The boot ROM of the GB clone "Game Fighter" has been dumped.

Discussion of programming and development for the original Game Boy and Game Boy Color.
nitro2k01
Posts: 252
Joined: Sat Aug 28, 2010 9:01 am

The boot ROM of the GB clone "Game Fighter" has been dumped.

Post by nitro2k01 »

Blog spam!

http://blog.gg8.se/wordpress/2014/12/09 ... e-fighter/

tl;dr version: I gained access to the boot ROM of a Game Boy clone called Game Fighter using a clock glitching method invented by BennVenn. (I've also done a teardown of the same unit.) Solder a wire to one side of the clock crystal and brush the other side of the wire against ground. This corrupts PC and/or other registers. Do this before the boot ROM shuts itself off and catch execution of the CPU, and you can access the ROM and dump it.

The interesting part is that the boot ROM checks for another logo apart from the Nintendo logo, but only half of that logo is present in the boot ROM. (The same is true for the Nintendo logo, it only checks half the logo.) It may say RIS or KIS or maybe K13 or R13. The bottom half of the logo is shown here. (Half the Nintendo logo is also visible because I just copied the half over the logo section of a ROM to be able to convert it to an image. It would of course never appear as it does in the image, in real life.) If anyone has a clue what the logo might be, it might give clues about who made this clone.

[image: bottom half of the logo, with half of the Nintendo logo visible above it]

The boot ROM is also attached to this post, and you can read my disassembly below.


        ld   sp,$FFFE           ;  0000  Set up the stack pointer.

        ; Clear VRAM.
        xor  a                  ;  0003
        ld   hl,$9FFF           ;  0004
Addr_0007:
        ldd  [hl],a             ;  0007
        bit  7,h                ;  0008
        jr   nz,Addr_0007       ;  000A

        ; Set up sound.
        ld   hl,$FF26           ;  000C
        ld   c,$11              ;  000F
        ld   a,$80              ;  0011
        ldd  [hl],a             ;  0013  [$FF26] = $80 Turn on sound

        ld   [$ff00+c],a        ;  0014  [$FF11] = $80 Channel 1 wave duty
        inc  c                  ;  0015
        ld   a,$F3              ;  0016
        ld   [$ff00+c],a        ;  0018  [$FF12] = $F3 Channel 1 envelope
        ldd  [hl],a             ;  0019  [$FF25] = $F3 Channel routing
        inc  c                  ;  001A
        ld   a,$C1              ;  001B
        ld   [$ff00+c],a        ;  001D  [$FF13] = $C1 Channel 1 low frequency byte
        ld   a,$77              ;  001E 
        ld   [hl],a             ;  0020  [$FF24] = $77 Master volume
        
        ; Set up graphics.
        ld   a,$FC              ;  0021
        ldh  [$FF47],a          ;  0023  [$FF47] = $FC BG palette
        ld   a,$91              ;  0025
        ldh  [$FF40],a          ;  0027  [$FF40] = $91 Turn on LCD

        ; Compare the second half of the logo in the header against
        ; the second half of the Nintendo logo stored in the boot ROM.
        ld   de,Addr_0043       ;  0029
        call Addr_0073          ;  002C
        cp   a,$34              ;  002F  Will return $34 if successful.
        jr   nz,Addr_0036       ;  0031  If not, jump to a second compare operation.
        jp   Addr_00FC          ;  0033

        ; Compare the second half of the logo in the header against
        ; the second half of the mystery logo stored in the boot ROM.
Addr_0036:
        ld   de,Addr_005B       ;  0036
        call Addr_0073          ;  0039
        cp   a,$34              ;  003C  Will return $34 if successful.
Addr_003E:
        jr   nz,Addr_003E       ;  003E  If not, get stuck in an endless loop.
        jp   Addr_00FC          ;  0040

        ; Second half of the Nintendo logo, $18 bytes
Addr_0043:
        db   $DC, $CC, $6E, $E6, $DD, $DD, $D9, $99
        db   $BB, $BB, $67, $63, $6E, $0E, $EC, $CC
        db   $DD, $DC, $99, $9F, $BB, $B9, $33, $3E

        ; Second half of mysterious RIS or KIS logo, $18 bytes
Addr_005B:
        db   $00, $00, $00, $00, $76, $66, $C6, $31
        db   $00, $19, $66, $FF, $01, $88, $38, $C7
        db   $C6, $C8, $00, $00, $00, $00, $00, $00

        ; Subroutine: Compare the cartridge header's logo against 
        ; a given memory location
Addr_0073:
        ld   hl,$011C           ;  0073  Start comparing halfway into the logo
Addr_0076:
        ld   a,[de]             ;  0076
        inc  de                 ;  0077
        cp   [hl]               ;  0078
        jr   nz,Addr_0082       ;  0079
        inc  hl                 ;  007B
        ld   a,l                ;  007C
        cp   a,$34              ;  007D  $xx34 = The first byte after the header logo
        jr   nz,Addr_0076       ;  007F
        ret                     ;  0081
Addr_0082:
        ld   a,$85              ;  0082  Compare failed!
        ret                     ;  0084

        ; $77 filler bytes
Addr_0085:
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff

        ; Disable the boot ROM and hand over control to the game cartridge.
Addr_00FC:
        ld   a,$01              ;  00FC Write to the ROM disable register
        ldh  [$FF50],a          ;  00FE
Attachments: GAMEFIGHTER_ROM.zip (308 Bytes)
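To make the check concrete, here is an added Python emulation of the boot ROM's logo comparison. It is not code from the post or from the clone: the two 24-byte tables are copied from the disassembly above (Addr_0043 and Addr_005B), the first half of the Nintendo logo is the standard header value that this boot ROM does not contain, and the sample cartridge images are constructed. It mirrors the subroutine at Addr_0073 register by register, runs the two-stage decision at $0029-$0042, and decodes a 24-byte half into pixels so the mystery table can be eyeballed. The point worth noting for anyone treating the logo as a signature: only $011C-$0133 is inspected, and neither the first half of the logo nor the header checksum is ever read, so a cartridge with a garbage first half that a DMG boot ROM would lock up on boots normally on this clone.

```python
"""Added example: emulate the Game Fighter boot ROM's half-logo check.

The two 24-byte tables are taken from the disassembly (Addr_0043 and
Addr_005B). Everything else (the first logo half, the sample ROM images)
is constructed here for illustration.
"""

# Second half of the Nintendo logo, as stored at Addr_0043 in the boot ROM.
NINTENDO_2ND_HALF = bytes([
    0xDC, 0xCC, 0x6E, 0xE6, 0xDD, 0xDD, 0xD9, 0x99,
    0xBB, 0xBB, 0x67, 0x63, 0x6E, 0x0E, 0xEC, 0xCC,
    0xDD, 0xDC, 0x99, 0x9F, 0xBB, 0xB9, 0x33, 0x3E,
])
# Second half of the unidentified ("RIS"/"KIS") logo stored at Addr_005B.
MYSTERY_2ND_HALF = bytes([
    0x00, 0x00, 0x00, 0x00, 0x76, 0x66, 0xC6, 0x31,
    0x00, 0x19, 0x66, 0xFF, 0x01, 0x88, 0x38, 0xC7,
    0xC6, 0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
])
# First half of the standard Nintendo logo (header bytes $0104-$011B). The
# Game Fighter boot ROM neither stores nor checks it; it is only used here
# to build a realistic sample header.
NINTENDO_1ST_HALF = bytes([
    0xCE, 0xED, 0x66, 0x66, 0xCC, 0x0D, 0x00, 0x0B,
    0x03, 0x73, 0x00, 0x83, 0x00, 0x0C, 0x00, 0x0D,
    0x00, 0x08, 0x11, 0x1F, 0x88, 0x89, 0x00, 0x0E,
])

LOGO_START = 0x0104
COMPARE_START = 0x011C   # ld hl,$011C: comparison starts halfway into the logo
COMPARE_END_L = 0x34     # cp a,$34: stop once L reaches the byte after the logo


def compare_half(rom, table):
    """Mirror of the subroutine at Addr_0073. Returns the value left in A:
    $34 when all 24 bytes match, $85 at the first mismatch."""
    hl = COMPARE_START
    de = 0
    while True:
        a = table[de]                      # ld a,[de] / inc de
        de += 1
        if a != rom[hl]:                   # cp [hl] / jr nz,Addr_0082
            return 0x85                    # ld a,$85 / ret
        hl += 1                            # inc hl
        if (hl & 0xFF) == COMPARE_END_L:   # ld a,l / cp a,$34
            return 0x34                    # ret with A == L == $34


def boot_check(rom):
    """Mirror of $0029-$0042. Returns which table satisfied the check
    ("nintendo" or "mystery"), or None when the CPU would spin forever at
    Addr_003E and never reach the $FF50 write."""
    if compare_half(rom, NINTENDO_2ND_HALF) == 0x34:
        return "nintendo"
    if compare_half(rom, MYSTERY_2ND_HALF) == 0x34:
        return "mystery"
    return None


def make_rom(logo48):
    """Constructed sample cartridge image: $0150 bytes of $00 with a 48-byte
    logo at $0104. Nothing else is needed because this boot ROM never reads
    the title, cartridge type or header checksum."""
    rom = bytearray(0x150)
    rom[LOGO_START:LOGO_START + 48] = logo48
    return bytes(rom)


def render_half(table):
    """Decode one 24-byte logo half into 4 rows of 48 pixels. The header logo
    is 12 four-pixel-wide columns; each byte pair is one column and each
    nibble (high nibble first) is one row of that column."""
    rows = [[] for _ in range(4)]
    for col in range(12):
        for b in range(2):
            byte = table[col * 2 + b]
            rows[b * 2].append(f"{byte >> 4:04b}")
            rows[b * 2 + 1].append(f"{byte & 0xF:04b}")
    return ["".join(r).replace("1", "#").replace("0", ".") for r in rows]


if __name__ == "__main__":
    samples = [
        ("genuine header", make_rom(NINTENDO_1ST_HALF + NINTENDO_2ND_HALF)),
        # First 24 logo bytes zeroed: a DMG rejects this, the Game Fighter does not.
        ("first half zeroed", make_rom(bytes(24) + NINTENDO_2ND_HALF)),
        ("clone logo only", make_rom(bytes(24) + MYSTERY_2ND_HALF)),
        ("last byte corrupted", make_rom(NINTENDO_1ST_HALF + NINTENDO_2ND_HALF[:-1] + b"\x00")),
    ]
    for name, rom in samples:
        print(f"{name:20s} -> {boot_check(rom)}")
    print("\n".join(render_half(MYSTERY_2ND_HALF)))
```

Running the block prints the verdict for each constructed image and the bottom half of the mystery logo as ASCII art; swapping the table for the Nintendo one gives the lower half of "Nintendo" for comparison.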
mikejmoffitt
Posts: 1353
Joined: Sun May 27, 2012 8:43 pm

Re: The boot ROM of the GB clone "Game Fighter" has been dumped.

Post by mikejmoffitt »

That's such a neat clone! I've hoped I could find one for a long time and swap out the CPU with a proper DMG one. It would be a great LSDJ machine with that shape to it.
nitro2k01
Posts: 252
Joined: Sat Aug 28, 2010 9:01 am

Re: The boot ROM of the GB clone "Game Fighter" has been dumped.

Post by nitro2k01 »

mikejmoffitt wrote:That's such a neat clone! I've hoped I could find one for a long time and swap out the CPU with a proper DMG one. It would be a great LSDJ machine with that shape to it.
You mean to put a DMG CPU in this thing? No point. I've found the CPU to be functionally equivalent apart from the boot ROM so far. Which is an advantage since it boots instantly. I'd much sooner put a proper voltage regulator and audio amplifier in it (or prosound it). The thing is powered directly by the batteries, and the audio amplifier is discrete and complete crap (pretty much clips one side of the waveform). However, I don't really like the feel of the D-pad and select/start group of the GF.
mikejmoffitt
Posts: 1353
Joined: Sun May 27, 2012 8:43 pm

Re: The boot ROM of the GB clone "Game Fighter" has been dumped.

Post by mikejmoffitt »

nitro2k01 wrote:
mikejmoffitt wrote:That's such a neat clone! I've hoped I could find one for a long time and swap out the CPU with a proper DMG one. It would be a great LSDJ machine with that shape to it.
You mean to put a DMG CPU in this thing? No point. I've found the CPU to be functionally equivalent apart from the boot ROM so far. Which is an advantage since it boots instantly. I'd much sooner put a proper voltage regulator and audio amplifier in it (or prosound it). The thing is powered directly by the batteries, and the audio amplifier is discrete and complete crap (pretty much clips one side of the waveform). However, I don't really like the feel of the D-pad and select/start group of the GF.
I thought one of your earlier tests revealed a minor graphical problem, something to do with timing for writes during a scanline.

Does it output actual 2bpp greyscale, and the LCD controller does the flicker-greyscale, or does it output a different signal?

You might be able to swap out D-pad parts with a DMG.
nitro2k01
Posts: 252
Joined: Sat Aug 28, 2010 9:01 am

Re: The boot ROM of the GB clone "Game Fighter" has been dumped.

Post by nitro2k01 »

mikejmoffitt wrote:I thought one of your earlier tests revealed a minor graphical problem, something to do with timing for writes during a scanline.

Does it output actual 2bpp greyscale, and the LCD controller does the flicker-greyscale, or does it output a different signal?

You might be able to swap out D-pad parts with a DMG.
The problem was regarding palette changes during the drawing of a scanline. This caused problems in Prehistorik Man and an artificial test ROM, only so far. Likely because the added circuitry triggers on the positive edge of the pixel clock instead of the negative or vice versa. I would expect the data coming out of the CPU to be identical to that coming out of a DMG, and that the mess-up happens later, but that remains to be confirmed.

And no, DMG parts don't fit. The reason is that the distance to the PCB is a few mm longer than on a DMG, and so are the buttons and the guides for the buttons. DMG buttons would otherwise fit if the case was modded, but I don't want to destroy a unique piece like this. Maybe I should try to hunt down another one, and completely redesign the internals of one of them. :p