Hi All,
This is a project spun off from the SNES-Tap discussion in another thread. SNES-Hook is designed to be an extreme simplification of the hijack functionality of SNES-Tap. It is intended to work in conjunction with byuu's Controller Port Serial Cable to load executable code from the serial cable into WRAM and execute it prior to the processor ever executing any code in the cartridge slot. It is essentially a primary bootloader for the SNES.
It works like this:
1) SNES powers up with the SNES-Hook in the expansion port and any cart in the cartridge slot
2) At start the processor accesses $00:FFFC & $00:FFFD (emu reset vector located at cart) to jump to the initial code to execute
3) The CPLD on the snes-hook observes changes on the address bus B (specifically searching for $FC-$FD)
-- Address bus A addresses bits 7:0 are aliased onto address bus b
4) SNES-Hook performs a glitch on the DATA bus for those two bus cycles forcing the vector address to be $00:2184
5) The CPU jumps to $00:2184 to start execution (and not the cart)
-- $00:2184 is addressed to a RAM on the SNES-Hook which has 124 bytes of bootcode
All the board design files and verilog reference can be found here:
https://github.com/defparam/snes-hook
Here are the initial 3D models of the device:
http://i.imgur.com/t2GpvP1.png
http://i.imgur.com/vU9wJTo.png
http://i.imgur.com/ZlYJ9bf.png
http://i.imgur.com/cwqZKxj.png
http://i.imgur.com/mgFcYMA.png
UPDATE: Boards are back from OSHPark, components have been assembled on board, byuu's test bootloader tested WORKING on SNES console. (the bootcode takes over the console, paints the screen blue and stops the processor).
There are some CARTs which the glitch is working on (Rockman X, Jurassic Park, Megaman 7) and some carts which it isn't (Rockman X2, X3). This could just be a timing issue. I'm currently debugging.
Here are some pictures of the device fully assembled (sorry for the crappy camera):
https://raw.githubusercontent.com/defpa ... oard_1.bmp
https://raw.githubusercontent.com/defpa ... oard_2.bmp
https://raw.githubusercontent.com/defpa ... oard_3.bmp
If you would like to purchase the bareboard you can buy it from OSHPark here: (I believe its about $7 for 3 bareboards)
https://www.oshpark.com/shared_projects/TfNKjUM6
Host interfaces were not added to this board as it is intended to be extremely simple and leverage the controller port serial cable for host access. For a more complex expansion port loader with formal host interfaces stay tuned for updates to SNES-Tap in the next coming months.
I've built 9 of these boards to send to byuu. He can explain more details on how we can leverage these devices to quickly dump carts, test hardware co-processors and load home brew executable to leverage cart hardware.
Thanks!
defparam
This is a project spun off from the SNES-Tap discussion in another thread. SNES-Hook is designed to be an extreme simplification of the hijack functionality of SNES-Tap. It is intended to work in conjunction with byuu's Controller Port Serial Cable to load executable code from the serial cable into WRAM and execute it prior to the processor ever executing any code in the cartridge slot. It is essentially a primary bootloader for the SNES.
It works like this:
1) SNES powers up with the SNES-Hook in the expansion port and any cart in the cartridge slot
2) At start the processor accesses $00:FFFC & $00:FFFD (emu reset vector located at cart) to jump to the initial code to execute
3) The CPLD on the snes-hook observes changes on the address bus B (specifically searching for $FC-$FD)
-- Address bus A addresses bits 7:0 are aliased onto address bus b
4) SNES-Hook performs a glitch on the DATA bus for those two bus cycles forcing the vector address to be $00:2184
5) The CPU jumps to $00:2184 to start execution (and not the cart)
-- $00:2184 is addressed to a RAM on the SNES-Hook which has 124 bytes of bootcode
All the board design files and verilog reference can be found here:
https://github.com/defparam/snes-hook
Here are the initial 3D models of the device:
http://i.imgur.com/t2GpvP1.png
http://i.imgur.com/vU9wJTo.png
http://i.imgur.com/ZlYJ9bf.png
http://i.imgur.com/cwqZKxj.png
http://i.imgur.com/mgFcYMA.png
UPDATE: Boards are back from OSHPark, components have been assembled on board, byuu's test bootloader tested WORKING on SNES console. (the bootcode takes over the console, paints the screen blue and stops the processor).
There are some CARTs which the glitch is working on (Rockman X, Jurassic Park, Megaman 7) and some carts which it isn't (Rockman X2, X3). This could just be a timing issue. I'm currently debugging.
Here are some pictures of the device fully assembled (sorry for the crappy camera):
https://raw.githubusercontent.com/defpa ... oard_1.bmp
https://raw.githubusercontent.com/defpa ... oard_2.bmp
https://raw.githubusercontent.com/defpa ... oard_3.bmp
If you would like to purchase the bareboard you can buy it from OSHPark here: (I believe its about $7 for 3 bareboards)
https://www.oshpark.com/shared_projects/TfNKjUM6
Host interfaces were not added to this board as it is intended to be extremely simple and leverage the controller port serial cable for host access. For a more complex expansion port loader with formal host interfaces stay tuned for updates to SNES-Tap in the next coming months.
I've built 9 of these boards to send to byuu. He can explain more details on how we can leverage these devices to quickly dump carts, test hardware co-processors and load home brew executable to leverage cart hardware.
Thanks!
defparam