Breaking Eggs And Making Omelettes

Topics On Multimedia Technology and Reverse Engineering



Further Dreamcast Hacking

February 2nd, 2011 by Multimedia Mike

I’m still haunted by Sega Dreamcast programming, specifically the fact that I used to be able to execute custom programs on the thing (roughly 8-10 years ago) and now I cannot. I’m going to compose a post to describe my current adventures on this front. There are 3 approaches I have been using: Raw, KallistiOS, and the almighty Linux.


Raw
What I refer to as “raw” is an assortment of programs that lived in a small number of source files (sometimes just one ASM file) and could be compiled with the most basic SH-4 toolchain. The advantage here is that there aren’t many moving parts and not many things that can possibly go wrong, so it provides a good functional baseline.

One of the original Dreamcast hackers was Marcus Comstedt, who still has his original DC material hosted at the reasonably easy-to-remember URL mc.pp.se/dc. I can get some of these simple demos to work, but not others.

I also successfully assembled and ran a pair of 256-byte (!!) demos from this old DC scene page.

KallistiOS
KallistiOS (or just KOS) was a real-time OS developed for the DC and was popular among the DC homebrew community. All the programming I did back in the day was based around KOS. Now I can’t get any of it to work. More specifically, KOS can’t seem to make it past a certain point in its system initialization.

The Linux Option
I was never that excited about running Linux on my Dreamcast. For some hackers, running Linux on a given piece of consumer electronics is the highest attainable goal. Back in the day, I looked at it from a much more pragmatic perspective– I didn’t see much use in running Linux on the DC, not as much as running KOS which was developed to be a much more appropriate fit.

However, I was able to burn a CD-R of an old binary image of Linux 2.4.5 compiled for the Dreamcast and boot it some months ago. So I at least have a feeling that this should work. I have never cross-compiled a kernel of my own (though I have compiled many, many x86 kernels in my time, so I’m not a total n00b in this regard). I figured this might be a good time to start.

The first item that worries me is getting a functional cross-compiling toolchain. Fortunately, a little digging in the Linux kernel documentation pointed me in the direction of a bunch of ready-made toolchains hosted at kernel.org. So I grabbed one of the SH toolchains (gcc-4.3.3-nolibc) and got rolling.

I’m well familiar with the cycle of 'make menuconfig' in order to pick configuration options, and then 'make' to build a kernel (or usually 'make zImage' or 'make bzImage' to create compressed images). For cross compiling, the primary difference seems to be editing the root Makefile in the Linux source code tree (I’m using 2.6.37, the latest stable as of this writing) and setting a value for the CROSS_COMPILE variable. Then, run 'make menuconfig' followed by 'make' as normal.

The Linux 2.6 series is supposed to support a range of Renesas (formerly Hitachi) SH processors and board configurations. This includes reasonable defaults for the Sega Dreamcast hardware. I got it all compiling except for a series of .S files. Linus Torvalds once helped me debug a program I work on so I thought I’d see if there was something I could help debug here.

The first issue was with ASM statements of a form similar to:

mov #0xffffffe0, r1

Now, the DC’s SH-4 is a RISC CPU. A lot of RISC architectures adopt a fixed instruction size of 32 bits. You can’t encode an entire 32-bit immediate value inside of a 32-bit instruction (there would be no room for the instruction encoding). Further, the SH series encodes its instructions in a mere 16 bits. The move immediate data instruction only allows for an 8-bit, sign-extended value.

I decided that the above statement is equivalent to:

mov #-32, r1

I’ll give this statement the benefit of the doubt that it used to work with the gcc toolchain somewhere along the line. I assume that the assembler is supposed to know enough to substitute the first form with the second.
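The equivalence worked out above, as an added example (not code from the original post or from the kernel tree): a C check of whether a 32-bit constant can be carried by the 8-bit sign-extended field of the SH "mov #imm, Rn" instruction, together with the resulting 16-bit opcode. The function names are made up for the illustration, and the sample constants are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* SH "mov #imm, Rn" is a 16-bit opcode: 1110 nnnn iiii iiii.
 * The CPU sign-extends the 8-bit field iiiiiiii to 32 bits. */
uint32_t sh_sign_extend8(uint8_t imm8)
{
    return (imm8 & 0x80u) ? (0xFFFFFF00u | imm8) : imm8;
}

/* Returns 1 and stores the opcode when the 32-bit constant `value` is
 * reachable by sign-extending 8 bits; returns 0 when it is not and the
 * constant has to come from somewhere else (e.g. a literal-pool load). */
int sh_encode_mov_imm(uint32_t value, unsigned rn, uint16_t *opcode)
{
    uint8_t imm8 = (uint8_t)(value & 0xFFu);

    if (rn > 15 || sh_sign_extend8(imm8) != value)
        return 0;
    *opcode = (uint16_t)(0xE000u | (rn << 8) | imm8);
    return 1;
}

int main(void)
{
    /* Constructed inputs: the constant from the post, its signed
     * spelling, and two values that do not fit. */
    const uint32_t samples[] = { 0xffffffe0u, (uint32_t)-32, 0xf0u, 0x12345678u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t op;
        if (sh_encode_mov_imm(samples[i], 1, &op))
            printf("0x%08x -> opcode 0x%04x\n", (unsigned)samples[i], op);
        else
            printf("0x%08x -> does not fit in imm8\n", (unsigned)samples[i]);
    }
    return 0;
}
```

Both spellings of the constant produce the same opcode because the low byte 0xe0 sign-extends back to 0xffffffe0; a value such as 0xf0 does not survive the round trip.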

The next problem is that an ‘sti’ instruction shows up in a number of spots. Using Intel x86 conventions, this is a “set interrupt flag” instruction (I remember that the 6502 CPU had the same instruction mnemonic, though its interrupt flag’s operation was opposite that of the x86). The SH-4 reference manual lists no ‘sti’ instruction. When it gets to these lines, the assembler complains about immediate move instructions with too large data, like the instructions above. I’m guessing they must be macro’d to something else but I failed to find where. I commented out those lines for the time being. Probably not that smart, but I want to keep this moving for now.

So I got the code to compile into a kernel file called ‘vmlinux’. I’ve seen this file many times before but never thought about how to get it to run directly. The process has usually been to compress it and send it over to lilo or grub for loading, as that is the job of the bootloader. I have never even wondered what format the vmlinux file takes until now. It seems that ‘vmlinux’ is just a plain old ELF file:

$ file vmlinux
vmlinux: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, not stripped

The ‘dc-tool’ program that uploads executables to the waiting bootloader on the Dreamcast is perfectly cool accepting ELF files (and S-record files, and raw binary files). After a very lengthy upload process, execution fails (resets the system).

For the sake of comparison, I dusted off that Linux 2.4.5 bootable Dreamcast CD-ROM and directly uploaded the vmlinux file from that disc. That works just fine (until it’s time to go to the next loading phase, i.e., finding a filesystem). Possible issues here could include the commented ‘sti’ instructions (could be that they aren’t just decoration). I’m also trying to understand the memory organization– perhaps the bootloader wants the ELF to be based at a different address. Or maybe the kernel and the bootloader don’t like each other in the first place– in this case, I need to study the bootable Linux CD-ROM to see how it’s done.
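The question of where each vmlinux expects to be based can be answered from the ELF header and program headers. The following is an added example (not from the original post, and not dc-tool's code) that reads the entry point and the first PT_LOAD virtual address from an ELF32 little-endian SH image, rejecting truncated or mismatched input. The function names are hypothetical, and the sample image and its addresses are constructed, not taken from either kernel.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define EM_SH   42u  /* e_machine value for Renesas (Hitachi) SH */
#define PT_LOAD 1u
struct elf_summary { uint32_t entry, first_load_vaddr, loads; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v); wr16(p + 2, v >> 16); }

/* Returns 0 and fills *out, or -1 if buf is not a sane ELF32 LSB SH image. */
int elf32_sh_summary(const uint8_t *buf, size_t len, struct elf_summary *out)
{
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    if (buf[4] != 1 || buf[5] != 1) return -1;   /* ELFCLASS32, ELFDATA2LSB */
    if (rd16(buf + 18) != EM_SH) return -1;      /* e_machine */
    uint32_t phoff = rd32(buf + 28);             /* e_phoff */
    uint32_t phentsize = rd16(buf + 42), phnum = rd16(buf + 44);
    /* Reject a program header table that runs past the end of the file. */
    if (phentsize < 32 || phoff > len || phnum * phentsize > len - phoff) return -1;
    memset(out, 0, sizeof *out);
    out->entry = rd32(buf + 24);                 /* e_entry */
    for (uint32_t i = 0; i < phnum; i++) {
        const uint8_t *ph = buf + phoff + i * phentsize;
        if (rd32(ph) == PT_LOAD && out->loads++ == 0)
            out->first_load_vaddr = rd32(ph + 8); /* p_vaddr */
    }
    return 0;
}

/* Constructed sample: ELF header plus one PT_LOAD entry, no payload. */
void make_sample(uint8_t buf[84], uint32_t entry, uint32_t load_vaddr)
{
    memset(buf, 0, 84);
    memcpy(buf, "\x7f" "ELF\x01\x01\x01", 7);     /* magic, class, data, version */
    wr16(buf + 16, 2); wr16(buf + 18, EM_SH);     /* ET_EXEC, SH */
    wr32(buf + 24, entry); wr32(buf + 28, 52);    /* e_entry, e_phoff */
    wr16(buf + 42, 32); wr16(buf + 44, 1);        /* e_phentsize, e_phnum */
    wr32(buf + 52, PT_LOAD); wr32(buf + 60, load_vaddr);
}

int main(void)
{
    uint8_t img[84]; struct elf_summary s;
    make_sample(img, 0x8c210000u, 0x8c210000u);   /* constructed addresses */
    if (elf32_sh_summary(img, sizeof img, &s) == 0)
        printf("entry=0x%08x load=0x%08x\n", (unsigned)s.entry, (unsigned)s.first_load_vaddr);
    return 0;
}
```

Feeding the real file contents of the working and the failing vmlinux to the same function gives two summaries that can be compared field by field.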

Optimism
Even though I’m meeting with rather marginal success, this is tremendously educational. I greatly enjoy these exercises if only for the deeper understanding they bring for the lowest-level system details.


2 Responses

  1. igorsk Says:

    AFAIR mov (not mov.l/mov.w) is a pseudoinstruction and assembler should generate either a short move (if it fits in 16 bits) or a literal pool load. Try updating your binutils?
    As for sti/cli, I found them in arch/sh/include/asm/entry-macros.S:

    .macro cli
    stc sr, r0
    or #0xf0, r0
    ldc r0, sr
    .endm
    .macro sti
    mov #0xf0, r11
    extu.b r11, r11
    not r11, r11
    stc sr, r10
    and r11, r10
    #ifdef CONFIG_CPU_HAS_SR_RB
    stc k_g_imask, r11
    or r11, r10
    #endif
    ldc r10, sr
    .endm

  2. Multimedia Mike Says:

    @igorsk: Thanks for the tips. I have several versions of the GNU assembler for SH-4 lying around. I noticed that 2.15 and 2.19 don’t like the statement while 2.20 properly assembles it to the second form that I surmised.