PostPosted: Sun Oct 22, 2017 3:36 pm 
I've been looking at Game Boy stuff lately, and I noticed that most Super Game Boy-enhanced games send one or two standard sequences of DATA_SND command packets (the SGB command to transfer up to 11 bytes to an arbitrary SNES address) at startup when they detect they are running on a SGB. The payloads of these standard packets looked a lot like 65816 code to me, so I put them together and disassembled them. Interesting.

If anyone has reverse-engineered the SGB firmware sufficiently to tell what these apparent hotpatches are for, or is interested in doing so, I'd be interested in your findings. The first one appears to be sprite-related--$7EC000 is where the SGB has its shadow OAM. Maybe it's related to the SGB sprite functionality which was never used by any official game?


PostPosted: Mon Oct 23, 2017 7:12 am 
Interesting, I didn't know about those patches. I've disassembled some small snippets of the SGB ROM some years ago, and disassembled the patches today. And this is what I came up with...

OBJ Patch
this patch somehow hides 25 OBJs in whatever situation. unknown when/why this is needed, and unknown which situations are triggering the conditions like [C9h]=7E7E80h.
the patch is done by many/most games, and it's also done automatically by SGBv1/SGBv2/SGB2v1 (ie. games would need to apply the patch themselves only for SGBv1/SGBv0).
Code:
                      ;------------------
0000:0810 4C 20 08     jmp  0820 ;hide_obj_patch_cont
                      ;---
0000:0813 EA EA ..     nop (5x)
                      ;---
0000:0818 60           ret
                      ;---
0000:0819 EA EA ..     nop (7x)
                      ;---
                      hide_obj_patch_cont:
0000:0820 A9 01        mov  a,01
0000:0822 CD 4F 0C     cmp  a,[0C4F]            ;\check if [0C4Fh]=01h
0000:0825 D0 39        jnz  0860 ;@@exit        ;/
0000:0827 CD 48 0C     cmp  a,[0C48]            ;\check if [0C48h]=01h
0000:082A D0 34        jnz  0860 ;@@exit        ;/
0000:082C A5 C9        mov  a,[C9]              ;\
0000:082E C9 80        cmp  a,80                ;
0000:0830 D0 0C        jnz  083E ;@@try_other   ; check if [C9h]=7E7E80h
0000:0832 A5 CA        mov  a,[CA]              ;
0000:0834 C9 7E        cmp  a,7E                ;
0000:0836 D0 06        jnz  083E ;@@try_other   ;
0000:0838 A5 CB        mov  a,[CB]              ;
0000:083A C9 7E        cmp  a,7E                ;
0000:083C F0 12        jz   0850 ;@@match       ;/
                      @@try_other:              ;-or, alternately...
0000:083E A5 C9        mov  a,[C9]              ;\
0000:0840 C9 C8        cmp  a,C8                ;
0000:0842 D0 1C        jnz  0860 ;@@exit        ; check if [C9h]=05C4C8h
0000:0844 A5 CA        mov  a,[CA]              ;
0000:0846 C9 C4        cmp  a,C4                ;
0000:0848 D0 16        jnz  0860 ;@@exit        ;
0000:084A A5 CB        mov  a,[CB]              ;
0000:084C C9 05        cmp  a,05                ;
0000:084E D0 10        jnz  0860 ;@@exit        ;/
                      @@match:
0000:0850 A2 28        mov  x,28 ;dst           ;\
0000:0852 A9 E7        mov  a,E7 ;yloc/fillvalue; set Yloc=E7h for 25 OBJ's
                      @@lop:                    ; (aka set them offscreen in
0000:0854 9F 01 C0 7E  mov  [far 7EC001+x],a    ; NTSC mode)
0000:0858 E8           inc  x                   ; (buggy in PAL mode?)
0000:0859 E8           inc  x                   ; (25 OBJs are the 24 OBJs for
0000:085A E8           inc  x                   ; use by gameboy, plus one
0000:085B E8           inc  x                   ; extra OBJ?)
0000:085C E0 8C        cmp  x,8C ;dst.end       ;
0000:085E D0 F4        jnz  0854 ;@@lop         ;/
                      @@exit:
0000:0860 60           ret
                      ;------------------


SOU_TRN Patch
this patch disables H+V IRQ during SOU_TRN, unknown when/why this is needed.
this patch is done by WHICH games? I haven't tried, but it should be easy to find such games using a hex editor with "find in multiple files" function, and then searching for the patch/packets.
Code:
                      ;------------------
0000:0800              jmp  0900 ;cmd_hook_cont
                      ;---
[...]                  [...]
                      ;---
                      cmd_hook_cont:
0000:0900 AD C2 02     mov  a,[02C2]  ;cmd      ;\
0000:0903 C9 09        cmp  a,09      ;SOU_TRN  ; check if SOU_TRN (cmd 09h)
0000:0905 D0 1A        jnz  0921 ;@@exit        ;/
0000:0907 A9 01        mov  a,01                ;\disable H+V IRQ
0000:0909 8D 00 42     mov  [4200],a            ;/
0000:090C AF DB FF 00  mov  a,[far 00FFDB]      ;\check ROM version
0000:0910 F0 05        jz   0917 ;@@version_0   ;/
0000:0912 20 73 C5     call C573 ;SOU_TRN_v1_v2 ;\
0000:0915 80 03        jr8  091A ;@@finish      ; execute SOU_TRN for SGBv0
                      @@version_0:              ; or SGBv1/SGBv2/SGB2v1
0000:0917 20 76 C5     call C576 ;SOU_TRN_v0    ;
                      @@finish:                 ;/
0000:091A A9 31        mov  a,31                ;\enable H+V IRQ
0000:091C 8D 00 42     mov  [4200],a            ;/
0000:091F 68           pop  a                   ;\flush retadr
0000:0920 68           pop  a                   ;/(cmd 09h already executed)
                      @@exit:
0000:0921 60           ret
                      ;------------------


Last edited by nocash on Tue Oct 31, 2017 7:07 am, edited 1 time in total.

PostPosted: Mon Oct 23, 2017 6:28 pm 
nocash wrote:
it's also done automatically by SGBv1/SGBv2/SGB2v1 (ie. games would need to apply the patch themselves only for SGBv0).


It's actually only SGBv2 and SGB2 that contain the patch (at offset $3F400 in the ROM); SGBv1 doesn't have it.

Quote:
SOU_TRN Patch
this patch disables H+V IRQ during SOU_TRN, unknown when/why this is needed.
this patch is done by WHICH games? I haven't tried, but it should be easy to find such games using a hex editor with "find in multiple files" function, and then searching for the patch/packets.


Today I learned GNU grep can be used to search for binary patterns via the switch -P (Perl-style regular expressions):

Code:
grep -P "\x79\x16\x09\x00\x0b\x03\x20\x76\xc5\xa9\x31\x8d\x00\x42\x68\x68" ~/ROMs/GB/*.gb*


I don't have a huge collection of GB ROMs, but I found one ROM that does contain this patch: Animaniacs. This game makes pretty nice use of the SGB sound functions: when run on a SGB, it uses the SNES hardware to play all its background music, and only uses the GB hardware to play sound effects.

On a related note (SGB features that are rarely/never used) there's a blog that claims that Mario's Picross uses SNES sprites on its title screen, but it turns out it's actually just displaying a border that intrudes into the GB screen area.


PostPosted: Tue Oct 24, 2017 5:58 am 
Oops, yes, SGBv0 and SGBv1 both don't have the OBJ patch built-in. Only SGBv2 and SGB2v1 do have it.

I've found a few more games that contain the SOU_TRN patch/packets (but don't know if they are actually using the patch) (and there are probably many more games, I don't have a complete collection of all SGB titles).
Code:
Searching for: 0BADC202C909D01AA9018D
  A Bug's Life (THQ 1998)
  Animaniacs (Factor 5/Konami 1995)
  Asteroids/Missile Command (1995)
  Centipede (1995)
  FIFA 98 (France 98) (THQ 1997)
  Olympic Summer Games (Atlanta 96) (found patch twice in there, at two different rom offsets)
  Small Soldiers (THQ 1998)

Searching was done using TextPad: Search --> Find in Files --> select Condition=Hex, File Type=Binary, specify a folder, and filename(s), eg. "*.*" or "*.gmb *.sgb *.cgb" etc. And, enter/paste the search expression, using old TextPad version from 1998, that's having some bugs/obstacles: Spaces between bytes aren't allowed (ie. 0BAD works, but 0B AD doesn't), and byte 00 is treated as EndOfLine (=ignoring all following bytes in the search expression, giving lots of false matches).

Btw. another SGB mystery would be the SGB Commander controller. I suspect that it's sending some sort of button-combos for the special functions, and it might have a nonstandard controller ID when in SGB mode. But so far nobody seems to have examined if it's really having such special features & how they work exactly.
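The grep and TextPad searches above look for one raw packet. The following added Python example (not code from the thread) instead parses the DATA_SND packets out of a ROM image, reassembles their payloads at their SNES addresses, and checks whether the SOU_TRN hook bytes from the listing are present. It assumes the standard SGB packet layout (header byte 0x79 = DATA_SND with one packet, three address bytes, a length byte, up to 11 data bytes); the sample ROM is constructed, and the 4C 00 09 bytes for the jmp at 00:0800 are inferred from the listing's mnemonic.

```python
# Added example (not code from the thread): reassemble a game's SGB DATA_SND
# packets from ROM and test whether they carry the SOU_TRN hook listed above.
# Assumed packet layout (SGB command format): byte 0 = (command << 3) | packet
# count, bytes 1-3 = SNES address (lo, hi, bank), byte 4 = data length 1..11,
# bytes 5-15 = data. DATA_SND is command 0x0F, so a 1-packet command starts 0x79.
DATA_SND_HEADER = (0x0F << 3) | 1        # 0x79, first byte of the grep pattern
SOU_TRN_HOOK = bytes.fromhex(            # bytes the listing shows at 00:0900-0921
    "ADC202C909D01AA9018D0042AFDBFF00F0052073C580032076C5A9318D0042686860")

def parse_data_snd(pkt: bytes):
    """Return (snes_address, data) for a 16-byte DATA_SND packet, else None."""
    if len(pkt) != 16 or pkt[0] != DATA_SND_HEADER or not 1 <= pkt[4] <= 11:
        return None
    return pkt[1] | pkt[2] << 8 | pkt[3] << 16, bytes(pkt[5:5 + pkt[4]])

def collect_data_snd(rom: bytes, min_run: int = 2) -> dict:
    """Scan every offset for runs of >= min_run consecutive DATA_SND packets and
    merge their data into a sparse {snes_address: byte} map; the run requirement
    filters the false hits a stray 0x79 followed by a small byte would give."""
    mem, off = {}, 0
    while off + 16 <= len(rom):
        run, end = [], off
        while end + 16 <= len(rom) and (p := parse_data_snd(rom[end:end + 16])):
            run.append(p)
            end += 16
        if len(run) < min_run:
            off += 1
            continue
        for addr, data in run:
            for i, b in enumerate(data):
                mem[addr + i] = b
        off = end
    return mem

def hook_present(mem: dict, base: int, code: bytes) -> bool:
    """True if every byte of code is present in mem starting at base."""
    return all(mem.get(base + i) == b for i, b in enumerate(code))

def data_snd_packets(base: int, code: bytes) -> bytes:
    """Inverse of parse_data_snd, used only to build the constructed ROM below."""
    out = b""
    for i in range(0, len(code), 11):
        chunk, addr = code[i:i + 11], base + i
        out += bytes([DATA_SND_HEADER, addr & 0xFF, addr >> 8 & 0xFF, addr >> 16,
                      len(chunk)]) + chunk.ljust(11, b"\x00")
    return out
# Constructed sample image (not a real game): filler, the jmp 0900 hook at 00:0800
# (4C 00 09 assumed from the listing's mnemonic), the four SOU_TRN packets, filler.
SAMPLE_ROM = (bytes(range(256)) * 4 + data_snd_packets(0x0800, b"\x4C\x00\x09")
              + data_snd_packets(0x0900, SOU_TRN_HOOK) + bytes(256))
```

Running `hook_present(collect_data_snd(SAMPLE_ROM), 0x0900, SOU_TRN_HOOK)` on a real dump answers nocash's "done by WHICH games?" question without caring where in the ROM the packet table sits.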


PostPosted: Tue Oct 24, 2017 6:56 am 
nocash wrote:
But so far nobody seems to have examined if it's really having such special features & how they work exactly.


I did, back in 2010:
http://www.dforce3000.de/pub/d4s_super_gameboy_notes.pdf
This contains info on the special commands and a copy of the SGB commander manual (in Japanese).
AFAIR, the SGB commander reports with the same ID as a standard joypad, but I'd have to check again to be sure.


PostPosted: Tue Oct 24, 2017 10:14 am 
d4s wrote:
http://www.dforce3000.de/pub/d4s_super_gameboy_notes.pdf
-toggle DMG speed normal/slow/very slow:
Press shoulder buttons l,r,r,l,l,r during gameplay.
This has to be entered extremely fast in order to work.
Used by Hori Super Gameboy Commander joypad.

Good that you mention that. I've tried to enter that button sequence a dozen times some years ago, but never got it working.
Is it really possible to enter the sequence manually? Or, when saying "has to be entered extremely fast", did you mean that one would have to enter it at 50Hz/60Hz joypad reading rate?

And the SGB Commander joypad. I guess in "SFC" mode it's working just as normal, ie. the Y-button working as such. And in "SGB" mode it's issuing the above L,R,R,L,L,R sequence at that extremely fast rate when pressing Y-button?

Would be cool if you could verify the controller ID, especially with the joypad switched to "SGB" mode.


PostPosted: Tue Oct 24, 2017 12:26 pm 
Sorry to derail, but is there a site listing SGB revision differences? I couldn't find one googling.


PostPosted: Tue Oct 31, 2017 1:43 am 
Quote:
unknown when/why this is needed, and unknown which situations are triggering the conditions


Why don't we try patching the SGB emulation to reject DATA_SND patches (drop them before sending to the SGB BIOS), and see what the visible results are under emulation? Seeing the visible errors produced could help us understand the reasoning for the patches.

Quote:
there's a blog that claims that Mario's Picross uses SNES sprites on its title screen, but it turns out it's actually just displaying a border that intrudes into the GB screen area.


... wow, and here I thought that was the only game to use that command. So does that mean the SNES sprite functionality went completely unused? That's a real shame.

Quote:
And the SGB Commander joypad. I guess in "SFC" mode it's working just as normal, ie. the Y-button working as such. And in "SGB" mode it's issuing the above L,R,R,L,L,R sequence at that extremely fast rate when pressing Y-button?


The SGB Commander's special buttons basically send an extremely fast, super-human speed sequence of standard SNES controller button presses that trigger the functionality. You wouldn't be able to do it yourself by hand, as far as I recall. They seem to have been meant to sell an expensive (even to this day) additional controller.


PostPosted: Tue Oct 31, 2017 7:13 am 
sgb-bios-differences:
---
v0 vs v1:
18346 bytes changed; though main difference might be:
00:8177 --> "call+jmp" replaced by "jmp"
(thus causing all following code/addresses to be shifted by 3 bytes)
there seem to be at least some extra differences at begin/end of rom
---
v1 vs v2:
not too many differences (only 119 bytes changed)
one known difference is the additional OBJ patch
also, v2 is said to be used for "PAL" (dunno if it's really having PAL-specific changes, also possible that all versions are technically working in any region)
---
v2 vs SGB2:
2039 bytes changed in 1st 256Kbyte (plus extra 256Kbyte in SGB2)
SGB2 ROM has changed screen border, and ROM is twice as large
SGB2 PCB has extra crystal, and gameboy link-port connector


Last edited by nocash on Wed Nov 01, 2017 3:14 am, edited 2 times in total.

PostPosted: Tue Oct 31, 2017 12:42 pm 
Thanks. Mine is PAL, so I was wondering what it had and how the others differed.

