
User:Andlabs/68000 ROM guide

From The Cutting Room Floor
Revision as of 23:20, 21 August 2012 by Andlabs (talk | contribs) ((07:06:38 PM) sik_the_hedgehog:  IRQ0 doesn't exist because that means "no IRQ" in the 68000 bus)

This should go in Guides but I'm not sure where

Most, if not all, game systems that use the MC68000 as a main CPU run the game as a 68000 boot ROM, meaning you'll need to understand how a 68000 boot ROM is laid out. After the boot ROM's vector table, games will usually have a console-specific header that is also worth interpreting (for instance, in the Neo-Geo's case, the four entry points to the game program are stored there).

All address ranges given are inclusive.

The 68000 Vector Table

The first $100 bytes of a ROM (at location $0) are split into 64 longwords. Apart from the initial stack pointer at $00, each is a pointer to code; most are where the CPU goes in the case of an error.

$00        initial stack pointer
$04        entry point
$08        bus error handler
$0C        address error handler
$10        illegal instruction handler
$14        division by zero handler
$18        CHK instruction handler
$1C        TRAPV instruction handler
$20        privilege violation handler
$24        trace handler
$28        "line 1010 emulator"
           This gets called when an opcode whose first nibble is $A (1010) is executed. It's meant for user programs of 68000-based computers to perform system calls, so isn't useful on console games (though some games, such as Star Cruiser on Genesis, define their own).
$2C        "line 1111 emulator"
           This gets called when an opcode whose first nibble is $F (1111) is executed. These opcodes are reserved for later M68000 family CPUs that can interface with coprocessors (like FPUs and MMUs). Most games don't use this (though there are exceptions, such as Twinkle Tale on Genesis).
$30...$5C  reserved for future M68000 CPUs
$60        spurious exception handler
$64        IRQ 1 handler; called when an IRQ level 1 is triggered
$68...$7C  IRQ 2...7 handlers
$80        trap #0 handler; called when trap #0 is executed
$84...$BC  trap #1...#$F handlers
$C0...$FC  reserved for future use
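
The table above as a decoder, useful as a first pass over an unknown image. This is an added example, not part of the original guide; the function names and the constructed sample image are assumptions of the example. It also flags vectors that are odd (the 68000 cannot fetch instructions from an odd address) or that point outside the image, which may mean RAM, a BIOS, or a bad dump.

```python
import struct

# Vector names keyed by table offset, as listed above.
VECTORS = {0x08: "bus error", 0x0C: "address error", 0x10: "illegal instruction",
           0x14: "division by zero", 0x18: "CHK", 0x1C: "TRAPV",
           0x20: "privilege violation", 0x24: "trace",
           0x28: "line 1010 emulator", 0x2C: "line 1111 emulator",
           0x60: "spurious exception"}
VECTORS.update({0x60 + 4 * n: f"IRQ {n}" for n in range(1, 8)})
VECTORS.update({0x80 + 4 * n: f"trap #{n}" for n in range(16)})

def parse_vectors(rom):
    """Return (initial stack pointer, entry point, {vector name: address})."""
    if len(rom) < 0x100:
        raise ValueError("image is shorter than the $100-byte vector table")
    longs = struct.unpack(">64L", rom[:0x100])      # the 68000 is big-endian
    return longs[0], longs[1], {name: longs[off // 4] for off, name in VECTORS.items()}

def group_by_target(rom):
    """Map each handler address to the vectors sharing it (catch-all handlers stand out)."""
    groups = {}
    for name, addr in parse_vectors(rom)[2].items():
        groups.setdefault(addr, []).append(name)
    return groups

def needs_a_look(rom):
    """Names of vectors that are odd or point outside the image."""
    _, entry, handlers = parse_vectors(rom)
    handlers["entry point"] = entry
    return sorted(n for n, a in handlers.items() if a & 1 or a >= len(rom))

def sample_rom():
    """Constructed 1 KB image (not a real game) with two deliberately unusual entries."""
    rom = bytearray(0x400)
    struct.pack_into(">2L", rom, 0, 0xFFFE00, 0x200)     # stack pointer, entry point
    for off in VECTORS:
        struct.pack_into(">L", rom, off, 0x300)          # one catch-all handler
    struct.pack_into(">L", rom, 0x78, 0xFF0000)          # IRQ 6 handler placed in RAM
    struct.pack_into(">L", rom, 0x08, 0x301)             # odd address: cannot be code
    return bytes(rom)
```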

Genesis/32X/Pico

IRQs

Only three IRQs are used on the Genesis.

IRQ   ADDRESS  DESCRIPTION
IRQ2  $68      Used for external devices, like the Mega Modem, that plug into the DE-9 port on the back of Model 1 Mega Drives.
IRQ4  $70      Horizontal blank handler.
IRQ6  $78      Vertical blank handler.

ROM Header

This ROM header, which starts at $100, is purely for documentation purposes (though game code does look here for the checksum and region information). Each field is padded with spaces (ASCII $20).

$100-$10F  the console ID as a string; "SEGA MEGA DRIVE ", for instance.
           The "SEGA" at the start is the only mandatory part of the header.
$110-$11F  copyright information; it usually consists of the publisher code and either the build or release date
$120-$14F  the game's domestic (Japanese) name, usually as a Shift-JIS string
$150-$17F  the game's international name
           Some games (e.g. Sonic the Hedgehog) split these two into tuples of three 16-byte strings
$180-$18D  the game's type code, serial number, and version (usually)
$18E word  the game's checksum
$190-$19F  peripheral support, one character per peripheral
$1A0 long  the ROM start address (0)
$1A4 long  the ROM end address (the byte where it ends, so $FFFFF for a 1MB ROM)
$1A8 long  the RAM start address ($FF0000)
$1AC long  the RAM end address ($FFFFFF)
$1B0 long  save RAM flags, or $20202020 (four ASCII spaces) if no save RAM
$1B4 long  save RAM start, or $20202020 (four ASCII spaces) if no save RAM
$1B8 long  save RAM end, or $20202020 (four ASCII spaces) if no save RAM
$1BC-$1C7  modem information (if the game uses the Mega Modem)
$1C8-$1EF  "notes"? typically blank
$1F0-$1FF  allowed regions; most games use a string of J, U, or E, but later games use an ASCII-encoded hex bitfield (so F -> 1111 -> all regions)

Only in exceptional cases is there anything really notable in this header (for instance, Super Hang-On).
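
A parser for the Genesis header fields listed above, as an added example that is not part of the original guide; the function names, dictionary keys and constructed sample image are assumptions of the example. It compares the declared ROM end against the actual image length and handles both forms of the region field; reading a lone "E" as a letter rather than a hex digit is a choice made here, since the field itself cannot tell the two apart.

```python
import struct

def text(rom, start, end, codec="ascii"):
    """Decode an inclusive header range, dropping the space ($20) padding."""
    return rom[start:end + 1].decode(codec, "replace").rstrip(" ")

def regions(field):
    """Classify $1F0-$1FF as the letter form or the hex-bitfield form."""
    if field and set(field) <= set("JUE"):
        return ("letters", field)          # a lone "E" is read as a letter
    if len(field) == 1 and field in "0123456789ABCDEF":
        return ("bitfield", int(field, 16))
    return ("unknown", field)

def parse_genesis_header(rom):
    if len(rom) < 0x200 or rom[0x100:0x104] != b"SEGA":
        raise ValueError('no "SEGA" console ID at $100')
    rom_start, rom_end, ram_start, ram_end = struct.unpack_from(">4L", rom, 0x1A0)
    has_sram = rom[0x1B0:0x1B4] != b"    "      # $20202020 means no save RAM
    return {
        "console": text(rom, 0x100, 0x10F),
        "copyright": text(rom, 0x110, 0x11F),
        "domestic_name": text(rom, 0x120, 0x14F, "shift_jis"),
        "international_name": text(rom, 0x150, 0x17F),
        "checksum": struct.unpack_from(">H", rom, 0x18E)[0],
        "rom_range": (rom_start, rom_end),
        "ram_range": (ram_start, ram_end),
        "save_ram": struct.unpack_from(">2L", rom, 0x1B4) if has_sram else None,
        "regions": regions(text(rom, 0x1F0, 0x1FF)),
        # The end address is the last byte, so a full dump is rom_end + 1 long.
        "size_matches": rom_end - rom_start + 1 == len(rom),
    }

def sample_rom():
    """Constructed 1 KB image, not a real game."""
    rom = bytearray(b"\x00" * 0x100 + b" " * 0x100 + b"\x00" * 0x200)
    rom[0x100:0x110] = b"SEGA MEGA DRIVE "
    rom[0x150:0x15C] = b"EXAMPLE GAME"
    struct.pack_into(">H", rom, 0x18E, 0x1234)
    struct.pack_into(">4L", rom, 0x1A0, 0, 0x3FF, 0xFF0000, 0xFFFFFF)
    rom[0x1F0] = ord("F")
    return bytes(rom)
```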

Neo-Geo

IRQs and Error Handlers

Only two IRQs are used on the Neo-Geo.

IRQ   ADDRESS  DESCRIPTION
IRQ1  $64      Vertical blank handler.
IRQ2  $68      Timer underflow handler.

In addition, SNK's Neo-Geo manual (NG.pdf) defines that the zero divide, CHK, TRAPV, line 1010 emulator, and line 1111 emulator vectors and all other IRQs (unused) be located in program ROM rather than in the BIOS.

ROM Header

This ROM header, which also starts at $100, is important, because it contains the four entry points that the Neo-Geo BIOS uses to jump into the game (the four jmp entries at $122-$139 below). In fact, the location at $4 will be the BIOS's own entry point, making it useless for reverse-engineering.

$100-$106  the string "NEO-GEO"
$107 byte  the system version
$108 word  the game's SNK-assigned ID number
$10A long  ROM size (units unknown as the NG.pdf seems to think one longword is two bytes)
$10E long  start address of "work-backup area"
$112 word  size of work-backup area
$114 byte  "eye catcher" (screen before attract loop)
           0 - standard NEO-GEO screen
           1 - custom (example: Psikyo screen in Strikers 1945 Plus) (TODO does this use 1 or 2)
           2 - none
$115 byte  defines where the game stores the standard Neo-Geo screen's tiles (apparently games needed to provide that themselves?)
$116 long  location of Japan-region strings used by the BIOS (dipswitch names, etc.)
$11A long  location of US-region strings used by the BIOS
$11E long  location of Europe-region (not Japan/US) strings used by the BIOS
$122-$127  jmp instruction for "USER" entry point (main entry point for initialization, custom eye catcher, demo, game, and title screen)
$128-$12D  jmp instruction for "PLAYER_START" entry point (used for when the player presses Start)
$12E-$133  jmp instruction for "DEMO_END" entry point (used for when the BIOS requests a demo to end so it can cycle to the next game)
$134-$139  jmp instruction for "COIN_SOUND" entry point (used for when a coin is inserted)
[$13A-$181 appears to be ignored]
$182 long  location of "Recognition Code 2" (actual code used to verify that this is a legitimate Neo-Geo game)
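
Since $4 is of no use here, a reverse-engineering pass starts from the four jmp slots instead. The following added example (not part of the original guide) decodes them, assuming each slot holds the 6-byte absolute-long form of jmp (opcode word $4EF9 followed by a 32-bit target) and reporting None for any slot that does not. Retrying on a byte-swapped copy is this example's assumption about how an image may be stored, not something the guide describes; the function names and sample image are likewise constructed.

```python
import struct

JMP_ABS_LONG = 0x4EF9    # 68000 encoding of jmp (xxx).L: opcode word + 32-bit target
ENTRY_POINTS = {0x122: "USER", 0x128: "PLAYER_START",
                0x12E: "DEMO_END", 0x134: "COIN_SOUND"}

def swap_words(rom):
    """Swap the two bytes of every 16-bit word (undoes a byte-swapped dump)."""
    out = bytearray(rom[:len(rom) & ~1])
    out[0::2], out[1::2] = out[1::2], out[0::2]
    return bytes(out)

def neogeo_entry_points(rom):
    """Return {entry point name: jump target, or None if the slot is not jmp (xxx).L}."""
    if rom[0x100:0x107] != b"NEO-GEO":
        rom = swap_words(rom)                 # assumption: dump may be byte-swapped
        if rom[0x100:0x107] != b"NEO-GEO":
            raise ValueError('no "NEO-GEO" string at $100')
    if len(rom) < 0x13A:
        raise ValueError("image ends before the entry points at $122-$139")
    targets = {}
    for offset, name in ENTRY_POINTS.items():
        opcode, target = struct.unpack_from(">HL", rom, offset)
        targets[name] = target if opcode == JMP_ABS_LONG else None
    return targets

def sample_rom():
    """Constructed image (not a real game); DEMO_END deliberately holds no jmp."""
    rom = bytearray(0x200)
    rom[0x100:0x107] = b"NEO-GEO"
    for offset, target in ((0x122, 0x1000), (0x128, 0x1040), (0x134, 0x10C0)):
        struct.pack_into(">HL", rom, offset, JMP_ABS_LONG, target)
    struct.pack_into(">3H", rom, 0x12E, 0x4E71, 0x4E71, 0x4E75)   # nop, nop, rts
    return bytes(rom)
```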