| |
6R6
Registered: Feb 2002 Posts: 245 |
Disabling AR freeze button
Is it possible to disable the Action
Replay freeze function 100% ?
In that case, please enlighten me... :)
|
|
| |
Frantic
Registered: Mar 2003 Posts: 1648 |
@AlexC: Looking forward to that codebase article! ;) |
| |
AlexC
Registered: Jan 2008 Posts: 299 |
Ok, here it is - please post your comments as it still needs a lot of work to be finished.
0. Versions used
Vice 1.22
C64C Pal
Action Replay MK VI
1. Detecting cartridges
Most cartridges (including RR if active) can be detected by writing to the range DE00-DEFF and checking whether the value written there is persistent. This allows detection of: Action Replay MK VI, Final Cartridge III and Retro Replay. This method will fail against Trilogic Expert.
start: lda $de10
ldx #$0a
ldy #$00
compare:
cmp $de10
bne nocart
delay: dey
bne delay
dex
bne compare
cartfound:
jsr print
rts
nocart: rts
1.1 FCIII
FCIII can also be detected by analyzing system vectors starting from $0302:
$0302 = $DE41
$0304 = $DF8D
$0306 = $DE49
$0308 = $DE73
$030a = $DE4F
$0330 = $DE21 (LOAD)
$0332 = $DE35 (SAVE)
The following code can be used to detect FCIII vectors:
lda #$de
cmp $0303
beq crtfound
rts
crtfound: jsr $fce2
The following code will restart the system into clean BASIC; FCIII extensions will not be available until freeze, however the cartridge LED will be lit.
Another method to detect FCIII can be based on its control register: $DFFF.
Bit 0: number of bank to show at $8000 ($3)
Bit 1: unused
Bit 2: unused
Bit 4-5: 00 turn all 16kb of ROM
01 start freezer
10 enable first 8kb of ROM
11 disable FCIII ROM
Bit 6: unused
Bit 7: 1 (always show 16kb of bank 0)
FCIII has following banks:
0 BASIC, Monitor
1 Notepad, BASIC (Bar)
2 Desktop, Freezer/Print
3 Freezer
To jump into freezer you can use following code:
lda #$9f
sta $dfff
The above code works, however, only in Vice; on real C64 (at least on my original copy of FCIII) this enters freezer and hangs system. [this needs further research]
Using #$B3 value instead will give you interesting result on real C64 and will jam CPU if you are using Vice.
How to use FCIII control register for detection? Simple: you can read from it, however it will not return the value that has been written to it. Instead in case of default system start it will always return #$FF. This leads us to following code:
10 for i = 1 to 10: print peek(57343):next
Both on real C64 and Vice in case of FCIII you will get ten $FF results. This allows to detect cart even if kill command has been used. If you disconnect the cartridge you will get different results: at least two 0 values from above basic test (other values than 0 and FF are possible too!). Check it out yourself!
$DFFF read value can differ if any writes have been done to it besides normal system start (using BASIC option from System menu). [this needs further research]
Another detection method is based on the fact that 512 bytes of FCIII ROM can't be turned off; this code is always there at $DE00-DFFF. At $DE01 you will find the following code:
DE01 8D FF DF STA $DFFF
DE04 60 RTS
So to detect FCIII you can check if those bytes are there. If not, FCIII is not connected to the system.
1.2 Action Replay
Original Action Replay on real C64 will crash system if its control register at $DE00 is being read. Check the following code:
start: ldy #$0a
loop: lda $de00 ; read the AR control register
dey
bne loop ; branch to the read, not to the ldy, so the count runs down
rts
Actually one read is enough to crash system in case of all AR and its clones I have.
Ever thought INC $D020 can be dangerous for AR? I must be kidding, right? Then check the following code on real C64:
$9000 nop
$9001 inc $d020
$9004 jmp $9000
Now try to freeze it a few times. You will quickly find out that usually either the PC value is incorrect or after restarting you will hit BRK and enter monitor again.
As stated above, AR has a control register at $DE00. Here is a list of possible values you can write to it:
$00 enable bank 0
$06 disable cart and I/O area for it
$08 enable bank 1
$0A disable cart
$10 enable bank 2
$18 enable bank 3
$20 enable RAM at $8000 - $9FFF write to C64 memory underneath is enabled
$23 enable RAM at $8000 - $9FFF write to C64 memory underneath is disabled
Writing $23 to $DE00 will result in jump to the freezer if PC is above $0FFF.
Here is the meaning of bits:
Bit 0: Game low (=1)
Bit 1: Exrom high (=1)
Bit 2: disable cart (=1) turns off $de00 register
Bit 3: Rom bank selector low
Bit 4: Rom bank selector high
Bit 5: enable ram at $8000 and I/O
Bit 6: resets freeze mode
Bit 7: unused
1.3 Retro Replay
Detection unless ZAP command has been used is quite easy: use the code from section 1.
You can use following routine to jump into main menu (works with AR too):
sei
lda #$00
sta $de00
jmp $fce2
You can disable it (works with AR too) by following code:
sei
lda #$14
sta $de00
jsr $e453
cli
rts
Please note that this will not affect freeze button.
RR has in fact 2 control registers (from official RR manual): $DE00 and $DE01. There is theoretically a possibility of disabling the freeze button due to bit 2 of DE01. Bit 2 has the name NoFreeze and can disable the freeze button if set to 1, but can be written only once. RR 3.8 sets it to 0 (enables freeze) at $817F.
Consult RR manual for further Information: http://rr.c64.org/rr_manual.html#appb
1.3.2 Freeze vs breakpoint
If you ever wondered about the differences between freezepoints and breakpoints, here it is: a breakpoint will work only if the vectors at $FFFE and $0316 have not been changed (it uses BRK). A freezepoint, however, uses JSR $DFD3. [this needs further explanation]
|
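The FCIII ROM-signature check from section 1.1 of the post above, combined with its $DFFF read test, as an added example that is not part of the original thread. The labels, the $1000 origin and the result convention in A are assumptions; only the addresses and the four signature bytes come from the post.

```asm
// Added example, KickAssembler syntax. Labels, the $1000 origin and the
// return convention in A are assumptions, not from the thread.
        .pc = $1000
fc3chk: ldx #$03            // compare 4 bytes, last one first
sigcmp: lda $de01,x         // FCIII ROM bytes that cannot be switched off
        cmp sig,x
        bne nofc3           // any mismatch: signature absent
        dex
        bpl sigcmp          // X wraps to $ff after index 0, loop ends
        ldx #$0a            // second stage: ten reads of $dfff,
dfread: lda $dfff           // as in the BASIC PEEK(57343) test
        cmp #$ff
        bne sigonly         // a non-$ff read: report signature match only
        dex
        bne dfread
        lda #$02            // A=2: signature found and $dfff read $ff ten times
        rts
sigonly: lda #$01           // A=1: signature found, $dfff read something else
        rts
nofc3:  lda #$00            // A=0: bytes at $de01-$de04 are not the FCIII stub
        rts
sig:    .byte $8d,$ff,$df,$60   // STA $DFFF / RTS as listed at $DE01 in the post
```

The post reports that reading $DE00 crashes a real C64 with Action Replay attached; this routine reads $DE01-$DE04 in the same I/O page, and the thread does not say how AR reacts to those reads.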
| |
AlexC
Registered: Jan 2008 Posts: 299 |
Quote: ar also freezes with irq+nmi disabled, it only fails if you enable the ultimax mode. then, however, your code must run from $0000-$0fff. quite a pain in the ass to code ;)
According to my experiments this is not entirely true. Take a look at the following example (KickAssembler):
.pc = $1000
start: sei
lda #$35
sta $01
jsr disirq
jsr disnmi
loop: jmp *
disirq: lda #$7f
sta $dc0d
sta $dd0d
lda $dc0d
lda $dc0d
//disable screen
sta $d011
ora %00010000
sta $d011
//read VIC IIR
lda $d019
//no irq's from vic
lda #$00
sta $d01a
//setup own handler
ldx #<irq
ldy #>irq
stx $fffe
sty $ffff
rts
disnmi: lda #$00
sta $dd0e
sta $dd04
sta $dd05
lda #$81
sta $dd0d
lda #$01
sta $dd0e
//setup own handler
ldx #<nmi
ldy #>nmi
stx $fffa
sty $fffb
rts
irq: rti
nmi: rti
Run it with sys 4096 and try to use freeze RR or AR button. The interesting part is that Expert has no problems with it - actually this code will enter Expert monitor during execution. If you have Expert you can test ESM led by setting cart into OFF position and running this code. |
| |
chatGPZ
Registered: Dec 2001 Posts: 11386 |
Quote:
Ever thought INC $D020 can be dangerous for AR? I must be kidding, right? Then check the following code on real C64:
$9000 nop
$9001 inc $d020
$9004 jmp $9000
Now try to freeze it a few times. You will quickly find out that usually either the PC value is incorrect or after restarting you will hit BRK and enter monitor again.
did you actually check this on a real c64? never forget, the freezer stuff in vice is BROKEN. at least with emulated AR or RR, repeatedly freezing and restarting _anything_ will fail (and it works just fine on the real thing). |
| |
AlexC
Registered: Jan 2008 Posts: 299 |
Quote: Quote:
Ever thought INC $D020 can be dangerous for AR? I must be kidding, right? Then check the following code on real C64:
$9000 nop
$9001 inc $d020
$9004 jmp $9000
Now try to freeze it a few times. You will quickly find out that usually either the PC value is incorrect or after restarting you will hit BRK and enter monitor again.
did you actually check this on a real c64? never forget, the freezer stuff in vice is BROKEN. at least with emulated AR or RR, repeatedly freezing and restarting _anything_ will fail (and it works just fine on the real thing).
According to my tests it works only on real C64. Could not reproduce the same effect on Vice even after switching to different AR ROMS.
Also please note the first line of quote - "on real c64" ;)
Speaking about broken freezer it also applies to Expert (at least NMI's are not emulated properly on hardware level). |
| |
chatGPZ
Registered: Dec 2001 Posts: 11386 |
Quote:
at least NMI's are not emulated properly on hardware level
yeah, NMI seems to be generally broken... i played around with some other stuff a while ago which used restore as a "panik" button, and on vice it would trigger the nmi only once (but on real c64 it worked like it should). |
| |
Martin Piper
Registered: Nov 2007 Posts: 722 |
Yes in VICE the NMI can only trigger once, which is a bug :) It also seems to always trigger from the restore key near the top of the screen raster. Unless it is triggered by a timer of course.
|
| |
AlexC
Registered: Jan 2008 Posts: 299 |
Quote: Yes in VICE the NMI can only trigger once, which is a bug :) It also seems to always trigger from the restore key near the top of the screen raster. Unless it is triggered by a timer of course.
That's interesting - I've never done much research on Vice after I've discovered that handling NMI is broken. Thanks for the tip Martin. |
| |
Martin Piper
Registered: Nov 2007 Posts: 722 |
You are very welcome. :) Like most things it was discovered by accident. I was testing my screen split and noticed the border colour change would trigger at the top of the screen raster time (viewable with full debug borders) when holding down the "restore" key. On the real C64 the restore key NMI is triggered on a logic edge, not logic state.
|
| |
Frantic
Registered: Mar 2003 Posts: 1648 |
@AlexC: Thanks for the article! Sorry that I didn't notice that you posted it until now. It is available here:
http://codebase64.org/doku.php?id=base:cartridge_detection |