User:Andlabs/68000 ROM guide
This should go in Guides but I'm not sure where
Most, if not all, game systems that use the MC68000 as a main CPU run the game as a 68000 boot ROM, meaning you'll need to understand how a 68000 boot ROM is laid out. After the boot ROM, games will usually have a console-specific header that could also be interpreted (for instance, in the Neo-Geo's case, the four entry points to the game program are here).
All address ranges given are inclusive.
The 68000 Vector Table
The first $100 bytes of a ROM (at location $0) are split into 64 longword pointers to code. Apart from the initial stack pointer, these are the addresses the CPU jumps to when an exception (an error, interrupt, or trap) occurs.
$00 initial stack pointer
$04 entry point
$08 bus error handler
$0C address error handler
$10 illegal instruction handler
$14 division by zero handler
$18 CHK instruction handler
$1C TRAPV instruction handler
$20 privilege violation handler
$24 trace handler
$28 "line 1010 emulator"
This gets called when an opcode whose first nibble is $A (1010) is executed. It's meant for user programs on 68000-based computers to perform system calls, so it isn't useful on console games (though some games, such as Star Cruiser on Genesis, define their own).
$2C "line 1111 emulator"
This gets called when an opcode whose first nibble is $F (1111) is executed. These opcodes are reserved for later M68000 family CPUs that can interface with coprocessors (like FPUs and MMUs). Most games don't use this (though there are exceptions, such as Twinkle Tale on Genesis).
$30...$5C reserved for future M68000 CPUs
$60 spurious exception handler
$64 IRQ 0 handler; called when an IRQ level 0 is triggered
$68...$7C IRQ 1..7 handlers
$80 trap #0 handler; called when trap #0 is executed
$84...$BC trap #1...#$F handlers
$C0...$FC reserved for future use
Genesis/32X/Pico
IRQs
Only three IRQs are used on the Genesis.
IRQ ADDRESS DESCRIPTION
IRQ2 $68 Used for external devices, like the Mega Modem, that plug into the DE-9 port on the back of Model 1 Mega Drives.
IRQ4 $70 Horizontal blank handler.
IRQ6 $78 Vertical blank handler.
ROM Header
This ROM header, which starts at $100, is purely for documentation purposes (though game code does look here for the checksum and region information). Each field is padded with spaces (ASCII $20).
$100-$10F the console ID as a string; "SEGA MEGA DRIVE ", for instance.
The "SEGA" at the start is the only mandatory part of the header.
$110-$11F copyright information; it usually consists of the publisher code and either the build or release date
$120-$14F the game's domestic (Japanese) name, usually as a Shift-JIS string
$150-$17F the game's international name
Some games (e.g. Sonic the Hedgehog) split these two into tuples of three 16-byte strings
$180-$18D the game's type code, serial number, and version (usually)
$18E word the game's checksum
$190-$19F peripheral support, one character per peripheral
$1A0 long the ROM start address (0)
$1A4 long the ROM end address (the address of the last byte, so $FFFFF for a 1MB ROM)
$1A8 long the RAM start address ($FF0000)
$1AC long the RAM end address ($FFFFFF)
$1B0 long save RAM flags, or $20202020 (four ASCII spaces) if no save RAM
$1B4 long save RAM start, or $20202020 (four ASCII spaces) if no save RAM
$1B8 long save RAM end, or $20202020 (four ASCII spaces) if no save RAM
$1BC-$1C7 modem information (if the game uses the Mega Modem)
$1C8-$1EF "notes"? typically blank
$1F0-$1FF allowed regions; most games use a string of J, U, or E, but later games use an ASCII-encoded hex bitfield (so F -> 1111 -> all regions)
Only in exceptional cases is there anything really notable in this header (Super Hang-On, for instance).
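As an added example (not code from the original page), a Python parser for the vector table and the $100 header laid out above, with the consistency checks a ROM-handling tool should make before trusting header values; the 1MB ROM image it parses is constructed inline and is not a real game.

```python
import struct

# Offsets from the vector table above; the Genesis uses IRQ2/IRQ4/IRQ6 only.
VECTOR_NAMES = {0x00: "initial SP", 0x04: "entry point", 0x08: "bus error",
                0x0C: "address error", 0x10: "illegal instruction",
                0x68: "IRQ2 (external)", 0x70: "IRQ4 (hblank)", 0x78: "IRQ6 (vblank)"}

def decode_regions(raw):
    """$1F0: a string of J/U/E letters in early games, one ASCII hex digit later."""
    if raw and set(raw) <= set("JUE"):
        return set(raw)
    return {"bitfield": int(raw, 16)} if raw else set()

def parse_genesis(rom):
    """Parse the vector table and $100 header; returns findings plus sanity checks."""
    if len(rom) < 0x200 or rom[0x100:0x104] != b"SEGA":
        raise ValueError('no "SEGA" signature at $100: not a Genesis ROM')
    text = lambda lo, hi: rom[lo:hi + 1].rstrip(b" ").decode("ascii", "replace")
    vectors = struct.unpack_from(">64I", rom, 0)
    rom_start, rom_end, ram_start, ram_end = struct.unpack_from(">IIII", rom, 0x1A0)
    info = {
        "console": text(0x100, 0x10F), "copyright": text(0x110, 0x11F),
        "intl_name": text(0x150, 0x17F), "serial": text(0x180, 0x18D),
        "checksum": struct.unpack_from(">H", rom, 0x18E)[0],
        "rom_range": (rom_start, rom_end), "ram_range": (ram_start, ram_end),
        "save_ram": rom[0x1B0:0x1B4] != b"    ",   # four spaces = no save RAM
        "regions": decode_regions(text(0x1F0, 0x1FF)),
        "vectors": {name: vectors[off // 4] for off, name in VECTOR_NAMES.items()},
    }
    # Before trusting the header: the declared ROM end should match the file,
    # and every code vector (all but the initial SP) should land inside ROM.
    info["rom_end_matches_file"] = rom_end == len(rom) - 1
    info["vectors_outside_rom"] = [i for i, v in enumerate(vectors)
                                   if i > 0 and not rom_start <= v <= rom_end]
    return info

def build_sample_rom(size=0x100000):
    """Constructed 1MB sample image, not a real game: only the fields parsed above."""
    rom = bytearray(size)
    struct.pack_into(">II", rom, 0x00, 0x00FFFE00, 0x00000200)   # SP, entry point
    struct.pack_into(">I", rom, 0x78, 0x00000300)                 # IRQ6 (vblank)
    rom[0x100:0x18E] = (b"SEGA MEGA DRIVE " + b"(C)XMPL 2024.JAN" + b"SAMPLE".ljust(48)
                        + b"SAMPLE".ljust(48) + b"GM 00000000-00")
    struct.pack_into(">H", rom, 0x18E, 0x1234)
    rom[0x190:0x1A0] = b"J".ljust(16)
    struct.pack_into(">IIII", rom, 0x1A0, 0, size - 1, 0xFF0000, 0xFFFFFF)
    rom[0x1B0:0x1BC] = b" " * 12                                  # no save RAM
    rom[0x1F0:0x200] = b"JUE".ljust(16)
    return bytes(rom)
```

A real dump whose file size disagrees with $1A4, or whose vectors point outside the declared ROM range, is either overdumped, truncated, or not a plain boot ROM, and should be treated with suspicion before any further analysis.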
Neo-Geo
IRQs
ROM Header
This ROM header, which also starts at $100, is important, because it contains the four entry points that the Neo-Geo BIOS uses to jump into the game (the four jmp instructions at $122-$139 below). Note that the entry point at $4 in the vector table is the BIOS's own entry point, not the game's, so it is useless for reverse-engineering the game.
$100-$106 the string "NEO-GEO"
$107 byte the system version
$108 word the game's SNK-assigned ID number
$10A long ROM size (units unknown as the NG.pdf seems to think one longword is two bytes)
$10E long start address of "work-backup area"
$112 word size of work-backup area
$114 byte "eye catcher" (screen before attract loop)
0 - standard NEO-GEO screen
1 - custom (example: Psikyo screen in Strikers 1945 Plus) (TODO does this use 1 or 2)
2 - none
$115 byte defines where the game stores the standard Neo-Geo screen's tiles (apparently games needed to provide that themselves?)
$116 long location of Japan-region strings used by the BIOS (dipswitch names, etc.)
$11A long location of US-region strings used by the BIOS
$11E long location of Europe-region (not Japan/US) strings used by the BIOS
$122-$127 jmp instruction for "USER" entry point (main entry point for initialization, custom eye catcher, demo, game, and title screen)
$128-$12D jmp instruction for "PLAYER_START" entry point (used for when the player presses Start)
$12E-$133 jmp instruction for "DEMO_END" entry point (used for when the BIOS requests a demo to end so it can cycle to the next game)
$134-$139 jmp instruction for "COIN_SOUND" entry point (used for when a coin is inserted)
[$13A-$181 appears to be ignored]
$182 long location of "Recognition Code 2" (actual code used to verify that this is a legitimate Neo-Geo game)
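As an added example (not code from the original page), a Python parser for the Neo-Geo header fields above. Each 6-byte entry-point slot is expected to hold a 68000 JMP (xxx).L instruction (opcode word $4EF9 followed by a 32-bit address, a detail assumed here rather than taken from the page), so the parser verifies the opcode before reporting the target; the header it parses is constructed inline and is not from a real game.

```python
import struct

ENTRY_POINTS = {0x122: "USER", 0x128: "PLAYER_START",
                0x12E: "DEMO_END", 0x134: "COIN_SOUND"}
EYE_CATCHER = {0: "standard NEO-GEO screen", 1: "custom", 2: "none"}
JMP_ABS_L = 0x4EF9  # 68000 opcode word for JMP (xxx).L; fills a 6-byte slot

def parse_neogeo(rom):
    """Parse the $100 header; every entry-point slot must really be a JMP (xxx).L."""
    if len(rom) < 0x186 or rom[0x100:0x107] != b"NEO-GEO":
        raise ValueError('no "NEO-GEO" string at $100')
    (version, game_id, rom_size, backup_start, backup_size, eye, eye_tiles,
     strings_jp, strings_us, strings_eu) = struct.unpack_from(">BHIIHBBIII", rom, 0x107)
    entries = {}
    for off, name in ENTRY_POINTS.items():
        opcode, target = struct.unpack_from(">HI", rom, off)
        if opcode != JMP_ABS_L:
            raise ValueError(f"{name} slot at ${off:X} holds ${opcode:04X}, not JMP (xxx).L")
        entries[name] = target
    return {
        "version": version, "game_id": game_id,
        "rom_size_raw": rom_size,               # units unclear, see $10A above
        "work_backup": (backup_start, backup_size),
        "eye_catcher": EYE_CATCHER.get(eye, f"unknown ({eye})"),
        "eye_catcher_tiles": eye_tiles,
        "bios_strings": {"JP": strings_jp, "US": strings_us, "EU": strings_eu},
        "entry_points": entries,
        "recognition_code_2": struct.unpack_from(">I", rom, 0x182)[0],
    }

def build_sample_rom():
    """Constructed sample header, not a real game's; values are arbitrary."""
    rom = bytearray(0x400)
    rom[0x100:0x107] = b"NEO-GEO"
    struct.pack_into(">BHIIHBBIII", rom, 0x107, 1, 0x0123, 0x100000,
                     0x100000, 0x100, 0, 0, 0x2000, 0x2100, 0x2200)
    for off, target in zip(ENTRY_POINTS, (0x300, 0x320, 0x340, 0x360)):
        struct.pack_into(">HI", rom, off, JMP_ABS_L, target)   # jmp target.l
    struct.pack_into(">I", rom, 0x182, 0x2400)
    return bytes(rom)
```

Because the BIOS, not the vector table, decides where execution enters the game, these four decoded targets are the addresses to start disassembly from.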