1217 lines
34 KiB
Plaintext
1217 lines
34 KiB
Plaintext
SNES Kart v1.6
|
|
The most complete guide to a SNES cartridge worldwide
|
|
|
|
. .
|
|
|
|
______ ______ .
|
|
|
|
.:_\_ . \\_ .__\_::.
|
|
|
|
. .::./ ./ // ./__ .:::. .
|
|
|
|
:_<_____/<______>_:.
|
|
|
|
. .
|
|
|
|
Damaged Cybernetics Australia
|
|
|
|
It is a crime to redistribute this document in a commercial
|
|
|
|
venture of any kind without permission or a licensing agreement.
|
|
|
|
Contact us via email for more information on licensing.
|
|
|
|
This is freely distributable for non-commercial use, however we
|
|
|
|
require that you acknowledge the following:
|
|
|
|
SNES Kart 1.6 Copyright (c) 1995-1996 DiskDude. All rights reserved.
|
|
|
|
[Image]
|
|
|
|
None of the information contained in this text comes from any confidential
|
|
source. It was obtained from various sources on the Internet, but also the
|
|
product of my own investigation. Refer to the Acknowledgements section at
|
|
the end of this text.
|
|
|
|
Use this information for your own use, I will not take any responsibility
|
|
for your actions. All copyrights and trademarks are owned by their
|
|
respective owners, even if not acknowledged, no infringements intended.
|
|
|
|
I wrote this because all of this information is scattered in small files
|
|
everywhere, if existing at all, most of it outdated. This is an attempt to
|
|
conveniently bring all of the information to one place, and as up-to-date
|
|
as possible. If you find this useful, tell me! I love positive feedback.
|
|
|
|
Contents
|
|
|
|
Pin Layouts Cheat Device Decoding
|
|
|
|
* What is the cartridge pin * Pro Action Replay (hardware)
|
|
layout? * Gold Finger (software)
|
|
* What is the ROM pin layout? * Game Genie (hardware)
|
|
* What is the DSP1 pin layout? * Converting between CPU
|
|
* What is the MAD-1 and its pin addresses and ROM addresses
|
|
layout? * Easily converting between
|
|
* What is the pin layout of the codes
|
|
16kbit SRAM most commonly used
|
|
by Nintendo? SNES Copiers
|
|
|
|
Cartridge Addressing Schemes * What are copiers?
|
|
* Super Wild Card (SWC) header
|
|
* LoROM cartridges information
|
|
* HiROM cartridges * Pro Fighter (FIG) header
|
|
format
|
|
Embedded Cartridge Information * Game Doctor file name format
|
|
* Super Wild Card parallel port
|
|
* Game title (21 bytes) I/O protocol
|
|
* ROM makeup (1 byte)
|
|
* ROM type (1 byte) ROM Protection Schemes
|
|
* ROM size (1 byte)
|
|
* SRAM size (1 byte) * SlowROM checks
|
|
* Country (1 byte) * PAL/NTSC checks
|
|
* License (1 byte) * SRAM size checks
|
|
* Game Version (1 byte)
|
|
* Inverse ROM Checksum (2 bytes) IPS Patch Format
|
|
* ROM Checksum (2 bytes)
|
|
* Non Maskable Interrupt / VBL Acknowledgements
|
|
Vector (2 bytes)
|
|
* Reset Vector (2 bytes)
|
|
* How do I know if the ROM is
|
|
HiROM or LoROM?
|
|
|
|
Pin Layouts
|
|
|
|
What is the cartridge pin layout?
|
|
|
|
If the SNES doesn't detect the CIC while power is on, then it will not
|
|
continue to read the cartridge. Further details of this are not known to
|
|
me.
|
|
|
|
Super FX 01 32
|
|
|
|
02 33
|
|
|
|
03 34
|
|
|
|
04 35
|
|
|
|
GND 05 36 GND
|
|
|
|
F A11 06 37 A12
|
|
|
|
r A10 07 38 A13
|
|
|
|
o A9 08 39 A14
|
|
|
|
n A8 09 40 A15
|
|
|
|
t A7 10 41 BA0
|
|
|
|
A6 11 42 BA1
|
|
|
|
o A5 12 43 BA2
|
|
|
|
f A4 13 44 BA3
|
|
|
|
A3 14 45 BA4
|
|
|
|
c A2 15 46 BA5
|
|
|
|
a A1 16 47 BA6
|
|
|
|
r A0 17 48 BA7
|
|
|
|
t /IRQ 18 49 /CS
|
|
|
|
D0 19 50 D4
|
|
|
|
D1 20 51 D5
|
|
|
|
D2 21 52 D6
|
|
|
|
D3 22 53 D7
|
|
|
|
/RD 23 54 /WR
|
|
|
|
CIC out data (p1) 24 55 CIC out data (p2)
|
|
|
|
CIC in data (p7) 25 56 CIC in clock (p6)
|
|
|
|
RESET 26 57 nc
|
|
|
|
Vcc 27 58 Vcc
|
|
|
|
28 59
|
|
|
|
29 60
|
|
|
|
30 61
|
|
|
|
Left audio 31 62 Right audio
|
|
|
|
LoROM: 32kbyte pages/banks (A15 not used - assumed high)
|
|
|
|
HiROM: 64kbyte pages/banks
|
|
|
|
BA0-BA7 switch between a possible 256 banks/pages.
|
|
|
|
LoROM data is stored in the upper 32kbytes of the possible 64kbyte
|
|
bank/page (A15 is assumed high). Using 64kbyte pages, the SNES can address
|
|
a huge 16Mbytes or 128Mbits!
|
|
|
|
According to a SNES memory map, LoROM games can be as large as 16Mbit while
|
|
HiROM games are limited to 32Mbit... what about the 48Mbit game floating
|
|
around?
|
|
|
|
What is the ROM pin layout?
|
|
|
|
This pin layout was taken from a Donkey Kong Country 2 cartridge and seems
|
|
to be consistent with all their mask ROMs (some are 32pin, others 36pin).
|
|
|
|
A20 Vcc
|
|
|
|
A21 A22
|
|
|
|
A17 01 32 Vcc
|
|
|
|
A18 02 31 /OE
|
|
|
|
A15 03 30 A19
|
|
|
|
A12 04 29 A14
|
|
|
|
A7 05 28 A13
|
|
|
|
A6 06 27 A8
|
|
|
|
A5 07 26 A9
|
|
|
|
A4 08 25 A11
|
|
|
|
A3 09 24 A16
|
|
|
|
A2 10 23 A10
|
|
|
|
A1 11 22 /CS
|
|
|
|
A0 12 21 D7
|
|
|
|
D0 13 20 D6
|
|
|
|
D1 14 19 D5
|
|
|
|
D2 16 18 D4
|
|
|
|
Vss 16 17 D3
|
|
|
|
What is the DSP1 pin layout?
|
|
|
|
This was taken from a hacked Pilotwings cartridge with a switch on it -
|
|
possibly to select between HiROM and LoROM DSP1 games. I'm not 100% sure
|
|
that the following is correct or complete though.
|
|
|
|
Vcc 01 28 Vcc
|
|
|
|
Vcc 02 27 A14 (A12 - used for HiROM?)
|
|
|
|
nc 03 26 /CS
|
|
|
|
nc 04 25 /RD
|
|
|
|
nc 05 24 /WR
|
|
|
|
D0 06 23 ?
|
|
|
|
D1 07 22 ?
|
|
|
|
D2 08 21 Vcc
|
|
|
|
D3 09 20 Vcc
|
|
|
|
D4 10 19 Vcc
|
|
|
|
D5 11 18 Vcc
|
|
|
|
D6 12 17 GND
|
|
|
|
D7 13 16 /RESET (inverted RESET- SNES slot)
|
|
|
|
D8 14 15 CLOCK?
|
|
|
|
If you can verify/correct this, it would be greatly appreciated.
|
|
|
|
What is the MAD-1 and its pin layout?
|
|
|
|
The MAD-1 stands for Memory Address Decoder revision 1. It is used on the
|
|
Donkey Kong Country (1 and 2) cartridge and possibly other cartridges in
|
|
order to address one or two ROMs and a static RAM.
|
|
|
|
/HI 01 16 /LO
|
|
|
|
/SE 02 15 A13
|
|
|
|
03 14 A14
|
|
|
|
/RE 04 13 BA5
|
|
|
|
Vcc 05 12 A15
|
|
|
|
Vcc 06 11 /CS (p49 SNES slot)
|
|
|
|
Vcc 07 10 Vcc
|
|
|
|
GND 08 09 RESET (p26 SNES slot)
|
|
|
|
/RE - /CS on a 32Mbit ROM (possibly for MAD-1a only)
|
|
|
|
/LO - /CS on ROM1 (lower 16mbit)
|
|
|
|
/HI - /CS on ROM2 (upper 16mbit)
|
|
|
|
/SE - /CS on Static RAM
|
|
|
|
What is the pin layout of the 16kbit SRAM most commonly used by Nintendo?
|
|
|
|
It seems that Nintendo uses this SRAM in many of their games, mainly
|
|
because it is very cheap, only $A5 (retail) - much cheaper for Nintendo who
|
|
buys millions of them. It can address up to 2048 bytes or 16kbits.
|
|
|
|
A7 01 24 Vcc
|
|
|
|
A6 02 23 A8
|
|
|
|
A5 03 22 A9
|
|
|
|
A4 04 21 /WE
|
|
|
|
A3 05 20 /OE
|
|
|
|
A2 06 19 A10
|
|
|
|
A1 07 18 /CS
|
|
|
|
A0 08 17 D7
|
|
|
|
D0 09 16 D6
|
|
|
|
D1 10 15 D5
|
|
|
|
D2 11 14 D4
|
|
|
|
Vss 12 13 D3
|
|
|
|
Cartridge Addressing Schemes
|
|
|
|
LoROM cartridges: HiROM cartridges:
|
|
|
|
read ROM /RD, /CS, RESET low read ROM /CS, /RD, RESET low
|
|
|
|
/WR high /WR high
|
|
|
|
read SRAM /CS, /RD low read SRAM /RD low
|
|
|
|
RESET, /WR high RESET, /WR, /CS high
|
|
|
|
A15, BA4, BA5 high A13, A14, BA5 high
|
|
|
|
write SRAM /CS, /WR low write SRAM /WR low
|
|
|
|
RESET, /RD high RESET, /RD, /CS high
|
|
|
|
A15, BA4, BA5 high A13, A14, BA5 high
|
|
|
|
Would anyone like to verify this?
|
|
|
|
Embedded Cartridge Information
|
|
|
|
Most of the information in this section was obtained from Mindrape's SNES
|
|
ROM, available from http://www.futureone.com/~damaged/.
|
|
|
|
All values are in decimal unless specified with a trailing 'h'.
|
|
|
|
The starting offset for this information is located at the end of the first
|
|
page:
|
|
|
|
LoROM: offset 32704
|
|
|
|
HiROM: offset 65472
|
|
|
|
Game title (21 bytes)
|
|
|
|
The title is in upper case on most games.
|
|
|
|
ROM makeup (1 byte)
|
|
|
|
Upper nibble (4 bits):
|
|
|
|
Value ROM speed
|
|
|
|
0 SlowROM (200ns)
|
|
|
|
3 FastROM (120ns)
|
|
|
|
Lower nibble (4 bits):
|
|
|
|
Value Bank size
|
|
|
|
0 LoROM (32kb banks)
|
|
|
|
1 HiROM (64kb banks)
|
|
|
|
ROM type (1 byte)
|
|
|
|
Byte ROM type
|
|
|
|
0 ROM only
|
|
|
|
1 ROM and RAM
|
|
|
|
2 ROM and Save RAM
|
|
|
|
3 ROM and DSP1 chip
|
|
|
|
4 ROM, RAM and DSP1 chip
|
|
|
|
5 ROM, Save RAM and DSP1 chip
|
|
|
|
19 ROM and Super FX chip
|
|
|
|
227 ROM, RAM and GameBoy data
|
|
|
|
246 ROM and DSP2 chip
|
|
|
|
ROM size (1 byte)
|
|
|
|
Byte ROM size
|
|
|
|
8 2 MegaBits
|
|
|
|
9 4 MegaBits
|
|
|
|
10 8 MegaBits
|
|
|
|
11 16 MegaBits
|
|
|
|
12 32 MegaBits
|
|
|
|
At the time of writing, the largest SNES game is 48Mbit, while 8Mbit
|
|
cartridges are the most common. There are cartridge sizes of 10Mbit,
|
|
12Mbit, 20Mbit and 24Mbit, which are reported as 16Mbit, 16Mbit, 16Mbit and
|
|
32Mbit respectively.
|
|
|
|
Another way of calculating the ROM size is: 1 shl (ROMbyte-7) MegaBits
|
|
|
|
SRAM size (1 byte)
|
|
|
|
Byte SRAM size
|
|
|
|
0 (none)
|
|
|
|
1 16 KiloBits
|
|
|
|
2 32 KiloBits
|
|
|
|
3 64 KiloBits
|
|
|
|
64 KiloBit SRAM's are the largest Nintendo uses (except DOOM?), while most
|
|
copiers have 256 kiloBits on-board.
|
|
|
|
Another way of calculating the SRAM size is: 1 shl (SRAMbyte+3) KiloBits
|
|
|
|
Country (1 byte)
|
|
|
|
Byte Country Video system
|
|
|
|
0 Japan NTSC
|
|
|
|
1 USA NTSC
|
|
|
|
2 Australia, Europe, Oceania and Asia PAL
|
|
|
|
3 Sweden PAL
|
|
|
|
4 Finland PAL
|
|
|
|
5 Denmark PAL
|
|
|
|
6 France PAL
|
|
|
|
7 Holland PAL
|
|
|
|
8 Spain PAL
|
|
|
|
9 Germany, Austria and Switzerland PAL
|
|
|
|
10 Italy PAL
|
|
|
|
11 Hong Kong and China PAL
|
|
|
|
12 Indonesia PAL
|
|
|
|
13 Korea PAL
|
|
|
|
License (1 byte)
|
|
|
|
Byte Company Byte Company
|
|
|
|
1 Nintendo 131 Lozc
|
|
|
|
3 Imagineer-Zoom 132 Koei
|
|
|
|
5 Zamuse 134 Tokuma Shoten Intermedia
|
|
|
|
6 Falcom 136 DATAM-Polystar
|
|
|
|
8 Capcom 139 Bullet-Proof Software
|
|
|
|
9 HOT-B 140 Vic Tokai
|
|
|
|
10 Jaleco 142 Character Soft
|
|
|
|
11 Coconuts 143 I''Max
|
|
|
|
12 Rage Software 144 Takara
|
|
|
|
14 Technos 145 CHUN Soft
|
|
|
|
15 Mebio Software 146 Video System Co., Ltd.
|
|
|
|
18 Gremlin Graphics 147 BEC
|
|
|
|
19 Electronic Arts 149 Varie
|
|
|
|
21 COBRA Team 151 Kaneco
|
|
|
|
22 Human/Field 153 Pack in Video
|
|
|
|
23 KOEI 154 Nichibutsu
|
|
|
|
24 Hudson Soft 155 TECMO
|
|
|
|
26 Yanoman 156 Imagineer Co.
|
|
|
|
28 Tecmo 160 Telenet
|
|
|
|
30 Open System 164 Konami
|
|
|
|
31 Virgin Games 165 K.Amusement Leasing Co.
|
|
|
|
32 KSS 167 Takara
|
|
|
|
33 Sunsoft 169 Technos Jap.
|
|
|
|
34 POW 170 JVC
|
|
|
|
35 Micro World 172 Toei Animation
|
|
|
|
38 Enix 173 Toho
|
|
|
|
39 Loriciel/Electro Brain 175 Namco Ltd.
|
|
|
|
40 Kemco 177 ASCII Co. Activison
|
|
|
|
41 Seta Co.,Ltd. 178 BanDai America
|
|
|
|
45 Visit Co.,Ltd. 180 Enix
|
|
|
|
49 Carrozzeria 182 Halken
|
|
|
|
50 Dynamic 186 Culture Brain
|
|
|
|
51 Nintendo 187 Sunsoft
|
|
|
|
52 Magifact 188 Toshiba EMI
|
|
|
|
53 Hect 189 Sony Imagesoft
|
|
|
|
60 Empire Software 191 Sammy
|
|
|
|
61 Loriciel 192 Taito
|
|
|
|
64 Seika Corp. 194 Kemco
|
|
|
|
65 UBI Soft 195 Square
|
|
|
|
70 System 3 196 Tokuma Soft
|
|
|
|
71 Spectrum Holobyte 197 Data East
|
|
|
|
73 Irem 198 Tonkin House
|
|
|
|
75 Raya Systems/Sculptured Software 200 KOEI
|
|
|
|
76 Renovation Products 202 Konami USA
|
|
|
|
77 Malibu Games/Black Pearl 203 NTVIC
|
|
|
|
79 U.S. Gold 205 Meldac
|
|
|
|
80 Absolute Entertainment 206 Pony Canyon
|
|
|
|
81 Acclaim 207 Sotsu Agency/Sunrise
|
|
|
|
82 Activision 208 Disco/Taito
|
|
|
|
83 American Sammy 209 Sofel
|
|
|
|
84 GameTek 210 Quest Corp.
|
|
|
|
85 Hi Tech Expressions 211 Sigma
|
|
|
|
86 LJN Toys 214 Naxat
|
|
|
|
90 Mindscape 216 Capcom Co., Ltd.
|
|
|
|
93 Tradewest 217 Banpresto
|
|
|
|
95 American Softworks Corp. 218 Tomy
|
|
|
|
96 Titus 219 Acclaim
|
|
|
|
97 Virgin Interactive Entertainment 221 NCS
|
|
|
|
98 Maxis 222 Human Entertainment
|
|
|
|
103 Ocean 223 Altron
|
|
|
|
105 Electronic Arts 224 Jaleco
|
|
|
|
107 Laser Beam 226 Yutaka
|
|
|
|
110 Elite 228 T&ESoft
|
|
|
|
111 Electro Brain 229 EPOCH Co.,Ltd.
|
|
|
|
112 Infogrames 231 Athena
|
|
|
|
113 Interplay 232 Asmik
|
|
|
|
114 LucasArts 233 Natsume
|
|
|
|
115 Parker Brothers 234 King Records
|
|
|
|
117 STORM 235 Atlus
|
|
|
|
120 THQ Software 236 Sony Music Entertainment
|
|
|
|
121 Accolade Inc. 238 IGS
|
|
|
|
122 Triffix Entertainment 241 Motown Software
|
|
|
|
124 Microprose 242 Left Field Entertainment
|
|
|
|
127 Kemco 243 Beam Software
|
|
|
|
128 Misawa 244 Tec Magik
|
|
|
|
129 Teichio 249 Cybersoft
|
|
|
|
130 Namco Ltd. 255 Hudson Soft
|
|
|
|
Game Version (1 byte)
|
|
|
|
The version is stored as version 1.VersionByte and must be less than 128.
|
|
i.e. Less than 1.128.
|
|
|
|
Inverse ROM Checksum (2 bytes)
|
|
|
|
This is the same as XORing the two checksum bytes. i.e. The checksum bits
|
|
are inversed.
|
|
|
|
ROM Checksum (2 bytes)
|
|
|
|
The checksum is a 16bit word with the lower 8bits stored first, followed by
|
|
the upper 8bits.
|
|
|
|
The checksum is calculated by dividing the ROM into 4Mbit chunks then
|
|
adding all the bytes in these chunks together. Once you have the checksum
|
|
for each chunk, add them together and take the lower 32bits of the result.
|
|
|
|
With a non-standard image size, you do not get it equally divisible by
|
|
4Mbit (excluding 2Mbit images). e.g. 10Mbit = 4Mbit + 4Mbit + 2Mbit chunks.
|
|
|
|
Therefore, you must create a 4Mbit chunk from what is left over. Using the
|
|
same example, you would add the checksum of the following chunks to get the
|
|
ROM checksum:
|
|
|
|
4Mbit + 4Mbit + (2Mbit + 2Mbit)
|
|
or
|
|
4Mbit + 4Mbit + (2 x 2Mbit)
|
|
|
|
Non Maskable Interrupt / VBL Vector (2 bytes)
|
|
|
|
LoROM: at offset 33274
|
|
|
|
HiROM: at offset 66042
|
|
|
|
Reset Vector (2 bytes)
|
|
|
|
Where to start the ROM code.
|
|
|
|
LoROM: at offset 33276
|
|
|
|
HiROM: at offset 66042 [correction by Qwertie: 66044?]
|
|
|
|
How do I know if the ROM is HiROM or LoROM?
|
|
|
|
When you OR the checksum bytes of a disk image and the inverse checksum
|
|
bytes, the result should be FFFF hex. Therefore, to detect whether an image
|
|
is HiROM or LoROM, you must read those bytes, OR them, and see if they
|
|
equal FFFF hex.
|
|
|
|
The ROM's type depends at which location the OR'd bytes equal FFFF hex. If
|
|
it isn't found at either location, then the other way of checking is to see
|
|
at which location the title contains uppercase alphanumeric characters.
|
|
(But this fails with most Japanese cartridges)
|
|
|
|
Why don't you use the ROM Makeup Byte? You can, and some utilities do, but
|
|
some utilities allow you to change this byte, so incorrect results may
|
|
occur.
|
|
|
|
For the actual ROM, the embedded cartridge information is stored at the
|
|
same position for both LoROM and HiROM. In this case, you must use the ROM
|
|
Makeup Byte or read a 64kb page and see if both 32kb chunks (upper and
|
|
lower 32kb) are the same. If they are the same, it is LoROM (32kb pages -
|
|
A15 is not used, the data repeats itself) otherwise it is HiROM.
|
|
|
|
As a general rule of thumb, if you can't detect which ROM type it is,
|
|
default to LoROM, as these are the most common of cartridges.
|
|
|
|
Cheat Device Decoding
|
|
|
|
We'll start with the easiest first then work our way down. These codes work
|
|
by replacing a byte at a specific location in the ROM.
|
|
|
|
E.g. In the game F-Zero, at a particular position in the ROM, there is a
|
|
number 3 indicating 3 lives to start off with. What a cheat code will do is
|
|
replace this byte with, let's say, the number 9, so now when the game is
|
|
run, the player starts off with 9 lives.
|
|
|
|
Pro Action Replay (hardware)
|
|
|
|
Code format: AAAAAADD (8 digits)
|
|
|
|
A - Address
|
|
|
|
D - Data
|
|
|
|
These codes are in Hex, the address being a CPU address, not a direct ROM
|
|
location (more about this later).
|
|
|
|
Gold Finger (software)
|
|
|
|
Code format: AAAAADDDDDDCCW (14 digits)
|
|
|
|
A - Address
|
|
|
|
D - Data
|
|
|
|
C - Checksum
|
|
|
|
W - What to change (DRAM or SRAM)
|
|
|
|
This code was designed for the copiers, and are straight Hex characters.
|
|
Therefore the Address is a ROM address, not a CPU address. Data bytes are
|
|
arranged in 2 characters (2 D's per byte), which allows for 3 bytes. If a
|
|
byte is not being used, it is denoted by 'XX'. I have never seen a code
|
|
with three unused bytes - what's the point of one anyhow?
|
|
|
|
The address (A's) is a base address. The first data byte (D's) is to be
|
|
placed at this address. The second at address+1, the third at address+2 (if
|
|
to be used, that is, if they are not 'XX').
|
|
|
|
To calculate the checksum you must take the A's and D's, add a zero (0) to
|
|
the front of the shortened code, then divide into block's of 2 hex digits
|
|
(bytes). Add these hex digits together (2 characters per hex digit) then
|
|
minus 160 hex (352 decimal). Now AND this number by FF hex (255 decimal) to
|
|
get the lower 8 bits (byte). Convert this number to hex and you have your
|
|
checksum (C's).
|
|
|
|
W tells the copier whether to replace the byte in the DRAM (ROM image) or
|
|
the SRAM (Saved game static RAM) of the copier.
|
|
|
|
Value of W Where to place byte
|
|
|
|
0 DRAM (ROM image)
|
|
|
|
1 SRAM (Saved game image)
|
|
|
|
The rec.games.video FAQ specifies that there may be non- standard values of
|
|
2, 8, A, C, F for W, which may be converted to 0. I personally have only
|
|
seen Gold Finger codes with W = 0.
|
|
|
|
Game Genie (hardware)
|
|
|
|
Code format: DDAA-AAAA (8 digits)
|
|
|
|
A - Address
|
|
|
|
D - Data
|
|
|
|
This is the most difficult code to decipher out of the lot. It is as
|
|
follows:
|
|
|
|
First take the code in the form xxxx-xxxx and take out the dash ('-') to
|
|
form xxxxxxxx. Convert these characters (Genie Hex) to normal hex
|
|
characters using the following table:
|
|
|
|
Genie Hex: D F 4 7 0 9 1 5 6 B C 8 A 2 3 E
|
|
|
|
Normal Hex: 0 1 2 3 4 5 6 7 8 9 A B C D E F
|
|
|
|
The first two characters is the data byte in Hex. Now take the other 6
|
|
following characters (encoded address) and put it into it's binary form of
|
|
24 bits.
|
|
|
|
Now take each bit of the encoded address and rearrange to form the real
|
|
address:
|
|
|
|
24bit encoded address: ijklqrst opabcduv wxefghmn
|
|
|
|
8bit encoded data: ABCDEFGH
|
|
|
|
Rearrange as:
|
|
|
|
24bit address : 8bit data
|
|
|
|
abcdefgh ijklmnop qrstuvwx: ABCDEFGH
|
|
|
|
MSB LSB MSB LSB
|
|
|
|
Bit 23 of the encoded address (bit 15 of the real address) is always 1. The
|
|
reason being that the SNES CPU address must be 1 for it to access the ROM.
|
|
|
|
Converting between CPU addresses and ROM addresses
|
|
|
|
This is very easy once you understand how it is done. To convert from a CPU
|
|
address to a ROM address, all you need to do is remove bit 15. By doing
|
|
this, I don't mean just setting it to 0. I mean by removing it, then moving
|
|
all bits after it down one.
|
|
|
|
e.g. ROMaddress = (CPUaddress and 7FFFh) or ((CPUaddress and FF0000h) shl 1)
|
|
|
|
Therefore, to convert from a ROM address to a CPU address, you must insert
|
|
a high bit into position 15 (bit 15).
|
|
|
|
e.g. CPUaddress = (ROMaddress and 7FFFh) or ((ROMaddress and 7F8000h) shr 1) or 8000h
|
|
|
|
Easily converting between codes
|
|
|
|
I have made available two DOS programs with source code on my WWW pages
|
|
which allow you to convert between Game Genie and Gold Finger codes. These
|
|
are available freely from http://www.parodius.com/~diskdude/CartDisk/.
|
|
|
|
Note: Because the Gold Finger can only address upto 8Mbit of game data,
|
|
while other codes can address upto 64Mbit of game data, some Game Genie and
|
|
Action Replay codes may not be converted to Gold Finger.
|
|
|
|
SNES Copiers
|
|
|
|
What are copiers?
|
|
|
|
A copier is a device which sits on top of the SNES and allows you to backup
|
|
your cartridges as well as play your backed up games. It does this by
|
|
storing the ROM image of a cartridge to floppy disks via a 1.44Mb disk
|
|
drive. Most copiers also include a parallel PC port interface, allowing
|
|
your PC to control the unit and store images on your hard drive.
|
|
|
|
Copier's contain DRAM from 1 Megabyte to 16 Megabytes, 8MegaBits to
|
|
128MegaBits respectively. This is the reason why they are so expensive.
|
|
|
|
It is legal to own and use a copier for your own personal backup of
|
|
cartridges which you legally own in this point in time, although it is
|
|
illegal to distribute this copy (only one copy is allowed). This may vary
|
|
depending on where you live.
|
|
|
|
If you wish to make your own "home brew" copier for the SNES, and other
|
|
consoles, more information can be found at
|
|
http://www.parodius.com/~diskdude/CartDisk/.
|
|
|
|
Super Wild Card (SWC) header information
|
|
|
|
The SWC (Super Wild Card) image format consists of a 512 byte header. It's
|
|
layout is as follows (set unused bytes to 00h):
|
|
|
|
Offset Function
|
|
|
|
0 Lower 8 bits of size word
|
|
|
|
1 Upper 8 bits of size word
|
|
|
|
2 Image information byte
|
|
|
|
8 SWC header identifier (set to AAh)
|
|
|
|
9 SWC header identifier (set to BBh)
|
|
|
|
10 SWC header identifier (set to 04h)
|
|
|
|
The size word is calculated by multiplying the image size, not game size
|
|
(in MegaBits) by 16. e.g. Image is 4 Mbits, so size word would be 4*16=64.
|
|
|
|
Image information byte (in the form of 76543210):
|
|
|
|
Bit Description
|
|
|
|
7 1 - Run program in Mode 0 (JMP $8000)
|
|
|
|
0 - Run program in Mode 1 (JMP RESET Vector)
|
|
|
|
6 1 - Multi image (there is another split file to follow)
|
|
|
|
0 - Not multi image (no more split files to follow)
|
|
|
|
5 1 - SRAM memory mapping Mode 21 (HiROM)
|
|
|
|
0 - SRAM memory mapping Mode 20
|
|
|
|
4 1 - DRAM memory mapping Mode 21 (HiROM)
|
|
|
|
0 - DRAM memory mapping Mode 20
|
|
|
|
3/2 00: 256kbit SRAM
|
|
|
|
01: 65kbit SRAM
|
|
|
|
10: 16kbit SRAM
|
|
|
|
11: no SRAM
|
|
|
|
1/0 reserved
|
|
|
|
Pro Fighter (FIG) header format
|
|
|
|
This format is similar to the SWC. It consists of a 512byte header who's
|
|
layout is as follows (set unused bytes to 00h):
|
|
|
|
Offset Function
|
|
|
|
0 Lower 8 bits of size word
|
|
|
|
1 Upper 8 bits of size word
|
|
|
|
2 40h - Multi image
|
|
|
|
00h - Last image in set (or single image)
|
|
|
|
3 80h - if HiROM
|
|
|
|
00h - if LoROM
|
|
|
|
4 If using DSP1 microchip:
|
|
|
|
FDh - If using SRAM (SRAM size>0)
|
|
|
|
47h - If no SRAM (SRAM size=0)
|
|
|
|
77h - If not using DSP1 and no SRAM (SRAM size=0)
|
|
|
|
5 If using DSP1 microchip:
|
|
|
|
82h - If using SRAM (SRAM size>0)
|
|
|
|
83h - If no SRAM (SRAM size=0)
|
|
|
|
83h - If not using DSP1 and no SRAM (SRAM size=0)
|
|
|
|
Game Doctor file name format
|
|
|
|
The Game Doctor does not use a 512 byte header like the SWC, instead it
|
|
uses specially designed filenames to distinguish between multi files. I'm
|
|
not sure if it used the filename for information about the size of the
|
|
image though.
|
|
|
|
Usually, the filename is in the format of: SFXXYYYZ.078
|
|
|
|
Where SF means Super Famicon, XX refers to the size of the image in Mbit.
|
|
If the size is only one character (i.e. 2, 4 or 8 Mbit) then no leading "0"
|
|
is inserted.
|
|
|
|
YYY refers to a catalogue number in Hong Kong shops identifying the game
|
|
title. (0 is Super Mario World, 1 is F- Zero, etc). I was told that the
|
|
Game Doctor copier produces a random number when backing up games.
|
|
|
|
Z indicates a multi file. Like XX, if it isn't used it's ignored.
|
|
|
|
A would indicate the first file, B the second, etc. I am told 078 is not
|
|
needed, but is placed on the end of the filename by systems in Asia.
|
|
|
|
e.g. The first 16Mbit file of Donkey Kong Country (assuming it is cat. no.
|
|
475) would look like: SF16475A.078
|
|
|
|
Super Wild Card parallel port I/O protocol
|
|
|
|
I was given this information a while ago. It is supposed to be direct from
|
|
the company which makes SWC's and I have included this information because
|
|
a few people have been asking for it. If you have similar information for
|
|
other backup devices, it would be appreciated if you could send it to me.
|
|
|
|
[PROTOCOL USED IN PC]
|
|
|
|
* BYTE OUTPUT PROCEDURE
|
|
|
|
WAIT BUSY BIT = 1 STATUS PORT BIT7 (HEX n79, n7D)
|
|
|
|
WRITE ONE BYTE DATA LATCH (HEX n78, n7C)
|
|
|
|
REVERSE STROBE BIT CONTROL PORT BIT0 (HEX n7A, n7E)
|
|
|
|
* BYTE INPUT PROCEDURE
|
|
|
|
WAIT BUSY BIT = 0 STATUS PORT BIT7 (HEX n79, n7D)
|
|
|
|
READ LOW 4 BITS OF BYTE STATUS PORT BIT3-6 (HEX n79, n7D)
|
|
|
|
REVERSE STROBE BIT CONTROL PORT BIT0 (HEX n7A, n7E)
|
|
|
|
WAIT BUSY BIT = 0 STATUS PORT BIT7 (HEX n79, n7D)
|
|
|
|
READ HIGH 4 BITS OF BYTE STATUS PORT BIT3-6 (HEX n79, n7D)
|
|
|
|
REVERSE STROBE BIT CONTROL PORT BIT0 (HEX n7A, n7E)
|
|
|
|
* 5 TYPES OF COMMAND
|
|
|
|
* COMMAND LENGTH = 9 BYTES.
|
|
|
|
* COMMAND FORMAT
|
|
|
|
BYTE 1 D5 ID CODE 1
|
|
|
|
BYTE 2 AA ID CODE 2
|
|
|
|
BYTE 3 96 ID CODE 3
|
|
|
|
BYTE 4 00|01|04|05|06 COMMAND CODE
|
|
|
|
BYTE 5 al LOW BYTE OF ADDRESS
|
|
|
|
BYTE 6 ah HIGH BYTE OF ADDRESS
|
|
|
|
BYTE 7 ll LOW BYTE OF DATA LENGTH
|
|
|
|
BYTE 8 lh HIGH BYTE OF DATA LENGTH
|
|
|
|
BYTE 9 cc CHECKSUM = 81^BYTE4^BYTE5^BYTE6^BYTE7^BYTE8
|
|
|
|
* COMMAND [00] : DOWNLOAD DATA
|
|
|
|
al, ah = ADDRESS
|
|
|
|
ll, lh = DATA LENGTH
|
|
|
|
OUTPUT DATAS AFTER COMMAND
|
|
|
|
* COMMAND [01] : UPLOAD DATA
|
|
|
|
al, ah = ADDRESS
|
|
|
|
ll, lh = DATA LENGTH
|
|
|
|
INPUT DATAS AFTER COMMAND
|
|
|
|
* COMMAND [04] : FORCE SFC PROGRAM TO JMP
|
|
|
|
al, ah = ADDRESS
|
|
|
|
* COMMAND [05] : SET MEMORY PAGE NUMBER
|
|
|
|
al BIT0-1 = PAGE NUMBER
|
|
|
|
al BIT2-7 + ah BIT0-1 = BANK NUMBER
|
|
|
|
* COMMAND [06] : SUB FUNCTION
|
|
|
|
al = 0 INITIAL DEVICE
|
|
|
|
al = 1 PLAY GAME IN DRAM
|
|
|
|
al = 2 PLAY CARTRIDGE
|
|
|
|
ROM Protection Schemes
|
|
|
|
This section details ways of bypassing the FastROM, PAL/NTSC and SRAM size
|
|
checks implemented in many SNES games in order to stop people backing them
|
|
up using copiers.
|
|
|
|
Note: You don't necessarily have to find and replace all strings to remove
|
|
the check(s).
|
|
|
|
SlowROM checks
|
|
|
|
Most cartridges these days use 120ns ROM in order to get the most out of
|
|
the ageing SNES. However, there are still many copiers around which emulate
|
|
ROM at speeds of 200ns meaning they cannot backup the newer cartridges
|
|
correctly.
|
|
|
|
Changing the ROM code to bypass the SlowROM check, found in many, but not
|
|
all FastROM games, allows many people with SlowROM copiers to backup
|
|
FastROM games.
|
|
|
|
To patch a ROM and bypass the SlowROM check, you must find any of the
|
|
following strings in the image and replace it with the patch string: (all
|
|
codes in hex)
|
|
|
|
Search for Replace with
|
|
|
|
A9 01 8D 0D 42 A9 00 8D 0D 42
|
|
|
|
A9 01 8E 0D 42 A9 00 8E 0D 42
|
|
|
|
A2 01 8D 0D 42 A2 00 8D 0D 42
|
|
|
|
A2 01 8E 0D 42 A2 00 8E 0D 42
|
|
|
|
A9 01 00 8D 0D 42 A9 00 00 8D 0D 42
|
|
|
|
A9 01 8F 0D 42 00 A9 00 8F 0D 42 00
|
|
|
|
PAL/NTSC checks
|
|
|
|
Most SNES games have code which detects which video system the cartridge is
|
|
being played on and refuses to run if not in the right mode. This is to
|
|
stop people from buying games from other countries before they are released
|
|
locally.
|
|
|
|
To bypass the PAL/NTSC check the following patterns must be found and
|
|
replaced with the ones specified: (all codes in hex)
|
|
|
|
Search for Replace with
|
|
|
|
3F 21 29 10 C9 10 F0 3F 21 29 10 C9 10 80
|
|
|
|
3F 21 89 10 C9 10 F0 3F 21 89 10 C9 10 80
|
|
|
|
3F 21 29 10 F0 3F 21 29 10 80
|
|
|
|
3F 21 00 89 10 F0 3F 21 00 89 10 80
|
|
|
|
3F 21 00 29 10 F0 3F 21 00 29 10 80
|
|
|
|
3F 21 89 10 00 F0 3F 21 89 10 00 80
|
|
|
|
3F 21 29 10 00 F0 3F 21 29 10 00 80
|
|
|
|
AD 3F 21 29 10 00 D0 AD 3F 21 29 10 00 80
|
|
|
|
AF 3F 21 00 29 10 D0 AF 3F 21 00 29 10 80
|
|
|
|
AF 3F 21 00 29 10 00 D0 AF 3F 21 00 29 10 00 EA EA
|
|
|
|
AD 3F 21 29 10 D0 AD 3F 21 29 10 EA EA
|
|
|
|
AD 3F 21 29 10 F0 AD 3F 21 29 10 80
|
|
|
|
AD 3F 21 89 10 D0 AD 3F 21 89 10 80
|
|
|
|
AD 3F 21 29 10 C9 00 F0 AD 3F 21 29 10 C9 00 80
|
|
|
|
AF 3F 21 00 29 10 00 F0 AF 3F 21 00 29 10 00 80
|
|
|
|
AF 3F 21 00 89 10 00 F0 AF 3F 21 00 89 10 00 80
|
|
|
|
SRAM size checks
|
|
|
|
Some SNES games check to see how much SRAM is connected to the SNES as a
|
|
form of copy protection. As most copiers have 256kbits standard, the game
|
|
will know it's running on a backup unit and stop to prevent people copying
|
|
the games. However, the newer copiers get around this detection somehow.
|
|
|
|
To disable the SRAM size check in a ROM image, search for the following and
|
|
replace as appropriate.
|
|
|
|
Note: All codes are in hex, although 'xx' means anything, while a comma
|
|
means search for either of the two or more (enclosed in brackets).
|
|
|
|
Search for (8F, 9F) xx xx 70 (CF, DF) xx xx 70 D0
|
|
|
|
Replace with (8F, 9F) xx xx 70 (CF, DF) xx xx 70 EA EA (if SRAM size of game = 64kbit)
|
|
|
|
(8F, 9F) xx xx 70 (CF, DF) xx xx 70 80 (if SRAM size of game <> 64kbit)
|
|
|
|
Search for (8F, 9F) xx xx (30, 31, 32, 33) (CF, DF) xx xx (30, 31, 32, 33) D0
|
|
|
|
Replace with (8F, 9F) xx xx (30, 31, 32, 33) (CF, DF) xx xx (30, 31, 32, 33) 80
|
|
|
|
Search for (8F, 9F) xx xx (30, 31, 32, 33) (CF, DF) xx xx (30, 31, 32, 33) F0
|
|
|
|
Replace with (8F, 9F) xx xx (30, 31, 32, 33) (CF, DF) xx xx (30, 31, 32, 33) EA EA
|
|
|
|
Search for (8F, 9F) xx xx (30, 31, 32, 33) AF xx xx (30, 31, 32, 33) C9 xx xx D0
|
|
|
|
Replace with (8F, 9F) xx xx (30, 31, 32, 33) AF xx xx (30, 31, 32, 33) C9 xx xx 80
|
|
|
|
Many thanks to Chp for making his uCON v1.41 source publicly available,
|
|
from which these patterns came.
|
|
|
|
IPS Patch Format
|
|
|
|
This patch format is used a lot for patching SNES ROM images. Therefore I
|
|
have included it's format in this text. For a more detailed explanation of
|
|
the IPS format, please visit the Damaged Cybernetics WWW pages
|
|
http://www.futureone.com/~damaged/.
|
|
|
|
The format is as follows:
|
|
|
|
Description Size
|
|
|
|
IPS file identifier 5 bytes (characters PATCH)
|
|
|
|
Offset in file to place patch 3 bytes
|
|
|
|
Number of bytes in patch 2 bytes (allows 65535 patch bytes)
|
|
|
|
Patch byte(s) (specified by 'No. of bytes in patch')
|
|
|
|
. .
|
|
|
|
. .
|
|
|
|
Start again, looking 3 bytes (characters EOF)
|
|
|
|
for new offset, unless
|
|
|
|
and EOF is found.
|
|
|
|
Sample IPS file contents with 2 offset points:
|
|
|
|
PATCHooonn?ooonn?EOF
|
|
|
|
o - Offset in file
|
|
|
|
n - Number of bytes in patch
|
|
|
|
? - Data byte(s) (n number of bytes)
|
|
|
|
Acknowledgements
|
|
|
|
The following people have contributed to this text, whether they know it or
|
|
not. Many thanks to them for their wonderful contribution(s).
|
|
|
|
Donald Moore (moore@futureone.com)
|
|
Chp (ronaldm@netcom.com)
|
|
Thomas Rolfes (Thomas_Rolfes@ms.maus.de)
|
|
Jeremy Chadwick(yoshi@parodius.com)
|
|
Nigel Bryant (nbb@essex.ac.uk)
|
|
|
|
Also used for the creation of this text was the rec.games.video Frequently
|
|
Asked Questions (FAQ) file; a FAQ with a huge amount of information on
|
|
consoles in general.
|
|
|
|
[Image]
|
|
|
|
Special thanks to Mark for the midi!
|
|
[Image]
|
|
|
|
Questions, comments or complaints can be sent to DiskDude via e-mail.
|
|
Copyright © 1995-1996 DiskDude of Damaged Cybernetics. All rights reserved.
|
|
|
|
Last updated 1st January 1997
|
|
|
|
Damaged Cybernetics is not connected or affiliated with any mentioned
|
|
company in any way. The opinions of Damaged Cybernetics do not reflect the
|
|
views of the various companies mentioned here. Companies and all products
|
|
pertaining to that company are trademarks of that company. Please contact
|
|
that company for trademark and copyright information.
|