You know about the annoying bug, when you enter service menu then quit and get a cpu error
This is the little part of the cause, by I can't find why
Some datas overwrite at the start of the ram (0 to 3f), in other word, a little part of "boot code" is rewritten and produce ppc crash
Look in debugger
----long version----
set bp on ppc at 0x6c510, run it until here
the "culprit" is the instuction at this moment of time
lwz r9,$04(r28)
meaning
r9=content of r28+4
with r28=0x001e6900
-> r9=(0x001e6904)=0x00000000
some instructions after, there are some stfs that write datas at r9+offset (this produces the bug by overlaping the start of the ram)
now observe memory at r28+4 (0x001e6904)
continue running x18 always with bp activated
then again
continue running x18 always with bp activated
(sega logo 2D)
then once more
continue running x18 always with bp activated
(3D should start here - black screen)
now at (0x001e6904), a good address is initialized
(0x001e6904)=0x001da8f0 <- this is the right address now (instead of 0x00000000 at the beginning)
----short version----
you can also add memwatch to break when r/w at the right place
fff018ec W 0 at 1da8f0
fff018ec W 0 at 1e6904
16e0 W 0 at 1da8f0
16e0 W 0 at 1e6904 <- create potential error here (set pointer to 0)
6c510 R 0 at 1e6904 <- create error at this sub (overwrite ram 0-3a with 3d coord)
6c510 R 0 at 1e6904 <- create error at this sub (overwrite ram 0-3a with 3d coord)
6c510 R 0 at 1e6904 <- create error at this sub (overwrite ram 0-3a with 3d coord)
6b44c W 001da8f0 at 001e6904 <- good pointer value here but too late, ram is already overwritten
6b234 W 0 at 1da8f0
Apparently these values that overwrite ram are about camera coordinates (or at least something about 3d floating point values)
Personnally, I can't find where the bug is in C code, I'm stuck
If someone has an idea or had found the right spot....