Post by drekknni on Oct 19, 2005 15:33:09 GMT -5
After checking out the Turbo232 patch, I'm working on modifying the driver (0011 & DSC), so my custom-made UART card will work. It uses a 16450-based UART, which was also in the HART card (but at different addresses).
I was wondering if anyone else already disassembled and commented the code for the QLink serial driver. If not, I plan to post the code after I figure it out.
Also, I'm not very familiar with the C64's "software" rs232 programming; does anyone have a good link describing how it works? And some sample code for using it?
THX,
Drekknni
Post by jefferysto on Oct 19, 2005 18:14:21 GMT -5
drekknni, I have "tried" to disassemble both DSC and 0011 so I could understand why the 2400 patch doesn't work with games and to see how Qlink loads its files. Here's some info for you:

Using WinVice and its monitor I found out that the 0011 file loads in RAM from $0d03 - $0def. Looking at the file itself, you must skip the first ten bytes before disassembling it. Normally the first 2 bytes point to where the file will load (for example: $03 $0d (lo/hi) as the first 2 bytes would cause the file to load at $0d03). Most Qlink files, however, do not follow the standard file header in this respect.

DSC loads itself into RAM starting at $9ff8. The DSC file's first 2 bytes ($f8 $9f) DO follow the standard. The program Quantum loads DSC into memory and then pokes the letters "ask" into RAM at 821-823, then does a JMP $9ff8 (starting point of DSC). The Change Access program is almost identical to Quantum except it pokes "reg" into RAM at 821-823, then does the jump.

The 0011 file will be the easier of the two to disassemble. The DSC is a beast as there are many jumps and intermixed code/data throughout. Here is an example of why the DSC is such a beast (this is only one example). I think the following was done to confuse disassembler programs: When the DSC program is run, it copies part of itself to another memory location and then copies the same data back to the original location. Starting at $a031, the code copies from ($a017 - $b016) to ($d000 - $dfff), then jmps to $d000, which does jsr $d006 - which copies the data back - from ($d000 - $dfff) to ($a017 - $b016), then jmps to $a043. If you just look at the code, it does a jump out of the normal RAM that the program is running in. You must then simulate the copy of the data and disassemble $d000 - $dfff to see how the program will eventually do a JMP to $a043.

I started using 64copy's (V4.2) disassembler, but I had a problem with my comments getting corrupt, so I stopped using that.

It may be a good idea to read all of the forum posts about Cracking the Qlink Disk. It has helpful information from Keith Henrickson (sp?). If you succeed in commenting the disassembly of these files, it will open the door to much more information about how the Qlink disk operates. I have researched the CIA 6526 chip (as I was disassembling the original DSC and 0011 files) and have documents that I can email you regarding this chip. If I can help, please let me know.

Sincerely,
Jeffery S. Stone
jefferystone@yahoo.com

P.S. I do think that several people working together and sharing ideas/knowledge will help in the disassembling of these files. My request for help went unanswered, so I thought nobody was interested, until now....
jledger.proboards19.com/index.cgi?board=qlink&action=display&thread=1126652575
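The "simulate the copy, then disassemble $d000-$dfff" step described in the post above, as an added example that is not code from this thread or from the Qlink disk. It builds a 64 KiB C64 memory image, loads a PRG into it (either a standard two-byte load-address header, or a QLink-style file whose first ten bytes are skipped and whose load address is supplied by hand, as the post describes for 0011), performs the two copies the post describes ($a017-$b016 to $d000-$dfff and back), and wraps the $d000-$dfff region as a PRG so a disassembler such as da65 sees it at the right address. The DSC-like file produced by build_sample_prg() is constructed test data, not the real DSC.

```python
"""Simulate the DSC copy-out/copy-back trick so the $D000 code can be disassembled.

Added example for this thread, not code from it or from Quantum Link.
The DSC-like PRG built by build_sample_prg() is constructed, not the real file.
"""
import struct
from typing import Optional, Tuple

MEM_SIZE = 0x10000

# Ranges quoted in the post (inclusive).
COPY_SRC_START, COPY_SRC_END = 0xA017, 0xB016
COPY_DST_START, COPY_DST_END = 0xD000, 0xDFFF


def load_prg(data: bytes, mem: bytearray, load_addr: Optional[int] = None,
             header_len: int = 2) -> Tuple[int, int]:
    """Copy a PRG body into mem and return the (first, last) address it occupies.

    Standard PRG: the first two bytes are the little-endian load address.
    QLink-style file (per the post): pass header_len=10 and the known load address.
    """
    if load_addr is None:
        load_addr = struct.unpack_from("<H", data, 0)[0]
    body = data[header_len:]
    if load_addr + len(body) > MEM_SIZE:
        raise ValueError("PRG body does not fit below $10000")
    mem[load_addr:load_addr + len(body)] = body
    return load_addr, load_addr + len(body) - 1


def block_copy(mem: bytearray, src_start: int, src_end: int, dst_start: int) -> None:
    """Byte-for-byte copy of an inclusive range, like the 6502 copy loop in DSC."""
    length = src_end - src_start + 1
    mem[dst_start:dst_start + length] = mem[src_start:src_start + length]


def simulate_dsc_copy(mem: bytearray) -> bytes:
    """Perform both copies; return the $D000-$DFFF image as it exists between them."""
    block_copy(mem, COPY_SRC_START, COPY_SRC_END, COPY_DST_START)   # copy out
    relocated = bytes(mem[COPY_DST_START:COPY_DST_END + 1])
    block_copy(mem, COPY_DST_START, COPY_DST_END, COPY_SRC_START)   # copy back
    return relocated


def relocated_to_original(addr: int) -> int:
    """Map an address inside the $D000 copy to where the same byte sits in the file."""
    if not COPY_DST_START <= addr <= COPY_DST_END:
        raise ValueError("address is not inside the relocated block")
    return addr - COPY_DST_START + COPY_SRC_START


def to_prg(mem: bytearray, start: int, end: int) -> bytes:
    """Wrap a memory range as a PRG (two-byte load address first) for a disassembler."""
    return struct.pack("<H", start) + bytes(mem[start:end + 1])


def build_sample_prg() -> bytes:
    """Constructed stand-in for DSC: loads at $9FF8 and spans through $B016."""
    load_addr = 0x9FF8
    body = bytearray((i * 7 + 3) & 0xFF for i in range(COPY_SRC_END - load_addr + 1))
    # A JMP $D000 at $A040, mirroring the jump the post describes.
    body[0xA040 - load_addr:0xA043 - load_addr] = b"\x4C\x00\xD0"
    return struct.pack("<H", load_addr) + bytes(body)


if __name__ == "__main__":
    mem = bytearray(MEM_SIZE)
    first, last = load_prg(build_sample_prg(), mem)
    relocated = simulate_dsc_copy(mem)
    print(f"loaded ${first:04X}-${last:04X}; relocated block is {len(relocated)} bytes")
    print(f"$D006 in the copy is ${relocated_to_original(0xD006):04X} in the file")
    with open("dsc_d000.prg", "wb") as f:     # feed this to the disassembler
        f.write(to_prg(mem, COPY_DST_START, COPY_DST_END))
```

Running the script with the real DSC file in place of build_sample_prg() gives a PRG whose load address is $d000, so the jsr $d006 and the eventual jmp $a043 can be followed in the disassembler instead of reconstructed by hand; relocated_to_original() translates any address in that listing back to its position in the file.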
Post by drekknni on Oct 21, 2005 0:29:42 GMT -5
I started disassembling the modified QLink 0011 file included in the Swiftlink patch.
Disassembled with da65.
.setcpu "6502"

L0DE1           := $0DE1

; da65 disassembles the whole file, so the first ten bytes (the QLink-style
; header described in the previous post) appear below as junk instructions.
; If the file loads at $0D03 as that post says, the real code starts at LFF12,
; and the NMI handler (the pha/txa/pha sequence) then sits at $0D4D, which is
; the vector the init code stores in $0318/$0319.
        brk
        bpl     LFF0C
        brk
LFF0C:
        ora     a:$F0
        clc
        brk
        brk
; init routine: NMI vector, ACIA, CIA 2 timer/interrupt setup
        ldx     #$FF            ;%11111111
        stx     $A9             ;rs232 flag, check for start bit
        inx
        stx     $B5             ;rs232 next bit to send
        lda     #$08            ;%00001000
        sta     $A8             ;rs232 input bit count
        ldx     #$4D            ;%01001101
        ldy     #$0D            ;%00001101
        stx     $0318           ;NMI vector ($0D4D)
        sty     $0319           ;NMI vector
        lda     #$3C            ;%00111100
        sta     $C616
        lda     #$C5            ;%11000101
        sta     $C617
        sta     $DE01           ;status reg write (reset ACIA, data = don't care)
        lda     $0D00           ;get data for ctrl reg
        sta     $DE03           ;control reg write (baud, rcs, wl, stop bits)
        lda     #$05            ;%00000101
        sta     $DE02           ;command reg write, no parity, dtr low, rx irq on, tx irq on
        lda     #$50            ;%01010000
        sta     $DD05           ;timer A high byte
        lda     #$01            ;%00000001
        sta     $DD0E           ;CIA ctrl reg A
        lda     #$81            ;%10000001
        sta     $DD0D           ;CIA int ctrl reg, write mask
        lda     #$00
        sta     $0297           ;put 0 in $297 (status reg)
        lda     #$12            ;%00010010
        sta     $02A1           ;rs232 enables
        lda     $DD0D           ;CIA int ctrl reg, read NMIs
        rts

; NMI handler
        pha
        txa
        pha
        tya
        pha
        lda     #$7F            ;%01111111
        sta     $DD0D           ;CIA int ctrl reg, write mask
        lda     $DD0D           ;CIA int ctrl reg, read NMIs
        ldx     #$03            ;%00000011
        stx     $DE02           ;command reg write, dtr low, irq off, no parity
        lda     $DE01           ;status reg read
        sta     $A9             ;store status reg in rs232 flag, start bit
        and     #$08            ;AND %00001000, receive data reg full?
        asl     a               ;a is now $10 or $00
        and     $02A1           ;rs232 enables
        beq     LFFA8
        lda     $DE00           ;read data
        ldy     $029B           ;rs232 index to end of input buffer
        iny
        cpy     $029C           ;rs232 start of input buffer (page)
        beq     LFF9E
        sty     $029B           ;rs232 index to end of input buffer
        dey
        sta     ($F7),y         ;rs232 input buffer pointer
LFF8D:
        lda     #$02            ;%00000010
        sta     $DD0D           ;CIA int ctrl reg, write mask
        lda     $02A1           ;rs232 enables
        and     #$FD
        ora     #$90
        sta     $02A1           ;rs232 enables
        bne     LFFA8
LFF9E:
        lda     #$04            ;%00000100
        ora     $0297           ;rs232 6551 status reg, OR %00000100 with $297
        sta     $0297           ;store result (either 0 or 4)
        bne     LFF8D
LFFA8:
        lda     $02A1           ;rs232 enables
        and     #$01
        bne     LFFB4
        lda     #$09
        jmp     L0DE1

LFFB4:
        lda     $A9             ;rs232, check for start bit
        and     #$10
        bne     LFFBF           ;branch to transmit
        lda     #$05            ;%00000101
        jmp     L0DE1

LFFBF:
        lda     $DE01           ;status reg read
        and     #$10            ;check if bit 4 is set (TR empty?)
        beq     LFFBF           ;if not set branch
        lda     $B6             ;contains byte to send
        sta     $DE00           ;write data and transmit
        ldy     $029D           ;rs232 start of output buffer (page)
        cpy     $029E           ;rs232 index to end of output buffer
        beq     LFFDF
        lda     ($F9),y         ;rs232 output buffer pointer
        sta     $B6             ;rs232 out byte buffer
        inc     $029D           ;rs232 start of output buffer (page)
        lda     #$05            ;%00000101
        jmp     L0DE1

LFFDF:
        lda     #$01
        sta     $DD0D           ;CIA int ctrl reg, write mask
        lda     $02A1           ;rs232 enables
        and     #$FE
        ora     #$80
        sta     $02A1           ;rs232 enables
        lda     #$09            ;%00001001
        inc     $D020
        sta     $DE02           ;command reg write, no parity, dtr low, rx irq on, tx irq off
        lda     $02A1           ;rs232 enables
        pla
        tay
        pla
        tax
        pla
        rti
        .byte   $80
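An added example, not code from this thread, that decodes the 6551 ACIA register values the listing above writes and tests. The listing addresses the ACIA at $DE00-$DE03 (data, status, command, control); the bit fields used here are the 6551's documented register layout, so the decoders can be used to check the comments in the listing (the $05, $03 and $09 written to the command register, and the $08 and $10 masks applied to the status register). The control-register value the driver loads from $0D00 is not on the page, so decode_control() is only shown with a constructed value.

```python
"""Decode 6551 ACIA command, control and status register values.

Added example for this thread, not code from it. Register addresses follow the
listing ($DE01 status, $DE02 command, $DE03 control); bit fields follow the 6551.
"""
from typing import Callable, Dict

# Bits 3-0 of the control register select the baud-rate generator setting.
BAUD_RATES = ["16x external clock", "50", "75", "109.92", "134.58", "150", "300", "600",
              "1200", "1800", "2400", "3600", "4800", "7200", "9600", "19200"]


def decode_command(value: int) -> Dict[str, object]:
    """Command register ($DE02): DTR, receiver IRQ, RTS/transmitter IRQ, echo, parity."""
    tx_modes = {  # bits 3-2: transmitter control
        0: ("RTS high", False),                 # transmitter IRQ disabled
        1: ("RTS low", True),                   # transmitter IRQ enabled
        2: ("RTS low", False),                  # transmitter IRQ disabled
        3: ("RTS low, transmit break", False),
    }
    rts, tx_irq = tx_modes[(value >> 2) & 0x03]
    parity_modes = ["odd", "even", "mark", "space"]   # bits 7-6, only if bit 5 set
    return {
        "dtr_low": bool(value & 0x01),    # bit 0: 1 = DTR low, receiver/transmitter on
        "rx_irq": not (value & 0x02),     # bit 1: 0 = receiver IRQ enabled
        "rts": rts,
        "tx_irq": tx_irq,
        "echo": bool(value & 0x10),       # bit 4: receiver echo mode
        "parity": parity_modes[(value >> 6) & 0x03] if value & 0x20 else "none",
    }


def decode_control(value: int) -> Dict[str, object]:
    """Control register ($DE03): baud, receiver clock source, word length, stop bits."""
    return {
        "baud": BAUD_RATES[value & 0x0F],                # bits 3-0
        "rx_clock_from_generator": bool(value & 0x10),   # bit 4: 1 = internal generator
        "word_length": 8 - ((value >> 5) & 0x03),        # bits 6-5: 00=8, 01=7, 10=6, 11=5
        "stop_bits": 2 if value & 0x80 else 1,           # bit 7 (1.5 for 5-bit words w/o parity)
    }


def decode_status(value: int) -> Dict[str, bool]:
    """Status register ($DE01), read-only; a write performs the ACIA reset the listing uses."""
    names = ["parity_error", "framing_error", "overrun", "rx_full",
             "tx_empty", "dcd", "dsr", "irq"]
    return {name: bool(value & (1 << bit)) for bit, name in enumerate(names)}


def describe(value: int, decoder: Callable[[int], Dict[str, object]]) -> str:
    """One-line rendering of a decoded register value, for reading alongside the listing."""
    return f"${value:02X}: " + ", ".join(f"{k}={v}" for k, v in decoder(value).items())


if __name__ == "__main__":
    for v in (0x05, 0x03, 0x09):          # values the listing writes to $DE02
        print("command", describe(v, decode_command))
    for v in (0x08, 0x10):                # masks the listing applies to $DE01
        print("status ", describe(v, decode_status))
    print("control", describe(0x1E, decode_control))   # constructed: 9600 baud, 8N1
```

Decoding $05 gives DTR low, receiver IRQ on, RTS low with transmitter IRQ on and no parity, which is exactly what the comment on the init routine says; $03 turns both interrupts off and raises RTS while the handler runs, and $09 re-enables only the receiver interrupt before the rti, again matching the comments on the listing.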