MAME SVN History

199869 Revisions

r24640 Friday 2nd August, 2013 at 02:29:18 UTC by David Haywood
more puzzli2 findings (nw)

[src/mame/machine]

pgmprot_igs027a_type1.c

trunk/src/mame/machine/pgmprot_igs027a_type1.c
r24639	r24640
567	567	static int hackcount = 0;
568	568	static int hackcount2 = 0;
569	569	static int hack_47_value = 0;
570
	570	static int hack_31_table_offset = 0;
	571	static int hack_31_table_offset2 = 0;
571	572	void pgm_arm_type1_state::command_handler_puzzli2(int pc)
572	573	{
573		printf("%08x: %02x %04x\n",pc, m_ddp3lastcommand, m_value0);
574	574
575	575	switch (m_ddp3lastcommand)
576	576	{
577	577
578	578	// done before writes to 31 when getting level data, always just seems to return the 0x36 response.
579	579	case 0x54: // ??
	580	printf("%08x: %02x %04x\n",pc, m_ddp3lastcommand, m_value0);
	581
580	582	m_puzzli_54_trigger = 1;
581	583	hackcount2 = 0;
582	584	hackcount = 0;
r24639	r24640
586	588	case 0x31:
587	589	{
588	590	// how is this selected? command 54?
589		hackcount2++;
590	591
	592
591	593	/* writes the following sequence before how to play
592	594	each level has a different sequence written before it, size of sequence doesn't seem directly connected to level size (unlike the reads)
593	595	so it's probably compressed somehow as well as scrambled? 68k doesnt know in advance how big each lot of data is either, it only stops
r24639	r24640
636	638	00138278: 31 00b3 001387de: 31 00e7
637	639	00138278: 31 0034 001387de: 31 00a3
638	640
	641	the first step of decoding this is clearly a xor, with the first value written being an index
	642	into a 256 byte table..
	643
639	644	*/
640	645
	646	// these table aren't accurate yet, generated with analysis of data sent, we never
	647	// see the direct results of this operation (happens inside the MCU)
	648	/*
	649	UINT8 puzzli2_level_decode[256] = {
641	650
642		if (hackcount2<40)
	651	0x31, 0x3e, 0xb2, 0x35, 0x31, 0x22, 0xd7, 0x0d, 0x35, 0x5c, 0x8d, 0x3c, 0x79, 0x5f, 0xd4, 0xad,
	652	0x53, 0xff, 0xeb, 0x45, 0xec, 0x11, 0x68, 0x77, 0xd8, 0x34, 0x36, 0x45, 0xa6, 0xea, 0x1c, 0xc6,
	653	0x3b, 0xbd, 0xad, 0x2e, 0x18, 0xde, 0xa0, 0xa8, 0xdd, 0x52, 0x57, 0xc2, 0xe5, 0x0b, 0x00, 0x6d,
	654	0x67, 0x64, 0x14, 0x70, 0xb6, 0x39, 0x25, 0x79, 0x82, 0xd2, 0x70, 0xb9, 0x13, 0xf5, 0x92, 0x93,
	655	0xfa, 0xe5, 0x5e, 0xb0, 0xf6, 0xaf, 0x95, 0x8b, 0x7d, 0x73, 0xf9, 0x63, 0x86, 0xcb, 0x1a, 0x56,
	656	0xf1, 0x3a, 0xae, 0x62, 0x01, 0x29, 0x90, 0x22, 0x8f, 0x5c, 0x9a, 0x65, 0x74, 0x21, 0x20, 0x40,
	657	0xd3, 0x05, 0xa2, 0xe2, 0xbc, 0x9e, 0x1e, 0x10, 0x15, 0x0c, 0x8a, 0x9c, 0xec, 0x38, 0xb6, 0x9d,
	658	0x2a, 0xf5, 0x14, 0x0e, 0x85, 0xc7, 0x7d, 0xce, 0x94, 0x16, 0x48, 0xa8, 0x81, 0x6e, 0x7a, 0xd8,
	659	0xa6, 0x7f, 0x42, 0xe4, 0xa0, 0x2a, 0xef, 0xed, 0x24, 0xba, 0xb8, 0x7c, 0xcb, 0x2b, 0x90, 0xcc,
	660	0x59, 0xd1, 0xf3, 0xe2, 0x6f, 0xed, 0x9f, 0xf0, 0x4a, 0x54, 0x8d, 0x08, 0xf8, 0x51, 0x68, 0xc8,
	661	0x03, 0x0b, 0xbb, 0xc0, 0xe3, 0x4c, 0x05, 0xc5, 0x8c, 0x09, 0x0e, 0xbf, 0x62, 0x48, 0x75, 0x59,
	662	0x1d, 0x80, 0xdf, 0x60, 0x07, 0xe0, 0x1a, 0x67, 0xa5, 0xbf, 0xcd, 0x86, 0xdc, 0xc3, 0x6a, 0x4e,
	663	0xd0, 0xfc, 0xd5, 0x3f, 0x98, 0x96, 0x2f, 0x4c, 0xb3, 0xea, 0x2d, 0x75, 0xe4, 0xc0, 0x6c, 0x69,
	664	0x9b, 0xb7, 0x41, 0x8b, 0x41, 0x47, 0x02, 0xda, 0x99, 0x3d, 0xa3, 0x79, 0x10, 0x4f, 0xb4, 0x55,
	665	0x5a, 0x25, 0xf4, 0xca, 0x58, 0x30, 0xc4, 0x12, 0xa9, 0x45, 0xda, 0x91, 0xa4, 0xaa, 0xfc, 0x84,
	666	0xf8, 0x88, 0x06, 0xcf, 0xfe, 0x33, 0xd5, 0x28, 0x1c, 0x19, 0x4a, 0xb1, 0x83, 0xf3, 0x72, 0x26,
	667
	668	};
	669	*/
	670	/* alt table created with other data set, some bits differ, verify bits */
	671	UINT8 puzzli2_level_decode[256] = {
	672	0x31, 0x3e, 0xb2, 0x35, 0x31, 0x22, 0xd6, 0x0d, 0x37, 0x5c, 0x8d, 0x3c, 0x79, 0x5f, 0xd4, 0xad,
	673	0x53, 0xff, 0xe9, 0x45, 0xed, 0x11, 0x68, 0x77, 0xd8, 0x34, 0x36, 0x45, 0xa6, 0xeb, 0x1c, 0xc7,
	674	0x3b, 0xbd, 0xad, 0x2f, 0x18, 0xde, 0xa1, 0xaa, 0xdd, 0x50, 0x57, 0xc2, 0xe5, 0x0a, 0x01, 0x6d,
	675	0x67, 0x65, 0x14, 0x70, 0xb7, 0x39, 0x24, 0x79, 0x83, 0xd2, 0x71, 0xb9, 0x10, 0xf5, 0x92, 0x93,
	676	0xfa, 0xe4, 0x5e, 0xb0, 0xf6, 0xaf, 0x95, 0x8a, 0x7d, 0x73, 0xf9, 0x63, 0x86, 0xcb, 0x1a, 0x56,
	677	0xf1, 0x3a, 0xae, 0x63, 0x01, 0x29, 0x96, 0x22, 0x8f, 0x5d, 0x9a, 0x65, 0x74, 0x21, 0x20, 0x40,
	678	0xd3, 0x05, 0xa2, 0xe3, 0xbc, 0x9e, 0x1e, 0x10, 0x15, 0x0c, 0x8a, 0x9c, 0xec, 0x38, 0xb6, 0x9d,
	679	0x2a, 0xf7, 0x14, 0x0e, 0x85, 0xc7, 0x7f, 0xce, 0x94, 0x16, 0x48, 0xa9, 0x80, 0x6e, 0x78, 0xd8,
	680	0xa6, 0x7e, 0x42, 0xe4, 0xa2, 0x2b, 0xef, 0xed, 0x24, 0xba, 0xb8, 0x7e, 0xc9, 0x2b, 0x90, 0xcc,
	681	0x58, 0xd1, 0xf3, 0xe2, 0x6f, 0xed, 0x9f, 0xf0, 0x4a, 0x54, 0x8d, 0x08, 0xf8, 0x51, 0x68, 0xc8,
	682	0x03, 0x0b, 0xbb, 0xc1, 0xe2, 0x4c, 0x04, 0xc5, 0x8c, 0x09, 0x0e, 0xbf, 0x62, 0x48, 0x75, 0x59,
	683	0x1d, 0x80, 0xdf, 0x60, 0x07, 0xe2, 0x1b, 0x67, 0xa5, 0xbf, 0xcd, 0x86, 0xdc, 0xc3, 0x6a, 0x4e,
	684	0xd0, 0xfc, 0xd5, 0x3f, 0x98, 0x96, 0x2e, 0x4c, 0xb3, 0xea, 0x2d, 0x75, 0xe6, 0xc0, 0x6c, 0x69,
	685	0x9b, 0xb7, 0x43, 0x8b, 0x41, 0x47, 0x02, 0xda, 0x98, 0x3d, 0xa3, 0x79, 0x10, 0x4f, 0xb4, 0x55,
	686	0x5a, 0x25, 0xf4, 0xc8, 0x58, 0x30, 0xc4, 0x12, 0xa9, 0x45, 0xda, 0x91, 0xa4, 0xaa, 0xfc, 0x84,
	687	0xfa, 0x88, 0x06, 0xce, 0xfe, 0x32, 0xd5, 0x28, 0x1d, 0x19, 0x4b, 0xb1, 0x83, 0xf3, 0x72, 0x27,
	688	};
	689
	690	printf("%08x: %02x %04x \| ",pc, m_ddp3lastcommand, m_value0);
	691
	692
	693	// this shouldn't apply to the stuff written on startup, only the level data..
	694
	695	if (hackcount2==0)
643	696	{
	697	hack_31_table_offset = m_value0 & 0xff;
	698	hack_31_table_offset2 = 0;
	699	hackcount2++;
	700	m_valueresponse = 0x00d20000;
	701
	702	printf("(set xor table offset)\n");
	703	}
	704	else if (hackcount2<39) // how do we decide end?
	705	{
644	706	// always d2 0000 when writing doing level data
645	707	// but different for the writes on startup?
646	708	m_valueresponse = 0x00d20000;
	709	UINT8 xoredval = m_value0 ^ puzzli2_level_decode[(hack_31_table_offset + (hack_31_table_offset2&0xf))&0xff];
	710	printf("value %02x, after xor is %02x\n", m_value0, xoredval);
	711
	712	hackcount2++;
	713	hack_31_table_offset2++;
647	714	}
648	715	else
649	716	{
650	717	hackcount2=0;
651		printf("end\n");
652
	718
653	719	// 63 0006 after the last 31 write doing the how to play level data - the 06 is the width of the playfield, where does it come from?
654	720	m_valueresponse = 0x00630006;
	721
	722	UINT8 xoredval = m_value0 ^ puzzli2_level_decode[(hack_31_table_offset + (hack_31_table_offset2&0xf))&0xff];
	723	printf("value %02x, after xor is %02x (end, returning %02x as playfield width)\n", m_value0, xoredval, m_valueresponse);
	724
	725
655	726	}
656	727
657	728	}
r24639	r24640
661	732	// this is read immediately after the 31 writes before a level / how to play
662	733	case 0x13: // getting some kind of list maybe?
663	734	{
	735	printf("%08x: %02x %04x (READ LEVEL DATA) \| ",pc, m_ddp3lastcommand, m_value0);
664	736
665	737	// before how to play
666	738	// clearly the level layout, where does it come from?
667	739	UINT16 retvals[61] =
668		{ 0x0008,
	740	{ 0x0008, // depth (-2?)
669	741	0x0103, 0x0101, 0x0102, 0x0102, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, // first column
670	742	0x0103, 0x0100, 0x0101, 0x0105, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
671	743	0x0100, 0x0101, 0x0105, 0x0104, 0x0104, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
r24639	r24640
703	775
704	776
705	777	case 0x38: // Reset
	778	printf("%08x: %02x %04x (RESET)\n",pc, m_ddp3lastcommand, m_value0);
	779
706	780	m_valueresponse = 0x78<<16;
707	781	m_valuekey = 0x100;
708	782	m_puzzli_54_trigger = 0;
709	783	break;
710	784
711	785	case 0x41: // ASIC status?
	786	printf("%08x: %02x %04x (UNK)\n",pc, m_ddp3lastcommand, m_value0);
	787
712	788	m_valueresponse = 0x74<<16;
713	789	break;
714	790
r24639	r24640
717	793	// also some other gfx?
718	794	// logic here seems correct, not sure where the 0x19 and 0x5 etc. come from tho!
719	795	case 0x47:
	796	printf("%08x: %02x %04x (GFX OFF PART 1)\n",pc, m_ddp3lastcommand, m_value0);
	797
720	798	hack_47_value = ((m_value0 & 0x0700)>>8) * 0x19;
721	799	hack_47_value +=((m_value0 & 0x0007)>>0) * 0x05;
722	800	if (m_value0 & 0xf8f8) printf("unhandled 0x47 bits %04x\n", m_value0);
r24639	r24640
728	806	break;
729	807
730	808	case 0x52:
	809	printf("%08x: %02x %04x (GFX OFF PART 2)\n",pc, m_ddp3lastcommand, m_value0);
	810
731	811	//printf("which %04x\n", m_value0);
732	812
733	813	hack_47_value += m_value0 & 0x0007;
r24639	r24640
742	822
743	823
744	824	case 0x61: // ??
	825	printf("%08x: %02x %04x\n",pc, m_ddp3lastcommand, m_value0);
	826
745	827	m_valueresponse = 0x36<<16;
746	828	break;
747	829
r24639	r24640
796	878	// I think the values returned here must be connected to the values written to command 31 on startup
797	879	// 63/67 are used on startup to get the z80 music at least
798	880	case 0x63: // used as a read address by the 68k code (related to previous uploaded values like cave?) should point at a table of ~0x80 in size? seems to use values as further pointers?
	881	printf("%08x: %02x %04x (Z80 ADDR PART 1)\n",pc, m_ddp3lastcommand, m_value0);
	882
799	883	if (!strcmp(machine().system().name,"puzzli2"))
800	884	{
801	885	if (m_value0==0x0000)
r24639	r24640
856	940	break;
857	941
858	942	case 0x67: // used as a read address by the 68k code (related to previous uploaded values like cave?) directly reads ~0xDBE from the address..
	943	printf("%08x: %02x %04x (Z80 ADDR PART 2)\n",pc, m_ddp3lastcommand, m_value0);
	944
859	945	if (!strcmp(machine().system().name,"puzzli2"))
860	946	{
861	947	if ( (m_value0==0x0000) \|\| (m_value0==0x0001) \|\| (m_value0==0x0002) \|\| (m_value0==0x0003) )
r24639	r24640
891	977	break;
892	978
893	979	default:
	980	printf("%08x: %02x %04x\n",pc, m_ddp3lastcommand, m_value0);
	981
894	982	m_valueresponse = 0x74<<16;
895	983	break;
896	984	}

199869 Revisions