CIC-NUS
Notice: Everything on this page needs to be verified for accuracy. There are likely, errors or missing information here.
CIC
Disclaimer: All of the CIC actions described below have been done successfully as part of a University project. Some of the details are missing whether it was to avoid encouraging piracy, simply not required for the core of the paper or lost in the language translation (authors live in Germany) is unknown.
Variant | Used in | Real Entrypoint | Comment |
---|---|---|---|
5101 | Aleck 64 titles | u32@0x08 - 0x100000 | |
6101 | Starfox 64 | 0x80000480 |
|
7102 | Lylat wars | 0x80000480 |
|
6102 / 7101 | Most titles | u32@0x08 |
|
6103 / 7103 | Banjo-Kazooie, Diddy Kong Racing, ... | u32@0x08 - 0x100000 |
|
6105 / 7105 | Banjo-Tooie, Perfect Dark, ... | u32@0x08 |
|
6106 / 7106 | F-ZeroX, Yoshi's Story, ... | u32@0x08 - 0x200000 |
|
5167 | 64DD ROM conversion | u32@0x08 if u16@0x16 != 0
u32@0x101c if u16@0x16 == 0 |
|
8303 | 64DD IPL Retail (J) | u32@0x08 |
|
8401 | 64DD IPL Dev (J) | ||
8501 ? | 64DD IPL Retail (U) |
N64 Function | SM5 Function | Number | Number | SM5 Function | N64 Function | |
---|---|---|---|---|---|---|
VDD | VDD | Pin 1 | Pin 16 | VDD | VDD | |
P5:0 | Pin 2 | Pin 15 | P2:0 | Data I/O | ||
P5:1 | Pin 3 | Pin 14 | P2:1 | Data CLK | ||
P5:2 | Pin 4 | Pin 13 | P2:2 | GND | ||
P5:3 | Pin 5 | Pin 12 | P2:3 | |||
GND | TS:0 | Pin 6 | Pin 11 | CLK | CLK | |
GND | TS:1 | Pin 7 | Pin 10 | TIO | ||
GND | GND | Pin 8 | Pin 9 | Reset | !RESET |
The test modes of the CIC are available on most (all?) retail cartridges.
To Enable Test Mode(s)
Pulling TS:0 and/or TS:1 high before power on will place the SM5 controller in one of 3 test modes. (Which test modes and which pin states are unknown) It's also unclear if you can change between test modes while the unit is powered on.
The fourth state is standard usage with TS:0 and TS:1 tied to ground.
It's unknown how slowly you can clock the CIC.
In Test Mode
Which mode is still unclear but the following functionality is available.
Arbitrary Code Execution
Instructions can be set 1 nibble at a time on Port 5 pins, most instructions are 1 byte long so they must be entered 1 nibble at a time then toggle the clock line.
Halt Instruction
The Halt instruction is encoded as 0x77 which is nice because it doesn't matter which nibble you send first. This instruction also has a nice benefit of causing a clear external change, the TIO line defaults to the Clock signal but after the Halt instruction it stops outputting a clock signal.
Stop Instruction
The Stop instruction is encoded as 0x76 which will assist in determining if the high or low nibble should be input first. This instruction also stops the TIO clock upon execution, so we have a clear external indication of success.
Output Data
Port 2 of the CIC can be used to output either the AREG register or the Program Counter (PC), it's unclear at this time if the difference is achieved with different test modes or by modifying internal configuration registers.
NOTE: On power up Port 2 is configured for Input, an internal configuration register must be modified to make it output.
Load Constant into Accumulator LDX
The LDX instuction can be used to populate the AREG with a known value that can be checked on Port 2
Dumping the CIC code
This process is very confusing so it may take some experimentation to work out the exact steps and details, the original document tries to explain but it feels like some details are missing.
Jump Instructions are 2 bytes, the first nibble is the instruction and the following 12 bits are the destination address.
Being in test mode seems to have a side effect on this instruction, inputting only the Jump instruction followed by a zero nibble, the second byte is loaded from the ROM, which is an instruction but is treated as data. The Jump instruction is then executed and the PC can be viewed on Port 2, as well
References
https://sites.google.com/site/consoleprotocols/home/techinfo/lowlevel/pif12
https://code.google.com/archive/p/mupen64plus/wikis/SoftResetNotes.wiki