Part 7) In-system reverse-engineering.
Love that part! It's the part that wakes up the real sleuth. No more guesswork, let's see (with modern tools) what this thing is doing in real time!
This particular test is done to trace the instructions executed on the hardware itself. What you do is place Logic Analyzer probes on the address pins of the EPROM (A0 to A13, and also on its !OE pin).
Sadly I only have a 16-pin LA right now, so I could only spare ONE extra pin, which I used on the CPU's A15. Would have loved more but this will do.
You then decode this to a series of address reads:
FFFF ; reads the RESET vector
4011 ; LDA #$C3
(...) ; same as emu, no branch anyway
4026 ; LDB $F892
4029 ; ANDB #$40
402b ; BEQ $4026
402d ; loop is done, was done exactly 3 times.
Remember the MAME debugger screenshot from earlier?
You can step through the initialization phase (and more) and see which branches the real device takes, and compare that to the steps taken by your emulators. This tells you a whole lot about everything! But to know everything I would need a 200-pin LA streaming live to my PC. No such thing exists.
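
An added example, not code from the original post: turning a capture into EPROM read addresses (one per falling edge of !OE) and finding where the hardware first departs from an emulator trace. The 16-bit channel layout, the sample data, the emulator trace, and the assumption that the unprobed A14 is high whenever the EPROM is selected are all made up for the example.

```python
# Added example: channel layout and all sample data are constructed, not from the post.
# Assumed sample word: bits 0-13 = EPROM A0-A13, bit 14 = EPROM !OE, bit 15 = CPU A15.
NOE_BIT = 1 << 14
A15_BIT = 1 << 15

def decode_reads(samples):
    """Return one CPU address per EPROM read (falling edge of the active-low !OE)."""
    reads, prev_noe = [], NOE_BIT          # bus assumed idle (!OE high) before capture
    for word in samples:
        noe = word & NOE_BIT
        if prev_noe and not noe:           # !OE just went low: a read starts
            # A14 is not probed; assumed high whenever the EPROM is selected.
            reads.append((word & 0x3FFF) | 0x4000 | (word & A15_BIT))
        prev_noe = noe
    return reads

def first_divergence(hw_reads, emu_reads):
    """Index of the first read where hardware and emulator disagree, or None."""
    for i, (hw, emu) in enumerate(zip(hw_reads, emu_reads)):
        if hw != emu:
            return i
    shorter = min(len(hw_reads), len(emu_reads))
    return None if len(hw_reads) == len(emu_reads) else shorter

def make_samples(addresses):
    """Constructed LA samples: each read holds !OE low twice, then idles with !OE high."""
    out = []
    for addr in addresses:
        word = (addr & 0x3FFF) | (addr & A15_BIT)
        out += [word, word, word | NOE_BIT]
    return out

# Constructed read stream, opcode and operand bytes: the $4026 loop runs 3 times.
LOOP = [0x4026, 0x4027, 0x4028, 0x4029, 0x402A, 0x402B, 0x402C]
HW_READS = LOOP * 3 + [0x402D]
EMU_READS = LOOP * 1 + [0x402D]            # hypothetical emulator leaves after one pass

if __name__ == "__main__":
    hw = decode_reads(make_samples(HW_READS))
    print("loop passes on hardware:", hw.count(0x4026))
    i = first_divergence(hw, EMU_READS)
    print(f"first divergence at read {i}: hw={hw[i]:04X} emu={EMU_READS[i]:04X}")
```

Reads that do not hit the EPROM (such as the poll of $F892) never assert !OE, so they are absent from the decoded stream and have to be inferred from the instructions around them.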