Loadram is a program written by Sprite_tm which allows to load and execute Z80 compiled binary code on your s1mp3 device over the USB-bus. It's meant to allow testing of an .AP without creating a completely new firmware image and re-flashing the player with it. It works under Linux as well as Windows.
Download loadram from the following location(s):
How to setup your system
The program is based on libusb, a portable open-source usb library.
- Uninstall the ADFU driver from Actions (if installed)
- Install the Swan ADFU driver supplied with the loadram package (/bin/driver/ folder)
On Linux and other *nixes:
- Install libusb on your system
How to use
The program can be used to upload small subroutines as well as large programs.
- Set your s1mp3 the the firmware upgrade mode on the SYS menu
- Subroutine upload: Run loadram program.bin - this will send the program.bin binary to the s1mp3 and execute it. The program should be linked to run from address 0x3400; that's where it's going to be put in ram. The upload will fail at least for programs >3072 (=0xc00) bytes; the secondary loader will be needed to exceed that limit.
- Application upload: Run loadram 2ndstage.bin program.bin - this will send the program.bin binary to the s1mp3 and execute it. The program should be linked to run from address 0x600; it's put in RAM starting at address 0, though, so a header of 0x600 bytes might be needed. This upload method supports binaries of up to 14K (14336 bytes, to be exact)
How does it work
When a player contains the wrong firmware in the flash chip, the ADFU driver uploads a few programs to the Z80 RAM and executes them in order to find out the flash type and re-load the proper firmware. Studying a plain USB dump of that process was possible to recreate this functionality. Loadram executes the following 2 steps:
- overwrite memory starting from address 0x3400 with the contents of the binary
- send an execute command to ATJ20xx to execute the uploaded binary
Version 0.2 supports the upload of larger programs through a second-stage loader implanted at 0x3800, which then proceeds to overwrite the memory under it with data read from the USB-port; finally the execution point is set to address 0x600 through a simple jump instruction. AP files generated by the s1sdk can be tested this way.
The package comes with two examples.