Bueno, decir que es una parte del código, poco a poco se irá completando hasta tener la transcripción completa
...
ROM:000000E5 movbu D0, (word_D98C) ! D98C (internal/external data RAM) = 20
ROM:000000E8 clr D0
ROM:000000E9 movbu D0, (word_D98C+1) ! D98C (internal/external data RAM) = 0
ROM:000000EC rets
...
ROM:0000628E sub_628E: ! CODE XREF: sub_654A+10B�p
ROM:0000628E movhu (word_DC54), D1 ; (DC54) a timer? D1 = initial timer value
ROM:00006291 setlb ; set up loop registers
ROM:00006292 movhu (word_DC54), D0 ; read current timer value
ROM:00006295 mov D1, D2
ROM:00006296 sub D0, D2 ; calc difference between inital and current timer values
ROM:00006298 mov D2, D0
ROM:00006299 exthu D0
ROM:0000629A cmp 0x6A, D0 ! 'j'
ROM:0000629C llt ; Loop for 0x6A timer increments
ROM:0000629D retf [D2], 4
ROM:0000629D ! End of function sub_628E
...
ROM:000064E4 sub_64E4: ! CODE XREF: sub_1A1D5+3 p
ROM:000064E4 ! sub_1A22C+3 p ...
ROM:000064E4 movm [D0,D1,A0,A1,MDR,LIR,LAR], (SP) ; this function saves CPU state
ROM:000064E6 mov PSW, D0
ROM:000064E8 nop
ROM:000064E9 nop
ROM:000064EA movhu D0, (A0)
ROM:000064EC movm (SP), [D0,D1,A0,A1,MDR,LIR,LAR]
ROM:000064EE rets ; return to 33C1F
ROM:000064F0 sub_64F0: ! CODE XREF: sub_1A1D5+4D p
ROM:000064F0 ! sub_1A22C+39 p ...
ROM:000064F0 movm [D0,D1,A0,A1,MDR,LIR,LAR], (SP) ; this function restores CPU state
ROM:000064F2 movhu (A0), D0
ROM:000064F4 mov D0, PSW
ROM:000064F6 nop
ROM:000064F7 nop
ROM:000064F8 movm (SP), [D0,D1,A0,A1,MDR,LIR,LAR]
ROM:000064FA rets ; return to 33C45
ROM:0000664E mov 0xD98C, A2 ; A2 = D98C
ROM:00006651 mov 0x30, D0 ! '0' ; D0 = 0x30
ROM:00006653 movbu D0, (A2) ; set bit 4 and 5 at (D98C)
ROM:00006655 call sub_628E, [D2], 4 ; call timer delay function
ROM:0000665A movbu (word_D98C+1), D0 ; read (D98D)
ROM:0000665D btst 0x10, D0 ; Is bit 4 set?
ROM:00006660 beq loc_6669 ; No, branch
ROM:00006662 bclr 0x40, (word_598) ; Yes, so (598) bit 6 = 0 (modeA?)
ROM:00006667 bra loc_6680
ROM:00006669 ! ---------------------------------------------------------------------------
ROM:00006669
ROM:00006669 loc_6669: ! CODE XREF: sub_654A+116�j
ROM:00006669 bset 0x40, (word_598) ; (598) bit 6 = 1 (modeB?)
ROM:0000666E clr D0
ROM:0000666F movbu D0, (0x8003E6D8)
ROM:00006675 mov 1, D0
ROM:00006677 mov 0x64, D1 ! 'd'
ROM:00006679 call sub_1EEB3, [D2,D3,A2], 0x10
ROM:00006680
ROM:00006680 loc_6680:
ROM:00006680 mov 0x20, D0 ! ' ' ; D0 = 0x20
ROM:00006682 movbu D0, (A2) ; clear bit 4 at (D98C)
ROM:00006684 ret [D2,A2], 0xC
ROM:00006684 ! End of function sub_654A
ROM:0001B53B sub_1B53B: ! CODE XREF: sub_1A99A+C�p
ROM:0001B53B ! sub_1DE7B�p ...
ROM:0001B53B btst 0x40, (word_598) ! '@' ; is bit 6 of (598) clear?
ROM:0001B540 beq loc_1B546 ; yes so branch
ROM:0001B542 mov 1, D0 ; no, so D0 = 1
ROM:0001B544 bra locret_1B547 ; return
ROM:0001B546 ! ---------------------------------------------------------------------------
ROM:0001B546
ROM:0001B546 loc_1B546: ! CODE XREF: sub_1B53B+5�j
ROM:0001B546 clr D0 ; D0 = 0
ROM:0001B547
ROM:0001B547 locret_1B547: ! CODE XREF: sub_1B53B+9�j
ROM:0001B547
ROM:0001B547 locret_1B547: ! CODE XREF: sub_1B53B+9�j
ROM:0001B547 rets ; return to 24F68
ROM:0001B5FE sub_1B5FE: ! CODE XREF: sub_25420+9A p
ROM:0001B5FE ! sub_25781+4F p ...
ROM:0001B5FE movhu D0, (word_634) ; store transfer length in internal RAM
ROM:0001B601 mov A0, D0 ; D0 = 3CC00
ROM:0001B603 add 0x80000000, D0 ; D0 = 0x8003CC00 (address in RAM of our target data)
ROM:0001B609 mov D0, (word_630) ; store address in internal RAM
ROM:0001B60C bclr 2, (word_5A8+1) ; clear bit 2 of (5A9) in internal RAM
ROM:0001B611 mov 5, D0
ROM:0001B613 movbu D0, (word_6D8+1) ; (6D9) in internal RAM = 5
ROM:0001B616 clr D0
ROM:0001B617 movbu D0, (word_6DA+1) ; (6DB) in internal RAM = 0
ROM:0001B61A bset 8, (word_5A5+1) ; set bit 8 of (5A6) in internal RAM
ROM:0001B61F rets ; back to 254C1
ROM:0001B621 sub_1B621: ! CODE XREF: sub_25420+CA p
ROM:0001B621 ! sub_25781+66 p ...
ROM:0001B621 movhu D0, (word_634) ; this does the same job as sub_1B5FE for transfers over 0x400 bytes
ROM:0001B624 mov A0, D0
ROM:0001B626 add 0x80000000, D0
ROM:0001B62C mov D0, (word_630)
ROM:0001B62F bclr 2, (word_5A8+1)
ROM:0001B634 mov 5, D0
ROM:0001B636 movbu D0, (word_6D8+1)
ROM:0001B639 clr D0
ROM:0001B63A movbu D0, (word_6DA+1)
ROM:0001B63D bclr 8, (word_5A5+1)
ROM:0001B642 mov A1, (word_6DC) ; only difference between sub_1B5FE and this function
ROM:0001B646 rets ; return to 254F1
ROM:0001B646 ! End of function sub_1B621
...
ROM:00024F48 movm [D2,A2], (SP)
ROM:00024F4A add 0xF8, SP ! '°'
ROM:00024F4D btst 3, (word_5B9) ; check1: are bits 0 (EVPD) and 1 (CmdDt) of packet[1] clear?
ROM:00024F52 beq loc_24F57 ; yes, so branch
ROM:00024F54 jmp loc_25013 ; no, so bail out
ROM:00024F57 ! ---------------------------------------------------------------------------
ROM:00024F57
ROM:00024F57 loc_24F57: ! CODE XREF: ROM:00024F52�j
ROM:00024F57 movbu (word_5B9+1), D0
ROM:00024F5A cmp 0, D0 ; check2: is packet[2] (page/operation code) zero?
ROM:00024F5C beq loc_24F61 ; yes, so branch
ROM:00024F5E jmp loc_25013 ; no, so bail out
ROM:00024F61 ! ---------------------------------------------------------------------------
ROM:00024F61
ROM:00024F61 loc_24F61: ! CODE XREF: ROM:00024F5C�j
ROM:00024F61 call sub_1B53B, [], 0 ; check3: get bit 6 of (598) (internal data RAM) into D0
ROM:00024F68 extb D0
ROM:00024F69 cmp 0, D0 ; was bit 6 zero?
ROM:00024F6B bne loc_24F80 ; no, so branch
ROM:00024F6D movbu (word_5BD), D0 ; yes, D0 = packet[5]
ROM:00024F70 mov 0xC0, D1 ! '+'
ROM:00024F73 and D1, D0 ; set bits 6 and 7 (both vendor specific) of packet[5] (EDIT 16th March 2006: this is a mistake, see below)
ROM:00024F75 cmp D1, D0 ; check4: are all the other bits (NACA, flag, link) zero?
ROM:00024F76 beq loc_24F80 ; yes, so branch
ROM:00024F78 mov 0xD, D0 : no, so bail
ROM:00024F7A movbu D0, (word_5D8)
ROM:00024F7D jmp loc_25018
ROM:00024F80 movbu (word_5BB+1), D2 ; D2 = allocation length
ROM:00024F83 mov D2, D1
ROM:00024F84 exthu D1 ; D1 = allocation length
ROM:00024F85 cmp 0, D1 ; is alloc length zero?
ROM:00024F87 bne loc_24F8C ; nope, so branch
ROM:00024F89 jmp loc_25018 ; yes, bail
ROM:00024F8C ! ---------------------------------------------------------------------------
ROM:00024F8C
ROM:00024F8C loc_24F8C: ! CODE XREF: ROM:00024F87�j
ROM:00024F8C mov D2, D1 ; D1 = alloc length
ROM:00024F8D exthu D1
ROM:00024F8E cmp 0x60, D1 ! '`' ; is alloc length greater 0x60?
ROM:00024F90 ble loc_24F94 ; no, so branch
ROM:00024F92 mov 0x60, D2 ! '`' ; yes, so truncate it to 0x60
ROM:00024F94
ROM:00024F94 loc_24F94: ! CODE XREF: ROM:00024F90�j
ROM:00024F94 mov unk_3CC00, D0 ; D0 = 3CC00
ROM:00024F9A mov 0x60, D1 ! '`' ; D1 = 0x60
ROM:00024F9C mov unk_9003D47C, A0 ; A0 points to flash address 9003D47C (Inquiry response data)
ROM:00024FA2 call sub_33C12, [D2,D3,A2,A3], 0x18 ; Transfer 0x60 byts of response data to RAM
ROM:00024FA9 mov SP, A2
ROM:00024FAA inc4 A2 ; A2 = top of stack
ROM:00024FAB mov A2, A1 ; A1 = top of stack
ROM:00024FAC mov unk_9003D4A0, A0 ; points to flash address 9003D5A0
ROM:00024FB2 clr D0 ; D0 = 0
ROM:00024FB3 bra loc_24FBC ; branch
ROM:00024FB5 ! ---------------------------------------------------------------------------
ROM:00024FB5
ROM:00024FB5 loc_24FB5: ! CODE XREF: ROM:00024FBF�j
ROM:00024FB5 movbu (A0), D1 ; D1 = first byte of inquiry response (device type)
ROM:00024FB7 inc A0 ; advance source ptr
ROM:00024FB8 movbu D1, (A1) ; stick device type on stack
ROM:00024FBA inc A1 ; advance destination ptr
ROM:00024FBB inc D0 ; advance counter
ROM:00024FBC
ROM:00024FBC loc_24FBC: ! CODE XREF: ROM:00024FB3�j
ROM:00024FBC exthu D0
ROM:00024FBD cmp 4, D0 ; is D0 less than 4?
ROM:00024FBF blt loc_24FB5 ; loop copies first for bytes of inquiry data to stack
ROM:00024FC1 mov 0x41, D0 ! 'A' ; D0 = 0x41
ROM:00024FC3 movbu D0, (7,SP) ; put 41 on stack
ROM:00024FC6 mov unk_3CC24, D0 ; D0 = 3CC24
ROM:00024FCC mov 4, D1 ; D1 = 4
ROM:00024FCE mov A2, A0 ; A0 = ptr to the 4 bytes we just put on the stack
ROM:00024FCF call sub_33C12, [D2,D3,A2,A3], 0x18 ; copy those 4 bytes to 3CC24 in RAM (offset 36 into the inquiry response, vendor specific)
ROM:00024FD6 mov 0x5FFC, A0 ; A0 = 5FFC (address in internal data RAM)
ROM:00024FD9 call sub_33A84, [], 8 ; check5: D0 = make_litte_endian((5FFC));
ROM:00024FE0 cmp 0xEEF8EFFA, D0 ; is the result EEF8EFFA?
ROM:00024FE6 bne loc_24FFD ; no, so branch (skips revision level overwrite)
ROM:00024FE8 mov 0x5A, D0 ! 'Z' ; yes, D0 = 5A;
ROM:00024FEA movbu D0, (4,SP) ; put 5A on stack
ROM:00024FED mov unk_3CC20, D0 ; D0 = 3CC20 (offset 32 into inquiry response, product revision level)
ROM:00024FF3 mov 1, D1 ; D1 = 1 (copy one byte)
ROM:00024FF5 mov A2, A0 ; A0 = where we just put 0x5A
ROM:00024FF6 call sub_33C12, [D2,D3,A2,A3], 0x18 ; overwrite product revision level in RAM
ROM:00024FFD
ROM:00024FFD loc_24FFD: ! CODE XREF: ROM:00024FE6�j
ROM:00024FFD bclr 0x80, (word_59E) ! 'Ç' ; clear bit 7 of (59E)
ROM:00025002 mov unk_3CC00, A0 ; A0 = start of inquiry response in RAM
ROM:00025008 exthu D2 ; D2 = alloc length
ROM:00025009 mov D2, D0 ; D0 = alloc length
ROM:0002500A call sub_1B5FE, [], 0 ; set up control variables for ATAPI transfer?
ROM:00025011 bra locret_2501D ; return (this concludes the Inquiry handler)
ROM:00025013 ! ---------------------------------------------------------------------------
ROM:00025013
ROM:00025013 loc_25013: ! CODE XREF: ROM:00024F54�j
ROM:00025013 ! ROM:00024F5E�j
ROM:00025013 mov 0xA, D0
ROM:00025015 movbu D0, (word_5D8)
ROM:00025018
ROM:00025018 loc_25018: ! CODE XREF: ROM:00024F7D�j
ROM:00025018 ! ROM:00024F89�j
ROM:00025018 mov 4, D0
ROM:0002501A movbu D0, (word_6D8+1)
ROM:0002501D
ROM:0002501D locret_2501D: ! CODE XREF: ROM:00025011�j
ROM:0002501D ret [D2,A2], 0x10 ; The concludes the Inquiry handler
ROM:00025420 sub_25420: ! CODE XREF: sub_25D27 p
ROM:00025420 mov 0x5C2, A0 ; A0 = address of last two bytes of ATAPI packet, the transfer length input
ROM:00025423 call sub_33AD8, [], 8 ; 16bit big endian to little endian conversion
ROM:0002542A movhu D0, (word_8C4) ; store transfer length input at 8C4
ROM:0002542D mov 0x5BE, A0 ; A0 = address of the 32-bit address input in the ATAPI packet
ROM:00025430 call sub_33A84, [], 8 ; 32bit big endian to little endian conversion
ROM:00025437 mov D0, A0 ; our target address goes into A0
ROM:00025439 mov D0, (word_62C) ; and gets stored at 62C
ROM:0002543C mov 0xFF000000, D2 ;
ROM:00025442 mov word_90000000, D3 ; D3 = 90000000
ROM:00025448 mov D0, D1 ; target address into D1
ROM:00025449 and D2, D1 ; zero all but MSB of target address
ROM:0002544B cmp D3, D1 ; are we accessing range 90000000 to 90FFFFFF (flash address space)?
ROM:0002544C beq loc_25493 ; yes, so branch to 25493 (this ends the handler)
ROM:0002544E movhu (word_8C4), D0 ; get transfer length
ROM:00025451 mov A0, D1 ; get target address
ROM:00025453 add D0, D1 ; D1 = address of byte after last byte to be copied
ROM:00025454 and D1, D2 ; check that target + length doesn't go into firmware
ROM:00025456 cmp D3, D2 ; does it?
ROM:00025457 beq loc_25493 ; yes, so bail
ROM:00025459 mov 0x8002EC00, D2 ; RAM is believed to be mapped at 0x80000000
ROM:0002545F cmp A0, D2 ; are we trying to access above 0x8002EC00?
ROM:00025461 bhi loc_2546B ; no, so branch to 2546B
ROM:00025463 cmp 0x80037300, A0 ; are we trying to access range 0x8002EC00 - 0x80037300?
ROM:00025469 bcs loc_25493 ; yes, so bail.
ROM:0002546B
ROM:0002546B loc_2546B: ! CODE XREF: sub_25420+41 j
ROM:0002546B cmp D1, D2 ; does target address + transfer length take us above 0x8002EC00?
ROM:0002546C bhi loc_25476 ; no, so branch to 25476
ROM:0002546E cmp 0x80037300, D1 ; does target address + transfer length take us into 0x8002EC00 - 0x80037300?
ROM:00025474 bcs loc_25493 ; yes, so bail
ROM:00025476
ROM:00025476 loc_25476: ! CODE XREF: sub_25420+4C j
ROM:00025476 mov 0x8003A000, D2 ; Another check for range 0x8003A000 - 0x8003A300
ROM:0002547C cmp A0, D2
ROM:0002547E bhi loc_25488
ROM:00025480 cmp 0x8003A300, A0
ROM:00025486 bcs loc_25493
ROM:00025488
ROM:00025488 loc_25488: ! CODE XREF: sub_25420+5E j
ROM:00025488 cmp D1, D2 ; continuing check for range 0x8003A000 - 0x8003A300
ROM:00025489 bhi loc_2549B
ROM:0002548B cmp 0x8003A300, D1
ROM:00025491 bcc loc_2549B ; if we pass checks, branch to 2549B
ROM:00025493
ROM:00025493 loc_25493: ! CODE XREF: sub_25420+2C j
ROM:00025493 ! sub_25420+37 j ...
ROM:00025493 mov 4, D0
ROM:00025495 movbu D0, (word_6D8+1)
ROM:00025498 clr D0
ROM:00025499 bra locret_254F3 ; we failed checks so we're out
ROM:0002549B loc_2549B: ! CODE XREF: sub_25420+69 j
ROM:0002549B ! sub_25420+71 j
ROM:0002549B movhu (word_8C4), D1 ; get transfer length
ROM:0002549E mov 0x400, D2
ROM:000254A1 cmp D2, D1 ; is transfer length greater than 0x400?
ROM:000254A2 bhi loc_254C3 ; yes, so branch to 254C3
ROM:000254A4 mov unk_3CC00, D0 ; D0 = 3CC00
ROM:000254AA call sub_33C12, [D2,D3,A2,A3], 0x18 ; transfer data to RAM
ROM:000254B1 mov unk_3CC00, A0 ; A0 = 3CC00 (offset into RAM of our target data)
ROM:000254B7 movhu (word_8C4), D0 ; D0 = transfer length
ROM:000254BA call sub_1B5FE, [], 0 ; set up control variables for ATAPI data transfer?
ROM:000254C1 bra loc_254F1 ; and away we go
ROM:000254C3 ! ---------------------------------------------------------------------------
ROM:000254C3
ROM:000254C3 loc_254C3: ! CODE XREF: sub_25420+82 j
ROM:000254C3 mov D2, D1 ; D1 = 0x400
ROM:000254C4 sub D2, D0 ; D0 = 0x400
ROM:000254C6 movhu D0, (word_8C4) ; overwrite tranfer length with 0x400
ROM:000254C9 mov unk_3CC00, D0 ; D0 = 3CC00
ROM:000254CF call sub_33C12, [D2,D3,A2,A3], 0x18 ; transfer 0x400 bytes of target data to RAM
ROM:000254D6 mov (word_62C), D0 ; D0 = some value in internal RAM
ROM:000254D9 mov unk_3CC00, A0 ; A0 = 3CC00 (offset into RAM of our target data)
ROM:000254DF add D2, D0
ROM:000254E0 mov D0, (word_62C)
ROM:000254E3 mov D2, D0
ROM:000254E4 mov unk_900254F6, A1
ROM:000254EA call sub_1B621, [], 0 ; set up control variables for ATAPI data transfer?
ROM:000254F1
ROM:000254F1 loc_254F1: ! CODE XREF: sub_25420+A1 j
ROM:000254F1 mov 1, D0
ROM:000254F3
ROM:000254F3 locret_254F3: ! CODE XREF: sub_25420+79 j
ROM:000254F3 ret [D2,D3], 0xC ; back to 25D2C (this concludes the 0xE7 handler)
ROM:00025BC8 add 0xFC, SP ! '³'
ROM:00025BCB movbu (word_5B7+1), D0 ; get ATAPI command code (note: packet starts at 5B8)
ROM:00025BCE cmp 0xE7, D0 ! 'þ' ; is it 0xE7?
ROM:00025BD2 beq loc_25BD6 ; yes in our case, so branch to 25BD6
ROM:00025BD6 loc_25BD6: ! CODE XREF: ROM:00025BD2 j
ROM:00025BD6 movbu (word_5B9), D0 ; get 2nd byte of ATAPI packet
ROM:00025BD9 cmp 0xE, D0 ; is it 0xE?
ROM:00025BDB bne loc_25BF3 ; not in our case, so branch to 25BF3
ROM:00025BF3 loc_25BF3: ! CODE XREF: ROM:00025BDB j
ROM:00025BF3 ! ROM:00025BE2 j ...
ROM:00025BF3 movbu (word_5B9+1), D0 ; get third byte of ATAPI packet
ROM:00025BF6 cmp 0x52, D0 ! 'R' ; is it 'R'?
ROM:00025BF8 bne loc_25C2C ; not in our case, so brach to 25C2C
ROM:00025C2C loc_25C2C: ! CODE XREF: ROM:00025BF8 j
ROM:00025C2C ! ROM:00025BFF j ...
ROM:00025C2C movbu (word_5B9+1), D0 ; get third byte of ATAPI packet
ROM:00025C2F cmp 0x49, D0 ! 'I' ; is it 'I'?
ROM:00025C31 bne loc_25C3A ; yes in our case, so don't branch
ROM:00025C33 movbu (word_5BB), D0 ; get fourth byte of ATAPI packet
ROM:00025C36 cmp 0x54, D0 ! 'T' ; is it 'T'?
ROM:00025C38 beq loc_25C42 ; yes in our case, so brach to 25C42
ROM:00025C42 loc_25C42: ! CODE XREF: ROM:00025C38 j
ROM:00025C42 movbu (word_5BB+1), D0 ; get fifth byte of ATAPI packet (subcommand code)
ROM:00025C45 cmp 1, D0 ; is it 1?
ROM:00025C47 beq loc_25CA3 ; yes in our case, so branch to 25CA3
ROM:00025CA3 loc_25CA3: ! CODE XREF: ROM:00025C47 j
ROM:00025CA3 call sub_25D27, [], 4 ; call command 0xE7 subcommand 0x01 (dump internal memory) handler
ROM:00025CA8 bra loc_25D0A
ROM:00025D27 sub_25D27: ! CODE XREF: ROM:loc_25CA3 p
ROM:00025D27 call sub_25420, [D2,D3], 0xC ; off we go again
ROM:00025D2C mov 1, D0
ROM:00025D2E ret [], 4
...
ROM:00025FA7 loc_25FA7: ! CODE XREF: sub_25D86+C1 j
ROM:00025FA7 movbu (word_5BF+1), D0
ROM:00025FAA cmp 1, D0
ROM:00025FAC bne loc_25FF4
ROM:00025FAE movbu (word_598), D0
ROM:00025FB1 mov 0x64, D1 ! 'd'
ROM:00025FB3 or 0x40, D0 ! '@'
ROM:00025FB6 or 0x10, D0
ROM:00025FB9 movbu D0, (word_598)
ROM:00025FBC clr D0
ROM:00025FBD movbu D0, (0x8003E6D8)
ROM:00025FC3 mov 1, D0
ROM:00025FC5 call sub_1EEB3, [D2,D3,A2], 0x10
ROM:00025FCA bra loc_25FF4
...
ROM:00025FF4
ROM:00025FF4 loc_25FF4: ! CODE XREF: sub_25D86+102 j
ROM:00025FF4 ! sub_25D86+10A j ...
ROM:00025FF4 clr D0
ROM:00025FF5 ret [D2], 8
ROM:00025FF5 ! End of function sub_25D86
...
ROM:000265C8 call sub_1A1D5, [A2], 0b1100 ; set (24AC) and (24B4) based on (5A4) bit 4
ROM:000265CF call sub_1A27D, [A2], 0xC ; set (626) based on (6BF) and set (6BF) to 1
ROM:000265D6 movbu (word_643+1), D0 ; D0 = page code
ROM:000265D9 cmp 9, D0 ; is page code 9?
ROM:000265DB bne loc_265F2 ; no, so branch
ROM:000265DD btst 0x40, (word_598) ! '@' ; are we in modeB?
ROM:000265E2 beq loc_26646 ; no, so bail
ROM:000265E4 btst 0x10, (word_598) ; is (598) bit 4 clear?
ROM:000265E9 bne loc_26646 ; no, so bail
ROM:000265EB bset 0x10, (unk_5A5) ; if all requirements met, then it set (5A5) bit 4
ROM:000265F0 bra loc_2664B ; return
ROM:000265F2 loc_265F2: ! CODE XREF: sub_265C8+13�j
ROM:000265F2 movbu (word_643+1), D0 ; D0 = page code
ROM:000265F5 and 0x3F, D0 ! '?' ; zero bits 6 and 7 of (644) (PS and reserved bits)
ROM:000265F8 cmp 1, D0 ; page code 1 = Read/Write Error Recovery Parameters
ROM:000265FA beq loc_26612
ROM:000265FC cmp 0x20, D0 ! ' ' ; page code 20 = vendor specific
ROM:000265FE beq loc_2661A
ROM:00026600 cmp 0x3B, D0 ! ';' ; page code 3B = vendor specific
ROM:00026602 beq loc_26622
ROM:00026604 cmp 0x3C, D0 ! '<' ; page code 3C = vendor specific
ROM:00026606 beq loc_2662A
ROM:00026608 cmp 0x3E, D0 ! '>' ; page code 3D = vendor specific
ROM:0002660A beq loc_26632
ROM:0002660C cmp 0x3A, D0 ! ':' ; page code 3A = vendor specific
ROM:0002660E beq loc_26646
ROM:00026610 bra loc_2663A ; page code does not match any of the above
ROM:00026612 ! ---------------------------------------------------------------------------
ROM:00026612
ROM:00026612 loc_26612: ! CODE XREF: sub_265C8+32�j
ROM:00026612 call sub_26B40, [D2], 8
ROM:00026617 ret [], 4
ROM:0002661A ! ---------------------------------------------------------------------------
ROM:0002661A
ROM:0002661A loc_2661A: ! CODE XREF: sub_265C8+36�j
ROM:0002661A call sub_269BE, [], 4
ROM:0002661F ret [], 4
ROM:00026622 ! ---------------------------------------------------------------------------
ROM:00026622
ROM:00026622 loc_26622: ! CODE XREF: sub_265C8+3A�j
ROM:00026622 call sub_28239, [D2,D3,A2], 0x10
ROM:00026627 ret [], 4
ROM:0002662A ! ---------------------------------------------------------------------------
ROM:0002662A
ROM:0002662A loc_2662A: ! CODE XREF: sub_265C8+3E�j
ROM:0002662A call sub_281D6, [], 4
ROM:0002662F ret [], 4
ROM:00026632 ! ---------------------------------------------------------------------------
ROM:00026632
ROM:00026632 loc_26632: ! CODE XREF: sub_265C8+42�j
ROM:00026632 call sub_2709B, [A2], 8
ROM:00026637 ret [], 4
ROM:0002663A ! ---------------------------------------------------------------------------
ROM:0002663A
ROM:0002663A loc_2663A: ! CODE XREF: sub_265C8+48�j
ROM:0002663A call sub_1B53B, [], 0 ! get modeA/B flag
ROM:00026641 extb D0
ROM:00026642 cmp 0, D0 ! Are we in modeB?
ROM:00026644 bne loc_26653 ! yes, so branch (modeA returns)
ROM:00026646
ROM:00026646 loc_26646: ! CODE XREF: sub_265C8+1A�j
ROM:00026646 ! sub_265C8+21�j ...
ROM:00026646 mov 0xB, D0
ROM:00026648 movbu D0, (word_5D8)
ROM:0002664B
ROM:0002664B loc_2664B: ! CODE XREF: sub_265C8+28�j
ROM:0002664B ! sub_265C8+DD�j ...
ROM:0002664B mov 4, D0
ROM:0002664D movbu D0, (word_6D8+1)
ROM:00026650 ret [], 4
ROM:00026653 loc_26653: ! CODE XREF: sub_265C8+7C�j
ROM:00026653 movbu (word_5C0), D0 ; D0 = paramter list length
ROM:00026656 cmp 8, D0 ; is the PLL 8? (i.e. mode parameter header only, no mode pages)
ROM:00026658 beq loc_266A7 ; yes, so branch past the mode page transfer code
ROM:0002665A movbu (word_5C0), D0
ROM:0002665D cmp 8, D0
ROM:0002665F blt loc_2669B ; bail out if PLL is less than 8
ROM:00026661 movbu (word_5C0), D0
ROM:00026664 add 0xF8, D0 ! '°'
ROM:00026666 movbu D0, (word_5C0) ; PLL -= 2 (to account for length field)
ROM:00026669 clr D0
ROM:0002666A movbu D0, (word_5F4)
ROM:0002666D movbu D0, (word_5F4+1)
ROM:00026670 bra loc_2667D ; branch into transfer loop
ROM:00026672 ! ---------------------------------------------------------------------------
ROM:00026672
ROM:00026672 loc_26672: ! CODE XREF: sub_265C8+BA�j
ROM:00026672 call sub_266AE, [D2,D3], 0xC ; calls one of nine functions based on the page code
ROM:00026677 mov D0, D1
ROM:00026678 extbu D1
ROM:00026679 cmp 0, D1
ROM:0002667B bne loc_26684 ; break out of loop if error occured
ROM:0002667D
ROM:0002667D loc_2667D: ; transfer loop entry point
ROM:0002667D movbu (word_5C0), D1 ! D1 = remaining PLL
ROM:00026680 cmp 0, D1
ROM:00026682 bne loc_26672 ; loop until all data tranfered
ROM:00026684
ROM:00026684 loc_26684: ; loop drops out here
ROM:00026684 extbu D0
ROM:00026685 cmp 3, D0
ROM:00026687 beq loc_26693 ; bail if error
ROM:00026689 cmp 1, D0
ROM:0002668B beq loc_26697 ; bail if error
ROM:0002668D cmp 0, D0
ROM:0002668F beq loc_266A7 ; successful transfer, so branch
ROM:00026691 bra loc_2669B ; bail if error
ROM:00026693 ! ---------------------------------------------------------------------------
ROM:00026693
ROM:00026693 loc_26693: ! CODE XREF: sub_265C8+BF�j
ROM:00026693 mov 0x10, D0
ROM:00026695 bra loc_2669D
ROM:00026697 ! ---------------------------------------------------------------------------
ROM:00026697
ROM:00026697 loc_26697: ! CODE XREF: sub_265C8+C3�j
ROM:00026697 mov 0xA, D0
ROM:00026699 bra loc_2669D
ROM:0002669B ! ---------------------------------------------------------------------------
ROM:0002669B
ROM:0002669B loc_2669B: ! CODE XREF: sub_265C8+97�j
ROM:0002669B ! sub_265C8+C9�j
ROM:0002669B mov 0xB, D0
ROM:0002669D
ROM:0002669D loc_2669D: ! CODE XREF: sub_265C8+CD�j
ROM:0002669D ! sub_265C8+D1�j
ROM:0002669D movbu D0, (word_5D8)
ROM:000266A0 bclr 4, (word_59C+1)
ROM:000266A5 bra loc_2664B
ROM:000266A7 ! ---------------------------------------------------------------------------
ROM:000266A7
ROM:000266A7 loc_266A7: ! CODE XREF: sub_265C8+90�j
ROM:000266A7 ! sub_265C8+C7�j
ROM:000266A7 call sub_26C3B, [D2], 8 ; this function sets (59E) bit 3 :-)
ROM:000266AC bra loc_2664B ; this branch ends the routine
...
ROM:00026FC7 movm [D2,D3,A2,A3], (SP)
ROM:00026FC9 add 0xF0, SP ! ' '
ROM:00026FCC btst 0x10, (unk_5A5) ; is (5A5) bit 4 set?
ROM:00026FD1 bne loc_26FDB ; yes, so continue
ROM:00026FD3 mov 0xB, D0 ; no, so bail out with error
ROM:00026FD5 movbu D0, (word_5D8)
ROM:00026FD8 jmp loc_27093
...
ROM:00027093 loc_27093: ! CODE XREF: ROM:00026FD8 j
ROM:00027093 ! ROM:00026FF9 j ...
ROM:00027093 mov 4, D0
ROM:00027095 movbu D0, (word_6D8+1)
ROM:00027098 ret [D2,D3,A2,A3], 0x20 ! ' '
...
ROM:0002A5A1 btst 0x10, (word_5A5) ; is (5A5) bit 4 set?
ROM:0002A5A6 beq loc_2A5CC ; no, so branch (this exits the handler)
...
ROM:0002A5DC bset 8, (word_59E) ; set (59E) bit 3
...
ROM:0002A728 mov 0x5C0, A0 ; A0 = address of 32-bit value at packet[8]
...
ROM:0002A794 call sub_33A84, [], 8 ; D0 = 32 bit value at packet[8] in little endian
ROM:0002A79B mov D0, (word_924) ; store it at (924)
ROM:0002A79E cmp 0, D0 ; is 32-bit value zero?
ROM:0002A7A0 beq loc_2A7BF ; yes, exit (without error)
ROM:0002A7A2 btst 8, (word_59E) ; no, so is (59E) bit 3 set?
ROM:0002A7A7 beq loc_2A7BA ; no, so exit (with error)
ROM:0002A7A9 cmp 0x60000, D0 ; yes, so is 32-bit value > 0x60000?
ROM:0002A7AF bhi loc_2A7BA ; yes, so exit (with error)
ROM:0002A7B1 call sub_2A7C3, [], 4 ; the call to RAM is within this short function
ROM:0002A7B6 mov 1, D0
ROM:0002A7B8 bra locret_2A7C0 ; all done, return
ROM:0002A7BA ! ---------------------------------------------------------------------------
ROM:0002A7BA
ROM:0002A7BA loc_2A7BA: ! CODE XREF: sub_2A725+82 j
ROM:0002A7BA ! sub_2A725+8A j
ROM:0002A7BA mov 0xA, D0
ROM:0002A7BC movbu D0, (word_5D8)
ROM:0002A7BF
ROM:0002A7BF loc_2A7BF: ! CODE XREF: sub_2A725+7B j
ROM:0002A7BF clr D0
ROM:0002A7C0
ROM:0002A7C0 locret_2A7C0: ! CODE XREF: sub_2A725+93 j
ROM:0002A7C0 ret [], 4
...
ROM:0002fde7: fc dc 00 00 mov 0x90000000,a0 ;chip_base is 0x90000000
ROM:0002fdeb: 00 90
ROM:0002fded: fa d0 55 55 add 0x5555,a0 ;a0 now (chip_base + 0x5555)
ROM:0002fdf1: 2c aa 00 mov 0xaa,d0
ROM:0002fdf4: f0 50 movbu d0,(a0) ;write 0xaa to (chip_base + 0x5555) (start of "Product ID entry" sequence)
ROM:0002fdf6: fc dd 00 00 mov 0x90000000,a1
ROM:0002fdfa: 00 90
ROM:0002fdfc: fa d1 aa 2a add 0x2aaa,a1 ;a1 now (chip_base + 0x2aaa)
ROM:0002fe00: 80 55 mov 0x55,d0
ROM:0002fe02: f0 51 movbu d0,(a1) ;write 0x55 to (chip_base + 0x2aaa)
ROM:0002fe04: 2c 90 00 mov 0x90,d0
ROM:0002fe07: f0 50 movbu d0,(a0) ;write 0x90 to (chip_base + 0x5555) (end of "Product ID entry" sequence)
ROM:0002fe09: cb nop
ROM:0002fe0a: cb nop
ROM:0002fe0b: fc a8 00 00 movbu (0x90000000),d0 ;read manufacturer ID from flash chip
ROM:0002fe0f: 00 90
ROM:0002fe11: fc 82 20 10 movbu d0,(0x80001020) ;flash manufacturer ID stored here (RAM)
ROM:0002fe15: 00 80
ROM:0002fe17: fc a8 00 10 movbu (0x90001000),d0 ;hmm... reading device IDs at offset 0x1000 and 0x2000 as well??
ROM:0002fe1b: 00 90
ROM:0002fe1d: fc 82 24 10 movbu d0,(0x80001024)
ROM:0002fe21: 00 80
ROM:0002fe23: fc a8 00 20 movbu (0x90002000),d0
ROM:0002fe27: 00 90
ROM:0002fe29: fc 82 28 10 movbu d0,(0x80001028)
ROM:0002fe2d: 00 80
ROM:0002fe2f: fc a8 01 00 movbu (0x90000001),d0 ;read device ID from flash chip
ROM:0002fe33: 00 90
ROM:0002fe35: fc 82 04 10 movbu d0,(0x80001004)
ROM:0002fe39: 00 80
ROM:0002fe3b: 2c aa 00 mov 0xaa,d0 ;write 0xaa to (chip_base + 0x5555) (start of "Product ID exit" sequence)
ROM:0002fe3e: f0 50 movbu d0,(a0)
ROM:0002fe40: 80 55 mov 0x55,d0
ROM:0002fe42: f0 51 movbu d0,(a1) ;write 0x55 to (chip_base + 0x2aaa)
ROM:0002fe44: 2c f0 00 mov 0xf0,d0
ROM:0002fe47: f0 50 movbu d0,(a0) ;write 0xf0 to (chip_base + 0x5555) (end of "Product ID exit" sequence)
ROM:0002fe49: cb nop
ROM:0002fe4a: cb nop
ROM:0002fe4b: f8 fe fc add -4,sp
ROM:0002fe4e: fc ff 47 02 calls 0x30095 ;wait for flash to be ready for reads
ROM:0002fe52: 00 00
ROM:0002fe54: f8 fe 04 add 4,sp
ROM:0002fe57: 85 1f mov 0x1f,d1 ;1F is Atmel MFG ID
ROM:0002fe59: fc a8 20 10 movbu (0x80001020),d0 ;previously stored flash MFG ID stored here
ROM:0002fe5d: 00 80
ROM:0002fe5f: a4 cmp d1,d0
ROM:0002fe60: c9 19 bne 0x2fe79
ROM:0002fe62: fc a8 24 10 movbu (0x80001024),d0
ROM:0002fe66: 00 80
ROM:0002fe68: a4 cmp d1,d0
ROM:0002fe69: c9 10 bne 0x2fe79
ROM:0002fe6b: fc a8 28 10 movbu (0x80001028),d0
ROM:0002fe6f: 00 80
ROM:0002fe71: a4 cmp d1,d0
ROM:0002fe72: c9 07 bne 0x2fe79
ROM:0002fe74: c9 05 bne 0x2fe79
ROM:0002fe76: cc 6e 01 jmp 0x2ffe4
...
ROM:00033A84 sub_33A84: ! CODE XREF: sub_1A1D5+32�p
ROM:00033A84 ! sub_1A1D5+42�p ...
ROM:00033A84 mov SP, A1 ; A1 = top of stack
ROM:00033A85 mov A0, (SP) ; put 5FFC on stack
ROM:00033A87 mov (A1), A0 ; A0 = 5FFC
ROM:00033A89 movbu (A0), D0 ; D0 = (5FFC)
ROM:00033A8B movbu D0, (7,SP) ; store (5FFC) on stack
ROM:00033A8E mov (A1), D0 ; D0 = 5FFC
ROM:00033A8F inc D0 ; D0 = 5FFD
ROM:00033A90 mov D0, (A1) ; store 5FFD on stack
ROM:00033A91 mov D0, A0 ; A0 = 5FFD
ROM:00033A93 movbu (A0), D0 ; D0 = (5FFD)
ROM:00033A95 movbu D0, (6,SP) ; store (5FFD) on stack
ROM:00033A98 mov (A1), D0 ; D0 = 5FFD
ROM:00033A99 inc D0 : D0 = 5FFE
ROM:00033A9A mov D0, (A1) ; blah
ROM:00033A9B mov D0, A0 ; blah
ROM:00033A9D movbu (A0), D0
ROM:00033A9F movbu D0, (5,SP) ; store (5FFE) on stack
ROM:00033AA2 mov (A1), D0 ; blah
ROM:00033AA3 inc D0
ROM:00033AA4 mov D0, (A1)
ROM:00033AA5 mov D0, A0
ROM:00033AA7 movbu (A0), D0
ROM:00033AA9 movbu D0, (4,SP) ; store (5FFF) on stack
ROM:00033AAC mov (4,SP), D0 ; D0 = ((5FFC) << 24) | ((5FFD) << 16) | ((5FFE) << 8) | (5FFF);
ROM:00033AAE
ROM:00033AAE locret_33AAE:
ROM:00033AAE retf [], 8 ; return to 24FE0
...
ROM:00033AD8 sub_33AD8: ! CODE XREF: sub_2506C+3 p
ROM:00033AD8 ! sub_250FE+3 p ...
ROM:00033AD8 mov SP, A1 ; this function converts the big endian 16 bit
ROM:00033AD9 mov A0, (SP) ; value at (A0) to a little endian 32 bit value
ROM:00033ADB mov (A1), A0 ; and returns it in D0
ROM:00033ADD movbu (A0), D0 ;
ROM:00033ADF movbu D0, (5,SP) ;
ROM:00033AE2 mov (A1), D0 ;
ROM:00033AE3 inc D0 ;
ROM:00033AE4 mov D0, (A1) ;
ROM:00033AE5 mov D0, A0 ;
ROM:00033AE7 movbu (A0), D0 ;
ROM:00033AE9 movbu D0, (4,SP) ;
ROM:00033AEC movhu (4,SP), D0 ;
ROM:00033AEF retf [], 8 ; return to 2542A
...
ROM:00033C12 sub_33C12: ! CODE XREF: sub_100FF+2C p
ROM:00033C12 ! sub_100FF+51 p ...
ROM:00033C12 mov D1, D3 ; D3 = transfer length
ROM:00033C13 mov D0, D2 ; D2 = 3CC00
ROM:00033C14 mov A0, A2 ; A2 = target address
ROM:00033C15 mov SP, A3 ; A3 points to top entry of stack
ROM:00033C16 inc4 A3 ; A3 points to second to top entry of stack
ROM:00033C17 mov A3, A0 ; now so does A0
ROM:00033C18 call sub_64E4, [], 0 ; save CPU state
ROM:00033C1F and 0xFDFF, PSW ; clear interrupt mask 1 (IM1)
ROM:00033C23 nop
ROM:00033C24 nop
ROM:00033C25 or 0x80000000, D2 ; D2 = 8003CC00
ROM:00033C2B mov D2, A0 ; so does A0
ROM:00033C2D exthu D3 ; D3 = transfer length
ROM:00033C2E clr D0 ; zero D0
ROM:00033C2F cmp D0, D3 ; is transfer zero or negative?
ROM:00033C30 ble loc_33C3D ; yep, so branch to 33C3D (exit function)
ROM:00033C32 setlb ; setup loop registers
ROM:00033C33 movbu (A2), D1 ; D1 = byte at target address
ROM:00033C35 inc A2 ; advance source pointer
ROM:00033C36 movbu D1, (A0) ; copy to address 8003CC00 (RAM)
ROM:00033C38 inc A0 ; advance destination pointer
ROM:00033C39 inc D0 ; advance counter
ROM:00033C3A exthu D0
ROM:00033C3B cmp D3, D0 ; all bytes transfered?
ROM:00033C3C llt ; yes, so branch back to 33C33
ROM:00033C3D
ROM:00033C3D loc_33C3D: ! CODE XREF: sub_33C12+1E j
ROM:00033C3D mov A3, A0 ; (A3) is where saved PSW is stored
ROM:00033C3E call sub_64F0, [], 0 ; restore CPU state
ROM:00033C45 ret [D2,D3,A2,A3], 0x18 ; return to 254B1 or 254D6 (depending on transfer length)
...
ROM:0003D5EC .byte 0 ! vendor specific
ROM:0003D5ED .byte 1 ! Read/Write error recovery params
ROM:0003D5EE .byte 0xD ! reserved
ROM:0003D5EF .byte 0xE ! CD Audio control
ROM:0003D5F0 .byte 0x2A ! * ! C/DVD capabilities and mechanical status
ROM:0003D5F1 .byte 0x18 ! reserved
ROM:0003D5F2 .byte 0x1A ! power condition
ROM:0003D5F3 .byte 0x1D ! Timeout and protect
ROM:0003D5F4 .byte 0x21 ! ! ! vendor specific
ROM:0003D5F8 .long 0x900266E6
ROM:0003D5FC .long 0x90026715
ROM:0003D600 .long 0x90026795
ROM:0003D604 .long 0x900267E9
ROM:0003D608 .long 0x90026875
ROM:0003D60C .long 0x90026894
ROM:0003D610 .long 0x900268B3
ROM:0003D614 .long 0x90026929
ROM:0003D618 .long 0x90026982
![[+risas]](/images/smilies/nuevos/risa_ani3.gif "más risas")
![[triston]](/images/smilies/nuevos/triste_ani2.gif "tristón")
![[flipa]](/images/smilies/nuevos2/flipando.gif "flipando")
![[buaaj]](/images/smilies/nuevos2/vomitivo.gif "mas potas")
![[qmparto]](/images/smilies/net_quemeparto.gif "Que me parto!")
![[burla3]](/images/smilies/nuevos/burla_ani2.gif "burla3")
Como puedo hacerlo???
![[oki]](/images/smilies/net_thumbsup.gif "Ok!")
para cuando sacaras el firmware???
![[borracho]](/images/smilies/nuevos/borracho_ani1.gif "borracho")
![[noop]](/images/smilies/net_thumbsdown.gif "Nop")
y he dado motivos mas que suficientes para que asi lo sea 
![[tadoramo]](/images/smilies/adora.gif "Adorando")
![[beer]](/images/smilies/nuevos2/brindando.gif "brindis")