
Tomy Tutor ROM - Community attempt to disassemble the System Rom



created a tool to remove the added screen bias from the binaries to reveal more ASCII Text.

Those texts can be nicely used as anchors for the comparisons and tell me how the memory locations need to be adapted.


Awesome that the GPL code is in CPU memory, even if it is within the rom chip I didn't initially expect.

Once we have the full picture, we will know if that advantage was optimally used or if they still only called some complicated function to read a single GPL byte.


was a bit stuck with Gpl disassembling on tutor1.bin

finally made TIImageTool disassemble the whole 32K as GPL (not assembly!) and not stop handling the file on every occurrence of a FMT command (byte >08).

tutor1.dis

 

Now the big step is to find which memory locations of the Rom1 (tutor1.bin) contain GPL code, which contain GPL DATA, which contain Assembly code, which contain Assembly DATA.

 


  • 2 weeks later...

Some updates happened...

On 23rd October I created a 90 minute video, which was streamed last Saturday by the Chicago TIUG:

 

Since the recording happened, the process continued and was covered here.

All the source code files have been published on github.

 

The ROM1 chip (>0000 to >7FFF, 32KByte) contains both GPL and Assembler code.
It is therefore setting some extra challenges identifying what is

- Tms9900 Assembler instructions

- DATA referred by Tms9900 Assembler instructions

- GPL instructions

- DATA referred by GPL instructions.

 

I identified only some GPL parts so far, having the fully adapted "BASIC KEYWORD TABLE" inside the ALCS GPL source code, the Tomy has that from >6A1A to >6BB2.

 

I created a list of how many times each type of GPL instruction occurs in a potential GPL Disassembly of ROM1 and how many times that same type of GPL instruction is occurring in the XB Grom files, but this didn't help too much in finding similar sequences of instructions.

Then I explored the debugging features of MAME when running Tomy Tutor, I thought it would help knowing which different values the Tms9900 PC (Program Counter) has during the start of the machine and when using the system/basic. The PC is the CPU register that refers to the address of the currently executed machine instruction. All those addresses the PC gets during runtime are for sure Assembly instructions, and are verified to not be GPL, and they are further verified to not be DATA but actual instructions. And they further verify that an instruction starts at this address; not a byte earlier or later but exactly at this byte, a big help in disassembling, when some instructions are one byte, some are two bytes and some are three bytes.

 

This is how you do that:

You start mame with the "-debug" option, and then in the debug window you enter trace mode by "trace tomytrace.log" to get a text file with a line for the address of each executed instruction. Then I played around in the emulator to use most of the system. The huge text file then got processed to have each address only once and sorted.

 

Now we have a nice list of 1705 CPU addresses which are verified addresses of assembler instructions in ROM1.

As a bonus we have 97 additional CPU addresses which are verified assembler instructions in the unexplored beginning and end of ROM2.

These are not just assumptions by a disassembler, these are verified to be assembler instructions because the PC (Program Counter) had their address in its register.

 

This will allow:

 - searching those sequences of assembler instructions in TI system source code.

 - not losing time to try to identify GPL instructions within those ROM1 addresses.

 

Then I started creating source code files from this text file to generate the binary content for ROM1. I have finished all from >2A4C and higher. Still need to do >0020 to >263A.

I did not add any disassembled instructions between the addresses the PC really was executing, even though if there is only a few bytes in between there is a high chance we are talking about assembly code as well, but the point was to use only verified instructions. The process can be improved by playing around in the emulator and trying all features of the system to reach most of the used assembly instructions.

 

Here is the visual comparison of ROM1 from >2880 forward.

 

Even though I have identified some GPL parts in ROM1, this binary is the pure output of the tms9900 assembler.

 

>2880 to >2CFF [image]

>2D00 to >317F [image]

>3180 to >35FF [image]

>5100 to >557F [image]

>5580 to >59FF [image]

>5A00 to >5E7F [image]

>5E80 to >62FF [image]

>6300 to >677F [image]

>6780 to >6BFF [image]

>7080 to >74FF [image]

 

 

 

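The trace-processing step described in the post above (reduce the MAME trace to a sorted list of unique executed addresses, keep those inside ROM1, and leave everything between them unverified), as an added example that is not part of the original thread or the poster's published code. Assumptions: each trace line starts with a hex address followed by a colon, other lines (blank lines, loop notes) carry no address, and no single instruction is longer than 6 bytes; the sample trace is constructed.

```python
import re

ROM1_START, ROM1_END = 0x0000, 0x7FFF   # ROM1 range as stated in the post

# Assumed trace line shape: "<hex address>: <disassembly text>"
TRACE_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4,8}):\s+\S")

# Constructed sample, not taken from a real Tomy Tutor trace.
SAMPLE_TRACE = """\
2A4C: li   r0,>0300
2A50: mov  r0,@>8000
2A54: jne  >2A4C
2A4C: li   r0,>0300
2A50: mov  r0,@>8000
2A54: jne  >2A4C

   (loops for 3 instructions)

2A56: b    @>6C00
6C00: clr  r1
6C02: inc  r1
8010: rt
""".splitlines()

def fmt(addr):
    """Format an address in the thread's >XXXX notation."""
    return f">{addr:04X}"

def verified_addresses(trace_lines):
    """Sorted unique PC values; lines without an address are skipped."""
    seen = set()
    for line in trace_lines:
        m = TRACE_LINE.match(line)
        if m:
            seen.add(int(m.group(1), 16))
    return sorted(seen)

def split_by_rom1(addresses):
    """Separate addresses inside ROM1 from everything else."""
    rom1 = [a for a in addresses if ROM1_START <= a <= ROM1_END]
    other = [a for a in addresses if not ROM1_START <= a <= ROM1_END]
    return rom1, other

def unverified_gaps(addresses, max_insn_len=6):
    """Byte ranges between verified instructions that the earlier
    instruction cannot cover (max_insn_len is an assumed upper bound)."""
    return [(prev + max_insn_len, nxt - 1)
            for prev, nxt in zip(addresses, addresses[1:])
            if nxt - prev > max_insn_len]
```

Running `unverified_gaps` on the ROM1 list gives the ranges that still need classifying as GPL, data, or assembly the emulator session never reached.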
