Handling banked ROM

[phaseseeker]

Hi, I'm trying to work on a system (based on an Hitachi HD6305Y2 MCU, basically a CMOS 6805 with a different memory map) where the ROM gets split in two banks mapped on addresses 0x01FF-0x3FFF and 0x41FF-0x7FFF selected by toggling a single bit in a register. The issue is that Ghidra obviously doesn't recognize the existence of two banks, so a lot of jump/branch addresses are completely wrong; what I was wondering is: is there any way (maybe by modifying the Sleigh spec) of making Ghidra recognize the different bank and recognize that the two instructions
BSET 0x0, 0x0024
and
BCLR 0x0, 0x0024
as bank switching instructions?
Thanks in advance

[GhidorahRex]

The easiest fix is to add a bank select context register value

define register offset=0x40 size=4 [ contextreg ];

define context contextreg
    bank=(0,0)
;

then specific constructors for BSET and BCLR for setting it:

:BCLR 0, DIRECT	is op4_7=1 & bit_0=1 & n=0; DIRECT & imm8=0x24
	[bank=0;]{
	local mask = ~1;
	DIRECT = DIRECT & mask;
}

:BSET 0, DIRECT	is op4_7=1 & bit_0=0 & n=0; DIRECT & imm8=0x24
	[bank=1;]{
	local mask = 1;
	DIRECT = DIRECT | mask;
}

You'll need to modify the addressing modes to account for the bit, as an example:

ADDR: addr 		is op4_6=3; imm8 [ addr=((bank << 14) | imm8);]	{ export *:1 addr; }
ADDR: addr 		is op4_6=4; imm16 [ addr=((bank << 14) | imm16);]		{ export *:1 addr; }

but there's more accesses that need to be done. You would want to make sure that you only update the addressing modes for instructions that use the paging. I haven't verified any of that, but this should at least address the jump instructions however.

[phaseseeker]

Thanks a lot!
I think only modifying the addressing modes for JMP/JSR instructions should be enough since in this specific system the only thing it's reading from ROM is code (excluding the ROM checksum calculation routine, but it's easy enough to handle that separately).

[phaseseeker]

I've doing some more testing, and it appears it doesn't work unfortunately... JMP/JSR instructions executed while in the high bank still point to addresses in the low bank, see attached screenshots:


I've also modified the two bank switch instructions (that I renamed BANKSET/BANKCLR, see the attached slaspec) to also act as jumps, because changing the bank effectively changes where the processor fetches the next instructions from.
hitachi.slaspec.txt