Test read:

[45] URB_FUNCTION_VENDOR_DEVICE 20070809131541.935 (+0)
Transfer flags: 0x00000001 (USBD_TRANSFER_DIRECTION_IN)
Transfer buffer length: 4
Request type reserved bits: 00
Request: FF
Value: 0007
Index: FFF0

[45] URB_FUNCTION_CONTROL_TRANSFER (SUCCESS/0x00000000) 20070809131541.935 (+0)
IRP status: 0x00000000 (STATUS_SUCCESS)
Pipe handle: 0x836DCBA8
Transfer flags: 0x0000000B (USBD_TRANSFER_DIRECTION_IN, USBD_SHORT_TRANSFER_OK)
Transfer buffer length: 4
Bytes transfered: 9F CF 00 E0 (.)
Setup packet: C0 FF 07 00 F0 FF 04 00 (....)

Request Type:
	0x40 = Host to device vendor @ device
	0xC0 = Device to host vendor @ device

	D7 Data Phase Transfer Direction
		0 = Host to Device
		1 = Device to Host
	D6..5 Type
		0 = Standard
		1 = Class
		2 = Vendor
		3 = Reserved
	D4..0 Recipient
		0 = Device
		1 = Interface
		2 = Endpoint
		3 = Other
		4..31 = Reserved

Fast I/O with USB scan codes:
   Read test:
	urb_function_vendor_device (0x17):
		Transfer flags:  0xB (
		request: FF
		value:	 0007
		Index:	 C028
	urb_function_control_transfer (0x8):
		Setup:	C0 FF 07 00 F0 FF 04 00
		Reply:	9F CF 00 E0
	Setup is FFC0, command 7 (read), address C028, bytes 4


   Read:
	urb_function_vendor_device:
		request: FF
		value:	 0007
		Index:	 C028
	urb_function_control_transfer:
		Setup:	C0 FF 07 00 28 C0 04 00
		Reply:	00 00 00 00
	Setup is FFC0, command 7 (read), address C028, bytes 4

   Write:
	urb_function_vendor_device:
		request: FF
		value:	 0000
		Index:	 304C
		Transfer:  B6 C3 04 00 00 28 C0 00 00 00
	urb_function_control_transfer:
		Setup:	40 FF 00 00 4C 30 0A 00
	B6C3, 4 bytes (total), command 0 (byte), addr C028, word 0

All of this is implemented in SUSB2_loader:
	Reads just return memory -- simple!
	Writes set load_do = 1, which makes SCAN_INT take over in idle.

	This calls down to scan:
		..which calls to scan_write_mem:
		..which does a call r7 (uli1:) per byte!
			this uses r13 (addr) and r6 (bytes left)
		..which is fed by uget_more:
			uget_more sets up a transfer into 64-byte o_ctl_buf @ 0x406
		..which is fed by SUSB2_RECEIVE:
			uget_more sets up callback, then enters wait loop
		..which arms the hardware DMA engine to receive the packet!

	It's sort of amazing it's as fast as it is...

	Crazy ultra-speed is simple:
		Override INT 101d (SUSB2_VENDOR) to call our custom routine
		Send data with request=0xFE instead of 0xFF
		In our custom routine, set up location and count and call SUSB2_RECEIVE
		If SUSB2_RECEIVE handles packet splitting (it might), we are done!!
		Pattern custom routine after send_data:

	The only tricky thing is that SCAN mode seems to send a 0 byte 'finished' packet
		I guess we don't really need that...

Jserve design:

	Uses 0x1800 and 0x2800 (just like jcp) for 'fast send'
		Fast send is used prior to program start

	Just like with jcp, all data is stored in 68K endian
	This means jserve swizzles and deswizzles bytes like JCP

Uses 0x1000-0x1FE0 for I/O:

	-3 means 'running'
		No commands can be sent at this time
	-2 means 'stopped on exception'
		This implicitly executes a #4
	-1 means 'ack' (finished command, waiting for next)
	0 means 'ping'
	1 means 'write memory' [X or M]
	2 means 'read memory' [m]
		0x1404 contains source address (dword)
		0x1408 contains longword count -1 (dword)
	3 means 'write registers' [G]
		0x1410 contains the registers
	4 means 'read registers' [g]
		0x1410 contains the registers when cmd = -1
	5 means 'set PC and OR flags' [part of c or s]
		0x1404 contains the new PC
		0x1408 contains the OR flag (to set single step)
	6 means 'continue' [part of c or s]
		Execution continues where it left off

Register details:
	180 register bytes -- see kgdb.h for a reference

	#define NUMREGSBYTES	180
	struct gdb_regs {
	    long		   regs[16];		/* d0-a7 */
	    unsigned	   format :  4; 	/* frame format specifier */
	    unsigned	   vector : 12; 	/* vector offset */
	    unsigned short sr;				/* status register */
	    unsigned long  pc;				/* program counter */
		unsigned long  fpregs[8*3];		/* fp0-fp7 */
		unsigned long  fpcntl[3];		/* fpcr, fpsr, fpiar */
	};

	Also from the m68k-stub.c exception handler:
		0-63 are registers d0-a7
		64-65 are ... 68020 fields -- leave them 0!
		66 is status reg
		68 is PC	

m68K


How to use it:
	trap #15 trips a breakpoint
