Tried all sorts of things here on the 4.11 card but I couldn't get the loopback working.
Mostly due to not wanting to blow up the card as it supplies voltage on the DB62 connector.
(Directly on the joystick didn't work, cable loopback didn't work either.)
Excellent !
This information will be used at next stages.
ADDR1 is address inside F9 command. ADDR2 is address of main command loop.
Next stage will be evaluation of possible injection vectors.
In MPU loop, stack will be:
C4 - 0C <- here we inject values from 0 to 3
C3 - 17
C2 - 04 <- here we inject values from 0 to 3
C1 - 98
C0
And memory at location 0xC0 and below will be filled with 0x00, so after some code execution in the interrupt handler, RETI will direct execution flow to address 0x0000 - the Reset handler.
After reset, the fw outputs byte 0xAA to the data port.
So we will try to jump to address 0x0098, 0x0198, 0x0298, 0x0398, 0x0017, 0x0117,0x0217,0x0317, and see what happens
If SB hangs - it's a bad vector.
If AA is in the data port - it's an indication of a possible good vector.
S95Sedan wrote on 2023-10-04, 04:43:
    Tried all sorts of things here on the 4.11 card but I couldn't get the loopback working.
    Mostly due to not wanting to blow up the card as it supplies voltage on the DB62 connector.
    (Directly on the joystick didn't work, cable loopback didn't work either.)
Sounds very promising, and 4 addresses for 2 locations - it's not that many tries to see which ones are potentially good.
It is only stage 1, to discard definitely bad variants.
Stage 2 will be more complex:
To determine stack structure for potentially good variants.
We already determined the code position ADDR1 of the read-memory command.
So by bruteforcing, we can try to jump to this location.
So we try variants of stack structure:
C0 - 0A
BF - 66
then:
C0 - 0
BF - 0A
BE - 66
and so on, rolling down over some reasonable range, until we get something from the SB data port (not 0xAA).
Repeat for all potentially good variants of injection.
This is Stage 2. We have determined where the return address is placed on the stack for each injection variant.
Last edited by Maelgrum on 2023-10-04, 05:44. Edited 2 times in total.
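Added host-side model of the two-stage search described in Maelgrum's two posts above (this is example code written for this page, not Maelgrum's tooling or anything posted in the thread). It enumerates the Stage 1 injection vectors from the stack image, builds the Stage 2 "rolling" frames around ADDR1, classifies a probe response as hang / reset marker / hit, and runs the whole search against a constructed stand-in for the DSP. Assumptions, all labelled in the code: an 8051-style stack order (RETI pops the high byte from the higher address; this is what reproduces the post's 0x0017..0x0317 and 0x0098..0x0398 list), ADDR1 = 0x0A66 read off the "C0 - 0A / BF - 66" frame, and the FakeTarget's behaviour, which is invented purely so the script runs offline.

```python
"""Model of the Stage 1 / Stage 2 return-address search (example, not thread code)."""
from typing import Callable, Dict, List, Optional, Tuple

# Stack image from the post, keyed by stack address.
# Assumption: 8051-style stack (grows upward, RETI pops PC high byte first),
# so the high byte sits at the higher address.
STACK_IMAGE: Dict[int, int] = {0xC4: 0x0C, 0xC3: 0x17, 0xC2: 0x04, 0xC1: 0x98, 0xC0: 0x00}
INJECT_SLOTS = (0xC4, 0xC2)   # bytes the injection can overwrite
INJECT_VALUES = range(4)      # values 0..3 the injection can place there
ADDR1 = 0x0A66                # read-memory command position (C0 - 0A, BF - 66)
RESET_MARKER = 0xAA           # byte the fw writes to the data port after reset

Variant = Tuple[int, int]     # (slot, injected value)
Response = Optional[int]      # None models a hung DSP, else the data-port byte


def reti_target(stack: Dict[int, int], sp: int) -> int:
    """Address RETI pops with SP at `sp`; unwritten bytes read as 0x00 (post: memory
    at 0xC0 and below is zero-filled)."""
    return (stack.get(sp, 0) << 8) | stack.get(sp - 1, 0)


def stage1_vectors(stack=STACK_IMAGE, slots=INJECT_SLOTS, values=INJECT_VALUES) -> List[Tuple[int, int, int]]:
    """Every (slot, value, resulting return address) the injection can produce."""
    out = []
    for slot in slots:
        for v in values:
            patched = dict(stack)
            patched[slot] = v
            out.append((slot, v, reti_target(patched, slot)))
    return out


def stage2_frames(addr: int = ADDR1, top: int = 0xC0, max_depth: int = 8) -> List[Dict[int, int]]:
    """Frames that roll `addr` down the stack: depth d puts d zero bytes above it."""
    frames = []
    for depth in range(max_depth):
        frame = {top - i: 0x00 for i in range(depth)}
        frame[top - depth] = addr >> 8
        frame[top - depth - 1] = addr & 0xFF
        frames.append(frame)
    return frames


def classify(resp: Response) -> str:
    """The three outcomes the posts distinguish."""
    if resp is None:
        return "bad vector (DSP hung)"
    if resp == RESET_MARKER:
        return "possible (reset handler reached)"
    return "hit (code at target executed)"


def run_search(probe1: Callable[[int, int], Response],
               probe2: Callable[[int, int, Dict[int, int]], Response],
               max_depth: int = 8) -> Dict[Variant, Optional[int]]:
    """Stage 1 discards hanging variants; Stage 2 reports, per survivor, the depth at
    which the data port returns something other than the reset marker (None if never)."""
    result: Dict[Variant, Optional[int]] = {}
    for slot, v, _addr in stage1_vectors():
        if probe1(slot, v) is None:
            continue
        result[(slot, v)] = None
        for depth, frame in enumerate(stage2_frames(max_depth=max_depth)):
            if classify(probe2(slot, v, frame)).startswith("hit"):
                result[(slot, v)] = depth
                break
    return result


class FakeTarget:
    """Constructed stand-in for the DSP (assumption, not real hardware behaviour):
    `hidden` maps the variants that survive Stage 1 to the stack address the real
    RETI would pop from."""

    def __init__(self, hidden: Dict[Variant, int]):
        self.hidden = hidden

    def probe1(self, slot: int, value: int) -> Response:
        return RESET_MARKER if (slot, value) in self.hidden else None

    def probe2(self, slot: int, value: int, frame: Dict[int, int]) -> Response:
        sp = self.hidden.get((slot, value))
        if sp is None:
            return None
        target = reti_target(frame, sp)
        if target == ADDR1:
            return 0x55          # constructed: a byte from the read-memory command
        if target == 0x0000:
            return RESET_MARKER  # landed in the reset handler
        return None              # anything else: treat as a hang


if __name__ == "__main__":
    fake = FakeTarget({(0xC4, 0): 0xBE, (0xC2, 1): 0xBC})
    for slot, v, addr in stage1_vectors():
        print(f"inject {v} at 0x{slot:02X} -> RETI to 0x{addr:04X}: {classify(fake.probe1(slot, v))}")
    print(run_search(fake.probe1, fake.probe2))
```

Against a real card the two probe callables would be the routines that write the injection through the DSP command port and read the data port with a timeout (timeout = hang); the rest of the search logic is unchanged. Note how, for one variant, the rolling frames pass through all three outcomes (reset marker while ADDR1 is still above the popped slot, hang when only its low byte lines up, hit when both bytes land), which is exactly the signal Stage 2 relies on.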
The ultimate goal is to crack and dump 4.16. It fixes the single-cycle DMA bug, and I think it may work on older SB/AWEs.
But does it really fix the single cycle DMA bug? Vibras don't have it and if they use the same v4.13 DSP, then the single cycle DMA bug is likely not a DSP bug but some hardware bug elsewhere. But hopefully some workaround hack can be made to the DSP code.
That's kind of off-topic here, but it's probably just a card custom-modified by someone that was then sold and ended up with you, because 5 years ago it was posted here "I de-CQMed my AWE32 PnP CT3990...!":
and such a modification became popular among the retro community, i.e. how to replace CQM with YMF289B on SB cards that have (unpopulated) pads for both those chips. I myself ordered all the necessary chips back then, but I did not actually do it...
Thanks for pointing to the thread. The post you mentioned showed greater detail about how to make cards use YMF289B instead of CQM.
I am 99% sure that @LSS10999's card was modified by someone and was not manufactured like that by Creative, but in any case it doesn't really matter, as such a modification is possible both ways, and thus this off-topic is now settled.
I got my card a long time ago (long before that thread existed), and it was already like that -- having YMF289B instead of CQM. I couldn't find any trace of modifications... but it doesn't matter anyway.
The original question that led to this off-topic was about how the DSP would know whether there's a CQM or a real OPL (YMF289B in this case). I think the answer to it is also there from what I've read.
Still, I'm looking forward to seeing a proper dump of 4.16 FW.