fix: real-BIOS CD boot — trampoline, buffer, static reset

JoeMatt · JoeMatt · commit f88a3931b1a5 · 2026-04-22T17:48:32.000-04:00
Three fixes that take real-BIOS CD boot from 0/9 to 5/9 passing:

1. Boot stub trampoline ($080000): The BIOS always does JSR $080000
   after authentication, but most games' boot stubs load at $004000,
   $006000, or $124000. When the load address differs from $080000,
   install a JMP trampoline at $080000 pointing to the actual address.

2. Boot stub buffer (256KB -&gt; 600KB): Battle Morph's boot stub is
   414KB — exceeds the old 256KB buffer. Matches the HLE path's 600KB.

3. Static flag reset: cdAuthBypassInstalled and cdBootStubInjected
   are now module-level statics reset in JaguarReset() via
   JaguarResetCDHooks(), preventing stale state across core reloads.

Also adds frozen-OOB diagnostic snapshots to test_cd_bios_boot.c:
captures registers, prev-PC bytes, stack, A0/A1 memory at the exact
moment the PC first leaves valid memory, before OP/blitter can corrupt
the post-mortem evidence.

Real-BIOS baseline (600 frames, 9 CUE discs):
  PASS: BrainDead 13, Dragon's Lair, Highlander, Hover Strike, Space Ace
  FAIL: Baldies (BIOS init OOB), Battle Morph (BIOS init OOB),
        Iron Soldier 2 (self-loop $006AC0),
        Primal Rage (self-loop at CD_read $003616)

Made-with: Cursor
diff --git a/src/jaguar.c b/src/jaguar.c
@@ -168,11 +168,19 @@ void JaguarDumpPCHistoryStderr(int count)
  *
  * Installed lazily on the first virtual-pregap read served by cdintf.c so
  * the BIOS has finished decrypting and copying its code into RAM. */
+static bool cdAuthBypassInstalled = false;
+static bool cdBootStubInjected = false;
+
+void JaguarResetCDHooks(void)
+{
+   cdAuthBypassInstalled = false;
+   cdBootStubInjected = false;
+}
+
 void JaguarInstallCDAuthBypass(void)
 {
-   static bool installed = false;
    const uint32_t bneAddr = 0x050AA0;
-   if (installed)
+   if (cdAuthBypassInstalled)
       return;
 
    if (jaguarMainRAM[bneAddr]     != 0x66 || jaguarMainRAM[bneAddr + 1] != 0x00
@@ -182,13 +190,13 @@ void JaguarInstallCDAuthBypass(void)
               bneAddr,
               jaguarMainRAM[bneAddr], jaguarMainRAM[bneAddr + 1],
               jaguarMainRAM[bneAddr + 2], jaguarMainRAM[bneAddr + 3]);
-      installed = true;
+      cdAuthBypassInstalled = true;
       return;
    }
    jaguarMainRAM[bneAddr]     = 0x4E; jaguarMainRAM[bneAddr + 1] = 0x71;
    jaguarMainRAM[bneAddr + 2] = 0x4E; jaguarMainRAM[bneAddr + 3] = 0x71;
    LOG_INF("[CD-AUTH] Installed BNE.W $0504EC -> 2x NOP at $%06X\n", bneAddr);
-   installed = true;
+   cdAuthBypassInstalled = true;
 }
 
 void JaguarDumpMemWindow(uint32_t centerPC, uint32_t before, uint32_t after)
@@ -542,19 +550,42 @@ void M68KInstructionHook(void)
 
       if (m68kPC == 0x050176)
       {
-         static bool bootStubInjected = false;
-         if (!bootStubInjected)
+         if (!cdBootStubInjected)
          {
-            static uint8_t stub[256 * 1024];
+            static uint8_t stub[600 * 1024];
             uint32_t loadAddr = 0, length = 0;
-            bootStubInjected = true;
+            cdBootStubInjected = true;
             if (CDIntfExtractBootStub(stub, sizeof(stub), &loadAddr, &length))
             {
                uint32_t i;
                for (i = 0; i < length && (loadAddr + i) < 0x200000; i++)
                   jaguarMainRAM[loadAddr + i] = stub[i];
                LOG_INF("[CD-BOOTSTUB] Injected $%X bytes at $%06X\n",
                        length, loadAddr);
+
+               /* Dump the 68K instruction at the injection hook PC so we can
+                * see whether it's `JSR $080000` or something else. */
+               LOG_INF("[CD-BOOTSTUB] Bytes at PC=$050176: %02X %02X %02X %02X %02X %02X %02X %02X\n",
+                       jaguarMainRAM[0x050176], jaguarMainRAM[0x050177],
+                       jaguarMainRAM[0x050178], jaguarMainRAM[0x050179],
+                       jaguarMainRAM[0x05017A], jaguarMainRAM[0x05017B],
+                       jaguarMainRAM[0x05017C], jaguarMainRAM[0x05017D]);
+               LOG_INF("[CD-BOOTSTUB] JSR target at $050178 = $%02X%02X%02X%02X\n",
+                       jaguarMainRAM[0x050178], jaguarMainRAM[0x050179],
+                       jaguarMainRAM[0x05017A], jaguarMainRAM[0x05017B]);
+
+               if (loadAddr != 0x080000)
+               {
+                  LOG_INF("[CD-BOOTSTUB] Boot stub loads at $%06X, not $080000 — "
+                          "installing trampoline at $080000\n", loadAddr);
+                  /* JMP loadAddr (4EF9 xxxx xxxx) */
+                  jaguarMainRAM[0x080000] = 0x4E;
+                  jaguarMainRAM[0x080001] = 0xF9;
+                  jaguarMainRAM[0x080002] = (loadAddr >> 24) & 0xFF;
+                  jaguarMainRAM[0x080003] = (loadAddr >> 16) & 0xFF;
+                  jaguarMainRAM[0x080004] = (loadAddr >>  8) & 0xFF;
+                  jaguarMainRAM[0x080005] = (loadAddr >>  0) & 0xFF;
+               }
             }
          }
       }
@@ -1058,8 +1089,8 @@ void JaguarReset(void)
 {
    unsigned i;
 
-   // Contents of local RAM are quasi-stable; we simulate this by randomizing RAM contents.
-   // Skip the region occupied by a RAM-loaded executable (ABS/COFF) so it survives reset.
+   JaguarResetCDHooks();
+
    JaguarSeedPRNG(12345);
    for(i=8; i<0x200000; i+=4)
    {
diff --git a/test/test_cd_bios_boot.c b/test/test_cd_bios_boot.c
@@ -111,6 +111,20 @@ struct cd_disc_result {
     bool     unique_pc_overflow;
     size_t   ram_nonzero_bytes;
     char     load_error[256];
+
+    /* Frozen snapshot at the moment PC first leaves the valid execute window.
+     * Captured ONCE so the post-mortem reflects the actual transition rather
+     * than the OP/blitter scribble that may keep mutating RAM afterwards. */
+    bool     oob_snapshot_captured;
+    uint32_t oob_pc;
+    uint32_t oob_prev_pc;
+    uint32_t oob_frame;
+    uint32_t oob_regs[16];           /* D0..D7, A0..A7 (SP shadow) */
+    uint8_t  oob_prev_pc_bytes[32];  /* RAM around prev_pc (the JMP/RTS that fired) */
+    uint8_t  oob_sp_bytes[32];       /* RAM at SP (top of stack — likely RTS source) */
+    uint32_t oob_sp_addr;
+    uint8_t  oob_a0_bytes[32];
+    uint8_t  oob_a1_bytes[32];
 };
 
 static bool cd_load_game(const char *path)
@@ -168,6 +182,7 @@ static void cd_run_one_disc(const char *path, unsigned frames,
     uint32_t first_oob_pc = 0;
     unsigned first_oob_frame = 0;
     size_t   oob_count = 0;
+    uint32_t prev_pc = 0;
 
     for (unsigned f = 0; f < frames; f++) {
         p_retro_run();
@@ -181,10 +196,49 @@ static void cd_run_one_disc(const char *path, unsigned frames,
                 if (!first_oob_pc) {
                     first_oob_pc = oob;
                     first_oob_frame = f;
+
+                    /* Freeze diagnostic state immediately — anything we read
+                     * later might be corrupted by OP/Blitter chasing garbage. */
+                    if (!out->oob_snapshot_captured) {
+                        out->oob_snapshot_captured = true;
+                        out->oob_pc      = oob;
+                        out->oob_prev_pc = prev_pc;
+                        out->oob_frame   = f;
+
+                        for (int r = 0; r < 16; r++)
+                            out->oob_regs[r] = C.m68k_get_reg(NULL, r);
+
+                        if (ram) {
+                            uint32_t a0 = out->oob_regs[8];
+                            uint32_t a1 = out->oob_regs[9];
+                            uint32_t sp = C.m68k_get_reg(NULL, M68K_REG_SP);
+                            out->oob_sp_addr = sp;
+
+                            uint32_t pbase = (prev_pc >= 8 && prev_pc < 0x200000)
+                                             ? (prev_pc - 8) : 0;
+                            for (int i = 0; i < 32; i++) {
+                                uint32_t a = pbase + i;
+                                out->oob_prev_pc_bytes[i] = (a < 0x200000) ? ram[a] : 0;
+                            }
+                            for (int i = 0; i < 32; i++) {
+                                uint32_t a = sp + i;
+                                out->oob_sp_bytes[i] = (a < 0x200000) ? ram[a] : 0;
+                            }
+                            for (int i = 0; i < 32; i++) {
+                                uint32_t a = a0 + i;
+                                out->oob_a0_bytes[i] = (a < 0x200000) ? ram[a] : 0;
+                            }
+                            for (int i = 0; i < 32; i++) {
+                                uint32_t a = a1 + i;
+                                out->oob_a1_bytes[i] = (a < 0x200000) ? ram[a] : 0;
+                            }
+                        }
+                    }
                 }
                 oob_count++;
                 out->pc_stayed_in_ram = false;
             }
+            prev_pc = pc;
         }
     }
 
@@ -383,6 +437,33 @@ TEST(boot_all_discovered_discs_real_bios)
                 r->unique_pc_count,
                 r->unique_pc_overflow ? "+" : "",
                 r->final_pc);
+
+        if (r->oob_snapshot_captured) {
+            fprintf(stderr,
+                    "    [OOB-FROZEN] frame=%u prev_pc=$%06X -> oob_pc=$%08X\n",
+                    r->oob_frame, r->oob_prev_pc, r->oob_pc);
+            fprintf(stderr,
+                    "    [OOB-REGS] D0=$%08X D1=$%08X D2=$%08X D3=$%08X "
+                    "A0=$%08X A1=$%08X A6=$%08X SP=$%08X\n",
+                    r->oob_regs[0], r->oob_regs[1], r->oob_regs[2], r->oob_regs[3],
+                    r->oob_regs[8], r->oob_regs[9], r->oob_regs[14], r->oob_sp_addr);
+            fprintf(stderr, "    [OOB-PREVBYTES $%06X]", r->oob_prev_pc & 0xFFFFFF);
+            for (int i = 0; i < 32; i++)
+                fprintf(stderr, " %02X", r->oob_prev_pc_bytes[i]);
+            fprintf(stderr, "\n");
+            fprintf(stderr, "    [OOB-SPBYTES   $%06X]", r->oob_sp_addr & 0xFFFFFF);
+            for (int i = 0; i < 32; i++)
+                fprintf(stderr, " %02X", r->oob_sp_bytes[i]);
+            fprintf(stderr, "\n");
+            fprintf(stderr, "    [OOB-A0BYTES   $%06X]", r->oob_regs[8] & 0xFFFFFF);
+            for (int i = 0; i < 32; i++)
+                fprintf(stderr, " %02X", r->oob_a0_bytes[i]);
+            fprintf(stderr, "\n");
+            fprintf(stderr, "    [OOB-A1BYTES   $%06X]", r->oob_regs[9] & 0xFFFFFF);
+            for (int i = 0; i < 32; i++)
+                fprintf(stderr, " %02X", r->oob_a1_bytes[i]);
+            fprintf(stderr, "\n");
+        }
     }
 
     fprintf(stderr, "    --- discs: %zu pass, %zu fail, %zu focus-skip ---\n",
