Super Game Boy enhanced games hotpatch the SGB firmware?
I've been looking at Game Boy stuff lately, and I noticed that most Super Game Boy-enhanced games send one or two standard sequences of DATA_SND command packets (the SGB command to transfer up to 11 bytes to an arbitrary SNES address) at startup when they detect they are running on a SGB. The payloads of these standard packets looked a lot like 65816 code to me, so I put them together and disassembled them. Interesting.
If anyone has reverse-engineered the SGB firmware sufficiently to tell what these apparent hotpatches are for, or is interested in doing so, I'd be interested in your findings. The first one appears to be sprite-related--$7EC000 is where the SGB has its shadow OAM. Maybe it's related to the SGB sprite functionality which was never used by any official game?
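As an added example (not code from this thread, and not taken from any game or from the SGB firmware), here is a small Python tool that does what the opening post describes doing by hand: it builds DATA_SND packets from a patch body, scans a ROM image for such packets and reassembles their payloads into contiguous SNES address ranges. It assumes only the DATA_SND packet layout documented in Pan Docs (a 16-byte packet whose first byte is (command << 3) | length, followed by the little-endian destination address, the bank, a byte count of 1 to 11 and the data). The two patch bodies embedded in it are transcribed from the disassemblies posted later in this thread; the ROM image they sit in is constructed filler, and the bank filter is a heuristic of mine.

```python
"""Build, find and reassemble Super Game Boy DATA_SND packets.

Added example for this thread, not code from the forum or from any game. It
assumes only the SGB packet layout documented in Pan Docs: a packet is 16
bytes, byte 0 is (command << 3) | packet_count, and for DATA_SND (command
$0F, always a single packet) bytes 1-2 hold the destination address (little
endian), byte 3 the bank, byte 4 the byte count (1..11) and bytes 5-15 the
payload.  The two patch bodies below are transcribed from the disassemblies
posted in this thread; the ROM image they are embedded in is constructed.
"""
from typing import Dict, List, Optional, Tuple

DATA_SND = 0x0F
PACKET_LEN = 16
MAX_PAYLOAD = 11
DATA_SND_HEADER = (DATA_SND << 3) | 1   # = $79, the byte the grep/TextPad searches start with

# SOU_TRN hook, SNES $00:0900-$00:0921 (34 bytes), as listed by nocash in this thread.
SOU_TRN_PATCH = bytes.fromhex(
    "ADC202" "C909" "D01A" "A901" "8D0042" "AFDBFF00" "F005"
    "2073C5" "8003" "2076C5" "A931" "8D0042" "68" "68" "60"
)
# OBJ patch body, SNES $00:0820-$00:0860 (65 bytes); the jmp/nop/ret stub at $0810 is left out.
OBJ_PATCH = bytes.fromhex(
    "A901" "CD4F0C" "D039" "CD480C" "D034"
    "A5C9" "C980" "D00C" "A5CA" "C97E" "D006" "A5CB" "C97E" "F012"
    "A5C9" "C9C8" "D01C" "A5CA" "C9C4" "D016" "A5CB" "C905" "D010"
    "A228" "A9E7" "9F01C07E" "E8E8E8E8" "E08C" "D0F4" "60"
)


def build_data_snd(dest: int, data: bytes) -> List[bytes]:
    """Split `data` for 24-bit SNES address `dest` into 16-byte DATA_SND packets (11 bytes each)."""
    packets = []
    for off in range(0, len(data), MAX_PAYLOAD):
        chunk = data[off:off + MAX_PAYLOAD]
        addr = dest + off
        header = bytes([DATA_SND_HEADER, addr & 0xFF, (addr >> 8) & 0xFF,
                        (addr >> 16) & 0xFF, len(chunk)])
        packets.append((header + chunk).ljust(PACKET_LEN, b"\x00"))
    return packets


def parse_data_snd(packet: bytes) -> Optional[Tuple[int, bytes]]:
    """Decode one packet; returns (dest, payload) or None if it is not a well-formed DATA_SND."""
    if len(packet) < PACKET_LEN or packet[0] != DATA_SND_HEADER:
        return None
    count = packet[4]
    if not 1 <= count <= MAX_PAYLOAD:
        return None
    dest = packet[1] | (packet[2] << 8) | (packet[3] << 16)
    return dest, bytes(packet[5:5 + count])


def find_data_snd(rom: bytes, banks=(0x00, 0x7E, 0x7F)) -> List[Tuple[int, int, bytes]]:
    """Heuristic scan of a GB ROM image for DATA_SND packets: $79 header, sane count, plausible bank.

    Returns (rom_offset, dest, payload) triples.  $79 is also a GB opcode (LD A,C), so the
    bank filter is what keeps false positives down; widen `banks` if a game targets others.
    """
    hits = []
    for i in range(len(rom) - PACKET_LEN + 1):
        parsed = parse_data_snd(rom[i:i + PACKET_LEN])
        if parsed is not None and (parsed[0] >> 16) in banks:
            hits.append((i, parsed[0], parsed[1]))
    return hits


def reassemble(hits: List[Tuple[int, int, bytes]]) -> Dict[int, bytes]:
    """Merge packet payloads into contiguous SNES memory chunks keyed by start address.

    Identical (dest, payload) pairs are deduplicated first, so a game that stores the same
    packet sequence twice (as reported for Olympic Summer Games below) yields one chunk.
    """
    unique = sorted({(dest, data) for _, dest, data in hits})
    chunks: Dict[int, bytes] = {}
    for dest, data in unique:
        for start in list(chunks):
            if start + len(chunks[start]) == dest:
                chunks[start] += data
                break
        else:
            chunks[dest] = data
    return chunks


def demo_rom() -> bytes:
    """Constructed ROM image: filler bytes around the packet sequences a game would store."""
    filler = bytes(range(256)) * 4
    packets = build_data_snd(0x000900, SOU_TRN_PATCH) + build_data_snd(0x000820, OBJ_PATCH)
    return filler + b"".join(packets) + filler


if __name__ == "__main__":
    for dest, body in sorted(reassemble(find_data_snd(demo_rom())).items()):
        print(f"${dest:06X}: {body.hex()}")
```

With the SOU_TRN body split into 11-byte packets from $000900, the third packet comes out as 79 16 09 00 0B 03 20 76 C5 A9 31 8D 00 42 68 68, which is exactly the byte string the grep command later in this thread searches for, and the first packet contains the 0BADC202C909D01AA9018D sequence used in the TextPad search (which stops just before the 00 that TextPad treated as end of line). Whether a particular game splits its packets at the same boundaries is something to check per title; the reassembler does not care, as long as the packets are contiguous.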
Re: Super Game Boy enhanced games hotpatch the SGB firmware?
Interesting, I didn't know about those patches. I've disassembled some small snippets of the SGB ROM some years ago, and disassembled the patches today. And this is what I came up with...
OBJ Patch
this patch somehow hides 25 OBJ's in whatever situation. unknown when/why this is needed, and unknown which situations are triggering the conditions like [C9h]=7E7E80h.
the patch is done by many/most games, and it's also done automatically by SGBv1/SGBv2/SGB2v1 (ie. games would need to apply the patch themselves only for SGBv1/SGBv0).
Code:
;------------------
0000:0810 4C 20 08 jmp 0820 ;hide_obj_patch_cont
;---
0000:0813 EA EA .. nop (5x)
;---
0000:0818 60 ret
;---
0000:0819 EA EA .. nop (7x)
;---
hide_obj_patch_cont:
0000:0820 A9 01 mov a,01
0000:0822 CD 4F 0C cmp a,[0C4F] ;\check if [0C4Fh]=01h
0000:0825 D0 39 jnz 0860 ;@@exit ;/
0000:0827 CD 48 0C cmp a,[0C48] ;\check if [0C48h]=01h
0000:082A D0 34 jnz 0860 ;@@exit ;/
0000:082C A5 C9 mov a,[C9] ;\
0000:082E C9 80 cmp a,80 ;
0000:0830 D0 0C jnz 083E ;@@try_other ; check if [C9h]=7E7E80h
0000:0832 A5 CA mov a,[CA] ;
0000:0834 C9 7E cmp a,7E ;
0000:0836 D0 06 jnz 083E ;@@try_other ;
0000:0838 A5 CB mov a,[CB] ;
0000:083A C9 7E cmp a,7E ;
0000:083C F0 12 jz 0850 ;@@match ;/
@@try_other: ;-or, alternately...
0000:083E A5 C9 mov a,[C9] ;\
0000:0840 C9 C8 cmp a,C8 ;
0000:0842 D0 1C jnz 0860 ;@@exit ; check if [C9h]=05C4C8h
0000:0844 A5 CA mov a,[CA] ;
0000:0846 C9 C4 cmp a,C4 ;
0000:0848 D0 16 jnz 0860 ;@@exit ;
0000:084A A5 CB mov a,[CB] ;
0000:084C C9 05 cmp a,05 ;
0000:084E D0 10 jnz 0860 ;@@exit ;/
@@match:
0000:0850 A2 28 mov x,28 ;dst ;\
0000:0852 A9 E7 mov a,E7 ;yloc/fillvalue; set Yloc=E7h for 25 OBJ's
@@lop: ; (aka set them offscreen in
0000:0854 9F 01 C0 7E mov [far 7EC001+x],a ; NTSC mode)
0000:0858 E8 inc x ; (buggy in PAL mode?)
0000:0859 E8 inc x ; (25 OBJs are the 24 OBJs for
0000:085A E8 inc x ; use by gameboy, plus one
0000:085B E8 inc x ; extra OBJ?)
0000:085C E0 8C cmp x,8C ;dst.end ;
0000:085E D0 F4 jnz 0854 ;@@lop ;/
@@exit:
0000:0860 60 ret
;------------------
SOU_TRN Patch
this patch disables H+V IRQ during SOU_TRN, unknown when/why this is needed.
this patch is done by WHICH games? I haven't tried, but it should be easy to find such games using a hex editor with "find in multiple files" function, and then searching for the patch/packets.
Code:
;------------------
0000:0800 jmp 0900 ;cmd_hook_cont
;---
[...] [...]
;---
cmd_hook_cont:
0000:0900 AD C2 02 mov a,[02C2] ;cmd ;\
0000:0903 C9 09 cmp a,09 ;SOU_TRN ; check if SOU_TRN (cmd 09h)
0000:0905 D0 1A jnz 0921 ;@@exit ;/
0000:0907 A9 01 mov a,01 ;\disable H+V IRQ
0000:0909 8D 00 42 mov [4200],a ;/
0000:090C AF DB FF 00 mov a,[far 00FFDB] ;\check ROM version
0000:0910 F0 05 jz 0917 ;@@version_0 ;/
0000:0912 20 73 C5 call C573 ;SOU_TRN_v1_v2 ;\
0000:0915 80 03 jr8 091A ;@@finish ; execute SOU_TRN for SGBv0
@@version_0: ; or SGBv1/SGBv2/SGB2v1
0000:0917 20 76 C5 call C576 ;SOU_TRN_v0 ;
@@finish: ;/
0000:091A A9 31 mov a,31 ;\enable H+V IRQ
0000:091C 8D 00 42 mov [4200],a ;/
0000:091F 68 pop a ;\flush retadr
0000:0920 68 pop a ;/(cmd 09h already executed)
@@exit:
0000:0921 60 ret
;------------------
Last edited by nocash on Tue Oct 31, 2017 7:07 am, edited 1 time in total.
Re: Super Game Boy enhanced games hotpatch the SGB firmware?
nocash wrote:
> it's also done automatically by SGBv1/SGBv2/SGB2v1 (ie. games would need to apply the patch themselves only for SGBv0).

It's actually only SGBv2 and SGB2 that contain the patch (at offset $3F400 in the ROM); SGBv1 doesn't have it.

nocash wrote:
> SOU_TRN Patch
> this patch disables H+V IRQ during SOU_TRN, unknown when/why this is needed.
> this patch is done by WHICH games? I haven't tried, but it should be easy to find such games using a hex editor with "find in multiple files" function, and then searching for the patch/packets.

Today I learned GNU grep can be used to search for binary patterns via the switch -P (Perl-style regular expressions):
Code:
grep -P "\x79\x16\x09\x00\x0b\x03\x20\x76\xc5\xa9\x31\x8d\x00\x42\x68\x68" ~/ROMs/GB/*.gb*
On a related note (SGB features that are rarely/never used) there's a blog that claims that Mario's Picross uses SNES sprites on its title screen, but it turns out it's actually just displaying a border that intrudes into the GB screen area.
Re: Super Game Boy enhanced games hotpatch the SGB firmware?
Oops, yes, SGBv0 and SGBv1 both don't have the OBJ patch built-in. Only SGBv2 and SGB2v1 do have it.
I've found a few more games that contain the SOU_TRN patch/packets (but don't know if they are actually using the patch) (and there are probably many more games, I don't have a complete collection of all SGB titles).
Searching was done using TextPad: Search --> Find in Files --> select Condition=Hex, File Type=Binary, specify a folder, and filename(s), eg. "*.*" or "*.gmb *.sgb *.cgb" etc. And, enter/paste the search expression. I'm using an old TextPad version from 1998, which has some bugs/obstacles: Spaces between bytes aren't allowed (ie. 0BAD works, but 0B AD doesn't), and byte 00 is treated as EndOfLine (=ignoring all following bytes in the search expression, giving lots of false matches).
Code:
Searching for: 0BADC202C909D01AA9018D
A Bug's Life (THQ 1998)
Animaniacs (Factor 5/Konami 1995)
Asteroids/Missile Command (1995)
Centipede (1995)
FIFA 98 (France 98) (THQ 1997)
Olympic Summer Games (Atlanta 96) (found patch twice in there, at two different rom offsets)
Small Soldiers (THQ 1998)
Btw. another SGB mystery would be the SGB Commander controller. I suspect that it's sending some sort of button-combos for the special functions, and it might have a nonstandard controller ID when in SGB mode. But so far nobody seems to have examined if it's really having such special features & how they work exactly.
Re: Super Game Boy enhanced games hotpatch the SGB firmware?
nocash wrote:
> But so far nobody seems to have examined if it's really having such special features & how they work exactly.

I did, back in 2010:
http://www.dforce3000.de/pub/d4s_super_ ... _notes.pdf
This contains info on the special commands and a copy of the SGB commander manual (in japanese).
AFAIR, the SGB commander reports with the same ID as a standard joypad, but I'd have to check again to be sure.
Re: Super Game Boy enhanced games hotpatch the SGB firmware?
d4s wrote:
> http://www.dforce3000.de/pub/d4s_super_ ... _notes.pdf

Good that you mention that. I've tried to enter that button sequence a dozen times some years ago, but never got it working.

> -toggle DMG speed normal/slow/very slow:
> Press shoulder buttons l,r,r,l,l,r during gameplay.
> This has to be entered extremely fast in order to work.
> Used by Hori Super Gameboy Commander joypad.

Is it really possible to enter the sequence manually? Or, when saying "has to be entered extremely fast", did you mean that one would have to enter it at 50Hz/60Hz joypad reading rate?
And the SGB Commander joypad. I guess in "SFC" mode it's working just as normal, ie. the Y-button working as such. And in "SGB" mode it's issuing the above L,R,R,L,L,R sequence at that extremely fast rate when pressing Y-button?
Would be cool if you could verify the controller ID, especially with the joypad switched to "SGB" mode.
Re: Super Game Boy enhanced games hotpatch the SGB firmware?
Sorry to derail, but is there a site listing SGB revision differences? I couldn't find one googling.
Re: Super Game Boy enhanced games hotpatch the SGB firmware?
nocash wrote:
> unknown when/why this is needed, and unknown which situations are triggering the conditions

Why don't we try patching the SGB emulation to reject DATA_SND patches (drop them before sending to the SGB BIOS), and see what the visible results are under emulation? Seeing the visible errors produced could help us understand the reasoning for the patches.

> there's a blog that claims that Mario's Picross uses SNES sprites on its title screen, but it turns out it's actually just displaying a border that intrudes into the GB screen area.

... wow, and here I thought that was the only game to use that command. So does that mean the SNES sprite functionality went completely unused? That's a real shame.

nocash wrote:
> And the SGB Commander joypad. I guess in "SFC" mode it's working just as normal, ie. the Y-button working as such. And in "SGB" mode it's issuing the above L,R,R,L,L,R sequence at that extremely fast rate when pressing Y-button?

The SGB Commander's special buttons basically send an extremely fast, super-human speed sequence of standard SNES controller button presses that trigger the functionality. You wouldn't be able to do it yourself by hand, as far as I recall. They seem to have been meant to sell an expensive (even to this day) additional controller.
Re: Super Game Boy enhanced games hotpatch the SGB firmware?
sgb-bios-differences:
---
v0 vs v1:
18346 bytes changed; though main difference might be:
00:8177 --> "call+jmp" replaced by "jmp"
(thus causing all following code/addresses to be shifted by 3 bytes)
there seem to be at least some extra differences at begin/end of rom
---
v1 vs v2:
not too many differences (only 119 bytes changed)
one known difference is the additional OBJ patch
also, v2 is said to be used for "PAL" (dunno if it's really having PAL-specific changes, also possible that all versions are technically working in any region)
---
v2 vs SGB2:
2039 bytes changed in 1st 256Kbyte (plus extra 256Kbyte in SGB2)
SGB2 ROM has changed screen border, and ROM is twice as large
SGB2 PCB has extra crystal, and gameboy link-port connector
---
Last edited by nocash on Wed Nov 01, 2017 3:14 am, edited 2 times in total.
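The v0-vs-v1 note above is a good illustration of why a raw byte count overstates the difference between two firmware revisions: once a call+jmp becomes a single jmp, every byte after it is displaced by 3 and a byte-for-byte compare flags all of them. The following Python is an added example (not from this thread, and not run against the real SGB ROMs, which are not reproduced here) showing how to count changes with a known displacement applied from a given offset onward, and how to recover that displacement by trying a small window of shifts. The two images are constructed stand-ins, and EDIT_AT is a hypothetical file offset, not the real location of the 00:8177 change.

```python
"""Byte-diff two firmware images while allowing for a known code shift.

Added example, not from the thread.  nocash's v0-vs-v1 note says a
"call+jmp" became a single "jmp", shifting everything after it by 3 bytes,
so a plain byte-for-byte compare reports thousands of "changed" bytes.  The
two images below are constructed stand-ins (the real SGB ROMs are not
reproduced here); EDIT_AT and the edit itself are hypothetical.
"""
from typing import Optional

EDIT_AT = 0x177          # hypothetical file offset of the replaced call+jmp
SHIFT_AT = EDIT_AT + 3   # first offset after the new 3-byte jmp; everything from here is shifted


def changed_bytes(a: bytes, b: bytes, shift_at: Optional[int] = None, shift: int = 0) -> int:
    """Count offsets i where a[i] != b[j], with j = i for i < shift_at and j = i + shift after.

    Offsets whose partner falls outside `b` are skipped.  shift < 0 models `b` having lost
    bytes at shift_at (a 6-byte call+jmp replaced by a 3-byte jmp gives shift = -3).
    """
    if shift_at is None:
        shift_at = len(a)
    changed = 0
    for i, byte in enumerate(a):
        j = i + shift if i >= shift_at else i
        if 0 <= j < len(b) and b[j] != byte:
            changed += 1
    return changed


def best_shift(a: bytes, b: bytes, shift_at: int, window: int = 8) -> int:
    """Pick the shift in [-window, window] that minimises the diff from shift_at onward."""
    return min(range(-window, window + 1), key=lambda s: changed_bytes(a, b, shift_at, s))


def make_images():
    """Constructed v0/v1 stand-ins: v1 = v0 with 3 bytes dropped at EDIT_AT and one byte flipped."""
    v0 = bytes((i * 131 + 7) & 0xFF for i in range(4096))
    v1 = bytearray(v0)
    del v1[EDIT_AT:EDIT_AT + 3]   # call+jmp -> jmp: following code moves down by 3 bytes
    v1[0x10] ^= 0xFF              # one genuine unrelated change
    v1 += b"\xFF" * 3             # keep the image size (ROM padding at the end)
    return v0, bytes(v1)


if __name__ == "__main__":
    v0, v1 = make_images()
    print("naive:", changed_bytes(v0, v1))
    print("shift:", best_shift(v0, v1, SHIFT_AT))
    print("aligned:", changed_bytes(v0, v1, SHIFT_AT, best_shift(v0, v1, SHIFT_AT)))
```

On the constructed pair the naive count is in the thousands while the aligned count is 4 (the three bytes of the replaced instruction plus the one deliberate flip). Against real dumps the remaining aligned differences are the ones worth disassembling; a second displacement further on would show up as another run of changes and can be handled by applying the same search again from that offset.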
Re: Super Game Boy enhanced games hotpatch the SGB firmware?
Thanks. Mine is PAL, so I was wondering what it had and how the others differed.