KOS glitch

MetalliC
DCEmu Crazy Poster
Posts: 28
Joined: Wed Apr 23, 2014 3:04 pm

KOS glitch

Post by MetalliC »

\kernel\arch\dreamcast\kernel\execasm.s
starting from line 15:

__arch_exec_template:
	mov.l		.ccraddr,r0	! Disable/invalidate cache
	mov.l		.ccrdata,r1
	mov.l		@r1,r1		! <<< this is a redundant opcode: it reads some crap from BIOS addr @0x0808,
				!     which is later used as the cache control value
	mov.l		r1,@r0
....
.ccraddr:
	.long		0xff00001c
.ccrdata:
	.long		0x00000808

Noticed this when I was tracing the "Orion Puzzle Collection" game code...
BlueCrab
The Crabby Overlord
Posts: 5652
Joined: Mon May 27, 2002 11:31 am
Location: Sailing the Skies of Arcadia

Re: KOS glitch

Post by BlueCrab »

Yeah... That definitely doesn't seem right. It's almost like the instruction before was supposed to be a mova instead of a mov.l (not that it'd make sense to turn it into a two instruction sequence there, but at least then the one you've pointed out would make sense)...
MetalliC

Re: KOS glitch

Post by MetalliC »

It's also worth inserting a bunch of nops after the write to the CCR register; at least Katana games always do it this way.

Speaking more about this particular game, it does more weird things - after selecting one of 3 minigames it does
a) load the game binary to the upper RAM area
b) execute the arch_exec_at routine, which copies the loaded binary to the start of RAM and jumps there.

But between a) and b) another routine is executed, which trashes the very start of the loaded game binary (2 pointers are written there). That routine is called not once but quite often; possibly it is a timer or sound/music player callback.

I'm not really sure how and why it works on a real DC, possibly thanks to the not properly disabled/invalidated cache in the routine mentioned earlier, so 2 bugs together make somewhat working code :)

Btw, I've seen something similar earlier in Sturmwind, and my thought was it's some kind of anti-emulator protection, but here it looks more like just a glitch, so maybe they are similar glitches in both games.
BlueCrab

Re: KOS glitch

Post by BlueCrab »

MetalliC wrote: It's also worth inserting a bunch of nops after the write to the CCR register; at least Katana games always do it this way.
You don't have to put nops right after a write to the CCR register, but you do need to have a minimum of 8 (IIRC) instructions executed before returning to execution in a cached area of memory.
MetalliC

Re: KOS glitch

Post by MetalliC »

Maybe, I can't remember the details right now.

As for the memory trashing problem, it happens during arch_auto_shutdown -> fs_ramdisk_shutdown -> free(f1->data);
Not yet sure if it's caused by some bad emulation or other bugs in KOS.

Add: another option - this game has bugs itself, but the "trash" opcodes 0x8C0E are actually some undocumented SH4 commands, possibly BF or BF/S; they have close numbers.
Ughhh, I'm sick of this...
MetalliC

Re: KOS glitch

Post by MetalliC »

Long story short - it is not a KOS issue, but the game itself.

The mentioned "Orion Puzzle Collection" first runs a game selector binary, and later one of the selected minigames - it will load its binary to the ram disk, like /ram/game.bin, then pass the data pointer to the arch_exec() function.
Wrong move, because during ram disk shutdown free() will be called on that ram disk file, and the KOS free() function changes the first 8 bytes of the data area (2 pointers are written there).

So the result will be as such:

AC010000  E5F8  MOV       #h'FFFFFFF8, R5
AC010002  8C0E  >WTF OPCODE?
AC010004  DD70  MOV.L     #h'D40BE101, R13
AC010006  8C0E  >WTF OPCODE?
AC010008  400E  LDC       R0, SR
AC01000A  D032  MOV.L     #h'8C010014, R0
AC01000C  D130  MOV.L     #h'A0000000, R1
AC01000E  201B  OR        R1, R0
AC010010  402B  JMP       R0
AC010012  0009  NOP
AC010014  D033  MOV.L     #h'8C077FC0, R0
AC010016  7002  ADD       #h'02, R0
AC010018  6001  MOV.W     @R0, R0
AC01001A  C801  TST       #h'01, R0
AC01001C  8B02  BF        h'AC010024
AC01001E  9165  MOV.W     #h'090D, R1
AC010020  A001  BRA       h'AC010026
Note: at this point R0 has 0x8C18BDC0, so this crappy value may/will be written to the SR register. I have no idea how and why this code does not hang on a real Dreamcast.
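The failure MetalliC traces in the two posts above (a ramdisk file handed to arch_exec() by data pointer, then freed by fs_ramdisk_shutdown while that pointer is still live) is a use-after-free: the first 8 bytes of the image change because the allocator stores its free-list links inside the released block, and the words 0x8C0E in the listing are the high halves of those two pointers. The C model below is an added example and is not KOS or game code. The bump pool, the 8-byte link header, the image words (opcode forms borrowed from the listing above, not the game's real prologue) and the FNV-1a checksum guard are all constructed for illustration; pool offsets stand in for the SH4's 32-bit pointers so the header is exactly 8 bytes on any host.

```c
/* Added example: toy model of "free the ramdisk file, then exec from its
 * dangling data pointer". Not the KOS allocator; constructed for the thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4096u
#define FREE_NONE 0xFFFFFFFFu            /* sentinel: no neighbour in the free list */

struct free_hdr {                        /* written INTO the freed block, like KOS free() */
    uint32_t next_off;                   /* pool offset of the next free block */
    uint32_t prev_off;                   /* pool offset of the previous free block */
};

static uint8_t  pool[POOL_SIZE];         /* stands in for Dreamcast RAM */
static uint32_t pool_top;                /* bump allocator: next unused byte */
static uint32_t free_head = FREE_NONE;   /* offset of the most recently freed block */

static void toy_reset(void) {
    memset(pool, 0, sizeof pool);
    pool_top  = 0;
    free_head = FREE_NONE;
}

static void *toy_malloc(uint32_t n) {
    n = (n + 7u) & ~7u;                  /* 8-byte aligned, never smaller than the header */
    if (n < sizeof(struct free_hdr)) n = sizeof(struct free_hdr);
    if (pool_top + n > POOL_SIZE) return NULL;
    void *p = pool + pool_top;
    pool_top += n;
    return p;
}

/* The behaviour described in the thread: the block's first 8 bytes become link fields. */
static void toy_free(void *p) {
    uint32_t new_off = (uint32_t)((uint8_t *)p - pool);
    struct free_hdr hdr = { free_head, FREE_NONE };   /* next = old head, prev = none */
    if (free_head != FREE_NONE)                       /* old head's prev now points at us */
        memcpy(pool + free_head + sizeof hdr.next_off, &new_off, sizeof new_off);
    free_head = new_off;
    memcpy(p, &hdr, sizeof hdr);                      /* clobbers the caller's data */
}

/* Constructed SH4 image; opcode forms taken from the listing in the thread. */
static const uint16_t image_words[] = {
    0xE5F8, /* MOV   #-8, R5         */  0x0009, /* NOP */
    0xDD70, /* MOV.L @(0x70,PC), R13 */  0x0009, /* NOP */
    0x400E, /* LDC   R0, SR          */  0x402B, /* JMP @R0 */
    0x0009, /* NOP                   */  0x0009, /* NOP */
};
#define IMAGE_WORDS (sizeof image_words / sizeof image_words[0])
#define IMAGE_BYTES (sizeof image_words)

/* The Dreamcast SH4 runs little-endian: store each 16-bit word LSB first. */
static void store_image(uint8_t *dst) {
    for (size_t i = 0; i < IMAGE_WORDS; i++) {
        dst[2 * i]     = (uint8_t)(image_words[i] & 0xFF);
        dst[2 * i + 1] = (uint8_t)(image_words[i] >> 8);
    }
}

/* How many 16-bit words in buf no longer match the image that was loaded. */
static int count_clobbered_words(const uint8_t *buf) {
    int bad = 0;
    for (size_t i = 0; i < IMAGE_WORDS; i++) {
        uint16_t w = (uint16_t)(buf[2 * i] | (buf[2 * i + 1] << 8));
        if (w != image_words[i]) bad++;
    }
    return bad;
}

/* FNV-1a over the image: taken at load time, re-checked right before the jump. */
static uint32_t image_checksum(const uint8_t *buf, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

/* The game's order: load to /ram, shut the ramdisk down (free), exec from the
 * stale pointer. Returns the number of image words that were trashed. */
static int buggy_exec_path(void) {
    toy_reset();
    toy_free(toy_malloc(64));            /* an earlier freed file, so next_off is a real offset */
    uint8_t *data = toy_malloc(IMAGE_BYTES);
    store_image(data);
    toy_free(data);                      /* fs_ramdisk_shutdown -> free(f->data) */
    return count_clobbered_words(data);  /* arch_exec() would copy and jump from here */
}

/* Fix: copy the image out of the ramdisk BEFORE shutdown and exec from the copy. */
static int fixed_exec_path(void) {
    static uint8_t staging[IMAGE_BYTES];
    toy_reset();
    toy_free(toy_malloc(64));
    uint8_t *data = toy_malloc(IMAGE_BYTES);
    store_image(data);
    memcpy(staging, data, IMAGE_BYTES);  /* image is now independent of the ramdisk */
    toy_free(data);
    return count_clobbered_words(staging);
}

/* Guard: does a load-time checksum catch the clobbering at exec time? 1 = yes. */
static int checksum_guard_trips(void) {
    toy_reset();
    toy_free(toy_malloc(64));
    uint8_t *data = toy_malloc(IMAGE_BYTES);
    store_image(data);
    uint32_t expected = image_checksum(data, IMAGE_BYTES);
    toy_free(data);
    return image_checksum(data, IMAGE_BYTES) != expected;
}

int main(void) {
    printf("game's order of operations: %d words clobbered\n", buggy_exec_path());
    printf("copy before shutdown:       %d words clobbered\n", fixed_exec_path());
    printf("checksum guard trips:       %d\n", checksum_guard_trips());
    return 0;
}
```

Built with `cc -Wall`, the model reports 4 clobbered words (the whole 8-byte header, exactly the damage in the listing above) for the game's sequence and 0 once the image is copied out before the ramdisk is torn down. The checksum taken at load time and re-checked immediately before the jump is the cheap guard that turns this kind of silent corruption into a detected fault instead of a jump into two free-list pointers.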