Jul -- The Cutting Room Floor: Undocumented Mega CD BIOS functions

Sik

Level: 23

Posts: 65/107
EXP: 64770
For next: 2953

Since: 12-07-12

Since last post: 3.3 years
Last activity: 1.2 years

Posted on 11-18-13 06:58:42 PM

Link | Quote

Yesterday I was wondering about how does the Mega CD BIOS store filenames in the back-up RAM, since it only reserves 3 blocks (192 bytes) to store all that data (later it turned out to use only two blocks (128 bytes) for filenames, what?). At first I considered taking snapshots of the back-up RAM and looking at it to see if I could find a pattern to the data, but then I realized it'd be easier to just diassemble the BIOS.

So, I go dump the BIOS (savestate!), then load it in the disassembler, and look in cdbios.inc (the assembly file with all the BIOS definitions) to find where the back-up RAM functions are. I go there, and eventually end up in a jump table (one jump per function), but then...

ROM:00004836 @JumpTable:

ROM:00004836                 bra.w   BRMINIT

ROM:0000483A ; ---------------------------------------------------------------------------

ROM:0000483A                 bra.w   BRMSTAT

ROM:0000483E ; ---------------------------------------------------------------------------

ROM:0000483E                 bra.w   BRMSERCH

ROM:00004842 ; ---------------------------------------------------------------------------

ROM:00004842                 bra.w   BRMREAD

ROM:00004846 ; ---------------------------------------------------------------------------

ROM:00004846                 bra.w   BRMWRITE

ROM:0000484A ; ---------------------------------------------------------------------------

ROM:0000484A                 bra.w   BRMDEL

ROM:0000484E ; ---------------------------------------------------------------------------

ROM:0000484E                 bra.w   BRMFORMAT

ROM:00004852 ; ---------------------------------------------------------------------------

ROM:00004852                 bra.w   BRMDIR

ROM:00004856 ; ---------------------------------------------------------------------------

ROM:00004856                 bra.w   BRMVERIFY

ROM:0000485A ; ---------------------------------------------------------------------------

ROM:0000485A                 bra.w   BRMUNK1   ; Doesn't have a name

ROM:0000485E ; ---------------------------------------------------------------------------

ROM:0000485E                 bra.w   BRMUNK2   ; Doesn't have a name

Wut? There are two more functions in the jump table than are present in cdbios.inc. Huh, so yeah, looks like we have two "unused" functions in the Mega CD BIOS (this is from the "Mega-CD Model 1 BIOS V1.00 (J) [!].bin" firmware, just so you know).

Here's the code for the two functions. They're... pretty useless, and blatantly debug-like. BRMUNK1 simply reads the first block, while BRMUNK2 writes into it. This completely by-passes the filesystem, so you have been warned (though the BIOS seems to like skipping this block when storing files...)

ROM:00004862 ; BRMUNK1 (debug?)

ROM:00004862 ; Reads from the first block of BRAM

ROM:00004862 ;

ROM:00004862 ; in a0.l ... Buffer

ROM:00004862

ROM:00004862 ; =============== S U B R O U T I N E =======================================

ROM:00004862

ROM:00004862

ROM:00004862 BRMUNK1:                                ; CODE XREF: BURAM+3Cj

ROM:00004862                 movea.l BRAMAddr,a1

ROM:00004866                 move.w  #$40,d1 ; '@'

ROM:0000486A                 exg     a0,a1

ROM:0000486C                 bsr.w   LongUnmovep

ROM:00004870                 rts

ROM:00004870 ; End of function BRMUNK1

ROM:00004870

ROM:00004872 ; BRMUNK2 (debug?)

ROM:00004872 ; Writes into the first block of BRAM

ROM:00004872 ;

ROM:00004872 ; in a0.l ... Data

ROM:00004872

ROM:00004872 ; =============== S U B R O U T I N E =======================================

ROM:00004872

ROM:00004872

ROM:00004872 BRMUNK2:                                ; CODE XREF: BURAM+40j

ROM:00004872                 movem.l a2-a3,-(sp)     ; Save registers

ROM:00004876

ROM:00004876                 movea.l a0,a3           ; Write to the first block

ROM:00004878                 movea.l BRAMAddr,a1

ROM:0000487C                 movea.l a1,a2

ROM:0000487E                 move.w  #$40,d1 ; '@'

ROM:00004882                 exg     a0,a1

ROM:00004884                 bsr.w   LongMovep

ROM:00004888

ROM:00004888                 movep.l 0(a2),d0        ; Make sure the write worked

ROM:0000488C                 cmp.l   (a3),d0

ROM:0000488E                 beq.s   @Success

ROM:00004890                 move    #1,ccr

ROM:00004894

ROM:00004894 @Success:                               ; CODE XREF: BRMUNK2+1Cj

ROM:00004894                 movem.l (sp)+,a2-a3     ; Restore registers

ROM:00004898                 rts                     ; End of subroutine

ROM:00004898 ; End of function BRMUNK2

(ignore the names of LongMovep and LongUnmovep, those two are just functions that read/write arbitrary amount of data from every other byte, I called them like that because they are like the instruction MOVEP but for longer areas)

By the way, those addresses are from the viewpoint of the sub-CPU (i.e. the 68000 running in the Mega CD side). The BIOS is loaded at the beginning of PRG-RAM.

Register - Login
Views: 99390918	Main - Memberlist - Active users - Calendar - Wiki - IRC Chat - Online users Ranks - Rules/FAQ - Stats - Latest Posts - Color Chart - Smilies	04-24-22 09:21:28 AM

Query execution time:	0.073384 seconds
Script execution time:	0.005428 seconds
Total render time:	0.078812 seconds