http://blog.gg8.se/wordpress/2014/12/09 ... e-fighter/
tl;dr version: I gained access to the boot ROM of a Gameboy clone called Game fighter using a clock glitching method invented by BennVenn. (I've also done a teardown of the same unit.) Solder a wire to one side of the clock crystal and brush the other side of the wire against ground. This corrupts PC and/or other registers. Do this before the boot ROM shuts itself off, regain control of the CPU, and you can access the ROM and dump it.
The interesting part is that the boot ROM checks for another logo apart from the Nintendo logo, but only half of that logo is present in the boot ROM. (The same is true for the Nintendo logo: it only checks half the logo.) It may say RIS or KIS, or maybe K13 or R13. The bottom half of the logo is shown here. (Half the Nintendo logo is also visible because I just copied the half over the logo section of a ROM to be able to convert it to an image. It would of course never appear in real life as it does in the image.) If anyone has a clue what the logo might be, it might give clues about who made this clone.
The boot ROM is also attached to this post, and you can read my disassembly below.
; Boot ROM of the "Game fighter" Game Boy clone, $0000-$00FF, RGBDS-style
; syntax. Execution starts here at reset. Register roles in this section:
; a = scratch byte, hl = write pointer (VRAM, then the $FF2x sound registers),
; c = low address byte for the [$ff00+c] stores.
ld sp,$FFFE ; 0000 Set up the stack pointer (stack grows down from here).
; Clear VRAM: store $00 from $9FFF down to $8000. The loop exits as soon as
; h drops below $80, i.e. when hl has left the $8000-$9FFF range.
xor a ; 0003 a = 0; this is the byte stored on every iteration
ld hl,$9FFF ; 0004 hl = last VRAM byte
Addr_0007:
ldd [hl],a ; 0007 [hl] = 0, then hl--
bit 7,h ; 0008 Z becomes set once h < $80 (hl wrapped to $7FFF)
jr nz,Addr_0007 ; 000A
; Set up sound. The ldd [hl] stores walk $FF26 -> $FF25 -> $FF24 and the
; [$ff00+c] stores walk $FF11 -> $FF12 -> $FF13 as c is incremented.
ld hl,$FF26 ; 000C
ld c,$11 ; 000F
ld a,$80 ; 0011
ldd [hl],a ; 0013 [$FF26] = $80 Turn on sound; hl = $FF25
ld [$ff00+c],a ; 0014 [$FF11] = $80 Channel 1 wave duty
inc c ; 0015 c = $12
ld a,$F3 ; 0016
ld [$ff00+c],a ; 0018 [$FF12] = $F3 Channel 1 envelope
ldd [hl],a ; 0019 [$FF25] = $F3 Channel routing; hl = $FF24
inc c ; 001A c = $13
ld a,$C1 ; 001B
ld [$ff00+c],a ; 001D [$FF13] = $C1 Channel 1 low frequency byte
ld a,$77 ; 001E
ld [hl],a ; 0020 [$FF24] = $77 Master volume
; Set up graphics. Nothing in this ROM writes tile or map data after the
; VRAM clear above, so the LCD is switched on over a blank screen; no logo
; is ever drawn.
ld a,$FC ; 0021
ldh [$FF47],a ; 0023 [$FF47] = $FC BG palette
ld a,$91 ; 0025
ldh [$FF40],a ; 0027 [$FF40] = $91 Turn on LCD
; Cartridge authentication gate. Only header bytes $011C-$0133 (the second
; half of the 48-byte logo area starting at $0104) are compared, against one
; of two 24-byte tables. Bytes $0104-$011B are never examined and no header
; checksum is computed anywhere in this ROM, so the check is weaker than a
; full logo compare. Addr_0073 returns a = $34 on a complete match and
; a = $85 on the first mismatch.
; Compare the second half of the logo in the header against
; the second half of the Nintendo logo stored in the boot ROM.
ld de,Addr_0043 ; 0029 de = expected bytes (Nintendo logo, second half)
call Addr_0073 ; 002C
cp a,$34 ; 002F Will return $34 if successful.
jr nz,Addr_0036 ; 0031 If not, jump to a second compare operation.
jp Addr_00FC ; 0033 Match: unmap the boot ROM and start the cartridge.
; Compare the second half of the logo in the header against
; the second half of the mystery logo stored in the boot ROM.
Addr_0036:
ld de,Addr_005B ; 0036 de = expected bytes (mystery logo, second half)
call Addr_0073 ; 0039
cp a,$34 ; 003C Will return $34 if successful.
Addr_003E:
jr nz,Addr_003E ; 003E If not, get stuck in an endless loop (jumps to itself; flags never change, so this halts the boot with the LCD on).
jp Addr_00FC ; 0040 Match: unmap the boot ROM and start the cartridge.
; Expected-logo tables consumed by Addr_0073 through de. Each table must be
; exactly $18 bytes, since the compare loop walks header bytes $011C-$0133
; and advances de once per byte; Addr_0043 + $18 = Addr_005B.
; Second half of the Nintendo logo, $18 bytes
Addr_0043:
db $DC, $CC, $6E, $E6, $DD, $DD, $D9, $99
db $BB, $BB, $67, $63, $6E, $0E, $EC, $CC
db $DD, $DC, $99, $9F, $BB, $B9, $33, $3E
; Second half of mysterious RIS or KIS logo, $18 bytes. The comparison is
; byte-exact, so the leading and trailing $00 bytes are part of the pattern
; a header has to reproduce.
Addr_005B:
db $00, $00, $00, $00, $76, $66, $C6, $31
db $00, $19, $66, $FF, $01, $88, $38, $C7
db $C6, $C8, $00, $00, $00, $00, $00, $00
;-----------------------------------------------------------------------
; Subroutine Addr_0073: compare the second half of the cartridge header's
; logo ($011C-$0133) against a 24-byte table.
; In:    de = pointer to the expected bytes (Addr_0043 or Addr_005B)
; Out:   a = $34 with Z set if every byte matched;
;        a = $85 on the first mismatching byte (the compare stops early)
; Clobb: a, de, hl, flags
; Note:  the loop ends when l reaches $34, not after a counted length, so
;        it relies on hl starting at $011C and is not a general memcmp.
;-----------------------------------------------------------------------
; Subroutine: Compare the cartridge header's logo against
; a given memory location
Addr_0073:
ld hl,$011C ; 0073 Start comparing halfway into the logo
Addr_0076:
ld a,[de] ; 0076 a = expected byte
inc de ; 0077
cp [hl] ; 0078 Compare with the header byte
jr nz,Addr_0082 ; 0079 Any mismatch aborts immediately
inc hl ; 007B
ld a,l ; 007C
cp a,$34 ; 007D $xx34 = The first byte after the header logo
jr nz,Addr_0076 ; 007F
ret ; 0081 Success: a = l = $34, Z set
Addr_0082:
ld a,$85 ; 0082 Compare failed! (ld does not touch flags; caller re-tests a)
ret ; 0084
; $77 filler bytes, $0085-$00FB, never referenced by the code above.
; Note that $FF is also the encoding of rst $38 on this CPU, so stray
; execution into the padding would not simply fall through to Addr_00FC.
Addr_0085:
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
db $ff, $ff, $ff, $ff, $ff, $ff, $ff
; Disable the boot ROM and hand over control to the game cartridge.
; Reached only through the jp Addr_00FC after a successful logo compare.
; Until this store executes the boot ROM stays mapped and readable, which
; is what the clock-glitch dump described in the post relies on.
Addr_00FC:
ld a,$01 ; 00FC Write to the ROM disable register
ldh [$FF50],a ; 00FE Unmaps this ROM; the next fetch, at $0100, comes from the cartridge entry point.