Header of a ROM cartridge

pp (msx novice) Posts: 27 | Posted: 06 December 2005, 07:53
Hi,
When disassembling a cartridge ROM, one sees a header consisting of 16 bytes. Does anyone know what bytes 0-1 mean? Bytes 2-3 are the execution start address, the rest (in my case) are all zeros.
What I also don't understand is why there's code below the start address.
In my case, the execution address is 406AH, but code starts at 4010H. How does the disassembler know to start there?
Regards,
pp

pitpan (msx master) Posts: 1379 | Posted: 06 December 2005, 09:43
bytes 0 and 1: ROM signature, should be 40h, 41h - in ASCII "AB"
bytes 2 and 3: word pointing to start address
About the start point, you can define it. It is typical to include an ASCII header with some information and then the code starts. Or it is possible to have some routines that are secondary before the starting point.
db "AB"
dw INIT
db "This is my game"
INIT:
; Code begins here
Please note that this is not standard: the first 16 bytes of any ROM should use the strict syntax: if you just use a machine code ROM, only the first 4 bytes will be used and the others, up to 16, should be 0. But no one cares

pp (msx novice) Posts: 27 | Posted: 06 December 2005, 10:13
Quote:
| bytes 0 and 1: ROM signature, should be 40h, 41h - in ASCII "AB"
| bytes 2 and 3: word pointing to start address
| About the start point, you can define it. It is typical to include an ASCII header with some information and then the code starts. Or it is possible to have some routines that are secondary before the starting point.
| db "AB"
| dw INIT
| db "This is my game"
| INIT:
| ; Code begins here
| Please note that this is not standard: the first 16 bytes of any ROM should use the strict syntax: if you just use a machine code ROM, only the first 4 bytes will be used and the others, up to 16, should be 0. But no one cares
Okay,
But how does the disassembler know about these routines before the start point? Apparently, the disassembler starts with inserting memory addresses before each instruction. How does it know where to start these memory addresses?
Regards,
pp

pitpan (msx master) Posts: 1379 | Posted: 06 December 2005, 10:35
I don't understand the question, pp. About what the disassembler does, just read the instructions. Are you sure that we are discussing a disassembler and not an assembler? In other words, what do you want to do exactly? Maybe we would be able to help you if you tell us what you are looking for.

zeilemaker54 (msx lover) Posts: 97 | Posted: 06 December 2005, 11:28
Quote:
| Please note that this is not standard: the first 16 bytes of any ROM should use the strict syntax: if you just use a machine code ROM, only the first 4 bytes will be used and the others, up to 16, should be 0. But no one cares
This is not the correct way!! You assume that the ROM takes control and never returns. But that is only the case with games and programs that do not interact with other system expansions. The right definition of the ROM header is:
DEFB "AB"     ; expansion ROM header
DEFW initcode ; start of the init code, 0 if no init code
DEFW callstat ; pointer to CALL statement handler, 0 if no such handler
DEFW device   ; pointer to expansion device handler, 0 if no such handler
DEFW basic    ; pointer to the start of a tokenized BASIC program, 0 if no BASIC program
DEFS 6,0      ; room reserved for future extensions
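As an added worked example (not code from the thread, from msxdasm, or from any MSX project), the following Python decodes the 16-byte header laid out above and shows why a listing body begins at 4010h: the header occupies 4000h-400Fh. The sample ROM image is constructed; only the "AB" signature and the 406Ah init address come from the thread.

```python
# Added example: parse the MSX cartridge ROM header described in the thread.
# Layout: "AB", INIT, STATEMENT, DEVICE, TEXT (little-endian words), 6 reserved.
import struct

ROM_BASE = 0x4000      # a cartridge ROM is mapped from 4000h upwards
HEADER_SIZE = 16

def parse_msx_rom_header(rom: bytes, base: int = ROM_BASE) -> dict:
    """Decode the header; a zero pointer means 'no such handler'."""
    if len(rom) < HEADER_SIZE:
        raise ValueError("ROM image shorter than the 16-byte header")
    if rom[0:2] != b"AB":
        raise ValueError("missing 'AB' signature: not an MSX cartridge ROM")
    init, statement, device, text = struct.unpack_from("<4H", rom, 2)
    reserved = rom[10:16]
    end = base + len(rom)

    def check(name: str, ptr: int) -> int:
        # A non-zero pointer must land inside the mapped ROM window,
        # otherwise the header is corrupt or the base address is wrong.
        if ptr and not (base <= ptr < end):
            raise ValueError(f"{name} pointer {ptr:04X}h outside "
                             f"{base:04X}h-{end - 1:04X}h")
        return ptr

    return {
        "init": check("INIT", init),
        "statement": check("STATEMENT", statement),
        "device": check("DEVICE", device),
        "text": check("TEXT", text),
        "reserved_zero": reserved == bytes(6),
        # first byte after the header, where a disassembler listing starts
        "first_body_addr": base + HEADER_SIZE,
    }

# Constructed 32 KB image: header with INIT=406Ah, handlers 0, body all NOPs.
SAMPLE_ROM = (b"AB" + struct.pack("<4H", 0x406A, 0, 0, 0) + bytes(6)
              + bytes(0x8000 - HEADER_SIZE))

if __name__ == "__main__":
    h = parse_msx_rom_header(SAMPLE_ROM)
    print(f"INIT = {h['init']:04X}h, listing body starts at "
          f"{h['first_body_addr']:04X}h")
```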

pp (msx novice) Posts: 27 | Posted: 06 December 2005, 12:05
Okay, sorry everyone, if I'm a bit chaotic. What I'm doing is disassembling a cartridge ROM with msxdasmw. Here's how the first lines of code look:
;þ MSX DASM v0.9 for Win32 - CopyRight Fudeba Software, 2004
;File: p.rom
;DASM As: ROM Cartridge
;Init. Address: 406Ah
;Stat. Address: 0000h
;Device Address: 0000h
;Text Address: 0000h
;Addr Hexa ASCII Z80 Mnemonic Comments
T4010h 43...... C... LD B,E
T4011h 44...... D... LD B,H
T4012h 07...... .... RLCA
T4013h 43...... C... LD B,E
T4014h 60...... `... LD H,B
T4015h 00...... .... NOP
T4016h E0...... à... RET PO
T4017h 04...... .... INC B ;
T4018h 92...... ’... SUB D
T4019h E0...... à... RET PO
T401Ah 0D...... .... DEC C
T401Bh 90...... ?... SUB B
T401Ch E0...... à... RET PO
T401Dh 83...... ƒ... ADD A,E
T401Eh E0...... à... RET PO
T401Fh 86...... †... ADD A,(HL)
T4020h E0...... à... RET PO
T4021h F7...... ÷... RST 30h
T4022h 40...... @... LD B,B
T4023h CD3E01.. Í>.. CALL T013EH
T4026h F3...... ó... DI
T4027h 3E0E.... >... LD A,00Eh
T4029h 320080.. 2.€. LD (T8000H),A
T402Ch 3C...... <... INC A ;
T402Dh 3200A0.. 2. . LD (TA000H),A
T4030h CD8280.. Í‚€. CALL T8082H
T4033h F3...... ó... DI
T4034h 3AF2F0.. :òð. LD A,(TF0F2H)
T4037h 320080.. 2.€. LD (T8000H),A
T403Ah 3AF3F0.. :óð. LD A,(TF0F3H)
T403Dh 3200A0.. 2. . LD (TA000H),A
T4040h 2105E0.. !.à. LD HL,0E005h
T4043h CB46.... ËF.. BIT 0,(HL)
T4045h 200C.... .... JR NZ,00Ch ; Jump to 04053H
T4047h 34...... 4... INC (HL) ;
T4048h FB...... û... EI
T4049h CDBB44.. ͻD. CALL T44BBH
T404Ch CD0080.. Í.€. CALL T8000H
T404Fh AF...... ¯... XOR A ; Clear A and F
T4050h 3205E0.. 2.à. LD (TE005H),A
T4053h FB...... û... EI
T4054h C9...... É... RET
T4055h 87...... ‡... ADD A,A
T4056h 85...... …... ADD A,L
T4057h 6F...... o... LD L,A
T4058h D0...... Ð... RET NC
T4059h 24...... $... INC H ;
T405Ah C9...... É... RET
T405Bh 83...... ƒ... ADD A,E
T405Ch 5F...... _... LD E,A
T405Dh D0...... Ð... RET NC
T405Eh 14...... .... INC D ;
T405Fh C9...... É... RET
T4060h E1...... á... POP HL
T4061h 87...... ‡... ADD A,A
T4062h CD5640.. ÍV@. CALL T4056H
T4065h 5E...... ^... LD E,(HL)
T4066h 23...... #... INC HL ;
T4067h 56...... V... LD D,(HL)
T4068h EB...... ë... EX DE,HL
T4069h E9...... é... JP (HL)
T406Ah F3...... ó... DI
T406Bh ED56.... íV.. IM 1
T406Dh F3...... ó... DI
As you can see the cartridge header says start at 406AH, but there's code in front of it. How does the disassembler compute the first column memory addresses? That's what I would like to know.
Hope you guys can help still.
pp

pitpan (msx master) Posts: 1379 | Posted: 06 December 2005, 13:15
The disassembler apparently disassembles all the positions that are located between 4010h and the end of the file. But if you check the first disassembled opcodes you will see that they do not make sense. They are probably data and not code.
But also the start address, 406Ah, does not make much sense: DI: IM 1: DI. The 4060 part is valid code though.

pp (msx novice) Posts: 27 | Posted: 06 December 2005, 13:46
This is a valid ROM, the ROM software works! How can we explain this? Am I using the wrong disassembler?
pp

pitpan (msx master) Posts: 1379 | Posted: 06 December 2005, 14:18
Is it a game? Maybe it would be easier if I could have a look into it.

zeilemaker54 (msx lover) Posts: 97 | Posted: 06 December 2005, 14:27
Looks like a Konami ROM to me.... They have a table at 04010H containing information about the game. This is used by the Konami Game Master (for cheating etc.).

pitpan (msx master) Posts: 1379 | Posted: 06 December 2005, 14:28
Quote:
| Quote:
| | Please note that this is not standard: the first 16 bytes of any ROM should use the strict syntax: if you just use a machine code ROM, only the first 4 bytes will be used and the others, up to 16, should be 0. But no one cares
| This is not the correct way!! You assume that the ROM takes control and never returns. But that is only the case with games and programs that do not interact with other system expansions. The right definition of the ROM header is:
| DEFB "AB"     ; expansion ROM header
| DEFW initcode ; start of the init code, 0 if no init code
| DEFW callstat ; pointer to CALL statement handler, 0 if no such handler
| DEFW device   ; pointer to expansion device handler, 0 if no such handler
| DEFW basic    ; pointer to the start of a tokenized BASIC program, 0 if no BASIC program
| DEFS 6,0      ; room reserved for future extensions
Once again, I know all this. But we were talking of a ROM with only an executable machine code program, with only the first 4 bytes set up and the rest set to 0. Please read all the messages before

zeilemaker54 (msx lover) Posts: 97 | Posted: 06 December 2005, 14:38
May be something like this:
T4010h DEFB "CD" ; Konami game identifier
T4012h DEFW 4307H
T4014h DEFB 060H
T4015h DEFW 0E000H
T4017h DEFB 4
T4018h DEFW 0E092H
T401Ah DEFB 13
T401Bh DEFW 0E090H
T401Dh DEFW 0E083H
T401Fh DEFW 0E086H
T4021h DEFW 040F7H
But I am no konami expert.....

pitpan (msx master) Posts: 1379 | Posted: 06 December 2005, 15:41
Yeah. A Konami game.

pp (msx novice) Posts: 27 | Posted: 07 December 2005, 08:00
Okay, you are right. It is a Konami game.
Is it wrong to disassemble it?
Anyway, did that already.
Does anyone know why it starts from 4010H? It looks like it ends at BFFFH, to go further at again a 4000H till BFFFH, and this a total of 4 times?
To me, it looks like it's four times pages 2 and 3??? This makes it 4 times 32K is a 128M game. Does it swap out pages 2 and 3 constantly? They cannot be loaded all 4 at the same time? Or is the slot expanded to 4 subslots (for pages 2 and 3)?
So where's the start of the real code then? Do we agree on 406AH?
Regards,
pp

zeilemaker54 (msx lover) Posts: 97 | Posted: 07 December 2005, 10:30
Quote:
| Okay, you are right. It is a Konami game.
| Is it wrong to disassemble it?
| Anyway, did that already.
| Does anyone know why it starts from 4010H? It looks like it ends at BFFFH, to go further at again a 4000H till BFFFH, and this a total of 4 times?
| To me, it looks like it's four times pages 2 and 3??? This makes it 4 times 32K is a 128M game. Does it swap out pages 2 and 3 constantly? They cannot be loaded all 4 at the same time? Or is the slot expanded to 4 subslots (for pages 2 and 3)?
| So where's the start of the real code then? Do we agree on 406AH?
| Regards,
| pp
Well, the init routine is at 406AH, but I see code starting at 4023H. This is clearly the interrupt handler. Konami games are fully driven by the VDP interrupt.
Furthermore, Konami MEGAROMs have hardware for switching 'blocks'. This works like the pages in a slot, but instead of 16 KB they are 8 KB a piece. They are switched by writing to a special address. There are two types, one with SCC and one without an SCC. Clearly you have one without the SCC. Switching with this type of MEGAROM:
6000H-7FFFH is switched by writing a blocknumber to 6000H
8000H-9FFFH is switched by writing a blocknumber to 8000H
A000H-BFFFH is switched by writing a blocknumber to A000H
Hope this helps...
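As an added example (not code from the thread or from any emulator), here is a small Python model of the block switching just described: 8 KB blocks, with the 6000H, 8000H and A000H windows each selected by a write to their own base address. The ROM image is constructed so that every byte of block n holds the value n, which makes it easy to see which block a window currently shows. Two assumptions not stated in the thread: 4000H-5FFFH stays on block 0, and a block number larger than the ROM has wraps around.

```python
# Added example: model of the Konami MegaROM mapper without SCC as described
# in the thread. Assumptions (not from the thread): 4000h-5FFFh is fixed to
# block 0, power-on state shows blocks 0..3 in order, block numbers wrap.
BLOCK_SIZE = 0x2000                            # 8 KB blocks
WINDOW_BASES = (0x4000, 0x6000, 0x8000, 0xA000)
SWITCH_ADDRS = (0x6000, 0x8000, 0xA000)        # write here to switch a window

class KonamiMapper:
    def __init__(self, rom: bytes):
        if not rom or len(rom) % BLOCK_SIZE:
            raise ValueError("ROM size must be a non-zero multiple of 8 KB")
        self.rom = rom
        self.nblocks = len(rom) // BLOCK_SIZE
        # window base address -> block currently visible there
        self.selected = {base: i % self.nblocks
                         for i, base in enumerate(WINDOW_BASES)}

    def write(self, addr: int, value: int) -> None:
        """A write to 6000h/8000h/A000h selects the block for that window."""
        if addr in SWITCH_ADDRS:
            self.selected[addr] = value % self.nblocks   # wrap (assumption)
        # any other write hits ROM and is ignored

    def read(self, addr: int) -> int:
        """Translate a Z80 address in 4000h-BFFFh to the byte in the ROM image."""
        if not 0x4000 <= addr < 0xC000:
            raise ValueError(f"{addr:04X}h is outside the cartridge window")
        base = addr & ~(BLOCK_SIZE - 1)           # 4000h, 6000h, 8000h or A000h
        block = self.selected[base]
        return self.rom[block * BLOCK_SIZE + (addr - base)]

# Constructed 128 KB image: 16 blocks, every byte of block n equals n.
SAMPLE_ROM = b"".join(bytes([n]) * BLOCK_SIZE for n in range(16))

if __name__ == "__main__":
    m = KonamiMapper(SAMPLE_ROM)
    m.write(0x8000, 7)                         # map block 7 into 8000h-9FFFh
    for a in WINDOW_BASES:
        print(f"{a:04X}h shows block {m.read(a)}")
```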