S95Sedan wrote on 2023-09-30, 18:47:

CT1730, v404 CT2750 v411 CT3900 v413 (All original roms) […]
Show full quote

CT1730, v404
CT2750 v411
CT3900 v413
(All original roms)

Thanks, S95Sedan !
Looks like i coded all basic stuff good.
Next steps require a external midi loopback (MIDI OUT to MIDI IN).
Just bought D-SUB connector for gameport on SB, will solder 2 wires to do loopback. (MIDI cable from OUT to IN also can be used).

Maelgrum wrote on 2023-09-30, 18:53:

maxtherabbit wrote on 2023-09-30, 18:44:

Here's the output from one of my CT2230s running 4.13 patch3

RAM dump looks good, thank you maxtherabbit !

The method to change SP won't work on 8052 because SP is mapped at RAM address 182h while the SB function FA (and F9 for reading) accepts only byte as an address value and therefore is unable to access SFRs on 8052. I haven't looked at your SBDUMP but I guess it is reading only the first 256 bytes of RAM while SP lays beyond that address space.

Gmlb256 wrote on 2023-09-30, 19:01:

Here is a dump from the AWE64 CT4520, DSP v4.16.

Edit: Added LOG.TXT.

Thank you for testing, Gmlb256 !

[/quote]
The method to change SP won't work on 8052 because SP is mapped at RAM address 182h while the SB function FA (and F9 for reading) accepts only byte as an address value and therefore is unable to access SFRs on 8052. I haven't looked at your SBDUMP but I guess it is reading only the first 256 bytes of RAM while SP lays beyond that address space.
[/quote]

You are right, but attack via MIDI OUT to IN is possible.
R1 is accessible in RAM.

Maelgrum wrote on 2023-09-30, 19:02:

Next steps require a external midi loopback (MIDI OUT to MIDI IN).
Just bought D-SUB connector for gameport on SB, will solder 2 wires to do loopback. (MIDI cable from OUT to IN also can be used).

I am not sure about what is your idea, but do you know "awe_dump" and I don't mean the tool you made, but the almost 30 years old tool that makes dump of EMU8000 ROM - I am attaching it - it's written in Pascal thus the source code is a little hard for me to read. So, maybe if the DSP includes some EMU8000 commands or communication, you can use EMU8000 as entry point to execute code inside the DSP - maybe I am talking nonsense I don't know, but in any way, maybe in final version of your Dumper nice addition (for completeness of features) will be to include EMU8000 ROM dump as well, even if it's not usable for DSP attack.

Maelgrum wrote on 2023-09-30, 19:06:

The method to change SP won't work on 8052 because SP is mapped at RAM address 182h while the SB function FA (and F9 for reading) accepts only byte as an address value and therefore is unable to access SFRs on 8052. I haven't looked at your SBDUMP but I guess it is reading only the first 256 bytes of RAM while SP lays beyond that address space.
[/quote]

You are right, but attack via MIDI OUT to IN is possible.
R1 is accessible in RAM.
[/quote]
Yes, R1 is accessible but since it is initialized upon entry to UART mode with SB function 34h and UART mode is terminated only via 8052 reset there is no use of R1?

georgel wrote on 2023-09-30, 19:11:

Maelgrum wrote on 2023-09-30, 19:06:

The method to change SP won't work on 8052 because SP is mapped at RAM address 182h while the SB function FA (and F9 for reading) accepts only byte as an address value and therefore is unable to access SFRs on 8052. I haven't looked at your SBDUMP but I guess it is reading only the first 256 bytes of RAM while SP lays beyond that address space.

You are right, but attack via MIDI OUT to IN is possible.
R1 is accessible in RAM.
[/quote]
Yes, R1 is accessible but since it is initialized upon entry to UART mode with SB function 34h and UART mode is terminated only via 8052 reset there is no use of R1?
[/quote]

It must be initialized also by MPU init. A then we can modify it.

Maelgrum wrote on 2023-09-30, 19:02:

Thanks, S95Sedan ! Looks like i coded all basic stuff good. Next steps require a external midi loopback (MIDI OUT to MIDI IN). J […]
Show full quote

Thanks, S95Sedan !
Looks like i coded all basic stuff good.
Next steps require a external midi loopback (MIDI OUT to MIDI IN).
Just bought D-SUB connector for gameport on SB, will solder 2 wires to do loopback. (MIDI cable from OUT to IN also can be used).

Pin 15 <> Pin 12 i assume?

Here, i do initialization of MPU, and then read memory dump.
In second byte of dump, we must see 0x40

Maelgrum wrote on 2023-09-30, 19:19:

Here, i do initialization of MPU, and then read memory dump.
In second byte of dump, we must see 0x40

this one is meant to be used with MIDI loopback?

Maelgrum wrote on 2023-09-30, 19:14:

It must be initialized also by MPU init. A then we can modify it.

And then one must activate UART mode with SB command 34h which in turn will reinitialize R1 value.

S95Sedan wrote on 2023-09-30, 19:17:

Maelgrum wrote on 2023-09-30, 19:02:

Thanks, S95Sedan ! Looks like i coded all basic stuff good. Next steps require a external midi loopback (MIDI OUT to MIDI IN). J […]
Show full quote

Thanks, S95Sedan !
Looks like i coded all basic stuff good.
Next steps require a external midi loopback (MIDI OUT to MIDI IN).
Just bought D-SUB connector for gameport on SB, will solder 2 wires to do loopback. (MIDI cable from OUT to IN also can be used).

Pin 15 <> Pin 12 i assume?

15 <-> 12, and 4 <-> 5 (this may be unnessesary)

georgel wrote on 2023-09-30, 19:21:

Maelgrum wrote on 2023-09-30, 19:14:

It must be initialized also by MPU init. A then we can modify it.

And then one must activate UART mode with SB command 34h which in turn will reinitialize R1 value.

Why we need cmd 0x34 at all ?
MPU-401 is all that needed.

maxtherabbit wrote on 2023-09-30, 19:21:

Maelgrum wrote on 2023-09-30, 19:19:

Here, i do initialization of MPU, and then read memory dump.
In second byte of dump, we must see 0x40

this one is meant to be used with MIDI loopback?

No, its just like previous code, but with MPU init done before dump.
So it will work as before.

Maelgrum wrote on 2023-09-30, 19:24:

maxtherabbit wrote on 2023-09-30, 19:21:

Maelgrum wrote on 2023-09-30, 19:19:

Here, i do initialization of MPU, and then read memory dump.
In second byte of dump, we must see 0x40

this one is meant to be used with MIDI loopback?

No, its just like previous code, but with MPU init done before dump.
So it will work as before.

Ok here's the output from the AWE32 on this version of the dumper

maxtherabbit wrote on 2023-09-30, 19:35:

Ok here's the output from the AWE32 on this version of the dumper

Just as expected - second byte is 0x40.
Thanks, maxtherabbit !

Maelgrum wrote on 2023-09-30, 19:19:

Here, i do initialization of MPU, and then read memory dump.
In second byte of dump, we must see 0x40

Dump from CT4520 AWE64 with that version of SB16DUMP.

Maelgrum wrote on 2023-09-30, 19:22:

S95Sedan wrote on 2023-09-30, 19:17:

Maelgrum wrote on 2023-09-30, 19:02:

Thanks, S95Sedan ! Looks like i coded all basic stuff good. Next steps require a external midi loopback (MIDI OUT to MIDI IN). J […]
Show full quote

Thanks, S95Sedan !
Looks like i coded all basic stuff good.
Next steps require a external midi loopback (MIDI OUT to MIDI IN).
Just bought D-SUB connector for gameport on SB, will solder 2 wires to do loopback. (MIDI cable from OUT to IN also can be used).

Pin 15 <> Pin 12 i assume?

15 <-> 12, and 4 <-> 5 (this may be unnessesary)

4 and 5 seem to be ground;
http://midi.teragonaudio.com/hardware/pc_intfc.htm

Maelgrum wrote on 2023-09-30, 19:39:

maxtherabbit wrote on 2023-09-30, 19:35:

Ok here's the output from the AWE32 on this version of the dumper

Just as expected - second byte is 0x40.
Thanks, maxtherabbit !

Nothing unusual - it points to the beginning and end of an empty buffer 40h. When UART is initialized via SB command 34h that is its initial value too. Not sure about the MPU interface though, I made some manual tests but at one point the sound card entered the usual UART mode that can be exited via 8052 reset only.

Thank you all !
Now i can try to code real dumper. First version will be dedicated V4.13 dumper as proof of concept.