Thanks a lot Dave. Did you disassemble the ROM yourself? Are all the ROMs (or at least more parts of them) disassembled and available for download somewhere? I tried to search on Google some of the comments and all I could find where your other posts in this forum.
I don't think I'll have much time for this at least until the weekend, but I'm not sure what to do next.
Unfortunately UD6 is not socketed. The possibly affected ROM - UD7 - is, though. As well as the CPU, UA3, UD11, UD12 and UF11.
I've been comparing the expected values with the ones received:
but I don't see a clear pattern here. Apart from bits 1 and 5 that seem to be stuck high, there are other bits that go high when they should be low and vice versa (just in case someone is wondering, yes, I noticed in the code that the registers are initialised in reverse order, starting by 17 and ending by 0). I'll probably capture this a few more times again to make sure the corruption is not some random, but I did the least significant bits twice the other day and both reads were identical.
I've been recommended to build a NOP generator and exhaustively test all the paths of the address lines, between every IC and every buffer. But to be honest, I find a bit difficult to believe that there is something wrong with the address lines. After all, the CPU seems to be loading and executing the CRTC initialisation code (albeit this is receiving the wrong register addresses and values).
If the data is corrupted when the CPU is reading it from the ROM it makes more sense that it's corrupted in the actual ROM than getting corrupted on its way to the CPU. After all, the instructions came from the same place and through the same way.
The corruption could also happen between the CPU and the CRTC, but there is a direct connection between them; no possible broken buffers in between. So it could be that the CPU is outputting the wrong values (rare) or that the CRTC is corrupting its data inputs when it's enabled (maybe actioning a read instead of a write?).
There is also the possibility that any other IC connected to the data bus is getting enabled and outputting data when it shouldn't, but somehow conditioned to some signals that are enabled when writing to the CRTC, as it's obviously not interfering at other times, like, once again, when the CPU is fetching code. Maybe I should get the logic analyser, hook it again to the 4 control lines of the CRTC and use the other 4 inputs to check that no other IC gets enabled during writes to the CRTC?
Or take advantage of the Edit ROM being socketed, buy a cheap eprom programmer and read and compare its content to a dump. I guess they're on zimmers? Also, I'm not sure how many content variants there are... I think I read that some ROMs were different depending on things like the keyboard's language; I don't know if this is one of those that change. This is a computer built in Germany (I guess, SERIAL NO. WG) with an QWERTY keyboard).
Other option I just though: These CPUs are very simple. I guess that they don't have any kind of caches, instructions pipelines or anything like that. So in theory, I should be able to see the instructions and data coming into the CPU as it's executing this code. Probably using the CRCT's CS as a trigger to find the right point in time.
Anything that I might be missing? Any other suggestions? What would you do next?