PostPosted: Wed Apr 16, 2014 5:50 pm 
Joined: Sun Apr 13, 2008 11:12 am
Posts: 6450
Location: UK (temporarily)
BennVenn wrote:
Unless the real logo is located in the flash elsewhere and it just bankswitches automatically?
Well, that's easy to check, no? I don't see the bytes 0xCE 0xED 0x66 anywhere.
BennVenn wrote:
I wonder what triggers the logo swapping.
I'd guess it switches after reading the last byte of the logo (0x0133) ... and then I'm not certain exactly what triggers swapping back. Maybe the same thing.
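The byte check mentioned above, as an added example that is not code from the thread: a Python routine that compares the 48 logo bytes at 0x104..0x133 of a dump against the Nintendo logo and recomputes the header checksum the way the boot ROM does. The sample dumps (a good header, an erased-flash read, and a half-real logo like the half-and-half picture later in the thread) are constructed here.

```python
# Added example (not from the thread): verify the 48 logo bytes at
# 0x104..0x133 of a cartridge dump and recompute the header checksum.
# The logo table is the real 48-byte Nintendo logo; the dumps are constructed.
NINTENDO_LOGO = bytes.fromhex(
    "CEED6666CC0D000B03730083000C000D0008111F8889000E"
    "DCCC6EE6DDDDD999BBBB67636E0EECCCDDDC999FBBB9333E"
)
LOGO_START, LOGO_END = 0x104, 0x134   # logo occupies 0x104..0x133
HDR_START, HDR_END = 0x134, 0x14D     # checksummed region 0x134..0x14C
HDR_CHECKSUM = 0x14D                  # header checksum byte


def logo_mismatches(rom: bytes) -> list[int]:
    """Offsets where the dump's logo bytes differ from the real logo.
    Empty list means the boot ROM's byte-by-byte compare would pass."""
    window = rom[LOGO_START:LOGO_END]
    return [LOGO_START + i for i, (a, b) in
            enumerate(zip(window, NINTENDO_LOGO)) if a != b]


def header_checksum(rom: bytes) -> int:
    """8-bit header checksum as the boot ROM computes it:
    x = x - byte - 1 over 0x134..0x14C, truncated to 8 bits."""
    x = 0
    for b in rom[HDR_START:HDR_END]:
        x = (x - b - 1) & 0xFF
    return x


def build_dump(logo: bytes, title: bytes = b"GBMAIL") -> bytes:
    """Constructed 0x150-byte dump: given logo bytes (padded with 0xFF,
    like erased flash), a title at 0x134 and a correct checksum at 0x14D."""
    rom = bytearray(0x150)
    rom[LOGO_START:LOGO_END] = logo.ljust(48, b"\xFF")
    rom[HDR_START:HDR_START + len(title)] = title
    rom[HDR_CHECKSUM] = header_checksum(rom)
    return bytes(rom)


def check_header(rom: bytes) -> dict:
    """Both checks the boot ROM applies before jumping to 0x100."""
    return {"logo_ok": not logo_mismatches(rom),
            "checksum_ok": header_checksum(rom) == rom[HDR_CHECKSUM]}


# Constructed inputs: a good header, an erased-flash read (all 0xFF), and a
# dump whose first 24 logo bytes are real and the rest blank, like the
# half-and-half logo described in the thread.
GOOD_DUMP = build_dump(NINTENDO_LOGO)
BLANK_DUMP = bytes([0xFF]) * 0x150
HALF_DUMP = build_dump(NINTENDO_LOGO[:24])
```

Run `check_header()` on a real dump to see which of the two checks a cart would fail on a stock boot ROM; `logo_mismatches()` shows exactly which bytes did not come from the real logo.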


PostPosted: Wed Apr 16, 2014 5:51 pm 
Joined: Sun Sep 19, 2004 11:12 pm
Posts: 19253
Location: NE Indiana, USA (NTSC)
If something requires an authentic Game Pak to be locked on in order to boot, it can switch to the logo on the inserted Game Pak.


PostPosted: Sat Apr 19, 2014 5:20 pm 
Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
So the logo is in the MBC. I've erased my flash and the Gameboy still boots with the correct logo. Also found out that a read to address 0150 deactivates the MBC's internal ROM. Sanqui's 2048 would not boot on my MX cart due to no jump to 0150 at startup. Sanqui added a jump to 0150 and now the ROM plays fine.

CLK is not connected so the MBC is more than likely watching the bus for a certain address read. Can't seem to replicate it with my cart reader though. Might try stepping through the Game Boy's boot ROM via my cart reader to see what activates the initial ROM swap.

I have also cut down my MX cart to fit inside a standard gamecart, however now I can't get the original MX ROM to boot. I'll double check my address lines have not detached from the sawing of the board. Odd because MegaMan2 (256 kbyte) runs fine in its entirety. My replacements should arrive after the Easter break so I'll continue investigating then.

AND!

I now have 10 spare Gamecart Reader/Writers available if anyone is interested. Get yourself one, and a Shark MX, and you have yourself a cheap Development Kit! Custom flash carts are in the works. Check out http://www.bennvenn.com for details.



PostPosted: Sat Apr 19, 2014 5:26 pm 
Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
Quote:
I'd guess it switches after reading the last byte of the logo (0x0133) ... and then I'm not certain exactly what triggers swapping back. Maybe the same thing.

Just tried a read of a blank cart, before and after a read from 0x0133. Still reading 0xFFs. Even after a few consecutive cart dumps, still 0xFFs. So it's looking for a particular sequence of events. OR perhaps a defined delay between one read and another (the MBC does have an xtal strapped to the side of it), which I just noticed has lost a leg!

Edit:

Replaced the 4 MHz xtal with a 4.9152 xtal borrowed from the si2400 IC. And this is the result!


Half Flash logo header, and half the MBC's Nintendo header... Must have an internal counter activated at the first bus RD, swapping in the legit ROM after a number of cycles. Cool.


PostPosted: Sat Apr 19, 2014 6:25 pm 
Joined: Sun Apr 13, 2008 11:12 am
Posts: 6450
Location: UK (temporarily)
Random thoughts that come to mind:
Have you tried dumping the MBC1's internal boot ROM? Is there anything interesting in it? (Or just the Nintendo logo?)
Do writes to any address below 0x3F00 do anything?
Given that the logo is half-and-half, it's gotta be timed from something earlier than the first fetch from 0x104, because 4MHz vs 5MHz isn't big enough. But to calculate how far back the timing should be, I'd have to understand how the logo is compressed...


PostPosted: Sat Apr 19, 2014 6:36 pm 
Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
Haven't tried dumping the internal ROM. I'd need to write some code on my reader to find out the timing specifics. I'd say it's just the logo stored on it though. What is interesting is that when booted on my GB Pocket, even less of the GBMail logo is displayed. Looks like maybe 4 or 5 tiles from top left running right. This must mean the Pocket runs a different boot ROM. Must take up more clock cycles before it gets around to interrogating the cart.

Any writes below 0x3F00 are passed directly through the MBC to the Flash. Not to say that it isn't modifying any internal registers, but there is no sign of any output from the MBC.

Is a read from 0x0104 the first time the cart bus is accessed?

I wonder if I force a reset via the RST line while the cart is on, if I'll get the same messed up logo or purely a Nintendo logo.


PostPosted: Sat Apr 19, 2014 8:07 pm 
Joined: Sun Apr 13, 2008 11:12 am
Posts: 6450
Location: UK (temporarily)
BennVenn wrote:
Is a read from 0x0104 the first time the cart bus is accessed?
In the original DMG, yes. Everything before that in the DMG bootstrap is clearing VRAM and sound registers. (0x0104 is the first byte of the copyright-used-as-licensing logo.) I can't trivially find anyone else's analysis of the later bootstraps, though, to compare.

Kinda fun to build your own replacement logo, although how much of it shows depends on which exact GB you're using.


PostPosted: Sat Apr 19, 2014 8:17 pm 
Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
I was just reading through the dump of the GB's ROM. Looks like right from the start there is a write to $9FFF. Correct me if I'm wrong (haven't investigated) but this should be apparent on the cart bus? Or at least the /WR activity? Looks like a good point to start an internal timer.

The original MX cart with the 4 MHz xtal booted fine on GB, GB Pocket and GBC. Need to go find a 4 MHz SMD xtal to restore it to the way I found it...

Looks like I'm going to try to dump the GB Pocket's boot ROM...


PostPosted: Sat Apr 19, 2014 8:23 pm 
Joined: Sun Apr 13, 2008 11:12 am
Posts: 6450
Location: UK (temporarily)
BennVenn wrote:
Correct me if I'm wrong (haven't investigated) but this should be apparent on the cart bus? Or at least the /WR activity? Looks like a good point to start an internal timer.
Well, it writes to the entire area from $8000-$9fff. But I don't know what the protection register does: it could be as simple as just disabling the /RD strobe as seen by the cartridge... but it has to disable the data bus also, otherwise we wouldn't have needed to glitch it to get the bootstrap ROM out.


PostPosted: Sun Apr 20, 2014 1:03 am 
Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
Good news is I've ripped the bootstrap ROM from the MGB - and it only took an afternoon!

Bad news is that it is almost identical to the DMG ROM, with the exception of the final write to 0xFF50.

http://www.bennvenn.com/MGB.ROM

So if that is not the reason behind the difference between the two consoles, what is?


PostPosted: Sun Apr 20, 2014 2:26 am 
Joined: Sun Apr 13, 2008 11:12 am
Posts: 6450
Location: UK (temporarily)
BennVenn wrote:
So if that is not the reason behind the difference between the two consoles, What is?
The only remaining variable I can think of is things like power-on-reset timers... if the DMG starts executing the bootstrap a little earlier than the MGB (relative to when the 4MHz crystal's counter starts), then it will get just enough further into uploading the graphics before it's disabled.


PostPosted: Sun Apr 20, 2014 2:36 am 
Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
I'll piggyback a cap onto the reset line to see if it makes a difference.

Edit:

And it does, 10 µF begins to reverse the effect, we have 3 tiles Nintendo, and the bulk of it GBMAIL. So simply timing bank swapping from the /RST line is enough to fool the boot ROM.

While my DMG is open, might try to get the ROM out of that too.

Edit again:

Well that was easy, within seconds, DMG Bootstrap ROM...


PostPosted: Sun Apr 20, 2014 6:20 am 
Joined: Sun Sep 19, 2004 11:12 pm
Posts: 19253
Location: NE Indiana, USA (NTSC)
And then Sega v. Accolade destroyed Nintendo's little scheme. By early 1993, such circumventions of the trademark security system were no longer strictly necessary in the USA. Besides, the "Nintendo" logo is shown on the box. This would leave the reasonable user to believe that the logo identifies the maker of the hardware. It took until the 2004 release of the Nintendo DS for Nintendo to come up with something with slightly more legal teeth.

