User:Andlabs/68000 ROM guide

This should go in Guides but I'm not sure where

This should probably be split into a master console-agnostic 68000 guide and a console-specific guide

Most, if not all, game systems that use the MC68000 as a main CPU run the game as a 68000 boot ROM, meaning you'll need to understand how a 68000 boot ROM is laid out. After the boot ROM, games will usually have a console-specific header that could also be interpreted (for instance, in the Neo-Geo's case, the four entry points to the game program are here).

All address ranges given are inclusive.

68000 Interrupts/Errors
Unlike many early CPUs, the MC68000 allows systems to catch a load of different possible errors. They are:
 * Bus Error: This gets raised when something happens with the system buses (connecting all the components of the system board, NOT in the 68000 itself) that causes an external device to assert the 68000's /BERR line.
 * Address Error: This gets raised when attempting to make a word or longword access (including fetching an instruction) from an odd address.
 * Illegal Instruction: Self-explanatory. For opcodes whose first nibble is either $A (1010) or $F (1111), see below.
 * Divide by Zero: Self-explanatory.
 * CHK: This gets raised by the chk instruction if it fails. The chk instruction performs bounds-checking: it raises this interrupt if the register to check (destination operand) is either less than zero or greater than the upper bound (source operand).
 * TRAPV: This gets raised by the trapv instruction. The trapv instruction does nothing but check if the overflow flag (V) in ccr is set; if it is, this interrupt is raised.
 * Privilege Violation: This gets raised when a user-mode program (such as software on a computer) tries to execute supervisor-level instructions, such as accessing sr.
 * Trace: This gets raised by external debuggers.
 * Line 1010 Emulator: This gets raised when an opcode whose first nibble is $A (1010) is executed. It's meant for user programs of 68000-based computers to perform system calls; the Macintosh system does this, for instance. It isn't useful on console games (though some games, such as Star Cruiser on Genesis, define their own).
 * Line 1111 Emulator: This gets raised when an opcode whose first nibble is $F (1111) is executed. These opcodes are reserved for later M68000 family CPUs that can interface with coprocessors (like FPUs and MMUs). Most games built for MC68000-based systems don't use this (though there are exceptions, such as Twinkle Tale on Genesis), though the "Emulator" implies that the exception is meant for emulating the external hardware.
 * Spurious Interrupt: This gets raised when the system receives an interrupt trigger but the interrupting device has not properly set up the MC68000 for an interrupt (TODO elaborate; something about triggering a bus error at the same time?)

The 68000 Vector Table
The first $100 bytes of a ROM (at location $0) are split into 64 longword pointers to code. These are usually the target the CPU goes to in the case of an error.

ADDRESS    DESCRIPTION
$00        initial stack pointer
$04        entry point
$08        bus error handler address
$0C        address error handler
$10        illegal instruction handler
$14        division by zero handler
$18        CHK instruction handler
$1C        TRAPV instruction handler
$20        privilege violation handler
$24        trace handler
$28        line 1010 emulator handler
$2C        line 1111 emulator handler
$30...$5C  reserved for future M68000 CPUs
$60        spurious exception handler
$64        IRQ 1 handler; called when an IRQ level 1 is triggered
$68...$7C  IRQ 2...7 handlers
$80        trap #0 handler; called when trap #0 is executed
$84...$BC  trap #1...#$F handlers
$C0...$FC  reserved for future use

IRQs
Only three IRQs are used on the Genesis.

IRQ   ADDRESS  DESCRIPTION
IRQ2  $68      Used for external devices, like the Mega Modem, that plug into the DE-9 port on the back of Model 1 Mega Drives.
IRQ4  $70      Horizontal blank handler.
IRQ6  $78      Vertical blank handler.

ROM Header
This ROM header, which starts at $100, is purely for documentation purposes (though game code does look here for the checksum and region information). Each field is padded with spaces (ASCII $20).

OFFSET     SIZE  DESCRIPTION
$100-$10F        the console ID as a string; "SEGA MEGA DRIVE ", for instance. The "SEGA" at the start is the only mandatory part of the header.
$110-$11F        copyright information; it usually consists of the publisher code and either the build or release date
$120-$14F        the game's domestic (Japanese) name, usually as a Shift-JIS string
$150-$17F        the game's international name. Some games (e.g. Sonic the Hedgehog) split these two name fields into tuples of three 16-byte strings
$180-$18D        the game's type code, serial number, and version (usually)
$18E       word  the game's checksum
$190-$19F        peripheral support, one character per peripheral
$1A0       long  the ROM start address (0)
$1A4       long  the ROM end address (the byte where it ends, so $FFFFF for a 1MB ROM)
$1A8       long  the RAM start address ($FF0000)
$1AC       long  the RAM end address ($FFFFFF)
$1B0       long  save RAM flags, or $20202020 (four ASCII spaces) if no save RAM
$1B4       long  save RAM start, or $20202020 (four ASCII spaces) if no save RAM
$1B8       long  save RAM end, or $20202020 (four ASCII spaces) if no save RAM
$1BC-$1C7        modem information (if the game uses the Mega Modem)
$1C8-$1EF        "notes"? typically blank
$1F0-$1FF        allowed regions; most games use a string of J, U, or E, but later games use an ASCII-encoded hex bitfield (so F -> 1111 -> all regions)

Only exceptionally is there anything really notable in this header (Super Hang-On, for instance).
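As an added example (not code from the original page), the following parser reads the vector table and the Genesis header laid out above from a constructed 8 KiB image, and cross-checks the fields a tool should not trust blindly: the "SEGA" ID, the declared ROM end against the actual image size, and every vector against the even-address rule and the declared ROM/RAM ranges. All addresses and strings in the sample image are made up.

```python
import struct

# Constructed 8 KiB Genesis-style image (not a real game): vector table at $0,
# header at $100, entry point and every handler pointing at a stub at $200.
def build_sample_rom() -> bytes:
    rom = bytearray(0x2000)
    struct.pack_into(">I", rom, 0x00, 0x00FFFE00)          # initial stack pointer (in RAM)
    for off in range(0x04, 0x100, 4):                     # entry point + all 62 handlers
        struct.pack_into(">I", rom, off, 0x00000200)
    rom[0x100:0x200] = b" " * 0x100                        # header fields are space padded
    rom[0x100:0x110] = b"SEGA MEGA DRIVE "
    rom[0x150:0x15B] = b"SAMPLE GAME"
    struct.pack_into(">H", rom, 0x18E, 0x1234)            # checksum field (arbitrary here)
    struct.pack_into(">IIII", rom, 0x1A0, 0x0, 0x1FFF, 0xFF0000, 0xFFFFFF)
    rom[0x1F0:0x1F3] = b"JUE"
    return bytes(rom)

def parse_genesis_rom(rom: bytes) -> dict:
    """Decode the vector table and header, recording inconsistencies instead of
    trusting header values (ROM range, vectors) blindly."""
    if len(rom) < 0x200:
        raise ValueError("image too small to hold a vector table and header")
    vectors = struct.unpack(">64I", rom[:0x100])
    problems = []
    if rom[0x100:0x104] != b"SEGA":
        problems.append("console ID does not start with SEGA")
    rom_start, rom_end, ram_start, ram_end = struct.unpack(">IIII", rom[0x1A0:0x1B0])
    if rom_end + 1 != len(rom):
        problems.append("declared ROM end $%X does not match image size" % rom_end)
    # A handler at an odd address raises an address error the moment it is
    # fetched, and one outside declared ROM/RAM would execute unmapped memory.
    for idx, addr in enumerate(vectors[1:], start=1):
        if addr & 1:
            problems.append("vector at $%02X is odd: $%X" % (idx * 4, addr))
        elif not (rom_start <= addr <= rom_end or ram_start <= addr <= ram_end):
            problems.append("vector at $%02X outside ROM/RAM: $%X" % (idx * 4, addr))
    return {
        "initial_sp": vectors[0],
        "entry_point": vectors[1],
        "console": rom[0x100:0x110].decode("ascii", "replace").rstrip(),
        "title_intl": rom[0x150:0x180].decode("ascii", "replace").rstrip(),
        "checksum_field": struct.unpack(">H", rom[0x18E:0x190])[0],
        "rom_range": (rom_start, rom_end),
        "has_sram": rom[0x1B0:0x1BC] != b" " * 12,
        "regions": rom[0x1F0:0x200].decode("ascii", "replace").rstrip(),
        "problems": problems,
    }
```

Feeding the parser a real dump instead of `build_sample_rom()` will typically show reserved vectors ($30-$5C, $C0-$FC) reused for ordinary handlers, which the range check accepts as long as they point into ROM or RAM.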

IRQs and Error Handlers
Only two IRQs are used on the Neo-Geo.

IRQ   ADDRESS  DESCRIPTION
IRQ1  $64      Vertical blank handler.
IRQ2  $68      Timer underflow handler.

In addition, SNK's Neo-Geo manual (NG.pdf) specifies that the zero divide, CHK, TRAPV, line 1010 emulator, and line 1111 emulator vectors, and all other (unused) IRQs, be located in program ROM rather than in the BIOS.

ROM Header
This ROM header, which also starts at $100, is important, because it contains the four entry points that the Neo-Geo BIOS uses to jump into the game (the four jmp slots at $122-$139 below). In fact, the location at $4 will be the BIOS's own entry point, making it useless for reverse-engineering.

OFFSET     SIZE  DESCRIPTION
$100-$106        the string "NEO-GEO"
$107       byte  the system version
$108       word  the game's SNK-assigned ID number
$10A       long  ROM size (units unknown, as the NG.pdf seems to think one longword is two bytes)
$10E       long  start address of "work-backup area"
$112       word  size of work-backup area
$114       byte  "eye catcher" (screen before attract loop):
                   0 - standard NEO-GEO screen
                   1 - custom (example: Psikyo screen in Strikers 1945 Plus) (TODO does this use 1 or 2)
                   2 - none
$115       byte  defines where the game stores the standard Neo-Geo screen's tiles (apparently games needed to provide that themselves?)
$116       long  location of Japan-region strings used by the BIOS (dipswitch names, etc.)
$11A       long  location of US-region strings used by the BIOS
$11E       long  location of Europe-region (not Japan/US) strings used by the BIOS
$122-$127        jmp instruction for "USER" entry point (main entry point for initialization, custom eye catcher, demo, game, and title screen)
$128-$12D        jmp instruction for "PLAYER_START" entry point (used when the player presses Start)
$12E-$133        jmp instruction for "DEMO_END" entry point (used when the BIOS requests a demo to end so it can cycle to the next game)
$134-$139        jmp instruction for "COIN_SOUND" entry point (used when a coin is inserted)
$13A-$181        [appears to be ignored]
$182       long  location of "Recognition Code 2" (actual code used to verify that this is a legitimate Neo-Geo game)
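As an added example (not code from the original page or from SNK's manual), this parser reads the Neo-Geo header above from a constructed P-ROM image and recovers the four BIOS entry points by decoding the 6-byte slots as 68000 "jmp (xxx).l" instructions (opcode word $4EF9 followed by a 32-bit target); a slot holding anything else is reported rather than guessed at. The game ID, version and target addresses in the sample are made up.

```python
import struct

JMP_ABS_L = 0x4EF9  # 68000 "jmp (xxx).l": opcode word followed by a 32-bit target

# Header slots of the four entry points, each a 6-byte jmp instruction.
ENTRY_SLOTS = {"USER": 0x122, "PLAYER_START": 0x128,
               "DEMO_END": 0x12E, "COIN_SOUND": 0x134}

# Constructed Neo-Geo P-ROM image (not a real game); every address and ID in
# it is made up for the demonstration.
def build_sample_prom() -> bytes:
    rom = bytearray(0x1000)
    rom[0x100:0x107] = b"NEO-GEO"
    rom[0x107] = 1                                      # system version
    struct.pack_into(">H", rom, 0x108, 0x0123)          # SNK-assigned game ID
    targets = {"USER": 0x200, "PLAYER_START": 0x300,
               "DEMO_END": 0x400, "COIN_SOUND": 0x500}
    for name, off in ENTRY_SLOTS.items():
        struct.pack_into(">HI", rom, off, JMP_ABS_L, targets[name])
    struct.pack_into(">I", rom, 0x182, 0x600)           # "Recognition Code 2" location
    return bytes(rom)

def parse_neogeo_header(rom: bytes) -> dict:
    """Decode the $100 header and recover the BIOS entry-point targets by
    decoding the jmp instructions, flagging slots that do not hold one."""
    if len(rom) < 0x186:
        raise ValueError("image too small to hold the Neo-Geo header")
    if rom[0x100:0x107] != b"NEO-GEO":
        raise ValueError('missing "NEO-GEO" signature at $100')
    entries, problems = {}, []
    for name, off in ENTRY_SLOTS.items():
        opcode, target = struct.unpack(">HI", rom[off:off + 6])
        if opcode != JMP_ABS_L:
            problems.append("%s slot holds opcode $%04X, not jmp (xxx).l" % (name, opcode))
            continue
        if target & 1:                                  # would raise an address error
            problems.append("%s target $%06X is odd" % (name, target))
        entries[name] = target
    return {
        "version": rom[0x107],
        "game_id": struct.unpack(">H", rom[0x108:0x10A])[0],
        "entry_points": entries,
        "recognition_code2": struct.unpack(">I", rom[0x182:0x186])[0],
        "problems": problems,
    }
```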