Part 7) In-system reverse-engineering.

Love that part! It's the part that wakes up the real sleuth. No more guesswork, let's see (with modern tools) what this thing is doing in real time!

This particular test is done to trace the instructions executed on the hardware itself. What you do is place Logic Analyzer probes on the address pins of the EPROM (A0 to A13, and also on its !OE pin).
Sadly I only have a 16-pin LA right now, so I could only spare ONE extra pin, which I used on the CPU's A15. Would have loved more, but this will do.
You then decode this into a series of address reads:

FFFE
FFFF ; reads the RESET vector

4011 ; LDA #$C3
4012
(...) ; same as emu, no branch anyway

loopstart:

4026 ; LDB $F892
4027
4028
4029 ; ANDB #$40
402A
402b ; BEQ $4026
402c

4026
4027
4028
4029
402A
402b
402c

4026
4027
4028
4029
402A
402b
402c

402d ; loop is done, was done exactly 3 times.
402e
(...)

Remember the MAME debugger screenshot from earlier?
You can step into the initialization phase (and more) and see which branches the real device takes, and compare that to the steps taken by your emulators. This tells you a whole lot about everything! But to know everything I would need a 200-pin LA streaming live to my PC. No such thing exists.
Last edited by plgDavid; 05/29/15 01:33 AM.
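The decoding step the post describes (address pins plus !OE captured on a logic analyzer, turned into a list of fetch addresses, loop iterations counted, and the result lined up against the emulator's trace) as an added example. This is not plgDavid's code or tooling. The capture format, the `make_capture` helper that synthesizes samples, the emulator trace that exits the loop one pass early, and the assumed EPROM window mapping (`A15_BASE`: the 16K EPROM visible at $4000 when A15=0 and at $C000 when A15=1, chosen only so the constructed samples reproduce the addresses in the post) are all assumptions; check the real board's schematic for the actual decoding.

```python
"""Decode a logic-analyzer capture of an EPROM's A0..A13 and !OE pins (plus the
CPU's A15) into the sequence of fetch addresses, count how often a polling loop
ran, and find where an emulator trace first diverges from the hardware.

Added example, not from the original post. Assumptions are labelled inline.
"""
from typing import Iterable, List, Optional, Tuple

N_ADDR = 14  # A0..A13 are the EPROM's own address pins

# ASSUMPTION (hypothetical mapping): CPU base address of the EPROM window for
# each value of A15. Chosen so the constructed capture reproduces the post's
# addresses ($FFFE/$FFFF with A15=1, $4011.. with A15=0). Real boards differ.
A15_BASE = {0: 0x4000, 1: 0xC000}

Sample = Tuple[int, int, int]  # (A13..A0 as an int, A15 bit, !OE bit)


def decode_reads(samples: Iterable[Sample]) -> List[int]:
    """Return one CPU address per EPROM read.

    The EPROM drives the data bus while !OE is low, so a read is counted on
    each falling edge of !OE (1 -> 0) and the address pins are latched at that
    sample. Further samples with !OE still low belong to the same read.
    """
    reads: List[int] = []
    prev_oe = 1
    for low, a15, oe_n in samples:
        if prev_oe == 1 and oe_n == 0:
            reads.append(A15_BASE[a15 & 1] | (low & ((1 << N_ADDR) - 1)))
        prev_oe = oe_n
    return reads


def make_capture(addresses: List[int]) -> List[Sample]:
    """CONSTRUCTED capture: synthesize LA samples for a list of fetch addresses.

    Per fetch: one idle sample (!OE high, bus still showing the previous
    address), then two samples with !OE low, because the EPROM is usually
    enabled for longer than one LA sample and must not be counted twice.
    """
    samples: List[Sample] = []
    prev_low = 0
    for addr in addresses:
        low, a15 = addr & 0x3FFF, (addr >> 15) & 1
        samples.append((prev_low, a15, 1))  # idle, !OE high
        samples.append((low, a15, 0))       # falling edge: the read
        samples.append((low, a15, 0))       # !OE still low, same read
        prev_low = low
    samples.append((prev_low, 0, 1))
    return samples


def count_consecutive_repeats(reads: List[int], start: int, body_len: int) -> int:
    """Count back-to-back repetitions of reads[start:start+body_len]."""
    body = reads[start:start + body_len]
    if body_len <= 0 or not body:
        return 0
    n, pos = 0, start
    while reads[pos:pos + body_len] == body:
        n += 1
        pos += body_len
    return n


def first_divergence(hw: List[int], emu: List[int]) -> Optional[Tuple[int, Optional[int], Optional[int]]]:
    """Index and (hardware, emulator) addresses of the first mismatch, or None."""
    for i, (h, e) in enumerate(zip(hw, emu)):
        if h != e:
            return i, h, e
    if len(hw) != len(emu):
        i = min(len(hw), len(emu))
        return i, (hw[i] if i < len(hw) else None), (emu[i] if i < len(emu) else None)
    return None


# Fetch sequence from the post: reset vector, LDA #$C3, then the 7-byte
# polling loop (LDB $F892 / ANDB #$40 / BEQ $4026) seen three times.
RESET_VECTOR = [0xFFFE, 0xFFFF]
INIT = [0x4011, 0x4012]
LOOP_BODY = list(range(0x4026, 0x402D))
AFTER = [0x402D, 0x402E]
HW_FETCHES = RESET_VECTOR + INIT + LOOP_BODY * 3 + AFTER
# CONSTRUCTED emulator trace: the emulated status bit comes up one poll early,
# so the loop body appears only twice.
EMU_FETCHES = RESET_VECTOR + INIT + LOOP_BODY * 2 + AFTER


def analyse() -> Tuple[List[int], int, Optional[Tuple[int, Optional[int], Optional[int]]]]:
    hw = decode_reads(make_capture(HW_FETCHES))
    loop_start = hw.index(0x4026)
    iterations = count_consecutive_repeats(hw, loop_start, len(LOOP_BODY))
    return hw, iterations, first_divergence(hw, EMU_FETCHES)


if __name__ == "__main__":
    hw, iterations, div = analyse()
    print(" ".join(f"{a:04X}" for a in hw))
    print(f"loop at $4026 ran {iterations} times on hardware")
    if div:
        print(f"emulator diverges at fetch #{div[0]}: hw ${div[1]:04X} vs emu ${div[2]:04X}")
```

With a real capture, replace `make_capture(...)` with the analyzer's exported samples (one tuple per sample, !OE included) and `EMU_FETCHES` with the PC trace from the emulator's debugger; the first divergence then points straight at the branch where the emulated hardware state differs from the board.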