Post by Tom Maneiro on Sept 1, 2004 10:07:53 GMT -5
How do I add my own "debugger/error report tool" to my own BasiEgaXorz/custom ROM? I know that the first bits of the ROM are "interrupts for errors/exceptions" or something like that.
After my brief research, I can enumerate the following types of exception handlers:
1) Game simply freezes: Most Genesis games lack error reporting routines. For example, Rainbow Islands. Move the cart/play with the Gens debugger to cause an exception and the game simply freezes.
2) Freeze with an error message: Some games like Sonic do that: the screen corrupts a little, and it outputs an error message and a location, then freezes.
3) Output an error message allowing the user to take an action: BasiEgaXorz compiled games do that: put the error, then ask the user to press a key to reset/continue.
4) Display a register dump screen (AKA "cheap Dr. Watson clone"): Some games, like Robocop Vs Terminator, Zero Tolerance and some others output a "debugger screen", dumping the 68K registers and such things. It sometimes even displays a phone/fax for reporting those errors, like NBA Jam! Do you remember "D.P's 68000 Crash Analysis 16/1/91"? If not, play with Robocop Vs Terminator.
5) Autoreset the game (a la WinXP): Few games do that (I cannot remember now which games they are), it simply resets. Maybe a hard reset....
6) Jump to a custom routine (for example, a hidden feature): I've noticed that only in Sonic 3D Blast. When an exception occurs, S3D jumps to... the secret level select screen!
So... how can I make my own "crash analyzer"?
oompa loompa
I AM THE GOVERNATOR
"Git 'Er Dun!"
Posts: 1,301
Post by oompa loompa on Sept 6, 2004 1:31:15 GMT -5
it's hard to do something like this in basiegaxorz because:
1) you need to know the address of the subroutine you want to jump to. after the rom is compiled, this is very hard to find
2) you need to insert this address into the exception table each time you compile
3) your exception subroutine is very limited. if you wanna continue execution, you're going to have to do some assembly to save the registers to their state before the exception occurred to make it look like an exception didn't happen
something like custom exceptions will not happen in basiegaxorz. it is easier to do "goto myexception" instead of doing the above steps. and also, exceptions hardly ever occur in basiegaxorz, the most you'll get are divide by 0, sprite limit exceptions, or address errors.
Post by Tom Maneiro on Sept 6, 2004 16:07:19 GMT -5
1) Maybe an independent proggy.... like those tacked-on intros. Well, I may need to find a way to strip the init routines. Or put a label, then put a TrapCPU, go to the Gens debugger, then take note of the address, then patch the ROM. Sounds hard
2) With a hex editor, piece of cake
3) OK, assembly is not my favorite... but I may need to learn how to use "move".
EDIT: OK, I started with my wacky experiments. I now have a register dumper (still without PC and flags dumped.... 'cause regmove does not support dumping those registers). But now I have some questions:
a) What are the bytes in the ROM that define exception handler entrypoints?
2) How do you handle exceptions (like, how to get the type of an exception)?
Post by oompa loompa on Sept 8, 2004 23:09:34 GMT -5
right after an exception occurs, you can get the PC and flag status from the stack, and by doing some assembly coding.
i think you can do this:
    asm "move.w (a7),(__INT_yourvarname)" ' For the flags
    asm "move.l 2(a7),(__LONG_yourvarname)" ' For the PC
dunno if it works, haven't tested it
and here's the exception table i took from my 32x guide:

    Running 68k Address   Cartridge Address   Description
    $880200               $200                Reset Code
    $880206               $206                Bus Error
    $88020C               $20C                Address Error
    $880212               $212                Illegal Instruction
    $880218               $218                Divide by 0
    $88021E               $21E                CHK Instruction
    $880224               $224                TRAPV Instruction
    $88022A               $22A                Privilege Violation
    $880230               $230                Trace
    $880236               $236                Line 1010 Emulator
    $88023C               $23C                Line 1111 Emulator
    $880242               $242                RESERVED (Can actually be anything)
    $880248               $248                RESERVED (Can actually be anything)
    $88024E               $24E                RESERVED (Can actually be anything)
    $880254               $254                RESERVED (Can actually be anything)
    $88025A               $25A                RESERVED (Can actually be anything)
    $880260               $260                RESERVED (Can actually be anything)
    $880266               $266                RESERVED (Can actually be anything)
    $88026C               $26C                RESERVED (Can actually be anything)
    $880272               $272                RESERVED (Can actually be anything)
    $880278               $278                RESERVED (Can actually be anything)
    $88027E               $27E                RESERVED (Can actually be anything)
    $880284               $284                RESERVED (Can actually be anything)
    $88028A               $28A                Spurious Interrupt
    $880290               $290                Level 1 Interrupt
    $880296               $296                Level 2 Interrupt (TH)
    $88029C               $29C                Level 3 Interrupt
    $8802A2               $2A2                Level 4 Interrupt (H-Blank)
    $8802A8               $2A8                Level 5 Interrupt
    $8802AE               $2AE                Level 6 Interrupt (V-Blank)
    $8802B4               $2B4                Level 7 Interrupt
    $8802BA               $2BA                Trap #0 Instruction
    $8802C0               $2C0                Trap #1 Instruction
    $8802C6               $2C6                Trap #2 Instruction
    $8802CC               $2CC                Trap #3 Instruction
    $8802D2               $2D2                Trap #4 Instruction
    $8802D8               $2D8                Trap #5 Instruction
    $8802DE               $2DE                Trap #6 Instruction
    $8802E4               $2E4                Trap #7 Instruction
    $8802EA               $2EA                Trap #8 Instruction
    $8802F0               $2F0                Trap #9 Instruction
    $8802F6               $2F6                Trap #10 Instruction
    $8802FC               $2FC                Trap #11 Instruction
    $880302               $302                Trap #12 Instruction
    $880308               $308                Trap #13 Instruction
    $88030E               $30E                Trap #14 Instruction
    $880314               $314                Trap #15 Instruction

the table starts at $004 in the cartridge. disregard the addresses in front of the descriptions, but the order of the table there is the order in which they go in the rom, but starting at $004 (wish i could make a better table)
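What the `move.w (a7)` / `move.l 2(a7)` reads suggested above return depends on which exception fired; the following is an added Python example, not code from the thread or from BasiEgaXorz. A 68000 pushes a 6-byte frame (SR, then PC) for most exceptions, but a 14-byte frame for bus and address errors, with SR at offset 8 and PC at offset 10; the stack bytes are constructed samples and the function names are hypothetical.

```python
import struct

GROUP0 = {2: "bus error", 3: "address error"}  # 68000 vector numbers

def ccr_flags(sr):
    """Condition codes held in the low five bits of SR."""
    return "".join(c if sr & (1 << b) else "-"
                   for c, b in zip("XNZVC", (4, 3, 2, 1, 0)))

def decode_frame(vector, stack):
    """Decode the bytes A7 points at on handler entry, before anything is pushed."""
    if vector in GROUP0:
        if len(stack) < 14:
            raise ValueError("bus/address error frame is 14 bytes")
        status, access, opcode, sr, pc = struct.unpack(">HIHHI", stack[:14])
        frame = {"size": 14, "access_address": access, "opcode": opcode,
                 "read_cycle": bool(status & 0x10), "function_code": status & 7}
    else:
        if len(stack) < 6:
            raise ValueError("exception frame is 6 bytes")
        sr, pc = struct.unpack(">HI", stack[:6])
        frame = {"size": 6}
    frame.update(sr=sr, pc=pc, flags=ccr_flags(sr),
                 supervisor=bool(sr & 0x2000), int_mask=(sr >> 8) & 7)
    return frame

def naive_read(stack):
    """The fixed offsets 0(a7) and 2(a7), applied regardless of exception type."""
    return struct.unpack(">HI", stack[:6])

# Constructed sample: divide by zero, SR=$2004 (supervisor, Z set), PC=$000412
DIV_ZERO = bytes.fromhex("2004" "00000412")
# Constructed sample: address error on a word read from odd address $FF0001.
# Fields: status word, access address, opcode, SR=$2700, PC=$00041A
ADDR_ERR = bytes.fromhex("0015" "00FF0001" "3010" "2700" "0000041A")

if __name__ == "__main__":
    print(decode_frame(5, DIV_ZERO))
    print(decode_frame(3, ADDR_ERR))
    # On the 14-byte frame the fixed offsets return the status word and
    # the faulting access address instead of SR and PC.
    print("fixed offsets on address error: SR=%04X PC=%06X" % naive_read(ADDR_ERR))
```

Any push between handler entry and these reads moves A7, so the offsets only hold if the frame is read first.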
Post by Tom Maneiro on Sept 9, 2004 14:13:02 GMT -5
Let me see if I understand the table. So, $200 is $004 in ROM, and $206 is $00A? This explains that lot of crap in a BIN header... I have dumped this from a random ROM:

    Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
    00000000  00 FF F7 70 00 00 02 00 00 00 03 26 00 00 03 26  ...p.......&...&
    00000010  00 00 03 26 00 00 03 26 00 00 03 26 00 00 03 26  ...&...&...&...&
    00000020  00 00 03 26 00 00 03 26 00 00 03 26 00 00 03 26  ...&...&...&...&
    00000030  00 00 03 26 00 00 03 26 00 00 03 26 00 00 03 26  ...&...&...&...&
    00000040  00 00 03 26 00 00 03 26 00 00 03 26 00 00 03 26  ...&...&...&...&
    00000050  00 00 03 26 00 00 03 26 00 00 03 26 00 00 03 26  ...&...&...&...&
    00000060  00 00 03 26 00 00 03 26 00 00 03 30 00 00 03 26  ...&...&...0...&
    00000070  00 00 03 34 00 00 03 26 00 00 03 38 00 00 03 26  ...4...&...8...&
    00000080  00 00 03 2E 00 00 03 2E 00 00 03 2E 00 00 03 2E  ................
    00000090  00 00 03 2E 00 00 03 2E 00 00 03 2E 00 00 03 2E  ................
    000000A0  00 00 03 2E 00 00 03 2E 00 00 03 2E 00 00 03 2E  ................
    000000B0  00 00 03 2E 00 00 03 2E 00 00 03 2E 00 00 03 2E  ................
    000000C0  00 00 03 26 00 00 03 26 00 00 03 26 00 00 03 26  ...&...&...&...&
    000000D0  00 00 03 26 00 00 03 26 00 00 03 26 00 00 03 26  ...&...&...&...&
    000000E0  00 00 03 26 00 00 03 26 00 00 03 26 00 00 03 26  ...&...&...&...&
    000000F0  00 00 03 26 00 00 03 26 00 00 03 26 00 00 03 26  ...&...&...&...&
    00000100  53 45 47 41 20 4D 45 47 41 20 44 52 49 56 45 20  SEGA MEGA DRIVE
    00000110  28 43 29 53 45 47 41 20 31 39 39 38 2E 4A 55 4E  (C)SEGA 1998.JUN
    00000120  44 55 4B 45 20 4E 55 4B 45 4D 20 33 44 20 20 20  DUKE NUKEM 3D
    00000130  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    00000140  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    00000150  44 55 4B 45 20 4E 55 4B 45 4D 20 33 44 20 20 20  DUKE NUKEM 3D
    00000160  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    00000170  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    00000180  47 4D 20 54 2D 32 37 34 30 32 36 2D 30 31 BB EE  GM T-274026-01..
    00000190  4A 36 20 20 20 20 20 20 20 20 20 20 20 20 20 20  J6
    000001A0  00 00 00 00 00 3F FF FF 00 FF 00 00 00 FF FF FF  .....?..........
    000001B0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    000001C0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    000001D0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    000001E0  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    000001F0  46 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20  F

And... for example the reset code there is 0x00000200, and the bus error handler is 0x0326. Is that right?
EDIT: Your flags and PC dumper instructions work... partially: PC is not dumped, and Flags... well, I'm not sure. This is my "debugger":

    dim epc as long
    dim efl as integer
    regdump:
    locate 0,0
    ink 1
    print "68000 CRASH ANALYZER 0.00001"
    print ""
    regmove.l D0,dmp_0
    regmove.l D1,dmp_1
    regmove.l D2,dmp_2
    regmove.l D3,dmp_3
    regmove.l D4,dmp_4
    regmove.l D5,dmp_5
    regmove.l D6,dmp_6
    regmove.l D7,dmp_7
    regmove.l A0,amp_0
    regmove.l A1,amp_1
    regmove.l A2,amp_2
    regmove.l A3,amp_3
    regmove.l A4,amp_4
    regmove.l A5,amp_5
    regmove.l A6,amp_6
    regmove.l A7,amp_7
    asm "move.w (a7),(__INTEGER_efl)" ' For the flags
    asm "move.l 2(a7),(__LONG_epc)" ' For the PC
    print "D0=";hex$(dmp_0),"A0=";hex$(amp_0)
    print "D1=";hex$(dmp_1),"A1=";hex$(amp_1)
    print "D2=";hex$(dmp_2),"A2=";hex$(amp_2)
    print "D3=";hex$(dmp_3),"A3=";hex$(amp_3)
    print "D4=";hex$(dmp_4),"A4=";hex$(amp_4)
    print "D5=";hex$(dmp_5),"A5=";hex$(amp_5)
    print "D6=";hex$(dmp_6),"A6=";hex$(amp_6)
    print "D7=";hex$(dmp_7),"A7=";hex$(amp_7)
    print ""
    print "PC=";epc
    print "Flags=";bin$(efl)
    time=time+1
    print "Time:",time
    sleep 60
    goto regdump

I got this:
Post by GiGaBiTe on Dec 24, 2004 21:08:04 GMT -5
i have a special version of gens (sega emulator) that allows you to read the registers and data that the genesis is currently processing while in-game. debugger works with these processors:
68000
68000 (sega cd)
z80
vdp (tiles)
vdp (registers)
vdp (sprites)
YM2612
PSG
in the future it will debug the 32x sh2s, the 32x vdp, the pwm, and the sega cd sound hardware. you can get the mod here (a compiled gens exe): www.consoledev.fr.st/
Post by Tom Maneiro on Dec 25, 2004 17:24:58 GMT -5
Yes, but i want a CRASH ANALYZER into my ROM, not into emulators!!
PS: are u Kaneda?
Post by oompa loompa on Dec 26, 2004 14:49:25 GMT -5
correct =P

    Vector   Address   Exception
    0        000000    RESET-Initial SSP
    1        000004    RESET-Initial PC
    2        000008    Bus error
    3        00000C    Address error
    4        000010    Illegal instruction
    5        000014    Division by zero
    6        000018    CHK instruction
    7        00001C    TRAPV instruction
    8        000020    Privilege violation
    9        000024    Trace
    10       000028    Unimplemented instruction
    11       00002C    Unimplemented instruction
    12       000030
    13       000034    Reserved by Motorola
    14       000038
    15       00003C    Uninitialised interrupt vector
    16       000040    Reserved by Motorola
    ..       ......    "        "  "
    23       00005C    "        "  "
    24       000060    Spurious interrupt
    25       000064    Level 1 interrupt autovector
    26       000068    "     2 "         "
    27       00006C    "     3 "         "
    28       000070    "     4 "         "
    29       000074    "     5 "         "
    30       000078    "     6 "         "
    31       00007C    "     7 "         "
    32       000080    TRAP #0 instruction
    33       000084    "    #1 "
    ..       ......    "       "
    47       0000BC    TRAP #15 "
    48       0000C0    Reserved by Motorola
    ..       ......    "        "  "
    63       0000FC    "        "  "
    64       000100    User interrupt vectors
    ..       ......    "    "         "
    255      0003FF    "    "         "

you need to save the registers immediately when an exception occurs. if you do cls then print immediately after, you risk the registers being destroyed already, since it takes registers to use these instructions.
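The vector layout in the table above (vector n is the long word at ROM offset 4*n), applied to the first 256 bytes of the ROM dump posted earlier in the thread, as an added Python example that is not code from the thread or from BasiEgaXorz. It groups exceptions by the handler they share and performs the hex-editor patch step with range and alignment checks; the function names are hypothetical, and the $200 lower bound assumes code starts after the Genesis header.

```python
import struct
from collections import defaultdict

def vec(addr, count=1):
    """One or more copies of a 32-bit big-endian vector."""
    return struct.pack(">I", addr) * count

# Bytes $000-$0FF of the dump posted in the thread, written with repetition.
HEADER = (vec(0x00FFF770) + vec(0x200) + vec(0x326, 24)
          + vec(0x330) + vec(0x326) + vec(0x334) + vec(0x326)
          + vec(0x338) + vec(0x326) + vec(0x32E, 16) + vec(0x326, 16))

NAMES = {0: "Initial SSP", 1: "Initial PC", 2: "Bus error", 3: "Address error",
         4: "Illegal instruction", 5: "Division by zero", 6: "CHK", 7: "TRAPV",
         8: "Privilege violation", 9: "Trace", 10: "Line 1010", 11: "Line 1111",
         15: "Uninitialised interrupt", 24: "Spurious interrupt"}

def vector_name(n):
    if n in NAMES:
        return NAMES[n]
    if 25 <= n <= 31:
        return "Level %d interrupt" % (n - 24)
    return "TRAP #%d" % (n - 32) if 32 <= n <= 47 else "Reserved"

def parse_vectors(rom):
    """Vectors 0-63 as integers, read from the first 256 bytes."""
    if len(rom) < 0x100:
        raise ValueError("need the first 256 bytes of the ROM")
    return list(struct.unpack(">64I", rom[:0x100]))

def shared_handlers(vectors):
    """Group exception vectors (2 and up) by the handler they point to."""
    groups = defaultdict(list)
    for n in range(2, len(vectors)):
        groups[vectors[n]].append(n)
    return dict(groups)

def patch_vector(rom, n, handler):
    """Return a copy of rom with vector n pointing at handler."""
    if not 2 <= n <= 63:
        raise ValueError("vector number out of range")
    # An odd handler address would itself raise an address error on entry.
    if handler & 1 or not 0x200 <= handler < len(rom):
        raise ValueError("handler must be an even address inside the ROM")
    return rom[:4 * n] + vec(handler) + rom[4 * n + 4:]

if __name__ == "__main__":
    for addr, nums in sorted(shared_handlers(parse_vectors(HEADER)).items()):
        print("$%06X: %s" % (addr, ", ".join(vector_name(n) for n in nums)))
```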