Bootloader extraction

Guys,
I need a sanity check for a second. I extracted the entire contents of memory (64kB) using a DMA engine I loaded at $d1e. (previous experiments showed this to be an unused region in memory)
So, I get my dump, and try to extract the code at $1090 to $3FFF. The very first function looks familiar (BSS init) - except that the JMP instruction is L01009, not L01099 - which puts you into uninitialized space.
To compensate, I deleted everything from $1000 to $108f, and now when I disassemble, the function is functionally identical to the BSS init in firmware, except that the target address is pointing to a high memory address ($3a87)
I even see the same "dead" jump vectors to L01000 in memory. It looks like I did have to remove some "dead air" to get the disassembly to work properly. I'm not sure if I could fix that in my firmware.comments file or not.
Here is my firmware.comments for the dump:
** memory weirdness: memcpy(&mem[0x90], &mem[00], 4096 - 0x90);
memcpy(0x90, 0, 3952) // This still seems necessary for correct disassembly
** put an RTS at 0000 to simulate reset/bootloading
** We do this because the firmware loaded with an offset of $90
**poke(0, 0xb9) <- no point in this poke, we have real memory
** Entry points:
** Common Code (always present)
**entry=0x00000, bank=0 // this doesn't do anything
**entry=0x00090, bank=0 // this points to my DMA routine
entry=0x01000, bank=0
entry=0x01017, bank=0
entry=0x0101c, bank=0
Does this seem reasonable? If so, the region from $1090 to $3fff appears to be valid code. So far, the functions all target familiar registers. If anyone wants to try to reproduce the experiment, PM me for the .s file.
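For anyone who wants to script the realignment step rather than hand-edit the dump, here is an added example (my own code, not from the post above or from the disassembler the firmware.comments file feeds). It derives the load offset from one absolute jump whose destination you can recognise by a byte signature, shifts the whole 64kB image by that amount, plants an RTS at $0000 as the comments file does, and checks that the jump now lands on the recognised code. The JMP encoding (opcode 0x4C followed by a 16-bit little-endian target), the RTS opcode (0x60), the erased-flash fill value and the BSS-init signature bytes are all assumptions made for the demo, not facts about the camera's CPU, and the sample dump is constructed inline.

```python
"""Realign a raw 64kB memory dump so absolute jump targets resolve.

Added example, not code from the original post.  Opcodes, fill value and
the BSS-init signature below are assumptions for the demo.
"""

MEM_SIZE = 0x10000          # 64 kB address space, as in the post
JMP_OP = 0x4C               # assumed "JMP absolute" opcode
RTS_OP = 0x60               # assumed "RTS" opcode
FILL = 0xFF                 # assumed erased-flash value used for padding
BSS_SIG = bytes([0xA9, 0x00, 0xA2, 0x00])   # assumed BSS-init prologue bytes


def pad_image(mem: bytes) -> bytes:
    """Force the image to exactly MEM_SIZE bytes (pad with FILL or truncate)."""
    return bytes(mem).ljust(MEM_SIZE, bytes([FILL]))[:MEM_SIZE]


def jmp_target(mem: bytes, addr: int):
    """Decode the assumed 3-byte JMP at addr; None if no JMP opcode is there."""
    if addr + 3 > len(mem) or mem[addr] != JMP_OP:
        return None
    return mem[addr + 1] | (mem[addr + 2] << 8)


def find_signature(mem: bytes, sig: bytes) -> int:
    """Address of the first occurrence of a byte pattern, or -1."""
    return bytes(mem).find(sig)


def load_offset(mem: bytes, jmp_addr: int, dest_sig: bytes) -> int:
    """Shift the dump needs: the target the JMP encodes minus the address
    where the code that target should reach actually sits in the dump."""
    target = jmp_target(mem, jmp_addr)
    if target is None:
        raise ValueError(f"no JMP at {jmp_addr:#06x}")
    actual = find_signature(mem, dest_sig)
    if actual < 0:
        raise ValueError("destination signature not found in dump")
    return target - actual


def relocate(mem: bytes, shift: int) -> bytearray:
    """Shift the whole image by `shift` bytes inside the 64 kB space.
    Slicing reads the source before writing, so overlapping source and
    destination are safe (memmove semantics; an overlapping memcpy is
    undefined behaviour in C)."""
    mem = pad_image(mem)
    out = bytearray([FILL]) * MEM_SIZE
    if shift >= 0:
        out[shift:] = mem[:MEM_SIZE - shift]
    else:
        out[:MEM_SIZE + shift] = mem[-shift:]
    return out


def realign_dump(mem: bytes, jmp_addr: int, dest_sig: bytes, rts_at_zero: bool = True):
    """Full procedure: measure the offset, relocate, plant RTS at $0000 so a
    call through the reset vector simply returns, then verify the jump
    resolves to the recognised code.  Returns (shift, fixed_image)."""
    shift = load_offset(mem, jmp_addr, dest_sig)
    fixed = relocate(mem, shift)
    if rts_at_zero:
        fixed[0] = RTS_OP
    if jmp_target(fixed, jmp_addr + shift) != find_signature(fixed, dest_sig):
        raise RuntimeError("relocation did not make the jump resolve")
    return shift, fixed


def build_sample_dump() -> bytes:
    """Constructed dump (not a real capture): the JMP at $1000 encodes
    $1099, but the prologue it should reach was captured at $1009, i.e.
    the image sits $90 bytes too low."""
    mem = bytearray([FILL]) * MEM_SIZE
    mem[0x1000:0x1003] = bytes([JMP_OP, 0x99, 0x10])     # JMP $1099
    mem[0x1009:0x1009 + len(BSS_SIG)] = BSS_SIG
    return bytes(mem)


if __name__ == "__main__":
    shift, fixed = realign_dump(build_sample_dump(), 0x1000, BSS_SIG)
    print(f"shift = {shift:#x}, JMP now at {0x1000 + shift:#06x} -> "
          f"{jmp_target(fixed, 0x1000 + shift):#06x}")
```

Run it on a real dump by replacing `build_sample_dump()` with the file contents and choosing a JMP address and destination signature you have already matched against the known firmware; if `load_offset` comes out as 0x90 the memcpy line in the comments file is doing the same job.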
radarman- 08-15-2005
It doesn't look like this is going to work. The dump is nearly identical to bank 0 of the (purposefully) messed up firmware. I'm going to try erasing the flash (or disabling) it to verify that we get dead data, but so far, it looks like this is a no-go.
brite_eye- 08-16-2005
Have you read all the entries in the firmware bootloader topic on the camera discussions forum?
http://camerahacks.10.forumer.com/viewtopic.php?p=1009#1009
Can anyone explain why, where and when the bootloader appears and disappears?
radarman- 08-16-2005
Crap, posted to the OTHER thread. Essentially, I believe the bootloader ROM disappearing is a feature. It allows the developer to have the full run of the processor while developing software, without having to worry about running into the bootloader ROM accidentally.
I should have thought of that - but I still think it was worth the effort. I now understand a lot more about how the DMA engine works. :)