SuperDisc BIOS released + analysis [attn: nocash]

Discussion of hardware and software development for Super NES and Super Famicom.

Moderator: Moderators

Forum rules
  • For making cartridges of your Super NES games, see Reproduction.
tepples
Posts: 21946
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by tepples » Mon Mar 07, 2016 8:36 pm

Yet the Sony design continues to show through, as VAG is BRR with a longer packet, different filter types, and a different Gaussian table.

nocash
Posts: 1200
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by nocash » Mon Mar 07, 2016 9:28 pm

CXD1196AR might be quite close to CXD1800Q. The chip seems to be fully controlled by the Main CPU (unlike the PSX's CXD1815Q and CXD1199BQ chips, which are accessed by Host CPU and Sub CPU). Would be still possibly that the NEC chip on the LCD daughterboard is also doing some CD related control. Anyways, there's probably no third CPU envolved (unless the SNES CD's 32bit CPU mentioned on some older webpages does still hide somewhere on the PCB back side).

The 48pin chip without visible markings might be the Servo Amplifier (like the CXA1782BR on PSX which is 48pin, too). PSX consoles are additionally having some 28pin chip for motor control (BA6297AFP,BA6398FP,BA6397FP,AN8732SB,etc.), something similar should exist here, too, but I couldn't see that thing on the photos. But I couldn't really see S-CPU, S-PPU2, S-WRAM, S-ENC chips either, which makes me think that the photos are only incomplete crap.

byuu
Posts: 1545
Joined: Mon Mar 27, 2006 5:23 pm
Contact:

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by byuu » Tue Mar 08, 2016 6:03 pm

Spent a few hours trying to figure out what the hell was going on with the "Now Loading" part of the BIOS. It's a complete fucking abortion of code.

It starts reading from $e8fc,x (eg in the first 32K of ROM), getting symbols, sometimes using those as new read indexes into the $e8fc table, writing to $21e1, reading from $21e1, and doing psychotic, batshit insane amounts of bit-blending on RAM values at $1f5f-$1f64 (AND #$77, OR #$20 if AND #$08 sets Z flag, OR #$10, branch if N flag set/clear, etc), and with some sort of table at $1f0f-$1f17. It is packed full of the 65816-equivalent of goto statements, nested subroutine calls, etc. And a lot of the magic happens inside the IRQ handler.

The pattern of bytes written to $21e1 are completely non-deterministic due to all of this. It's just a non-stop stream of gibberish. And I don't know what reading $21e1 is supposed to return at all. By using my current emulation of setting it to #$81 on IRQs when $21e4.d4 is set, it repeats the same INST, INCL, CHCT commands to the CXD1800 over and over, which obviously never does anything useful. Hangs at "Now Loading" forever. Nothing ever actually makes it into the 256KiB cart RAM area for execution.

It is the most grotesque code I've ever seen in SNES assembly hacking, and I've hacked probably a dozen commercial game engines in my years spent translating Japanese games to English.

I did my best to try and port the code to C to reproduce the stream of writes to $21e1, but I could only get the first six or so writes correct before becoming completely overwhelmed with all the interleaved code.

So I give up. Good luck to anyone who attempts this :/

tepples
Posts: 21946
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by tepples » Tue Mar 08, 2016 7:54 pm

Is it obfuscated like kevtris found a pirate original port of Earthworm Jim 2 to be as a means of making pirates' lives harder?

byuu
Posts: 1545
Joined: Mon Mar 27, 2006 5:23 pm
Contact:

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by byuu » Tue Mar 08, 2016 8:31 pm

tepples wrote:Is it obfuscated like kevtris found a pirate original port of Earthworm Jim 2 to be as a means of making pirates' lives harder?
Yes, it's extremely likely that they obfuscated the prototype BIOS heavily to prevent mass piracy of it. All you'd need is a cart with a ton of RAM, this ROM, and reverse engineer a new CD-ROM drive to connect to the expansion port, and it would be a free-for-all in pirating all of the content available for this prototype system.

Sik
Posts: 1589
Joined: Thu Aug 12, 2010 3:43 am

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by Sik » Wed Mar 09, 2016 5:37 am

But CDs themselves weren't easy to copy at the time either so I can't think this being likely, especially since you could probably get most (or all) of the way there by analyzing the PCB and dumping that ROM from that 4-bit controller (it's unlikely the cartridge alone without any knowledge of the PCB would be useful). It honestly sounds like either overengineering or that you're missing something critical (does anything there trigger some sort of DMA which would feed in the correct data, maybe?).

Also you should come up with a way to change the low nibble of $21E1 to make it look like it's accessing the disc. Heck, make it a debug button in the emulator temporarily if needed, just to see how it reacts =P

lidnariq
Posts: 9300
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by lidnariq » Wed Mar 09, 2016 11:28 am

Maybe they've embedded some kind of FSM for the CD-ROM decoder or controller in the tables...

nocash
Posts: 1200
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by nocash » Wed Mar 09, 2016 4:43 pm

That isn't obfuscated. The bios test function displays all mechacon commands with friendly names, and outgoing hex values, and with expected response hex values in plain text on the TV set. You don't even need to dump the bios cartridge (and least to disassemble the program code) for understanding how port 21E1h is working.

Code: Select all

  Access MM/SS/FF     BmmssffF                --> FFFFFFFF
  Access Track/Index  CttiiF                  --> FFFFFF
  Stop                D01F                    --> FFFF
  Play                D02F                    --> FFFF
  Pause               D03F                    --> FFFF
  Open/Close          D04F                    --> FFFF
  Fast Forward        D10F                    --> FFFF
  Fast Reverse        D11F                    --> FFFF
  Forward             D12F                    --> FFFF
  Reverse             D13F                    --> FFFF
  Key Direct          D40F                    --> FFFF
  Key Ignore          D41F                    --> FFFF
  Continous Play      D42F                    --> FFFF
  Auto Track Pause    D43F                    --> FFFF
  Auto Index Pause    D44F                    --> FFFF
  Normal Speed        D45F                    --> FFFF
  Double Speed        D46F                    --> FFFF
  Q-Data Request      D50F 0000000000000000F  --> FFFF ................F
  Status Request      D51F 01234F             --> FFFF .....F
Only problem are the variable response bits in the Q-Data and Status requests. 16-digit Q is probably 8 bytes straight from SubQ channel. And 5-digit status, well, that part might require disassembling the bios.

byuu
Posts: 1545
Joined: Mon Mar 27, 2006 5:23 pm
Contact:

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by byuu » Thu Mar 10, 2016 12:07 am

I see. Completely forgot about the "communication" test, whoops.

In that case ...
$21e1 is the NEC D75P308GF (4-bit microprocessor) interface.
$21e2+$21e3 is the Sony CXD1800Q interface.
$21e4 is the interrupt enable (d3 = NEC CPU, d2 = Sony CPU.)

$21e0 and $21e5 are unknown still.

byuu
Posts: 1545
Joined: Mon Mar 27, 2006 5:23 pm
Contact:

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by byuu » Thu Mar 10, 2016 2:20 am

Okay, I've implemented interfaces for both the NEC and Sony chips now.

We need to return "10100" from the status register for the BIOS to think there's a data CD present. Or "11000" for a music CD. I don't know what other values will work or not work.

This gets us "press start", and upon doing so, we get stuck in this loop forever:

1. poll one nibble from the NEC status register
2. write #$10 to INCL
3. read from STS six times (maybe it expects something other than #$00 ?)
3a. could be polling STS, HFLG, HMIN, HSEC, HBLK, HMOD possibly ... I believe $21e2 increments on $21e3 access
4. write #$00 to CHCT
5. repeat forever

Also, there's a nice datasheet on the CXD1803AQ that may be similar to the CXD1800Q. A lot of the register names look like non-abbreviated versions of the CXD1800 ones, but there's also a whole lot of entirely new stuff. And wow ... this chip is really, really complex :/ Not going to be fun to simulate at all. Especially if we have to guess most of the commands to it.

Code: Select all

command = d51f01234f
w21e1=0f
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=8f
command = d
w21e1=0d
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=8f
command = d5
w21e1=05
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=8f
command = d51
w21e1=01
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=8f
command = d51f
w21e1=0f
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=8f
command = d51f0
w21e1=00
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=81
command = d51f01
w21e1=01
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=80
command = d51f012
w21e1=02
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=81
command = d51f0123
w21e1=03
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=80
command = d51f01234
w21e1=04
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=80
command = d51f01234f

AWJ
Posts: 433
Joined: Mon Nov 10, 2008 3:09 pm

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by AWJ » Thu Mar 10, 2016 2:45 am

byuu wrote:Okay, I've implemented interfaces for both the NEC and Sony chips now.

We need to return "10100" from the status register for the BIOS to think there's a data CD present. Or "11000" for a music CD. I don't know what other values will work or not work.

This gets us "press start", and upon doing so, we get stuck in this loop forever:

1. poll one nibble from the NEC status register
2. write #$10 to INCL
3. read from STS six times (maybe it expects something other than #$00 ?)
3a. could be polling STS, HFLG, HMIN, HSEC, HBLK, HMOD possibly ... I believe $21e2 increments on $21e3 access
4. write #$00 to CHCT
5. repeat forever

Also, there's a nice datasheet on the CXD1803AQ that may be similar to the CXD1800Q. A lot of the register names look like non-abbreviated versions of the CXD1800 ones, but there's also a whole lot of entirely new stuff. And wow ... this chip is really, really complex :/ Not going to be fun to simulate at all. Especially if we have to guess most of the commands to it.

Code: Select all

command = d51f01234f
w21e1=0f
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=8f
command = d
w21e1=0d
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=8f
command = d5
w21e1=05
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=8f
command = d51
w21e1=01
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=8f
command = d51f
w21e1=0f
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=8f
command = d51f0
w21e1=00
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=81
command = d51f01
w21e1=01
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=80
command = d51f012
w21e1=02
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=81
command = d51f0123
w21e1=03
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=80
command = d51f01234
w21e1=04
w21e2=01
        r21e3=10
w21e2=05
w21e3=10
w21e2=02
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
        r21e3=00
w21e2=02
w21e3=00
        r21e1=80
command = d51f01234f
I think there has to be some code path that leads to setting up and triggering a standard SNES DMA from one of those B-bus registers into work RAM. The SNES has no bus mastering capability, so actually getting the data from the disc into SNES-accessible memory (either the onboard WRAM or the expansion RAM in the cartridge) has to involve S-CPU DMA at some point, just like how the SDD1 and MSU1 work.

nocash
Posts: 1200
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by nocash » Thu Mar 10, 2016 1:26 pm

tepples wrote:Yet the Sony design continues to show through, as VAG is BRR with a longer packet, different filter types, and a different Gaussian table.
Interesting. And unexpected. Does it seem to match-up with PSX adpcm samples (16-byte PSX blocks, instead of 9-byte SNES blocks)?
And did you see further differences, like more channels or whatever? There should be some way to switch to SNES-compatible mode; either via APU registers, or maybe via 21E4h.
The mainboard photos are in fact showing uncommon part numbers for both APU chips (so even the SPC700 CPU might be a bit different, it's clearly running SPC700 code though).
One weird thing is that the new APU couldn't be used in CDROM expansions (for existing SNES consoles), unless it where mapped to some other 21xxh addresses in case of expansion models.
byuu wrote:$21e4 is the interrupt enable (d3 = NEC CPU, d2 = Sony CPU.)
$21e0 and $21e5 are unknown still.
We need to return "10100" from the status register for the BIOS to think there's a data CD present. Or "11000" for a music CD. I don't know what other values will work or not work.
Also, there's a nice datasheet on the CXD1803AQ that may be similar to the CXD1800Q.
I didn't track down 21E4h bits yet, but yes, it should be probably something for disabling the new interrupts (or even disabling the whole new I/O ports for backwards compatibility with normal SNES carts).
21D0h, 21E0h, 21E5h seem to locking/unlocking the battery backed SRAM (ie. located in the BIOS cartridge, not related to the CDROM hardware).

The 5-digit status can be set to various values. The first two digits set to 00h or FFh switches between "Music Disc" and "Press Start" (for data discs). The middle digit set to 1..4 or so works, but bigger values give "Not Defined", 0 gives No Disc. In some cases, the middle digit seems to be ignored depending on first 2 digits though. The last two digits seem to have no effect on anything. Best might be to watch the status values on real hardware (if it would work), and check if how they are changing on inserting/ejecting different discs, and on sending different mechacon commands.

Why CXD1803AQ? Guess you missed the note about the CXD1196AR datasheet - it looks almost perfectly right to me (the only difference that I've spotted yet is related to some Test register, I haven't compared it to closely against the test screens yet though).
I've ported the relevant datasheet section to txt (see below). Some of sentences in there are really obfuscated (overcomplicated long sentences, formatted at 120-column width, and refusing to use terms like "0" and "1"). I am working on reversing what they wanted to say in that document. As by now, it's looking as if it'd be quite easy to emulate (when not emulating any read errors).

The biggest problem might be the user interface for loading cdrom images, and supporting all of the numerous different cdrom image formats (I might be able to clean-up the cdrom code from no$psx for re-using it in no$sns; oh, and I think other emu programmers completely got around cdrom-image decoding by simply prompting users to mount the cdrom image as virtual cdrom drive via external utilities).

Code: Select all

CXD1196AR - Write register
---------------------------

  REG        A0 RA bit7    bit6      bit5     bit4     bit3     bit2    bit1    bit0
  REGADR     L  X  L       L         L        RA4      RA3      RA2     RA1     RA0
  RESERVED   H  X0 L       L         L        L        L        L       L       L
  DRVIF      H  X1 XSLOW   C2PO L1st LCH LOW  BCK RED  BCK MD1  BCK MD0 LSB 1st CLKL
  CHPCTL     H  X2 L       L         CLR ADP  CHP RST  CDDA     SW OPEN RPSTART ADP EN
  DECCTL     H  X3 AUTO CI L         MODE SEL FORM SEL AUTODIST DEC MD2 DEC MD1 DEC MD0
  INTMSK     H  X4 ADP END DEC TOUT  DMA CMP  DEC INT  CI ERR   L       L       L
  INTCLR     H  X5 ADP END DEC TOUT  DMA CMP  DEC INT  CI ERR   L       L       L
  CI         H  X6 L       EMPH ASIS L        BIT L4H8 L        FS L3H1 L       MONO STE
  DMA ADRC-L H  X7 bit7    bit6      bit5     bit4     bit3     bit2    bit1    bit0
  DMA ADRC-H H  X8 L       bit14     bit13    bit12    bit11    bit10   bit9    bit8
  DMA XFRC-L H  X9 bit7    bit6      bit5     bit4     bit3     bit2    bit1    bit0
  DMACTL     H  XA xfrc11  xfrc10    xfrc9    xfrc8    DMA EN   L       L       L
  DRV ADRC-L H  XB bit7    bit6      bit5     bit4     bit3     bit2    bit1    bit0
  DRV ADRC-H H  XC L       bit14     bit13    bit12    bit11    bit10   bit9    bit8
  TEST2      H  1D L       L         L        L        L        L       L       L
  TEST1      H  1E L       L         L        L        L        L       L       L
  TEST0      H  1F L       L         L        L        L        L       L       L
                                      Write Registers

2.1.1 Register address (REGADR) register
 This register is used for selection of the internal registers.
 (1) When A0 = XCS = `L', the REGADR register is selected. When A0 = `H' and XCS = `L', the register
     specified by the REGADR is selected.
 (2) When the low order 4 bits of REGADR are not 0 (hex), and a register write or read is made by setting
     A0 = `H' and XCS = `L', the low order 4 bits of REGADR are incremented.
 (3) REGADR is cleared by rising edge of DMAEN bit (bit3) of the DMACTL register. (Cleared to 00 (hex).)

2.1.2 DRIVE Interface (DRVIF) register
  Bit7 XSLOW (/SLOW SPEED)
      `H' : A DMA cycle is performed in 4 clocks.
            In this case, a standard SRAM with an access time of less than 120 nsec can be connected
            to the CXD1196AR.
      `L' : A DMA cycle is performed in 12 clocks. When the CXD1196R is connected to an SRAM
            with a slower access time, set this bit at `L'. In this case, a standard SRAM with an access
            time of less than 320 ns can be connected to the CXD1196AR. For operation at VDD = 3.5
            V, set this bit to L.
  Bit6 C2PL1ST (C2PO Ler-byte 1st)
      `H' : To input two bytes of DATA input, each with a C2PO identifying the lower or upper byte, in
            the order of the lower and upper bytes
      `L' : To input two bytes of DATA input, each with a C2PO identifying the upper or lower byte, in
            the order of the upper and lower bytes.
    Here, the upper byte means the 8 (eight) upper bits including the MSB from the DSP for CD. And the lower
    byte means the 8 (eight) lower bits including the LSB from the DSP for CD. For example, the minute byte
    of the Header is a lower byte and the sec byte is a upper byte.
  Bit5 LCHLOW (LCH LOW)
      `H' : To determine that the data is Lch data when LRCK = `L'
      `L' : To determine that the data is Lch data when LRCK = `H'
  Bit4 BCKRED (BCLK Rising Edge)
      `H' : To strobe DATA by the rising edge of BCLK
      `L' : To strobe DATA by the falling edge of BCLK
  Bit3, 2 BCKMD1, 0 (BCLK Mode 1, 0)
      Set these bits, depending on the number of BCLK clocks output by the DSP for CD during a cycle of
      WCLK.
         BCKMD1   BCKMD0
         `L'      `L'     16BCLKs/WCLK
         `L'      `H'     24BCLKs/WCLK
         `H'      `X'     32BCLKs/WCLK
  Bit1 LSB 1ST (LSB First)
      `H' : To connect to a DSP for CD which outputs DATA on an LSB first basis
      `L' : To connect to a DSP for CD which outputs DATA on an MSB first basis
  Bit0 CLKLOW (CLK LOW)
      `H' : To fix CLK pin output at `L'
      `L' : To output 8.4672 MHz clock from CLK pin output
    The values of the individual bits of this register must be changed with the decoder in the disabled state.
    Table 2.1.1 shows the values of bits of bit 6 through 1 to be set when the CXD1196AR is connected to
    Sony DSPs for CD. Fig. 2.2.1 (1) through (3) show input timing charts.

                                 DRVIF register
   Sony DSP for CD             bit6 bit5 bit4 bit3 bit2 bit1    Timing chart
   -----------------------------------------------------------------------------
   CDL30 series                L    L    L    L    H    L       Fig. 2.1.1 (1)
   CDL35 series
   -----------------------------------------------------------------------------
   CDL40 series                L    L    H    L    H    L       Fig. 2.1.1 (2)
   (48-bit slot mode)
   -----------------------------------------------------------------------------
   CDL40 series                L    H    L    H    X    H       Fig. 2.1.1 (3)
   (64-bit slot mode)
                       Table 2.1.1 DRVIF Register Settings
  (Note 1)
   CDL30 series:  CXD1125Q/QZ, CXD1130Q/QZ, CXD1135Q/QZ,
                    CXD1241Q/QZ, CXD1245Q, CXD1246Q/QZ,
                    CXD1247Q/QZ/R, etc.
   CDL35 series   CXD1165Q, CXD1167Q/QZ/R, etc.
   CDL40 series   CXD2500Q/QZ, etc.

2.1.3 Chip Control (CHPCTL) register
  Bit7-5 RESERVED
  Bit4 CHPRST (Chip Reset)
    When this bit is set at `H', the CXD1196AR is internally initialized. The bit setting will automatically
    change to `L' when the internal initialization of the CXD1196AR is completed. Therefore, there is no
    need for the CPU to change the setting at `L'. Initialization of the CXD1196AR will be completed in
    500ns after the bit has been set at `H' by the CPU.
  Bit3 CD-DA (CD-Digital Audio)
    `H' : When a CD-DA disc is to be played back, this bit is set at `H'.
          The decoder must be placed in the disabled state (DECCTL register) when this bit is set at
          `H'.
    `L' : When a CD-ROM disc is to be played back, this bit is set at `L'.
  Bit2 SWOPN (Sync Window Open)
    `H' : When this bit is set at `H', the window for detection of SYNC mark will open. In this case,
          the SYNC protection circuit in the CXD1196AR will be disabled.
    `L' : When this bit is set at `L', the window for detection of SYNC mark will be controlled by the
          SYNC protection circuit in the CXD1196AR.
  Bit1 RPSTART (Repeat Correction Start)
          When the DECODER is placed in the repeat correction mode, and this bit set at `H', the error
          correction of the current sector will begin. The bit setting will automatically change to `L' when
          correction begins. Therefore, there is no need for the CPU to change the setting at `L'.
  Bit0 ADPEN (ADPCM Enable)
          When the current sector is an ADPCM sector, the CPU sets this bit at `H' in less than 11.5 ms after a
          decoder interrupt (DECINT). When the current sector is not an ADPCM sector, the CPU changes the
          bit setting at `L' in less than 11.5 ms after a decoder interrupt (DECINT).

2.1.4 DECODER CONTROL (DECCTL) Register
  Bit7 AUTOCI (Auto Coding Information)
    `H' : To perform ADPCM playback according to the coding information from the drive. In this
          case, the CI register need not be set.
    `L' : To perform ADPCM playback according to the value of the CI register.
  Bit6 RESERVED
          Should be kept at `L' at all times.
  Bit5 MODESEL (Mode Select)
  Bit4 FORMSEL (Form Select)
          When AUTODIST = `L', the sector is corrected as the following MODE and FORM.
               MODESEL     FORMSEL
               `L'         `L'          MODE1
               `H'         `L'          MODE2, FORM1
               `H'         `L'          MODE2, FORM2
  Bit3 AUTODIST (Auto Distinction)
    `H' : Errors are corrected according to the MODE byte and FORM bit read from the drive.
    `L' : Errors are corrected according to bit 5 MODESEL and bit4 FORMSEL.
  Bit2-0 : DECMD 2-0 (Decoder Mode 2-0)
         DECMD2  DECMD1  DECMD0
         `L'     `L'     `X'         Decoder disable
         `L'     `H'     `X'         Monitor only mode
         `H'     `L'     `L'         Write only mode
         `H'     `L'     `H'         Real time correction mode
         `H'     `H'     `L'         Repeat correction mode
         `H'     `H'     `H'         Inhibit
    These bits are set at `L' when the CDDA bit (bit3) of the CHPCTL register is `H'.

2.1.5 Interrupt Mask (INTMSK) Register
When the individual bits of this register are set at `H', an interrupt request from the CXD1196AR to the CPU
is enabled in response to the corresponding interrupt status. (That is, when the interrupt status is created,
the INT pin is made active.) The value of the individual bits of the register does not affect the
corresponding interrupt status.
  Bit7 ADPEND (ADPCM End)
    When this chip has completed the ADPCM decode for a sector, if the ADPCM decode for the next
    sector is not enabled, the ADPEND status is created.
  Bit6 DECTOUT (Decoder Time Out)
    If no SYNC mark is detected during a period of 3 sectors (40.6 ms in normal speed playback mode)
    after the DECODER has been set in the monitor only, and real time correction modes, the DECTOUT
    status is created.
  Bit5 DMACMP (DMA Complete)
    When DMA is ended by DMAXFRC, the DMACMP status is created.
  Bit4 DECINT (Decoder Interrupt)
    If a SYNC mark is detected or internally inserted during execution of the write only, monitor only and
    real time correction modes by the DECODER, the DECINT status is created. When the SYNC mark
    detected window is open, however, if the SYNC mark spacing is less than 2352 bytes, the DECINT
    status is not created. During execution of the repeat correction mode by the DECODER, the
    DECINT status is created each time a correction ends.
  Bit3 CIERR (Coding Information Error)
    When AUTOCI bit of DECCTL register is set at "H" and ADPCM decode playback is done, if there is
    an error in a CI byte of an ADPCM sector, the CIERR status is created. ADPCM decode playback of
    this sector will not be done.
  Bit2-0 RESERVED

2.1.6 Clear Interrupt Status (INCTCLR) Register   (uh, "INCT", not INT?)
When the individual bit of this register is set at `H', the corresponding interrupt status is cleared. The
individual bit is automatically set at `L' after the interrupt status has been cleared. Therefore, there is no
need for the CPU to change the setting at `L'.
  Bit7 ADPEND (ADPCM End)
  Bit6 DECTOUT (DECODER Time Out)
  Bit5 DMACMP (DMA Complete)
  Bit4 DECINT (DECODER Interrupt)
  Bit3 CIERR (Coding Information Error)
  Bit2-0 RESERVED

2.1.7 Coding Information (CI) Register
When ADPCM decoding is to be done by setting AUTOCI = `L', the coding information is written to this
register. The bit configuration is the same as that of the coding information byte of the sub header.

2.1.8 DMA Address Counter-L (DMAADRC-L)
2.1.9 DMA Address Counter-H (DMAADRC-H)
This counter retains the address to be used by the CPU when reading data from the buffer. When the data
to be sent to the CPU is read from the buffer, the contents of the DMAADRC are output from MA0-14.
Each time data to be sent to the CPU is read from the buffer, the DMAADRC is incremented.
The CPU sets the head address of DMA in the DMAADRC before starting DMA. The CPU can read and
set the contents of the DMAADRC at any time. Do not change the contents of the DMAADRC during
execution of DMA.

2.1.10 DMAXFRC-L
2.1.11 DMA Control (DMACTL) register
  Bit7 DMAXFRC11       Bit11 (MSB) of DMAXFRC (Transfer Counter)
  Bit6 DMAXFRC10       bit10 of DMAXFRC
  Bit5 DMAXFRC9        bit9 of DMAXFRC
  Bit4 DMAXFRC8        bit8 of DMAXFRC
  Bit3 DMAEN (CPU DMA Enable)
          `H' : To enable DMA
          `L' : To inhibit DMA
  Bit2-0 RESERVED
The DMAXFRC (DMA Transfer Counter) is a counter which indicates the number of DMA transfers. Each
time the data to be transferred to the CPU is read from the buffer, the counter is decremented. When the
value of the DMAXFRC reaches 0, DMA ends. At this point, interrupt request may be output to the CPU.
When data transfer is not to be ended by DMAXFRC as in the case of data transfer in the I/O mode,
DMAXFRC should be set at 0 when data transfer is started (when DMAEN bit is set at `H'). The CPU can
read and set the contents of DMAXFRC at any time. During execution of DMA, do not change the contents
of DMAXFRC.

2.1.12 DRVADRC-L (Drive Address Counter-L)
2.1.13 DRVADRC-H
The DRVADRC is a counter which retains the address for writing the data from the drive to the buffer.
When the drive data is written to the buffer, the value of DRVADRC is output from MA01-14 pins. Each
time a byte of data from the drive is written to the buffer, the DRVADRC is incremented.
Before execution of the write only mode and real time correction mode of the DECODER, the CPU sets the
buffer write head address in the DRVADRC.
The CPU can read and set the contents of DRVADRC at any time. During execution of DMA, do not
change the contents of DRVADRC.


CXD1196AR - Read register
----------------------------

  REG         A0 RA      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  REGADR      L  X       X       X        X        RA4      RA3     RA2      RA1      RA0
  DMA DATA    H  00      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  INTSTS      H  01      ADP END DEC TOUT DMA CMP  DEC INT  CI ERR  X        X        X
  STS         H  02      DRQ     ADP BSY  ERIN BLK COR INH  EDC OK  ECC OK   SHRT SCT NO SYNC
  HDRFLG      H  03      MIN     SEC      BLO CK   MODE     FILE    CHAN NEL SUB MODE CI
  HDR MIN     H  X4      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  HDR SEC     H  X5      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  HDR BLOCK   H  X6      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  HDR MODE    H  X7      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  SHDR FILE   H  08      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  SHDR CH     H  09      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  SHDR S-MODE H  0A      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  SHDR CI     H  0B      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  CMADR L     H  0C      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  CMADR H     H  0D      X       bit14    bit13    bit12    bit11   bit10    bit9     bit8
  MDFM        H  XE      X       X        X        RAW MD2  RAW MD1 RAW MD0  C MODE   C FORM
  ADPCI       H  XF      MUTE    EMPHASIS EOR      BIT L4H8 X       FS L3H1  X        MONO STE
  DMA XFRC-L  H  18      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  DMA XFRC-H  H  19      X       bit14    bit13    bit12    bit11   bit10    bit9     bit8
  DMA ADRC-L  H  1A      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  DMA ADRC-H  H  1B      X       bit14    bit13    bit12    bit11   bit10    bit9     bit8
  DRV ADRC-L  H  1C      bit7    bit6     bit5     bit4     bit3    bit2     bit1     bit0
  DRV ADRC-H  H  1D      X       bit14    bit13    bit12    bit11   bit10    bit9     bit8
  TEST 0 to 2 H  10 to 2 X       X        X        X        X       X        X        X
                                        Read Registers

In the descriptions of the registers STS, HDRFLG, HDR, SHDR and CMADR, what is referred to as the
current sector refers to the sector where registers are valid for a decoder interrupt (DECINT). In the monitor
only and write only modes, the sector from the DSP for CD just before a decoder interrupt is called the
current sector. In the real time correction mode and repeat correction mode, the sector that has gone
through error detection and correction is referred to as the current sector.

2.2.1 Register Address (REGADR) Register

2.2.2 DMADATA Register
When data transfer (buffer read) is to be made in the I/O mode, the CPU reads data from this register.

2.2.3 Interrupt Status (INTSTS) Register
The values of the individual bits of this register indicate the respective associated values of interrupt status.
These bits are not affected by the values of the individual bits of the INTMSK register.
  Bit7 ADPEND (ADPCM End)
  Bit6 DECTOUT (DECODER Time Out)
  Bit5 DMACMP (DMA Complete)
  Bit4 DECINT (DECODER Interrupt)
  Bit3 CIERR (Coding Information Error)

2.2.4 Status (STS) Register
  Bit7 DRQ (Data Request)
    This bit indicates the value of the DRQ pin.
  Bit6 ADPBSY (ADPCM BUSY)
    This bit goes `H' during ADPCM playback.
  Bit5 ERINBLK (Erasure in Block)
    On all the bytes of the current sector except the SYNC byte, this bit goes `H' if there is one or more
    bytes from the DSP for CD whose C2 pointer is ON.
  Bit4 CORINH (Correction Inhibit)
    When the DECCTL register is set AUTODIST bit = `H', this bit goes `H' if the error flag is ON in the
    MODE (and FORM) byte.
  Bit3 EDCOK
    Indicates EDC check showed there were no errors in the current sector.
  Bit2 ECCOK
    Indicates there are no more errors from the Header to P parity bytes in the current sector. (In the
    MODE2, FORM2 sector, this bit is treated as a DON'T CARE bit.)
  Bit1 SHRTSCT (Short Sector)
    Indicates the Sync Mark interval was less than 2351 bytes. On this sector, neither ECC nor EDC is
    executed.
  Bit0 NOSYNC
    Indicates that the SYNC Mark, not detected in the predetermined position, is one internally inserted.

2.2.5 Header Flag (HDRFLG) Register
Indicates the value of the error pointer of the Header and Sub Header registers.

2.2.6 Header (HDR) Register
It is a 4-byte register indicating the Header byte of the current sector. The CPU can find the value of the
Header byte of the current sector from the Minute byte as it sets the REGADR register at X4 hex and
successively reads data.

2.2.7 Sub Header (SHDR) Register
It is a 4-byte register indicating the Sub Header byte of the current sector. The CPU can find the value of
the Sub Header byte of the current sector from the File byte as it sets the REGADR register at 08 hex and
successively reads data.

2.2.8 Current Minute Address L (CMADR-L) Register
2.2.9 Current Minute Address H (CMADR-H) Register
Indicates the buffer memory address where the Minute bytes of the current sector (after correction) is in
store.

2.2.10 MODE/FORM (MDFM) Register
  Bit4-2 RMODE2-0
    RMODE2 : Indicates the logic sum of the value of the high-order 6 bits of the raw MODE byte and the
    pointer.
    RMODE1, 0 : Respectively indicate the values of the low-order 2 bits of the raw MODE byte.
  Bit1 CMODE (Correction Mode)
  Bit0 CFORM (Correction Form)
    These bits indicate which of the MODEs and FORMs this IC determined that the current sector was
    associated with when it corrected errors.
         CFORM   CMODE
         `X'     `L'      MODE1
         `L'     `H'      MODE2, FORM1
         `H'     `H'      MODE2, FORM2

2.2.11 ADPCI (ADPCM Coding Information) Register
  Bit7 MUTE
    This bit goes `H' when the DA data is muted on.
  Bit6 EMPHASIS
    This bit goes `H' when the ADPCM data is emphasized.
  Bit5 EOR (End of Record)
    This bit goes `H' when the Sub Mode byte bit0 = `H' and there is no error in the Sub Mode byte.
  Bit4 BITLNGTH (Bit Length)
    This bit indicates the bit length of ADPCM playback coding information.
    `H' : 8 bits
    `L' : 4 bits
  Bit2 FS (Sampling Frequency)
    This bit indicates the ADPCM playback sampling frequency.
    `H' : 18.9 kHz
    `L' : 37.8 kHz
  Bit0 M/S (MONO/STEREO)
    This bit indicates "monaural" or "stereo" of ADPCM playback coding information.
    `H' : Stereo
    `L' : Monaural

2.2.12 DMAXFRC-L
2.2.13 DMAXFRC-H
2.2.14 DMAADRC-H   ;uh, "-H", not "-L"?
2.2.15 DMAADRC-H
2.2.16 DRVADRC-L
2.2.17 DRVADRC-H

nocash
Posts: 1200
Joined: Fri Feb 24, 2012 12:09 pm
Contact:

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by nocash » Thu Mar 10, 2016 2:17 pm

byuu wrote:I'm afraid this is all we were given by the owners:http://luigiblood.tumblr.com/post/13273 ... laystation
That webpage doesn't allow browsing to higher resolution images for me. But, I've just figured out that one can manually change the image URLs from "_500.jpg" to "_1280.jpg". With that trick, I can now confirm that the mainboard does really contain S-CPU and S-PPU2 chips (surprise), and they seem to be just normal SNES chips without cdrom specific revisions.
LuigiBlood wrote:No there's even more, I've just put out a quick album: http://imgur.com/a/2PGcU
That webpage shows only 10 images for me (the last two pics being the BIOS cart, and a closeup of the CXDxxx APU chips), then followed by 3 gray fields that do look as they should contain 3 further images. Is that intended to look as so, or am I missing some pictures?
TriMesh wrote: [ from http://assemblergames.com/l/threads/sne ... ost-842450 ]
based on the on photos that have been posted [...] There are also 5 visible ICs on the back of the CD-ROM control board - one of them is a Rohm BTL driver another looks like a Sony CXA1272 (old CD drive focus / tracking servo) - the other chips are small SOP devices with numbers I can't read.
What photos is that referring to? I haven't seen any such chips. And what is "the CD-ROM control board"? It's apparently not the board that TriMesh is calling "The top board has a 4-bit MCU and a liquid crystal display".
Last edited by nocash on Thu Mar 10, 2016 2:29 pm, edited 1 time in total.

User avatar
LuigiBlood
Posts: 62
Joined: Thu Jul 29, 2010 2:24 pm

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by LuigiBlood » Thu Mar 10, 2016 2:24 pm

nocash wrote:
LuigiBlood wrote:No there's even more, I've just put out a quick album: http://imgur.com/a/2PGcU
That webpage shows only 10 images for me (the last two pics being the BIOS cart, and a closeup of the CXDxxx APU chips), then followed by 3 gray fields that do look as they should contain 3 further images. Is that intended to look as so, or am I missing some pictures?
You're indeed missing out. Because 2 of those are the images I used in my blog without any tagging on it.
I'll link those if you're having trouble for those:
http://imgur.com/pLmPX2g
http://imgur.com/c3gLJXT
http://imgur.com/5mzKNVO

byuu
Posts: 1545
Joined: Mon Mar 27, 2006 5:23 pm
Contact:

Re: SuperDisc BIOS released + analysis [attn: nocash]

Post by byuu » Thu Mar 10, 2016 2:51 pm

> 21D0h, 21E0h, 21E5h seem to locking/unlocking the battery backed SRAM (ie. located in the BIOS cartridge, not related to the CDROM hardware).

Three registers to toggle SRAM?

They are clearly using the expansion pins on the cartridge (although I can't really see the traces to know if all the right signals are connected for that), but it's kind of increduluos they're doing so just for a SRAM disable, instead of putting that onto $008000 (or $004000 or whatever) writes. I also can't really spot any components on the cart that could hold state based on decoded writes to B-bus 'registers'.

$21d0 would probably be the most likely. Feels weird to have it on the edges of the $21ex registers, however the disassembly only revealed a single stz $21d0 and nothing more. I am not even sure where that stz $21d0 is executed yet.

> One weird thing is that the new APU couldn't be used in CDROM expansions (for existing SNES consoles), unless it where mapped to some other 21xxh addresses in case of expansion models.

I don't see why they'd bother to make such a minor enhancement to the APU, break this design for expansion port mode yet add no significant new base CPU power, and have no evidence of it in the sound test.

Are you thinking the SuperDisc allowed decoding digital ADPCM data as an alternative to redbook audio playback? That would be ... very unfun to try to emulate with no source data whatsoever.

> Why CXD1803AQ? Guess you missed the note about the CXD1196AR datasheet

Didn't look at the 1196 yet, sorry. 1803 was closer to 1800, but apparently part numbers are psychotic. That's an awesome find again, thank you!

> I think other emu programmers completely got around cdrom-image decoding by simply prompting users to mount the cdrom image as virtual cdrom drive via external utilities).

It's just going to be you and me this time, most definitely. I'd be floored if anyone else ever emulates this. I wouldn't even do it if it weren't such an incredibly major part of gaming history lore. The whole thing is horrendously crippled by the absence of extra CPU processing power. I am very much certain that had the Sony partnership stayed in-tact, that the hardware design would have changed/extended. This was clearly an early proto (maybe they didn't get far into protos), just to prove that "yes, we can load CD game content onto an SNES system."

All the same, I need to understand what all can be done with this drive first.

I very much doubt I'll try and support physical CDs. Especially since these may use weird format discs (unlikely, and we don't have to emulate the weird bits, but why have CDs that don't really work on the zero working hardware prototypes?)

What's going to be tricky is if you can play back redbook audio tracks while game data is loaded in and executing. In that case, we can't use just plain ISO. I am kind of regretting that I used "MSU1" for the signature of my .pcm files now :/

What's going to be even harder is simulating all the CD interface stuff: disc eject, disc swap, the six physical buttons on the front for sending CD player commands, etc. We can't even tell from the BIOS screen if those front-facing buttons actually let you play a music CD. But it's a good guess that they do.

Glancing at your CXD1196 doc, it looks like it is indeed using some custom ADPCM format =(

By the way, have you figured out what the X's mean in addresses yet? Eg X4 HDRMIN. Does that mean the register mirrors at 04,14,(24,34,...f4)? Or that there are two (or more) HDRMIN registers? Or just that you're intended to read it sequentially?

> I'll link those if you're having trouble for those:

I wonder what the unlabeled square IC is above the MA-15 PCB text?

Post Reply