help ! about R4000 Disassembler

0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

I hope to find a way to access the PSP NAND flash directly.
When I use the hardware registers to access the NAND flash directly,
I can only read the NAND flash ID,
but cannot output other command data.

Code:

	LockFlash(0);
	*((volatile int*)0xbd101008) = 0x90; // Read ID command
	*((volatile int*)0xbd10100c) = 0x00;
	printf("0x%.8X\n", *((volatile int*)0xbd101300)); // data register
	printf("0x%.8X\n", *((volatile int*)0xbd101300));
	printf("0x%.8X\n", *((volatile int*)0xbd101300));
	printf("0x%.8X\n", *((volatile int*)0xbd101300));
	UnlockFlash();
So I hope to reverse engineer sceNandLock(), sceNandUnlock() and sceNandReadId() from emc_sm.prx,
but I can't understand R4000 assembler.
Please help ^^

Code:

//FW1.50 emc_sm.prx
...
// does this mean *((int*)0xbd104104)=0x90 ?
     704:  24030090  addiu      v1,zero,0x90 <- Read ID CMD ?
     708:  3c01bd10  lui        at,0xbd10
     70c:  ac231008  sw         v1,4104(at)

// *((int*)0xbd104108)=??
     710:  00003021  addu       a2,zero,32
     714:  3c01bd10  lui        at,0xbd10
     718:  ac20100c  sw         zero,4108(at)

// ??
     71c:  18a0000b  blez       zero,a1,11

// t0=*((int*)0xbd104864) ??
     720:  24030001  addiu      v1,zero,0x01
     724:  3c08bd10  lui        t0,0xbd10
     728:  8d081300  lw         t0,4864(t0)

     72c:  00863821  addu       a3,a2,32
     730:  24c60001  addiu      a2,a2,1
     734:  00c5182a  slt        v1,a1,32
     738:  10800002  beq        zero,a0,2
     73c:  310200ff  andi       v0,t0,255
     740:  a0e20000  sb         v0,0(a3)
     744:  1460fff7  bne        zero,v1,-9
     748:  24030001  addiu      v1,zero,1
     74c:  00001021  addu       v0,zero,32
     750:  3c01bd10  lui        at,0xbd10
     754:  03e00008  jr         zero,zero,32
...
PSP hardware hack
http://0okm.blogspot.com/
magiK
Posts: 21
Joined: Sun Apr 09, 2006 6:18 pm

Post by magiK »

Your disassembler's output is not very friendly :)

Code:

     704:  24030090  addiu      v1,zero,0x90       v1 = 0x90
     708:  3c01bd10  lui        at,0xbd10          at = 0xbd100000
     70c:  ac231008  sw         v1,4104(at)        *(int*)(at+0x1008) = v1
...
     714:  3c01bd10  lui        at,0xbd10          at = 0xbd100000
     718:  ac20100c  sw         zero,4108(at)      *(int*)(at+0x100C) = 0

The rest is a loop (size and buf are the parameters passed to sceNandReadId):

Code:

for(i=0;i<size;i++)
    buf[i] = *((int*)0xbd101300);

sceNandLock calls sceNandSetWriteProtect(0 or 1, depending on writeFlag) and sceSysregEmcsmBusClockEnable. sceNandUnlock calls sceNandSetWriteProtect(1) and sceSysregEmcsmBusClockDisable.

sceNandSetWriteProtect(0) reads the value from 0xBD101004, sets bit 8 to 1 (OR 0x80), writes that back to the same address and then loops reading until the bit is set. sceNandSetWriteProtect(1) reads the value, clears bit 8 and writes back. I hope I got it right :)
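The sequence magiK describes (lock, the Read ID loop, unlock), written out as a host-runnable C sketch. This is an added example, not code from the thread or from emc_sm.prx; the register offsets are the ones named in the posts, while the spin bound, the fake register array and the sample value 0x5A are my own assumptions so it runs off the PSP.

```c
#include <stdint.h>
/* Offsets within the 0xbd100000 block, as worked out in the thread. */
#define NAND_CTRL   0x1004u   /* write-protect control; 0x80 is the bit toggled */
#define NAND_CMD    0x1008u   /* command register; 0x90 = Read ID */
#define NAND_ADDR   0x100cu   /* written with 0 after the Read ID command */
#define NAND_DATA   0x1300u   /* data register; low byte stored per iteration */
#define NAND_WP_BIT 0x80u
#define NAND_SPIN_LIMIT 1000  /* assumed bound so a host run can never hang */
static inline volatile uint32_t *nand_reg(volatile uint8_t *base, uint32_t off)
{
    return (volatile uint32_t *)(base + off);
}

/* sceNandSetWriteProtect(0) as described: set the bit, poll until it reads back set. */
static int nand_lock(volatile uint8_t *base)
{
    *nand_reg(base, NAND_CTRL) |= NAND_WP_BIT;
    for (int spins = 0; spins < NAND_SPIN_LIMIT; spins++)
        if (*nand_reg(base, NAND_CTRL) & NAND_WP_BIT)
            return 0;
    return -1;  /* bit never came up */
}

/* sceNandSetWriteProtect(1): clear the bit and write back. */
static void nand_unlock(volatile uint8_t *base)
{
    *nand_reg(base, NAND_CTRL) &= ~NAND_WP_BIT;
}

/* The listing's loop: 0x90 -> CMD, 0 -> ADDR, then `andi ...,255` + `sb` per byte. */
static void nand_read_id(volatile uint8_t *base, uint8_t *buf, int size)
{
    *nand_reg(base, NAND_CMD) = 0x90;
    *nand_reg(base, NAND_ADDR) = 0;
    for (int i = 0; i < size; i++)
        buf[i] = (uint8_t)(*nand_reg(base, NAND_DATA) & 0xff);
}

/* Host demo: a constructed 8 KiB array stands in for the register block (on the PSP,
   base would be (volatile uint8_t *)0xbd100000). Returns the first ID byte, or -1. */
static int demo_read_id_on_fake_block(void)
{
    static uint32_t fake_block[0x2000 / 4];        /* keeps 32-bit alignment */
    volatile uint8_t *base = (volatile uint8_t *)fake_block;
    uint8_t id[4];
    *nand_reg(base, NAND_DATA) = 0x12345A;         /* constructed sample; low byte 0x5A */
    if (nand_lock(base) != 0) return -1;
    nand_read_id(base, id, 4);
    nand_unlock(base);
    return id[0];
}
```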
0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

magiK wrote: Your disassembler's output is not very friendly :)

Code:

     704:  24030090  addiu      v1,zero,0x90       v1 = 0x90
     708:  3c01bd10  lui        at,0xbd10          at = 0xbd100000
     70c:  ac231008  sw         v1,4104(at)        *(int*)(at+0x1008) = v1
...
     714:  3c01bd10  lui        at,0xbd10          at = 0xbd100000
     718:  ac20100c  sw         zero,4108(at)      *(int*)(at+0x100C) = 0

The rest is a loop (size and buf are the parameters passed to sceNandReadId):

Code:

for(i=0;i<size;i++)
    buf[i] = *((int*)0xbd101300);

sceNandLock calls sceNandSetWriteProtect(0 or 1, depending on writeFlag) and sceSysregEmcsmBusClockEnable. sceNandUnlock calls sceNandSetWriteProtect(1) and sceSysregEmcsmBusClockDisable.

sceNandSetWriteProtect(0) reads the value from 0xBD101004, sets bit 8 to 1 (OR 0x80), writes that back to the same address and then loops reading until the bit is set. sceNandSetWriteProtect(1) reads the value, clears bit 8 and writes back. I hope I got it right :)
^O^ Thank You
PSP hardware hack
http://0okm.blogspot.com/
groepaz
Posts: 305
Joined: Thu Sep 01, 2005 7:44 am

Post by groepaz »

Don't forget to post what you find out so I can add it to my docs :=)
0okm0000
Posts: 116
Joined: Fri Jan 13, 2006 9:51 am

Post by 0okm0000 »

groepaz wrote: Don't forget to post what you find out so I can add it to my docs :=)
NAND Flash Hardware Registers

0xbd101000
0xbd101004
0xbd101008
0xbd10100c

0xbd101014

0xbd101020
0xbd101024
0xbd101028

0xbd101038

0xbd101200

0xbd101300
PSP hardware hack
http://0okm.blogspot.com/
groepaz
Posts: 305
Joined: Thu Sep 01, 2005 7:44 am

Post by groepaz »

Here is what I already identified a while ago, btw: http://hitmen.c02.at/files/yapspd/psp_d ... tml#sec8.6

I would guess that 0xbd101200 is data (write) ... mmh