
Thread: Disassembling the GBC Boot ROM.

  1. #1

    Disassembling the GBC Boot ROM.

    Some time ago, the Boot ROM of the Gameboy Color was dumped. This was the first successful attempt after several failed attempts over the past 10 years. When it was put online, somebody did try to make a disassembly of it; however, that disassembly is not complete and rather badly commented/organized. That's why I am trying to make a more readable disassembly of the ROM myself.

    For those of you who have seen the original GB boot ROM disassembly, it seems rather simple. In the case of the original GB, it's in fact simple because it is made to only support GB games, hence no checks to see if the game has support for certain functions that appeared afterwards. The GBC boot code is ten times more complex, because it has to keep backwards-compatibility with GB games, SuperGB games, GBPocket games, partially colored GB games, and GBC games. In addition, the boot code also has a routine for selecting the palette for certain GB games, and the startup-screen, which is far more complex than the startup-screen of the original GB.

    One odd thing is that it seems to contain some kind of database. What it does is that if the License within the header of the inserted cartridge equals 01, it calculates the sum of the title (also within the header) and looks it up in a table with 78 entries. If it is found, its offset into the table is in most cases used as a pointer into a final table. In a few other cases, the 4th character of the title is compared with 2 or 3 different characters from a third table before settling on a pointer to the final table. The final value returned is used when setting up the palette for original GB games. I have posted the tables below:
    Code:
    Explanation:
    "Checksum" is the sum of the 16 bytes making up the title.
    "Compare" is what the 4th byte of the title is compared to, in the cases where it is compared.
    "C" is the pointer into the final table.
    
    How to use the tables:
    First find the sum of the title stored in the game cartridge.
    Look it up in the table of checksums.
    If the value in the table doesn't have a "v" under itself, find the C number corresponding to the table offset.
    If there is a "v", compare the 4th byte of the header with the two or three values in the column below the "v", and find the corresponding C number.
    Look up the value with the offset of C in the final table.
    The lower 5 bits of this value are stored in $D008, the upper 3 bits are rotated 3 to the left and stored in $D00B.
    
    ----------
    
    Anything not listed:                                                       C = 00
    
    Checksum:	db $00,$88,$16,$36,$D1,$DB,$F2,$3C,$8C,$92,$3D,$5C,$58,$C9 C = 00 -> 0D
    Checksum:	db $3E,$70,$1D,$59,$69,$19,$35,$A8,$14,$AA,$75,$95,$99,$34 C = 0E -> 1B
    Checksum:	db $6F,$15,$FF,$97,$4B,$90,$17,$10,$39,$F7,$F6,$A2,$49,$4E C = 1C -> 29
    Checksum:	db $43,$68,$E0,$8B,$F0,$CE,$0C,$29,$E8,$B7,$86,$9A,$52,$01 C = 2A -> 37
    Checksum:	db $9D,$71,$9C,$BD,$5D,$6D,$67,$3F,$6B                     C = 38 -> 40
    
    Checksum:	db $B3,$46,$28,$A5,$C6,$D3,$27,$61,$18,$66,$6A,$BF,$0D,$F4
                        v   v   v   v   v   v   v   v   v   v   v   v   v   v
    Compare:	db $42,$45,$46,$41,$41,$52,$42,$45,$4B,$45,$4B,$20,$52,$2D C = 41 -> 4E
    Compare:	db $55,$52,$41,$52,$20,$49,$4E,$41,$49,$4C,$49,$43,$45,$20 C = 4F -> 5C
    Compare:	db $52                                                     C = 5D
    
    
    Final table:	db $7C,$08,$12,$A3,$A2,$07,$87,$4B,$20,$12,$65,$A8,$16,$A9 C = 00 -> 0D
    		db $86,$B1,$68,$A0,$87,$66,$12,$A1,$30,$3C,$12,$85,$12,$64 C = 0E -> 1B
    		db $1B,$07,$06,$6F,$6E,$6E,$AE,$AF,$6F,$B2,$AF,$B2,$A8,$AB C = 1C -> 29
    		db $6F,$AF,$86,$AE,$A2,$A2,$12,$AF,$13,$12,$A1,$6E,$AF,$AF C = 2A -> 37
    		db $AD,$06,$4C,$6E,$AF,$AF,$12,$7C,$AC,$A8,$6A,$6E,$13,$A0 C = 38 -> 45
    		db $2D,$A8,$2B,$AC,$64,$AC,$6D,$87,$BC,$60,$B4,$13,$72,$7C C = 46 -> 53
    		db $B5,$AE,$AE,$7C,$7C,$65,$A2,$6C,$64,$85                 C = 54 -> 5D
    Last edited by per; January 30th, 2010 at 06:15 PM.
    Current systems owned by me:
    Vintage:IBM PC/XT submodel 087 ( 1983 ), [Kon]tiki-100 rev. C (1983), Compaq Portable I ( 1984 ), IBM PC/XT submodel 078 ( 1985 ), IBM PC/XT286 ( ~1986 ), 3x Nintendo Entertainement Systems ( 1987 ).
    Obsolete:Commodore A500 ( ~1990 ), IBM PS/2 model 70/386 type 8570-161 ( 1991 ), Atari Lynx II ( ~1992 ), Generic Intel 486SX PC ( ~1993 ), AT/T Globalyst Pentium w/FDIV bug MB ( 1994 ), Compaq 486DX4 laptop ( ~1995 ).

  2. #2


    I've finally figured out what the numbers in the table mean. They are used to select which palette is to be used.

    The lower 5 bits of the byte derived from the final table are used as a pointer to an entry in a palette index table. Each entry in this index table refers to three different 8-byte (4 color) palettes in a big table containing raw palette data; I have named them palette a, palette b, and palette c. There are a total of 28 entries in this table.

    The upper 3 bits are used to determine which of palette a/b/c to store where. Here is a table:

    Code:
    __0: OBJ0 = Palette c
    __1: OBJ0 = Palette a
    00_: OBJ1 = Palette c
    01_: OBJ1 = Palette a
    10_: OBJ1 = Palette b
    ___: BG0  = Palette c
    In other words:
    OBJ0 can be Palette a or c
    OBJ1 can be Palette a, b or c
    BG0 can only be Palette c

    Conclusion:
    So what this piece of code actually does is to:
    1. Determine if the game actually is from Nintendo.
    2. Identify the game based on the sum of the title, and eventually on the 4th character if more than one game has the same sum.
    3. Look up palette details based on the game ID.
    4. Generate palettes for OBJ0, OBJ1 and BG0 based on the palette details.


    This thus proves that many older Nintendo games got preset palettes built into the boot code of the GBC. In fact, according to the table of palette details, the exact number of games is 93 (not including "default"). However, it should be noted that several of those actually use the same palette details as the default palette.
    Last edited by per; February 1st, 2010 at 03:27 AM.
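    The lookup described in post #1 ("How to use the tables") and the bit split from post #2, as an added example in Python. This is not the boot ROM's code and not code from the poster; the three tables are transcribed from post #1, the a/b/c assignment from post #2's table. Two things are assumptions made here rather than statements on the page: a listed checksum whose 4th title byte matches none of its compare entries falls back to the default C = 00, and the title sum wraps to 8 bits. The sample titles are constructed (the second one sums to $43, the value post #5 mentions).

```python
"""Palette lookup from posts #1 and #2 of this thread (added example, not
the boot ROM's code). The three tables are transcribed from post #1; the
rules are the ones the posts describe. What the ROM does when a listed
checksum's 4th title byte matches none of its compare entries is not
stated on the page, so this code ASSUMES it falls back to the default C = 00.
"""

# Title checksum table in post order. Offsets 0..64 map directly to
# C = offset; offsets 65..78 have a "v" under them and need the 4th byte.
CHECKSUMS = bytes([
    0x00, 0x88, 0x16, 0x36, 0xD1, 0xDB, 0xF2, 0x3C, 0x8C, 0x92, 0x3D, 0x5C, 0x58, 0xC9,
    0x3E, 0x70, 0x1D, 0x59, 0x69, 0x19, 0x35, 0xA8, 0x14, 0xAA, 0x75, 0x95, 0x99, 0x34,
    0x6F, 0x15, 0xFF, 0x97, 0x4B, 0x90, 0x17, 0x10, 0x39, 0xF7, 0xF6, 0xA2, 0x49, 0x4E,
    0x43, 0x68, 0xE0, 0x8B, 0xF0, 0xCE, 0x0C, 0x29, 0xE8, 0xB7, 0x86, 0x9A, 0x52, 0x01,
    0x9D, 0x71, 0x9C, 0xBD, 0x5D, 0x6D, 0x67, 0x3F, 0x6B,
    0xB3, 0x46, 0x28, 0xA5, 0xC6, 0xD3, 0x27, 0x61, 0x18, 0x66, 0x6A, 0xBF, 0x0D, 0xF4,
])
FIRST_AMBIGUOUS = 65  # offset of $B3, the first checksum with a "v" under it

# Compare values for the 4th title byte. For "v" column i the candidates are
# COMPARE[i], COMPARE[i + 14] and (column 0 only) COMPARE[28]; a hit at
# compare offset k gives C = $41 + k, matching "C = 41 -> 4E / 4F -> 5C / 5D".
COMPARE = bytes([
    0x42, 0x45, 0x46, 0x41, 0x41, 0x52, 0x42, 0x45, 0x4B, 0x45, 0x4B, 0x20, 0x52, 0x2D,
    0x55, 0x52, 0x41, 0x52, 0x20, 0x49, 0x4E, 0x41, 0x49, 0x4C, 0x49, 0x43, 0x45, 0x20,
    0x52,
])
COMPARE_BASE_C = 0x41

# Final table, indexed by C ($00..$5D).
FINAL = bytes([
    0x7C, 0x08, 0x12, 0xA3, 0xA2, 0x07, 0x87, 0x4B, 0x20, 0x12, 0x65, 0xA8, 0x16, 0xA9,
    0x86, 0xB1, 0x68, 0xA0, 0x87, 0x66, 0x12, 0xA1, 0x30, 0x3C, 0x12, 0x85, 0x12, 0x64,
    0x1B, 0x07, 0x06, 0x6F, 0x6E, 0x6E, 0xAE, 0xAF, 0x6F, 0xB2, 0xAF, 0xB2, 0xA8, 0xAB,
    0x6F, 0xAF, 0x86, 0xAE, 0xA2, 0xA2, 0x12, 0xAF, 0x13, 0x12, 0xA1, 0x6E, 0xAF, 0xAF,
    0xAD, 0x06, 0x4C, 0x6E, 0xAF, 0xAF, 0x12, 0x7C, 0xAC, 0xA8, 0x6A, 0x6E, 0x13, 0xA0,
    0x2D, 0xA8, 0x2B, 0xAC, 0x64, 0xAC, 0x6D, 0x87, 0xBC, 0x60, 0xB4, 0x13, 0x72, 0x7C,
    0xB5, 0xAE, 0xAE, 0x7C, 0x7C, 0x65, 0xA2, 0x6C, 0x64, 0x85,
])

# Post #2's table for the upper 3 bits: bit 0 picks OBJ0, bits 2..1 pick OBJ1.
OBJ1_CHOICE = {0b00: "c", 0b01: "a", 0b10: "b"}  # 11 is not listed in the post


def title_checksum(title: bytes) -> int:
    """Sum of the 16 title bytes, kept to 8 bits (assumed to wrap like the CPU's add)."""
    if len(title) != 16:
        raise ValueError("the title field is exactly 16 bytes")
    return sum(title) & 0xFF


def lookup_c(title: bytes) -> int:
    """Post #1's 'How to use the tables', returning the pointer C."""
    offset = CHECKSUMS.find(bytes([title_checksum(title)]))
    if offset < 0:
        return 0x00                      # "Anything not listed: C = 00"
    if offset < FIRST_AMBIGUOUS:
        return offset                    # no "v": C is the table offset
    column = offset - FIRST_AMBIGUOUS
    for k in (column, column + 14, column + 28):
        if k < len(COMPARE) and COMPARE[k] == title[3]:
            return COMPARE_BASE_C + k
    return 0x00                          # assumption: no compare hit -> default


def decode_palette_byte(value: int) -> dict:
    """Split a final-table byte into the $D008 / $D00B values and the
    palette a/b/c assignment from post #2."""
    d008 = value & 0x1F          # lower 5 bits: entry in the 28-entry index table
    d00b = (value & 0xE0) >> 5   # upper 3 bits rotated left by 3 land in bits 2..0
    obj1_bits = (d00b >> 1) & 0b11
    if obj1_bits not in OBJ1_CHOICE:
        raise ValueError("OBJ1 selector 11 is not defined by the post")
    return {"D008": d008, "D00B": d00b,
            "OBJ0": "a" if d00b & 1 else "c",
            "OBJ1": OBJ1_CHOICE[obj1_bits],
            "BG0": "c"}


def select_palette(title: bytes, old_licensee: int) -> dict:
    """Whole procedure: the lookup only runs for licensee 01 (post #1);
    any other licensee gets the default entry."""
    c = lookup_c(title) if old_licensee == 0x01 else 0x00
    info = decode_palette_byte(FINAL[c])
    info["C"] = c
    return info


if __name__ == "__main__":
    # Constructed titles: the first sums to $43, the second hits the
    # three-candidate "v" column ($B3 with 4th byte $52).
    for name, title in (("sum 43h", bytes([0x43]) + bytes(15)),
                        ("sum B3h, 4th byte 52h", bytes([0, 0, 0, 0x52, 0x61]) + bytes(11))):
        print(name, select_palette(title, 0x01))
```

    Scanning FINAL shows no entry with all three upper bits set, so the OBJ1 selector 11 that post #2 leaves out never occurs with these tables; the ValueError is only there to make that explicit.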

  3. #3


    What CPU is the GBC using? I've always loved doing things like this, but could only ever disassemble on x86 machines...
    I'm surprised that after all these years, no one else has worked on doing this. I think the world of emulation just got a bit better!

  4. #4


    Originally Posted by hargle:
        What CPU is the GBC using? I've always loved doing things like this, but could only ever disassemble on x86 machines...
        I'm surprised that after all these years, no one else has worked on doing this. I think the world of emulation just got a bit better!
    Well, the GBC and the original GB use a variation of the Z80 CPU, but some of the instructions have been changed/removed. There is lots of information on this online.

    The reason nobody has been able to dump the GBC boot code before this fall is because it is locked out of the memory-map before custom code can be run. Since the ROM is located within the CPU IC, you can't just connect a ROM-dumper to it either. They managed to dump the original GB boot code almost 10 years ago by using a microscope and certain etching solutions, but the GBC uses NAND-based ROM where this procedure doesn't work.

    However, this fall somebody came up with the great idea of playing around with the clock input before the lockout instruction was reached, thus confusing the CPU to a degree where it just skipped the instruction. This way custom code could be run while the boot code was still mapped in memory.

    They have added support for the Boot-code in MESS, but it's currently the only emulator supporting it. This gives MESS a much closer-to-reality emulation of the games since the palettes are just as they are on a real GBC, in comparison to the grayscale emulation in all other emulators.

  5. #5


    I'm just done with the disassembling and analysis of the code. It's really amazing how much they could actually fit within 1Kb.

    So, here is the boot process:
    1. Setup stack
    2. Initialize system (clear memory and turn sound-system on)
    3. Load old welcome splash (Load the "Nintendo" logo from the cartridge and store a 2x scaled version in video-RAM bank 0 at object 01h -> 0Ch for upper row and object 0Dh -> 18h for lower row. Load the "(R)" symbol to video-RAM bank 0 at object 19h).
    4. Load new welcome splash (Load the "GAME BOY" logo into video-RAM bank 1 (object 08 -> 17 for upper row, object 18 -> 27 for middle row and object 28 -> 37 for lower row) after scaling it 2x vertically. Load and translate the "Nintendo" logo unscaled into video-RAM bank 1 object 38 -> 3D. Load the (R) symbol to video-RAM bank 1 object 3E.)
    5. Map new welcome splash (assign the "GAME BOY" logo a palette making it the same color as used on the general background, and map it on the screen).
    6. Setup palettes to use during the welcome splash.
    7. Identify game (using the title checksum and eventually the 4th character).
    8. Get specific palette for that game, else get default palette.
    9. Turn on LCD and run welcome splash (At one point, map the "Nintendo(R)" part, then reassign palettes to certain mapped objects in a certain way to get the "uncovering" effect, at last play two sounds). While running the welcome splash, if a non-GBC game is used, the keypad will also be checked. If a valid key combination is found, new palettes will be setup for the next frame of the welcome splash, and new palettes will be gotten for in-game use. In addition, there will be an eventual short delay added on the last frame (the last frame is being repeated) if the keypress was done toward the end of the animation, and during this delay, another valid keypress can be done causing the delay to reset.
    10. Check the first half of the logo in the game-cartridge, halt if incorrect.
    11. Check general header checksum, halt if incorrect.
    12. White out the display by increasing the color-components of all palettes and reset data and maps in video-RAM bank 1, but only maps in video-RAM bank 0. The resets are done using DMA.
    13. Set system mode: if the GBC flag is set in the header, just write 80h to port FF4Ch; if the GBC flag is not set, write 04h to port FF4Ch and 01h to FF6Ch, then load palettes for use in-game, test if the game is one of two different titles, and if so, map the original scaled "Nintendo(R)" logo on the screen for compatibility.
    14. Write 11h to port FF50h to lock out the code from the memory-map.

    I only know one of the games that needs the original-style logo mapped, and that's "X - Xekkusu". When it starts, it takes whatever is mapped to the screen and adds "Presents" under it, then it blanks out the display. When running in a regular emulator, it just starts by saying "Presents", but while using the boot rom (and the emulator supports it), it then says "Nintendo(R) Presents". I don't know the other game that does this, but its 16-byte title field (in the header) sums up to 43h.
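    The halt checks and mode-select writes of steps 10, 11, 13 and 14 in the boot sequence above, as an added Python example (not the boot ROM's code and not the poster's). The cartridge image it works on is constructed inside the block. The 48 logo bytes and the header-checksum formula (x = x - byte - 1 over $0134..$014C, compared with $014D) are the publicly documented cartridge-header ones, not values quoted in the post; reading "GBC flag set" as bit 7 of $0143 is an assumption made here. It deliberately corrupts a byte in the second half of the logo to show that only the first half is checked, as the post states.

```python
"""Cartridge-header checks from the boot sequence in post #5 (added example,
not the boot ROM's code). Reads a constructed cartridge image, runs the two
halt checks (steps 10 and 11) and derives the port writes of steps 13 and 14.
The logo bytes and the checksum formula are the publicly documented
cartridge-header ones; treating "GBC flag set" as bit 7 of $0143 is an
assumption made here.
"""
from __future__ import annotations

# The 48 logo bytes stored at $0104..$0133 (public cartridge-header documentation).
NINTENDO_LOGO = bytes.fromhex(
    "CEED6666CC0D000B03730083000C000D"
    "0008111F8889000EDCCC6EE6DDDDD999"
    "BBBB67636E0EECCCDDDC999FBBB9333E"
)


def check_logo_first_half(rom: bytes) -> bool:
    """Step 10: the post says only the first half of the logo is checked."""
    return bytes(rom[0x104:0x104 + 24]) == NINTENDO_LOGO[:24]


def header_checksum(rom: bytes) -> int:
    """Step 11: x = x - byte - 1 over $0134..$014C, kept to 8 bits."""
    x = 0
    for b in rom[0x134:0x14D]:
        x = (x - b - 1) & 0xFF
    return x


def check_header_checksum(rom: bytes) -> bool:
    """The stored checksum byte at $014D must match the computed one."""
    return header_checksum(rom) == rom[0x14D]


def mode_select_writes(rom: bytes) -> list[tuple[int, int]]:
    """Step 13: (port, value) pairs, chosen by the GBC flag at $0143."""
    if rom[0x143] & 0x80:                         # assumption: bit 7 is the flag
        return [(0xFF4C, 0x80)]
    return [(0xFF4C, 0x04), (0xFF6C, 0x01)]


def boot_checks(rom: bytes) -> dict:
    """Steps 10, 11, 13 and 14 in the post's order; stops at the first halt."""
    if not check_logo_first_half(rom):
        return {"halt": "logo"}
    if not check_header_checksum(rom):
        return {"halt": "header checksum"}
    title = rom[0x134:0x144]                      # the 16-byte title field
    return {
        "halt": None,
        "title_sum": sum(title) & 0xFF,           # input to post #1's lookup
        "old_licensee": rom[0x14B],               # must be 01 for that lookup
        "writes": mode_select_writes(rom) + [(0xFF50, 0x11)],  # step 14 last
    }


def build_cartridge(title: bytes, cgb_flag: int, old_licensee: int) -> bytearray:
    """Constructed test image: 0x150 bytes with a valid logo and a header
    checksum computed to match, so boot_checks() can be exercised offline."""
    rom = bytearray(0x150)
    rom[0x104:0x134] = NINTENDO_LOGO
    rom[0x134:0x144] = title.ljust(16, b"\x00")[:16]
    rom[0x143] = cgb_flag                         # shares the last title byte
    rom[0x14B] = old_licensee
    rom[0x14D] = header_checksum(rom)
    return rom


if __name__ == "__main__":
    print(boot_checks(build_cartridge(b"TEST", 0x80, 0x01)))
    broken = build_cartridge(b"TEST", 0x00, 0x01)
    broken[0x14D] ^= 0xFF                         # corrupt the stored checksum
    print(boot_checks(broken))
    half = build_cartridge(b"TEST", 0x00, 0x01)
    half[0x130] ^= 0x01                           # second half of the logo: not checked
    print(boot_checks(half))
```

    Because the checksum range stops at $014C, a corrupted byte in the second half of the logo passes both checks, which is exactly why the post's step 10 wording matters for anyone writing a header validator.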
