From 11eb1bba9b8d5b1eedf728117efd4aaf13563586 Mon Sep 17 00:00:00 2001
From: Shawn Hoffman
Date: Mon, 22 Feb 2010 01:06:11 +0000
Subject: [PATCH] add example of how you can use dspspy to dump results from an entire ucode (commented out)
git-svn-id: https://dolphin-emu.googlecode.com/svn/trunk@5107 8ced0084-cf51-0410-be5f-012b33b47a6e
---
 Source/DSPSpy/gba.txt | 608 +++++++++++++++++++++++++++++++++++++
 Source/DSPSpy/main_spy.cpp | 46 +++
 2 files changed, 654 insertions(+)
 create mode 100644 Source/DSPSpy/gba.txt
diff --git a/Source/DSPSpy/gba.txt b/Source/DSPSpy/gba.txt
new file mode 100644
index 0000000000..a134626f56
--- /dev/null
+++ b/Source/DSPSpy/gba.txt
@@ -0,0 +1,608 @@
+incdir "tests"
+include "dsp_base.inc"
+
+; We'll let dsp_base.inc catch exceptions
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;halt
+;rti
+;halt
+
+sbset #0x06
+sbclr #0x03
+sbclr #0x04
+sbset #0x05
+lri $CR, #0x00ff
+lri $WR0, #0xffff
+lri $WR1, #0xffff
+lri $WR2, #0xffff
+lri $WR3, #0xffff
+set40
+m0
+clr15
+
+;step 1: context setup
+call send_back_40
+
+call 0x807e ; loop until dsp->cpu mailbox is empty
+si @DMBH, #0xdcd1
+si @DMBL, #0x0000 ; sendmail 0xdcd10000
+si @DIRQ, #0x0001
+
+; wait for cpu mail == 0xabbaxxxx
+wait_cpu_init:
+call 0x8078
+lrs $AC0.L, @CMBL
+cmpi $AC0.M, #0xabba
+jnz wait_cpu_init
+
+; Next mail has the mram addr of the data to fetch
+set16
+call 0x8078
+lrs $AX0.L, @CMBL
+andi $AC0.M, #0x0fff
+mrr $AX0.H, $AC0.M
+lri $AX1.H, #0x0000 ; DSP-dram addr
+lri $AX1.L, #0x0020 ; length (32 bytes = 16 words, word 9 and 10 are addr where result should DMA'd to in main mem)
+lri $IX3, #0x0000 ; there will be no ucode/iram upload
+lri $AR0, #do_main ; return addr after dram upload
+jmp 0x80bc ; DRAM upload !!
+; $AX0.H-$AX0.L - CPU(PPC) addr = mail & 0x0fffffff
+; upload data from mainmem to dsp dram and jump to 0x41 after that
+
+; ucode addr 0x0041
+do_main:
+;step 2: got data from cpu, before going into BigCrazyFunction
+call send_back
+
+call BigCrazyFunction ; <<------------- main crap is here!!!!!!!!!
+call 0x807e ; loop until dsp->cpu mailbox is empty
+
+si @DMBH, #0xdcd1
+si @DMBL, #0x0003 ; sendmail 0xdcd10003 (aka... calc is over, result is in main mem now)
+si @DIRQ, #0x0001
+set40
+
+; wait for cpu to tell us what to do after calc'ing
+wait_cpu_end:
+call 0x8078
+cmpi $AC0.M, #0xcdd1
+jnz wait_cpu_end
+
+lrs $AC0.M, @CMBL
+cmpi $AC0.M, #0x0001
+jz PrepareBootUcode ; if cpu->dsp mail was 0xcdd10001 -> 005e_PrepareBootUcode()
+
+cmpi $AC0.M, #0x0002
+jz 0x8000 ; if cpu->dsp mail was 0xcdd10002 -> dsp reset ( jmp to irom(0x8000))
+
+; THIS IS CUSTOM CODE
+cmpi $AC0.M, #0xbabe
+jz end_of_test ; wait for dsp to be reset by cpu
+
+jmp wait_cpu_end ; wait for next mail from cpu
+halt
+
+
+PrepareBootUcode:
+set16
+call 0x8078
+lrs $AC0.L, @CMBL
+call 0x8078
+lrs $AC0.L, @CMBL
+call 0x8078
+lrs $AC0.L, @CMBL
+call 0x8078
+lr $IX1, @CMBL
+andi $AC0.M, #0x0fff
+mrr $IX0, $AC0.M
+call 0x8078
+lr $IX3, @CMBL
+call 0x8078
+lr $IX2, @CMBL
+call 0x8078
+lr $AR0, @CMBL
+call 0x8078
+lrs $AX0.L, @CMBL
+andi $AC0.M, #0x0fff
+mrr $AX0.H, $AC0.M
+call 0x8078
+lrs $AX1.L, @CMBL
+call 0x8078
+lrs $AX1.H, @CMBL
+sbclr #0x05
+sbclr #0x06
+jmp 0x80b5 ; BootUcode()
+halt
+
+
+; does some crazy stuff with data at dram @0x3/0x5/0x6/0x7 with help of some values from drom :)
+; result is @0x22,@0x23 and written back to main memory to dmem-0x08:dmem-0x09
+BigCrazyFunction:
+; {
+clr $ACC0
+lri $AR1, #0x0010
+loopi #0x20
+ srri @$AR1, $AC0.M
+call send_back ;3
+lr $AC1.M, @0x1456
+call send_back
+andi $AC1.M, #0xffd0
+call send_back
+clrp'mv : $AX1.L, $AC1.M ; assembler doesn't like .m here
+call send_back
+lri $AR0, #0x0000
+call send_back
+lri $IX2, #0x0000
+call send_back
+lri $AR2, #0x001f
+call send_back
+lr $AC0.M, @0x15f6
+call send_back
+lsl $ACC0, #8
+call send_back
+lr $AC1.M, @0x1766
+call send_back
+andi $AC1.M, #0x00ff
+call send_back
+mrr $AX0.H, $AC1.M
+call send_back
+call 0x88e5
+call send_back
+mrr $AX0.L, $AC0.L
+call send_back
+clr'mv $ACC0 : $AX1.H, $AC0.M ; assembler doesn't like .m here
+call send_back
+lrri $AC0.M, @$AR0
+call send_back
+lsr $ACC0, #-8
+call send_back
+mrr $AC1.M, $AC0.L
+call send_back
+mrr $AX0.H, $AC0.M
+call send_back
+call 0x8809
+call send_back
+call 0x8723
+call send_back
+dar $AR2
+call send_back
+clr'dr $ACC0 : $AR2
+call send_back
+lr $AC0.M, @0x166c
+call send_back
+lsl $ACC0, #4
+call send_back
+andi $AC0.M, #0xff00
+call send_back
+lr $AC1.M, @0x1231
+call send_back
+lsr $ACC1, #-8
+call send_back
+andi $AC1.M, #0x00ff
+call send_back
+mrr $AX0.H, $AC1.M
+call send_back
+call 0x88e5
+call send_back
+mrr $AX0.L, $AC0.L
+call send_back
+clr'mv $ACC0 : $AX1.H, $AC0.M ; assembler doesn't like .m here
+call send_back
+lrri $AC0.M, @$AR0
+call send_back
+lsr $ACC0, #-8
+call send_back
+mrr $AC1.M, $AC0.L
+call send_back
+mrr $AX0.H, $AC0.M
+call send_back
+call 0x8809
+call send_back
+call 0x8723
+call send_back
+clr $ACC0
+call send_back
+clr $ACC1
+call send_back
+lr $AC1.H, @0x0005
+call send_back
+asr16 $ACC1
+call send_back
+cmp
+call send_back ;46
+jz Unk_00e5
+call send_back ;47
+jl Unk_00f3
+call send_back ;48
+
+; if ( > ) {
+; length 12
+lri $AR2, #0x0010
+call send_back
+lri $IX2, #0x0001
+call send_back
+lr $AC0.H, @0x171b
+call send_back
+asr16 $ACC0
+call send_back
+neg $ACC1
+call send_back
+add $ACC1, $ACC0
+call send_back
+lsl $ACC1, #1
+call send_back
+mrr $AX0.H, $AC1.M
+call send_back
+lr $AC1.M, @0x0003
+call send_back
+lsl $ACC1, #4
+call send_back
+call 0x8809
+call send_back
+jmp Unk_0102
+call send_back ;60
+
+; } else if ( == 0) {
+; length 8
+Unk_00e5:
+lri $AR2, #0x0011
+call send_back
+lr $AC1.M, @0x0003
+call send_back
+lsl $ACC1, #1
+call send_back
+mrr $AX0.H, $AC1.M
+call send_back
+lr $AC0.M, @0x1043
+call send_back
+andi $AC0.M, #0xfff0
+call send_back
+call 0x88e5
+call send_back ;53
+jmp Unk_0102
+
+; } else if ( < ) {
+; length 10
+Unk_00f3:
+lri $AR2, #0x0010
+call send_back
+lri $IX2, #0x0001
+call send_back
+lr $AC0.H, @0x1285
+call send_back
+asr16 $ACC0
+call send_back
+add $ACC1, $ACC0
+call send_back
+lsl $ACC1, #1
+call send_back
+lr $AC0.M, @0x0003
+call send_back
+lsl $ACC0, #4
+call send_back
+mrr $AX0.H, $AC0.M
+call send_back
+call 0x8809
+call send_back ;57
+; }
+
+Unk_0102:
+lri $AR3, #0x0013
+call send_back ; either step 60, 53, 57
+srri @$AR3, $AC0.M
+call send_back
+clr's $ACC1 : @$AR3, $AC0.L
+call send_back
+lri $AR3, #0x0013
+call send_back
+lr $AC1.M, @0x0007
+call send_back
+lr $AC0.M, @0x11b8
+call send_back
+andi $AC0.M, #0xfff0 ;66
+call send_back
+mrr $AX0.H, $AC0.M
+call send_back
+
+;call 0x81f4
+mulxac'mv $AX0.H, $AX1.L, $ACC1 : $AX1.H, $AC0.M
+call send_back
+asr16'ir $ACC1 : $AR1
+call send_back ;66
+srri @$AR3, $AC1.M
+call send_back
+clr's $ACC0 : @$AR3, $AC1.L
+
+call send_back
+lsl16 $ACC1
+call send_back
+
+;call 0x8458 ;66
+mulxac'mv $AX0.H, $AX1.L, $ACC1 : $AX1.H, $AC0.M
+call send_back
+asr16 $ACC1
+call send_back
+srri @$AR3, $AC1.M
+call send_back
+clr's $ACC0 : @$AR3, $AC1.L
+call send_back
+
+
+call send_back
+set40
+call send_back_40
+lri $AR2, #0x0015
+call send_back_40
+lr $AC0.M, @0x0006
+call send_back_40
+lr $AX0.H, @0x165b
+call send_back_40
+call 0x88e5
+call send_back_40
+asr $ACC0, #-3
+call send_back_40
+lsl $ACC0, #3
+call send_back_40
+srri @$AR2, $AC0.M
+call send_back_40
+srri @$AR2, $AC0.L
+call send_back_40
+lri $AR2, #0x0016
+call send_back_40
+lr $AC0.M, @0x1723
+call send_back_40
+asr $ACC0, #-12
+call send_back_40
+lr $AX0.H, @0x166b
+call send_back_40
+call 0x88e5
+call send_back_40
+tst $ACC0
+call send_back_40
+jge Unk_012e
+call send_back_40
+
+clr $ACC0
+call send_back_40
+
+Unk_012e:
+asr $ACC0, #-3
+call send_back_40
+set16
+;step 4
+call send_back
+lr $AC1.M, @0x1491
+call send_back
+andi $AC1.M, #0xd0f0
+call send_back
+mrr $IX1, $AC1.M
+call send_back
+lr $AC1.M, @0x1468
+call send_back
+lr $AC1.H, @0x11fc
+call send_back
+lsr $ACC1, #-4
+call send_back
+mrr $IX2, $AC1.M
+call send_back
+lr $AC1.H, @0x11b8
+call send_back
+asr16 $ACC1
+call send_back
+lsl $ACC0, #24
+call send_back
+lsr $ACC0, #-8
+call send_back
+mrr $AX0.H, $AC0.M
+call send_back
+mrr $AC1.M, $AC0.M
+call send_back
+mrr $AX1.H, $IX1
+call send_back
+andr $AC0.M, $AX1.H
+call send_back
+lsl $ACC0, #2
+call send_back
+mrr $AX1.H, $IX2
+call send_back
+andr $AC1.M, $AX1.H
+call send_back
+lsl $ACC1, #1
+call send_back
+add $ACC0, $ACC1
+call send_back
+lsl $ACC1, #24
+call send_back
+asr16 $ACC1
+call send_back
+andr $AC1.M, $AX0.H
+call send_back
+add $ACC0, $ACC1
+call send_back
+lr $AC1.M, @0x0012
+call send_back
+orc $AC1.M, $AC0.M
+call send_back
+sr @0x0012, $AC1.M
+call send_back
+lsr $ACC0, #-16
+call send_back
+lr $AC1.M, @0x0011
+call send_back
+orc $AC1.M, $AC0.M
+call send_back
+sr @0x0011, $AC1.M
+call send_back
+mrr $AC1.L, $IX1
+call send_back
+lsl $ACC1, #1
+call send_back
+mrr $AC1.M, $IX2
+call send_back
+lsl16 $ACC1
+call send_back
+asr $ACC1, #-8
+call send_back
+lsr16 $ACC1
+call send_back
+mrr $AX0.H, $AC1.M
+call send_back
+mrr $AX1.H, $AC1.L
+call send_back
+clr $ACC0
+call send_back
+lr $AC0.M, @0x0011
+call send_back
+andr $AC0.M, $AX0.H
+call send_back
+clr $ACC1
+call send_back
+lr $AC1.M, @0x0012
+call send_back
+andr $AC1.M, $AX0.H
+call send_back
+add $ACC0, $ACC1
+call send_back
+lr $AC1.M, @0x0012
+call send_back
+lsr $ACC1, #-8
+call send_back
+add $ACC0, $ACC1
+call send_back
+
+call send_back
+clr $ACC1
+call send_back
+mrr $AC1.M, $AC0.M
+call send_back
+lsl $ACC1, #8
+call send_back
+orr $AC1.M, $AX1.H
+call send_back
+lr $AC0.M, @0x0011
+call send_back
+orc $AC0.M, $AC1.M
+call send_back
+lr $AC1.M, @0x0012
+call send_back
+orr $AC1.M, $AX1.H
+call send_back
+mrr $IX1, $AC1.M
+call send_back
+lr $AX0.H, @0x15f1
+call send_back
+andr $AC1.M, $AX0.H
+call send_back
+jz else_0192
+call send_back
+; if () {
+
+ lr $AC1.M, @0x10e2
+call send_back
+ lsl $ACC1, #8
+call send_back
+ mrr $AX0.H, $AC1.M
+call send_back
+ lr $AC1.M, @0x103b
+call send_back
+ decm $AC1.M
+call send_back
+ orr $AC1.M, $AX0.H
+call send_back
+ xorc $AC0.M, $AC1.M
+call send_back
+ sr @0x0022, $AC0.M
+call send_back
+ lr $AC0.L, @0x1229
+call send_back
+ lr $AC1.L, @0x11f8
+call send_back
+ sub $ACC0, $ACC1
+call send_back
+ lsl16 $ACC0
+call send_back
+ mrr $AC1.M, $IX1
+call send_back
+ xorc $AC0.M, $AC1.M
+call send_back
+ jmp Unk_01a5
+call send_back
+
+; } else {
+else_0192:
+ lr $AC1.M, @0x10ca
+call send_back
+ lsl $ACC1, #8
+call send_back
+ mrr $AX0.H, $AC1.M
+call send_back
+ lr $AC1.M, @0x1043
+call send_back
+ incm $AC1.M
+call send_back
+ orr $AC1.M, $AX0.H
+call send_back
+ xorc $AC0.M, $AC1.M
+call send_back
+ sr @0x0022, $AC0.M
+call send_back
+ lr $AC0.L, @0x1259
+call send_back
+ lr $AC1.L, @0x16fe
+call send_back
+ add $ACC0, $ACC1
+call send_back
+ lsl16 $ACC0
+call send_back
+ mrr $AC1.M, $IX1
+call send_back
+ xorc $AC0.M, $AC1.M
+call send_back
+; }
+
+Unk_01a5:
+; this is where result is written to main memory
+; dsp mem 0x20-0x23 (8 bytes) are written back (DMA limitation),
+; but only values @22 and @23 were modified (result is 32bit)
+sr @0x0023, $AC0.M
+call send_back
+lr $AX0.H, @0x0008 ; cpu addr high
+call send_back
+lr $AX0.L, @0x0009 ; cpu addr low
+call send_back
+lri $AX1.H, #0x0020 ; dsp addr
+call send_back
+lri $AX1.L, #0x0008 ; length
+call send_back
+lri $IX3, #0x0000 ; there will be no iram dma
+call send_back
+call 0x808b ; dram->cpu <<<--- important!!
+call send_back
+ret
+; }
+
+; Free some space for the TROJAN CODEZ
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
+;nop
diff --git a/Source/DSPSpy/main_spy.cpp b/Source/DSPSpy/main_spy.cpp
index ad0b6d0c64..80221ec9ce 100644
--- a/Source/DSPSpy/main_spy.cpp
+++ b/Source/DSPSpy/main_spy.cpp
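Review bot: In the `; if ( > )` branch the final `call send_back ;60` comes after the unconditional `jmp Unk_0102`, so it never executes and the dump from that path is one snapshot short of what the `;60` label and the `; either step 60, 53, 57` comment at `Unk_0102` imply. Either move it ahead of the jump (`call send_back ;60` then `jmp Unk_0102`, matching the `== 0` branch where `;53` precedes its jmp) or delete it and correct the comment to `; either step 59, 53, 57`. Separately, the DRAM-upload comment says "word 9 and 10" while the write-back reads `@0x0008`/`@0x0009`; stating the base once, e.g. `; dram words 8-9 (0-based) = CPU address the result is DMA'd to`, would save the reader a mismatch against SecParams_in[4] on the CPU side. `send_back`, `send_back_40` and `end_of_test` are not defined in this file and presumably come from the included dsp_base.inc.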
@@ -104,6 +104,27 @@ u16 dspreg_in[32] = {
 u16 dspreg_out[1000][32];
+/*
+// gba ucode dmas result here
+u32 SecParams_out[2] __attribute__ ((aligned (0x20))) = {
+ 0x11223344, // key
+ 0x55667788 // bootinfo
+};
+
+// ripped from demo
+u32 SecParams_in[8] __attribute__ ((aligned (0x20))) = {
+ 0xDB967E0F, // key from gba
+ 0x00000002,
+ 0x00000002,
+ 0x00001078,
+ (u32)SecParams_out, //0x80075060, // ptr to receiving buffer
+ // padding?
+ 0x00000000,
+ 0x00000000,
+ 0x00000000
+};
+*/
+
 // UI (interactive register editing)
 u32 ui_mode;
@@ -370,6 +391,8 @@ void handle_dsp_mail(void)
 real_dsp.SendMailTo(0x8000dead);
 while (real_dsp.CheckMailTo());
 }
+
+ // ROM dumping mails
 else if (mail == 0x8888c0de)
 {
 // DSP has copied irom to its dram...send address so it can dma it back
@@ -388,6 +411,29 @@ void handle_dsp_mail(void)
 DumpDSP_ROMs(dspbufP, &dspbufP[0x1000]);
 }
+ // SDK status mails
+ /*
+ // GBA ucode
+ else if (mail == 0xdcd10000) // DSP_INIT
+ {
+ real_dsp.SendMailTo(0xabba0000);
+ while (real_dsp.CheckMailTo());
+ DCFlushRange(SecParams_in, sizeof(SecParams_in));
+ CON_PrintRow(4, 25, "SecParams_out = %x", SecParams_in[4]);
+ real_dsp.SendMailTo((u32)SecParams_in);
+ while (real_dsp.CheckMailTo());
+ }
+ else if (mail == 0xdcd10003) // DSP_DONE
+ {
+ real_dsp.SendMailTo(0xcdd1babe); // custom mail to tell dsp to halt (calls end_of_test)
+ while (real_dsp.CheckMailTo());
+
+ DCInvalidateRange(SecParams_out, sizeof(SecParams_out));
+ CON_PrintRow(4, 26, "SecParams_out: %08x %08x",
+ SecParams_out[0], SecParams_out[1]);
+ }
+ */
+
 CON_PrintRow(2, 1, "UCode: %d/%d %s, Last mail: %08x", curUcode + 1, NUM_UCODES, UCODE_NAMES[curUcode], mail);
 }
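Review bot: `SecParams_in` is silently coupled to the ucode added in the same commit: its 32-byte size must equal the DRAM upload length the ucode requests (`lri $AX1.L, #0x0020`), and `SecParams_in[4]` is what the ucode later reads back from dram words 0x0008/0x0009 as the destination of its 8-byte result DMA, so the `// padding?` question and the `(u32)SecParams_out` slot deserve a comment stating that contract, e.g. `// size and layout must match gba.txt's DRAM upload; [4] = buffer the ucode DMAs its 8-byte result into`. Note also that `(u32)SecParams_out` is the cached virtual address: the ucode masks the address it receives by mail with `andi $AC0.M, #0x0fff`, but hands this one to the IROM routine at 0x808b unmasked, and whether that routine does the same is not visible here, so it is worth confirming before anyone un-comments the block. As a style point, an `#if 0` block (or a build-time define) would keep the example compiler-visible and greppable where a `/* */` block will quietly rot.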
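Review bot: `CON_PrintRow(4, 25, "SecParams_out = %x", SecParams_in[4])` in the DSP_INIT branch prints the address of the receive buffer under a label that reads like its contents, while the DSP_DONE branch prints the real contents one row lower under an almost identical label; `"SecParams_out @ %08x"` would keep the two apart when reading the screen. The DSP_DONE branch invalidates and reads `SecParams_out` as soon as 0xdcd10003 arrives, which presumes the ucode's `call 0x808b` dram->cpu DMA has completed before it posts that mail; the IROM routine is not visible here, so that assumption should be written down, e.g. `// assumes the ucode's 0x808b DMA has finished before DSP_DONE is mailed`. The enclosing handle_dsp_mail() begins before this hunk.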