+HCU
Project 4: CD-ROM related reverse engineering
CD ROM from top to down
(MSCDEX, reversing drivers and CR-ROM related interrupts)
by +RCG
(13 October 1997)
Courtesy of Fravia's page
of reverse engineering
Well, a welcome "basic" addition by +Rcg, who clear things a little out on
such important matters like accessing the CD-ROM through the MSCDEX driver.
CD-ROM REVERSE ENGINEERING
Well under this generic title, I hope we will be able to
develop a good project, just like +HCU's Project 2 (Softice).
If you have read Project 2, you could see how many
different subjects are dealed there: Vxd, NT, CheckSums and
many others, would our objective only have been 'Crack', our
Project would have finished with Part 1 or 2.
Yet no! We want to learn as much as possible, so that when everyone of
us put his 'grain of sand', the result is a great project.
So thi is my own 'grain of sand' for project 4, and I wish we will have
a desert soon.
CD-ROM FROM TOP TO DOWN.
You know CD-ROM is a relatively 'new' hardware device, and it
has special characteristics that old MS-DOS can't use directly.
So, we need under MS-DOS a driver and a program called
MSCDEX (MS-CD-Extension).
For programmers, the CD drive is just like all the others drives
(this is the advantadges of a well designed OS, to isolate the
hard from de soft.
CD-ROM has another problem, it is a drive, so it must be
treated as a 'block device driver' but due to its capacity,
and the form it stores the information, it can't be
considered as a 'standart block device driver', so MS solved
this using MSCDEX, this program is a pseudoblockdevicedriver
that assings a 'letter' to the 'characther device driver',
to perform this action MSCDEX 'tells' MS-DOS CD-ROM it is a
net device, so MS-DOS accepts and gives it a 'letter'.
So we have two 'layers' between the hardware and the user:
net net
redirector call
Programm ----> DOS ----> MSCDEX -----> REDIRECTOR
Aplication KERNEL |
^ |
| |
| V
Commands ------- CD-DRIVER
|
|
V
CD-UNIT
MSCDEX is independent of the Hard, so the Device Driver must
be a standart IO device.
If we want to permorm an action on a CD-ROM we can do
it by diferents ways, using:
0) DOS FUNCTIONS or MSCDEX
1) DIRECTLY TO THE DRIVER
2) ACCESING DIRECTLY TO THE CD-ROM UNIT.
0) MSCDEX
MS-DOS and MSCDEX functions can be reversed and thus be
intercepted easily, just read Part 1 of this Project and
use the next information to develop our own protections/
cracks.
Extracted from Ralf Brown Interrupt List, thanks Ralf.
--------d-2F1500BX0000-----------------------
INT 2F - CD-ROM - INSTALLATION CHECK
AX = 1500h
BX = 0000h
Return: BX = number of CD-ROM drive letters used
CX = starting drive letter (0=A:)
Notes: this installation check DOES NOT follow the format
used by other software
this installation check conflicts with the DOS 4.00
GRAPHICS.COM installation check
BUG: this function may return an incorrect starting drive
letter when INTERLNK is installed
--------d-2F1501-----------------------------
INT 2F - CD-ROM - GET DRIVE DEVICE LIST
AX = 1501h
ES:BX -> buffer to hold drive letter list (5 bytes
per drive letter)
Return: buffer filled, for each drive letter
BYTE subunit number in driver
DWORD address of device driver header (see #1298)
Note: reportedly returns AX=0000h and an invalid address
under Windows95
SeeAlso: AX=1510h
--------d-2F1502-----------------------------
INT 2F - CD-ROM - GET COPYRIGHT FILE NAME
AX = 1502h
ES:BX -> 38-byte buffer for name of copyright file
CX = drive number (0=A:)
Return: CF set if drive is not a CD-ROM drive
AX = 000Fh (invalid drive)
CF clear if successful
SeeAlso: AX=1503h
--------d-2F1503-----------------------------
INT 2F - CD-ROM - GET ABSTRACT FILE NAME
AX = 1503h
ES:BX -> 38-byte buffer for name of abstract file
CX = drive number (0=A:)
Return: CF set if drive is not a CD-ROM drive
AX = 000Fh (invalid drive)
CF clear if successful
SeeAlso: AX=1502h,AX=1504h
--------d-2F1504-----------------------------
INT 2F - CD-ROM - GET BIBLIOGRAPHIC DOC FILE NAME
AX = 1504h
ES:BX -> 38-byte buffer for name of bibliographic
documentation file
CX = drive number (0=A:)
Return: CF set if drive is not a CD-ROM drive
AX = 000Fh (invalid drive)
CF clear if successful
SeeAlso: AX=1502h,AX=1503h
--------d-2F1505-----------------------------
INT 2F - CD-ROM - READ VTOC
AX = 1505h
ES:BX -> 2048-byte buffer
CX = drive number (0=A:)
DX = sector index (0=first volume descriptor,
1=second,...)
Return: CF set on error
AX = error code (15=invalid drive,21=not ready)
CF clear if successful
AX = volume descriptor type (1=standard,
FFh=terminator,0=other)
Note: This function was not supported by Novell DOS 7
NWCDEX prior to the 08/16/94 update
--------d-2F1506-----------------------------
INT 2F - CD-ROM - TURN DEBUGGING ON
AX = 1506h
BX = debugging function to enable
Note: reserved for development
SeeAlso: AX=1507h
--------d-2F1507-----------------------------
INT 2F - CD-ROM - TURN DEBUGGING OFF
AX = 1507h
BX = debugging function to disable
Note: reserved for development
SeeAlso: AX=1506h
--------d-2F1508-----------------------------
INT 2F - CD-ROM - ABSOLUTE DISK READ
AX = 1508h
ES:BX -> buffer
CX = drive number (0=A:)
SI:DI = starting sector number
DX = number of sectors to read
Return: CF set on error
AL = error code(0Fh invalid drive,15h not ready)
CF clear if successful
Note: reportedly returns error 15h (not ready) under
Windows95
SeeAlso: AX=1509h
--------d-2F1509-----------------------------
INT 2F - CD-ROM - ABSOLUTE DISK WRITE
AX = 1509h
ES:BX -> buffer
CX = drive number (0=A:)
SI:DI = starting sector number
DX = number of sectors to write
Note: corresponds to INT 26h and is currently reserved
and nonfunctional
SeeAlso: AX=1508h
--------d-2F150A-----------------------------
INT 2F - CD-ROM - RESERVED
AX = 150Ah
--------d-2F150B-----------------------------
INT 2F - CD-ROM v2.00+ - DRIVE CHECK
AX = 150Bh
CX = drive number (0=A:)
Return: BX = ADADh if MSCDEX.EXE installed
AX = support status
0000h if drive not supported
nonzero if supported
SeeAlso: AX=150Dh
--------d-2F150C-----------------------------
INT 2F - CD-ROM v2.00+ -GET MSCDEX.EXE VERSION (GET VERSION)
AX = 150Ch
Return: BH = major version
BL = minor version
Notes: MSCDEX.EXE versions prior to 2.00 return BX=0000h
Corel's CORELCDX.COM v1.01d returns 2.20
v1.12a returns 2.21
Meridian Data's CDNETEX.EXE returns its own version
Windows95 returns v2.95
SeeAlso: AX=1500h"CD-ROM"
--------d-2F150D-----------------------------
INT 2F - CD-ROM v2.00+ - GET CD-ROM DRIVE LETTERS
AX = 150Dh
ES:BX -> buffer for drive letter list
(1 byte per drive)
Return: buffer filled with drive numbers (0=A:).
Each byte corresponds to the drive in the same
position for function 1501h
SeeAlso: AX=150Bh
--------d-2F150E-----------------------------
INT 2F - CD-ROM v2.00+ -GET/SET VOLUME DESCRIPTOR PREFERENCE
AX = 150Eh
BX = subfunction
00h get preference
DX = 0000h
Return: DX = preference settings
01h set preference
DH = volume descriptor preference
01h = primary volume descriptor
02h = supplementary volume descriptor
DL = supplementary volume descriptor prefer.
01h = shift-Kanji
CX = drive number (0=A:)
Return: CF set on error
AX = error code(15=invalid drive,1=invalid function)
CF clear if successful
--------d-2F150F-----------------------------
INT 2F - CD-ROM v2.00+ - GET DIRECTORY ENTRY
AX = 150Fh
CL = drive number (0=A:)
CH bit 0 = copy flag
clear if direct copy
set if copy to structure which removes
ISO/High Sierra diffs
ES:BX -> ASCIZ path name
SI:DI -> buffer for directory entry
minimum 255 bytes for direct copy
Return: CF set on error
AX = error code
CF clear if successful
AX = disk format (0=High Sierra,1=ISO 9660)
Note: this function was not supported by Novell
DOS 7 NWCDEX prior to the 08/16/94 update
Format of CD-ROM directory entry (direct copy):
Offset Size Description
00h BYTE length of directory entry
01h BYTE length of XAR in Logical Block Numbers
02h DWORD LBN of data, Intel (little-endian) format
06h DWORD LBN of data, Motorola (big-endian) format
0Ah DWORD length of file, Intel format
0Eh DWORD length of file, Motorola format
---High Sierra---
12h 6 BYTEs date and time
18h BYTE bit flags
19h BYTE reserved
---ISO 9660---
12h 7 BYTEs date and time
(seventh byte is offset from GMT in
15-minute increments)
19h BYTE bit flags
---both formats---
1Ah BYTE interleave size
1Bh BYTE interleave skip factor
1Ch WORD volume set sequence number, Intel format
1Eh WORD volume set sequence number, Motorola format
20h BYTE length of file name
21h N BYTEs file name
BYTE (optional) padding if filename is odd length
N BYTEs system data
Format of CD-ROM directory entry (canonicalized):
Offset Size Description
00h BYTE length of XAR in Logical Block Numbers
01h DWORD Logical Block Number of file start
05h WORD size of disk in logical blocks
07h DWORD file length in bytes
0Bh 7 BYTEs date and time
12h BYTE bit flags
13h BYTE interleave size
14h BYTE interleave skip factor
15h WORD volume set sequence number
17h BYTE length of file name
18h 38 BYTEs ASCIZ filename
3Eh WORD file version number
40h BYTE number of bytes of system use data
41h 220 BYTEs system use data
--------d-2F1510-----------------------------
INT 2F - CD-ROM v2.10+ - SEND DEVICE DRIVER REQUEST
AX = 1510h
CX = CD-ROM drive letter (0 = A, 1 = B, etc)
ES:BX -> CD-ROM device driver request header
(see #2251 at AX=0802h)
Note: MSCDEX initializes the device driver request
header's subunit field based on the drive number
specified in CX
BUG: Novell DOS 7 NWCDEX prior to the 12/13/94 update did
not initialize the subunit field
SeeAlso: AX=0802h
--------d-2F15FFBX0000-----------------------
INT 2F - CD-ROM - CORELCDX - INSTALLATION CHECK
AX = 15FFh
BX = 0000h
Return: BX = ABCDh if CORELCDX loaded
Note: Corel's CORELCDX.COM is a replacement for MSCDEX.EXE
it also supports the standard MSCDEX installation
check calls AX=1500h and AX=150Ch
SeeAlso: AX=1500h"CD-ROM",AX=150Ch
1) CD-ROM DEVICE DRIVER
Values for device driver command code:
00h INIT
01h MEDIA CHECK (block devices)
02h BUILD BPB (block devices)
03h IOCTL INPUT
04h INPUT
05h NONDESTRUCTIVE INPUT, NO WAIT (character devices)
06h INPUT STATUS (character devices)
07h INPUT FLUSH (character devices)
08h OUTPUT
09h OUTPUT WITH VERIFY
0Ah OUTPUT STATUS (character devices)
0Bh OUTPUT FLUSH (character devices)
0Ch IOCTL OUTPUT
0Dh (DOS 3.0+) DEVICE OPEN
0Eh (DOS 3.0+) DEVICE CLOSE
0Fh (DOS 3.0+) REMOVABLE MEDIA (block devices)
10h (DOS 3.0+) OUTPUT UNTIL BUSY (character devices)
11h (European MS-DOS 4.0) STOP OUTPUT
12h (European MS-DOS 4.0) RESTART OUTPUT
13h (DOS 3.2+) GENERIC IOCTL
14h unused
15h (European MS-DOS 4.0) RESET UNCERTAIN MEDIA FLAG
16h unused
17h (DOS 3.2+) GET LOGICAL DEVICE
18h (DOS 3.2+) SET LOGICAL DEVICE
19h (DOS 5.0+) CHECK GENERIC IOCTL SUPPORT
80h (CD-ROM) READ LONG
81h (CD-ROM) reserved
82h (CD-ROM) READ LONG PREFETCH
83h (CD-ROM) SEEK
84h (CD-ROM) PLAY AUDIO
85h (CD-ROM) STOP AUDIO
86h (CD-ROM) WRITE LONG
87h (CD-ROM) WRITE LONG VERIFY
88h (CD-ROM) RESUME AUDIO
Bitfields for device request status:
Bit(s) Description
15 error
14-11 reserved
10 ??? set by DOS kernel on entry to some driver calls
9 busy
8 done (may be clear on return under Eur. MS-DOS 4.0)
7-0 error code if bit 15 set
Values for device driver error code:
00h write-protect violation
01h unknown unit
02h drive not ready
03h unknown command
04h CRC error
05h bad drive request structure length
06h seek error
07h unknown media
08h sector not found
09h printer out of paper
0Ah write fault
0Bh read fault
0Ch general failure
0Dh reserved
0Eh (CD-ROM) media unavailable
0Fh invalid disk change
Format of device driver request header:
Offset Size Description (Table 2251)
00h BYTE length of request header
01h BYTE subunit within device driver
02h BYTE command code
03h WORD status (filled in by device driver)
05h 4 BYTEs reserved (unused in DOS 2.x and 3.x)
09h DWORD (European MS-DOS 4.0 only) pointer to next
request header in device's request queue
(other versions) reserved
(unused in DOS 2.x and 3.x)
---command code 00h---
0Dh BYTE (ret) number of units
0Eh DWORD (call) pointer to DOS device helper function
(European MS-DOS 4.0 only)
(call) pointer past end of memory available
to driver (DOS 5+)
(ret) address of first free byte following
driver
12h DWORD (call) pointer to commandline arguments
(ret) pointer to BPB array (block drivers)
or 0000h:0000h (character drivers)
16h BYTE (DOS 3.0+) drive number for first unit of
block driver (0=A)
---European MS-DOS 4.0---
17h DWORD pointer to function to save regs. on stack
---DOS 5+ ---
17h WORD (ret) error-message flag
0001h MS-DOS should display error msg on
init failure
---command code 01h---
0Dh BYTE media descriptor
0Eh BYTE (ret) media status
00h don't know
01h media has not changed
FFh media has been changed
0Fh DWORD (ret, DOS 3.0+) pointer to previous volume
ID if the OPEN/CLOSE/RM bit in device header
is set and disk changed
---command code 02h---
0Dh BYTE media descriptor
0Eh DWORD transfer address
-> scratch sector if NON-IBM FORMAT bit in
device header set
-> first FAT sector otherwise
12h DWORD pointer to BPB (set by driver)
---command codes 03h,0Ch---
0Dh BYTE media descriptor (block devices only)
0Eh DWORD transfer address
12h WORD (call) number of bytes to read/write
(ret) actual number of bytes read or written
---command codes 04h,08h,09h ---
0Dh BYTE media descriptor (block devices only)
0Eh DWORD transfer address
12h WORD byte count (character devices) or sector
count (block devices)
14h WORD starting sector number (block devices only)
16h DWORD (DOS 3.0+) pointer to volume ID if error 0Fh
returned
1Ah DWORD (DOS 4.0+) 32-bit starting sector number
(block devices with device attribute word
bit 1 set only) if starting sector number
above is FFFFh.
---command code 05h---
0Dh BYTE byte read from device if BUSY bit clear
on return
---command codes 06h,07h,0Ah,0Bh,0Dh,0Eh,0Fh---
no further fields
---command code 10h---
0Dh BYTE unused
0Eh DWORD transfer address
12h WORD (call) number of bytes to write
(ret) actual number of bytes written
---command codes 11h,12h---
0Dh BYTE reserved
---command code 15h---
no further fields
---command codes 13h,19h---
0Dh BYTE category code
00h unknown
01h COMn:
03h CON
05h LPTn:
07h mouse (European MS-DOS 4.0)
08h disk
0Fh WORD copy of DS at time of IOCTL call
(apparently unused in DOS 3.3)
SI contents (European MS-DOS 4.0)
11h WORD offset of device driver header
DI contents (European MS-DOS 4.0)
13h DWORD pointer to parameter block from
INT 21/AX=440Ch or AX=440Dh
---command codes 80h,82h---
0Dh BYTE addressing mode
00h HSG (default)
01h Phillips/Sony Red Book
0Eh DWORD transfer address (ignored for command 82h)
12h WORD number of sectors to read
(if 0 for command 82h, request is an
advisory seek)
14h DWORD starting sector number
logical sector number in HSG mode
frame/second/minute/unused in Red Book mode
(HSG sector = minute * 4500 + second * 75 +
+ frame - 150)
18h BYTE data read mode
00h cooked (2048 bytes per frame)
01h raw (2352 bytes per frame,
including EDC/ECC)
19h BYTE interleave size (number of sectors stored
consecutively)
1Ah BYTE interleave skip factor
(number of sectors between consecutive
portions)
---command code 83h---
0Dh BYTE addressing mode
00h HSG (default)
01h Phillips/Sony Red Book
0Eh DWORD transfer address (ignored)
12h WORD number of sectors to read (ignored)
14h DWORD starting sector number (see also above)
---command code 84h---
0Dh BYTE addressing mode
00h HSG (default)
01h Phillips/Sony Red Book
0Eh DWORD starting sector number (see also above)
12h DWORD number of sectors to play
---command codes 85h,88h---
no further fields
---command codes 86h,87h---
0Dh BYTE addressing mode
00h HSG (default)
01h Phillips/Sony Red Book
0Eh DWORD transfer address (ignored in write mode 0)
12h WORD number of sectors to write
14h DWORD starting sector number (also see above)
18h BYTE write mode
00h mode 0 (write all zeros)
01h mode 1 (default) (2048 bytes per sector)
02h mode 2 form 1 (2048 bytes per sector)
03h mode 2 form 2 (2336 bytes per sector)
19h BYTE interleave size (number of sectors stored
consecutively)
1Ah BYTE interleave skip factor
(number of sectors between consecutive
portions)
Now, we have information enough to write a programm that
opens the CD-ROM (or closes it).
.model large
.stack 100h
blocks struc
lenght_block db 1Dh
disp_num db 0
funct_num db ?
status_word dw 0000
reserv db 8 dup ('?')
media_desc db 0
buffer_off dw 0
buffer_seg dw ?
sec_num dw ?
first_sec dw ?
dummy db 8 dup ('?')
blocks ends
.data
block blocks
More_Info_Block db 0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0
Buffer db 4096 dup ('?')
est_rout dw 0 ;off
dw 0 ;seg
int_rout dw 0 ;off
dw 0 ;seg
num_cd dw 0
err_code dd 0
text_code dd 0
text db '$'
db 'CD tester program',13,10,'$'
db 'CD was opened, now closing it',10,13,'$'
db 'CD was closed, now openning it',10,13,'$'
error db '$'
db 'Cannot allocate memory',10,13,'$'
db 'MSCDEX is not installed.',10,13,'$'
db 'You need MSCDEX 2.0 or greater',10,13,'$'
db 'No CD-ROM unit found.',13,10,'$'
db 'Function not sopported.',10,13,'$'
.code
.486
START:
pusha
mov ax,@DATA
mov ds,ax
mov text_code,1
call Show_Text
call Get_Mem
jc Show_Error
call Init_MSCDEX
jc Show_Error
call Get_Driver_Far_Calls
call Set_More_Info_Block
call Get_CD_Status
;call Read_Sector
;jmp finish
mov al,[More_Info_Block+1] ;Status returned
and al,1 ;in dword at
test al,al ;offset+1
jne @@1 ;(lower bytes first)
mov text_code,3
call Show_Text
call Open_CD
jmp @@2
@@1: mov text_code,2
call Show_Text
call Close_CD
@@2: jmp finish
finish:
;call Free_Mem
popa
mov ax,4C00h ;Back to DOS.
int 21h
;*************************************************
;****** Procedures ******
;*************************************************
Init_MSCDEX:
mov ax,1500h ;Is MDCDEX installed?
xor bx,bx ;First unit
int 2Fh
cmp bx,1
jae @1 ;MSCDEX to installed
mov num_cd,bx ;Stores gestioned CD_NUM
mov err_code,2 ;Mscdex not installed.
stc ;Set Error flag
ret
@1: mov ax,150Ch ;Get Version
xor bx,bx
int 2Fh
test bh,bh
jne @2
mov err_code,3 ;Version lower than 2.0
stc
ret
@2: mov es,[block.buffer_seg]
xor bx,bx
mov ax,150Dh ;Get unit letter.
int 2Fh
mov al,es:[bx] ;Store first unit
xor cx,cx
mov cl,al
mov ax,150Bh ;Is a CD-ROM unit?
int 2Fh
cmp bx,0ADADh
jne @3
test ax,ax
jne @4 ;Is a CD-ROM
@3: mov err_code,4
stc
ret
@4: clc ;No errors
ret
Get_Mem:
mov ax,@data
mov [block.buffer_seg],ax
lea si,Buffer
mov [block.buffer_off],si
ret
; Could someone tell me why I can't allocate memory
; using the function 48h????
; mov ah,48h
; mov bx,100h ;Allocate 4 Kb
; int 21h
; jc @5
; mov [block.buffer_seg],ax ;Stores alloc. segment
; clc
; ret
;@5: mov err_code,1
; stc
; ret
;Free_Mem:
; mov ah,49h
; mov es,[block.buffer_seg]
; int 21h
; jc @5
; clc
; ret
Get_Driver_Far_Calls:
les bx,dword ptr [block.buffer_off]
mov ax,1501h
int 2Fh
mov ax,es:[bx+3] ;Get Device Driver Segment
mov int_rout+2,ax
mov est_rout+2,ax
mov es,ax
mov ax,es:[8] ;Get Interrupt Routine offset
mov int_rout,ax
mov ax,es:[6] ;Get Estrategic Routine offset
mov est_rout,ax
ret
Set_More_Info_Block:
mov ax,@data
mov [block.buffer_seg],ax
lea di,More_Info_Block
mov [block.buffer_off],di
ret
Open_CD:
mov [block.funct_num],0Ch
mov ax,0 ;Open
mov [More_Info_Block],al
mov [More_Info_Block+1],ah
jmp Execute_Command
Close_CD:
mov [block.funct_num],0Ch
mov ax,5 ;Close
mov [More_Info_Block],al
mov [More_Info_Block+1],ah
jmp Execute_Command
Read_Sector:
mov [block.funct_num],80h
mov [block.media_desc],1 ;Red book
mov [block.sec_num],1 ;Read 1 sector
mov [block.first_sec],20h ;First sector is 20h
mov [block.dummy+2],0 ;Cooked (2048 bytes)
jmp Execute_Command
Get_CD_Status:
mov [block.funct_num],03h
mov ax,6 ;Get CD Status
mov [More_Info_Block],al
mov [More_Info_Block+1],ah
jmp Execute_Command
Execute_Command:
lea bx,block
mov ax,@data
mov es,ax
call dword ptr [est_rout]
call dword ptr [int_rout]
ret
Show_Error:
mov ax,@data
mov ds,ax
lea esi,error
mov ecx,err_code
cld
mov al,'$'
@6: mov ah,[esi]
inc esi
cmp ah,al
jne @6
loop @6
mov edx,esi
mov ah,9
int 21h ;Show error text
jmp finish
Show_Text:
mov ax,@data
mov ds,ax
lea esi,text
mov ecx,text_code
cld
mov al,'$'
@7: mov ah,[esi]
inc esi
cmp ah,al
jne @7
loop @7
mov edx,esi
mov ah,9
int 21h ;Show text
ret
END START
Only one commentary about this program because we will use
this info in the next section.
When you call the function 01h of MSCDEX, we get a struct
with the information about our CD driver this info is the
next (every 5 bytes):
offset meanning
00h Subunit number
01h-05h Far ptr to driver
..
..
Now, if we know that a MS-DEVICE-DRIVER has always a 00
offset, we can read the header info on the driver and get
the both FAR_CALLs, just like you can see in the routine
GET_FAR_CALLS.
Driver Header Struct
+00 Far Ptr to next device driver 1 ptr
+04 Device Attribute 1 word
+06 Offset of Strategic Routine 1 word
+08 Offset of Intrrupt Routine 1 word
+0A Device Driver Name 8 byte
+12 Reserver 1 word
+14 First letter assigned 1 byte
+15 Num. of cd-rom unit gestioned 1 byte
This info is used later to 'create' our driver.
2) REVERSING OUR DEVICE DRIVER
This part can be only aplied enterely to the
'CREATIVE CD_ROM UNIT 2x' whose driver is SBIDE.SYS, but you
can extract ideas and then use them on your own drivers.
We will try to find out how our hardware works and how our
controller gets or sends info to the CD_UNIT.
I though (what a stupid idea for my part) that visiting
the Panasonic Web I would obtain technical info about their
products, but no only info about their x24 CD-ROM and some
other things that zoombies search for on the web pages, so
I though that our Linux friends could give us more info, so
I searched for ATAPI.H and SBPCD.H files and I found an important
info for our purposes (thanks friends)
I will first introduce you some aspects of the PIC, BIOS
parameters and ATAPI definitions.
----------P0020003F--------------------------
PORT 0020-003F - PIC 1 - PROGRAMMABLE INTERRUPT CONTROLLER
(8259A)
0020 -W PIC initialization command word ICW1
0020 -W PIC output control word OCW2
0020 -W PIC output control word OCW3
0020 R- PIC interrupt request/in-service registers
after OCW3
request register:
bit 7-0 = 0 no active request for the
corresponding int. line
= 1 active request for
corresponding interrupt line
in-service register:
bit 7-0 = 0 corresponding line not
currently being serviced
= 1 corresponding int. line
currently being serviced
0021 -W PIC ICW2,ICW3,ICW4 immed after ICW1 to 0020
0021 RW PIC master interrupt mask register OCW1
Bitfields for PIC initialization command word ICW1:
Bit(s) Description
7-5 0 (only used in 8080/8085 mode)
4 ICW1 is being issued
3 (LTIM)
=0 edge triggered mode
=1 level triggered mode
2 interrupt vector size
=0 successive interrupt vectors use 8 bytes (8080/5)
=1 successive interrupt vectors use 4 bytes (80x86)
1 (SNGL)
=0 cascade mode
=1 single mode, no ICW3 needed
0 ICW4 needed
Bitfields for PIC initialization command word ICW2:
Bit(s) Description
7-3 address lines A0-A3 of base vector address for PIC
2-0 reserved
Bitfields for PIC initialization command word ICW3:
Bit(s) Description
7-0 =0 slave controller not attached to corresponding
interrupt pin
=1 slave controller attached to corresponding
interrupt pin
Bitfields for PIC initialization command word ICW4:
Bit(s) Description
7-5 reserved (0)
4 running in special fully-nested mode
3-2 mode
0x nonbuffered mode
10 buffered mode/slave
11 buffered mode/master
1 Auto EOI
0 =0 8085 mode
=1 8086/8088 mode
Bitfields for PIC output control word OCW1:
Bit(s) Description
7 disable IRQ7 (parallel printer interrupt)
6 disable IRQ6 (diskette interrupt)
5 disable IRQ5 (fixed disk interrupt)
4 disable IRQ4 (serial port 1 interrupt)
3 disable IRQ3 (serial port 2 interrupt)
2 disable IRQ2 (video interrupt)
1 disable IRQ1 (keyboard, mouse, RTC interrupt)
0 disable IRQ0 (timer interrupt)
Bitfields for PIC output control word OCW2:
Bit(s) Description
7-5 operation
000 rotate in auto EOI mode (clear)
001 (WORD_A) nonspecific EOI
010 (WORD_H) no operation
011 (WORD_B) specific EOI
100 (WORD_F) rotate in auto EOI mode (set)
101 (WORD_C) rotate on nonspecific EOI command
110 (WORD_E) set priority command
111 (WORD_D) rotate on specific EOI command
4-3 reserved (00 - signals OCW2)
2-0 interrupt request to which the command applies
(only used by WORD_B, WORD_D, and WORD_E)
Bitfields for PIC output control word OCW3:
Bit(s) Description
7 reserved (0)
6-5 special mask
0x no operation
10 reset special mask
11 set special mask mode
4-3 reserved (01 - signals OCW3)
2 poll command
1-0 function
0x no operation
10 read interrupt request register on next read
from PORT 0020h
11 read interrupt in-service register on next read
from PORT 0020h
Note: the special mask mode permits all other interrupts
(even those with lower priority) to be processed
while an interrupt is already in service, but will
not reissue an interrupt for a particular IRQ while
it remains in service
----------P00A000AF--------------------------
PORT 00A0-00AF - PIC 2 - PROGRAMMABLE INTERRUPT CONTROLLER
(8259A)
00A0 RW NMI mask register (XT)
bit 7 = 0 disabled
= 1 enabled
00A0 RW PIC 2 same as 0020 for PIC 1
00A1 RW PIC 2 same as 0021 for PIC 1 except for OCW1
Bitfields for PIC2 output control word OCW2:
Bit(s) Description
7 disable IRQ15 (reserved)
6 disable IRQ14 (fixed disk interrupt)
5 disable IRQ13 (coprocessor exception interrupt)
4 disable IRQ12 (mouse interrupt)
3 disable IRQ11 (reserved)
2 disable IRQ10 (reserved)
1 disable IRQ9 (redirect cascade)
0 disable IRQ8 (real-time clock interrupt)
----------M0040006C--------------------------
MEM 0040h:006Ch - TIMER TICKS SINCE MIDNIGHT
Size: DWORD
----------M00400070--------------------------
MEM 0040h:0070h - TIMER OVERFLOW
Size: BYTE
Desc: non-zero if timer has counted past midnight since
last call to INT 1A/AH=00h
Note: the original IBM BIOS, and thus most other BIOSes,
sets this byte to 01h at midnight; a few (such as
the Eagle PC-2) increment it each time midnight is
passed. The former behavior results in lost days
if multiple midnights pass between "get-time" calls
while the machine is powered up.
--------B-M0040008E--------------------------
MEM 0040h:008Eh - FIXED DISK - INTERRUPT CONTROL [not XT]
Size: BYTE
Note: cleared to 00h at start of disk operation, set to
FFh by IRQ14 handler when hard disk controller
completes command
This is our Linux developers friends help.
/*
* Device-independent level for ATAPI drivers.
*
* Copyright (C) 1995 Cronyx Ltd.
* Author Serge Vakulenko,
*
* This software is distributed with NO WARRANTIES, not even
* the implied warranties for MERCHANTABILITY or FITNESS FOR
* A PARTICULAR PURPOSE.
*
* Authors grant any other persons or organizations
* permission to use or modify this software as long as this
* message is kept with the software, all derivative works
* or modified versions.
*
* Version 1.9, Thu Oct 12 15:53:50 MSK 1995
*/
/*
* Disk Controller ATAPI register definitions.
*/
AR_DATA 0x0 /* RW - data register (16 bits) */
AR_ERROR 0x1 /* R - error register */
AR_FEATURES 0x1 /* W - features */
AR_IREASON 0x2 /* RW - interrupt reason */
AR_TAG 0x3 /* - reserved for SAM TAG byte */
AR_CNTLO 0x4 /* RW - byte count, low byte */
AR_CNTHI 0x5 /* RW - byte count, high byte */
AR_DRIVE 0x6 /* RW - drive select */
AR_COMMAND 0x7 /* W - command register */
AR_STATUS 0x7 /* R - immediate status */
/*
* Status register bits
*/
ARS_CHECK 0x01 /* error occured, see sense key/code */
/* bit 0x02 reserved */
ARS_CORR 0x04 /* correctable error occured */
ARS_DRQ 0x08 /* data request / ireason valid */
ARS_DSC 0x10 /* immediate operation completed */
ARS_DF 0x20 /* drive fault */
ARS_DRDY 0x40 /* ready to get command */
ARS_BSY 0x80 /* registers busy */
/* for overlap mode only: */
ARS_SERVICE 0x10 /* service is requested */
ARS_DMARDY 0x20 /* ready to start a DMA transfer */
ARS_BITS "\20\010busy\7ready\6fault\5opdone\4drq\3corr\
1check"
/*
* Error register bits
*/
AER_ILI 0x01 /* illegal length indication */
AER_EOM 0x02 /* end of media detected */
AER_ABRT 0x04 /* command aborted */
AER_MCR 0x08 /* media change requested */
AER_SKEY 0xf0 /* sense key mask */
AER_SK_NO_SENSE 0x00 /* no specific sense key info */
AER_SK_RECOVERED_ERROR 0x10 /* command succeeded, data recovered */
AER_SK_NOT_READY 0x20 /* no access to drive */
AER_SK_MEDIUM_ERROR 0x30 /* non-recovered data error */
AER_SK_HARDWARE_ERROR 0x40 /* non-recoverable hardware failure */
AER_SK_ILLEGAL_REQUEST 0x50 /* invalid command parameter(s) */
AER_SK_UNIT_ATTENTION 0x60 /* media changed */
AER_SK_DATA_PROTECT 0x70 /* reading read-protected sector */
AER_SK_ABORTED_COMMAND 0xb0 /* command aborted, try again */
AER_SK_MISCOMPARE 0xe0 /* data did not match the medium */
AER_BITS "\20\4mchg\3abort\2eom\1ili"
/*
* Feature register bits
*/
ARF_DMA 0x01 /* transfer data via DMA */
ARF_OVERLAP 0x02 /* release the bus until completion */
/*
* Interrupt reason register bits
*/
ARI_CMD 0x01 /* command(1) or data(0) */
ARI_IN 0x02 /* transfer to(1) or from(0) the host */
ARI_RELEASE 0x04 /* bus released until completion */
/*
* Drive register values
*/
ARD_DRIVE0 0xa0 /* drive 0 selected */
ARD_DRIVE1 0xb0 /* drive 1 selected */
/*
* ATA commands
*/
ATAPIC_IDENTIFY 0xa1 /* get drive parameters */
ATAPIC_PACKET 0xa0 /* execute packet command */
/*
* Mandatory packet commands
*/
ATAPI_TEST_UNIT_READY 0x00 /* check if the device is ready */
ATAPI_REQUEST_SENSE 0x03 /* get sense data */
ATAPI_START_STOP 0x1b /* start/stop the media */
ATAPI_PREVENT_ALLOW 0x1e /* prevent/allow media removal */
ATAPI_READ_CAPACITY 0x25 /* get volume capacity */
ATAPI_READ_BIG 0x28 /* read data */
ATAPI_READ_TOC 0x43 /* get table of contents */
ATAPI_READ_SUBCHANNEL 0x42 /* get subchannel info */
ATAPI_MODE_SELECT_BIG 0x55 /* set device parameters */
ATAPI_MODE_SENSE 0x5a /* get device parameters */
ATAPI_PLAY_CD 0xb4 /* universal play command */
/*
* Optional packet commands
*/
ATAPI_PLAY_MSF 0x47 /* play by MSF address */
ATAPI_PAUSE 0x4b /* stop/start audio operation */
/*
* Nonstandard packet commands
*/
ATAPI_PLAY_TRACK 0x48 /* play by track number */
ATAPI_PLAY_BIG 0xa5 /* play by logical block address */
And here more help of out friends:
And now, lets disasembler my SBIDE.SYS file and follow the
code when Function 3 and subfunction 6 is called
(Get CD_Status):
0000 FFFFFFFF BYTE 4 DUP(0ffh)
;Here DOS will put the next driver
;memory location.
0004 00C8 add al , cl
0006 C700D200 mov word ptr [bx+si], 00D2
;C700 is the Est. Routine offset
;D200 is the Int. Routine offset
000A 3132 xor [bp+si], si
000C 3334 xor si, [si]
000E 353637 xor ax, 3736
0011 3800 cmp [bx+si], al
0013 0000 add [bx+si], al
0015 0100 add [bx+si], ax
0017 000000 BYTE 3 DUP(0)
001A B704 mov bh, 04 ;Jump table
001C B704 mov bh, 04
001E B704 mov bh, 04
0020 6802B7 push B702 ;This is jmp for
;function 3. (0268h)
0023 04B7 add al, B7
0025 04B7 add al, B7
0027 048F add al, 8F
0029 04B7 add al, B7
002B 04B7 add al, B7
002D 04B7 add al, B7
002F 04B7 add al, B7
0031 0488 add al, 88
0033 029904A8 add bl , [bx+di+A804]
0037 04B7 add al, B7
0039 04B7 add al, B7
003B 041B add al, 1B
003D 01B7042F add [bx+2F04], si
0041 013D add [di], di
0043 016C01 add [si+01], bp
0046 DE01 fiadd word ptr [bx+di]
0048 B704 mov bh, 04
004A B704 mov bh, 04
004C 40 inc ax
004D 029802A3 add bl , [bx+si+A302]
0051 02B704B7 add dh, [bx+B704]
0055 04C9 add al, C9
0057 02CE add cl , dh
0059 02D3 add dl, bl ;jmp subfunction 6
005B 020E03EB add cl , [EB03] ; (02D3h)
005F 0229 add ch, [bx+di]
0061 036203 add sp, [bp+si+03]
0064 6D insw
0065 037803 add di, [bx+si+03]
0068 83038E add word ptr [bp+di], FF8E
006B 0399030B add bx, [bx+di+0B03]
006F 0439 add al, 39
0071 044D add al, 4D
0073 0462 add al, 62
0075 047B add al, 7B
0077 0485 add al, 85
0079 0400 add al, 00
007B 00000000000000000000 BYTE 10 DUP(0)
0085 00000000000000000000 BYTE 10 DUP(0)
008F 00000000000000000000 BYTE 10 DUP(0)
0099 00000000000000000000 BYTE 10 DUP(0)
00A3 00000000000000000000 BYTE 10 DUP(0)
00AD 00000000000000000000 BYTE 10 DUP(0)
00B7 00000000000000000000 BYTE 10 DUP(0)
00C1 000000000000 BYTE 6 DUP(0)
00C7 2E891E1600 mov cs:[0016], bx ;Strat. Rout.
00CC 2E8C061800 mov cs:[0018], es
00D1 CB retf
00D2 50 push ax ;Interrupt Routine
00D3 53 push bx
00D4 51 push cx
00D5 52 push dx
00D6 56 push si
00D7 57 push di
00D8 55 push bp
00D9 1E push ds
00DA 06 push es
00DB 2EC51E1600 lds bx, cs:[0016]
00E0 8A4701 mov al, [bx+01] ;Subunit number
00E3 98 cbw
00E4 2EA37C00 mov word ptr cs:[007C],ax
;Subunit
00E8 BE1A00 mov si, 001A ;Init table jmp
00EB 8A4702 mov al , [bx+02] ;Funct. number
00EE 3C10 cmp al, 10
00F0 760D jbe 00FF
00F2 3C80 cmp al, 80
00F4 7206 jb 00FC
00F6 2C6F sub al, 6F
00F8 3C19 cmp al, 19
00FA 7603 jbe 00FF
00FC E9B803 jmp 04B7
00FF 98 cbw ;Functions 0-10h
0100 D1E0 shl ax, 01 ; ax=3*2=6h
0102 03F0 add si, ax ;si=1A+6=20h
0104 0BC0 or ax, ax ;is ax=0?
0106 7403 je 010B ;yes jmp init
0108 2EFF24 jmp word ptr cs:[si] ;jmp 0268
010B B001 mov al, 01
010D 2E86067E00 xchg cs:[007E], al
0112 0AC0 or al , al
0114 75F2 jne 0108
0116 EA0B060000 jmp 0000:060B
011B E8BD03 call 04DB
011E 0BC9 or cx, cx
0120 7502 jne 0124
0122 EB05 jmp 0129
.
.
.
0268 BE4E00 mov si, 004E ;jmp base
026B B20F mov dl, 0F
026D C47F0E les di, [bx+0E] ;More_Info_Block
0270 268A05 mov al , es:[di] ;Subfunction 6
0273 47 inc di
0274 38D0 cmp al , dl
0276 7603 jbe 027B
0278 E93C02 jmp 04B7
027B 98 cbw
027C D1E0 shl ax, 01 ax=6*2=0Ch
027E 03F0 add si, ax si=4E+0C=5Ah
0280 2E8B1E7C00 mov bx, cs:[007C] ;Subunit
0285 2EFF24 jmp word ptr cs:[si] ;jmp 2D3h
0288 BE6E00 mov si, 006E
028B B205 mov dl, 05
028D EBDE jmp 026D
028F B80003 mov ax, 0300
0292 E8C302 call 0558
0295 E92902 jmp 04C1
.
.
.
02D3 06 push es
02D4 57 push di
02D5 E8B129 call 2C89
02D8 5F pop di
02D9 07 pop es
02DA 7209 jb 02E5
02DC 268905 mov es:[di], ax
02DF 26895502 mov es:[di+02], dx
02E3 EBAA jmp 028F
02E5 B80281 mov ax, 8102
02E8 E9D901 jmp 04C4
.
.
.
2C89 06 push es
2C8A 33C9 xor cx, cx
2C8C 0E push cs
2C8D 07 pop es
2C8E 53 push bx
2C8F 51 push cx
2C90 B02A mov al, 2A
2C92 2E80BFFA0700 cmp byte ptr cs:[bx+07FA], 00
2C98 7402 je 2C9C ;if subunit=0 =>al=2Ah
2C9A B00F mov al, 0F ;else al=>0Fh
2C9C B420 mov ah, 20 ;Set this values
2C9E BB2829 mov bx, 2928 ;always
2CA1 B91800 mov cx, 0018 ;why???
2CA4 9A20060000 call 0000:0620
;(at cs:620 we have a jmp 085E ==>
Get_CD_Status PROC??)
2CA9 59 pop cx
2CAA 5B pop bx
2CAB 7303 jnb 2CB0 ;any error?
2CAD E9E100 jmp 2D91 ;yes
2CB0 2E80BFFA0700 cmp byte ptr cs:[bx+07FA], 00
2CB6 7502 jne 2CBA
2CB8 EB65 jmp 2D1F
;This part sets the CD_Status bits
;according to the standart order.
2CBA 2EA02A29 mov al, cs:[292A]
2CBE 3C70 cmp al, 70
2CC0 7504 jne 2CC6
2CC2 81C90008 or cx, 0800
2CC6 3C71 cmp al, 71
2CC8 7504 jne 2CCE
2CCA 81C90108 or cx, 0801
2CCE 2EA03429 mov al, cs:[2934]
2CD2 81C90010 or cx, 1000
2CD6 A810 test al, 10
2CD8 7504 jne 2CDE
2CDA 81E1FFEF and cx, EFFF
2CDE 81C90004 or cx, 0400
2CE2 A802 test al, 02
2CE4 7504 jne 2CEA
2CE6 81E1FFFB and cx, FBFF
2CEA 83C910 or cx, 0010
2CED A801 test al, 01
2CEF 7503 jne 2CF4
2CF1 83E1EF and cx, FFEF
2CF4 2EA03529 mov al, cs:[2935]
2CF8 81C90001 or cx, 0100
2CFC A818 test al, 18
2CFE 7504 jne 2D04
2D00 81E1FFFE and cx, FEFF
2D04 83C902 or cx, 0002
2D07 2EF606342980 test byte ptr cs:[2934], 80
2D0D 741C je 2D2B
2D0F 83E1FD and cx, FFFD
2D12 2EF606362902 test byte ptr cs:[2936], 02
2D18 7511 jne 2D2B
2D1A 83C902 or cx, 0002
2D1D EB67 jmp 2D86
2D1F 2EA02A29 mov al, cs:[292A]
2D23 3C70 cmp al, 70
2D25 7504 jne 2D2B
2D27 81C90008 or cx, 0800
2D2B 3C71 cmp al, 71
2D2D 7504 jne 2D33
2D2F 81C90108 or cx, 0801
2D33 2EA03529 mov al, cs:[2935]
2D37 81C90010 or cx, 1000
2D3B A804 test al, 04
2D3D 7504 jne 2D43
2D3F 81E1FFEF and cx, EFFF
2D43 2EA03429 mov al, cs:[2934]
2D47 81C90004 or cx, 0400
2D4B A810 test al, 10
2D4D 7504 jne 2D53
2D4F 81E1FFFB and cx, FBFF
2D53 83C910 or cx, 0010
2D56 A801 test al, 01
2D58 7503 jne 2D5D
2D5A 83E1EF and cx, FFEF
2D5D 2EA03729 mov al, cs:[2937]
2D61 81C90001 or cx, 0100
2D65 A803 test al, 03
2D67 7504 jne 2D6D
2D69 81E1FFFE and cx, FEFF
2D6D 83C902 or cx, 0002
2D70 2EF606362901 test byte ptr cs:[2936], 01
2D76 740E je 2D86
2D78 83E1FD and cx, FFFD
2D7B 2EF606362902 test byte ptr cs:[2936], 02
2D81 7503 jne 2D86
2D83 83C902 or cx, 0002
2D86 81C98402 or cx, 0284
2D8A 8BC1 mov ax, cx ;ax=cd_status word
2D8C 33D2 xor dx, dx
2D8E F8 clc
2D8F 07 pop es
2D90 C3 ret
Let's put a bpx at call interrupt_routine of our program,
Sice must stop at 0001:00D2 (we are executing a get
cd_status command) and stepping a little through the code we
will arrive at the beginning of these function:
Get_CD_Status Proc ??? (Later we will see this is a common
procedure that uses the registers
to perform different operations)
085E FC cld
085F 1E push ds
0860 06 push es
0861 55 push bp
0862 53 push bx
0863 51 push cx
0864 52 push dx
0865 57 push di
0866 56 push si
0867 0E push cs
0868 1F pop ds
0869 E8410E call 16AD ;Save Registers
086C E86E10 call 18DD ;EOI if posible
086F 1E push ds
0870 B84000 mov ax, 0040
0873 8ED8 mov ds, ax
0875 BB8E00 mov bx, 008E
0878 80277F and byte ptr [bx], 7F ;Clears
;byte #7
087B 1F pop ds
087C C606EC0700 mov byte ptr [07EC], 00
0881 C606ED0701 mov byte ptr [07ED], 01 ;Driver
;in use
0886 E87110 call 18FA ;Store IRQ Mask
0889 E8DD0F call 1869 ;Enable CD IRQ
088C C706E8070000 mov word ptr [07E8], 0000
0892 C606C30600 mov byte ptr [06C3], 00
0897 1E push ds
0898 07 pop es
0899 FC cld ;Clears buffer
089A B90C00 mov cx, 000C ;where CD will
089D BF3C06 mov di, 063C ;store it status
08A0 B000 mov al, 00
08A2 F3AA repz stosb
08A4 8B1E7C00 mov bx, [007C]
08A8 D1E3 shl bx, 01
08AA 8B974C07 mov dx, [bx+074C] ;Get IO base
;(3F6h)
08AE B008 mov al, 08
08B0 EE out dx, al ; ????
08B1 8B972C07 mov dx, [bx+072C] ;Get IO base
;(1F6h)
08B5 8A879407 mov al, [bx+0794] ;Get drive
;(B0h)=>1
08B9 EE out dx, al ; Select drive 1
08BA A02706 mov al, [0627] ;Get initial al
(see call 16AD)
08BD D0E0 shl al, 01 ;Function*2
;20h*2=40h
08BF 8D3E1208 lea di, [0812] ;Get Jmp base
08C3 32E4 xor ah, ah ;ah=0
08C5 03F8 add di, ax ;Get Jmp address
;40h+812h=852h
08C7 FF25 jmp word ptr [di] ;Jump 1383h
;this is the point where
;different tasks are done.
08C9 32E4 xor ah, ah
08CB F8 clc
08CC 9C pushf
08CD 50 push ax
08CE E83C10 call 190D ;Restore Old IRQ Mask
08D1 58 pop ax
08D2 9D popf
08D3 2EC606ED0700 mov byte ptr cs:[07ED],00;Driver
;Free
08D9 FB sti
08DA 5E pop si
08DB 5F pop di
08DC 5A pop dx
08DD 59 pop cx
08DE 5B pop bx
08DF 5D pop bp
08E0 07 pop es
08E1 1F pop ds
08E2 CB retf
0842 81 0F E3 08 80 0B E3 08 E3 08 72 13 22 0E 6F 0F
0852 83 13 37 14 77 10 13 15 5A 15 BE 15 FC
^^^^^
Get_CD_Status ENDP ???
Now, we must try to discover what does mean every byte and
what action performs every call, and then, following the
Fravia's advices we will use our Word Processor and we will
replace numbers with letters.
call 16AD ===> Save Registers
16AD 88262706 mov [0627], ah
16B1 A22806 mov byte ptr [0628], al
16B4 882E2906 mov [0629], ch
16B8 880E2A06 mov [062A], cl
16BC 88362B06 mov [062B], dh
16C0 88162C06 mov [062C], dl
16C4 891E2306 mov [0623], bx
16C8 8C062506 mov [0625], es
16CC 893E2F06 mov [062F], di
16D0 89362D06 mov [062D], si
16D4 C3 ret
call 18DD ==> Get PIC Interrupt Service Register
18DD FA cli
18DE 50 push ax
18DF B00B mov al, 0B
18E1 E6A0 out A0, al ;Next read
;give me the
;ISR register
18E3 EB00 jmp 18E5 ;Give time
18E5 EB00 jmp 18E7 ;to PIC
18E7 E4A0 in al, A0 ;Get ISR
18E9 A810 test al, 10 ;Is IRQ.
;in service (CD)
18EB 740A je 18F7 ;Yes, do nothing
18ED B020 mov al, 20 ;EOI
18EF E6A0 out A0, al ;
18F1 EB00 jmp 18F3 ;Give time
18F3 EB00 jmp 18F5 ;to PIC
18F5 E620 out 20, al ;EOI
18F7 58 pop ax
18F8 FB sti
18F9 C3 ret
Bitfields for PIC output control word OCW3:
Bit(s) Description
7 reserved (0)
6-5 special mask
0x no operation
10 reset special mask
11 set special mask mode
4-3 reserved (01 - signals OCW3)
2 poll command
1-0 function
0x no operation
10 read interrupt request register on next read
from PORT 0020h
11 read interrupt in-service register on next read
from PORT 0020h
Remember that 0Bh=00001011b => 0 00 01 0 11
0=Reserved
00=no operation
01=OCW3
0=no polling command
11=read interrupt in service register on next read
of port A0h or 20h.
#10h=00010000==> CD-ROM
Master Slave
bit #0 Timer Real Time Clock
bit #1 Keyboard Free
bit #2 Real Time Clock Free
bit #3 2nd Serial Port Free (usually SB or CD)
bit #4 1st Serial Port Free (usually SB or CD)
bit #5 2nd Paral. Port Math Coprocessor
bit #6 Floppy disk Hard disk
bit #7 1st Paral. Port Free
Bitfields for PIC output control word OCW2:
Bit(s) Description
7-5 operation
000 rotate in auto EOI mode (clear)
001 (WORD_A) nonspecific EOI
010 (WORD_H) no operation
011 (WORD_B) specific EOI
100 (WORD_F) rotate in auto EOI mode (set)
101 (WORD_C) rotate on nonspecific EOI command
110 (WORD_E) set priority command
111 (WORD_D) rotate on specific EOI command
4-3 reserved (00 - signals OCW2)
2-0 interrupt request to which the command applies
(only used by WORD_B, WORD_D, and WORD_E)
And 20h=00100000 ==> 001 00 000
001=nonspecific EOI (end of interruption)
00=OCW2
000=Not used here
call 18FA ==> Get master and slave interrupt mask and stores
them at [6C9] and [6CA]
18FA FA cli
18FB 50 push ax
18FC E421 in al, 21 ;Get Master I.M.
18FE 2EA2C906 mov byte ptr cs:[06C9], al
1902 EB00 jmp 1904 ;Timing
1904 E4A1 in al, A1 ;Get Slave I.M.
1906 2EA2CA06 mov byte ptr cs:[06CA], al
190A 58 pop ax
190B FB sti
190C C3 ret
call 1869 ==> Enable CD interrupts
1869 50 push ax
186A 53 push bx
186B 51 push cx
186C 52 push dx
186D FA cli
186E E4A1 in al, A1 ;Get slave I.M.
1870 8AE0 mov ah, al
1872 EB00 jmp 1874
1874 E421 in al, 21 ;Get master I.M.
1876 2E8B1E7C00 mov bx, cs:[007C] ;Get Subunit
187B D1E3 shl bx, 01 ;Subunit*2
187D 2E8B97CC06 mov dx,cs:[bx+06CC] ;Get IO base
;for this
;subunit
;stored at
;init fase
1882 E81000 call 1895 ;Get CD IRQ
1885 0BC1 or ax, cx ;and enable it
1887 E621 out 21, al ;Set Master IRQ
1889 86E0 xchg al , ah
188B EB00 jmp 188D
188D E6A1 out A1, al ;Set Slave IRQ
188F FB sti
1890 5A pop dx
1891 59 pop cx
1892 5B pop bx
1893 58 pop ax
1894 C3 ret
call 1895 ==> Get CD Interrupt
1895 56 push si
1896 B90400 mov cx, 0004
1899 BEC407 mov si, 07C4
189C 2E3B14 cmp dx, cs:[si] ;dx=1F0h
189F 7408 je 18A9 ;Are equal?
18A1 83C605 add si, 0005 ;No, next posible
;IO base and Int.
18A4 E2F6 loop 189C
18A6 5E pop si
18A7 F9 stc
18A8 C3 ret
18A9 2E8B4C03 mov cx, cs:[si+03] ;Store IRQ
;for CD
18AD 5E pop si
18AE F8 clc
18AF C3 ret
And these are the bytes stored in the file:
(Buffer where the driver will store some important
values).
0623 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0633 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0643 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0653 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0663 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0673 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0683 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0693 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
06A3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
06B3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
06C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0691 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
069B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
06C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0691 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
069B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
.
.
07C4 F0 01 0E 00 40 70 01 0F 00 80 E8 01 0B 00 08 68
07D4 01 0A 00 04 00 00 00 00 00 00 00 00 00 00 00 00
07E4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0812 0D 0B E3 08 A9 0D E3 08 E3 08 E3 08 81 0C E3 08
0822 34 0E 93 0F 7E 10 9A 10 E8 10 E3 08 E3 08 03 11
call 1895 ==> Restore Old IRQ Mask (see Call 18FA)
190D FA cli
190E 50 push ax
190F 2EA0C906 mov al, cs:[06C9]
1913 E621 out 21, al
1915 EB00 jmp 1917
1917 2EA0CA06 mov al, cs:[06CA]
191B E6A1 out A1, al
191D 58 pop ax
191E FB sti
191F C3 ret
Jmp 1383 ==> Get_Device_Parameters
(action is defined in registers at entry
at address 85Eh)
1383 C706E8070000 mov word ptr [07E8], 0000
;# bytes??
1389 C6063C065A mov byte ptr [063C], 5A
;Mandatory packet
;get device parameters.
138E A02806 mov al, [0628]
1391 A23E06 mov byte ptr [063E], al
1394 A02906 mov al, [0629]
1397 A24306 mov byte ptr [0643], al
139A A02A06 mov al, [062A]
139D A24406 mov byte ptr [0644], al
13A0 8A262906 mov ah, [0629]
13A4 A02A06 mov al, [062A]
13A7 A3E607 mov word ptr [07E6], ax
13AA E86204 call 180F ;Create mandatory
;packet command
13AD E82503 call 16D5 ;Send mandatory packet
13B0 727A jb 142C
13B2 8B3E2306 mov di, [0623]
13B6 8E062506 mov es, [0625]
13BA E8B603 call 1773 ;Is command finished?
13BD 7275 jb 1434
13BF 8B97EC06 mov dx, [bx+06EC] ;dx=1F2h
13C3 EC in al, dx ;Get Int. reason
13C4 3C02 cmp al, 02 ;Was int. caused by
; a transfer?
13C6 7403 je 13CB
13C8 E98AF6 jmp 0A55
13CB 8B973C07 mov dx, [bx+073C] ;dx=1F7h
13CF EC in al, dx
13D0 A801 test al, 01 ;Any error?
13D2 7403 je 13D7
13D4 E929F5 jmp 0900
13D7 8B971C07 mov dx, [bx+071C] ;dx=1F5h
13DB EC in al, dx ;Get #bytes to receive
13DC 8AE0 mov ah, al
13DE 4A dec dx
13DF EC in al, dx
13E0 8BC8 mov cx, ax
13E2 010EE807 add [07E8], cx
13E6 FC cld
13E7 D1E9 shr cx, 01 ;bytes->words
13E9 8B97CC06 mov dx, [bx+06CC] ;Get base 3F7h
13ED F36D repz insw ;Get CD_Status bytes
13EF A1E807 mov ax, word ptr [07E8]
13F2 3906E607 cmp [07E6], ax ;correct #bytes
;received?
13F6 75C2 jne 13BA
13F8 E87803 call 1773 ;Dis/Enable CD irq
13FB 7237 jb 1434
13FD 53 push bx
13FE D1EB shr bx, 01
1400 80BFFA0700 cmp byte ptr [bx+07FA], 00
1405 5B pop bx
1406 740C je 1414
1408 8B973C07 mov dx, [bx+073C]
140C EC in al, dx
140D A808 test al, 08
140F 740F je 1420
1411 E941F6 jmp 0A55
1414 8B97EC06 mov dx, [bx+06EC]
1418 EC in al, dx
1419 3C03 cmp al, 03
141B 7403 je 1420
141D E935F6 jmp 0A55
1420 8B973C07 mov dx, [bx+073C]
1424 EC in al, dx
1425 A801 test al, 01
1427 7408 je 1431
1429 E9D4F4 jmp 0900
142C 7406 je 1434
142E E9BAF4 jmp 08EB
1431 E995F4 jmp 08C9
1434 E9BCF4 jmp 08F3
call 180F ==> Create a mandatory packet command (M.P.C.) and
store it at 648h.
180F FC cld
1810 BF4806 mov di, 0648 ;M.P.C.
1813 0E push cs
1814 07 pop es
1815 B000 mov al, 00
1817 AA stosb
1818 B000 mov al, 00
181A AA stosb
181B AA stosb
181C A1E607 mov ax, word ptr [07E6]
181F AA stosb
1820 86E0 xchg al , ah
1822 AA stosb
1823 8A879407 mov al ,[bx+0794] ;Drive (B0h=1)
1827 AA stosb
1828 B0A0 mov al, A0 ;Command (A0h=execute
;M.P.C.)
182A AA stosb
182B C3 ret
The result of this action is:
0648 00 00 00 ?? ?? B0 A0
where ???? is stored at [7E6] and you could see how [7E6] is
a copy of the memory location word [629]==> CX at entry (see
call 16AD).
call 16D5 ==> Send Mandatory packet
16D5 8B1E7C00 mov bx, [007C];get subunit
16D9 D1E3 shl bx, 01
16DB E8DD00 call 17BB ;Is drive busy?
16DE 7244 jb 1724 ;Any Error?
16E0 E84901 call 182C ;Initialize driver and
;prepare it to receive
;the M.P.C.
16E3 80BFA40700 cmp byte ptr [bx+07A4], 00
16E8 7502 jne 16EC
16EA EB19 jmp 1705
16EC E88400 call 1773 ;Is command finished?
16EF 7233 jb 1724
16F1 8B97EC06 mov dx, [bx+06EC]
16F5 EC in al, dx
16F6 3C01 cmp al, 01
16F8 752E jne 1728
16FA 8B973C07 mov dx, [bx+073C]
16FE EC in al, dx
16FF A808 test al, 08
1701 7425 je 1728
1703 EB05 jmp 170A
1705 E82400 call 172C ;Prepared to data
;request?
1708 721A jb 1724
170A 8B973C07 mov dx, [bx+073C]
170E EC in al, dx
170F A880 test al, 80 ;Is busy?
1711 7402 je 1715 ;No, send
1713 EBF5 jmp 170A ;Yes, try again
1715 FC cld
1716 BE3C06 mov si, 063C ;M.P.C. add.
1719 B90600 mov cx, 0006 ;Send 0Ch
;bytes
;(63Ch-647h)
171C 8B97CC06 mov dx, [bx+06CC];dx=1F0h
1720 F3 repz
1721 6F outsw
1722 F8 clc
1723 C3 ret
1724 32E4 xor ah, ah
1726 F9 stc ;Return with error
1727 C3 ret
1728 0BD2 or dx, dx
172A F9 stc
172B C3 ret
call 17BB ==> Is drive busy?
17BB C706C4060200 mov word ptr [06C4], 0002
17C1 2E803ECB0688 cmp byte ptr cs:[06CB], 88
;at init fase, we can set the drq
;type, on depending of this we set
;different timeouts values (I need
;more info of this phase)
17C7 7406 je 17CF
17C9 C706C406B400 mov word ptr [06C4],00B4 ;timeout
;value
17CF E8F101 call 19C3 ;Set timeout
17D2 E81202 call 19E7 ;Is timeout finished?
17D5 740B je 17E2 ;Yes, return with error
;we are tired of waiting
17D7 8B973C07 mov dx, [bx+073C] ;Get inmediate
17DB EC in al, dx ;status
17DC A880 test al, 80 ;Is busy?
17DE 75F2 jne 17D2 ;Yes, give it more time
17E0 F8 clc
17E1 C3 ret
17E2 F9 stc
17E3 C3 ret
call 19C3 ==> Set Timeout (get bios ticks counter, adds
the timeout value and stores it at
[6C4])
19C3 9C pushf
19C4 50 push ax
19C5 53 push bx
19C6 1E push ds
19C7 BB4000 mov bx, 0040
19CA 8EDB mov ds, bx
19CC BB6C00 mov bx, 006C ;Bios ticks
;count
19CF 8B07 mov ax, [bx]
19D1 8B5F02 mov bx, [bx+02]
19D4 1F pop ds
19D5 891EC606 mov [06C6], bx
19D9 0106C406 add [06C4], ax
19DD 7304 jnb 19E3
19DF FF06C606 inc word ptr [06C6]
19E3 5B pop bx
19E4 58 pop ax
19E5 9D popf
19E6 C3 ret
call 19E7 ==> Is timeout finished? (compare Bios ticks
counter with previously stored value)
19E7 50 push ax
19E8 53 push bx
19E9 1E push ds
19EA B84000 mov ax, 0040
19ED 8ED8 mov ds, ax
19EF BB6C00 mov bx, 006C
19F2 8B07 mov ax, [bx]
19F4 8B5F02 mov bx, [bx+02]
19F7 1F pop ds
19F8 3B1EC606 cmp bx, [06C6]
19FC 7208 jb 1A06
19FE 3B06C406 cmp ax, [06C4]
1A02 7202 jb 1A06
1A04 33C0 xor ax, ax ;Time finished
1A06 5B pop bx
1A07 58 pop ax
1A08 C3 ret
call 1773 ==> Is command finished?
1773 53 push bx
1774 E8C600 call 183D ;Disable CD irq
1777 C706C406B400 mov word ptr [06C4], 00B4
177D E84302 call 19C3 ;Set timeout
1780 E86402 call 19E7 ;Is timeout finished?
1783 7430 je 17B5
1785 F606EC0701 test byte ptr [07EC], 01
178A 751E jne 17AA
178C E82101 call 18B0 ;Get CD irq number
178F 3C0E cmp al, 0E ;Is 0Eh?
1791 75ED jne 1780
1793 1E push ds
1794 B84000 mov ax, 0040
1797 8ED8 mov ds, ax
1799 BB8E00 mov bx, 008E
179C F60780 test byte ptr [bx], 80
;irq sets this bit when the
;command is finished
179F 7406 je 17A7
17A1 80277F and byte ptr [bx], 7F ;Clear it
;for future uses.
17A4 1F pop ds
17A5 EB03 jmp 17AA
17A7 1F pop ds
17A8 EBD6 jmp 1780 ;Give it more time
;to end the command
17AA C606EC0700 mov byte ptr [07EC], 00
17AF E8B700 call 1869 ;Enable CD irq
17B2 5B pop bx
17B3 F8 clc ;No error returned
17B4 C3 ret
17B5 E8B100 call 1869 ;Enable CD irq
17B8 5B pop bx
17B9 F9 stc ;Error returned
17BA C3 ret
call 183D ==> Disable CD irq
183D 50 push ax
183E 53 push bx
183F 51 push cx
1840 52 push dx
1841 FA cli
1842 E4A1 in al, A1
1844 8AE0 mov ah, al
1846 EB00 jmp 1848
1848 E421 in al, 21
184A 8B1E7C00 mov bx, [007C] ;subunit
184E D1E3 shl bx, 01
1850 8B97CC06 mov dx, [bx+06CC]
1854 E83E00 call 1895 ;Get CD irq
1857 F7D1 not cx
1859 23C1 and ax, cx ;and clear it
185B E621 out 21, al ;send irq mask
185D 86E0 xchg al , ah
185F EB00 jmp 1861
1861 E6A1 out A1, al
1863 FB sti
1864 5A pop dx
1865 59 pop cx
1866 5B pop bx
1867 58 pop ax
1868 C3 ret
call 18D0 ==> Get CD irq number
18B0 56 push si
18B1 53 push bx
18B2 51 push cx
18B3 52 push dx
18B4 2E8B1E7C00 mov bx, cs:[007C] ;Subunit
18B9 D1E3 shl bx, 01
18BB 2E8B97CC06 mov dx, cs:[bx+06CC]
18C0 B90400 mov cx, 0004
18C3 BEC407 mov si, 07C4
18C6 2E3B14 cmp dx, cs:[si]
18C9 7408 je 18D3
18CB 83C605 add si, 0005
18CE E2F6 loop 18C6
18D0 F9 stc
18D1 EB05 jmp 18D8
18D3 2E8A4402 mov al , cs:[si+02] ;return irq
;number
18D7 F8 clc
18D8 5A pop dx
18D9 59 pop cx
18DA 5B pop bx
18DB 5E pop si
18DC C3 ret
call 182C ==> Prepare drive to receive the M.P.C.
182C FC cld
182D BE4806 mov si, 0648
1830 8B97DC06 mov dx, [bx+06DC]
1834 B90700 mov cx, 0007
1837 AC lodsb
1838 EE out dx, al
1839 42 inc dx
183A E2FB loop 1837
183C C3 ret
call 172Ch ==> Prepared to data request?
172C 803E3C0612 cmp byte ptr [063C], 12
;Was command 12h?
;What is this command????
1731 750E jne 1741
1733 C706C4060200 mov word ptr [06C4], 0002
1739 E88702 call 19C3
173C E8A802 call 19E7
173F 75FB jne 173C
1741 8B974C07 mov dx, [bx+074C]
1745 E87300 call 17BB ;Is drive busy?
1748 7225 jb 176F
174A C706C4060200 mov word ptr [06C4], 0002
1750 2E803ECB0688 cmp byte ptr cs:[06CB], 88
1756 7406 je 175E
1758 C706C406B400 mov word ptr [06C4], 00B4
175E E86202 call 19C3 ;Set timeout
1761 E88302 call 19E7 ;Is timeout finished?
1764 7409 je 176F
1766 EC in al, dx ;Get inmediate status
1767 2488 and al, 88
1769 3C08 cmp al, 08 ;Prepared for data
;request?
176B 7404 je 1771
176D EBF2 jmp 1761
176F F9 stc
1770 C3 ret
1771 F8 clc
1772 C3 ret
Well, sorry I know this doc is very disordered, but you can
print it and so it will be easier to understand.
The conclusions we can extract of this is how a CD_UNIT,
works and we can find some M.P.C. we can use either under
W95 (this will be the next step of this project).
The execution flow is:
*Get function to perform.
*Prepare drive to send M.P.C.
*Create the M.P.C. for this function
*Send M.P.C.
*Get Data sent by the drive.
Obviously we must check the drive status between steps,
to be sure we can send/receive correctly the data.
So we will try to find out all the M.P.C., and here we have
again the invaluable help of Linux developers.
This is part of the sbpcd.h file.
all numbers (lba, msf-bin, msf-bcd, counts) to transfer high byte first
mnemo 7-byte command #bytes response (r0...rn)
________ ____________________ ____
Read Status:
status: 81. (1) one-byte command, gives the main
status byte
Read Error:
check1: 82 00 00 00 00 00 00. (6) r1: audio status
Read Packet:
check2: 8e xx 00 00 00 00 00. (xx) gets xx bytes response, relating
to commands 01 04 05 07 08 09
Play Audio:
play: 0a ll-bb-aa nn-nn-nn. (0) play audio, ll-bb-aa: starting block (lba),
nn-nn-nn: #blocks
Play Audio MSF:
0b mm-ss-ff mm-ss-ff (0) play audio from/to
Play Audio Track/Index:
0c ...
Pause/Resume:
pause: 8d pr 00 00 00 00 00. (0) pause (pr=00)
resume (pr=80) audio playing
Mode Select:
84 00 nn-nn ??-?? 00 (0) nn-nn: 2048 or 2340
possibly defines transfer size
set_vol: 84 83 00 00 sw le 00. (0) sw(itch): lrxxxxxx (off=1)
le(vel): min=0, max=FF, else half
(firmware 2.11)
Mode Sense:
get_vol: 85 03 00 00 00 00 00. (2) tell current audio volume setting
Read Disc Information:
tocdesc: 8b 00 00 00 00 00 00. (6) read the toc descriptor ("msf-bin"-format)
Read TOC:
tocent: 8c fl nn 00 00 00 00. (8) read toc entry #nn
(fl=0:"lba"-, =2:"msf-bin"-format)
Read Capacity:
capacit: 88 00 00 00 00 00 00. (5) "read CD-ROM capacity"
Read Path Check:
ping: 00 00 00 00 00 00 00. (2) r0=AA, r1=55
("ping" if the drive is connected)
Read Drive Version:
ident: 83 00 00 00 00 00 00. (12) gives "MATSHITAn.nn"
(n.nn = 2.01, 2.11., 3.00, ...)
Seek:
seek: 01 00 ll-bb-aa 00 00. (0)
seek: 01 02 mm-ss-ff 00 00. (0)
Read Data:
read: 02 xx-xx-xx nn-nn fl. (??) read nn-nn blocks of 2048 bytes,
starting at block xx-xx-xx
fl=0: "lba"-, =2:"msf-bcd"-coded xx-xx-xx
Read XA-Data:
read: 03 xx-xx-xx nn-nn fl. (??) read nn-nn blocks of 2340 bytes,
starting at block xx-xx-xx
fl=0: "lba"-, =2:"msf-bcd"-coded xx-xx-xx
Read SUB_Q:
89 fl 00 00 00 00 00. (13) r0: audio status, r4-r7: lba/msf,
fl=0: "lba", fl=2: "msf"
Read Disc Code:
8a 00 00 00 00 00 00. (14) possibly extended "check condition"-info
Read Header:
04 00 ll-bb-aa 00 00. (0) 4 bytes response with "check2"
04 02 mm-ss-ff 00 00. (0) 4 bytes response with "check2"
Spin Up:
05 00 ll-bb-aa 00 00. (0) possibly implies a "seek"
Spin Down:
06 ...
Diagnostic:
07 00 ll-bb-aa 00 00. (2) 2 bytes response with "check2"
07 02 mm-ss-ff 00 00. (2) 2 bytes response with "check2"
Read UPC:
08 00 ll-bb-aa 00 00. (16)
08 02 mm-ss-ff 00 00. (16)
Read ISRC:
09 00 ll-bb-aa 00 00. (15) 15 bytes response with "check2"
09 02 mm-ss-ff 00 00. (15) 15 bytes response with "check2"
Set XA Parameter:
86 ...
Read XA Parameter:
87 ...
==============================================================================
============================================================================*/
/*
* commands
*
* CR-52x: CMD0_
* CR-56x: CMD1_
* CD200: CMD2_ <== This is my CD model. * LCS-7260: CMDL_ * TEAC CD-55A: CMDT_ * ECS-AT: CMDV_ */ #define CMD1_RESET 0x0a #define CMD2_RESET 0x01 #define CMDT_RESET 0xc0 #define CMD1_LOCK_CTL 0x0c #define CMD2_LOCK_CTL 0x1e #define CMDT_LOCK_CTL CMD2_LOCK_CTL #define CMDL_LOCK_CTL 0x0e #define CMDV_LOCK_CTL CMDL_LOCK_CTL #define CMD1_TRAY_CTL 0x07 #define CMD2_TRAY_CTL 0x1b #define CMDT_TRAY_CTL CMD2_TRAY_CTL #define CMDL_TRAY_CTL 0x0d #define CMDV_TRAY_CTL CMDL_TRAY_CTL #define CMD1_MULTISESS 0x8d #define CMDL_MULTISESS 0x8c #define CMDV_MULTISESS CMDL_MULTISESS #define CMD1_SUBCHANINF 0x11 #define CMD2_SUBCHANINF 0x?? #define CMD1_ABORT 0x08 #define CMD2_ABORT 0x08 #define CMDT_ABORT 0x08 #define CMD2_x02 0x02 #define CMD2_SETSPEED 0xda #define CMD0_PATH_CHECK 0x00 #define CMD1_PATH_CHECK 0x??? #define CMD2_PATH_CHECK 0x??? #define CMDT_PATH_CHECK 0x??? #define CMDL_PATH_CHECK CMD0_PATH_CHECK #define CMDV_PATH_CHECK CMD0_PATH_CHECK #define CMD0_SEEK 0x01 #define CMD1_SEEK CMD0_SEEK #define CMD2_SEEK 0x2b #define CMDT_SEEK CMD2_SEEK #define CMDL_SEEK CMD0_SEEK #define CMDV_SEEK CMD0_SEEK #define CMD0_READ 0x02 #define CMD1_READ 0x10 #define CMD2_READ 0x28 #define CMDT_READ CMD2_READ #define CMDL_READ CMD0_READ #define CMDV_READ CMD0_READ #define CMD0_READ_XA 0x03 #define CMD2_READ_XA 0xd4 #define CMD2_READ_XA2 0xd5 #define CMDL_READ_XA CMD0_READ_XA /* really ?? */ #define CMDV_READ_XA CMD0_READ_XA #define CMD0_READ_HEAD 0x04 #define CMD0_SPINUP 0x05 #define CMD1_SPINUP 0x02 #define CMD2_SPINUP CMD2_TRAY_CTL #define CMDL_SPINUP CMD0_SPINUP #define CMDV_SPINUP CMD0_SPINUP #define CMD0_SPINDOWN 0x06 /* really??? */ #define CMD1_SPINDOWN 0x06 #define CMD2_SPINDOWN CMD2_TRAY_CTL #define CMDL_SPINDOWN 0x0d #define CMDV_SPINDOWN CMD0_SPINDOWN #define CMD0_DIAG 0x07 #define CMD0_READ_UPC 0x08 #define CMD1_READ_UPC 0x88 #define CMD2_READ_UPC 0x??? #define CMDL_READ_UPC CMD0_READ_UPC #define CMDV_READ_UPC 0x8f #define CMD0_READ_ISRC 0x09 #define CMD0_PLAY 0x0a #define CMD1_PLAY 0x??? #define CMD2_PLAY 0x??? #define CMDL_PLAY CMD0_PLAY #define CMDV_PLAY CMD0_PLAY #define CMD0_PLAY_MSF 0x0b #define CMD1_PLAY_MSF 0x0e #define CMD2_PLAY_MSF 0x47 #define CMDT_PLAY_MSF CMD2_PLAY_MSF #define CMDL_PLAY_MSF 0x??? #define CMD0_PLAY_TI 0x0c #define CMD1_PLAY_TI 0x0f #define CMD0_STATUS 0x81 #define CMD1_STATUS 0x05 #define CMD2_STATUS 0x00 #define CMDT_STATUS CMD2_STATUS #define CMDL_STATUS CMD0_STATUS #define CMDV_STATUS CMD0_STATUS #define CMD2_SEEK_LEADIN 0x00 #define CMD0_READ_ERR 0x82 #define CMD1_READ_ERR CMD0_READ_ERR #define CMD2_READ_ERR 0x03 #define CMDT_READ_ERR CMD2_READ_ERR /* get audio status */ #define CMDL_READ_ERR CMD0_READ_ERR #define CMDV_READ_ERR CMD0_READ_ERR #define CMD0_READ_VER 0x83 #define CMD1_READ_VER CMD0_READ_VER #define CMD2_READ_VER 0x12 #define CMDT_READ_VER CMD2_READ_VER /* really ?? */ #define CMDL_READ_VER CMD0_READ_VER #define CMDV_READ_VER CMD0_READ_VER #define CMD0_SETMODE 0x84 #define CMD1_SETMODE 0x09 #define CMD2_SETMODE 0x55 #define CMDT_SETMODE CMD2_SETMODE #define CMDL_SETMODE CMD0_SETMODE #define CMD0_GETMODE 0x85 #define CMD1_GETMODE 0x84 #define CMD2_GETMODE 0x5a #define CMDT_GETMODE CMD2_GETMODE #define CMDL_GETMODE CMD0_GETMODE #define CMD0_SET_XA 0x86 #define CMD0_GET_XA 0x87 #define CMD0_CAPACITY 0x88 #define CMD1_CAPACITY 0x85 #define CMD2_CAPACITY 0x25 #define CMDL_CAPACITY CMD0_CAPACITY /* missing in some firmware versions */ #define CMD0_READSUBQ 0x89 #define CMD1_READSUBQ 0x87 #define CMD2_READSUBQ 0x42 #define CMDT_READSUBQ CMD2_READSUBQ #define CMDL_READSUBQ CMD0_READSUBQ #define CMDV_READSUBQ CMD0_READSUBQ #define CMD0_DISKCODE 0x8a #define CMD0_DISKINFO 0x8b #define CMD1_DISKINFO CMD0_DISKINFO #define CMD2_DISKINFO 0x43 #define CMDT_DISKINFO CMD2_DISKINFO #define CMDL_DISKINFO CMD0_DISKINFO #define CMDV_DISKINFO CMD0_DISKINFO #define CMD0_READTOC 0x8c #define CMD1_READTOC CMD0_READTOC #define CMD2_READTOC 0x??? #define CMDL_READTOC CMD0_READTOC #define CMDV_READTOC CMD0_READTOC #define CMD0_PAU_RES 0x8d #define CMD1_PAU_RES 0x0d #define CMD2_PAU_RES 0x4b #define CMDT_PAUSE CMD2_PAU_RES #define CMDL_PAU_RES CMD0_PAU_RES #define CMDV_PAUSE CMD0_PAU_RES #define CMD0_PACKET 0x8e #define CMD1_PACKET CMD0_PACKET #define CMD2_PACKET 0x??? #define CMDL_PACKET CMD0_PACKET #define CMDV_PACKET 0x??? And more defines: /* * bits of flags_cmd_out: */ #define f_respo3 0x100 #define f_putcmd 0x80 #define f_respo2 0x40 #define f_lopsta 0x20 #define f_getsta 0x10 #define f_ResponseStatus 0x08 #define f_obey_p_check 0x04 #define f_bit1 0x02 #define f_wait_if_busy 0x01 /* * diskstate_flags: */ #define x80_bit 0x80 #define upc_bit 0x40 #define volume_bit 0x20 #define toc_bit 0x10 #define multisession_bit 0x08 #define cd_size_bit 0x04 #define subq_bit 0x02 #define frame_size_bit 0x01 /* * the status_bits variable */ #define p_success 0x100 #define p_door_closed 0x80 #define p_caddy_in 0x40 #define p_spinning 0x20 #define p_check 0x10 #define p_busy_new 0x08 #define p_door_locked 0x04 #define p_disk_ok 0x01 With this info, we can work developing our own driver, with it we can control all, even we can create a virtual CD on any directory of your hard disk, simply returning the info that the program demands. W95 is the same, go to the iosubsys directory and find the vxd file that handles the CD (I'm working on it at this time). Comments, addings and corrections are welcomed (and needed) +Rcg 1997
(c) +Rcg, 1997. All rights reversed.
You are deep inside fravia's page of reverse engineering,
choose your way out:
Back to Project 4
homepage
links
anonymity
+ORC
students' essays
academy database
tools
cocktails
antismut CGI-scripts
search_forms
mail_fravia
Is reverse engineering illegal?