Sorry for not getting back on this. I have been waiting for replies on the jbug11 mailing list. The program I use, jbug11, has recently came out in a new version, but after installing it, it doesn't work (getting segmentation violation), so I am waiting for some assistance myself.
Will give you an update when I've got something. Patience...
Will give you an update when I've got something. Patience...
Hello iampivot,
How about the SACD patch? And please help me one more thing. This is the program from Krell KAV-400xi amplifier. I bought this Krell amp and SACD from the US, but now I can't use both of them.
Please help me, cause Krell said that I must send SACD and Amp to the US for the conversion.
I'm very sorry for my bothers, but I can't ask help from another.
Thanks you so so much! And I'm waiting for you everyday.
How about the SACD patch? And please help me one more thing. This is the program from Krell KAV-400xi amplifier. I bought this Krell amp and SACD from the US, but now I can't use both of them.
Please help me, cause Krell said that I must send SACD and Amp to the US for the conversion.
I'm very sorry for my bothers, but I can't ask help from another.
Thanks you so so much! And I'm waiting for you everyday.
Amp dissassembly
Hi,
I dissassembled your s19 file and found the routine that checks the mains cycle
I dont have time to analyze which of the returns actually enables the amplifier. The thing that needs to be modified thoug is the instruction at address $D4FA.
The A accumulator contains either 0 or 1 after meassuring the cycle perid of the mains power.
When I get more time I will analyze how to change it to remove the "bug"
Regards /// Carl-Fredrik
Hi,
I dissassembled your s19 file and found the routine that checks the mains cycle
Code:
D4D4 3C LD4D4: pushX
D4D5 18 3C pushY
D4D7 CE 10 00 ldX #$1000
D4DA 18 CE 00 00 ldY #$0000
D4DE 1E 00 08 FC LD4DE: brset 0, X, #%00001000, LD4DE
D4E2 1F 00 08 FC LD4E2: brclr 0, X, #%00001000, LD4E2
D4E6 18 08 @0 incY
D4E8 01 nop
D4E9 01 nop
D4EA 1E 00 08 F8 brset 0, X, #%00001000, @0
D4EE 18 08 @1 incY
D4F0 01 nop
D4F1 01 nop
D4F2 1F 00 08 F8 brclr 0, X, #%00001000, @1
D4F6 18 8C 09 25 cmpY #$0925
D4FA 23 06 bls @2
D4FC 86 01 ldaA #$01
D4FE 18 38 popY
D500 38 popX
D501 39 ret
;
D502 4F @2 clrA
D503 18 38 popY
D505 38 popX
D506 39 retI dont have time to analyze which of the returns actually enables the amplifier. The thing that needs to be modified thoug is the instruction at address $D4FA.
The A accumulator contains either 0 or 1 after meassuring the cycle perid of the mains power.
When I get more time I will analyze how to change it to remove the "bug"
Regards /// Carl-Fredrik
Audio_cf,
thanks for disassembling this, I'm still waiting to get my jbug11 installation working..
Can you check the code that calls the subroutine you disassembled (a call like JSR $D4D4)? There's probably a conditional jump on the return value. The code can probably be patched in the same way as on the 300iL. It had the conditional jump at address D3B9.
This disassembly was for the 400xi code, right?
thanks for disassembling this, I'm still waiting to get my jbug11 installation working..
Can you check the code that calls the subroutine you disassembled (a call like JSR $D4D4)? There's probably a conditional jump on the return value. The code can probably be patched in the same way as on the 300iL. It had the conditional jump at address D3B9.
This disassembly was for the 400xi code, right?
This is the mains cycle check routine in the SACD player
Here its the instruction at address $D37A that needs to be changed. I will look at this when I get more time. It seems though that if execution jumps to @2 you will enter a infinite loop. So I assume that should be avoided.
/// Carl
Code:
D354 3C LD354: pushX
D355 18 3C pushY
D357 CE 10 00 ldX #$1000
D35A 18 CE 00 00 ldY #$0000
D35E 1E 0A 02 FC LD35E: brset 10, X, #%00000010, LD35E
D362 1F 0A 02 FC LD362: brclr 10, X, #%00000010, LD362
D366 18 08 @0 incY
D368 01 nop
D369 01 nop
D36A 1E 0A 02 F8 brset 10, X, #%00000010, @0
D36E 18 08 @1 incY
D370 01 nop
D371 01 nop
D372 1F 0A 02 F8 brclr 10, X, #%00000010, @1
D376 18 8C 09 23 cmpY #$0923
D37A 22 04 bhi @2
D37C 18 38 popY
D37E 38 popX
D37F 39 ret
;
D380 14 13 08 @2 bset L0013, #%00001000
D383 BD D0 D3 call LD0D3
D386 15 13 02 bclr L0013, #%00000010
D389 BD D0 D3 call LD0D3
D38C 0F @3 di
D38D 14 13 01 bset L0013, #%00000001
D390 BD D0 D3 call LD0D3
D393 18 CE FF FF ldY #$FFFF
D397 18 09 @4 decY
D399 26 FC bne @4
D39B 15 13 01 bclr L0013, #%00000001
D39E BD D0 D3 call LD0D3
D3A1 18 CE FF FF ldY #$FFFF
D3A5 18 09 @5 decY
D3A7 26 FC bne @5
D3A9 20 E1 jr @3Here its the instruction at address $D37A that needs to be changed. I will look at this when I get more time. It seems though that if execution jumps to @2 you will enter a infinite loop. So I assume that should be avoided.
/// Carl
Hi, iampivot
The subroutine in the 400ix is called below and then the result is checked
The subroutine in the SACD is called at initialization of the MCU. See the code below
Reagrds /// Carl-Fredrik
The subroutine in the 400ix is called below and then the result is checked
Code:
D3B5 BD D4 D4 call LD4D4
D3B8 4D tstA
D3B9 27 09 beq LD3C4
D3BB 18 CE D2 FE ldY #$D2FE
D3BF BD E7 AC call LE7ACThe subroutine in the SACD is called at initialization of the MCU. See the code below
Code:
D000 8E 01 FF @0 ldS #$01FF
D003 BD D5 8C call LD58C
D006 CE 10 00 ldX #$1000
D009 1D 00 08 bclr 0, X, #%00001000
D00C 1C 26 08 bset 38, X, #%00001000
D00F 14 13 08 bset L0013, #%00001000
D012 BD D0 D3 call LD0D3
D015 BD D3 54 call LD354Reagrds /// Carl-Fredrik
Hello audio_cf ,
Could you patch both of 2 files and convert it back to s19. And please send 2 files to my email: khoipham2007@gmail.com and
I will ask my friend to write 2 files to 68HC711 for me.
Thanks a lot!
Could you patch both of 2 files and convert it back to s19. And please send 2 files to my email: khoipham2007@gmail.com and
I will ask my friend to write 2 files to 68HC711 for me.
Thanks a lot!
I dont know if your planning on patching the existing MCU or use a new blank one? If youre using a new one you will have a backup but you need to dump the configuration registers from old one.
I am not uptodate with HC11, has been a while since I patched my fpb-200 so it will take some time before I can send you a patched file.
regards /// Carl-Fredrik
I am not uptodate with HC11, has been a while since I patched my fpb-200 so it will take some time before I can send you a patched file.
regards /// Carl-Fredrik
amp patch
The easiest way to patch the amp would be like iampivot did. in this case change the h'fe at address D3C3 to h'00.
D3C2 20 FE LD3C2: jr LD3C2
I dont have the time to make a s19 file for this. Maybe iampivot can provide the one he used and you just change the address and checksum.
BR /// Carl
The easiest way to patch the amp would be like iampivot did. in this case change the h'fe at address D3C3 to h'00.
D3C2 20 FE LD3C2: jr LD3C2
I dont have the time to make a s19 file for this. Maybe iampivot can provide the one he used and you just change the address and checksum.
BR /// Carl
SACD Patch
The SACD is a bit more tricky, I think I have an idea though
Am I correct to assume that if I change the h'F8 at address h'D36D to h'08 that jump would go to address h'D376?
This way only half cycle would be meassured and when comparing index Y with constant it should always be lower and the function will return.
/// Carl
The SACD is a bit more tricky, I think I have an idea though
Code:
D36A 1E 0A 02 F8 brset 10, X, #%00000010, @0
D36E 18 08 @1 incY
D370 01 nop
D371 01 nop
D372 1F 0A 02 F8 brclr 10, X, #%00000010, @1
D376 18 8C 09 23 cmpY #$0923
D37A 22 04 bhi @2
D37C 18 38 popY
D37E 38 popX
D37F 39 retAm I correct to assume that if I change the h'F8 at address h'D36D to h'08 that jump would go to address h'D376?
This way only half cycle would be meassured and when comparing index Y with constant it should always be lower and the function will return.
/// Carl
Both SACD and amp only work in 60Hz (US Frequency). But in Vietnam (my country) or Europe, the frequency is only 50Hz. So when I plug the power in, both of them don't work.
So I have several ideas to patch (but I don't know how to do):
1. Patch like iampivot: pass the infinite loop.
2. Change the constant value, from 60Hz to 50Hz. But my friend said that he can't find this constant.
Mr iampivot and mr audio_cf, please help me to patch these files.
I see that the result is coming.
I'm waiting for your infos everyday!
Many Thanks !
So I have several ideas to patch (but I don't know how to do):
1. Patch like iampivot: pass the infinite loop.
2. Change the constant value, from 60Hz to 50Hz. But my friend said that he can't find this constant.
Mr iampivot and mr audio_cf, please help me to patch these files.
I see that the result is coming.
I'm waiting for your infos everyday!
Many Thanks !
Re: SACD Patch
You might be correct. The constant could also be changed I guess. But is it correct to assume that returning there is what we want? It looks like initialisation might continue at @2. Can you check if there is an infinite loop happening somewhere in the code if the function actually returns at D37F.
Take a look at that BHI instruction, maybe we just need to make it unconditional.
My 68hc11 assembler is a bit rusty though, so I wont make any bold claims yet on the feasibility, but looking a bit on the opcode map (see http://home.earthlink.net/~tdickens/68hc11/68hc11_opcode_map.html) it looks like the BHI opcode can be changed into a BRA (branch always). The second argument to BHI is the number of bytes to jump, and I guess the BRA takes the same argument.
Handy reference here; http://www.freescale.com/files/microcontrollers/doc/ref_manual/M68HC11ERG.pdf
If my assumption is correct, we'd only need to change location D37A from h'22 to h'20.
audio_cf said:
You might be correct. The constant could also be changed I guess. But is it correct to assume that returning there is what we want? It looks like initialisation might continue at @2. Can you check if there is an infinite loop happening somewhere in the code if the function actually returns at D37F.
Take a look at that BHI instruction, maybe we just need to make it unconditional.
My 68hc11 assembler is a bit rusty though, so I wont make any bold claims yet on the feasibility, but looking a bit on the opcode map (see http://home.earthlink.net/~tdickens/68hc11/68hc11_opcode_map.html) it looks like the BHI opcode can be changed into a BRA (branch always). The second argument to BHI is the number of bytes to jump, and I guess the BRA takes the same argument.
Handy reference here; http://www.freescale.com/files/microcontrollers/doc/ref_manual/M68HC11ERG.pdf
If my assumption is correct, we'd only need to change location D37A from h'22 to h'20.
Welll we dont want to jump to @2 thats the start of infinite loop. We just want to restore index y and index and return from the function call.
We could change the h'22 to h'20 but in that case we would also have to change the following h'04 to h'00. That way it would become a nop.
The constant can't be changed to a bigger value. Can only change 1's to 0's. To solve our bug by changing the constant we would have to increase it in size.
/// Carl-Fredrik
We could change the h'22 to h'20 but in that case we would also have to change the following h'04 to h'00. That way it would become a nop.
The constant can't be changed to a bigger value. Can only change 1's to 0's. To solve our bug by changing the constant we would have to increase it in size.
/// Carl-Fredrik
- Status
- This old topic is closed. If you want to reopen this topic, contact a moderator using the "Report Post" button.