On 26 Mar 00, marcus@... (Marcus Comstedt) wrote:
> > Well, as it looks to me, you are pushing the 16 bit address onto the stack
> > which follows the JMPF instruction at address $0122. Since you said that
> > the "unlimited flash write" function in the firmware doesn't have code to
> > switch back to the game, I assume it just ends with a RET. So the address
> > you pushed onto the stack is used as a 'return address', thus continuing
> > execution at the point in the firmware where the documented routine for
> > "read flash rom" resides. And after that is done, it switches us back to
> > the game. Neat.
>
> Spot on. Almost. What you got wrong is just that $0123 is not
> precisely the location of the "read flash rom" function. The function
> starts at $0120 (which is why this is the target of the JMPF), and looks
> like this:
>
> 0120- 20 e0 27 | int120link: CALLF LE027
> 0123- b8 0d | NOT1 EXT, 0
> 0125- 21 01 25 | JMPF L0125
Uh... guess I simply read your code wrong, then. At first glance it
looked to me as if you were pushing the contents of ROM locations $0123 and
$0124 onto the stack (which contain #$01 and #$20, the two values directly
following the #$21 value of the JMPF instruction), while actually you were
just pushing the lo- and hi-byte of the 16 bit value #$0123 onto the
stack...
The usage of your assembler still confuses me at times. Is there a manual
available somewhere that describes its usage in a little more detail?
> Since the address that was pushed to the stack
> is $0123 and not $0120, the $E027 function is never called, and I only
> get the return back to the game.
Yup... now I see. ;)
Bye
Alessandro
---
You get what anyone gets. You get a lifetime.
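The trick discussed in this thread, as an added example that is not code from the thread or from Marcus's assembler: a toy interpreter in C that models pushing the address of the tail of the documented $0120 entry ($0123: NOT1 EXT,0 / JMPF $0125) so that an undocumented firmware routine ending in a bare RET "returns" into that tail and is switched back to the game. Only the three-instruction listing at $0120 is taken from the thread; everything else is an assumption made for the model: the address ($E100) and body of the undocumented flash-write routine, the body of $E027, what the game bank holds at $0125, that return addresses are pushed lo byte first, and that a bank change requested by NOT1 EXT,0 takes effect at the next JMPF/CALLF/RET.

```c
/* Added example, not from the thread: toy model of "push $0123, jump into
 * the firmware, let its RET land on NOT1 EXT,0 / JMPF $0125". All routine
 * bodies and addresses other than the $0120 listing are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum bank { BANK_GAME = 0, BANK_FW = 1 };
enum op { OP_HALT, OP_CALLF, OP_JMPF, OP_RET, OP_NOT1_EXT, OP_MARK };

/* Bits in the value returned by run_trick(): what the model executed. */
enum { RAN_E027 = 1, RAN_FLASH_WRITE = 2, BACK_IN_GAME = 4,
       STACK_FAULT = 8, BAD_FETCH = 16, RUNAWAY = 32 };

struct insn { enum bank bank; uint16_t addr; enum op op; uint16_t arg; };

static const uint16_t FLASH_WRITE = 0xE100;  /* assumed address of the undocumented routine */

static const struct insn program[] = {
    /* firmware $0120: exactly the listing quoted in the thread */
    { BANK_FW,   0x0120, OP_CALLF,    0xE027 },
    { BANK_FW,   0x0123, OP_NOT1_EXT, 0 },
    { BANK_FW,   0x0125, OP_JMPF,     0x0125 },
    /* assumed body of $E027: note that it ran, then return */
    { BANK_FW,   0xE027, OP_MARK,     RAN_E027 },
    { BANK_FW,   0xE028, OP_RET,      0 },
    /* assumed undocumented routine: does its work, ends in a bare RET,
     * with no NOT1 EXT,0 / JMPF of its own to get back to the game */
    { BANK_FW,   0xE100, OP_MARK,     RAN_FLASH_WRITE },
    { BANK_FW,   0xE101, OP_RET,      0 },
    /* assumed game bank: whatever the game keeps at $0125 */
    { BANK_GAME, 0x0125, OP_MARK,     BACK_IN_GAME },
    { BANK_GAME, 0x0126, OP_HALT,     0 },
};

static const struct insn *fetch(enum bank bank, uint16_t addr)
{
    for (size_t i = 0; i < sizeof program / sizeof program[0]; i++)
        if (program[i].bank == bank && program[i].addr == addr)
            return &program[i];
    return NULL;
}

/* Sizes as in the listing: CALLF/JMPF 3 bytes, NOT1 2 bytes; MARK/RET/HALT 1. */
static uint16_t length(enum op op)
{
    return (op == OP_CALLF || op == OP_JMPF) ? 3 : (op == OP_NOT1_EXT) ? 2 : 1;
}

/* The model starts at the moment the game has (optionally) pushed `pushed`,
 * lo byte first, and transferred control to the firmware routine. */
int run_trick(int have_return_addr, uint16_t pushed)
{
    uint8_t stack[16];
    int sp = 0, result = 0, pending_flip = 0;
    enum bank bank = BANK_FW;
    uint16_t pc = FLASH_WRITE;

    if (have_return_addr) {
        stack[sp++] = (uint8_t)(pushed & 0xFF);
        stack[sp++] = (uint8_t)(pushed >> 8);
    }
    for (int steps = 0; steps < 64; steps++) {
        const struct insn *in = fetch(bank, pc);
        if (!in)
            return result | BAD_FETCH;          /* fell into unmapped memory */
        uint16_t next = (uint16_t)(pc + length(in->op));
        switch (in->op) {
        case OP_HALT:
            return result;
        case OP_MARK:
            result |= in->arg; pc = next; break;
        case OP_NOT1_EXT:
            pending_flip = 1; pc = next; break;   /* bank change deferred to next jump */
        case OP_CALLF:
            if (sp + 2 > (int)sizeof stack) return result | STACK_FAULT;
            stack[sp++] = (uint8_t)(next & 0xFF);
            stack[sp++] = (uint8_t)(next >> 8);
            if (pending_flip) { bank = bank == BANK_FW ? BANK_GAME : BANK_FW; pending_flip = 0; }
            pc = in->arg; break;
        case OP_JMPF:
            if (pending_flip) { bank = bank == BANK_FW ? BANK_GAME : BANK_FW; pending_flip = 0; }
            pc = in->arg; break;
        case OP_RET:
            if (sp < 2) return result | STACK_FAULT;   /* bare RET with nothing sane to pop */
            if (pending_flip) { bank = bank == BANK_FW ? BANK_GAME : BANK_FW; pending_flip = 0; }
            pc = (uint16_t)(stack[--sp] << 8);
            pc |= stack[--sp];
            break;
        }
    }
    return result | RUNAWAY;
}

int main(void)
{
    printf("push $0123 -> bits %d (E027 skipped, back in game)\n", run_trick(1, 0x0123));
    printf("push $0120 -> bits %d (E027 called, back in game)\n", run_trick(1, 0x0120));
    printf("push nothing -> bits %d (RET faults)\n", run_trick(0, 0));
    return 0;
}
```

Pushing $0123 skips the CALLF at $0120 and only borrows the bank switch, which is the behaviour Marcus describes; pushing $0120 instead would run the documented routine ($E027) before the same switch; pushing nothing leaves the undocumented routine's bare RET with no return address, which is why the push is needed at all.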