PostPosted: Wed Sep 23, 2015 11:12 pm 
Hi All,

This is a project spun off from the SNES-Tap discussion in another thread. SNES-Hook is designed to be an extreme simplification of the hijack functionality of SNES-Tap. It is intended to work in conjunction with byuu's Controller Port Serial Cable to load executable code from the serial cable into WRAM and execute it prior to the processor ever executing any code in the cartridge slot. It is essentially a primary bootloader for the SNES.

It works like this:
1) SNES powers up with the SNES-Hook in the expansion port and any cart in the cartridge slot
2) At start the processor accesses $00:FFFC & $00:FFFD (emu reset vector located at cart) to jump to the initial code to execute
3) The CPLD on the snes-hook observes changes on the address bus B (specifically searching for $FC-$FD)
-- Address bus A address bits 7:0 are aliased onto address bus B
4) SNES-Hook performs a glitch on the DATA bus for those two bus cycles forcing the vector address to be $00:2184
5) The CPU jumps to $00:2184 to start execution (and not the cart)
-- $00:2184 is addressed to a RAM on the SNES-Hook which has 124 bytes of bootcode

All the board design files and verilog reference can be found here:
https://github.com/defparam/snes-hook

Here are the initial 3D models of the device:
http://i.imgur.com/t2GpvP1.png
http://i.imgur.com/vU9wJTo.png
http://i.imgur.com/ZlYJ9bf.png
http://i.imgur.com/cwqZKxj.png
http://i.imgur.com/mgFcYMA.png

UPDATE: Boards are back from OSHPark, components have been assembled on board, byuu's test bootloader tested WORKING on SNES console. (the bootcode takes over the console, paints the screen blue and stops the processor).

There are some CARTs which the glitch is working on (Rockman X, Jurassic Park, Megaman 7) and some carts which it isn't (Rockman X2, X3). This could just be a timing issue. I'm currently debugging.


Here are some pictures of the device fully assembled (sorry for the crappy camera):
https://raw.githubusercontent.com/defpa ... oard_1.bmp
https://raw.githubusercontent.com/defpa ... oard_2.bmp
https://raw.githubusercontent.com/defpa ... oard_3.bmp

If you would like to purchase the bareboard you can buy it from OSHPark here: (I believe it's about $7 for 3 bareboards)
https://www.oshpark.com/shared_projects/TfNKjUM6

Host interfaces were not added to this board as it is intended to be extremely simple and leverage the controller port serial cable for host access. For a more complex expansion port loader with formal host interfaces stay tuned for updates to SNES-Tap in the coming months.

I've built 9 of these boards to send to byuu. He can explain more details on how we can leverage these devices to quickly dump carts, test hardware co-processors and load home-brew executables to leverage cart hardware.

Thanks!
defparam


PostPosted: Thu Sep 24, 2015 10:23 am 
Ohhhhh, these look fantastic!! Thank you so much :D

> There are some CARTs which the glitch is working on (Rockman X, Jurassic Park, Megaman 7) and some carts which it isn't (Rockman X2, X3). This could just be a timing issue. I'm currently debugging.

Hmmm ... yeah, I can't think of why the Cx4 (in Rockman X2/X3) would cause the trick to stop working. They shouldn't be doing anything special with reset vectors, nor would they care what's in $2184-21ff.

> He can explain more details on how we can leverage these devices to quickly dump carts, test hardware co-processors and load home brew executable to leverage cart hardware.

In order to execute your own code, you need a flash cart or copier. But to dump a cart, that needs to be in the cart slot. So blargg devised a fun trick where you disable the CIC, and then run a long 10-second DMA (to minimize access to the cart bus), and quickly swap the cart out.

That's still dangerous, and fails ~20% of the time with a system lock-up. It also has a bad tendency to wipe the SRAM, which if your devcart stores the serial uploader in SRAM, means reprogramming that through a copier and floppy disks again >_>

This also fails for SA-1 and S-DD1 carts, because of their on-cart CICs that won't unlock the ROM.

ikari_01 made a modification of the SuperCIC for me that would unlock for this type of cart swap. But sadly, after dumping the entire US library, that SNES deck is almost dead. It gets bad connections on various address lines all the time now.

With SNES-Hook, we bypass the need to have the SuperCIC, and the need to do a risky cart swap.

Boot up, have the boot loader (with a timeout) try and pull a program into WRAM from controller port serial, and execute that. This program will now have full access to an unlocked cart (because the CIC is completely unmodified).

From here, it's easy to dump carts, to execute code in BW-RAM for the SA1, or cartridge RAM for SFX, etc.


PostPosted: Thu Sep 24, 2015 9:40 pm 
Well good news and bad news. The good news is that I fixed the issue that was causing x2 and x3 to not be properly "hooked". The bad news is that the fix requires 4 white wire mods to this current board rev.

The issue is with the glitching output cycle. Forcing a 1 to a 0 is OK to do because these data lines are tied high with a weak pull-up when conveying a 1. Forcing a 0 to a 1 requires that your output buffer out-drive the logical 0 high enough to be interpreted as a 1 by the processor. If you look at the values we are glitching, we force an 0x84 on one cycle and 0x21 on another. In both instances there are 6 bits being forced low and 2 bits being forced high. Yesterday as I was trying to figure out why X2/X3 weren't working but the other carts were, I hypothesized that the output buffers on the non-working carts must be stronger than my output buffers. However, with the snes-tap using the NXP translator we were able to hook X2/X3 perfectly. So I took a look at the datasheet for the NXP shifter and the datasheet for the MAX7000S and sure enough the per-pin maximum output current on the NXP is 50mA while the per-pin max output current on the MAX is 25mA (DOH!). So since we only have 4 different bits out of the 8 which we have to force from a 0 to a 1, the fix was to grab 4 more GPIO in the CPLD and connect them to those bits being forced to 1 to help out-drive the cart. I got those white wire mods soldered in this morning and tested the console working just now.

I will update the board design and the FPGA firmware with the new fix when I get a chance.

defparam
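The hook sequence from the first post and the 0->1 drive-strength reasoning in this post, modelled in Python as an added example (not code from the thread or the snes-hook repository); the function names and the `armed` flag are assumptions:

```python
# Added example: a behavioural model of the SNES-Hook reset-vector hijack and of
# the 0->1 drive-strength analysis above. Not code from the thread or the
# snes-hook repository; function names and the `armed` flag are assumptions.

HIJACK_VECTOR = 0x2184  # CPU is sent here; boot RAM spans $2184-$21FF (124 bytes)
VECTOR_LO_ADDR = 0xFC   # low address byte of $00:FFFC as seen on address bus B
VECTOR_HI_ADDR = 0xFD   # low address byte of $00:FFFD

# 65816 vectors are little-endian: $FFFC must read $84 and $FFFD must read $21.
FORCED_BYTES = {
    VECTOR_LO_ADDR: HIJACK_VECTOR & 0xFF,  # 0x84
    VECTOR_HI_ADDR: HIJACK_VECTOR >> 8,    # 0x21
}

def glitch_data(addr_b: int, cart_data: int, armed: bool = True) -> int:
    """One bus cycle as the CPLD sees it. addr_b is the 8-bit value on address
    bus B (only A7:A0 are aliased there, so the match key is just $FC/$FD),
    cart_data is what the cartridge drives. `armed` models the hook being live
    before any cart code has run (assumption). Returns what the CPU samples."""
    if armed and addr_b in FORCED_BYTES:
        return FORCED_BYTES[addr_b]
    return cart_data & 0xFF

def fetch_reset_vector(cart_vector: int, hook_present: bool) -> int:
    """Simulate the CPU's two-cycle emulation-mode reset-vector fetch against
    a cart whose $FFFC/$FFFD hold cart_vector."""
    lo = glitch_data(VECTOR_LO_ADDR, cart_vector & 0xFF, hook_present)
    hi = glitch_data(VECTOR_HI_ADDR, cart_vector >> 8, hook_present)
    return (hi << 8) | lo

def forced_bit_counts(forced_byte: int) -> tuple:
    """(bits forced high, bits forced low) for one glitched byte. Forcing low
    only fights a weak pull-up; forcing high must out-drive the cart's buffer."""
    high = bin(forced_byte & 0xFF).count("1")
    return high, 8 - high

def bits_forced_high(cart_byte: int, forced_byte: int) -> int:
    """Mask of lines actually driven 0->1 for a given cart byte (the hard case)."""
    return forced_byte & ~cart_byte & 0xFF

def strong_drive_lines() -> list:
    """Worst case over both cycles (cart drives 0 on every line): the union of
    lines that may need a 0->1 push. These are the lines worth pairing with a
    second CPLD GPIO (the white-wire fix) to double the per-line drive."""
    mask = 0
    for forced in FORCED_BYTES.values():
        mask |= forced
    return [bit for bit in range(8) if (mask >> bit) & 1]
```

With the hook present the simulated fetch returns $2184 regardless of the cart's own vector, and the worst-case union of forced-high lines is D0, D2, D5 and D7, the four bits the post says needed help.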


PostPosted: Thu Sep 24, 2015 11:03 pm 
Hmmm ...

If it's not too much trouble, would you be up for holding off on the assembly process for the other boards, and instead order a new set of nine PCBs from OSHPark with the new layout?

I can of course pay for the new set of boards in addition to the old ones, since the PCB portion alone is inexpensive. And I'm in no rush, so waiting another few weeks for those to be delivered is no problem here.


PostPosted: Thu Sep 24, 2015 11:44 pm 
Yup! That's fine. It's a quick board fix and only 22 bucks for 9. The only issue I have is time/resources on my end as my next month or so will be very busy. I'll keep you up to date.

Thanks,
defparam


PostPosted: Sat Sep 26, 2015 11:19 pm 
I need to redo the PCB layout on my serial port adapter (I made the original several years ago and my routing is pretty silly in a few places), but I should definitely get around to that now that there's a real use for it...
