Routine to bypass a firmware

Page 5/10

By gdx

Enlighted (5595)

06-07-2022, 02:07

Have you tried writing the ROM with the routine I give in a separate FlashROM or SRAM cartridge and inserting it in a slot other than Carnivore2 to see if it works that way, and eventually reverse the cartridges?

By Wierzbowsky

Guardian (3443)

06-07-2022, 13:57

Not yet. What do you mean by "reverse the cartridges"?

By sdsnatcher73

Prophet (3406)

06-07-2022, 15:30

What gdx meant is: flash the code into a simple ROM cart. Then try with the ROM in a lower slot than C2/Nextor, and vice versa (so the ROM in a higher slot).

By gdx

Enlighted (5595)

07-07-2022, 02:40

This is to ensure that it is not the integration of the routine or the firmware that is causing the problem.

PS: I don't think Nextor uses the H_STKE hook.

By Wierzbowsky

Guardian (3443)

11-07-2022, 21:05

I've played around a bit with gdx's code and a few tools and came to the conclusion that this method indeed works, but it also disables Nextor. The firmware checks for the presence of C9 at the hook and copies its call there in case of a match. If we remove C9, then the firmware won't start, but at the same time Nextor will not find C9 and will pass control to the hook, assuming that something else needs to start. And the control is not passed back to Nextor after that "something" exits. As a result, we will have only Basic and no working drive(s).

The simplest way out is to prevent Nextor from passing control in case C9 is not found. Simple patch, only 2 places to hack. But I want to have a more elegant solution than the bloody hack. A separate ROM starts too soon to overwrite the firmware's hook, and too late when Nextor has already exited.

By gdx

Enlighted (5595)

12-07-2022, 02:09

I may have misdirected the hook, or else it's the Carnivore2 that doesn't take this possibility into account. Could I try the ROM you created on OpenMSX to see what is causing the problem?

By Wierzbowsky

Guardian (3443)

12-07-2022, 19:33

By acet

Supporter (1)

13-07-2022, 03:48

DOS2/Nextor checks H.STKE in its H.RUNC handler.
When H.STKE is hooked,
and if USRTAB == FCERR, then it runs in DOS1 mode,
or if USRTAB != FCERR, then it runs in DISK-BASIC2/Nextor-BASIC mode.

Nextor source link

H.RUNC is called by the BIOS after all slot initialization, before H.STKE.

H.STKE needs to be set before the built-in firmware initialization.
H.STKE needs to be cleared before the H.RUNC handler of DOS2/Nextor runs.

There is SKIPFIRM.ROM for bypassing the firmware.
SKIPFIRM.ROM needs to be inserted in a slot after the Nextor slot and before the firmware slot.

For Carnivore2 with the default configuration,
SKIPFIRM.ROM should be mapped to mapper slot X-2 or FMPAC slot X-3, or another later slot.

;sjasmplus
	output	"SKIPFIRM.ROM"

; A BIOS hook is 5 bytes. Unhooked it starts with C9 (RET). DOS2/Nextor hooks
; it as: F7 (RST 30h), slot id, address lo, address hi, C9.
Z80_OPCODE_RET equ 0C9h
Z80_OPCODE_RST30 equ 0F7h
EXPTBL equ 0FCC1h		; expanded-slot flags, one byte per primary slot
SLTTBL equ 0FCC5h		; current secondary slot register, one byte per primary slot
H.RUNC equ 0FECBh		; called by the BIOS after all slot inits
H.STKE equ 0FEDAh		; called after H.RUNC; the firmware takes it if it is still C9

	org	4000h
	dw	4241h		; "AB" cartridge header
	dw	init		; INIT entry point
	ds	4010h-$,0	; STATEMENT, DEVICE, TEXT and reserved fields: unused

init:
	; the BIOS calls INIT with HL = header address; return if mirrored on 8000h
	ld	a,h
	or	a
	ret	m

	call	setupregs	; HL = H.RUNC, DE = H.STKE, BC = 5

;	; optional: return if H.STKE is already hooked by something else.
;	ld	a, (de)
;	cp	Z80_OPCODE_RET
;	ret	nz

	; return if H.RUNC is not hooked (DOS is not initialized yet, i.e. this
	; ROM sits in a slot before Nextor and can do nothing useful)
	ld	a, (hl)
	cp	Z80_OPCODE_RST30
	ret	nz

	; park the original 5-byte H.RUNC hook in H.STKE. H.STKE now starts with
	; F7 instead of C9, so the firmware's check fails and it stays out.
	ldir

	; retarget H.RUNC at our handler: the RST 30h at +0 and the RET at +4 are
	; already there, only the slot id and address are replaced
;	ld	a, Z80_OPCODE_RST30
;	ld	(H.RUNC+0),a
	call	getslotp1	; A = slot id of this ROM (selected in page 1)
	ld	(H.RUNC+1),a
	ld	hl, H.RUNC_handler
	ld	(H.RUNC+2),hl
;	ld	a, Z80_OPCODE_RET
;	ld	(H.RUNC+4),a

	ret

; entered from H.RUNC through RST 30h, so this ROM is paged in at 4000h
H.RUNC_handler:

	call	setupregs	; HL = H.RUNC, DE = H.STKE, BC = 5

	push	hl	; push H.RUNC: the final RET "returns" into the hook itself
	push	de	; push H.STKE

	; restore original H.RUNC from H.STKE
	ex	de,hl
	ldir

	; clear H.STKE, so Nextor's H.RUNC handler sees it unhooked
	pop	hl
	ld	(hl), Z80_OPCODE_RET

	; chain to original H.RUNC: RET pops the H.RUNC address and executes the
	; restored RST 30h there, i.e. Nextor's own H.RUNC handler
	ret

setupregs:
	ld	hl, H.RUNC
	ld	de, H.STKE
	ld	bc, 5
	ret

; [input] none
; [output] a: slot id of the slot selected in page 1
;          (bit 7 = expanded, bits 2-3 = secondary slot, bits 0-1 = primary slot)
; [work] hl,bc
getslotp1:
	; primary slot register: bits 2-3 hold the page 1 slot
	in	a, (0a8h)
	and	00001100b	; page1 mask
	rra			; AND cleared carry, so two RRA shift right by 2
	rra
	ld	c, a		; C = primary slot number

	; HL = EXPTBL + primary slot
	add	a, low EXPTBL
	ld	l, a
	adc	a, high EXPTBL
	sub	l
	ld	h, a

	ld	a, (hl)

	and	80h	; bit7:1=slot is extended,0=not
	or	c
	ret	p	; not expanded: slot id is just the primary slot number

	; expanded: get the secondary slot state
	ld	b, a	; B = 80h | primary slot

	; HL = SLTTBL + primary slot
	ld	a, c
	add	a, low SLTTBL
	ld	l, a
	adc	a, high SLTTBL
	sub	l
	ld	h, a

	ld	a, (hl)
	and	00001100b	; page1 mask: secondary slot already sits in bits 2-3
	or	b
	ret

	ds	6000h-$,0FFh	; pad to an 8 KB ROM image

By gdx

Enlighted (5595)

13-07-2022, 13:13

Normally, to use a hook that is already in use, we have to copy the current hook somewhere in RAM, then place a new hook that calls a routine which calls the moved hook and the routine you want the hook to call. (I don't know if I'm being clear.)

By sdsnatcher73

Prophet (3406)

13-07-2022, 16:48

Basically build a chain from one hook to the previous one…
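The boot sequence acet describes (Nextor hooks H.RUNC and inspects H.STKE from there; the firmware installs itself into H.STKE only if it still holds C9; SKIPFIRM.ROM parks the Nextor hook in H.STKE, then restores and clears it from its own H.RUNC handler) and the hook chaining gdx and sdsnatcher describe, as an added model in Python. This is not code from acet, from the thread, or from the Nextor or Carnivore2 projects: the slot ids, ROM addresses and log strings are constructed, Nextor and the firmware are modelled only as far as the posts above describe them, and the three boot orders at the bottom show why the ROM has to sit after Nextor's slot and before the firmware's.

```python
# Added model of the hook dance behind SKIPFIRM.ROM; not code from the thread
# or from Nextor/Carnivore2. Slot ids, addresses and messages are invented.
RET, RST30 = 0xC9, 0xF7          # Z80 opcodes RET and RST 30h
H_RUNC, H_STKE = 0xFECB, 0xFEDA  # the two 5-byte BIOS hooks involved


class Machine:
    """Just enough of an MSX to follow the hooks: 64K of memory, a table that
    stands in for the ROM code behind each (slot id, address), and a log."""

    def __init__(self):
        self.mem = bytearray(0x10000)
        self.mem[H_RUNC] = self.mem[H_STKE] = RET   # both hooks start unhooked
        self.handlers = {}                           # (slot id, address) -> callable
        self.log = []

    def hooked(self, hook):
        return self.mem[hook] != RET

    def install_hook(self, hook, slot, addr):
        # DOS2/Nextor-style hook: RST 30h, slot id, address lo, address hi, RET
        self.mem[hook:hook + 5] = bytes([RST30, slot, addr & 0xFF, addr >> 8, RET])

    def call_hook(self, hook):
        # the BIOS does CALL hook; a RST 30h there is an inter-slot call
        if self.mem[hook] == RST30:
            slot, lo, hi = self.mem[hook + 1:hook + 4]
            self.handlers[(slot, lo | hi << 8)](self)


# Constructed slot ids (bit 7 = expanded, bits 2-3 secondary, bits 0-1 primary).
NEXTOR_SLOT, SKIPFIRM_SLOT, FIRMWARE_SLOT = 0x81, 0x86, 0x8A


def nextor_init(m):
    m.handlers[(NEXTOR_SLOT, 0x4100)] = nextor_runc_handler
    m.install_hook(H_RUNC, NEXTOR_SLOT, 0x4100)


def nextor_runc_handler(m):
    # per acet: Nextor examines H.STKE from inside its H.RUNC handler
    if m.hooked(H_STKE):
        m.log.append("nextor: H.STKE hooked, leaving control to it")
    else:
        m.log.append("nextor: starting normally")


def firmware_init(m):
    # per Wierzbowsky: the firmware installs itself only if H.STKE still holds C9
    if not m.hooked(H_STKE):
        m.handlers[(FIRMWARE_SLOT, 0x4200)] = lambda m: m.log.append("firmware: runs")
        m.install_hook(H_STKE, FIRMWARE_SLOT, 0x4200)
    else:
        m.log.append("firmware: H.STKE taken, skipped")


def skipfirm_init(m):
    # mirrors SKIPFIRM.ROM's init: it needs Nextor's H.RUNC hook to exist already
    if m.mem[H_RUNC] != RST30:
        m.log.append("skipfirm: H.RUNC not hooked yet, doing nothing")
        return
    m.mem[H_STKE:H_STKE + 5] = m.mem[H_RUNC:H_RUNC + 5]   # park the original hook
    m.handlers[(SKIPFIRM_SLOT, 0x4300)] = skipfirm_runc_handler
    m.mem[H_RUNC + 1] = SKIPFIRM_SLOT                      # retarget the RST 30h
    m.mem[H_RUNC + 2:H_RUNC + 4] = (0x4300).to_bytes(2, "little")


def skipfirm_runc_handler(m):
    # mirrors H.RUNC_handler: restore the parked hook, clear H.STKE, chain to it
    m.mem[H_RUNC:H_RUNC + 5] = m.mem[H_STKE:H_STKE + 5]
    m.mem[H_STKE] = RET
    m.call_hook(H_RUNC)


def boot(inits):
    """Initialise cartridges in slot order, then run the hooks as the BIOS does."""
    m = Machine()
    for init in inits:
        init(m)
    m.call_hook(H_RUNC)   # after all slot inits
    m.call_hook(H_STKE)   # then H.STKE
    return m


if __name__ == "__main__":
    for name, order in [("nextor, skipfirm, firmware", [nextor_init, skipfirm_init, firmware_init]),
                        ("nextor, firmware", [nextor_init, firmware_init]),
                        ("skipfirm, nextor, firmware", [skipfirm_init, nextor_init, firmware_init])]:
        print(name, "->", boot(order).log)
```

Only the first order bypasses the firmware and still leaves Nextor starting normally: the parked hook keeps the firmware away from H.STKE, and by the time Nextor's handler looks, H.STKE is C9 again. With SKIPFIRM ahead of Nextor its init finds H.RUNC unhooked and does nothing, which is the same "too soon" problem Wierzbowsky ran into with a plain ROM.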
