
Z80 music driver disassembly

Discussion in 'Engineering & Reverse Engineering' started by Sik, Mar 18, 2006.

Thread Status:
Not open for further replies.
  1. Sik

    Sik

    Sik is pronounced as "seek", not as "sick". Tech Member
    6,718
    1
    0
    being an asshole =P
    Well, this is my first disassembly and I didn't figure out enough about how it works, so it needs cleaning. But here you have it. I disassembled the Z80 music driver used in most MegaDrive games! Now you can edit it, reassemble it and use it in your hacks/games! Maybe improve the sound? Unluckily we have the stupid issue of the lack of Z80 in the models 2 and later, where probably the driver was implemented inside the hardware... ;) Anyways, here you have it:

    http://www.sepwich.com/sonicaction/otherfi...iv_20060318.asm

    It needs cleaning BADLY. Can you help me with it? Thanks in advance. You'll have credit because of that. :) Well, at least it's an interesting disassembly...

    PS: maybe I uploaded the file with the wrong filename, I don't remember. Tell me if I did it. In any case, try z80driv_20061803.asm if it doesn't download.
     
  2. Tweaker

    Tweaker

    Banned
    12,387
    2
    0
    You need to be a fucking Tech Member. I love you. ;_;
     
  3. LocalH

    LocalH

    roxoring your soxors Tech Member
    All versions of the Genesis have a Z80 in some way, as otherwise they wouldn't even generate sound (as the games know nothing about some hardware driver, which doesn't even exist, so they would still try to use the Z80). Even Sonic 1 would fail to generate any samples, although the FM is driven by the 68k part of the driver.

    What the Gen3 lacks is the SMS compatibility mode. The Gen2 can easily run SMS software, the only reason the PBC fails to work is due to the physical case design. The SMD can run some, but not all, SMS software by using a custom loader such as Charles MacDonald's smd.exe, and I've had equal success with the same games on both my Gen1 and Gen2.

    Also, welcome to S2B.
     
  4. Sik

    Sik

    Sik is pronounced as "seek", not as "sick". Tech Member
    Wait a second, do you mean that the information I have is wrong and the Z80 is present in all the models? Oh, cool! OK, now hacking it will make sense for use on the real hardware, being compatible with all the models :D Thanks for the information, LocalH! ;)

    EDIT: typo.
     
  5. LocalH

    LocalH

    roxoring your soxors Tech Member
    Yeah, many people equate no SMS compatibility with no Z80 for some reason.

    Also, this is an awesome development. There are now three separate efforts that basically make it possible to use your own custom music in homebrew code. There's your project, there's my extraction of the S1 music driver from Hivebrain's disassembly, and there's an effort to port MVS Tracker, originally for the Neo Geo, to the Genesis as well. It seems like this is the era of original music on the Genesis, and that makes me very happy.
     
  6. Sik

    Sik

    Sik is pronounced as "seek", not as "sick". Tech Member
    Oh, yeah, that sounds cool ;) And maybe I can take advantage of it when making my own amateur MegaDrive games... I was thinking that the Z80 driver disassembly can help in the following two ways:

    1. Improving the driver
    2. Getting the Z80 to do more than just administrate the music (we have two processors, take advantage of it!)

    Anyways, it's pretty uncommented, and I need help commenting it... Except for that detail, it's probably the best idea I've had... I suggest commenting it and then editing it... Who wants to help? I'll see what I can do, but since it's my first disassembly I'll probably miss a lot...

    And all this only for a five-minute thingy... XD Originally I tried to disassemble it manually, reading each opcode, because I didn't have any disassembler and I lacked Internet in my house then, but I made mistakes causing instruction displacements, so, now that I have Internet restored, I downloaded a disassembler and did the right thing. :) Yeah, that sounds crazy, but I did that...
     
  7. drx

    drx

    mfw Researcher
    2,254
    350
    63
    :rolleyes:
    LocalH: you're counting out my custom song player =P but seriously, I was thinking of some serious music driver, which would support all FM and PSG channels, with a MIDI importing utility. What do you think? :D

    Sik, I was looking through your comments. The 0003-0045 part is used for variables. They didn't put it in the data section because of many things. First, the driver was a generic driver, programmed to be used in many games (and it was), and some programmers attempt to clear any data after loading the Z80 driver, up to 1fff. Second, it's easier to maintain, really. I've programmed some Z80 stuff in the past, it's easier to just declare the variables before everything, believe me.
     
  8. Sik

    Sik

    Sik is pronounced as "seek", not as "sick". Tech Member
    DRX, I actually gave the name DATA to the section where the variables are stored. I got that habit after reading the source code of some Intel ASM programs. So, the CODE section is the driver by itself. OK? Anyways, it says "42 bytes" when it must be "$42 bytes", since I forgot that the addresses were in hexadecimal when I did the subtraction XD Fixed for the next time I release it...
     
  9. drx

    drx

    mfw Researcher
    You know what I find funny? Some drivers (not this one though), use the space between 0003 and 0040-0050, but they never use eg. 000a-000f (hexadecimal addresses). I have no idea why! It looks really strange, as if the programmer thought he was using decimal addresses, when he was actually addressing using hex numbers :P
     
  10. Sik

    Sik

    Sik is pronounced as "seek", not as "sick". Tech Member
    Hehe... But I noticed that only the first and last variable addresses are used ($0003 to $0007, $0040 to $0045). Dunno why...

    BTW, fixed the terms in the disassembly so they match with the ones you (indirectly) suggested... No, I didn't reupload it :P Anyways, I think we must first worry about cleaning it... I say "we" because, as I said before, surely I miss something... Seeing how ASM code works isn't easy, people...

    EDIT: I ungodly missed the addresses used! They're $0039 and $0040 to $0045 (like DRX said, they missed $003A to $003F).

    EDIT 2: Wait, DRX said "not this one though"... But I don't find any reference to those addresses in the disassembly... DRX, are you sure that this driver doesn't have that error?
     
  11. Aurochs

    Aurochs

    Единый, могучий Советский Союз! Tech Member
    2,343
    0
    0
    Whatever catches my fancy
  12. Sik

    Sik

    Sik is pronounced as "seek", not as "sick". Tech Member
    A question: what's that file? Seems like I don't have anything on my computer to open it. :/

    BTW, I finally separated the two main loops in the code, as well as the initialization code. I know that the one named "SendLoop" is wrongly named, but that's a provisional name for now. Well, at least it's something...

    http://www.sepwich.com/sonicaction/otherfi...iv_20060319.asm

    I think that the "SendLoop" is the one where the driver sends the data to the sound hardware, hence the name Send. So there you have something more. ;)
     
  13. ICEknight

    ICEknight

    Researcher Researcher
    Hmmm... Since that Sappy thing could export MIDIs from the Sonic Advance games, being possible to easily import MIDIs to the Genesis Sonics would be...



    Well, hmmmmMMMMMMMMmmmmm...
     
  14. Sik

    Sik

    Sik is pronounced as "seek", not as "sick". Tech Member
    Update:
    http://www.sepwich.com/sonicaction/otherfi...iv_20060320.asm

    The first part of the main loop, that is, everything before the second loop, is commented, so there you have a point for starting. Is it OK? Maybe I put a wrong description about $0039 at the beginning, but just to clear things up: the $0039 is changed somewhere outside the driver, I don't know if by the 68k or the sound hardware (probably it's the 68k). Oh, and DRX was right, $003A to $003F were used... But it only assigns values to them at the beginning and does nothing more with them... Why?

    BTW, I have a problem with this group of instructions in the second loop, a group that appears seven times consecutively:

    LD (HL), A
    RRCA

    Can somebody explain to me what it supposedly does? Because with the information I have about those instructions, it doesn't make sense to me :/
     
  15. LocalH

    LocalH

    roxoring your soxors Tech Member
    That's the code that chooses which 68k ROM bank will appear in the upper 32KB of the Z80's address space. It's basically writing the upper 9 bits of the starting bank address to $6000, beginning with bit 15 and ending with bit 23 (and the bottom 15 bits of course come from the actual Z80 memory access). Here's an excerpt from Charles MacDonald's Genesis docs:

    Code (Text):
    2.3) Banking

     The Z80 can access the 68000's address space through a banking mechanism
     which maps 32k pages to 8000-FFFFh on the Z80 side.

     Most games do this to get at large data chunks like YM2612 DAC samples.
     However, you can access anything else the 68000 can. (I've tried reading
     the version register and setting the VDP border color this way with
     success - in fact some 32X sample code shows the PWM sound generator
     programmed by the Z80 through banking)

     To specify which 32k section you want to access, write the upper nine
     bits of the complete 24-bit address into bit 0 of the bank address
     register, which is at 6000h (Z80) or A06000h (68000), starting with
     bit 15 and ending with bit 23.

     For example:

            ld      ix, $6000      ;
            xor     a              ;
            ld      (ix), a        ; Bit 15 = 0
            ld      (ix), a        ; Bit 16 = 0
            ld      (ix), a        ; Bit 17 = 0
            ld      (ix), a        ; Bit 18 = 0
            ld      (ix), a        ; Bit 19 = 0
            ld      (ix), a        ; Bit 20 = 0
            ld      (ix), a        ; Bit 21 = 0
            inc     a              ;
            ld      (ix), a        ; Bit 22 = 1
            ld      (ix), a        ; Bit 23 = 1

     After this routine executes, Z80 addresses 8000-FFFFh now correspond
     to 68000 addresses C00000-C07FFFh.

     In my own tests, I've been unable to do the following:

     - Read banked 68000 RAM. (returns FFh)
     - Find result of partial writes to the bank address register.
     - Have the Z80 read A00000-A0FFFF through the banked memory area.
       (locks up the machine)

     Steve Snake informed me that reading 68000 RAM is possible, but is not
     a recommended practice by Sega. Perhaps only some models of the Genesis
     allow for it.
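
The bank-select sequence described in the post above, modelled in C as an added example (not code from the thread, the driver or the quoted document). It assumes the register behaves as a 9-bit shift register fed from data bit 0, which is how the quoted text describes it; the function names, the value held in A and the ninth written bit are hypothetical. It generalizes the document's fixed C00000h case to the `LD (HL), A` / `RRCA` pattern asked about earlier in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* One write to $6000: bit 0 of the data is shifted in at the top of a 9-bit
   register, so after nine writes the first bit written sits at the bottom
   (68k address bit 15) and the last at the top (address bit 23). */
static uint16_t bank_write(uint16_t bank, uint8_t data) {
    return (uint16_t)((bank >> 1) | ((data & 1u) << 8));
}

/* Z80 RRCA: rotate A right by one; bit 0 wraps around to bit 7. */
static uint8_t rrca(uint8_t a) { return (uint8_t)((a >> 1) | (a << 7)); }

/* The document's routine: seven writes of 0, then two writes of 1. */
uint32_t doc_example_base(void) {
    uint16_t bank = 0;
    for (int i = 0; i < 7; i++) bank = bank_write(bank, 0);
    bank = bank_write(bank, 1);
    bank = bank_write(bank, 1);
    return (uint32_t)bank << 15;
}

/* LD (HL),A / RRCA pattern: A is written eight times with a rotate between
   writes (address bits 15..22), then a ninth write supplies bit 23. */
uint32_t select_bank(uint8_t a, uint8_t bit23) {
    uint16_t bank = 0;
    for (int i = 0; i < 8; i++) { bank = bank_write(bank, a); a = rrca(a); }
    return (uint32_t)bank_write(bank, bit23) << 15;
}

/* Map a Z80 address to the 68k bus; UINT32_MAX if outside the 8000-FFFFh window. */
uint32_t z80_to_68k(uint32_t base, uint16_t z80_addr) {
    if (z80_addr < 0x8000) return UINT32_MAX;
    return base | (z80_addr & 0x7FFFu);
}

/* Failure mode listed in the document: a window inside A00000-A0FFFF. */
int window_hits_z80_area(uint32_t base) {
    return base >= 0xA00000 && base <= 0xA0FFFF;
}

int main(void) {
    printf("doc example base: %06X\n", (unsigned)doc_example_base());
    printf("A=$80, bit23=1:   %06X\n", (unsigned)select_bank(0x80, 1));
    printf("Z80 $8004 maps to %06X\n", (unsigned)z80_to_68k(0xC00000, 0x8004));
    printf("A=$40, bit23=1 hits Z80 area: %d\n",
           window_hits_z80_area(select_bank(0x40, 1)));
    return 0;
}
```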
     
  16. Sik

    Sik

    Sik is pronounced as "seek", not as "sick". Tech Member
    Thanks, now that piece of code makes sense to me. Yeah, the complete code (not only those instructions) makes nine moves in total. For some reason I thought they were eight XD Thank you!

    EDIT: update AGAIN
    http://www.sepwich.com/sonicaction/otherfi...v_20060320b.asm

    Now I commented everything finally! Only that was getting me stuck. OK, now you get it! Complete! Not bad for being done in only two days ;) Now let's examine why the algorithm is done like that, that is, let's convert it into pseudo-code... And later let's disassemble the Z80 initialization code...
     
  17. Aurochs

    Aurochs

    Единый, могучий Советский Союз! Tech Member
    You need IDA Pro to open it. A license costs about 500 USD. There are pirate copies, though.
     
  18. Tweaker

    Tweaker

    Banned
    http://forums.sonicretro.org/index.php?showtopic=6194
     
  19. Sik

    Sik

    Sik is pronounced as "seek", not as "sick". Tech Member
    OK, I went a bit further with it. This is the pseudo-code:

    Code (Text):
    MAIN LOOP

    Wait for $0039 to be non-zero (wait for some hardware to respond)
    Back up $0040 to $0045 in $003A to $003F
    Clear $0039
    Send $2B, $80, $B4 and $C0 to the sound hardware (initialization?)
    Back up $0044/$0043 in BC

    INTERNAL LOOP

    Perform sorta kind of large NOP
    Select banking switching
    Send $2A to port $4000
    Send the value in the address pointed by $0040-$0041 to $4001
    Increment $0040 to $0042 by two (next value?)

    If $0039 is non-zero, exit from internal loop
    If BC - 1 is non-zero, restart internal loop
    If $0045 is zero, exit from internal loop
    Set all bits in BC and restart loop

    If we think a bit more, the first part of the main loop is just some kind of initialization to prepare to send the data, and the second part (the internal loop, which is inside it) is when it sends the data to the sound hardware. Well, I think that this might help.

    EDIT: hey, is it me or what it does is just send the samples to the DAC? If so, what a disappointment :(
     
  20. drx

    drx

    mfw Researcher
    You disassembled the Sonic 1 driver. Where all the stuff is done by 68k and only DAC is left for Z80 :P
     