if you need help with disassembling and understanding the BIOS ROM itself, let me know and I'll be glad to help out.
That would be great!
I am not a romhacker by any means, and so therefore often get side tracked trying to understand some code that turns out not to even be useful. Years back when I looked into this, my goal was to understand the protocals and write an XBand server for the fun of it. That didn't get finished, and I definitely don't have time to try that again. Sure I'd love to understand how everything works, but goals now are more along the line of:
1) figure out how to bypass connecting to the server and jump straight to being setup to play and "waiting for opponent" (supposedly, if the server couldn't find you anyone to play with immediately it would just hang up and tell you to wait and then have another player's modem call you directly ... so figuring out how to force this "wait for opponent" mode would be great)
2) figure out where the patches are, and how they work
(Actually, according to this
http://saturnleague.com/board/viewtopic.php?p=1032#1032 , if you get step 1, you can already play games with people for reliving the fun and awe of this amazing engineering feat.)
In case it would be useful, I made some small rom hacks to allow Sleuth to consider "Super Mario Cart" or "Weaponlord" or "nothing" is attached in the external cartridge slot.
As for looking at the code:
This is one of the rare SNES programs that was written in C. All the stack frames and local variables take a bit getting used to. Also, they wanted to be able to update the system as the service grew. So there is a "dispatch system" which sends many requests through tables in the SRAM... this allows the operating system to be easily updated. (It also let us easily enumerate what they felt were common/important routines.)
The XBand also has a built in "debugger" (really just a kind of memory viewer) that I can show anyone how to activate if they'd like to play with the memory map on the real system and don't have a copier. (Actually, anyone with an XBand and working SNES can probably help out here, I can explain what to do if you have no technical experience ... it's just reading, recording, and comparing many things on the screen.) This device is like an ultra-game genie with a modem attached. The direct modem access is obvious given the datasheet and memory map, but I haven't figured out even the base features of the "patcher" part yet, but hopefully that will come later.
Here's my current understanding of the memory map to help out a bit:
bank $E0.... 64kBytes of SRAM (battery backed)
banks $E1-$FA.... mirror of bank $E0
bank $FB
0000-BFFF ... mirror of bank $E0
C000-C1FF
even and odd addresses are equivalent
C0F8 ........unknown register
C0FA ........unknown register
C108 ........unknown register (deals with card register, bit0 = card insterted)
C110 ........unknown register (changing rapidly)
C112 ........unknown register (changing rapidly)
C130 ........unknown register (changing rapidly)
C138 ........unknown register (changing rapidly)
C140 ........unknown register
C168 ........unknown register
C180-C1BF ...modem registers
C1C0-C1FF ...modem registers
all addresses in this range not listed return FF
(if a register is write only, or defaults to FF, I probably
passed it up in this test)
C200-C3FF - same as C000-C100
C400-C5FF - "
C600-C7FF - "
... etc
FA00-FBFF - "
FC00-FDFF - this is all FF's
FE00-FFFF - this is all FF's
banks $FC-$FF ... mirror of bank $E0
--------------
the lower banks $60-$7D mirror bank $E0
everything else appears as normal
For those wanting to follow the code even tighter, the modem is a RC2424DPL, and datasheets are available online. Be wary that, due to how everything is wired up, there probably is a FIFO for transferring data once the connection gets going... I don't know which regs these are. (Setup stuff all uses direct modem access though.)
One important thing I learned while pin mapping is that the controller chip does not use the A0 address line, and controls all other address lines to the ROM and SRAM. So it can't "trigger" patching on an opcode (sort of like game doctor sf7), but instead probably maps in whole sections of SRAM after certain address triggers. I was told by an employee of Catapult that they remember the device being able to handle 16 such trigger points or regions or however this thing works. They used the word vector so I'm guessing specific addresses trigger it, but who knows for sure.
The code usually only uses banks $00, $Dx,$E0 and stuff in $FB:C000-C1FF.
I've recently ran across across it writing to stuff at $004fxx, $FFC000, and $FB:FExx ... no idea at the moment.
For the hardware curious, here's an example of controlling mapping the cartridge in, copying some data to identify the cartridge later, and then returning to the normal mapping (this is all ran from WRAM):
Leaving out all the fluff
.8bit
$fbc070 = #$00
$fbc074 = #$00
$fbc072 = #$78
$fbfe00 = #$08
$fbc0da = #$80
lda $00f000 ; ??? not used
*I assume, Now we have cartridge mapped into $00:8000-$00:FFFF
copy 00:ffb0-00:ffdf to 7f:00b4
lda $00ffe0 ;?? not used
*I assume, Now we've returned to bios mode??
$004f02 = #$19
$fbc0da = #$00
.16bit
lda $00fff8
sta $001061 ;<--- in current traces at least, it is not used
.8bit
$fbc0e0 = #$FF
$fbc0f0 = #$FF
$ffc000 = #$01
lda $00f000 ;not used <-- maybe this returns us to normal maping?
return
Notice:
24bit pointer $fbc070 = #$007800 = #$00F000 / 2 (because no A0 line)
Of course that may just be a conincidence.
If it somehow becomes important to understand the communication protocal, I can explain what I've learned so far. (There can be an initial identification transaction, and then everything after that uses a kind of packet system which has a couple layers... I understand the base layers okay, but it gets fuzzy after that.) There is also a way, with a button sequence, to go to a "service mode" which waits for incoming calls for diagnostics. That may be another means to figure out the protocal if necessary.
RHDN Forum Archive
Author