Part 8) Figuring out the exact address space (ROM)
People working in the Arcade repair business do it quite a lot. They replace the board's CPU by an In-Circuit Emulator, usually a commercial product, the oldest and most trusted of these being the good old Fluke 9010A
These machines are somewhat expensive, and well (not invented here). So for all my research I've made my own and I can drive any old computer bus from the "comfort of my own PC" (YES!). I've done this for TMS52XX's and Z80's mostly (and lots of things I cant say) and making a 6809E was just a matter of some signal reprogramming and pinout matching..
Ugly but works.
You may wonder what can I do with this?
Well it allows me to read and write single bytes or blocks of data visible to the - now removed - 6809.
This is the perfect tool to figure out the address space of the system: Exactly how the RAM/ROM and special devices are mapped, especially when its not just a matter of tracing a chain of 74LS138's but when a big proprietary chip does all the address decoding which is the case for the Videoway 100pin QFP LSI, which I'll call VideoBob from now on.
However there was a problem, all my reads were wonky with lots of bad bits. I _kind of_ figured out the memory map just by "bit density", but I needed something better. Upon boot, VideoBob has a mind of its own and doesn't let the CPU access the bus at will unless we tell it to. Which is of course the first line in the firmware!
A quick write to $F88D with a value of C3 has opened up the door, and let me get a clean read of the address space.
Saving all memory from 0 to FFFF gave me this
0000:0FFF Junk... RAM?
1000:3FFF Firmware [1000;3FFF] (Partial)
4000:7FFF Firmware [0000;3FFF] (Complete)
8000:F7FF Junk... RAM?
F880:F8FF Junk... well in fact VideoBob's lair.
F900:FFFF Firmware [3900:3FFF] (Partial, but enough for IRQ/RESET vectors)
So there are 3 spots with chunks of the main firmware. [1000:3FFF] seems like a perfectly good waste of space to me... unless its banked with RAM somehow?