Forums

In my old wondering around Ace of Aces I found something sorta interesting. Here is a short disassembly of Ace of Aces, startinf from the beginning of the file
00000000: DI
00000001: LD HL,C000h
00000004: LD A,(HL)
00000005: AND E0h
00000007: OR 08h
00000009: OUTA (3Eh)

To put this into english, put the address C000 into HL. Load the contents of C000 into A. And A with E0, then OR A with 8. Then put this value out to port $3E . Interesting, after reading through some posts on this board, with erics words I found this out. IT puts the value into $C000 which is used to try and find the SEGA TMR crap in a rom. In this case since the rom is 256kbytes it must be a cartridge so the bios would set C000 to AB, find SEGA TMR and do whatever else crap. It hands over power to the cartridge now, so we are at location 0 in rom
AB is in c000
It ands AB with E0, this results in A0
A0 is ORed with 8, effectively adding 8 to it, so its now A8
It writes A8 to port $3E
Now from what people have posted on this board A8 doesnt effect anything. So why would it write this value?
This rom writes 31 to FRAME1 register(FFFE) which when AND'd with 15 (rom pages in rom) gives 15. It is supposed to page in page1(0x4000-0x8000 in rom) into FRAME1, not page15(the last page in the rom), i know this because if i set it to page page1 in the rom works, otherwise it pages in page15 causing it not to work. What do you infophobes think? Bios does something here?
-Jason Starr-

After a few hours of getting the damned REAL sms bios to work I did it!
It checksums the rom and everything, searches thruogh the pages adding up the checksum. Guess what with Ace of Aces. The bios now makes it work! The bios obviously sets up how the paging system should work , as Ace of Aces uses Ram addresses set by bios and MWAH it works. This is obviously going to have an effect on other roms but this is excellent!!!!!!
WOooooooooo. More news to come.

-Jason Starr-

Quote

> It checksums the rom and everything, searches thruogh the pages adding up the checksum. Guess what with Ace of Aces. The bios now makes it work! The bios obviously sets up how the paging system should work , as Ace of Aces uses Ram addresses set by bios and MWAH it works. This is obviously going to have an effect on other roms but this is excellent!!!!!!
> WOooooooooo. More news to come.

Well... Don't get too excited. Three things.

1) I had the same thing happen. With MAMEZ80 Ace of Aces won't boot unless the BIOS is loaded first.
2) Remember that Power Base Converter, MasterGear Converter etc, don't HAVE BIOS, and they're supposed to run all games except F-16. So, I don't think it's proper that they need emulation.
3) Ace of Aces works without the BIOS on other CPU cores (in CHASMs anyway).

soo...... uhm.

- vecna

Quote

> After a few hours of getting the damned REAL sms bios to work I did it!
> It checksums the rom and everything, searches thruogh the pages adding up the checksum. Guess what with Ace of Aces. The bios now makes it work! The bios obviously sets up how the paging system should work , as Ace of Aces uses Ram addresses set by bios and MWAH it works. This is obviously going to have an effect on other roms but this is excellent!!!!!!
> WOooooooooo. More news to come.

Nice work Jason!

(I didn't actually know about the Ace of Aces issue, but that would explain why it doesn't work correctly on a Mega Drive w/PBC...)

Mike

Quote

> After a few hours of getting the damned REAL sms bios to work I did it!
> It checksums the rom and everything, searches thruogh the pages adding up the checksum. Guess what with Ace of Aces. The bios now makes it work! The bios obviously sets up how the paging system should work , as Ace of Aces uses Ram addresses set by bios and MWAH it works. This is obviously going to have an effect on other roms but this is excellent!!!!!!
> WOooooooooo. More news to come.

I've traced through some of Ace of Aces using MesaDX and this is what I've found:

Ace of Aces never initializes SP, and if your CPU emulator is anything like mine, SP at reset is 0x0000. Consequently, the first CALL instruction at 0x001C pushes the return address 0x001F to address 0xFFFE-0xFFFF, the paging registers. This is why page 15 was being mapped into frame 1, because of the implicit push. (This might also explain why Ace of Aces works with certain CPU cores and not others. For example, if a CPU core sets SP to 0xFFFF at reset, then 0x01FF gets pushed to 0xFFFD-0xFFFE. Notice that 0x01 is the still the value in 0xFFFE so everything still works correctly.)

I suspect that one (perhaps the only one) reason that Ace of Aces works when preceeded by BIOS is that BIOS sets up the SP. I suggest you try Ace of Aces again with your emulator, but this time make sure SP is not 0x0000 at reset (try 0xDFF0). Does Ace of Aces work now without the BIOS?

Some other things to consider are the settings of the VDP registers at reset in you emulator.

--
Eric Quinn

Quote

> -Jason Starr-

Quote

> ... (This might also explain why Ace of Aces works with certain CPU cores and not others. For example, if a CPU core sets SP to 0xFFFF at reset, then 0x01FF gets pushed to 0xFFFD-0xFFFE. Notice that 0x01 is the still the value in 0xFFFE so everything still works correctly.)

Oops. Scratch that remark about the other CPU cores and their SP reset values. 0x00 would be pushed to 0xFFFE resulting in page 0 being in frame 1 not page 1.

--
Eric Quinn

Well, sort of. You're right about if SP was initialized it to 0xFFFF.

But, when I set up chasms to initialize SP to 0xDFF0, Ace of Aces, Shadow Dancer and zoop's V31.SMS now work without needing the BIOS enabled in CHASMS. Mike G, you mentioned Ace of Aces doesn't work on on a MD/PBC ... Does Shadow Dancer? If not, that would be very.. interesting. That would mean that two commercial games don't initialize SP, which is .. strange. Technically speaking, then, James McKay's warning about initializing SP is unnecessary. ^_^

- vecna

Quote

> Well, sort of. You're right about if SP was initialized it to 0xFFFF.

> But, when I set up chasms to initialize SP to 0xDFF0, Ace of Aces, Shadow Dancer and zoop's V31.SMS now work without needing the BIOS enabled in CHASMS.

I know for sure that v31.sms doesn't initialize the stack pointer, I've bitched about it before.

I've also noticed a couple of games(can't remember which) that make a few calls (to shut off the sound channels, things like that) and -then- set the stack pointer.

Of course it would work on other cpu cores, it depends on how youve set up the emulation. In this case the stack and paging matters. I had ace of aces working in Marats core, but then it stopped working suddenly one day and i didnt realize what it was. Now I know what it was, the day it stopped working i switched to a new more accurate paging method with help from James McKays doc. This was in the first week of my emulator. Now ive tested it, setting frame1 paging to normal, loading ace of aces and watching it screw itself over by writing 31 to frame1 regs. NOW with the bios enabled which i guess you had before, except that it was hacked not to do checksums etc, it clears the ram to a KNOWN state for Ace of Aces which makes it work. So which is more accurate?

looks like some dodgy security or authentication. the AND masks the three slot enable bits. so if the start-up slot is not in $C000 then the cart isn't mapped in correctly. the OR just shadows the bios and enables the 8kB of RAM.

so the program doesn't explicitly set the stack pointer. this is not a big deal if a preceding program, ie BIOS, sets the stack pointer but if the stack pointer is not set, then all hell breaks loose.

two step security lockout in 9 bytes. not bad coding...

BTW Jason I got myself a SMS1 for $5 and a 3050 lightphaser for $3!!! now i just have to get around to locating one for you. =o)

a s out.

Um you better get me one that cheap you bastard!! :P
Hehehe. You'll end up getting one that costs 300 dollars for me wont you :P. Try and get any accesories or anything you can and my woman can pick it up from you sometime :), She going over there for easter so pick one up soon! Thanks again.
-Jason Starr-

I reckon I can get you one with joypad and cables etc for $10.

Of course I'll keep the best case and PCB for myself and send you the shabbier SMS of the two ;o) he he he

before easter won't be a problem.

cheers big-ears.

a s out.

Quote

> Um you better get me one that cheap you bastard!! :P
> Hehehe. You'll end up getting one that costs 300 dollars for me wont you :P. Try and get any accesories or anything you can and my woman can pick it up from you sometime :), She going over there for easter so pick one up soon! Thanks again.
> -Jason Starr-

Well, RAZE i assume sets Stack Pointer to 0x0000 at startup. I got V31.sms working, without setting the stack pointer, the problem i was having was with the value written to 0xFFFD, Zoops smspower demo needs have that value NOT ANDED when written to ram. I assume this is the behaviour of all roms, as when i switched all registers to not AND the value written to ram(unlike what james mckays doc says) no problems have arisen.
-Jason Starr-

Author	Message
PolestaR Guest	Bios Stuff Posted: Thu Mar 22, 2001 1:32 pm
PolestaR Guest	In my old wondering around Ace of Aces I found something sorta interesting. Here is a short disassembly of Ace of Aces, startinf from the beginning of the file 00000000: DI 00000001: LD HL,C000h 00000004: LD A,(HL) 00000005: AND E0h 00000007: OR 08h 00000009: OUTA (3Eh) To put this into english, put the address C000 into HL. Load the contents of C000 into A. And A with E0, then OR A with 8. Then put this value out to port $3E . Interesting, after reading through some posts on this board, with erics words I found this out. IT puts the value into $C000 which is used to try and find the SEGA TMR crap in a rom. In this case since the rom is 256kbytes it must be a cartridge so the bios would set C000 to AB, find SEGA TMR and do whatever else crap. It hands over power to the cartridge now, so we are at location 0 in rom AB is in c000 It ands AB with E0, this results in A0 A0 is ORed with 8, effectively adding 8 to it, so its now A8 It writes A8 to port $3E Now from what people have posted on this board A8 doesnt effect anything. So why would it write this value? This rom writes 31 to FRAME1 register(FFFE) which when AND'd with 15 (rom pages in rom) gives 15. It is supposed to page in page1(0x4000-0x8000 in rom) into FRAME1, not page15(the last page in the rom), i know this because if i set it to page page1 in the rom works, otherwise it pages in page15 causing it not to work. What do you infophobes think? Bios does something here? -Jason Starr-

PolestaR Guest	Well i'll be f*cked Posted: Thu Mar 22, 2001 3:13 pm
PolestaR Guest	After a few hours of getting the damned REAL sms bios to work I did it! It checksums the rom and everything, searches thruogh the pages adding up the checksum. Guess what with Ace of Aces. The bios now makes it work! The bios obviously sets up how the paging system should work , as Ace of Aces uses Ram addresses set by bios and MWAH it works. This is obviously going to have an effect on other roms but this is excellent!!!!!! WOooooooooo. More news to come. -Jason Starr-

vecna Guest	Re: Well i'll be f*cked Posted: Thu Mar 22, 2001 4:04 pm
vecna Guest	Quote > It checksums the rom and everything, searches thruogh the pages adding up the checksum. Guess what with Ace of Aces. The bios now makes it work! The bios obviously sets up how the paging system should work , as Ace of Aces uses Ram addresses set by bios and MWAH it works. This is obviously going to have an effect on other roms but this is excellent!!!!!! > WOooooooooo. More news to come. Well... Don't get too excited. Three things. 1) I had the same thing happen. With MAMEZ80 Ace of Aces won't boot unless the BIOS is loaded first. 2) Remember that Power Base Converter, MasterGear Converter etc, don't HAVE BIOS, and they're supposed to run all games except F-16. So, I don't think it's proper that they need emulation. 3) Ace of Aces works without the BIOS on other CPU cores (in CHASMs anyway). soo...... uhm. - vecna

Mike G Joined: 21 Apr 2000 Posts: 598 Location: Newcastle upon Tyne, England	Re: Well i'll be f*cked Posted: Thu Mar 22, 2001 6:30 pm
	Quote > After a few hours of getting the damned REAL sms bios to work I did it! > It checksums the rom and everything, searches thruogh the pages adding up the checksum. Guess what with Ace of Aces. The bios now makes it work! The bios obviously sets up how the paging system should work , as Ace of Aces uses Ram addresses set by bios and MWAH it works. This is obviously going to have an effect on other roms but this is excellent!!!!!! > WOooooooooo. More news to come. Nice work Jason! (I didn't actually know about the Ace of Aces issue, but that would explain why it doesn't work correctly on a Mega Drive w/PBC...) Mike

Eric R. Quinn Joined: 18 Sep 1999 Posts: 498 Location: Portland, Oregon USA	Re: Well i'll be f*cked Posted: Thu Mar 22, 2001 6:54 pm
	Quote > After a few hours of getting the damned REAL sms bios to work I did it! > It checksums the rom and everything, searches thruogh the pages adding up the checksum. Guess what with Ace of Aces. The bios now makes it work! The bios obviously sets up how the paging system should work , as Ace of Aces uses Ram addresses set by bios and MWAH it works. This is obviously going to have an effect on other roms but this is excellent!!!!!! > WOooooooooo. More news to come. I've traced through some of Ace of Aces using MesaDX and this is what I've found: Ace of Aces never initializes SP, and if your CPU emulator is anything like mine, SP at reset is 0x0000. Consequently, the first CALL instruction at 0x001C pushes the return address 0x001F to address 0xFFFE-0xFFFF, the paging registers. This is why page 15 was being mapped into frame 1, because of the implicit push. (This might also explain why Ace of Aces works with certain CPU cores and not others. For example, if a CPU core sets SP to 0xFFFF at reset, then 0x01FF gets pushed to 0xFFFD-0xFFFE. Notice that 0x01 is the still the value in 0xFFFE so everything still works correctly.) I suspect that one (perhaps the only one) reason that Ace of Aces works when preceeded by BIOS is that BIOS sets up the SP. I suggest you try Ace of Aces again with your emulator, but this time make sure SP is not 0x0000 at reset (try 0xDFF0). Does Ace of Aces work now without the BIOS? Some other things to consider are the settings of the VDP registers at reset in you emulator. -- Eric Quinn Quote > -Jason Starr-

Eric R. Quinn Joined: 18 Sep 1999 Posts: 498 Location: Portland, Oregon USA	Mistake Posted: Thu Mar 22, 2001 6:58 pm
	Quote > ... (This might also explain why Ace of Aces works with certain CPU cores and not others. For example, if a CPU core sets SP to 0xFFFF at reset, then 0x01FF gets pushed to 0xFFFD-0xFFFE. Notice that 0x01 is the still the value in 0xFFFE so everything still works correctly.) Oops. Scratch that remark about the other CPU cores and their SP reset values. 0x00 would be pushed to 0xFFFE resulting in page 0 being in frame 1 not page 1. -- Eric Quinn

vecna Guest	No mistake! Posted: Thu Mar 22, 2001 8:38 pm
vecna Guest	Well, sort of. You're right about if SP was initialized it to 0xFFFF. But, when I set up chasms to initialize SP to 0xDFF0, Ace of Aces, Shadow Dancer and zoop's V31.SMS now work without needing the BIOS enabled in CHASMS. Mike G, you mentioned Ace of Aces doesn't work on on a MD/PBC ... Does Shadow Dancer? If not, that would be very.. interesting. That would mean that two commercial games don't initialize SP, which is .. strange. Technically speaking, then, James McKay's warning about initializing SP is unnecessary. ^_^ - vecna

Heliophobe Site Admin Joined: 25 Oct 1999 Posts: 2029 Location: Monterey, California	Re: No mistake! Posted: Thu Mar 22, 2001 9:09 pm
	Quote > Well, sort of. You're right about if SP was initialized it to 0xFFFF. > But, when I set up chasms to initialize SP to 0xDFF0, Ace of Aces, Shadow Dancer and zoop's V31.SMS now work without needing the BIOS enabled in CHASMS. I know for sure that v31.sms doesn't initialize the stack pointer, I've bitched about it before. I've also noticed a couple of games(can't remember which) that make a few calls (to shut off the sound channels, things like that) and -then- set the stack pointer.

PolestaR Guest	Re: Well i'll be f*cked Posted: Fri Mar 23, 2001 1:32 am
PolestaR Guest	Of course it would work on other cpu cores, it depends on how youve set up the emulation. In this case the stack and paging matters. I had ace of aces working in Marats core, but then it stopped working suddenly one day and i didnt realize what it was. Now I know what it was, the day it stopped working i switched to a new more accurate paging method with help from James McKays doc. This was in the first week of my emulator. Now ive tested it, setting frame1 paging to normal, loading ace of aces and watching it screw itself over by writing 31 to frame1 regs. NOW with the bios enabled which i guess you had before, except that it was hacked not to do checksums etc, it clears the ram to a KNOWN state for Ace of Aces which makes it work. So which is more accurate?

asynchronous Joined: 14 Aug 2000 Posts: 742 Location: Adelaide, Australia	Re: dodgy authentication/security Posted: Fri Mar 23, 2001 2:57 am


asynchronous Joined: 14 Aug 2000 Posts: 742 Location: Adelaide, Australia	WOOPS! hit enter instead of tab Posted: Fri Mar 23, 2001 3:07 am
	looks like some dodgy security or authentication. the AND masks the three slot enable bits. so if the start-up slot is not in $C000 then the cart isn't mapped in correctly. the OR just shadows the bios and enables the 8kB of RAM. so the program doesn't explicitly set the stack pointer. this is not a big deal if a preceding program, ie BIOS, sets the stack pointer but if the stack pointer is not set, then all hell breaks loose. two step security lockout in 9 bytes. not bad coding... BTW Jason I got myself a SMS1 for $5 and a 3050 lightphaser for $3!!! now i just have to get around to locating one for you. =o) a s out.

PolestaR Guest	WTF!!!!!!!!!!! Posted: Fri Mar 23, 2001 4:47 am
PolestaR Guest	Um you better get me one that cheap you bastard!! :P Hehehe. You'll end up getting one that costs 300 dollars for me wont you :P. Try and get any accesories or anything you can and my woman can pick it up from you sometime :), She going over there for easter so pick one up soon! Thanks again. -Jason Starr-

asynchronous Joined: 14 Aug 2000 Posts: 742 Location: Adelaide, Australia	stop checking the forum and get back to work. Posted: Fri Mar 23, 2001 5:35 am
	I reckon I can get you one with joypad and cables etc for $10. Of course I'll keep the best case and PCB for myself and send you the shabbier SMS of the two ;o) he he he before easter won't be a problem. cheers big-ears. a s out. Quote > Um you better get me one that cheap you bastard!! :P > Hehehe. You'll end up getting one that costs 300 dollars for me wont you :P. Try and get any accesories or anything you can and my woman can pick it up from you sometime :), She going over there for easter so pick one up soon! Thanks again. > -Jason Starr-

PolestaR Guest	Re: No mistake! Posted: Mon Mar 26, 2001 4:01 am
PolestaR Guest	Well, RAZE i assume sets Stack Pointer to 0x0000 at startup. I got V31.sms working, without setting the stack pointer, the problem i was having was with the value written to 0xFFFD, Zoops smspower demo needs have that value NOT ANDED when written to ram. I assume this is the behaviour of all roms, as when i switched all registers to not AND the value written to ram(unlike what james mckays doc says) no problems have arisen. -Jason Starr-

Forums

View topic - Bios Stuff