0xe2 ;R{RAM[0e2]=c0 } ;W{flags=02 a=c0 pc=4e4c }
67 4e4c: 0ebfbf or a, #0x40 ;R{a=c0 } ;W{flags=02 a=c0 pc=4e4d }
68 4e4d: 01bf1d move 0xe2, a ;R{a=c0 } ;W{RAM[0e2]=c0 pc=4e4e }
69
70 RAM[0e2] - access level variable
71
72 ===========================================
73 SMB commands, safe/testing mode (use code flash, but not in operation)
74 needs to have set:
75 flash[0x60c]=0x3c
76 flash[0x60d]=0x7e
77
78 --- lut table <0x40, 0x4a>
79 (0) set addr (rom)
80 (1) poke byte (rom)
81 (2) peek byte (rom)
82 (3) read ramblock (rom)
83 328c: (4)
84 SMB receive 33 bytes: (row, 32x data)
85 prog data flash row
86 326e: (5)
87 receive SMB block (LO, HI, data byte)
88 prog byte into data flash FdataProgWord (rom)
89 won't pre-erase (old AND new)
90 32aa: (6)
91 receive word (row, 0), erase row of data flash
92 32b8: (7) mass erase if key
93 (echo -e -n "\x47\xde\x83" > ./000_smb_buf)
94 32cb: (8)
95 addition sum flash (0-0x7c0 (minus last row)), send word to SMB
96 266e: (9) soft reset if key
97 (echo -e -n "\x49\x02\x05" > ./000_smb_buf)
98 call 0x0040
99 flush hw stack (8 entries, erase ram, jump vector 0)
100 267f: (10)
101 transfer 6 fixed values to SMB host
102 42, 59, 00, 84, 56, 59,
103 ---------------------------------
104 lut table <0x50, 0x5a>
105 269a: (0)
106 receive word into [byte1 0x99] [byte0 0x9a]
107 [0xe2]=1
108 [266] set bit 7 (process table?)
109 first run enables CC
110 (echo -e -n "\x50\x00\x01" > ./000_smb_buf)
111 [0x99] & 1 = 0x01 enables CC calibration
112 [0x99] & 1 = 0x00 don't enables CC cal
113 next runs enables adc conversion
114 [0x9a] is stored somewhere, test? 285b:
115
116 26a8: (1) TODO
117 if ([0xe2] & 3) != 0 then NAK
118 else send [0x9a]*2 words [0x269] to smb host
119 simulator wont continue but IRL returns something (after a while)
120 most likely some interrupts?
121 cat dump | grep "0xe2, " -B 2
122
123 26b7: (2)
124 receives word do [0x99] [0x9a]
125 [0xe2]=2
126 [266] set bit 7 (process table?)
127 first run
128 enables ADC (only)
129 other runs
130 [0x99] will be written to ADCTL0
131
132 26c5: (3) TODO? same as (1) o_O
133 if ([0xe2] & 3) != 0 then NAK
134 else send [0x9a]*2 words [0x269] to smb host
135
136 26d4: (4) set address (i2c or data flash)
137 //NOTICE there was a BUG in simulator, swapped values
138 stores received word to [REG:0xe6 ADDR:0xe7] for later
139 (echo -e -n "\x54\x40\x01" > ./000_smb_buf)
140 i2c ADDR = 0x40
141 i2c REG = 0x01
142 if ADDR = 0xa0 - access data flash
143 (REG + 0x4600)
144 if ADDR = 0x40 - access i2c (bq29330)
145 (echo -e -n "\x54\x40\x02\x59\x02\x03" > ./000_smb_buf)
146
147 26dc: (5) write byte to i2c or data flash
148 use address from 0x54 command [REG:0xe6 ADDR:0xe7]
149 byte 0 - value
150 byte 1 - ??
151 if ADDR = 0xa0 - access data flash
152 (REG + 0x4600)
153 the flash addresses are weirdly sorted, TODO
154 NOTICE if ([0xa5] & 1) call 0x32e3 (data flash programming)
155 else exit
156 if ADDR = 0x40 - access i2c (bq29330)
157 (echo -e -n "\x54\x40\x01\x55\x02\x03" > ./000_smb_buf)
158 will write value 0x02
159
160 270a: (6) read i2c (ADDR=0x40) or data flash (ADDR=0xa0)
161 REG (i2c reg or 0x4600+REG flash address)
162
163 2733: (7) set byte count (for block RW access, i2c/flash)
164 CNT = [0xe5]= byte from received u16 (i2c count?)
165 (echo -e -n "\x57\x12\x34" > ./000_smb_buf)
166 byte count = 0x12
167
168 2741: (8) block write to i2c (ADDR=0x40) or data flash (ADDR=0xa0)
169 CNT=[0xe5]
170 [269]=received block from SMB
171 _something_ call 0x32e3 (data flash programming) + writes bq registers
172
173 2781: (9) block read from i2c or data flash
174 ADDR, REG, CNT
175
176 27bc: (10) ???
177 read out RAM[0x98]
178 send as u16
179 26dc:?? (perhaps more)
180
181 72:
182 27f7: const 1111
183 73:
184 sends prog vector 6 (for key)
185 80:
186 receive word
187 ==0 writes default values (dsg/chg off) to i2c reg1 + readback
188 !=0 enables timer
189
190 ===========================================
191 normal mode
192 which are SBS?
193 0x3c - returns 0x13 bytes, part const, part from ram, ram differs on HW
194 can read/write
195 0x3d - RW word
196 test if \x0f\x51 (and other sequences)
197 0x3e - RW word
198 test bitfields
199 0x3f - tests if equals last write, if not restarts SMB, if yes ??? TODO
200 real HW wont let force new value (0xa2 0x38 or 0x2c 0x38)
201
202 0x40 SetAddr() (rom)
203 0x41 PokeByte() (rom)
204 only if (RAM[0e2] & 0x40) == must be unlocked with code@6 password (4e4b)
205 (echo -e -n "\x71\x14\x02\x73\x71\x34\xfd" > ./000_smb_buf)
206 0x42 peekbyte() (rom)
207 i2ctransfer -y 0 "w1@0xb" 0x40 "w2@0xb" 0x00 0x40 ; i2ctransfer -y 0 "w1@0xb" 0x42 "r2@0xb"
208 start of flash
209 0x43 ReadRAMBlk() (rom)
210 0x44 TODO
211 needs unlock
212 unknown function, probably writes dynamic flash config area at 4600
213 receives N bytes (TODO maybe non divisible by 32), can be more, like 64 etc..
214 TEST read 32B -> erase (2 rows), write first with new data, write second with backuped values
215 FdataEraseRow
216 FdataProgRow
217 possible offset? RAM[004] (seems to used only in init)
218 0x45 TODO
219 needs unlock
220 sends 14 bytes of data, originating from flash (opposite of 0x44)
221
222 0x50 returns constant bytes (similar as 4a in safe mode)
223 if RAM[0e2] & 0x40
224 3 bytes: 42, 59, 00
225 else
226 4 bytes: 42, 59, 00, 84
227 0x51 returns 10 bytes from RAM[0ff] (address + len is permanent)
228 0x52 returns bytes from start of RAM (TODO)
229 53,54 similar
230 dumps from real HW are different
231
232 72:
233 4e6d: sends const 0000
234 70:
235 needs unlock
236 expects 2 bytes (word)
237 \x70\x02\x05 reboot
238 (echo -e -n "\x71\x14\x02\x73\x71\x34\xfd\x70\x02\x05" > ./000_smb_buf)
239 \x70\x17\x05 enter bootrom
240 73:
241 part of unlock sequence, sends word key from code space @0x0006
242 FlashRdRow() (rom)
243 3f:
244 can read or write word originating from flash[610]
245 3e:
246 read/write word from RAM[29b]
247 unknown use
248 init to 1, 0
249 blocked acupack shows no change
250 3d:
251 R/W word from RAM[0e9]
252 0,0
253 3c:
254 R/W "ibm corporation" + 4B
255 4B created by some operations with RAM[0f0], RAM[0ec], RAM[0eb]
256 3b:
257 sends word from RAM[29d]
258 real hw differs
259 30:
260 sends block of 10 bytes from RAM[02d]
261 originates from FLASH[616]
262 31:
263 sends block of 16 bytes
264 computed from FLASH[480] and higher
265 32:
266 sends block of 16 bytes
267 computed from FLASH[4c0] and higher
268 33:
269 sends block of 24 bytes
270 zeroes 24 bytes in buffer o_O
271 2f:
272 sends battery serial value from length:FLASH[7a0], data:FLASH[7a1]
273 23: sends block of computed data, some variables are from static flash section
274 should be cell voltages
275 22: sends "lion" string from flash
276 21: sends part number string
277 20: sends manuf string
278
279 0: manuf access, not enabled by default ? enabled by FLASH[080]
280
281 ===========
282
283 46a2 call na i2c write
284 R3=adresa
285 R2=reg
286 R1=count
287 stack[0]=pointer to data
288 references from:
289 0d1b vvv
290 26dc jumped from 2922 (lut 5), dynamic trampoline? (call 27f2)
291 26e8 cannot jump (smb error)
292 26ec must jump ([0xe6]!=0xa0)
293
294 2741 ??? (+ receive block from smb, write to bq), jumped from 2925 (8) (call 27f2)
295 2756 cannot jump, must be [0xe7]==0x40 (adresa bq)
296 2759 CNT, anything always bigger than 0? (cannot be 0)
297
298 0cce: wait until masked BQ reg has two successive reads same
299 R3 = cislo registru
300 r2 = store ptr MSB read
301 r1 = store ptr LSB read
302 r0 = compare mask?
303 0d1b: write reg to BQ, readback and compare masked values
304 r3 = cmd
305 r2 = val
306 r1 = mask
307
308 4a7a:
309 lots of SMB calls
310 4cbd:
311 "ibm corp"
312 0ca0:
313 [0x66] ??
314
315 todo
316 5618: 04bff7 or a, 0x08 ;R: a=02 RAM[008]=5a ;W: flags=02 a=5a a=5a pc=5619
317 double
318
319 ??
320 005d: 058ea6 cpl1 r0, 0x59 ;R: r0=00 RAM[059]=00 ;W: flags=00 a=ff r0=ff pc=005e
321 005e: 058da7 cpl1 r1, 0x58 ;R: r1=b8 RAM[058]=00 ;W: flags=00 a=ff r1=ff pc=005f
322
323 0014: 0e1cfe cmp r2, #0x01 ;R: r2=00 ;W: flags=03 a=01 pc=0015
324 jumps to 0029: 6c b7 3a calls 0x4893
325
326 0075: ff 15 0e cmp i2h, #0x00
327 0076: 87 ff 32 jzc 0x0078 ;zero clear, !=
328 0077: 00 14 0e cmp i2l, #0xff
329 0078: 7c ff 34 jcs 0x0083 ;carry set, <=
330
331 282f:
332 XOR discharge bit
333 2b1a:
334 set bits?, [0x66]
335 call @2bd4
336
337 283b:
338 49c3: TODO
339
340 trampoline 0x8009 for 2912/291d
341 27c4 entry
342 [8013/data ready] vvv (else NAK)
343 [smb data] load data
344 27df: 0x40 = command in R3 <0x40, 0x4a> (table 2912)
345 27ea: 0x50 = command in R3 <0x50, 0x5a> (table 291d)
346
347
348 !!!!!! 2bb7 setup bitu 1
349 2bb4 must jump
350 [0x9f] musi byt
351 x1xx xx1x
352 x0xx xx1x
353 x0xx xx0x
354 2bb7: important test?
355 [0x6b] xxxx xx0x
356 [0x66] & 0x1e cannot equal i2h (cache?)
357
358 head?? 2b1a:
359 called from 5119:
360 510e
361 head? 5090:
362 indirect jump? 493b:
363
364
365 *
366 * 283b xor dsg
367 * 2bd4 maybe set here ? or i2h, r3, i2h
368 * 0c99
369 *
370 * 0x47aa call delay
371
372 0x468f bq write R2=reg1
373 0d48
374
375 0x0cab want to write bq reg1
376
377 0xcf4 call to 0x468f
378 0xcff
379
380 0cf5: register jump table?
381
382 how to get there?
383 2bd7:move 0x66, i2h
384 intro? 2b1a
385
386
387 write_data_flash(0x82, 0xf7);
388 writes to IO[0xb0] pflag?, IO[93]? wakeup?
389 if ((([0x82]*8)>>8)&1) -> ^^^
390 ekvivalent (& 0x20)
391
392 enable adc conversion register
393 cat dump | grep 'move i0h, #0x80' -A 1 -B 1 | grep 'move i0l, #0x30' -A 3
394 0610: b9 entry@05f7
395 call@096c,entry@093c
396 call@361d, entry@3611
397 possible indirect call set @ 4996, entry@493b??
398 call@002e
399 call@0a30, entry@0976?
400 call@3623, entry@3611 ^^^
401 call@0aea,entry@0a8c
402 call@3625, entry@3611 ^^^
403 call@0baf, entry@0bad
404 call@36a8, entry@3696
405 call@3687, entry@3611 ^^^
406 call@0c3a,entry@0bb5
407 call@35f8, entry@3566
408 call@3615, entry@3611 ^^^
409 063c: be entry@05f7
410 0641: b9 entry@05f7
411 06bc: b9 entry@05f7
412 06e4: b9 entry@05f7
413 06f2:
414 09cf:
415 09d4:
416 289e:
417 28e2:
418
419 load i2c/flash value into ram and do weird operations
420 0167:
421
422 stuck in halt
423 4a34: leave test?
424
425 adc@8030 possible IRL sequence
426 00 9d 1d c1 8d 00
427 TMRCTLW@8060
428 0x04
429 timers disabled (but not discharging)
430 ra_out 0x54
431 rc_out sequence 0x5f (long) 0x5b (short)
432 RA_IN 0x44
433 RB_IN 0x00
434 RC_IN 0x0c, short 0x00
435 PIE 0xb8, timer enabled
436 VTRIM 0x21
437 SMBCTL !!! (simulator isolate=1, IRL=0x00)
438
439
440 process table @ RAM[25a]
441 0: u16 new process stack pointer
442 2: u8 status?
443 & 0x20 jump to irq return
444 & 0x40 don't set gie (maybe already set), if ==0 set stack from pointer?
445 |= 0x8 before call 0x4a2a
446 & [+7] & [+0xc]
447 & 0x80 == 0 .. test if event .. else set this bit
448
449 RAM[25a] i3h
450 RAM[25b] i3l
451 i3 = 76c (boot constant), 73f (last set before main loop)
452 RAM[25c] bitfield stat related (in looping)
453 RAM[25d], RAM[25e] - unused
454
455 RAM[25f] RAM[260] i3
456 6ec - boot, 6e4 - last set, many uses then
457 RAM[261] bitfield mask stat related (in looping)
458 cat z01_vanilla.log | grep 'RAM\[261\]' -A 0 -B 2
459 RAM[262],RAM[262] unused
460
461 RAM[264] i3h
462 RAM[265] i3l
463 RAM[266] bitfield, stat related (in looping)
464
465 bitfields = maybe irq/event handlers?
466
467 NOTICE NOTICE NOTICE NOTICE
468 search for i2cwrite cals!
469 probably automate
470 NOTICE only closest entry was found (theoretically can be jumped anywhere from entire prog space + dynamically)
471 "call 0x803c i2cwrite" @ 4740, entry @ 46da (R2 = i2c reg)
472 call @ 469c, entry @ 468f
473 call @ 0cf4, entry @ 0cce
474 call @ 0cff, entry @ 0cce
475 call @ 0d48, entry @ 0d1b
476 call @ 2726, entry @ 270a
477 call @ 2799, entry @ 2781
478 call @ 46af, entry @ 46a2
479 call @ 0d3d, entry @ 0d1b
480 call @ 2702, entry @ 26dc (contains smbSlaveRcvWord)
481 call @ 2766, entry @ 2741 (contains smbSlaveRcvBlock)
482 call @ 46c2, entry @ 46b5
483 safemode SMB 0x40 trampoline entry
484 call @ 46d4, entry @ 46c8
485 no direct call
486
487
488 flash adresy dat
489 600/640/6c0
490 500
491
492 0x486c - memcpy
493
494 */
495
496 #include <stdio.h>
497 #include <stdlib.h>
498 #include <errno.h>
499 #include <unistd.h>
500 #include <fcntl.h>
501 #include <sys/types.h>
502 #include <string.h>
503 #include "disasm.h"
504 #include "log.h"
505 #include "rom_funcs.h"
506 #include "access.h"
507 #include "isa.h"
508 #include "ioregs.h"
509
510
511 /** ****** tracers utils ******/
512
513 static enum interrupt_event do_event = INT_NONE;
514
515 static unsigned sim_breakpoint_flags = 0;
516
517 void sim_breakpoint_set(unsigned flags)
518 {
519 sim_breakpoint_flags |= flags;
520 }
521
522 /** ******** simulator *******/
523
524 extern void write_bq29330_reg(u8 reg, u8 val);
525
526 static void do_cpu_reset(void)
527 {
528 // sim_breakpoint_set(SIM_BREAKPOINT_STEP);
529
530 char * filename_ram = NULL;
531 char * filename_eeprom = NULL;
532 char * filename_prog = NULL;
533 char * filename_iospace = NULL;
534
535 // filename_ram = "./DUMP_ram.bin";
536 filename_eeprom = "./DUMP_eeprom.bin";
537 filename_prog = "./DUMP_code.bin";
538 // filename_iospace = "./DUMP_io.bin";
539
540 init_access(filename_ram, filename_eeprom);
541 init_isa(filename_prog);
542 init_ioregs(filename_iospace);
543
544 write_bq29330_reg(0, 0x18);
545 write_bq29330_reg(1, 0xff);
546 write_bq29330_reg(2, 0);
547 write_bq29330_reg(3, 0);
548 write_bq29330_reg(4, 0);
549 write_bq29330_reg(5, 0);
550 write_bq29330_reg(6, 0);
551 write_bq29330_reg(7, 0);
552 write_bq29330_reg(8, 0);
553
554 #if 0
555 //bit 2 can enable smb call 0 write (manuf access)
556 //original = 0x30
557 write_data_flash(0x80, 0x34);
558 #endif
559
560 #if 0
561 //erase parts of flash
562 for (addr = 0x580; addr < 0x600; addr++) {
563 write_data_flash(addr, 0xff);
564 }
565 #endif
566
567 //HACK ing
568 //bit0 = 0
569 // mem_flash[0x083] &= ~1;
570 // mem_flash[0x083] |= 1;
571 // mem_flash[0x083] |= 0xff;
572
573 #if 0
574 //enters safemod with this
575 for (addr = 0x60c; addr < 0x60e; addr++) {
576 write_data_flash(addr, 0xff);
577 }
578 #endif
579
580 #if 0
581 //default bq registers?
582 write_data_flash(0x601, 0xff);
583 #endif
584
585 #if 0
586 //maybe bad description ???call function with discharge XOR bit, bud the call never returns
587 write_data_flash(0x60c, 0x3c); //pc=4926
588 write_data_flash(0x60d, 0x7e); //4928
589 write_data_flash(0x83, 0x12); //0c50
590 #endif
591
592 #if 0
593 //enter safe mode?
594 //ability to direct i2c write
595 write_data_flash(0x60c, 0x3c); //pc=4926
596 write_data_flash(0x60d, 0x7e); //4928
597 //unused write_data_flash(0x83, 0x12); //0c50
598 #endif
599
600 #if 0
601 //manuf access? will enable word receive from host (instead transmit only) - still it does nothing special?
602 //(echo -e -n "\x00\xff\x00\x20" > ./000_smb_buf)
603 write_data_flash(0x80, 0x34);
604 #endif
605
606 // write_data_flash(0x80, 0x34);
607 //
608 // write_data_flash(0x58, 0xff);
609 // write_data_flash(0x59, 0xff);
610
611 #if 0
612 //system config words (gpios ...)
613 // write_data_flash(0x80, 0xf7);
614 // write_data_flash(0x82, 0xf7);
615 // write_data_flash(0x83, 0xf7);
616 #endif
617
618 // write_data_flash(0x540, 0x30);
619 // write_data_flash(0x541, 0xcf);
620
621 // write_data_flash(0x700, 0xff);
622 // write_data_flash(0x701, 0xff);
623 // write_data_flash(0x702, 0xff);
624 // write_data_flash(0x703, 0xff);
625
626 #if 1
627 //maybe correct watchdog startup?
628 write_io_lowlevel(0x60, 4 | 8);
629 #endif
630
631 #if 0
632 //uninitialized read (test if unpowered reboot?)
633 write_ram(0x58, 0xff);
634 write_ram(0x59, 0xff);
635 #endif
636
637 #if 0
638 //uninitialized read2 (test if unpowered reboot?)
639 //compared with checksum? compared with flash checksum too 0x4600
640 write_ram(0x57, 0x0);
641
642 write_ram(0x58, 0xa6);
643 write_ram(0x59, 0x70);
644 #endif
645
646
647 // write_io_lowlevel(0x30, 0x9d);
648 // write_io_lowlevel(0x91, 0xb8);
649
650 // for (unsigned addr=0x500;addr<0x520;addr++) {
651 // write_data_flash(addr+0x100, read_data_flash(addr));
652 // }
653
654
655 // write_data_flash(0x60c, 0x30);
656 // write_data_flash(0x60d, 0xcf);
657
658 #if 0
659 //safe mode?
660 // write_data_flash(0x60c, 0x3c);
661 // write_data_flash(0x60d, 0x7e);
662 #endif
663
664 // write_data_flash(0x60c, 0x5a);
665 //write_data_flash(0x60d, 0x1f);
666
667
668 // sim_breakpoint_set(SIM_BREAKPOINT_STEP);
669 }
670
671
672 #define SMB_DATA_MAX 100
673 static u8 smb_data_val[SMB_DATA_MAX+1];
674 static unsigned smb_data_len=0;
675 static unsigned myoff=0;
676
677 u8 * test_buf(void)
678 {
679 u8 * ptr = &smb_data_val[myoff];
680
681 myoff++;
682 if(myoff>=smb_data_len) {
683 myoff=0;
684 }
685 return ptr;
686 }
687
688
689 // unsigned xxxxxx=0;
690
691 static void sim_breakpoint_check(u16 pc)
692 {
693 #if 0
694 switch(pc) {
695 case 0x0000:
696 sim_breakpoint_set(SIM_BREAKPOINT_CODE);
697
698 break;
699 }
700 #endif
701
702 if (sim_breakpoint_flags == 0)
703 return;
704
705 fprintf(stderr, "Execution paused (%x): " , sim_breakpoint_flags);
706
707 if (sim_breakpoint_flags & SIM_BREAKPOINT_CODE) {
708 fprintf(stderr, "PC address breakpoint: %04hx, ", pc);
709 }
710
711 if (sim_breakpoint_flags & SIM_BREAKPOINT_HALT) {
712 fprintf(stderr, "Processor halted, ");
713 }
714
715 unsigned first_step = 0;
716 if (sim_breakpoint_flags & SIM_BREAKPOINT_STEP) {
717 //spam?
718 fprintf(stderr, "Stepping, ");
719 first_step = 1;
720 }
721
722 if (sim_breakpoint_flags & SIM_BREAKPOINT_DATA) {
723 fprintf(stderr, "Data breakpoint, ");
724 }
725
726 fprintf(stderr, "\n");
727
728 static u32 adc_val = 10;
729 static s16 cc_val = -10;
730 int fd;
731
732 //TODO TODO TODO better continue, (only enter/space?), readline!
733 while ((sim_breakpoint_flags & (~SIM_BREAKPOINT_STEP)) ||
734 first_step) {
735
736 first_step = 0;
737
738 int val;
739 fprintf(stderr, "> ");
740 system("/bin/stty raw");
741 val = getchar();
742 system("/bin/stty cooked");
743
744 sim_breakpoint_flags &= SIM_BREAKPOINT_STEP;
745
746 switch (val) {
747 case 't':
748 do_event = INT_EV0;
749 //NOTICE seems to end in infinite loop
750 break;
751 case 'T':
752 do_event = INT_EV1;
753 //NOTICE seems to end in infinite loop
754 break;
755 case '0':
756 do_event = INT_V0_RESET;
757 break;
758 case '1':
759 do_event = INT_V1_IN1;
760 break;
761 case '2': //ADC/coloumb/timer interrupt
762 adc_val = 907874;
763 write_io_lowlevel(0x32, (adc_val >> 16) & 0xff);
764 write_io_lowlevel(0x33, (adc_val >> 8) & 0xff);
765 write_io_lowlevel(0x34, (adc_val >> 0) & 0xff);
766 cc_val--;
767 write_io_lowlevel(0x41, (cc_val >> 8) & 0xff);
768 write_io_lowlevel(0x42, (cc_val >> 0) & 0xff);
769
770 //ADC_DRDY
771 write_io_lowlevel(0x31, read_io_lowlevel(0x31) | 1);
772
773
774 //ADF
775 write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x20);
776 //CCF
777 // write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x10);
778 //TIMF
779 // write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x8);
780 //WKF
781 write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x4);
782 //TMAF
783 // write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x2);
784 //TMBF
785 // write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x1);
786
787 // fprintf(stderr, "dfgdfgd %x %x\n", write_io_lowlevel(0x90], write_io_lowlevel(0x91]);
788 //if enabled at least one
789 if ((read_io_lowlevel(0x90) & read_io_lowlevel(0x91)) & 0x3f) {
790 do_event = INT_V2_IN2;
791 }
792 break;
793 case '3': //SMB interrupt (DRDY)
794 log_comment_add("=== Set IRQ values ===");
795 write_io_lowlevel(0x13, 0x24);
796
797 // smb_data_val = 0x0;
798 write_io_lowlevel(0x11, test_buf()[0]);
799
800 //SMBF
801 write_io_lowlevel(0x90, read_io_lowlevel(0x90) | 0x80);
802 //HDQF
803 //write_io_lowlevel(0x90] |= 0x40;
804
805 //if enabled at least one
806 if ((read_io_lowlevel(0x90) & read_io_lowlevel(0x91)) & 0xc0) {
807 do_event = INT_V3_IN0;
808 }
809 log_comment_add("=== Run ===");
810
811 break;
812 case '4':
813 do_event = INT_V4_SMB_WAIT;
814 break;
815 /*
816 * NOTICE
817 * vector 5: image signature, other values will stay in bootrom
818 * vector 6: security word (0x3fffff = undefined)
819 */
820 case '7':
821 do_event = INT_V7_XIN;
822 break;
823 case '8':
824 do_event = INT_V8_CIN;
825 break;
826 case '9':
827 do_event = INT_V9_CLKHI;
828 break;
829 case 'a':
830 do_event = INT_VA_CLKLO;
831 break;
832 case 'b':
833 do_event = INT_VB_WAIT_CLKHI;
834 break;
835 case 'c':
836 do_event = INT_VC_DATAHI;
837 break;
838 case 'd':
839 do_event = INT_VD_DATALO;
840 break;
841 case 'e':
842 do_event = INT_VE_DATAIN;
843 break;
844 case 'f':
845 do_event = INT_VF_WAIT;
846 break;
847 case 'R': //dump registers
848 fprintf(stderr, "Dump regs:\n");
849
850 for (unsigned reg=0;reg<16;reg++) {
851 fprintf(stderr, "%s=%02hhx ",
852 get_regs_name(reg),
853 read_reg8(reg, 0)
854 );
855 }
856 fprintf(stderr, "%s=%02hhx\n",
857 get_regs_name(UTIL_REG_FLAGS),
858 read_reg8(UTIL_REG_FLAGS, 0)
859 );
860
861 //don't continue in exec
862 sim_breakpoint_set(SIM_BREAKPOINT_STDIN);
863 break;
864 case 'I': //dump IO
865 log_buf("Dump IO", 0x8000, 0x100);
866
867 //don't continue in exec
868 sim_breakpoint_set(SIM_BREAKPOINT_STDIN);
869 break;
870 case 'q':
871 fprintf(stderr, "Quitting\n\n");
872 exit(0);
873 break;
874 case 's':
875 sim_breakpoint_flags |= SIM_BREAKPOINT_STEP;
876 break;
877 case 'S':
878 sim_breakpoint_flags &= ~SIM_BREAKPOINT_STEP;
879 break;
880 case 'm':
881 log_buf("Dump Flash", 0x4000, 0x800);
882
883 //don't continue in exec
884 sim_breakpoint_set(SIM_BREAKPOINT_STDIN);
885 break;
886 case 'M':
887 log_buf("Dump RAM", 0x000, 0x800);
888
889 //don't continue in exec
890 sim_breakpoint_set(SIM_BREAKPOINT_STDIN);
891 break;
892 case 'x': //SMB test extern
893
894 fd = open("./000_smb_buf", O_RDONLY /*| O_NONBLOCK*/);
895 fprintf(stderr, "\nfd %i\n",fd);
896 if (fd != -1) {
897 smb_data_len = read(fd, smb_data_val, SMB_DATA_MAX);
898 close(fd);
899 myoff=0;
900 fprintf(stderr, "%02hhx\n", smb_data_val[0]);
901 fprintf(stderr, "%02hhx\n", smb_data_val[1]);
902 fprintf(stderr, "%02hhx\n", smb_data_val[2]);
903 fprintf(stderr, "%02hhx\n", smb_data_val[3]);
904
905 fprintf(stderr, "l:%i errno:%i\n",
906 smb_data_len,
907 errno
908 );
909 } else {
910 fprintf(stderr, "\n!open error %i\n", errno);
911 }
912 //don't continue in exec
913 sim_breakpoint_set(SIM_BREAKPOINT_STDIN);
914
915 break;
916 default:
917 break;
918 }
919 }
920 fprintf(stderr, "\n");
921
922 //don't erase only stepping
923 sim_breakpoint_flags &= SIM_BREAKPOINT_STEP;
924 }
925
926
927 ////////////////////////////
928 ///////// MAIN /////////
929 ////////////////////////////
930
931 // unsigned xxxcount=0;
932
933 int main(int argc, char *argv[])
934 {
935 u16 curr_pc;
936 struct reg_stat stat;
937 struct opcode_word opcode;
938
939 do_cpu_reset();
940
941 while (1) {
942 stat.raw = read_reg8(MAIN_REG_STAT, 0);
943
944 // xxxcount++;
945 // if (xxxcount > 3000) {
946 // sim_breakpoint_set(SIM_BREAKPOINT_CODE);
947 // xxxcount=0;
948 // }
949
950 curr_pc = read_pc();
951
952 switch(do_event) {
953 case INT_EV0:
954 do_event = INT_NONE;
955 stat.ev0 = 1;
956 write_reg8(MAIN_REG_STAT, stat.raw, 0);
957 break;
958 case INT_EV1:
959 do_event = INT_NONE;
960 stat.ev1 = 1;
961 write_reg8(MAIN_REG_STAT, stat.raw, 0);
962 break;
963 case INT_V0_RESET:
964 do_event = INT_NONE;
965 stat.gie = 0;
966 stat.ie1 = 0;
967 stat.ie2 = 0;
968 write_reg8(MAIN_REG_STAT, stat.raw, 0);
969
970 write_pc(0);
971 //init stack
972 //clear all regs
973 //modes disabeld
974 //do_cpu_reset(); ??
975 break;
976 case INT_V1_IN1:
977 do_event = INT_NONE;
978 stat.in1 = 1;
979
980 // stat.ie1 = 1;
981
982 if (stat.gie && stat.ie1) {
983 stat.gie = 0;
984
985 // mem_data[0x8090] |= 0xff;
986
987 //~ call jump (but return to this instruction, not next)
988 do_push(curr_pc);
989 write_pc(1);
990 }
991 write_reg8(MAIN_REG_STAT, stat.raw, 0);
992 break;
993 case INT_V2_IN2: //adc cc timer
994 do_event = INT_NONE;
995 stat.in2 = 1;
996 if (stat.gie && stat.ie2) {
997 stat.gie = 0;
998 //return to this
999 do_push(curr_pc);
1000 write_pc(2);
1001 }
1002 write_reg8(MAIN_REG_STAT, stat.raw, 0);
1003 break;
1004 case INT_V3_IN0: //smb
1005 do_event = INT_NONE;
1006 stat.in0 = 1;
1007
1008 if (stat.gie) {
1009 stat.gie = 0;
1010 do_push(curr_pc);
1011 write_pc(3);
1012 }
1013 write_reg8(MAIN_REG_STAT, stat.raw, 0);
1014 break;
1015 //TODO are these GIE dependant or just sw?
1016 case INT_V4_SMB_WAIT:
1017 do_event = INT_NONE;
1018 do_push(curr_pc);
1019 write_pc(4);
1020 break;
1021 case INT_V7_XIN:
1022 do_event = INT_NONE;
1023 do_push(curr_pc);
1024 write_pc(7);
1025 break;
1026 case INT_V8_CIN:
1027 do_event = INT_NONE;
1028 do_push(curr_pc);
1029 write_pc(8);
1030 break;
1031 case INT_V9_CLKHI:
1032 do_event = INT_NONE;
1033 do_push(curr_pc);
1034 write_pc(9);
1035 break;
1036 case INT_VA_CLKLO:
1037 do_event = INT_NONE;
1038 do_push(curr_pc);
1039 write_pc(0xa);
1040 break;
1041 case INT_VB_WAIT_CLKHI:
1042 do_event = INT_NONE;
1043 do_push(curr_pc);
1044 write_pc(0xb);
1045 break;
1046 case INT_VC_DATAHI:
1047 do_event = INT_NONE;
1048 do_push(curr_pc);
1049 write_pc(0xc);
1050 break;
1051 case INT_VD_DATALO:
1052 do_event = INT_NONE;
1053 do_push(curr_pc);
1054 write_pc(0xd);
1055 break;
1056 case INT_VE_DATAIN:
1057 do_event = INT_NONE;
1058 do_push(curr_pc);
1059 write_pc(0xe);
1060 break;
1061 case INT_VF_WAIT:
1062 do_event = INT_NONE;
1063 do_push(curr_pc);
1064 write_pc(0xf);
1065 break;
1066 case INT_NONE:
1067 default:
1068 //normal run
1069 break;
1070 }
1071
1072 //load new instruction (can be irq vector jump)
1073 curr_pc = read_pc();
1074 opcode = read_code(curr_pc);
1075
1076 log_addr(curr_pc);
1077 log_opcode(opcode);
1078
1079 curr_pc = opcode_decode(opcode);
1080
1081 #ifndef JUST_DISASSEMBLE
1082 curr_pc = check_rom_funcs(curr_pc);
1083 #endif
1084
1085 #ifdef JUST_DISASSEMBLE
1086 curr_pc = read_pc()+1;
1087 //TODO use code dump filesize
1088 if (read_pc() == 0x5680) //trailing NOPs
1089 // if (read_pc() == 0xffff) //not overflow
1090 return 0;
1091 #endif
1092
1093 write_pc(curr_pc);
1094
1095 #ifdef JUST_DISASSEMBLE
1096 log_flush(1);
1097 #else
1098 log_flush(0);
1099 #endif
1100
1101
1102 // printf("XXXXXXXXX %i\n",sim_breakpoint_flags);
1103
1104 #ifdef JUST_DISASSEMBLE
1105 sim_breakpoint_flags = 0;
1106 #endif
1107
1108 sim_breakpoint_check(curr_pc);
1109 }
1110
1111 return 0;
1112 }
coolrisc 816 simulator