I tried my trick from before of setting the stack to a carefully chosen invalid location and it didn't work. Also I read the NMI vector and nothing happened. So how does it know when to switch to BIOS mode?
Well it is amazingly specific. It looks to see 4 decreasing accesses to $00:0000-1FFF and then the NMI vector. Normal code running on the processor can't cause this to happen, only an interrupt.
However, a carefully chosen sequence of DMA can do it. Run this code (obviously best done from RAM) and you'll switch to "BIOS" mode.
Code:

    SEP #$20        ; assumed register widths: 8-bit A for the STA stores,
    REP #$10        ; 16-bit X/Y for the STY stores below
    LDY #$3e90
    STY $4300       ; ch0: (B) PPU -> (A) CPU, auto decrement, read 1 reg, $213e (ppu status flag)
    LDY #$1F00
    STY $4302       ; (A) offset
    LDY #$0004
    STY $4305       ; number of bytes to transfer
    LDA #$00
    STA $4304       ; bank address = $00
    LDY #$3e00
    STY $4310       ; ch1: (A) CPU -> (B) PPU, auto increment, write 1 reg, $213e (ppu status flag)
    LDY #$FFEA
    STY $4312       ; (A) offset (native mode NMI vector)
    LDY #$0002
    STY $4315       ; number of bytes to transfer
    LDA #$00
    STA $4314       ; bank address = $00
    LDA #$03
    STA $420B       ; start DMA transfer on channels 0 and 1
..$8000-$8FFF appears to be the copier registers for $40 then repeated constantly.
bank $01-03: ROM
bank $04: ?? some memory
bank $05: ?? same memory as $04 ??
bank $06: probably copier SRAM
bank $07: probably DRAM
Everything else seems unmapped.
Some registers probably control mapping in of the external cartridge for dumping reasons.
EDIT: Here's an example of the exploit with a memory viewer, so you can play with the copier registers. Let me know what you find out.
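The following is an added model of the trigger described in the post, not the poster's code or anything taken from the copier. It decodes the two DMA channels the posted snippet programs into the sequence of A-bus accesses the DMA controller generates, then runs the post's stated condition over that trace (four decreasing accesses inside $00:0000-$1FFF followed by a read of the native-mode NMI vector at $FFEA). The same check is run over the access pattern of a real native-mode NMI, where the CPU pushes PB, PCH, PCL and P at decreasing stack addresses and then fetches the vector, which is why the post says only an interrupt normally produces it. DMA register bit meanings follow the documented $43x0 layout; the trigger check itself is an assumption modelled on the post's wording.

```python
# Added example (not the poster's code): model of the copier's "BIOS mode"
# trigger as the post describes it. The $43x0 bit decoding follows the
# documented SNES DMA registers; bios_trigger() is an assumed reconstruction
# of the condition the post states.

NMI_VECTOR = 0x00FFEA          # native-mode NMI vector, bank $00
LOWRAM_TOP = 0x001FFF          # end of the $00:0000-$1FFF window the copier watches


def channel(dmap_word, a_addr, count, bank=0x00):
    """Build a channel description from the 16-bit values the snippet stores.

    dmap_word is the word written with STY $43x0: low byte is $43x0 (DMAP),
    high byte is $43x1 (the B-bus register, $21xx).
    """
    return {
        "dmap": dmap_word & 0xFF,
        "b_reg": 0x2100 | (dmap_word >> 8),
        "a_addr": a_addr,
        "bank": bank,
        "count": count,
    }


def dma_trace(channels):
    """Return the A-bus accesses, in order, as (op, 24-bit address) tuples.

    DMAP bit 7: 0 = A-bus -> B-bus (A-bus is read), 1 = B-bus -> A-bus
    (A-bus is written). Bits 4-3: 00 increment, 10 decrement, x1 fixed.
    Only the 16-bit offset steps; the bank byte stays fixed, as on real DMA.
    """
    trace = []
    for ch in channels:
        op = "W" if ch["dmap"] & 0x80 else "R"
        step = (ch["dmap"] >> 3) & 0x3
        delta = 0 if step & 1 else (-1 if step & 2 else 1)
        offset = ch["a_addr"]
        for _ in range(ch["count"]):
            trace.append((op, (ch["bank"] << 16) | offset))
            offset = (offset + delta) & 0xFFFF
    return trace


def nmi_trace(sp):
    """A-bus accesses of a native-mode NMI: the CPU pushes PB, PCH, PCL and P
    (four writes at decreasing stack addresses in bank $00) and then fetches
    the vector. This is the pattern the copier is really looking for."""
    pushes = [("W", (sp - i) & 0xFFFF) for i in range(4)]
    return pushes + [("R", NMI_VECTOR), ("R", NMI_VECTOR + 1)]


def bios_trigger(trace):
    """True when four consecutive accesses inside $00:0000-$1FFF have strictly
    decreasing addresses and the very next access is a read of $00:FFEA."""
    for i in range(len(trace) - 4):
        addrs = [a for _, a in trace[i:i + 4]]
        in_window = all(a <= LOWRAM_TOP for a in addrs)
        decreasing = all(addrs[k] > addrs[k + 1] for k in range(3))
        if in_window and decreasing and trace[i + 4] == ("R", NMI_VECTOR):
            return True
    return False


# The two channels exactly as the posted snippet programs them.
POSTED_CHANNELS = [
    channel(0x3E90, 0x1F00, 4),    # ch0: $213E -> $00:1F00, decrementing, 4 bytes
    channel(0x3E00, 0xFFEA, 2),    # ch1: $00:FFEA -> $213E, incrementing, 2 bytes
]

# Constructed counter-example: channel 0 left in increment mode, so the four
# accesses go upward and the trigger must not fire.
INCREMENTING_CHANNELS = [
    channel(0x3E80, 0x1F00, 4),
    channel(0x3E00, 0xFFEA, 2),
]

if __name__ == "__main__":
    for op, addr in dma_trace(POSTED_CHANNELS):
        print(f"{op} ${addr >> 16:02X}:{addr & 0xFFFF:04X}")
    print("DMA sequence triggers:", bios_trigger(dma_trace(POSTED_CHANNELS)))
    print("Real NMI triggers:", bios_trigger(nmi_trace(0x01FF)))
    print("Incrementing DMA triggers:", bios_trigger(dma_trace(INCREMENTING_CHANNELS)))
```

Running it prints the six A-bus accesses the posted DMA produces ($00:1F00 down to $00:1EFD, then reads of $00:FFEA and $00:FFEB) and shows that this trace and a real NMI both satisfy the condition while the incrementing variant does not. The usefulness of the model is in checking a proposed bus sequence against the condition before trying it on hardware.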