Nikon Emulator

All things embedded.
*NO FEATURE REQUESTS*

Re: Nikon Emulator [was: Fujitsu Fr Emulator]

Post by 4cc3ss » Sun Nov 24, 2013 1:34 am

I guess you have to look for solutions when running a 286DX, every bit of processing power counts.
Good job coderat. :clap:

Best regards,
4cc3ss
4cc3ss
 
Posts: 855
Joined: Fri Mar 23, 2012 11:38 am
Location: Uk
Been thanked: 216 times

Re: Nikon Emulator [was: Fujitsu Fr Emulator]

Post by coderat » Thu Dec 05, 2013 8:18 pm

Since Vicne has no time at the moment, I will follow in his footsteps and make a release of emulator 2.50 https://nikon-firmware-tools.googlecode.com/files/NikonEmulator-2.50.zip. Still a lot of things in work, so it is not the Christmas version yet ;)

New:
  • TX19A disassembler option -wmemory and GUI checkbox "memory" for activation. Evaluates constants in memory (load/save opcodes) and indirect addressing. Prints advanced comments for easy code reading.
  • TX19A disassembler now recognizes jump tables automatically.
  • New DFR/DTX file with new names and jump/call tables.
  • Disassembler never loads files "dtx.txt" and "dfr.txt" by default.
  • Optimized work with breaktriggers based on PC (execution address) results in more performance in Debug mode (at least 2x).
  • Lens emulation prototype allowing testing plugin/standby situations and general communication: menu "TX19 serial devices" -> "F-mount". No other lens commands implemented yet.
  • Implemented edge interrupts latching for CG-routed interrupts on TX19A.

Bugfixes:
  • Disassembler option -i now processes non-continuous and not 64K aligned memory offsets without crash.
  • Disassembler does not try to load default options file if one is specified with -x option.
  • Standalone disassembler crash with -m? option.
  • Standalone disassembler sometimes did not display errors with incorrect options file content.
  • Disassembler was silently ignoring -o option if name part of output filename was different from name of input binary.
  • Standalone disassembler was not able to disassemble TX19A code.
  • Correctly defined FR ports B, C, D as outputs. They were neither inputs nor outputs.
  • Incorrect interrupt prioritisation for same interrupt level on TX19A.
  • Emulator stall in case of low serial port baudrate set.
  • Free timer of Viewfinder if window closed.
  • "Jump here" menu action was not setting target ISA mode for TX CPU and led to emulator exception.
  • Cursor in Source Code window was not positioned on "Explore address" or exploring from Task Table actions.

The new TX19A disassembler option makes the output text much easier to read and understand. For example, look at this snippet from the old disassembler:
Code:
  BFC18080 64C1     save    r31, 0x08
  BFC18082 F7FF4AFF lui     r2, 0xFFFF
  BFC18086 F4CA9A54 lw      r2, 0x54D4(r2)
  BFC1808A F0002202 beqz    r2, loc_bfc18092_              ; (skip)
  BFC1808E EA40     jalr    r2
  BFC18090 6500     nop


Using -wmemory produces the following output:
Code:
  BFC18080 64C1     save    r31, 0x08
  BFC18082 F7FF4AFF lui     r2, 0xFFFF
  BFC18086 F4CA9A54 lw      r2, 0x54D4(r2)          ; (FFFF54D4)
  BFC1808A F0002202 beqz    r2, loc_bfc18092_              ; (skip)
  BFC1808E EA40     jalr    r2
  BFC18090 6500     nop


Now it clearly references the handler function at address FFFF54D4. Now search for "FFFF54D4" in the new .asm file and you get:
Code:
  ...
  BFC1A67E F4CADB54 sw      r2, 0x54D4(r3) ; (FFFF54D4)=BFC1AB8D
  ...
  BFC1A95C F4CADB54 sw      r2, 0x54D4(r3) ; (FFFF54D4)=BFC1AAE1
  ...
  BFC1CF8A F4CADF74 sw      r3, 0x54D4(r7) ; (FFFF54D4)=BFC1D0DD
  ...
  BFC1D084 F4CADF74 sw      r3, 0x54D4(r7) ; (FFFF54D4)=BFC1D0DD


So you got all possible functions that can be set as interrupt handler. Pretty easy huh ? ;)

Another example with old disassembler:
Code:
  BFC03202 9AE0     lw      r7, 0x00(r2)
  BFC03204 9A01     lw      r16, 0x04(r2)
  BFC03206 9A42     lw      r2, 0x08(r2)
  BFC03208 A037     lbu     r17, 0x17(r16)


:think:
But with -wmemory:
Code:
  BFC03202 9AE0     lw      r7, 0x00(r2) ; (BFC046C8):FFFFF3E4
  BFC03204 9A01     lw      r16, 0x04(r2) ; (BFC046CC):BFC04648
  BFC03206 9A42     lw      r2, 0x08(r2) ; (BFC046D0):FFFFFFE8
  BFC03208 A037     lbu     r17, 0x17(r16)       ; (BFC0465F):01


Everything clear :cool:

Of course, producing extended output increases the size of the .asm file. So if you disassemble only for work in the emulator and do not "write to disk" then you may omit this option to reduce memory usage (on my system it was not necessary).

Best regards,
coderat
coderat
Core Developer
 
Posts: 2283
Joined: Fri Apr 26, 2013 10:21 am
Been thanked: 450 times
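
Added example, not part of coderat's post and not the emulator's own code: a small Python sketch of the two steps the post walks through, resolving a `lui` + `lw` pair to an absolute address and then collecting every annotated store to that address. The function names `resolve` and `writers` are hypothetical, the offset is taken as printed, and only straight-line code is handled.

```python
import re
from collections import defaultdict

# Layout of the listings above: address, opcode bytes, mnemonic, operands, "; comment".
LINE = re.compile(r"^\s*([0-9A-F]{8})\s+[0-9A-F]+\s+(\w+)\s*([^;]*?)\s*(?:;\s*(.*))?$")
MEM = re.compile(r"(r\d+),\s*(0x[0-9A-Fa-f]+)\((r\d+)\)$")  # offset taken as printed (assumption)
LOADS, STORES = {"lw", "lh", "lhu", "lb", "lbu"}, {"sw", "sh", "sb"}

# Lines copied from the post (old disassembler output, then the annotated stores).
OLD = """\
BFC18082 F7FF4AFF lui     r2, 0xFFFF
BFC18086 F4CA9A54 lw      r2, 0x54D4(r2)
BFC1808A F0002202 beqz    r2, loc_bfc18092_              ; (skip)
"""
ANNOTATED = """\
BFC1A67E F4CADB54 sw      r2, 0x54D4(r3) ; (FFFF54D4)=BFC1AB8D
BFC1A95C F4CADB54 sw      r2, 0x54D4(r3) ; (FFFF54D4)=BFC1AAE1
BFC1CF8A F4CADF74 sw      r3, 0x54D4(r7) ; (FFFF54D4)=BFC1D0DD
BFC1D084 F4CADF74 sw      r3, 0x54D4(r7) ; (FFFF54D4)=BFC1D0DD
"""

def resolve(listing):
    """Return [(pc, effective address)] for operands whose base register holds a known constant."""
    regs, out = {}, []
    for m in filter(None, map(LINE.match, listing.splitlines())):
        pc, op, args = m.group(1, 2, 3)
        mem = MEM.match(args)
        if op == "lui":                      # lui rX, imm  ->  rX = imm << 16
            reg, imm = (a.strip() for a in args.split(","))
            regs[reg] = (int(imm, 16) << 16) & 0xFFFFFFFF
        elif mem and op in LOADS | STORES:
            reg, off, base = mem.groups()
            if base in regs:
                out.append((pc, "%08X" % ((regs[base] + int(off, 16)) & 0xFFFFFFFF)))
            if op in LOADS:
                regs.pop(reg, None)          # destination now holds unknown memory content
    return out                               # straight-line only: a real pass resets at labels

def writers(annotated, target):
    """Map each value stored to `target` to the addresses of the stores that write it."""
    found = defaultdict(list)
    for m in filter(None, map(LINE.match, annotated.splitlines())):
        note = re.match(r"\(([0-9A-F]{8})\)=([0-9A-F]{8})", m.group(4) or "")
        if m.group(2) in STORES and note and note.group(1) == target:
            found[note.group(2)].append(m.group(1))
    return dict(found)

if __name__ == "__main__":
    print(resolve(OLD), writers(ANNOTATED, "FFFF54D4"))
```

The keys returned by `writers` are the candidate handler addresses, each with the store instructions that install it.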

Re: Nikon Emulator [was: Fujitsu Fr Emulator]

Post by 4cc3ss » Fri Dec 06, 2013 10:20 am

Good job coderat. :clap:

Best regards,
4cc3ss

Re: Nikon Emulator [was: Fujitsu Fr Emulator]

Post by Vicne » Fri Dec 06, 2013 2:09 pm

coderat wrote: Since Vicne has no time at the moment, I will follow in his footsteps and make a release of emulator 2.50 https://nikon-firmware-tools.googlecode.com/files/NikonEmulator-2.50.zip. Still a lot of things in work, so it is not the Christmas version yet ;)


Wow, I admit I missed your message giving me the go for 2.50. Thanks for building and deploying the release.

And your disassembly changes are awesome, really. Excellent !

Best regards,

Vicne
Vicne
Core Developer
 
Posts: 1730
Joined: Tue Nov 29, 2011 2:30 pm
Been thanked: 167 times

Re: Nikon Emulator [was: Fujitsu Fr Emulator]

Post by coderat » Fri Dec 06, 2013 2:19 pm

Thanks for the good words.
Vicne wrote: Wow, I admit I missed your message giving me the go for 2.50.

In fact I did (really ;) ) a long time ago, but somehow it got lost. So I thought 4 weeks is long enough.
Vicne wrote: Thanks for building and deploying the release.

BTW one of the changes was: if one executes "build.bat release" then it creates a release bundle automatically, similar to yours. So any dev can do a release in future.

Best regards,
coderat

Re: Nikon Emulator [was: Fujitsu Fr Emulator]

Post by leegong » Mon Dec 09, 2013 5:44 am

@coderat,
Good work!
I usually search for a specific RTOS sys call with UltraEdit, and just found a bug in the disassembler: input parameters for RTOS sys_call seem wrong somewhere in the ASM. The following code is copied from the ASM file.
BFC15C5C li $a1, 0x8000
BFC15C60 jal $v0=sys_wai_flg_00(flag_id=0x1, wai_pattern=0x8000, wait_flag_mode_or_if_set=0x1, p_return_flag_pattern=$a3)
BFC15C64 li $a0, 0x0D
BFC15C66 li $a1, 0x01
BFC15C68 jal $v0=sys_sta_tsk_00(tsk_id=0xd, tsk_param=0x1)
BFC15C6C li $a0, 0x09
leegong
Core Developer
 
Posts: 2141
Joined: Mon Mar 19, 2012 12:21 am
Location: Hangzhou , China
Been thanked: 551 times

Re: Nikon Emulator [was: Fujitsu Fr Emulator]

Post by coderat » Mon Dec 09, 2013 6:13 am

leegong wrote: I usually search for a specific RTOS sys call with UltraEdit, and just found a bug in the disassembler: input parameters for RTOS sys_call seem wrong somewhere in the ASM. The following code is copied from the ASM file.
Code:
  BFC15C5C                li      $a1, 0x8000
  BFC15C60                jal     $v0=sys_wai_flg_00([u]flag_id=0x1[/u], wai_pattern=0x8000, wait_flag_mode_or_if_set=0x1, p_return_flag_pattern=$a3)
  BFC15C64                 li     $a0, 0x0D
  BFC15C66                li      $a1, 0x01
  BFC15C68                jal     $v0=sys_sta_tsk_00([u]tsk_id=0xd[/u], tsk_param=0x1)
  BFC15C6C                 li     $a0, 0x09

Yes, the problem is that processing of the delay-slot instruction is not done at the moment.
I am testing some kind of fix, at least for jal/jalx instructions. A fix for other instructions is not so important for code understanding. Unfortunately there is code in the disassembler here that I do not understand yet.

Nice on FR side: "INT 0x40" doesn't have delay slot and system calls are easy to find.

Best regards,
coderat
coderat
Core Developer
 
Posts: 2283
Joined: Fri Apr 26, 2013 10:21 am
Been thanked: 450 times
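
Added example, not part of the thread and not the disassembler's fix: a Python sketch of delay-slot-aware argument recovery on the listing leegong posted. It applies the instruction after each `jal`/`jalx` before recording the argument registers, which gives flag_id=0xD and tsk_id=0x9 instead of the annotated 0x1 and 0xd. The function name `call_args` is hypothetical; only `li` is modelled, and $a0/$a1 are assumed not to survive a call.

```python
import re

INSN = re.compile(r"^\s*([0-9A-F]{8})\s+(\w+)\s+(.*?)\s*$")
LI = re.compile(r"\$(\w+),\s*(0x[0-9A-Fa-f]+)$")
CALLEE = re.compile(r"(?:\$v0=)?(\w+)\(")      # name inside the annotated jal operand

# Listing copied from the post above.
LISTING = """\
BFC15C5C li $a1, 0x8000
BFC15C60 jal $v0=sys_wai_flg_00(flag_id=0x1, wai_pattern=0x8000, wait_flag_mode_or_if_set=0x1, p_return_flag_pattern=$a3)
BFC15C64 li $a0, 0x0D
BFC15C66 li $a1, 0x01
BFC15C68 jal $v0=sys_sta_tsk_00(tsk_id=0xd, tsk_param=0x1)
BFC15C6C li $a0, 0x09
"""

def call_args(listing, arg_regs=("a0", "a1")):
    """Return [(pc, callee, {reg: value or None})] as seen by the callee."""
    insns = [m.groups() for m in map(INSN.match, listing.splitlines()) if m]
    regs, calls, i = {}, [], 0

    def execute(op, operands):
        m = LI.match(operands)
        if op == "li" and m:
            regs[m.group(1)] = int(m.group(2), 16)

    while i < len(insns):
        pc, op, operands = insns[i]
        if op in ("jal", "jalx"):
            if i + 1 < len(insns):             # delay slot runs before the callee does
                execute(*insns[i + 1][1:])
                i += 1
            m = CALLEE.match(operands)
            calls.append((pc, m.group(1) if m else operands,
                          {r: regs.get(r) for r in arg_regs}))
            for r in arg_regs:                 # assumption: argument registers unknown after return
                regs.pop(r, None)
        else:
            execute(op, operands)
        i += 1
    return calls

if __name__ == "__main__":
    for pc, name, args in call_args(LISTING):
        print(pc, name, {r: v if v is None else hex(v) for r, v in args.items()})
```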

Re: Nikon Emulator [was: Fujitsu Fr Emulator]

Post by leegong » Mon Dec 09, 2013 6:45 am

coderat wrote: Yes, the problem is that processing of the delay-slot instruction is not done at the moment.
I am testing some kind of fix, at least for jal/jalx instructions. A fix for other instructions is not so important for code understanding.

Nice on FR side: "INT 0x40" doesn't have delay slot and system calls are easy to find.


It isn't very important; for example I can search for "sys_sta_tsk_00(tsk_id=" instead of "sys_sta_tsk_00(tsk_id=0xd".
I think that one thing is very important: is it possible to search for a specific single bit in the ASM?
As you know, lots of clues for decoding depend on searching for a specific bit, which is very difficult right now.

Best regards,
Leegong

Re: Nikon Emulator [was: Fujitsu Fr Emulator]

Post by coderat » Mon Dec 09, 2013 6:51 am

leegong wrote: It isn't very important; for example I can search for "sys_sta_tsk_00(tsk_id=" instead of "sys_sta_tsk_00(tsk_id=0xd".

But this will bring too many results.
leegong wrote: I think that one thing is very important: is it possible to search for a specific single bit in the ASM?

You can clearly see access to a byte in parentheses, like a search for "(FFFFFFE8)". Can you make a concrete example about a bit?

Best regards,
coderat

Re: Nikon Emulator [was: Fujitsu Fr Emulator]

Post by leegong » Mon Dec 09, 2013 7:37 am

coderat wrote: But this will bring too many results.
You can clearly see access to a byte in parentheses, like a search for "(FFFFFFE8)". Can you make a concrete example about a bit?

Sure.
For example, shutter half press and full press are two bits inside stru_0xFFFF587C, but I have no idea where and how FW A deals with them; there is no direct access to a byte inside stru_0xFFFF587C, always indirect access with base address 0xFFFF587C.
Sometimes I want to find where one specific bit inside a large structure is set, but I always get code which reads it instead of setting it.

Best regards,
Leegong

Code:
  struFFFF587C    struc  # (sizeof=0x28)
  00000000 field_0:        .byte ?                  # to @(FFFF8C4C)
  00000001 shutter_full_pressing:.byte ?            # bit2:0 == field03.bit2:0
  00000001                                          # bit5 = 1 :shutter full pressed
  00000001                                          # bit7 from field03.bit7
  00000002 field_2:        .byte ?
  00000003 shutter_half_pressing:.byte ?            # bit2:0 come from buttons_stru.field00.bit2:0 ?
  00000003                                          # bit3  from FR_set17.field0.bit2
  00000003                                          # bit5  shutter button half press
  00000004 field_4:        .byte ?
  00000005 field_5:        .byte ?
  00000006 field_6:        .byte ?
  00000007 field_7:        .byte ?
  00000008 field_8:        .byte ?
  00000009 field_9:        .byte ?
  0000000A field_A:        .byte ?
  0000000B field_B:        .byte ?                  # bit5 = neg(struFFFF58E4.field_1.bit2) && @(FFFF6E92).bit7
  0000000B                                          # bit6 = 1 - FocusDot on , from struFFFF6FB8.field07.bit5
  0000000C field_C:        .byte ?                  # bit2 = field03.bit4
  0000000D field_D:        .byte ?                  # bit7 = @(FFFF6E92).bit7 && lens_response.field_1.bit2
  0000000D                                          # bit0 = neg(struFFFF6F04.field03.bit1) && (struFFFF587C.field02<>0)
  0000000E field_E:        .byte ?
  0000000F field_F:        .byte ?
  00000010 field_10:       .byte ?                  # bit7 = Record
  00000011 field_11:       .byte ?
  00000012 field_12:       .byte ?
  00000013 field_13:       .byte ?                  # = directions keys from struFFFF58D4.field00
  00000013                                          # bit7:4 = right , down , left , up (maybe)
  00000013                                          # bit3:0 = right , down , left , up (maybe)
  00000014 field_14:       .byte ?
  00000015 field_15:       .byte ?                  # bit0 = shutter full pressed = neg(struFFFF6FDC.field_1C.bit3)?
  00000015                                          # bit4 = 1 :  error occurs
  00000016 field_16:       .byte ?                  # bit0 = 1 : Flash ON
  00000016                                          # bit4 = 1 : Flash ON
  00000017 field_17:       .byte ?                  # bit4 : PG2 status
  00000017                                          # bit0 : PE7 status
  00000018 field_18:       .byte ?                  # bit0 : 1 = PG2 , PE7 active , 0 = not active
  00000018                                          # bit1 = neg(bit0)
  00000019 field_19:       .byte ?                  # bit4 : 1 = FNumber could be changed , PG2 not active ?
  0000001A field_1A:       .byte ?
  0000001B field_1B:       .byte ?
  0000001C field_1C:       .byte ?
  0000001D field_1D:       .byte ?
  0000001E field_1E:       .byte ?
  0000001F field_1F:       .byte ?
  00000020 field_20:       .byte ?                  # bit6 : PG6 status
  00000021 field_21:       .byte ?
  00000022 field_22:       .byte ?
  00000023 Scroll_dial_value:.byte ?                # value from @(FFFF58E0) from @(FFFF6EF4)
  00000023                                          # used to calculate one index for table0xBFC98A08 to get JPG quality and size
  00000024 field_24:       .byte ?
  00000025 field_25:       .byte ?
  00000026 field_26:       .byte ?
  00000027 field_27:       .byte ?
  00000028 struFFFF587C    ends
