need help at disassemble a cartridge DMS1 with music software for the CX5M

Page 1/9
| 2 | 3 | 4 | 5 | 6

By erwinmusik

Master (140)

erwinmusik's picture

19-05-2012, 21:57

Hi,

is anybody out there who can explain some machine code?

I´m trying to disassemble some code from a cratridge with the DMS1 Software

first:

Am I rgiht, the MSX standard for a ROM cartridge is:

4000 41
4001 42
4002 - ;the entry adress to start the software

these are the first 4 bytes of the cartridge:
41
42
EA
42

so I´m going to &H42EA

the Disassembler write this at these adress:

(note: the disassembly starts at &h0000, so it´s &H02EA instead of &H42EA)

0669 02EA 21 3C 40 LD HL,403CH
0670 02ED 11 DA FE LD DE,0FEDAH
0671 02F0 01 04 00 LD BC,0004H
0672 02F3 ED B0 LDIR
0673 02F5 21 19 42 LD HL,4219H
0674 02F8 11 05 80 LD DE,8005H
0675 02FB 01 D1 00 LD BC,00D1H
0676 02FE ED B0 LDIR
0677 0300 CD 38 01 CALL L0057 ; MSX BIOS CALL --- RSLREG reads the output to the primary slot register
0678 0303 32 D4 80 LD (80D4H),A : the Return in "A" goes to &H80D4
0679 0306 0F RRCA
0680 0307 0F RRCA
0681 0308 32 DB FE LD (0FEDBH),A
0682 030B C9 RET ;??????????????????????????

And the QUESTION is: to where goes this REturn? to Basic?
I guess it´s going back to the caller routine for inserted cartridges, but I haven´t any idea where it is

Please give me some help, I´m trying to find some tricks inside these software to de-magic the SFG05 BIOS

I got a full description already in a scanned PDF, but only absolutly dry explanation of the management and entries without any further explanation nor example code

Greetings from Berlin

Login or register to post comments

By RetroTechie

Paragon (1551)

RetroTechie's picture

20-05-2012, 02:38

(4002h) is called INIT entry, routine at that address should initialize the cartridge.
So it copies 4 bytes from 403Ch to FEDAh, which is a hook. Not sure when that hook is called, I'd put my money on it being called sometime when BASIC is started. You might want to check 403Ch contents to see where that hook is diverted to.
Then some code is copied from 4219h (ROM) to 8005h (RAM).
Then primary slot setting is read & poke'd into these routines, and we're done (for now).

No doubt this procedure serves to let other cartridges (read: disk interfaces!) initialize. When that's done, at the point where BASIC is about to start, that hook is called, this cartridge takes control again but now has the ability to use disk drives if present.

What happens next? Have a look at that code that was copied earlier... Smile2

By erwinmusik

Master (140)

erwinmusik's picture

29-06-2012, 18:00

OK. Weeks later I take time to go on with this project.In the last weeks I dissasembled the SFG05 Music Bios a little bit and learn (again) a lot of ASM. I wrote a lot of code and try to read and write the SFG05 registers. It´s magic, because of an undocumentated Bit in the STATUS Register #3FF0 and final some changes in the way to read out. It doesn´t matter wich address is read (#3FF0 or #3FF1) it delivers always the status. I´m working with the help of NYYRIKKI on this to make corrections of his very usefull explanation many years ago.

http://www.cx5m.net/fmunit.htm

AND I get these ROM start in the BlueMSX, indead, it works only with the SFG01!
So I have to change my memories, I thought I had a CX5M with SFG05 in 1986. But this can´t be.
The programmer of the DMS1 Software, Abduhl H. Ibrahim, has written a programm that works with SFG01 and a floppy drive - Yamaha never done this. But later with SFG05 and the YRM50x ROM´s the disc becomes to work.
And now it´s clear, the DMS1 works only with the Yamaha Keyboard, because of the partly disfunctional MIDI IN on the SFG01. I read something about these issue anywhere....correct me if I´m wrong.

Now, I follows the next step as described from RetroTechie above.
These are the four Bytes copied from #403C to #FEDA:

F7 00 0C 43

I don´t know how these hook works exactly, but I guess the last two bytes are the next address,
#430C
It´s exactly after the mysterious RET Call and I thinks that makes sense.

I will dissasmble from these code......... the next step.

Greetings from Berlin

By NYYRIKKI

Enlighted (5283)

NYYRIKKI's picture

29-06-2012, 19:20

This is easy one...

"RSLREG" reads the SlotID of current slot (see: http://www.msx.org/wiki/SlotID )
This is placed next to RST #30 that is interslot call. It works like this:
RST #30
DB [SlotID]
DW [Address to call]
[after call it continues from here]

This is normal way how hooks are handled on MSX. The hook it self has a name "HSTKE" and it is called when stack is reset.

By dms1guy

Resident (50)

dms1guy's picture

13-05-2014, 19:37

Hi Guys, I have just joined msx.org and came across your post on the DMS1 sequencer disassembly.
My name is Abdul Hafiz Ibrahim and I actually wrote the DMS1 software nearly 20 years ago.
I just wanted to share how impressed I am at your patience and skill in disassembling this software.
Well Done !

By Manuel

Ascended (15445)

Manuel's picture

13-05-2014, 22:43

Hey, great to hear from you! Can you tell us some more about this?
- why did you write it?
- how did you do it?
- where was it sold?
- how many?
- what else did you do with/for MSX?
- what happened after this project?
- do you still have the source code? Smile

By dms1guy

Resident (50)

dms1guy's picture

14-05-2014, 11:18

Hey Manuel,
I'll do my best to answer your questions. I'll do each one in a separate post:

1 - why did you write it?

I used to study Chemistry at Manchester University in the UK in early 1980's. At the same time I was working professionally as a session musician. I play (and still play) electric guitar (here is a my YouTube channel: https://www.youtube.com/user/cellman786/videos).

I saw an advert to work for Imagine Software in Liverpool, UK in 1983/84. The advert was for a "computer musician", and as I was learning Z80 assembler on the ZX Spectrum and was a professional working musician, it felt like an interesting direction, so I left University and went to Liverpool to work for Imagine Software (interestingly Ian Heatherington after Imagine later formed Psygnosis and was eventually bought out by Sony and became Sony Computer Entertainment Europe)

My main role at Imagine was to provide Z80 assembler based sound effects and music for Imagine games on the ZX Spectrum (also some work on the C64). ... wrote a lot of real-time assembler.

In my interview for the job I was told that they had finished the game: "Cosmic Cruiser" for the 48K Spectrum, but had run out of memory and so only had the 256 byte printer buffer left. If I could get the game music and 8 sound effects including all code and data into the printer buffer, then the job was mine.

They put me up at the Bradford hotel on Tithebarn street. In the morning I came back with the job done. I got it all inside 253 bytes, and my amazing journey as a games assembler programmer started.

After Imagine Software went under due to overextending themselves in trying to create the first catridge based software games (Psychlapse and Bandersnatch) for the ZX Spectrum and C64 which was a pure tape based market at that time, I was offered to consult with Yamaha Kemble, the UK based distributors for Yamaha music products in the UK.

The reason I was asked, was because at that time I was considered to be an authority on computer music and had worked on some of the best selling games. Yamaha were launching the CX5M, and Yamaha Kemble had never imported such a high-tech product. So they wanted advice. They gave me a CX5M with SFG-01 MIDI/Keyboard/Sound module together with the FM Composer software cartridge to review.

being a professional musician and working regularly in recording studios, it took me very little time to reach my conclusions and report to Yamaha that the FM Composer was rubbish, but that I saw tremendous potential for the CX5M hardware.

My main 2 main complaints with FM Composer cartrideg software were:

1) It did not keep accurate time. It speeded up and slowed down depending on the playback workload. No musician was going to tolerate that.

2) I had learned to play by ear and did not know any music theory, so it was very difficult to use the formal music notation that FM Composer demanded. I felt that many musicians play by ear and they would be alienated by the software.

At the same time I could see the amazing potential of the CX5M and was so excited at the thought of being able to program any backing and layer multiple parts. The problem was that I wanted to use it like a "multi-track tape recorder" where you just pressed RECORD and PLAY and it just recorded the parts ... just like in a real multi-track studio.

When I reported this back to Yamaha, they were not happy, as they just wanted me to sign-off on the evaluation. But I suggested that I could develop a real-time sequencer that would operate like a multi-track tape recorder. They faxed my technical proposal to Hammamatsu in Japan, and the technical team there said that my proposal was not technically possible as the CX5M only had a Z80 clocked at 3.5MHz, with a wait state per M1 cycle and only 32K of RAM, of which 16K was reserved by the MSX system. There were no interupts available from the MIDI port, which was quite fast at 31.25 KBits to poll using such a slow processor. Also you could not switch off the MSX interupts and they would interfere with the job scheduling. So they rejected my proposal.

I desperately wanted to realise my vision and to be able to use the software just for myself to be ablet o rehearse and compose and improvise over computer generated backing tracks. This was an amazing concept in those days and not imaginable for a budget system.

I disagreed that it was not possible as my games programming experience told me that although it would be tight, that it would just be possible to schedule the playback and recording workloads in real-time, even using polling.

So I decided to create the sequencer software I described in my proposal, which eventually became the real-time music sequencer called the DMS1.

In my next post I will address your next question: how did you do it?

By mtn

Master (248)

mtn's picture

14-05-2014, 12:05

dms1guy.

Thank you very much for sharing this!

Im looking forward to your next post!

By dms1guy

Resident (50)

dms1guy's picture

14-05-2014, 12:08

Response to Manuel's Question number:
2 - how did you do it?

I had no sponsor for the project, or money to invest. The only resources I had was the CX5M hardware.

At Imagine Software, we used Sage mini-computers as development machines. They were based on the 68000 processor running UNIX. Thye hosted the Z80 cross-assemblers were used at Imagine. But now I was on my own and did not have access to any development machines or cross-assemblers, as they were too expensive.

So I decided to acquire a development system and took out a bank loan out for £3,500 to buy an Apricot Xi10 desktop computer. It had a 9" green screen monitor, 256K RAM, 10MB hard-drive (yes 10MB not 10GB), and 720KB 3.5" floppy-drive and an 8086 processor clocked at around 5MHz. It also had an 8089 I/O processor. It ran MS-DOS.
(link to details of the Apricot Xi10 http://www.old-computers.com/museum/computer.asp?st=1&c=500)

An IBM PC of equivalent spec at that time was around £5,000 so this was considered a bargain.

Now I had development hardware, but needed a Z80 cross-assembler. So I used the 8086 assembler (MASM) that came with MS-DOS on the Apricot to write a Z80 cross-assembler from scratch.

My next problem was that I needed to be able to develop the target software as a cartridge product, and so I created a simple SRAM-based cartridge emulator that plugged into the CX5M as though it was a cartridge, and then created an interface board that plugged into the Apricot that connected to the cartridge emulator and could read and write the SRAM in the cartridge emulator.

So now I could generate Z80 code and write it into a catrtridge emulator that could boot as an MSX cartridge.

My next problem was that there was no documentation availbale for the SFG-01 sound module and Yamaha would not provide it. .... So I decided to reverse engineer the SFG-01 firmware.

For this I needed a Z80 disassembler, which again I wrote from scratch.

I generated miles and miles of Z80 disassembly, and worked every hour possible for over 6 months, gradually creating a map of how the SFG-01 firmware operated. At times, I felt like giving up as it looked like I would never reach the end, but then I stumbled across some routines that were actually talking to the I/O registers and eventualy could see how the system was being initialised.

At the end of this disassembly period, I finally gathered enough data to guess how to sound a note on the SFG-01. So I eventually wrote a test routine to test my understanding, but was so scared to press the return key to run it, as I felt that if it didn't work, I would be so demoralised after 6 months of back-breaking disassembly, that I would not know how to cope with such failure.

Eventually, I took a deep breath and pressed the return key, and immediately there was a DING sound as the SFG-01 came to life and clearly produce the note of a PIANO note being played.

I nearly went out of my mind .. I ran up and down the house just screaming .. everyone thought I had gone mad. I am not known for displays of emotion as I am quite an intense internal person. but this was just too much to contain.

At this point I knew I had cracked the core issue of whether or not it was possible, and so now I re-focused on the software I was going to create.

The first key problem was that there was only 16K of user RAM as MSX need the other 16K, and to create multiple tracks of real-time music in only 16K was a challenge. So I decided to use the same technique I used in my interview with Imagine to fit 8 sounds effects and a music track into the 256 bytes Spectrum printer buffer.

I decided to record short sequences of music, and then to manually sequence those segments so that each repetition of a recorded sequence only took a few bytes of memory to store. This meant that in practice you could get anywhere beteween 5 to 10 complete songs into the 16K memory.

Another key challenge was to avoid suffering the same problem of Yamaha's FM Composer of uneven playback due to poor workoad scheduling. My situation was even worse because I was also scanning the music keyboard and recording as well as playing back, all in real time.

To make matters worse, I also wanted to be able to allow the playback speed to be determined by a MIDI clock generated by a SMPTE hardware from a tape recorder or from a drum machine external to the CX5M. As the MIDI IN port did not generate interrupts and data was coming in at 31.25 Kbaud, I had no choice but to poll the MIDI IN port very very fast.

So in the end,l I decided to build the playback engine around a very fast interrupt timer, which accomodated the requirement to poll the MIDI IN port, as well as scanning the keyboard and playing backing tracks.

I found that all of this was just fractionally too much work to do within the very small time window available in the interrupt handler, so I had to 'cheat' by removing the volume scaling function to reduce the workload, which made the interrupt scheduled workload feasible and it worked beautifully. You could plug a drum machine into the MIDI IN port and manually change its tempo and the CX5M playback would stay synchronised to that tenpo, and still record and playback, with no timing loss.

The removal of the volume scaling function is the reason why the sound quality of the DMS1 sounds did not feel quite as nice as the original sounds, but without this compromise, it was not technically achievable.

The whole development took me about an additional 6 months of work on top of the 6 months of dissassembly.

In my next post I will address your next question: - where was it sold?

By dms1guy

Resident (50)

dms1guy's picture

14-05-2014, 12:47

Response to Manuel's Question numbers:
3 - where was it sold?
4 - how many?
5 - what else did you do with/for MSX?
6 - what happened after this project?

Once I completed the software, I had no idea what to do next, as the only reason I did it was the passion of creating my vision. I had no commercial or business knowledge and simply had no idea what to do next, so I just shared my sequencer capability with my musician friends who had never seen a computer-based system for generating backing tracks.

Eventually, the word spread and I was approached by a commercial party to distribute the product as the DMS1 sequencer. As I had no idea how to commercialise it, I felt that it could be an interesting journey to agree to its distribution.

The first thing that was done was that a half page black and white advert was placed in one of the top music journals. The ad was not clever, it simply said: "real-Time Sequencer for Yamaha CX5M .. please send £99.95"

Over £10,000 in cheques arrived in the mail over the next 7 days.

This proved something that I wrote in my original report to Yamaha. I told them them they would initially sell a certain number of CX5M units simply because of the Yamaha brand and the novelty. But that once customers had realised that the FM Composer software was not usable, that word would quickly spread and Yamaha would be left with a warehouse full of CX5M. Well this is exactly what happened. There were a lot of musicians, producers and studio owners who bought the CX5M as a professional tool, who realised that it was not usable, but had no 3rd party options.

As soon as people saw there was a 3rd party option, they didn't ask questions, they just posted their cheques.

For a while, Yamaha was telling their resellers that DMS1 was a hoax product, but eventually they changed their tune.

I started to get fan mail from all over the world, asking about the techniques I had used. I even got mail from
IRCAM (Institute for Research and Coordination in Acoustics and Music) in Paris, France, one of the world's leading public research institutes within the fields of musical expression, musical research, sound, and acoustics.

When the new CX5M with upgraded memory (up from 32K to 256K) and the new SFG-05 sound module was launched, Yamaha asked me to produce an upgraded DMS1 (mark 2) to handle the extra memory and the new sound module. So I significantly expande the display which was full graphics, added mouse support and scrolling messages.
It was now starting to look like what you would expect today from multi-tracking software.

The memory management on the Mark 2 was interesting, as the Z80 only has a 16-bit memory space and so can only address 64K of memory. So to access the 256K on the upgraded CX5M, a bank-switching scheme was used. So a memory manager that split everything into blocks was used and pointers were used to chain data. Also, you had to schedule which window within the 64K Z80 address space the banked memory was to appear in and if 2 or more were needed to be accessed at the same time.

I think the original DMS1 fitted inside an 8K EPROM and the MK 2 version needed a 32K EPROM.

Then the software started to get reviewed in professional music magazines like SOS (Sound-on-Sound). In a key review, it was compared to the Steinberg Pro 24, and the review was very heavily in favour of the DMS1.

About 6 months after this review, Steinberg launched their revised product, called "Cubase", which felt very much to me like I had designed it.. Such a strange feeling looking at a product that feels like it is your, but you know its not.

Cubase of course went on to become the worldwide defacto standard in sequencing.

DMS1 also inspired another product, called MIDI Studio which was written by an enthusiast who wrote to me often and often came around to my house for insights into how to write this type of software.

One of the niggles I had was that was never addressed was that there was a hardware bug in the SFG-01 and SFG-05 unit which caused my software to crash unexpectedly without warning. I didn't work this out until much later as it was so difficult to reproduce a crash and debu it.

After a few years of working on DMS1, I had a car accident which took me out of circulation for a while and made me lose interest in the project even after I had recovered.

I was eventually contacted by someone claiming to be the American distributor for the DMS1, which I had no idea about as I was not communicating with the DMS1 company. He told me that the DMS1 was sold via Yamaha into Japan in a special Christmas Bundle offer and that over 9 million units were shipped.

I have no idea if that is true, but I certainly have not missed the fact that after DMS1, there were lots of copycat sequencers borrowing from the basic idea. Once the Atari ST aand then PC compatibles came into being, it was much easier to write that type of application, and the rest is history as everyone uses sequencers. The main difference is that today, they use less MIDI and do more audio sequencing of sampled sounds.

After my accident I did not really keep in touch with the company selling DMS1, as I was not very commercially focused and was bored and just wanted to move on to another project. So I have no idea how much money was made as most of it happened without my knowledge.

It was certainly an amazing journey, and one that I have no regrets over. I used to think I was a nobody at that time, but came to realise that I had the ability to produce a world-class product even when Yamaha said it was not possible. That was worth more to me than the cash at that time in my life.

By dms1guy

Resident (50)

dms1guy's picture

14-05-2014, 12:56

Response to Manuel's final Question:
7- do you still have the source code?

I created DMS1 around 1983 which is a long time ago. I have moved around a lot since then, and it has been difficult to carry old source material forward. It used to be stored on 3.5" floppy disks, which eventually got mislaid and forgotten about over the years.

I would love to be able to lay my hands on that source code right now as I would simply release it into the public domain.

I don't remember detailed reference points like exactly which bits in which register, but I may be able to help with any architectural questions as I do fundamentally understand how the SFG-01 and SFG-05 work.

I hope I haven't bored anyone with too much irrelevant detail and am happy to help with anything that is within my power.

Page 1/9
| 2 | 3 | 4 | 5 | 6