Code:
RESERVED:A4B3 ldaa #$40 ; '@'
RESERVED:A4B5 clrb
RESERVED:A4B6 std word_16FE
RESERVED:A4B9 nop
RESERVED:A4BA nop
RESERVED:A4BB nop
RESERVED:A4BC clra
RESERVED:A4BD ldab #3
RESERVED:A4BF std word_16F0
RESERVED:A4C2 ldx #$A87A
RESERVED:A4C5 ldy #$1400
RESERVED:A4C9
RESERVED:A4C9 loc_A4C9: ; CODE XREF: _TPU_scalar_resetsub_A4A4+46j
RESERVED:A4C9 ldd 0,x
RESERVED:A4CB std word_16E0
RESERVED:A4CE ldd 2,x
RESERVED:A4D0 std word_16E2
RESERVED:A4D3 ldd 4,x
RESERVED:A4D5 std word_16E4
RESERVED:A4D8 ldd 6,x
RESERVED:A4DA std word_16E6
RESERVED:A4DD sty 0,y
RESERVED:A4E0 iny
RESERVED:A4E2 iny
RESERVED:A4E4 ldab #8
RESERVED:A4E6 abx
RESERVED:A4E7 cpx #$B07A
RESERVED:A4EA bcs loc_A4C9
RESERVED:A4EC ldd #0
RESERVED:A4EF std word_16F0
Looking again at this code, it is the missing puzzle. I somehow overlooked what it does.
Let's make a new brief analysis.
clra
ldab #$44 ; 'D'
std word_16FC
This is some form of soft reset. A pause is made after that, so that suggests that some time is needed for the TPU to finish the initiated task.
Then we have
ldaa #$40 ; '@'
clrb
std word_16FE
Some form of interrupt disable.
nop
nop
nop
A small pause.
clra
ldab #3
std word_16F0
The most important register. Some sort of switch that enables TPU config. Unlocking some config???
That part is really interesting.
loc_A4C9:
ldd 0,x
std word_16E0
ldd 2,x
std word_16E2
ldd 4,x
std word_16E4
ldd 6,x
std word_16E6
sty 0,y
iny
iny
ldab #8
abx
cpx #$B07A
bcs loc_A4C9
We have $800 bytes that are stored to buffer[16e0-16e8] at 8 bytes a cycle;
each cycle 8 bytes are written to the same buffer[16e0-16e8]. What is the purpose of it? The TPU reads the buffer each cycle and copies it to another location.
The most interesting part is that each cycle a word from the 1400-1600 range is read and stored at the same location. For example, in the first cycle the eside reads the value of 1400 and then stores it again at 1400, in the 2nd cycle at 1402, in the 3rd cycle at 1404, and so on until the end of 1600 is reached.
The real reason for this sequence is hardly imaginable. Could this be some pointer for the TPU to store the buffer at a specific location? 2 dwords long.
When the $800 bytes are transferred to the TPU, the
ldd #0
std word_16F0
register is cleared, exiting setup mode.
Can we assume there is a backdoor for debugging? Bootstrapping the TPU, if it even exists, might be the only option.
When you are doing the TPU testing, does the TPU get initialized by the routine at A4A4?
I can't think of any other unintrusive ways of hacking the chip.
Make a list of the more important registers and start setting them on a sequential basis, and check the 1700- range for any available data.
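To check the byte counts and address ranges discussed above, here is an added Python model of the loop at loc_A4C9. It is not code from the firmware or from the post. It assumes 68HC11 semantics for the instructions shown (big-endian 16-bit loads and stores, `cpx`/`bcs` looping while X is below the immediate, `sty 0,y` storing the Y register itself at the address in Y) and fills the ROM range $A87A-$B079 with a constructed byte pattern standing in for the real data.

```python
# Added model of the TPU setup loop at loc_A4C9 (constructed example, not firmware code).
# Register and address names follow the disassembly; the ROM contents are a made-up pattern.

SRC_START, SRC_END = 0xA87A, 0xB07A   # ldx #$A87A ... cpx #$B07A / bcs loc_A4C9
MAILBOX = 0x16E0                       # word_16E0 .. word_16E6: four words, 8 bytes
Y_START = 0x1400                       # ldy #$1400
SETUP_REG = 0x16F0                     # word_16F0: 3 before the loop, 0 after it
CHUNK = 8                              # ldab #8 / abx


def store_word(mem, addr, value):
    """STD/STY on the 68HC11: 16-bit value stored big-endian (high byte first)."""
    mem[addr] = (value >> 8) & 0xFF
    mem[addr + 1] = value & 0xFF


def load_word(mem, addr):
    """LDD on the 68HC11: big-endian 16-bit load."""
    return (mem[addr] << 8) | mem[addr + 1]


def make_memory():
    """64 KiB address space; the ROM range gets a constructed pattern (byte i = i & 0xFF)."""
    mem = bytearray(0x10000)
    for i in range(SRC_END - SRC_START):
        mem[SRC_START + i] = i & 0xFF
    return mem


def run_setup_loop(mem):
    """Execute the loop exactly as the disassembly orders it and return a summary."""
    x, y = SRC_START, Y_START
    store_word(mem, SETUP_REG, 3)              # clra / ldab #3 / std word_16F0
    chunks = []                                # what the mailbox held on each pass
    while True:
        for off in (0, 2, 4, 6):               # ldd off,x / std word_16E0+off
            store_word(mem, MAILBOX + off, load_word(mem, x + off))
        chunks.append(bytes(mem[MAILBOX:MAILBOX + CHUNK]))
        store_word(mem, y, y)                  # sty 0,y: Y's own value lands at [Y]
        y += 2                                 # iny / iny
        x += CHUNK                             # ldab #8 / abx
        if x >= SRC_END:                       # cpx #$B07A / bcs: loop while X < $B07A
            break
    store_word(mem, SETUP_REG, 0)              # ldd #0 / std word_16F0
    return {
        "iterations": len(chunks),
        "bytes_pushed": len(chunks) * CHUNK,
        "chunks": chunks,
        "x_final": x,
        "y_final": y,
        "y_words": [load_word(mem, a) for a in range(Y_START, y, 2)],
        "setup_reg": load_word(mem, SETUP_REG),
    }


if __name__ == "__main__":
    r = run_setup_loop(make_memory())
    print(f"{r['iterations']} passes, ${r['bytes_pushed']:X} bytes through $16E0-$16E7")
    print(f"X ended at ${r['x_final']:X}, Y ended at ${r['y_final']:X}")
    print(f"first chunk {r['chunks'][0].hex()}, last chunk {r['chunks'][-1].hex()}")
    print(f"word at $1400 = ${r['y_words'][0]:X}, word_16F0 = {r['setup_reg']}")
```

Running it confirms the figures in the post: 256 passes of 8 bytes ($800 in total) go through the four words at $16E0-$16E6, X stops at $B07A, and word_16F0 is back at 0. It also shows what the `sty 0,y` step leaves behind under these semantics: Y runs from $1400 to $1600, and each word in $1400-$15FE ends up holding its own address, which is worth keeping in mind when deciding whether that range is a pointer table for the TPU.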