; DSP ucode used to "unlock" memcards.
; Reverse-engineered out of curiosity, on a hunch that it does something
; tricky.
;
; NOTE(review): the closing comment of this file gives the image size as 0xb0
; words, so the listing presumably has to assemble to the same words as the
; original ucode. Treat the instruction sequence as fixed; only comments and
; layout should change.

IROM_BASE:  equ 0x8000              ; base for the calls/jumps into IROM below

; Exception vectors
; Thirteen nops followed by a halt: per the original note, exceptions 0-6
; slide down the nops into that halt. Exception 7 gets a bare rti.
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    halt                            ; exceptions 0-6 end up here
    rti                             ; exception 7
    halt

; Entry point
; Standard init: four status bits via sbset/sbclr, then $CR and the four
; $WRn registers, then 40-bit mode.
    sbset   #0x06
    sbclr   #0x03
    sbclr   #0x04
    sbset   #0x05
    lri     $CR, #0x00ff
    lri     $WR0, #0xffff
    lri     $WR1, #0xffff
    lri     $WR2, #0xffff
    lri     $WR3, #0xffff
    set40

; Announce ourselves to the CPU: 0xdcd10000 is the init mail.
    call    wait_for_dsp_mbox       ; polls @DMBH before the mailbox is written
    si      @DMBH, #0xdcd1
    si      @DMBL, #0x0000
    si      @DIRQ, #0x0001          ; presumably signals the CPU - confirm

; Wait for the CPU's start command ("go!" is the original author's guess).
; Loops until a mail arrives whose high word equals 0xff00. The low word is
; read from @CMBL but never compared.
wait_for_start_cmd:
    call    wait_for_cpu_mbox       ; returns with @CMBH in $AC1.M
    lrs     $AC1.L, @CMBL
    cmpi    $AC1.M, #0xff00
    jnz     wait_for_start_cmd
; Falls through into the DMA step below.

dma_dram_and_prepare_for_crazy_irom_func:
; The next CPU mail is taken as a main-RAM address. Its high word is masked
; with 0x0fff; DSP address, length and control word are constants.
; NOTE(review): the mask is the only check applied to the CPU-supplied
; address, and the IROM routine called at the end is not part of this
; listing. Anything re-implementing this sequence (e.g. HLE) should bound the
; transfer itself rather than rely on the sender.
    call    wait_for_cpu_mbox
    mrr     $AC0.M, $AC1.M          ; mail high word, as loaded by wait_for_cpu_mbox
    lrs     $AC0.L, @CMBL           ; main ram addr.l
    andi    $AC0.M, #0x0fff         ; main ram addr.h & 0x0fff
    lri     $AX0.L, #0x0400         ; dsp addr
    lri     $AX0.H, #0x0010         ; length (bytes)
    lri     $AX1.L, #0x0000         ; value for @DSCR; original note: "dsp dram to cpu"
                                    ; NOTE(review): Dolphin's DSP DMA handling treats
                                    ; control bit 0 set as DSP -> CPU, so 0 would be
                                    ; main RAM -> DSP DRAM - confirm the direction
    set16
    call    do_dma
    call    IROM_BASE+0x0644        ; IROM routine, not reversed yet (expected to be hard)

; Mail 0xdcd10003 - "finished unlocking"? (original author's guess)
    call    wait_for_dsp_mbox
    si      @DMBH, #0xdcd1
    si      @DMBL, #0x0003
    si      @DIRQ, #0x0001
    set40

; Command dispatch. Expected mail: high word 0xcdd1, low word selects
;   0x0001 -> _005afunc
;   0x0002 -> IROM_BASE (this ucode is finished)
;   other  -> back to the DMA step
; NOTE(review): on a high-word mismatch the branch is taken before @CMBL is
; read. If reading @CMBL is what acknowledges a mail (TODO confirm), that
; same mail is then consumed by the DMA step as a main-RAM address.
    call    wait_for_cpu_mbox
    cmpi    $AC1.M, #0xcdd1
    jnz     dma_dram_and_prepare_for_crazy_irom_func
    lrs     $AC1.M, @CMBL
    cmpi    $AC1.M, #0x0001
    jz      _005afunc
    cmpi    $AC1.M, #0x0002
    jz      IROM_BASE               ; end of this ucode, wait for a new one
    jmp     dma_dram_and_prepare_for_crazy_irom_func
    halt                            ; probably never reached

; Ten mails from the CPU, then a jump into IROM - looks interesting.
; Where each mail ends up (H = mail high word as left in $AC1.M by
; wait_for_cpu_mbox, L = @CMBL):
;    1-3  L -> $AC1.L (each load overwrites the previous one)
;    4    L -> $IX1,    H & 0x0fff -> $IX0
;    5    L -> $IX3
;    6    L -> $IX2
;    7    L -> $AR0
;    8    L -> $AX0.L,  H & 0x0fff -> $AX0.H
;    9    L -> $AX1.L
;   10    L -> $AX1.H
; NOTE(review): apart from the two 0x0fff masks, every value reaches the IROM
; routine exactly as the CPU sent it. What that routine does with them is not
; visible here (the original note only says it "can dma stuff"), so a
; re-implementation should validate addresses and lengths before acting.
_005afunc:
    set16
    call    wait_for_cpu_mbox       ; mail 1
    lrs     $AC1.L, @CMBL
    call    wait_for_cpu_mbox       ; mail 2
    lrs     $AC1.L, @CMBL
    call    wait_for_cpu_mbox       ; mail 3
    lrs     $AC1.L, @CMBL
    call    wait_for_cpu_mbox       ; mail 4
    lr      $IX1, @CMBL
    andi    $AC1.M, #0x0fff
    mrr     $IX0, $AC1.M
    call    wait_for_cpu_mbox       ; mail 5
    lr      $IX3, @CMBL
    call    wait_for_cpu_mbox       ; mail 6
    lr      $IX2, @CMBL
    call    wait_for_cpu_mbox       ; mail 7
    lr      $AR0, @CMBL
    call    wait_for_cpu_mbox       ; mail 8
    lrs     $AX0.L, @CMBL
    andi    $AC1.M, #0x0fff
    mrr     $AX0.H, $AC1.M
    call    wait_for_cpu_mbox       ; mail 9
    lrs     $AX1.L, @CMBL
    call    wait_for_cpu_mbox       ; mail 10
    lrs     $AX1.H, @CMBL
    sbclr   #0x05                   ; undoes the sbset #0x05 from init
    sbclr   #0x06                   ; undoes the sbset #0x06 from init
    jmp     IROM_BASE+0x00b5        ; IROM - can dma stuff
    halt

wait_for_dsp_mbox:
; Busy-wait on bit 15 (0x8000) of @DMBH; callers write @DMBH/@DMBL right
; after this returns. Presumably the bit means "previous mail not yet taken
; by the CPU" - confirm against the andcf/jlz semantics.
; There is no timeout: if the bit never changes, the DSP spins here forever.
; Clobbers: $AC1.M
    lrs     $AC1.M, @DMBH
    andcf   $AC1.M, #0x8000
    jlz     wait_for_dsp_mbox
    ret

wait_for_cpu_mbox:
; Busy-wait on bit 15 (0x8000) of @CMBH, with the opposite branch sense to
; wait_for_dsp_mbox (jlnz instead of jlz). Presumably returns once a CPU mail
; is present - confirm against the andcf/jlnz semantics.
; Out: $AC1.M = last value read from @CMBH. Several callers use it as the
;      mail's high word, so this is part of the contract, not a side effect.
; There is no timeout: without a mail from the CPU the DSP spins here forever.
    lrs     $AC1.M, @CMBH
    andcf   $AC1.M, #0x8000
    jlnz    wait_for_cpu_mbox
    ret

do_dma:
; Program the DMA registers from the caller's registers, then poll until done.
; In:  $AC0.M / $AC0.L = main-RAM address high / low  (-> @DSMAH / @DSMAL)
;      $AX0.L          = DSP address                  (-> @DSPA)
;      $AX1.L          = control word                 (-> @DSCR)
;      $AX0.H          = length                       (-> @DSBL)
; Clobbers: $AC0.M (reused as the poll scratch register)
; NOTE(review): no argument is range-checked here; whatever the caller loaded
; is written to the registers as-is. @DSBL is written last - presumably that
; write starts the transfer (confirm).
    srs     @DSMAH, $AC0.M
    srs     @DSMAL, $AC0.L
    sr      @DSPA, $AX0.L
    sr      @DSCR, $AX1.L
    sr      @DSBL, $AX0.H
wait_dma:
; Poll bit 2 (0x0004) of @DSCR - presumably the "DMA busy" flag. No timeout.
    lrs     $AC0.M, @DSCR
    andcf   $AC0.M, #0x0004
    jlz     wait_dma
    ret

; Trailing nops: padding, per the original note to a 32-byte boundary.
; Fourteen words; they are part of the image, so keep the count.
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop

; uCode is 0xb0 words