home | lewin's resume | contact lewin | larwe.com
capabilities & pricing | projects | about zws.com
|
home | lewin's resume | contact lewin | larwe.com |
Re39 On-Disk Documentation==============================================================================
= Re39 - An interactive disassembler for Rockwell C29 and C39 Microcomputers =
= (C) Copyright 1995 by Lewin A.R.W. Edwards =
= =
= WARNING : READ THE SECTION HEADED "COPYRIGHT" BEFORE USING THIS PRODUCT. =
= BY USING THIS PRODUCT YOU ARE AGREEING TO BE BOUND BY ITS TERMS. =
= =
= Trademarks used in this manual are the property of their repective owners. =
==============================================================================
Version 1.12 08/08/97
Abstract
==============================================================================
Re39 is a debugger-style disassembler for examining C29/C39 binaries. It was
developed to assist in modifying ROMs written by or customized for untracable
or truculent manufacturers. Although most OEMs (particularly Taiwanese) use
the Rockwell code verbatim, and simply patch the ATIx information, some insist
on shuffling subroutines around and some ROMs are even written from scratch.
Re39's features include :
* Full mnemonic disassembly to standard Rockwell mnemonics (as per
"C29/C39 Technical Reference Manual (Preliminary)", Order #414. Note
that there are some misprints in this document; I have endeavored to
correct the errors)
* ASCII dump facility
* An internal infobase of Cx9 internal hardware registers allows Re39
to supply comments on code which uses these registers - no need to keep
referring to the Technical Reference Manual
* An internal infobase of Rockwell datapump registers allows Re39 to
supply useful comments on the disassembly. Just tell Re39 which
datapump the target binary was shipped with, and where it is in the Cx9
memory map, and disassembly will include register names next to the
appropriate instructions. For example :
LDA $FF14 ;DPi handshake abort code (ABCODE)
* Can handle program images up to the size of available PC base memory
(The maximum addressing range of the C29/C39 without external logic is
512Kbyte. If you are running Re39 on a "bare" configuration, you will
be able to examine 512Kbyte ROMs).
* Small and fast
* Will run on 8088 and higher processors
Developers should also secure a copy of Asm39, the companion assembler.
Copyright
==============================================================================
Re39 is designed to combat the high cost of professional development kits. As
such it is freely redistributable. Just keep all the files together and don't
modify anything. (Any attempt to modify the executable will make it unusable).
Whatever application you're using Re39 for - including profit-making - you
don't have to pay a cent.
WARNING : Usage of this product implies your understanding and acceptance of
the copyright conditions detailed herein.
If you would like a (laser) printed manual and handy quick-reference card,
along with the latest version of Re39, send AUD$20 (inc P&P within Aust -
outside Aust add AUD$5 if you want airmail, otherwise it will go by surface
mail). Send your fee to :
Lewin A.R.W. Edwards
ATTN : Re39 Product
PO Box 590
Toorak Vic. 3142
(Specify disk size)
NOTE : It is ILLEGAL to use Re39 to assist you in "redeveloping"
copyrighted software. It is just as illegal to pirate software that's shipped
on ROM as it is to pirate software shipped on floppy disks or CD-ROM. Re39 is
for informational purposes only. Fair dealings may differ from location to
location - before using this product to examine copyrighted material, you
should check local statutes.
Command-Line Usage
==============================================================================
To start the program, run RE39.EXE from your command shell. Re39 will work
perfectly happily under OS/2, DesqView, Windows and most other timeslicers.
The Re39 command interpreter has the following rules :
* There must be a space between the command and its first parameter, and
between each parameter on the command line
* Commands and parameters are case-insensitive
* Only the first character of the command word is examined
* Extra parameters not required by a particular command are ignored
* All numbers are in hexadecimal. You do not need to precede numeric
parameters with '$' or '&' - if you do, it won't cause an error, but
it's not necessary.
* Pressing Escape will clear the command line.
* Pressing F3 will fill the command line with the previous command.
At all times, the bottom line of the screen shows the current Re39 status.
Reading from left to right, the status bar shows :
* the datapump comment mode and address, if datapump comments are enabled,
* the hardware comment status (off, general-purpose, or UART),
* the size of the currently loaded image file, in kilobytes,
* the current disassembly/dump address, in hex, and
* the Re39 version number.
On-Line Help
==============================================================================
Brief on-line help can be viewed by typing ? on a line by itself, and pressing
Enter.
Showing A Disk Directory
==============================================================================
You can view a disk directory in Re39 using the F command :
Command : F
Syntax : F [path]
Function : Shows a disk directory in wide-screen format, of the
specified directory (or current directory if none
specified). Subdirectories are shown in square brackets.
NOTE : Do NOT use wildcards in the directory name. Re39 attempts to search for
<your-input>\*.*, and will become confused if you try to a DOS command-line-
style search limiter like "F C:\TEST\*.S".
Loading An Image File
==============================================================================
Before you can make use of Re39, you must load a C29 or C39 compiled binary,
such as a ROM dump file. You can also load binaries intended for the 6502 and
6510, such as programs for the Commodore 64. However, the disassembly will
incorrectly decode C29/C39-specific instructions to their respective opcodes;
most of these instructions have odd effects on the 6510. Many programmers used
these instructions "because they could", and in a vain attempt to thwart
crackers, so Re39 is not an ideal tool for examining 6502/6510 binaries.
If there is sufficient memory available, Re39 will load the specified
binary file, and tell you how many bytes it read. It will also suggest an
EPROM type to use for re-burning the ROM image when you want to test it. This
is useful if you've downloaded a firmware upgrade dump from a manufacturer's
bulletin board, and you aren't sure what type of chip to use.
Disassembly & ASCII Dump
==============================================================================
Once you have loaded a ROM dump into memory, Re39 allows you to examine any
portion of the loaded file, either as straight ASCII and hex, or disassembled
to standard Rockwell opcode mnemonics. The commands to perform this are :
Command : D
Syntax : D [xxxxxx] [*]
Function : Dumps one page in ASCII and hex, starting at location
xxxxxxx within the loaded binary. If no location is
specified, the dump continues from the last point
examined (the current position is shown in the lower
right corner of the screen). Specifying '*' on the
command line will cause Re39 to dump continuously. At the
end of each page, you will be prompted to continue or
quit.
Command : U
Syntax : U [xxxxxx] [*]
Function : Disassembles one page starting at location xxxxxxx within
the loaded binary. If no location is specified,
disassembly continues from the last point examined (the
current position is shown in the lower right corner of the
screen). Specifying '*' on the command line will cause
Re39 to disassemble continuously. At the end of each
page, you will be prompted to continue or quit.
Note : You can direct the output of these commands to a disk file, for
modification and later reassembly. See the section headed "Sending Output To A
File", below.
Bank Switching & External Addressing Logic
==============================================================================
Re39 cannot guess at the bank register state, and therefore it cannot tell you
to which part of the loaded image file a particular memory access instruction
refers. Likewise, Re39 does not simulate any external logic which may map
hardware (such as the datapump) into and out of the address map as required.
It shouldn't be necessary to use external logic, since the C29 and C39 can
both address a 512K address space, but some designers like to be different.
Because there is no way Re39 can guess the state of any bank-switching
hardware at a particular point in the disassembly, there are no plans to
simulate this hardware at this time.
A future version of Re39 which supports the 'Go' command (code emulation)
may provide facilities for the user to set up virtual logic arrays used to
access external hardware. The 'Go' command is short-circuited out of this
version. (Any suggestions on elegant ways to input logic data are welcome).
Hardware Commentary
==============================================================================
By default, Re39 adds comments to all absolute or indexed absolute memory
accesses which refer to hardware registers inside the C29/C39 chip. This
behavior can be altered using the H (Hardware comments) command :
Command : H
Syntax : H [GP | UART | OFF]
Function : Turns C29/C39 internal hardware comments on or off, and
selects CPU mode.
GP = general-purpose mode (registers $20-$2E are
scratchpad locations)
UART = 16450 (C29) or 16550 (C39) UART emulation mode
OFF = Hardware commentary disabled
Hardware comments are all prefixed by "Cx9" to indicate which device contains
the register in question, e.g. :
STA $03 ;Cx9 port D (0-3), direction (4-7)
Generally speaking, internal modems operate in UART mode, whilst external
modems operate in GP mode - HOWEVER - some external modems do operate in UART
mode, and some internal modems, which have an on-board 16x50 chip, operate in
GP mode and use the external 16x50 device to interface with the host. This
scenario was most commonly seen in 14400bps modems based on the C29 processor-
they used an external 16550 for FIFOing. The C39 processor is now shipped on
most Rockwell-based modems as standard.
Using the In-Built Datapump Commenter
==============================================================================
Re39 can optionally add comments to indicate datapump register accesses for
all instructions that use absolute or indexed absolute addressing. All you
have to do is tell Re39 which datapump your code is intended for, and where in
the memory map the datapump resides. (Note : The datapump commentary feature
is unusable if your modem design uses clever logic to mix up the register
assignments. The datapump registers are expected to be in a contiguous block
starting at the specified base address). Also see the section above which
discusses bank switching. Re39 cannot guess the state of the bank registers at
any particular point in the disassembly, and will therefore record a datapump
hit for all memory accesses whose least significant 16 bits falls within the
configured datapump range.
Command : M
Syntax : M [datapump model | NONE]
Function : Enables datapump access comments and selects register name
set from internal database
Default : NONE (comments disabled)
Command : P
Syntax : P [datapump starting address]
Function : Sets base address for datapump comments
Default : $FF00
Comments About Comments
==============================================================================
There is only room on each line for one comment. Re39 therefore prioritizes
comments thus (from highest to lowest) :
* Datapump comments (if enabled)
* Internal C29/C39 hardware comments (if enabled)
* Offset translation
* Unknown instruction comment
For example, an instruction like BBR or BBS, which should have both an offset
translation and a datapump or hardware comment (since zero page lies inside
the internal register/scratchpad area in the C29/C39) will normally have a
hardware comment. If you disable hardware commentary, offset comments will
appear.
Sending Output To A File
==============================================================================
As Re39 does not use DOS calls for console I/O, you cannot use DOS redirection
commands to direct its output to a disk file. To overcome this, you can use
the T (sTream) command.
Command : T
Syntax : T [filename | <blank>]
Function : Enables streaming of dump and unassembly output to a text
file. Specify a filename to enable streaming, or use the
T command with no parameters to stop streaming. If you
try to stream to a file which already exists, you will be
given the option of appending to the file, overwriting
it, or canceling.
Default : none (streaming disabled)
Known Bug
==============================================================================
If the last two bytes of the image file contain a relative branch instruction,
and you attempt to disassemble it, the 'U' command will crash when it wraps
around. This bug appeared in V1.00 beta testing (the poweron vector for the
Boca 14.4 parallel ROM is $E030, which is, unfortunately, a BMI instruction)
and has resisted all attempts at fixing.
Release History (most recent item first)
==============================================================================
07/09/95 V1.02 released - fixed addressing bug
06/23/95 V1.01 released - fixed small cosmetic bugs and tidied
documentation inconsistencies.
06/18/95 V1.00 released.
Acknowledgements
==============================================================================
The author wishes to thank the following persons and organizations. Not all of
them contributed intentionally, but most of them have helped.
Askey Corp (Taiwan ROC) Testbed modems
Boca Research International (USA) Sample 144DPi ROM and testbed modems
(unfortunately tested to destruction)
Borland Development tools
CBM (nowhere) Commodore 64 used for cross-checking
Datel (UK) Disassembler in the C64 Action Replay, which
was used for cross-checking
Microcom (USA) Sample ROM
Motorola Semiconductor (USA) Databooks for TTL/LS and HC logic used in
some of the sample modems, and databook for
the MC68000 CPU
NetComm Pty Ltd (Aust) Motorola code for 288DPi-based testbed modem
PQS Creative Corp (Taiwan ROC) EPROM burner and PAL burner/analyzers
Rockwell International (USA) Various code, and of course, the chips
Tronic Bits Pty Ltd (Aust) C29/39 and RC288DPi databooks
Zoom Telephonics Australia Testbed modems and assorted chips
Zoom Telephonics (USA) Sample RC288DPi/VFC and V.34 ROMs and chips
|