I finally found out how to trick the SF3 into letting a program running on the copier have access to all the copier memory and registers. The SF7 "super mode" injected code directly by injecting a brk statement, and then switching the memory mapping to "bios mode" temporarily. Instead the SF3 inserts code at every NMI.
I tried my trick from before of setting the stack to a carefully chosen invalid location and it didn't work. Also I read the NMI vector and nothing happened. So how does it know when to switch to bios mode?
Well it is amazingly specific. It looks to see 4 decreasing accesses to $00:0000-1FFF and then the NMI vector. Normal code running on the processor can't cause this to happen, only an interrupt.
However, a carefully chosen sequence of DMA can do it. Run this code (obviously best done from RAM) and you'll switch to "BIOS" mode.
Code:
    REP #$10        ; assumed setup (not in the original snippet): 16-bit X/Y for the LDY immediates below
    SEP #$20        ; assumed setup (not in the original snippet): 8-bit A for the LDA immediates below

    ; channel 0: four accesses to $00:1F00 downward (the "4 decreasing accesses to $00:0000-1FFF")
    LDY #$3E90
    STY $4300       ; (B) PPU -> (A) CPU, auto decrement, read 1 reg, $213E (ppu status flag)
    LDY #$1F00
    STY $4302       ; (A) offset
    LDY #$0004
    STY $4305       ; number of bytes to transfer
    LDA #$00
    STA $4304       ; bank address = $00

    ; channel 1: runs right after channel 0 and reads the two NMI vector bytes
    LDY #$3E00
    STY $4310       ; (A) CPU -> (B) PPU, auto increment, write 1 reg, $213E (ppu status flag)
    LDY #$FFEA
    STY $4312       ; (A) offset (native mode NMI vector)
    LDY #$0002
    STY $4315       ; number of bytes to transfer
    LDA #$00
    STA $4314       ; bank address = $00

    LDA #$03        ; enable channels 0 and 1
    STA $420B       ; start DMA transfer
I haven't looked around much yet. But here's first impressions:
bank $00:
..$8000-$8FFF appears to be the copier registers for $40 then repeated constantly.
..$9000-$FFFF ROM
bank $01-03: ROM
bank $04: ?? some memory
bank $05: ?? same memory as $04 ??
bank $06: probably copier SRAM
bank $07: probably DRAM
Everything else seems unmapped.
Some registers probably control mapping in of the external cartridge for dumping reasons.
EDIT: Here's an example of the exploit with a memory viewer, so you can play with the copier registers. Let me know what you find out.
http://neviksti.com/SNES/SF2exp3
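As an added illustration (my own model, not code from the post): a Python sketch of the access-pattern watcher the post describes, run over three constructed bus traces, a real NMI entry, an attempt to fake it with ordinary instructions, and the DMA sequence, to show why only an interrupt or DMA can produce the pattern. It assumes every bus cycle, opcode fetches included, is visible to the watcher.

```python
# Model of the "switch to BIOS mode" trigger described in the post: the copier
# watches the bus for four consecutive accesses to $00:0000-$1FFF at decreasing
# addresses, immediately followed by a fetch of the native-mode NMI vector at
# $00:FFEA. All traces below are constructed for illustration; the assumption is
# that every bus cycle, including opcode fetches, is seen by the watcher.

NMI_VECTOR = 0x00FFEA
LOW_RAM_END = 0x001FFF


def trigger_fires(trace):
    """True if `trace` (list of (24-bit address, 'r'/'w')) contains the pattern.

    Small state machine: count consecutive decreasing accesses inside
    $00:0000-$1FFF; once four have been seen, the very next access must be the
    NMI vector fetch. Any other access resets the run.
    """
    run, last = 0, None
    for addr, kind in trace:
        if addr <= LOW_RAM_END:
            run = run + 1 if (last is not None and addr < last) else 1
            last = addr
            continue
        if run >= 4 and addr == NMI_VECTOR and kind == "r":
            return True
        run, last = 0, None
    return False


def nmi_trace(sp=0x01FF):
    """Genuine 65816 NMI entry: push PB, PCH, PCL, P (four decreasing stack
    writes), then fetch the vector. Internal cycles are omitted."""
    pushes = [(sp - i, "w") for i in range(4)]
    return pushes + [(NMI_VECTOR, "r"), (NMI_VECTOR + 1, "r")]


def software_attempt_trace(rom=0x008000, sp=0x01FF):
    """PHA x4 followed by LDA $FFEA from ROM: every opcode/operand fetch lands
    outside low RAM and breaks the run, so the watcher never reaches four."""
    t = []
    for i in range(4):
        t += [(rom + i, "r"), (sp - i, "w")]           # PHA: fetch, then push
    t += [(rom + 4, "r"), (rom + 5, "r"), (rom + 6, "r")]  # LDA abs fetches
    return t + [(NMI_VECTOR, "r")]


def dma_trace():
    """The two DMA channels from the post, as its comments describe them:
    channel 0 writes $213E four times into $00:1F00 downward, channel 1 then
    reads $00:FFEA-FFEB. The CPU is halted, so no opcode fetches intervene."""
    ch0 = [(0x001F00 - i, "w") for i in range(4)]
    return ch0 + [(NMI_VECTOR, "r"), (NMI_VECTOR + 1, "r")]
```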