Boot-up data transferred to Real3D

Technical discussion for those interested in Supermodel development and Model 3 reverse engineering. Prospective contributors welcome.
Forum rules
Keep it classy!

  • No ROM requests or links.
  • Do not ask to be a play tester.
  • Do not ask about release dates.
  • No drama!

Re: Boot-up data transferred to Real3D

Postby Bart » Fri Sep 01, 2017 6:44 am

Right, that's what I'm seeing. LA Machineguns definitely set it well before any 3D graphics are displayed, after initially setting it to what appears to be the common default. I haven't checked any Step 1.x games yet.

Shift-DR, Exit1-DR, etc. are just states in the state machine. JTAG allows for arbitrary length data and instruction registers that are loaded up one bit at a time via a serial protocol that involves a clock to shift one bit at a time and then a signal called TMS which is used to transition to the next state. Shift-DR shifts into (and out of) whatever data register is selected by the current contents of the instruction register. My logging might be buggy. I'm incrementing a bit counter on each Shift-DR tick and each time it gets to 32, I print out the last 32 bits and reset. I also then do it again on Exit1-DR, which is an intermediate state when shifting is done, to log any remaining bits. I might need to rewrite the JTAG code from scratch to be a little clearer and more flexible. It's now only designed to shift out the ASIC ID codes.

The state machine is conceptually simple. The software makes two writes in order to drive the machine once: first, it writes data with the CLK bit 0 and then it writes it again with 1. The transition from 0->1 is what advances the machine (because underneath, that CLK bit is tied to an actual CLK signal in the digital logic that comprises the TAP port). In addition to the clock, there is a TDI bit which is the data being supplied as input (for those states that use it) and a TMS bit which determines where the state machine will go on the next clock cycle. Each state can advance to one of two next states based on TMS being 0 or 1. Often times, one of those two states is the current state (as in Shift-DR and Shift-IR).

The complexity lies in the fact that we have no idea how many data registers there are, what their sizes are, etc. The protocol doesn't define any of that. Theoretically should be possible to deduce with proper logging by seeing how many bits are shifted for a given instruction. But I think I've seen some weird behavior that doesn't make complete sense to me.

Here's the state machine:

Image

And here's the state machine with a schematic block diagram of what an actual implementation circuit would look like:

Image

Not sure how familiar you are with digital logic but this is really simple if you look carefully. The TDI bit is fed into all these shift registers simultaneously (instruction register and all data registers that the designers decide to create). As you clock the state machine in the shift IR or shift DR state, all the registers get loaded up simultaneously.

IR (instruction register) is fed into a decoder which looks at the value and produces a signal into the multiplexer that all data registers feed into. Only one of those data registers is selected and allowed to pass through. Lastly, even that is multiplexed with the instruction register based on whether you were in Shift-DR or Shift-IR to shift back out via a TDO bit to the CPU for when it wants to read. I think there is one thing missing here and that is the Capture/Update states. This diagram suggests the boundary scan registers, which would connect directly to device IO pins, are always connected, which cannot be correct. I think there is a state that happens after you finish shifting in the data register which then actually allows that register to output its values to whatever it's connected to.

With this simple scheme, the designers of an ASIC can implement any kind of debug functionality they want, including access to internal chip signals for hardware engineers to perform live testing on.
User avatar
Bart
Site Admin
 
Posts: 2058
Joined: Thu Sep 01, 2011 2:13 pm
Location: New York City

Re: Boot-up data transferred to Real3D

Postby Ian » Fri Sep 01, 2017 10:13 am

Bart, if you have some time log the rest of the games. Hopefully there won't be any anomolies :)
Ian
 
Posts: 1216
Joined: Tue Feb 23, 2016 9:23 am

Re: Boot-up data transferred to Real3D

Postby Bart » Fri Sep 01, 2017 12:24 pm

I'll try to do that tonight. What about the signed fixed shading values, by the way? I recall you and Harry discussing whether they are signed/unsigned varies for certain games? If you look at the values I posted, a couple games set other bits, too.

If we decide that this TAP instruction is really being used to modify the rendering pipeline, a method should be added to the IRender3D interface to control this setting dynamically at run-time. SetSunlightClampEnable(bool enable)?
User avatar
Bart
Site Admin
 
Posts: 2058
Joined: Thu Sep 01, 2011 2:13 pm
Location: New York City

Re: Boot-up data transferred to Real3D

Postby Ian » Fri Sep 01, 2017 1:10 pm

As far as i know it's only star wars that uses un signed values, no idea why.
Some interface like that would be perfect
Ian
 
Posts: 1216
Joined: Tue Feb 23, 2016 9:23 am

Re: Boot-up data transferred to Real3D

Postby Bart » Fri Sep 01, 2017 1:38 pm

Ian wrote:As far as i know it's only star wars that uses un signed values, no idea why.
Some interface like that would be perfect


That makes me nervous because it just so happens Star Wars has its JTAG stuff patched out. Most of it just inhibits the service menu from running but there's one patch that, if enabled, goes into some crazy JTAG-related loop and prevents the game from progressing. I can't know whether it will actually write the instructions we are looking for or not if this is fixed...
User avatar
Bart
Site Admin
 
Posts: 2058
Joined: Thu Sep 01, 2011 2:13 pm
Location: New York City

Re: Boot-up data transferred to Real3D

Postby Bart » Fri Sep 01, 2017 1:48 pm

Here's what the other Step 2.x games write to TAP. When I write "..." that means that some time has passed. I ran each game up until attract mode.

All Step 1.x games write these instructions as well but always write 0 for all bits.

Code: Select all
oceanhun

TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000001
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000002
TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000001
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000002


Code: Select all
harley

TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000001
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000002
TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000001
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000002


Code: Select all
fvipers2

TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000000
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000000
TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000000
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000000


Code: Select all
vs2v99a
vs299
vs298
vs2v991
vs2

TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000000
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000000
TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000000
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000000


Code: Select all
spikeout
spikeofe

TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000000
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000000
TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000000
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000000


Code: Select all
skichamp

TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000001
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000002
TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000001
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000002

...

TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000000
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000000
TAP: Update-IR 3FFFFFA3FFFE
TAP:Shift-DR: 02000000
TAP:Exit1-DR: 00000000
TAP: Update-IR 3FFFFFFD1FFE
TAP:Shift-DR: 04000000
TAP:Exit1-DR: 00000000
User avatar
Bart
Site Admin
 
Posts: 2058
Joined: Thu Sep 01, 2011 2:13 pm
Location: New York City

Re: Boot-up data transferred to Real3D

Postby Ian » Fri Sep 01, 2017 2:42 pm

Looks like no other games use that bit ? :)
Ian
 
Posts: 1216
Joined: Tue Feb 23, 2016 9:23 am

Re: Boot-up data transferred to Real3D

Postby Bart » Fri Sep 01, 2017 6:07 pm

Agreed. It looks very promising. Great job noticing these writes were being made! Give me a few days to rework the TAP code into its own, cleaner module. I know there are other important things lurking in there and I need better facilities to log and debug, too. A I'm a bit busy for that Sept. 15 VR festival deadline but I'll get this worked in.
User avatar
Bart
Site Admin
 
Posts: 2058
Joined: Thu Sep 01, 2011 2:13 pm
Location: New York City

Re: Boot-up data transferred to Real3D

Postby Bart » Sat Sep 23, 2017 10:15 am

New JTAG code is almost ready! I'll need to revert some changes in my local branch that I made to Model3.cpp and Real3D.cpp for frame timing because I don't think we want those submitted yet.
User avatar
Bart
Site Admin
 
Posts: 2058
Joined: Thu Sep 01, 2011 2:13 pm
Location: New York City

Re: Boot-up data transferred to Real3D

Postby Ian » Sat Sep 23, 2017 3:45 pm

Sounds good Bart :)
How much work you got left to finish it ?
Ian
 
Posts: 1216
Joined: Tue Feb 23, 2016 9:23 am

PreviousNext

Return to The Dark Room

Who is online

Users browsing this forum: YoYo09 and 4 guests