Thanks, RB!

====================================

Now that we've got an AVG decoder, let's see if we can figure out where those vectors are coming from.

The attract screen has some objects, and the cube to the right of center that's just below the horizon line could be useful to study.

[Linked Image from i.imgur.com]

We'll pause MAME with "p" and take a look at the AVG display list disassembly.

Through process of elimination, looking at the first VCTR after a CNTR, we home in on 0x20e4. There are 8 possibilities, and this one is most likely because it is to the right of center and below the horizon.

Code
[MAME]> disavg(0x2000,260)

20e4: 8040 CMD=8 CNTR 
20e6: 1ff6 CMD=0  20e6:f6 1f 87 00 VCTR 1ff60087 0   x= 135  y=-10  i=0    ( 135,-10)
20ea: 6430 CMD=6 STAT 
20ec: 0000 CMD=0  20ec:00 00 11 20 VCTR 00002011 0   x= 17  y=  0  i=1    ( 17,  0)
20f0: 0000 CMD=0  20f0:00 00 0d 20 VCTR 0000200d 0   x= 13  y=  0  i=1    ( 13,  0)
20f4: 0000 CMD=0  20f4:00 00 ef 3f VCTR 00003fef 0   x=-17  y=  0  i=1    (-17,  0)
20f8: 0000 CMD=0  20f8:00 00 f3 3f VCTR 00003ff3 0   x=-13  y=  0  i=1    (-13,  0)
20fc: 0009 CMD=0  20fc:09 00 00 20 VCTR 00092000 0   x=  0  y=  9  i=1    (  0,  9)
2100: 0000 CMD=0  2100:00 00 11 20 VCTR 00002011 0   x= 17  y=  0  i=1    ( 17,  0)
2104: 0000 CMD=0  2104:00 00 0d 20 VCTR 0000200d 0   x= 13  y=  0  i=1    ( 13,  0)
2108: 0000 CMD=0  2108:00 00 ef 3f VCTR 00003fef 0   x=-17  y=  0  i=1    (-17,  0)
210c: 0000 CMD=0  210c:00 00 f3 3f VCTR 00003ff3 0   x=-13  y=  0  i=1    (-13,  0)
2110: 0000 CMD=0  2110:00 00 11 00 VCTR 00000011 0   x= 17  y=  0  i=0    ( 17,  0)
2114: 1ff7 CMD=0  2114:f7 1f 00 20 VCTR 1ff72000 0   x=  0  y= -9  i=1    (  0, -9)
2118: 0000 CMD=0  2118:00 00 0d 00 VCTR 0000000d 0   x= 13  y=  0  i=0    ( 13,  0)
211c: 0009 CMD=0  211c:09 00 00 20 VCTR 00092000 0   x=  0  y=  9  i=1    (  0,  9)
2120: 0000 CMD=0  2120:00 00 ef 1f VCTR 00001fef 0   x=-17  y=  0  i=0    (-17,  0)
2124: 1ff7 CMD=0  2124:f7 1f 00 20 VCTR 1ff72000 0   x=  0  y= -9  i=1    (  0, -9)
2128: 8040 CMD=8 CNTR 


Notice that all of the y moves are either 9 or -9. After the y coord goes to -10 at 20e6, it comes back up +9 at 20fc, then goes -9 at 2114, +9 at 211c, and -9 at 2124.

The y coordinate stays below the horizon at y=0, going back and forth between y=-10 and y=-1.

So let's do a trace.

First I'll set a watchpoint on writes to 0x2002 since that's where the displaylist starts (the displaylist alternates between 0x2002 and 0x2802).

Code
wp 2002,1,w
Watchpoint 1 set


In the debugger I'll enter these commands (or do a "source" from a file).

This is a good trace command because it shows you the A, X, Y and P registers along with the status flags:

Code
trace bzone.tracenoloop2002.txt,0,noloop,{tracelog "A=%02x X=%02x Y=%02x P=%02x NV__DIZC\n                    %1x%1x__%1x%1x%1x%1x\n",A,X,Y,P,((p&0x80)!=0),((p&0x40)!=0),((p&0x8)!=0),((p&0x4)!=0),((p&0x2)!=0),((p&0x1)!=0);}


Let's reformat the tracelog statement a little bit so it's easier to digest:
Code
tracelog 
"A=%02x X=%02x Y=%02x P=%02x NV__DIZC\n
                    %1x%1x__%1x%1x%1x%1x\n",
A,X,Y,P,
((p&0x80)!=0),((p&0x40)!=0),((p&0x8)!=0),((p&0x4)!=0),((p&0x2)!=0),((p&0x1)!=0);}

The noloop parameter is useful because we want to see all of the instructions executed.

I like to instrument all of the READ and WRITE activity, which helps to show the actual data moving around in the system, so we'll set some watchpoints to do it.

Code
wp 0,8000,r,1,{tracelog "READ addr=%02x data=%02x\n",wpaddr,wpdata;g}
wp 0,8000,w,1,{tracelog "WRITE addr=%02x data=%02x\n",wpaddr,wpdata;g}



Once we have these in place, we'll issue a "g" to get things started.
Code
Stopped at watchpoint 1 writing 00 to 00002002 (PC=7A70)
[MAME]> 
Stopped at watchpoint 1 writing 00 to 00002002 (PC=7A70)
[MAME]> 


It won't actually stop when it hits watchpoint 1, since there's another watchpoint that issues a "g", so we'll let it run after it hits watchpoint 1 a couple of times, then stop it with the enter key and issue "trace off".

So our cube begins drawing at location 20e4; let's search our trace for a write to that location.
We'll use less on our trace file: "less -n bzone.tracenoloop2002.txt" (-n for line numbers).


Code
/WRITE addr=20E4

  50378 7A6E: ldy #$00
  50381 A=40 X=80 Y=00 P=36 NV__DIZC
  50382                     00__0110
  50383 7A70: sta ($02), y
  50388 WRITE addr=20E4 data=40           <<<<<<<<<<<<< WRITE TO 20E4

Scanning backwards a little bit, we can see an LDA ($3b), y which looks interesting...

Code
  50235 5C68: ldy #$00
  50240 5C6A: lda ($3b), y
  50242 READ addr=3B data=D7
  50243 READ addr=3C data=74
  50244 READ addr=74D7 data=03


So let's see if we can find where $3b gets written:

Search backwards with less:
Code
? WRITE addr=3B

  50183 50B6: lda $0270, x
  50190 50B9: jsr $5c5c
  50199 5C5C: asl a
  50209 5C5E: lda $7472, y
  50212 READ addr=7490 data=D7
  50214 A=D7 X=06 Y=1E P=B4 NV__DIZC
  50216 5C61: sta $3b
  50218 WRITE addr=3B data=D7            <<<< write to 3B
  50222 5C63: lda $7473, y
  50225 READ addr=7491 data=74
  50229 5C66: sta $3c
  50231 WRITE addr=3C data=74           <<<<< write to 3C


So there's a lookup table at 7472 and the offset is 1E; the lookup address is 74D7.

Let's do a hexdump on it using a couple of Lua functions:

Code
mem=manager:machine().devices[":maincpu"].spaces["program"]

function hexdump(adr,len,peritem,perrow) peritem=peritem or 1 perrow=perrow or 8 print("HEXDUMP addr="..hex(adr,4).."  len="..hex(len).."    peritem="..peritem) local rowcount=0 for i=adr,adr+(len-1)*peritem,peritem do if rowcount%perrow ==0 then io.write(hex(i,4)..": ") end local memval=0 for n=0,peritem-1 do memval=memval|(mem:read_u8(i+n)<<((n)*8)) end io.write(hex(memval,2*peritem).." ") if ((rowcount)%perrow) == (perrow-1) then print() end rowcount=rowcount+1 end print() end
function hexdump16(adr,len,perrow) hexdump(adr,len,2,perrow) end

Code
[MAME]> hexdump16(0x7472,16)
HEXDUMP16 addr=7472  len=10
7472: 74cb 74d7 74e9 7519 7525 7525 7525 7525 
7482: 7525 7525 7525 7525 74cb 752d 753b 74d7    <<< 74d7 at offset 1E

And let's look at 74d7:
Code
[MAME]> hexdump(0x74d7,18)
HEXDUMP addr=74d7  len=12
74d7: 03 a1 0c 14 1c 04 24 2c 
74df: 34 3c 24 2a 0c 12 34 3a 
74e7: 1c ff 


What does this table do? I figured out what it does: it is the vertex table.

We'll analyze the vertex table later, but first I want to find the actual point data.

So we'll leave that for the next installment.
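
The y-move observation on the cube's display list can be checked by accumulating the relative VCTR moves from the CNTR. This is an added example, not part of the original post; it assumes 13-bit two's-complement x/y fields with a 3-bit intensity in the top of the second word, which matches the values printed in the disavg listing.

```python
# VCTR word pairs copied from the disavg listing in the post (20e6-2124), in
# listing order; the STAT at 20ea is skipped because it does not move the beam.
CUBE_VCTRS = [
    (0x1FF6, 0x0087), (0x0000, 0x2011), (0x0000, 0x200D), (0x0000, 0x3FEF),
    (0x0000, 0x3FF3), (0x0009, 0x2000), (0x0000, 0x2011), (0x0000, 0x200D),
    (0x0000, 0x3FEF), (0x0000, 0x3FF3), (0x0000, 0x0011), (0x1FF7, 0x2000),
    (0x0000, 0x000D), (0x0009, 0x2000), (0x0000, 0x1FEF), (0x1FF7, 0x2000),
]

def signed13(value):
    """Interpret the low 13 bits as two's complement (assumed field width)."""
    value &= 0x1FFF
    return value - 0x2000 if value & 0x1000 else value

def decode_vctr(w0, w1):
    """Return (dx, dy, intensity): y in word 0, x and 3-bit intensity in word 1."""
    return signed13(w1), signed13(w0), (w1 >> 13) & 0x7

def trace_beam(vctrs, origin=(0, 0)):
    """Accumulate relative moves from CNTR; return [(start, end, intensity), ...]."""
    x, y = origin
    segments = []
    for w0, w1 in vctrs:
        dx, dy, intensity = decode_vctr(w0, w1)
        start, (x, y) = (x, y), (x + dx, y + dy)
        segments.append((start, (x, y), intensity))
    return segments

def summarize(segments):
    """Split into drawn edges and blank moves and report the y range visited."""
    ys = [end[1] for _, end, _ in segments]
    drawn = [(s, e) for s, e, i in segments if i]
    return {"drawn": len(drawn), "blank": len(segments) - len(drawn),
            "y_min": min(ys), "y_max": max(ys),
            "corners": sorted({p for edge in drawn for p in edge})}

if __name__ == "__main__":
    for start, end, intensity in trace_beam(CUBE_VCTRS):
        print(f"{start} -> {end}  {'draw' if intensity else 'move'}")
    print(summarize(trace_beam(CUBE_VCTRS)))
```

The summary shows 12 drawn edges joining 8 distinct corners, all at y=-10 or y=-1, which is what a wireframe cube sitting just below the horizon should look like.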
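
The manual search with less (find the write, scan back to the indirect load, then find who filled the zero-page pointer) can be scripted over the trace file. This is an added example, not part of the original post; the sample lines are the ones quoted above with the less line numbers removed, and picking the nearest `lda ($zp), y` above the write is the same heuristic used by hand.

```python
import re
# Constructed sample: trace lines quoted in the post, in execution order, with
# the less line numbers and the register-dump lines left out.
TRACE = """\
5C5E: lda $7472, y
READ addr=7490 data=D7
5C61: sta $3b
WRITE addr=3B data=D7
5C63: lda $7473, y
READ addr=7491 data=74
5C66: sta $3c
WRITE addr=3C data=74
5C6A: lda ($3b), y
READ addr=3B data=D7
READ addr=3C data=74
READ addr=74D7 data=03
7A70: sta ($02), y
WRITE addr=20E4 data=40
""".splitlines()
ACCESS = re.compile(r"(READ|WRITE) addr=([0-9A-F]+) data=([0-9A-F]+)", re.I)
LDA_IND = re.compile(r"([0-9A-F]{4}): lda \(\$([0-9A-F]{2})\), y", re.I)

def last(lines, before, kind, addr=None, data=None):
    """Nearest READ/WRITE above line `before` as (index, addr, data), else None."""
    for i in range(before - 1, -1, -1):
        m = ACCESS.match(lines[i].strip())
        if m and m.group(1) == kind:
            a, d = int(m.group(2), 16), int(m.group(3), 16)
            if addr in (None, a) and data in (None, d):
                return i, a, d
    return None

def backtrack(lines, target):
    """Write to `target` -> nearest lda ($zp),y above it -> who filled $zp/$zp+1."""
    hit = last(lines, len(lines), "WRITE", target)
    for i in range(hit[0] - 1 if hit else -1, -1, -1):
        load = LDA_IND.match(lines[i].strip())
        if load:
            break
    else:
        return None  # no such write, or no indirect load above it
    zp = int(load.group(2), 16)
    lo, hi = last(lines, i, "WRITE", zp), last(lines, i, "WRITE", zp + 1)
    if not (lo and hi):
        return None
    src = last(lines, lo[0], "READ", data=lo[2])  # load that fed the low byte
    return {"load_pc": int(load.group(1), 16), "zp": zp,
            "pointer": hi[2] << 8 | lo[2], "table_entry": src[1] if src else None}
```

On the sample, `backtrack(TRACE, 0x20E4)` reports pointer 74D7 read through $3b at PC 5C6A, with the low byte fetched from table entry 7490, i.e. offset 1E into the table at 7472.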