6502.org Forum  Projects  Code  Documents  Tools  Forum
It is currently Sun Nov 24, 2024 9:14 am

All times are UTC




Post new topic Reply to topic  [ 10 posts ] 
Author Message
PostPosted: Sat Jan 20, 2018 9:07 am 
Offline

Joined: Wed Apr 27, 2016 2:15 pm
Posts: 141
Location: South Africa
I recently read that the Turbo Chameleon 64 Cartridge provides a VGA replica of the VIC-II via clever bus snooping.

Thinking about it for a while it make sense that you can get all the information you need to replicate a VIC-II display by just snooping on the expansion port.

There is however one thing I am curious about: Is it possible for a cardridge to tell whether the IO peripheral space (at d000- dffff) is switched in or out of cpu view?

Without this knowledge a cardridge would not be able to tell whether a write to the region D000-D029 was really meant for a VIC-II register or whether it was meant for the RAM underneath.


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 20, 2018 10:01 am 
Offline

Joined: Sun May 07, 2017 3:59 pm
Posts: 21
Are the writes to the processor port register at $0001 (which seems to do the switching) not also snoopable? Another method would be to trace what instructions were fetched, but that would obviously be much more involved.

Related: The HiDef NES by Kevin Horton, aka kevtris. That is a HDMI mod for the NES, also implemented by snooping the bus. The development was chronicled in a series of videos on YouTube.


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 20, 2018 11:02 am 
Offline

Joined: Wed Apr 27, 2016 2:15 pm
Posts: 141
Location: South Africa
That is a good question!

I know that read/writes to memory location 0 and 1 gets deligated to 2 registers living on the 6510 itself.

But can anyone tell if the deaigners of the 6510 actually bothered to disable the adrress bus and databus on the cpu when these two memory locations is accessed?


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 20, 2018 11:54 am 
Offline
User avatar

Joined: Thu Dec 11, 2008 1:28 pm
Posts: 10986
Location: England
I've a feeling writes to those two ports do go to RAM (and the values can be read back by some sprite collision trickery)


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 20, 2018 1:49 pm 
Offline
User avatar

Joined: Fri Dec 11, 2009 3:50 pm
Posts: 3367
Location: Ontario, Canada
BigEd wrote:
I've a feeling writes to those two ports do go to RAM
I have the same feeling. And I'll bet reads also go to RAM, but the value returned is ignored. That's alright, though. It's the writes which would interest you.

_________________
In 1988 my 65C02 got six new registers and 44 new full-speed instructions!
https://laughtonelectronics.com/Arcana/ ... mmary.html


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 20, 2018 2:28 pm 
Offline

Joined: Wed Apr 27, 2016 2:15 pm
Posts: 141
Location: South Africa
Thanks for the pointers BigEd and Dr Jefyll.

I actually found this post also mentioning the sprite collission trickery:

http://www.lemon64.com/forum/viewtopic. ... 2d4af65bda

Looks like with snooping on the expansion pirt you can indeed detect bank switching


Top
 Profile  
Reply with quote  
PostPosted: Sun Jan 21, 2018 4:11 pm 
Offline

Joined: Wed Apr 27, 2016 2:15 pm
Posts: 141
Location: South Africa
I actually spotted some useful info in Christian Bauer's VIC-II write-up(http://www.zimmers.net/cbmpics/cbm/c64/vic-ii.txt) regarding RAM locations 0 and 1 within a 6510 context.

Quote:
With a similar effect you can also write to RAM addresses 0 and 1 from the processor. They are normally not available as the internal data direction register and data register of the 6510 I/O port are mapped to these addresses, and the data bus drivers stay in tri-state on a write access. But the R/W line is set to low state (this can be explained as the I/O port has been integrated afterwards into the existing design of the 6502) and so the byte read by the VIC in the first clock phase is written to RAM. If you want to write a certain value to addresses 0 or 1 you only have to write an arbitrary value to these addresses and take care that the VIC read the desired value from RAM in the clock phase before.


So you would only see the address on the address bus for writing to memory location 0/1 and not the data to be written to this location.

It is a rather interesting anomaly where RAM locations 0/1 would be populated with the data that the VIC read in the previous cycle if you wrote to locations 0/1.

I wrote a assembly program to test this on the Vice emulator.

I started off by populating the first screen line with A's and then wait till the raster line approaches these A's. With the raster line at this location I do a couple of writes to memory location 1. According to the theory memory location 0 should be populated with an image line of an 'A'.

I then switch the location of screen memory to location 0. This will enable us to see memory locations 0 and 1 as the first 2 characters displayed on the screen.

Here is the assembly:

Code:
0000        SEI             78
0001        LDY #$07        A0 07
0003        LDA #$01        A9 01
0005        LDX #$27        A2 27
0007 LOOP   STA $0400,X     9D 00 04
000A        DEX             CA
000B        BPL LOOP        10 FA ; Populated the first screen line with 'A's
000D LOOP2  LDA $D011       AD 11 D0
0010        BMI LOOP2       30 FB
0012        LDA $D012       AD 12 D0
0015        CMP #$34        C9 34
0017        BNE LOOP2       D0 F4 ; Wait in a loop till we reached ratser line 52
0019        LDX #$03        A2 03
001B LOOP3  STY $0001       8C 01 00
001E        DEX             CA ; Write a value number of times to loc 1
001F        BNE LOOP3       D0 FA ; Hopefully at last read we are in visible char region
                                  ; where VIC-II read a value at first phase
0021        LDA #$05        A9 05
0023        STA $D018       8D 18 D0 ; Move screen memory to location 0
                                     ; first two chars on screen is locations 0
                                     ; and 1
0026 LOOP4  BNE LOOP4       D0 FE



At the bottom I have attached a screen shot how the screen looks like switching the location of screen memory to 0.

You will see that the second character from the left at the top row is a less than symbol which have the screen code $3C. $3C is the second image line of the character A, which is what we expect since we did the writes at scan line 52.

It would be interesting to know if you get the same result when running on a real C64.
Attachment:
test.png
test.png [ 153.6 KiB | Viewed 4206 times ]


Top
 Profile  
Reply with quote  
PostPosted: Sun Jan 21, 2018 5:31 pm 
Offline
User avatar

Joined: Fri Dec 11, 2009 3:50 pm
Posts: 3367
Location: Ontario, Canada
fastgear wrote:
Quote:
[...] the data bus drivers stay in tri-state on a write access. [...]

[...] So you would only see the address on the address bus for writing to memory location 0/1 and not the data to be written to this location. [...]

Alright, so it's not quite as Ed and I expected. But of course when they modified the 6502 to create the 6510 they would've done whatever seemed most expedient. It'd be acceptable to allow write data to drive the external bus, or not. What's mandatory is for read data from the external data bus NOT drive the internal data bus.

So, there are two ways they could've done it, equally acceptable (to them, at least :| ). While arranging to inhibit read data they apparently found it easiest to inhibit write data as well.


Interesting trick about writing to RAM at locations 0 and 1, BTW!

_________________
In 1988 my 65C02 got six new registers and 44 new full-speed instructions!
https://laughtonelectronics.com/Arcana/ ... mmary.html


Top
 Profile  
Reply with quote  
PostPosted: Sun Jan 21, 2018 7:00 pm 
Offline
User avatar

Joined: Thu Dec 11, 2008 1:28 pm
Posts: 10986
Location: England
Interestingly enough, hoglet's intelligent 6502 protocol analyser would be able to tell what value the CPU is writing, even if it doesn't appear on the bus.


Top
 Profile  
Reply with quote  
PostPosted: Mon Jan 22, 2018 6:53 am 
Offline

Joined: Wed Apr 27, 2016 2:15 pm
Posts: 141
Location: South Africa
This is a very cool project!

Looks like when doing this kind of bus snooping it is unavoidable to have some kind of 6502 emulator available to assist in dissecting the snooped info.

This project have some interesting possibilities. I think with not too much effort, for instance, one should be able to replicate the screen output of your BBC Micro to a window on your computer screen!


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 10 posts ] 

All times are UTC


Who is online

Users browsing this forum: No registered users and 7 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to: