---

Code readers:
- understand SNES asm
- understand C at a low level (We will be looking at the code in asm, but it was originally written in C and then compiled ... so it looks kinda weird unless you understand C at a low level.)
- goals are to figure out software protocals and hardware features so that we can make this puppy do whatever we want

---

Originally posted by XcomGS

---

Alrighty, this sounds like big news. Do you suppose we could add Broadband play also? I might be a bit confused.

---

Originally posted by XcomGS

---

Are you going to start producing these again? It would be nice to buy one. Maybe modify it a bit to allow modem and broadband play. I will try to find one so I can try it out.

---

We called an 800 number and we picked off caller ID to then
redial into your local X.25 POP. As long as your SRAM was good, we'd
keep using the X.25 dialup (this was cheaper for us than an 800# call
everytime). The protocol is custom of top of ADSP. It has specific
commands followed by data. You can probably find a big dispatch table
somewhere in the ROM for dispatching the commands. The server could
pretty much control everything on the box.

bank $E0.... 64kBytes of SRAM (battery backed)

banks $E1-$FA.... mirror of bank $E0

bank $FB
    0000-BFFF ... mirror of bank $E0
 
    C000-C1FF
        even and odd addresses are equivalent
 
        C0F8 ........unknown register
        C0FA ........unknown register
        C108 ........unknown register (deals with card register, bit0 = card insterted)
        C110 ........unknown register (changing rapidly)
        C112 ........unknown register (changing rapidly)
        C130 ........unknown register (changing rapidly)
        C138 ........unknown register (changing rapidly)
        C140 ........unknown register
        C168 ........unknown register
        C180-C1BF ...modem registers 
        C1C0-C1FF ...modem registers
 
        all addresses in this range not listed return FF
        (if a register is write only, or defaults to FF, I probably
        passed it up in this test)
 
    C200-C3FF - same as C000-C1FF
    C400-C5FF - "
    C600-C7FF - "
    C800-C9FF - "
    FA00-FBFF - "

    FC00-FDFF - this is all FF's
    FE00-FFFF - this is all FF's
 
banks $FC-$FF ... mirror of bank $E0

--------------
 
the lower banks $60-$7D mirror bank $E0
 
everything else appears normal (normal rom mapping)

NOTE: This was done by glancing through the data, using
the onboard memory viewer/hex-editor, but I believe it to be
correct.  However, the $FB:FC00-FFFF section caught me 
off guard.  So maybe there's something else I missed.

The Conexant RC2324DPL is a 2400 bps, low power, full-duplex, OEM, modem data pump in a single VLSI device. The RC2324DPL operates over the public switched telephone network (PSTN), as well as on point to point leased lines.
The RC2324DPL modem meets the requirements specified in ITU V22 bis, V.22 A/B, V.23, and V.21, as well as Bell 21 and Bell 103.

In addition, the SDLC/HDLC support eliminates the cost of an external serial Input/Output (SIO) device in products incorporating error correction protocols. The modem includes two CMOS VLSI functions - a digital signal processor (DSP) and an integrated analogue (IA). The RC2324DPL integrates these functions into a single device. The RC2324DPL is available in a 68-pin plastic leaded chip carrier (PLCC) or a 100-pin plastic Quad flat-pack (PQFP).

------------

http://www.comprel.it/Semiconduttori/conexant/CModem/LSpeed.HTM

ftp://ftp.esprinet.com/Componenti/DataSheet/Conexant/

http://cb-pr-highspeed.de.vu/highspeed/PDF-Dateien/D96V24~2.PDF

Hmm... yes, you probably did use a hack to get it to run on emulator. At the least it won't run in snes9x debug. Shame too, since it would probably be rather easy to hack out those button codes again.

---

Originally posted by spoondiddly

---

Do you remember when/where you needed to use the button codes? That would save an enormous amount of time.

---

Results in [] mean I didn't try to understand the specifics of the code here, 
and just tried out the command in the emulator.

The following are handled special (letters are capitalized before testing):
command starts with
  null - does nothing
  @ - do nothing leave with error
  B - no arguments, set memory viewer address = $E0FD98
  C - no arguments, [print register info and set viewer address to $E07438 ?]
  D - needs two arguments, [? moves viewer, not sure what arguments do yet ]  
  E - takes one argument
    ;  "EXIT" function ...
    ;	type "E?" where ? = any character
    ;	the ? character does not appear to be used, but is necessary
  G - takes one argument
    ;  "GOTO" function ...
    ;	type "G 1124" convert hex number to addr, go there
    ;	type "G #1234" convert decimal number to addr, go there
  H - no arguments, set memory viewer address = $E0FCE8
  M - no arguments, [changes "view mode", like pressing A]
  Q - no arguments, quit
  U - no arguments, code doesn't do much [? don't see much]
  V - no arguments, [? does some kind of check, prints "DB OK / BOXID OK" ]
  W - takes one argument, [? I was guessing this was some kind of write command
          but I have not been able to figure it out yet]

;-------------------------------
64kB mem

$E0001A - 1 byte - $4200 setting

E00040: 
	5CCE02D000 JML $D002CE

$E02DDC: table of routines???
	$E02ED0 - addr of GetJoyPad Data routine

$E02FF4 - 4 bytes - NMI, saved return address and P from stack
$E02FF0 - 2 bytes - NMI, a saved stack pointer ?

$E02FD4 - buffer end index
$E02F74 - 16 word buffer (routine request)
$E02F94 - 16 dword (24bit pointer + extra byte) buffer
	- this buffer basically holds a list of what routines were requested
	- and where they were called from
	(So you may be able to use this as a "stack trace" of sorts.)

$E039F7 - JoyPad1 reading
$E039F9 - JoyPad2 reading


$E03E4A - 10 byte buffer, holds results of reading modem registers FBC1B2-FBC1A0 (every other one)

$E03FD8 - 8 byte buffer holding results of test (multiple readings $FBC168 bit 2)


$E0ED16 - table of routine offsets  (-1 since RTL adds 1)
$E0F7A2 - table of routine banks

$E0FDA0 - "dialing prefix" setting... 0 = none, 1-A = 0-9
;-------------------------------

Routine that checks key patterns: $D391A6
;------------------------------------------
; Found requested pattern in key presses?
; parm
;	push pointer  (example D8:1C5E)
; return
;	A = 0(false), 1(true)
;
; routine #$03A0 from $E00040
;

Data at pointer:
first byte - number of button presses in the sequence
15 bytes - ??
list of words - button sequence data
4 words - ??
  guessing, looking at structure of data
  1 word - ??
  1 dword - address / pointer
  1 word - ??

===========================================================================

breakpoint on $D391A6, the following sequences were checked:

logo screen -
  $D8:1BFA
  $D8:1A82

player select -
  $D8:1B8C
  $D8:1B66
  $D8:1B40
  $D8:1B1A
  $D8:1BFA
  /enter a code name
    $D8:1BFA
  /choose a character
    $D8:1BFA

main menu -
  $D8:1C5E
  $D8:1BB2
  $D8:1AF8
  $D8:1AA2
  $D8:1A5E
  $D8:1B66
  $D8:1B40
  $D8:1B1A
  $D8:1B8C
  $D8:1BFA

  $D8:1BD6 <-- direct address changed,
          probably means called from a different routine than those above

challenge / "are you sure you want to register" screen -
  $D8:1C22

player list -
  $D8:1BFA
  /"enter a code name" - 
    $D8:1BFA

mailbox menu - 
  $D8:1A0E
  $D8:1BFA
  /X-Mail -
    /write message -
      $D8:1BFA
    /are you sure you want to connect
      $D8:1C22

Stats -  
  $D8:1BFA

Options - 
  $D8:1AC8
  $D8:1A30
  $D8:1BFA
  /XBAND Setup
    $D8:1BFA
  /Phone Setup
    $D8:1BFA
  /Sound Setup
    $D8:1BFA
  /Account Info
    $D8:1BFA
  /Player ID
    $D8:1BFA
    /Code Name
      $D8:1BFA
    /Character
      $D8:1BFA
    /Enter your taunt      
      $D8:1BFA
    /Personal Info
      $D8:1BFA
    /Password
      $D8:1BFA

===========================================================================

Okay, now looking at the ROM...

$D8:1A0E - 00 - left,right,down(2),R
$D8:1A30 - 01 - up(2),down(3),right,left,right,left,down,L
$D8:1A5E - 02 - up(3),down,up,B
$D8:1A82 - 03 - up(2),left,right
$D8:1AA2 - 04 - up(2),left,right,left,right,L
$D8:1AC8 - 05 - up,right,down,left,up,up,left,right,left,right,down,L
$D8:1AF8 - 06 - up,right,down,left,B
$D8:1B1A - 07 - impossible?
     structure looks fine, but button press bytes are reversed?
     0400,0400,0400,0400,0800,0800,0400
     would be: down(4),up(2),down
$D8:1B40 - 08 - down(2),left(2),up(2),right
$D8:1B66 - 09 - up(2),right(2),down(2),left
$D8:1B8C - 0A - left(2),up(2),right(2),down
$D8:1BB2 - 0B - down(2),left(2),right,B
$D8:1BD6 - 0C - impossible??
     structure looks fine, but button press bytes are reversed?  
     bytes are reversed?  0400,0800,0400,0100,0100,0100
     would be: down,up,down,right(3)
$D8:1BFA - 0D - impossible??
     structure looks fine, but button press bytes are reversed?
     0100,0100,0100,0400,0800,0400,0800,0100
     would be: right(3),down,up,down,up,right
$D8:1C22 - 0E - up(2),down
$D8:1C40 - 0F - up(3)  ... the "pointer data" is empty, 
     but the rest of the structure looks okay
     (Notice, no menu found yet where this one was used.)
$D8:1C5E - 10 - impossible?
     structure looks fine, but button press bytes are reversed?  
     0100,0100,0100,0100,0800,1000
     would be: right(4),up,start

===========================================================================
Identified sequences

-logo-
#03 - vomit vision

-main menu-
#04 - snake game
#08 - clear cycle font
#09 - green cycle font
#0A - rainbow cycle font
#0B - maze game

#06 - font test (removed? ... this showed up in an old X-Band FAQ)

-mail menu-
#00 - screen saver

-connecting screen-
#0E - brings up maze game while trying to connect?

-options menu-
#05 - memory viewer
#01 - remote diagnostic screen

======
Remote Diagnostic Screen.

Press any button to exit.

Your modem is waiting for a call from
XBAND Customer Service. If you were not
directed here by XBAND Customer
Service, please exit this screen.
======