└── index.md
/index.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # GBATEK - GBA Only
4 |
5 | Gameboy Advance Technical Info - Extracted from no$gba version 2.9b
6 |
7 | ## About This Fork
8 |
9 | **THIS DOCUMENT IS ONLY THE GBA PORTION OF GBATEK**
10 |
11 | * The [full markdown fork](https://mgba-emu.github.io/gbatek/) has the entire document in markdown form.
12 | * The [full original version](https://problemkaputt.de/gbatek.htm) is in HTML form.
13 |
14 | I started with the full markdown and then just deleted sections that were
15 | obviously not needed for GBA development. The goal is to have a significantly
16 | smaller document that's easier for browsers to render and search through.
17 | Without the DS and DSi content it's about 1/6th as large as the full thing.
18 |
19 | Not every non-GBA bit of info has been removed. [PRs
20 | welcome](https://github.com/rust-console/gbatek-gbaonly/pulls) if you want to
21 | improve this document further.
22 |
23 | [About this Document](#aboutthisdocument)
24 |
25 | ## GBA Reference
26 |
27 | ### Overview
28 |
29 | - [GBA Technical Data](#gbatechnicaldata)
30 | - [GBA Memory Map](#gbamemorymap)
31 | - [GBA I/O Map](#gbaiomap)
32 |
33 | ### Hardware Programming
34 |
35 | - [GBA LCD Video Controller](#gbalcdvideocontroller)
36 | - [GBA Sound Controller](#gbasoundcontroller)
37 | - [GBA Timers](#gbatimers)
38 | - [GBA DMA Transfers](#gbadmatransfers)
39 | - [GBA Communication Ports](#gbacommunicationports)
40 | - [GBA Keypad Input](#gbakeypadinput)
41 | - [GBA Interrupt Control](#gbainterruptcontrol)
42 | - [GBA System Control](#gbasystemcontrol)
43 | - [GBA Cartridges](#gbacartridges)
44 | - [GBA Unpredictable Things](#gbaunpredictablethings)
45 |
46 | ### Other
47 |
48 | - [ARM CPU Reference](#armcpureference)
49 | - [BIOS Functions](#biosfunctions)
50 | - [External Connectors](#externalconnectors)
51 |
52 | ## CPU Reference
53 |
54 | ### General ARM7TDMI Information
55 |
56 | - [ARM CPU Overview](#armcpuoverview)
57 | - [ARM CPU Register Set](#armcpuregisterset)
58 | - [ARM CPU Flags & Condition Field (cond)](#armcpuflagsconditionfieldcond)
59 | - [ARM CPU 26bit Memory Interface](#armcpu26bitmemoryinterface)
60 | - [ARM CPU Exceptions](#armcpuexceptions)
61 | - [ARM CPU Memory Alignments](#armcpumemoryalignments)
62 |
63 | ### Further Information
64 |
65 | - [ARM Pseudo Instructions and Directives](#armpseudoinstructionsanddirectives)
66 | - [ARM CP15 System Control Coprocessor](#armcp15systemcontrolcoprocessor)
67 | - [ARM CPU Instruction Cycle Times](#armcpuinstructioncycletimes)
68 | - [ARM CPU Versions](#armcpuversions)
69 | - [ARM CPU Data Sheet](#armcpudatasheet)
70 |
71 | ## CPU 32bit ARM Mode
72 |
73 | ### ARM 32bit Opcodes (ARM Code)
74 |
75 | - [ARM Instruction Summary](#arminstructionsummary)
76 | - [ARM Branch and Branch with Link (B, BL, BX, BLX, SWI, BKPT)](#armopcodesbranchandbranchwithlinkbblbxblxswibkpt)
77 | - [ARM Data Processing (ALU)](#armopcodesdataprocessingalu)
78 | - [ARM Multiply and Multiply-Accumulate (MUL, MLA)](#armopcodesmultiplyandmultiplyaccumulatemulmla)
79 | - [ARM Special ARM9 Instructions (CLZ, QADD/QSUB)](#armopcodesspecialarm9instructionsclzqaddqsub)
80 | - [ARM PSR Transfer (MRS, MSR)](#armopcodespsrtransfermrsmsr)
81 | - [ARM Memory: Single Data Transfer (LDR, STR, PLD)](#armopcodesmemorysingledatatransferldrstrpld)
82 | - [ARM Memory: Halfword, Doubleword, and Signed Data Transfer](#armopcodesmemoryhalfworddoublewordandsigneddatatransfer)
83 | - [ARM Memory: Block Data Transfer (LDM, STM)](#armopcodesmemoryblockdatatransferldmstm)
84 | - [ARM Memory: Single Data Swap (SWP)](#armopcodesmemorysingledataswapswp)
85 | - [ARM Coprocessor (MRC/MCR, LDC/STC, CDP, MCRR/MRRC)](#armopcodescoprocessorinstructionsmrcmcrldcstccdpmcrrmrrc)
86 |
87 | ## CPU 16bit THUMB Mode
88 |
89 | ### ARM 16bit Opcodes (THUMB Code)
90 |
91 | - When operating in THUMB state, cut-down 16bit opcodes are used.
92 | - THUMB is supported on T-variants of ARMv4 and up, ie. ARMv4T, ARMv5T, etc.
93 | - [THUMB Instruction Summary](#thumbinstructionsummary)
94 | - [THUMB Register Operations (ALU, BX)](#thumbopcodesregisteroperationsalubx)
95 | - [THUMB Memory Load/Store (LDR/STR)](#thumbopcodesmemoryloadstoreldrstr)
96 | - [THUMB Memory Addressing (ADD PC/SP)](#thumbopcodesmemoryaddressingaddpcsp)
97 | - [THUMB Memory Multiple Load/Store (PUSH/POP and LDM/STM)](#thumbopcodesmemorymultipleloadstorepushpopandldmstm)
98 | - [THUMB Jumps and Calls](#thumbopcodesjumpsandcalls)
99 |
100 | ## GBA Reference
101 |
102 | ### Overview
103 |
104 | - [GBA Technical Data](#gbatechnicaldata)
105 | - [GBA Memory Map](#gbamemorymap)
106 | - [GBA I/O Map](#gbaiomap)
107 |
108 | ### Hardware Programming
109 |
110 | - [GBA LCD Video Controller](#gbalcdvideocontroller)
111 | - [GBA Sound Controller](#gbasoundcontroller)
112 | - [GBA Timers](#gbatimers)
113 | - [GBA DMA Transfers](#gbadmatransfers)
114 | - [GBA Communication Ports](#gbacommunicationports)
115 | - [GBA Keypad Input](#gbakeypadinput)
116 | - [GBA Interrupt Control](#gbainterruptcontrol)
117 | - [GBA System Control](#gbasystemcontrol)
118 | - [GBA Cartridges](#gbacartridges)
119 | - [GBA Unpredictable Things](#gbaunpredictablethings)
120 |
121 | ### Other
122 |
123 | - [ARM CPU Reference](#armcpureference)
124 | - [BIOS Functions](#biosfunctions)
125 | - [External Connectors](#externalconnectors)
126 |
127 | ## GBA Technical Data
128 |
129 | ### CPU Modes
130 |
131 | ```
132 | ARM Mode ARM7TDMI 32bit RISC CPU, 16.78MHz, 32bit opcodes (GBA)
133 | THUMB Mode ARM7TDMI 32bit RISC CPU, 16.78MHz, 16bit opcodes (GBA)
134 | CGB Mode Z80/8080-style 8bit CPU, 4.2MHz or 8.4MHz (CGB compatibility)
135 | DMG Mode Z80/8080-style 8bit CPU, 4.2MHz (monochrome gameboy compatib.)
136 | ```
137 |
138 | ### Internal Memory
139 |
140 | ```
141 | BIOS ROM 16 KBytes
142 | Work RAM 288 KBytes (Fast 32K on-chip, plus Slow 256K on-board)
143 | VRAM 96 KBytes
144 | OAM 1 KByte (128 OBJs 3x16bit, 32 OBJ-Rotation/Scalings 4x16bit)
145 | Palette RAM 1 KByte (256 BG colors, 256 OBJ colors)
146 | ```
147 |
148 | ### Video
149 |
150 | ```
151 | Display 240x160 pixels (2.9 inch TFT color LCD display)
152 | BG layers 4 background layers
153 | BG types Tile/map based, or Bitmap based
154 | BG colors 256 colors, or 16 colors/16 palettes, or 32768 colors
155 | OBJ colors 256 colors, or 16 colors/16 palettes
156 | OBJ size 12 types (in range 8x8 up to 64x64 dots)
157 | OBJs/Screen max. 128 OBJs of any size (up to 64x64 dots each)
158 | OBJs/Line max. 128 OBJs of 8x8 dots size (under best circumstances)
159 | Priorities OBJ/OBJ: 0-127, OBJ/BG: 0-3, BG/BG: 0-3
160 | Effects Rotation/Scaling, alpha blending, fade-in/out, mosaic, window
161 | Backlight GBA SP only (optionally by light on/off toggle button)
162 | ```
163 |
164 | ### Sound
165 |
166 | ```
167 | Analogue 4 channel CGB compatible (3x square wave, 1x noise)
168 | Digital 2 DMA sound channels
169 | Output Built-in speaker (mono), or headphones socket (stereo)
170 | ```
171 |
172 | ### Controls
173 |
174 | ```
175 | Gamepad 4 Direction Keys, 6 Buttons
176 | ```
177 |
178 | ### Communication Ports
179 |
180 | ```
181 | Serial Port Various transfer modes, 4-Player Link, Single Game Pak play
182 | ```
183 |
184 | ### External Memory
185 |
186 | ```
187 | GBA Game Pak max. 32MB ROM or flash ROM + max 64K SRAM
188 | CGB Game Pak max. 32KB ROM + 8KB SRAM (more memory requires banking)
189 | ```
190 |
191 | ### Case Dimensions
192 |
193 | ```
194 | Size (mm) GBA: 145x81x25 - GBA SP: 82x82x24 (closed), 155x82x24 (stretch)
195 | ```
196 |
197 | ### Power Supply
198 |
199 | ```
200 | Battery GBA GBA: 2x1.5V DC (AA), Life-time approx. 15 hours
201 | Battery SP GBA SP: Built-in rechargeable Lithium ion battery, 3.7V 600mAh
202 | External GBA: 3.3V DC 350mA - GBA SP: 5.2V DC 320mA
203 | ```
204 |
205 | - ----------------------------------------------------------------------------
206 |
207 | ### Original Gameboy Advance (GBA)
208 |
209 | ```
210 | ____._____________...___.____
211 | ____/ : CARTRIDGE SIO : \____
212 | | L _____________________ LED R |
213 | | | | |
214 | | _||_ | 2.9" TFT SCREEN | (A) |
215 | | |_ _| | 240x160pix 61x40mm | (B) |
216 | | || | NO BACKLIGHT | :::: |
217 | | | | SPEAKR |
218 | | STRT() |_____________________| :::: |
219 | | SLCT() GAME BOY ADVANCE VOLUME |
220 | |____ OFF-ON BATTERY 2xAA PHONES _==_|
221 | \__.##.__________________,,___/
222 | ```
223 |
224 | ### GBA SP (GBA SP)
225 |
226 | ```
227 | _______________________ _
228 | | _____________________ | / /
229 | || || / /
230 | || 2.9" TFT SCREEN || / /
231 | || 240x160pix 61x40mm || / /
232 | || WITH BACKLIGHT || / /
233 | || || GBA SP SIDE VIEWS / /
234 | ||_____________________|| / /
235 | | GAME BOY ADVANCE SP | _____________________(_)
236 | |_______________________| |. . . . . . . .'.'. _|
237 | |_|________|________|_|_| |_CARTRIDGE_:_BATT._:_|_| <-- EXT1/EXT2
238 | |L EXT1 EXT2 R|
239 | | (*) LEDSo _____________________ _
240 | (VOL_||_ (A) o |_____________________(_)
241 | | |_ _| ,,,,,(B) | |. . . . . . . .'.'. _|
242 | | || ;SPK; | |_CARTRIDGE_:_BATT._:_|_| <-- EXT1/EXT2
243 | | ''''' ON # _ _____________________
244 | | SLCT STRT OFF# _____________________(_)_____________________|
245 | | CART. () () | |. . . . . . . .'.'. _|
246 | |_:___________________:_| |_CARTRIDGE_:_BATT._:_|_| <-- EXT1/EXT2
247 | ```
248 |
249 | ### Gameboy Micro (GBA Micro)
250 |
251 | ```
252 | ________________SIO_______________
253 | | L __________________ R |
254 | | | GBA-MICRO | |
255 | | _||_ | 2.0" TFT SCREEN | (A)| +
256 | ||_ _| |240x160pix 42x28mm| (B) |VOL
257 | | || | BACKLIGHT | | -
258 | | |__________________| ... |
259 | |___________SELECT__START__________|
260 | PWR <--- CARTRIDGE SLOT ---> PHONES
261 | ```
262 |
263 | ### Nintendo DS (NDS)
264 |
265 | ```
266 | _____________________________________
267 | | _____________________ |
268 | | | | |
269 | | | 3" TFT SCREEN | |
270 | | | 256x192pix 61x46mm | |
271 | | | BACKLIGHT | |
272 | | ::::: | Original NDS | ::::: |
273 | | ::::: |_____________________| ::::: |
274 | _| _ ______ _ |_ <-- gap between screens: 22mm
275 | |L|_______| |________| |_| |_______|R| (equivalent to 90 pixels)
276 | |_______ _____________________ _______|
277 | | PWR | | | |SEL STA|
278 | | _ | | 3" TFT SCREEN | | |
279 | | _| |_ | | 256x192pix 61x46mm | | X |
280 | ||_ _|| | BACKLIGHT | | Y A |
281 | | |_| | | TOUCH SCREEN | | B |
282 | | | |_____________________| | |
283 | |_______| NintendoDS |_______|
284 | | MIC LEDS |
285 | |_________________________________________|
286 | VOL SLOT2(GBA) MIC/PHONES
287 | ```
288 |
289 | ### Nintendo DS Lite (NDS-Lite)
290 |
291 | ```
292 | _____________________________________
293 | | _____________________ |
294 | | | | |
295 | | | 3" TFT SCREEN | |
296 | | ... | 256x192pix 61x46mm | ... |
297 | | ... | BACKLIGHT | ... |
298 | | | NDS-LITE | |
299 | | |_____________________| |
300 | |___ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ____| <-- gap between screens: 23mm
301 | L| _ |_____________MIC____________|LEDS|R
302 | | _ _____________________ |
303 | | _| |_ | | X |
304 | ||_ _|| 3" TFT SCREEN | Y A |PWR
305 | | |_| | 256x192pix 61x46mm | B |
306 | | | BACKLIGHT | |
307 | | | TOUCH SCREEN |oSTART |
308 | | |_____________________|oSELECT|
309 | |_____________________________________|
310 | VOL SLOT2(GBA) MIC/PHONES
311 | ```
312 |
313 | ### Nintendo DSi (DSi)
314 |
315 | ```
316 | _____________________________________
317 | | _____________________ |
318 | | | | O o | <-- CAM (O) and LED (o)
319 | | | 3.25" TFT SCREEN | | (on backside)
320 | | | 256x192pix 66x50mm | |
321 | | | BACKLIGHT | |
322 | | __ | DSi | __ |
323 | | (__) |_____________________| (__) |
324 | |___ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ____| <-- gap between screens: 23mm
325 | L|LEDS|__________CAM__MIC_________| __ |R (88 pixels)
326 | + | _ _____________________ |
327 | VOL| _| |_ | | X | <-- SD Card Slot
328 | - ||_ _|| 3.25" TFT SCREEN | Y A |
329 | | |_| | 256x192pix 66x50mm | B |
330 | | | BACKLIGHT | |
331 | | | TOUCH SCREEN |oSTART |
332 | | POWERo|_____________________|oSELECT|
333 | |_____________________________________|
334 | MIC/PHONES
335 | ```
336 |
337 | ### Nintendo DSi XL
338 |
339 | ```
340 | As DSi, but bigger case, and bigger 4.2" screens
341 | ```
342 |
343 | ### Gameboy Player (Gamecube Joypad) (GBA Player)
344 |
345 | ```
346 | _________
347 | L____------- -------____R
348 | / ___ \ / (Y) \Z
349 | / / O \ | (START) | (X)\ Z = Gameboy Player Menu
350 | | \___/ \_______/ (A) | X or Y = Select button
351 | |\ _ \ / (B) /|
352 | | \___ _| |_ \ / ___ ___/ | optionally X/Y can be
353 | | |\ |_ _| / \ / C \ /| | swapped with L/R (?)
354 | | | \ |_| / \ \___/ / | |
355 | | | \_____/ \_____/ | | analogue sticks = ?
356 | \__/ \__/
357 | ```
358 |
359 | ### Gameboy Player (Gamecube Bongos) (GBA Player)
360 |
361 | ```
362 | _______ _______
363 | / Y \ / X \ Y/B = left bongo rear/front side
364 | | . . . . |_| . . . . | X/A = right bongo rear/front side
365 | | B |R| A | S = start/pause button
366 | |\_______/|_|\_______/| R = microphone (triggers R button)
367 | |\_______/|S|\_______/|
368 | | |_| | (the X/Y inputs can be assigned to
369 | |\_______/| |\_______/| GBA R/L inputs in GBA player setup)
370 | \_______/ \_______/
371 | ```
372 |
373 | The GBA's separate 8bit/32bit CPU modes cannot be operated simultaneously.
374 | Switching is allowed between ARM and THUMB modes only (these are the two GBA
375 | modes).
376 |
377 | This manual does not describe CGB and DMG modes; both are completely different
378 | from GBA modes, and neither can be accessed from inside of GBA modes anyway.
379 |
380 | ### Gameboy Player
381 |
382 | A GBA adapter for the Gamecube console, allowing GBA games to be played on a
383 | television set.
384 |
385 | - [GBA Gameboy Player](#gbagameboyplayer)
386 |
387 | ### GBA SP Notes
388 |
389 | Deluxe version of the original GBA. With backlight, new folded laptop-style
390 | case, and built-in rechargeable battery. Appears to be 100% compatible with
391 | GBA, there seems to be no way to detect SPs by software.
392 |
393 | ### Gameboy Micro (GBA Micro)
394 |
395 | Miniaturized GBA. Supports 32bit GBA games only (no 8bit DMG/CGB games). The
396 | 256K Main RAM is a bit slower than usual (cannot be "overclocked" via port
397 | 4000800h).
398 |
399 | ### Nintendo DS (Dual Screen) Notes
400 |
401 | New handheld with two screens, backwards compatible with GBA games, it is NOT
402 | backwards compatible with older 8bit games (mono/color gameboys) though.
403 |
404 | Also, the DS has no link port, so GBA games will work only in single
405 | player mode, link-port accessories like printers cannot be used, and most
406 | unfortunately multiboot won't work (trying to press Select+Start at powerup
407 | will just lock up the DS).
408 |
409 | ### iQue Notes
410 |
411 | iQue is a brand name used by Nintendo in China, iQue GBA and iQue DS are
412 | essentially the same as Nintendo GBA and Nintendo DS.
413 |
414 | The iQue DS contains a larger firmware chip (the charset additionally contains
415 | about 6700 simplified Chinese characters), the bootmenu still allows to select
416 | (only) six languages (Japanese has been replaced by Chinese). The iQue DS can
417 | play normal international NDS games, plus Chinese dedicated games. The latter
418 | ones won't work on normal NDS consoles (reportedly simply due to a
419 | firmware-version check contained in Chinese dedicated games; aside from that
420 | check, the games should be fully compatible with NDS consoles).
421 |
422 | ## GBA Memory Map
423 |
424 | ### General Internal Memory
425 |
426 | ```
427 | 00000000-00003FFF BIOS - System ROM (16 KBytes)
428 | 00004000-01FFFFFF Not used
429 | 02000000-0203FFFF WRAM - On-board Work RAM (256 KBytes) 2 Wait
430 | 02040000-02FFFFFF Not used
431 | 03000000-03007FFF WRAM - On-chip Work RAM (32 KBytes)
432 | 03008000-03FFFFFF Not used
433 | 04000000-040003FE I/O Registers
434 | 04000400-04FFFFFF Not used
435 | ```
436 |
437 | ### Internal Display Memory
438 |
439 | ```
440 | 05000000-050003FF BG/OBJ Palette RAM (1 Kbyte)
441 | 05000400-05FFFFFF Not used
442 | 06000000-06017FFF VRAM - Video RAM (96 KBytes)
443 | 06018000-06FFFFFF Not used
444 | 07000000-070003FF OAM - OBJ Attributes (1 Kbyte)
445 | 07000400-07FFFFFF Not used
446 | ```
447 |
448 | ### External Memory (Game Pak)
449 |
450 | ```
451 | 08000000-09FFFFFF Game Pak ROM/FlashROM (max 32MB) - Wait State 0
452 | 0A000000-0BFFFFFF Game Pak ROM/FlashROM (max 32MB) - Wait State 1
453 | 0C000000-0DFFFFFF Game Pak ROM/FlashROM (max 32MB) - Wait State 2
454 | 0E000000-0E00FFFF Game Pak SRAM (max 64 KBytes) - 8bit Bus width
455 | 0E010000-0FFFFFFF Not used
456 | ```
457 |
458 | ### Unused Memory Area
459 |
460 | ```
461 | 10000000-FFFFFFFF Not used (upper 4bits of address bus unused)
462 | ```
463 |
464 | ### Default WRAM Usage
465 |
466 | By default, the 256 bytes at 03007F00h-03007FFFh in Work RAM are reserved for
467 | Interrupt vector, Interrupt Stack, and BIOS Call Stack. The remaining WRAM is
468 | free for whatever use (including User Stack, which is initially located at
469 | 03007F00h).
470 |
471 | ### Address Bus Width and CPU Read/Write Access Widths
472 |
473 | Shows the Bus-Width, supported read and write widths, and the clock cycles for
474 | 8/16/32bit accesses.
475 |
476 | ```
477 | Region Bus Read Write Cycles
478 | BIOS ROM 32 8/16/32 - 1/1/1
479 | Work RAM 32K 32 8/16/32 8/16/32 1/1/1
480 | I/O 32 8/16/32 8/16/32 1/1/1
481 | OAM 32 8/16/32 16/32 1/1/1 *
482 | Work RAM 256K 16 8/16/32 8/16/32 3/3/6 **
483 | Palette RAM 16 8/16/32 16/32 1/1/2 *
484 | VRAM 16 8/16/32 16/32 1/1/2 *
485 | GamePak ROM 16 8/16/32 - 5/5/8 **/***
486 | GamePak Flash 16 8/16/32 16/32 5/5/8 **/***
487 | GamePak SRAM 8 8 8 5 **
488 | ```
489 |
490 | Timing Notes:
491 |
492 | ```
493 | * Plus 1 cycle if GBA accesses video memory at the same time.
494 | ** Default waitstate settings, see System Control chapter.
495 | *** Separate timings for sequential, and non-sequential accesses.
496 | One cycle equals approx. 59.59ns (ie. 16.78MHz clock).
497 | ```
498 |
499 | All memory (except GamePak SRAM) can be accessed by 16bit and 32bit DMA.
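
The memory map and access-width table above, expressed as a lookup an emulator or bus-access checker could use. This is an added example, not code from GBATEK or no$gba; the function names and error codes are assumptions, the GamePak range is modelled as ROM only (not Flash), cycle counts are the default waitstates without the video-access penalty, and alignment is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Width masks: bit0 = 8bit, bit1 = 16bit, bit2 = 32bit (width_bits / 8). */
#define W8   0x1u
#define W16  0x2u
#define W32  0x4u
#define WALL (W8 | W16 | W32)

/* Hypothetical error codes for this example. */
enum {
    GBA_ERR_UNMAPPED = -1,  /* address lies in a "Not used" range          */
    GBA_ERR_ACCESS   = -2,  /* region does not allow this width/direction  */
    GBA_ERR_BADWIDTH = -3   /* width is not 8, 16 or 32                    */
};

typedef struct {
    const char *name;
    uint32_t start, end;      /* inclusive bounds from the memory map      */
    unsigned read_w, write_w; /* supported widths as W8/W16/W32 masks      */
    int cycles[3];            /* clock cycles for 8/16/32bit accesses      */
} gba_region;

/* Rows taken from the memory map and the bus width table. */
static const gba_region GBA_REGIONS[] = {
    {"BIOS ROM",      0x00000000u, 0x00003FFFu, WALL, 0,         {1, 1, 1}},
    {"Work RAM 256K", 0x02000000u, 0x0203FFFFu, WALL, WALL,      {3, 3, 6}},
    {"Work RAM 32K",  0x03000000u, 0x03007FFFu, WALL, WALL,      {1, 1, 1}},
    {"I/O",           0x04000000u, 0x040003FEu, WALL, WALL,      {1, 1, 1}},
    {"Palette RAM",   0x05000000u, 0x050003FFu, WALL, W16 | W32, {1, 1, 2}},
    {"VRAM",          0x06000000u, 0x06017FFFu, WALL, W16 | W32, {1, 1, 2}},
    {"OAM",           0x07000000u, 0x070003FFu, WALL, W16 | W32, {1, 1, 1}},
    {"GamePak ROM",   0x08000000u, 0x0DFFFFFFu, WALL, 0,         {5, 5, 8}},
    {"GamePak SRAM",  0x0E000000u, 0x0E00FFFFu, W8,   W8,        {5, 0, 0}},
};

/* Return the region containing addr, or NULL for "Not used" ranges. */
const gba_region *gba_find_region(uint32_t addr)
{
    for (size_t i = 0; i < sizeof GBA_REGIONS / sizeof GBA_REGIONS[0]; i++) {
        if (addr >= GBA_REGIONS[i].start && addr <= GBA_REGIONS[i].end)
            return &GBA_REGIONS[i];
    }
    return NULL;
}

/* Return the cycle count for a CPU access, or a negative GBA_ERR_* code. */
int gba_access_cycles(uint32_t addr, unsigned width_bits, bool is_write)
{
    if (width_bits != 8 && width_bits != 16 && width_bits != 32)
        return GBA_ERR_BADWIDTH;

    const gba_region *r = gba_find_region(addr);
    if (r == NULL)
        return GBA_ERR_UNMAPPED;

    unsigned mask = width_bits >> 3;               /* 8->1, 16->2, 32->4 */
    unsigned allowed = is_write ? r->write_w : r->read_w;
    if ((allowed & mask) == 0)
        return GBA_ERR_ACCESS;

    return r->cycles[mask >> 1];                   /* 1->0, 2->1, 4->2   */
}

int main(void)
{
    /* Constructed sample accesses. */
    printf("32bit read  02000000h: %d\n", gba_access_cycles(0x02000000u, 32, false));
    printf("8bit  write 06000000h: %d\n", gba_access_cycles(0x06000000u, 8, true));
    printf("16bit read  0E000000h: %d\n", gba_access_cycles(0x0E000000u, 16, false));
    printf("8bit  read  10000000h: %d\n", gba_access_cycles(0x10000000u, 8, false));
    return 0;
}
```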
500 |
501 | ### GamePak Memory
502 |
503 | Only DMA3 (and the CPU of course) may access GamePak ROM. GamePak SRAM can be
504 | accessed by the CPU only - restricted to bytewise 8bit transfers. The SRAM
505 | region is intended for use as external FLASH backup memory, or for
506 | battery-backed SRAM.
507 |
508 | For details about configuration of GamePak Waitstates, see:
509 |
510 | - [GBA System Control](#gbasystemcontrol)
511 |
512 | ### VRAM, OAM, and Palette RAM Access
513 |
514 | These memory regions can be accessed during H-Blank or V-Blank only (unless
515 | display is disabled by Forced Blank bit in DISPCNT register).
516 |
517 | There is an additional restriction for OAM memory: Accesses during H-Blank are
518 | allowed only if 'H-Blank Interval Free' in DISPCNT is set (which'd reduce
519 | number of display-able OBJs though).
520 |
521 | The CPU appears to be able to access VRAM/OAM/Palette at any time, a waitstate
522 | (one clock cycle) being inserted automatically in case that the display
523 | controller was accessing memory simultaneously. (Ie. unlike as in old 8bit
524 | gameboy, the data will not get lost.)
525 |
526 | ### CPU Mode Performance
527 |
528 | Note that the GamePak ROM bus is limited to 16bits, so executing ARM
529 | instructions (32bit opcodes) from inside of GamePak ROM results in reduced
530 | performance. It is therefore recommended to use THUMB instructions
531 | (16bit opcodes), which allow each opcode to be read at once.
532 |
533 | (ARM instructions can be used at best performance by copying code from GamePak
534 | ROM into internal Work RAM)
535 |
536 | ### Data Format
537 |
538 | Even though the ARM CPU itself would allow to select between Little-Endian and
539 | Big-Endian format by using an external circuit, in the GBA no such circuit
540 | exists, and the data format is always Little-Endian. That is, when accessing
541 | 16bit or 32bit data in memory, the least significant bits are stored in the
542 | first byte (smallest address), and the most significant bits in the last byte.
543 | (Ie. same as for 80x86 and Z80 CPUs.)
544 |
545 | ## GBA I/O Map
546 |
547 | ### LCD I/O Registers
548 |
549 | ```
550 | 4000000h 2 R/W DISPCNT LCD Control
551 | 4000002h 2 R/W - Undocumented - Green Swap
552 | 4000004h 2 R/W DISPSTAT General LCD Status (STAT,LYC)
553 | 4000006h 2 R VCOUNT Vertical Counter (LY)
554 | 4000008h 2 R/W BG0CNT BG0 Control
555 | 400000Ah 2 R/W BG1CNT BG1 Control
556 | 400000Ch 2 R/W BG2CNT BG2 Control
557 | 400000Eh 2 R/W BG3CNT BG3 Control
558 | 4000010h 2 W BG0HOFS BG0 X-Offset
559 | 4000012h 2 W BG0VOFS BG0 Y-Offset
560 | 4000014h 2 W BG1HOFS BG1 X-Offset
561 | 4000016h 2 W BG1VOFS BG1 Y-Offset
562 | 4000018h 2 W BG2HOFS BG2 X-Offset
563 | 400001Ah 2 W BG2VOFS BG2 Y-Offset
564 | 400001Ch 2 W BG3HOFS BG3 X-Offset
565 | 400001Eh 2 W BG3VOFS BG3 Y-Offset
566 | 4000020h 2 W BG2PA BG2 Rotation/Scaling Parameter A (dx)
567 | 4000022h 2 W BG2PB BG2 Rotation/Scaling Parameter B (dmx)
568 | 4000024h 2 W BG2PC BG2 Rotation/Scaling Parameter C (dy)
569 | 4000026h 2 W BG2PD BG2 Rotation/Scaling Parameter D (dmy)
570 | 4000028h 4 W BG2X BG2 Reference Point X-Coordinate
571 | 400002Ch 4 W BG2Y BG2 Reference Point Y-Coordinate
572 | 4000030h 2 W BG3PA BG3 Rotation/Scaling Parameter A (dx)
573 | 4000032h 2 W BG3PB BG3 Rotation/Scaling Parameter B (dmx)
574 | 4000034h 2 W BG3PC BG3 Rotation/Scaling Parameter C (dy)
575 | 4000036h 2 W BG3PD BG3 Rotation/Scaling Parameter D (dmy)
576 | 4000038h 4 W BG3X BG3 Reference Point X-Coordinate
577 | 400003Ch 4 W BG3Y BG3 Reference Point Y-Coordinate
578 | 4000040h 2 W WIN0H Window 0 Horizontal Dimensions
579 | 4000042h 2 W WIN1H Window 1 Horizontal Dimensions
580 | 4000044h 2 W WIN0V Window 0 Vertical Dimensions
581 | 4000046h 2 W WIN1V Window 1 Vertical Dimensions
582 | 4000048h 2 R/W WININ Inside of Window 0 and 1
583 | 400004Ah 2 R/W WINOUT Inside of OBJ Window & Outside of Windows
584 | 400004Ch 2 W MOSAIC Mosaic Size
585 | 400004Eh - - Not used
586 | 4000050h 2 R/W BLDCNT Color Special Effects Selection
587 | 4000052h 2 R/W BLDALPHA Alpha Blending Coefficients
588 | 4000054h 2 W BLDY Brightness (Fade-In/Out) Coefficient
589 | 4000056h - - Not used
590 | ```
591 |
592 | ### Sound Registers
593 |
594 | ```
595 | 4000060h 2 R/W SOUND1CNT_L Channel 1 Sweep register (NR10)
596 | 4000062h 2 R/W SOUND1CNT_H Channel 1 Duty/Length/Envelope (NR11, NR12)
597 | 4000064h 2 R/W SOUND1CNT_X Channel 1 Frequency/Control (NR13, NR14)
598 | 4000066h - - Not used
599 | 4000068h 2 R/W SOUND2CNT_L Channel 2 Duty/Length/Envelope (NR21, NR22)
600 | 400006Ah - - Not used
601 | 400006Ch 2 R/W SOUND2CNT_H Channel 2 Frequency/Control (NR23, NR24)
602 | 400006Eh - - Not used
603 | 4000070h 2 R/W SOUND3CNT_L Channel 3 Stop/Wave RAM select (NR30)
604 | 4000072h 2 R/W SOUND3CNT_H Channel 3 Length/Volume (NR31, NR32)
605 | 4000074h 2 R/W SOUND3CNT_X Channel 3 Frequency/Control (NR33, NR34)
606 | 4000076h - - Not used
607 | 4000078h 2 R/W SOUND4CNT_L Channel 4 Length/Envelope (NR41, NR42)
608 | 400007Ah - - Not used
609 | 400007Ch 2 R/W SOUND4CNT_H Channel 4 Frequency/Control (NR43, NR44)
610 | 400007Eh - - Not used
611 | 4000080h 2 R/W SOUNDCNT_L Control Stereo/Volume/Enable (NR50, NR51)
612 | 4000082h 2 R/W SOUNDCNT_H Control Mixing/DMA Control
613 | 4000084h 2 R/W SOUNDCNT_X Control Sound on/off (NR52)
614 | 4000086h - - Not used
615 | 4000088h 2 BIOS SOUNDBIAS Sound PWM Control
616 | 400008Ah .. - - Not used
617 | 4000090h 2x10h R/W WAVE_RAM Channel 3 Wave Pattern RAM (2 banks!!)
618 | 40000A0h 4 W FIFO_A Channel A FIFO, Data 0-3
619 | 40000A4h 4 W FIFO_B Channel B FIFO, Data 0-3
620 | 40000A8h - - Not used
621 | ```
622 |
623 | ### DMA Transfer Channels
624 |
625 | ```
626 | 40000B0h 4 W DMA0SAD DMA 0 Source Address
627 | 40000B4h 4 W DMA0DAD DMA 0 Destination Address
628 | 40000B8h 2 W DMA0CNT_L DMA 0 Word Count
629 | 40000BAh 2 R/W DMA0CNT_H DMA 0 Control
630 | 40000BCh 4 W DMA1SAD DMA 1 Source Address
631 | 40000C0h 4 W DMA1DAD DMA 1 Destination Address
632 | 40000C4h 2 W DMA1CNT_L DMA 1 Word Count
633 | 40000C6h 2 R/W DMA1CNT_H DMA 1 Control
634 | 40000C8h 4 W DMA2SAD DMA 2 Source Address
635 | 40000CCh 4 W DMA2DAD DMA 2 Destination Address
636 | 40000D0h 2 W DMA2CNT_L DMA 2 Word Count
637 | 40000D2h 2 R/W DMA2CNT_H DMA 2 Control
638 | 40000D4h 4 W DMA3SAD DMA 3 Source Address
639 | 40000D8h 4 W DMA3DAD DMA 3 Destination Address
640 | 40000DCh 2 W DMA3CNT_L DMA 3 Word Count
641 | 40000DEh 2 R/W DMA3CNT_H DMA 3 Control
642 | 40000E0h - - Not used
643 | ```
644 |
645 | ### Timer Registers
646 |
647 | ```
648 | 4000100h 2 R/W TM0CNT_L Timer 0 Counter/Reload
649 | 4000102h 2 R/W TM0CNT_H Timer 0 Control
650 | 4000104h 2 R/W TM1CNT_L Timer 1 Counter/Reload
651 | 4000106h 2 R/W TM1CNT_H Timer 1 Control
652 | 4000108h 2 R/W TM2CNT_L Timer 2 Counter/Reload
653 | 400010Ah 2 R/W TM2CNT_H Timer 2 Control
654 | 400010Ch 2 R/W TM3CNT_L Timer 3 Counter/Reload
655 | 400010Eh 2 R/W TM3CNT_H Timer 3 Control
656 | 4000110h - - Not used
657 | ```
658 |
659 | ### Serial Communication (1)
660 |
661 | ```
662 | 4000120h 4 R/W SIODATA32 SIO Data (Normal-32bit Mode; shared with below)
663 | 4000120h 2 R/W SIOMULTI0 SIO Data 0 (Parent) (Multi-Player Mode)
664 | 4000122h 2 R/W SIOMULTI1 SIO Data 1 (1st Child) (Multi-Player Mode)
665 | 4000124h 2 R/W SIOMULTI2 SIO Data 2 (2nd Child) (Multi-Player Mode)
666 | 4000126h 2 R/W SIOMULTI3 SIO Data 3 (3rd Child) (Multi-Player Mode)
667 | 4000128h 2 R/W SIOCNT SIO Control Register
668 | 400012Ah 2 R/W SIOMLT_SEND SIO Data (Local of MultiPlayer; shared below)
669 | 400012Ah 2 R/W SIODATA8 SIO Data (Normal-8bit and UART Mode)
670 | 400012Ch - - Not used
671 | ```
672 |
673 | ### Keypad Input
674 |
675 | ```
676 | 4000130h 2 R KEYINPUT Key Status
677 | 4000132h 2 R/W KEYCNT Key Interrupt Control
678 | ```
679 |
680 | ### Serial Communication (2)
681 |
682 | ```
683 | 4000134h 2 R/W RCNT SIO Mode Select/General Purpose Data
684 | 4000136h - - IR Ancient - Infrared Register (Prototypes only)
685 | 4000138h - - Not used
686 | 4000140h 2 R/W JOYCNT SIO JOY Bus Control
687 | 4000142h - - Not used
688 | 4000150h 4 R/W JOY_RECV SIO JOY Bus Receive Data
689 | 4000154h 4 R/W JOY_TRANS SIO JOY Bus Transmit Data
690 | 4000158h 2 R/? JOYSTAT SIO JOY Bus Receive Status
691 | 400015Ah - - Not used
692 | ```
693 |
694 | ### Interrupt, Waitstate, and Power-Down Control
695 |
696 | ```
697 | 4000200h 2 R/W IE Interrupt Enable Register
698 | 4000202h 2 R/W IF Interrupt Request Flags / IRQ Acknowledge
699 | 4000204h 2 R/W WAITCNT Game Pak Waitstate Control
700 | 4000206h - - Not used
701 | 4000208h 2 R/W IME Interrupt Master Enable Register
702 | 400020Ah - - Not used
703 | 4000300h 1 R/W POSTFLG Undocumented - Post Boot Flag
704 | 4000301h 1 W HALTCNT Undocumented - Power Down Control
705 | 4000302h - - Not used
706 | 4000410h ? ? ? Undocumented - Purpose Unknown / Bug ??? 0FFh
707 | 4000411h - - Not used
708 | 4000800h 4 R/W ? Undocumented - Internal Memory Control (R/W)
709 | 4000804h - - Not used
710 | 4xx0800h 4 R/W ? Mirrors of 4000800h (repeated each 64K)
711 | ```
712 |
713 | All further addresses at 4XXXXXXh are unused and do not contain mirrors of the
714 | I/O area, with the only exception that 4000800h is repeated each 64K (ie.
715 | mirrored at 4010800h, 4020800h, etc.)
716 |
717 | ## GBA LCD Video Controller
718 |
719 | ### Registers
720 |
721 | - [LCD I/O Display Control](#lcdiodisplaycontrol)
722 | - [LCD I/O Interrupts and Status](#lcdiointerruptsandstatus)
723 | - [LCD I/O BG Control](#lcdiobgcontrol)
724 | - [LCD I/O BG Scrolling](#lcdiobgscrolling)
725 | - [LCD I/O BG Rotation/Scaling](#lcdiobgrotationscaling)
726 | - [LCD I/O Window Feature](#lcdiowindowfeature)
727 | - [LCD I/O Mosaic Function](#lcdiomosaicfunction)
728 | - [LCD I/O Color Special Effects](#lcdiocolorspecialeffects)
729 |
730 | ### VRAM
731 |
732 | - [LCD VRAM Overview](#lcdvramoverview)
733 | - [LCD VRAM Character Data](#lcdvramcharacterdata)
734 | - [LCD VRAM BG Screen Data Format (BG Map)](#lcdvrambgscreendataformatbgmap)
735 | - [LCD VRAM Bitmap BG Modes](#lcdvrambitmapbgmodes)
736 |
737 | ### Sprites
738 |
739 | - [LCD OBJ - Overview](#lcdobjoverview)
740 | - [LCD OBJ - OAM Attributes](#lcdobjoamattributes)
741 | - [LCD OBJ - OAM Rotation/Scaling Parameters](#lcdobjoamrotationscalingparameters)
742 | - [LCD OBJ - VRAM Character (Tile) Mapping](#lcdobjvramcharactertilemapping)
743 |
744 | ### Other
745 |
746 | - [LCD Color Palettes](#lcdcolorpalettes)
747 | - [LCD Dimensions and Timings](#lcddimensionsandtimings)
748 |
749 | ## LCD I/O Display Control
750 |
751 | ### 4000000h - DISPCNT - LCD Control (Read/Write)
752 |
753 | ```
754 | Bit Expl.
755 | 0-2 BG Mode (0-5=Video Mode 0-5, 6-7=Prohibited)
756 | 3 Reserved / CGB Mode (0=GBA, 1=CGB; can be set only by BIOS opcodes)
757 | 4 Display Frame Select (0-1=Frame 0-1) (for BG Modes 4,5 only)
758 | 5 H-Blank Interval Free (1=Allow access to OAM during H-Blank)
759 | 6 OBJ Character VRAM Mapping (0=Two dimensional, 1=One dimensional)
760 | 7 Forced Blank (1=Allow FAST access to VRAM,Palette,OAM)
761 | 8 Screen Display BG0 (0=Off, 1=On)
762 | 9 Screen Display BG1 (0=Off, 1=On)
763 | 10 Screen Display BG2 (0=Off, 1=On)
764 | 11 Screen Display BG3 (0=Off, 1=On)
765 | 12 Screen Display OBJ (0=Off, 1=On)
766 | 13 Window 0 Display Flag (0=Off, 1=On)
767 | 14 Window 1 Display Flag (0=Off, 1=On)
768 | 15 OBJ Window Display Flag (0=Off, 1=On)
769 | ```
770 |
771 | The table summarizes the facilities of the separate BG modes (video modes).
772 |
773 | ```
774 | Mode Rot/Scal Layers Size Tiles Colors Features
775 | 0 No 0123 256x256..512x512 1024 16/16..256/1 SFMABP
776 | 1 Mixed 012- (BG0,BG1 as above Mode 0, BG2 as below Mode 2)
777 | 2 Yes --23 128x128..1024x1024 256 256/1 S-MABP
778 | 3 Yes --2- 240x160 1 32768 --MABP
779 | 4 Yes --2- 240x160 2 256/1 --MABP
780 | 5 Yes --2- 160x128 2 32768 --MABP
781 | ```
782 |
783 | Features: S)crolling, F)lip, M)osaic, A)lphaBlending, B)rightness, P)riority.
784 |
785 | BG Modes 0-2 are Tile/Map-based. BG Modes 3-5 are Bitmap-based, in these modes
786 | 1 or 2 Frames (ie. bitmaps, or 'full screen tiles') exists, if two frames
787 | exist, either one can be displayed, and the other one can be redrawn in
788 | background.
789 |
790 | ### Blanking Bits
791 |
792 | Setting Forced Blank (Bit 7) causes the video controller to display white
793 | lines, and all VRAM, Palette RAM, and OAM may be accessed.
794 |
795 | "When the internal HV synchronous counter cancels a forced blank during a
796 | display period, the display begins from the beginning, following the display of
797 | two vertical lines." What ?
798 |
799 | Setting H-Blank Interval Free (Bit 5) allows to access OAM during H-Blank time
800 | - using this feature reduces the number of sprites that can be displayed per
801 | line.
802 |
803 | ### Display Enable Bits
804 |
805 | By default, BG0-3 and OBJ Display Flags (Bit 8-12) are used to enable/disable
806 | BGs and OBJ. When enabling Window 0 and/or 1 (Bit 13-14), color special effects
807 | may be used, and BG0-3 and OBJ are controlled by the window(s).
808 |
809 | ### Frame Selection
810 |
811 | In BG Modes 4 and 5 (Bitmap modes), either one of the two bitmaps/frames may be
812 | displayed (Bit 4), allowing the user to update the other (invisible) frame in
813 | background. In BG Mode 3, only one frame exists.
814 |
815 | In BG Modes 0-2 (Tile/Map based modes), a similar effect may be gained by
816 | altering the base address(es) of BG Map and/or BG Character data.
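
A decoder for the DISPCNT bit layout above that also flags values falling outside what the bit table and BG mode table list (prohibited modes 6-7, the BIOS-only CGB bit, Frame Select outside modes 4 and 5, and BGs enabled that the mode's Layers column does not include). This is an added example, not code from GBATEK or no$gba; the struct, function names and warning flags are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical warning flags returned by dispcnt_lint(). */
enum {
    DISPCNT_W_PROHIBITED_MODE   = 1 << 0, /* BG Mode 6-7                      */
    DISPCNT_W_CGB_BIT           = 1 << 1, /* bit 3: settable by BIOS only     */
    DISPCNT_W_FRAME_SELECT      = 1 << 2, /* bit 4 set outside BG Modes 4,5   */
    DISPCNT_W_LAYER_UNAVAILABLE = 1 << 3  /* BG enabled but not in the mode   */
};

typedef struct {
    unsigned bg_mode;      /* bits 0-2                                   */
    bool cgb_mode;         /* bit 3                                      */
    unsigned frame;        /* bit 4                                      */
    bool hblank_free;      /* bit 5                                      */
    bool obj_1d;           /* bit 6 (0=two dimensional, 1=one dim.)      */
    bool forced_blank;     /* bit 7                                      */
    unsigned enabled_bgs;  /* bits 8-11 as a mask, bit n = BGn           */
    bool obj_on;           /* bit 12                                     */
    bool win0, win1;       /* bits 13-14                                 */
    bool obj_win;          /* bit 15                                     */
} dispcnt_fields;

/* "Layers" column of the BG mode table as BG masks (bit n = BGn):
   mode 0 = 0123, mode 1 = 012-, mode 2 = --23, modes 3-5 = --2-. */
static const unsigned MODE_LAYERS[8] = {0xF, 0x7, 0xC, 0x4, 0x4, 0x4, 0x0, 0x0};

/* Split a raw DISPCNT value into its fields. */
dispcnt_fields dispcnt_decode(uint16_t v)
{
    dispcnt_fields f;
    f.bg_mode      = v & 0x7u;
    f.cgb_mode     = (v >> 3) & 1u;
    f.frame        = (v >> 4) & 1u;
    f.hblank_free  = (v >> 5) & 1u;
    f.obj_1d       = (v >> 6) & 1u;
    f.forced_blank = (v >> 7) & 1u;
    f.enabled_bgs  = (v >> 8) & 0xFu;
    f.obj_on       = (v >> 12) & 1u;
    f.win0         = (v >> 13) & 1u;
    f.win1         = (v >> 14) & 1u;
    f.obj_win      = (v >> 15) & 1u;
    return f;
}

/* BGs that are both enabled and listed for the selected mode. */
unsigned dispcnt_usable_bgs(uint16_t v)
{
    dispcnt_fields f = dispcnt_decode(v);
    return f.enabled_bgs & MODE_LAYERS[f.bg_mode];
}

/* Return a mask of DISPCNT_W_* flags; 0 means nothing was flagged. */
unsigned dispcnt_lint(uint16_t v)
{
    dispcnt_fields f = dispcnt_decode(v);
    unsigned w = 0;

    if (f.bg_mode >= 6)
        w |= DISPCNT_W_PROHIBITED_MODE;
    if (f.cgb_mode)
        w |= DISPCNT_W_CGB_BIT;
    if (f.frame && f.bg_mode != 4 && f.bg_mode != 5)
        w |= DISPCNT_W_FRAME_SELECT;
    if (f.enabled_bgs & ~MODE_LAYERS[f.bg_mode])
        w |= DISPCNT_W_LAYER_UNAVAILABLE;
    return w;
}

int main(void)
{
    /* Constructed sample values. */
    const uint16_t samples[] = {0x0403, 0x0414, 0x0113, 0x0F01, 0x0007};
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dispcnt_fields f = dispcnt_decode(samples[i]);
        printf("%04Xh: mode=%u frame=%u bgs=%Xh usable=%Xh warnings=%Xh\n",
               (unsigned)samples[i], f.bg_mode, f.frame, f.enabled_bgs,
               dispcnt_usable_bgs(samples[i]), dispcnt_lint(samples[i]));
    }
    return 0;
}
```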
817 |
818 | ### 4000002h - Undocumented - Green Swap (R/W)
819 |
820 | Normally, the red, green, and blue intensities for a group of two pixels are
821 | output as BGRbgr (uppercase for left pixel at even xloc, lowercase for right
822 | pixel at odd xloc). When the Green Swap bit is set, each pixel group is output
823 | as BgRbGr (ie. green intensity of each two pixels exchanged).
824 |
825 | ```
826 | Bit Expl.
827 | 0 Green Swap (0=Normal, 1=Swap)
828 | 1-15 Not used
829 | ```
830 |
831 | This feature appears to be applied to the final picture (ie. after mixing the
832 | separate BG and OBJ layers). Eventually intended for other display types (with
833 | other pin-outs). With normal GBA hardware it is just producing an interesting
834 | dirt effect.
835 |
836 | The NDS DISPCNT registers are 32bit (4000000h..4000003h), so Green Swap doesn't
837 | exist in NDS mode, however, the NDS does support Green Swap in GBA mode.
838 |
839 | ## LCD I/O Interrupts and Status
840 |
841 | ### 4000004h - DISPSTAT - General LCD Status (Read/Write)
842 |
843 | Display status and Interrupt control. The H-Blank conditions are generated once
844 | per scanline, including for the 'hidden' scanlines during V-Blank.
845 |
846 | ```
847 | Bit Expl.
848 | 0 V-Blank flag (Read only) (1=VBlank) (set in line 160..226; not 227)
849 | 1 H-Blank flag (Read only) (1=HBlank) (toggled in all lines, 0..227)
850 | 2 V-Counter flag (Read only) (1=Match) (set in selected line) (R)
851 | 3 V-Blank IRQ Enable (1=Enable) (R/W)
852 | 4 H-Blank IRQ Enable (1=Enable) (R/W)
853 | 5 V-Counter IRQ Enable (1=Enable) (R/W)
854 | 6 Not used (0) / DSi: LCD Initialization Ready (0=Busy, 1=Ready) (R)
855 | 7 Not used (0) / NDS: MSB of V-Vcount Setting (LYC.Bit8) (0..262)(R/W)
856 | 8-15 V-Count Setting (LYC) (0..227) (R/W)
857 | ```
858 |
859 | The V-Count-Setting value is much the same as LYC of older gameboys, when its
860 | value is identical to the content of the VCOUNT register then the V-Counter
861 | flag is set (Bit 2), and (if enabled in Bit 5) an interrupt is requested.
862 |
863 | Although the drawing time is only 960 cycles (240\*4), the H-Blank flag is "0"
864 | for a total of 1006 cycles.
865 |
866 | ### 4000006h - VCOUNT - Vertical Counter (Read only)
867 |
868 | Indicates the currently drawn scanline, values in range from 160..227 indicate
869 | 'hidden' scanlines within VBlank area.
870 |
871 | ```
872 | Bit Expl.
873 | 0-7 Current Scanline (LY) (0..227) (R)
874 | 8 Not used (0) / NDS: MSB of Current Scanline (LY.Bit8) (0..262) (R)
875 | 9-15 Not Used (0)
876 | ```
877 |
878 | Note: This is much the same as the 'LY' register of older gameboys.
879 |
880 | ## LCD I/O BG Control
881 |
882 | ### 4000008h - BG0CNT - BG0 Control (R/W) (BG Modes 0,1 only)
883 |
884 | ### 400000Ah - BG1CNT - BG1 Control (R/W) (BG Modes 0,1 only)
885 |
886 | ### 400000Ch - BG2CNT - BG2 Control (R/W) (BG Modes 0,1,2 only)
887 |
888 | ### 400000Eh - BG3CNT - BG3 Control (R/W) (BG Modes 0,2 only)
889 |
890 | ```
891 | Bit Expl.
892 | 0-1 BG Priority (0-3, 0=Highest)
893 | 2-3 Character Base Block (0-3, in units of 16 KBytes) (=BG Tile Data)
894 | 4-5 Not used (must be zero) (except in NDS mode: MSBs of char base)
895 | 6 Mosaic (0=Disable, 1=Enable)
896 | 7 Colors/Palettes (0=16/16, 1=256/1)
897 | 8-12 Screen Base Block (0-31, in units of 2 KBytes) (=BG Map Data)
898 | 13 BG0/BG1: Not used (except in NDS mode: Ext Palette Slot for BG0/BG1)
899 | 13 BG2/BG3: Display Area Overflow (0=Transparent, 1=Wraparound)
900 | 14-15 Screen Size (0-3)
901 | ```
902 |
903 | Internal Screen Size (dots) and size of BG Map (bytes):
904 |
905 | ```
906 | Value  Text Mode      Rotation/Scaling Mode
907 | 0      256x256 (2K)   128x128   (256 bytes)
908 | 1      512x256 (4K)   256x256   (1K)
909 | 2      256x512 (4K)   512x512   (4K)
910 | 3      512x512 (8K)   1024x1024 (16K)
911 | ```
912 |
913 | If some or all BGs are set to the same priority, then BG0 has the highest and
914 | BG3 the lowest priority.
915 |
916 | In 'Text Modes', the screen size is organized as follows: The screen consists
917 | of one or more 256x256 pixel (32x32 tiles) areas. When Size=0: only 1 area
918 | (SC0), when Size=1 or Size=2: two areas (SC0,SC1 either horizontally or
919 | vertically arranged next to each other), when Size=3: four areas (SC0,SC1 in
920 | upper row, SC2,SC3 in lower row). Whereas SC0 is defined by the normal BG Map
921 | base address (Bit 8-12 of BGxCNT), SC1 uses same address +2K, SC2 address +4K,
922 | SC3 address +6K. When the screen is scrolled it'll always wraparound.
923 |
924 | In 'Rotation/Scaling Modes', the screen size is organized as follows, only one
925 | area (SC0) of variable size 128x128..1024x1024 pixels (16x16..128x128 tiles)
926 | exists. When the screen is rotated/scaled (or scrolled?) so that the LCD
927 | viewport reaches outside of the background/screen area, then BG may be either
928 | displayed as transparent or wraparound (Bit 13 of BGxCNT).
929 |
930 | ## LCD I/O BG Scrolling
931 |
932 | ### 4000010h - BG0HOFS - BG0 X-Offset (W)
933 |
934 | ### 4000012h - BG0VOFS - BG0 Y-Offset (W)
935 |
936 | ```
937 | Bit Expl.
938 | 0-8 Offset (0-511)
939 | 9-15 Not used
940 | ```
941 |
942 | Specifies the coordinate of the upperleft first visible dot of BG0 background
943 | layer, ie. used to scroll the BG0 area.
944 |
945 | ### 4000014h - BG1HOFS - BG1 X-Offset (W)
946 |
947 | ### 4000016h - BG1VOFS - BG1 Y-Offset (W)
948 |
949 | Same as above BG0HOFS and BG0VOFS for BG1 respectively.
950 |
951 | ### 4000018h - BG2HOFS - BG2 X-Offset (W)
952 |
953 | ### 400001Ah - BG2VOFS - BG2 Y-Offset (W)
954 |
955 | Same as above BG0HOFS and BG0VOFS for BG2 respectively.
956 |
957 | ### 400001Ch - BG3HOFS - BG3 X-Offset (W)
958 |
959 | ### 400001Eh - BG3VOFS - BG3 Y-Offset (W)
960 |
961 | Same as above BG0HOFS and BG0VOFS for BG3 respectively.
962 |
963 | The above BG scrolling registers are exclusively used in Text modes, ie. for
964 | all layers in BG Mode 0, and for the first two layers in BG mode 1.
965 |
966 | In other BG modes (Rotation/Scaling and Bitmap modes) above registers are
967 | ignored. Instead, the screen may be scrolled by modifying the BG
968 | Rotation/Scaling Reference Point registers.
969 |
970 | ## LCD I/O BG Rotation/Scaling
971 |
972 | ### 4000028h - BG2X\_L - BG2 Reference Point X-Coordinate, lower 16 bit (W)
973 |
974 | ### 400002Ah - BG2X\_H - BG2 Reference Point X-Coordinate, upper 12 bit (W)
975 |
976 | ### 400002Ch - BG2Y\_L - BG2 Reference Point Y-Coordinate, lower 16 bit (W)
977 |
978 | ### 400002Eh - BG2Y\_H - BG2 Reference Point Y-Coordinate, upper 12 bit (W)
979 |
980 | These registers are replacing the BG scrolling registers which are used for
981 | Text mode, ie. the X/Y coordinates specify the source position from inside of
982 | the BG Map/Bitmap of the pixel to be displayed at upper left of the GBA
983 | display. The normal BG scrolling registers are ignored in Rotation/Scaling and
984 | Bitmap modes.
985 |
986 | ```
987 | Bit Expl.
988 | 0-7 Fractional portion (8 bits)
989 | 8-26 Integer portion (19 bits)
990 | 27 Sign (1 bit)
991 | 28-31 Not used
992 | ```
993 |
994 | Because values are shifted left by eight, fractional portions may be specified
995 | in steps of 1/256 pixels (this would be relevant only if the screen is actually
996 | rotated or scaled). Normal signed 32bit values may be written to above
997 | registers (the most significant bits will be ignored and the value will be
998 | cut-down to 28bits, but this is no actual problem because signed values have
999 | set all MSBs to the same value).
1000 |
1001 | ### Internal Reference Point Registers
1002 |
1003 | The above reference points are automatically copied to internal registers
1004 | during each vblank, specifying the origin for the first scanline. The internal
1005 | registers are then incremented by dmx and dmy after each scanline.
1006 |
1007 | Caution: Writing to a reference point register by software outside of the
1008 | Vblank period immediately copies the new value to the corresponding internal
1009 | register. That means: in the current frame, the new value specifies the origin
1010 | of the current scanline (instead of the topmost scanline).
1011 |
1012 | ### 4000020h - BG2PA - BG2 Rotation/Scaling Parameter A (alias dx) (W)
1013 |
1014 | ### 4000022h - BG2PB - BG2 Rotation/Scaling Parameter B (alias dmx) (W)
1015 |
1016 | ### 4000024h - BG2PC - BG2 Rotation/Scaling Parameter C (alias dy) (W)
1017 |
1018 | ### 4000026h - BG2PD - BG2 Rotation/Scaling Parameter D (alias dmy) (W)
1019 |
1020 | ```
1021 | Bit Expl.
1022 | 0-7 Fractional portion (8 bits)
1023 | 8-14 Integer portion (7 bits)
1024 | 15 Sign (1 bit)
1025 | ```
1026 |
1027 | See below for details.
1028 |
1029 | ### 400003Xh - BG3X\_L/H, BG3Y\_L/H, BG3PA-D - BG3 Rotation/Scaling Parameters
1030 |
1031 | Same as above BG2 Reference Point, and Rotation/Scaling Parameters, for BG3
1032 | respectively.
1033 |
1034 | ### dx (PA) and dy (PC)
1035 |
1036 | When transforming a horizontal line, dx and dy specify the resulting gradient
1037 | and magnification for that line. For example:
1038 |
1039 | Horizontal line, length=100, dx=1, and dy=1. The resulting line would be drawn
1040 | at 45 degrees, f(y)=1/1\*x. Note that this would involve that line is magnified,
1041 | the new length is SQR(100^2+100^2)=141.42. Yup, exactly - that's the old a^2 +
1042 | b^2 = c^2 formula.
1043 |
1044 | ### dmx (PB) and dmy (PD)
1045 |
1046 | These values define the resulting gradient and magnification for transformation
1047 | of vertical lines. However, when rotating a square area (which is surrounded by
1048 | horizontal and vertical lines), then the desired result should usually be a
1049 | rotated square area (ie. not a parallelogram, for example).
1050 |
1051 | Thus, dmx and dmy must be defined in direct relationship to dx and dy, taking
1052 | the example above, we'd have to set dmx=-1, and dmy=1, f(x)=-1/1\*y.
1053 |
1054 | ### Area Overflow
1055 |
1056 | As a result of rotation/scaling it may often happen that areas outside of the
1057 | actual BG area are moved into the LCD viewport. Depending on the Area
1058 | Overflow bit (BG2CNT and BG3CNT, Bit 13) these areas may be either displayed
1059 | (by wrapping the BG area), or may be displayed transparent.
1060 |
1061 | This works only in BG modes 1 and 2. The area overflow is ignored in Bitmap
1062 | modes (BG modes 3-5), the outside of the Bitmaps is always transparent.
1063 |
1064 | --- more details and confusing or helpful formulas ---
1065 |
1066 | ### The following parameters are required for Rotation/Scaling
1067 |
1068 | ```
1069 | Rotation Center X and Y Coordinates (x0,y0)
1070 | Rotation Angle (alpha)
1071 | Magnification X and Y Values (xMag,yMag)
1072 | ```
1073 |
1074 | The display is rotated by 'alpha' degrees around the center.
1075 |
1076 | The displayed picture is magnified by 'xMag' along x-Axis (Y=y0) and 'yMag'
1077 | along y-Axis (X=x0).
1078 |
1079 | ### Calculating Rotation/Scaling Parameters A-D
1080 |
1081 | ```
1082 | A = Cos (alpha) / xMag ;distance moved in direction x, same line
1083 | B = Sin (alpha) / xMag ;distance moved in direction x, next line
1084 | C = Sin (alpha) / yMag ;distance moved in direction y, same line
1085 | D = Cos (alpha) / yMag ;distance moved in direction y, next line
1086 | ```
1087 |
1088 | ### Calculating the position of a rotated/scaled dot
1089 |
1090 | Using the following expressions,
1091 |
1092 | ```
1093 | x0,y0 Rotation Center
1094 | x1,y1 Old Position of a pixel (before rotation/scaling)
1095 | x2,y2 New position of above pixel (after rotation scaling)
1096 | A,B,C,D BG2PA-BG2PD Parameters (as calculated above)
1097 | ```
1098 |
1099 | the following formula can be used to calculate x2,y2:
1100 |
1101 | ```
1102 | x2 = A(x1-x0) + B(y1-y0) + x0
1103 | y2 = C(x1-x0) + D(y1-y0) + y0
1104 | ```
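
The per-dot and per-scanline stepping described above, as an added example (not code from GBATEK or no$gba): a C model that maps an LCD dot to a BG dot from the reference point and parameters A-D, then applies the Area Overflow bit. The struct, function names and the two constructed sample configurations are this example's own, and it assumes the reference point registers are not rewritten in mid-frame.

```c
#include <stdint.h>
#include <stdio.h>

/* Software model of one rotation/scaling BG (layout is this example's own). */
typedef struct {
    int16_t  pa, pb, pc, pd;  /* BG2PA-BG2PD: signed 8.8 (dx, dmx, dy, dmy)   */
    uint32_t x_raw, y_raw;    /* BG2X / BG2Y as written; bits 28-31 not used  */
    unsigned size;            /* BG2CNT bits 14-15: area is 128 << size dots  */
    int      wraparound;      /* BG2CNT bit 13: 0=Transparent, 1=Wraparound   */
} affine_bg;

/* Constructed sample: the page's 45 degree case, dx=1, dy=1, dmx=-1, dmy=1. */
static const affine_bg SAMPLE_ROT45 = { 0x100, -0x100, 0x100, 0x100, 0, 0, 0, 0 };
/* Constructed sample: 2x zoom (A = D = 1/2), reference X = -16.0, wraparound. */
static const affine_bg SAMPLE_ZOOM2 = { 0x080, 0, 0, 0x080, 0xFFFFF000u, 0, 0, 1 };

/* Cut a written value down to 28 bits and sign-extend from bit 27. */
static int32_t ref_point(uint32_t raw)
{
    raw &= 0x0FFFFFFFu;
    return (raw & 0x08000000u) ? (int32_t)raw - 0x10000000 : (int32_t)raw;
}

/* Integer portion of a signed x.8 value (rounds toward minus infinity). */
static int32_t floor_8(int32_t v)
{
    return (v >= 0) ? (v >> 8) : -((-v + 255) >> 8);
}

/* Map LCD dot (sx, sy) to a BG dot. Returns 1 and fills tx/ty, or 0 when the
   dot lies outside the BG area and Area Overflow selects Transparent. */
int affine_sample(const affine_bg *bg, int sx, int sy, int *tx, int *ty)
{
    int32_t dim = 128 << (bg->size & 3u);
    /* Closed form of the walk: start at the reference point, add dmx/dmy once
       per scanline and dx/dy once per dot along the line. */
    int32_t x = floor_8(ref_point(bg->x_raw) + bg->pb * sy + bg->pa * sx);
    int32_t y = floor_8(ref_point(bg->y_raw) + bg->pd * sy + bg->pc * sx);

    if (x < 0 || x >= dim || y < 0 || y >= dim) {
        if (!bg->wraparound)
            return 0;
        x = ((x % dim) + dim) % dim;
        y = ((y % dim) + dim) % dim;
    }
    *tx = (int)x;
    *ty = (int)y;
    return 1;
}

/* Single-value form: ty * 1024 + tx, or -1 for a transparent dot. */
int affine_sample_packed(affine_bg bg, int sx, int sy)
{
    int tx, ty;
    return affine_sample(&bg, sx, sy, &tx, &ty) ? ty * 1024 + tx : -1;
}

/* Copy of bg whose reference point keeps (x0, y0) in place: the page's
   x2 = A(x1-x0) + B(y1-y0) + x0, evaluated at the top-left dot x1 = y1 = 0. */
affine_bg with_center(affine_bg bg, int x0, int y0)
{
    bg.x_raw = (uint32_t)(x0 * 256 - bg.pa * x0 - bg.pb * y0);
    bg.y_raw = (uint32_t)(y0 * 256 - bg.pc * x0 - bg.pd * y0);
    return bg;
}

int main(void)
{
    printf("rot45 (3,1)   -> %d\n", affine_sample_packed(SAMPLE_ROT45, 3, 1));
    printf("zoom2 (0,0)   -> %d\n", affine_sample_packed(SAMPLE_ZOOM2, 0, 0));
    printf("rot45 centred -> %d\n",
           affine_sample_packed(with_center(SAMPLE_ROT45, 120, 80), 120, 80));
    return 0;
}
```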
1105 |
1106 | ## LCD I/O Window Feature
1107 |
1108 | The Window Feature may be used to split the screen into four regions. The
1109 | BG0-3,OBJ layers and Color Special Effects can be separately enabled or
1110 | disabled in each of these regions.
1111 |
1112 | ### The DISPCNT Register
1113 |
1114 | DISPCNT Bits 13-15 are used to enable Window 0, Window 1, and/or OBJ Window
1115 | regions, if any of these regions is enabled then the "Outside of Windows"
1116 | region is automatically enabled, too.
1117 |
1118 | DISPCNT Bits 8-12 are still used as master enable bits for the BG0-3,OBJ layers;
1119 | a layer is displayed only if both DISPCNT and WININ/OUT enable bits are set.
1120 |
1121 | ### 4000040h - WIN0H - Window 0 Horizontal Dimensions (W)
1122 |
1123 | ### 4000042h - WIN1H - Window 1 Horizontal Dimensions (W)
1124 |
1125 | ```
1126 | Bit Expl.
1127 | 0-7 X2, Rightmost coordinate of window, plus 1
1128 | 8-15 X1, Leftmost coordinate of window
1129 | ```
1130 |
1131 | Garbage values of X2>240 or X1>X2 are interpreted as X2=240.
1132 |
1133 | ### 4000044h - WIN0V - Window 0 Vertical Dimensions (W)
1134 |
1135 | ### 4000046h - WIN1V - Window 1 Vertical Dimensions (W)
1136 |
1137 | ```
1138 | Bit Expl.
1139 | 0-7 Y2, Bottom-most coordinate of window, plus 1
1140 | 8-15 Y1, Top-most coordinate of window
1141 | ```
1142 |
1143 | Garbage values of Y2>160 or Y1>Y2 are interpreted as Y2=160.
1144 |
1145 | ### 4000048h - WININ - Control of Inside of Window(s) (R/W)
1146 |
1147 | ```
1148 | Bit Expl.
1149 | 0-3 Window 0 BG0-BG3 Enable Bits (0=No Display, 1=Display)
1150 | 4 Window 0 OBJ Enable Bit (0=No Display, 1=Display)
1151 | 5 Window 0 Color Special Effect (0=Disable, 1=Enable)
1152 | 6-7 Not used
1153 | 8-11 Window 1 BG0-BG3 Enable Bits (0=No Display, 1=Display)
1154 | 12 Window 1 OBJ Enable Bit (0=No Display, 1=Display)
1155 | 13 Window 1 Color Special Effect (0=Disable, 1=Enable)
1156 | 14-15 Not used
1157 | ```
1158 |
1159 | ### 400004Ah - WINOUT - Control of Outside of Windows & Inside of OBJ Window (R/W)
1160 |
1161 | ```
1162 | Bit Expl.
1163 | 0-3 Outside BG0-BG3 Enable Bits (0=No Display, 1=Display)
1164 | 4 Outside OBJ Enable Bit (0=No Display, 1=Display)
1165 | 5 Outside Color Special Effect (0=Disable, 1=Enable)
1166 | 6-7 Not used
1167 | 8-11 OBJ Window BG0-BG3 Enable Bits (0=No Display, 1=Display)
1168 | 12 OBJ Window OBJ Enable Bit (0=No Display, 1=Display)
1169 | 13 OBJ Window Color Special Effect (0=Disable, 1=Enable)
1170 | 14-15 Not used
1171 | ```
1172 |
1173 | ### The OBJ Window
1174 |
1175 | The dimension of the OBJ Window is specified by OBJs which have the "OBJ
1176 | Mode" attribute set to "OBJ Window". Any non-transparent dots of any such
1177 | OBJs are marked as OBJ Window area. The OBJ itself is not displayed.
1178 |
1179 | The color, palette, and display priority of these OBJs are ignored. Both
1180 | DISPCNT Bits 12 and 15 must be set when defining OBJ Window region(s).
1181 |
1182 | ### Window Priority
1183 |
1184 | If more than one window is enabled, and these windows overlap, Window 0 has
1185 | the highest priority, Window 1 medium, and Obj Window the lowest priority.
1186 | Outside of Window has zero priority; it is used for all dots which are not
1187 | inside of any window region.
1188 |
1189 | ## LCD I/O Mosaic Function
1190 |
1191 | ### 400004Ch - MOSAIC - Mosaic Size (W)
1192 |
1193 | The Mosaic function can be separately enabled/disabled for BG0-BG3 by
1194 | BG0CNT-BG3CNT Registers, as well as for each OBJ0-127 by OBJ attributes in OAM
1195 | memory. Also, setting all of the bits below to zero effectively disables the
1196 | mosaic function.
1197 |
1198 | ```
1199 | Bit Expl.
1200 | 0-3 BG Mosaic H-Size (minus 1)
1201 | 4-7 BG Mosaic V-Size (minus 1)
1202 | 8-11 OBJ Mosaic H-Size (minus 1)
1203 | 12-15 OBJ Mosaic V-Size (minus 1)
1204 | 16-31 Not used
1205 | ```
1206 |
1207 | Example: When setting H-Size to 5, then pixels 0-5 of each display row are
1208 | colorized as pixel 0, pixels 6-11 as pixel 6, pixels 12-17 as pixel 12, and so
1209 | on.
1210 |
1211 | Normally, a 'mosaic-pixel' is colorized by the color of the upperleft covered
1212 | pixel. In many cases it might be more desirable to use the color of the pixel
1213 | in the center of the covered area - this effect may be gained by scrolling the
1214 | background (or by adjusting the OBJ position, as far as upper/left rows/columns
1215 | of OBJ are transparent).
1216 |
1217 | ## LCD I/O Color Special Effects
1218 |
1219 | Two types of Special Effects are supported: Alpha Blending (Semi-Transparency)
1220 | allows combining the colors of two selected surfaces. Brightness
1221 | Increase/Decrease adjusts the brightness of the selected surface.
1222 |
1223 | ### 4000050h - BLDCNT - Color Special Effects Selection (R/W)
1224 |
1225 | ```
1226 | Bit Expl.
1227 | 0 BG0 1st Target Pixel (Background 0)
1228 | 1 BG1 1st Target Pixel (Background 1)
1229 | 2 BG2 1st Target Pixel (Background 2)
1230 | 3 BG3 1st Target Pixel (Background 3)
1231 | 4 OBJ 1st Target Pixel (Top-most OBJ pixel)
1232 | 5 BD 1st Target Pixel (Backdrop)
1233 | 6-7 Color Special Effect (0-3, see below)
1234 |       0 = None                (Special effects disabled)
1235 |       1 = Alpha Blending      (1st+2nd Target mixed)
1236 |       2 = Brightness Increase (1st Target becomes whiter)
1237 |       3 = Brightness Decrease (1st Target becomes blacker)
1238 | 8 BG0 2nd Target Pixel (Background 0)
1239 | 9 BG1 2nd Target Pixel (Background 1)
1240 | 10 BG2 2nd Target Pixel (Background 2)
1241 | 11 BG3 2nd Target Pixel (Background 3)
1242 | 12 OBJ 2nd Target Pixel (Top-most OBJ pixel)
1243 | 13 BD 2nd Target Pixel (Backdrop)
1244 | 14-15 Not used
1245 | ```
1246 |
1247 | Selects the 1st Target layer(s) for special effects. For Alpha
1248 | Blending/Semi-Transparency, it also selects the 2nd Target layer(s), which
1249 | should have the next lower display priority than the 1st Target.
1250 |
1251 | However, any combinations are possible, including that all layers may be
1252 | selected as both 1st+2nd target, in that case the top-most pixel will be used
1253 | as 1st target, and the next lower pixel as 2nd target.
1254 |
1255 | ### 4000052h - BLDALPHA - Alpha Blending Coefficients (R/W) (not W)
1256 |
1257 | Used for Color Special Effects Mode 1, and for Semi-Transparent OBJs.
1258 |
1259 | ```
1260 | Bit Expl.
1261 | 0-4 EVA Coefficient (1st Target) (0..16 = 0/16..16/16, 17..31=16/16)
1262 | 5-7 Not used
1263 | 8-12 EVB Coefficient (2nd Target) (0..16 = 0/16..16/16, 17..31=16/16)
1264 | 13-15 Not used
1265 | ```
1266 |
1267 | For this effect, the top-most non-transparent pixel must be selected as 1st
1268 | Target, and the next-lower non-transparent pixel must be selected as 2nd
1269 | Target, if so - and only if so, then color intensities of 1st and 2nd Target
1270 | are mixed together by using the parameters in BLDALPHA register, for each pixel
1271 | each R, G, B intensities are calculated separately:
1272 |
1273 | ```
1274 | I = MIN ( 31, I1st*EVA + I2nd*EVB )
1275 | ```
1276 |
1277 | Otherwise - for example, if only one target exists, or if a non-transparent
1278 | non-2nd-target pixel is moved between the two targets, or if 2nd target has
1279 | higher display priority than 1st target - then only the top-most pixel is
1280 | displayed (at normal intensity, regardless of BLDALPHA).
1281 |
1282 | ### 4000054h - BLDY - Brightness (Fade-In/Out) Coefficient (W) (not R/W)
1283 |
1284 | Used for Color Special Effects Modes 2 and 3.
1285 |
1286 | ```
1287 | Bit Expl.
1288 | 0-4 EVY Coefficient (Brightness) (0..16 = 0/16..16/16, 17..31=16/16)
1289 | 5-31 Not used
1290 | ```
1291 |
1292 | For each pixel each R, G, B intensities are calculated separately:
1293 |
1294 | ```
1295 | I = I1st + (31-I1st)*EVY ;For Brightness Increase
1296 | I = I1st - (I1st)*EVY ;For Brightness Decrease
1297 | ```
1298 |
1299 | The color intensities of any selected 1st target surface(s) are increased or
1300 | decreased by using the parameter in BLDY register.
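
The BLDALPHA and BLDY formulas above, carried out on 15-bit colors (bits 0-4 red, 5-9 green, 10-14 blue) as an added C example that is not part of GBATEK. Function names are this example's own; the page gives no rounding rule, so truncating the 1/16 fraction is an assumption, and choosing which layers are 1st/2nd target is left to the caller through `have_second`.

```c
#include <stdint.h>
#include <stdio.h>

/* 5-bit coefficient field: 0..16 = 0/16..16/16, 17..31 = 16/16. */
static unsigned coeff(unsigned field)
{
    field &= 31u;
    return field > 16u ? 16u : field;
}

/* Mode 1: I = MIN(31, I1st*EVA + I2nd*EVB), separately for R, G and B. */
uint16_t alpha_blend(uint16_t first, uint16_t second, uint16_t bldalpha)
{
    unsigned eva = coeff(bldalpha);        /* bits 0-4  */
    unsigned evb = coeff(bldalpha >> 8);   /* bits 8-12 */
    unsigned out = 0;

    for (unsigned shift = 0; shift <= 10; shift += 5) {
        unsigned i1 = (first >> shift) & 31u;
        unsigned i2 = (second >> shift) & 31u;
        unsigned i  = (i1 * eva + i2 * evb) >> 4;  /* assumption: truncate */
        out |= (i > 31u ? 31u : i) << shift;
    }
    return (uint16_t)out;
}

/* Modes 2 and 3: I = I1st + (31-I1st)*EVY  or  I = I1st - I1st*EVY. */
uint16_t brightness(uint16_t first, uint16_t bldy, int increase)
{
    unsigned evy = coeff(bldy);
    unsigned out = 0;

    for (unsigned shift = 0; shift <= 10; shift += 5) {
        unsigned i = (first >> shift) & 31u;
        i = increase ? i + (((31u - i) * evy) >> 4)   /* assumption: truncate */
                     : i - ((i * evy) >> 4);
        out |= i << shift;
    }
    return (uint16_t)out;
}

/* Dispatch on BLDCNT bits 6-7. have_second is nonzero only when the pixel
   directly below the 1st target is a selected 2nd target; otherwise the
   top-most pixel is shown at normal intensity, as the text above states. */
uint16_t special_effect(uint16_t bldcnt, uint16_t bldalpha, uint16_t bldy,
                        uint16_t first, uint16_t second, int have_second)
{
    switch ((bldcnt >> 6) & 3u) {
    case 1:  return have_second ? alpha_blend(first, second, bldalpha) : first;
    case 2:  return brightness(first, bldy, 1);
    case 3:  return brightness(first, bldy, 0);
    default: return first;
    }
}

int main(void)
{
    /* Constructed inputs: pure red over pure blue, EVA = EVB = 8/16. */
    printf("blend  : %04X\n", (unsigned)alpha_blend(0x001F, 0x7C00, 0x0808));
    printf("lighter: %04X\n", (unsigned)brightness(0x0000, 8, 1));
    printf("darker : %04X\n", (unsigned)brightness(0x7FFF, 8, 0));
    return 0;
}
```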
1301 |
1302 | ### Semi-Transparent OBJs
1303 |
1304 | OBJs that are defined as 'Semi-Transparent' in OAM memory are always selected
1305 | as 1st Target (regardless of BLDCNT Bit 4), and are always using Alpha Blending
1306 | mode (regardless of BLDCNT Bit 6-7).
1307 |
1308 | The BLDCNT register may be used to perform Brightness effects on the OBJ
1309 | (and/or other BG/BD layers). However, if a semi-transparent OBJ pixel does
1310 | overlap a 2nd target pixel, then semi-transparency becomes priority, and the
1311 | brightness effect will not take place (neither on 1st, nor 2nd target).
1312 |
1313 | ### The OBJ Layer
1314 |
1315 | Before special effects are applied, the display controller computes the OBJ
1316 | priority ordering, and isolates the top-most OBJ pixel. As a result, only the
1317 | top-most OBJ pixel is recursed at the time when processing special effects. Ie.
1318 | alpha blending and semi-transparency can be used for OBJ-to-BG or BG-to-OBJ,
1319 | but not for OBJ-to-OBJ.
1320 |
1321 | ## LCD VRAM Overview
1322 |
1323 | The GBA contains 96 Kbytes VRAM built-in, located at address 06000000-06017FFF,
1324 | depending on the BG Mode used as follows:
1325 |
1326 | ### BG Mode 0,1,2 (Tile/Map based Modes)
1327 |
1328 | ```
1329 | 06000000-0600FFFF 64 KBytes shared for BG Map and Tiles
1330 | 06010000-06017FFF 32 KBytes OBJ Tiles
1331 | ```
1332 |
1333 | The shared 64K area can be split into BG Map area(s), and BG Tiles area(s), the
1334 | respective addresses for Map and Tile areas are set up by BG0CNT-BG3CNT
1335 | registers. The Map address may be specified in units of 2K (steps of 800h), the
1336 | Tile address in units of 16K (steps of 4000h).
1337 |
1338 | ### BG Mode 0,1 (Tile/Map based Text mode)
1339 |
1340 | The tiles may have 4bit or 8bit color depth, minimum map size is 32x32 tiles,
1341 | maximum is 64x64 tiles, up to 1024 tiles can be used per map.
1342 |
1343 | ```
1344 | Item        Depth     Required Memory
1345 | One Tile    4bit      20h bytes
1346 | One Tile    8bit      40h bytes
1347 | 1024 Tiles  4bit      8000h (32K)
1348 | 1024 Tiles  8bit      10000h (64K) - excluding some bytes for BG map
1349 | BG Map      32x32     800h (2K)
1350 | BG Map      64x64     2000h (8K)
1351 | ```
1352 |
1353 | ### BG Mode 1,2 (Tile/Map based Rotation/Scaling mode)
1354 |
1355 | The tiles may have 8bit color depth only, minimum map size is 16x16 tiles,
1356 | maximum is 128x128 tiles, up to 256 tiles can be used per map.
1357 |
1358 | ```
1359 | Item        Depth     Required Memory
1360 | One Tile    8bit      40h bytes
1361 | 256 Tiles   8bit      4000h (16K)
1362 | BG Map      16x16     100h bytes
1363 | BG Map      128x128   4000h (16K)
1364 | ```
1365 |
1366 | ### BG Mode 3 (Bitmap based Mode for still images)
1367 |
1368 | ```
1369 | 06000000-06013FFF 80 KBytes Frame 0 buffer (only 75K actually used)
1370 | 06014000-06017FFF 16 KBytes OBJ Tiles
1371 | ```
1372 |
1373 | ### BG Mode 4,5 (Bitmap based Modes)
1374 |
1375 | ```
1376 | 06000000-06009FFF 40 KBytes Frame 0 buffer (only 37.5K used in Mode 4)
1377 | 0600A000-06013FFF 40 KBytes Frame 1 buffer (only 37.5K used in Mode 4)
1378 | 06014000-06017FFF 16 KBytes OBJ Tiles
1379 | ```
1380 |
1381 | ### Note
1382 |
1383 | In addition to the above VRAM, the GBA also contains 1 KByte Palette RAM (at
1384 | 05000000h) and 1 KByte OAM (at 07000000h) which are both used by the display
1385 | controller as well.
1386 |
1387 | ## LCD VRAM Character Data
1388 |
1389 | Each character (tile) consists of 8x8 dots (64 dots in total). The color depth
1390 | may be either 4bit or 8bit (see BG0CNT-BG3CNT).
1391 |
1392 | ### 4bit depth (16 colors, 16 palettes)
1393 |
1394 | Each tile occupies 32 bytes of memory, the first 4 bytes for the topmost row of
1395 | the tile, and so on. Each byte representing two dots, the lower 4 bits define
1396 | the color for the left (!) dot, the upper 4 bits the color for the right dot.
1397 |
1398 | ### 8bit depth (256 colors, 1 palette)
1399 |
1400 | Each tile occupies 64 bytes of memory, the first 8 bytes for the topmost row of
1401 | the tile, and so on. Each byte selects the palette entry for each dot.
1402 |
1403 | ## LCD VRAM BG Screen Data Format (BG Map)
1404 |
1405 | The display background consists of 8x8 dot tiles, the arrangement of these
1406 | tiles is specified by the BG Screen Data (BG Map). The separate entries in this
1407 | map are as follows:
1408 |
1409 | ### Text BG Screen (2 bytes per entry)
1410 |
1411 | Specifies the tile number and attributes. Note that BG tile numbers are always
1412 | specified in steps of 1 (unlike OBJ tile numbers which are using steps of two
1413 | in 256 color/1 palette mode).
1414 |
1415 | ```
1416 | Bit Expl.
1417 | 0-9 Tile Number (0-1023) (a bit less in 256 color mode, because
1418 | there'd be otherwise no room for the bg map)
1419 | 10 Horizontal Flip (0=Normal, 1=Mirrored)
1420 | 11 Vertical Flip (0=Normal, 1=Mirrored)
1421 | 12-15 Palette Number (0-15) (Not used in 256 color/1 palette mode)
1422 | ```
1423 |
1424 | A Text BG Map always consists of 32x32 entries (256x256 pixels), 400h entries =
1425 | 800h bytes. However, depending on the BG Size, one, two, or four of these Maps
1426 | may be used together, allowing to create backgrounds of 256x256, 512x256,
1427 | 256x512, or 512x512 pixels, if so, the first map (SC0) is located at base+0,
1428 | the next map (SC1) at base+800h, and so on.
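
How the pieces above fit together for one dot of a Text BG, as an added C example (not code from GBATEK): BGxCNT gives the map and tile bases, the scroll offsets wrap inside the selected screen size, SC0-SC3 select the 800h-byte map, and the 2-byte entry selects tile, flips and palette. Function names and the VRAM contents are constructed for this example; returning -1 for an address outside the 64K BG area is this example's own bounds check, not a statement about the hardware.

```c
#include <stdint.h>
#include <stdio.h>

#define BG_VRAM_SIZE 0x10000u  /* 06000000-0600FFFF, shared BG Map and Tiles */

/* Palette RAM color number (0-255) of LCD dot (sx, sy), or -1 if the map
   entry or the tile data would lie outside the 64K BG area. */
int text_bg_dot(const uint8_t *vram, uint16_t bgcnt, unsigned hofs,
                unsigned vofs, unsigned sx, unsigned sy)
{
    unsigned char_base   = ((bgcnt >> 2) & 3u) * 0x4000u;  /* units of 16K */
    unsigned screen_base = ((bgcnt >> 8) & 31u) * 0x800u;  /* units of 2K  */
    unsigned depth8      = (bgcnt >> 7) & 1u;              /* 1 = 256/1    */
    unsigned size        = (bgcnt >> 14) & 3u;
    unsigned width  = (size & 1u) ? 512u : 256u;
    unsigned height = (size & 2u) ? 512u : 256u;

    /* Scrolling always wraps around inside the selected screen size. */
    unsigned x = (sx + (hofs & 0x1FFu)) & (width - 1u);
    unsigned y = (sy + (vofs & 0x1FFu)) & (height - 1u);

    /* SC0 at base+0, SC1 at +800h, SC2 at +1000h, SC3 at +1800h. With
       Size=2 the lower area is SC1; with Size=3 the lower row is SC2,SC3. */
    unsigned sc = (x >> 8) + (y >> 8) * (size == 3u ? 2u : 1u);
    unsigned entry_addr = screen_base + sc * 0x800u
                        + (((y & 255u) >> 3) * 32u + ((x & 255u) >> 3)) * 2u;
    if (entry_addr + 1u >= BG_VRAM_SIZE)
        return -1;

    unsigned entry = vram[entry_addr] | ((unsigned)vram[entry_addr + 1u] << 8);
    unsigned tile = entry & 0x3FFu;
    unsigned px = x & 7u, py = y & 7u;
    if (entry & 0x400u) px = 7u - px;   /* Horizontal Flip */
    if (entry & 0x800u) py = 7u - py;   /* Vertical Flip   */

    if (depth8) {                       /* 64 bytes per tile, 1 byte per dot */
        unsigned addr = char_base + tile * 64u + py * 8u + px;
        return addr < BG_VRAM_SIZE ? vram[addr] : -1;
    }
    /* 32 bytes per tile; lower 4 bits = left dot, upper 4 bits = right dot */
    unsigned addr = char_base + tile * 32u + py * 4u + (px >> 1);
    if (addr >= BG_VRAM_SIZE)
        return -1;
    unsigned color = (px & 1u) ? (unsigned)(vram[addr] >> 4) : (vram[addr] & 15u);
    return (int)((entry >> 12) * 16u + color);
}

/* Constructed sample VRAM: screen base block 0, tile data in char block 1. */
static uint8_t sample_vram[BG_VRAM_SIZE];

int sample_dot(uint16_t bgcnt, unsigned hofs, unsigned sx)
{
    sample_vram[0x0000] = 0x01; sample_vram[0x0001] = 0x30; /* SC0[0]: tile 1, palette 3 */
    sample_vram[0x0002] = 0xFF; sample_vram[0x0003] = 0x03; /* SC0[1]: tile 1023         */
    sample_vram[0x0800] = 0x01; sample_vram[0x0801] = 0x54; /* SC1[0]: tile 1, H-flip, palette 5 */
    sample_vram[0x4020] = 0x21;  /* tile 1, row 0: dots 0,1 = colors 1,2 */
    sample_vram[0x4023] = 0x90;  /* tile 1, row 0: dots 6,7 = colors 0,9 */
    return text_bg_dot(sample_vram, bgcnt, hofs, 0, sx, 0);
}

int main(void)
{
    printf("SC0 dot 0          : %d\n", sample_dot(0x4004, 0, 0));
    printf("SC1 dot 0 (flipped): %d\n", sample_dot(0x4004, 256, 0));
    printf("8bit tile 1023     : %d\n", sample_dot(0x008C, 0, 8));
    return 0;
}
```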
1429 |
1430 | ### Rotation/Scaling BG Screen (1 byte per entry)
1431 |
1432 | In this mode, only 256 tiles can be used. There are no x/y-flip attributes, the
1433 | color depth is always 256 colors/1 palette.
1434 |
1435 | ```
1436 | Bit Expl.
1437 | 0-7 Tile Number (0-255)
1438 | ```
1439 |
1440 | The dimensions of Rotation/Scaling BG Maps depend on the BG size. For size 0-3
1441 | that are: 16x16 tiles (128x128 pixels), 32x32 tiles (256x256 pixels), 64x64
1442 | tiles (512x512 pixels), or 128x128 tiles (1024x1024 pixels).
1443 |
1444 | The size and VRAM base address of the separate BG maps for BG0-3 are set up by
1445 | BG0CNT-BG3CNT registers.
1446 |
1447 | ## LCD VRAM Bitmap BG Modes
1448 |
1449 | In BG Modes 3-5 the background is defined in form of a bitmap (unlike the
1450 | Tile/Map based BG modes). Bitmaps are implemented as BG2, with Rotation/Scaling
1451 | support. As bitmap modes are occupying 80KBytes of BG memory, only 16KBytes of
1452 | VRAM can be used for OBJ tiles.
1453 |
1454 | ### BG Mode 3 - 240x160 pixels, 32768 colors
1455 |
1456 | Two bytes are associated to each pixel, directly defining one of the 32768
1457 | colors (without using palette data, and thus not supporting a 'transparent' BG
1458 | color).
1459 |
1460 | ```
1461 | Bit Expl.
1462 | 0-4 Red Intensity (0-31)
1463 | 5-9 Green Intensity (0-31)
1464 | 10-14 Blue Intensity (0-31)
1465 | 15 Not used in GBA Mode (in NDS Mode: Alpha=0=Transparent, Alpha=1=Normal)
1466 | ```
1467 |
1468 | The first 480 bytes define the topmost line, the next 480 the next line, and so
1469 | on. The background occupies 75 KBytes (06000000-06012BFF), most of the 80
1470 | Kbytes BG area, not allowing to redraw an invisible second frame in background,
1471 | so this mode is mostly recommended for still images only.
1472 |
1473 | ### BG Mode 4 - 240x160 pixels, 256 colors (out of 32768 colors)
1474 |
1475 | One byte is associated to each pixel, selecting one of the 256 palette entries.
1476 | Color 0 (backdrop) is transparent, and OBJs may be displayed behind the bitmap.
1477 |
1478 | The first 240 bytes define the topmost line, the next 240 the next line, and so
1479 | on. The background occupies 37.5 KBytes, allowing two frames to be used
1480 | (06000000-060095FF for Frame 0, and 0600A000-060135FF for Frame 1).
1481 |
1482 | ### BG Mode 5 - 160x128 pixels, 32768 colors
1483 |
1484 | Colors are defined as for Mode 3 (see above), but horizontal and vertical size
1485 | are cut down to 160x128 pixels only - smaller than the physical dimensions of
1486 | the LCD screen.
1487 |
1488 | The background occupies exactly 40 KBytes, so that BG VRAM may be split into
1489 | two frames (06000000-06009FFF for Frame 0, and 0600A000-06013FFF for Frame 1).
1490 |
1491 | In BG modes 4,5, one Frame may be displayed (selected by DISPCNT Bit 4), the
1492 | other Frame is invisible and may be redrawn in background.
1493 |
1494 | ## LCD OBJ - Overview
1495 |
1496 | ### General
1497 |
1498 | Objects (OBJs) are moveable sprites. Up to 128 OBJs (of any size, up to 64x64
1499 | dots each) can be displayed per screen, and under best circumstances up to 128
1500 | OBJs (of small 8x8 dots size) can be displayed per horizontal display line.
1501 |
1502 | ### Maximum Number of Sprites per Line
1503 |
1504 | The total available OBJ rendering cycles per line are
1505 |
1506 | ```
1507 | 1210 (=304*4-6) If "H-Blank Interval Free" bit in DISPCNT register is 0
1508 | 954 (=240*4-6) If "H-Blank Interval Free" bit in DISPCNT register is 1
1509 | ```
1510 |
1511 | The required rendering cycles are (depending on horizontal OBJ size)
1512 |
1513 | ```
1514 | Cycles per <n> Pixels  OBJ Type               OBJ Type Screen Pixel Range
1515 | n*1 cycles             Normal OBJs            8..64 pixels
1516 | 10+n*2 cycles          Rotation/Scaling OBJs  8..64 pixels   (area clipped)
1517 | 10+n*2 cycles          Rotation/Scaling OBJs  16..128 pixels (double size)
1518 | ```
1519 |
1520 | Caution:
1521 |
1522 | The maximum number of OBJs per line is also affected by undisplayed (offscreen)
1523 | OBJs which are having higher priority than displayed OBJs.
1524 |
1525 | To avoid this, move displayed OBJs to the beginning of OAM memory (ie. OBJ0 has
1526 | highest priority, OBJ127 lowest).
1527 |
1528 | Otherwise (in case that the program logic expects OBJs at fixed positions in
1529 | OAM) at least take care to set the OBJ size of undisplayed OBJs to 8x8 with
1530 | Rotation/Scaling disabled (this reduces the overload).
1531 |
1532 | Does the above also apply for VERTICALLY OFFSCREEN (or VERTICALLY not on
1533 | CURRENT LINE) sprites ?
1534 |
1535 | ### VRAM - Character Data
1536 |
1537 | OBJs are always combined of one or more 8x8 pixel Tiles (much like BG Tiles in
1538 | BG Modes 0-2). However, OBJ Tiles are stored in a separate area in VRAM:
1539 | 06010000-06017FFF (32 KBytes) in BG Mode 0-2, or 06014000-06017FFF (16 KBytes)
1540 | in BG Mode 3-5.
1541 |
1542 | Depending on the size of the above area (16K or 32K), and on the OBJ color
1543 | depth (4bit or 8bit), 256-1024 8x8 dots OBJ Tiles can be defined.
1544 |
1545 | ### OAM - Object Attribute Memory
1546 |
1547 | This memory area contains Attributes which specify position, size, color depth,
1548 | etc. appearance for each of the 128 OBJs. Additionally, it contains 32 OBJ
1549 | Rotation/Scaling Parameter groups. OAM is located at 07000000-070003FF (sized 1
1550 | KByte).
1551 |
1552 | ## LCD OBJ - OAM Attributes
1553 |
1554 | ### OBJ Attributes
1555 |
1556 | There are 128 entries in OAM, one for each of OBJ0-OBJ127. Each entry consists of 6
1557 | bytes (three 16bit Attributes). Attributes for OBJ0 are located at 07000000,
1558 | for OBJ1 at 07000008, OBJ2 at 07000010, and so on.
1559 |
1560 | As you can see, there are blank spaces at 07000006, 0700000E, 07000016, etc. -
1561 | these 16bit values are used for OBJ Rotation/Scaling (as described in the next
1562 | chapter) - they are not directly related to the separate OBJs.
1563 |
1564 | ### OBJ Attribute 0 (R/W)
1565 |
1566 | ```
1567 | Bit Expl.
1568 | 0-7 Y-Coordinate (0-255)
1569 | 8 Rotation/Scaling Flag (0=Off, 1=On)
1570 | When Rotation/Scaling used (Attribute 0, bit 8 set):
1571 |   9     Double-Size Flag     (0=Normal, 1=Double)
1572 | When Rotation/Scaling not used (Attribute 0, bit 8 cleared):
1573 |   9     OBJ Disable          (0=Normal, 1=Not displayed)
1574 | 10-11 OBJ Mode (0=Normal, 1=Semi-Transparent, 2=OBJ Window, 3=Prohibited)
1575 | 12 OBJ Mosaic (0=Off, 1=On)
1576 | 13 Colors/Palettes (0=16/16, 1=256/1)
1577 | 14-15 OBJ Shape (0=Square,1=Horizontal,2=Vertical,3=Prohibited)
1578 | ```
1579 |
1580 | Caution: A very large OBJ (of 128 pixels vertically, ie. a 64 pixels OBJ in a
1581 | Double Size area) located at Y>128 will be treated as at Y>-128, the OBJ
1582 | is then displayed partly offscreen at the TOP of the display, it is then NOT
1583 | displayed at the bottom.
1584 |
1585 | ### OBJ Attribute 1 (R/W)
1586 |
1587 | ```
1588 | Bit Expl.
1589 | 0-8 X-Coordinate (0-511)
1590 | When Rotation/Scaling used (Attribute 0, bit 8 set):
1591 |   9-13  Rotation/Scaling Parameter Selection (0-31)
1592 |         (Selects one of the 32 Rotation/Scaling Parameters that
1593 |         can be defined in OAM, for details read next chapter.)
1594 | When Rotation/Scaling not used (Attribute 0, bit 8 cleared):
1595 |   9-11  Not used
1596 |   12    Horizontal Flip      (0=Normal, 1=Mirrored)
1597 |   13    Vertical Flip        (0=Normal, 1=Mirrored)
1598 | 14-15 OBJ Size               (0..3, depends on OBJ Shape, see Attr 0)
1599 |         Size  Square   Horizontal  Vertical
1600 |         0     8x8      16x8        8x16
1601 |         1     16x16    32x8        8x32
1602 |         2     32x32    32x16       16x32
1603 |         3     64x64    64x32       32x64
1604 | ```
1605 |
1606 | ### OBJ Attribute 2 (R/W)
1607 |
1608 | ```
1609 | Bit Expl.
1610 | 0-9 Character Name (0-1023=Tile Number)
1611 | 10-11 Priority relative to BG (0-3; 0=Highest)
1612 | 12-15 Palette Number (0-15) (Not used in 256 color/1 palette mode)
1613 | ```
1614 |
1615 | ### Notes:
1616 |
1617 | ### OBJ Mode
1618 |
1619 | The OBJ Mode may be Normal, Semi-Transparent, or OBJ Window.
1620 |
1621 | Semi-Transparent means that the OBJ is used as 'Alpha Blending 1st Target'
1622 | (regardless of BLDCNT register, for details see chapter about Color Special
1623 | Effects).
1624 |
1625 | OBJ Window means that the OBJ is not displayed, instead, dots with non-zero
1626 | color are used as mask for the OBJ Window, see DISPCNT and WINOUT for details.
1627 |
1628 | ### OBJ Tile Number
1629 |
1630 | There are two situations which may divide the amount of available tiles by two
1631 | (by four if both situations apply):
1632 |
1633 | 1. When using the 256 Colors/1 Palette mode, only each second tile may be used,
1634 | the lower bit of the tile number should be zero (in 2-dimensional mapping mode,
1635 | the bit is completely ignored).
1636 |
1637 | 2. When using BG Mode 3-5 (Bitmap Modes), only tile numbers 512-1023 may be
1638 | used. That is because lower 16K of OBJ memory are used for BG. Attempts to use
1639 | tiles 0-511 are ignored (not displayed).
1640 |
1641 | ### Priority
1642 |
1643 | If the 'Priority relative to BG' is the same as the priority of one of the
1644 | background layers, then the OBJ has higher priority and is displayed on top
1645 | of that BG layer.
1646 |
1647 | Caution: Take care not to mess up BG Priority and OBJ priority. For example,
1648 | the following would cause garbage to be displayed:
1649 |
1650 | ```
1651 | OBJ No. 0 with Priority relative to BG=1 ;hi OBJ prio, lo BG prio
1652 | OBJ No. 1 with Priority relative to BG=0 ;lo OBJ prio, hi BG prio
1653 | ```
1654 |
1655 | That is, OBJ0 always has priority over OBJ1-127, so assigning a lower BG
1656 | Priority to OBJ0 than to OBJ1-127 would be a bad idea.
1657 |
1658 | ## LCD OBJ - OAM Rotation/Scaling Parameters
1659 |
1660 | As described in the previous chapter, there are blank spaces between each of
1661 | the 128 OBJ Attribute Fields in OAM memory. These 128 16bit gaps are used to
1662 | store OBJ Rotation/Scaling Parameters.
1663 |
1664 | ### Location of Rotation/Scaling Parameters in OAM
1665 |
1666 | Four 16bit parameters (PA,PB,PC,PD) are required to define a complete group of
1667 | Rotation/Scaling data. These are spread across OAM as such:
1668 |
1669 | ```
1670 | 1st Group - PA=07000006, PB=0700000E, PC=07000016, PD=0700001E
1671 | 2nd Group - PA=07000026, PB=0700002E, PC=07000036, PD=0700003E
1672 | etc.
1673 | ```
1674 |
1675 | By using all blank space (128 x 16bit), up to 32 of these groups (4 x 16bit
1676 | each) can be defined in OAM.
1677 |
1678 | ### OBJ Rotation/Scaling PA,PB,PC,PD Parameters (R/W)
1679 |
1680 | Each OBJ that uses Rotation/Scaling may select between any of the above 32
1681 | parameter groups. For details, refer to the previous chapter about OBJ
1682 | Attributes.
1683 |
1684 | The meaning of the separate PA,PB,PC,PD values is identical as for BG, for
1685 | details read the chapter about BG Rotation/Scaling.
1686 |
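The three attribute tables, the tile-number and Y-coordinate cautions, and the parameter-group addresses above can be combined into a small host-side decoder for a raw OAM dump. This is an added example, not code from GBATEK or no$gba; the struct, function and flag names are assumptions of the example, and the sample attribute values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define OAM_BASE 0x07000000u

/* Findings reported by obj_check(); the names are this example's own. */
enum {
    OBJ_PROHIBITED_MODE  = 1 << 0, /* OBJ Mode 3 */
    OBJ_PROHIBITED_SHAPE = 1 << 1, /* OBJ Shape 3 */
    OBJ_TILE_IN_BG_AREA  = 1 << 2, /* tile 0-511 in BG Mode 3-5: not displayed */
    OBJ_TILE_ODD_256     = 1 << 3, /* odd tile number, 256 colors, 1D mapping */
    OBJ_Y_WRAPS_TO_TOP   = 1 << 4  /* 128-line double-size area at Y>128 */
};

typedef struct {
    unsigned y, x;                    /* attr0 bits 0-7, attr1 bits 0-8 */
    bool affine;                      /* attr0 bit 8 (Rotation/Scaling) */
    bool double_size;                 /* attr0 bit 9 when affine */
    bool disabled;                    /* attr0 bit 9 when not affine */
    unsigned mode;                    /* attr0 bits 10-11 */
    bool mosaic, color256;            /* attr0 bits 12 and 13 */
    unsigned shape, size;             /* attr0 bits 14-15, attr1 bits 14-15 */
    unsigned affine_group;            /* attr1 bits 9-13 when affine */
    bool hflip, vflip;                /* attr1 bits 12 and 13 when not affine */
    unsigned tile, priority, palette; /* attr2 bits 0-9, 10-11, 12-15 */
    unsigned width, height;           /* pixels; 0 for the prohibited shape */
} obj_attr;

/* {width, height} indexed by [shape][size], from the Attribute 1 table. */
static const uint8_t obj_dims[3][4][2] = {
    {{ 8,  8}, {16, 16}, {32, 32}, {64, 64}},   /* 0 = Square */
    {{16,  8}, {32,  8}, {32, 16}, {64, 32}},   /* 1 = Horizontal */
    {{ 8, 16}, { 8, 32}, {16, 32}, {32, 64}}    /* 2 = Vertical */
};

/* Attribute 0 of OBJ n; Attributes 1 and 2 follow at +2 and +4. */
uint32_t obj_entry_addr(unsigned n) { return OAM_BASE + 8u * (n & 127u); }

/* One parameter of a Rotation/Scaling group; k: 0=PA 1=PB 2=PC 3=PD. */
uint32_t obj_affine_param_addr(unsigned group, unsigned k)
{
    return OAM_BASE + 0x20u * (group & 31u) + 8u * (k & 3u) + 6u;
}

obj_attr obj_decode(uint16_t a0, uint16_t a1, uint16_t a2)
{
    obj_attr o = {0};
    bool bit9 = (a0 >> 9) & 1;
    o.y = a0 & 0xFF;
    o.affine = (a0 >> 8) & 1;
    o.double_size = o.affine && bit9;     /* bit 9 changes meaning with bit 8 */
    o.disabled = !o.affine && bit9;
    o.mode = (a0 >> 10) & 3;
    o.mosaic = (a0 >> 12) & 1;
    o.color256 = (a0 >> 13) & 1;
    o.shape = (a0 >> 14) & 3;
    o.x = a1 & 0x1FF;
    if (o.affine) {
        o.affine_group = (a1 >> 9) & 31;
    } else {
        o.hflip = (a1 >> 12) & 1;
        o.vflip = (a1 >> 13) & 1;
    }
    o.size = (a1 >> 14) & 3;
    if (o.shape < 3) {
        o.width = obj_dims[o.shape][o.size][0];
        o.height = obj_dims[o.shape][o.size][1];
    }
    o.tile = a2 & 0x3FF;
    o.priority = (a2 >> 10) & 3;
    o.palette = (a2 >> 12) & 15;
    return o;
}

/* Flag settings the text calls prohibited, ignored or surprising. */
unsigned obj_check(obj_attr o, unsigned bg_mode, bool mapping_1d)
{
    unsigned f = 0;
    if (o.mode == 3)  f |= OBJ_PROHIBITED_MODE;
    if (o.shape == 3) f |= OBJ_PROHIBITED_SHAPE;
    if (bg_mode >= 3 && bg_mode <= 5 && o.tile < 512) f |= OBJ_TILE_IN_BG_AREA;
    if (o.color256 && mapping_1d && (o.tile & 1))     f |= OBJ_TILE_ODD_256;
    if (o.double_size && o.height == 64 && o.y > 128) f |= OBJ_Y_WRAPS_TO_TOP;
    return f;
}

int main(void)
{
    obj_attr o = obj_decode(0x23C8, 0xC000, 0x0005); /* constructed sample */
    printf("%ux%u at (%u,%u), tile %u, findings 0x%02X\n",
           o.width, o.height, o.x, o.y, o.tile, obj_check(o, 3, true));
    return 0;
}
```
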
1687 | ### OBJ Reference Point & Rotation Center
1688 |
1689 | The OBJ Reference Point is the upper left of the OBJ, ie. OBJ X/Y coordinates:
1690 | X+0, Y+0.
1691 |
1692 | The OBJ Rotation Center is always (or should be usually?) in the middle of the
1693 | object, ie. for a 8x32 pixel OBJ, this would be at the OBJ X/Y coordinates:
1694 | X+4, and Y+16.
1695 |
1696 | ### OBJ Double-Size Bit (for OBJs that use Rotation/Scaling)
1697 |
1698 | When Double-Size is zero: The sprite is rotated, and then displayed inside of the
1699 | normal-sized (not rotated) rectangular area - the edges of the rotated sprite
1700 | will become invisible if they reach outside of that area.
1701 |
1702 | When Double-Size is set: The sprite is rotated, and then displayed inside of the
1703 | double-sized (not rotated) rectangular area - this ensures that the edges of
1704 | the rotated sprite remain visible even if they would reach outside of the
1705 | normal-sized area. (Except that, for example, rotating a 8x32 pixel sprite by
1706 | 90 degrees would still cut off parts of the sprite as the double-size area
1707 | isn't large enough.)
1708 |
1709 | ## LCD OBJ - VRAM Character (Tile) Mapping
1710 |
1711 | Each OBJ tile consists of 8x8 dots, however, bigger OBJs can be displayed by
1712 | combining several 8x8 tiles. The horizontal and vertical size for each OBJ may
1713 | be separately defined in OAM, possible H/V sizes are 8,16,32,64 dots - allowing
1714 | 'square' OBJs to be used (such like 8x8, 16x16, etc) as well as 'rectangular'
1715 | OBJs (such like 8x32, 64x16, etc.)
1716 |
1717 | When displaying an OBJ that consists of more than one 8x8 tile, one of the
1718 | following two mapping modes can be used. In either case, the tile number of the
1719 | upper-left tile must be specified in OAM memory.
1720 |
1721 | ### Two Dimensional Character Mapping (DISPCNT Bit 6 cleared)
1722 |
1723 | This mapping mode assumes that the 1024 OBJ tiles are arranged as a matrix of
1724 | 32x32 tiles / 256x256 pixels (In 256 color mode: 16x32 tiles / 128x256 pixels).
1725 | Ie. the upper row of this matrix contains tiles 00h-1Fh, the next row tiles
1726 | 20h-3Fh, and so on.
1727 |
1728 | For example, when displaying a 16x16 pixel OBJ, with tile number set to 04h;
1729 | The upper row of the OBJ will consist of tile 04h and 05h, the next row of 24h
1730 | and 25h. (In 256 color mode: 04h and 06h, 24h and 26h.)
1731 |
1732 | ### One Dimensional Character Mapping (DISPCNT Bit 6 set)
1733 |
1734 | In this mode, tiles are mapped one after another from 00h-3FFh.
1735 |
1736 | Using the same example as above, the upper row of the OBJ will consist of tile
1737 | 04h and 05h, the next row of tile 06h and 07h. (In 256 color mode: 04h and 06h,
1738 | 08h and 0Ah.)
1739 |
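Both mapping modes reduce to one tile-number calculation, shown here as an added example (not part of the original document; the function names are this example's own). `obj_tile_at` reproduces the 16x16 cases worked through above, and `obj_tiles_usable` applies the limits from the OBJ Tile Number notes, treating an OBJ that runs past tile 1023 as unusable (an assumption of the example).

```c
#include <stdbool.h>
#include <stdio.h>

/* Tile number (0-1023, the units of Attribute 2 bits 0-9) of the 8x8 cell at
 * column tx, row ty inside an OBJ whose upper-left tile number is `base`. */
unsigned obj_tile_at(unsigned base, unsigned tx, unsigned ty,
                     unsigned width_px, bool color256, bool mapping_1d)
{
    unsigned step = color256 ? 2u : 1u;  /* a 256-color tile spans 2 numbers */
    unsigned tiles_per_row = width_px / 8u;

    if (mapping_1d)                      /* DISPCNT bit 6 set */
        return base + (ty * tiles_per_row + tx) * step;

    if (color256)
        base &= ~1u;                     /* 2D mode ignores the low bit */
    return base + ty * 32u + tx * step;  /* 2D: each matrix row is 20h numbers */
}

/* True if every tile number the OBJ reads stays inside 0-1023 and, in
 * BG Mode 3-5, does not fall below 512 (where it would not be displayed). */
bool obj_tiles_usable(unsigned base, unsigned width_px, unsigned height_px,
                      bool color256, bool mapping_1d, unsigned bg_mode)
{
    unsigned first = obj_tile_at(base, 0, 0, width_px, color256, mapping_1d);
    unsigned last = obj_tile_at(base, width_px / 8u - 1u, height_px / 8u - 1u,
                                width_px, color256, mapping_1d)
                    + (color256 ? 1u : 0u);

    if (last > 1023u)
        return false;
    if (bg_mode >= 3 && bg_mode <= 5 && first < 512u)
        return false;
    return true;
}

int main(void)
{
    /* The 16x16 OBJ with tile number 04h from the text, all four cases. */
    for (int m = 0; m < 4; m++) {
        bool c256 = m & 1, one_d = m & 2;
        printf("%s, %s:", one_d ? "1D" : "2D", c256 ? "256 colors" : "16 colors");
        for (unsigned ty = 0; ty < 2; ty++)
            for (unsigned tx = 0; tx < 2; tx++)
                printf(" %02Xh", obj_tile_at(0x04, tx, ty, 16, c256, one_d));
        printf("\n");
    }
    return 0;
}
```
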
1740 | ## LCD Color Palettes
1741 |
1742 | ### Color Palette RAM
1743 |
1744 | BG and OBJ palettes are using separate memory regions:
1745 |
1746 | ```
1747 | 05000000-050001FF - BG Palette RAM (512 bytes, 256 colors)
1748 | 05000200-050003FF - OBJ Palette RAM (512 bytes, 256 colors)
1749 | ```
1750 |
1751 | Each BG and OBJ palette RAM may be either split into 16 palettes with 16 colors
1752 | each, or may be used as a single palette with 256 colors.
1753 |
1754 | Note that some OBJs may access palette RAM in 16 color mode, while other OBJs
1755 | may use 256 color mode at the same time. Same for BG0-BG3 layers.
1756 |
1757 | ### Transparent Colors
1758 |
1759 | Color 0 of all BG and OBJ palettes is transparent. Even though palettes are
1760 | described as 16 (256) color palettes, only 15 (255) colors are actually
1761 | visible.
1762 |
1763 | ### Backdrop Color
1764 |
1765 | Color 0 of BG Palette 0 is used as backdrop color. This color is displayed if
1766 | an area of the screen is not covered by any non-transparent BG or OBJ dots.
1767 |
1768 | ### Color Definitions
1769 |
1770 | Each color occupies two bytes (same as for 32768 color BG modes):
1771 |
1772 | ```
1773 | Bit Expl.
1774 | 0-4 Red Intensity (0-31)
1775 | 5-9 Green Intensity (0-31)
1776 | 10-14 Blue Intensity (0-31)
1777 | 15 Not used
1778 | ```
1779 |
1780 | ### Intensities
1781 |
1782 | Under normal circumstances (light source/viewing angle), the intensities 0-14
1783 | are practically all black, and only intensities 15-31 result in visible
1784 | medium..bright colors.
1785 |
1786 | Note: The intensity problem also appears in the 8bit CGB "compatibility"
1787 | mode. The original CGB display produced the opposite effect: Intensities 0-14
1788 | resulted in dark..medium colors, and intensities 15-31 resulted in bright
1789 | colors. Any "medium" colors of CGB games will appear invisible/black on GBA
1790 | hardware, and only very bright colors will be visible.
1791 |
1792 | ## LCD Dimensions and Timings
1793 |
1794 | ### Horizontal Dimensions
1795 |
1796 | The drawing time for each dot is 4 CPU cycles.
1797 |
1798 | ```
1799 | Visible 240 dots, 57.221 us, 960 cycles - 78% of h-time
1800 | H-Blanking 68 dots, 16.212 us, 272 cycles - 22% of h-time
1801 | Total 308 dots, 73.433 us, 1232 cycles - ca. 13.620 kHz
1802 | ```
1803 |
1804 | VRAM and Palette RAM may be accessed during H-Blanking. OAM can be accessed
1805 | only if the "H-Blank Interval Free" bit in the DISPCNT register is set.
1806 |
1807 | ### Vertical Dimensions
1808 |
1809 | ```
1810 | Visible (*) 160 lines, 11.749 ms, 197120 cycles - 70% of v-time
1811 | V-Blanking 68 lines, 4.994 ms, 83776 cycles - 30% of v-time
1812 | Total 228 lines, 16.743 ms, 280896 cycles - ca. 59.737 Hz
1813 | ```
1814 |
1815 | All VRAM, OAM, and Palette RAM may be accessed during V-Blanking.
1816 |
1817 | Note that no H-Blank interrupts are generated within V-Blank period.
1818 |
1819 | ### System Clock
1820 |
1821 | The system clock is 16.78MHz (16\*1024\*1024 Hz), one cycle is thus approx.
1822 | 59.59ns.
1823 |
1824 | (\*) Even though vertical screen size is 160 lines, the upper 8 lines are not
1825 | visible, these lines are covered by a shadow when holding the
1826 | GBA orientated towards a light source, the lines are effectively black - and
1827 | should not be used to display important information.
1828 |
1829 | ### Interlace
1830 |
1831 | The LCD display is using some sort of interlace in which even scanlines are
1832 | dimmed in each second frame, and odd scanlines are dimmed in each other frame
1833 | (it does always render ALL lines in ALL frames, but half of them are dimmed).
1834 |
1835 | The effect can be seen when displaying some horizontal lines in each second
1836 | frame, and hiding them in each other frame: the hardware will randomly show the
1837 | lines in dimmed or non-dimmed form (depending on whether the test was started
1838 | in an even or odd frame).
1839 |
1840 | Unknown if it's possible to determine the even/odd frame state by software (or
1841 | possibly to reset the hardware to this or that state by software).
1842 |
1843 | Note: The NDS is applying some sort of frameskip to GBA games, about every 3
1844 | seconds there will be a missing (or maybe: inserted) frame, ie. a GBA game that
1845 | is updating the display in sync with GBA interlace will get offsync on NDS
1846 | consoles.
1847 |
1848 | ## GBA Sound Controller
1849 |
1850 | The GBA supplies four 'analogue' sound channels for Tone and Noise (mostly
1851 | compatible to CGB sound), as well as two 'digital' sound channels (which can be
1852 | used to replay 8bit DMA sample data).
1853 |
1854 | - [GBA Sound Channel 1 - Tone & Sweep](#gbasoundchannel1tonesweep)
1855 | - [GBA Sound Channel 2 - Tone](#gbasoundchannel2tone)
1856 | - [GBA Sound Channel 3 - Wave Output](#gbasoundchannel3waveoutput)
1857 | - [GBA Sound Channel 4 - Noise](#gbasoundchannel4noise)
1858 | - [GBA Sound Channel A and B - DMA Sound](#gbasoundchannelaandbdmasound)
1859 |
1860 | - [GBA Sound Control Registers](#gbasoundcontrolregisters)
1861 | - [GBA Comparison of CGB and GBA Sound](#gbacomparisonofcgbandgbasound)
1862 |
1863 | The GBA includes only a single (mono) speaker built-in, each channel may be
1864 | output to either left and/or right channels by using the external line-out
1865 | connector (for stereo headphones, etc).
1866 |
1867 | ## GBA Sound Channel 1 - Tone & Sweep
1868 |
1869 | ### 4000060h - SOUND1CNT\_L (NR10) - Channel 1 Sweep register (R/W)
1870 |
1871 | ```
1872 | Bit Expl.
1873 | 0-2 R/W Number of sweep shift (n=0-7)
1874 | 3 R/W Sweep Frequency Direction (0=Increase, 1=Decrease)
1875 | 4-6 R/W Sweep Time; units of 7.8ms (0-7, min=7.8ms, max=54.7ms)
1876 | 7-15 - Not used
1877 | ```
1878 |
1879 | Sweep is disabled by setting Sweep Time to zero, if so, the direction bit
1880 | should be set.
1881 |
1882 | The change of frequency (NR13,NR14) at each shift is calculated by the
1883 | following formula where X(0) is initial freq & X(t-1) is last freq:
1884 |
1885 | ```
1886 | X(t) = X(t-1) +/- X(t-1)/2^n
1887 | ```
1888 |
1889 | ### 4000062h - SOUND1CNT\_H (NR11, NR12) - Channel 1 Duty/Len/Envelope (R/W)
1890 |
1891 | ```
1892 | Bit Expl.
1893 | 0-5 W Sound length; units of (64-n)/256s (0-63)
1894 | 6-7 R/W Wave Pattern Duty (0-3, see below)
1895 | 8-10 R/W Envelope Step-Time; units of n/64s (1-7, 0=No Envelope)
1896 | 11 R/W Envelope Direction (0=Decrease, 1=Increase)
1897 | 12-15 R/W Initial Volume of envelope (1-15, 0=No Sound)
1898 | ```
1899 |
1900 | Wave Duty:
1901 |
1902 | ```
1903 | 0: 12.5% ( -_______-_______-_______ )
1904 | 1: 25% ( --______--______--______ )
1905 | 2: 50% ( ----____----____----____ ) (normal)
1906 | 3: 75% ( ------__------__------__ )
1907 | ```
1908 |
1909 | The Length value is used only if Bit 6 in NR14 is set.
1910 |
1911 | ### 4000064h - SOUND1CNT\_X (NR13, NR14) - Channel 1 Frequency/Control (R/W)
1912 |
1913 | ```
1914 | Bit Expl.
1915 | 0-10 W Frequency; 131072/(2048-n)Hz (0-2047)
1916 | 11-13 - Not used
1917 | 14 R/W Length Flag (1=Stop output when length in NR11 expires)
1918 | 15 W Initial (1=Restart Sound)
1919 | 16-31 - Not used
1920 | ```
1921 |
1922 | ## GBA Sound Channel 2 - Tone
1923 |
1924 | This sound channel works exactly as channel 1, except that it doesn't have a
1925 | Tone Envelope/Sweep Register.
1926 |
1927 | ### 4000068h - SOUND2CNT\_L (NR21, NR22) - Channel 2 Duty/Length/Envelope (R/W)
1928 |
1929 | ### 400006Ah - Not used
1930 |
1931 | ### 400006Ch - SOUND2CNT\_H (NR23, NR24) - Channel 2 Frequency/Control (R/W)
1932 |
1933 | For details, refer to channel 1 description.
1934 |
1935 | ## GBA Sound Channel 3 - Wave Output
1936 |
1937 | This channel can be used to output digital sound, the length of the sample
1938 | buffer (Wave RAM) can be either 32 or 64 digits (4bit samples). This sound
1939 | channel can be also used to output normal tones when initializing the Wave RAM
1940 | by a square wave. This channel doesn't have a volume envelope register.
1941 |
1942 | ### 4000070h - SOUND3CNT\_L (NR30) - Channel 3 Stop/Wave RAM select (R/W)
1943 |
1944 | ```
1945 | Bit Expl.
1946 | 0-4 - Not used
1947 | 5 R/W Wave RAM Dimension (0=One bank/32 digits, 1=Two banks/64 digits)
1948 | 6 R/W Wave RAM Bank Number (0-1, see below)
1949 | 7 R/W Sound Channel 3 Off (0=Stop, 1=Playback)
1950 | 8-15 - Not used
1951 | ```
1952 |
1953 | The currently selected Bank Number (Bit 6) will be played back, while
1954 | reading/writing to/from wave RAM will address the other (not selected) bank.
1955 | When dimension is set to two banks, output will start by replaying the
1956 | currently selected bank.
1957 |
1958 | ### 4000072h - SOUND3CNT\_H (NR31, NR32) - Channel 3 Length/Volume (R/W)
1959 |
1960 | ```
1961 | Bit Expl.
1962 | 0-7 W Sound length; units of (256-n)/256s (0-255)
1963 | 8-12 - Not used.
1964 | 13-14 R/W Sound Volume (0=Mute/Zero, 1=100%, 2=50%, 3=25%)
1965 | 15 R/W Force Volume (0=Use above, 1=Force 75% regardless of above)
1966 | ```
1967 |
1968 | The Length value is used only if Bit 6 in NR34 is set.
1969 |
1970 | ### 4000074h - SOUND3CNT\_X (NR33, NR34) - Channel 3 Frequency/Control (R/W)
1971 |
1972 | ```
1973 | Bit Expl.
1974 | 0-10 W Sample Rate; 2097152/(2048-n) Hz (0-2047)
1975 | 11-13 - Not used
1976 | 14 R/W Length Flag (1=Stop output when length in NR31 expires)
1977 | 15 W Initial (1=Restart Sound)
1978 | 16-31 - Not used
1979 | ```
1980 |
1981 | The above sample rate specifies the number of wave RAM digits per second, the
1982 | actual tone frequency depends on the wave RAM content, for example:
1983 |
1984 | ```
1985 | Wave RAM, single bank 32 digits Tone Frequency
1986 | FFFFFFFFFFFFFFFF0000000000000000 65536/(2048-n) Hz
1987 | FFFFFFFF00000000FFFFFFFF00000000 131072/(2048-n) Hz
1988 | FFFF0000FFFF0000FFFF0000FFFF0000 262144/(2048-n) Hz
1989 | FF00FF00FF00FF00FF00FF00FF00FF00 524288/(2048-n) Hz
1990 | F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0 1048576/(2048-n) Hz
1991 | ```
1992 |
1993 | ### 4000090h - WAVE\_RAM0\_L - Channel 3 Wave Pattern RAM (W/R)
1994 |
1995 | ### 4000092h - WAVE\_RAM0\_H - Channel 3 Wave Pattern RAM (W/R)
1996 |
1997 | ### 4000094h - WAVE\_RAM1\_L - Channel 3 Wave Pattern RAM (W/R)
1998 |
1999 | ### 4000096h - WAVE\_RAM1\_H - Channel 3 Wave Pattern RAM (W/R)
2000 |
2001 | ### 4000098h - WAVE\_RAM2\_L - Channel 3 Wave Pattern RAM (W/R)
2002 |
2003 | ### 400009Ah - WAVE\_RAM2\_H - Channel 3 Wave Pattern RAM (W/R)
2004 |
2005 | ### 400009Ch - WAVE\_RAM3\_L - Channel 3 Wave Pattern RAM (W/R)
2006 |
2007 | ### 400009Eh - WAVE\_RAM3\_H - Channel 3 Wave Pattern RAM (W/R)
2008 |
2009 | This area contains 16 bytes (32 x 4bits) Wave Pattern data which is output by
2010 | channel 3. Data is played back ordered as follows: MSBs of 1st byte, followed
2011 | by LSBs of 1st byte, followed by MSBs of 2nd byte, and so on - this results in
2012 | a confusing ordering when filling Wave RAM in units of 16bit data - ie. samples
2013 | would be then located in Bits 4-7, 0-3, 12-15, 8-11.
2014 |
2015 | In the GBA, two Wave Patterns exist (each 32 x 4bits), either one may be
2016 | played (as selected in NR30 register), the other bank may be accessed by the
2017 | users. After all 32 samples have been played, output of the same bank (or other
2018 | bank, as specified in NR30) will be automatically restarted.
2019 |
2020 | Internally, Wave RAM is a giant shift-register, there is no pointer which is
2021 | addressing the currently played digit. Instead, the entire 128 bits are
2022 | shifted, and the 4 least significant bits are output.
2023 |
2024 | Thus, when reading from Wave RAM, data might have changed its position. And,
2025 | when writing to Wave RAM all data should be updated (it would not be a good
2026 | idea to assume that old data is still located at the same position where it
2027 | has been written to previously).
2028 |
2029 | ## GBA Sound Channel 4 - Noise
2030 |
2031 | This channel is used to output white noise. This is done by randomly switching
2032 | the amplitude between high and low at a given frequency. Depending on the
2033 | frequency the noise will appear 'harder' or 'softer'.
2034 |
2035 | It is also possible to influence the function of the random generator, so
2036 | that the output becomes more regular, resulting in a limited ability to output
2037 | Tone instead of Noise.
2038 |
2039 | ### 4000078h - SOUND4CNT\_L (NR41, NR42) - Channel 4 Length/Envelope (R/W)
2040 |
2041 | ```
2042 | Bit Expl.
2043 | 0-5 W Sound length; units of (64-n)/256s (0-63)
2044 | 6-7 - Not used
2045 | 8-10 R/W Envelope Step-Time; units of n/64s (1-7, 0=No Envelope)
2046 | 11 R/W Envelope Direction (0=Decrease, 1=Increase)
2047 | 12-15 R/W Initial Volume of envelope (1-15, 0=No Sound)
2048 | 16-31 - Not used
2049 | ```
2050 |
2051 | The Length value is used only if Bit 6 in NR44 is set.
2052 |
2053 | ### 400007Ch - SOUND4CNT\_H (NR43, NR44) - Channel 4 Frequency/Control (R/W)
2054 |
2055 | The amplitude is randomly switched between high and low at the given frequency.
2056 | A higher frequency will make the noise appear 'softer'.
2057 |
2058 | When Bit 3 is set, the output will become more regular, and some frequencies
2059 | will sound more like Tone than Noise.
2060 |
2061 | ```
2062 | Bit Expl.
2063 | 0-2 R/W Dividing Ratio of Frequencies (r)
2064 | 3 R/W Counter Step/Width (0=15 bits, 1=7 bits)
2065 | 4-7 R/W Shift Clock Frequency (s)
2066 | 8-13 - Not used
2067 | 14 R/W Length Flag (1=Stop output when length in NR41 expires)
2068 | 15 W Initial (1=Restart Sound)
2069 | 16-31 - Not used
2070 | ```
2071 |
2072 | Frequency = 524288 Hz / r / 2^(s+1) ;For r=0 assume r=0.5 instead
2073 |
2074 | ### Noise Random Generator (aka Polynomial Counter)
2075 |
2076 | Noise randomly switches between HIGH and LOW levels, the output levels are
2077 | calculated by a shift register (X), at the selected frequency, as such:
2078 |
2079 | ```
2080 | 7bit: X=X SHR 1, IF carry THEN Out=HIGH, X=X XOR 60h ELSE Out=LOW
2081 | 15bit: X=X SHR 1, IF carry THEN Out=HIGH, X=X XOR 6000h ELSE Out=LOW
2082 | ```
2083 |
2084 | The initial value when (re-)starting the sound is X=40h (7bit) or X=4000h
2085 | (15bit). The data stream repeats after 7Fh (7bit) or 7FFFh (15bit) steps.
2086 |
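The two shift-register rules and the frequency formula, written out as an added example in C (not code from the original document; the type and function names are this example's own). Running it confirms the stated repeat lengths of 7Fh and 7FFFh steps and shows how long the output stays LOW after a restart.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint16_t x;     /* shift register X */
    bool narrow;    /* Counter Step/Width bit: true = 7 bits, false = 15 bits */
} noise_lfsr;

/* (Re-)starting the sound loads X=40h (7bit) or X=4000h (15bit). */
void noise_restart(noise_lfsr *n, bool narrow)
{
    n->narrow = narrow;
    n->x = narrow ? 0x40 : 0x4000;
}

/* One step at the selected frequency. Returns 1 for HIGH, 0 for LOW. */
int noise_step(noise_lfsr *n)
{
    int carry = n->x & 1;               /* the bit shifted out by SHR 1 */
    n->x >>= 1;
    if (carry)
        n->x ^= n->narrow ? 0x60 : 0x6000;
    return carry;
}

/* Number of steps until X is back at its restart value. */
unsigned noise_period(bool narrow)
{
    noise_lfsr n;
    unsigned steps = 0;
    noise_restart(&n, narrow);
    uint16_t start = n.x;
    do {
        noise_step(&n);
        steps++;
    } while (n.x != start);
    return steps;
}

/* Number of HIGH outputs within one full period. */
unsigned noise_high_count(bool narrow)
{
    noise_lfsr n;
    unsigned highs = 0, period = noise_period(narrow);
    noise_restart(&n, narrow);
    for (unsigned i = 0; i < period; i++)
        highs += (unsigned)noise_step(&n);
    return highs;
}

/* 1-based index of the first HIGH output after a restart. */
unsigned noise_first_high(bool narrow)
{
    noise_lfsr n;
    unsigned i = 1;
    noise_restart(&n, narrow);
    while (!noise_step(&n))
        i++;
    return i;
}

/* Step frequency in Hz from SOUND4CNT_H: r = bits 0-2, s = bits 4-7. */
double noise_step_hz(uint16_t cnt_h)
{
    unsigned r = cnt_h & 7u, s = (cnt_h >> 4) & 15u;
    double ratio = r ? (double)r : 0.5;  /* for r=0 assume r=0.5 instead */
    return 524288.0 / ratio / (double)(1u << (s + 1));
}

int main(void)
{
    printf("7bit:  period %u, %u HIGH, first HIGH at step %u\n",
           noise_period(true), noise_high_count(true), noise_first_high(true));
    printf("15bit: period %u, %u HIGH, first HIGH at step %u\n",
           noise_period(false), noise_high_count(false), noise_first_high(false));
    printf("r=2, s=1: %.0f Hz\n", noise_step_hz(0x0012));
    return 0;
}
```
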
2087 | ## GBA Sound Channel A and B - DMA Sound
2088 |
2089 | The GBA contains two DMA sound channels (A and B), each allowing to replay
2090 | digital sound (signed 8bit data, ie. -128..+127). Data can be transferred from
2091 | INTERNAL memory (not sure if EXTERNAL memory works also ?) to FIFO by using DMA
2092 | channel 1 or 2, the sample rate is generated by using one of the Timers.
2093 |
2094 | ### 40000A0h - FIFO\_A\_L - Sound A FIFO, Data 0 and Data 1 (W)
2095 |
2096 | ### 40000A2h - FIFO\_A\_H - Sound A FIFO, Data 2 and Data 3 (W)
2097 |
2098 | These two registers may receive 32bit (4 bytes) of audio data (Data 0-3, Data 0
2099 | being located in least significant byte which is replayed first).
2100 |
2101 | Internally, the capacity of the FIFO is 8 x 32bit (32 bytes), allowing to
2102 | buffer a small amount of samples. As the name says (First In First Out), oldest
2103 | data is replayed first.
2104 |
2105 | ### 40000A4h - FIFO\_B\_L - Sound B FIFO, Data 0 and Data 1 (W)
2106 |
2107 | ### 40000A6h - FIFO\_B\_H - Sound B FIFO, Data 2 and Data 3 (W)
2108 |
2109 | Same as above, for Sound B.
2110 |
2111 | ### Initializing DMA-Sound Playback
2112 |
2113 | - Select Timer 0 or 1 in SOUNDCNT\_H control register.
2114 |
2115 | - Clear the FIFO.
2116 |
2117 | - Manually write a sample byte to the FIFO.
2118 |
2119 | - Initialize transfer mode for DMA 1 or 2.
2120 |
2121 | - Initialize DMA Sound settings in sound control register.
2122 |
2123 | - Start the timer.
2124 |
2125 | ### DMA-Sound Playback Procedure
2126 |
2127 | The pseudo-procedure below is automatically repeated.
2128 |
2129 | ```
2130 | If Timer overflows then
2131 | Move 8bit data from FIFO to sound circuit.
2132 | If FIFO contains only 4 x 32bits (16 bytes) then
2133 | Request more data per DMA
2134 | Receive 4 x 32bit (16 bytes) per DMA
2135 | Endif
2136 | Endif
2137 | ```
2138 |
2139 | This playback mechanism will be repeated forever, regardless of the actual
2140 | length of the sample buffer.
2141 |
2142 | ### Synchronizing Sample Buffers
2143 |
2144 | The buffer-end may be determined by counting sound Timer IRQs (each sample
2145 | byte), or sound DMA IRQs (each 16th sample byte). Both methods would require a
2146 | lot of CPU time (IRQ processing), and both would fail if interrupts are
2147 | disabled for a longer period.
2148 |
2149 | Better solutions would be to synchronize the sample rate/buffer length with
2150 | V-blanks, or to use a second timer (in count up/slave mode) which produces an
2151 | IRQ after the desired number of samples.
2152 |
2153 | ### The Sample Rate
2154 |
2155 | The GBA hardware does internally re-sample all sound output to 32.768kHz
2156 | (default SOUNDBIAS setting). It thus does not make much sense to use higher
2157 | DMA/Timer rates. Best re-sampling accuracy can be gained by using DMA/Timer
2158 | rates of 32.768kHz, 16.384kHz, or 8.192kHz (ie. fragments of the physical
2159 | output rate).
2160 |
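One way to apply the V-Blank suggestion from "Synchronizing Sample Buffers", as an added example rather than code from the original document: pick a timer reload so that one video frame (280896 cycles, see LCD Dimensions and Timings) holds a whole number of samples, optionally a multiple of the 16 bytes fetched per DMA request. It assumes prescaler F/1, where a timer overflows every 10000h minus reload cycles; the names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CPU_HZ           16777216u /* system clock, 16*1024*1024 Hz */
#define CYCLES_PER_FRAME 280896u   /* 228 lines x 1232 cycles */
#define DMA_BLOCK        16u       /* bytes fetched per FIFO DMA request */

typedef struct {
    unsigned period;            /* CPU cycles per sample, prescaler F/1 */
    uint16_t reload;            /* TMxCNT_L value: 10000h - period */
    unsigned samples_per_frame; /* sample bytes played per video frame */
    double   rate_hz;           /* resulting sample rate */
} vsync_rate;

/* Find the timer period closest to the one target_hz would need, restricted
 * to periods that divide the frame length exactly. With whole_dma_blocks set,
 * the per-frame buffer must also be a multiple of DMA_BLOCK bytes. */
vsync_rate vsync_rate_near(unsigned target_hz, bool whole_dma_blocks)
{
    vsync_rate best = {0};
    unsigned best_diff = ~0u;
    if (target_hz == 0)
        return best;
    unsigned ideal = (CPU_HZ + target_hz / 2u) / target_hz;

    for (unsigned p = 1; p <= 0x10000u; p++) {
        if (CYCLES_PER_FRAME % p)
            continue;               /* frame would end mid-sample */
        unsigned n = CYCLES_PER_FRAME / p;
        if (whole_dma_blocks && n % DMA_BLOCK)
            continue;               /* frame would end mid-DMA-block */
        unsigned diff = p > ideal ? p - ideal : ideal - p;
        if (diff < best_diff) {
            best_diff = diff;
            best.period = p;
            best.reload = (uint16_t)(0x10000u - p);
            best.samples_per_frame = n;
            best.rate_hz = (double)CPU_HZ / p;
        }
    }
    return best;
}

int main(void)
{
    const unsigned targets[] = { 32768u, 18157u, 16384u, 8192u };
    for (unsigned i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        vsync_rate r = vsync_rate_near(targets[i], true);
        printf("target %5u Hz -> reload %04Xh, %u cycles/sample, "
               "%u samples/frame, %.2f Hz\n", targets[i], (unsigned)r.reload,
               r.period, r.samples_per_frame, r.rate_hz);
    }
    return 0;
}
```
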
2161 | ## GBA Sound Control Registers
2162 |
2163 | ### 4000080h - SOUNDCNT\_L (NR50, NR51) - Channel L/R Volume/Enable (R/W)
2164 |
2165 | ```
2166 | Bit Expl.
2167 | 0-2 R/W Sound 1-4 Master Volume RIGHT (0-7)
2168 | 3 - Not used
2169 | 4-6 R/W Sound 1-4 Master Volume LEFT (0-7)
2170 | 7 - Not used
2171 | 8-11 R/W Sound 1-4 Enable Flags RIGHT (each Bit 8-11, 0=Disable, 1=Enable)
2172 | 12-15 R/W Sound 1-4 Enable Flags LEFT (each Bit 12-15, 0=Disable, 1=Enable)
2173 | ```
2174 |
2175 | ### 4000082h - SOUNDCNT\_H (GBA only) - DMA Sound Control/Mixing (R/W)
2176 |
2177 | ```
2178 | Bit Expl.
2179 | 0-1 R/W Sound # 1-4 Volume (0=25%, 1=50%, 2=100%, 3=Prohibited)
2180 | 2 R/W DMA Sound A Volume (0=50%, 1=100%)
2181 | 3 R/W DMA Sound B Volume (0=50%, 1=100%)
2182 | 4-7 - Not used
2183 | 8 R/W DMA Sound A Enable RIGHT (0=Disable, 1=Enable)
2184 | 9 R/W DMA Sound A Enable LEFT (0=Disable, 1=Enable)
2185 | 10 R/W DMA Sound A Timer Select (0=Timer 0, 1=Timer 1)
2186 | 11 W? DMA Sound A Reset FIFO (1=Reset)
2187 | 12 R/W DMA Sound B Enable RIGHT (0=Disable, 1=Enable)
2188 | 13 R/W DMA Sound B Enable LEFT (0=Disable, 1=Enable)
2189 | 14 R/W DMA Sound B Timer Select (0=Timer 0, 1=Timer 1)
2190 | 15 W? DMA Sound B Reset FIFO (1=Reset)
2191 | ```
2192 |
2193 | ### 4000084h - SOUNDCNT\_X (NR52) - Sound on/off (R/W)
2194 |
2195 | Bits 0-3 are automatically set when starting sound output, and are
2196 | automatically cleared when a sound ends. (Ie. when the length expires, as far
2197 | as length is enabled. The bits are NOT reset when a volume envelope ends.)
2198 |
2199 | ```
2200 | Bit Expl.
2201 | 0 R Sound 1 ON flag (Read Only)
2202 | 1 R Sound 2 ON flag (Read Only)
2203 | 2 R Sound 3 ON flag (Read Only)
2204 | 3 R Sound 4 ON flag (Read Only)
2205 | 4-6 - Not used
2206 | 7 R/W PSG/FIFO Master Enable (0=Disable, 1=Enable) (Read/Write)
2207 | 8-31 - Not used
2208 | ```
2209 |
2210 | While Bit 7 is cleared, both PSG and FIFO sounds are disabled, and all PSG
2211 | registers at 4000060h..4000081h are reset to zero (and must be re-initialized
2212 | after re-enabling sound). However, registers 4000082h and 4000088h are kept
2213 | read/write-able (of which, 4000082h has no function when sound is off, whilst
2214 | 4000088h does work even when sound is off).
2215 |
2216 | ### 4000088h - SOUNDBIAS - Sound PWM Control (R/W, see below)
2217 |
2218 | This register controls the final sound output. The default setting is 0200h, it
2219 | is normally not required to change this value.
2220 |
2221 | ```
2222 | Bit Expl.
2223 | 0 - Not used
2224 | 1-9 R/W Bias Level (Default=100h, converting signed samples into unsigned)
2225 | 10-13 - Not used
2226 | 14-15 R/W Amplitude Resolution/Sampling Cycle (Default=0, see below)
2227 | 16-31 - Not used
2228 | ```
2229 |
2230 | Amplitude Resolution/Sampling Cycle (0-3):
2231 |
2232 | ```
2233 | 0 9bit / 32.768kHz (Default, best for DMA channels A,B)
2234 | 1 8bit / 65.536kHz
2235 | 2 7bit / 131.072kHz
2236 | 3 6bit / 262.144kHz (Best for PSG channels 1-4)
2237 | ```
2238 |
2239 | For more information on this register, read the descriptions below.
2240 |
2241 | ### 400008Ch - Not used
2242 |
2243 | ### 400008Eh - Not used
2244 |
2245 | ### Max Output Levels (with max volume settings)
2246 |
2247 | Each of the two FIFOs can span the FULL output range (+/-200h).
2248 |
2249 | Each of the four PSGs can span one QUARTER of the output range (+/-80h).
2250 |
2251 | The current output levels of all six channels are added together by hardware.
2252 |
2253 | So together, the FIFOs and PSGs, could reach THRICE the range (+/-600h).
2254 |
2255 | The BIAS value is added to that signed value. With default BIAS (200h), the
2256 | possible range becomes -400h..+800h, however, values that exceed the unsigned
2257 | 10bit output range of 0..3FFh are clipped to MinMax(0,3FFh).
2258 |
2259 | ### Resampling to 32.768kHz / 9bit (default)
2260 |
2261 | The PSG channels 1-4 are internally generated at 262.144kHz, and DMA sound A-B
2262 | could be theoretically generated at timer rates up to 16.78MHz. However, the
2263 | final sound output is resampled to a rate of 32.768kHz, at 9bit depth (the
2264 | above 10bit value, divided by two). If necessary, rates higher than 32.768kHz
2265 | can be selected in the SOUNDBIAS register, that would result in a depth smaller
2266 | than 9bit though.
2267 |
2268 | ### PWM (Pulse Width Modulation) Output 16.78MHz / 1bit
2269 |
2270 | Okay, now comes the actual output. The GBA can output only two voltages (low
2271 | and high), these 'bits' are output at system clock speed (16.78MHz). If using
2272 | the default 32.768kHz sampling rate, then 512 bits are output per sample
2273 | (512\*32K=16M). Each sample value (9bit range, N=0..511), would be then output
2274 | as N low bits, followed by 512-N high bits. The resulting 'noise' is smoothed
2275 | down by capacitors, by the speaker, and by human hearing, so that it will
2276 | effectively sound like clean D/A converted 9bit voltages at 32kHz sampling
2277 | rate.
2278 |
2279 | ### Changing the BIAS Level
2280 |
2281 | Normally use 200h for clean sound output. A value of 000h might make sense
2282 | during periods when no sound is output (causing the PWM circuit to output
2283 | low-bits only, which is eventually reducing the power consumption, and/or
2284 | preventing 32KHz noise). Note: Using the SoundBias function (SWI 19h) allows
2285 | changing the level by slowly incrementing or decrementing it (without hard
2286 | scratch noise).
2287 |
2288 | ### Low Power Mode
2289 |
2290 | When not using sound output, power consumption can be reduced by setting both
2291 | 4000084h (PSG/FIFO) and 4000088h (BIAS) to zero.
2292 |
2293 | ## GBA Comparison of CGB and GBA Sound
2294 |
2295 | The GBA sound controller is mostly the same as that of the older monochrome
2296 | gameboy and CGB. The following changes have been made:
2297 |
2298 | ### New Sound Channels
2299 |
2300 | Two new sound channels have been added that may be used to replay 8bit digital
2301 | sound. Sample rate and sample data must be supplied by using a Timer and a DMA
2302 | channel.
2303 |
2304 | ### New Control Registers
2305 |
2306 | The SOUNDCNT\_H register controls the new DMA channels - as well as mixing with
2307 | the four old channels. The SOUNDBIAS register controls the final sound output.
2308 |
2309 | ### Sound Channel 3 Changes
2310 |
2311 | The length of the Wave RAM is doubled by dividing it into two banks of 32
2312 | digits each, either one or both banks may be replayed (one after each other),
2313 | for details check NR30 Bit 5-6. Optionally, the sound may be output at 75%
2314 | volume, for details check NR32 Bit 7.
2315 |
2316 | ### Changed Control Registers
2317 |
2318 | NR50 is not supporting Vin signals (that's been an external sound input from
2319 | cartridge).
2320 |
2321 | ### Changed I/O Addresses
2322 |
2323 | The GBA's sound registers are located at 04000060-040000AE instead of at
2324 | FF10-FF3F as in CGB and monochrome gameboy. However, note that there have been
2325 | new blank spaces inserted between some of the separate registers - therefore it
2326 | is NOT possible to port CGB software to GBA just by changing the sound base
2327 | address.
2328 |
2329 | ### Accessing I/O Registers
2330 |
2331 | In some cases two of the old 8bit registers are packed into a 16bit register
2332 | and may be accessed as such.
2333 |
2334 | ## GBA Timers
2335 |
2336 | The GBA includes four incrementing 16bit timers.
2337 |
2338 | Timer 0 and 1 can be used to supply the sample rate for DMA sound channel A
2339 | and/or B.
2340 |
2341 | ### 4000100h - TM0CNT\_L - Timer 0 Counter/Reload (R/W)
2342 |
2343 | ### 4000104h - TM1CNT\_L - Timer 1 Counter/Reload (R/W)
2344 |
2345 | ### 4000108h - TM2CNT\_L - Timer 2 Counter/Reload (R/W)
2346 |
2347 | ### 400010Ch - TM3CNT\_L - Timer 3 Counter/Reload (R/W)
2348 |
2349 | Writing to these registers initializes the reload value (but does not
2350 | directly affect the current counter value). Reading returns the current
2351 | counter value (or the recent/frozen counter value if the timer has been
2352 | stopped).
2353 |
2354 | The reload value is copied into the counter only in the following two
2355 | situations: automatically upon timer overflows, or when the timer start bit
2356 | changes from 0 to 1.
2357 |
2358 | Note: When simultaneously changing the start bit from 0 to 1, and setting the
2359 | reload value at the same time (by a single 32bit I/O operation), then the newly
2360 | written reload value is recognized as new counter value.
2361 |
2362 | ### 4000102h - TM0CNT\_H - Timer 0 Control (R/W)
2363 |
2364 | ### 4000106h - TM1CNT\_H - Timer 1 Control (R/W)
2365 |
2366 | ### 400010Ah - TM2CNT\_H - Timer 2 Control (R/W)
2367 |
2368 | ### 400010Eh - TM3CNT\_H - Timer 3 Control (R/W)
2369 |
2370 | ```
2371 | Bit Expl.
2372 | 0-1 Prescaler Selection (0=F/1, 1=F/64, 2=F/256, 3=F/1024)
2373 | 2 Count-up Timing (0=Normal, 1=See below) ;Not used in TM0CNT_H
2374 | 3-5 Not used
2375 | 6 Timer IRQ Enable (0=Disable, 1=IRQ on Timer overflow)
2376 | 7 Timer Start/Stop (0=Stop, 1=Operate)
2377 | 8-15 Not used
2378 | ```
2379 |
2380 | When Count-up Timing is enabled, the prescaler value is ignored, instead the
2381 | timer is incremented each time the previous timer overflows. This
2382 | function cannot be used for Timer 0 (as it is the first timer).
2383 |
2384 | F = System Clock (16.78MHz).
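
The reload, start-bit and count-up rules above, as a small host-side C model of the four timers. This is an added example, not code from GBATEK or no$gba; the struct and function names are hypothetical, and F is assumed to be exactly 16777216 Hz.

```c
#include <stdint.h>
#include <stdio.h>

#define GBA_CLOCK_HZ 16777216u   /* assumed exact value of F (16.78MHz) */

/* TMxCNT_H bits from the table above */
#define TM_PRESCALER 0x0003u     /* bits 0-1 */
#define TM_COUNT_UP  0x0004u     /* bit 2, ignored for timer 0 */
#define TM_IRQ       0x0040u     /* bit 6 */
#define TM_START     0x0080u     /* bit 7 */

static const uint32_t tm_div[4] = { 1, 64, 256, 1024 };

typedef struct {
    uint16_t reload;    /* latch written through TMxCNT_L */
    uint16_t counter;   /* value read back through TMxCNT_L */
    uint16_t control;   /* TMxCNT_H */
    uint32_t prescale;  /* system clocks since the last increment */
    unsigned irqs;      /* overflow IRQs raised so far */
} gba_timer;

/* TMxCNT_L write: only the reload latch changes, never the counter. */
static void timer_write_reload(gba_timer *t, uint16_t v) { t->reload = v; }

/* TMxCNT_H write: a 0->1 edge on the start bit copies reload into counter. */
static void timer_write_control(gba_timer *t, uint16_t v) {
    v &= TM_PRESCALER | TM_COUNT_UP | TM_IRQ | TM_START;
    if (!(t->control & TM_START) && (v & TM_START)) {
        t->counter = t->reload;
        t->prescale = 0;
    }
    t->control = v;
}

/* Single 32bit write to TMxCNT_L/H: the reload half is applied first, so a
   simultaneous start uses the newly written reload as the counter value. */
static void timer_write32(gba_timer *t, uint32_t v) {
    timer_write_reload(t, (uint16_t)v);
    timer_write_control(t, (uint16_t)(v >> 16));
}

/* Increment once; on overflow reload the counter and report it. */
static int timer_increment(gba_timer *t) {
    t->counter++;
    if (t->counter != 0) return 0;
    t->counter = t->reload;
    if (t->control & TM_IRQ) t->irqs++;
    return 1;
}

/* Advance timers 0-3 by a number of system clocks. */
static void timers_run(gba_timer tm[4], uint32_t clocks) {
    while (clocks--) {
        int prev_overflow = 0;
        for (int i = 0; i < 4; i++) {
            gba_timer *t = &tm[i];
            int overflow = 0;
            if (t->control & TM_START) {
                if (i > 0 && (t->control & TM_COUNT_UP)) {
                    /* count-up: prescaler ignored, tick on previous overflow */
                    if (prev_overflow) overflow = timer_increment(t);
                } else if (++t->prescale == tm_div[t->control & TM_PRESCALER]) {
                    t->prescale = 0;
                    overflow = timer_increment(t);
                }
            }
            prev_overflow = overflow;
        }
    }
}

/* Reload value that makes a timer overflow `hz` times per second, or -1 if
   the rate is not reachable with prescaler selection `sel`. */
static int32_t timer_reload_for_rate(uint32_t hz, unsigned sel) {
    if (hz == 0 || sel > 3) return -1;
    uint64_t ticks = GBA_CLOCK_HZ / ((uint64_t)tm_div[sel] * hz);
    if (ticks == 0 || ticks > 0x10000u) return -1;
    return (int32_t)(0x10000u - ticks);
}

int main(void) {
    gba_timer tm[4] = {0};
    timer_write_reload(&tm[0], 0xFFF0);
    timer_write_control(&tm[0], TM_START | TM_IRQ);
    timer_write_control(&tm[1], TM_START | TM_COUNT_UP);
    timers_run(tm, 16);   /* 16 clocks at F/1 overflow timer 0 once */
    printf("TM0=%04X TM1=%04X irqs=%u\n",
           (unsigned)tm[0].counter, (unsigned)tm[1].counter, tm[0].irqs);
    printf("reload for 65536 Hz at F/1: %04X\n",
           (unsigned)timer_reload_for_rate(65536, 0));
    return 0;
}
```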
2385 |
2386 | ## GBA DMA Transfers
2387 |
2388 | ### Overview
2389 |
2390 | The GBA includes four DMA channels, the highest priority is assigned to DMA0,
2391 | followed by DMA1, DMA2, and DMA3. DMA Channels with lower priority are paused
2392 | until channels with higher priority have completed.
2393 |
2394 | The CPU is paused when DMA transfers are active, however, the CPU is operating
2395 | during the periods when Sound/Blanking DMA transfers are paused.
2396 |
2397 | ### Special features of the separate DMA channels
2398 |
2399 | DMA0 - highest priority, best for timing critical transfers (eg. HBlank DMA).
2400 |
2401 | DMA1 and DMA2 - can be used to feed digital sample data to the Sound FIFOs.
2402 |
2403 | DMA3 - can be used to write to Game Pak ROM/FlashROM (but not GamePak SRAM).
2404 |
2405 | Besides that, each of DMA 0-3 may be used for any general purpose.
2406 |
2407 | ### 40000B0h,0B2h - DMA0SAD - DMA 0 Source Address (W) (internal memory)
2408 |
2409 | ### 40000BCh,0BEh - DMA1SAD - DMA 1 Source Address (W) (any memory)
2410 |
2411 | ### 40000C8h,0CAh - DMA2SAD - DMA 2 Source Address (W) (any memory)
2412 |
2413 | ### 40000D4h,0D6h - DMA3SAD - DMA 3 Source Address (W) (any memory)
2414 |
2415 | The most significant address bits are ignored, only the least significant 27 or
2416 | 28 bits are used (max 07FFFFFFh internal memory, or max 0FFFFFFFh any memory -
2417 | except SRAM ?!).
2418 |
2419 | ### 40000B4h,0B6h - DMA0DAD - DMA 0 Destination Address (W) (internal memory)
2420 |
2421 | ### 40000C0h,0C2h - DMA1DAD - DMA 1 Destination Address (W) (internal memory)
2422 |
2423 | ### 40000CCh,0CEh - DMA2DAD - DMA 2 Destination Address (W) (internal memory)
2424 |
2425 | ### 40000D8h,0DAh - DMA3DAD - DMA 3 Destination Address (W) (any memory)
2426 |
2427 | The most significant address bits are ignored, only the least significant 27 or
2428 | 28 bits are used (max. 07FFFFFFh internal memory or 0FFFFFFFh any memory -
2429 | except SRAM ?!).
2430 |
2431 | ### 40000B8h - DMA0CNT\_L - DMA 0 Word Count (W) (14 bit, 1..4000h)
2432 |
2433 | ### 40000C4h - DMA1CNT\_L - DMA 1 Word Count (W) (14 bit, 1..4000h)
2434 |
2435 | ### 40000D0h - DMA2CNT\_L - DMA 2 Word Count (W) (14 bit, 1..4000h)
2436 |
2437 | ### 40000DCh - DMA3CNT\_L - DMA 3 Word Count (W) (16 bit, 1..10000h)
2438 |
2439 | Specifies the number of data units to be transferred, each unit is 16bit or
2440 | 32bit depending on the transfer type, a value of zero is treated as max length
2441 | (ie. 4000h, or 10000h for DMA3).
2442 |
2443 | ### 40000BAh - DMA0CNT\_H - DMA 0 Control (R/W)
2444 |
2445 | ### 40000C6h - DMA1CNT\_H - DMA 1 Control (R/W)
2446 |
2447 | ### 40000D2h - DMA2CNT\_H - DMA 2 Control (R/W)
2448 |
2449 | ### 40000DEh - DMA3CNT\_H - DMA 3 Control (R/W)
2450 |
2451 | ```
2452 | Bit Expl.
2453 | 0-4 Not used
2454 | 5-6 Dest Addr Control (0=Increment,1=Decrement,2=Fixed,3=Increment/Reload)
2455 | 7-8 Source Adr Control (0=Increment,1=Decrement,2=Fixed,3=Prohibited)
2456 | 9 DMA Repeat (0=Off, 1=On) (Must be zero if Bit 11 set)
2457 | 10 DMA Transfer Type (0=16bit, 1=32bit)
2458 | 11 Game Pak DRQ - DMA3 only - (0=Normal, 1=DRQ Game Pak, DMA3)
2459 | 12-13 DMA Start Timing (0=Immediately, 1=VBlank, 2=HBlank, 3=Special)
2460 | The 'Special' setting (Start Timing=3) depends on the DMA channel:
2461 | DMA0=Prohibited, DMA1/DMA2=Sound FIFO, DMA3=Video Capture
2462 | 14 IRQ upon end of Word Count (0=Disable, 1=Enable)
2463 | 15 DMA Enable (0=Off, 1=On)
2464 | ```
2465 |
2466 | After changing the Enable bit from 0 to 1, wait 2 clock cycles before accessing
2467 | any DMA related registers.
2468 |
2469 | When accessing OAM (7000000h) or OBJ VRAM (6010000h) by HBlank Timing, then the
2470 | "H-Blank Interval Free" bit in DISPCNT register must be set.
2471 |
2472 | ### Source and Destination Address and Word Count Registers
2473 |
2474 | The SAD, DAD, and CNT\_L registers are holding the initial start addresses, and
2475 | initial length. The hardware does NOT change the content of these registers
2476 | during or after the transfer.
2477 |
2478 | The actual transfer takes place by using internal pointer/counter registers.
2479 | The initial values are copied into internal regs under the following
2480 | circumstances:
2481 |
2482 | Upon DMA Enable (Bit 15) changing from 0 to 1: Reloads SAD, DAD, CNT\_L.
2483 |
2484 | Upon Repeat: Reloads CNT\_L, and optionally DAD (Increment+Reload).
2485 |
2486 | ### DMA Repeat bit
2487 |
2488 | If the Repeat bit is cleared: The Enable bit is automatically cleared after the
2489 | specified number of data units has been transferred.
2490 |
2491 | If the Repeat bit is set: The Enable bit remains set after the transfer, and
2492 | the transfer will be restarted each time when the Start condition (eg. HBlank,
2493 | Fifo) becomes true. The specified number of data units is transferred
2494 | each time when the transfer is (re-)started. The transfer will be
2495 | repeated forever, until it gets stopped by software.
2496 |
2497 | ### Sound DMA (FIFO Timing Mode) (DMA1 and DMA2 only)
2498 |
2499 | In this mode, the DMA Repeat bit must be set, and the destination address must
2500 | be FIFO\_A (040000A0h) or FIFO\_B (040000A4h).
2501 |
2502 | Upon DMA request from sound controller, 4 units of 32bits (16 bytes) are
2503 | transferred (both Word Count register and DMA Transfer Type bit are ignored).
2504 | The destination address will not be incremented in FIFO mode.
2505 |
2506 | Keep in mind that DMA channels of higher priority may hold off sound DMA. For
2507 | example, when using a 64 kHz sample rate, 16 bytes of sound DMA data are
2508 | requested each 0.25ms (4 kHz), at this time another 16 bytes are still in the
2509 | FIFO so that there's still 0.25ms time to satisfy the DMA request. Thus DMAs
2510 | with higher priority should not be operated for longer than 0.25ms. (This
2511 | problem does not arise for HBlank transfers as HBlank time is limited to
2512 | 16.212us.)
2513 |
2514 | ### Game Pak DMA
2515 |
2516 | Only DMA 3 may be used to transfer data to/from Game Pak ROM or Flash ROM - it
2517 | cannot access Game Pak SRAM though (as SRAM data bus is limited to 8bit units).
2518 | In normal mode, DMA is requested until Word Count becomes zero. When
2519 | setting the 'Game Pak DRQ' bit, then the cartridge must contain an external
2520 | circuit which outputs a /DREQ signal. Note that there is only one pin for /DREQ
2521 | and /IREQ, thus the cartridge may not supply /IREQs while using DRQ mode.
2522 |
2523 | ### Video Capture Mode (DMA3 only)
2524 |
2525 | Intended to copy a bitmap from memory (or from external hardware/camera) to
2526 | VRAM. When using this transfer mode, set the repeat bit, and write the number
2527 | of data units (per scanline) to the word count register. Capture works
2528 | similarly to HBlank DMA, however, the transfer is started when VCOUNT=2, it is then
2529 | repeated each scanline, and it gets stopped when VCOUNT=162.
2530 |
2531 | ### Transfer End
2532 |
2533 | The DMA Enable flag (Bit 15) is automatically cleared upon completion of the
2534 | transfer. The user may also clear this bit manually in order to stop the
2535 | transfer (obviously this is possible for Sound/Blanking DMAs only, in all other
2536 | cases the CPU is stopped until the transfer completes by itself).
2537 |
2538 | ### Transfer Rate/Timing
2539 |
2540 | Except for the first data unit, all units are transferred by sequential reads
2541 | and writes. For n data units, the DMA transfer time is:
2542 |
2543 | ```
2544 | 2N+2(n-1)S+xI
2545 | ```
2546 |
2547 | Of which, 1N+(n-1)S are read cycles, and the other 1N+(n-1)S are write cycles,
2548 | actual number of cycles depends on the waitstates and bus-width of the source
2549 | and destination areas (as described in CPU Instruction Cycle Times chapter).
2550 | Internal time for DMA processing is 2I (normally), or 4I (if both source and
2551 | destination are in gamepak memory area).
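
The restrictions scattered through the DMA register descriptions above, collected into one host-side C check that can be run on a DMAxCNT_H value before it is written. This is an added example, not code from GBATEK; the function names and DMA_ERR_* flags are hypothetical, and `dma_cycles` expects the caller to supply the N/S cycle costs of the source and destination areas.

```c
#include <stdint.h>
#include <stdio.h>

/* DMAxCNT_H fields, as laid out in the bit table above */
#define DMA_UNUSED_BITS  0x001Fu
#define DMA_SRC_CTRL(v)  (((v) >> 7) & 3u)
#define DMA_REPEAT       (1u << 9)
#define DMA_32BIT        (1u << 10)
#define DMA_GAMEPAK_DRQ  (1u << 11)
#define DMA_TIMING(v)    (((v) >> 12) & 3u)
#define DMA_ENABLE       (1u << 15)

#define FIFO_A 0x040000A0u
#define FIFO_B 0x040000A4u

/* Hypothetical finding flags returned by dma_check() */
enum {
    DMA_ERR_UNUSED_BITS     = 1 << 0,  /* bits 0-4 are not used */
    DMA_ERR_SRC_PROHIBITED  = 1 << 1,  /* source control 3 */
    DMA_ERR_DRQ_NOT_DMA3    = 1 << 2,  /* bit 11 on DMA0-2 */
    DMA_ERR_DRQ_WITH_REPEAT = 1 << 3,  /* bit 9 must be zero if bit 11 set */
    DMA_ERR_COUNT_TOO_WIDE  = 1 << 4,  /* more than 14 bits on DMA0-2 */
    DMA_ERR_SPECIAL_ON_DMA0 = 1 << 5,  /* start timing 3 on DMA0 */
    DMA_ERR_NEEDS_REPEAT    = 1 << 6,  /* FIFO/capture mode without repeat */
    DMA_ERR_FIFO_DEST       = 1 << 7   /* FIFO mode, dest not FIFO_A/FIFO_B */
};

/* Address bits the hardware actually uses: 27 (internal) or 28 (any memory) */
static uint32_t dma_src_mask(int ch)  { return ch == 0 ? 0x07FFFFFFu : 0x0FFFFFFFu; }
static uint32_t dma_dest_mask(int ch) { return ch == 3 ? 0x0FFFFFFFu : 0x07FFFFFFu; }

/* Number of data units for a CNT_L value; zero means maximum length. */
static uint32_t dma_unit_count(int ch, uint16_t cnt_l) {
    uint32_t max = (ch == 3) ? 0x10000u : 0x4000u;
    uint32_t n = cnt_l & (max - 1);
    return n ? n : max;
}

/* Returns 0 if the setup respects every rule listed in this section. */
static unsigned dma_check(int ch, uint32_t dad, uint16_t cnt_l, uint16_t cnt_h) {
    unsigned err = 0;
    if (ch < 0 || ch > 3) return ~0u;
    if (cnt_h & DMA_UNUSED_BITS) err |= DMA_ERR_UNUSED_BITS;
    if (DMA_SRC_CTRL(cnt_h) == 3) err |= DMA_ERR_SRC_PROHIBITED;
    if (cnt_h & DMA_GAMEPAK_DRQ) {
        if (ch != 3) err |= DMA_ERR_DRQ_NOT_DMA3;
        if (cnt_h & DMA_REPEAT) err |= DMA_ERR_DRQ_WITH_REPEAT;
    }
    if (ch != 3 && cnt_l > 0x3FFFu) err |= DMA_ERR_COUNT_TOO_WIDE;
    if (DMA_TIMING(cnt_h) == 3) {
        if (ch == 0) {
            err |= DMA_ERR_SPECIAL_ON_DMA0;
        } else {
            /* DMA1/2 = Sound FIFO, DMA3 = Video Capture: both need repeat */
            if (!(cnt_h & DMA_REPEAT)) err |= DMA_ERR_NEEDS_REPEAT;
            if (ch != 3) {
                uint32_t d = dad & dma_dest_mask(ch);
                if (d != FIFO_A && d != FIFO_B) err |= DMA_ERR_FIFO_DEST;
            }
        }
    }
    return err;
}

/* 2N+2(n-1)S+xI, split into the read side and the write side.
   x is 2 normally, 4 if both source and destination are gamepak memory. */
static uint32_t dma_cycles(uint32_t n, uint32_t rd_n, uint32_t rd_s,
                           uint32_t wr_n, uint32_t wr_s, int both_gamepak) {
    if (n == 0) return 0;
    return rd_n + wr_n + (n - 1) * (rd_s + wr_s) + (both_gamepak ? 4u : 2u);
}

int main(void) {
    /* Sound DMA on channel 1: FIFO timing, repeat, 32bit, fixed destination */
    uint16_t snd = DMA_ENABLE | (3u << 12) | DMA_REPEAT | DMA_32BIT | (2u << 5);
    printf("DMA1 -> FIFO_A findings: %02X\n", dma_check(1, FIFO_A, 0, snd));
    printf("same value on DMA0:      %02X\n", dma_check(0, FIFO_A, 0, snd));
    printf("src mask DMA0 %08X, CNT_L=0 on DMA3 -> %X units\n",
           (unsigned)dma_src_mask(0), (unsigned)dma_unit_count(3, 0));
    return 0;
}
```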
2552 |
2553 | DMA lockup when stopping while starting ???
2554 |
2555 | Capture delayed, Capture Enable=AutoCleared ???
2556 |
2557 | ## GBA Communication Ports
2558 |
2559 | The GBA's Serial Port may be used in various different communication modes.
2560 | Normal mode may exchange data between two GBAs (or to transfer data from master
2561 | GBA to several slave GBAs in one-way direction).
2562 |
2563 | Multi-player mode may exchange data between up to four GBAs. UART mode works
2564 | much like a RS232 interface. JOY Bus mode uses a standardized Nintendo
2565 | protocol. And General Purpose mode allows the 'serial' port to be mis-used as a
2566 | bi-directional 4bit parallel port.
2567 |
2568 | Note: The Nintendo DS does not include a Serial Port.
2569 |
2570 | - [SIO Normal Mode](#sionormalmode)
2571 | - [SIO Multi-Player Mode](#siomultiplayermode)
2572 | - [SIO UART Mode](#siouartmode)
2573 | - [SIO JOY BUS Mode](#siojoybusmode)
2574 | - [SIO General-Purpose Mode](#siogeneralpurposemode)
2575 | - [SIO Control Registers Summary](#siocontrolregisterssummary)
2576 |
2577 | ### Wireless Adapter
2578 |
2579 | - [GBA Wireless Adapter](#gbawirelessadapter)
2580 |
2581 | ### Infrared Communication Adapters
2582 |
2583 | Even though early GBA prototypes have been intended to support IR
2584 | communication, this feature has been removed.
2585 |
2586 | However, Nintendo is apparently considering to provide an external IR adapter
2587 | (to be connected to the SIO connector, being accessed in General Purpose mode).
2588 |
2589 | Also, it'd be theoretically possible to include IR ports built-in in game
2590 | cartridges (as done for some older 8bit/monochrome Hudson games).
2591 |
2592 | ## SIO Normal Mode
2593 |
2594 | This mode is used to communicate between two units.
2595 |
2596 | Transfer rates of 256Kbit/s or 2Mbit/s can be selected, however, the fast
2597 | 2Mbit/s is intended ONLY for special hardware expansions that are DIRECTLY
2598 | connected to the GBA link port (ie. without a cable being located between the
2599 | GBA and expansion hardware). In normal cases, always use 256Kbit/s transfer
2600 | rate which provides stable results.
2601 |
2602 | Transfer lengths of 8bit or 32bit may be used, the 8bit mode is the same as for
2603 | older DMG/CGB gameboys, however, the voltages for "GBA cartridges in GBAs" are
2604 | different from those for "DMG/CGB cartridges in DMG/CGB/GBAs", ie. it is not
2605 | possible to communicate between DMG/CGB games and GBA games.
2606 |
2607 | ### 4000134h - RCNT (R) - Mode Selection, in Normal/Multiplayer/UART modes (R/W)
2608 |
2609 | ```
2610 | Bit Expl.
2611 | 0-3 Undocumented (current SC,SD,SI,SO state, as for General Purpose mode)
2612 | 4-8 Not used (Should be 0, bits are read/write-able though)
2613 | 9-13 Not used (Always 0, read only)
2614 | 14 Not used (Should be 0, bit is read/write-able though)
2615 | 15 Must be zero (0) for Normal/Multiplayer/UART modes
2616 | ```
2617 |
2618 | ### 4000128h - SIOCNT - SIO Control, usage in NORMAL Mode (R/W)
2619 |
2620 | ```
2621 | Bit Expl.
2622 | 0 Shift Clock (SC) (0=External, 1=Internal)
2623 | 1 Internal Shift Clock (0=256KHz, 1=2MHz)
2624 | 2 SI State (opponents SO) (0=Low, 1=High/None) --- (Read Only)
2625 | 3 SO during inactivity (0=Low, 1=High) (applied ONLY when Bit7=0)
2626 | 4-6 Not used (Read only, always 0 ?)
2627 | 7 Start Bit (0=Inactive/Ready, 1=Start/Active)
2628 | 8-11 Not used (R/W, should be 0)
2629 | 12 Transfer Length (0=8bit, 1=32bit)
2630 | 13 Must be "0" for Normal Mode
2631 | 14 IRQ Enable (0=Disable, 1=Want IRQ upon completion)
2632 | 15 Not used (Read only, always 0)
2633 | ```
2634 |
2635 | The Start bit is automatically reset when the transfer completes, ie. when all
2636 | 8 or 32 bits are transferred, at that time an IRQ may be generated.
2637 |
2638 | ### 400012Ah - SIODATA8 - SIO Normal Communication 8bit Data (R/W)
2639 |
2640 | For 8bit normal mode. Contains 8bit data (only lower 8bit are used). Outgoing
2641 | data should be written to this register before starting the transfer. During
2642 | transfer, transmitted bits are shifted-out (MSB first), and received bits are
2643 | shifted-in simultaneously. Upon transfer completion, the register contains the
2644 | received 8bit value.
2645 |
2646 | ### 4000120h - SIODATA32\_L - SIO Normal Communication lower 16bit data (R/W)
2647 |
2648 | ### 4000122h - SIODATA32\_H - SIO Normal Communication upper 16bit data (R/W)
2649 |
2650 | Same as above SIODATA8, for 32bit normal transfer mode respectively.
2651 |
2652 | SIOCNT/RCNT must be set to 32bit normal mode before writing to
2653 | SIODATA32.
2654 |
2655 | ### Initialization
2656 |
2657 | First, initialize RCNT register. Second, set mode/clock bits in SIOCNT with
2658 | startbit cleared. For master: select internal clock, and (in most cases)
2659 | specify 256KHz as transfer rate. For slave: select external clock, the local
2660 | transfer rate selection is then ignored, as the transfer rate is supplied by
2661 | the remote GBA (or other computer, which might supply custom transfer rates).
2662 |
2663 | Third, set the startbit in SIOCNT with mode/clock bits unchanged.
2664 |
2665 | ### Recommended Communication Procedure for SLAVE unit (external clock)
2666 |
2667 | - Initialize data which is to be sent to master.
2668 |
2669 | - Set Start flag.
2670 |
2671 | - Set SO to LOW to indicate that master may start now.
2672 |
2673 | - Wait for IRQ (or for Start bit to become zero). (Check timeout here!)
2674 |
2675 | - Set SO to HIGH to indicate that we are not ready.
2676 |
2677 | - Process received data.
2678 |
2679 | - Repeat procedure if more data is to be transferred.
2680 |
2681 | (or is so=high done automatically? would be fine - more stable - otherwise
2682 | master may still need delay)
2683 |
2684 | ### Recommended Communication Procedure for SLAVE unit (external clock)
2685 |
2686 | - Initialize data which is to be sent to master.
2687 |
2688 | - Set Start=0 and SO=0 (SO=LOW indicates that slave is (almost) ready).
2689 |
2690 | - Set Start=1 and SO=1 (SO=HIGH indicates not ready, applied after transfer).
2691 |
2692 | ```
2693 | (Expl. Old SO=LOW kept output until 1st clock bit received).
2694 | (Expl. New SO=HIGH is automatically output at transfer completion).
2695 | ```
2696 |
2697 | - Set SO to LOW to indicate that master may start now.
2698 |
2699 | - Wait for IRQ (or for Start bit to become zero). (Check timeout here!)
2700 |
2701 | - Process received data.
2702 |
2703 | - Repeat procedure if more data is to be transferred.
2704 |
2705 | ### Recommended Communication Procedure for MASTER unit (internal clock)
2706 |
2707 | - Initialize data which is to be sent to slave.
2708 |
2709 | - Wait for SI to become LOW (slave ready). (Check timeout here!)
2710 |
2711 | - Set Start flag.
2712 |
2713 | - Wait for IRQ (or for Start bit to become zero).
2714 |
2715 | - Process received data.
2716 |
2717 | - Repeat procedure if more data is to be transferred.
2718 |
2719 | ### Cable Protocol
2720 |
2721 | During inactive transfer, the shift clock (SC) is high. The transmit (SO) and
2722 | receive (SI) data lines may be manually controlled as described above.
2723 |
2724 | When master sends SC=LOW, each master and slave must output the next outgoing
2725 | data bit to SO. When master sends SC=HIGH, each master and slave must read out
2726 | the opponents data bit from SI. This is repeated for each of the 8 or 32 bits,
2727 | and when completed SC will be kept high again.
2728 |
2729 | ### Transfer Rates
2730 |
2731 | Either 256KHz or 2MHz rates can be selected for SC, so max 32KBytes (256Kbit)
2732 | or 128KBytes (2Mbit) can be transferred per second. However, the software must
2733 | process each 8bit or 32bit of transmitted data separately, so the actual
2734 | transfer rate will be reduced by the time spent on handling each data unit.
2735 |
2736 | Only 256KHz provides stable results in most cases (such as when linking
2737 | between two GBAs). The 2MHz rate is intended for special expansion hardware
2738 | (with very short wires) only.
2739 |
2740 | ### Using Normal mode for One-Way Multiplayer communication
2741 |
2742 | When using normal mode with multiplay-cables, data isn't exchanged between
2743 | first and second GBA as usual. Instead, data is shifted from first to last
2744 | GBA (the first GBA receives zero, because master SI is shortcut to GND).
2745 |
2746 | This behaviour may be used for fast ONE-WAY data transfer from master to all
2747 | other GBAs. For example (3 GBAs linked):
2748 |
2749 | ```
2750 | Step Sender 1st Recipient 2nd Recipient
2751 | Transfer 1: DATA #0 --> UNDEF --> UNDEF -->
2752 | Transfer 2: DATA #1 --> DATA #0 --> UNDEF -->
2753 | Transfer 3: DATA #2 --> DATA #1 --> DATA #0 -->
2754 | Transfer 4: DATA #3 --> DATA #2 --> DATA #1 -->
2755 | ```
2756 |
2757 | The recipients should not output any own data, instead they should forward the
2758 | previously received data to the next recipient during next transfer (just keep
2759 | the incoming data unmodified in the data register).
2760 |
2761 | Due to the delayed forwarding, 2nd recipient should ignore the first incoming
2762 | data. After the last transfer, the sender must send one (or more) dummy data
2763 | unit(s), so that the last data is forwarded to the 2nd (or further)
2764 | recipient(s).
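
The forwarding chain described above, simulated on the host in C to show how many leading values each recipient has to discard and how many dummy units the sender has to append. This is an added example, not code from GBATEK; the function names, the UNDEF marker and the sample data are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_UNITS 4            /* sender plus up to three recipients */
#define MAX_DATA  16           /* constructed limit for this example */
#define UNDEF     0xFFFFFFFFu  /* marker for "data register never loaded" */

/* One Normal-mode transfer over a multiplay cable: every unit shifts its
   data register out to the next unit; the sender shifts in zero because
   the master's SI is shorted to GND. reg[0] is the sender. */
static void chain_transfer(uint32_t reg[], unsigned units) {
    for (unsigned i = units - 1; i > 0; i--)
        reg[i] = reg[i - 1];
    reg[0] = 0;
}

/* Send n data units from the sender to `recipients` forwarding units.
   out[r][k] receives the k-th unit accepted by recipient r (0 = 1st).
   Returns the number of transfers the sender had to start, or 0 on
   invalid arguments. */
static unsigned oneway_broadcast(const uint32_t *data, unsigned n,
                                 unsigned recipients,
                                 uint32_t out[][MAX_DATA]) {
    uint32_t reg[MAX_UNITS];
    unsigned got[MAX_UNITS] = {0};
    unsigned transfers = 0;

    if (n == 0 || n > MAX_DATA || recipients == 0 || recipients > MAX_UNITS - 1)
        return 0;
    for (unsigned i = 0; i <= recipients; i++)
        reg[i] = UNDEF;

    /* n real units, then one dummy unit per additional recipient */
    unsigned total = n + recipients - 1;
    for (unsigned t = 0; t < total; t++) {
        reg[0] = (t < n) ? data[t] : 0;
        chain_transfer(reg, recipients + 1);
        transfers++;
        for (unsigned r = 0; r < recipients; r++) {
            /* Recipient r is r hops behind the 1st recipient, so its first
               r incoming values are stale and must be ignored. Recipients
               leave the register untouched so it is forwarded next time. */
            if (t >= r && got[r] < n)
                out[r][got[r]++] = reg[r + 1];
        }
    }
    return transfers;
}

int main(void) {
    const uint32_t data[4] = { 0xA0, 0xA1, 0xA2, 0xA3 };  /* constructed */
    uint32_t out[MAX_UNITS - 1][MAX_DATA];
    unsigned transfers = oneway_broadcast(data, 4, 2, out);
    printf("transfers started by sender: %u\n", transfers);
    for (unsigned r = 0; r < 2; r++) {
        printf("recipient %u:", r + 1);
        for (unsigned k = 0; k < 4; k++)
            printf(" %02X", (unsigned)out[r][k]);
        printf("\n");
    }
    return 0;
}
```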
2765 |
2766 | ## SIO Multi-Player Mode
2767 |
2768 | Multi-Player mode can be used to communicate between up to 4 units.
2769 |
2770 | ### 4000134h - RCNT (R) - Mode Selection, in Normal/Multiplayer/UART modes (R/W)
2771 |
2772 | ```
2773 | Bit Expl.
2774 | 0-3 Undocumented (current SC,SD,SI,SO state, as for General Purpose mode)
2775 | 4-8 Not used (Should be 0, bits are read/write-able though)
2776 | 9-13 Not used (Always 0, read only)
2777 | 14 Not used (Should be 0, bit is read/write-able though)
2778 | 15 Must be zero (0) for Normal/Multiplayer/UART modes
2779 | ```
2780 |
2781 | Note: Even though undocumented, many Nintendo games are using Bit 0 to test
2782 | current SC state in multiplay mode.
2783 |
2784 | ### 4000128h - SIOCNT - SIO Control, usage in MULTI-PLAYER Mode (R/W)
2785 |
2786 | ```
2787 | Bit Expl.
2788 | 0-1 Baud Rate (0-3: 9600,38400,57600,115200 bps)
2789 | 2 SI-Terminal (0=Parent, 1=Child) (Read Only)
2790 | 3 SD-Terminal (0=Bad connection, 1=All GBAs Ready) (Read Only)
2791 | 4-5 Multi-Player ID (0=Parent, 1-3=1st-3rd child) (Read Only)
2792 | 6 Multi-Player Error (0=Normal, 1=Error) (Read Only)
2793 | 7 Start/Busy Bit (0=Inactive, 1=Start/Busy) (Read Only for Slaves)
2794 | 8-11 Not used (R/W, should be 0)
2795 | 12 Must be "0" for Multi-Player mode
2796 | 13 Must be "1" for Multi-Player mode
2797 | 14 IRQ Enable (0=Disable, 1=Want IRQ upon completion)
2798 | 15 Not used (Read only, always 0)
2799 | ```
2800 |
2801 | The ID Bits are undefined until the first transfer has completed.
2802 |
2803 | ### 400012Ah - SIOMLT\_SEND - Data Send Register (R/W)
2804 |
2805 | Outgoing data (16 bit) which is to be sent to the other GBAs.
2806 |
2807 | ### 4000120h - SIOMULTI0 - SIO Multi-Player Data 0 (Parent) (R/W)
2808 |
2809 | ### 4000122h - SIOMULTI1 - SIO Multi-Player Data 1 (1st child) (R/W)
2810 |
2811 | ### 4000124h - SIOMULTI2 - SIO Multi-Player Data 2 (2nd child) (R/W)
2812 |
2813 | ### 4000126h - SIOMULTI3 - SIO Multi-Player Data 3 (3rd child) (R/W)
2814 |
2815 | These registers are automatically reset to FFFFh upon transfer start.
2816 |
2817 | After transfer, these registers contain incoming data (16bit each) from all
2818 | remote GBAs (if any / otherwise still FFFFh), as well as the local outgoing
2819 | SIOMLT\_SEND data.
2820 |
2821 | Ie. after the transfer, all connected GBAs will contain the same values in
2822 | their SIOMULTI0-3 registers.
2823 |
2824 | ### Initialization
2825 |
2826 | - Initialize RCNT Bit 14-15 and SIOCNT Bit 12-13 to select Multi-Player mode.
2827 |
2828 | - Read SIOCNT Bit 3 to verify that all GBAs are in Multi-Player mode.
2829 |
2830 | - Read SIOCNT Bit 2 to detect whether this is the Parent/Master unit.
2831 |
2832 | ### Recommended Transmission Procedure
2833 |
2834 | - Write outgoing data to SIOMLT\_SEND.
2835 |
2836 | - Master must set Start bit.
2837 |
2838 | - All units must process received data in SIOMULTI0-3 when transfer completed.
2839 |
2840 | - After the first successful transfer, ID Bits in SIOCNT are valid.
2841 |
2842 | - If more data is to be transferred, repeat procedure.
2843 |
2844 | The parent unit blindly sends data regardless of whether children have already
2845 | processed old data/supplied new data. So, parent unit might be required to
2846 | insert delays between each transfer, and/or perform error checking.
2847 |
2848 | Also, slave units may signalize that they are not ready by temporarily
2849 | switching into another communication mode (which does not output SD High, as
2850 | Multi-Player mode does during inactivity).
2851 |
2852 | ### Transfer Protocol
2853 |
2854 | Beginning
2855 |
2856 | - The masters SI pin is always LOW.
2857 |
2858 | - When all GBAs are in Multiplayer mode (ready) SD is HIGH.
2859 |
2860 | - When master starts the transfer, it sets SC=LOW, slaves receive Busy bit.
2861 |
2862 | Step A
2863 |
2864 | - ID Bits in master unit are set to 0.
2865 |
2866 | - Master outputs Startbit (LOW), 16bit Data, Stopbit (HIGH) through SD.
2867 |
2868 | - This data is written to SIOMULTI0 of all GBAs (including master).
2869 |
2870 | - Master forwards LOW from its SO to 1st childs SI.
2871 |
2872 | - Transfer ends if next child does not output data after certain time.
2873 |
2874 | Step B
2875 |
2876 | - ID Bits in 1st child unit are set to 1.
2877 |
2878 | - 1st Child outputs Startbit (LOW), 16bit Data, Stopbit (HIGH) through SD.
2879 |
2880 | - This data is written to SIOMULTI1 of all GBAs (including 1st child).
2881 |
2882 | - 1st child forwards LOW from its SO to 2nd childs SI.
2883 |
2884 | - Transfer ends if next child does not output data after certain time.
2885 |
2886 | Step C
2887 |
2888 | - ID Bits in 2nd child unit are set to 2.
2889 |
2890 | - 2nd Child outputs Startbit (LOW), 16bit Data, Stopbit (HIGH) through SD.
2891 |
2892 | - This data is written to SIOMULTI2 of all GBAs (including 2nd child).
2893 |
2894 | - 2nd child forwards LOW from its SO to 3rd childs SI.
2895 |
2896 | - Transfer ends if next child does not output data after certain time.
2897 |
2898 | Step D
2899 |
2900 | - ID Bits in 3rd child unit are set to 3.
2901 |
2902 | - 3rd Child outputs Startbit (LOW), 16bit Data, Stopbit (HIGH) through SD.
2903 |
2904 | - This data is written to SIOMULTI3 of all GBAs (including 3rd child).
2905 |
2906 | - Transfer ends (this was the last child).
2907 |
2908 | Transfer end
2909 |
2910 | - Master sets SC=HIGH, all GBAs set SO=HIGH.
2911 |
2912 | - The Start/Busy bits of all GBAs are automatically cleared.
2913 |
2914 | - Interrupts are requested in all GBAs (as far as enabled).
2915 |
2916 | ### Error Bit
2917 |
2918 | This bit is set when a slave did not receive SI=LOW even though SC=LOW
2919 | signalized a transfer (this might happen when connecting more than 4 GBAs, or
2920 | when the previous child is not connected). Also, the bit is set when a Stopbit
2921 | wasn't HIGH.
2922 |
2923 | The error bit may be undefined during active transfer - read only after
2924 | transfer completion (the transfer continues and completes as normal even if
2925 | errors have occurred for some or all GBAs).
2926 |
2927 | Don't know: The bit is automatically reset/initialized with each transfer, or
2928 | must be manually reset?
2929 |
2930 | ### Transmission Time
2931 |
2932 | The transmission time depends on the selected Baud rate. And on the amount of
2933 | Bits (16 data bits plus start/stop bits for each GBA), delays between data for
2934 | each GBA, plus final timeout (if less than 4 GBAs). That is, depending on the
2935 | number of connected GBAs:
2936 |
2937 | ```
2938 | GBAs Bits Delays Timeout
2939 | 1 18 None Yes
2940 | 2 36 1 Yes
2941 | 3 54 2 Yes
2942 | 4 72 3 None
2943 | ```
2944 |
2945 | (The average Delay and Timeout periods are unknown?)
2946 |
2947 | Above is not counting the additional CPU time that must be spent on initiating
2948 | and processing each transfer.
2949 |
2950 | ### Fast One-Way Transmission
2951 |
2952 | Besides the actual SIO Multiplayer mode, you can also use SIO Normal mode
2953 | for fast one-way data transfer from Master unit to all Child unit(s). See
2954 | chapter about SIO Normal mode for details.
2955 |
2956 | ## SIO UART Mode
2957 |
2958 | This mode works much like a RS232 port, however, the voltages are unknown,
2959 | probably 0/3V rather than +/-12V ?. SI and SO are data lines (with crossed
2960 | wires), SC and SD signalize Clear to Send (with crossed wires also, which
2961 | requires special cable when linking between two GBAs ?)
2962 |
2963 | ### 4000134h - RCNT (R) - Mode Selection, in Normal/Multiplayer/UART modes (R/W)
2964 |
2965 | ```
2966 | Bit Expl.
2967 | 0-3 Undocumented (current SC,SD,SI,SO state, as for General Purpose mode)
2968 | 4-8 Not used (Should be 0, bits are read/write-able though)
2969 | 9-13 Not used (Always 0, read only)
2970 | 14 Not used (Should be 0, bit is read/write-able though)
2971 | 15 Must be zero (0) for Normal/Multiplayer/UART modes
2972 | ```
2973 |
2974 | ### 4000128h - SCCNT\_L - SIO Control, usage in UART Mode (R/W)
2975 |
2976 | ```
2977 | Bit Expl.
2978 | 0-1 Baud Rate (0-3: 9600,38400,57600,115200 bps)
2979 | 2 CTS Flag (0=Send always/blindly, 1=Send only when SC=LOW)
2980 | 3 Parity Control (0=Even, 1=Odd)
2981 | 4 Send Data Flag (0=Not Full, 1=Full) (Read Only)
2982 | 5 Receive Data Flag (0=Not Empty, 1=Empty) (Read Only)
2983 | 6 Error Flag (0=No Error, 1=Error) (Read Only)
2984 | 7 Data Length (0=7bits, 1=8bits)
2985 | 8 FIFO Enable Flag (0=Disable, 1=Enable)
2986 | 9 Parity Enable Flag (0=Disable, 1=Enable)
2987 | 10 Send Enable Flag (0=Disable, 1=Enable)
2988 | 11 Receive Enable Flag (0=Disable, 1=Enable)
2989 | 12 Must be "1" for UART mode
2990 | 13 Must be "1" for UART mode
2991 | 14 IRQ Enable (0=Disable, 1=IRQ when any Bit 4/5/6 become set)
2992 | 15 Not used (Read only, always 0)
2993 | ```
2994 |
2995 | ### 400012Ah - SIODATA8 - usage in UART Mode (R/W)
2996 |
2997 | Addresses the send/receive shift register, or (when FIFO is used) the
2998 | send/receive FIFO. In either case only the lower 8bit of SIODATA8 are used, the
2999 | upper 8bit are not used.
3000 |
3001 | The send/receive FIFO may store up to four 8bit data units each. For example,
3002 | while 1 unit is still transferred from the send shift register, it is possible
3003 | to deposit another 4 units in the send FIFO, which are then automatically moved
3004 | to the send shift register one after each other.
3005 |
3006 | ### Send/Receive Enable, CTS Feedback
3007 |
3008 | The receiver outputs SD=LOW (which is input as SC=LOW at the remote side) when
3009 | it is ready to receive data (that is, when Receive Enable is set, and the
3010 | Receive shift register (or receive FIFO) isn't full).
3011 |
3012 | When CTS flag is set to always/blindly, then the sender transmits data
3013 | immediately when Send Enable is set, otherwise data is transmitted only when
3014 | Send Enable is set and SC is LOW.
3015 |
3016 | ### Error Flag
3017 |
3018 | The error flag is set when a bad stop bit has been received (stop bit must be
3019 | 0), when a parity error has occurred (if enabled), or when new data has been
3020 | completely received while the receive data register (or receive FIFO) is
3021 | already full.
3022 |
3023 | The error flag is automatically reset when reading from SIOCNT register.
3024 |
3025 | ### Init & Initback
3026 |
3027 | The content of the FIFO is reset when FIFO is disabled in UART mode, thus, when
3028 | entering UART mode initially set FIFO=disabled.
3029 |
3030 | The Send/Receive enable bits must be reset before switching from UART mode into
3031 | another SIO mode!
3032 |
3033 | ## SIO JOY BUS Mode
3034 |
3035 | This communication mode uses Nintendo's standardized JOY Bus protocol. When
3036 | using this communication mode, the GBA is always operated as SLAVE!
3037 |
3038 | In this mode, SI and SO pins are data lines (apparently synchronized by
3039 | Start/Stop bits?), SC and SD are set to low (including during active
3040 | transfer?), the transfer rate is unknown?
3041 |
3042 | ### 4000134h - RCNT (R) - Mode Selection, in JOY BUS mode (R/W)
3043 |
3044 | ```
3045 | Bit Expl.
3046 | 0-3 Undocumented (current SC,SD,SI,SO state, as for General Purpose mode)
3047 | 4-8 Not used (Should be 0, bits are read/write-able though)
3048 | 9-13 Not used (Always 0, read only)
3049 | 14 Must be "1" for JOY BUS Mode
3050 | 15 Must be "1" for JOY BUS Mode
3051 | ```
3052 |
3053 | ### 4000128h - SIOCNT - SIO Control, not used in JOY BUS Mode
3054 |
3055 | This register is not used in JOY BUS mode.
3056 |
3057 | ### 4000140h - JOYCNT - JOY BUS Control Register (R/W)
3058 |
3059 | ```
3060 | Bit Expl.
3061 | 0 Device Reset Flag (Command FFh) (Read/Acknowledge)
3062 | 1 Receive Complete Flag (Command 14h or 15h?) (Read/Acknowledge)
3063 | 2 Send Complete Flag (Command 15h or 14h?) (Read/Acknowledge)
3064 | 3-5 Not used
3065 | 6 IRQ when receiving a Device Reset Command (0=Disable, 1=Enable)
3066 | 7-31 Not used
3067 | ```
3068 |
3069 | Bit 0-2 are working much like the bits in the IF register: Write a "1" bit to
3070 | reset (acknowledge) the respective bit.
3071 |
3072 | UNCLEAR: Interrupts can be requested for Send/Receive commands also?
3073 |
3074 | ### 4000150h - JOY\_RECV\_L - Receive Data Register low (R/W)
3075 |
3076 | ### 4000152h - JOY\_RECV\_H - Receive Data Register high (R/W)
3077 |
3078 | ### 4000154h - JOY\_TRANS\_L - Send Data Register low (R/W)
3079 |
3080 | ### 4000156h - JOY\_TRANS\_H - Send Data Register high (R/W)
3081 |
3082 | Send/receive data registers.
3083 |
3084 | ### 4000158h - JOYSTAT - Receive Status Register (R/W)
3085 |
3086 | ```
3087 | Bit Expl.
3088 | 0 Not used
3089 | 1 Receive Status Flag (0=Remote GBA is/was receiving) (Read Only?)
3090 | 2 Not used
3091 | 3 Send Status Flag (1=Remote GBA is/was sending) (Read Only?)
3092 | 4-5 General Purpose Flag (Not assigned, may be used for whatever purpose)
3093 | 6-31 Not used
3094 | ```
3095 |
3096 | Bit 1 is automatically set when writing to local JOY\_TRANS.
3097 |
3098 | Bit 3 is automatically reset when reading from local JOY\_RECV.
3099 |
3100 | Below are the four possible commands which can be received by the GBA. Note
3101 | that the GBA (slave) cannot send any commands itself, all it can do is to read
3102 | incoming data, and to provide 'reply' data which may (or may not) be read out
3103 | by the master unit.
3104 |
3105 | ### Command FFh - Device Reset
3106 |
3107 | ```
3108 | Receive FFh (Command)
3109 | Send 00h (GBA Type number LSB (or MSB?))
3110 | Send 04h (GBA Type number MSB (or LSB?))
3111 | Send XXh (lower 8bits of SIOSTAT register)
3112 | ```
3113 |
3114 | ### Command 00h - Type/Status Data Request
3115 |
3116 | ```
3117 | Receive 00h (Command)
3118 | Send 00h (GBA Type number LSB (or MSB?))
3119 | Send 04h (GBA Type number MSB (or LSB?))
3120 | Send XXh (lower 8bits of SIOSTAT register)
3121 | ```
3122 |
3123 | ### Command 15h - GBA Data Write (to GBA)
3124 |
3125 | ```
3126 | Receive 15h (Command)
3127 | Receive XXh (Lower 8bits of JOY_RECV_L)
3128 | Receive XXh (Upper 8bits of JOY_RECV_L)
3129 | Receive XXh (Lower 8bits of JOY_RECV_H)
3130 | Receive XXh (Upper 8bits of JOY_RECV_H)
3131 | Send XXh (lower 8bits of SIOSTAT register)
3132 | ```
3133 |
3134 | ### Command 14h - GBA Data Read (from GBA)
3135 |
3136 | ```
3137 | Receive 14h (Command)
3138 | Send XXh (Lower 8bits of JOY_TRANS_L)
3139 | Send XXh (Upper 8bits of JOY_TRANS_L)
3140 | Send XXh (Lower 8bits of JOY_TRANS_H)
3141 | Send XXh (Upper 8bits of JOY_TRANS_H)
3142 | Send XXh (lower 8bits of SIOSTAT register)
3143 | ```
3144 |
3145 | ## SIO General-Purpose Mode
3146 |
3147 | In this mode, the SIO is 'misused' as a 4bit bi-directional parallel port. Each
3148 | of the SI, SO, SC, SD pins may be directly controlled, and each can be separately
3149 | declared as input (with internal pull-up) or as output signal.
3150 |
3151 | ### 4000134h - RCNT (R) - SIO Mode, usage in GENERAL-PURPOSE Mode (R/W)
3152 |
3153 | Interrupts can be requested when SI changes from HIGH to LOW. As General
3154 | Purpose mode does not require a serial shift clock, this interrupt may be
3155 | produced even when the GBA is in Stop (low power standby) state.
3156 |
3157 | ```
3158 | Bit Expl.
3159 | 0 SC Data Bit (0=Low, 1=High)
3160 | 1 SD Data Bit (0=Low, 1=High)
3161 | 2 SI Data Bit (0=Low, 1=High)
3162 | 3 SO Data Bit (0=Low, 1=High)
3163 | 4 SC Direction (0=Input, 1=Output)
3164 | 5 SD Direction (0=Input, 1=Output)
3165 | 6 SI Direction (0=Input, 1=Output, but see below)
3166 | 7 SO Direction (0=Input, 1=Output)
3167 | 8 SI Interrupt Enable (0=Disable, 1=Enable)
3168 | 9-13 Not used
3169 | 14 Must be "0" for General-Purpose Mode
3170 | 15 Must be "1" for General-Purpose or JOYBUS Mode
3171 | ```
3172 |
3173 | SI should be always used as Input to avoid problems with other hardware which
3174 | does not expect data to be output there.
3175 |
3176 | ### 4000128h - SIOCNT - SIO Control, not used in GENERAL-PURPOSE Mode
3177 |
3178 | This register is not used in general purpose mode. That is, the separate bits
3179 | of SIOCNT still exist and are read- and/or write-able in the same manner as for
3180 | Normal, Multiplay, or UART mode (depending on SIOCNT Bit 12,13), but have
3181 | no effect on data being output to the link port.
3182 |
3183 | ## SIO Control Registers Summary
3184 |
3185 | ### Mode Selection (by RCNT.15-14 and SIOCNT.13-12)
3186 |
3187 | ```
3188 | R.15 R.14 S.13 S.12 Mode
3189 | 0 x 0 0 Normal 8bit
3190 | 0 x 0 1 Normal 32bit
3191 | 0 x 1 0 Multiplay 16bit
3192 | 0 x 1 1 UART (RS232)
3193 | 1 0 x x General Purpose
3194 | 1 1 x x JOY BUS
3195 | ```
3196 |
3197 | ### SIOCNT
3198 |
3199 | ```
3200 | Bit 0 1 2 3 4 5 6 7 8 9 10 11
3201 | Normal Master Rate SI/In SO/Out - - - Start - - - -
3202 | Multi Baud Baud SI/In SD/In ID# Err Start - - - -
3203 | UART Baud Baud CTS Parity S R Err Bits FIFO Parity Send Recv
3204 | ```
3205 |
3206 | ## GBA Wireless Adapter
3207 |
3208 | ### GBA Wireless Adapter (AGB-015 or OXY-004)
3209 |
3210 | - [GBA Wireless Adapter Games](#gbawirelessadaptergames)
3211 | - [GBA Wireless Adapter Login](#gbawirelessadapterlogin)
3212 | - [GBA Wireless Adapter Commands](#gbawirelessadaptercommands)
3213 | - [GBA Wireless Adapter Component Lists](#gbawirelessadaptercomponentlists)
3214 |
3215 | ## GBA Wireless Adapter Games
3216 |
3217 | ### GBA Wireless Adapter compatible Games
3218 |
3219 | ```
3220 | bit Generations series (Japan only)
3221 | Boktai 2: Solar Boy Django (Konami)
3222 | Boktai 3: Sabata's Counterattack
3223 | Classic NES Series: Donkey Kong
3224 | Classic NES Series: Dr. Mario
3225 | Classic NES Series: Ice Climber
3226 | Classic NES Series: Pac-Man
3227 | Classic NES Series: Super Mario Bros.
3228 | Classic NES Series: Xevious
3229 | Digimon Racing (Bandai) (No Wireless Adapter support in European release)
3230 | Dragon Ball Z: Buu's Fury (Atari)
3231 | Famicom Mini Series: #13 Balloon Fight
3232 | Famicom Mini Series: #12 Clu Clu Land
3233 | Famicom Mini Series: #16 Dig Dug
3234 | Famicom Mini Series: #02 Donkey Kong
3235 | Famicom Mini Series: #15 Dr. Mario
3236 | Famicom Mini Series: #03 Ice Climber
3237 | Famicom Mini Series: #18 Makaimura
3238 | Famicom Mini Series: #08 Mappy
3239 | Famicom Mini Series: #11 Mario Bros.
3240 | Famicom Mini Series: #06 Pac-Man
3241 | Famicom Mini Series: #30 SD Gundam World Scramble Wars
3242 | Famicom Mini Series: #01 Super Mario Bros.
3243 | Famicom Mini Series: #21 Super Mario Bros.
3244 | Famicom Mini Series: #19 Twin Bee
3245 | Famicom Mini Series: #14 Wrecking Crew
3246 | Famicom Mini Series: #07 Xevious
3247 | Hamtaro: Ham-Ham Games (Nintendo)
3248 | Lord of the Rings: The Third Age, The (EA Games)
3249 | Mario Golf: Advance Tour (Nintendo)
3250 | Mario Tennis: Power Tour (Nintendo)
3251 | Mega Man Battle Network 5: Team Protoman (Capcom)
3252 | Mega Man Battle Network 5: Team Colonel (Capcom)
3253 | Mega Man Battle Network 6: Cybeast Falzar
3254 | Mega Man Battle Network 6: Cybeast Gregar
3255 | Momotaro Dentetsu G: Make a Gold Deck! (Japan only)
3256 | Pokemon Emerald (Nintendo)
3257 | Pokemon FireRed (Nintendo)
3258 | Pokemon LeafGreen (Nintendo)
3259 | Sennen Kazoku (Japan only)
3260 | Shrek SuperSlam
3261 | Sonic Advance 3
3262 | ```
3263 |
3264 | ## GBA Wireless Adapter Login
3265 |
3266 | ### GBA Wireless Adapter Login
3267 |
3268 | ```
3269 | rcnt=8000h ;\
3270 | rcnt=80A0h ;
3271 | rcnt=80A2h ; reset adapter or so
3272 | wait ;
3273 | rcnt=80A0h ;/
3274 | siocnt=5003h ;\set 32bit normal mode, 2MHz internal clock
3275 | rcnt=0000h ;/
3276 | passes=0, index=0
3277 | @@lop:
3278 | passes=passes+1, if passes>32 then ERROR ;give up (usually only 10 passes)
3279 | recv.lo=siodata AND FFFFh ;response from adapter
3280 | recv.hi=siodata/10000h ;adapter's own "NI" data
3281 | if send.hi<>recv.lo then index=0, goto @@stuck ;<-- fallback to index=0
3282 | if (send.lo XOR FFFFh)<>recv.lo then goto @@stuck
3283 | if (send.hi XOR FFFFh)<>recv.hi then goto @@stuck
3284 | index=index+1
3285 | @@stuck:
3286 | send.lo=halfword[@@key_string+index*2]
3287 | send.hi=recv.hi XOR FFFFh
3288 | siodata=send.lo+(send.hi*10000h)
3289 | siocnt.bit7=1 ;<-- start transmission
3290 | if index<4 then goto @@lop
3291 | ret
3292 | @@key_string db 'NINTENDO',01h,80h ;10 bytes (5 halfwords; index=0..4)
3293 | ```
3294 |
3295 | ### Data exchanged during Login
3296 |
3297 | ```
3298 | GBA ADAPTER
3299 | xxxx494E ;\ <--> xxxxxxxx
3300 | xxxx494E ; "NI" <--> "NI"/; 494EB6B1 ;\
3301 | NOT("NI") /; B6B1494E ;/ <--> \; 494EB6B1 ; NOT("NI")
3302 | \; B6B1544E ;\"NT" <--> "NT"/; 544EB6B1 ;/
3303 | NOT("NT") /; ABB1544E ;/ <--> \; 544EABB1 ;\NOT("NT")
3304 | \; ABB14E45 ;\"EN" <--> "EN"/; 4E45ABB1 ;/
3305 | NOT("EN") /; B1BA4E45 ;/ <--> \; 4E45B1BA ;\NOT("EN")
3306 | \; B1BA4F44 ;\"DO" <--> "DO"/; 4F44B1BA ;/
3307 | NOT("DO") /; B0BB4F44 ;/ <--> \; 4F44B0BB ;\NOT("DO")
3308 | \; B0BB8001 ;-fin <--> fin-; 8001B0BB ;/
3309 | \ \ \ \
3310 | \ LSBs=Own \ LSBs=Inverse of
3311 | \ Data.From.Gba \ Prev.Data.From.Gba
3312 | \ \
3313 | MSBs=Inverse of MSBs=Own
3314 | Prev.Data.From.Adapter Data.From.Adapter
3315 | ```
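
The login loop and the exchange table above, replayed on a host as an added example (not part of the original document). The adapter side is an assumed model inferred from the table, and the `xxxx` start values are taken as zero.

```c
#include <stdint.h>
#include <stdio.h>

/* 'NINTENDO',01h,80h from the login listing, as five little-endian halfwords. */
static const uint16_t KEY[5] = { 0x494E, 0x544E, 0x4E45, 0x4F44, 0x8001 };

/* Assumed adapter model (not documented on the page, inferred from the table):
 * MSBs = its own key halfword, LSBs = inverse of the previous GBA halfword.
 * It advances when the GBA returns the inverse of its current halfword. */
typedef struct {
    unsigned idx;   /* key halfword currently presented */
    uint32_t out;   /* word shifted out on the next transfer */
    int dead;       /* 1 = nothing attached, line reads all ones */
} adapter_t;

static uint32_t adapter_exchange(adapter_t *a, uint32_t from_gba)
{
    uint32_t reply = a->out;
    uint16_t g_hi = (uint16_t)(from_gba >> 16);
    uint16_t g_lo = (uint16_t)from_gba;

    if (a->dead)
        return 0xFFFFFFFFu;
    if (a->idx < 4 && g_hi == (uint16_t)~KEY[a->idx])
        a->idx++;
    a->out = ((uint32_t)KEY[a->idx] << 16) | (uint16_t)~g_lo;
    return reply;
}

/* Words seen on the wire, one entry per pass. */
typedef struct {
    uint32_t gba[32];
    uint32_t adapter[32];
} trace_t;

/* GBA side, following the @@lop listing. Returns the number of passes used,
 * or -1 when the 32-pass limit is hit (no adapter, or a peer that never
 * echoes the inverted halfwords). */
static int gba_login(adapter_t *a, trace_t *t)
{
    uint32_t siodata = 0;              /* stands in for the "xxxx" start value */
    uint16_t send_lo = 0, send_hi = 0;
    unsigned index = 0;
    int passes = 0;

    do {
        if (++passes > 32)
            return -1;
        uint16_t recv_lo = (uint16_t)siodata;          /* response from adapter */
        uint16_t recv_hi = (uint16_t)(siodata >> 16);  /* adapter's own data */

        if (send_hi != recv_lo)
            index = 0;                                 /* fallback to index=0 */
        else if ((uint16_t)~send_lo == recv_lo && (uint16_t)~send_hi == recv_hi)
            index++;                                   /* peer confirmed halfword */

        send_lo = KEY[index];
        send_hi = (uint16_t)~recv_hi;
        uint32_t word = send_lo | ((uint32_t)send_hi << 16);

        siodata = adapter_exchange(a, word);           /* siocnt.bit7=1 */
        t->gba[passes - 1] = word;
        t->adapter[passes - 1] = siodata;
    } while (index < 4);
    return passes;
}

int main(void)
{
    adapter_t a = { 0, 0, 0 };
    trace_t t;
    int n = gba_login(&a, &t);

    for (int i = 0; i < n; i++)
        printf("%08X <--> %08X\n", (unsigned)t.gba[i], (unsigned)t.adapter[i]);
    printf("passes=%d\n", n);
    return n < 0;
}
```

From the third pass on, the printed words match the table row for row. Neither side sends a nonce or keeps a secret, so the exchange only confirms that a peer speaking this fixed sequence is attached.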
3316 |
3317 | ## GBA Wireless Adapter Commands
3318 |
3319 | ### Wireless Command/Parameter Transmission
3320 |
3321 | ```
3322 | GBA Adapter
3323 | 9966ppcch 80000000h ;-send command (cc), and num param_words (pp)
3324 | 80000000h ;\
3325 | 80000000h ; send "pp" parameter word(s), if any
3326 | ... ... ;/
3327 | 80000000h 9966rraah ;-recv ack (aa=cc+80h), and num response_words (rr)
3328 | 80000000? ;\
3329 | 80000000? ; recv "rr" response word(s), if any
3330 | ... ... ;/
3331 | ```
3332 |
3333 | ### Wireless 32bit Transfers
3334 |
3335 | ```
3336 | wait until [4000128h].Bit2=0 ;want SI=0
3337 | set [4000128h].Bit3=1 ;set SO=1
3338 | wait until [4000128h].Bit2=1 ;want SI=1
3339 | set [4000128h].Bit3=0,Bit7=1 ;set SO=0 and start 32bit transfer
3340 | ```
3341 |
3342 | All command/param/reply transfers should be done at Internal Clock (except that
3343 | Response Words for commands 25h,27h,35h,37h should use External Clock).
3344 |
3345 | ### Wireless Commands
3346 |
3347 | ```
3348 | Cmd Para Reply Name
3349 | 10h - - Hello (send immediately after login)
3350 | 11h - 1 Good/Bad response to cmd 16h ?
3351 | 12h
3352 | 13h - 1
3353 | 14h
3354 | 15h
3355 | 16h 6 - Introduce (send game/user name)
3356 | 17h 1 - Config (send after Hello) (eg. param=003C0420h or 003C043Ch)
3357 | 18h
3358 | 19h
3359 | 1Ah
3360 | 1Bh
3361 | 1Ch - -
3362 | 1Dh - NN Get Directory? (receive list of game/user names?)
3363 | 1Eh - NN Get Directory? (receive list of game/user names?)
3364 | 1Fh 1 - Select Game for Download (send 16bit Game_ID)
3365 | ```
3366 |
3367 | ```
3368 | 20h - 1
3369 | 21h - 1 Good/Bad response to cmd 1Fh ?
3370 | 22h
3371 | 23h
3372 | 24h - -
3373 | 25h ;use EXT clock!
3374 | 26h - -
3375 | 27h - - Begin Download ? ;use EXT clock!
3376 | 28h
3377 | 29h
3378 | 2Ah
3379 | 2Bh
3380 | 2Ch
3381 | 2Dh
3382 | 2Eh
3383 | 2Fh
3384 | ```
3385 |
3386 | ```
3387 | 30h 1 -
3388 | 31h
3389 | 32h
3390 | 33h
3391 | 34h
3392 | 35h ;use EXT clock!
3393 | 36h
3394 | 37h ;use EXT clock!
3395 | 38h
3396 | 39h
3397 | 3Ah
3398 | 3Bh
3399 | 3Ch
3400 | 3Dh - - Bye (return to language select)
3401 | 3Eh
3402 | 3Fh
3403 | ```
3404 |
3405 | Special Response 996601EEh for error or so? (only at software side?)
3406 |
3407 | ## GBA Wireless Adapter Component Lists
3408 |
3409 | Main Chipset
3410 |
3411 | ```
3412 | U1 32pin Freescale MC13190 (2.4 GHz ISM band transceiver)
3413 | U2 48pin Freescale CT3000 or CT3001 (depending on adapter version)
3414 | X3 2pin 9.5MHz crystal
3415 | ```
3416 |
3417 | The MC13190 is a Short-Range, Low-Power 2.4 GHz ISM band transceiver.
3418 |
3419 | The processor is Motorola's 32-bit M-Core RISC engine. (?) MCT3000 (?)
3420 |
3421 | See also: http://www.eetimes.com/document.asp?doc\_id=1271943
3422 |
3423 | Version with GERMAN Postal Code on sticker:
3424 |
3425 | ```
3426 | Sticker on Case:
3427 | "GAME BOY advance, WIRELESS ADAPTER"
3428 | "Pat.Pend.Made in Philipines, CE0125(!)B"
3429 | "MODEL NO./MODELE NO.AGB-015 D-63760 Grossosteim P/AGB-A-WA-EUR-2 E3"
3430 | PCB: "19-C046-04, A-7" (top side) and "B-7" and Microchip ",\\" (bottom side)
3431 | PCB: white stamp "3104, 94V-0, RU, TW-15"
3432 | PCB: black stamp "22FDE"
3433 | U1 32pin "Freescale 13190, 4WFQ" (MC13190) (2.4 GHz ISM band transceiver)
3434 | U2 48pin "Freescale CT3001, XAC0445" (bottom side)
3435 | X3 2pin "D959L4I" (9.5MHz) (top side) (ca. 19 clks per 2us)
3436 | ```
3437 |
3438 | Further components... top side (A-7)
3439 |
3440 | ```
3441 | D1 5pin "D6F, 44" (top side, below X3)
3442 | U71 6pin ".., () 2" (top side, right of X3, tiny black chip)
3443 | B71 6pin "[]" (top side, right of X3, small white chip)
3444 | ANT 2pin on-board copper wings
3445 | Q? 3pin (top side, above CN1)
3446 | Q? 3pin (top side, above CN1)
3447 | D? 2pin "72" (top side, above CN1)
3448 | D3 2pin "F2" (top side, above CN1)
3449 | U200 4pin "MSV" (top side, above CN1)
3450 | U202 5pin "LXKA" (top side, right of CN1)
3451 | U203 4pin "M6H" (top side, right of CN1)
3452 | CN1 6pin connector to GBA link port (top side)
3453 | ```
3454 |
3455 | Further components... bottom side (B-7)
3456 |
3457 | ```
3458 | U201 5pin "LXVB" (bottom side, near CN1)
3459 | U72 4pin "BMs" (bottom side, near ANT, tiny black chip)
3460 | FL70 ?pin "[] o26" (bottom side, near ANT, bigger white chip)
3461 | B70 6pin "[]" (bottom side, near ANT, small white chip)
3462 | ```
3463 |
3464 | Plus, resistors and capacitors (without any markings).
3465 |
3466 | Version WITHOUT sticker:
3467 |
3468 | ```
3469 | Sticker on Case: N/A
3470 | PCB: "19-C046-03, A-1" (top side) and "B-1" and Microchip ",\\" (bottom side)
3471 | PCB: white stamp "3204, TW-15, RU, 94V-0"
3472 | PCB: black stamp "23MN" or "23NH" or so (smeared)
3473 | U1 32pin "Freescale 13190, 4FGD" (top side)
3474 | U2 48pin "Freescale CT3000, XAB0425" (bottom side) ;CT3000 (not CT3001)
3475 | X3 2pin "9.5SKSS4GT" (top side)
3476 | ```
3477 |
3478 | Further components... top side (A-1)
3479 |
3480 | ```
3481 | D1 5pin "D6F, 31" (top side, below X3)
3482 | U71 6pin "P3, () 2" (top side, right of X3, tiny black chip)
3483 | B71 6pin "[]" (top side, right of X3, small white chip)
3484 | ANT 2pin on-board copper wings
3485 | Q70 3pin (top side, above CN1)
3486 | D? 2pin "72" (top side, above CN1)
3487 | D3 2pin "F2" (top side, above CN1)
3488 | U200 4pin "MSV" (top side, above CN1)
3489 | U202 5pin "LXKH" (top side, right of CN1)
3490 | U203 4pin "M6H" (top side, right of CN1)
3491 | CN1 6pin connector to GBA link port (top side)
3492 | ```
3493 |
3494 | Further components... bottom side (B-1)
3495 |
3496 | ```
3497 | U201 5pin "LXV2" (bottom side, near CN1)
3498 | U70 6pin "AAG" (bottom side, near ANT, tiny black chip)
3499 | FL70 ?pin "[] o26" (bottom side, near ANT, bigger white chip)
3500 | B70 6pin "[]" (bottom side, near ANT, small white chip)
3501 | ```
3502 |
3503 | Plus, resistors and capacitors (without any markings).
3504 |
3505 | Major Differences
3506 |
3507 | ```
3508 | Sticker "N/A" vs "Grossosteim P/AGB-A-WA-EUR-2 E3"
3509 | PCB-markings "19-C046-03, A-1, 3204" vs "19-C046-04, A-7, 3104"
3510 | U1 "CT3000, XAB0425" vs "CT3001, XAC0445"
3511 | Transistors One transistor (Q70) vs Two transistors (both nameless)
3512 | U70/U72 U70 "AAG" (6pin) vs U72 "BMs" (4pin)
3513 | ```
3514 |
3515 | Purpose of the changes is unknown (either older/newer revisions, or different
3516 | regions with different FCC regulations).
3517 |
3518 | ## GBA Infrared Communication
3519 |
3520 | Early GBA prototypes were intended to include a built-in IR port for
3521 | sending and receiving IR signals. Among other uses, this port could have been
3522 | used to communicate with other GBAs, older CGB models, TV Remote Controls,
3523 | etc.
3524 |
3525 | [ THE INFRARED COMMUNICATION FEATURE IS -NOT- SUPPORTED ANYMORE ]
3526 |
3527 | The prototype specifications were as shown below.
3528 |
3529 | Keep in mind that the IR signal may be interrupted by any object that moves
3530 | between sender and receiver - the IR port isn't recommended for programs that
3531 | require realtime data exchange (such as action games).
3532 |
3533 | ### 4000136h - IR - Infrared Register (R/W)
3534 |
3535 | ```
3536 | Bit Expl.
3537 | 0 Transmission Data (0=LED Off, 1=LED On)
3538 | 1 READ Enable (0=Disable, 1=Enable)
3539 | 2 Reception Data (0=None, 1=Signal received) (Read only)
3540 | 3 AMP Operation (0=Off, 1=On)
3541 | 4 IRQ Enable Flag (0=Disable, 1=Enable)
3542 | 5-15 Not used
3543 | ```
3544 |
3545 | When IRQ is enabled, an interrupt is requested if the incoming signal was
3546 | 0.119us Off (2 cycles), followed by 0.536us On (9 cycles) - minimum timing
3547 | periods each.
3548 |
3549 | ### Transmission Notes
3550 |
3551 | When transmitting an IR signal, note that it is not a good idea to keep the
3552 | LED turned On for a very long period (such as sending a 1 second
3553 | synchronization pulse). The recipient's circuit would treat such a long signal
3554 | as "normal IR pollution which is in the air" after a while, and thus ignore the
3555 | signal.
3556 |
3557 | ### Reception Notes
3558 |
3559 | Received data is internally latched. Latched data may be read out by setting
3560 | both READ and AMP bits.
3561 |
3562 | Note: Provided that you don't want to receive your own IR signal, be sure to
3563 | set Bit 0 to zero before attempting to receive data.
3564 |
3565 | ### Power-consumption
3566 |
3567 | After using the IR port, be sure to reset the register to zero in order to
3568 | reduce battery power consumption.
3569 |
3570 | ## GBA Keypad Input
3571 |
3572 | The built-in GBA gamepad has 4 direction keys, and 6 buttons.
3573 |
3574 | ### 4000130h - KEYINPUT - Key Status (R)
3575 |
3576 | ```
3577 | Bit Expl.
3578 | 0 Button A (0=Pressed, 1=Released)
3579 | 1 Button B (etc.)
3580 | 2 Select (etc.)
3581 | 3 Start (etc.)
3582 | 4 Right (etc.)
3583 | 5 Left (etc.)
3584 | 6 Up (etc.)
3585 | 7 Down (etc.)
3586 | 8 Button R (etc.)
3587 | 9 Button L (etc.)
3588 | 10-15 Not used
3589 | ```
3590 |
3591 | It is usually recommended to read this register only once per frame, and
3592 | to store the current state in memory. As a side effect, this method avoids
3593 | problems caused by switch bounce when a key is newly released or pressed.
3594 |
3595 | ### 4000132h - KEYCNT - Key Interrupt Control (R/W)
3596 |
3597 | The keypad IRQ function is intended to terminate the very-low-power Stop mode;
3598 | it is not suitable for processing normal user input. For that, most programs
3599 | invoke their keypad handlers from within the VBlank IRQ.
3600 |
3601 | ```
3602 | Bit Expl.
3603 | 0 Button A (0=Ignore, 1=Select)
3604 | 1 Button B (etc.)
3605 | 2 Select (etc.)
3606 | 3 Start (etc.)
3607 | 4 Right (etc.)
3608 | 5 Left (etc.)
3609 | 6 Up (etc.)
3610 | 7 Down (etc.)
3611 | 8 Button R (etc.)
3612 | 9 Button L (etc.)
3613 | 10-13 Not used
3614 | 14 IRQ Enable Flag (0=Disable, 1=Enable)
3615 | 15 IRQ Condition (0=Logical OR, 1=Logical AND)
3616 | ```
3617 |
3618 | In logical OR mode, an interrupt is requested when at least one of the selected
3619 | buttons is pressed.
3620 |
3621 | In logical AND mode, an interrupt is requested when ALL of the selected buttons
3622 | are pressed.
3623 |
3624 | ### Notes
3625 |
3626 | In 8bit gameboy compatibility mode, L and R Buttons are used to toggle the
3627 | screen size between normal 160x144 pixels and stretched 240x144 pixels.
3628 |
3629 | The GBA SP additionally has a \* Button used to toggle the backlight on
3630 | and off (controlled by separate hardware logic, there's no way to detect or
3631 | change the current backlight state by software).
3632 |
3633 | ## GBA Interrupt Control
3634 |
3635 | ### 4000208h - IME - Interrupt Master Enable Register (R/W)
3636 |
3637 | ```
3638 | Bit Expl.
3639 | 0 Disable all interrupts (0=Disable All, 1=See IE register)
3640 | 1-31 Not used
3641 | ```
3642 |
3643 | ### 4000200h - IE - Interrupt Enable Register (R/W)
3644 |
3645 | ```
3646 | Bit Expl.
3647 | 0 LCD V-Blank (0=Disable)
3648 | 1 LCD H-Blank (etc.)
3649 | 2 LCD V-Counter Match (etc.)
3650 | 3 Timer 0 Overflow (etc.)
3651 | 4 Timer 1 Overflow (etc.)
3652 | 5 Timer 2 Overflow (etc.)
3653 | 6 Timer 3 Overflow (etc.)
3654 | 7 Serial Communication (etc.)
3655 | 8 DMA 0 (etc.)
3656 | 9 DMA 1 (etc.)
3657 | 10 DMA 2 (etc.)
3658 | 11 DMA 3 (etc.)
3659 | 12 Keypad (etc.)
3660 | 13 Game Pak (external IRQ source) (etc.)
3661 | 14-15 Not used
3662 | ```
3663 |
3664 | Note that there is another 'master enable flag' directly in the CPU's Status
3665 | Register (CPSR) accessible in privileged modes, see CPU reference for details.
3666 |
3667 | ### 4000202h - IF - Interrupt Request Flags / IRQ Acknowledge (R/W, see below)
3668 |
3669 | ```
3670 | Bit Expl.
3671 | 0 LCD V-Blank (1=Request Interrupt)
3672 | 1 LCD H-Blank (etc.)
3673 | 2 LCD V-Counter Match (etc.)
3674 | 3 Timer 0 Overflow (etc.)
3675 | 4 Timer 1 Overflow (etc.)
3676 | 5 Timer 2 Overflow (etc.)
3677 | 6 Timer 3 Overflow (etc.)
3678 | 7 Serial Communication (etc.)
3679 | 8 DMA 0 (etc.)
3680 | 9 DMA 1 (etc.)
3681 | 10 DMA 2 (etc.)
3682 | 11 DMA 3 (etc.)
3683 | 12 Keypad (etc.)
3684 | 13 Game Pak (external IRQ source) (etc.)
3685 | 14-15 Not used
3686 | ```
3687 |
3688 | Interrupts must be manually acknowledged by writing a "1" to one of the IRQ
3689 | bits, the IRQ bit will then be cleared.
3690 |
3691 | "[Cautions regarding clearing IME and IE]
3692 |
3693 | A corresponding interrupt could occur even while a command to clear IME or each
3694 | flag of the IE register is being executed. When clearing a flag of IE, you need
3695 | to clear IME in advance so that mismatching of interrupt checks will not
3696 | occur." ?
3697 |
3698 | "[When multiple interrupts are used]
3699 |
3700 | When the timing of clearing of IME and the timing of an interrupt agree,
3701 | multiple interrupts will not occur during that interrupt. Therefore, set
3702 | (enable) IME after saving IME during the interrupt routine." ?
3703 |
3704 | ### BIOS Interrupt handling
3705 |
3706 | Upon interrupt execution, the CPU is switched into IRQ mode, and the physical
3707 | interrupt vector is called - as this address is located in BIOS ROM, the BIOS
3708 | will always execute the following code before it forwards control to the user
3709 | handler:
3710 |
3711 | ```
3712 | 00000018 b 128h ;IRQ vector: jump to actual BIOS handler
3713 | 00000128 stmfd r13!,r0-r3,r12,r14 ;save registers to SP_irq
3714 | 0000012C mov r0,4000000h ;ptr+4 to 03FFFFFC (mirror of 03007FFC)
3715 | 00000130 add r14,r15,0h ;retadr for USER handler $+8=138h
3716 | 00000134 ldr r15,[r0,-4h] ;jump to [03FFFFFC] USER handler
3717 | 00000138 ldmfd r13!,r0-r3,r12,r14 ;restore registers from SP_irq
3718 | 0000013C subs r15,r14,4h ;return from IRQ (PC=LR-4, CPSR=SPSR)
3719 | ```
3720 |
3721 | As shown above, a pointer to the 32bit/ARM-code user handler must be setup in
3722 | [03007FFCh]. By default, 160 bytes of memory are reserved for interrupt stack
3723 | at 03007F00h-03007F9Fh.
3724 |
3725 | ### Recommended User Interrupt handling
3726 |
3727 | - If necessary switch to THUMB state manually (handler is called in ARM state)
3728 |
3729 | - Determine reason(s) of interrupt by examining IF register
3730 |
3731 | - User program may freely assign priority to each reason by own logic
3732 |
3733 | - Process the most important reason of your choice
3734 |
3735 | - User MUST manually acknowledge by writing to IF register
3736 |
3737 | - If user wants to allow nested interrupts, save SPSR\_irq, then enable IRQs.
3738 |
3739 | - If using other registers than BIOS-pushed R0-R3, manually save R4-R11 also.
3740 |
3741 | - Note that Interrupt Stack is used (which may have limited size)
3742 |
3743 | - So, for memory consuming stack operations use system mode (=user stack).
3744 |
3745 | - When calling subroutines in system mode, save LR\_usr also.
3746 |
3747 | - Restore SPSR\_irq and/or R4-R11 if you've saved them above.
3748 |
3749 | - Finally, return to BIOS handler by BX LR (R14\_irq) instruction.
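
The write-1-to-acknowledge rule for IF, and the examine/prioritize/acknowledge steps listed above, modelled on a host as an added example (not part of the original document). The register struct and the function names are constructed for illustration. On hardware the correct acknowledge is a plain store of the single bit to 4000202h.

```c
#include <stdint.h>
#include <stdio.h>

/* IE/IF bit positions from the tables on this page. */
enum {
    IRQ_VBLANK = 1 << 0,
    IRQ_TIMER0 = 1 << 3,
    IRQ_SERIAL = 1 << 7,
    IRQ_KEYPAD = 1 << 12
};

/* Host-side model of the three registers (constructed for this example). */
typedef struct {
    uint16_t ime;    /* 4000208h, only bit 0 is used */
    uint16_t ie;     /* 4000200h */
    uint16_t iflag;  /* 4000202h */
} irq_regs_t;

typedef void (*ack_fn)(irq_regs_t *, uint16_t);

/* Hardware side: an event sets its request bit. */
static void irq_raise(irq_regs_t *r, uint16_t bit) { r->iflag |= bit; }

/* CPU write to IF: each 1 written clears that request, 0 bits are ignored. */
static void if_write(irq_regs_t *r, uint16_t value) { r->iflag &= (uint16_t)~value; }

/* IRQ is signalled while IME bit 0 is set and (IE AND IF) is non-zero. */
static int irq_line(const irq_regs_t *r) { return (r->ime & 1) && (r->ie & r->iflag); }

/* Wrong: the "REG_IF |= bit" idiom. The read returns every pending request and
 * the write-back hands them all to the hardware as 1s, so all are cleared. */
static void ack_read_modify_write(irq_regs_t *r, uint16_t bit) { if_write(r, r->iflag | bit); }

/* Right: "REG_IF = bit". Only the request being serviced is cleared. */
static void ack_single(irq_regs_t *r, uint16_t bit) { if_write(r, bit); }

/* One handler pass: examine IF, pick the highest-priority enabled request,
 * acknowledge it. Returns the bit serviced, or 0 if no listed source is pending. */
static uint16_t dispatch_one(irq_regs_t *r, const uint16_t *priority, int n, ack_fn ack)
{
    uint16_t pending = r->ie & r->iflag;

    for (int i = 0; i < n; i++) {
        if (pending & priority[i]) {
            ack(r, priority[i]);
            return priority[i];
        }
    }
    return 0;
}

/* Re-enter the handler until the IRQ line drops. Returns how many requests
 * actually reached a handler. */
static unsigned drain(irq_regs_t *r, ack_fn ack)
{
    static const uint16_t priority[] = { IRQ_VBLANK, IRQ_TIMER0, IRQ_KEYPAD };
    unsigned handled = 0;

    while (irq_line(r)) {
        if (!dispatch_one(r, priority, 3, ack))
            break;  /* enabled source without a handler: stop instead of spinning */
        handled++;
    }
    return handled;
}

int main(void)
{
    irq_regs_t r = { 1, IRQ_VBLANK | IRQ_TIMER0 | IRQ_KEYPAD, 0 };

    irq_raise(&r, IRQ_VBLANK); irq_raise(&r, IRQ_TIMER0); irq_raise(&r, IRQ_KEYPAD);
    printf("single-bit ack:        %u of 3 serviced\n", drain(&r, ack_single));

    irq_raise(&r, IRQ_VBLANK); irq_raise(&r, IRQ_TIMER0); irq_raise(&r, IRQ_KEYPAD);
    printf("read-modify-write ack: %u of 3 serviced\n", drain(&r, ack_read_modify_write));
    return 0;
}
```

The same rule applies to JOYCNT bits 0-2, which this document describes as working like the IF bits.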
3750 |
3751 | ### Default memory usage at 03007FXX (and mirrored to 03FFFFXX)
3752 |
3753 | ```
3754 | Addr. Size Expl.
3755 | 3007FFCh 4 Pointer to user IRQ handler (32bit ARM code)
3756 | 3007FF8h 2 Interrupt Check Flag (for IntrWait/VBlankIntrWait functions)
3757 | 3007FF4h 4 Allocated Area
3758 | 3007FF0h 4 Pointer to Sound Buffer
3759 | 3007FE0h 16 Allocated Area
3760 | 3007FA0h 64 Default area for SP_svc Supervisor Stack (4 words/time)
3761 | 3007F00h 160 Default area for SP_irq Interrupt Stack (6 words/time)
3762 | ```
3763 |
3764 | Memory below 7F00h is free for User Stack and user data. The three stack
3765 | pointers are initialized at the TOP of the respective areas:
3766 |
3767 | ```
3768 | SP_svc=03007FE0h
3769 | SP_irq=03007FA0h
3770 | SP_usr=03007F00h
3771 | ```
3772 |
3773 | The user may redefine these addresses and move stacks into other locations,
3774 | however, the addresses for system data at 7FE0h-7FFFh are fixed.
3775 |
3776 | ### Not sure, is following free for user ?
3777 |
3778 | Registers R8-R12\_fiq, R13\_fiq, R14\_fiq, SPSR\_fiq
3779 |
3780 | Registers R13-R14\_abt, SPSR\_abt
3781 |
3782 | Registers R13-R14\_und, SPSR\_und
3783 |
3784 | ### Fast Interrupt (FIQ)
3785 |
3786 | The ARM CPU provides two interrupt sources, IRQ and FIQ. In the GBA only IRQ is
3787 | used. In normal GBAs, the FIQ signal is shortcut to VDD35, ie. the signal is
3788 | always high, and there is no way to generate a FIQ by hardware. The registers
3789 | R8..12\_fiq could be used by software (when switching into FIQ mode by writing
3790 | to CPSR) - however, this might make the game incompatible with hardware
3791 | debuggers (which are reportedly using FIQs for debugging purposes).
3792 |
3793 | ## GBA System Control
3794 |
3795 | ### 4000204h - WAITCNT - Waitstate Control (R/W)
3796 |
3797 | This register is used to configure game pak access timings. The game pak ROM is
3798 | mirrored to three address regions at 08000000h, 0A000000h, and 0C000000h, these
3799 | areas are called Wait State 0-2. Different access timings may be assigned to
3800 | each area (this might be useful in case that a game pak contains several ROM
3801 | chips with different access times each).
3802 |
3803 | ```
3804 | Bit Expl.
3805 | 0-1 SRAM Wait Control (0..3 = 4,3,2,8 cycles)
3806 | 2-3 Wait State 0 First Access (0..3 = 4,3,2,8 cycles)
3807 | 4 Wait State 0 Second Access (0..1 = 2,1 cycles)
3808 | 5-6 Wait State 1 First Access (0..3 = 4,3,2,8 cycles)
3809 | 7 Wait State 1 Second Access (0..1 = 4,1 cycles; unlike above WS0)
3810 | 8-9 Wait State 2 First Access (0..3 = 4,3,2,8 cycles)
3811 | 10 Wait State 2 Second Access (0..1 = 8,1 cycles; unlike above WS0,WS1)
3812 | 11-12 PHI Terminal Output (0..3 = Disable, 4.19MHz, 8.38MHz, 16.78MHz)
3813 | 13 Not used
3814 | 14 Game Pak Prefetch Buffer (Pipe) (0=Disable, 1=Enable)
3815 | 15 Game Pak Type Flag (Read Only) (0=GBA, 1=CGB) (IN35 signal)
3816 | 16-31 Not used
3817 | ```
3818 |
3819 | At startup, the default setting is 0000h. Currently manufactured cartridges are
3820 | using the following settings: WS0/ROM=3,1 clks; SRAM=8 clks; WS2/EEPROM: 8,8
3821 | clks; prefetch enabled; that is, WAITCNT=4317h, for more info see "GBA
3822 | Cartridges" chapter.
3823 |
3824 | First Access (Non-sequential) and Second Access (Sequential) define the
3825 | waitstates for N and S cycles, the actual access time is 1 clock cycle PLUS the
3826 | number of waitstates.
3827 |
3828 | GamePak uses 16bit data bus, so that a 32bit access is split into TWO 16bit
3829 | accesses (of which, the second fragment is always sequential, even if the first
3830 | fragment was non-sequential).
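
A decoder for the WAITCNT layout above, checked against the 4317h setting quoted in the text. This is an added example, not part of the original document. The struct, the function names and the lint flags are constructed for illustration, and the cycle count ignores the prefetch buffer.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct {
    unsigned sram;       /* SRAM wait value */
    unsigned first[3];   /* WS0..WS2 first (non-sequential) access value */
    unsigned second[3];  /* WS0..WS2 second (sequential) access value */
    unsigned phi;        /* 0..3 = Disable, 4.19MHz, 8.38MHz, 16.78MHz */
    int prefetch;        /* bit 14 */
    int cgb_pak;         /* bit 15, read only */
} waitcnt_t;

enum {
    WAITCNT_LINT_PHI_ON = 1,  /* the text says PHI output should be disabled */
    WAITCNT_LINT_BIT13  = 2   /* "Not used" bit set */
};

static waitcnt_t waitcnt_decode(uint16_t v)
{
    static const unsigned first_tab[4] = { 4, 3, 2, 8 };
    /* The second-access table differs per wait state region. */
    static const unsigned second_tab[3][2] = { { 2, 1 }, { 4, 1 }, { 8, 1 } };
    static const unsigned first_shift[3] = { 2, 5, 8 };
    static const unsigned second_bit[3] = { 4, 7, 10 };
    waitcnt_t w;

    w.sram = first_tab[v & 3];
    for (int ws = 0; ws < 3; ws++) {
        w.first[ws]  = first_tab[(v >> first_shift[ws]) & 3];
        w.second[ws] = second_tab[ws][(v >> second_bit[ws]) & 1];
    }
    w.phi      = (v >> 11) & 3;
    w.prefetch = (v >> 14) & 1;
    w.cgb_pak  = (v >> 15) & 1;
    return w;
}

/* Access time as the text states it: 1 clock cycle plus the table value.
 * A 32bit access is two 16bit accesses, the second always sequential. */
static unsigned rom_access_cycles(const waitcnt_t *w, int ws, int bits32, int sequential)
{
    unsigned cycles = 1 + (sequential ? w->second[ws] : w->first[ws]);

    if (bits32)
        cycles += 1 + w->second[ws];
    return cycles;
}

/* Flags settings the text advises against or leaves undefined. */
static unsigned waitcnt_lint(uint16_t v)
{
    unsigned flags = 0;

    if ((v >> 11) & 3)
        flags |= WAITCNT_LINT_PHI_ON;
    if (v & (1u << 13))
        flags |= WAITCNT_LINT_BIT13;
    return flags;
}

int main(void)
{
    waitcnt_t w = waitcnt_decode(0x4317);

    printf("SRAM=%u WS0=%u,%u WS1=%u,%u WS2=%u,%u prefetch=%d lint=%u\n",
           w.sram, w.first[0], w.second[0], w.first[1], w.second[1],
           w.first[2], w.second[2], w.prefetch, waitcnt_lint(0x4317));
    printf("WS0 32bit non-sequential read: %u cycles\n",
           rom_access_cycles(&w, 0, 1, 0));
    return 0;
}
```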
3831 |
3832 | - [GBA GamePak Prefetch](#gbagamepakprefetch)
3833 |
3834 | NOTES:
3835 |
3836 | The GBA forcefully uses non-sequential timing at the beginning of each
3837 | 128K-block of gamepak ROM, eg. "LDMIA [801fff8h],r0-r7" will have
3838 | non-sequential timing at 8020000h.
3839 |
3840 | The PHI Terminal output (PHI Pin of Gamepak Bus) should be disabled.
3841 |
3842 | ### 4000300h - POSTFLG - BYTE - Undocumented - Post Boot / Debug Control (R/W)
3843 |
3844 | After initial reset, the GBA BIOS initializes the register to 01h, and any
3845 | further execution of the Reset vector (00000000h) will pass control to the
3846 | Debug vector (0000001Ch) when sensing the register to be still set to 01h.
3847 |
3848 | ```
3849 | Bit Expl.
3850 | 0 Undocumented. First Boot Flag (0=First, 1=Further)
3851 | 1-7 Undocumented. Not used.
3852 | ```
3853 |
3854 | Normally the debug handler rejects control unless it detects Debug flags in
3855 | the cartridge header; in that case it may redirect to a cut-down boot procedure
3856 | (bypassing Nintendo logo and boot delays, much like nocash burst boot for
3857 | multiboot software). I am not sure if it is possible to reset the GBA
3858 | externally without automatically resetting register 300h though.
3859 |
3860 | ### 4000301h - HALTCNT - BYTE - Undocumented - Low Power Mode Control (W)
3861 |
3862 | Writing to this register switches the GBA into battery saving mode.
3863 |
3864 | In Halt mode, the CPU is paused as long as (IE AND IF)=0, this should be used
3865 | to reduce power-consumption during periods when the CPU is waiting for
3866 | interrupt events.
3867 |
3868 | In Stop mode, most of the hardware including sound and video are paused, this
3869 | very-low-power mode could be used much like a screensaver.
3870 |
3871 | ```
3872 | Bit Expl.
3873 | 0-6 Undocumented. Not used.
3874 | 7 Undocumented. Power Down Mode (0=Halt, 1=Stop)
3875 | ```
3876 |
3877 | The current GBA BIOS addresses only the upper eight bits of this register (by
3878 | writing 00h or 80h to address 04000301h), however, as the register isn't
3879 | officially documented, some or all of the bits might have different meanings in
3880 | future GBA models.
3881 |
3882 | For best forwards compatibility, it is generally recommended to use the
3883 | BIOS Functions SWI 2 (Halt) or SWI 3 (Stop) rather than writing to this
3884 | register directly.
3885 |
3886 | ### 4000410h - Undocumented - Purpose Unknown ? 8bit (W)
3887 |
3888 | The BIOS writes the 8bit value 0FFh to this address. Purpose Unknown.
3889 |
3890 | Probably just another bug in the BIOS.
3891 |
3892 | ### 4000800h - 32bit - Undocumented - Internal Memory Control (R/W)
3893 |
3894 | Supported by GBA and GBA SP only - NOT supported by DS (even in GBA mode).
3895 |
3896 | Also supported by GBA Micro - but crashes on "overclocked" WRAM setting.
3897 |
3898 | Initialized to 0D000020h (by hardware). Unlike all other I/O registers, this
3899 | register is mirrored across the whole I/O area (in increments of 64K, ie. at
3900 | 4000800h, 4010800h, 4020800h, ..., 4FF0800h)
3901 |
3902 | ```
3903 | Bit Expl.
3904 | 0 Disable 32K+256K WRAM (0=Normal, 1=Disable) (when off: empty/prefetch)
3905 | 1-3 Unknown (Read/Write-able)
3906 | 4 Unknown (Always zero, not used or write only)
3907 | 5 Enable 256K WRAM (0=Disable, 1=Normal) (when off: mirror of 32K WRAM)
3908 | 6-23 Unknown (Always zero, not used or write only)
3909 | 24-27 Wait Control WRAM 256K (0-14 = 15..1 Waitstates, 15=Lockup)
3910 | 28-31 Unknown (Read/Write-able)
3911 | ```
3912 |
3913 | The default value 0Dh in Bits 24-27 selects 2 waitstates for 256K WRAM (ie.
3914 | 3/3/6 cycles 8/16/32bit accesses). The fastest possible setting would be 0Eh (1
3915 | waitstate, 2/2/4 cycles for 8/16/32bit), that works on GBA and GBA SP only, the
3916 | GBA Micro locks up with that setting (its on-chip RAM is too slow, and works
3917 | only with 2 or more waitstates).
3918 |
3919 | Note: One cycle equals approx. 59.59ns (ie. 16.78MHz clock).
3920 |
3921 | ## GBA GamePak Prefetch
3922 |
3923 | GamePak Prefetch can be enabled in WAITCNT register. When prefetch buffer is
3924 | enabled, the GBA attempts to read opcodes from Game Pak ROM during periods when
3925 | the CPU is not using the bus (if any). Memory access is then performed with 0
3926 | Waits if the CPU requests data which is already stored in the buffer. The
3927 | prefetch buffer stores up to eight 16bit values.
3928 |
3929 | ### GamePak ROM Opcodes
3930 |
3931 | The prefetch feature works only with opcodes fetched from GamePak ROM.
3932 | Opcodes executed in RAM or BIOS are not affected by the prefetch feature (even
3933 | if those opcodes read data from GamePak ROM).
3934 |
3935 | ### Prefetch Enable
3936 |
3937 | For GamePak ROM opcodes, prefetch may occur in two situations:
3938 |
3939 | ```
3940 | 1) opcodes with internal cycles (I) which do not change R15, shift/rotate
3941 | register-by-register, load opcodes (ldr,ldm,pop,swp), multiply opcodes
3942 | 2) opcodes that load/store memory (ldr,str,ldm,stm,etc.)
3943 | ```
3944 |
3945 | ### Prefetch Disable Bug
3946 |
3947 | When Prefetch is disabled, the Prefetch Disable Bug will occur for all
3948 |
3949 | ```
3950 | "Opcodes in GamePak ROM with Internal Cycles which do not change R15"
3951 | ```
3952 |
3953 | for those opcodes, the bug changes the opcode fetch time from 1S to 1N.
3954 |
3955 | Note: Affected opcodes (with I cycles) are: Shift/rotate register-by-register
3956 | opcodes, multiply opcodes, and load opcodes (ldr,ldm,pop,swp).
3957 |
3958 | ## GBA Cartridges
3959 |
3960 | ### ROM
3961 |
3962 | - [GBA Cartridge Header](#gbacartridgeheader)
3963 | - [GBA Cartridge ROM](#gbacartridgerom)
3964 |
3965 | ### Backup Media
3966 |
3967 | Aside from ROM, cartridges may also include one of the following backup media,
3968 | used to store game positions, highscore tables, options, or other data.
3969 |
3970 | - [GBA Cart Backup IDs](#gbacartbackupids)
3971 | - [GBA Cart Backup SRAM/FRAM](#gbacartbackupsramfram)
3972 | - [GBA Cart Backup EEPROM](#gbacartbackupeeprom)
3973 | - [GBA Cart Backup Flash ROM](#gbacartbackupflashrom)
3974 | - [GBA Cart Backup DACS](#gbacartbackupdacs)
3975 |
3976 | ### Add-Ons
3977 |
3978 | - [GBA Cart I/O Port (GPIO)](#gbacartioportgpio)
3979 | - [GBA Cart Real-Time Clock (RTC)](#gbacartrealtimeclockrtc)
3980 | - [GBA Cart Solar Sensor](#gbacartsolarsensor)
3981 | - [GBA Cart Tilt Sensor](#gbacarttiltsensor)
3982 | - [GBA Cart Gyro Sensor](#gbacartgyrosensor)
3983 | - [GBA Cart Rumble](#gbacartrumble)
3984 | - [GBA Cart e-Reader](#gbacartereader)
3985 | - [GBA Cart Unknown Devices](#gbacartunknowndevices)
3986 | - [GBA Cart Protections](#gbacartprotections)
3987 |
3988 | ### Other Accessories
3989 |
3990 | - [GBA Flashcards](#gbaflashcards)
3991 | - [GBA Cheat Devices](#gbacheatdevices)
3992 |
3993 | ## GBA Cartridge Header
3994 |
3995 | The first 192 bytes at 8000000h-80000BFh in ROM are used as cartridge header.
3996 | The same header is also used for Multiboot images at 2000000h-20000BFh (plus
3997 | some additional multiboot entries at 20000C0h and up).
3998 |
3999 | ### Header Overview
4000 |
4001 | ```
4002 | Address Bytes Expl.
4003 | 000h 4 ROM Entry Point (32bit ARM branch opcode, eg. "B rom_start")
4004 | 004h 156 Nintendo Logo (compressed bitmap, required!)
4005 | 0A0h 12 Game Title (uppercase ascii, max 12 characters)
4006 | 0ACh 4 Game Code (uppercase ascii, 4 characters)
4007 | 0B0h 2 Maker Code (uppercase ascii, 2 characters)
4008 | 0B2h 1 Fixed value (must be 96h, required!)
4009 | 0B3h 1 Main unit code (00h for current GBA models)
4010 | 0B4h 1 Device type (usually 00h) (bit7=DACS/debug related)
4011 | 0B5h 7 Reserved Area (should be zero filled)
4012 | 0BCh 1 Software version (usually 00h)
4013 | 0BDh 1 Complement check (header checksum, required!)
4014 | 0BEh 2 Reserved Area (should be zero filled)
4015 | --- Additional Multiboot Header Entries ---
4016 | 0C0h 4 RAM Entry Point (32bit ARM branch opcode, eg. "B ram_start")
4017 | 0C4h 1 Boot mode (init as 00h - BIOS overwrites this value!)
4018 | 0C5h 1 Slave ID Number (init as 00h - BIOS overwrites this value!)
4019 | 0C6h 26 Not used (seems to be unused)
4020 | 0E0h 4 JOYBUS Entry Pt. (32bit ARM branch opcode, eg. "B joy_start")
4021 | ```
4022 |
4023 | Note: With all entry points, the CPU is initially set into system mode.
4024 |
4025 | ### 000h - Entry Point, 4 Bytes
4026 |
4027 | Space for a single 32bit ARM opcode that redirects to the actual start address
4028 | of the cartridge; this should usually be a "B rom_start" instruction.
4029 |
4030 | Note: This entry is ignored by Multiboot slave GBAs (in fact, the entry is then
4031 | overwritten and redirected to a separate Multiboot Entry Point, as described
4032 | below).
4033 |
4034 | ### 004h..09Fh - Nintendo Logo, 156 Bytes
4035 |
4036 | Contains the Nintendo logo which is displayed during the boot procedure.
4037 | Cartridge won't work if this data is missing or modified.
4038 |
4039 | In detail: This area contains Huffman compression data (but excluding the
4040 | compression header which is hardcoded in the BIOS, so that it'd be probably not
4041 | possible to hack the GBA by producing de-compression buffer overflows).
4042 |
4043 | A copy of the compression data is stored in the BIOS, the GBA will compare this
4044 | data and lock-up itself if the BIOS data isn't exactly the same as in the
4045 | cartridge (or multiboot header). The only exceptions are the two entries below
4046 | which are allowed to have variable settings in some bits.
4047 |
4048 | ### 09Ch Bit 2,7 - Debugging Enable
4049 |
4050 | This is part of the above Nintendo Logo area, and must be commonly set to 21h,
4051 | however, Bit 2 and Bit 7 may be set to other values.
4052 |
4053 | When both bits are set (ie. A5h), the FIQ/Undefined Instruction handler in the
4054 | BIOS becomes unlocked, the handler then forwards these exceptions to the user
4055 | handler in cartridge ROM (entry point defined in 80000B4h, see below).
4056 |
4057 | Other bit combinations currently do not seem to have special functions.
4058 |
4059 | ### 09Eh Bit 0,1 - Cartridge Key Number MSBs
4060 |
4061 | This is part of the above Nintendo Logo area, and must be commonly set to F8h,
4062 | however, Bit 0-1 may be set to other values.
4063 |
4064 | During startup, the BIOS performs some dummy-reads from a stream of pre-defined
4065 | addresses, even though these reads seem to be meaningless, they might be
4066 | intended to unlock a read-protection inside of commercial cartridges. There are
4067 | 16 pre-defined address streams - selected by a 4bit key number - of which the
4068 | upper two bits are gained from 800009Eh Bit 0-1, and the lower two bits from a
4069 | checksum across header bytes 09Dh..0B7h (bytewise XORed, divided by 40h).
4070 |
4071 | ### 0A0h - Game Title, Uppercase Ascii, max 12 characters
4072 |
4073 | Space for the game title, padded with 00h (if less than 12 chars).
4074 |
4075 | ### 0ACh - Game Code, Uppercase Ascii, 4 characters
4076 |
4077 | This is the same code as the AGB-UTTD code which is printed on the package and
4078 | sticker on (commercial) cartridges (excluding the leading "AGB-" part).
4079 |
4080 | ```
4081 | U Unique Code (usually "A" or "B" or special meaning)
4082 | TT Short Title (eg. "PM" for Pac Man)
4083 | D Destination/Language (usually "J" or "E" or "P" or specific language)
4084 | ```
4085 |
4086 | The first character (U) is usually "A" or "B", in detail:
4087 |
4088 | ```
4089 | A Normal game; Older titles (mainly 2001..2003)
4090 | B Normal game; Newer titles (2003..)
4091 | C Normal game; Not used yet, but might be used for even newer titles
4092 | F Famicom/Classic NES Series (software emulated NES games)
4093 | K Yoshi and Koro Koro Puzzle (acceleration sensor)
4094 | P e-Reader (dot-code scanner)
4095 | R Warioware Twisted (cartridge with rumble and z-axis gyro sensor)
4096 | U Boktai 1 and 2 (cartridge with RTC and solar sensor)
4097 | V Drill Dozer (cartridge with rumble)
4098 | ```
4099 |
4100 | The second/third characters (TT) are:
4101 |
4102 | ```
4103 | Usually an abbreviation of the game title (eg. "PM" for "Pac Man") (unless
4104 | that gamecode was already used for another game, then TT is just random)
4105 | ```
4106 |
4107 | The fourth character (D) indicates Destination/Language:
4108 |
4109 | ```
4110 | J Japan P Europe/Elsewhere F French S Spanish
4111 | E USA/English D German I Italian
4112 | ```
4113 |
4114 | ### 0B0h - Maker code, Uppercase Ascii, 2 characters
4115 |
4116 | Identifies the (commercial) developer. For example, "01"=Nintendo.
4117 |
4118 | ### 0B2h - Fixed value, 1 Byte
4119 |
4120 | Must be 96h.
4121 |
4122 | ### 0B3h - Main unit code, 1 Byte
4123 |
4124 | Identifies the required hardware. Should be 00h for current GBA models.
4125 |
4126 | ### 0B4h - Device type, 1 Byte
4127 |
4128 | Normally, this entry should be zero. With Nintendo's hardware debugger Bit 7
4129 | identifies the debugging handlers entry point and size of DACS (Debugging And
4130 | Communication System) memory: Bit7=0: 9FFC000h/8MBIT DACS, Bit7=1:
4131 | 9FE2000h/1MBIT DACS. The debugging handler can be enabled in 800009Ch (see
4132 | above), normal cartridges do not have any memory (nor any mirrors) at these
4133 | addresses though.
4134 |
4135 | ### 0B5h - Reserved Area, 7 Bytes
4136 |
4137 | Reserved, zero filled.
4138 |
4139 | ### 0BCh - Software version number
4140 |
4141 | Version number of the game. Usually zero.
4142 |
4143 | ### 0BDh - Complement check, 1 Byte
4144 |
4145 | Header checksum, cartridge won't work if incorrect. Calculate as such:
4146 |
4147 | `chk=0:for i=0A0h to 0BCh:chk=chk-[i]:next:chk=(chk-19h) and 0FFh`
4148 |
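The header checks described above (fixed value 96h, complement check, debugging bits in 09Ch, key number from 09Eh and the XOR of 09Dh..0B7h), as an added example in C that is not part of the original document. The function names, the sample title and game code, and the reading of "divided by 40h" as the top two bits of the XOR byte are assumptions; the logo comparison is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GBA_HEADER_SIZE 0xC0   /* 192 bytes, 000h..0BFh */

enum gba_hdr_status {
    GBA_HDR_OK = 0,
    GBA_HDR_TOO_SHORT,      /* image smaller than the header */
    GBA_HDR_BAD_FIXED,      /* 0B2h is not 96h */
    GBA_HDR_BAD_CHECKSUM    /* 0BDh does not match bytes 0A0h..0BCh */
};

/* chk=0: for i=0A0h to 0BCh: chk=chk-[i]: next: chk=(chk-19h) and 0FFh */
uint8_t gba_complement_check(const uint8_t *hdr)
{
    uint8_t chk = 0;
    for (size_t i = 0xA0; i <= 0xBC; i++)
        chk = (uint8_t)(chk - hdr[i]);
    return (uint8_t)(chk - 0x19);
}

/* 4bit key number: upper two bits from 09Eh bits 0-1, lower two bits from
   the XOR of bytes 09Dh..0B7h divided by 40h. */
uint8_t gba_key_number(const uint8_t *hdr)
{
    uint8_t x = 0;
    for (size_t i = 0x9D; i <= 0xB7; i++)
        x ^= hdr[i];
    return (uint8_t)(((hdr[0x9E] & 0x03) << 2) | (x / 0x40));
}

/* Bit 2 and Bit 7 of 09Ch both set (ie. A5h) unlocks the FIQ/Undefined handler. */
int gba_debug_enabled(const uint8_t *hdr)
{
    return (hdr[0x9C] & 0x84) == 0x84;
}

/* Checks that need no BIOS data. The logo comparison is left out because
   the 156 logo bytes are not reproduced here. */
enum gba_hdr_status gba_header_validate(const uint8_t *rom, size_t len)
{
    if (rom == NULL || len < GBA_HEADER_SIZE) return GBA_HDR_TOO_SHORT;
    if (rom[0xB2] != 0x96) return GBA_HDR_BAD_FIXED;
    if (rom[0xBD] != gba_complement_check(rom)) return GBA_HDR_BAD_CHECKSUM;
    return GBA_HDR_OK;
}

/* Constructed sample header: the logo area is zero-filled except 09Ch/09Eh. */
void gba_make_sample_header(uint8_t hdr[GBA_HEADER_SIZE])
{
    static const uint8_t entry[4] = { 0x2E, 0x00, 0x00, 0xEA }; /* ARM "B 0C0h" */
    memset(hdr, 0, GBA_HEADER_SIZE);
    memcpy(hdr + 0x00, entry, 4);
    hdr[0x9C] = 0x21;
    hdr[0x9E] = 0xF8;
    memcpy(hdr + 0xA0, "EXAMPLE", 7);   /* title, padded with 00h */
    memcpy(hdr + 0xAC, "AXXE", 4);      /* game code (constructed) */
    memcpy(hdr + 0xB0, "01", 2);        /* maker code */
    hdr[0xB2] = 0x96;
    hdr[0xBD] = gba_complement_check(hdr);
}

int main(void)
{
    uint8_t hdr[GBA_HEADER_SIZE];
    gba_make_sample_header(hdr);
    printf("complement check = %02Xh\n", (unsigned)hdr[0xBD]);
    printf("status = %d, key = %u, debug = %d\n",
           (int)gba_header_validate(hdr, sizeof hdr),
           (unsigned)gba_key_number(hdr), gba_debug_enabled(hdr));
    hdr[0xA0] ^= 0x01;                  /* one flipped title bit invalidates 0BDh */
    printf("after tamper status = %d\n", (int)gba_header_validate(hdr, sizeof hdr));
    return 0;
}
```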
4149 | ### 0BEh - Reserved Area, 2 Bytes
4150 |
4151 | Reserved, zero filled.
4152 |
4153 | Below required for Multiboot/slave programs only. For Multiboot, the above 192
4154 | bytes are required to be transferred as header-block (loaded to
4155 | 2000000h-20000BFh), and some additional header-information must be located at
4156 | the beginning of the actual program/data-block (loaded to 20000C0h and up).
4157 | This extended header consists of Multiboot Entry point(s) which must be set up
4158 | correctly, and of two reserved bytes which are overwritten by the boot
4159 | procedure:
4160 |
4161 | ### 0C0h - Normal/Multiplay mode Entry Point
4162 |
4163 | This entry is used only if the GBA has been booted by using Normal or Multiplay
4164 | transfer mode (but not by Joybus mode).
4165 |
4166 | Typically deposit an ARM 32bit "B ram_start" branch opcode at this location,
4167 | which is pointing to your actual initialization procedure.
4168 |
4169 | ### 0C4h (BYTE) - Boot mode
4170 |
4171 | The slave GBA download procedure overwrites this byte by a value which is
4172 | indicating the used multiboot transfer mode.
4173 |
4174 | ```
4175 | Value Expl.
4176 | 01h Joybus mode
4177 | 02h Normal mode
4178 | 03h Multiplay mode
4179 | ```
4180 |
4181 | Typically set this byte to zero by inserting DCB 00h in your source.
4182 |
4183 | Be sure that your uploaded program does not contain important program code or
4184 | data at this location, or at the ID-byte location below.
4185 |
4186 | ### 0C5h (BYTE) - Slave ID Number
4187 |
4188 | If the GBA has been booted in Normal or Multiplay mode, this byte becomes
4189 | overwritten by the slave ID number of the local GBA (that'd be always 01h for
4190 | normal mode).
4191 |
4192 | ```
4193 | Value Expl.
4194 | 01h Slave #1
4195 | 02h Slave #2
4196 | 03h Slave #3
4197 | ```
4198 |
4199 | Typically set this byte to zero by inserting DCB 00h in your source.
4200 |
4201 | When booted in Joybus mode, the value is NOT changed and remains the same as
4202 | uploaded from the master GBA.
4203 |
4204 | ### 0C6h..0DFh - Not used
4205 |
4206 | Appears to be unused.
4207 |
4208 | ### 0E0h - Joybus mode Entry Point
4209 |
4210 | If the GBA has been booted by using Joybus transfer mode, then the entry point
4211 | is located at this address rather than at 20000C0h. Either put your
4212 | initialization procedure directly at this address, or redirect to the actual
4213 | boot procedure by depositing a "B joy_start" opcode here (either one using
4214 | 32bit ARM code). Or, if you are not intending to support joybus mode (which is
4215 | probably rarely used), ignore this entry.
4216 |
4217 | ## GBA Cartridge ROM
4218 |
4219 | ### ROM Size
4220 |
4221 | The games F-ZERO and Super Mario Advance use ROMs of 4 MBytes each. Zelda uses
4222 | 8 MBytes. Not sure if other sizes are manufactured.
4223 |
4224 | ### ROM Waitstates
4225 |
4226 | The GBA starts the cartridge with 4,2 waitstates (N,S) and prefetch disabled.
4227 | The program may change these settings by writing to WAITCNT, the games F-ZERO
4228 | and Super Mario Advance use 3,1 waitstates (N,S) each, with prefetch enabled.
4229 |
4230 | Third-party flashcards are reportedly running unstable with these settings.
4231 | Also, prefetch and shorter waitstates allow more data and opcodes to be
4232 | read from ROM in less time, the downside is that it increases the power
4233 | consumption.
4234 |
4235 | ### ROM Chip
4236 |
4237 | Because of how 24bit addresses are squeezed through the Gamepak bus, the
4238 | cartridge must include a circuit that latches the lower 16 address bits on
4239 | non-sequential access, and that increments these bits on sequential access.
4240 | Nintendo includes this circuit directly in the ROM chip.
4241 |
4242 | Also, the ROM must have 16bit data bus (or a circuit which converts two 8bit
4243 | data units into one 16bit unit - by not exceeding the waitstate timings).
4244 |
4245 | ## GBA Cart Backup IDs
4246 |
4247 | Nintendo didn't include a backup-type entry in the ROM header, however, the
4248 | required type can be detected by ID strings in the ROM-image. Nintendo's tools
4249 | are automatically inserting these strings (as part of their library headers).
4250 | When using other tools, you may insert ID strings by hand.
4251 |
4252 | ### ID Strings
4253 |
4254 | The ID string must be located at a word-aligned memory location, the string
4255 | length should be a multiple of 4 bytes (padded with zeros).
4256 |
4257 | ```
4258 | EEPROM_Vnnn EEPROM 512 bytes or 8 Kbytes (4Kbit or 64Kbit)
4259 | SRAM_Vnnn SRAM 32 Kbytes (256Kbit)
4260 | FLASH_Vnnn FLASH 64 Kbytes (512Kbit) (ID used in older files)
4261 | FLASH512_Vnnn FLASH 64 Kbytes (512Kbit) (ID used in newer files)
4262 | FLASH1M_Vnnn FLASH 128 Kbytes (1Mbit)
4263 | ```
4264 |
4265 | For Nintendo's tools, "nnn" is a 3-digit library version number. When using
4266 | other tools, best keep it set to "nnn" rather than inserting numeric digits.
4267 |
4268 | ### Notes
4269 |
4270 | No$gba does auto-detect most backup types, even without ID strings, except for
4271 | 128K FLASH (without ID "FLASH1M\_Vnnn", the FLASH size defaults to 64K).
4272 | Ideally, for faster detection, the ID should be put into the first few bytes
4273 | of the ROM-image (ie. somewhere right after the ROM header).
4274 |
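A scanner for the ID strings listed above, as an added example in C that is not part of the original document. The type and function names and the constructed ROM image are assumptions; the scanner looks only at word-aligned offsets and accepts "nnn" or three digits as the version, as the text describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum backup_type { BACKUP_NONE, BACKUP_EEPROM, BACKUP_SRAM, BACKUP_FLASH64K, BACKUP_FLASH128K };

struct backup_id { const char *prefix; enum backup_type type; uint32_t bytes; };

static const struct backup_id backup_ids[] = {
    { "EEPROM_V",   BACKUP_EEPROM,    0 },           /* 512 bytes or 8 Kbytes, not told by the ID */
    { "SRAM_V",     BACKUP_SRAM,      32 * 1024 },
    { "FLASH_V",    BACKUP_FLASH64K,  64 * 1024 },   /* older files */
    { "FLASH512_V", BACKUP_FLASH64K,  64 * 1024 },   /* newer files */
    { "FLASH1M_V",  BACKUP_FLASH128K, 128 * 1024 },
};

struct backup_hit { enum backup_type type; uint32_t bytes; size_t offset; };

/* The three characters after "_V": literal "nnn" or a 3-digit library version. */
static int version_ok(const uint8_t *p)
{
    for (int i = 0; i < 3; i++)
        if (p[i] != 'n' && (p[i] < '0' || p[i] > '9')) return 0;
    return 1;
}

/* Returns the first ID string found at a word-aligned offset. */
struct backup_hit backup_scan(const uint8_t *rom, size_t len)
{
    struct backup_hit hit = { BACKUP_NONE, 0, 0 };
    for (size_t off = 0; off + 4 <= len; off += 4) {
        for (size_t k = 0; k < sizeof backup_ids / sizeof backup_ids[0]; k++) {
            size_t n = strlen(backup_ids[k].prefix);
            if (n + 3 > len - off) continue;         /* string would run past the image */
            if (memcmp(rom + off, backup_ids[k].prefix, n) != 0) continue;
            if (!version_ok(rom + off + n)) continue;
            hit.type = backup_ids[k].type;
            hit.bytes = backup_ids[k].bytes;
            hit.offset = off;
            return hit;
        }
    }
    return hit;
}

int main(void)
{
    static uint8_t rom[0x200];                       /* constructed image */
    memcpy(rom + 0xE1, "SRAM_V110", 9);              /* unaligned decoy, must be ignored */
    memcpy(rom + 0x100, "FLASH1M_Vnnn", 12);         /* word-aligned ID */
    struct backup_hit h = backup_scan(rom, sizeof rom);
    printf("type=%d bytes=%u offset=%zXh\n", (int)h.type, (unsigned)h.bytes, h.offset);
    return 0;
}
```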
4275 | ## GBA Cart Backup SRAM/FRAM
4276 |
4277 | SRAM - 32 KBytes (256Kbit) Lifetime: Depends on back-up battery
4278 |
4279 | FRAM - 32 KBytes (256Kbit) Lifetime: 10,000,000,000 read/write per bit
4280 |
4281 | Hyundai GM76V256CLLFW10 SRAM (Static RAM) (eg. F-Zero)
4282 |
4283 | Fujitsu MB85R256 FRAM (Ferroelectric RAM) (eg. Warioware Twisted)
4284 |
4285 | ### Addressing and Waitstates
4286 |
4287 | SRAM/FRAM is mapped to E000000h-E007FFFh, it should be accessed with 8
4288 | waitstates (write a value of 3 into Bit0-1 of WAITCNT).
4289 |
4290 | ### Databus Width
4291 |
4292 | The SRAM/FRAM databus is restricted to 8 bits, it should be accessed by LDRB,
4293 | LDRSB, and STRB opcodes only.
4294 |
4295 | ### Reading and Writing
4296 |
4297 | Reading from SRAM/FRAM should be performed by code executed in WRAM only (but
4298 | not by code executed in ROM). There is no such restriction for writing.
4299 |
4300 | ### Preventing Data Loss
4301 |
4302 | The GBA SRAM/FRAM carts do not include a write-protect function (unlike older
4303 | 8bit gameboy carts). This seems to be a problem and may cause data loss when a
4304 | cartridge is removed or inserted while the GBA is still turned on. As far as I
4305 | understand, this is not so much a hardware problem, but rather a software
4306 | problem, ie. theoretically you could remove/insert the cartridge as many times
4307 | as you want, but you should take care that your program does not crash (and
4308 | write blindly into memory).
4309 |
4310 | ### Recommended Workaround
4311 |
4312 | Enable the Gamepak Interrupt (it'll most likely get triggered when removing the
4313 | cartridge), and hang-up the GBA in an endless loop when your interrupt handler
4314 | senses a Gamepak IRQ. For obvious reason, your interrupt handler should be
4315 | located in WRAM, ie. not in the (removed) ROM cartridge. The handler should
4316 | process Gamepak IRQs at highest priority. Periods during which interrupts are
4317 | disabled should be kept as short as possible, if necessary allow nested
4318 | interrupts.
4319 |
4320 | ### When to use the above Workaround
4321 |
4322 | A program that relies wholly on code and data in WRAM, and that does not crash
4323 | even when ROM is removed, may keep operating without having to use the above
4324 | mechanism.
4325 |
4326 | Do NOT use the workaround for programs that run without a cartridge inserted
4327 | (ie. single gamepak/multiboot slaves), or for programs that use Gamepak IRQ/DMA
4328 | for other purposes.
4329 |
4330 | All other programs should use it. It'd be eventually a good idea to include it
4331 | even in programs that do not use SRAM/FRAM themselves (eg. otherwise removing a
4332 | SRAM/FRAM-less cartridge may lock up the GBA, and may cause it to destroy
4333 | backup data when inserting a SRAM/FRAM cartridge).
4334 |
4335 | ### SRAM vs FRAM
4336 |
4337 | FRAM (Ferroelectric RAM) is a newer technology, used in newer GBA carts, unlike
4338 | SRAM (Static RAM), it doesn't require a battery to hold the data. At software
4339 | side, it is accessed exactly like SRAM, ie. unlike EEPROM/FLASH, it doesn't
4340 | require any Write/Erase commands/delays.
4341 |
4342 | ### Note
4343 |
4344 | In SRAM/FRAM cartridges, the /REQ pin (Pin 31 of Gamepak bus) should be a
4345 | little bit shorter than the other pins; when removing the cartridge, this
4346 | causes the gamepak IRQ signal to get triggered before the other pins are
4347 | disconnected.
4348 |
4349 | ## GBA Cart Backup EEPROM
4350 |
4351 | 9853 - EEPROM 512 Bytes (0200h) (4Kbit) (eg. used by Super Mario Advance)
4352 |
4353 | 9854 - EEPROM 8 KBytes (2000h) (64Kbit) (eg. used by Boktai)
4354 |
4355 | Lifetime: 100,000 writes per address
4356 |
4357 | ### Addressing and Waitstates
4358 |
4359 | The eeprom is connected to Bit0 of the data bus, and to the upper 1 bit (or
4360 | upper 17 bits in case of large 32MB ROM) of the cartridge ROM address bus,
4361 | communication with the chip takes place serially.
4362 |
4363 | The eeprom must be used with 8 waitstates (set WAITCNT=X3XXh; 8,8 clks in WS2
4364 | area), the eeprom can be then addressed at DFFFF00h..DFFFFFFh.
4365 |
4366 | Respectively, with eeprom, ROM is restricted to 8000000h-9FFFEFFh (max.
4367 | 1FFFF00h bytes = 32MB minus 256 bytes). On carts with 16MB or smaller ROM,
4368 | eeprom can be alternately accessed anywhere at D000000h-DFFFFFFh.
4369 |
4370 | ### Data and Address Width
4371 |
4372 | Data can be read from (or written to) the EEPROM in units of 64bits (8 bytes).
4373 | Writing automatically erases the old 64bits of data. Addressing works in units
4374 | of 64bits respectively, that is, for 512 Bytes EEPROMS: an address range of
4375 | 0-3Fh, 6bit bus width; and for 8KByte EEPROMs: a range of 0-3FFh, 14bit bus
4376 | width (only the lower 10 address bits are used, upper 4 bits should be zero).
4377 |
4378 | ### Set Address (For Reading)
4379 |
4380 | Prepare the following bitstream in memory:
4381 |
4382 | ```
4383 | 2 bits "11" (Read Request)
4384 | n bits eeprom address (MSB first, 6 or 14 bits, depending on EEPROM)
4385 | 1 bit "0"
4386 | ```
4387 |
4388 | Then transfer the stream to eeprom by using DMA.
4389 |
4390 | ### Read Data
4391 |
4392 | Read a stream of 68 bits from EEPROM by using DMA,
4393 | then decipher the received data as follows:
4394 |
4395 |
4396 | ```
4397 | 4 bits - ignore these
4398 | 64 bits - data (conventionally MSB first)
4399 | ```
4400 |
4401 | ### Write Data to Address
4402 |
4403 | Prepare the following bitstream in memory, then transfer the stream to eeprom
4404 | by using DMA, it'll take ca. 108368 clock cycles (ca. 6.5ms) until the old data
4405 | is erased and new data is programmed.
4406 |
4407 | ```
4408 | 2 bits "10" (Write Request)
4409 | n bits eeprom address (MSB first, 6 or 14 bits, depending on EEPROM)
4410 | 64 bits data (conventionally MSB first)
4411 | 1 bit "0"
4412 | ```
4413 |
4414 | After the DMA, keep reading from the chip, by normal LDRH [DFFFF00h], until Bit
4415 | 0 of the returned data becomes "1" (Ready). To prevent your program from
4416 | locking up in case of malfunction, generate a timeout if the chip does not
4417 | reply after 10ms or longer.
4418 |
4419 | ### Using DMA
4420 |
4421 | Transferring a bitstream to/from the EEPROM by LDRH/STRH opcodes does not work,
4422 | this might be because of timing problems, or because of how the GBA squeezes
4423 | non-sequential memory addresses through the external address/data bus.
4424 |
4425 | For this reason, a buffer in memory must be used (that buffer would be
4426 | typically allocated temporarily on stack, one halfword for each bit, bit1-15 of
4427 | the halfwords are don't care, only bit0 is of interest).
4428 |
4429 | The buffer must be transferred as a whole to/from EEPROM by using DMA3 (only DMA
4430 | 3 is valid to read & write external memory), use 16bit transfer mode, both
4431 | source and destination address incrementing (ie. DMA3CNT=80000000h+length).
4432 |
4433 | DMA channels of higher priority should be disabled during the transfer (ie.
4434 | H/V-Blank or Sound FIFO DMAs). And, of course any interrupts that might mess
4435 | with DMA registers should be disabled.
4436 |
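The read and write bitstreams and the 68-bit reply described above, built as the one-halfword-per-bit buffers that DMA3 transfers, as an added example in C that is not part of the original document. The function names are assumptions; the returned length is the halfword count that goes into DMA3CNT, and the DMA itself is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EEPROM_ADDR_BITS_512B 6    /* 512 Bytes EEPROM, addresses 0-3Fh */
#define EEPROM_ADDR_BITS_8K   14   /* 8 KByte EEPROM, addresses 0-3FFh */
#define EEPROM_REPLY_LEN      68   /* 4 ignored bits + 64 data bits */
#define EEPROM_MAX_STREAM     (2 + 14 + 64 + 1)

/* There is no autodetection, so the caller states the bus width. */
static int addr_ok(unsigned addr_bits, uint16_t addr)
{
    if (addr_bits == EEPROM_ADDR_BITS_512B) return addr <= 0x3F;
    if (addr_bits == EEPROM_ADDR_BITS_8K)   return addr <= 0x3FF;  /* upper 4 bits zero */
    return 0;
}

/* Append `count` bits of `value`, MSB first, one halfword per bit. */
static size_t put_bits(uint16_t *buf, size_t pos, uint64_t value, unsigned count)
{
    while (count--)
        buf[pos++] = (uint16_t)((value >> count) & 1);
    return pos;
}

/* "11", address, "0". Returns the stream length in halfwords, 0 on bad input. */
size_t eeprom_read_request(uint16_t *buf, size_t cap, unsigned addr_bits, uint16_t addr)
{
    if (!addr_ok(addr_bits, addr) || cap < 2 + addr_bits + 1) return 0;
    size_t pos = put_bits(buf, 0, 3, 2);
    pos = put_bits(buf, pos, addr, addr_bits);
    return put_bits(buf, pos, 0, 1);
}

/* "10", address, 64 data bits, "0". Returns the stream length, 0 on bad input. */
size_t eeprom_write_request(uint16_t *buf, size_t cap, unsigned addr_bits,
                            uint16_t addr, uint64_t data)
{
    if (!addr_ok(addr_bits, addr) || cap < 2 + addr_bits + 64 + 1) return 0;
    size_t pos = put_bits(buf, 0, 2, 2);
    pos = put_bits(buf, pos, addr, addr_bits);
    pos = put_bits(buf, pos, data, 64);
    return put_bits(buf, pos, 0, 1);
}

/* Decode a 68-halfword reply: skip 4 bits, then 64 data bits MSB first.
   Only bit0 of each halfword counts, bit1-15 are don't care. */
uint64_t eeprom_decode_reply(const uint16_t *reply)
{
    uint64_t v = 0;
    for (size_t i = 4; i < EEPROM_REPLY_LEN; i++)
        v = (v << 1) | (uint64_t)(reply[i] & 1);
    return v;
}

int main(void)
{
    uint16_t buf[EEPROM_MAX_STREAM];
    size_t n = eeprom_read_request(buf, EEPROM_MAX_STREAM, EEPROM_ADDR_BITS_512B, 0x2A);
    printf("read request, %zu halfwords:", n);
    for (size_t i = 0; i < n; i++)
        printf(" %u", (unsigned)buf[i]);
    n = eeprom_write_request(buf, EEPROM_MAX_STREAM, EEPROM_ADDR_BITS_8K, 0x3FF,
                             0x0123456789ABCDEFULL);
    printf("\nwrite request, %zu halfwords\n", n);
    return 0;
}
```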
4437 | ### Pin-Outs
4438 |
4439 | The EEPROM chips have only 8 pins, these are connected, Pin 1..8, to
4440 | ROMCS, RD, WR, AD0, GND, GND, A23, VDD of the GamePak bus. Carts with 32MB ROM
4441 | must have A7..A22 logically ANDed with A23.
4442 |
4443 | ### Notes
4444 |
4445 | There seems to be no autodetection mechanism, so that a hardcoded bus width must
4446 | be used.
4447 |
4448 | ## GBA Cart Backup Flash ROM
4449 |
4450 | 64 KBytes - 512Kbits Flash ROM - Lifetime: 10,000 writes per sector
4451 |
4452 | 128 KBytes - 1Mbit Flash ROM - Lifetime: ??? writes per sector
4453 |
4454 | ### Chip Identification (all device types)
4455 |
4456 | ```
4457 | [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=90h (enter ID mode)
4458 | dev=[E000001h], man=[E000000h] (get device & manufacturer)
4459 | [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=F0h (terminate ID mode)
4460 | ```
4461 |
4462 | Used to detect the type (and presence) of FLASH chips. See Device Types below.
4463 |
4464 | ### Reading Data Bytes (all device types)
4465 |
4466 | ```
4467 | dat=[E00xxxxh] (read byte from address xxxx)
4468 | ```
4469 |
4470 | ### Erase Entire Chip (all device types)
4471 |
4472 | ```
4473 | [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=80h (erase command)
4474 | [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=10h (erase entire chip)
4475 | wait until [E000000h]=FFh (or timeout)
4476 | ```
4477 |
4478 | Erases all memory in chip, erased memory is FFh-filled.
4479 |
4480 | ### Erase 4Kbyte Sector (all device types, except Atmel)
4481 |
4482 | ```
4483 | [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=80h (erase command)
4484 | [E005555h]=AAh, [E002AAAh]=55h, [E00n000h]=30h (erase sector n)
4485 | wait until [E00n000h]=FFh (or timeout)
4486 | ```
4487 |
4488 | Erases memory at E00n000h..E00nFFFh, erased memory is FFh-filled.
4489 |
4490 | ### Erase-and-Write 128 Bytes Sector (only Atmel devices)
4491 |
4492 | ```
4493 | old=IME, IME=0 (disable interrupts)
4494 | [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=A0h (erase/write sector command)
4495 | [E00xxxxh+00h..7Fh]=dat[00h..7Fh] (write 128 bytes)
4496 | IME=old (restore old IME state)
4497 | wait until [E00xxxxh+7Fh]=dat[7Fh] (or timeout)
4498 | ```
4499 |
4500 | Interrupts (and DMAs) should be disabled during command/write phase. Target
4501 | address must be a multiple of 80h.
4502 |
4503 | ### Write Single Data Byte (all device types, except Atmel)
4504 |
4505 | ```
4506 | [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=A0h (write byte command)
4507 | [E00xxxxh]=dat (write byte to address xxxx)
4508 | wait until [E00xxxxh]=dat (or timeout)
4509 | ```
4510 |
4511 | The target memory location must have been previously erased.
4512 |
4513 | ### Terminate Command after Timeout (only Macronix devices, ID=1CC2h)
4514 |
4515 | ```
4516 | [E005555h]=F0h (force end of write/erase command)
4517 | ```
4518 |
4519 | Use if timeout occurred during "wait until" periods, for Macronix devices only.
4520 |
4521 | ### Bank Switching (devices bigger than 64K only)
4522 |
4523 | ```
4524 | [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=B0h (select bank command)
4525 | [E000000h]=bnk (write bank number 0..1)
4526 | ```
4527 |
4528 | Specifies 64K bank number for read/write/erase operations.
4529 |
4530 | Required because gamepak flash/sram addressbus is limited to 16bit width.
4531 |
4532 | ### Device Types
4533 |
4534 | Nintendo puts different FLASH chips in commercial game cartridges. Developers
4535 | should thus detect & support all chip types. For Atmel chips it'd be
4536 | recommended to simulate 4K sectors by software, though reportedly Nintendo
4537 | doesn't use Atmel chips in newer games anymore. Also mind that different
4538 | timings should not disturb compatibility and performance.
4539 |
4540 | ```
4541 | ID Name Size Sectors AverageTimings Timeouts/ms Waits
4542 | D4BFh SST 64K 16x4K 20us?,?,? 10, 40, 200 3,2
4543 | 1CC2h Macronix 64K 16x4K ?,?,? 10,2000,2000 8,3
4544 | 1B32h Panasonic 64K 16x4K ?,?,? 10, 500, 500 4,2
4545 | 3D1Fh Atmel 64K 512x128 ?,?,? ...40.., 40 8,8
4546 | 1362h Sanyo 128K ? ?,?,? ? ? ? ?
4547 | 09C2h Macronix 128K ? ?,?,? ? ? ? ?
4548 | ```
4549 |
4550 | Identification Codes MSB=Device Type, LSB=Manufacturer.
4551 |
4552 | Size in bytes, and numbers of sectors \* sector size in bytes.
4553 |
4554 | Average medium Write, Erase Sector, Erase Chips timings are unknown?
4555 |
4556 | Timeouts in milliseconds for Write, Erase Sector, Erase Chips.
4557 |
4558 | Waitstates for Writes, and Reads in clock cycles.
4559 |
4560 | ### Accessing FLASH Memory
4561 |
4562 | FLASH memory is located in the "SRAM" area at E000000h..E00FFFFh, which is
4563 | restricted to 16bit address and 8bit data buswidths. Respectively, the memory
4564 | can be accessed only by 8bit read/write LDRB/STRB opcodes.
4565 |
4566 | Also, reading anything (data or status/busy information) can be done
4567 | only by opcodes executed in WRAM (not from opcodes in ROM) (there's no
4568 | such restriction for writing).
4569 |
4570 | ### FLASH Waitstates
4571 |
4572 | Use 8 clk waitstates for initial detection (WAITCNT Bits 0,1 both set). After
4573 | detection of certain device types smaller wait values may be used for
4574 | write/erase, and even smaller wait values for raw reading, see Device Types
4575 | table.
4576 |
4577 | In practice, games seem to use smaller values only for write/erase (even though
4578 | those operations are slow anyways), whilst raw reads are always done at 8 clk
4579 | waits (even though reads could actually benefit slightly from smaller wait
4580 | values).
4581 |
4582 | ### Verify Write/Erase and Retry
4583 |
4584 | Even though the device signals the completion of write/erase operations, it'd be
4585 | recommended to read/confirm the content of the changed memory area by software.
4586 | In practice, Nintendo's "erase-write-verify-retry" function typically repeats
4587 | the operation up to three times in case of errors.
4588 |
4589 | Also, for SST devices only, the "erase-write" and "erase-write-verify-retry"
4590 | functions repeat the erase command up to 80 times, additionally followed by one
4591 | further erase command if no retries were needed, otherwise followed by six
4592 | further erase commands.
4593 |
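The command sequences from this chapter (chip identification, 4Kbyte sector erase, single byte write with a bounded wait) and the erase-write-verify-retry loop, run against a constructed chip model, as an added example in C that is not part of the original document and not Nintendo's library code. The mock chip, the function names, the loop bound used in place of the millisecond timeouts and the injected write fault are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define POLL_LIMIT 1000u   /* assumed loop bound standing in for the ms timeouts */

struct mock_flash {        /* constructed stand-in for a 64K chip, not real hardware */
    uint8_t mem[0x10000];  /* E000000h..E00FFFFh */
    int step, erase_armed, program, id_mode;
    int drop_programs;     /* injected fault: ignore this many byte writes */
};

static uint8_t bus_read(struct mock_flash *f, uint16_t a)
{
    if (f->id_mode && a < 2) return a ? 0xD4 : 0xBF;  /* ID D4BFh (SST) */
    return f->mem[a];
}

static void bus_write(struct mock_flash *f, uint16_t a, uint8_t v)
{
    if (f->program) {                     /* byte following the A0h command */
        f->program = 0;
        if (f->drop_programs > 0) f->drop_programs--;
        else f->mem[a] &= v;              /* programming can only clear bits */
        return;
    }
    if (f->step == 0 && a == 0x5555 && v == 0xAA) { f->step = 1; return; }
    if (f->step == 1 && a == 0x2AAA && v == 0x55) { f->step = 2; return; }
    if (f->step != 2) { f->step = 0; return; }
    f->step = 0;
    if (f->erase_armed) {                 /* second half of an erase command */
        f->erase_armed = 0;
        if (v == 0x30) memset(&f->mem[a & 0xF000], 0xFF, 0x1000);
        return;
    }
    if (a != 0x5555) return;
    if (v == 0x90 || v == 0xF0) f->id_mode = (v == 0x90);
    else if (v == 0x80) f->erase_armed = 1;
    else if (v == 0xA0) f->program = 1;
}

static void flash_cmd(struct mock_flash *f, uint16_t a, uint8_t cmd)
{
    bus_write(f, 0x5555, 0xAA);
    bus_write(f, 0x2AAA, 0x55);
    bus_write(f, a, cmd);
}

static int wait_for(struct mock_flash *f, uint16_t a, uint8_t want)
{
    for (unsigned n = 0; n < POLL_LIMIT; n++)
        if (bus_read(f, a) == want) return 1;
    return 0;                             /* timeout */
}

uint16_t flash_read_id(struct mock_flash *f)
{
    flash_cmd(f, 0x5555, 0x90);           /* enter ID mode */
    uint8_t dev = bus_read(f, 1), man = bus_read(f, 0);
    flash_cmd(f, 0x5555, 0xF0);           /* terminate ID mode */
    return (uint16_t)(dev << 8 | man);
}

int flash_erase_sector(struct mock_flash *f, unsigned n)
{
    uint16_t base = (uint16_t)((n & 15u) << 12);
    flash_cmd(f, 0x5555, 0x80);           /* erase command */
    flash_cmd(f, base, 0x30);             /* erase sector n */
    return wait_for(f, base, 0xFF);
}

int flash_write_byte(struct mock_flash *f, uint16_t a, uint8_t v)
{
    flash_cmd(f, 0x5555, 0xA0);           /* write byte command */
    bus_write(f, a, v);
    return wait_for(f, a, v);
}

/* Erase, write, read back, up to three attempts; returns the attempt that
   verified or 0. The range must fit in one 4K sector, all of which is erased. */
int flash_program_verified(struct mock_flash *f, uint16_t a, const uint8_t *src, unsigned len)
{
    if (len == 0 || (a & 0x0FFFu) + len > 0x1000u) return 0;
    for (int attempt = 1; attempt <= 3; attempt++) {
        unsigned i = 0, ok = 0;
        if (!flash_erase_sector(f, a >> 12)) continue;
        while (i < len && flash_write_byte(f, (uint16_t)(a + i), src[i])) i++;
        while (ok < i && bus_read(f, (uint16_t)(a + ok)) == src[ok]) ok++;
        if (ok == len) return attempt;
    }
    return 0;
}

int main(void)
{
    static struct mock_flash chip;        /* zero-filled: nothing erased yet */
    chip.drop_programs = 1;               /* lose the first programmed byte */
    int n = flash_program_verified(&chip, 0x1000, (const uint8_t *)"SAVE", 4);
    printf("id=%04Xh verified on attempt %d\n", (unsigned)flash_read_id(&chip), n);
    return 0;
}
```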
4594 | ### Note
4595 |
4596 | FLASH (64Kbytes) is used by the game Sonic Advance, and possibly others.
4597 |
4598 | ## GBA Cart Backup DACS
4599 |
4600 | 128 KBytes - 1Mbit DACS - Lifetime: 100,000 writes.
4601 |
4602 | 1024 KBytes - 8Mbit DACS - Lifetime: 100,000 writes.
4603 |
4604 | DACS (Debugging And Communication System) is used in Nintendo's hardware
4605 | debugger only, DACS is NOT used in normal game cartridges.
4606 |
4607 | Part of DACS memory is used to store the debugging exception handlers (entry
4608 | point/size defined in cartridge header), the remaining memory could be used to
4609 | store game positions or other data. The address space is the upper end of the
4610 | 32MB ROM area, the memory can be read directly by the CPU, including the
4611 | ability to execute program code in this area.
4612 |
4613 | ## GBA Cart I/O Port (GPIO)
4614 |
4615 | 4bit General Purpose I/O Port (GPIO) - contained in the ROM-chip
4616 |
4617 | Used by Boktai for RTC and Solar Sensor:
4618 |
4619 | - [GBA Cart Real-Time Clock (RTC)](#gbacartrealtimeclockrtc)
4620 | - [GBA Cart Solar Sensor](#gbacartsolarsensor)

4621 | And by Warioware Twisted for Rumble and Z-Axis Sensor:
4622 |
4623 | - [GBA Cart Rumble](#gbacartrumble)
4624 | - [GBA Cart Gyro Sensor](#gbacartgyrosensor)

4625 | Might also be used by other games for other purposes, such as other sensors,
4626 | or SRAM bank switching, etc.
4627 |
4628 | The I/O registers are mapped to a 6-byte region in the ROM-area at 80000C4h,
4629 | the 6-byte region should be zero-filled in the ROM-image. In Boktai, the size
4630 | of the zero-filled region is 0E0h bytes - that is probably due to an incorrect
4631 | definition (the additional bytes do not contain any extra ports, nor mirrors of
4632 | the ports in the 6-byte region). Observe that ROM-bus writes are limited to
4633 | 16bit/32bit access (STRB opcodes are ignored; that, only in DS mode?).
4634 |
4635 | ### 80000C4h - I/O Port Data (selectable W or R/W)
4636 |
4637 | ```
4638 | bit0-3 Data Bits 0..3 (0=Low, 1=High)
4639 | bit4-15 not used (0)
4640 | ```
4641 |
4642 | ### 80000C6h - I/O Port Direction (for above Data Port) (selectable W or R/W)
4643 |
4644 | ```
4645 | bit0-3 Direction for Data Port Bits 0..3 (0=In, 1=Out)
4646 | bit4-15 not used (0)
4647 | ```
4648 |
4649 | ### 80000C8h - I/O Port Control (selectable W or R/W)
4650 |
4651 | ```
4652 | bit0 Register 80000C4h..80000C8h Control (0=Write-Only, 1=Read/Write)
4653 | bit1-15 not used (0)
4654 | ```
4655 |
4656 | In write-only mode, reads return 00h (or possibly other data, if the rom
4657 | contains non-zero data at that location).
4658 |
4659 | ### Connection Examples
4660 |
4661 | ```
4662 | GPIO | Boktai | Wario
4663 | Bit Pin | RTC SOL | GYR RBL
4664 | -----------+---------+---------
4665 | 0 ROM.1 | SCK CLK | RES -
4666 | 1 ROM.2 | SIO RST | CLK -
4667 | 2 ROM.21 | CS - | DTA -
4668 | 3 ROM.22 | - FLG | - MOT
4669 | -----------+---------+---------
4670 | IRQ ROM.43 | IRQ - | - -
4671 | ```
4672 |
4673 | Aside from the I/O Port, the ROM-chip also includes an inverter (used for
4674 | inverting the RTC /IRQ signal), and some sort of an (unused) address decoder
4675 | output (which appears to be equal or related to A23 signal) (ie. reacting on
4676 | ROM A23, or SRAM D7, which share the same pin on GBA slot).
4677 |
4678 | ## GBA Cart Real-Time Clock (RTC)
4679 |
4680 | S3511 - 8pin RTC with 3-wire serial bus (used in Boktai)
4681 |
4682 | The RTC chip is (almost) the same as used in NDS consoles:
4683 |
4684 | - [DS Real-Time Clock (RTC)](#dsrealtimeclockrtc)

4685 | The chip is accessed via 4bit I/O port (only 3bits are used for RTC):
4686 |
4687 | - [GBA Cart I/O Port (GPIO)](#gbacartioportgpio)
4688 |
4689 | ### Comparison of RTC Registers
4690 |
4691 | ```
4692 | NDS_________GBA_________GBA/Params___
4693 | stat2 control (1-byte)
4694 | datetime datetime (7-byte)
4695 | time time (3-byte)
4696 | stat1 force reset (0-byte)
4697 | clkadjust force irq (0-byte)
4698 | alarm1/int1 always FFh (boktai contains code for writing 1-byte to it)
4699 | alarm2 always FFh (unused)
4700 | free always FFh (unused)
4701 | ```
4702 |
4703 | ### Control Register
4704 |
4705 | ```
4706 | Bit Dir Expl.
4707 | 0 - Not used
4708 | 1 R/W IRQ duty/hold related?
4709 | 2 - Not used
4710 | 3 R/W Per Minute IRQ (30s duty) (0=Disable, 1=Enable)
4711 | 4 - Not used
4712 | 5 R/W Unknown?
4713 | 6 R/W 12/24-hour Mode (0=12h, 1=24h) (usually 1)
4714 | 7 R Power-Off (auto cleared on read) (0=Normal, 1=Failure)
4715 | ```
4716 |
4717 | Setting after Battery-Shortcut is 82h. Setting after Force-Reset is 00h.
4718 |
4719 | Unused bits seem to be always zero, but might be read-only or write-only?
4720 |
4721 | ### Datetime and Time Registers
4722 |
4723 | Same as NDS, except AM/PM flag moved from hour.bit6 (NDS) to hour.bit7 (GBA).
4724 |
4725 | ### Force Reset/Irq Registers
4726 |
4727 | Used to reset all RTC registers (all used registers become 00h, except
4728 | day/month which become 01h), or to drag the IRQ output LOW for a short moment.
4729 | These registers are strobed by ANY access to them, ie. by both writing to, as
4730 | well as reading from these registers.
4731 |
4732 | ### Pin-Outs / IRQ Signal
4733 |
4734 | The package has identical pin-outs as in NDS, although it is slightly larger
4735 | than the miniature chip in the DS.
4736 |
4737 | For whatever reason, the RTC's /IRQ output is passed through an inverter
4738 | (contained in the ROM-chip), the inverted signal is then passed to the /IRQ pin
4739 | on the cartridge slot. So, IRQs will be triggered on the "wrong" edge -
4740 | possibly somehow in relation with detecting cartridge-removal IRQs?
4741 |
4742 | ## GBA Cart Solar Sensor
4743 |
4744 | Uses a Photo Diode as Solar Sensor (used in Boktai, allowing to defeat vampires
4745 | when the cartridge is exposed to sunlight). The cartridge comes in transparent
4746 | case, and it's slightly longer than normal carts, so the sensor reaches out of
4747 | the cartridge slot. According to the manual, the sensor works only with
4748 | sunlight, but actually it works with any strong light source (eg. a 100 Watt
4749 | bulb at 1-2 centimeters distance). The sensor is accessed via 4bit I/O port
4750 | (only 3bits used), which is contained in the ROM-chip.
4751 |
4752 | - [GBA Cart I/O Port (GPIO)](#gbacartioportgpio)
4753 |
4754 | ### A/D Conversion
4755 |
4756 | The cartridge uses a self-made A/D converter, which is (eventually) better than
4757 | measuring a capacitor charge-up time, and/or less expensive than a real
4758 | ADC-chip:
4759 |
4760 | It contains a 74LV4040 12bit binary counter (clocked by CPU via the I/O port),
4761 | of which only the lower 8bit are used, which are passed to a resistor
4762 | ladder-type D/A converter, which is generating a linear increasing voltage,
4763 | which is passed to a TLV272 voltage comparator, which is passing a signal to
4764 | the I/O port when the counter voltage becomes greater than the sensor voltage.
4765 |
4766 | ### Example Code
4767 |
4768 | ```
4769 | strh 0001h,[80000c8h] ;-enable R/W mode
4770 | strh 0007h,[80000c6h] ;-init I/O direction
4771 | strh 0002h,[80000c4h] ;-reset counter to zero (high=reset) (I/O bit0)
4772 | strh 0000h,[80000c4h] ;-clear reset (low=normal)
4773 | mov r0,0 ;-initial level
4774 | @@lop:
4775 | strh 0001h,[80000c4h] ;-clock high ;\increase counter (I/O bit1)
4776 | strh 0000h,[80000c4h] ;-clock low ;/
4777 | ldrh r1,[80000c4h] ;-read port (I/O bit3)
4778 | tst r1,08h ;\
4779 | addeq r0,1 ; loop until voltage match (exit with r0=00h..FFh),
4780 | tsteq r0,100h ; or until failure/timeout (exit with r0=100h)
4781 | beq @@lop ;/
4782 | ```
4783 |
4784 | The results vary depending on the clock rate used. In above example, ensure
4785 | that IRQs or DMAs do not interrupt the function. Alternately, use a super-slow
4786 | clock rate (eg. like 666Hz used in Boktai) so that additional small IRQ/DMA
4787 | delays have little effect on the overall timing. Results should be somewhat:
4788 |
4789 | ```
4790 | E8h total darkness (including daylight on rainy days)
4791 | Dxh close to a 100 Watt Bulb
4792 | 5xh reaches max level in boktai's solar gauge
4793 | 00h close to a tactical nuclear bomb dropped on your city
4794 | ```
4795 |
4796 | The exact values may change from cartridge to cartridge, so it'd be recommended
4797 | to include a darkness calibration function, prompting the user to cover the
4798 | sensor for a moment.
4799 |
4800 | ## GBA Cart Tilt Sensor
4801 |
4802 | Yoshi's Universal Gravitation / Yoshi Topsy Turvy (X/Y-Axis)
4803 |
4804 | Koro Koro Puzzle (probably same as Yoshi, X/Y-Axis, too) (?)
4805 |
4806 | ### Yoshi-Type (X/Y-Axis)
4807 |
4808 | All of the registers are one byte wide, mapped into the top "half" of the SRAM
4809 | memory range.
4810 |
4811 | ```
4812 | E008000h (W) Write 55h to start sampling
4813 | E008100h (W) Write AAh to start sampling
4814 | E008200h (R) Lower 8 bits of X axis
4815 | E008300h (R) Upper 4 bits of X axis, and Bit7: ADC Status (0=Busy, 1=Ready)
4816 | E008400h (R) Lower 8 bits of Y axis
4817 | E008500h (R) Upper 4 bits of Y axis
4818 | ```
4819 |
4820 | You must set SRAM wait control to 8 clocks to access it correctly.
4821 |
4822 | You must also set the cartridge PHI terminal to 4 MHz to make it work.
4823 |
4824 | Sampling routine (typically executed once a frame during VBlank):
4825 |
4826 | ```
4827 | wait until [E008300h].Bit7=1 or until timeout ;wait ready
4828 | x = ([E008300h] AND 0Fh)*100h + [E008200h] ;get x
4829 | y = ([E008500h] AND 0Fh)*100h + [E008400h] ;get y
4830 | [E008000h]=55h, [E008100h]=AAh ;start next conversion
4831 | ```
4832 |
4833 | Example values (may vary on different carts and on temperature, etc):
4834 |
4835 | ```
4836 | X ranged between 0x2AF to 0x477, center at 0x392. Huh?
4837 | Y ranged between 0x2C3 to 0x480, center at 0x3A0. Huh?
4838 | ```
4839 |
4840 | Thanks to Flubba for Yoshi-Type information.
4841 |
4842 | Unknown if the Yoshi-Type sensors are sensing rotation, or orientation, or
4843 | motion, or something else? In case of rotation, rotation around X-axis would
4844 | result in motion in Y-direction, so not too sure whether X and Y have which
4845 | meaning?
4846 |
4847 | Most probably, the sensors are measuring (both) static acceleration (gravity),
4848 | and dynamic acceleration (eg. shaking the device left/right).
4849 |
4850 | The X/Y values are likely to be mirrored depending on using a back-loading
4851 | cartridge slot (original GBA), or front-loading cartridge slot (newer GBA SP,
4852 | and NDS, and NDS-Lite).
4853 |
4854 | ## GBA Cart Gyro Sensor
4855 |
4856 | Warioware Twisted (Z-Axis Gyro Sensor, plus Rumble)
4857 |
4858 | ### Wario-Type (Z-Axis)
4859 |
4860 | Uses a single-axis sensor, which senses rotation around the Z-axis. The sensor
4861 | is connected to an analogue-in, serial-out ADC chip, which is accessed via
4862 | lower 3 bits of the GPIO:
4863 |
4864 | - [GBA Cart I/O Port (GPIO)](#gbacartioportgpio)

4865 | The four I/O Lines are connected like so:
4866 |
4867 | ```
4868 | GPIO.Bit0 (W) Start Conversion
4869 | GPIO.Bit1 (W) Serial Clock
4870 | GPIO.Bit2 (R) Serial Data
4871 | GPIO.Bit3 (W) Used for Rumble (not gyro related)
4872 | ```
4873 |
4874 | There should be at least \ between the STRH opcodes which toggle the CLK signal. Wario uses
4876 | WAITCNT=45B7h (SRAM=8clks, WS0/WS1/WS2=3,1clks, Prefetch=On, PHI=Off).
4877 |
4878 | The data stream consists of: 4 dummy bits (usually zero), followed by 12 data
4879 | bits, followed by endless unused bits (usually zero).
4880 |
4881 | ```
4882 | read_gyro:
4883 | mov r1,8000000h ;-cartridge base address
4884 | mov r0,01h ;\enable R/W access
4885 | strh r0,[r1,0c8h] ;/
4886 | mov r0,0bh ;\init direction (gpio2=input, others=output)
4887 | strh r0,[r1,0c6h] ;/
4888 | ldrh r2,[r1,0c4h] ;-get current state (for keeping gpio3=rumble)
4889 | orr r2,3 ;\
4890 | strh r2,[r1,0c4h] ;gpio0=1 ; start ADC conversion
4891 | bic r2,1 ;
4892 | strh r2,[r1,0c4h] ;gpio0=0 ;/
4893 | mov r0,00010000h ;stop-bit ;\
4894 | bic r2,2 ;
4895 | @@lop: ;
4896 | ldrh r3,[r1,0c4h] ;get gpio2=data ; read 16 bits
4897 | strh r2,[r1,0c4h] ;gpio1=0=clk=low ; (4 dummy bits, plus 12 data bits)
4898 | movs r3,r3,lsr 3 ;gpio2 to cy=data ;
4899 | adcs r0,r0,r0 ;merge data, cy=done;
4900 | orr r3,r2,2 ;set bit1 and delay ;
4901 | strh r3,[r1,0c4h] ;gpio1=1=clk=high ;
4902 | bcc @@lop ;/
4903 | bic r0,0f000h ;-strip upper 4 dummy bits (isolate 12bit adc)
4904 | bx lr
4905 | ```
4906 |
4907 | Example values (may vary on different carts, battery charge, temperature, etc):
4908 |
4909 | ```
4910 | 354h rotated in anti-clockwise direction (shock-speed)
4911 | 64Dh rotated in anti-clockwise direction (normal fast)
4912 | 6A3h rotated in anti-clockwise direction (slow)
4913 | 6C0h no rotation (stopped)
4914 | 6DAh rotation in clockwise direction (slow)
4915 | 73Ah rotation in clockwise direction (normal fast)
4916 | 9E3h rotation in clockwise direction (shock-speed)
4917 | ```
4918 |
4919 | For detection, values 000h and FFFh would indicate that there's no sensor.
4920 |
4921 | The Z-axis always points into same direction; no matter of frontloading or
4922 | backloading cartridge slots.
4923 |
4924 | Thanks to Momo Vampire for contributing a Wario cartridge.
4925 |
4926 | ### X/Y/Z-Axes
4927 |
4928 | X-Axis and Y-Axis are meant to be following the screens X and Y coordinates, so
4929 | the Z-Axis would point into the screens depth direction.
4930 |
4931 | ### DSi Cameras
4932 |
4933 | DSi consoles can mis-use the built-in cameras as Gyro sensor (as done by the
4934 | System Flaw DSi game).
4935 |
4936 | ## GBA Cart Rumble
4937 |
4938 | Warioware Twisted (Rumble, plus Z-Axis Gyro Sensor)
4939 |
4940 | Drill Dozer (Rumble only) \<-- and ALSO supports Gameboy Player rumble?
4941 |
4942 | GBA Rumble Carts are containing a small motor, which is causing some vibration
4943 | when/while it is switched on (that, unlike DS Rumble, which must be repeatedly
4944 | toggled on/off).
4945 |
4946 | In Warioware Twisted, rumble is controlled via GPIO.Bit3 (Data 0=Low=Off,
4947 | 1=High=On) (and Direction 1=Output), the other GPIO Bits are used for the gyro
4948 | sensor.
4949 |
4950 | - [GBA Cart I/O Port (GPIO)](#gbacartioportgpio)

4951 | Note: GPIO3 is connected to an external pulldown resistor (so the HighZ level
4952 | gets dragged to Low=Off when direction is set to Input).
4953 |
4954 | Unknown if Drill Dozer is controlled via GPIO.Bit3, too?
4955 |
4956 | ### DS Rumble Pak
4957 |
4958 | Additionally, there's a Rumble Pak for the NDS, which connects to the GBA slot,
4959 | so it can be used also for GBA games (provided that the game doesn't require
4960 | the GBA slot, eg. GBA multiboot games).
4961 |
4962 | - [DS Cart Rumble Pak](#dscartrumblepak)
4963 |
4964 | ### Gamecube Rumble
4965 |
4966 | Moreover, GBA games that are running on a Gameboy Player are having access to
4967 | the Rumble function of Gamecube joypads.
4968 |
4969 | - [GBA Gameboy Player](#gbagameboyplayer)
4970 |
4971 | ## GBA Cart e-Reader
4972 |
4973 | - [GBA Cart e-Reader Overview](#gbacartereaderoverview)
4974 | - [GBA Cart e-Reader I/O Ports](#gbacartereaderioports)
4975 | - [GBA Cart e-Reader Dotcode Format](#gbacartereaderdotcodeformat)
4976 | - [GBA Cart e-Reader Data Format](#gbacartereaderdataformat)
4977 | - [GBA Cart e-Reader Program Code](#gbacartereaderprogramcode)
4978 | - [GBA Cart e-Reader API Functions](#gbacartereaderapifunctions)
4979 | - [GBA Cart e-Reader VPK Decompression](#gbacartereadervpkdecompression)
4980 | - [GBA Cart e-Reader Error Correction](#gbacartereadererrorcorrection)
4981 | - [GBA Cart e-Reader File Formats](#gbacartereaderfileformats)
4982 |
4983 | ```
4984 |  ________________
4985 | |   ShortStrip   |
4986 | |L              L|
4987 | |o    Center    o|
4988 | |n    Region    n|
4989 | |g              g|
4990 | |  may contain   |
4991 | |S  pictures,   S|
4992 | |t instructions t|
4993 | |r     etc.     r|
4994 | |i              i|
4995 | |p              p|
4996 | |___ShortStrip___|
4997 | ```
4998 |
4999 | ## GBA Cart e-Reader Overview
5000 |
5001 | The e-Reader is a large GBA cartridge (about as big as the GBA console), with
5002 | built-in dotcode scanning hardware. Dotcodes are tiny strips of black and white
5003 | pixels printed on the edges of cardboard cards. The cards have to be pulled
5004 | through a slot on the e-Reader, which is giving it a feeling like using a
5005 | magnet card reader. The binary data on the dotcodes contains small games,
5006 | either in native GBA code (ARM/THUMB), or in software emulated 8bit Z80 or
5007 | NES/Famicom (6502) code.
5008 |
5009 | ### The e-Reader Hardware
5010 |
5011 | The hardware consists of regular 8MByte ROM and 128KByte FLASH chips, two link
5012 | ports, a custom PGA chip, the camera module (with two red LEDs, used as light
5013 | source), and some analogue components for generating the LED voltages, etc. The
5014 | camera supports 402x302 pixels with 7bit monochrome color depth, but the PGA
5015 | clips it to max 320 pixels per scanline with 1bit color depth.
5016 |
5017 | ### Link Port Plug/Socket
5018 |
5019 | The e-Reader's two link ports are simply interconnected with each other;
5020 | without connection to the rest of the e-Reader hardware. These ports are used
5021 | only on the original GBA (where the large e-Reader cartridge would be covering
5022 | the GBA's link socket). When trying to insert the e-Reader into an original NDS
5023 | (or GBA-Micro), then the e-Reader's link plug will hit against the case of the
5024 | NDS, so it works only with some minor modification to the hardware. There's no
5025 | such problem with GBA-SP and NDS-Lite.
5026 |
5027 | ### Region/Version
5028 |
5029 | There are 3 different e-Readers: Japanese/Original, Japanese/Plus, and
5030 | Non-Japanese. The Original version has only 64K FLASH, no Link Port, and
5031 | reportedly supports only Z80 code, but no NES/GBA code. The Plus and
5032 | Non-Japanese versions should be almost identical, except that they reject cards
5033 | from the wrong region, and that the title strings aren't ASCII in Japan. The
5034 | Plus version should be backwards compatible to the Original one.
5035 |
5036 | ### The Problem
5037 |
5038 | Nintendo's current programmers are definitely unable to squeeze a Pac-Man style
5039 | game into less than 4MBytes. Their solution has been: MORE memory. That is,
5040 | they've put a whopping 8MByte BIOS ROM into the e-Reader, which contains the
5041 | User Interface, and software emulation for running some of their 20 years old
5042 | 8bit NES and Game&Watch titles, which do fit on a few dotcode strips.
5043 |
5044 | ## GBA Cart e-Reader I/O Ports
5045 |
5046 | ### DF80000h Useless Register (R/W)
5047 |
5048 | ```
5049 | 0 Output to PGA.Pin93 (which seems to be not connected to anything)
5050 | 1-3 Unknown, read/write-able (not used by e-Reader BIOS)
5051 | 4-15 Always zero (0)
5052 | ```
5053 |
5054 | ### DFA0000h Reset Register (R/W)
5055 |
5056 | ```
5057 | 0 Always zero (0)
5058 | 1 Reset Something? (0=Normal, 1=Reset)
5059 | 2 Unknown, always set (1)
5060 | 3 Unknown, read/write-able (not used by e-Reader BIOS)
5061 | 4-7 Always zero (0)
5062 | 8 Unknown, read/write-able (not used by e-Reader BIOS)
5063 | 9-15 Always zero (0)
5064 | ```
5065 |
5066 | ### DFC0000h..DFC0027h Scanline Data (R)
5067 |
5068 | Scanline data (40 bytes, for 320 pixels, 1bit per pixel, 0=black, 1=white).
5069 |
5070 | The first (leftmost) pixel is located in the LSB of the LAST byte.
5071 |
5072 | Port E00FFB1h.Bit1 (and [4000202h].Bit13) indicates when a new scanline is
5073 | present, the data should be then transferred to RAM via DMA3 (SAD=DFC0000h,
5074 | DAD=buf+y\*28h, CNT=80000014h; a slower non-DMA transfer method would result in
5075 | missed scanlines). After the DMA, software must reset E00FFB1h.Bit1.
5076 |
5077 | Note: The scanning resolution is 1000 DPI.
5078 |
5079 | ### DFC0028h+(0..2Fh\*2) Brightest Pixels of 8x6 Blocks (R)
5080 |
5081 | ```
5082 | 0-6 Max Brightness (00h..7Fh; 00h=All black, 7Fh=One or more white)
5083 | 7-15 Always zero
5084 | ```
5085 |
5086 | Can be used to adjust the Port E00FF80h..E00FFAFh settings.
5087 |
5088 | ### DFC0088h Darkest Pixel of whole Image (R)
5089 |
5090 | ```
5091 | 0-7 Max Darkness (00h..7Fh; 00h=One or more black, 7Fh=All white)
5092 | 8-15 Always zero
5093 | ```
5094 |
5095 | Can be used to adjust the Port E00FF80h..E00FFAFh settings.
5096 |
5097 | ### E00FF80h..E00FFAFh Intensity Boundaries for 8x6 Blocks (R/W)
5098 |
5099 | The 320x246 pixel camera input is split into 8x6 blocks (40x41 pixels each),
5100 | with Block00h=Upper-right, Block07h=Upper-left, ..., Block27h=Lower-left. The
5101 | boundary values for the separate blocks are used for 128-grayscale to 2-color
5102 | conversion, probably done like "IF Pixel>Boundary THEN white ELSE black".
5103 |
5104 | ```
5105 | 0-6 Block Intensity Boundaries (0..7Fh; 7Fh=Whole block gets black)
5106 | 7 Always zero
5107 | ```
5108 |
5109 | The default boundary values are stored in FLASH memory, the values are
5110 | typically ranging from 28h (outer edges) to 34h (center image), that in respect
5111 | to the light source (the two LEDs are emitting more light to the center
5112 | region).
5113 |
5114 | ### E00FFB0h Control Register 0 (R/W)
5115 |
5116 | ```
5117 | 0 Serial Data (Low/High)
5118 | 1 Serial Clock (Low/High)
5119 | 2 Serial Direction (0=Input, 1=Output)
5120 | 3 Led/Irq Enable (0=Off, 1=On; Enable LED and Gamepak IRQ)
5121 | 4 Start Scan (0=Off, 1=Start) (0-to-1 --> Resync line 0)
5122 | 5 Phi 16MHz Output (0=Off, 1=On; Enable Clock for Camera, and for LED)
5123 | 6 Power 3V Enable (0=Off, 1=On; Enable 3V Supply for Camera)
5124 | 7 Not used (always 0) (sometimes 1) (Read only)
5125 | ```
5126 |
5127 | ### E00FFB1h Control Register 1 (R/W)
5128 |
5129 | ```
5130 | 0 Not used (always 0)
5131 | 1 Scanline Flag (1=Scanline Received, 0=Acknowledge)
5132 | 2-3 Not used (always 0)
5133 | 4 Strange Bit (0=Normal, 1=Force Resync/Line0 on certain interval?)
5134 | 5 LED Anode Voltage (0=3.0V, 1=5.1V; requires E00FFB0h.Bit3+5 to be set)
5135 | 6 Not used (always 0)
5136 | 7 Input from PGA.Pin22, always high (not used by e-Reader) (Read Only)
5137 | ```
5138 |
5139 | Bit1 can be SET by hardware only, software can only RESET that bit, the Gamepak
5140 | IRQ flag (Port 4000202h.Bit13) becomes set on 0-to-1 transitions.
5141 |
5142 | ### E00FFB2h Light Source LED Kathode Duration (LSB) (R/W)
5143 |
5144 | ### E00FFB3h Light Source LED Kathode Duration (MSB) (R/W)
5145 |
5146 | Selects the LED Kathode=LOW Duration, aka the LED=ON Duration. That does act as
5147 | pulse width modulated LED brightness selection (the camera seems to react
5148 | slowly enough to view the light as being dimmed to medium, rather than seeing
5149 | the actual light ON and OFF states). The PWM timer seems to be clocked at 8MHz.
5150 | The hardware clips timer values 2000h..FFFFh to max 2000h (=1ms). Additionally,
5151 | the e-Reader BIOS clips values to max 11B3h. Default setting is found in FLASH
5152 | calibration data. A value of 0000h disables the LED.
5153 |
5154 | ### Serial Port Registers (Camera Type 1) (DV488800) (calib\_data[3Ch]=1)
5155 |
5156 | All 16bit values are ordered MSB,LSB. All registers are whole 8bit
5157 | Read/Write-able, except 00h,57h-5Ah (read only), and 53h-55h (2bit only).
5158 |
5159 | ```
5160 | Port Expl. (e-Reader Setting)
5161 | 00h Maybe Chip ID (12h) (not used by e-Reader BIOS) (Read Only)
5162 | 01h (05h) ;-Bit0: 1=auto-repeat scanning?
5163 | 02h (0Eh)
5164 | 10h-11h Vertical Scroll (calib_data[30h]+7)
5165 | 12h-13h Horizontal Scroll (0030h)
5166 | 14h-15h Vertical Size (00F6h=246)
5167 | 16h-17h Horizontal Size (0140h=320)
5168 | 20h-21h H-Blank Duration (00C4h)
5169 | 22h-23h (0400h) ;-Upper-Blanking in dot-clock units?
5170 | 25h (var) ;-bit1: 0=enable [57h..5Ah] ?
5171 | 26h (var) ;\maybe a 16bit value
5172 | 27h (var) ;/
5173 | 28h (00h)
5174 | 30h Brightness/contrast (calib_data[31h]+/-nn)
5175 | 31h-33h (014h,014h,014h)
5176 | 34h Brightness/contrast (02h)
5177 | 50h-52h 8bit Read/Write (not used by e-Reader BIOS)
5178 | 53h-55h 2bit Read/Write (not used by e-Reader BIOS)
5179 | 56h 8bit Read/Write (not used by e-Reader BIOS)
5180 | 57h-58h 16bit value, used to autodetect/adjust register[30h] (Read Only)
5181 | 59h-5Ah 16bit value, used to autodetect/adjust register[30h] (Read Only)
5182 | 80h-FFh Mirrors of 00h..7Fh (not used by e-Reader BIOS)
5183 | ```
5184 |
5185 | All other ports are unused, writes to those ports are ignored, and reads are
5186 | returning data mirrored from other ports; that is typically data from 2 or more
5187 | ports, ORed together.
5188 |
5189 | ### Serial Port Registers (Camera Type 2) (calib\_data[3Ch]=2)
5190 |
5191 | All 16bit values are using more conventional LSB,MSB ordering, and port numbers
5192 | are arranged in a more reasonable way. The e-Reader BIOS doesn't support (or
5193 | doesn't require) brightness adjustment for this camera module.
5194 |
5195 | ```
5196 | Port Expl. (e-Reader Setting)
5197 | 00h (22h)
5198 | 01h (50h)
5199 | 02h-03h Vertical Scroll (calib_data[30h]+28h)
5200 | 04h-05h Horizontal Scroll (001Eh)
5201 | 06h-07h Vertical Size (00F6h) ;=246
5202 | 08h-09h Horizontal Size (0140h) ;=320
5203 | 0Ah-0Ch (not used by e-Reader BIOS)
5204 | 0Dh (01h)
5205 | 0Eh-0Fh (01EAh) ;=245*2
5206 | 10h-11h (00F5h) ;=245
5207 | 12h-13h (20h,F0h) ;maybe min/max values?
5208 | 14h-15h (31h,C0h) ;maybe min/max values?
5209 | 16h (00h)
5210 | 17h-18h (77h,77h)
5211 | 19h-1Ch (30h,30h,30h,30h)
5212 | 1Dh-20h (80h,80h,80h,80h)
5213 | 21h-FFh (not used by e-Reader BIOS)
5214 | ```
5215 |
5216 | This appears to be a Micron (aka Aptina) camera (resembling the DSi cameras).
5217 |
5218 | My own e-Reader uses a Type 1 camera module. Not sure if Nintendo has ever
5219 | manufactured any e-Readers with Type 2 cameras?
5220 |
5221 | ### Calibration Data in FLASH Memory (Bank 0, Sector 0Dh)
5222 |
5223 | ```
5224 | E00D000 14h ID String ('Card-E Reader 2001',0,0)
5225 | E00D014 2 Sector Checksum (NOT(x+x/10000h); x=sum of all other halfwords)
5226 | ```
5227 |
5228 | Begin of actual data (40h bytes)
5229 |
5230 | ```
5231 | E00D016 8x6 [00h] Intensity Boundaries for 8x6 blocks ;see E00FF80h..AFh
5232 | E00D046 1 [30h] Vertical scroll (0..36h) ;see type1.reg10h/type2.reg02h
5233 | E00D047 1 [31h] Brightness or contrast ;see type1.reg30h
5234 | E00D048 2 [32h] LED Duration ;see E00FFB2h..B3h
5235 | E00D04A 2 [34h] Not used? (0000h)
5236 | E00D04C 2 [36h] Signed value, related to adjusting the 8x6 blocks
5237 | E00D04E 4 [38h] Not used? (00000077h)
5238 | E00D052 4 [3Ch] Camera Type (0=none,1=DV488800,2=Whatever?)
5239 | ```
5240 |
5241 | Remaining bytes in this Sector...
5242 |
5243 | ```
5244 | E00D056 FAAh Not used (zerofilled) (included in above checksum)
5245 | ```
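
The sector layout above, validated before any value reaches the camera registers. This is an added example, not code from GBATEK or the e-Reader BIOS. It assumes little-endian halfwords, that the checksum covers every halfword of the 1000h-byte sector except the checksum field itself, and that the copy at E00E000h may be used when the first sector fails; the function names and sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 0x1000u  /* E00D000h..E00DFFFh */
#define OFF_CSUM    0x014u   /* 16bit checksum, right after the 14h-byte ID */
#define OFF_DATA    0x016u   /* calib_data[00h..3Fh] */
#define LED_MAX     0x11B3u  /* upper limit applied by the e-Reader BIOS */

enum calib_status { CALIB_OK, CALIB_BAD_ID, CALIB_BAD_CHECKSUM, CALIB_BAD_FIELD };

struct calib {
    uint8_t  boundary[0x30]; /* [00h] intensity boundaries for 8x6 blocks */
    uint8_t  vscroll;        /* [30h] vertical scroll, 0..36h */
    uint8_t  brightness;     /* [31h] brightness or contrast */
    uint16_t led_duration;   /* [32h] LED duration, LSB first */
    uint8_t  camera_type;    /* [3Ch] 0=none, 1=Type 1, 2=Type 2 */
};

/* 'Card-E Reader 2001',0,0 = 18 characters + 2 zero bytes = 14h bytes */
static const uint8_t CALIB_ID[0x14] = "Card-E Reader 2001";

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* NOT(x + x/10000h), x = sum of all halfwords except the checksum itself */
uint16_t calib_checksum(const uint8_t *sector)
{
    uint32_t x = 0;
    for (uint32_t off = 0; off < SECTOR_SIZE; off += 2)
        if (off != OFF_CSUM)
            x += rd16(sector + off);
    return (uint16_t)~(x + (x >> 16));
}

enum calib_status calib_parse(const uint8_t *sector, struct calib *out)
{
    const uint8_t *d = sector + OFF_DATA;

    if (memcmp(sector, CALIB_ID, sizeof CALIB_ID) != 0)
        return CALIB_BAD_ID;
    if (rd16(sector + OFF_CSUM) != calib_checksum(sector))
        return CALIB_BAD_CHECKSUM;
    /* A matching checksum only shows the sector is self-consistent; the
       fields are written to hardware registers, so range-check them too. */
    for (int i = 0; i < 0x30; i++)
        if (d[i] > 0x7F)                      /* bit7 is always zero */
            return CALIB_BAD_FIELD;
    if (d[0x30] > 0x36 || (d[0x3C] & 3) == 3) /* type 3 is not defined */
        return CALIB_BAD_FIELD;

    memcpy(out->boundary, d, sizeof out->boundary);
    out->vscroll      = d[0x30];
    out->brightness   = d[0x31];
    out->led_duration = rd16(d + 0x32);
    if (out->led_duration > LED_MAX)
        out->led_duration = LED_MAX;
    out->camera_type  = d[0x3C] & 3;
    return CALIB_OK;
}

/* Try the first sector, then the copy. Returns 0 or 1 for the sector
   that was used, or -1 if neither validates (out is then untouched). */
int calib_load(const uint8_t *primary, const uint8_t *copy, struct calib *out)
{
    if (calib_parse(primary, out) == CALIB_OK) return 0;
    if (calib_parse(copy, out) == CALIB_OK) return 1;
    return -1;
}

/* Constructed sample sector; the field values are invented for the example. */
void calib_make_sample(uint8_t *sector)
{
    memset(sector, 0, SECTOR_SIZE);
    memcpy(sector, CALIB_ID, sizeof CALIB_ID);
    memset(sector + OFF_DATA, 0x2C, 0x30);   /* boundaries */
    sector[OFF_DATA + 0x30] = 0x1B;          /* vertical scroll */
    sector[OFF_DATA + 0x31] = 0x20;          /* brightness */
    sector[OFF_DATA + 0x32] = 0x00;          /* LED duration = 0800h */
    sector[OFF_DATA + 0x33] = 0x08;
    sector[OFF_DATA + 0x38] = 0x77;          /* [38h] = 00000077h */
    sector[OFF_DATA + 0x3C] = 0x01;          /* camera type 1 */
    uint16_t c = calib_checksum(sector);
    sector[OFF_CSUM]     = (uint8_t)c;
    sector[OFF_CSUM + 1] = (uint8_t)(c >> 8);
}

int main(void)
{
    static uint8_t primary[SECTOR_SIZE], copy[SECTOR_SIZE];
    struct calib c;

    calib_make_sample(primary);
    calib_make_sample(copy);
    primary[OFF_DATA + 5] ^= 0x01;           /* simulate one flipped FLASH bit */
    printf("primary sector status: %d\n", (int)calib_parse(primary, &c));
    printf("loaded from sector %d, LED duration %04Xh\n",
           calib_load(primary, copy, &c), (unsigned)c.led_duration);
    return 0;
}
```
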
5246 |
5247 | ### Flowchart for Overall Camera Access
5248 |
5249 | ereader\_scan\_camera:
5250 |
5251 | ```
5252 | call ereader_power_on
5253 | call ereader_initialize
5254 | for z=1 to number_of_frames
5255 | for y=0 to 245
5256 | Wait until E00FFB1h.Bit1 gets set by hardware (can be handled by IRQ)
5257 | Copy 14h halfwords from DFC0000h to buf+y*28h via DMA3
5258 | Reset E00FFB1h.Bit1 by software
5259 | next y
5260 | ;(could now check DFC0028h..DFC0086h/DFC0088h for adjusting E00FF00h..2Fh)
5261 | ;(could now show image on screen, that may require to stop/pause scanning)
5262 | next z
5263 | call ereader_power_off
5264 | Ret
5265 | ```
5266 |
5267 | ereader\_power\_on:
5268 |
5269 | ```
5270 | [4000204h]=5803h ;Init waitstates, and enable Phi 16MHz
5271 | [DFA0000h].Bit1=1
5272 | Wait(10ms)
5273 | [E00FFB0h]=40h ;Enable Power3V and reset other bits
5274 | [DFA0000h].Bit1=0
5275 | [E00FFB1h]=20h ;Enable Power5V and reset other bits
5276 | Wait(40ms)
5277 | [E00FFB1h].Bit4=0 ;...should be already 0 ?
5278 | [E00FFB0h]=40h+27h ;Phi16MHz=On, SioDtaClkDir=HighHighOut
5279 | Ret
5280 | ```
5281 |
5282 | ereader\_power\_off:
5283 |
5284 | ```
5285 | [E00FFB0h]=04h ;Power3V=Off, Disable Everything, SioDtaClkDir=LowLowOut
5286 | [DFA0000h].Bit1=0 ;...should be already 0
5287 | [E00FFB1h].Bit5=0 ;Power5V=Off
5288 | Ret
5289 | ```
5290 |
5291 | ereader\_initialize:
5292 |
5293 | ```
5294 | IF calib_data[3Ch] AND 03h = 1 THEN init_camera_type1
5295 | [E00FFB0h].Bit4=1 ;ScanStart
5296 | IF calib_data[3Ch] AND 03h = 2 THEN init_camera_type2
5297 | Copy calib_data[00h..2Fh] to [E00FF80h+00h..2Fh] ;Intensity Boundaries
5298 | Copy calib_data[32h..33h] to [E00FFB2h+00h..01h] ;LED Duration LSB,MSB
5299 | [E00FFB0h].Bit3=1 ;LedIrqOn
5300 | Ret
5301 | ```
5302 |
5303 | init\_camera\_type1:
5304 |
5305 | ```
5306 | x=MIN(0,calib_data[31h]-0Bh)
5307 | Set Sio Registers (as shown for Camera Type 1, except below values...)
5308 | Set Sio Registers [30h]=x [25h]=04h, [26h]=58h, [27h]=6Ch
5309 | ;(could now detect/adjust based on Sio Registers [57h..5Ah])
5310 | Set Sio Registers [30h]=x [25h]=06h, [26h]=E8h, [27h]=6Ch
5311 | Ret
5312 | ```
5313 |
5314 | init\_camera\_type2:
5315 |
5316 | - Wait(0.5ms)
5317 | - Set Sio Registers (as shown for Camera Type 2)
5318 | - Ret
5319 |
5320 | ### Accessing Serial Registers via E00FFB0h
5321 |
5322 | ```
5323 |      Begin   Write(A) Write(B) Read(C) Read(D) End     Idle    PwrOff
5324 | Dir  ooooooo ooooooo  ooooooo  iiiiiii iiiiiii ooooooo ooooooo ooooooo
5325 | Dta  ---____ AAAAAAA  BBBBBBB  xxxxxCx xxxxxDx ______- ------- _______
5326 | Clk  ------_ ___---_  ___---_  ___---_ ___---_ ___---- ------- _______
5327 | ```
5328 |
5329 | ### Flowchart for accessing Serial Registers via E00FFB0h (looks like I2C bus)
5330 |
5331 | - Delay:
5332 | - Wait circa 2.5us, Ret
5333 | - SioBegin:
5334 | - SioDta=1, SioDir=Out, SioClk=1, Delay, SioDta=0, Delay, SioClk=0, Ret
5335 | - SioEnd:
5336 | - SioDta=0, SioDir=Out, Delay, SioClk=1, Delay, SioDta=1, Ret
5337 | - SioRead1bit: ;out: databit
5338 | - SioDir=In, Delay, SioClk=1, Delay, databit=SioDta, SioClk=0, Ret
5339 | - SioWrite1bit: ;in: databit
5340 | - SioDta=databit, SioDir=Out, Delay, SioClk=1, Delay, SioClk=0, Ret
5341 | - SioReadByte: ;in: endflag - out: data
5342 | - for i=7 to 0, data.bit[i]=SioRead1bit, next i, SioWrite1bit(endflag), Ret
5343 | - SioWriteByte: ;in: data - out: errorflag
5344 | - for i=7 to 0, Delay(huh/why?), SioWrite1bit(data.bit[i]), next i
5345 | - errorflag=SioRead1bit, SioDir=Out(huh/why?), Ret
5346 | - SioWriteRegisters: ;in: index, len, buffer
5347 | - SioBegin
5348 | - SioWriteByte(22h) ;command (set\_index) (and write\_data)
5349 | - SioWriteByte(index) ;index
5350 | - for i=0 to len-1
5351 | - SioWriteByte(buffer[i]) ;write data (and auto-increment index)
5352 | - next
5353 | - SioEnd
5354 | - ret
5355 | - SioReadRegisters: ;in: index, len - out: buffer
5356 | - SioBegin
5357 | - SioWriteByte(22h) ;command (set\_index) (without any write\_data here)
5358 | - SioWriteByte(index) ;index
5359 | - SioBegin
5360 | - SioWriteByte(23h) ;command (read\_data) (using above index)
5361 | - for i=0 to len-1
5362 | - if i=len-1 then endflag=1 else endflag=0
5363 | - buffer[i]=SioReadByte(endflag) ;read data (and auto-increment index)
5364 | - next
5365 | - SioEnd
5366 | - Ret
5367 |
5368 | Caution: Accessing the SIO registers appears highly unstable, and seems to
5369 | require error handling with retries. Not sure what is causing that problem,
5370 | possibly the registers cannot be accessed during camera-data-scans...?
5371 |
5372 | ### WAITCNT
5373 |
5374 | The e-Reader BIOS uses WAITCNT [4000204h]=5803h when accessing the PGA, that
5375 | is, gamepak 16.78MHz phi output (bit11-12=3), 8 waits for SRAM region
5376 | (bit0-1=3), gamepak prefetch enabled (bit14=1), also sets WS0 to 4,2 waits
5377 | (bit2-4=0), and sets WS2 to odd 4,8 waits (bit8-10=0). The WS2 (probably WS0
5378 | too) settings are nonsense, and should work with faster timings (the e-Reader
5379 | can be accessed in NDS mode, which doesn't support that slow timings).
5380 |
5381 | ### e-Reader Memory and I/O Map (with all used/unused/mirrored regions)
5382 |
5383 | ```
5384 | C000000h-C7FFFFFh ROM (8MB)
5385 | C800000h-DF7FFFFh Open Bus
5386 | DF80000h-DF80001h Useless Register (R/W)
5387 | DF80002h-DF9FFFFh Mirrors of DF80000h-DF80001h
5388 | DFA0000h-DFA0001h Reset Register (R/W)
5389 | DFA0002h-DFBFFFFh Mirrors of DFA0000h-DFA0001h
5390 | DFC0000h-DFC0027h Scanline Data (320 Pixels) (R)
5391 | DFC0028h-DFC0087h Brightest Pixels of 8x6 Blocks (R)
5392 | DFC0088h Darkest Pixel of whole Image (R)
5393 | DFC0089h-DFC00FFh Always zero
5394 | DFC0100h-DFDFFFFh Mirrors of DFC0000h-DFC00FFh
5395 | DFE0000h-DFFFFFFh Open Bus
5396 | E000000h-E00CFFFh FLASH Bank 0 - Data
5397 | E00D000h-E00DFFFh FLASH Bank 0 - Calibration Data
5398 | E00E000h-E00EFFFh FLASH Bank 0 - Copy of Calibration Data
5399 | E00F000h-E00FF7Fh FLASH Bank 0 - Unused region
5400 | E000000h-E00EFFFh FLASH Bank 1 - Data
5401 | E00F000h-E00FF7Fh FLASH Bank 1 - Unused region
5402 | E00FF80h-E00FFAFh Intensity Boundaries for 8x6 Blocks (R/W)
5403 | E00FFB0h Control Register 0 (R/W)
5404 | E00FFB1h Control Register 1 (R/W)
5405 | E00FFB2h-E00FFB3h LED Duration (16bit) (R/W)
5406 | E00FFB4h-E00FFBFh Always zero
5407 | E00FFC0h-E00FFFFh Mirror of E00FF80h-E00FFBFh
5408 | ```
5409 |
5410 | Mind that WS2 should be accessed by LDRH/STRH, and SRAM region by LDRB/STRB.
5411 |
5412 | Additionally about 32 serial bus registers are contained in the camera module.
5413 |
5414 | ### Camera Module Notes
5415 |
5416 | The Type 1 initial setting on power-on is 402x302 pixels, the e-Reader uses
5417 | only 320x246 pixels. The full vertical resolution could be probably used
5418 | without problems. Port DFC0000h-DFC0027h are restricted to 320 pixels, so
5419 | larger horizontal resolutions could be probably obtained only by changing the
5420 | horizontal scroll offset on each 2nd scan.
5421 |
5422 | The camera output is 128 grayscales (via parallel 7bit databus), but the PGA
5423 | converts it to 2 colors (1bit depth). For still images, it might be possible to
5424 | get 4 grayshades via 3 scans with different block intensity boundary settings.
5425 |
5426 | No idea if the camera supports serial commands other than 22h and 23h. Namely,
5427 | it would be a quite obvious and basic feature to allow to receive the
5428 | bitmap via the 2-wire serial bus (alternately to the 7bit databus), if
5429 | supported, it'd allow to get 7bit images, bypassing 1bit PGA conversion.
5430 |
5431 | When used as actual camera (by cutting an opening in the case), the main
5432 | problem is the 1bit color depth, which allows only black and white schemes,
5433 | when/if solving that problem, focusing might be also a problem.
5434 |
5435 | Either the camera or the PGA seem to have a problem on white-to-black
5436 | transitions in vertical direction, the upper some black pixels are sorts of
5437 | getting striped or dithered. For example, scanning the large sync marks appears
5438 | as:
5439 |
5440 | ```
5441 | Actual Shape     Scanned Shape
5442 |   XXXXX            X X
5443 |  XXXXXXX          X X X
5444 | XXXXXXXXX        X X X XX
5445 | XXXXXXXXX        X X X XX
5446 |  XXXXXXX          XXXXXXX
5447 |   XXXXX            XXXXX
5448 | ```
5449 |
5450 | That appears only on large black shapes (the smaller data dots look better).
5451 | Probably the image is scanned from bottom upwards (and the camera senses only
5452 | the initial transition at the bottom, and then loses track of what it is
5453 | doing).
5454 |
5455 | ## GBA Cart e-Reader Dotcode Format
5456 |
5457 | Resolution is 342.39 DPI (almost 10 blocks per inch).
5458 |
5459 | Resolution is 134.8 dots/cm (almost 4 blocks per centimeter).
5460 |
5461 | The width and height of each block, and the spacing to the bottom edge of the
5462 | card is ca. 1/10 inch, or ca. 4 millimeters.
5463 |
5464 | ```
5465 |  XXX            BLOCK 1             XXX            BLOCK 2             XXX
5466 | XXXXX                              XXXXX                              XXXXX
5467 | XXXXX   X X X X X X X X X X X X    XXXXX   X X X X X X X X X X X X    XXXXX
5468 | XXXXX                              XXXXX                              XXXXX
5469 |  XXX   HHHHHHHHHHHHHHHHHHHH......   XXX   HHHHHHHHHHHHHHHHHHHH......   XXX
5470 |        ..........................         ..........................
5471 |        ...... 3 short lines .....         ..........................
5472 |   A..................................A..................................A..
5473 |   A....      26 long lines       ....A........ X = Sync Marks   ........A..
5474 |   A....    (each 34 data dots)   ....A........ H = Block Header ........A..
5475 |   A....(not all lines shown here)....A........ . = Data Bits    ........A..
5476 |   A..................................A........ A = Address Bits ........A..
5477 |        ...... 3 short lines .....         ..........................
5478 |        ...(each 26 data dots)....         ..........................
5479 |  XXX   ..........................   XXX   ..........................   XXX
5480 | XXXXX                              XXXXX                              XXXXX
5481 | XXXXX   X X X X X X X X X X X X    XXXXX   X X X X X X X X X X X X    XXXXX
5482 | XXXXX                              XXXXX                              XXXXX
5483 |  XXX                                XXX                                XXX
5484 |
5485 | ___Snip____________________________________________________________________
5486 | ```
5487 |
5488 | ### Address Columns
5489 |
5490 | Each Column consists of 26 dots. From top to bottom: 1 black dot, 8 blank dots,
5491 | 16 address dots (MSB topmost), and 1 blank dot. The 16bit address values can be
5492 | calculated as:
5493 |
5494 | ```
5495 | addr[0] = 03FFh
5496 | for i = 1 to 53
5497 | addr[i] = addr[i-1] xor ((i and (-i)) * 769h)
5498 | if (i and 07h)=0 then addr[i] = addr[i] xor (769h)
5499 | if (i and 0Fh)=0 then addr[i] = addr[i] xor (769h*2)
5500 | if (i and 1Fh)=0 then addr[i] = addr[i] xor (769h*4) xor (769h)
5501 | next i
5502 | ```
5503 |
5504 | Short strips use addr[1..19], long strips use addr[25..53], left to right.
5505 |
5506 | ### Block Header
5507 |
5508 | The 18h-byte Block Header is taken from the 1st two bytes (20 dots) of the 1st
5509 | 0Ch blocks (and is then repeated in the 1st two bytes of further blocks).
5510 |
5511 | ```
5512 | 00h Unknown (00h)
5513 | 01h Dotcode type (02h=Short, 03h=Long)
5514 | 02h Unknown (00h)
5515 | 03h Address of 1st Block (01h=Short, 19h=Long)
5516 | 04h Total Fragment Size (40h) ;64 bytes per fragment, of which,
5517 | ;48 bytes are actual data, the remaining
5518 | 05h Error-Info Size (10h) ;16 bytes are error-info
5519 | 06h Unknown (00h)
5520 | 07h Interleave Value (1Ch=Short, 2Ch=Long)
5521 | 08h..17h 16 bytes Reed-solomon error correction info for Block Header
5522 | ```
5523 |
5524 | ### Data 4-Bit to 5-bit Conversion
5525 |
5526 | In the Block Header (HHHHH), and Data Region (.....), each 4bit are expanded to
5527 | 5bit, so one byte occupies 10 dots, and each block (1040 data dots) contains
5528 | 104 bytes.
5529 |
5530 | ```
5531 | 4bit 00h 01h 02h 03h 04h 05h 06h 07h 08h 09h 0Ah 0Bh 0Ch 0Dh 0Eh 0Fh
5532 | 5bit 00h 01h 02h 12h 04h 05h 06h 16h 08h 09h 0Ah 14h 0Ch 0Dh 11h 10h
5533 | ```
5534 |
5535 | That formatting ensures that there are no more than two continuous black dots
5536 | (in horizontal direction), neither inside of a 5bit value, nor between two 5bit
5537 | values. However, the address bars violate that rule, and up to 5
5538 | continuous black dots can appear at the (..A..) block boundaries.
5539 |
5540 | ### Data Order
5541 |
5542 | Data starts with the upper bit of the 5bit value for the upper 4bit of the
5543 | first byte, which is located at the leftmost dot of the upper line of the
5544 | leftmost block. It then extends towards the rightmost dot of that block,
5545 | continues in the next line until reaching the bottom of the block, and then
5546 | continues in the next block. The 1st two bytes of each block contain a
5547 | portion of the Block Header, the remaining 102 bytes in each block contain
5548 | data.
5549 |
5550 | ### Data Size
5551 |
5552 | A long strip consists of 28 blocks (28\*104 = 2912 bytes), a short strip of 18
5553 | blocks (18\*104 = 1872 bytes). Of that, less than 75% can actually be used for
5554 | program code; the remaining data contains error correction info and various
5555 | headers. See Data Format for more info.
5556 |
5557 | ### Interleaved Fragments
5558 |
5559 | The Interleave Value (I) specifies the number of fragments, and does also
5560 | specify the step to the next byte inside of a fragment; except that, at the
5561 | block boundaries (every 104 bytes), the step is 2 bigger (for skipping the next
5562 | two Block Header bytes).
5563 |
5564 | ```
5565 | RAW Offset Content
5566 | 000h..001h 1st 2 bytes of RAW Header
5567 | 002h 1st byte of 1st fragment
5568 | 003h 1st byte of 2nd fragment
5569 | ... ...
5570 | 002h+I-1 1st byte of last fragment
5571 | 002h+I 2nd byte of 1st fragment
5572 | 003h+I 2nd byte of 2nd fragment
5573 | ... ...
5574 | 002h+I*2-1 2nd byte of last fragment
5575 | ... ...
5576 | ```
5577 |
5578 | Each fragment consists of 48 actual data bytes, followed by 16 error correction
5579 | bytes, followed by 0..2 unused bytes (since I\*40h doesn't exactly match
5580 | num\_blocks\*102).
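
The three layers described above (5bit dot codes, the two header bytes per block, interleaved fragments), combined into one decoder. This is an added example, not code from GBATEK or no$gba; it assumes dots arrive as 0/1 with 1 = black, does not interpret the Reed-Solomon bytes, and `build_raw` with its header repetition pattern is constructed test input only.

```python
# Added example (not GBATEK code). Assumption: dots are given as 0/1, 1 = black.
ENC5 = [0x00, 0x01, 0x02, 0x12, 0x04, 0x05, 0x06, 0x16,
        0x08, 0x09, 0x0A, 0x14, 0x0C, 0x0D, 0x11, 0x10]   # 4bit -> 5bit (page table)
DEC5 = {code: nib for nib, code in enumerate(ENC5)}       # 5bit -> 4bit

BLOCK_BYTES = 104        # 1040 data dots, 10 dots per byte
FRAGMENT_SIZE = 0x40     # 48 data bytes + 16 error-info bytes
# Dotcode type -> (blocks, address of 1st block, interleave), values from the page.
STRIP_TYPES = {0x02: (18, 0x01, 0x1C), 0x03: (28, 0x19, 0x2C)}


class DotcodeError(ValueError):
    """Raised when scanned input does not match the documented layout."""


def bytes_to_dots(raw):
    """Expand bytes to dots: upper nibble first, MSB of each 5bit code first."""
    dots = []
    for byte in raw:
        for nib in (byte >> 4, byte & 0x0F):
            dots.extend((ENC5[nib] >> s) & 1 for s in range(4, -1, -1))
    return dots


def dots_to_bytes(dots):
    """Collapse 10 dots per byte, rejecting the 16 unused 5bit codes."""
    if len(dots) % 10:
        raise DotcodeError("dot count is not a multiple of 10")
    out = bytearray()
    for pos in range(0, len(dots), 10):
        value = 0
        for start in (pos, pos + 5):
            code = 0
            for dot in dots[start:start + 5]:
                code = (code << 1) | (dot & 1)
            if code not in DEC5:
                raise DotcodeError(f"invalid 5bit code {code:02X}h at dot {start}")
            value = (value << 4) | DEC5[code]
        out.append(value)
    return bytes(out)


def max_black_run():
    """Longest run of black dots over every ordered pair of adjacent 5bit codes."""
    best = 0
    for a in ENC5:
        for b in ENC5:
            run = 0
            for s in range(9, -1, -1):
                run = run + 1 if ((a << 5 | b) >> s) & 1 else 0
                best = max(best, run)
    return best


def deinterleave(raw):
    """Split raw block bytes into (block_header, list of 64-byte fragments)."""
    n_blocks, rest = divmod(len(raw), BLOCK_BYTES)
    if rest or n_blocks < 0x0C:
        raise DotcodeError("raw data is not a whole number of >= 0Ch blocks")
    blocks = [raw[i:i + BLOCK_BYTES] for i in range(0, len(raw), BLOCK_BYTES)]
    header = b"".join(blk[:2] for blk in blocks[:0x0C])   # 18h-byte Block Header
    payload = b"".join(blk[2:] for blk in blocks)         # 102 bytes per block
    if STRIP_TYPES.get(header[1]) != (n_blocks, header[3], header[7]):
        raise DotcodeError("type, 1st block address, interleave, block count disagree")
    if header[4] != FRAGMENT_SIZE or header[5] != 0x10:
        raise DotcodeError("unexpected fragment or error-info size")
    step = header[7]
    # With the header bytes removed, the "+2 at block boundaries" step is implicit.
    return header, [payload[k::step][:FRAGMENT_SIZE] for k in range(step)]


def build_raw(dotcode_type, fragments):
    """Constructed test input: interleave fragments into raw blocks (RS bytes zero)."""
    n_blocks, first_addr, step = STRIP_TYPES[dotcode_type]
    header = bytes([0, dotcode_type, 0, first_addr, 0x40, 0x10, 0, step]) + bytes(16)
    payload = bytearray(n_blocks * (BLOCK_BYTES - 2))
    for k, frag in enumerate(fragments):
        for j, byte in enumerate(frag):
            payload[k + j * step] = byte
    raw = bytearray()
    for b in range(n_blocks):
        h = (b % 0x0C) * 2          # assumed repetition pattern for blocks >= 0Ch
        raw += header[h:h + 2] + payload[b * 102:(b + 1) * 102]
    return bytes(raw)


if __name__ == "__main__":
    frags = [bytes((k * 7 + j) & 0xFF for j in range(64)) for k in range(0x1C)]
    hdr, out = deinterleave(dots_to_bytes(bytes_to_dots(build_raw(0x02, frags))))
    print("round trip ok:", out == frags, "max black run:", max_black_run())
```

Rejecting 5bit codes outside the table gives a cheap first error check on a scan before the fragments are handed to error correction.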
5581 |
5582 | ## GBA Cart e-Reader Data Format
5583 |
5584 | ### Data Strip Format
5585 |
5586 | The size of the data region is I\*48 bytes (I=Interleave Value, see Dotcode
5587 | Format), the first 48-byte fragment contains the Data Header, the remaining
5588 | (I-1) fragments are Data Fragments (which contain title(s), and VPK compressed
5589 | program code).
5590 |
5591 | ### First Strip
5592 |
5593 | ```
5594 | Data Header (48 bytes)
5595 | Main-Title (17 bytes, or 33 bytes)
5596 | Sub-Title(s) (3+18 bytes, or 33 bytes) (for each strip) (optional)
5597 | VPK Size (2 byte value, total length of VPK Data in ALL strips)
5598 | NULL Value (4 bytes, contained ONLY in 1st strip of GBA strips)
5599 | VPK Data (length as defined in VPK Size entry, see above)
5600 | ```
5601 |
5602 | ### Further Strip(s)
5603 |
5604 | ```
5605 | Data Header (48 bytes)
5606 | Main-Title (17 bytes, or 33 bytes)
5607 | Sub-Title(s) (3+18 bytes, or 33 bytes) (for each strip) (optional)
5608 | VPK Data (continued from previous strip)
5609 | ```
5610 |
5611 | ### Data Header (30h bytes) (1st fragment)
5612 |
5613 | ```
5614 | 00h-01h Fixed (00h,30h)
5615 | 02h Fixed (01h) ;01h="Do not calculate Global Checksum" ?
5616 | 03h Primary Type (see below)
5617 | 04h-05h Fixed (00h,01h) (don't care)
5618 | 06h-07h Strip Size (0510h=Short, 0810h=Long Strip) ((I-1)*30h) (MSB,LSB)
5619 | 08h-0Bh Fixed (00h,00h,10h,12h)
5620 | 0Ch-0Dh Region/Type (see below)
5621 | 0Eh Strip Type (02h=Short Strip, 01h=Long Strip) (don't care)
5622 | 0Fh Fixed (00h) (don't care)
5623 | 10h-11h Unknown (whatever) (don't care)
5624 | 12h Fixed (10h) ;10h="Do calculate Data Checksum" ?
5625 | 13h-14h Data Checksum (see below) (MSB,LSB)
5626 | 15h-19h Fixed (19h,00h,00h,00h,08h)
5627 | 1Ah-21h ID String ('NINTENDO')
5628 | 22h-25h Fixed (00h,22h,00h,09h)
5629 | 26h-29h Size Info (see below)
5630 | 2Ah-2Dh Flags (see below)
5631 | 2Eh Header Checksum (entries [0Ch-0Dh,10h-11h,26h-2Dh] XORed together)
5632 | 2Fh Global Checksum (see below)
5633 | ```
5634 |
5635 | Primary Type [03h] is 8bit,
5636 |
5637 | ```
5638 | 0 Card Type (upper bit) (see below)
5639 | 1 Unknown (usually opposite of Bit0) (don't care)
5640 | 2-7 Unknown (usually zero)
5641 | ```
5642 |
5643 | Region/Type [0Ch..0Dh] is 16bit,
5644 |
5645 | ```
5646 | 0-3 Unknown (don't care)
5647 | 4-7 Card Type (lower bits) (see below)
5648 | 8-11 Region/Version (0=Japan/Original, 1=Non-japan, 2=Japan/Plus)
5649 | 12-15 Unknown (don't care)
5650 | ```
5651 |
5652 | Size Info [26h-29h] is 32bit,
5653 |
5654 | ```
5655 | 0 Unknown (don't care)
5656 | 1-4 Strip Number (01h..Number of strips)
5657 | 5-8 Number of Strips (01h..0Ch) (01h..08h for Japan/Original version)
5658 | 9-23 Size of all Strips (excluding Headers and Main/Sub-Titles)
5659 | (same as "VPK Size", but also including the 2-byte "VPK Size" value,
5660 | plus the 4-byte NULL value; if it is present)
5661 | 24-31 Fixed (02h) (don't care)
5662 | ```
5663 |
5664 | Flags [2Ah-2Dh] is 32bit,
5665 |
5666 | ```
5667 | 0 Permission to save (0=Start Immediately, 1=Prompt for FLASH Saving)
5668 | 1 Sub-Title Flag (0=Yes, 1=None) (Japan/Original: always 0=Yes)
5669 | 2 Application Type (0=GBA/Z80, 1=NES) (Japan/Original: always 0=Z80)
5670 | 3-31 Zero (0) (don't care)
5671 | ```
5672 |
5673 | Data Checksum [13h-14h] is the complement (NOT) of the sum of all halfwords in
5674 | all Data Fragments, however, it's all done in reversed byte order: checksum is
5675 | calculated with halfwords that are read in MSB,LSB order, and the resulting
5676 | checksum is stored in MSB,LSB order in the Header Fragment.
5677 |
5678 | Global Checksum [2Fh] is the complement (NOT) of the sum of the first 2Fh bytes
5679 | in the Data Header plus the sum of all Data Fragment checksums; the Data
5680 | Fragment checksums are all 30h bytes in a fragment XORed with each other.
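
A validator for the three checksums and the fixed header fields described above, run against a constructed data region. This is an added example, not code from GBATEK or the e-Reader BIOS; it assumes each checksum is truncated to its field width with NOT applied to the complete sum, and `build_region` with its zeroed or sample field values is constructed input.

```python
# Added example (not GBATEK code). Assumed reading of the page: every checksum is
# truncated to its field width, and NOT is applied to the complete sum.
FRAG = 0x30                      # bytes per fragment in the data region
ID_STRING = b"NINTENDO"


def data_checksum(data_frags):
    """NOT of the sum of all halfwords (read MSB,LSB) in the Data Fragments."""
    total = 0
    for frag in data_frags:
        for i in range(0, FRAG, 2):
            total += (frag[i] << 8) | frag[i + 1]
    return ~total & 0xFFFF


def header_checksum(hdr):
    """XOR of header entries [0Ch-0Dh, 10h-11h, 26h-2Dh]."""
    value = 0
    for i in (0x0C, 0x0D, 0x10, 0x11, *range(0x26, 0x2E)):
        value ^= hdr[i]
    return value


def global_checksum(hdr, data_frags):
    """NOT of (sum of header bytes 00h..2Eh + sum of per-fragment XOR values)."""
    total = sum(hdr[:0x2F])
    for frag in data_frags:
        x = 0
        for byte in frag:
            x ^= byte
        total += x
    return ~total & 0xFF


def verify_region(region):
    """Return a list of problems found in an I*48-byte data region (empty = OK)."""
    if len(region) < 2 * FRAG or len(region) % FRAG:
        return ["region is not a whole number (>= 2) of 30h-byte fragments"]
    frags = [region[i:i + FRAG] for i in range(0, len(region), FRAG)]
    hdr, data = frags[0], frags[1:]
    problems = []
    if hdr[0x00:0x02] != b"\x00\x30" or hdr[0x1A:0x22] != ID_STRING:
        problems.append("fixed fields / ID string")
    if (hdr[0x06] << 8 | hdr[0x07]) != len(data) * FRAG:    # (I-1)*30h, MSB,LSB
        problems.append("strip size")
    if hdr[0x2E] != header_checksum(hdr):
        problems.append("header checksum")
    if (hdr[0x13] << 8 | hdr[0x14]) != data_checksum(data):  # stored MSB,LSB
        problems.append("data checksum")
    if hdr[0x2F] != global_checksum(hdr, data):
        problems.append("global checksum")
    return problems


def build_region(data_frags):
    """Constructed sample: header with the page's fixed values, other fields zero."""
    hdr = bytearray(FRAG)
    hdr[0x00:0x03] = b"\x00\x30\x01"
    hdr[0x04:0x06] = b"\x00\x01"
    hdr[0x06:0x08] = (len(data_frags) * FRAG).to_bytes(2, "big")
    hdr[0x08:0x0C] = b"\x00\x00\x10\x12"
    hdr[0x0C:0x0E] = b"\x01\x00"          # constructed Region/Type bytes
    hdr[0x12] = 0x10
    hdr[0x13:0x15] = data_checksum(data_frags).to_bytes(2, "big")
    hdr[0x15:0x1A] = b"\x19\x00\x00\x00\x08"
    hdr[0x1A:0x22] = ID_STRING
    hdr[0x22:0x26] = b"\x00\x22\x00\x09"
    hdr[0x2E] = header_checksum(hdr)       # must precede the global checksum
    hdr[0x2F] = global_checksum(hdr, data_frags)
    return bytes(hdr) + b"".join(data_frags)


if __name__ == "__main__":
    # Constructed short-strip payload: 1Bh data fragments of 30h bytes each.
    sample = [bytes((k * 5 + j * 3) & 0xFF for j in range(FRAG)) for k in range(0x1B)]
    region = bytearray(build_region(sample))
    print("intact:", verify_region(bytes(region)))
    region[FRAG + 5] ^= 0x01               # simulate a single-bit scan error
    print("damaged:", verify_region(bytes(region)))
```

All three values are plain sums or XORs, so swapping two halfwords inside one fragment leaves every check satisfied: they catch scan damage, not deliberate modification of the data.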
5681 |
5682 | ### Titles (3+N bytes, or N bytes)
5683 |
5684 | Titles can be 33 bytes for both Main and Sub (Format 0Eh), or Main=17 bytes and
5685 | Sub=3+18 bytes (Formats 02h..05h). In the 3+N bytes form, the first 3 bytes
5686 | (24bit) are used to display "stats" information in form of "HP: h1 ID:
5687 | i1-i2-i3", defined as:
5688 |
5689 | ```
5690 | Bit Expl.
5691 | 0-3 h1, values 1..15 shown as "10..150", value 0 is not displayed
5692 | 4-6 i3, values 0..7 shown as "A..G,#"
5693 | 7-13 i2, values 0..98 shown as "01..99" values 99..127 as "A0..C8"
5694 | 14-18 i1, values 0..31 shown as "A..Z,-,_,{HP},.,{ID?},:"
5695 | 19-22 Unknown
5696 | 23 Disable stats (0=Show as "HP: h1 ID: i1-i2-i3", 1=Don't show it)
5697 | ```
5698 |
5699 | The N bytes portion contains the actual title, which must be terminated by 00h
5700 | (so the max length is N-1 characters, if it is shorter than N-1, then the
5701 | unused bytes are padded by further 00h's). The character set is normal ASCII
5702 | for non-Japan (see Region/Version entry in header), and 2-byte SHIFT-JIS for
5703 | Japanese long-titles (=max 16 2-byte chars) with values as so:
5704 |
5705 | ```
5706 | 00h --> end-byte
5707 | 81h,40h --> SPC
5708 | 81h,43h..97h --> punctuation marks
5709 | 82h,4Fh..58h --> "0..9"
5710 | 82h,60h..79h --> "A..Z"
5711 | 82h,81h..9Ah --> "a..z"
5712 | ```
5713 |
5714 | And 1-byte chars for Japanese short-titles,
5715 |
5716 | ```
5717 | 00 = end-byte
5718 | 01 = spc
5719 | 02..0B = 0..9
5720 | 0C..AF = japanese
5721 | B0..B4 = dash, male, female, comma, round-dot
5722 | B5..C0 = !"%&~?/+-:.'
5723 | C1..DA = A..Z
5724 | DB..DF = unused (blank)
5725 | E0..E5 = japanese
5726 | E6..FF = a..z
5727 | N/A = #$()*;<=>@[\]^_`{|}
5728 | ```
5729 |
5730 | In addition to the Main-Title, optional Sub-Titles for each strip can be
5731 | included (see Sub-Title Flag in header). If enabled, then ALL strip titles are
5732 | included in each strip (which allows showing a preview of which strips
5733 | have/haven't been scanned yet).
5734 |
5735 | The e-Reader can display a maximum of 8 sub-titles; if the data consists of more
5736 | than 8 strips, then sub-titles aren't displayed (so it'd be a waste of space to
5737 | include them in the dotcodes).
5738 |
5739 | The Main Title gets clipped to 128 pixels width (that is, circa 22
5740 | characters), and the e-Reader BIOS acts confused on multi-strip games with
5741 | Main Titles longer than 26 characters (so the full 33 bytes may be used only in
5742 | Japan; with 16bit charset).
5743 |
5744 | If the title is empty (00h-filled), and there is only one card in the
5745 | application, then the application is started immediately, without
5746 | allowing the user to save it in FLASH memory.
5747 |
5748 | Caution: Although shorter Titles do save memory, they behave unpleasantly: the
5749 | text "(C) P-Letter" will be displayed at the bottom of the loading screen.
5750 |
5751 | On Japanese/Original, 8bit sub-titles can be up to 18 characters (without any
5752 | end-byte) (or less when stats are enabled, due to limited screen width).
5753 |
5754 | ### Card Types (Primary Type.Bit0 and Region/Type.Bit12-15)
5755 |
5756 | ```
5757 | 00h..01h Blank Screen (?)
5758 | 02h..03h Dotcode Application with 17byte-title, with stats, load music A
5759 | 04h..05h Dotcode Application with 17byte-title, with stats, load music B
5760 | 06h..07h P-Letter Attacks
5761 | 08h..09h Construction Escape
5762 | 0Ah..0Bh Construction Action
5763 | 0Ch..0Dh Construction Melody Box
5764 | 0Eh Dotcode Application with 33byte-title, without stats, load music A
5765 | 0Fh Game specific cards
5766 | 10h..1Dh P-Letter Viewer
5767 | 1Eh..1Fh Same as 0Eh and 0Fh (see above)
5768 | ```
5769 |
5770 | The 'Application' types are meant to be executable GBA/Z80/NES programs.
5771 |
5772 | ## GBA Cart e-Reader Program Code
5773 |
5774 | The GBA/Z80/NES program code is stored in the VPK compressed area.
5775 |
5776 | NES-type is indicated by header [2Ah].Bit2, GBA-type is indicated by the NULL
5777 | value inserted between VPK Size and VPK Data, otherwise Z80-type is used.
5778 |
5779 | ### GBA Format
5780 |
5781 | Load Address and Entrypoint are at 2000000h (in ARM state). The 32bit word at
5782 | 2000008h is eventually destroyed by the e-Reader. Namely,
5783 |
5784 | ```
5785 | IF e-Reader is Non-Japanese,
5786 | AND [2000008h] is outside of range of 2000000h..20000E3h,
5787 | AND only if booted from camera (not when booted from FLASH?),
5788 | THEN [2000008h]=[2000008h]-0001610Ch ELSE [2000008h] kept intact
5789 | ```
5790 |
5791 | Existing multiboot-able GBA binaries can be converted to e-Reader format by,
5792 |
5793 | ```
5794 | Store "B 20000C0h" at 2000000h ;redirect to RAM-entrypoint
5795 | Zerofill 2000004h..20000BFh ;erase header (for better compression rate)
5796 | Store 01h,01h at 20000C4h ;indicate RAM boot
5797 | ```
5798 |
5799 | The GBA code has full access to the GBA hardware, and may additionally use
5800 | whatever API functions are contained in the e-Reader BIOS. With the incoming LR
5801 | register value, "mov r0,N, bx lr" returns to the e-Reader BIOS (with N being
5802 | 0=Restart, or 2=To\_Menu). No idea if it's necessary to preserve portions of RAM
5803 | when returning to the e-Reader BIOS?
5804 |
5805 | Caution: Unlike for normal GBA cartridges/multiboot files, the hardware is left
5806 | uninitialized when booting dotcodes (among others: sound DMA is active, and
5807 | brightness is set to zero), use "mov r0,0feh, swi 010000h" to get the normal
5808 | settings.
5809 |
5810 | ### NES Format
5811 |
5812 | Emulates a NES (Nintendo Entertainment System) console (aka Family Computer).
5813 |
5814 | The visible 240x224 pixel NES/NTSC screen resolution is resampled to 240x160 to
5815 | match the smaller vertical resolution of the GBA hardware. So, writing e-Reader
5816 | games in NES format will result in blurred screen output. The
5817 | screen/sound/joypad is accessed via emulated NES I/O ports, program code is
5818 | running on an emulated 6502 8bit CPU, for more info on the NES hardware, see
5819 | no$nes debugger specifications, or
5820 |
5821 | ```
5822 | http://problemkaputt.de/everynes.htm
5823 | ```
5824 |
5825 | The e-Reader's NES emulator supports only 16K PRG ROM, followed by 8K VROM. The
5826 | emulation accuracy is very low, barely working with some of Nintendo's own NES
5827 | titles; running the no$nes diagnostics program on it has successfully failed on
5828 | ALL hardware tests ;-)
5829 |
5830 | The load address for the 16K PRG-ROM is C000h, the 16bit NMI vector at [FFFAh]
5831 | is encrypted like so:
5832 |
5833 | ```
5834 | for i=17h to 0
5835 | for j=07h to 0, nmi = nmi shr 1, if carry then nmi = nmi xor 8646h, next j
5836 | nmi = nmi xor (byte[dmca_data+i] shl 8)
5837 | next i
5838 | dmca_data: db 0,0,'DMCA NINTENDO E-READER'
5839 | ```
5840 |
5841 | The 16bit reset vector at [FFFCh] contains:
5842 |
5843 | ```
5844 | Bit0-14 Lower bits of Entrypoint (0..7FFFh = Address 8000h..FFFFh)
5845 | Bit15 Nametable Mode (0=Vertical Mirroring, 1=Horizontal Mirroring)
5846 | ```
5847 |
5848 | reportedly,
5849 |
5850 | ```
5851 | (NES limitations, 1 16K program rom + 1-2 8K CHR rom, mapper 0 and 1)
5852 | ines mapper 1 would be MMC1, rather than CNROM (ines mapper 3)?
5853 | but, there are more or less NONE games that have 16K PRG ROM + 16K VROM?
5854 | ```
5855 |
5856 | The L+R Button key-combination resets the NES; however, there seems to
5857 | be no way to return to the e-Reader BIOS.
5858 |
5859 | ### Z80/8080 Format
5860 |
5861 | The e-Reader doesn't support the following Z80 opcodes:
5862 |
5863 | ```
5864 | CB [Prefix] E0 RET PO E2 JP PO,nn E4 CALL PO,nn 27 DAA 76 HALT
5865 | ED [Prefix] E8 RET PE EA JP PE,nn EC CALL PE,nn D3 OUT (n),A
5866 | DD [IX Prefix] F3 DI 08 EX AF,AF' F4 CALL P,nn DB IN A,(n)
5867 | FD [IY Prefix] FB EI D9 EXX FC CALL M,nn xx RST 00h..38h
5868 | ```
5869 |
5870 | That leaves no more than six supported Z80 opcodes (DJNZ, JR, JR
5871 | c/nc/z/nz); everything else is 8080 opcodes. Custom opcodes are:
5872 |
5873 | ```
5874 | 76 WAIT A frames, D3 WAIT n frames, and C7/CF RST 0/8 used for API calls.
5875 | ```
5876 |
5877 | The load address and entrypoint are at 0100h in the emulated Z80 address space.
5878 | The Z80 doesn't have direct access to the GBA hardware, instead
5879 | video/sound/joypad are accessed via API functions, invoked via RST 0 and RST 8
5880 | opcodes, followed by an 8bit data byte, and with parameters in the Z80 CPU
5881 | registers. For example, "ld a,02h, rst 8, db 00h" does return to the e-Reader
5882 | BIOS.
5883 |
5884 | The Z80/8080 emulation is incredibly inefficient, written in HLL code,
5885 | developed by somebody who knew nothing about emulation nor about ARM nor about
5886 | Z80/8080 processors.
5887 |
5888 | ### Running GBA-code on Japanese/Original e-Reader
5889 |
5890 | Original e-Reader supports Z80 code only, but can be tweaked to run GBA-code:
5891 |
5892 | ```
5893 | retry:
5894 | ld bc,data // ld hl,00c8h ;src/dst
5895 | lop:
5896 | ld a,[bc] // inc bc // ld e,a ;lsb
5897 | ld a,[bc] // inc bc // ld d,a ;msb
5898 | dw 0bcfh ;aka rst 8 // db 0bh ;[4000000h+hl]=de (DMA registers)
5899 | inc hl // inc hl // ld a,l
5900 | cp a,0dch // jr nz,lop
5901 | mod1 equ $+1
5902 | dw 37cfh ;aka rst 8 // db 37h ;bx 3E700F0h
5903 | ;below executed only on jap/plus... on jap/plus, above 37cfh is hl=[400010Ch]
5904 | ld a,3Ah // ld [mod1],a ;bx 3E700F0h (3Ah instead 37h)
5905 | ld hl,1 // ld [mod2],hl // ld [mod3],hl ;base (0200010Ch instead 0201610Ch)
5906 | jr retry
5907 | data:
5908 | mod2 equ $+1
5909 | dd loader ;40000C8h dma2sad (loader) ;\
5910 | dd 030000F0h ;40000CCh dma2dad (mirrored 3E700F0h) ; relocate loader
5911 | dd 8000000ah ;40000D0h dma2cnt (copy 0Ah x 16bit) ;/
5912 | mod3 equ $+1
5913 | dd main ;40000D4h dma3sad (main) ;\prepare main reloc
5914 | dd 02000000h ;40000D8h dma3dad (2000000h) ;/dma3cnt see loader
5915 | .align 2 ;alignment for 16bit-halfword
5916 | org $+201600ch ;jap/plus: adjusted to org $+200000ch
5917 | loader:
5918 | mov r0,80000000h ;(dma3cnt, copy 10000h x 16bit)
5919 | mov r1,04000000h ;i/o base
5920 | strb r1,[r1,208h] ;ime=0 (better disable ime before moving ram)
5921 | str r0,[r1,0DCh] ;dma3cnt (relocate to 2000000h)
5922 | mov r15,2000000h ;start relocated code at 2000000h in ARM state
5923 | main:
5924 | ;...insert/append whatever ARM code here...
5925 | end
5926 | ```
5927 |
5928 | ## GBA Cart e-Reader API Functions
5929 |
5930 | ### Z80 Interface (Special Opcodes)
5931 |
5932 | ```
5933 | db 76h ;Wait8bit A
5934 | db D3h,xxh ;Wait8bit xxh
5935 | db C7h,xxh ;RST0_xxh
5936 | db CFh,xxh ;RST8_xxh
5937 | ld r,[00xxh] ;get system values (addresses differ on jap/ori)
5938 | ld r,[00C2h..C3h] ;GetKeyStateSticky (jap/ori: 9F02h..9F03h)
5939 | ld r,[00C4h..C5h] ;GetKeyStateRaw (jap/ori: 9F04h..9F05h)
5940 | ld r,[00C0h..C1h] ;see Exit and ExitRestart
5941 | ld r,[00D0h..D3h] ;see Mul16bit
5942 | ```
5943 |
5944 | For jap/ori, 9Fxxh isn't forwards compatible with jap/plus, so it'd be better
5945 | to check joypad via IoRead.
5946 |
5947 | ### GBA Interface
5948 |
5949 | ```
5950 | bx [30075FCh] ;ApiVector ;in: r0=func_no,r1,r2,r3,[sp+0],[sp+4],[sp+8]=params
5951 | bx lr ;Exit ;in: r0 (0=Restart, 2=To_Menu)
5952 | ```
5953 |
5954 | ### Wait8bit/Wait16bit
5955 |
5956 | The various Wait opcodes and functions wait for as many frames as specified.
5957 | Many API functions have no effect until the next Wait occurs.
5958 |
5959 | ### Z80 RST0\_xxh Functions / GBA Functions 02xxh
5960 |
5961 | ```
5962 | RST0_00h FadeIn, A speed, number of frames (0..x)
5963 | RST0_01h FadeOut
5964 | RST0_02h BlinkWhite
5965 | RST0_03h (?)
5966 | RST0_04h (?) blend_func_unk1
5967 | RST0_05h (?)
5968 | RST0_06h (?)
5969 | RST0_07h (?)
5970 | RST0_08h (?)
5971 | RST0_09h (?) _020264CC_check
5972 | RST0_0Ah (?) _020264CC_free
5973 | RST0_0Bh N/A (bx 0)
5974 | RST0_0Ch N/A (bx 0)
5975 | RST0_0Dh N/A (bx 0)
5976 | RST0_0Eh N/A (bx 0)
5977 | RST0_0Fh N/A (bx 0)
5978 | RST0_10h LoadSystemBackground, A number of background (1..101), E bg# (0..3)
5979 | RST0_11h SetBackgroundOffset, A=bg# (0..3), DE=X, BC=Y
5980 | RST0_12h SetBackgroundAutoScroll
5981 | RST0_13h SetBackgroundMirrorToggle
5982 | RST0_14h (?)
5983 | RST0_15h (?)
5984 | RST0_16h (?) write_000000FF_to_02029494_
5985 | RST0_17h (?)
5986 | RST0_18h (?)
5987 | RST0_19h SetBackgroundMode, A=mode (0..2)
5988 | RST0_1Ah (?)
5989 | RST0_1Bh (?)
5990 | RST0_1Ch (?)
5991 | RST0_1Dh (?)
5992 | RST0_1Eh (?)
5993 | RST0_1Fh (?)
5994 | RST0_20h LayerShow
5995 | RST0_21h LayerHide
5996 | RST0_22h (?)
5997 | RST0_23h (?)
5998 | RST0_24h ... [20264DCh+A*20h+1Ah]=DE, [20264DCh+A*20h+1Ch]=BC
5999 | RST0_25h (?)
6000 | RST0_26h (?)
6001 | RST0_27h (?)
6002 | RST0_28h (?)
6003 | RST0_29h (?)
6004 | RST0_2Ah (?)
6005 | RST0_2Bh (?)
6006 | RST0_2Ch (?)
6007 | RST0_2Dh LoadCustomBackground, A bg# (0..3), DE pointer to struct_background,
6008 | max. tile data size = 3000h bytes, max. map data size = 1000h bytes
6009 | RST0_2Eh GBA: N/A - Z80: (?)
6010 | RST0_2Fh (?)
6011 | RST0_30h CreateSystemSprite, - - (what "- -" ???)
6012 | RST0_31h SpriteFree, HL sprite handle
6013 | RST0_32h SetSpritePos, HL=sprite handle, DE=X, BC=Y
6014 | RST0_33h (?) sprite_unk2
6015 | RST0_34h SpriteFrameNext
6016 | RST0_35h SpriteFramePrev
6017 | RST0_36h SetSpriteFrame, HL=sprite handle, E=frame number (0..x)
6018 | RST0_37h (?) sprite_unk3
6019 | RST0_38h (?) sprite_unk4
6020 | RST0_39h SetSpriteAutoMove, HL=sprite handle, DE=X, BC=Y
6021 | RST0_3Ah (?) sprite_unk5
6022 | RST0_3Bh (?) sprite_unk6
6023 | RST0_3Ch SpriteAutoAnimate
6024 | RST0_3Dh (?) sprite_unk7
6025 | RST0_3Eh SpriteAutoRotateUntilAngle
6026 | RST0_3Fh SpriteAutoRotateByAngle
6027 | RST0_40h SpriteAutoRotateByTime
6028 | RST0_41h (?) sprite_unk8
6029 | RST0_42h SetSpriteAutoMoveHorizontal
6030 | RST0_43h SetSpriteAutoMoveVertical
6031 | RST0_44h (?) sprite_unk9
6032 | RST0_45h SpriteDrawOnBackground
6033 | RST0_46h SpriteShow, HL=sprite handle
6034 | RST0_47h SpriteHide, HL=sprite handle
6035 | RST0_48h SpriteMirrorToggle
6036 | RST0_49h (?) sprite_unk10
6037 | RST0_4Ah (?) sprite_unk11
6038 | RST0_4Bh (?) sprite_unk12
6039 | RST0_4Ch GetSpritePos
6040 | RST0_4Dh CreateCustomSprite
6041 | RST0_4Eh (?)
6042 | RST0_4Fh (?) sprite_unk14
6043 | RST0_50h (?) sprite_unk15
6044 | RST0_51h (?) sprite_unk16
6045 | RST0_52h (?) sprite_unk17
6046 | RST0_53h (?) sprite_unk18
6047 | RST0_54h (?)
6048 | RST0_55h (?) sprite_unk20
6049 | RST0_56h (?)
6050 | RST0_57h SpriteMove
6051 | RST0_58h (?) sprite_unk22
6052 | RST0_59h (?) sprite_unk23
6053 | RST0_5Ah (?) sprite_unk24
6054 | RST0_5Bh SpriteAutoScaleUntilSize, C=speed (higher value is slower),
6055 | HL=sprite handle, DE=size (0100h = normal size,
6056 | lower value = larger, higher value = smaller)
6057 | RST0_5Ch SpriteAutoScaleBySize
6058 | RST0_5Dh SpriteAutoScaleWidthUntilSize
6059 | RST0_5Eh SpriteAutoScaleHeightBySize
6060 | RST0_5Fh (?)
6061 | RST0_60h (?)
6062 | RST0_61h (?)
6063 | RST0_62h (?)
6064 | RST0_63h (?)
6065 | RST0_64h hl=[[2024D28h+a*4]+12h]
6066 | RST0_65h (?) sprite_unk25
6067 | RST0_66h SetSpriteVisible, HL=sprite handle, E=(0=not visible, 1=visible)
6068 | RST0_67h (?) sprite_unk26
6069 | RST0_68h (?) set_sprite_unk27
6070 | RST0_69h (?) get_sprite_unk27
6071 | RST0_6Ah (?)
6072 | RST0_6Bh (?)
6073 | RST0_6Ch (?)
6074 | RST0_6Dh (?)
6075 | RST0_6Eh hl=[hl+000Ah] ;r0=[r1+0Ah]
6076 | RST0_6Fh (?)
6077 | RST0_70h (?)
6078 | RST0_71h (?)
6079 | RST0_72h (?)
6080 | RST0_73h (?)
6081 | RST0_74h (?)
6082 | RST0_75h (?)
6083 | RST0_76h (?)
6084 | RST0_77h (?)
6085 | RST0_78h (?)
6086 | RST0_79h (?)
6087 | RST0_7Ah (?)
6088 | RST0_7Bh (?)
6089 | RST0_7Ch (?) _0202FD2C_unk12
6090 | RST0_7Dh Wait16bit ;HL=num_frames (16bit variant of Wait8bit opcode/function)
6091 | RST0_7Eh SetBackgroundPalette, HL=src_addr, DE=offset, C=num_colors (1..x)
6092 | RST0_7Fh GetBackgroundPalette(a,b,c)
6093 | RST0_80h SetSpritePalette, HL=src_addr, DE=offset, C=num_colors (1..x)
6094 | RST0_81h GetSpritePalette(a,b,c)
6095 | RST0_82h ClearPalette
6096 | RST0_83h (?) _0202FD2C_unk11
6097 | RST0_84h (?)
6098 | RST0_85h (?)
6099 | RST0_86h (?)
6100 | RST0_87h (?) _0202FD2C_unk8
6101 | RST0_88h (?) _0202FD2C_unk7
6102 | RST0_89h (?)
6103 | RST0_8Ah (?) _0202FD2C_unk6
6104 | RST0_8Bh (?) _0202FD2C_unk5
6105 | RST0_8Ch GBA: N/A - Z80: (?)
6106 | RST0_8Dh GBA: N/A - Z80: (?)
6107 | RST0_8Eh (?)
6108 | RST0_8Fh WindowHide
6109 | RST0_90h CreateRegion, H=bg# (0..3), L=palbank# (0..15),
6110 | D,E,B,C=x1,y1,cx,cy (in tiles), return: n/a (no$note: n/a ???)
6111 | RST0_91h SetRegionColor
6112 | RST0_92h ClearRegion
6113 | RST0_93h SetPixel
6114 | RST0_94h GetPixel
6115 | RST0_95h DrawLine
6116 | RST0_96h DrawRect
6117 | RST0_97h (?) _0202FD2C_unk4
6118 | RST0_98h SetTextColor, A=region handle, D=color foreground (0..15),
6119 | E=color background (0..15)
6120 | RST0_99h DrawText, A=region handle, BC=pointer to text, D=X, E=Y
6121 | (non-japan uses ASCII text, but japanese e-reader's use STH ELSE?)
6122 | RST0_9Ah SetTextSize
6123 | RST0_9Bh (?) RegionUnk7
6124 | RST0_9Ch (?) _0202FD2C_unk3
6125 | RST0_9Dh (?) _0202FD2C_unk2
6126 | RST0_9Eh (?) _0202FD2C_unk1
6127 | RST0_9Fh Z80: (?) - GBA: SetBackgroundModeRaw
6128 | RST0_A0h (?)
6129 | RST0_A1h (?)
6130 | RST0_A2h (?) RegionUnk6
6131 | RST0_A3h GBA: N/A - Z80: (?)
6132 | RST0_A4h GBA: N/A - Z80: (?)
6133 | RST0_A5h (?)
6134 | RST0_A6h (?)
6135 | RST0_A7h (?)
6136 | RST0_A8h (?)
6137 | RST0_A9h (?)
6138 | RST0_AAh (?)
6139 | RST0_ABh (?)
6140 | RST0_ACh (?)
6141 | RST0_ADh (?) RegionUnk5
6142 | RST0_AEh [202FD2Ch+122h]=A
6143 | RST0_AFh [202FD2Ch+123h]=A
6144 | RST0_B0h [202FD2Ch+124h]=A
6145 | RST0_B1h (?)
6146 | RST0_B2h (?)
6147 | RST0_B3h GBA: N/A - Z80: Sqrt ;hl=sqrt(hl)
6148 | RST0_B4h GBA: N/A - Z80: ArcTan ;hl=ArcTan2(hl,de)
6149 | RST0_B5h Sine ;hl=sin(a)*de
6150 | RST0_B6h Cosine ;hl=cos(a)*de
6151 | RST0_B7h (?)
6152 | RST0_B8h (?)
6153 | RST0_B9h N/A (bx 0)
6154 | RST0_BAh N/A (bx 0)
6155 | RST0_BBh N/A (bx 0)
6156 | RST0_BCh N/A (bx 0)
6157 | RST0_BDh N/A (bx 0)
6158 | RST0_BEh N/A (bx 0)
6159 | RST0_BFh N/A (bx 0)
6160 | Below Non-Japan and Japan/Plus only (not Japan/Ori)
6161 | RST0_C0h GetTextWidth(a,b)
6162 | RST0_C1h GetTextWidthEx(a,b,c)
6163 | RST0_C2h (?)
6164 | RST0_C3h Z80: N/A (bx 0) - GBA: (?)
6165 | RST0_C4h (?)
6166 | RST0_C5h (?)
6167 | RST0_C6h (?)
6168 | RST0_C7h (?)
6169 | RST0_C8h (?)
6170 | RST0_C9h (?)
6171 | RST0_CAh (?)
6172 | RST0_CBh (?)
6173 | RST0_CCh (?)
6174 | RST0_CDh N/A (bx lr)
6175 | RST0_CEh ;same as RST0_3Bh, but with 16bit mask
6176 | RST0_CFh ;same as RST0_3Eh, but with 16bit de
6177 | RST0_D0h ;same as RST0_3Fh, but with 16bit de
6178 | RST0_D1h ;same as RST0_5Bh, but with 16bit de
6179 | RST0_D2h ;same as RST0_5Ch, but with 16bit de
6180 | RST0_D3h ;same as RST0_5Dh, but with 16bit de
6181 | RST0_D4h ;same as RST0_5Eh, but with 16bit de
6182 | RST0_D5h (?)
6183 | RST0_D6h (?)
6184 | RST0_D7h ;[202FD2Ch+125h]=A
6185 | RST0_D8h (?)
6186 | RST0_D9h (?)
6187 | RST0_DAh (?)
6188 | RST0_DBh ;A=[3003E51h]
6189 | RST0_DCh ;[3004658h]=01h
6190 | RST0_DDh DecompressVPKorNonVPK
6191 | RST0_DEh FlashWriteSectorSingle(a,b)
6192 | RST0_DFh FlashReadSectorSingle(a,b)
6193 | RST0_E0h SoftReset
6194 | RST0_E1h GetCartridgeHeader ;[hl+0..BFh]=[8000000h..80000BFh]
6195 | RST0_E2h GBA: N/A - Z80: bx hl ;in: hl=addr, af,bc,de,sp=param, out: a
6196 | RST0_E3h Z80: N/A (bx 0) - GBA: (?)
6197 | RST0_E4h (?)
6198 | RST0_E5h (?)
6199 | RST0_E6h (?)
6200 | RST0_E7h (?)
6201 | RST0_E8h (?)
6202 | RST0_E9h ;[2029498h]=0000h
6203 | RST0_EAh Z80: N/A (bx 0) - GBA: InitMemory(a)
6204 | RST0_EBh (?) BL_irq_sio_dma3
6205 | RST0_ECh ;hl = [3003E30h]*100h + [3003E34h]
6206 | RST0_EDh FlashWriteSectorMulti(a,b,c)
6207 | RST0_EEh FlashReadPart(a,b,c)
6208 | RST0_EFh ;A=((-([2029416h] xor 1)) OR (+([2029416h] xor 1))) SHR 31
6209 | RST0_F0h (?) _unk1
6210 | RST0_F1h RandomInit ;in: hl=random_seed
6211 | RST0_F2h (?)
6212 | Below Japan/Plus only
6213 | RST0_F3h (?)
6214 | RST0_F4h (?)
6215 | RST0_F5h (?)
6216 | RST0_F6h (?)
6217 | RST0_F7h GBA: N/A - Z80: (?)
6218 | Below is undefined/garbage (values as so in Z80 mode)
6219 | Jap/Ori: RST0_C0h N/A (bx 0)
6220 | Jap/Ori: RST0_C1h..FFh Overlaps RST8 jump list
6221 | Non-Jap: RST0_F3h..FFh Overlaps RST8 jump list
6222 | Jap/Pls: RST0_F8h..FFh Overlaps RST8 jump list
6223 | ```
6224 |
6225 | ### Z80 RST8\_xxh Functions / GBA Functions 01xxh
6226 |
6227 | ```
6228 | RST8_00h GBA: N/A - Z80: Exit ;[00C0h]=a ;(1=restart, 2=exit)
6229 | RST8_01h GBA: N/A - Z80: Mul8bit ;hl=a*e
6230 | RST8_02h GBA: N/A - Z80: Mul16bit ;hl=hl*de, s32[00D0h]=hl*de
6231 | RST8_03h Div ;hl=hl/de
6232 | RST8_04h DivRem ;hl=hl mod de
6233 | RST8_05h PlaySystemSound ;in: hl=sound_number
6234 | RST8_06h (?) sound_unk1
6235 | RST8_07h Random8bit ;a=random(0..FFh)
6236 | RST8_08h SetSoundVolume
6237 | RST8_09h BcdTime ;[de+0..5]=hhmmss(hl*bc)
6238 | RST8_0Ah BcdNumber ;[de+0..4]=BCD(hl), [de+5]=00h
6239 | RST8_0Bh IoWrite ;[4000000h+hl]=de
6240 | RST8_0Ch IoRead ;de=[4000000h+hl]
6241 | RST8_0Dh GBA: N/A - Z80: (?)
6242 | RST8_0Eh GBA: N/A - Z80: (?)
6243 | RST8_0Fh GBA: N/A - Z80: (?)
6244 | RST8_10h GBA: N/A - Z80: (?)
6245 | RST8_11h DivSigned ;hl=hl/de, signed
6246 | RST8_12h RandomMax ;a=random(0..a-1)
6247 | RST8_13h SetSoundSpeed
6248 | RST8_14h hl=[202FD20h]=[2024CACh]
6249 | RST8_15h hl=[2024CACh]-[202FD20h]
6250 | RST8_16h SoundPause
6251 | RST8_17h SoundResume
6252 | RST8_18h PlaySystemSoundEx
6253 | RST8_19h IsSoundPlaying
6254 | RST8_1Ah (?)
6255 | RST8_1Bh (?)
6256 | RST8_1Ch (?)
6257 | RST8_1Dh GetExitCount ;a=[2032D34h]
6258 | RST8_1Eh Permille ;hl=de*1000/hl
6259 | RST8_1Fh GBA: N/A - Z80: ExitRestart;[2032D38h]=a, [00C0h]=0001h ;a=?
6260 | RST8_20h GBA: N/A - Z80: WaitJoypad ;wait until joypad<>0, set hl=joypad
6261 | RST8_21h GBA: N/A - Z80: (?)
6262 | RST8_22h (?) _sound_unk7
6263 | RST8_23h (?) _sound_unk8
6264 | RST8_24h (?) _sound_unk9
6265 | RST8_25h (?) _sound_unk10
6266 | RST8_26h Mosaic ;bgcnt.bit6=a.bit, [400004Ch]=de
6267 | RST8_27h (?)
6268 | RST8_28h (?)
6269 | RST8_29h (?)
6270 | RST8_2Ah (?) get_8bit_from_2030110h
6271 | RST8_2Bh (?)
6272 | RST8_2Ch (?) get_16bit_from_2030112h ;jap/ori: hl=[20077B2h]
6273 | RST8_2Dh (?) get_16bit_from_2030114h ;jap/ori: hl=[20077B4h]
6274 | RST8_2Eh (?)
6275 | RST8_2Fh PlayCustomSound(a,b)
6276 | Below not for Japanese/Original
6277 | (the renumbered functions can be theoretically used on japanese/original)
6278 | (but, doing so would blow forwards compatibility with japanese/plus)
6279 | RST8_30h (ori: none) GBA: N/A - Z80: (?)
6280 | RST8_31h (ori: none) PlayCustomSoundEx(a,b,c)
6281 | RST8_32h (ori: RST8_30h) BrightnessHalf ;[4000050h]=00FFh,[4000054h]=0008h
6282 | RST8_33h (ori: RST8_31h) BrightnessNormal ;[4000050h]=0000h
6283 | RST8_34h (ori: RST8_32h) N/A (bx lr)
6284 | RST8_35h (ori: RST8_33h) (?)
6285 | RST8_36h (ori: RST8_34h) ResetTimer ;[400010Ch]=00000000h, [400010Eh]=A+80h
6286 | RST8_37h (ori: RST8_35h) GetTimer ;hl=[400010Ch]
6287 | RST8_38h (ori: none) GBA: N/A - Z80: (?)
6288 | Below is undefined/reserved/garbage (values as so in Z80 mode)
6289 | (can be used to tweak jap/ori to start GBA-code from inside of Z80-code)
6290 | (that, after relocating code to 3000xxxh via DMA via IoWrite function)
6291 | RST8_39h (ori: RST8_36h) bx 0140014h
6292 | RST8_3Ah (ori: RST8_37h) bx 3E700F0h
6293 | RST8_3Bh (ori: RST8_38h) bx 3E70000h+1
6294 | RST8_3Ch (ori: RST8_39h) bx 3E703E6h+1
6295 | RST8_3Dh (ori: RST8_3Ah) bx 3E703E6h+1
6296 | RST8_3Eh (ori: RST8_3Bh) bx 3E703E6h+1
6297 | RST8_3Fh (ori: RST8_3Ch) bx 3E703E6h+1
6298 | 40h-FFh (ori: 3Dh-FFh) bx ...
6299 | ```
6300 |
6301 | ### GBA Functions 03xxh (none such in Z80 mode)
6302 |
6303 | ```
6304 | RSTX_00h Wait8bit ;for 16bit: RST0_7Dh
6305 | RSTX_01h GetKeyStateSticky()
6306 | RSTX_02h GetKeyStateRaw()
6307 | RSTX_03h (?)
6308 | RSTX_04h (?)
6309 | ```
6310 |
6311 | ## GBA Cart e-Reader VPK Decompression
6312 |
6313 | ### vpk\_decompress(src,dest)
6314 |
6315 | ```
6316 | collected32bit=80000000h ;initially empty (endflag in bit31)
6317 | for i=0 to 3, id[i]=read_bits(8), next i, if id[0..3]<>'vpk0' then error
6318 | dest_end=dest+read_bits(32) ;size of decompressed data (of all strips)
6319 | method=read_bits(8), if method>1 then error
6320 | tree_index=0, read_huffman_tree, disproot=tree_index
6321 | tree_index=tree_index+1, read_huffman_tree, lenroot=tree_index
6322 | ;above stuff is contained only in the first strip. below loop starts at
6323 | ;current location in first strip, and does then continue in further strips.
6324 | decompress_loop:
6325 | if read_bits(1)=0 then ;copy one uncompressed data byte,
6326 | [dest]=read_bits(8), dest=dest+1 ;does work without huffman trees
6327 | else
6328 | if disproot=-1 or lenroot=-1 then error ;compression does require trees
6329 | disp=read_tree(disproot)
6330 | if method=1 ;disp*4 is good for 32bit ARM opcodes
6331 | if disp>2 then disp=disp*4-8 else disp=disp+4*read_tree(disproot)-7
6332 | len=read_tree(lenroot)
6333 | if len=0 or disp<=0 or dest+len-1>dest_end then error ;whoops
6334 | for j=1 to len, [dest]=[dest-disp], dest=dest+1, next j
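6335 | if dest<dest_end then decompress_loop
6336 | ret
6337 | ```
6338 |
6339 | ### read\_tree(root\_index)
6340 |
6341 | ```
6342 | i=root_index
6343 | while node[i].right<>-1 ;loop until reaching data node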
6360 | if read_bits(1)=1 then i=node[i].right else i=node[i].left
6361 | i=node[i].left ;get number of bits
6362 | i=read_bits(i) ;read that number of bits
6363 | ret(i) ;return that value
6364 | ```
6365 |
6366 | ### load\_huffman\_tree
6367 |
6368 | ```
6369 | stacktop=sp
6370 | if read_bits(1)=1 then tree_index=-1, ret ;exit (empty)
6371 | node[tree_index].right=-1 ;indicate data node
6372 | node[tree_index].left=read_bits(8) ;store data value
6373 | if read_bits(1)=1 then ret ;exit (only 1 data node at root)
6374 | push tree_index ;save previous (child) node
6375 | tree_index=tree_index+1
6376 | jmp data_injump
6377 | load_loop:
6378 | push tree_index ;save previous (child) node
6379 | tree_index=tree_index+1
6380 | if read_bits(1)=1 then parent_node
6381 | data_injump:
6382 | node[tree_index].right=-1 ;indicate data node
6383 | node[tree_index].left=read_bits(8) ;store data value
6384 | jmp load_loop
6385 | parent_node:
6386 | pop node[tree_index].right ;store 1st child
6387 | pop node[tree_index].left ;store 2nd child
6388 | if sp<>stacktop then jmp load_loop
6389 | if read_bits(1)=0 then error ;end bit (must be 1)
6390 | ret
6391 | ```
6392 |
6393 | The best values for the huffman trees that I've found are 6,9,12-bit
6394 | displacements for method 0 (best for NES/Z80 code), and two less for method 1,
6395 | ie. 4,7,10-bit (best for GBA code). And 2,4,10-bit for the length values. The
6396 | smallest value in node 0, and the other values in node 10 and 11.
6397 |
6398 | ### Notes
6399 |
6400 | The decompression works similar to the GBA BIOS'es LZ77 decompression function,
6401 | but without using fixed bit-widths of length=4bit and displacement=12bit,
6402 | instead, the bit-widths are read from huffman trees (which can also define
6403 | fixed bit-widths; if data is located directly in the root node).
6404 |
6405 | Unlike the GBA BIOS'es Huffman decompression function, the trees are starting
6406 | with data entries, and are ending with the root entry. The above load function
6407 | deciphers the data, and returns the root index.
6408 |
6409 | With the variable bit-widths, the VPK compression rate is quite good, only,
6410 | it's a pity that the length/disp values are zero-based, eg. for 2bit and 4bit
6411 | lengths, it'd be much better to assign 2bit as 2..5, and 4bit as 6..21.
6412 |
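The decoder described above as runnable Python, added here as an example (it is not code from GBATEK or from the e-Reader). It assumes read_bits consumes the stream MSB-first, byte by byte, and it is stricter than the pseudo code on two points: a displacement may not reach before the start of the output, and a copy may not write past the declared size. The names VpkError, BitReader, max_size and SAMPLE are choices of this example.

```python
# Added example (not from GBATEK): strict VPK ("vpk0") decoder.
# Assumption: read_bits() consumes the input MSB-first, byte by byte.

class VpkError(ValueError):
    """Raised for any malformed or truncated VPK stream."""

class BitReader:
    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0                                  # absolute bit position

    def read(self, n: int) -> int:
        if self.pos + n > len(self.data) * 8:
            raise VpkError("unexpected end of input")
        value = 0
        for _ in range(n):
            byte = self.data[self.pos >> 3]
            value = (value << 1) | ((byte >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return value

def load_tree(bits: BitReader, nodes: list) -> int:
    """Append one tree to nodes as (left, right) pairs; return root or -1.
    A data node is stored as (bit_width, -1), as in the pseudo code."""
    if bits.read(1) == 1:
        return -1                                     # empty tree
    nodes.append((bits.read(8), -1))                  # first data node
    if bits.read(1) == 1:
        return len(nodes) - 1                         # lone data node is the root
    stack = [len(nodes) - 1]
    nodes.append((bits.read(8), -1))                  # data_injump
    while True:
        stack.append(len(nodes) - 1)                  # save previous node
        if bits.read(1) == 0:
            nodes.append((bits.read(8), -1))          # another data node
            continue
        right, left = stack.pop(), stack.pop()        # first pop is the right child
        nodes.append((left, right))
        if not stack:                                 # that parent was the root
            if bits.read(1) == 0:
                raise VpkError("tree end bit missing")
            return len(nodes) - 1

def read_tree(bits: BitReader, nodes: list, root: int) -> int:
    i = root
    while nodes[i][1] != -1:                          # walk down to a data node
        i = nodes[i][1] if bits.read(1) else nodes[i][0]
    return bits.read(nodes[i][0])                     # data node holds the bit width

def vpk_decompress(src: bytes, max_size: int = 1 << 20) -> bytes:
    bits = BitReader(src)
    if bytes(bits.read(8) for _ in range(4)) != b"vpk0":
        raise VpkError("missing vpk0 id")
    size = bits.read(32)
    if size > max_size:                               # refuse huge allocations
        raise VpkError("declared size exceeds limit")
    method = bits.read(8)
    if method > 1:
        raise VpkError("unknown method")
    nodes: list = []
    disproot = load_tree(bits, nodes)
    lenroot = load_tree(bits, nodes)
    out = bytearray()
    while len(out) < size:
        if bits.read(1) == 0:                         # literal byte, no trees needed
            out.append(bits.read(8))
            continue
        if disproot == -1 or lenroot == -1:
            raise VpkError("back-reference without trees")
        disp = read_tree(bits, nodes, disproot)
        if method == 1:                               # displacement in 32bit units
            if disp > 2:
                disp = disp * 4 - 8
            else:
                disp = disp + 4 * read_tree(bits, nodes, disproot) - 7
        length = read_tree(bits, nodes, lenroot)
        if length == 0 or disp <= 0:
            raise VpkError("zero length or non-positive displacement")
        if disp > len(out):                           # would read before the output
            raise VpkError("displacement before start of output")
        if len(out) + length > size:                  # would write past the end
            raise VpkError("copy exceeds declared size")
        for _ in range(length):                       # bytewise, ranges may overlap
            out.append(out[-disp])
    return bytes(out)

# Constructed sample: method 0, both trees a single 4-bit data node,
# literals 'A' and 'B', then one copy with disp=2, len=6.
SAMPLE = bytes.fromhex("76706b30 00000008 00 02 40 92 09 0a 4c")

if __name__ == "__main__":
    print(vpk_decompress(SAMPLE))                     # b'ABABABAB'
```
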
6413 | ### Non-VPK
6414 |
6415 | The e-Reader additionally supports an alternate decompression function,
6416 | indicated by the absence of the "vpk0" ID, which supports compression of
6417 | increasing byte-values, which isn't useful for program code.
6418 |
6419 | Bit15 of the VPK Size value seems to disable (de-)compression, the VPK Data
6420 | field is then containing plain uncompressed data.
6421 |
6422 | ## GBA Cart e-Reader Error Correction
6423 |
6424 | The Error Correction Information that is appended at the end of the Block
6425 | Header & Data Fragments consists of standard Reed-Solomon codes, which are
6426 | also used for CD/DVD disks, DSL modems, and digital DVB television signals.
6427 | That info allows to locate and repair a number of invalid data bytes.
6428 |
6429 | Below code shows how to create and verify error-info (but not how to do the
6430 | actual error correction). The dtalen,errlen values should be 18h,10h for the
6431 | Block Header, and 40h,10h for Data Fragments; the latter settings might be
6432 | possible to get changed to other values though?
6433 |
6434 | ### append\_error\_info(data,dtalen,errlen)
6435 |
6436 | ```
6437 | reverse_byte_order(data,dtalen)
6438 | zerofill_error_bytes(data,errlen)
6439 | for i=dtalen-1 to errlen ;loop across data portion
6440 | z = rev[ data[i] xor data[errlen-1] ] ;
6441 | for j=errlen-1 to 0 ;loop across error-info portion
6442 | if j=0 then x=00h else x=data[j-1]
6443 | if z<>FFh then
6444 | y=gg[j], if y<>FFh then
6445 | y=y+z, if y>=FFh then y=y-FFh
6446 | x=x xor pow[y]
6447 | data[j]=x
6448 | next j
6449 | next i
6450 | invert_error_bytes(data,errlen)
6451 | reverse_byte_order(data,dtalen)
6452 | ```
6453 |
6454 | ### verify\_error\_info(data,dtalen,errlen)
6455 |
6456 | ```
6457 | reverse_byte_order(data,dtalen)
6458 | invert_error_bytes(data,errlen)
6459 | make_rev(data,dtalen)
6460 | for i=78h to 78h+errlen-1
6461 | x=0, z=0
6462 | for j=0 to dtalen-1
6463 | y=data[j]
6464 | if y<>FFh then
6465 | y=y+z, if y>=FFh then y=y-FFh
6466 | x=x xor pow[y]
6467 | z=z+i, if z>=FFh then z=z-FFh
6468 | next j
6469 | if x<>0 then error
6470 | next i
6471 | ;(if errors occurred, could correct them now)
6472 | make_pow(data,dtalen)
6473 | invert_error_bytes(data,errlen)
6474 | reverse_byte_order(data,dtalen)
6475 | ```
6476 |
6477 | ### make\_rev(data,len)
6478 |
6479 | ```
6480 | for i=0 to len-1, data[i]=rev[data[i]], next i
6481 | ```
6482 |
6483 | ### make\_pow(data,len)
6484 |
6485 | ```
6486 | for i=0 to len-1, data[i]=pow[data[i]], next i
6487 | ```
6488 |
6489 | ### invert\_error\_bytes(data,len)
6490 |
6491 | ```
6492 | for i=0 to len-1, data[i]=data[i] xor FFh, next i
6493 | ```
6494 |
6495 | ### zerofill\_error\_bytes(data,len)
6496 |
6497 | ```
6498 | for i=0 to len-1, data[i]=00h, next i
6499 | ```
6500 |
6501 | ### reverse\_byte\_order(data,len)
6502 |
6503 | ```
6504 | for i=0 to (len-1)/2, x=data[i], data[i]=data[len-1-i], data[len-1-i]=x, next i
6505 | ```
6506 |
6507 | ### create\_pow\_and\_rev\_tables
6508 |
6509 | ```
6510 | x=01h, pow[FFh]=00h, rev[00h]=FFh
6511 | for i=00h to FEh
6512 | pow[i]=x, rev[x]=i, x=x*2, if x>=100h then x=x xor 187h
6513 | next i
6514 | ```
6515 |
6516 | ### create\_gg\_table
6517 |
6518 | ```
6519 | gg[0]=pow[78h]
6520 | for i=1 to errlen-1
6521 | gg[i]=01h
6522 | for j=i downto 0
6523 | if j=0 then y=00h else y=gg[j-1]
6524 | x=gg[j], if x<>00h then
6525 | x=rev[x]+78h+i, if x>=FFh then x=x-FFh
6526 | y=y xor pow[x]
6527 | gg[j]=y
6528 | next j
6529 | next i
6530 | make_rev(gg,errlen)
6531 | ```
6532 |
6533 | With above value of 78h, and errlen=10h, gg[00h..0Fh] will be always:
6534 |
6535 | ```
6536 | 00h,4Bh,EBh,D5h,EFh,4Ch,71h,00h,F4h,00h,71h,4Ch,EFh,D5h,EBh,4Bh
6537 | ```
6538 |
6539 | So using a hardcoded table should take up less memory than calculating it.
6540 |
6541 | ### Notes
6542 |
6543 | The actual error correction should be able to fix up to "errlen" errors at
6544 | known locations (eg. data from blocks that haven't been scanned, or whose
6545 | 5bit-to-4bit conversion had failed due to an invalid 5bit value), or up to
6546 | "errlen/2" errors at unknown locations. The corrected data isn't guaranteed to
6547 | be correct (even if it looks okay to the "verify" function), so the Data Header
6548 | checksums should be checked, too.
6549 |
6550 | ### More Info
6551 |
6552 | For more info, I've found Reed-Solomon source code from Simon Rockliff, and an
6553 | updated version from Robert Morelos-Zaragoza and Hari Thirumoorthy to be
6554 | useful. For getting started with that source, some important relationships
6555 | & differences are:
6556 |
6557 | ```
6558 | pow = alpha_to, but generated as shown above
6559 | rev = index_of, ditto
6560 | b0 = 78h
6561 | nn = dtalen
6562 | kk = dtalen-errlen
6563 | %nn = MOD FFh (for the ereader that isn't MOD dtalen)
6564 | -1 = FFh
6565 | ```
6566 |
6567 | And, the ereader processes data/errinfo backwards, starting at the last byte.
6568 |
6569 | ## GBA Cart e-Reader File Formats
6570 |
6571 | ### .BMP Files (homebrew 300 DPI strips)
6572 |
6573 | Contains a picture of the whole dotcode strip with address bars and sync marks
6574 | (see Dotcode chapter) in Microsoft's Bitmap format. The image is conventionally
6575 | surrounded by a blank 2-pixel border, resulting in a size of 989x44 pixels for
6576 | long strips. The file should have 1bit color depth. The pixels per meter
6577 | entry should match the desired printing resolution, either 300 DPI or 360 DPI.
6578 | But, resolution of printer hardware is typically specified in inch rather than
6579 | in meters, so an exact match isn't supported by Microsoft. Most homebrew .BMP
6580 | files contain nonsense resolutions like 200 DPI, or 300 dots per meter (ca. 8
6581 | DPI).
6582 |
6583 | ### .JPG Files (scanned 1200 DPI strips)
6584 |
6585 | Same as BMP, but should contain a dotcode scanned at 1200 DPI, with correct
6586 | orientation (the card-edge side at the bottom of the image), and containing
6587 | only the dotcode (not the whole card), so the JPG size should be about 3450x155
6588 | pixels for long strips.
6589 |
6590 | No$gba currently doesn't work with progressive JPGs. Scans with white
6591 | background can be saved as monochrome JPG. Scans with red/yellow background
6592 | should contain a correct RED layer (due to the red LED light source) (the
6593 | brightness of the green/blue layers can be set to zero for better compression).
6594 |
6595 | ### .RAW Files
6596 |
6597 | Contains the "raw" information from the BMP format, that is, 2-byte block
6598 | header, 102-byte data, 2-byte block header, 102-byte data, etc. The data
6599 | portion is interleaved, and includes the full 48-byte data header, titles, vpk
6600 | compressed data, error-info, and unused bytes. RAW files are excluding Address
6601 | Bars, Sync Marks, and 4bit-to-5bit encoding.
6602 |
6603 | Each RAW file contains one or more strip(s), so the RAW filesize is either
6604 | 18\*104 bytes (short strip), or 28\*104 bytes (long strip), or a multiple thereof
6605 | (if it contains more than one strip) (although multi-strip games are often
6606 | stored in separate files for each strip; named file1.raw, file2.raw, etc).
6607 |
6608 | ### .BIN Files
6609 |
6610 | Filesize should be I\*30h, with I=1Ch for short strips, and I=2Ch for long
6611 | strips, or a multiple thereof (if it contains more than one strip). Each strip
6612 | consists of the 48-byte Data Header, followed by title(s), and vpk compressed
6613 | data. Unlike .RAW files, .BIN files aren't interleaved, and do not contain
6614 | Block Headers, nor error-info, nor unused bytes (in last block). The files do
6615 | contain padding bytes to match a full strip-size of I\*30h.
6616 |
6617 | Caution: Older .BIN files have been using a size-reduced 12-byte header (taken
6618 | from entries 0Dh, 0Ch, 10h-11h, 26h-2Dh of the 48-byte Data Header; in that
6619 | order). Those files have never contained more than one strip per file, so the
6620 | filesize should be exactly I\*30h-36. The size-reduced header doesn't contain a
6621 | Primary Type entry, so it's anyone's guess which Card Type is to be used (hint:
6622 | the 12-byte headers were based on the assumption that Primary Type would be
6623 | always 01h on Short Strips, and 02h on Long Strips).
6624 |
6625 | ### .SAV Files
6626 |
6627 | Contains a copy of the e-Reader's 128Kbyte FLASH memory. With the saved
6628 | e-Reader application being located in the 2nd 64K-bank, the data consists of a
6629 | header with title and gba/nes/z80 format info, followed by the vpk compressed
6630 | data. The FLASH memory does also contain e-Reader calibration settings, the
6631 | remaining 100Kbytes are typically FFh-filled.
6632 |
6633 | ## GBA Cart Unknown Devices
6634 |
6635 | ### GBA Infra-Red Port (AGB-006)
6636 |
6637 | No info?
6638 |
6639 | ## GBA Cart Protections
6640 |
6641 | ### Classic NES Series
6642 |
6643 | These are some NES/Famicom games ported or emulated to work on GBA. The games
6644 | are doing some uncommon stuff that can cause compatibility problems when not
6645 | using original GBA consoles or cartridges.
6646 |
6647 | - CPU pipeline (selfmodifying code that shall NOT affect prefetched opcodes)
6648 |
6649 | - STMDA write to I/O ports (writes in INCREASING order, not DECREASING order)
6650 |
6651 | - SRAM detection (refuses to run if SRAM exists; the games do contain EEPROM)
6652 |
6653 | - ROM mirrors (instead of the usual increasing numbers in unused ROM area)
6654 |
6655 | - RAM mirrors (eg. main RAM accessed at 2F00000h instead of 2000000h)
6656 |
6657 | Note: These games can be detected by checking [80000ACh]="F" (ie. game
6658 | code="Fxxx").
6659 |
6660 | ## GBA Flashcards
6661 |
6662 | Flashcards are re-writable cartridges using FLASH memory, allowing to test even
6663 | multiboot-incompatible GBA software on real hardware, providing a good
6664 | development environment when used in combination with a reasonable software
6665 | debugger.
6666 |
6667 | The carts can be written to from external tools, or directly from GBA programs.
6668 |
6669 | Below are pseudo code flowcharts for detect, erase, and write operations.
6670 |
6671 | All flash reads/writes are meant to be 16bit (ldrh/strh) memory accesses.
6672 |
6673 | ### detect\_flashcard:
6674 |
6675 | ```
6676 | configure_flashcard(9E2468Ah,9413h) ;unlock flash advance cards
6677 | turbo=1, send_command(8000000h,90h) ;enter ID mode (both chips, if any)
6678 | maker=[8000000h], device=[8000000h+2]
6679 | IF maker=device THEN device=[8000000h+4] ELSE turbo=0
6680 | flashcard_read_mode ;exit ID mode
6681 | search (maker+device*10000h) in device_list
6682 | total/erase/write_block_size = list_entry SHL turbo
6683 | ```
6684 |
6685 | ### flashcard\_erase(dest,len):
6686 |
6687 | ```
6688 | FOR x=1 to len/erase_block_size
6689 | send_command(dest,20h) ;erase sector command
6690 | send_command(dest,D0h) ;confirm erase sector
6691 | dest=dest+erase_block_size
6692 | IF wait_busy=okay THEN NEXT x
6693 | enter_read_mode ;exit erase/status mode
6694 | ```
6695 |
6696 | ### flashcard\_write(src,dest,len):
6697 |
6698 | ```
6699 | siz=write_block_size
6700 | FOR x=1 to len/siz
6701 | IF siz=2 THEN send_command(dest,10h) ;write halfword command
6702 | IF siz>2 THEN send_command(dest,E8h) ;write to buffer command
6703 | IF siz>2 THEN send_command(dest,16-1) ;buffer size 16 halfwords (per chip)
6704 | FOR y=1 TO siz/2
6705 | [dest]=[src], dest=dest+2, src=src+2 ;write data to buffer
6706 | NEXT y
6707 | IF siz>2 THEN send_command(dest,D0h) ;confirm write to buffer
6708 | IF wait_busy=okay THEN NEXT x
6709 | enter_read_mode ;exit write/status mode
6710 | ```
6711 |
6712 | ### send\_command(adr,val):
6713 |
6714 | - [adr]=val
6715 | - IF turbo THEN [adr+2]=val
6716 |
6717 | ### enter\_read\_mode:
6718 |
6719 | ```
6720 | send_command(8000000h,FFh) ;exit status mode
6721 | send_command(8000000h,FFh) ;again maybe more stable (as in jeff's source)
6722 | ```
6723 |
6724 | ### flashcard\_wait\_busy:
6725 |
6726 | - start=time
6727 | - REPEAT
6728 | - stat=[8000000h] XOR 80h
6729 | - IF turbo THEN stat=stat OR ([8000000h+2] XOR 80h)
6730 | - IF (stat AND 7Fh)>0 THEN error
6731 | - IF (stat AND 80h)=0 THEN ready
6732 | - IF time-start>5secs THEN timeout
6733 | - UNTIL ready OR error OR timeout
6734 | - IF error OR timeout THEN send\_command(8000000h,50h) ;clear status
6735 |
6736 | ### configure\_flashcard(adr,val): ;required for Flash Advance cards only
6737 |
6738 | - [930ECA8h]=5354h
6739 | - [802468Ah]=1234h, repeated 500 times
6740 | - [800ECA8h]=5354h
6741 | - [802468Ah]=5354h
6742 | - [802468Ah]=5678h, repeated 500 times
6743 | - [930ECA8h]=5354h
6744 | - [802468Ah]=5354h
6745 | - [8ECA800h]=5678h
6746 | - [80268A0h]=1234h
6747 | - [802468Ah]=ABCDh, repeated 500 times
6748 | - [930ECA8h]=5354h
6749 | - [adr]=val
6750 |
6751 | ### init\_backup: ;no info how to use that exactly
6752 |
6753 | ```
6754 | configure_flashcard(942468Ah,???)
6755 | ```
6756 |
6757 | ### device\_list: (id code, total/erase/write sizes in bytes)
6758 |
6759 | ```
6760 | ID Code Total Erase Write Name
6761 | -??-00DCh ? ? ? Hudson Cart (???)
6762 | 00160089h 4M 128K 32 Intel i28F320J3A (Flash Advance)
6763 | 00170089h 8M 128K 32 Intel i28F640J3A (Flash Advance)
6764 | 00180089h 16M 128K 32 Intel i28F128J3A (Flash Advance)
6765 | 00E200B0h ? 64K 2 Sharp LH28F320BJE ? (Nintendo)
6766 | ```
6767 |
6768 | ### Notes
6769 |
6770 | All flashcards should work at 4,2 waitstates (power on default), most
6771 | commercial games change waits to 3,1 which may work unstable with some/older FA
6772 | flashcards. Intel FLASH is specified to have a lifetime of 100,000 erases, and
6773 | average block erase time 1 second (up to 5 seconds in worst cases).
6774 |
6775 | Aside from the main FLASH memory, Flash Advance (FA) (aka Visoly) cards
6776 | additionally contain battery buffered SRAM backup, and FLASH backup, and in
6777 | some cases also EEPROM backup.
6778 |
6779 | Turbo FA cards are containing two chips interlaced (at odd/even halfword
6780 | addresses), allowing to write/erase both chips simultaneously, resulting in
6781 | twice as fast programming time.
6782 |
6783 | Standard Nintendo flash carts have to be modified before you can actually write
6784 | to them. This is done by removing resistor R7 and putting it at empty location
6785 | R8.
6786 |
6787 | Mind that write/erase/detect modes output status information in ROM area, so
6788 | that in those modes all GBA program code (and any interrupt handlers) must be
6789 | executed in WRAM, not in ROM.
6790 |
6791 | Thanks to Jeff Frohwein for his FAQ and CARTLIB sample in FLGBA at devrs.com
6792 |
6793 | ## GBA Cheat Devices
6794 |
6795 | Codebreaker (US) aka Xploder (EUR).
6796 |
6797 | Gameshark (US) aka Action Replay (EUR).
6798 |
6799 | - [GBA Cheat Codes - General Info](#gbacheatcodesgeneralinfo)
6800 | - [GBA Cheat Codes - Codebreaker/Xploder](#gbacheatcodescodebreakerxploder)
6801 | - [GBA Cheat Codes - Gameshark/Action Replay V1/V2](#gbacheatcodesgamesharkactionreplayv1v2)
6802 | - [GBA Cheat Codes - Pro Action Replay V3](#gbacheatcodesproactionreplayv3)
6803 |
6804 | ## GBA Cheat Codes - General Info
6805 |
6806 | Cheat devices are external adapters, connected between the GBA and the game
6807 | cartridge. The devices include a BIOS ROM which is, among others, used to
6808 | prompt the user to enter cheat codes.
6809 |
6810 | These codes are used to patch specified memory locations for a certain GBA
6811 | game, allowing the user to gain goodies such like Infinite sex, 255 Cigarettes,
6812 | etc.
6813 |
6814 | ### ROM and RAM Patches
6815 |
6816 | For ROM Patches, the device watches the address bus; if it matches a specified
6817 | address then it outputs a patched value to the data bus. That mechanism is
6818 | implemented by hardware. Aside from the Hook Enable Code, some devices also
6819 | allow a limited number of cheats to use ROM patches.
6820 |
6821 | Most cheat codes are RAM patches, each time when the hook procedure is executed
6822 | it will process all codes and overwrite the specified addresses in RAM (or VRAM
6823 | or I/O area) by the desired values.
6824 |
6825 | ### Enable Codes (Must Be On)
6826 |
6827 | Enable codes usually consist of the Game ID, Hook Address, and optionally a
6828 | third code used to encrypt all following codes. The Game ID is used to confirm
6829 | that the correct cartridge is inserted, just a verification, though the device
6830 | may insist on the ID code.
6831 |
6832 | The Hook Address specifies an address in cartridge ROM, and should point to an
6833 | opcode which is executed several times per second (eg. once per frame, many
6834 | codes place the hook in the joypad handler). At the hook address, the device
6835 | redirects to its own BIOS, processes the RAM patches, and does then return
6836 | control to the game cartridge.
6837 |
6838 | Note: The hook address should not point to opcodes with relative addressing
6839 | (eg. B, BL, LDR Rd,=Imm, ADD Rd,=Imm opcodes - which are all relative to PC
6840 | program counter register).
6841 |
6842 | ### Alignment
6843 |
6844 | Addresses for 16bit or 32bit values should be properly aligned.
6845 |
6846 | ## GBA Cheat Codes - Codebreaker/Xploder
6847 |
6848 | ### Codebreaker Codes
6849 |
6850 | ```
6851 | 0000xxxx 000y Enable Code 1 - Game ID
6852 | 1aaaaaaa 000z Enable Code 2 - Hook Address
6853 | 2aaaaaaa yyyy [aaaaaaa]=[aaaaaaa] OR yyyy
6854 | 3aaaaaaa 00yy [aaaaaaa]=yy
6855 | 4aaaaaaa yyyy [aaaaaaa+0..(cccc-1)*ssss]=yyyy+0..(cccc-1)*ssss
6856 | iiiicccc ssss parameters for above code
6857 | 5aaaaaaa cccc [aaaaaaa+0..(cccc-1)]=11,22,33,44,etc.
6858 | 11223344 5566 parameter bytes 1..6 for above code (example)
6859 | 77880000 0000 parameter bytes 7..8 for above code (padded with zero)
6860 | 6aaaaaaa yyyy [aaaaaaa]=[aaaaaaa] AND yyyy
6861 | 7aaaaaaa yyyy IF [aaaaaaa]=yyyy THEN (next code)
6862 | 8aaaaaaa yyyy [aaaaaaa]=yyyy
6863 | 9xyyxxxx xxxx Enable Code 0 - Encrypt all following codes (optional)
6864 | Aaaaaaaa yyyy IF [aaaaaaa]<>yyyy THEN (next code)
6865 | Baaaaaaa yyyy IF [aaaaaaa]>yyyy THEN (next code) (signed comparison)
6866 | Caaaaaaa yyyy IF [aaaaaaa]<yyyy THEN (next code)
6867 | ```
6868 |
6869 | ## GBA Cheat Codes - Gameshark/Action Replay V1/V2
6945 |
6946 | ### Gameshark RAW Codes (These codes must be encrypted before using them)
6947 |
6948 | ```
6949 | 0aaaaaaa 000000xx [aaaaaaa]=xx
6950 | 1aaaaaaa 0000xxxx [aaaaaaa]=xxxx
6951 | 2aaaaaaa xxxxxxxx [aaaaaaa]=xxxxxxxx
6952 | 3000cccc xxxxxxxx write xxxxxxxx to (cccc-1) addresses (list in next codes)
6953 | aaaaaaaa aaaaaaaa parameter for above code, containing two addresses each
6954 | aaaaaaaa 00000000 last parameter for above, zero-padded if only one address
6955 | 60aaaaaa y000xxxx [8000000h+aaaaaa*2]=xxxx (ROM Patch)
6956 | 8a1aaaaa 000000xx IF GS_Button_Down THEN [a0aaaaa]=xx
6957 | 8a2aaaaa 0000xxxx IF GS_Button_Down THEN [a0aaaaa]=xxxx
6958 | 80F00000 0000xxxx IF GS_Button_Down THEN slowdown xxxx * ? cycles per hook
6959 | Daaaaaaa 0000xxxx IF [aaaaaaa]=xxxx THEN (next code)
6960 | E0zzxxxx 0aaaaaaa IF [aaaaaaa]=xxxx THEN (next 'zz' codes)
6961 | Faaaaaaa 00000x0y Enable Code - Hook Routine
6962 | xxxxxxxx 001DC0DE Enable Code - Game Code ID (value at [0ACh] in cartridge)
6963 | DEADFACE 0000xxyy Change Encryption Seeds
6964 | ```
6965 |
6966 | ### Enable Code - Hook Routine
6967 |
6968 | Hook Address 'aaaaaaa' is a 28bit ROM address (8FFFFFFh-9FFFFFFh).
6969 |
6970 | Used to insert the GS code handler routine where it will be executed at least
6971 | 20 times per second. Without this code, GSA can not write to RAM.
6973 |
6974 | - y=1 - Executes code handler without backing up the LR register.
6975 | - y=2 - Executes code handler and backs up the LR register.
6976 | - y=3 - Replaces a 32-bit pointer used for long-branches.
6977 | - x=0 - Must turn GSA off before loading game.
6978 | - x=1 - Must not do that.
6979 |
6980 | ### ROM Patch
6981 |
6982 | This type allows GSA to intercept ROM reads and returns the value xxxx.
6983 |
6984 | - y=0 wait for the code handler to enable the patch
6985 | - y=1 patch is enabled before the game starts
6986 | - y=2 unknown ?
6987 |
6988 | Note: V1/V2 hardware can only have up to 1 user-defined rom patch max. V3 can
6989 | have up to 4. Some enable code types can shorten the amount of user-defined rom
6990 | patches available.
6991 |
6992 | ### Gameshark Encryption
6993 |
6994 | A=Left half, and V=Right half of code.
6995 |
6996 | ```
6997 | FOR I=1 TO 32
6998 | A=A + (V*16+S0) XOR (V+I*9E3779B9h) XOR (V/32+S1)
6999 | V=V + (A*16+S2) XOR (A+I*9E3779B9h) XOR (A/32+S3)
7000 | NEXT I
7001 | ```
7002 |
7003 | Upon startup, the initial encryption seeds are:
7004 |
7005 | ```
7006 | S0=09F4FBBDh S1=9681884Ah S2=352027E9h S3=F3DEE5A7h
7007 | ```
7008 |
7009 | Upon DEADFACE 0000xxyy, the S0..S3 seeds are changed like so:
7010 |
7011 | ```
7012 | FOR y=0 TO 3
7013 | FOR x=0 TO 3
7014 | z = T1[(xx+x) AND FFh] + T2[(yy+y) AND FFh]
7015 | Sy = Sy*100h + (z AND FFh)
7016 | NEXT x
7017 | NEXT y
7018 | ```
7019 |
7020 | All calculations truncated to unsigned 32bit integer values.
7021 |
7022 | T1 and T2 are translation tables contained in the gameshark cartridge.
7023 |
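The round function above has the structure of TEA (Tiny Encryption Algorithm) with S0..S3 as the key, so decryption is the same loop run backwards with subtraction. The following Python is an added example (not from GBATEK or any Gameshark firmware); it assumes the three bracketed terms are XORed before the addition, that a DEADFACE code reseeds only the codes that follow it, and it uses a constructed stand-in for the T1/T2 tables, which are not listed on this page.

```python
# Added example (not from GBATEK): Gameshark V1/V2 code cipher.
# Assumption: A = A + (term XOR term XOR term), all values kept to 32 bits.

MASK = 0xFFFFFFFF                       # "truncated to unsigned 32bit"
DELTA = 0x9E3779B9
INITIAL_SEEDS = (0x09F4FBBD, 0x9681884A, 0x352027E9, 0xF3DEE5A7)


def _mix(x: int, i: int, k0: int, k1: int) -> int:
    """(x*16+k0) XOR (x+i*DELTA) XOR (x/32+k1), truncated to 32 bits."""
    return (((x << 4) + k0) ^ (x + i * DELTA) ^ ((x >> 5) + k1)) & MASK


def gs_encrypt(a, v, seeds=INITIAL_SEEDS, rounds=32):
    """Encrypt one code; a is the left half, v the right half."""
    s0, s1, s2, s3 = seeds
    for i in range(1, rounds + 1):
        a = (a + _mix(v, i, s0, s1)) & MASK
        v = (v + _mix(a, i, s2, s3)) & MASK
    return a, v


def gs_decrypt(a, v, seeds=INITIAL_SEEDS, rounds=32):
    """Inverse of gs_encrypt: undo the rounds in reverse order."""
    s0, s1, s2, s3 = seeds
    for i in range(rounds, 0, -1):
        v = (v - _mix(a, i, s2, s3)) & MASK
        a = (a - _mix(v, i, s0, s1)) & MASK
    return a, v


def gs_reseed(seeds, xx, yy, t1, t2):
    """Seed change for DEADFACE 0000xxyy; t1/t2 are 256-entry tables."""
    new = list(seeds)
    for y in range(4):
        for x in range(4):
            z = t1[(xx + x) & 0xFF] + t2[(yy + y) & 0xFF]
            new[y] = ((new[y] << 8) | (z & 0xFF)) & MASK
    return tuple(new)


def gs_encrypt_list(raw, t1, t2, seeds=INITIAL_SEEDS):
    """Encrypt raw (A, V) codes in order, reseeding after each DEADFACE."""
    out = []
    for a, v in raw:
        out.append(gs_encrypt(a, v, seeds))
        if a == 0xDEADFACE:             # assumption: applies to later codes
            seeds = gs_reseed(seeds, (v >> 8) & 0xFF, v & 0xFF, t1, t2)
    return out


def gs_decrypt_list(codes, t1, t2, seeds=INITIAL_SEEDS):
    """Decrypt (A, V) codes in order, reseeding after each DEADFACE."""
    raw = []
    for a, v in codes:
        a, v = gs_decrypt(a, v, seeds)
        raw.append((a, v))
        if a == 0xDEADFACE:
            seeds = gs_reseed(seeds, (v >> 8) & 0xFF, v & 0xFF, t1, t2)
    return raw


# Constructed stand-in table: the real T1/T2 live in the cartridge.
PLACEHOLDER_TABLE = list(range(256))

if __name__ == "__main__":
    # Constructed raw codes: a 32bit write, a seed change, an 8bit write.
    raw = [(0x22000000, 0x12345678), (0xDEADFACE, 0x00001020),
           (0x02000100, 0x000000FF)]
    enc = gs_encrypt_list(raw, PLACEHOLDER_TABLE, PLACEHOLDER_TABLE)
    for a, v in enc:
        print(f"{a:08X} {v:08X}")
    print(gs_decrypt_list(enc, PLACEHOLDER_TABLE, PLACEHOLDER_TABLE) == raw)
```
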
7024 | ## GBA Cheat Codes - Pro Action Replay V3
7025 |
7026 | ### Pro Action Replay V3 - RAW Codes
7027 |
7028 | ```
7029 | C4aaaaaa 0000yyyy Enable Code - Hook Routine at [8aaaaaa]
7030 | xxxxxxxx 001DC0DE Enable Code - ID Code [080000AC]
7031 | DEADFACE 0000xxxx Enable Code - Change Encryption Seeds
7032 | 00aaaaaa xxxxxxyy [a0aaaaa..a0aaaaa+xxxxxx]=yy
7033 | 02aaaaaa xxxxyyyy [a0aaaaa..a0aaaaa+xxxx*2]=yyyy
7034 | 04aaaaaa yyyyyyyy [a0aaaaa]=yyyyyyyy
7035 | 40aaaaaa xxxxxxyy [ [a0aaaaa] + xxxxxx ]=yy (Indirect)
7036 | 42aaaaaa xxxxyyyy [ [a0aaaaa] + xxxx*2 ]=yyyy (Indirect)
7037 | 44aaaaaa yyyyyyyy [ [a0aaaaa] ]=yyyyyyyy (Indirect)
7038 | 80aaaaaa 000000yy [a0aaaaa]=[a0aaaaa]+yy
7039 | 82aaaaaa 0000yyyy [a0aaaaa]=[a0aaaaa]+yyyy
7040 | 84aaaaaa yyyyyyyy [a0aaaaa]=[a0aaaaa]+yyyyyyyy
7041 | C6aaaaaa 0000yyyy [4aaaaaa]=yyyy (I/O Area)
7042 | C7aaaaaa yyyyyyyy [4aaaaaa]=yyyyyyyy (I/O Area)
7043 | iiaaaaaa yyyyyyyy IF [a0aaaaa] THEN
7044 | 00000000 60000000 ELSE (?)
7045 | 00000000 40000000 ENDIF (?)
7046 | 00000000 0800xx00 AR Slowdown : loops the AR xx times
7047 | 00000000 00000000 End of the code list
7048 | 00000000 10aaaaaa 000000zz 00000000 IF AR_BUTTON THEN [a0aaaaa]=zz
7049 | 00000000 12aaaaaa 0000zzzz 00000000 IF AR_BUTTON THEN [a0aaaaa]=zzzz
7050 | 00000000 14aaaaaa zzzzzzzz 00000000 IF AR_BUTTON THEN [a0aaaaa]=zzzzzzzz
7051 | 00000000 18aaaaaa 0000zzzz 00000000 [8000000+aaaaaa*2]=zzzz (ROM Patch 1)
7052 | 00000000 1Aaaaaaa 0000zzzz 00000000 [8000000+aaaaaa*2]=zzzz (ROM Patch 2)
7053 | 00000000 1Caaaaaa 0000zzzz 00000000 [8000000+aaaaaa*2]=zzzz (ROM Patch 3)
7054 | 00000000 1Eaaaaaa 0000zzzz 00000000 [8000000+aaaaaa*2]=zzzz (ROM Patch 4)
7055 | ```
7056 |
7057 | ```
7058 | 00000000 80aaaaaa 000000yy ssccssss repeat cc times [a0aaaaa]=yy
7059 | (with yy=yy+ss, a0aaaaa=a0aaaaa+ssss after each step)
7060 | ```
7061 |
7062 | ```
7063 | 00000000 82aaaaaa 0000yyyy ssccssss repeat cc times [a0aaaaa]=yyyy
7064 | (with yyyy=yyyy+ss, a0aaaaa=a0aaaaa+ssss*2 after each step)
7065 | ```
7066 |
7067 | ```
7068 | 00000000 84aaaaaa yyyyyyyy ssccssss repeat cc times [a0aaaaa]=yyyyyyyy
7069 | (with yyyy=yyyy+ss, a0aaaaa=a0aaaaa+ssss*4 after each step)
7070 | ```
7071 |
7072 | Warning: There is a bug on the real AR (v2 upgraded to v3, and maybe on real
7073 | v3) with the 32bit Increment Slide code. You HAVE to add a code (best choice is
7074 | 80000000 00000000 : add 0 to value at address 0) right after it, else the AR
7075 | will erase the 2 last 8 digits lines of the 32 Bits Inc. Slide code when you
7076 | enter it !!!
7077 |
7078 | Final Notes
7079 |
7080 | The 'turn off all codes' makes an infinite loop (that can't be broken, unless
7081 | the condition becomes True). - How? By Interrupt? Huh?
7082 |
7083 | ROM Patch1 works on real V3 and, on V1/V2 upgraded to V3.
7084 |
7085 | ROM Patch2,3,4 work on real V3 hardware only.
7086 |
7087 | ### Pro Action Replay V3 Conditional Codes - iiaaaaaa yyyyyyyy
7088 |
7089 | The 'ii' is composed of three parts added together: condition + value size + action.
7090 |
7091 | ```
7092 | Condition         Value size          Action
7093 | 08 Equal =        00 8bit zz          00 execute next code
7094 | 10 Not equal <>   02 16bit zzzz       40 execute next two codes
7095 | 18 Signed <       04 32bit zzzzzzzz   80 execute all following
7096 | 20 Signed >       06 (always false)      codes until ELSE or ENDIF
7097 | 28 Unsigned <                         C0 normal ELSE turn off all codes
7098 | 30 Unsigned >
7099 | 38 Logical AND
7100 | ```
7101 |
7102 | For example, ii=18h+02h+40h=5Ah, produces IF [a0aaaaa]<zzzz THEN execute next
7103 | two codes (signed 16bit comparison).
7104 |
7105 | ## GBA Gameboy Player
7138 |
7139 | The Gameboy Player is an "adapter" for the Gamecube console. It basically is a
7140 | GBA in a black box without LCD screen and without buttons, connected to an
7141 | expansion port at the bottom of the Gamecube. The Gamecube is then capturing
7142 | the GBA video output (and passing it to the television set), and in the other
7143 | direction, passing the Gamecube joypad input to the GBA inputs.
7144 |
7145 | ### Unlocking and Detecting Gameboy Player Functions
7146 |
7147 | Both unlocking and detection require displaying the 240x160 pixel Gameboy
7148 | Player logo (44 colors) for a number of frames... maybe at least 3-4 frames?
7149 | not sure if it checks the color of the logo... so maybe it can be hidden by
7150 | using dark gray on black background?
7151 |
7152 | While displaying this logo, the joypad data will switch between values 03FFh (2
7153 | frames duration) and 030Fh (1 frame duration). The latter value (left, right,
7154 | up, down all pressed) indicates that it's a Gameboy Player.
7155 |
7156 | ### Palette
7157 |
7158 | Knowing Nintendo, they've probably not reproduced the blurred GBA colors (?),
7159 | so the games won't look as desired on the TV screen. Unless the game does
7160 | detect the Gameboy Player, and adjust the colors accordingly by software.
7161 |
7162 | ### Rumble
7163 |
7164 | The only known existing special function is the joypad rumble function,
7165 | controlled by sending data through the serial port (the normal GBA port, even
7166 | though it also has the connectors).
7167 |
7168 | The Game Boy Player added a rumble feature to certain Game Boy Advance games
7169 | when played with a GameCube controller. Those games included:
7170 |
7171 | - Drill Dozer (supports BOTH handheld-rumble and GBP-rumble?)
7172 | - Mario & Luigi: Superstar Saga
7173 | - Pokemon Pinball: Ruby & Sapphire
7174 | - Shikakui Atama wo Marukusuru Advance: Kokugo Sansu Rika Shakai
7175 | - Shikakui Atama wo Marukusuru Advance: Kanji Keisan
7176 | - Summon Night Craft Sword Monogatari: Hajimari no Ishi
7177 | - Super Mario Advance 4: Super Mario Bros. 3
7178 |
7179 | Fredrik Olsson (aka Flubba) has implemented rumble in 3 applications now:
7180 |
7181 | - RumblePong (FluBBA) (homebrew)
7182 | - Remudvance (FluBBA) (homebrew)
7183 | - Goomba (FluBBA) (8bit Gameboy Color Emulator for 32bit GBA) (homebrew)
7184 |
7185 | and, supposedly in "Tetanus on Drugs" (Tepples) (homebrew)
7186 |
7187 | The GBP can also use some of the extra controllers for the GC like the Bongos
7188 | from Donkey Konga.
7189 |
7190 | The logo requires at least 256 colors, it doesn't matter if you use a tiled
7191 | screen mode or a bitmapped one, the logo can be ripped from either
7192 | "Pokemon Pinball" or "Super Mario Advance 4".
7197 |
7198 | ### Rumble
7199 |
7200 | After detecting/unlocking the Gameboy Player, init RCNT and SIOCNT to 32bit
7201 | normal mode, external clock, SO=high, with IRQ enabled, and set the transfer
7202 | start bit. You should then receive the following sequence (about once per
7203 | frame), and your serial IRQ handler should send responses accordingly:
7204 |
7205 | ```
7206 | Receive Response
7207 | 0000494E 494EB6B1
7208 | xxxx494E 494EB6B1
7209 | B6B1494E 544EB6B1
7210 | B6B1544E 544EABB1
7211 | ABB1544E 4E45ABB1
7212 | ABB14E45 4E45B1BA
7213 | B1BA4E45 4F44B1BA
7214 | B1BA4F44 4F44B0BB
7215 | B0BB4F44 8000B0BB
7216 | B0BB8002 10000010
7217 | 10000010 20000013
7218 | 20000013 40000004
7219 | 30000003 40000004
7220 | 30000003 40000004
7221 | 30000003 40000004
7222 | 30000003 400000yy
7223 | 30000003 40000004
7224 | ```
7225 |
7226 | The first part of the transfer just contains the string "NINTENDO" split into
7227 | 16bit fragments, and bitwise inversions thereof (eg. 494Eh="NI", and B6B1h=NOT
7228 | 494Eh). In the second part, yy should be 04h=RumbleOff, or
7229 | 26h=RumbleOn.
7230 |
7231 | ### Note
7232 |
7233 | If it's having a similar range of functions as the 8bit Super Gameboy, then the
7234 | Gameboy Player might be also able to access analogue joypad input, and to
7235 | access other features of the Gamecube hardware, up to possibly executing code
7236 | on the Gamecube CPU...?
7237 |
7238 | ## GBA Unpredictable Things
7239 |
7240 | ### Foreword
7241 |
7242 | Most of the below is caused by 'traces' from previous operations which have
7243 | used the databus. No promises that the results are stable on all current or
7244 | future GBA models, and/or under all temperature and interference circumstances.
7245 |
7246 | Also, below specifies 32bit data accesses only. When reading units less than
7247 | 32bit, data is rotated depending on the alignment of the originally specified
7248 | address, and 8bit or 16bit are then isolated from the 32bit value as usual.
7249 |
7250 | ### Reading from BIOS Memory (00000000-00003FFF)
7251 |
7252 | The BIOS memory is protected against reading: the GBA allows opcodes or data
7253 | to be read only if the program counter is located inside the BIOS area. If the
7254 | program counter is not in the BIOS area, reading will return the most recent
7255 | successfully fetched BIOS opcode (eg. the opcode at [00DCh+8] after startup and
7256 | SoftReset, the opcode at [0134h+8] during IRQ execution, and opcode at
7257 | [013Ch+8] after IRQ execution, and opcode at [0188h+8] after SWI execution).
7258 |
7259 | ### Reading from Unused Memory (00004000-01FFFFFF,10000000-FFFFFFFF)
7260 |
7261 | Accessing unused memory at 00004000h-01FFFFFFh, and 10000000h-FFFFFFFFh (and
7262 | 02000000h-03FFFFFFh when RAM is disabled via Port 4000800h) returns the
7263 | recently pre-fetched opcode. For ARM code this is simply:
7264 |
7265 | ```
7266 | WORD = [$+8]
7267 | ```
7268 |
7269 | For THUMB code the result consists of two 16bit fragments and depends on the
7270 | address area and alignment where the opcode was stored.
7271 |
7272 | For THUMB code in Main RAM, Palette Memory, VRAM, and Cartridge ROM this is:
7273 |
7274 | ```
7275 | LSW = [$+4], MSW = [$+4]
7276 | ```
7277 |
7278 | For THUMB code in BIOS or OAM (and in 32K-WRAM on Original-NDS (in GBA mode)):
7279 |
7280 | ```
7281 | LSW = [$+4], MSW = [$+6] ;for opcodes at 4-byte aligned locations
7282 | LSW = [$+2], MSW = [$+4] ;for opcodes at non-4-byte aligned locations
7283 | ```
7284 |
7285 | For THUMB code in 32K-WRAM on GBA, GBA SP, GBA Micro, NDS-Lite (but not NDS):
7286 |
7287 | ```
7288 | LSW = [$+4], MSW = OldHI ;for opcodes at 4-byte aligned locations
7289 | LSW = OldLO, MSW = [$+4] ;for opcodes at non-4-byte aligned locations
7290 | ```
7291 |
7292 | Whereas OldLO/OldHI are usually:
7293 |
7294 | ```
7295 | OldLO=[$+2], OldHI=[$+2]
7296 | ```
7297 |
7298 | Unless the previous opcode's prefetch was overwritten; that can happen if the
7299 | previous opcode was itself an LDR opcode, ie. if it was itself reading data:
7300 |
7301 | ```
7302 | OldLO=LSW(data), OldHI=MSW(data)
7303 | ```
7304 |
7305 | Theoretically, this might also change if a DMA transfer occurs.
7306 |
7307 | Note: Additionally, as usual, the 32bit data value will be rotated if the data address wasn't 4-byte aligned, and the upper bits of the 32bit value will
7308 | be masked in case of LDRB/LDRH reads.
7309 |
7310 | Note: The opcode prefetch is caused by the prefetch pipeline in the CPU itself,
7311 | not by the external gamepak prefetch, ie. it works for code in ROM and RAM as
7312 | well.
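
The THUMB rules above, written out as a function an emulator could call for a 32bit read from unused memory. This is an added example, not code from GBATEK or no$gba; `open_bus_thumb`, the `code_area` names and `sample_code` are hypothetical, and the possible effect of a DMA transfer is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum code_area {
    AREA_MAIN_PAL_VRAM_ROM,   /* Main RAM, Palette Memory, VRAM, Cartridge ROM */
    AREA_BIOS_OAM,            /* BIOS or OAM (and 32K-WRAM on Original-NDS)     */
    AREA_WRAM32K              /* 32K-WRAM on GBA, GBA SP, GBA Micro, NDS-Lite   */
};

/* Constructed sample: eight THUMB halfwords, value 1000h+index, so the result
   shows directly which halfwords were combined. */
static const uint16_t sample_code[8] = {
    0x1000, 0x1001, 0x1002, 0x1003, 0x1004, 0x1005, 0x1006, 0x1007
};

/* Halfword stored at byte address addr in a code buffer that starts at base. */
static uint32_t hw(const uint16_t *code, uint32_t base, uint32_t addr)
{
    return code[(addr - base) / 2];
}

/*
 * 32bit value seen by a read from unused memory while executing the THUMB
 * opcode at address pc ("$" in the text).
 * prev_ldr_data: NULL normally; if the previous opcode was itself an LDR,
 * pointer to the 32bit data it read (which overwrote the old prefetch).
 */
uint32_t open_bus_thumb(enum code_area area, const uint16_t *code, uint32_t base,
                        uint32_t pc, const uint32_t *prev_ldr_data)
{
    int aligned = (pc & 2u) == 0;             /* opcode at 4-byte aligned location */
    uint32_t old_lo = hw(code, base, pc + 2); /* usual case: OldLO=OldHI=[$+2] */
    uint32_t old_hi = old_lo;
    uint32_t lsw, msw;

    if (prev_ldr_data != NULL) {
        old_lo = *prev_ldr_data & 0xFFFFu;    /* OldLO=LSW(data) */
        old_hi = *prev_ldr_data >> 16;        /* OldHI=MSW(data) */
    }

    switch (area) {
    case AREA_BIOS_OAM:
        lsw = hw(code, base, pc + (aligned ? 4u : 2u));
        msw = hw(code, base, pc + (aligned ? 6u : 4u));
        break;
    case AREA_WRAM32K:
        lsw = aligned ? hw(code, base, pc + 4) : old_lo;
        msw = aligned ? old_hi : hw(code, base, pc + 4);
        break;
    default:                                  /* LSW = [$+4], MSW = [$+4] */
        lsw = msw = hw(code, base, pc + 4);
        break;
    }
    return (msw << 16) | lsw;
}

int main(void)
{
    uint32_t base = 0x03000000u;              /* constructed load address */

    printf("WRAM, aligned:   %08X\n", (unsigned)
           open_bus_thumb(AREA_WRAM32K, sample_code, base, base + 8, NULL));
    printf("WRAM, unaligned: %08X\n", (unsigned)
           open_bus_thumb(AREA_WRAM32K, sample_code, base, base + 10, NULL));
    return 0;
}
```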
7313 |
7314 | ### Reading from Unused or Write-Only I/O Ports
7315 |
7316 | Works like above Unused Memory when the entire 32bit memory fragment is Unused
7317 | (eg. 0E0h) and/or Write-Only (eg. DMA0SAD). And otherwise, returns zero if the
7318 | lower 16bit fragment is readable (eg. 04Ch=MOSAIC, 04Eh=NOTUSED/ZERO).
7319 |
7320 | ### Reading from GamePak ROM when no Cartridge is inserted
7321 |
7322 | Because Gamepak uses the same signal-lines for both 16bit data and for lower
7323 | 16bit halfword address, the entire gamepak ROM area is effectively filled by
7324 | incrementing 16bit values (Address/2 AND FFFFh).
7325 |
7326 | ### Memory Mirrors
7327 |
7328 | Most internal memory is mirrored across the whole 24bit/16MB address space in
7329 | which it is located: Slow On-board RAM at 2XXXXXXh, Fast On-Chip RAM at
7330 | 3XXXXXXh, Palette RAM at 5XXXXXXh, VRAM at 6XXXXXXh, and OAM at 7XXXXXXh. Even
7331 | though VRAM is sized 96K (64K+32K), it is repeated in steps of 128K
7332 | (64K+32K+32K, the two 32K blocks themselves being mirrors of each other).
7333 |
7334 | BIOS ROM, Normal ROM Cartridges, and I/O area are NOT mirrored, the only
7335 | exception is the undocumented I/O port at 4000800h (repeated each 64K).
7336 |
7337 | The 64K SRAM area is mirrored across the whole 32MB area at E000000h-FFFFFFFh,
7338 | also, inside of the 64K SRAM field, 32K SRAM chips are repeated twice.
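
The mirroring rules above as an address-canonicalising helper. This is an added example, not code from GBATEK; `gba_unmirror` is a hypothetical name, and the 256K and 32K sizes of the two Work RAM blocks are taken from the GBA memory map rather than from this section.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Map a CPU address to the lowest address that selects the same storage.
 * sram_size is the size of the fitted SRAM chip in bytes (0x8000 or 0x10000).
 * Areas the text lists as NOT mirrored are returned unchanged.
 */
uint32_t gba_unmirror(uint32_t addr, uint32_t sram_size)
{
    uint32_t off = addr & 0x00FFFFFFu;        /* offset inside the 16MB area */

    switch (addr >> 24) {
    case 0x02:                                /* Slow On-board RAM, 256K */
        return 0x02000000u | (off & 0x3FFFFu);
    case 0x03:                                /* Fast On-Chip RAM, 32K */
        return 0x03000000u | (off & 0x7FFFu);
    case 0x04:                                /* I/O: only port 4000800h repeats */
        if ((off & 0xFFFCu) == 0x0800u)       /* each 64K */
            return 0x04000800u | (off & 3u);
        return addr;
    case 0x05:                                /* Palette RAM, 1K */
        return 0x05000000u | (off & 0x3FFu);
    case 0x06:                                /* VRAM: 96K in steps of 128K */
        off &= 0x1FFFFu;
        if (off >= 0x18000u)                  /* second 32K block mirrors the first */
            off -= 0x8000u;
        return 0x06000000u | off;
    case 0x07:                                /* OAM, 1K */
        return 0x07000000u | (off & 0x3FFu);
    case 0x0E:
    case 0x0F:                                /* SRAM: 64K field across 32MB */
        return 0x0E000000u | (addr & 0xFFFFu & (sram_size - 1u));
    default:                                  /* BIOS, ROM, unused areas */
        return addr;
    }
}

int main(void)
{
    printf("%08X\n", (unsigned)gba_unmirror(0x03FFFF00u, 0x10000u));
    printf("%08X\n", (unsigned)gba_unmirror(0x06018000u, 0x10000u));
    return 0;
}
```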
7339 |
7340 | ### Writing 8bit Data to Video Memory
7341 |
7342 | Video Memory (BG, OBJ, OAM, Palette) can be written to in 16bit and 32bit units
7343 | only. Attempts to write 8bit data (by STRB opcode) won't work:
7344 |
7345 | Writes to OBJ (6010000h-6017FFFh) (or 6014000h-6017FFFh in Bitmap mode) and to
7346 | OAM (7000000h-70003FFh) are ignored, the memory content remains unchanged.
7347 |
7348 | Writes to BG (6000000h-600FFFFh) (or 6000000h-6013FFFh in Bitmap mode) and to
7349 | Palette (5000000h-50003FFh) are writing the new 8bit value to BOTH upper and
7350 | lower 8bits of the addressed halfword, ie. "[addr AND NOT 1]=data\*101h".
7351 |
7352 | ### Using Invalid Tile Numbers
7353 |
7354 | In Text mode, large tile numbers (combined with a non-zero character base
7355 | setting in BGnCNT register) may exceed the available 64K of BG VRAM.
7356 |
7357 | On GBA and GBA SP, such invalid tiles are displayed as if the character data is
7358 | filled by the 16bit BG Map entry value (ie. as vertically striped tiles). Above
7359 | applies only if there is only one BG layer enabled, with two or more layers,
7360 | things are getting much more complicated: tile-data is then somehow derived
7361 | from the other layers, depending on their priority order and scrolling offsets.
7362 |
7363 | On NDS (in GBA mode), such invalid tiles are displayed as if the character data
7364 | is zero-filled (ie. as invisible/transparent tiles).
7365 |
7366 | ### Accessing SRAM Area by 16bit/32bit
7367 |
7368 | Reading retrieves 8bit value from specified address, multiplied by 0101h (LDRH)
7369 | or by 01010101h (LDR). Writing changes the 8bit value at the specified address
7370 | only, being set to LSB of (source\_data ROR (address\*8)).
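
A model of the two bus-width quirks described above: STRB into video memory, and 16bit/32bit accesses to the SRAM area. This is an added example, not code from GBATEK; the function and type names are hypothetical, address mirrors are not resolved, and the SRAM buffer is assumed to be 64K.

```c
#include <stdint.h>
#include <stdio.h>

enum strb_result { STRB_NOT_VIDEO, STRB_IGNORED, STRB_DUPLICATED };

/* What an 8bit write does: for STRB_DUPLICATED, halfword `value` is stored at `addr`. */
struct strb_effect { enum strb_result kind; uint32_t addr; uint16_t value; };

struct strb_effect video_strb(uint32_t addr, uint8_t data, int bitmap_mode)
{
    /* "[addr AND NOT 1]=data*101h" */
    struct strb_effect e = { STRB_NOT_VIDEO, addr & ~1u, (uint16_t)(data * 0x101u) };
    uint32_t bg_end = bitmap_mode ? 0x06013FFFu : 0x0600FFFFu;

    if ((addr >= 0x05000000u && addr <= 0x050003FFu) ||      /* Palette */
        (addr >= 0x06000000u && addr <= bg_end))              /* BG */
        e.kind = STRB_DUPLICATED;
    else if ((addr > bg_end && addr <= 0x06017FFFu) ||        /* OBJ */
             (addr >= 0x07000000u && addr <= 0x070003FFu))    /* OAM */
        e.kind = STRB_IGNORED;
    return e;
}

static uint32_t ror32(uint32_t x, unsigned n)
{
    n &= 31u;
    return n ? (x >> n) | (x << (32u - n)) : x;
}

/* bytes = 1 (LDRB), 2 (LDRH) or 4 (LDR); sram points to a 64K buffer. */
uint32_t sram_read(const uint8_t *sram, uint32_t addr, int bytes)
{
    uint32_t v = sram[addr & 0xFFFFu];        /* only one byte is ever fetched */

    if (bytes == 2) return v * 0x0101u;
    if (bytes == 4) return v * 0x01010101u;
    return v;
}

/* Any store width changes only the byte at addr: LSB of (data ROR (addr*8)). */
void sram_write(uint8_t *sram, uint32_t addr, uint32_t data)
{
    sram[addr & 0xFFFFu] = (uint8_t)ror32(data, (addr & 3u) * 8u);
}

int main(void)
{
    static uint8_t sram[0x10000];             /* constructed, zero-filled SRAM */
    struct strb_effect e = video_strb(0x05000003u, 0x7F, 0);

    sram_write(sram, 0x0E000002u, 0x11223344u);
    printf("palette STRB: [%08X]=%04X\n", (unsigned)e.addr, (unsigned)e.value);
    printf("SRAM LDR:     %08X\n", (unsigned)sram_read(sram, 0x0E000002u, 4));
    return 0;
}
```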
7371 |
7372 | ## ARM CPU Reference
7373 |
7374 | ### General ARM7TDMI Information
7375 |
7376 | - [ARM CPU Overview](#armcpuoverview)
7377 | - [ARM CPU Register Set](#armcpuregisterset)
7378 | - [ARM CPU Flags & Condition Field (cond)](#armcpuflagsconditionfieldcond)
7379 | - [ARM CPU 26bit Memory Interface](#armcpu26bitmemoryinterface)
7380 | - [ARM CPU Exceptions](#armcpuexceptions)
7381 | - [ARM CPU Memory Alignments](#armcpumemoryalignments)
7382 |
7383 | ### ARM 32bit Instruction Set (ARM Code)
7384 |
7385 | - [ARM Instruction Summary](#arminstructionsummary)
7386 | - [ARM Opcodes: Branch and Branch with Link (B, BL, BX, BLX, SWI, BKPT)](#armopcodesbranchandbranchwithlinkbblbxblxswibkpt)
7387 | - [ARM Opcodes: Data Processing (ALU)](#armopcodesdataprocessingalu)
7388 | - [ARM Opcodes: Multiply and Multiply-Accumulate (MUL, MLA)](#armopcodesmultiplyandmultiplyaccumulatemulmla)
7389 | - [ARM Opcodes: Special ARM9 Instructions (CLZ, QADD/QSUB)](#armopcodesspecialarm9instructionsclzqaddqsub)
7390 | - [ARM Opcodes: PSR Transfer (MRS, MSR)](#armopcodespsrtransfermrsmsr)
7391 | - [ARM Opcodes: Memory: Single Data Transfer (LDR, STR, PLD)](#armopcodesmemorysingledatatransferldrstrpld)
7392 | - [ARM Opcodes: Memory: Halfword, Doubleword, and Signed Data Transfer](#armopcodesmemoryhalfworddoublewordandsigneddatatransfer)
7393 | - [ARM Opcodes: Memory: Block Data Transfer (LDM, STM)](#armopcodesmemoryblockdatatransferldmstm)
7394 | - [ARM Opcodes: Memory: Single Data Swap (SWP)](#armopcodesmemorysingledataswapswp)
7395 | - [ARM Opcodes: Coprocessor Instructions (MRC/MCR, LDC/STC, CDP, MCRR/MRRC)](#armopcodescoprocessorinstructionsmrcmcrldcstccdpmcrrmrrc)
7396 |
7397 | ### ARM 16bit Instruction Set (THUMB Code)
7398 |
7399 | When operating in THUMB state, cut-down 16bit opcodes are used.
7400 |
7401 | THUMB is supported on T-variants of ARMv4 and up, ie. ARMv4T, ARMv5T, etc.
7402 |
7403 | - [THUMB Instruction Summary](#thumbinstructionsummary)
7404 | - [THUMB Opcodes: Register Operations (ALU, BX)](#thumbopcodesregisteroperationsalubx)
7405 | - [THUMB Opcodes: Memory Load/Store (LDR/STR)](#thumbopcodesmemoryloadstoreldrstr)
7406 | - [THUMB Opcodes: Memory Addressing (ADD PC/SP)](#thumbopcodesmemoryaddressingaddpcsp)
7407 | - [THUMB Opcodes: Memory Multiple Load/Store (PUSH/POP and LDM/STM)](#thumbopcodesmemorymultipleloadstorepushpopandldmstm)
7408 | - [THUMB Opcodes: Jumps and Calls](#thumbopcodesjumpsandcalls)
7409 |
7410 | ### Note
7411 |
7412 | Switching between ARM and THUMB state can be done by using the Branch and
7413 | Exchange (BX) instruction.
7414 |
7415 | ### Further Information
7416 |
7417 | - [ARM Pseudo Instructions and Directives](#armpseudoinstructionsanddirectives)
7418 | - [ARM CP15 System Control Coprocessor](#armcp15systemcontrolcoprocessor)
7419 | - [ARM CPU Instruction Cycle Times](#armcpuinstructioncycletimes)
7420 | - [ARM CPU Versions](#armcpuversions)
7421 | - [ARM CPU Data Sheet](#armcpudatasheet)
7422 |
7423 | ## ARM CPU Overview
7424 |
7425 | The ARM7TDMI is a 32bit RISC (Reduced Instruction Set Computer) CPU, designed
7426 | by ARM (Advanced RISC Machines), and designed for both high performance and low
7427 | power consumption.
7428 |
7429 | ### Fast Execution
7430 |
7431 | Depending on the CPU state, all opcodes are sized 32bit or 16bit (that's
7432 | counting both the opcode bits and its parameters bits) providing fast decoding
7433 | and execution. Additionally, pipelining allows - (a) one instruction to be
7434 | executed while (b) the next instruction is decoded and (c) the next instruction
7435 | is fetched from memory - all at the same time.
7436 |
7437 | ### Data Formats
7438 |
7439 | The CPU manages to deal with 8bit, 16bit, and 32bit data, that are called:
7440 |
7441 | ```
7442 | 8bit - Byte
7443 | 16bit - Halfword
7444 | 32bit - Word
7445 | ```
7446 |
7447 | ### The two CPU states
7448 |
7449 | As mentioned above, two CPU states exist:
7450 |
7451 | - ARM state: Uses the full 32bit instruction set (32bit opcodes)
7452 |
7453 | - THUMB state: Uses a cutdown 16bit instruction set (16bit opcodes)
7454 |
7455 | Regardless of the opcode-width, both states are using 32bit registers, allowing
7456 | 32bit memory addressing as well as 32bit arithmetic/logical operations.
7457 |
7458 | ### When to use ARM state
7459 |
7460 | Basically, there are two advantages in ARM state:
7461 |
7462 | - Each single opcode provides more functionality, resulting
7463 |   in faster execution when using a 32bit bus memory system
7464 |   (such as opcodes stored in GBA Work RAM).
7465 | - All registers R0-R15 can be accessed directly.
7466 |
7467 | The downsides are:
7468 |
7469 | - Not so fast when using 16bit memory system
7470 |   (but it still works though).
7471 | - Program code occupies more memory space.
7472 |
7473 | ### When to use THUMB state
7474 |
7475 | There are two major advantages in THUMB state:
7476 |
7477 | - Faster execution up to approx 160% when using a 16bit bus
7478 |   memory system (such as opcodes stored in GBA GamePak ROM).
7479 | - Reduces code size, decreases memory overload down to approx 65%.
7480 |
7481 | The disadvantages are:
7482 |
7483 | - Not as multi-functional opcodes as in ARM state, so it will
7484 |   sometimes be required to use more than one opcode to gain a
7485 |   similar result as for a single opcode in ARM state.
7486 | - Most opcodes allow only registers R0-R7 to be used directly.
7487 |
7488 | ### Combining ARM and THUMB state
7489 |
7490 | Switching between ARM and THUMB state is done by a normal branch (BX)
7491 | instruction which takes only a handful of cycles to execute (allowing to change
7492 | states as often as desired - with almost no overload).
7493 |
7494 | Also, as both ARM and THUMB are using the same register set, it is possible to
7495 | pass data between ARM and THUMB mode very easily.
7496 |
7497 | The best memory & execution performance can be gained by combining both
7498 | states: THUMB for normal program code, and ARM code for timing critical
7499 | subroutines (such as interrupt handlers, or complicated algorithms).
7500 |
7501 | Note: ARM and THUMB code cannot be executed simultaneously.
7502 |
7503 | ### Automatic state changes
7504 |
7505 | Besides the above manual state switching by using BX instructions, the
7506 | following situations involve automatic state changes:
7507 |
7508 | - CPU switches to ARM state when executing an exception
7509 |
7510 | - User switches back to old state when leaving an exception
7511 |
7512 | ## ARM CPU Register Set
7513 |
7514 | ### Overview
7515 |
7516 | The following table shows the ARM7TDMI register set which is available in each
7517 | mode. There's a total of 37 registers (32bit each), 31 general registers (Rxx)
7518 | and 6 status registers (xPSR).
7519 |
7520 | Note that only some registers are 'banked', for example, each mode has its own
7521 | R14 register: called R14, R14\_fiq, R14\_svc, etc. for each mode respectively.
7522 |
7523 | However, other registers are not banked, for example, each mode is using the
7524 | same R0 register, so writing to R0 will always affect the content of R0 in
7525 | other modes also.
7526 |
7527 | ```
7528 | System/User FIQ Supervisor Abort IRQ Undefined
7529 | --------------------------------------------------------------
7530 | R0 R0 R0 R0 R0 R0
7531 | R1 R1 R1 R1 R1 R1
7532 | R2 R2 R2 R2 R2 R2
7533 | R3 R3 R3 R3 R3 R3
7534 | R4 R4 R4 R4 R4 R4
7535 | R5 R5 R5 R5 R5 R5
7536 | R6 R6 R6 R6 R6 R6
7537 | R7 R7 R7 R7 R7 R7
7538 | --------------------------------------------------------------
7539 | R8 R8_fiq R8 R8 R8 R8
7540 | R9 R9_fiq R9 R9 R9 R9
7541 | R10 R10_fiq R10 R10 R10 R10
7542 | R11 R11_fiq R11 R11 R11 R11
7543 | R12 R12_fiq R12 R12 R12 R12
7544 | R13 (SP) R13_fiq R13_svc R13_abt R13_irq R13_und
7545 | R14 (LR) R14_fiq R14_svc R14_abt R14_irq R14_und
7546 | R15 (PC) R15 R15 R15 R15 R15
7547 | --------------------------------------------------------------
7548 | CPSR CPSR CPSR CPSR CPSR CPSR
7549 | -- SPSR_fiq SPSR_svc SPSR_abt SPSR_irq SPSR_und
7550 | --------------------------------------------------------------
7551 | ```
7552 |
7553 | ### R0-R12 Registers (General Purpose Registers)
7554 |
7555 | These thirteen registers may be used for whatever general purposes. Basically,
7556 | each is having same functionality and performance, ie. there is no 'fast
7557 | accumulator' for arithmetic operations, and no 'special pointer register' for
7558 | memory addressing.
7559 |
7560 | However, in THUMB mode only R0-R7 (Lo registers) may be accessed freely, while
7561 | R8-R12 and up (Hi registers) can be accessed only by some instructions.
7562 |
7563 | ### R13 Register (SP)
7564 |
7565 | This register is used as Stack Pointer (SP) in THUMB state. While in ARM state
7566 | the user may decide to use R13 and/or other register(s) as stack pointer(s),
7567 | or as general purpose register.
7568 |
7569 | As shown in the table above, there's a separate R13 register in each mode, and
7570 | (when used as SP) each exception handler may (and MUST!) use its own stack.
7571 |
7572 | ### R14 Register (LR)
7573 |
7574 | This register is used as Link Register (LR). That is, when calling to a
7575 | sub-routine by a Branch with Link (BL) instruction, then the return address
7576 | (ie. old value of PC) is saved in this register.
7577 |
7578 | Storing the return address in the LR register is obviously faster than pushing
7579 | it into memory, however, as there's only one LR register for each mode, the
7580 | user must manually push its content before issuing 'nested' subroutines.
7581 |
7582 | Same happens when an exception is called, PC is saved in LR of new mode.
7583 |
7584 | Note: In ARM mode, R14 may be used as general purpose register also, provided
7585 | that above usage as LR register isn't required.
7586 |
7587 | ### R15 Register (PC)
7588 |
7589 | R15 is always used as program counter (PC). Note that when reading R15, this
7590 | will usually return a value of PC+nn because of read-ahead (pipelining),
7591 | whereas 'nn' depends on the instruction and on the CPU state (ARM or THUMB).
7592 |
7593 | ### CPSR and SPSR (Program Status Registers) (ARMv3 and up)
7594 |
7595 | The current condition codes (flags) and CPU control bits are stored in the CPSR
7596 | register. When an exception arises, the old CPSR is saved in the SPSR of the
7597 | respective exception-mode (much like PC is saved in LR).
7598 |
7599 | For details refer to chapter about CPU Flags.
7600 |
7601 | ## ARM CPU Flags & Condition Field (cond)
7602 |
7603 | ### ARM Condition Field {cond}
7604 |
7605 | The opcode {cond} suffixes can be used for conditionally executed code based on
7606 | the C,N,Z,V flags in CPSR register. For example: BEQ = Branch if Equal, MOVMI =
7607 | Move if Signed.
7608 |
7609 | In ARM mode, {cond} can be used with all opcodes (except for a few newer ARMv5
7610 | instructions: BKPT, PLD, CDP2, LDC2, MCR2, MRC2, STC2, and BLX\_imm are
7611 | nonconditional; however BLX\_reg can be conditional).
7612 |
7613 | In THUMB mode, {cond} can be used only for branch opcodes.
7614 |
7615 | ```
7616 | Code Suffix Flags Meaning
7617 | 0: EQ Z=1 equal (zero) (same)
7618 | 1: NE Z=0 not equal (nonzero) (not same)
7619 | 2: CS/HS C=1 unsigned higher or same (carry set)
7620 | 3: CC/LO C=0 unsigned lower (carry cleared)
7621 | 4: MI N=1 negative (minus)
7622 | 5: PL N=0 positive or zero (plus)
7623 | 6: VS V=1 overflow (V set)
7624 | 7: VC V=0 no overflow (V cleared)
7625 | 8: HI C=1 and Z=0 unsigned higher
7626 | 9: LS C=0 or Z=1 unsigned lower or same
7627 | A: GE N=V greater or equal
7628 | B: LT N<>V less than
7629 | C: GT Z=0 and N=V greater than
7630 | D: LE Z=1 or N<>V less or equal
7631 | E: AL - always (the "AL" suffix can be omitted)
7632 | F: NV - never (ARMv1,v2 only) (Reserved ARMv3 and up)
7633 | ```
7634 |
7635 | Execution Time: If condition=false: 1S cycle. Otherwise: as specified for the
7636 | respective opcode.
7637 |
7638 | ### Current Program Status Register (CPSR)
7639 |
7640 | ```
7641 | Bit Expl.
7642 | 31 N - Sign Flag (0=Not Signed, 1=Signed) ;\
7643 | 30 Z - Zero Flag (0=Not Zero, 1=Zero) ; Condition
7644 | 29 C - Carry Flag (0=Borrow/No Carry, 1=Carry/No Borrow) ; Code Flags
7645 | 28 V - Overflow Flag (0=No Overflow, 1=Overflow) ;/
7646 | 27 Q - Sticky Overflow (1=Sticky Overflow, ARMv5TE and up only)
7647 | 26-8 Reserved (For future use) - Do not change manually!
7648 | 7 I - IRQ disable (0=Enable, 1=Disable) ;\
7649 | 6 F - FIQ disable (0=Enable, 1=Disable) ; Control
7650 | 5 T - State Bit (0=ARM, 1=THUMB) - Do not change manually!; Bits
7651 | 4-0 M4-M0 - Mode Bits (See below) ;/
7652 | ```
7653 |
7654 | ### Bit 31-28: Condition Code Flags (N,Z,C,V)
7655 |
7656 | These bits reflect results of logical or arithmetic instructions. In ARM mode,
7657 | it is often optional whether an instruction should modify flags or not, for
7658 | example, it is possible to execute a SUB instruction that does NOT modify the
7659 | condition flags.
7660 |
7661 | In ARM state, all instructions can be executed conditionally depending on the
7662 | settings of the flags, such as MOVEQ (Move if Z=1). While in THUMB state,
7663 | only Branch instructions (jumps) can be made conditionally.
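
The {cond} table and the CPSR flag bits above, evaluated the way an interpreter would. This is an added example, not code from GBATEK; `cond_passed` and `cmp_flags` are hypothetical names, and `cmp_flags` models only the flag result of a CMP/SUBS.

```c
#include <stdint.h>
#include <stdio.h>

#define CPSR_N (1u << 31)
#define CPSR_Z (1u << 30)
#define CPSR_C (1u << 29)
#define CPSR_V (1u << 28)

/* N,Z,C,V as left in CPSR bits 31-28 by CMP a,b (ie. by computing a-b). */
uint32_t cmp_flags(uint32_t a, uint32_t b)
{
    uint32_t r = a - b, f = 0;

    if (r & 0x80000000u)                  f |= CPSR_N;
    if (r == 0)                           f |= CPSR_Z;
    if (a >= b)                           f |= CPSR_C;   /* 1=Carry/No Borrow */
    if (((a ^ b) & (a ^ r)) & 0x80000000u) f |= CPSR_V;  /* signed overflow */
    return f;
}

/* Returns 1 if an opcode with condition field `cond` executes under `cpsr`. */
int cond_passed(unsigned cond, uint32_t cpsr)
{
    int n = (cpsr & CPSR_N) != 0, z = (cpsr & CPSR_Z) != 0;
    int c = (cpsr & CPSR_C) != 0, v = (cpsr & CPSR_V) != 0;

    switch (cond & 0xFu) {
    case 0x0: return z;                 /* EQ */
    case 0x1: return !z;                /* NE */
    case 0x2: return c;                 /* CS/HS */
    case 0x3: return !c;                /* CC/LO */
    case 0x4: return n;                 /* MI */
    case 0x5: return !n;                /* PL */
    case 0x6: return v;                 /* VS */
    case 0x7: return !v;                /* VC */
    case 0x8: return c && !z;           /* HI */
    case 0x9: return !c || z;           /* LS */
    case 0xA: return n == v;            /* GE */
    case 0xB: return n != v;            /* LT */
    case 0xC: return !z && n == v;      /* GT */
    case 0xD: return z || n != v;       /* LE */
    case 0xE: return 1;                 /* AL */
    default:  return 0;                 /* NV: never (reserved on ARMv3 and up) */
    }
}

int main(void)
{
    /* 80000000h vs 1: unsigned higher, but signed less than (V is set). */
    uint32_t f = cmp_flags(0x80000000u, 1u);

    printf("HI=%d LT=%d\n", cond_passed(0x8, f), cond_passed(0xB, f));
    return 0;
}
```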
7664 |
7665 | ### Bit 27: Sticky Overflow Flag (Q) - ARMv5TE and ARMv5TExP and up only
7666 |
7667 | Used by QADD, QSUB, QDADD, QDSUB, SMLAxy, and SMLAWy only. These opcodes set
7668 | the Q-flag in case of overflows, but leave it unchanged otherwise. The Q-flag
7669 | can be tested/reset by MSR/MRS opcodes only.
7670 |
7671 | ### Bit 27-8: Reserved Bits (except Bit 27 on ARMv5TE and up, see above)
7672 |
7673 | These bits are reserved for possible future implementations. For best forwards
7674 | compatibility, the user should never change the state of these bits, and should
7675 | not expect these bits to be set to a specific value.
7676 |
7677 | ### Bit 7-0: Control Bits (I,F,T,M4-M0)
7678 |
7679 | These bits may change when an exception occurs. In privileged modes (non-user
7680 | modes) they may be also changed manually.
7681 |
7682 | The interrupt bits I and F are used to disable IRQ and FIQ interrupts
7683 | respectively (a setting of "1" means disabled).
7684 |
7685 | The T Bit signalizes the current state of the CPU (0=ARM, 1=THUMB), this bit
7686 | should never be changed manually - instead, changing between ARM and THUMB
7687 | state must be done by BX instructions.
7688 |
7689 | The Mode Bits M4-M0 contain the current operating mode.
7690 |
7691 | ```
7692 | Binary Hex Dec Expl.
7693 | 0xx00b 00h 0 - Old User ;\26bit Backward Compatibility modes
7694 | 0xx01b 01h 1 - Old FIQ ; (supported only on ARMv3, except ARMv3G,
7695 | 0xx10b 02h 2 - Old IRQ ; and on some non-T variants of ARMv4)
7696 | 0xx11b 03h 3 - Old Supervisor ;/
7697 | 10000b 10h 16 - User (non-privileged)
7698 | 10001b 11h 17 - FIQ
7699 | 10010b 12h 18 - IRQ
7700 | 10011b 13h 19 - Supervisor (SWI)
7701 | 10111b 17h 23 - Abort
7702 | 11011b 1Bh 27 - Undefined
7703 | 11111b 1Fh 31 - System (privileged 'User' mode) (ARMv4 and up)
7704 | ```
7705 |
7706 | Writing any other values into the Mode bits is not allowed.
7707 |
7708 | ### Saved Program Status Registers (SPSR\_\<mode\>)
7709 |
7710 | Additionally to above CPSR, five Saved Program Status Registers exist:
7711 |
7712 | SPSR\_fiq, SPSR\_svc, SPSR\_abt, SPSR\_irq, SPSR\_und
7713 |
7714 | Whenever the CPU enters an exception, the current status register (CPSR) is
7715 | copied to the respective SPSR\_\<mode\> register. Note that there is only
7716 | one SPSR for each mode, so nested exceptions inside of the same mode are
7717 | allowed only if the exception handler saves the content of SPSR in memory.
7718 |
7719 | For example, for an IRQ exception: IRQ-mode is entered, and CPSR is copied to
7720 | SPSR\_irq. If the interrupt handler wants to enable nested IRQs, then it must
7721 | first push SPSR\_irq before doing so.
7722 |
7723 | ## ARM CPU 26bit Memory Interface
7724 |
7725 | The 26bit Memory Interface was used by ARMv1 and ARMv2. The 32bit interface is
7726 | used by ARMv3 and newer, however, 26bit backward compatibility was included in
7727 | all ARMv3 (except ARMv3G), and optionally in some non-T variants of ARMv4.
7728 |
7729 | ### Format of R15 in 26bit Mode (Program Counter Register)
7730 |
7731 | ```
7732 | Bit Name Expl.
7733 | 31-28 N,Z,C,V Flags (Sign, Zero, Carry, Overflow)
7734 | 27-26 I,F Interrupt Disable bits (IRQ, FIQ) (1=Disable)
7735 | 25-2 PC Program Counter, 24bit, Step 4 (64M range)
7736 | 1-0 M1,M0 Mode (0=User, 1=FIQ, 2=IRQ, 3=Supervisor)
7737 | ```
7738 |
7739 | Branches with +/-32M range wrap the PC register, and can reach all 64M memory.
7740 |
7741 | ### Reading from R15
7742 |
7743 | If R15 is specified in bit16-19 of an opcode, then NZCVIF and M0,1 are masked
7744 | (zero), otherwise the full 32bits are used.
7745 |
7746 | ### Writing to R15
7747 |
7748 | ALU opcodes with S=1, and LDM opcodes with PSR=1 can write to all 32bits in R15
7749 | (in 26bit mode, that is allowed even in user mode, though it does then affect
7750 | only NZCF, not the write protected IFMM bits ???), other opcodes which write to
7751 | R15 will modify only the program counter bits. Also, special CMP/CMN/TST/TEQ{P}
7752 | opcodes can be used to write to the PSR bits in R15 without modifying the PC
7753 | bits.
7754 |
7755 | ### Exceptions
7756 |
7757 | SWIs, Reset, Data/Prefetch Aborts and Undefined instructions enter Supervisor
7758 | mode. Interrupts enter IRQ and FIQ mode. Additionally, a special 26bit Address
7759 | Exception exists, which enters Supervisor mode on accesses to memory
7760 | addresses>=64M as follows:
7761 |
7762 | ```
7763 | R14_svc = PC ($+8, including old PSR bits)
7764 | M1,M0 = 11b = supervisor mode, F=same, I=1, PC=14h,
7765 | to continue at the fault location, return by SUBS PC,LR,8.
7766 | ```
7767 |
7768 | 32bit CPUs with 26bit compatibility mode can be configured to switch into 32bit
7769 | mode when encountering exceptions.
7770 |
7771 | ## ARM CPU Exceptions
7772 |
7773 | ### Exception Vectors
7774 |
7775 | The following are the exception vectors in memory. That is, when an exception
7776 | arises, CPU is switched into ARM state, and the program counter (PC) is loaded
7777 | by the respective address.
7778 |
7779 | ```
7780 | Address Prio Exception Mode on Entry Interrupt Flags
7781 | BASE+00h 1 Reset Supervisor (_svc) I=1, F=1
7782 | BASE+04h 7 Undefined Instruction Undefined (_und) I=1, F=unchanged
7783 | BASE+08h 6 Software Interrupt (SWI) Supervisor (_svc) I=1, F=unchanged
7784 | BASE+0Ch 5 Prefetch Abort Abort (_abt) I=1, F=unchanged
7785 | BASE+10h 2 Data Abort Abort (_abt) I=1, F=unchanged
7786 | BASE+14h ?? Address Exceeds 26bit Supervisor (_svc) I=1, F=unchanged
7787 | BASE+18h 4 Normal Interrupt (IRQ) IRQ (_irq) I=1, F=unchanged
7788 | BASE+1Ch 3 Fast Interrupt (FIQ) FIQ (_fiq) I=1, F=1
7789 | ```
7790 |
7791 | BASE is normally 00000000h, but may be optionally FFFF0000h in some ARM CPUs.
7792 | Priority for simultaneously occurring exceptions ranges from Prio=1=Highest to
7793 | Prio=7=Lowest.
7794 |
7795 | As there's only space for one ARM opcode at each of the above addresses, it'd
7796 | be usually recommended to deposit a Branch opcode into each vector, which'd
7797 | then redirect to the actual exception handlers address.
7798 |
7799 | ### Actions performed by CPU when entering an exception
7800 |
7801 | ```
7802 | - R14_<new mode>=PC+nn ;save old PC, ie. return address
7803 | - SPSR_<new mode>=CPSR ;save old flags
7804 | - CPSR new T,M bits ;set to T=0 (ARM state), and M4-0=new mode
7805 | - CPSR new I bit ;IRQs disabled (I=1), done by ALL exceptions
7806 | - CPSR new F bit ;FIQs disabled (F=1), done by Reset and FIQ only
7807 | - PC=exception_vector ;see table above
7808 | ```
7809 |
7810 | Above "PC+nn" depends on the type of exception. Basically, in ARM state that
7811 | nn-offset is caused by pipelining, and in THUMB state an identical ARM-style
7812 | 'offset' is generated (even though the 'base address' may be only
7813 | halfword-aligned).
7814 |
7815 | ### Required user-handler actions when returning from an exception
7816 |
7817 | Restore any general registers (R0-R14) which might have been modified by the
7818 | exception handler. Use return-instruction as listed in the respective
7819 | descriptions below, this will both restore PC and CPSR - that automatically
7820 | involves that the old CPU state (THUMB or ARM) as well as old state of FIQ and
7821 | IRQ disable flags are restored.
7822 |
7823 | As mentioned above (see action on entering...), the return address is always
7824 | saved in ARM-style format, so that exception handler may use the same
7825 | return-instruction, regardless of whether the exception has been generated from
7826 | inside of ARM or THUMB state.
7827 |
7828 | ### FIQ (Fast Interrupt Request)
7829 |
7830 | This interrupt is generated by a LOW level on the nFIQ input. It is supposed to
7831 | process timing critical interrupts at a high priority, as fast as possible.
7832 |
7833 | Additionally to the common banked registers (R13\_fiq,R14\_fiq), five extra
7834 | banked registers (R8\_fiq-R12\_fiq) are available in FIQ mode. The exception
7835 | handler may freely access these registers without modifying the main program's
7836 | R8-R12 registers (and without having to save those registers on stack).
7837 |
7838 | In privileged (non-user) modes, FIQs may be also manually disabled by setting
7839 | the F Bit in CPSR.
7840 |
7841 | ### IRQ (Normal Interrupt Request)
7842 |
7843 | This interrupt is generated by a LOW level on the nIRQ input. Unlike FIQ, the
7844 | IRQ mode is not having its own banked R8-R12 registers.
7845 |
7846 | IRQ is having lower priority than FIQ, and IRQs are automatically disabled when
7847 | a FIQ exception becomes executed. In privileged (non-user) modes, IRQs may be
7848 | also manually disabled by setting the I Bit in CPSR.
7849 |
7850 | To return from IRQ Mode (continuing at following opcode):
7851 |
7852 | ```
7853 | SUBS PC,R14,4 ;both PC=R14_irq-4, and CPSR=SPSR_irq
7854 | ```
7855 |
7856 | ### Software Interrupt
7857 |
7858 | Generated by a software interrupt instruction (SWI). Recommended to request a
7859 | supervisor (operating system) function. The SWI instruction may also contain a
7860 | parameter in the 'comment field' of the opcode:
7861 |
7862 | In case that your main program issues SWIs from both inside of THUMB and ARM
7863 | states, then your exception handler must separate between 24bit comment fields
7864 | in ARM opcodes, and 8bit comment fields in THUMB opcodes (if necessary
7865 | determine old state by examining T Bit in SPSR\_svc); However, in Little Endian
7866 | mode, you could use only the most significant 8bits of the 24bit ARM comment
7867 | field (as done in the GBA, for example) - the exception handler could then
7868 | process the BYTE at [R14-2], regardless of whether it's been called from ARM or
7869 | THUMB state.
7870 |
7871 | To return from Supervisor Mode (continuing at following opcode):
7872 |
7873 | ```
7874 | MOVS PC,R14 ;both PC=R14_svc, and CPSR=SPSR_svc
7875 | ```
7876 |
7877 | Note: Like all other exceptions, SWIs are always executed in ARM state, no
7878 | matter whether it's been caused by an ARM or THUMB state SWI instruction.
7879 |
7880 | ### Undefined Instruction Exception (supported by ARMv3 and up)
7881 |
7882 | This exception is generated when the CPU comes across an instruction which it
7883 | cannot handle. Most likely signalizing that the program has locked up, and that
7884 | an error message should be displayed.
7885 |
7886 | However, it might be also used to emulate custom functions, ie. as an
7887 | additional 'SWI' instruction (which'd use R14\_und and SPSR\_und though, and it'd
7888 | thus allow to execute the Undefined Instruction handler from inside of
7889 | Supervisor mode without having to save R14\_svc and SPSR\_svc).
7890 |
7891 | To return from Undefined Mode (continuing at following opcode):
7892 |
7893 | ```
7894 | MOVS PC,R14 ;both PC=R14_und, and CPSR=SPSR_und
7895 | ```
7896 |
7897 | Note that not all unused opcodes are necessarily producing an exception, for
7898 | example, an ARM state Multiply instruction with Bit6=1 would be blindly
7899 | accepted as 'legal' opcode.
7900 |
7901 | ### Abort (supported by ARMv3 and up)
7902 |
7903 | Aborts (page faults) are mostly supposed for virtual memory systems (ie. not
7904 | used in GBA, as far as I know), otherwise they might be used just to display an
7905 | error message. Two types of aborts exist:
7906 |
7907 | - Prefetch Abort (occurs during an instruction prefetch)
7908 |
7909 | - Prefetch Abort (also occurs on BKPT opcodes, ARMv5 and up)
7910 |
7911 | - Data Abort (occurs during a data access)
7912 |
7913 | A virtual memory system's abort handler would then most likely determine the
7914 | fault address: For prefetch abort that's just "R14\_abt-4". For Data abort, the
7915 | THUMB or ARM instruction at "R14\_abt-8" needs to be 'disassembled' in order to
7916 | determine the addressed data in memory.
7917 |
7918 | The handler would then fix the error by loading the respective memory page into
7919 | physical memory, and then retry to execute the SAME instruction again, by
7920 | returning as follows:
7921 |
7922 | ```
7923 | prefetch abort: SUBS PC,R14,#4 ;PC=R14_abt-4, and CPSR=SPSR_abt
7924 | data abort: SUBS PC,R14,#8 ;PC=R14_abt-8, and CPSR=SPSR_abt
7925 | ```
7926 |
7927 | Separate exception vectors for prefetch/data abort exist, each should use the
7928 | respective return instruction as shown above.
7929 |
7930 | ### Address Exceeds 26bit
7931 |
7932 | This exception can occur only on old ARM CPUs with 26bit address scheme (or in
7933 | 26bit backwards compatibility mode).
7934 |
7935 | ### Reset
7936 |
7937 | Forces PC=VVVV0000h, and forces control bits of CPSR to T=0 (ARM state), F=1
7938 | and I=1 (disable FIQ and IRQ), and M4-0=10011b (Supervisor mode).
7939 |
7940 | ## ARM CPU Memory Alignments
7941 |
7942 | The CPU does NOT support accessing mis-aligned addresses (which would be rather
7943 | slow because it'd have to merge/split that data into two accesses).
7944 |
7945 | When reading/writing code/data to/from memory, Words and Halfwords must be
7946 | located at well-aligned memory address, ie. 32bit words aligned by 4, and 16bit
7947 | halfwords aligned by 2.
7948 |
7949 | ### Mis-aligned STR,STRH,STM,LDM,LDRD,STRD,PUSH,POP (forced align)
7950 |
7951 | The mis-aligned low bit(s) are ignored, the memory access goes to a forcibly
7952 | aligned (rounded-down) memory address.
7953 |
7954 | For LDRD/STRD, it isn't clearly defined if the address must be aligned by 8 (on
7955 | the NDS, align-4 seems to be okay) (align-8 may be required on other CPUs with
7956 | 64bit databus).
7957 |
7958 | ### Mis-aligned LDR,SWP (rotated read)
7959 |
7960 | Reads from forcibly aligned address "addr AND (NOT 3)", and does then rotate
7961 | the data as "ROR (addr AND 3)\*8". That effect is internally used by LDRB and
7962 | LDRH opcodes (which do then mask-out the unused bits).
7963 |
7964 | The SWP opcode works like a combination of LDR and STR, that means, it does
7965 | read-rotated, but does write-unrotated.
7966 |
7967 | ### Mis-aligned LDRH,LDRSH (does or does not do strange things)
7968 |
7969 | On ARM9 aka ARMv5 aka NDS9:
7970 |
7971 | ```
7972 | LDRH Rd,[odd] --> LDRH Rd,[odd-1] ;forced align
7973 | LDRSH Rd,[odd] --> LDRSH Rd,[odd-1] ;forced align
7974 | ```
7975 |
7976 | On ARM7 aka ARMv4 aka NDS7/GBA:
7977 |
7978 | ```
7979 | LDRH Rd,[odd] --> LDRH Rd,[odd-1] ROR 8 ;read to bit0-7 and bit24-31
7980 | LDRSH Rd,[odd] --> LDRSB Rd,[odd] ;sign-expand BYTE value
7981 | ```
7982 |
7983 | ### Mis-aligned PC/R15 (branch opcodes, or MOV/ALU/LDR with Rd=R15)
7984 |
7985 | For ARM code, the low bits of the target address should be usually zero,
7986 | otherwise, R15 is forcibly aligned by clearing the lower two bits.
7987 |
7988 | For THUMB code, the low bit of the target address may/should/must be set, the
7989 | bit is (or is not) interpreted as thumb-bit (depending on the opcode), and R15
7990 | is then forcibly aligned by clearing the lower bit.
7991 |
7992 | In short, R15 will be always forcibly aligned, so mis-aligned branches won't
7993 | have effect on subsequent opcodes that use R15, or [R15+disp] as operand.
7994 |
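The alignment rules above, written out as a small C model of little-endian memory. This is an added example, not code from GBATEK or no$gba; the `emu_*` names and the sample bytes are constructed for illustration. An emulator, fuzzer harness or static analyser has to reproduce exactly these results when guest code dereferences an odd pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 8 bytes of little-endian memory (not from real hardware). */
static const uint8_t sample_mem[8] = {0x11, 0x22, 0x33, 0x84, 0x55, 0x66, 0x77, 0x88};

static uint32_t ror32(uint32_t v, unsigned n) {
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

/* Aligned accessors: the mis-aligned low address bits are simply dropped. */
static uint32_t read32(const uint8_t *m, uint32_t addr) {
    addr &= ~3u;
    return (uint32_t)m[addr] | (uint32_t)m[addr + 1] << 8 |
           (uint32_t)m[addr + 2] << 16 | (uint32_t)m[addr + 3] << 24;
}
static uint32_t read16(const uint8_t *m, uint32_t addr) {
    addr &= ~1u;
    return (uint32_t)m[addr] | (uint32_t)m[addr + 1] << 8;
}
static void write32(uint8_t *m, uint32_t addr, uint32_t v) {
    addr &= ~3u;
    for (int i = 0; i < 4; i++) m[addr + i] = (uint8_t)(v >> (8 * i));
}

/* STR: forced align, the value is stored unrotated at the rounded-down address. */
void emu_str(uint8_t *m, uint32_t addr, uint32_t rd) { write32(m, addr, rd); }

/* LDR: read from "addr AND (NOT 3)", then rotate by "ROR (addr AND 3)*8". */
uint32_t emu_ldr(const uint8_t *m, uint32_t addr) {
    return ror32(read32(m, addr), (addr & 3) * 8);
}

/* SWP: reads rotated like LDR, writes unrotated like STR; returns the old value. */
uint32_t emu_swp(uint8_t *m, uint32_t addr, uint32_t rm) {
    uint32_t old = emu_ldr(m, addr);
    write32(m, addr, rm);
    return old;
}

/* ARM9 (ARMv5): odd halfword loads are forcibly aligned. */
uint32_t emu_ldrh_arm9(const uint8_t *m, uint32_t addr) { return read16(m, addr); }
int32_t emu_ldrsh_arm9(const uint8_t *m, uint32_t addr) { return (int16_t)read16(m, addr); }

/* ARM7 (ARMv4, GBA): LDRH [odd] rotates by 8, LDRSH [odd] behaves as LDRSB [odd]. */
uint32_t emu_ldrh_arm7(const uint8_t *m, uint32_t addr) {
    return ror32(read16(m, addr), (addr & 1) * 8);
}
int32_t emu_ldrsh_arm7(const uint8_t *m, uint32_t addr) {
    return (addr & 1) ? (int8_t)m[addr] : (int16_t)read16(m, addr);
}

int main(void) {
    uint8_t m[8];
    memcpy(m, sample_mem, sizeof m);
    for (uint32_t a = 0; a < 4; a++)
        printf("LDR  [%u] = %08X\n", (unsigned)a, (unsigned)emu_ldr(m, a));
    printf("LDRH [1] ARM7=%08X ARM9=%08X\n",
           (unsigned)emu_ldrh_arm7(m, 1), (unsigned)emu_ldrh_arm9(m, 1));
    printf("LDRSH[3] ARM7=%08X ARM9=%08X\n",
           (unsigned)emu_ldrsh_arm7(m, 3), (unsigned)emu_ldrsh_arm9(m, 3));
    return 0;
}
```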
7995 | ## ARM Instruction Summary
7996 |
7997 | Modification of CPSR flags is optional for all {S} instructions.
7998 |
7999 | ### Logical ALU Operations
8000 |
8001 | ```
8002 | Instruction Cycles Flags Expl.
8003 | MOV{cond}{S} Rd,Op2 1S+x+y NZc- Rd = Op2
8004 | MVN{cond}{S} Rd,Op2 1S+x+y NZc- Rd = NOT Op2
8005 | ORR{cond}{S} Rd,Rn,Op2 1S+x+y NZc- Rd = Rn OR Op2
8006 | EOR{cond}{S} Rd,Rn,Op2 1S+x+y NZc- Rd = Rn XOR Op2
8007 | AND{cond}{S} Rd,Rn,Op2 1S+x+y NZc- Rd = Rn AND Op2
8008 | BIC{cond}{S} Rd,Rn,Op2 1S+x+y NZc- Rd = Rn AND NOT Op2
8009 | TST{cond}{P} Rn,Op2 1S+x NZc- Void = Rn AND Op2
8010 | TEQ{cond}{P} Rn,Op2 1S+x NZc- Void = Rn XOR Op2
8011 | ```
8012 |
8013 | Add x=1I cycles if Op2 shifted-by-register. Add y=1S+1N cycles if Rd=R15.
8014 |
8015 | Carry flag affected only if Op2 contains a non-zero shift amount.
8016 |
8017 | ### Arithmetic ALU Operations
8018 |
8019 | ```
8020 | Instruction Cycles Flags Expl.
8021 | ADD{cond}{S} Rd,Rn,Op2 1S+x+y NZCV Rd = Rn+Op2
8022 | ADC{cond}{S} Rd,Rn,Op2 1S+x+y NZCV Rd = Rn+Op2+Cy
8023 | SUB{cond}{S} Rd,Rn,Op2 1S+x+y NZCV Rd = Rn-Op2
8024 | SBC{cond}{S} Rd,Rn,Op2 1S+x+y NZCV Rd = Rn-Op2+Cy-1
8025 | RSB{cond}{S} Rd,Rn,Op2 1S+x+y NZCV Rd = Op2-Rn
8026 | RSC{cond}{S} Rd,Rn,Op2 1S+x+y NZCV Rd = Op2-Rn+Cy-1
8027 | CMP{cond}{P} Rn,Op2 1S+x NZCV Void = Rn-Op2
8028 | CMN{cond}{P} Rn,Op2 1S+x NZCV Void = Rn+Op2
8029 | ```
8030 |
8031 | Add x=1I cycles if Op2 shifted-by-register. Add y=1S+1N cycles if Rd=R15.
8032 |
8033 | ### Multiply
8034 |
8035 | ```
8036 | Instruction Cycles Flags Expl.
8037 | MUL{cond}{S} Rd,Rm,Rs 1S+mI NZx- Rd = Rm*Rs
8038 | MLA{cond}{S} Rd,Rm,Rs,Rn 1S+mI+1I NZx- Rd = Rm*Rs+Rn
8039 | UMULL{cond}{S} RdLo,RdHi,Rm,Rs 1S+mI+1I NZx- RdHiLo = Rm*Rs
8040 | UMLAL{cond}{S} RdLo,RdHi,Rm,Rs 1S+mI+2I NZx- RdHiLo = Rm*Rs+RdHiLo
8041 | SMULL{cond}{S} RdLo,RdHi,Rm,Rs 1S+mI+1I NZx- RdHiLo = Rm*Rs
8042 | SMLAL{cond}{S} RdLo,RdHi,Rm,Rs 1S+mI+2I NZx- RdHiLo = Rm*Rs+RdHiLo
8043 | SMLAxy{cond} Rd,Rm,Rs,Rn ARMv5TE(xP) ----q Rd=HalfRm*HalfRs+Rn
8044 | SMLAWy{cond} Rd,Rm,Rs,Rn ARMv5TE(xP) ----q Rd=(Rm*HalfRs)/10000h+Rn
8045 | SMULWy{cond} Rd,Rm,Rs ARMv5TE(xP) ---- Rd=(Rm*HalfRs)/10000h
8046 | SMLALxy{cond} RdLo,RdHi,Rm,Rs ARMv5TE(xP) ---- RdHiLo=RdHiLo+HalfRm*HalfRs
8047 | SMULxy{cond} Rd,Rm,Rs ARMv5TE(xP) ---- Rd=HalfRm*HalfRs
8048 | ```
8049 |
8050 | ### Memory Load/Store
8051 |
8052 | ```
8053 | Instruction Cycles Flags Expl.
8054 | LDR{cond}{B}{T} Rd, 1S+1N+1I+y ---- Rd=[Rn+/-]
8055 | LDR{cond}H Rd, 1S+1N+1I+y ---- Load Unsigned halfword
8056 | LDR{cond}D Rd, ---- Load Dword ARMv5TE
8057 | LDR{cond}SB Rd, 1S+1N+1I+y ---- Load Signed byte
8058 | LDR{cond}SH Rd, 1S+1N+1I+y ---- Load Signed halfword
8059 | LDM{cond}{amod} Rn{!},{^} nS+1N+1I+y ---- Load Multiple
8060 | STR{cond}{B}{T} Rd, 2N ---- [Rn+/-]=Rd
8061 | STR{cond}H Rd, 2N ---- Store halfword
8062 | STR{cond}D Rd, ---- Store Dword ARMv5TE
8063 | STM{cond}{amod} Rn{!},{^} (n-1)S+2N ---- Store Multiple
8064 | SWP{cond}{B} Rd,Rm,[Rn] 1S+2N+1I ---- Rd=[Rn], [Rn]=Rm
8065 | PLD 1S ---- Prepare Cache ARMv5TE
8066 | ```
8067 |
8068 | For LDR/LDM, add y=1S+1N if Rd=R15, or if R15 in Rlist.
8069 |
8070 | ### Jumps, Calls, CPSR Mode, and others
8071 |
8072 | ```
8073 | Instruction Cycles Flags Expl.
8074 | B{cond} label 2S+1N ---- PC=$+8+/-32M
8075 | BL{cond} label 2S+1N ---- PC=$+8+/-32M, LR=$+4
8076 | BX{cond} Rn 2S+1N ---- PC=Rn, T=Rn.0 (THUMB/ARM)
8077 | BLX{cond} Rn 2S+1N ---- PC=Rn, T=Rn.0, LR=PC+4, ARM9
8078 | BLX label 2S+1N ---- PC=PC+$+/-32M, LR=$+4, T=1, ARM9
8079 | MRS{cond} Rd,Psr 1S ---- Rd=Psr
8080 | MSR{cond} Psr{_field},Op 1S (psr) Psr[field]=Op
8081 | SWI{cond} Imm24bit 2S+1N ---- PC=8, ARM Svc mode, LR=$+4
8082 | BKPT Imm16bit ??? ---- PC=C, ARM Abt mode, LR=$+4 ARM9
8083 | The Undefined Instruction 2S+1I+1N ---- PC=4, ARM Und mode, LR=$+4
8084 | cond=false 1S ---- Any opcode with condition=false
8085 | NOP 1S ---- R0=R0
8086 | ```
8087 |
8088 | ```
8089 | CLZ{cond} Rd,Rm ??? ---- Count Leading Zeros ARMv5
8090 | QADD{cond} Rd,Rm,Rn ----q Rd=Rm+Rn ARMv5TE(xP)
8091 | QSUB{cond} Rd,Rm,Rn ----q Rd=Rm-Rn ARMv5TE(xP)
8092 | QDADD{cond} Rd,Rm,Rn ----q Rd=Rm+Rn*2 ARMv5TE(xP)
8093 | QDSUB{cond} Rd,Rm,Rn ----q Rd=Rm-Rn*2 ARMv5TE(xP)
8094 | ```
8095 |
8096 | ### Coprocessor Functions (if any)
8097 |
8098 | ```
8099 | Instruction Cycles Flags Expl.
8100 | CDP{cond} Pn,,Cd,Cn,Cm{,} 1S+bI ---- Coprocessor specific
8101 | STC{cond}{L} Pn,Cd, (n-1)S+2N+bI [address] = CRd
8102 | LDC{cond}{L} Pn,Cd, (n-1)S+2N+bI CRd = [address]
8103 | MCR{cond} Pn,,Rd,Cn,Cm{,} 1S+bI+1C CRn = Rn { CRm}
8104 | MRC{cond} Pn,,Rd,Cn,Cm{,} 1S+(b+1)I+1C Rn = CRn { CRm}
8105 | CDP2,STC2,LDC2,MCR2,MRC2 - ARMv5 Extensions similar above, without {cond}
8106 | MCRR{cond} Pn,,Rd,Rn,Cm ;write Rd,Rn to coproc ARMv5TE
8107 | MRRC{cond} Pn,,Rd,Rn,Cm ;read Rd,Rn from coproc ARMv5TE
8108 | ```
8109 |
8110 | ### ARM Binary Opcode Format
8111 |
8112 | ```
8113 | |..3 ..................2 ..................1 ..................0|
8114 | |1_0_9_8_7_6_5_4_3_2_1_0_9_8_7_6_5_4_3_2_1_0_9_8_7_6_5_4_3_2_1_0|
8115 | |_Cond__|0_0_0|___Op__|S|__Rn___|__Rd___|__Shift__|Typ|0|__Rm___| DataProc
8116 | |_Cond__|0_0_0|___Op__|S|__Rn___|__Rd___|__Rs___|0|Typ|1|__Rm___| DataProc
8117 | |_Cond__|0_0_1|___Op__|S|__Rn___|__Rd___|_Shift_|___Immediate___| DataProc
8118 | |_Cond__|0_0_1_1_0|P|1|0|_Field_|__Rd___|_Shift_|___Immediate___| PSR Imm
8119 | |_Cond__|0_0_0_1_0|P|L|0|_Field_|__Rd___|0_0_0_0|0_0_0_0|__Rm___| PSR Reg
8120 | |_Cond__|0_0_0_1_0_0_1_0_1_1_1_1_1_1_1_1_1_1_1_1|0_0|L|1|__Rn___| BX,BLX
8121 | |1_1_1_0|0_0_0_1_0_0_1_0|_____immediate_________|0_1_1_1|_immed_| BKPT ARM9
8122 | |_Cond__|0_0_0_1_0_1_1_0_1_1_1_1|__Rd___|1_1_1_1|0_0_0_1|__Rm___| CLZ ARM9
8123 | |_Cond__|0_0_0_1_0|Op_|0|__Rn___|__Rd___|0_0_0_0|0_1_0_1|__Rm___| QALU ARM9
8124 | |_Cond__|0_0_0_0_0_0|A|S|__Rd___|__Rn___|__Rs___|1_0_0_1|__Rm___| Multiply
8125 | |_Cond__|0_0_0_0_1|U|A|S|_RdHi__|_RdLo__|__Rs___|1_0_0_1|__Rm___| MulLong
8126 | |_Cond__|0_0_0_1_0|Op_|0|Rd/RdHi|Rn/RdLo|__Rs___|1|y|x|0|__Rm___| MulHalfARM9
8127 | |_Cond__|0_0_0_1_0|B|0_0|__Rn___|__Rd___|0_0_0_0|1_0_0_1|__Rm___| TransSwp12
8128 | |_Cond__|0_0_0|P|U|0|W|L|__Rn___|__Rd___|0_0_0_0|1|S|H|1|__Rm___| TransReg10
8129 | |_Cond__|0_0_0|P|U|1|W|L|__Rn___|__Rd___|OffsetH|1|S|H|1|OffsetL| TransImm10
8130 | |_Cond__|0_1_0|P|U|B|W|L|__Rn___|__Rd___|_________Offset________| TransImm9
8131 | |_Cond__|0_1_1|P|U|B|W|L|__Rn___|__Rd___|__Shift__|Typ|0|__Rm___| TransReg9
8132 | |_Cond__|0_1_1|________________xxx____________________|1|__xxx__| Undefined
8133 | |_Cond__|1_0_0|P|U|S|W|L|__Rn___|__________Register_List________| BlockTrans
8134 | |_Cond__|1_0_1|L|___________________Offset______________________| B,BL,BLX
8135 | |_Cond__|1_1_0|P|U|N|W|L|__Rn___|__CRd__|__CP#__|____Offset_____| CoDataTrans
8136 | |_Cond__|1_1_0_0_0_1_0|L|__Rn___|__Rd___|__CP#__|_CPopc_|__CRm__| CoRR ARM9
8137 | |_Cond__|1_1_1_0|_CPopc_|__CRn__|__CRd__|__CP#__|_CP__|0|__CRm__| CoDataOp
8138 | |_Cond__|1_1_1_0|CPopc|L|__CRn__|__Rd___|__CP#__|_CP__|1|__CRm__| CoRegTrans
8139 | |_Cond__|1_1_1_1|_____________Ignored_by_Processor______________| SWI
8140 | ```
8141 |
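The table above turned into a mask/value classifier for 32-bit ARM words, as a disassembler or emulator front end would use it. This is an added example, not code from GBATEK or no$gba: it covers only the rows without an "ARM9" tag (the ARMv4T set used by the GBA), and the `K_*` names, the most-specific-first row order and the `K_NOT_IN_TABLE` result are assumptions of this sketch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    K_BX, K_PSR_IMM, K_PSR_REG, K_MULTIPLY, K_MUL_LONG, K_SWP,
    K_TRANS_REG10, K_TRANS_IMM10, K_DATAPROC, K_TRANS_IMM9, K_UNDEFINED,
    K_TRANS_REG9, K_BLOCK_TRANS, K_BRANCH, K_CO_DATA_TRANS, K_CO_DATA_OP,
    K_CO_REG_TRANS, K_SWI, K_NOT_IN_TABLE
} arm_kind;

struct row { uint32_t mask, value; arm_kind kind; };

/* One entry per table row; bits 31-28 (Cond) are never part of the mask.
   ARM9-only rows are omitted, so an ARM9 opcode is reported under whichever
   ARMv4 row its bit pattern overlaps. */
static const struct row rows[] = {
    {0x0FFFFFF0u, 0x012FFF10u, K_BX},            /* BX Rn                       */
    {0x0FB00000u, 0x03200000u, K_PSR_IMM},       /* MSR Psr,Imm                 */
    {0x0F900FF0u, 0x01000000u, K_PSR_REG},       /* MRS / MSR Psr,Rm            */
    {0x0FC000F0u, 0x00000090u, K_MULTIPLY},      /* MUL, MLA                    */
    {0x0F8000F0u, 0x00800090u, K_MUL_LONG},      /* UMULL..SMLAL                */
    {0x0FB00FF0u, 0x01000090u, K_SWP},           /* TransSwp12                  */
    {0x0E0000F0u, 0x00000090u, K_NOT_IN_TABLE},  /* bits 7-4=1001, no row left  */
    {0x0E400F90u, 0x00000090u, K_TRANS_REG10},   /* halfword/signed, reg offset */
    {0x0E400090u, 0x00400090u, K_TRANS_IMM10},   /* halfword/signed, imm offset */
    {0x0E000010u, 0x00000000u, K_DATAPROC},      /* Op2 = Rm shifted by imm     */
    {0x0E000090u, 0x00000010u, K_DATAPROC},      /* Op2 = Rm shifted by Rs      */
    {0x0E000000u, 0x02000000u, K_DATAPROC},      /* Op2 = rotated immediate     */
    {0x0E000000u, 0x04000000u, K_TRANS_IMM9},    /* LDR/STR, imm offset         */
    {0x0E000010u, 0x06000010u, K_UNDEFINED},     /* cond011x...x1xxxx           */
    {0x0E000010u, 0x06000000u, K_TRANS_REG9},    /* LDR/STR, reg offset         */
    {0x0E000000u, 0x08000000u, K_BLOCK_TRANS},   /* LDM/STM                     */
    {0x0E000000u, 0x0A000000u, K_BRANCH},        /* B, BL                       */
    {0x0E000000u, 0x0C000000u, K_CO_DATA_TRANS}, /* LDC/STC                     */
    {0x0F000010u, 0x0E000000u, K_CO_DATA_OP},    /* CDP                         */
    {0x0F000010u, 0x0E000010u, K_CO_REG_TRANS},  /* MRC/MCR                     */
    {0x0F000000u, 0x0F000000u, K_SWI},           /* SWI                         */
};

/* Return the first row whose fixed bits all match the opcode. */
arm_kind classify(uint32_t opcode) {
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        if ((opcode & rows[i].mask) == rows[i].value)
            return rows[i].kind;
    return K_NOT_IN_TABLE;
}

int main(void) {
    /* Constructed sample words: BX R14, MOV R0,R0, LDRH R1,[R0], SWI 5. */
    const uint32_t words[] = {0xE12FFF1Eu, 0xE1A00000u, 0xE1D010B0u, 0xEF000005u};
    for (size_t i = 0; i < sizeof words / sizeof words[0]; i++)
        printf("%08X -> kind %d\n", (unsigned)words[i], (int)classify(words[i]));
    return 0;
}
```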
8142 | ## ARM Opcodes: Branch and Branch with Link (B, BL, BX, BLX, SWI, BKPT)
8143 |
8144 | ### Branch and Branch with Link (B, BL, BLX\_imm)
8145 |
8146 | Branch (B) is supposed to jump to a subroutine. Branch with Link is meant to be
8147 | used to call a subroutine; the return address is then saved in R14.
8148 |
8149 | ```
8150 | Bit Expl.
8151 | 31-28 Condition (must be 1111b for BLX)
8152 | 27-25 Must be "101" for this instruction
8153 | 24 Opcode (0-1) (or Halfword Offset for BLX)
8154 | 0: B{cond} label ;branch PC=PC+8+nn*4
8155 | 1: BL{cond} label ;branch/link PC=PC+8+nn*4, LR=PC+4
8156 | H: BLX label ;ARM9 ;branch/link/thumb PC=PC+8+nn*4+H*2, LR=PC+4, T=1
8157 | 23-0 nn - Signed Offset, step 4 (-32M..+32M in steps of 4)
8158 | ```
8159 |
8160 | Branch with Link can be used to 'call' to a sub-routine, which may then
8161 | 'return' by MOV PC,R14 for example.
8162 |
8163 | Execution Time: 2S + 1N
8164 |
8165 | Return: No flags affected.
8166 |
8167 | ### Branch and Exchange (BX, BLX\_reg)
8168 |
8169 | ```
8170 | Bit Expl.
8171 | 31-28 Condition
8172 | 27-8 Must be "0001.0010.1111.1111.1111" for this instruction
8173 | 7-4 Opcode
8174 | 0001b: BX{cond} Rn ;PC=Rn, T=Rn.0 (ARMv4T and ARMv5 and up)
8175 | 0011b: BLX{cond} Rn ;PC=Rn, T=Rn.0, LR=PC+4 (ARMv5 and up)
8176 | 3-0 Rn - Operand Register (R0-R14)
8177 | ```
8178 |
8179 | Switching to THUMB Mode: Set Bit 0 of the value in Rn to 1, program continues
8180 | then at Rn-1 in THUMB mode.
8181 |
8182 | Results in undefined behaviour if using R15 (PC+8 itself) as operand. Using BLX
8183 | R14 is possible (sets PC=Old\_LR, and New\_LR=retadr).
8184 |
8185 | Execution Time: 2S + 1N
8186 |
8187 | Return: No flags affected.
8188 |
8189 | ### Branch via ALU, LDR, LDM
8190 |
8191 | Most ALU, LDR, LDM opcodes can also change PC/R15.
8192 |
8193 | ### Software Interrupt (SWI/BKPT) (svc/abt exceptions)
8194 |
8195 | SWI is intended for calls to the operating system; it enters Supervisor mode
8196 | (SVC) in ARM state. BKPT is intended for debugging; it enters Abort mode in ARM
8197 | state via the Prefetch Abort vector.
8198 |
8199 | ```
8200 | Bit Expl.
8201 | 31-28 Condition (must be 1110b for BKPT, ie. Condition=always)
8202 | 27-24 Opcode
8203 | 1111b: SWI{cond} nn ;software interrupt
8204 | 0001b: BKPT nn ;breakpoint (ARMv5 and up)
8205 | For SWI:
8206 | 23-0 nn - Comment Field, ignored by processor (24bit value)
8207 | For BKPT:
8208 | 23-20 Must be 0010b for BKPT
8209 | 19-8 nn - upper 12bits of comment field, ignored by processor
8210 | 7-4 Must be 0111b for BKPT
8211 | 3-0 nn - lower 4bits of comment field, ignored by processor
8212 | ```
8213 |
8214 | Execution Time: 2S+1N
8215 |
8216 | The exception handler may interpret the SWI Comment Field by examining the
8217 | lower 24bit of the 32bit opcode at [R14\_svc-4]. If you are also using
8218 | SWIs from inside of THUMB, then the SWI handler must examine the T Bit in
8219 | SPSR\_svc in order to determine whether it's been a THUMB SWI - and if so,
8220 | examine the lower 8bit of the 16bit opcode at [R14\_svc-2].
8221 |
8222 | For Returning from SWI use "MOVS PC,R14", that instruction does restore both PC
8223 | and CPSR, ie. PC=R14\_svc, and CPSR=SPSR\_svc.
8224 |
8225 | Nesting SWIs: SPSR\_svc and R14\_svc should be saved on stack before either
8226 | invoking nested SWIs, or (if the IRQ handler uses SWIs) before enabling IRQs.
8227 |
8228 | Execution SWI/BKPT:
8229 |
8230 | ```
8231 | R14_svc=PC+4 R14_abt=PC+4 ;save return address
8232 | SPSR_svc=CPSR SPSR_abt=CPSR ;save CPSR flags
8233 | CPSR= CPSR= ;Enter svc/abt, ARM state, IRQs disabled
8234 | PC=VVVV0008h PC=VVVV000Ch ;jump to SWI/PrefetchAbort vector address
8235 | ```
8236 |
8237 | ### Undefined Instruction (und exception)
8238 |
8239 | ```
8240 | Bit Expl.
8241 | 31-28 Condition
8242 | 27-25 Must be 011b for this instruction
8243 | 24-5 Reserved for future use
8244 | 4 Must be 1b for this instruction
8245 | 3-0 Reserved for future use
8246 | ```
8247 |
8248 | No assembler mnemonic exists; the following bitstreams are (not) reserved.
8249 |
8250 | ```
8251 | cond011xxxxxxxxxxxxxxxxxxxx1xxxx - reserved for future use (except below).
8252 | cond01111111xxxxxxxxxxxx1111xxxx - free for user.
8253 | ```
8254 |
8255 | Execution time: 2S+1I+1N.
8256 |
8257 | ## ARM Opcodes: Data Processing (ALU)
8258 |
8259 | ### Opcode Format
8260 |
8261 | ```
8262 | Bit Expl.
8263 | 31-28 Condition
8264 | 27-26 Must be 00b for this instruction
8265 | 25 I - Immediate 2nd Operand Flag (0=Register, 1=Immediate)
8266 | 24-21 Opcode (0-Fh) ;*=Arithmetic, otherwise Logical
8267 | 0: AND{cond}{S} Rd,Rn,Op2 ;AND logical Rd = Rn AND Op2
8268 | 1: EOR{cond}{S} Rd,Rn,Op2 ;XOR logical Rd = Rn XOR Op2
8269 | 2: SUB{cond}{S} Rd,Rn,Op2 ;* ;subtract Rd = Rn-Op2
8270 | 3: RSB{cond}{S} Rd,Rn,Op2 ;* ;subtract reversed Rd = Op2-Rn
8271 | 4: ADD{cond}{S} Rd,Rn,Op2 ;* ;add Rd = Rn+Op2
8272 | 5: ADC{cond}{S} Rd,Rn,Op2 ;* ;add with carry Rd = Rn+Op2+Cy
8273 | 6: SBC{cond}{S} Rd,Rn,Op2 ;* ;sub with carry Rd = Rn-Op2+Cy-1
8274 | 7: RSC{cond}{S} Rd,Rn,Op2 ;* ;sub cy. reversed Rd = Op2-Rn+Cy-1
8275 | 8: TST{cond}{P} Rn,Op2 ;test Void = Rn AND Op2
8276 | 9: TEQ{cond}{P} Rn,Op2 ;test exclusive Void = Rn XOR Op2
8277 | A: CMP{cond}{P} Rn,Op2 ;* ;compare Void = Rn-Op2
8278 | B: CMN{cond}{P} Rn,Op2 ;* ;compare neg. Void = Rn+Op2
8279 | C: ORR{cond}{S} Rd,Rn,Op2 ;OR logical Rd = Rn OR Op2
8280 | D: MOV{cond}{S} Rd,Op2 ;move Rd = Op2
8281 | E: BIC{cond}{S} Rd,Rn,Op2 ;bit clear Rd = Rn AND NOT Op2
8282 | F: MVN{cond}{S} Rd,Op2 ;not Rd = NOT Op2
8283 | 20 S - Set Condition Codes (0=No, 1=Yes) (Must be 1 for opcode 8-B)
8284 | 19-16 Rn - 1st Operand Register (R0..R15) (including PC=R15)
8285 | Must be 0000b for MOV/MVN.
8286 | 15-12 Rd - Destination Register (R0..R15) (including PC=R15)
8287 | Must be 0000b (or 1111b) for CMP/CMN/TST/TEQ{P}.
8288 | When above Bit 25 I=0 (Register as 2nd Operand)
8289 | When below Bit 4 R=0 - Shift by Immediate
8290 | 11-7 Is - Shift amount (1-31, 0=Special/See below)
8291 | When below Bit 4 R=1 - Shift by Register
8292 | 11-8 Rs - Shift register (R0-R14) - only lower 8bit 0-255 used
8293 | 7 Reserved, must be zero (otherwise multiply or undefined opcode)
8294 | 6-5 Shift Type (0=LSL, 1=LSR, 2=ASR, 3=ROR)
8295 | 4 R - Shift by Register Flag (0=Immediate, 1=Register)
8296 | 3-0 Rm - 2nd Operand Register (R0..R15) (including PC=R15)
8297 | When above Bit 25 I=1 (Immediate as 2nd Operand)
8298 | 11-8 Is - ROR-Shift applied to nn (0-30, in steps of 2)
8299 | 7-0 nn - 2nd Operand Unsigned 8bit Immediate
8300 | ```
8301 |
8302 | ### Second Operand (Op2)
8303 |
8304 | This may be a shifted register, or a shifted immediate. See Bit 25 and 11-0.
8305 |
8306 | Unshifted Register: Specify Op2 as "Rm", assembler converts to "Rm,LSL#0".
8307 |
8308 | Shifted Register: Specify as "Rm,SSS#Is" or "Rm,SSS Rs" (SSS=LSL/LSR/ASR/ROR).
8309 |
8310 | Immediate: Specify as 32bit value, for example: "#000NN000h", assembler should
8311 | automatically convert into "#0NNh,ROR#0ssh" as far as possible (ie. as far as a
8312 | section of not more than 8bits of the immediate is non-zero).
8313 |
8314 | ### Zero Shift Amount (Shift Register by Immediate, with Immediate=0)
8315 |
8316 | ```
8317 | LSL#0: No shift performed, ie. directly Op2=Rm, the C flag is NOT affected.
8318 | LSR#0: Interpreted as LSR#32, ie. Op2 becomes zero, C becomes Bit 31 of Rm.
8319 | ASR#0: Interpreted as ASR#32, ie. Op2 and C are filled by Bit 31 of Rm.
8320 | ROR#0: Interpreted as RRX#1 (RCR), like ROR#1, but Op2 Bit 31 set to old C.
8321 | ```
8322 |
8323 | In source code, LSR#32, ASR#32, and RRX#1 should be specified as such -
8324 | attempts to specify LSR#0, ASR#0, or ROR#0 will be internally converted to
8325 | LSL#0 by the assembler.
8326 |
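The Op2 rules above as a C model: the shift-by-immediate forms with their zero-amount special cases, the rotated 8bit immediate, and the search an assembler performs to encode a 32bit constant. This is an added example, not code from GBATEK or no$gba; the function names are made up for illustration, the shift-by-register form (R=1) is deliberately not modelled, and the rule that a non-zero immediate rotation sets C to bit 31 of the result comes from the ARM architecture, not from this page.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t value; int carry; } op2_result;

enum { LSL = 0, LSR = 1, ASR = 2, ROR = 3 };   /* Shift Type, bits 6-5 */

/* Register shifted by immediate (I=0, R=0). is = bits 11-7, c_in = current C flag. */
op2_result shift_by_immediate(unsigned type, unsigned is, uint32_t rm, int c_in) {
    op2_result r = { rm, c_in };
    is &= 31;
    switch (type & 3) {
    case LSL:                                   /* LSL#0: value and C untouched */
        if (is) { r.carry = (rm >> (32 - is)) & 1; r.value = rm << is; }
        break;
    case LSR:                                   /* LSR#0 means LSR#32 */
        if (is == 0) { r.carry = rm >> 31; r.value = 0; }
        else { r.carry = (rm >> (is - 1)) & 1; r.value = rm >> is; }
        break;
    case ASR:                                   /* ASR#0 means ASR#32 */
        if (is == 0) { r.carry = rm >> 31; r.value = r.carry ? 0xFFFFFFFFu : 0; }
        else {
            r.carry = (rm >> (is - 1)) & 1;
            r.value = (rm >> is) | ((rm >> 31) ? ~(0xFFFFFFFFu >> is) : 0);
        }
        break;
    case ROR:                                   /* ROR#0 means RRX#1 */
        if (is == 0) { r.carry = rm & 1; r.value = (rm >> 1) | ((uint32_t)c_in << 31); }
        else { r.value = (rm >> is) | (rm << (32 - is)); r.carry = r.value >> 31; }
        break;
    }
    return r;
}

/* Immediate operand (I=1): nn (bits 7-0) rotated right by 2*Is (bits 11-8). */
op2_result rotated_immediate(unsigned is, uint32_t nn, int c_in) {
    unsigned rot = (is & 15) * 2;
    op2_result r = { nn & 0xFF, c_in };
    if (rot) { r.value = (r.value >> rot) | (r.value << (32 - rot)); r.carry = r.value >> 31; }
    return r;
}

/* Decode Op2 from a data-processing opcode. regs[] holds the operand values the
   caller wants R0..R15 to read as. Returns 0 for the unmodelled R=1 form. */
int decode_op2(uint32_t opcode, const uint32_t regs[16], int c_in, op2_result *out) {
    if (opcode & (1u << 25)) {
        *out = rotated_immediate((opcode >> 8) & 15, opcode & 0xFF, c_in);
        return 1;
    }
    if (opcode & (1u << 4)) return 0;           /* shift by register */
    *out = shift_by_immediate((opcode >> 5) & 3, (opcode >> 7) & 31, regs[opcode & 15], c_in);
    return 1;
}

/* Assembler side: find Is/nn so that nn ROR (2*Is) == value. Returns 0 when the
   non-zero bits do not fit into 8 bits at an even rotation. */
int encode_immediate(uint32_t value, uint32_t *field) {
    for (unsigned is = 0; is < 16; is++) {
        unsigned rot = is * 2;
        uint32_t nn = rot ? (value << rot) | (value >> (32 - rot)) : value;
        if (nn <= 0xFF) { *field = (is << 8) | nn; return 1; }
    }
    return 0;
}

int main(void) {
    uint32_t field = 0;
    op2_result r = shift_by_immediate(ROR, 0, 0x80000001u, 0);
    printf("RRX of 80000001, C=0 -> %08X, C=%d\n", (unsigned)r.value, r.carry);
    if (encode_immediate(0x000FF000u, &field))
        printf("#000FF000h encodes as Op2 field %03X\n", (unsigned)field);
    return 0;
}
```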
8327 | ### Using R15 (PC)
8328 |
8329 | When using R15 as Destination (Rd), note below CPSR description and Execution
8330 | time description.
8331 |
8332 | When using R15 as operand (Rm or Rn), the returned value depends on the
8333 | instruction: PC+12 if I=0,R=1 (shift by register), otherwise PC+8 (shift by
8334 | immediate).
8335 |
8336 | ### Returned CPSR Flags
8337 |
8338 | If S=1, Rd\<>R15, logical operations (AND,EOR,TST,TEQ,ORR,MOV,BIC,MVN):
8339 |
8340 | ```
8341 | V=not affected
8342 | C=carryflag of shift operation (not affected if LSL#0 or Rs=00h)
8343 | Z=zeroflag of result
8344 | N=signflag of result (result bit 31)
8345 | ```
8346 |
8347 | If S=1, Rd\<>R15, arithmetic operations (SUB,RSB,ADD,ADC,SBC,RSC,CMP,CMN):
8348 |
8349 | ```
8350 | V=overflowflag of result
8351 | C=carryflag of result
8352 | Z=zeroflag of result
8353 | N=signflag of result (result bit 31)
8354 | ```
8355 |
8356 | If S=1, with unused Rd bits=1111b, {P} opcodes (CMPP/CMNP/TSTP/TEQP):
8357 |
8358 | ```
8359 | R15=result ;modify PSR bits in R15, ARMv2 and below only.
8360 | In user mode only N,Z,C,V bits of R15 can be changed.
8361 | In other modes additionally I,F,M1,M0 can be changed.
8362 | The PC bits in R15 are left unchanged in all modes.
8363 | ```
8364 |
8365 | If S=1, Rd=R15; should not be used in user mode:
8366 |
8367 | ```
8368 | CPSR = SPSR_
8369 | PC = result
8370 | For example: MOVS PC,R14 ;return from SWI (PC=R14_svc, CPSR=SPSR_svc).
8371 | ```
8372 |
8373 | If S=0: Flags are not affected (not allowed for CMP,CMN,TEQ,TST).
8374 |
8375 | The instruction "MOV R0,R0" is used as "NOP" opcode in 32bit ARM state.
8376 |
8377 | Execution Time: (1+p)S+rI+pN. Whereas r=1 if I=0 and R=1 (ie. shift by
8378 | register); otherwise r=0. And p=1 if Rd=R15; otherwise p=0.
8379 |
8380 | ## ARM Opcodes: Multiply and Multiply-Accumulate (MUL, MLA)
8381 |
8382 | ### Opcode Format
8383 |
8384 | ```
8385 | Bit Expl.
8386 | 31-28 Condition
8387 | 27-25 Must be 000b for this instruction
8388 | 24-21 Opcode
8389 | 0000b: MUL{cond}{S} Rd,Rm,Rs ;multiply Rd = Rm*Rs
8390 | 0001b: MLA{cond}{S} Rd,Rm,Rs,Rn ;mul.& accumulate Rd = Rm*Rs+Rn
8391 | 0100b: UMULL{cond}{S} RdLo,RdHi,Rm,Rs ;multiply RdHiLo=Rm*Rs
8392 | 0101b: UMLAL{cond}{S} RdLo,RdHi,Rm,Rs ;mul.& acc. RdHiLo=Rm*Rs+RdHiLo
8393 | 0110b: SMULL{cond}{S} RdLo,RdHi,Rm,Rs ;sign.mul. RdHiLo=Rm*Rs
8394 | 0111b: SMLAL{cond}{S} RdLo,RdHi,Rm,Rs ;sign.m&a. RdHiLo=Rm*Rs+RdHiLo
8395 | 1000b: SMLAxy{cond} Rd,Rm,Rs,Rn ;Rd=HalfRm*HalfRs+Rn
8396 | 1001b: SMLAWy{cond} Rd,Rm,Rs,Rn ;Rd=(Rm*HalfRs)/10000h+Rn
8397 | 1001b: SMULWy{cond} Rd,Rm,Rs ;Rd=(Rm*HalfRs)/10000h
8398 | 1010b: SMLALxy{cond} RdLo,RdHi,Rm,Rs ;RdHiLo=RdHiLo+HalfRm*HalfRs
8399 | 1011b: SMULxy{cond} Rd,Rm,Rs ;Rd=HalfRm*HalfRs
8400 | 20 S - Set Condition Codes (0=No, 1=Yes) (Must be 0 for Halfword mul)
8401 | 19-16 Rd (or RdHi) - Destination Register (R0-R14)
8402 | 15-12 Rn (or RdLo) - Accumulate Register (R0-R14) (Set to 0000b if unused)
8403 | 11-8 Rs - Operand Register (R0-R14)
8404 | For Non-Halfword Multiplies
8405 | 7-4 Must be 1001b for these instructions
8406 | For Halfword Multiplies
8407 | 7 Must be 1 for these instructions
8408 | 6 y - Rs Top/Bottom flag (0=B=Lower 16bit, 1=T=Upper 16bit)
8409 | 5 x - Rm Top/Bottom flag (as above), or 0 for SMLAW, or 1 for SMULW
8410 | 4 Must be 0 for these instructions
8411 | 3-0 Rm - Operand Register (R0-R14)
8412 | ```
8413 |
8414 | ### Multiply and Multiply-Accumulate (MUL, MLA)
8415 |
8416 | Restrictions: Rd may not be same as Rm. Rd,Rn,Rs,Rm may not be R15.
8417 |
8418 | Note: Only the lower 32bit of the internal 64bit result are stored in Rd, thus
8419 | no sign/zero extension is required and MUL and MLA can be used for both signed
8420 | and unsigned calculations!
8421 |
8422 | Execution Time: 1S+mI for MUL, and 1S+(m+1)I for MLA. Whereas 'm' depends on
8423 | whether/how many most significant bits of Rs are all zero or all one. That is
8424 | m=1 for Bit 31-8, m=2 for Bit 31-16, m=3 for Bit 31-24, and m=4 otherwise.
8425 |
8426 | Flags (if S=1): Z=zeroflag, N=signflag, C=destroyed (ARMv4 and below) or C=not
8427 | affected (ARMv5 and up), V=not affected. MUL/MLA supported by ARMv2 and up.
8428 |
8429 | ### Multiply Long and Multiply-Accumulate Long (MULL, MLAL)
8430 |
8431 | Optionally supported, INCLUDED in ARMv3M, EXCLUDED in ARMv4xM/ARMv5xM.
8432 |
8433 | Restrictions: RdHi,RdLo,Rm must be different registers. R15 may not be used.
8434 |
8435 | Execution Time: 1S+(m+1)I for MULL, and 1S+(m+2)I for MLAL. Whereas 'm' depends
8436 | on whether/how many most significant bits of Rs are "all zero" (UMULL/UMLAL) or
8437 | "all zero or all one" (SMULL,SMLAL). That is m=1 for Bit31-8, m=2 for Bit31-16,
8438 | m=3 for Bit31-24, and m=4 otherwise.
8439 |
8440 | Flags (if S=1): Z=zeroflag, N=signflag, C=destroyed (ARMv4 and below) or C=not
8441 | affected (ARMv5 and up), V=destroyed??? (ARMv4 and below???) or V=not affected
8442 | (ARMv5 and up).
8443 |
8444 | ### Signed Halfword Multiply (SMLAxy,SMLAWy,SMLALxy,SMULxy,SMULWy)
8445 |
8446 | Supported by E variants of ARMv5 and up, ie. ARMv5TE(xP).
8447 |
8448 | Q-flag gets set on 32bit SMLAxy/SMLAWy addition overflows, however, the result
8449 | is NOT truncated (as it'd be done with QADD opcodes).
8450 |
8451 | Q-flag is NOT affected on (rare) 64bit SMLALxy addition overflows.
8452 |
8453 | SMULxy/SMULWy cannot overflow, and thus leave Q-flag unchanged as well.
8454 |
8455 | NZCV-flags are not affected by Halfword multiplies.
8456 |
8457 | Execution Time: 1S+Interlock (SMULxy,SMLAxy,SMULWx,SMLAWx)
8458 |
8459 | Execution Time: 1S+1I+Interlock (SMLALxy)
8460 |
8461 | ## ARM Opcodes: Special ARM9 Instructions (CLZ, QADD/QSUB)
8462 |
8463 | ### Count Leading Zeros (CLZ)
8464 |
8465 | ```
8466 | Bit Expl.
8467 | 31-28 Condition
8468 | 27-16 Must be 0001.0110.1111b for this instruction
8469 | Opcode (fixed)
8470 | CLZ{cond} Rd,Rm ;Rd=Number of leading zeros in Rm
8471 | 15-12 Rd - Destination Register (R0-R14)
8472 | 11-4 Must be 1111.0001b for this instruction
8473 | 3-0 Rm - Source Register (R0-R14)
8474 | ```
8475 |
8476 | CLZ supported by ARMv5 and up. Execution time: 1S.
8477 |
8478 | Return: No Flags affected. Rd=0..32.
8479 |
8480 | ### Opcode Format (QADD/QSUB)
8481 |
8482 | ```
8483 | Bit Expl.
8484 | 31-28 Condition
8485 | 27-24 Must be 0001b for this instruction
8486 | 23-20 Opcode
8487 | 0000b: QADD{cond} Rd,Rm,Rn ;Rd=Rm+Rn
8488 | 0010b: QSUB{cond} Rd,Rm,Rn ;Rd=Rm-Rn
8489 | 0100b: QDADD{cond} Rd,Rm,Rn ;Rd=Rm+Rn*2 (doubled)
8490 | 0110b: QDSUB{cond} Rd,Rm,Rn ;Rd=Rm-Rn*2 (doubled)
8491 | 19-16 Rn - Second Source Register (R0-R14)
8492 | 15-12 Rd - Destination Register (R0-R14)
8493 | 11-4 Must be 00000101b for this instruction
8494 | 3-0 Rm - First Source Register (R0-R14)
8495 | ```
8496 |
8497 | Supported by E variants of ARMv5 and up, ie. ARMv5TE(xP).
8498 |
8499 | Execution time: 1S+Interlock.
8500 |
8501 | Results truncated to signed 32bit range in case of overflows, with the Q-flag
8502 | being set (and being left unchanged otherwise). NZCV flags are not affected.
8503 |
8504 | Note: Rn\*2 is internally processed first, and may get truncated - even if the
8505 | final result would fit into range.
8506 |
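A C model of the saturating opcodes above, set beside SMLAxy from the Signed Halfword Multiply section, whose addition sets Q but does not truncate. This is an added example, not code from GBATEK or no$gba; the function names and the `int *q` stand-in for the sticky Q flag are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Clamp a wide intermediate to signed 32bit range. Q is sticky: it is set on
   clamping and otherwise left unchanged, never cleared here. */
static int32_t sat32(int64_t v, int *q) {
    if (v > INT32_MAX) { *q = 1; return INT32_MAX; }
    if (v < INT32_MIN) { *q = 1; return INT32_MIN; }
    return (int32_t)v;
}

int32_t qadd(int32_t rm, int32_t rn, int *q) { return sat32((int64_t)rm + rn, q); }
int32_t qsub(int32_t rm, int32_t rn, int *q) { return sat32((int64_t)rm - rn, q); }

/* QDADD/QDSUB: Rn*2 is saturated first, then the add/sub is saturated again,
   so the doubling can clamp even when Rm +/- Rn*2 itself would fit. */
int32_t qdadd(int32_t rm, int32_t rn, int *q) {
    int32_t doubled = sat32((int64_t)rn * 2, q);
    return sat32((int64_t)rm + doubled, q);
}
int32_t qdsub(int32_t rm, int32_t rn, int *q) {
    int32_t doubled = sat32((int64_t)rn * 2, q);
    return sat32((int64_t)rm - doubled, q);
}

/* SMLAxy: Rd = HalfRm*HalfRs + Rn. x/y select the top (1) or bottom (0) halfword.
   On overflow of the 32bit addition Q is set, but the result wraps instead of
   being clamped. */
int32_t smlaxy(uint32_t rm, uint32_t rs, int32_t rn, int x, int y, int *q) {
    int16_t a = (int16_t)(x ? rm >> 16 : rm & 0xFFFF);
    int16_t b = (int16_t)(y ? rs >> 16 : rs & 0xFFFF);
    int64_t wide = (int64_t)a * b + rn;
    if (wide > INT32_MAX || wide < INT32_MIN) *q = 1;
    return (int32_t)(uint32_t)(uint64_t)wide;
}

int main(void) {
    int q = 0;
    /* Mathematically -40000000h + 2*40000000h = 40000000h fits, yet Q gets set. */
    int32_t r = qdadd(-0x40000000, 0x40000000, &q);
    printf("QDADD  -> %08X, Q=%d\n", (unsigned)r, q);
    q = 0;
    r = smlaxy(0x00007FFFu, 0x00007FFFu, INT32_MAX, 0, 0, &q);
    printf("SMLABB -> %08X, Q=%d\n", (unsigned)r, q);
    return 0;
}
```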
8507 | ## ARM Opcodes: PSR Transfer (MRS, MSR)
8508 |
8509 | ### Opcode Format
8510 |
8511 | These instructions occupy an unused area (TEQ,TST,CMP,CMN with S=0) of ALU
8512 | opcodes.
8513 |
8514 | ```
8515 | Bit Expl.
8516 | 31-28 Condition
8517 | 27-26 Must be 00b for this instruction
8518 | 25 I - Immediate Operand Flag (0=Register, 1=Immediate) (Zero for MRS)
8519 | 24-23 Must be 10b for this instruction
8520 | 22 Psr - Source/Destination PSR (0=CPSR, 1=SPSR_)
8521 | 21 Opcode
8522 | 0: MRS{cond} Rd,Psr ;Rd = Psr
8523 | 1: MSR{cond} Psr{_field},Op ;Psr[field] = Op
8524 | 20 Must be 0b for this instruction (otherwise TST,TEQ,CMP,CMN)
8525 | For MRS:
8526 | 19-16 Must be 1111b for this instruction (otherwise SWP)
8527 | 15-12 Rd - Destination Register (R0-R14)
8528 | 11-0 Not used, must be zero.
8529 | For MSR:
8530 | 19 f write to flags field Bit 31-24 (aka _flg)
8531 | 18 s write to status field Bit 23-16 (reserved, don't change)
8532 | 17 x write to extension field Bit 15-8 (reserved, don't change)
8533 | 16 c write to control field Bit 7-0 (aka _ctl)
8534 | 15-12 Not used, must be 1111b.
8535 | For MSR Psr,Rm (I=0)
8536 | 11-4 Not used, must be zero. (otherwise BX)
8537 | 3-0 Rm - Source Register (R0-R14)
8538 | For MSR Psr,Imm (I=1)
8539 | 11-8 Shift applied to Imm (ROR in steps of two 0-30)
8540 | 7-0 Imm - Unsigned 8bit Immediate
8541 | In source code, a 32bit immediate should be specified as operand.
8542 | The assembler should then convert that into a shifted 8bit value.
8543 | ```
8544 |
8545 | MSR/MRS and CPSR/SPSR supported by ARMv3 and up.
8546 |
8547 | ARMv2 and below contained PSR flags in R15, accessed by CMP/CMN/TST/TEQ{P}.
8548 |
8549 | The field mask bits specify which bits of the destination Psr are write-able
8550 | (or write-protected), one or more of these bits should be set, for example,
8551 | CPSR\_fsxc (aka CPSR aka CPSR\_all) unlocks all bits (see below user mode
8552 | restriction though).
8553 |
8554 | Restrictions:
8555 |
8556 | In non-privileged mode (user mode): only condition code bits of CPSR can be
8557 | changed, control bits can't.
8558 |
8559 | Only the SPSR of the current mode can be accessed; In User and System modes no
8560 | SPSR exists.
8561 |
8562 | The T-bit may not be changed; for THUMB/ARM switching use BX instruction.
8563 |
8564 | Unused Bits in CPSR are reserved for future use and should never be changed
8565 | (except for unused bits in the flags field).
8566 |
8567 | Execution Time: 1S.
8568 |
8569 | Note: The A22i assembler recognizes MOV as alias for both MSR and MRS because
8570 | it is practically not possible to remember whether MSR or MRS was the load or
8571 | store opcode, and/or whether it does load to or from the Psr register.
8572 |
8573 | ## ARM Opcodes: Memory: Single Data Transfer (LDR, STR, PLD)
8574 |
8575 | ### Opcode Format
8576 |
8577 | ```
8578 | Bit Expl.
8579 | 31-28 Condition (Must be 1111b for PLD)
8580 | 27-26 Must be 01b for this instruction
8581 | 25 I - Immediate Offset Flag (0=Immediate, 1=Shifted Register)
8582 | 24 P - Pre/Post (0=post; add offset after transfer, 1=pre; before trans.)
8583 | 23 U - Up/Down Bit (0=down; subtract offset from base, 1=up; add to base)
8584 | 22 B - Byte/Word bit (0=transfer 32bit/word, 1=transfer 8bit/byte)
8585 | When above Bit 24 P=0 (Post-indexing, write-back is ALWAYS enabled):
8586 | 21 T - Memory Management (0=Normal, 1=Force non-privileged access)
8587 | When above Bit 24 P=1 (Pre-indexing, write-back is optional):
8588 | 21 W - Write-back bit (0=no write-back, 1=write address into base)
8589 | 20 L - Load/Store bit (0=Store to memory, 1=Load from memory)
8590 | 0: STR{cond}{B}{T} Rd, ;[Rn+/-]=Rd
8591 | 1: LDR{cond}{B}{T} Rd, ;Rd=[Rn+/-]
8592 | (1: PLD ;Prepare Cache for Load, see notes below)
8593 | Whereas, B=Byte, T=Force User Mode (only for POST-Indexing)
8594 | 19-16 Rn - Base register (R0..R15) (including R15=PC+8)
8595 | 15-12 Rd - Source/Destination Register (R0..R15) (including R15=PC+12)
8596 | When above I=0 (Immediate as Offset)
8597 | 11-0 Unsigned 12bit Immediate Offset (0-4095, steps of 1)
8598 | When above I=1 (Register shifted by Immediate as Offset)
8599 | 11-7 Is - Shift amount (1-31, 0=Special/See below)
8600 | 6-5 Shift Type (0=LSL, 1=LSR, 2=ASR, 3=ROR)
8601 | 4 Must be 0 (Reserved, see The Undefined Instruction)
8602 | 3-0 Rm - Offset Register (R0..R14) (not including PC=R15)
8603 | ```
8604 |
8605 | ### Instruction Formats for \
8606 |
8607 | An expression which generates an address:
8608 |
8609 | ```
8610 | ;an immediate used as address
8611 | ;*** restriction: must be located in range PC+/-4095+8, if so,
8612 | ;*** assembler will calculate offset and use PC (R15) as base.
8613 | ```
8614 |
8615 | Pre-indexed addressing specification:
8616 |
8617 | ```
8618 | [Rn] ;offset = zero
8619 | [Rn, <#{+/-}expression>]{!} ;offset = immediate
8620 | [Rn, {+/-}Rm{,} ]{!} ;offset = register shifted by immediate
8621 | ```
8622 |
8623 | Post-indexed addressing specification:
8624 |
8625 | ```
8626 | [Rn], <#{+/-}expression> ;offset = immediate
8627 | [Rn], {+/-}Rm{,} ;offset = register shifted by immediate
8628 | ```
8629 |
8630 | Whereas...
8631 |
8632 | ```
8633 | immediate shift such like LSL#4, ROR#2, etc. (see ALU opcodes).
8634 | {!} exclamation mark ("!") indicates write-back (Rn will be updated).
8635 | ```
8636 |
8637 | ### Notes
8638 |
8639 | Shift amount 0 has special meaning, as described for ALU opcodes.
8640 |
8641 | When writing a word (32bit) to memory, the address should be word-aligned.
8642 |
8643 | When reading a byte from memory, upper 24 bits of Rd are zero-extended.
8644 |
8645 | LDR PC,\ on ARMv4 leaves CPSR.T unchanged.
8646 |
8647 | LDR PC,\ on ARMv5 sets CPSR.T to \ Bit0, (1=Switch to Thumb).
8648 |
8649 | When reading a word from a halfword-aligned address (which is located in the
8650 | middle between two word-aligned addresses), the lower 16bit of Rd will contain
8651 | [address] ie. the addressed halfword, and the upper 16bit of Rd will contain
8652 | [Rd-2] ie. more or less unwanted garbage. However, by isolating lower bits this
8653 | may be used to read a halfword from memory. (Above applies to little endian
8654 | mode, as used in GBA.)
8655 |
8656 | In a virtual memory based environment (ie. not in the GBA), aborts (ie. page
8657 | faults) may take place during execution, if so, Rm and Rn should not specify
8658 | the same register when post-indexing is used, as the abort-handler might have
8659 | problems reconstructing the original value of the register.
8660 |
8661 | Return: CPSR flags are not affected.
8662 |
8663 | Execution Time: For normal LDR: 1S+1N+1I. For LDR PC: 2S+2N+1I. For STR: 2N.
8664 |
8665 | ### PLD \ ;Prepare Cache for Load
8666 |
8667 | PLD must use following settings cond=1111b, P=1, B=1, W=0, L=1, Rd=1111b, the
8668 | address may not use post-indexing, and may not use writeback, the opcode is
8669 | encoded identical as LDRNVB R15,\.
8670 |
8671 | PLD signals to the memory system that a specific memory address will be soon
8672 | accessed, the memory system may use this hint to prepare caching/pipelining,
8673 | aside from that, PLD does not have any effect on the program logic, and behaves
8674 | identical as NOP.
8675 |
8676 | PLD supported by ARMv5TE only, not ARMv5, not ARMv5TExP.
8677 |
8678 | ## ARM Opcodes: Memory: Halfword, Doubleword, and Signed Data Transfer
8679 |
8680 | ### Opcode Format
8681 |
8682 | ```
8683 | Bit Expl.
8684 | 31-28 Condition
8685 | 27-25 Must be 000b for this instruction
8686 | 24 P - Pre/Post (0=post; add offset after transfer, 1=pre; before trans.)
8687 | 23 U - Up/Down Bit (0=down; subtract offset from base, 1=up; add to base)
8688 | 22 I - Immediate Offset Flag (0=Register Offset, 1=Immediate Offset)
8689 | When above Bit 24 P=0 (Post-indexing, write-back is ALWAYS enabled):
8690 | 21 Not used, must be zero (0)
8691 | When above Bit 24 P=1 (Pre-indexing, write-back is optional):
8692 | 21 W - Write-back bit (0=no write-back, 1=write address into base)
8693 | 20 L - Load/Store bit (0=Store to memory, 1=Load from memory)
8694 | 19-16 Rn - Base register (R0-R15) (Including R15=PC+8)
8695 | 15-12 Rd - Source/Destination Register (R0-R15) (Including R15=PC+12)
8696 | 11-8 When above Bit 22 I=0 (Register as Offset):
8697 | Not used. Must be 0000b
8698 | When above Bit 22 I=1 (immediate as Offset):
8699 | Immediate Offset (upper 4bits)
8700 | 7 Reserved, must be set (1)
8701 | 6-5 Opcode (0-3)
8702 | When Bit 20 L=0 (Store) (and Doubleword Load/Store):
8703 | 0: Reserved for SWP instruction
8704 | 1: STR{cond}H Rd, ;Store halfword [a]=Rd
8705 | 2: LDR{cond}D Rd, ;Load Doubleword R(d)=[a], R(d+1)=[a+4]
8706 | 3: STR{cond}D Rd, ;Store Doubleword [a]=R(d), [a+4]=R(d+1)
8707 | When Bit 20 L=1 (Load):
8708 | 0: Reserved.
8709 | 1: LDR{cond}H Rd, ;Load Unsigned halfword (zero-extended)
8710 | 2: LDR{cond}SB Rd, ;Load Signed byte (sign extended)
8711 | 3: LDR{cond}SH Rd, ;Load Signed halfword (sign extended)
8712 | 4 Reserved, must be set (1)
8713 | 3-0 When above Bit 22 I=0:
8714 | Rm - Offset Register (R0-R14) (not including R15)
8715 | When above Bit 22 I=1:
8716 | Immediate Offset (lower 4bits) (0-255, together with upper bits)
8717 | ```
8718 |
8719 | STRH,LDRH,LDRSB,LDRSH supported on ARMv4 and up.
8720 |
8721 | STRD/LDRD supported on ARMv5TE only, not ARMv5, not ARMv5TExP.
8722 |
8723 | STRD/LDRD: base writeback: Rn should not be same as R(d) or R(d+1).
8724 |
8725 | STRD: index register: Rm should not be same as R(d) or R(d+1).
8726 |
8727 | STRD/LDRD: Rd must be an even numbered register (R0,R2,R4,R6,R8,R10,R12).
8728 |
8729 | STRD/LDRD: Address must be double-word aligned (multiple of eight).
8730 |
8731 | ### Instruction Formats for \
8732 |
8733 | An expression which generates an address:
8734 |
8735 | ```
8736 | ;an immediate used as address
8737 | ;*** restriction: must be located in range PC+/-255+8, if so,
8738 | ;*** assembler will calculate offset and use PC (R15) as base.
8739 | ```
8740 |
8741 | Pre-indexed addressing specification:
8742 |
8743 | ```
8744 | [Rn] ;offset = zero
8745 | [Rn, <#{+/-}expression>]{!} ;offset = immediate
8746 | [Rn, {+/-}Rm]{!} ;offset = register
8747 | ```
8748 |
8749 | Post-indexed addressing specification:
8750 |
8751 | ```
8752 | [Rn], <#{+/-}expression> ;offset = immediate
8753 | [Rn], {+/-}Rm ;offset = register
8754 | ```
8755 |
8756 | Whereas...
8757 |
8758 | ```
8759 | {!} exclamation mark ("!") indicates write-back (Rn will be updated).
8760 | ```
8761 |
8762 | Return: No Flags affected.
8763 |
8764 | Execution Time: For Normal LDR, 1S+1N+1I. For LDR PC, 2S+2N+1I. For STRH 2N.
8765 |
8766 | ## ARM Opcodes: Memory: Block Data Transfer (LDM, STM)
8767 |
8768 | ### Opcode Format
8769 |
8770 | ```
8771 | Bit Expl.
8772 | 31-28 Condition
8773 | 27-25 Must be 100b for this instruction
8774 | 24 P - Pre/Post (0=post; add offset after transfer, 1=pre; before trans.)
8775 | 23 U - Up/Down Bit (0=down; subtract offset from base, 1=up; add to base)
8776 | 22 S - PSR & force user bit (0=No, 1=load PSR or force user mode)
8777 | 21 W - Write-back bit (0=no write-back, 1=write address into base)
8778 | 20 L - Load/Store bit (0=Store to memory, 1=Load from memory)
8779 | 0: STM{cond}{amod} Rn{!},{^} ;Store (Push)
8780 | 1: LDM{cond}{amod} Rn{!},{^} ;Load (Pop)
8781 | Whereas, {!}=Write-Back (W), and {^}=PSR/User Mode (S)
8782 | 19-16 Rn - Base register (R0-R14) (not including R15)
8783 | 15-0 Rlist - Register List
8784 | (Above 'offset' is meant to be the number of words specified in Rlist.)
8785 | ```
8786 |
8787 | Return: No Flags affected.
8788 |
8789 | Execution Time: For normal LDM, nS+1N+1I. For LDM PC, (n+1)S+2N+1I. For STM
8790 | (n-1)S+2N. Where n is the number of words transferred.
8791 |
8792 | ### Addressing Modes {amod}
8793 |
8794 | The IB,IA,DB,DA suffixes directly specify the desired U and P bits:
8795 |
8796 | ```
8797 | IB increment before ;P=1, U=1
8798 | IA increment after ;P=0, U=1
8799 | DB decrement before ;P=1, U=0
8800 | DA decrement after ;P=0, U=0
8801 | ```
8802 |
8803 | Alternately, FD,ED,FA,EA could be used, mostly to simplify mnemonics for stack
8804 | transfers.
8805 |
8806 | ```
8807 | ED empty stack, descending ;LDM: P=1, U=1 ;STM: P=0, U=0
8808 | FD full stack, descending ; P=0, U=1 ; P=1, U=0
8809 | EA empty stack, ascending ; P=1, U=0 ; P=0, U=1
8810 | FA full stack, ascending ; P=0, U=0 ; P=1, U=1
8811 | ```
8812 |
8813 | Ie. the following expressions are aliases for each other:
8814 |
8815 | ```
8816 | STMFD=STMDB=PUSH STMED=STMDA STMFA=STMIB STMEA=STMIA
8817 | LDMFD=LDMIA=POP LDMED=LDMIB LDMFA=LDMDA LDMEA=LDMDB
8818 | ```
8819 |
8820 | Note: The equivalent THUMB functions use fixed organization:
8821 |
8822 | ```
8823 | PUSH/POP: full descending ;base register SP (R13)
8824 | LDM/STM: increment after ;base register R0..R7
8825 | ```
8826 |
8827 | Descending is the common stack organization, as used in 80x86 and Z80 CPUs:
8828 | SP is decremented when pushing/storing data, and incremented when
8829 | popping/loading data.
8830 |
8831 | ### When S Bit is set (S=1)
8832 |
8833 | If instruction is LDM and R15 is in the list: (Mode Changes)
8834 |
8835 | ```
8836 | While R15 loaded, additionally: CPSR=SPSR_
8837 | ```
8838 |
8839 | Otherwise: (User bank transfer)
8840 |
8841 | ```
8842 | Rlist is referring to User Bank Registers, R0-R15 (rather than
8843 | register related to the current mode, such like R14_svc etc.)
8844 | Base write-back should not be used for User bank transfer.
8845 | Caution - When instruction is LDM:
8846 | If the following instruction reads from a banked register (eg. R14_svc),
8847 | then CPU might still read R14 instead; if necessary insert a dummy NOP.
8848 | ```
8849 |
8850 | ### Notes
8851 |
8852 | The base address should usually be word-aligned.
8853 |
8854 | LDM Rn,...,PC on ARMv4 leaves CPSR.T unchanged.
8855 |
8856 | LDM Rn,...,PC on ARMv5 sets CPSR.T to \ Bit0, (1=Switch to Thumb).
8857 |
8858 | ### Transfer Order
8859 |
8860 | The lowest Register in Rlist (R0 if it's in the list) will be loaded/stored
8861 | to/from the lowest memory address.
8862 |
8863 | Internally, the rlist registers are always processed with INCREASING addresses
8864 | (ie. for DECREASING addressing modes, the CPU does first calculate the lowest
8865 | address, and does then process rlist with increasing addresses; this detail can
8866 | be important when accessing memory mapped I/O ports).
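
The addressing modes and the transfer order above, worked through in C as an added example (not code from GBATEK or no$gba). `amod_to_pu`, `plan_block_transfer`, the `block_plan` struct and the base address used in `main` are names and values constructed here; the empty-Rlist case from "Strange Effects on Invalid Rlist's" is rejected rather than modelled.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int      count;      /* number of registers in Rlist */
    uint32_t lowest;     /* lowest address touched by the transfer */
    uint32_t writeback;  /* value written to Rn when W=1 */
    uint32_t addr[16];   /* addr[r] = address used for Rr (0 if not in Rlist) */
} block_plan;

/* Translate an {amod} suffix into the P and U bits. IA/IB/DA/DB mean the
   same for LDM and STM; the stack forms FD/ED/FA/EA depend on the L bit,
   per the two tables in the text. Returns 0 on success, -1 if unknown. */
int amod_to_pu(const char *amod, int is_load, int *p, int *u)
{
    char a = amod[0], b = a ? amod[1] : '\0';
    if (a == '\0' || b == '\0' || amod[2] != '\0')
        return -1;
    if ((a == 'I' || a == 'D') && (b == 'A' || b == 'B')) {
        *u = (a == 'I');
        *p = (b == 'B');
        return 0;
    }
    if ((a == 'F' || a == 'E') && (b == 'D' || b == 'A')) {
        int store_p = (a == 'F');  /* full stack: STM adjusts before storing */
        int store_u = (b == 'A');  /* ascending stack: STM counts upwards */
        *p = is_load ? !store_p : store_p;
        *u = is_load ? !store_u : store_u;
        return 0;
    }
    return -1;
}

/* Compute where each register in Rlist is transferred and what Rn becomes
   on write-back. Registers are always walked from the lowest address up,
   so the lowest-numbered register gets the lowest address. */
int plan_block_transfer(int p, int u, uint16_t rlist, uint32_t base,
                        block_plan *out)
{
    int n = 0;
    for (int r = 0; r < 16; r++)
        n += (rlist >> r) & 1;
    if (n == 0)
        return -1;                       /* empty Rlist: not modelled here */

    uint32_t span = 4u * (uint32_t)n;    /* 'offset' = words in Rlist */
    if (u)
        out->lowest = p ? base + 4 : base;                /* IB : IA */
    else
        out->lowest = p ? base - span : base - span + 4;  /* DB : DA */
    out->writeback = u ? base + span : base - span;
    out->count = n;

    uint32_t a = out->lowest;
    for (int r = 0; r < 16; r++) {
        out->addr[r] = 0;
        if ((rlist >> r) & 1) {
            out->addr[r] = a;
            a += 4;
        }
    }
    return 0;
}

int main(void)
{
    int p, u;
    block_plan bp;
    /* STMFD R13!,{R0,R1,R14} from a constructed stack pointer value. */
    amod_to_pu("FD", 0, &p, &u);
    plan_block_transfer(p, u, 0x4003, 0x03007F00u, &bp);
    printf("STMFD: P=%d U=%d R0@%08X R1@%08X LR@%08X SP'=%08X\n", p, u,
           (unsigned)bp.addr[0], (unsigned)bp.addr[1],
           (unsigned)bp.addr[14], (unsigned)bp.writeback);
    /* The matching LDMFD R13!,{R0,R1,R15} restores the original SP. */
    amod_to_pu("FD", 1, &p, &u);
    plan_block_transfer(p, u, 0x8003, bp.writeback, &bp);
    printf("LDMFD: P=%d U=%d PC@%08X SP'=%08X\n", p, u,
           (unsigned)bp.addr[15], (unsigned)bp.writeback);
    return 0;
}
```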
8867 |
8868 | ### Strange Effects on Invalid Rlist's
8869 |
8870 | Empty Rlist: R15 loaded/stored (ARMv4 only), and Rb=Rb+/-40h (ARMv4-v5).
8871 |
8872 | Writeback with Rb included in Rlist: Store OLD base if Rb is FIRST entry in
8873 | Rlist, otherwise store NEW base (STM/ARMv4), always store OLD base (STM/ARMv5),
8874 | no writeback (LDM/ARMv4), writeback if Rb is "the ONLY register, or NOT the
8875 | LAST register" in Rlist (LDM/ARMv5).
8876 |
8877 | ## ARM Opcodes: Memory: Single Data Swap (SWP)
8878 |
8879 | ### Opcode Format
8880 |
8881 | ```
8882 | Bit Expl.
8883 | 31-28 Condition
8884 | 27-23 Must be 00010b for this instruction
8885 | Opcode (fixed)
8886 | SWP{cond}{B} Rd,Rm,[Rn] ;Rd=[Rn], [Rn]=Rm
8887 | 22 B - Byte/Word bit (0=swap 32bit/word, 1=swap 8bit/byte)
8888 | 21-20 Must be 00b for this instruction
8889 | 19-16 Rn - Base register (R0-R14)
8890 | 15-12 Rd - Destination Register (R0-R14)
8891 | 11-4 Must be 00001001b for this instruction
8892 | 3-0 Rm - Source Register (R0-R14)
8893 | ```
8894 |
8895 | SWP/SWPB supported by ARMv2a and up.
8896 |
8897 | Swap works properly including if Rm and Rn specify the same register.
8898 |
8899 | R15 may not be used for either Rn,Rd,Rm. (Rn=R15 would be MRS opcode).
8900 |
8901 | Upper bits of Rd are zero-expanded when using Byte quantity. For info about
8902 | byte and word data memory addressing, read LDR and STR opcode description.
8903 |
8904 | Execution Time: 1S+2N+1I. That is, 2N data cycles, 1S code cycle, plus 1I.
8905 |
8906 | ## ARM Opcodes: Coprocessor Instructions (MRC/MCR, LDC/STC, CDP, MCRR/MRRC)
8907 |
8908 | ### Coprocessor Register Transfers (MRC, MCR) (with ARM Register read/write)
8909 |
8910 | ```
8911 | Bit Expl.
8912 | 31-28 Condition (or 1111b for MRC2/MCR2 opcodes on ARMv5 and up)
8913 | 27-24 Must be 1110b for this instruction
8914 | 23-21 CP Opc - Coprocessor operation code (0-7)
8915 | 20 ARM-Opcode (0-1)
8916 | 0: MCR{cond} Pn,,Rd,Cn,Cm{,} ;move from ARM to CoPro
8917 | 0: MCR2 Pn,,Rd,Cn,Cm{,} ;move from ARM to CoPro
8918 | 1: MRC{cond} Pn,,Rd,Cn,Cm{,} ;move from CoPro to ARM
8919 | 1: MRC2 Pn,,Rd,Cn,Cm{,} ;move from CoPro to ARM
8920 | 19-16 Cn - Coprocessor source/dest. Register (C0-C15)
8921 | 15-12 Rd - ARM source/destination Register (R0-R15)
8922 | 11-8 Pn - Coprocessor number (P0-P15)
8923 | 7-5 CP - Coprocessor information (0-7)
8924 | 4 Reserved, must be one (1) (otherwise CDP opcode)
8925 | 3-0 Cm - Coprocessor operand Register (C0-C15)
8926 | ```
8927 |
8928 | MCR/MRC supported by ARMv2 and up, MCR2/MRC2 by ARMv5 and up.
8929 |
8930 | A22i syntax allows using MOV with Rd specified as first (dest), or last
8931 | (source) operand. Native MCR/MRC syntax uses Rd as middle operand, \
8932 | can be omitted if \ is zero.
8933 |
8934 | When using MCR with R15: Coprocessor will receive a data value of PC+12.
8935 |
8936 | When using MRC with R15: Bit 31-28 of data are copied to Bit 31-28 of CPSR (ie.
8937 | N,Z,C,V flags), other data bits are ignored, CPSR Bit 27-0 are not affected,
8938 | R15 (PC) is not affected.
8939 |
8940 | Execution time: 1S+bI+1C for MCR, 1S+(b+1)I+1C for MRC.
8941 |
8942 | Return: For MRC only: Either R0-R14 modified, or flags affected (see above).
8943 |
8944 | For details refer to original ARM docs. The opcodes are irrelevant for GBA/NDS7
8945 | because no coprocessor exists (except for a dummy CP14 unit). However, NDS9
8946 | includes a working CP15 unit.
8947 |
8948 | - [ARM CP14 ICEbreaker Debug Communications Channel](#armcp14icebreakerdebugcommunicationschannel)
8949 | - [ARM CP15 System Control Coprocessor](#armcp15systemcontrolcoprocessor)
8950 |
8951 | ### Coprocessor Data Transfers (LDC, STC) (with Memory read/write)
8952 |
8953 | ```
8954 | Bit Expl.
8955 | 31-28 Condition (or 1111b for LDC2/STC2 opcodes on ARMv5 and up)
8956 | 27-25 Must be 110b for this instruction
8957 | 24 P - Pre/Post (0=post; add offset after transfer, 1=pre; before trans.)
8958 | 23 U - Up/Down Bit (0=down; subtract offset from base, 1=up; add to base)
8959 | 22 N - Transfer length (0-1, interpretation depends on co-processor)
8960 | 21 W - Write-back bit (0=no write-back, 1=write address into base)
8961 | 20 Opcode (0-1)
8962 | 0: STC{cond}{L} Pn,Cd, ;Store to memory (from coprocessor)
8963 | 0: STC2{L} Pn,Cd, ;Store to memory (from coprocessor)
8964 | 1: LDC{cond}{L} Pn,Cd, ;Read from memory (to coprocessor)
8965 | 1: LDC2{L} Pn,Cd, ;Read from memory (to coprocessor)
8966 | whereas {L} indicates long transfer (Bit 22: N=1)
8967 | 19-16 Rn - ARM Base Register (R0-R15) (R15=PC+8)
8968 | 15-12 Cd - Coprocessor src/dest Register (C0-C15)
8969 | 11-8 Pn - Coprocessor number (P0-P15)
8970 | 7-0 Offset - Unsigned Immediate, step 4 (0-1020, in steps of 4)
8971 | ```
8972 |
8973 | LDC/STC supported by ARMv2 and up, LDC2/STC2 by ARMv5 and up.
8974 |
8975 | Execution time: (n-1)S+2N+bI, n=number of words transferred.
8976 |
8977 | For details refer to original ARM docs, irrelevant in GBA because no
8978 | coprocessor exists.
8979 |
8980 | ### Coprocessor Data Operations (CDP) (without Memory or ARM Register operand)
8981 |
8982 | ```
8983 | Bit Expl.
8984 | 31-28 Condition (or 1111b for CDP2 opcode on ARMv5 and up)
8985 | 27-24 Must be 1110b for this instruction
8986 | ARM-Opcode (fixed)
8987 | CDP{cond} Pn,,Cd,Cn,Cm{,}
8988 | CDP2 Pn,,Cd,Cn,Cm{,}
8989 | 23-20 CP Opc - Coprocessor operation code (0-15)
8990 | 19-16 Cn - Coprocessor operand Register (C0-C15)
8991 | 15-12 Cd - Coprocessor destination Register (C0-C15)
8992 | 11-8 Pn - Coprocessor number (P0-P15)
8993 | 7-5 CP - Coprocessor information (0-7)
8994 | 4 Reserved, must be zero (otherwise MCR/MRC opcode)
8995 | 3-0 Cm - Coprocessor operand Register (C0-C15)
8996 | ```
8997 |
8998 | CDP supported by ARMv2 and up, CDP2 by ARMv5 and up.
8999 |
9000 | Execution time: 1S+bI, b=number of cycles in coprocessor busy-wait loop.
9001 |
9002 | Return: No flags affected, no ARM-registers used/modified.
9003 |
9004 | For details refer to original ARM docs, irrelevant in GBA because no
9005 | coprocessor exists.
9006 |
9007 | ### Coprocessor Double-Register Transfer (MCRR, MRRC) - ARMv5TE only
9008 |
9009 | ```
9010 | Bit Expl.
9011 | 31-28 Condition
9012 | 27-21 Must be 1100010b for this instruction
9013 | 20 L - Opcode (Load/Store)
9014 | 0: MCRR{cond} Pn,opcode,Rd,Rn,Cm ;write Rd,Rn to coproc
9015 | 1: MRRC{cond} Pn,opcode,Rd,Rn,Cm ;read Rd,Rn from coproc
9016 | 19-16 Rn - Second source/dest register (R0-R14)
9017 | 15-12 Rd - First source/dest register (R0-R14)
9018 | 11-8 Pn - Coprocessor number (P0-P15)
9019 | 7-4 CP Opc - Coprocessor operation code (0-15)
9020 | 3-0 Cm - Coprocessor operand Register (C0-C15)
9021 | ```
9022 |
9023 | Supported by ARMv5TE only, not ARMv5, not ARMv5TExP.
9024 |
9025 | ## THUMB Instruction Summary
9026 |
9027 | The table below lists all THUMB mode instructions with clock cycles, affected
9028 | CPSR flags, Format/chapter number, and description.
9029 |
9030 | Only registers R0..R7 can be used in thumb mode (unless R8-15,SP,PC are
9031 | explicitly mentioned).
9032 |
9033 | ### Logical Operations
9034 |
9035 | ```
9036 | Instruction Cycles Flags Format Expl.
9037 | MOV Rd,Imm8bit 1S NZ-- 3 Rd=nn
9038 | MOV Rd,Rs 1S NZ00 2 Rd=Rs+0
9039 | MOV R0..14,R8..15 1S ---- 5 Rd=Rs
9040 | MOV R8..14,R0..15 1S ---- 5 Rd=Rs
9041 | MOV R15,R0..15 2S+1N ---- 5 PC=Rs
9042 | MVN Rd,Rs 1S NZ-- 4 Rd=NOT Rs
9043 | AND Rd,Rs 1S NZ-- 4 Rd=Rd AND Rs
9044 | TST Rd,Rs 1S NZ-- 4 Void=Rd AND Rs
9045 | BIC Rd,Rs 1S NZ-- 4 Rd=Rd AND NOT Rs
9046 | ORR Rd,Rs 1S NZ-- 4 Rd=Rd OR Rs
9047 | EOR Rd,Rs 1S NZ-- 4 Rd=Rd XOR Rs
9048 | LSL Rd,Rs,Imm5bit 1S NZc- 1 Rd=Rs SHL nn
9049 | LSL Rd,Rs 1S+1I NZc- 4 Rd=Rd SHL (Rs AND 0FFh)
9050 | LSR Rd,Rs,Imm5bit 1S NZc- 1 Rd=Rs SHR nn
9051 | LSR Rd,Rs 1S+1I NZc- 4 Rd=Rd SHR (Rs AND 0FFh)
9052 | ASR Rd,Rs,Imm5bit 1S NZc- 1 Rd=Rs SAR nn
9053 | ASR Rd,Rs 1S+1I NZc- 4 Rd=Rd SAR (Rs AND 0FFh)
9054 | ROR Rd,Rs 1S+1I NZc- 4 Rd=Rd ROR (Rs AND 0FFh)
9055 | NOP 1S ---- 5 R8=R8
9056 | ```
9057 |
9058 | Carry flag affected only if shift amount is non-zero.
9059 |
9060 | ### Arithmetic Operations and Multiply
9061 |
9062 | ```
9063 | Instruction Cycles Flags Format Expl.
9064 | ADD Rd,Rs,Imm3bit 1S NZCV 2 Rd=Rs+nn
9065 | ADD Rd,Imm8bit 1S NZCV 3 Rd=Rd+nn
9066 | ADD Rd,Rs,Rn 1S NZCV 2 Rd=Rs+Rn
9067 | ADD R0..14,R8..15 1S ---- 5 Rd=Rd+Rs
9068 | ADD R8..14,R0..15 1S ---- 5 Rd=Rd+Rs
9069 | ADD R15,R0..15 2S+1N ---- 5 PC=Rd+Rs
9070 | ADD Rd,PC,Imm8bit*4 1S ---- 12 Rd=(($+4) AND NOT 2)+nn
9071 | ADD Rd,SP,Imm8bit*4 1S ---- 12 Rd=SP+nn
9072 | ADD SP,Imm7bit*4 1S ---- 13 SP=SP+nn
9073 | ADD SP,-Imm7bit*4 1S ---- 13 SP=SP-nn
9074 | ADC Rd,Rs 1S NZCV 4 Rd=Rd+Rs+Cy
9075 | SUB Rd,Rs,Imm3Bit 1S NZCV 2 Rd=Rs-nn
9076 | SUB Rd,Imm8bit 1S NZCV 3 Rd=Rd-nn
9077 | SUB Rd,Rs,Rn 1S NZCV 2 Rd=Rs-Rn
9078 | SBC Rd,Rs 1S NZCV 4 Rd=Rd-Rs-NOT Cy
9079 | NEG Rd,Rs 1S NZCV 4 Rd=0-Rs
9080 | CMP Rd,Imm8bit 1S NZCV 3 Void=Rd-nn
9081 | CMP Rd,Rs 1S NZCV 4 Void=Rd-Rs
9082 | CMP R0-15,R8-15 1S NZCV 5 Void=Rd-Rs
9083 | CMP R8-15,R0-15 1S NZCV 5 Void=Rd-Rs
9084 | CMN Rd,Rs 1S NZCV 4 Void=Rd+Rs
9085 | MUL Rd,Rs 1S+mI NZx- 4 Rd=Rd*Rs
9086 | ```
9087 |
9088 | ### Jumps and Calls
9089 |
9090 | ```
9091 | Instruction Cycles Flags Format Expl.
9092 | B disp 2S+1N ---- 18 PC=$+/-2048
9093 | BL disp 3S+1N ---- 19 PC=$+/-4M, LR=$+5
9094 | B{cond=true} disp 2S+1N ---- 16 PC=$+/-0..256
9095 | B{cond=false} disp 1S ---- 16 N/A
9096 | BX R0..15 2S+1N ---- 5 PC=Rs, ARM/THUMB (Rs bit0)
9097 | SWI Imm8bit 2S+1N ---- 17 PC=8, ARM SVC mode, LR=$+2
9098 | BKPT Imm8bit ??? ---- 17 ??? ARM9 Prefetch Abort
9099 | BLX disp ??? ---- ??? ??? ARM9
9100 | BLX R0..R14 ??? ---- ??? ??? ARM9
9101 | POP {Rlist,}PC (n+1)S+2N+1I ---- 14
9102 | MOV R15,R0..15 2S+1N ---- 5 PC=Rs
9103 | ADD R15,R0..15 2S+1N ---- 5 PC=Rd+Rs
9104 | ```
9105 |
9106 | The thumb BL instruction occupies two 16bit opcodes, 32bit in total.
9107 |
9108 | ### Memory Load/Store
9109 |
9110 | ```
9111 | Instruction Cycles Flags Format Expl.
9112 | LDR Rd,[Rb,5bit*4] 1S+1N+1I ---- 9 Rd = WORD[Rb+nn]
9113 | LDR Rd,[PC,8bit*4] 1S+1N+1I ---- 6 Rd = WORD[PC+nn]
9114 | LDR Rd,[SP,8bit*4] 1S+1N+1I ---- 11 Rd = WORD[SP+nn]
9115 | LDR Rd,[Rb,Ro] 1S+1N+1I ---- 7 Rd = WORD[Rb+Ro]
9116 | LDRB Rd,[Rb,5bit*1] 1S+1N+1I ---- 9 Rd = BYTE[Rb+nn]
9117 | LDRB Rd,[Rb,Ro] 1S+1N+1I ---- 7 Rd = BYTE[Rb+Ro]
9118 | LDRH Rd,[Rb,5bit*2] 1S+1N+1I ---- 10 Rd = HALFWORD[Rb+nn]
9119 | LDRH Rd,[Rb,Ro] 1S+1N+1I ---- 8 Rd = HALFWORD[Rb+Ro]
9120 | LDSB Rd,[Rb,Ro] 1S+1N+1I ---- 8 Rd = SIGNED_BYTE[Rb+Ro]
9121 | LDSH Rd,[Rb,Ro] 1S+1N+1I ---- 8 Rd = SIGNED_HALFWORD[Rb+Ro]
9122 | STR Rd,[Rb,5bit*4] 2N ---- 9 WORD[Rb+nn] = Rd
9123 | STR Rd,[SP,8bit*4] 2N ---- 11 WORD[SP+nn] = Rd
9124 | STR Rd,[Rb,Ro] 2N ---- 7 WORD[Rb+Ro] = Rd
9125 | STRB Rd,[Rb,5bit*1] 2N ---- 9 BYTE[Rb+nn] = Rd
9126 | STRB Rd,[Rb,Ro] 2N ---- 7 BYTE[Rb+Ro] = Rd
9127 | STRH Rd,[Rb,5bit*2] 2N ---- 10 HALFWORD[Rb+nn] = Rd
9128 | STRH Rd,[Rb,Ro] 2N ---- 8 HALFWORD[Rb+Ro]=Rd
9129 | PUSH {Rlist}{LR} (n-1)S+2N ---- 14
9130 | POP {Rlist}{PC} ---- 14 (ARM9: with mode switch)
9131 | STMIA Rb!,{Rlist} (n-1)S+2N ---- 15
9132 | LDMIA Rb!,{Rlist} nS+1N+1I ---- 15
9133 | ```
9134 |
9135 | ### THUMB Binary Opcode Format
9136 |
9137 | This table summarizes the position of opcode/parameter bits for THUMB mode
9138 | instructions, Format 1-19.
9139 |
9140 | ```
9141 | Form|_15|_14|_13|_12|_11|_10|_9_|_8_|_7_|_6_|_5_|_4_|_3_|_2_|_1_|_0_|
9142 | __1_|_0___0___0_|__Op___|_______Offset______|____Rs_____|____Rd_____|Shifted
9143 | __2_|_0___0___0___1___1_|_I,_Op_|___Rn/nn___|____Rs_____|____Rd_____|ADD/SUB
9144 | __3_|_0___0___1_|__Op___|____Rd_____|_____________Offset____________|Immedi.
9145 | __4_|_0___1___0___0___0___0_|______Op_______|____Rs_____|____Rd_____|AluOp
9146 | __5_|_0___1___0___0___0___1_|__Op___|Hd_|Hs_|____Rs_____|____Rd_____|HiReg/BX
9147 | __6_|_0___1___0___0___1_|____Rd_____|_____________Word______________|LDR PC
9148 | __7_|_0___1___0___1_|__Op___|_0_|___Ro______|____Rb_____|____Rd_____|LDR/STR
9149 | __8_|_0___1___0___1_|__Op___|_1_|___Ro______|____Rb_____|____Rd_____|""H/SB/SH
9150 | __9_|_0___1___1_|__Op___|_______Offset______|____Rb_____|____Rd_____|""{B}
9151 | _10_|_1___0___0___0_|Op_|_______Offset______|____Rb_____|____Rd_____|""H
9152 | _11_|_1___0___0___1_|Op_|____Rd_____|_____________Word______________|"" SP
9153 | _12_|_1___0___1___0_|Op_|____Rd_____|_____________Word______________|ADD PC/SP
9154 | _13_|_1___0___1___1___0___0___0___0_|_S_|___________Word____________|ADD SP,nn
9155 | _14_|_1___0___1___1_|Op_|_1___0_|_R_|____________Rlist______________|PUSH/POP
9156 | _17_|_1___0___1___1___1___1___1___0_|___________User_Data___________|BKPT ARM9
9157 | _15_|_1___1___0___0_|Op_|____Rb_____|____________Rlist______________|STM/LDM
9158 | _16_|_1___1___0___1_|_____Cond______|_________Signed_Offset_________|B{cond}
9159 | _U__|_1___1___0___1___1___1___1___0_|_____________var_______________|UndefARM9
9160 | _17_|_1___1___0___1___1___1___1___1_|___________User_Data___________|SWI
9161 | _18_|_1___1___1___0___0_|________________Offset_____________________|B
9162 | _19_|_1___1___1___0___1_|_________________________var___________|_0_|BLX.ARM9
9163 | _U__|_1___1___1___0___1_|_________________________var___________|_1_|UndefARM9
9164 | _19_|_1___1___1___1_|_H_|______________Offset_Low/High______________|BL,BLX
9165 | ```
9166 |
9167 | Further UNDEFS ??? ARM9?
9168 |
9169 | - 1011 0001 xxxxxxxx (reserved)
9170 | - 1011 0x1x xxxxxxxx (reserved)
9171 | - 1011 10xx xxxxxxxx (reserved)
9172 | - 1011 1111 xxxxxxxx (reserved)
9173 | - 1101 1110 xxxxxxxx (free for user)
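
A decoder for the format table above, as an added example (not code from GBATEK or no$gba). `thumb_format` and the sample opcodes in `main` are constructed here. It returns the format number from the table's first column, and 0 for the rows marked undefined and for the reserved patterns in the list.

```c
#include <stdint.h>
#include <stdio.h>

/* Classify a 16-bit THUMB opcode into Format 1-19 of the table above.
   More specific bit patterns are tested before the general ones they
   overlap with (Format 2 inside 000b, SWI inside 1101b, and so on).
   Returns 0 for undefined or reserved encodings. */
int thumb_format(uint16_t op)
{
    switch (op >> 13) {
    case 0:                                   /* 000x: shifted, or ADD/SUB */
        return ((op >> 11) & 3) == 3 ? 2 : 1;
    case 1:                                   /* 001x: immediate */
        return 3;
    case 2:
        if ((op & 0x1000) == 0) {             /* 0100 */
            if (op & 0x0800) return 6;        /* 01001: LDR PC-relative */
            return (op & 0x0400) ? 5 : 4;     /* 010001 HiReg/BX, 010000 ALU */
        }
        return (op & 0x0200) ? 8 : 7;         /* 0101: bit 9 selects 8 or 7 */
    case 3:                                   /* 011x: LDR/STR {B} imm offset */
        return 9;
    case 4:                                   /* 1000 halfword, 1001 SP-rel */
        return (op & 0x1000) ? 11 : 10;
    case 5:
        if ((op & 0x1000) == 0) return 12;        /* 1010: ADD PC/SP */
        if ((op & 0xFF00) == 0xB000) return 13;   /* 10110000: ADD SP,nn */
        if ((op & 0xF600) == 0xB400) return 14;   /* 1011x10x: PUSH/POP */
        if ((op & 0xFF00) == 0xBE00) return 17;   /* 10111110: BKPT (ARM9) */
        return 0;                                 /* reserved 1011 patterns */
    case 6:
        if ((op & 0x1000) == 0) return 15;        /* 1100: STM/LDM */
        switch ((op >> 8) & 0xF) {                /* 1101: cond field */
        case 0xE: return 0;                       /* undefined */
        case 0xF: return 17;                      /* SWI */
        default:  return 16;                      /* B{cond} */
        }
    default:                                      /* 111x */
        if (op & 0x1000) return 19;               /* 1111H: BL/BLX halves */
        if ((op & 0x0800) == 0) return 18;        /* 11100: B */
        return (op & 1) ? 0 : 19;                 /* 11101: BLX suffix (ARM9) */
    }
}

int main(void)
{
    /* Constructed sample opcodes with the instruction each one encodes. */
    static const struct { uint16_t op; const char *text; } samples[] = {
        { 0x0088, "LSL R0,R1,#2"    }, { 0x1888, "ADD R0,R1,R2"   },
        { 0x46C0, "MOV R8,R8 (NOP)" }, { 0x4770, "BX R14"         },
        { 0xB40F, "PUSH {R0-R3}"    }, { 0xBD1C, "POP {R2-R4,PC}" },
        { 0xB082, "ADD SP,#-8"      }, { 0xDF05, "SWI 5"          },
        { 0xDE00, "undefined"       }, { 0xB100, "reserved"       },
    };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%04X  format %2d  %s\n", (unsigned)samples[i].op,
               thumb_format(samples[i].op), samples[i].text);
    return 0;
}
```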
9174 |
9175 | ## THUMB Opcodes: Register Operations (ALU, BX)
9176 |
9177 | ### THUMB.1: move shifted register
9178 |
9179 | ```
9180 | 15-13 Must be 000b for 'move shifted register' instructions
9181 | 12-11 Opcode
9182 | 00b: LSL Rd,Rs,#Offset (logical/arithmetic shift left)
9183 | 01b: LSR Rd,Rs,#Offset (logical shift right)
9184 | 10b: ASR Rd,Rs,#Offset (arithmetic shift right)
9185 | 11b: Reserved (used for add/subtract instructions)
9186 | 10-6 Offset (0-31)
9187 | 5-3 Rs - Source register (R0..R7)
9188 | 2-0 Rd - Destination register (R0..R7)
9189 | ```
9190 |
9191 | Example: LSL Rd,Rs,#nn ; Rd = Rs \<\< nn ; ARM equivalent: MOVS Rd,Rs,LSL
9192 | #nn
9193 |
9194 | A zero shift amount has special meaning (same as for ARM shifts): LSL#0
9195 | performs no shift (the carry flag remains unchanged), LSR/ASR#0 are interpreted
9196 | as LSR/ASR#32. Attempts to specify LSR/ASR#0 in source code are automatically
9197 | redirected as LSL#0, and source LSR/ASR#32 is redirected as opcode LSR/ASR#0.
9198 |
9199 | Execution Time: 1S
9200 |
9201 | Flags: Z=zeroflag, N=sign, C=carry (except LSL#0: C=unchanged), V=unchanged.
9202 |
9203 | ### THUMB.2: add/subtract
9204 |
9205 | ```
9206 | 15-11 Must be 00011b for 'add/subtract' instructions
9207 | 10-9 Opcode (0-3)
9208 | 0: ADD Rd,Rs,Rn ;add register Rd=Rs+Rn
9209 | 1: SUB Rd,Rs,Rn ;subtract register Rd=Rs-Rn
9210 | 2: ADD Rd,Rs,#nn ;add immediate Rd=Rs+nn
9211 | 3: SUB Rd,Rs,#nn ;subtract immediate Rd=Rs-nn
9212 | Pseudo/alias opcode with Imm=0:
9213 | 2: MOV Rd,Rs ;move (affects cpsr) Rd=Rs+0
9214 | 8-6 For Register Operand:
9215 | Rn - Register Operand (R0..R7)
9216 | For Immediate Operand:
9217 | nn - Immediate Value (0-7)
9218 | 5-3 Rs - Source register (R0..R7)
9219 | 2-0 Rd - Destination register (R0..R7)
9220 | ```
9221 |
9222 | Return: Rd contains result, N,Z,C,V affected (including MOV).
9223 |
9224 | Execution Time: 1S
9225 |
9226 | ### THUMB.3: move/compare/add/subtract immediate
9227 |
9228 | ```
9229 | 15-13 Must be 001b for this type of instructions
9230 | 12-11 Opcode
9231 | 00b: MOV Rd,#nn ;move Rd = #nn
9232 | 01b: CMP Rd,#nn ;compare Void = Rd - #nn
9233 | 10b: ADD Rd,#nn ;add Rd = Rd + #nn
9234 | 11b: SUB Rd,#nn ;subtract Rd = Rd - #nn
9235 | 10-8 Rd - Destination Register (R0..R7)
9236 | 7-0 nn - Unsigned Immediate (0-255)
9237 | ```
9238 |
9239 | ARM equivalents for MOV/CMP/ADD/SUB are MOVS/CMP/ADDS/SUBS same format.
9240 |
9241 | Execution Time: 1S
9242 |
9243 | Return: Rd contains result (except CMP), N,Z,C,V affected (for MOV only N,Z).
9244 |
9245 | ### THUMB.4: ALU operations
9246 |
9247 | ```
9248 | 15-10 Must be 010000b for this type of instructions
9249 | 9-6 Opcode (0-Fh)
9250 | 0: AND Rd,Rs ;AND logical Rd = Rd AND Rs
9251 | 1: EOR Rd,Rs ;XOR logical Rd = Rd XOR Rs
9252 | 2: LSL Rd,Rs ;log. shift left Rd = Rd << (Rs AND 0FFh)
9253 | 3: LSR Rd,Rs ;log. shift right Rd = Rd >> (Rs AND 0FFh)
9254 | 4: ASR Rd,Rs ;arit shift right Rd = Rd SAR (Rs AND 0FFh)
9255 | 5: ADC Rd,Rs ;add with carry Rd = Rd + Rs + Cy
9256 | 6: SBC Rd,Rs ;sub with carry Rd = Rd - Rs - NOT Cy
9257 | 7: ROR Rd,Rs ;rotate right Rd = Rd ROR (Rs AND 0FFh)
9258 | 8: TST Rd,Rs ;test Void = Rd AND Rs
9259 | 9: NEG Rd,Rs ;negate Rd = 0 - Rs
9260 | A: CMP Rd,Rs ;compare Void = Rd - Rs
9261 | B: CMN Rd,Rs ;neg.compare Void = Rd + Rs
9262 | C: ORR Rd,Rs ;OR logical Rd = Rd OR Rs
9263 | D: MUL Rd,Rs ;multiply Rd = Rd * Rs
9264 | E: BIC Rd,Rs ;bit clear Rd = Rd AND NOT Rs
9265 | F: MVN Rd,Rs ;not Rd = NOT Rs
9266 | 5-3 Rs - Source Register (R0..R7)
9267 | 2-0 Rd - Destination Register (R0..R7)
9268 | ```
9269 |
9270 | ARM equivalent for NEG would be RSBS.
9271 |
9272 | Return: Rd contains result (except TST,CMP,CMN).
9273 |
9274 | Affected Flags:
9275 |
9276 | ```
9277 | N,Z,C,V for ADC,SBC,NEG,CMP,CMN
9278 | N,Z,C for LSL,LSR,ASR,ROR (carry flag unchanged if zero shift amount)
9279 | N,Z,C for MUL on ARMv4 and below: carry flag destroyed
9280 | N,Z for MUL on ARMv5 and above: carry flag unchanged
9281 | N,Z for AND,EOR,TST,ORR,BIC,MVN
9282 | ```
9283 |
9284 | Execution Time:
9285 |
9286 | ```
9287 | 1S for AND,EOR,ADC,SBC,TST,NEG,CMP,CMN,ORR,BIC,MVN
9288 | 1S+1I for LSL,LSR,ASR,ROR
9289 | 1S+mI for MUL on ARMv4 (m=1..4; depending on MSBs of incoming Rd value)
9290 | 1S+mI for MUL on ARMv5 (m=3; fucking slow, no matter of MSBs of Rd value)
9291 | ```
9292 |
9293 | ### THUMB.5: Hi register operations/branch exchange
9294 |
9295 | ```
9296 | 15-10 Must be 010001b for this type of instructions
9297 | 9-8 Opcode (0-3)
9298 | 0: ADD Rd,Rs ;add Rd = Rd+Rs
9299 | 1: CMP Rd,Rs ;compare Void = Rd-Rs ;CPSR affected
9300 | 2: MOV Rd,Rs ;move Rd = Rs
9301 | 2: NOP ;nop R8 = R8
9302 | 3: BX Rs ;jump PC = Rs ;may switch THUMB/ARM
9303 | 3: BLX Rs ;call PC = Rs ;may switch THUMB/ARM (ARM9)
9304 | 7 MSBd - Destination Register most significant bit (or BL/BLX flag)
9305 | 6 MSBs - Source Register most significant bit
9306 | 5-3 Rs - Source Register (together with MSBs: R0..R15)
9307 | 2-0 Rd - Destination Register (together with MSBd: R0..R15)
9308 | ```
9309 |
9310 | Restrictions: For ADD/CMP/MOV, MSBs and/or MSBd must be set, ie. it is not
9311 | allowed that both are cleared.
9312 |
9313 | When using R15 (PC) as operand, the value will be the address of the
9314 | instruction plus 4 (ie. $+4). Except for BX R15: CPU switches to ARM state, and
9315 | PC is auto-aligned as (($+4) AND NOT 2).
9316 |
9317 | For BX, MSBs may be 0 or 1, MSBd must be zero, Rd is not used/zero.
9318 |
9319 | For BLX, MSBs may be 0 or 1, MSBd must be set, Rd is not used/zero.
9320 |
9321 | For BX/BLX, when Bit 0 of the value in Rs is zero:
9322 |
9323 | ```
9324 | Processor will be switched into ARM mode!
9325 | If so, Bit 1 of Rs must be cleared (32bit word aligned).
9326 | Thus, BX PC (switch to ARM) may be issued from word-aligned address
9327 | only, the destination is PC+4 (ie. the following halfword is skipped).
9328 | ```
9329 |
9330 | BLX may not use R15. BLX saves the return address as LR=PC+3 (with thumb bit).
9331 |
9332 | Using BLX R14 is possible (sets PC=Old\_LR, and New\_LR=retadr).
9333 |
9334 | Assemblers/Disassemblers should use MOV R8,R8 as NOP (in THUMB mode).
9335 |
9336 | Return: Only CMP affects CPSR condition flags!
9337 |
9338 | Execution Time:
9339 |
9340 | ```
9341 | 1S for ADD/MOV/CMP
9342 | 2S+1N for ADD/MOV with Rd=R15, and for BX
9343 | ```
9344 |
9345 | ## THUMB Opcodes: Memory Load/Store (LDR/STR)
9346 |
9347 | ### THUMB.6: load PC-relative (for loading immediates from literal pool)
9348 |
9349 | ```
9350 | 15-11 Must be 01001b for this type of instructions
9351 | N/A Opcode (fixed)
9352 | LDR Rd,[PC,#nn] ;load 32bit Rd = WORD[PC+nn]
9353 | 10-8 Rd - Destination Register (R0..R7)
9354 | 7-0 nn - Unsigned offset (0-1020 in steps of 4)
9355 | ```
9356 |
9357 | The value of PC will be interpreted as (($+4) AND NOT 2).
9358 |
9359 | Return: No flags affected, data loaded into Rd.
9360 |
9361 | Execution Time: 1S+1N+1I
9362 |
9363 | ### THUMB.7: load/store with register offset
9364 |
9365 | ```
9366 | 15-12 Must be 0101b for this type of instructions
9367 | 11-10 Opcode (0-3)
9368 | 0: STR Rd,[Rb,Ro] ;store 32bit data WORD[Rb+Ro] = Rd
9369 | 1: STRB Rd,[Rb,Ro] ;store 8bit data BYTE[Rb+Ro] = Rd
9370 | 2: LDR Rd,[Rb,Ro] ;load 32bit data Rd = WORD[Rb+Ro]
9371 | 3: LDRB Rd,[Rb,Ro] ;load 8bit data Rd = BYTE[Rb+Ro]
9372 | 9 Must be zero (0) for this type of instructions
9373 | 8-6 Ro - Offset Register (R0..R7)
9374 | 5-3 Rb - Base Register (R0..R7)
9375 | 2-0 Rd - Source/Destination Register (R0..R7)
9376 | ```
9377 |
9378 | Return: No flags affected, data loaded either into Rd or into memory.
9379 |
9380 | Execution Time: 1S+1N+1I for LDR, or 2N for STR
9381 |
9382 | ### THUMB.8: load/store sign-extended byte/halfword
9383 |
9384 | ```
9385 | 15-12 Must be 0101b for this type of instructions
9386 | 11-10 Opcode (0-3)
9387 | 0: STRH Rd,[Rb,Ro] ;store 16bit data HALFWORD[Rb+Ro] = Rd
9388 | 1: LDSB Rd,[Rb,Ro] ;load sign-extended 8bit Rd = BYTE[Rb+Ro]
9389 | 2: LDRH Rd,[Rb,Ro] ;load zero-extended 16bit Rd = HALFWORD[Rb+Ro]
9390 | 3: LDSH Rd,[Rb,Ro] ;load sign-extended 16bit Rd = HALFWORD[Rb+Ro]
9391 | 9 Must be set (1) for this type of instructions
9392 | 8-6 Ro - Offset Register (R0..R7)
9393 | 5-3 Rb - Base Register (R0..R7)
9394 | 2-0 Rd - Source/Destination Register (R0..R7)
9395 | ```
9396 |
9397 | Return: No flags affected, data loaded either into Rd or into memory.
9398 |
9399 | Execution Time: 1S+1N+1I for LDR, or 2N for STR
9400 |
9401 | ### THUMB.9: load/store with immediate offset
9402 |
9403 | ```
9404 | 15-13 Must be 011b for this type of instructions
9405 | 12-11 Opcode (0-3)
9406 | 0: STR Rd,[Rb,#nn] ;store 32bit data WORD[Rb+nn] = Rd
9407 | 1: LDR Rd,[Rb,#nn] ;load 32bit data Rd = WORD[Rb+nn]
9408 | 2: STRB Rd,[Rb,#nn] ;store 8bit data BYTE[Rb+nn] = Rd
9409 | 3: LDRB Rd,[Rb,#nn] ;load 8bit data Rd = BYTE[Rb+nn]
9410 | 10-6 nn - Unsigned Offset (0-31 for BYTE, 0-124 for WORD)
9411 | 5-3 Rb - Base Register (R0..R7)
9412 | 2-0 Rd - Source/Destination Register (R0..R7)
9413 | ```
9414 |
9415 | Return: No flags affected, data loaded either into Rd or into memory.
9416 |
9417 | Execution Time: 1S+1N+1I for LDR, or 2N for STR
9418 |
9419 | ### THUMB.10: load/store halfword
9420 |
9421 | ```
9422 | 15-12 Must be 1000b for this type of instructions
9423 | 11 Opcode (0-1)
9424 | 0: STRH Rd,[Rb,#nn] ;store 16bit data HALFWORD[Rb+nn] = Rd
9425 | 1: LDRH Rd,[Rb,#nn] ;load 16bit data Rd = HALFWORD[Rb+nn]
9426 | 10-6 nn - Unsigned Offset (0-62, step 2)
9427 | 5-3 Rb - Base Register (R0..R7)
9428 | 2-0 Rd - Source/Destination Register (R0..R7)
9429 | ```
9430 |
9431 | Return: No flags affected, data loaded either into Rd or into memory.
9432 |
9433 | Execution Time: 1S+1N+1I for LDR, or 2N for STR
9434 |
9435 | ### THUMB.11: load/store SP-relative
9436 |
9437 | ```
9438 | 15-12 Must be 1001b for this type of instructions
9439 | 11 Opcode (0-1)
9440 | 0: STR Rd,[SP,#nn] ;store 32bit data WORD[SP+nn] = Rd
9441 | 1: LDR Rd,[SP,#nn] ;load 32bit data Rd = WORD[SP+nn]
9442 | 10-8 Rd - Source/Destination Register (R0..R7)
9443 | 7-0 nn - Unsigned Offset (0-1020, step 4)
9444 | ```
9445 |
9446 | Return: No flags affected, data loaded either into Rd or into memory.
9447 |
9448 | Execution Time: 1S+1N+1I for LDR, or 2N for STR
9449 |
9450 | ## THUMB Opcodes: Memory Addressing (ADD PC/SP)
9451 |
9452 | ### THUMB.12: get relative address
9453 |
9454 | ```
9455 | 15-12 Must be 1010b for this type of instructions
9456 | 11 Opcode/Source Register (0-1)
9457 | 0: ADD Rd,PC,#nn ;Rd = (($+4) AND NOT 2) + nn
9458 | 1: ADD Rd,SP,#nn ;Rd = SP + nn
9459 | 10-8 Rd - Destination Register (R0..R7)
9460 | 7-0 nn - Unsigned Offset (0-1020, step 4)
9461 | ```
9462 |
9463 | Return: No flags affected, result in Rd.
9464 |
9465 | Execution Time: 1S
9466 |
9467 | ### THUMB.13: add offset to stack pointer
9468 |
9469 | ```
9470 |   15-8   Must be 10110000b for this type of instructions
9471 |   7      Opcode/Sign
9472 |           0: ADD  SP,#nn       ;SP = SP + nn
9473 |           1: ADD  SP,#-nn      ;SP = SP - nn
9474 |   6-0    nn - Unsigned Offset    (0-508, step 4)
9475 | ```
9476 |
9477 | Return: No flags affected, SP adjusted.
9478 |
9479 | Execution Time: 1S
9480 |
9481 | ## THUMB Opcodes: Memory Multiple Load/Store (PUSH/POP and LDM/STM)
9482 |
9483 | ### THUMB.14: push/pop registers
9484 |
9485 | ```
9486 |   15-12  Must be 1011b for this type of instructions
9487 |   11     Opcode (0-1)
9488 |           0: PUSH {Rlist}{LR}   ;store in memory, decrements SP (R13)
9489 |           1: POP  {Rlist}{PC}   ;load from memory, increments SP (R13)
9490 |   10-9   Must be 10b for this type of instructions
9491 |   8      PC/LR Bit (0-1)
9492 |           0: No
9493 |           1: PUSH LR (R14), or POP PC (R15)
9494 |   7-0    Rlist - List of Registers (R7..R0)
9495 | ```
9496 |
9497 | In THUMB mode stack is always meant to be 'full descending', ie. PUSH is
9498 | equivalent to 'STMFD/STMDB' and POP to 'LDMFD/LDMIA' in ARM mode.
9499 |
9500 | Examples:
9501 |
9502 | ```
9503 | PUSH {R0-R3} ;push R0,R1,R2,R3
9504 | PUSH {R0,R2,LR} ;push R0,R2,LR
9505 | POP {R4,R7} ;pop R4,R7
9506 | POP {R2-R4,PC} ;pop R2,R3,R4,PC
9507 | ```
9508 |
9509 | Note: When calling a sub-routine, the return address is stored in the LR
9510 | register. Before calling further sub-routines, PUSH {LR} must be used to save
9511 | the outer return address on the stack. If so, POP {PC} can later be used to
9512 | return from the sub-routine.
9513 |
9514 | POP {PC} ignores the least significant bit of the return address (processor
9515 | remains in thumb state even if bit0 was cleared). When intending to return with
9516 | optional mode switch, use a POP/BX combination (eg. POP {R3} / BX R3).
9517 |
9518 | ARM9: POP {PC} copies the LSB to thumb bit (switches to ARM if bit0=0).
9519 |
9520 | Return: No flags affected, SP adjusted, registers loaded/stored.
9521 |
9522 | Execution Time: nS+1N+1I (POP), (n+1)S+2N+1I (POP PC), or (n-1)S+2N (PUSH).
9523 |
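The stack layout that PUSH and POP produce can be checked with a small model. This is an added example, not part of GBATEK or no$gba; the stack window address, the register values and the names `cpu_t`, `word_at` and `thumb14_exec` are assumptions made for illustration, and the model covers ARMv4T only (POP {PC} drops bit 0).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stack window for the demo; the address is an assumption. */
#define STACK_BASE  0x03007E00u
#define STACK_WORDS 64u

typedef struct {
    uint32_t r[16];             /* r[13]=SP, r[14]=LR, r[15]=PC */
    uint32_t mem[STACK_WORDS];  /* words at STACK_BASE and up */
} cpu_t;

/* Bounds- and alignment-checked access to the modelled stack window. */
static uint32_t *word_at(cpu_t *c, uint32_t addr)
{
    if ((addr & 3u) || addr < STACK_BASE) return NULL;
    uint32_t idx = (addr - STACK_BASE) / 4u;
    return idx < STACK_WORDS ? &c->mem[idx] : NULL;
}

/* Execute one THUMB.14 opcode as on ARMv4T. Returns 0 on success, or -1 for
   other opcodes, an empty register list, or an access outside the window
   (registers and memory are then left unchanged). */
int thumb14_exec(cpu_t *c, uint16_t op)
{
    if ((op & 0xF600u) != 0xB400u) return -1;   /* bits 15-12=1011b, 10-9=10b */
    int is_pop = (op >> 11) & 1;
    unsigned n = 0;
    for (int i = 0; i <= 8; i++) n += (op >> i) & 1u;   /* Rlist plus PC/LR bit */
    if (n == 0) return -1;

    /* Full descending: the block occupies [low, low+4n), lowest register at
       the lowest address, LR/PC at the highest. */
    uint32_t low = is_pop ? c->r[13] : c->r[13] - 4u * n;
    if (!word_at(c, low) || !word_at(c, low + 4u * (n - 1u))) return -1;

    uint32_t addr = low;
    for (int i = 0; i <= 8; i++) {
        if (!((op >> i) & 1u)) continue;
        int reg = (i < 8) ? i : (is_pop ? 15 : 14);     /* bit 8: POP PC / PUSH LR */
        uint32_t *w = word_at(c, addr);
        if (is_pop) c->r[reg] = (reg == 15) ? (*w & ~1u) : *w;  /* bit0 ignored */
        else        *w = c->r[reg];
        addr += 4u;
    }
    c->r[13] = is_pop ? low + 4u * n : low;
    return 0;
}

int main(void)
{
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.r[13] = STACK_BASE + 0x80u;
    c.r[0] = 0x11u; c.r[2] = 0x22u; c.r[14] = 0x08000123u;  /* constructed values */

    thumb14_exec(&c, 0xB505u);                  /* PUSH {R0,R2,LR} */
    printf("after PUSH: SP=%08X\n", (unsigned)c.r[13]);
    for (uint32_t a = c.r[13]; a < STACK_BASE + 0x80u; a += 4u)
        printf("  [%08X] = %08X\n", (unsigned)a, (unsigned)*word_at(&c, a));

    thumb14_exec(&c, 0xBD05u);                  /* POP {R0,R2,PC} */
    printf("after POP:  SP=%08X PC=%08X\n", (unsigned)c.r[13], (unsigned)c.r[15]);
    return 0;
}
```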
9524 | ### THUMB.15: multiple load/store
9525 |
9526 | ```
9527 |   15-12  Must be 1100b for this type of instructions
9528 |   11     Opcode (0-1)
9529 |           0: STMIA Rb!,{Rlist}   ;store in memory, increments Rb
9530 |           1: LDMIA Rb!,{Rlist}   ;load from memory, increments Rb
9531 |   10-8   Rb - Base register (modified) (R0-R7)
9532 |   7-0    Rlist - List of Registers (R7..R0)
9533 | ```
9534 |
9535 | Both STM and LDM increment the Base Register.
9536 |
9537 | The lowest register in the list (ie. R0, if it's in the list) is stored/loaded
9538 | at the lowest memory address.
9539 |
9540 | Examples:
9541 |
9542 | ```
9543 |   STMIA R7!,{R0-R2}  ;store R0,R1,R2
9544 |   LDMIA R0!,{R1,R5}  ;load R1,R5
9545 | ```
9546 |
9547 | Return: No flags affected, Rb adjusted, registers loaded/stored.
9548 |
9549 | Execution Time: nS+1N+1I for LDM, or (n-1)S+2N for STM.
9550 |
9551 | ### Strange Effects on Invalid Rlist's
9552 |
9553 | Empty Rlist: R15 loaded/stored (ARMv4 only), and Rb=Rb+40h (ARMv4-v5).
9554 |
9555 | Writeback with Rb included in Rlist: Store OLD base if Rb is FIRST entry in
9556 | Rlist, otherwise store NEW base (STM/ARMv4), always store OLD base (STM/ARMv5),
9557 | no writeback (LDM/ARMv4/ARMv5; at this point, THUMB opcodes work differently
9558 | than ARM opcodes).
9559 |
9560 | ## THUMB Opcodes: Jumps and Calls
9561 |
9562 | ### THUMB.16: conditional branch
9563 |
9564 | ```
9565 |   15-12  Must be 1101b for this type of instructions
9566 |   11-8   Opcode/Condition (0-Fh)
9567 |           0: BEQ label        ;Z=1         ;equal (zero) (same)
9568 |           1: BNE label        ;Z=0         ;not equal (nonzero) (not same)
9569 |           2: BCS/BHS label    ;C=1         ;unsigned higher or same (carry set)
9570 |           3: BCC/BLO label    ;C=0         ;unsigned lower (carry cleared)
9571 |           4: BMI label        ;N=1         ;negative (minus)
9572 |           5: BPL label        ;N=0         ;positive or zero (plus)
9573 |           6: BVS label        ;V=1         ;overflow (V set)
9574 |           7: BVC label        ;V=0         ;no overflow (V cleared)
9575 |           8: BHI label        ;C=1 and Z=0 ;unsigned higher
9576 |           9: BLS label        ;C=0 or Z=1  ;unsigned lower or same
9577 |           A: BGE label        ;N=V         ;greater or equal
9578 |           B: BLT label        ;N<>V        ;less than
9579 |           C: BGT label        ;Z=0 and N=V ;greater than
9580 |           D: BLE label        ;Z=1 or N<>V ;less or equal
9581 |           E: Undefined, should not be used
9582 |           F: Reserved for SWI instruction (see SWI opcode)
9583 |   7-0    Signed Offset, step 2 ($+4-256..$+4+254)
9584 | ```
9585 |
9586 | Destination address must be halfword aligned (ie. bit 0 cleared)
9587 |
9588 | Return: No flags affected, PC adjusted if condition true
9589 |
9590 | Execution Time:
9591 |
9592 | ```
9593 | 2S+1N if condition true (jump executed)
9594 | 1S if condition false
9595 | ```
9596 |
9597 | ### BX and ADD/MOV PC
9598 |
9599 | See also THUMB.5: BX Rs, and ADD/MOV PC,Rs.
9600 |
9601 | ### THUMB.18: unconditional branch
9602 |
9603 | ```
9604 |   15-11  Must be 11100b for this type of instructions
9605 |   N/A    Opcode (fixed)
9606 |           B label   ;branch (jump)
9607 |   10-0   Signed Offset, step 2 ($+4-2048..$+4+2046)
9608 | ```
9609 |
9610 | Return: No flags affected, PC adjusted.
9611 |
9612 | Execution Time: 2S+1N
9613 |
9614 | ### THUMB.19: long branch with link
9615 |
9616 | This may be used to call (or jump to) a subroutine; the return address is
9617 | saved in LR (R14).
9618 |
9619 | Unlike all other THUMB mode instructions, this instruction occupies 32bit of
9620 | memory which are split into two 16bit THUMB opcodes.
9621 |
9622 | - First Instruction - LR = PC+4+(nn SHL 12)
9623 |   - 15-11 Must be 11110b for BL/BLX type of instructions
9624 |   - 10-0 nn - Upper 11 bits of Target Address
9625 | - Second Instruction - PC = LR + (nn SHL 1), and LR = PC+2 OR 1 (and BLX: T=0)
9626 |   - 15-11 Opcode
9627 |     - 11111b: BL label ;branch long with link
9628 |     - 11101b: BLX label ;branch long with link switch to ARM mode (ARM9)
9629 |   - 10-0 nn - Lower 11 bits of Target Address (BLX: Bit0 Must be zero)
9630 |
9631 | The destination address range is (PC+4)-400000h..+3FFFFEh, ie. PC+/-4M.
9632 |
9633 | Target must be halfword-aligned. As Bit 0 in LR is set, it may be used to
9634 | return by a BX LR instruction (keeping CPU in THUMB mode).
9635 |
9636 | Return: No flags affected, PC adjusted, return address in LR.
9637 |
9638 | Execution Time: 3S+1N (first opcode 1S, second opcode 2S+1N).
9639 |
9640 | Note: Exceptions may or may not occur between first and second opcode, this is
9641 | "implementation defined" (unknown how this is implemented in GBA and NDS).
9642 |
9643 | Using only the 2nd half of BL as "BL LR+imm" is possible (for example, Mario
9644 | Golf Advance Tour for GBA uses opcode F800h as "BL LR+0").
9645 |
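The two-halfword BL sequence above, modelled step by step together with an encoder that enforces the stated range and alignment. This is an added example, not code from GBATEK or no$gba; the addresses are constructed, the names `regs_t`, `bl_first`, `bl_second` and `bl_encode` are hypothetical, and clearing bit 0 of the resulting PC is a modelling assumption. Only BL is handled, since BLX is ARM9.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t pc, lr; } regs_t;

/* Sign-extend the 11-bit nn field of the first halfword. */
static int32_t sext11(uint32_t nn)
{
    return (int32_t)(nn & 0x3FFu) - (int32_t)(nn & 0x400u);
}

/* First halfword, located at addr ($): LR = $+4+(nn SHL 12). */
int bl_first(regs_t *r, uint32_t addr, uint16_t op)
{
    if ((op & 0xF800u) != 0xF000u) return -1;       /* bits 15-11 = 11110b */
    r->lr = addr + 4u + ((uint32_t)sext11(op & 0x7FFu) << 12);
    return 0;
}

/* Second halfword, located at addr: PC = LR+(nn SHL 1), LR = (addr+2) OR 1.
   It works on whatever LR holds, so it also models a lone second half
   such as F800h ("BL LR+0"). */
int bl_second(regs_t *r, uint32_t addr, uint16_t op)
{
    if ((op & 0xF800u) != 0xF800u) return -1;       /* bits 15-11 = 11111b */
    uint32_t target = r->lr + ((uint32_t)(op & 0x7FFu) << 1);
    r->pc = target & ~1u;       /* assumption: PC bit 0 is clear in THUMB code */
    r->lr = (addr + 2u) | 1u;   /* return address with bit 0 set for BX LR */
    return 0;
}

/* Encode "BL target" placed at addr. Rejects targets that are not
   halfword-aligned or lie outside (addr+4)-400000h..+3FFFFEh. */
int bl_encode(uint32_t addr, uint32_t target, uint16_t out[2])
{
    int64_t off = (int64_t)target - ((int64_t)addr + 4);
    if ((target & 1u) || off < -0x400000 || off > 0x3FFFFE) return -1;
    uint32_t u = (uint32_t)off;
    out[0] = (uint16_t)(0xF000u | ((u >> 12) & 0x7FFu));   /* upper 11 bits */
    out[1] = (uint16_t)(0xF800u | ((u >> 1) & 0x7FFu));    /* lower 11 bits */
    return 0;
}

int main(void)
{
    uint16_t pair[2];
    regs_t r = { 0, 0 };
    uint32_t at = 0x08000100u, to = 0x08000000u;    /* constructed addresses */

    if (bl_encode(at, to, pair) == 0) {
        bl_first(&r, at, pair[0]);
        bl_second(&r, at + 2u, pair[1]);
        printf("%04X %04X -> PC=%08X LR=%08X\n", (unsigned)pair[0],
               (unsigned)pair[1], (unsigned)r.pc, (unsigned)r.lr);
    }
    r.lr = 0x08000300u;                             /* lone second half */
    bl_second(&r, 0x08000400u, 0xF800u);
    printf("F800 -> PC=%08X LR=%08X\n", (unsigned)r.pc, (unsigned)r.lr);
    return 0;
}
```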
9646 | ### THUMB.17: software interrupt and breakpoint
9647 |
9648 | SWI is intended for calls to the operating system - enters Supervisor mode
9649 | (SVC) in ARM state. BKPT is intended for debugging - enters Abort mode in ARM
9650 | state via the Prefetch Abort vector.
9651 |
9652 | ```
9653 |   15-8   Opcode
9654 |           11011111b: SWI nn   ;software interrupt
9655 |           10111110b: BKPT nn  ;software breakpoint (ARMv5 and up)
9656 |   7-0    nn - Comment Field, ignored by processor (8bit value) (0-255)
9657 | ```
9658 |
9659 | Execution Time: 2S+1N
9660 |
9661 | The exception handler may interpret the SWI Comment Field by examining the
9662 | lower 8bit of the 16bit opcode at [R14\_svc-2].
9663 |
9664 | If you are also using SWIs from inside of ARM mode, then the SWI handler must
9665 | examine the T Bit in SPSR\_svc in order to determine whether it's been an ARM
9666 | SWI - and if so, examine the lower 24bit of the 32bit opcode at [R14\_svc-4].
9667 |
9668 | For returning from SWI use "MOVS PC,R14"; that instruction restores both PC
9669 | and CPSR, ie. PC=R14\_svc, and CPSR=SPSR\_svc, and (as called from THUMB mode),
9670 | it'll also restore THUMB mode.
9671 |
9672 | Nesting SWIs: SPSR\_svc and R14\_svc should be saved on stack before either
9673 | invoking nested SWIs, or (if the IRQ handler uses SWIs) before enabling IRQs.
9674 |
9675 | Execution SWI/BKPT:
9676 |
9677 | ```
9678 |   R14_svc=PC+2     R14_abt=PC+4   ;save return address
9679 |   SPSR_svc=CPSR    SPSR_abt=CPSR  ;save CPSR flags
9680 |   CPSR=            CPSR=          ;Enter svc/abt, ARM state, IRQs disabled
9681 |   PC=VVVV0008h     PC=VVVV000Ch   ;jump to SWI/PrefetchAbort vector address
9682 | ```
9683 |
9684 | ## ARM Pseudo Instructions and Directives
9685 |
9686 | ### ARM Pseudo Instructions
9687 |
9688 | ```
9689 |   nop              mov r0,r0
9690 |   ldr Rd,=Imm      ldr Rd,[r15,disp] ;use .pool as parameter field
9691 |   add Rd,=addr     add/sub Rd,r15,disp
9692 |   adr Rd,addr      add/sub Rd,r15,disp
9693 |   adrl Rd,addr     two add/sub opcodes with disp=xx00h+00yyh
9694 |   mov Rd,Imm       mvn Rd,NOT Imm    ;or vice-versa
9695 |   and Rd,Rn,Imm    bic Rd,Rn,NOT Imm ;or vice-versa
9696 |   cmp Rd,Rn,Imm    cmn Rd,Rn,-Imm    ;or vice-versa
9697 |   add Rd,Rn,Imm    sub Rd,Rn,-Imm    ;or vice-versa
9698 | ```
9699 |
9700 | All above opcodes may be made conditional by specifying a {cond} field.
9701 |
9702 | ### THUMB Pseudo Instructions
9703 |
9704 | ```
9705 |   nop              mov r8,r8
9706 |   ldr Rd,=Imm      ldr Rd,[r15,disp] ;use .pool as parameter field
9707 |   add Rd,=addr     add Rd,r15,disp
9708 |   adr Rd,addr      add Rd,r15,disp
9709 |   mov Rd,Rs        add Rd,Rs,0       ;with Rd,Rs in range r0-r7 each
9710 | ```
9711 |
9712 | ### A22i Directives
9713 |
9714 | ```
9715 |   org adr      assume following code from this address on
9716 |   .gba         indicate GBA program
9717 |   .nds         indicate NDS program
9718 |   .dsi         indicate DSi program
9719 |   .fix         fix GBA/NDS/DSi header checksum
9720 |   .ereader_create_bmp      create GBA e-Reader dotcode .BMP file(s) (bitmaps)
9721 |   .ereader_create_raw      create GBA e-Reader dotcode .RAW file (useless)
9722 |   .ereader_create_bin      create GBA e-Reader dotcode .BIN file (smallest)
9723 |   .ereader_japan_plus      japanese/plus (default is non-japanese)
9724 |   .ereader_japan_original  japanese/original (with Z80-stub for GBA-code)
9725 |   .title 'Txt' defines a title (used for e-Reader dotcodes)
9726 |   .teak        select TeakLiteII instruction set (for DSi DSP)
9727 |   .xtensa      select Xtensa instruction set (for DSi Atheros Wifi)
9728 |   .norewrite   do not delete existing output file (keep following data in file)
9729 |   .data?       following defines RAM data structure (assembled to nowhere)
9730 |   .code        following is normal ROM code/data (assembled to ROM image)
9731 |   .include     includes specified source code file (no nesting/error handling)
9732 |   .import      imports specified binary file (optional parameters: ,begin,len)
9733 |   .radix nn    changes default numeric format (nn=2,8,10,16 = bin/oct/dec/hex)
9734 |   .errif expr  generates an error message if expression is nonzero
9735 |   .if expr     assembles following code only if expression is nonzero
9736 |   .else        invert previous .if condition
9737 |   .endif       terminate .if/.ifdef/.ifndef
9738 |   .ifdef sym   assemble following only if symbol is defined
9739 |   .ifndef sym  assemble following only if symbol is not defined
9740 |   .align nn    aligns to an address divisible-by-nn, inserts 00's
9741 |   .msg         defines a no$gba debugmessage string, such like .msg 'Init Okay'
9742 |   .brk         defines a no$gba source code break opcode
9743 |   l equ n      l=n
9744 |   l: [cmd]     l=$   (global label)
9745 |   @@l: [cmd]   @@l=$ (local label, all locals are reset at next global label)
9746 |   end          end of source code
9747 |   db ...       define 8bit data (bytes)
9748 |   dw ...       define 16bit data (halfwords)
9749 |   dd ...       define 32bit data (words)
9750 |   defs nn      define nn bytes space (zero-filled)
9751 |   ;...         defines a comment (ignored by the assembler)
9752 |   //           alias for CRLF, eg. allows in one line
9753 | ```
9754 |
9755 | ### A22i Alias Directives (for compatibility with other assemblers)
9756 |
9757 | ```
9758 |   align         .align 4          code16    .thumb
9759 |   align nn      .align nn         .code 16  .thumb
9760 |   % nn          defs nn           code32    .arm
9761 |   .space nn     defs nn           .code 32  .arm
9762 |   ..ds nn       defs nn           ltorg     .pool
9763 |   x=n           x equ n           .ltorg    .pool
9764 |   .equ x,n      x equ n           ..ltorg   .pool
9765 |   .define x n   x equ n           dcb       db (8bit data)
9766 |   incbin        .import           defb      db (8bit data)
9767 |   @@@...        ;comment          .byte     db (8bit data)
9768 |   @ ...         ;comment          .ascii    db (8bit string)
9769 |   @*...         ;comment          dcw       dw (16bit data)
9770 |   @...          ;comment          defw      dw (16bit data)
9771 |   .text         .code             .hword    dw (16bit data)
9772 |   .bss          .data?            dcd       dd (32bit data)
9773 |   .global       (ignored)         defd      dd (32bit data)
9774 |   .extern       (ignored)         .long     dd (32bit data)
9775 |   .thumb_func   (ignored)         .word     dw/dd, don't use
9776 |   #directive    .directive        .end      end
9777 |   .fill nn,1,0  defs nn
9778 | ```
9779 |
9780 | ### Alias Conditions, Opcodes, Operands
9781 |
9782 | ```
9783 | hs cs ;condition higher or same = carry set
9784 | lo cc ;condition lower = carry cleared
9785 | asl lsl ;arithmetic shift left = logical shift left
9786 | ```
9787 |
9788 | ### A22i Numeric Formats & Dialects
9789 |
9790 | ```
9791 |   Type          Normal     Alias
9792 |   Decimal       85         #85  &d85
9793 |   Hexadecimal   55h        #55h  0x55  #0x55  $55  &h55
9794 |   Octal         125o       0o125  &o125
9795 |   Ascii         'U'        "U"
9796 |   Binary        01010101b  %01010101  0b01010101  &b01010101
9797 |   Roman         &rLXXXV    (very useful for arrays of kings and chapters)
9798 | ```
9799 |
9800 | Note: The default numeric format can be changed by the .radix directive
9801 | (usually 10=decimal). For example, with radix 16, values like "85" and "0101b"
9802 | are treated as hexadecimal numbers (in that case, decimal and binary numbers
9803 | can be still defined with prefixes &d and &b).
9804 |
9805 | ### A22i Numeric Operators Priority
9806 |
9807 | ```
9808 |   Prio  Operator           Aliases
9809 |   8     (,)                brackets
9810 |   7     +,-                sign
9811 |   6     *,/,MOD,SHL,SHR    MUL,DIV,<<,>>
9812 |   5     +,-                operation
9813 |   4     EQ,GE,GT,LE,LT,NE  =,>=,>,<=,<,<>,==,!=
9814 |   3     NOT
9815 |   2     AND
9816 |   1     OR,XOR             EOR
9817 | ```
9818 |
9819 | Operators of same priority are processed from left to right.
9820 |
9821 | Boolean operators (priority 4) return 1=TRUE, 0=FALSE.
9822 |
9823 | ### A22i Nocash Syntax
9824 |
9825 | Even though A22i does recognize the official ARM syntax, it also allows the
9826 | use of friendlier code:
9827 |
9828 | ```
9829 | mov r0,0ffh ;no C64-style "#", and no C-style "0x" required
9830 | stmia [r7]!,r0,r4-r5 ;square [base] brackets, no fancy {rlist} brackets
9831 | mov r0,cpsr ;no confusing MSR and MRS (whatever which is which)
9832 | mov r0,p0,0,c0,c0,0 ;no confusing MCR and MRC (whatever which is which)
9833 | ldr r0,[score] ;allows to use clean brackets for relative addresses
9834 | push rlist ;alias for stmfd [r13]!,rlist (and same for pop/ldmfd)
9835 | label: ;label definitions recommended to use ":" colons
9836 | ```
9837 |
9838 | [A22i is the no$gba debug version's built-in source code assembler.]
9839 |
9840 |
9841 |
9842 |
9843 |
9844 |
9845 |
9846 |
9847 |
9848 |
9849 | ## ARM CPU Instruction Cycle Times
9850 |
9851 | Instruction Cycle Summary
9852 |
9853 | ```
9854 |   Instruction      Cycles      Additional
9855 |   ---------------------------------------------------------------------
9856 |   ALU              1S          +1S+1N if R15 loaded, +1I if SHIFT(Rs)
9857 |   MSR,MRS          1S
9858 |   LDR              1S+1N+1I    +1S+1N if R15 loaded
9859 |   STR              2N
9860 |   LDM              nS+1N+1I    +1S+1N if R15 loaded
9861 |   STM              (n-1)S+2N
9862 |   SWP              1S+2N+1I
9863 |   BL (THUMB)       3S+1N
9864 |   B,BL             2S+1N
9865 |   SWI,trap         2S+1N
9866 |   MUL              1S+mI
9867 |   MLA              1S+(m+1)I
9868 |   MULL             1S+(m+1)I
9869 |   MLAL             1S+(m+2)I
9870 |   CDP              1S+bI
9871 |   LDC,STC          (n-1)S+2N+bI
9872 |   MCR              1N+bI+1C
9873 |   MRC              1S+(b+1)I+1C
9874 |   {cond} false     1S
9875 | ```
9876 |
9877 | ARM9:
9878 |
9879 | ```
9880 | Q{D}ADD/SUB 1S+Interlock.
9881 | CLZ 1S.
9882 | LDR 1S+1N+1L
9883 | LDRB,LDRH,LDRmis 1S+1N+2L
9884 | LDR PC ...
9885 | STR 1S+1N (not 2N, and both in parallel)
9886 | ```
9887 |
9888 | Execution Time: 1S+Interlock (SMULxy,SMLAxy,SMULWx,SMLAWx)
9889 |
9890 | Execution Time: 1S+1I+Interlock (SMLALxy)
9891 |
9892 | Whereas,
9893 |
9894 | ```
9895 | n = number of words transferred
9896 | b = number of cycles spent in coprocessor busy-wait loop
9897 | m = depends on most significant byte(s) of multiplier operand
9898 | ```
9899 |
9900 | Above 'trap' is meant to be the execution time for exceptions. And '{cond}
9901 | false' is meant to be the execution time for conditional instructions which
9902 | haven't been actually executed because the condition has been false.
9903 |
9904 | The separate meaning of the N,S,I,C cycles is:
9905 |
9906 | ### N - Non-sequential cycle
9907 |
9908 | Requests a transfer to/from an address which is NOT related to the address used
9909 | in the previous cycle. (Called 1st Access in GBA language).
9910 |
9911 | The execution time for 1N is 1 clock cycle (plus non-sequential access
9912 | waitstates).
9913 |
9914 | ### S - Sequential cycle
9915 |
9916 | Requests a transfer to/from an address which is located directly after the
9917 | address used in the previous cycle. Ie. for 16bit or 32bit accesses at
9918 | incrementing addresses, the first access is Non-sequential, the following
9919 | accesses are sequential. (Called 2nd Access in GBA language).
9920 |
9921 | The execution time for 1S is 1 clock cycle (plus sequential access waitstates).
9922 |
9923 | ### I - Internal Cycle
9924 |
9925 | CPU is just too busy, not even requesting a memory transfer for now.
9926 |
9927 | The execution time for 1I is 1 clock cycle (without any waitstates).
9928 |
9929 | ### C - Coprocessor Cycle
9930 |
9931 | The CPU uses the data bus to communicate with the coprocessor (if any), but no
9932 | memory transfers are requested.
9933 |
9934 | ### Memory Waitstates
9935 |
9936 | Ideally, memory may be accessed free of waitstates (1N and 1S are then equal to
9937 | 1 clock cycle each). However, a memory system may generate waitstates for
9938 | several reasons: The memory may be just too slow. Memory is currently accessed
9939 | by DMA, eg. sound, video, memory transfers, etc. Or when data is squeezed
9940 | through a 16bit data bus (in that special case, 32bit access may have more
9941 | waitstates than 8bit and 16bit accesses). Also, the memory system may separate
9942 | between S and N cycles (if so, S cycles would be typically faster than N
9943 | cycles).
9944 |
9945 | ### Memory Waitstates for Different Memory Areas
9946 |
9947 | Different memory areas (eg. ROM and RAM) may have different waitstates. When
9948 | executing code in one area which accesses data in another area, then the S+N
9949 | cycles must be split into code and data accesses: 1N is used for data access,
9950 | plus (n-1)S for LDM/STM, the remaining S+N are code access. If an instruction
9951 | jumps to a different memory area, then all code cycles for that opcode are
9952 | having waitstate characteristics of the NEW memory area (except Thumb BL which
9953 | still executes 1S in OLD area).
9954 |
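The code/data split and the branch rule described above, worked through in code. This is an added example, not taken from GBATEK or no$gba; the waitstate counts in `FAST` and `SLOW` are constructed values rather than GBA figures, and all names are hypothetical.

```c
#include <stdio.h>

/* Waitstates a memory area adds to each N (non-sequential) and
   S (sequential) access. */
typedef struct { unsigned n_ws, s_ws; } area_t;
typedef enum { OP_LDR, OP_STR, OP_LDM, OP_STM } memop_t;

/* Constructed areas for the demo: one without waitstates, one with
   3 N-waitstates and 1 S-waitstate. */
static const area_t FAST = { 0u, 0u };
static const area_t SLOW = { 3u, 1u };

static unsigned n_cyc(area_t a) { return 1u + a.n_ws; }
static unsigned s_cyc(area_t a) { return 1u + a.s_ws; }

/* Clock cycles for a load/store whose opcode is fetched from `code` and
   which transfers n words in `data` (n is forced to 1 for LDR/STR).
   Data side: 1N plus (n-1)S. Code side: what is left of the summary
   formula (1S for LDR/LDM, 1N for STR/STM). I cycles never wait. */
unsigned memop_cycles(memop_t op, unsigned n, area_t code, area_t data)
{
    if (op == OP_LDR || op == OP_STR) n = 1u;
    if (n == 0u) return 0u;                 /* empty Rlist is not modelled */
    unsigned data_part = n_cyc(data) + (n - 1u) * s_cyc(data);
    if (op == OP_LDR || op == OP_LDM)
        return data_part + s_cyc(code) + 1u;    /* remaining 1S, plus 1I */
    return data_part + n_cyc(code);             /* remaining 1N */
}

/* Cycles for a taken branch from area `from` into area `to`.
   B/BL: 2S+1N, all with the waitstates of the NEW area.
   THUMB BL: 3S+1N, where the first 1S still executes in the OLD area. */
unsigned branch_cycles(int thumb_bl, area_t from, area_t to)
{
    unsigned c = 2u * s_cyc(to) + n_cyc(to);
    return thumb_bl ? c + s_cyc(from) : c;
}

int main(void)
{
    printf("LDM x4, code SLOW, data FAST: %u\n", memop_cycles(OP_LDM, 4u, SLOW, FAST));
    printf("STM x4, code SLOW, data FAST: %u\n", memop_cycles(OP_STM, 4u, SLOW, FAST));
    printf("LDM x4, code FAST, data SLOW: %u\n", memop_cycles(OP_LDM, 4u, FAST, SLOW));
    printf("B        FAST -> SLOW: %u\n", branch_cycles(0, FAST, SLOW));
    printf("THUMB BL FAST -> SLOW: %u\n", branch_cycles(1, FAST, SLOW));
    printf("THUMB BL SLOW -> FAST: %u\n", branch_cycles(1, SLOW, FAST));
    return 0;
}
```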
9955 | ## ARM CPU Versions
9956 |
9957 | ### Version Numbers
9958 |
9959 | ARM CPUs are distributed by name ARM#, and are described as ARMv# in
9960 | specifications, whereas "#" is NOT the same as "v#", for example, ARM7TDMI is
9961 | ARMv4TM. That is so confusing, that ARM didn't even attempt to clarify the
9962 | relationship between the various "#" and "v#" values.
9963 |
9964 | ### Version Variants
9965 |
9966 | Suffixes like "M" (long multiply), "T" (Thumb support), "E" (Enhanced DSP)
9967 | indicate presence of special features, additionally to the standard instruction
9968 | set of a given version, or, when preceded by an "x", indicate the absence of
9969 | those features.
9970 |
9971 | ### ARMv1 aka ARM1
9972 |
9973 | Some sort of a beta version, according to ARM never been used in any commercial
9974 | products.
9975 |
9976 | ### ARMv2 and up
9977 |
9978 | MUL,MLA
9979 |
9980 | CDP,LDC,MCR,MRC,STC
9981 |
9982 | SWP/SWPB (ARMv2a and up only)
9983 |
9984 | Two new FIQ registers
9985 |
9986 | ### ARMv3 and up
9987 |
9988 | MRS,MSR opcodes (instead of CMP/CMN/TST/TEQ{P} opcodes)
9989 |
9990 | CPSR,SPSR registers (instead of PSR bits in R15)
9991 |
9992 | Removed never condition, cond=NV no longer valid
9993 |
9994 | 32bit addressing (instead of 26bit addressing in older versions)
9995 |
9996 | 26bit addressing backwards compatibility mode (except v3G)
9997 |
9998 | Abt and Und modes (instead of handling aborts/undefined in Svc mode)
9999 |
10000 | SMLAL,SMULL,UMLAL,UMULL (optionally, INCLUDED in v3M, EXCLUDED in v4xM/v5xM)
10001 |
10002 | ### ARMv4 aka ARM7 and up
10003 |
10004 | LDRH,LDRSB,LDRSH,STRH
10005 |
10006 | Sys mode (privileged user mode)
10007 |
10008 | BX (only ARMv4T, and any ARMv5 or ARMv5T and up)
10009 |
10010 | THUMB code (only T variants, ie. ARMv4T, ARMv5T)
10011 |
10012 | ### ARMv5 aka ARM9 and up
10013 |
10014 | BKPT,BLX,CLZ (BKPT,BLX also in THUMB mode)
10015 |
10016 | LDM/LDR/POP PC with mode switch (POP PC also in THUMB mode)
10017 |
10018 | CDP2,LDC2,MCR2,MRC2,STC2 (new coprocessor opcodes)
10019 |
10020 | C-flag unchanged by MUL (instead undefined flag value)
10021 |
10022 | changed instruction cycle timings / interlock ??? or not ???
10023 |
10024 | QADD,QDADD,QDSUB,QSUB opcodes, CPSR.Q flag (v5TE and V5TExP only)
10025 |
10026 | SMLAxy,SMLALxy,SMLAWy,SMULxy,SMULWy (v5TE and V5TExP only)
10027 |
10028 | LDRD,STRD,PLD,MCRR,MRRC (v5TE only, not v5, not v5TExP)
10029 |
10030 | ### ARMv6
10031 |
10032 | No public specifications available.
10033 |
10034 | ### A Milestone in Computer History
10035 |
10036 | The original ARMv2 was used in the relatively rare and expensive Archimedes
10037 | deluxe home computers in the late eighties. The Archimedes has caught a lot of
10038 | attention, particularly for being the first home computer that used a BIOS
10039 | programmed in BASIC language - which was an absolutely revolutionary
10040 | decadency at that time.
10041 |
10042 | Inspired, programmers all over the world have successfully developed even
10043 | slower and much more inefficient programming languages, which are nowadays
10044 | consequently used by nearly all ARM programmers, and by most non-ARM
10045 | programmers as well.
10046 |
10047 | ## ARM CPU Data Sheet
10048 |
10049 | This present document is an attempt to supply a brief ARM7TDMI reference,
10050 | hopefully including all information which is relevant for programmers.
10051 |
10052 | Some details that I have treated as meaningless for GBA programming aren't
10053 | included - such as Big Endian format, and Virtual Memory data aborts, and
10054 | most of the chapters listed below.
10055 |
10056 | Have a look at the complete data sheet (URL see below) for more detailed
10057 | verbose information about ARM7TDMI instructions. That document also includes:
10058 |
10059 | - Signal Description
10060 |
10061 | ```
10062 | Pins of the original CPU, probably other for GBA.
10063 | ```
10064 |
10065 | - Memory Interface
10066 |
10067 | ```
10068 | Optional virtual memory circuits, etc. not for GBA.
10069 | ```
10070 |
10071 | - Coprocessor Interface
10072 |
10073 | ```
10074 | As far as I know, none such in GBA.
10075 | ```
10076 |
10077 | - Debug Interface
10078 |
10079 | ```
10080 | For external hardware-based debugging.
10081 | ```
10082 |
10083 | - ICEBreaker Module
10084 |
10085 | ```
10086 | For external hardware-based debugging also.
10087 | ```
10088 |
10089 | - Instruction Cycle Operations
10090 |
10091 | ```
10092 | Detailed: What happens during each cycle of each instruction.
10093 | ```
10094 |
10095 | - DC Parameters (Power supply)
10096 |
10097 | - AC Parameters (Signal timings)
10098 |
10099 | The official ARM7TDMI data sheet can be downloaded from ARM's webpage,
10100 |
10101 | ```
10102 | http://www.arm.com/Documentation/UserMans/PDF/ARM7TDMI.html
10103 | ```
10104 |
10105 | Be prepared for bloated PDF Format, approx 1.3 MB, about 200 pages.
10106 |
10107 | ## BIOS Functions
10108 |
10109 | The BIOS includes several System Call Functions which can be accessed by SWI
10110 | instructions. Incoming parameters are usually passed through registers
10111 | R0,R1,R2,R3. Outgoing registers R0,R1,R3 typically contain either
10112 | garbage, or return value(s). All other registers (R2,R4-R14) are kept
10113 | unchanged.
10114 |
10115 | ### Caution
10116 |
10117 | When invoking SWIs from inside of ARM state specify SWI NN\*10000h, instead of
10118 | SWI NN as in THUMB state.
10119 |
10120 | ### Overview
10121 |
10122 | - [BIOS Function Summary](#biosfunctionsummary)
10123 | - [BIOS Differences between GBA and NDS functions](#biosdifferencesbetweengbaandndsfunctions)
10124 |
10125 | ### All Functions Described
10126 |
10127 | - [BIOS Arithmetic Functions](#biosarithmeticfunctions)
10128 | - [BIOS Rotation/Scaling Functions](#biosrotationscalingfunctions)
10129 | - [BIOS Decompression Functions](#biosdecompressionfunctions)
10130 | - [BIOS Memory Copy](#biosmemorycopy)
10131 | - [BIOS Halt Functions](#bioshaltfunctions)
10132 | - [BIOS Reset Functions](#biosresetfunctions)
10133 | - [BIOS Misc Functions](#biosmiscfunctions)
10134 | - [BIOS Multi Boot (Single Game Pak)](#biosmultibootsinglegamepak)
10135 | - [BIOS Sound Functions](#biossoundfunctions)
10136 | - [BIOS SHA1 Functions (DSi only)](#biossha1functionsdsionly)
10137 | - [BIOS RSA Functions (DSi only)](#biosrsafunctionsdsionly)
10138 |
10139 | ### RAM Usage, BIOS Dumps
10140 |
10141 | - [BIOS RAM Usage](#biosramusage)
10142 | - [BIOS Dumping](#biosdumping)
10143 |
10144 | ### How BIOS Processes SWIs
10145 |
10146 | SWIs can be called from both within THUMB and ARM mode. In ARM mode, only the
10147 | upper 8bit of the 24bit comment field are interpreted.
10148 |
10149 | Each time when calling a BIOS function 4 words (SPSR, R11, R12, R14) are saved
10150 | on Supervisor stack (\_svc). Once it has saved that data, the SWI handler
10151 | switches into System mode, so that all further stack operations are using user
10152 | stack.
10153 |
10154 | In some cases the BIOS may allow interrupts to be executed from inside of the
10155 | SWI procedure. If so, and if the interrupt handler calls further SWIs, then
10156 | care should be taken that the Supervisor Stack does not overflow.
10157 |
10158 | ## BIOS Function Summary
10159 |
10160 | ```
10161 | GBA NDS7 NDS9 DSi7 DSi9 Basic Functions
10162 | 00h 00h 00h - - SoftReset
10163 | 01h - - - - RegisterRamReset
10164 | 02h 06h 06h 06h 06h Halt
10165 | 03h 07h - 07h - Stop/Sleep
10166 | 04h 04h 04h 04h 04h IntrWait ;DSi7/DSi9: both bugged?
10167 | 05h 05h 05h 05h 05h VBlankIntrWait ;DSi7/DSi9: both bugged?
10168 | 06h 09h 09h 09h 09h Div
10169 | 07h - - - - DivArm
10170 | 08h 0Dh 0Dh 0Dh 0Dh Sqrt
10171 | 09h - - - - ArcTan
10172 | 0Ah - - - - ArcTan2
10173 | 0Bh 0Bh 0Bh 0Bh 0Bh CpuSet
10174 | 0Ch 0Ch 0Ch 0Ch 0Ch CpuFastSet
10175 | 0Dh - - - - GetBiosChecksum
10176 | 0Eh - - - - BgAffineSet
10177 | 0Fh - - - - ObjAffineSet
10178 | GBA NDS7 NDS9 DSi7 DSi9 Decompression Functions
10179 | 10h 10h 10h 10h 10h BitUnPack
10180 | 11h 11h 11h 11h 11h LZ77UnCompReadNormalWrite8bit ;"Wram"
10181 | 12h - - - - LZ77UnCompReadNormalWrite16bit ;"Vram"
10182 | - - - 01h 01h LZ77UnCompReadByCallbackWrite8bit
10183 | - 12h 12h 02h 02h LZ77UnCompReadByCallbackWrite16bit
10184 | - - - 19h 19h LZ77UnCompReadByCallbackWrite16bit (same as above)
10185 | 13h - - - - HuffUnCompReadNormal
10186 | - 13h 13h 13h 13h HuffUnCompReadByCallback
10187 | 14h 14h 14h 14h 14h RLUnCompReadNormalWrite8bit ;"Wram"
10188 | 15h - - - - RLUnCompReadNormalWrite16bit ;"Vram"
10189 | - 15h 15h 15h 15h RLUnCompReadByCallbackWrite16bit
10190 | 16h - 16h - 16h Diff8bitUnFilterWrite8bit ;"Wram"
10191 | 17h - - - - Diff8bitUnFilterWrite16bit ;"Vram"
10192 | 18h - 18h - 18h Diff16bitUnFilter
10193 | GBA NDS7 NDS9 DSi7 DSi9 Sound (and Multiboot/HardReset/CustomHalt)
10194 | 19h 08h - 08h - SoundBias
10195 | 1Ah - - - - SoundDriverInit
10196 | 1Bh - - - - SoundDriverMode
10197 | 1Ch - - - - SoundDriverMain
10198 | 1Dh - - - - SoundDriverVSync
10199 | 1Eh - - - - SoundChannelClear
10200 | 1Fh - - - - MidiKey2Freq
10201 | 20h - - - - SoundWhatever0
10202 | 21h - - - - SoundWhatever1
10203 | 22h - - - - SoundWhatever2
10204 | 23h - - - - SoundWhatever3
10205 | 24h - - - - SoundWhatever4
10206 | 25h - - - - MultiBoot
10207 | 26h - - - - HardReset
10208 | 27h 1Fh - 1Fh - CustomHalt
10209 | 28h - - - - SoundDriverVSyncOff
10210 | 29h - - - - SoundDriverVSyncOn
10211 | 2Ah - - - - SoundGetJumpList
10212 | GBA NDS7 NDS9 DSi7 DSi9 New NDS Functions
10213 | - 03h 03h 03h 03h WaitByLoop
10214 | - 0Eh 0Eh 0Eh 0Eh GetCRC16
10215 | - 0Fh 0Fh - - IsDebugger
10216 | - 1Ah - 1Ah - GetSineTable
10217 | - 1Bh - 1Bh - GetPitchTable (DSi7: bugged)
10218 | - 1Ch - 1Ch - GetVolumeTable
10219 | - 1Dh - 1Dh - GetBootProcs (DSi7: only 1 proc)
10220 | - - 1Fh - 1Fh CustomPost
10221 | GBA NDS7 NDS9 DSi7 DSi9 New DSi Functions (RSA/SHA1)
10222 | - - - 20h 20h RSA_Init_crypto_heap
10223 | - - - 21h 21h RSA_Decrypt
10224 | - - - 22h 22h RSA_Decrypt_Unpad
10225 | - - - 23h 23h RSA_Decrypt_Unpad_OpenPGP_SHA1
10226 | - - - 24h 24h SHA1_Init
10227 | - - - 25h 25h SHA1_Update
10228 | - - - 26h 26h SHA1_Finish
10229 | - - - 27h 27h SHA1_Init_update_fin
10230 | - - - 28h 28h SHA1_Compare_20_bytes
10231 | - - - 29h 29h SHA1_Random_maybe
10232 | GBA NDS7 NDS9 DSi7 DSi9 Invalid Functions
10233 | 2Bh+ 20h+ 20h+ - - Crash (SWI xxh..FFh do jump to garbage addresses)
10234 | - xxh xxh - - Jump to 0 (on any SWI numbers not listed above)
10235 | - - - 12h 12h No function (ignored)
10236 | - - - 2Bh 2Bh No function (ignored)
10237 | - - - 40h+ 40h+ Mirror (SWI 40h..FFh mirror to 00h..3Fh)
10238 | - - - xxh xxh Hang (on any SWI numbers not listed above)
10239 | ```
10240 |
10241 | Invalid NDS functions: NDS7 SWI 01h, 02h, 0Ah, 16h-19h, 1Eh, and NDS9 SWI 01h,
10242 | 02h, 07h, 08h, 0Ah, 17h, 19h-1Eh will jump to zero (ie. to the NDS7 reset
10243 | vector, or to NDS9 unused (usually PU-locked ITCM) memory, which will be both
10244 | redirected to the debug handler, if any).
10245 |
10246 | Invalid DSi functions: DSi9 SWI 00h, 07h-08h, 0Ah, 0Fh, 17h, 1Ah-1Eh, 2Ah,
10247 | 2Ch-3Fh do hang in endless loop.
10248 |
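How the function number reaches the SWI handler, following the THUMB.17 text, the ARM-state Caution and the GBA column of the summary table above. This is an added example, not BIOS code; the sample image bytes, the base address and all names are constructed for illustration. The T bit position (bit 5) and the ARM SWI opcode pattern (bits 27-24 = 1111b) come from the ARM architecture rather than from this section.

```c
#include <stdint.h>
#include <stdio.h>

#define SPSR_T_BIT 0x20u    /* T (state) bit in the saved status register */

typedef struct { const uint8_t *bytes; uint32_t base; uint32_t size; } image_t;
typedef enum { SWI_VALID, SWI_CRASH, SWI_NOT_SWI } swi_class_t;

/* Constructed code image: THUMB "SWI 06h", ARM "SWI 060000h",
   THUMB "SWI 2Bh", and an ARM SWI written THUMB-style as "SWI 06h". */
static const uint8_t SAMPLE[16] = {
    0x06, 0xDF, 0x00, 0x00,     /* +0:  DF06h                 */
    0x00, 0x00, 0x06, 0xEF,     /* +4:  EF060000h             */
    0x2B, 0xDF, 0x00, 0x00,     /* +8:  DF2Bh                 */
    0x06, 0x00, 0x00, 0xEF      /* +12: EF000006h             */
};
static const image_t SAMPLE_IMG = { SAMPLE, 0x08000000u, sizeof SAMPLE };

/* Little-endian read of len (2 or 4) bytes; returns 0 if outside the image. */
static int read_le(const image_t *im, uint32_t addr, unsigned len, uint32_t *out)
{
    if (addr < im->base) return 0;
    uint32_t off = addr - im->base;
    if (off > im->size || im->size - off < len) return 0;
    uint32_t v = 0;
    for (unsigned i = 0; i < len; i++)
        v |= (uint32_t)im->bytes[off + i] << (8u * i);
    *out = v;
    return 1;
}

/* BIOS function number as the handler sees it, or -1 if the opcode before
   the return address is not an SWI or lies outside the image. */
int swi_number(const image_t *im, uint32_t r14_svc, uint32_t spsr_svc)
{
    uint32_t op;
    if (spsr_svc & SPSR_T_BIT) {                        /* called from THUMB */
        if (!read_le(im, r14_svc - 2u, 2u, &op)) return -1;
        if ((op & 0xFF00u) != 0xDF00u) return -1;       /* 11011111b: SWI nn */
        return (int)(op & 0xFFu);
    }
    if (!read_le(im, r14_svc - 4u, 4u, &op)) return -1; /* called from ARM */
    if ((op & 0x0F000000u) != 0x0F000000u) return -1;
    return (int)((op >> 16) & 0xFFu);   /* only the upper 8 of the 24 bits */
}

/* GBA column of the summary table: 00h..2Ah are listed, 2Bh and up crash. */
swi_class_t gba_swi_classify(const image_t *im, uint32_t r14_svc, uint32_t spsr_svc)
{
    int nn = swi_number(im, r14_svc, spsr_svc);
    if (nn < 0) return SWI_NOT_SWI;
    return nn <= 0x2A ? SWI_VALID : SWI_CRASH;
}

int main(void)
{
    /* THUMB-state SPSR 30h and ARM-state SPSR 10h are constructed values. */
    printf("THUMB SWI 06h     -> %02Xh\n", (unsigned)swi_number(&SAMPLE_IMG, 0x08000002u, 0x30u));
    printf("ARM   SWI 060000h -> %02Xh\n", (unsigned)swi_number(&SAMPLE_IMG, 0x08000008u, 0x10u));
    printf("ARM   SWI 06h     -> %02Xh\n", (unsigned)swi_number(&SAMPLE_IMG, 0x08000010u, 0x10u));
    printf("THUMB SWI 2Bh class = %d\n", (int)gba_swi_classify(&SAMPLE_IMG, 0x0800000Au, 0x30u));
    return 0;
}
```

The third call shows why the Caution matters: an ARM-state `SWI 06h` is seen by the handler as function 00h (SoftReset), not Div.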
10249 | ## BIOS Differences between GBA and NDS functions
10250 |
10251 | ### Differences between GBA and NDS BIOS functions
10252 |
10253 | - SoftReset uses different addresses
10254 |
10255 | - SWI numbers for Halt, Stop/Sleep, Div, Sqrt have changed
10256 |
10257 | - Halt destroys r0 on NDS9, IntrWait bugged on NDS9
10258 |
10259 | - CpuFastSet allows 4-byte blocks (nice), but...
10260 |
10261 | - CpuFastSet works very SLOW because of a programming bug (uncool)
10262 |
10263 | - Some of the decompression functions are now using callbacks
10264 |
10265 | - SoundBias uses new delay parameter
10266 |
10267 | And, a number of GBA functions have been removed, and some new NDS functions
10268 | have been added, see:
10269 |
10270 | - [BIOS Function Summary](#biosfunctionsummary)
10271 |
10272 | ## BIOS Arithmetic Functions
10273 |
10274 | Div
10275 |
10276 | DivArm
10277 |
10278 | Sqrt
10279 |
10280 | ArcTan
10281 |
10282 | ArcTan2
10283 |
10284 | ### SWI 06h (GBA) or SWI 09h (NDS7/NDS9/DSi7/DSi9) - Div
10285 |
10286 | Signed Division, r0/r1.
10287 |
10288 | ```
10289 | r0 signed 32bit Number
10290 | r1 signed 32bit Denom
10291 | ```
10292 |
10293 | Return:
10294 |
10295 | ```
10296 | r0 Number DIV Denom ;signed
10297 | r1 Number MOD Denom ;signed
10298 | r3 ABS (Number DIV Denom) ;unsigned
10299 | ```
10300 |
10301 | For example, incoming -1234, 10 should return -123, -4, +123.
10302 |
10303 | The function usually gets caught in an endless loop upon division by zero.
10304 |
10305 | Note: The NDS9 and DSi9 additionally support hardware division, by math
10306 | coprocessor, accessed via I/O Ports, however, the SWI function is a raw
10307 | software division.
10308 |
10309 | ### SWI 07h (GBA) - DivArm
10310 |
10311 | Same as above (SWI 06h Div), but incoming parameters are exchanged, r1/r0
10312 | (r0=Denom, r1=number). For compatibility with ARM's library. Slightly slower (3
10313 | clock cycles) than SWI 06h.
10314 |
10315 | ### SWI 08h (GBA) or SWI 0Dh (NDS7/NDS9/DSi7/DSi9) - Sqrt
10316 |
10317 | Calculate square root.
10318 |
10319 | ```
10320 | r0 unsigned 32bit number
10321 | ```
10322 |
10323 | Return:
10324 |
10325 | ```
10326 | r0 unsigned 16bit number
10327 | ```
10328 |
10329 | The result is an integer value, so Sqrt(2) would return 1. To avoid this
10330 | inaccuracy, shift left the incoming number by 2\*N as much as possible (the
10331 | result is then shifted left by 1\*N). Ie. Sqrt(2 shl 30) would return 1.41421 shl 15.
10332 |
10333 | Note: The NDS9 and DSi9 additionally support hardware square root calculation,
10334 | by math coprocessor, accessed via I/O Ports, however, the SWI function is a raw
10335 | software calculation.
10336 |
10337 | ### SWI 09h (GBA) - ArcTan
10338 |
10339 | Calculates the arc tangent.
10340 |
10341 | ```
10342 | r0 Tan, 16bit (1bit sign, 1bit integral part, 14bit decimal part)
10343 | ```
10344 |
10345 | Return:
10346 |
10347 | ```
10348 |   r0   "-PI/2
10349 | ```
10350 |
10370 | ## BIOS Rotation/Scaling Functions
10371 |
10372 | BgAffineSet
10373 |
10374 | ObjAffineSet
10375 |
10376 | ### SWI 0Eh (GBA) - BgAffineSet
10377 |
10378 | Used to calculate BG Rotation/Scaling parameters.
10379 |
10380 | ```
10381 |   r0   Pointer to Source Data Field with entries as follows:
10382 |         s32  Original data's center X coordinate (8bit fractional portion)
10383 |         s32  Original data's center Y coordinate (8bit fractional portion)
10384 |         s16  Display's center X coordinate
10385 |         s16  Display's center Y coordinate
10386 |         s16  Scaling ratio in X direction (8bit fractional portion)
10387 |         s16  Scaling ratio in Y direction (8bit fractional portion)
10388 |         u16  Angle of rotation (8bit fractional portion) Effective Range 0-FFFF
10389 |   r1   Pointer to Destination Data Field with entries as follows:
10390 |         s16  Difference in X coordinate along same line
10391 |         s16  Difference in X coordinate along next line
10392 |         s16  Difference in Y coordinate along same line
10393 |         s16  Difference in Y coordinate along next line
10394 |         s32  Start X coordinate
10395 |         s32  Start Y coordinate
10396 |   r2   Number of Calculations
10397 | ```
10398 |
10399 | Return: No return value, Data written to destination address.
10400 |
10401 | ### SWI 0Fh (GBA) - ObjAffineSet
10402 |
10403 | Calculates and sets the OBJ's affine parameters from the scaling ratio and
10404 | angle of rotation.
10405 |
10406 | The affine parameters are calculated from the parameters set in Srcp.
10407 |
10408 | The four affine parameters are set every Offset bytes, starting from the Destp
10409 | address.
10410 |
10411 | If the Offset value is 2, the parameters are stored contiguously. If the value
10412 | is 8, they match the structure of OAM.
10413 |
10414 | When Srcp is arrayed, the calculation can be performed continuously by
10415 | specifying Num.
10416 |
10417 | ```
10418 |   r0   Source Address, pointing to data structure as such:
10419 |         s16  Scaling ratio in X direction (8bit fractional portion)
10420 |         s16  Scaling ratio in Y direction (8bit fractional portion)
10421 |         u16  Angle of rotation (8bit fractional portion) Effective Range 0-FFFF
10422 |   r1   Destination Address, pointing to data structure as such:
10423 |         s16  Difference in X coordinate along same line
10424 |         s16  Difference in X coordinate along next line
10425 |         s16  Difference in Y coordinate along same line
10426 |         s16  Difference in Y coordinate along next line
10427 |   r2   Number of calculations
10428 |   r3   Offset in bytes for parameter addresses (2=continuous, 8=OAM)
10429 | ```
10430 |
10431 | Return: No return value, Data written to destination address.
10432 |
10433 | For both Bg- and ObjAffineSet, Rotation angles are specified as 0-FFFFh
10434 | (covering a range of 360 degrees), however, the GBA BIOS uses only the
10435 | upper 8bit; the lower 8bit may contain a fractional portion, but it is ignored
10436 | by the BIOS.
10437 |
10438 | ## BIOS Decompression Functions
10439 |
10440 | BitUnPack
10441 |
10442 | Diff8bitUnFilter
10443 |
10444 | HuffUnComp
10445 |
10446 | LZ77UnComp
10447 |
10448 | RLUnComp
10449 |
10450 | ### Decompression Read/Write Variants
10451 |
10452 | ```
10453 | ReadNormal: Fast (src must be memory mapped)
10454 | ReadByCallback: Slow (src can be non-memory, eg. serial Firmware SPI bus)
10455 | Write8bitUnits: Fast (dest must support 8bit writes, eg. not VRAM)
10456 | Write16bitUnits: Slow (dest must be halfword-aligned) (for VRAM)
10457 | ```
10458 |
10459 | ### BitUnPack - SWI 10h (GBA/NDS7/NDS9/DSi7/DSi9)
10460 |
10461 | Used to increase the color depth of bitmaps or tile data. For example, to
10462 | convert a 1bit monochrome font into 4bit or 8bit GBA tiles. The Unpack Info is
10463 | specified separately, allowing to convert the same source data into different
10464 | formats.
10465 |
10466 | ```
10467 |   r0  Source Address      (no alignment required)
10468 |   r1  Destination Address (must be 32bit-word aligned)
10469 |   r2  Pointer to UnPack information:
10470 |        16bit  Length of Source Data in bytes     (0-FFFFh)
10471 |        8bit   Width of Source Units in bits      (only 1,2,4,8 supported)
10472 |        8bit   Width of Destination Units in bits (only 1,2,4,8,16,32 supported)
10473 |        32bit  Data Offset (Bit 0-30), and Zero Data Flag (Bit 31)
10474 |       The Data Offset is always added to all non-zero source units.
10475 |       If the Zero Data Flag was set, it is also added to zero units.
10476 | ```
10477 |
10478 | Data is written in 32bit units, Destination can be Wram or Vram. The size of
10479 | unpacked data must be a multiple of 4 bytes. The width of source units (plus
10480 | the offset) should not exceed the destination width.
10481 |
10482 | Return: No return value, Data written to destination address.
10483 |
10484 | ### Diff8bitUnFilterWrite8bit (Wram) - SWI 16h (GBA/NDS9/DSi9)
10485 |
10486 | ### Diff8bitUnFilterWrite16bit (Vram) - SWI 17h (GBA)
10487 |
10488 | ### Diff16bitUnFilter - SWI 18h (GBA/NDS9/DSi9)
10489 |
10490 | These aren't actually real decompression functions, destination data will have
10491 | exactly the same size as source data. However, assume a bitmap or wave form to
10492 | contain a stream of increasing numbers such as 10..19, the
10493 | filtered/unfiltered data would be:
10494 |
10495 | ```
10496 |   unfiltered:   10  11  12  13  14  15  16  17  18  19
10497 |   filtered:     10  +1  +1  +1  +1  +1  +1  +1  +1  +1
10498 | ```
10499 |
10500 | In this case using filtered data (combined with actual compression algorithms)
10501 | will obviously produce better compression results.
10502 |
10503 | Data units may be either 8bit or 16bit used with Diff8bit or Diff16bit
10504 | functions respectively.
10505 |
10506 | ```
10507 |   r0  Source address (must be aligned by 4) pointing to data as follows:
10508 |        Data Header (32bit)
10509 |          Bit 0-3   Data size (must be 1 for Diff8bit, 2 for Diff16bit)
10510 |          Bit 4-7   Type (must be 8 for DiffFiltered)
10511 |          Bit 8-31  24bit size after decompression
10512 |        Data Units (each 8bit or 16bit depending on used SWI function)
10513 |          Data0          ;original data
10514 |          Data1-Data0    ;difference data
10515 |          Data2-Data1    ;...
10516 |          Data3-Data2
10517 |          ...
10518 |   r1  Destination address
10519 | ```
10520 |
10521 | Return: No return value, Data written to destination address.
10522 |
10523 | ### HuffUnCompReadNormal - SWI 13h (GBA)
10524 |
10525 | ### HuffUnCompReadByCallback - SWI 13h (NDS/DSi)
10526 |
10527 | The decoder starts in root node, the separate bits in the bitstream specify if
10528 | the next node is node0 or node1, if that node is a data node, then the data is
10529 | stored in memory, and the decoder is reset to the root node. The most often
10530 | used data should be as close to the root node as possible. For example, the
10531 | 4-byte string "Huff" could be compressed to 6 bits: 10-11-0-0, with root.0
10532 | pointing directly to data "f", and root.1 pointing to a child node, whose nodes
10533 | point to data "H" and data "u".
10534 |
10535 | Data is written in units of 32bits, if the size of the compressed data is not a
10536 | multiple of 4, please adjust it as much as possible by padding with 0.
10537 |
10538 | Align the source address to a 4Byte boundary.
10539 |
10540 | ```
10541 |   r0  Source Address, aligned by 4, pointing to:
10542 |        Data Header (32bit)
10543 |          Bit0-3   Data size in bit units (normally 4 or 8)
10544 |          Bit4-7   Compressed type (must be 2 for Huffman)
10545 |          Bit8-31  24bit size of decompressed data in bytes
10546 |        Tree Size (8bit)
10547 |          Bit0-7   Size of Tree Table/2-1 (ie. Offset to Compressed Bitstream)
10548 |        Tree Table (list of 8bit nodes, starting with the root node)
10549 |         Root Node and Non-Data-Child Nodes are:
10550 |          Bit0-5   Offset to next child node,
10551 |                   Next child node0 is at (CurrentAddr AND NOT 1)+Offset*2+2
10552 |                   Next child node1 is at (CurrentAddr AND NOT 1)+Offset*2+2+1
10553 |          Bit6     Node1 End Flag (1=Next child node is data)
10554 |          Bit7     Node0 End Flag (1=Next child node is data)
10555 |         Data nodes are (when End Flag was set in parent node):
10556 |          Bit0-7   Data (upper bits should be zero if Data Size is less than 8)
10557 |        Compressed Bitstream (stored in units of 32bits)
10558 |          Bit0-31  Node Bits (Bit31=First Bit) (0=Node0, 1=Node1)
10559 |   r1  Destination Address
10560 |   r2  Callback temp buffer      ;\for NDS/DSi "ReadByCallback" variants only
10561 |   r3  Callback structure        ;/(see Callback notes below)
10562 | ```
10563 |
10564 | Return: No return value, Data written to destination address.
10565 |
10566 | ### LZ77UnCompReadNormalWrite8bit (Wram) - SWI 11h (GBA/NDS7/NDS9/DSi7/DSi9)
10567 |
10568 | ### LZ77UnCompReadNormalWrite16bit (Vram) - SWI 12h (GBA)
10569 |
10570 | ### LZ77UnCompReadByCallbackWrite8bit - SWI 01h (DSi7/DSi9)
10571 |
10572 | ### LZ77UnCompReadByCallbackWrite16bit - SWI 12h (NDS), SWI 02h or 19h (DSi)
10573 |
10574 | Expands LZ77-compressed data. The Wram function is faster, and writes in units
10575 | of 8bits. For the Vram function the destination must be halfword aligned, data
10576 | is written in units of 16bits.
10577 |
10578 | CAUTION: Writing 16bit units to [dest-1] instead of 8bit units to [dest] means
10579 | that reading from [dest-1] won't work, ie. the "Vram" function works only with
10580 | disp=001h..FFFh, but not with disp=000h.
10581 |
10582 | If the size of the compressed data is not a multiple of 4, please adjust it as
10583 | much as possible by padding with 0. Align the source address to a 4-Byte
10584 | boundary.
10585 |
10586 | ```
10587 |   r0  Source address, pointing to data as such:
10588 |        Data header (32bit)
10589 |          Bit 0-3   Reserved
10590 |          Bit 4-7   Compressed type (must be 1 for LZ77)
10591 |          Bit 8-31  Size of decompressed data
10592 |        Repeat below. Each Flag Byte followed by eight Blocks.
10593 |        Flag data (8bit)
10594 |          Bit 0-7   Type Flags for next 8 Blocks, MSB first
10595 |        Block Type 0 - Uncompressed - Copy 1 Byte from Source to Dest
10596 |          Bit 0-7   One data byte to be copied to dest
10597 |        Block Type 1 - Compressed - Copy N+3 Bytes from Dest-Disp-1 to Dest
10598 |          Bit 0-3   Disp MSBs
10599 |          Bit 4-7   Number of bytes to copy (minus 3)
10600 |          Bit 8-15  Disp LSBs
10601 |   r1  Destination address
10602 |   r2  Callback parameter        ;\for NDS/DSi "ReadByCallback" variants only
10603 |   r3  Callback structure        ;/(see Callback notes below)
10604 | ```
10605 |
10606 | Return: No return value.
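
The stream layout above, decoded on the host with every read and write bounds-checked. This is an added example, not BIOS code and not code from the original document; the function name, status codes and sample streams are this example's own, and the `vram_rules` switch models the disp=000h restriction from the CAUTION note.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes are this example's own; they are not BIOS return values. */
enum {
    LZ77_OK           =  0,
    LZ77_ERR_HEADER   = -1, /* under 4 bytes, or type nibble is not 1       */
    LZ77_ERR_DST_SIZE = -2, /* header size is larger than the output buffer */
    LZ77_ERR_SRC_END  = -3, /* stream ends before the output is complete    */
    LZ77_ERR_DISP     = -4, /* Dest-Disp-1 lies before the start of dest    */
    LZ77_ERR_VRAM     = -5  /* disp=000h, unusable with 16bit writes        */
};

/* Decode one stream in the layout documented above, bounding every read and
 * write. vram_rules != 0 also rejects disp=000h (see the CAUTION note). */
int lz77_decode_checked(const uint8_t *src, size_t src_len,
                        uint8_t *dst, size_t dst_cap,
                        int vram_rules, size_t *out_len)
{
    size_t in = 4, out = 0, total;

    if (src_len < 4 || (src[0] >> 4) != 1)
        return LZ77_ERR_HEADER;
    /* Header bits 8-31 (bytes 1..3, little-endian): decompressed size. */
    total = (size_t)src[1] | ((size_t)src[2] << 8) | ((size_t)src[3] << 16);
    if (total > dst_cap)
        return LZ77_ERR_DST_SIZE;

    while (out < total) {
        if (in >= src_len)
            return LZ77_ERR_SRC_END;
        uint8_t flags = src[in++];
        for (int bit = 7; bit >= 0 && out < total; bit--) { /* MSB first */
            if (((flags >> bit) & 1) == 0) {                /* block type 0 */
                if (in >= src_len)
                    return LZ77_ERR_SRC_END;
                dst[out++] = src[in++];
                continue;
            }
            if (src_len - in < 2)                           /* block type 1 */
                return LZ77_ERR_SRC_END;
            size_t count = (size_t)(src[in] >> 4) + 3;
            size_t disp  = ((size_t)(src[in] & 0x0F) << 8) | src[in + 1];
            in += 2;
            if (vram_rules && disp == 0)
                return LZ77_ERR_VRAM;
            if (disp >= out)             /* would read before dst[0] */
                return LZ77_ERR_DISP;
            if (count > total - out)     /* example's choice: stop at the */
                count = total - out;     /* size the header declared      */
            while (count--) {            /* bytewise, since runs may overlap */
                dst[out] = dst[out - disp - 1];
                out++;
            }
        }
    }
    *out_len = total;
    return LZ77_OK;
}

/* Constructed sample streams (not taken from any game or from the page). */
static const uint8_t SAMPLE_OK[] = {         /* expands to "ABCABCABCABC"  */
    0x10, 0x0C, 0x00, 0x00,                  /* type 1, size 12            */
    0x10, 'A', 'B', 'C', 0x60, 0x02,         /* 3 literals, copy 9, disp 2 */
    0x00, 0x00 };                            /* zero padding to 4 bytes    */
static const uint8_t SAMPLE_BAD_DISP[] = {   /* back-reference at out=0    */
    0x10, 0x04, 0x00, 0x00, 0x80, 0x10, 0x00, 0x00 };
static const uint8_t SAMPLE_BIG[] = {        /* header claims 100h bytes   */
    0x10, 0x00, 0x01, 0x00, 0x00, 'A', 0x00, 0x00 };
static const uint8_t SAMPLE_DISP0[] = {      /* 'A', then copy 3 at disp 0 */
    0x10, 0x04, 0x00, 0x00, 0x40, 'A', 0x00, 0x00 };

static uint8_t demo_out[16];
static size_t  demo_len;

int main(void)
{
    int rc = lz77_decode_checked(SAMPLE_OK, sizeof SAMPLE_OK,
                                 demo_out, sizeof demo_out, 0, &demo_len);
    printf("round trip ok: %d\n", rc == LZ77_OK && demo_len == 12 &&
           memcmp(demo_out, "ABCABCABCABC", 12) == 0);
    printf("bad disp:      %d\n", lz77_decode_checked(SAMPLE_BAD_DISP,
           sizeof SAMPLE_BAD_DISP, demo_out, sizeof demo_out, 0, &demo_len));
    printf("oversized:     %d\n", lz77_decode_checked(SAMPLE_BIG,
           sizeof SAMPLE_BIG, demo_out, sizeof demo_out, 0, &demo_len));
    printf("disp0 as vram: %d\n", lz77_decode_checked(SAMPLE_DISP0,
           sizeof SAMPLE_DISP0, demo_out, sizeof demo_out, 1, &demo_len));
    return 0;
}
```

Running the same checks over data loaded from a save file or a link cable before handing it to SWI 11h/12h keeps the declared size and every back-reference inside the destination buffer.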
10607 |
10608 | ### RLUnCompReadNormalWrite8bit (Wram) - SWI 14h (GBA/NDS7/NDS9/DSi7/DSi9)
10609 |
10610 | ### RLUnCompReadNormalWrite16bit (Vram) - SWI 15h (GBA)
10611 |
10612 | ### RLUnCompReadByCallbackWrite16bit - SWI 15h (NDS7/NDS9/DSi7/DSi9)
10613 |
10614 | Expands run-length compressed data. The Wram function is faster, and writes in
10615 | units of 8bits. For the Vram function the destination must be halfword aligned,
10616 | data is written in units of 16bits.
10617 |
10618 | If the size of the compressed data is not a multiple of 4, please adjust it as
10619 | much as possible by padding with 0. Align the source address to a 4Byte
10620 | boundary.
10621 |
10622 | ```
10623 |   r0  Source Address, pointing to data as such:
10624 |        Data header (32bit)
10625 |          Bit 0-3   Reserved
10626 |          Bit 4-7   Compressed type (must be 3 for run-length)
10627 |          Bit 8-31  Size of decompressed data
10628 |        Repeat below. Each Flag Byte followed by one or more Data Bytes.
10629 |        Flag data (8bit)
10630 |          Bit 0-6   Expanded Data Length (uncompressed N-1, compressed N-3)
10631 |          Bit 7     Flag (0=uncompressed, 1=compressed)
10632 |        Data Byte(s) - N uncompressed bytes, or 1 byte repeated N times
10633 |   r1  Destination Address
10634 |   r2  Callback parameter        ;\for NDS/DSi "ReadByCallback" variants only
10635 |   r3  Callback structure        ;/(see Callback notes below)
10636 | ```
10637 |
10638 | Return: No return value, Data written to destination address.
10639 |
10640 | ### NDS/DSi Decompression Callbacks
10641 |
10642 | On NDS and DSi, the "ReadByCallback" variants are reading source data from
10643 | callback functions (rather than directly from memory). The callback functions
10644 | may read normal data from memory, or from other devices, such as directly
10645 | from the gamepak bus, without storing the source data in memory. The downside
10646 | is that the callback mechanism makes the function very slow, furthermore,
10647 | NDS7/NDS9 SWI 12h, 13h, 15h are using THUMB code, and variables on stack,
10648 | altogether that makes the whole shit very-very-very slow.
10649 |
10650 | ```
10651 |   r2 = user defined callback parameter (passed on to Open function)
10652 |         (or, for Huffman: pointer to temp buffer, max 200h bytes needed)
10653 |   r3 = pointer to callback structure
10654 | ```
10655 |
10656 | Callback structure (five 32bit pointers to callback functions)
10657 |
10658 | ```
10659 | Open_and_get_32bit (eg. LDR r0,[r0], get header)
10660 | Close (optional, 0=none)
10661 | Get_8bit (eg. LDRB r0,[r0])
10662 | Get_16bit (not used)
10663 | Get_32bit (used by Huffman only)
10664 | ```
10665 |
10666 | All functions may use ARM or THUMB code (indicated by address bit0). The
10667 | current source address (r0) is passed to all callback functions. Additionally,
10668 | the initial destination address (r1), and a user defined parameter (r2) are
10669 | passed to the Open function. For Huffman r2 must point to a temp buffer (max
10670 | 200h bytes needed, internally used by the SWI function to make a copy of the
10671 | huffman tree; needed for random-access to the tree, which wouldn't work with
10672 | the sequentially reading callbacks).
10673 |
10674 | All functions have return values in r0. The Open function normally returns the
10675 | first word (containing positive length and type), alternatively it may return a
10676 | negative error code to abort/reject decompression. The Close function, if it is
10677 | defined, should return zero (or any positive value), or a negative errorcode.
10678 | The other functions return raw data, without errorcodes. The SWI returns the
10679 | length of decompressed data, or the signed errorcode from the Open/Close
10680 | functions.
10681 |
10682 | ## BIOS Memory Copy
10683 |
10684 | CpuFastSet
10685 |
10686 | CpuSet
10687 |
10688 | ### SWI 0Ch (GBA/NDS7/NDS9/DSi7/DSi9) - CpuFastSet
10689 |
10690 | Memory copy/fill in units of 32 bytes. Memcopy is implemented as repeated
10691 | LDMIA/STMIA [Rb]!,r2-r9 instructions. Memfill as single LDR followed by
10692 | repeated STMIA [Rb]!,r2-r9.
10693 |
10694 | After processing all 32-byte-blocks, the NDS/DSi additionally processes the
10695 | remaining words as 4-byte blocks. BUG: The NDS/DSi uses the fast 32-byte-block
10696 | processing only for the first N bytes (not for the first N words), so only the
10697 | first quarter of the memory block is FAST, the remaining three quarters are
10698 | SLOWLY copied word-by-word.
10699 |
10700 | The length is specified as wordcount, ie. the number of bytes divided by 4.
10701 |
10702 | On the GBA, the length should be a multiple of 8 words (32 bytes) (otherwise
10703 | the GBA is forcefully rounding-up the length). On NDS/DSi, the length may be
10704 | any number of words (4 bytes).
10705 |
10706 | ```
10707 |   r0    Source address        (must be aligned by 4)
10708 |   r1    Destination address   (must be aligned by 4)
10709 |   r2    Length/Mode
10710 |           Bit 0-20  Wordcount (GBA: rounded-up to multiple of 8 words)
10711 |           Bit 24    Fixed Source Address (0=Copy, 1=Fill by WORD[r0])
10712 | ```
10713 |
10714 | Return: No return value, Data written to destination address.
10715 |
10716 | ### SWI 0Bh (GBA/NDS7/NDS9/DSi7/DSi9) - CpuSet
10717 |
10718 | Memory copy/fill in units of 4 bytes or 2 bytes. Memcopy is implemented as
10719 | repeated LDMIA/STMIA [Rb]!,r3 or LDRH/STRH r3,[r0,r5] instructions. Memfill as
10720 | single LDMIA or LDRH followed by repeated STMIA [Rb]!,r3 or STRH r3,[r0,r5].
10721 |
10722 | The length must be a multiple of 4 bytes (32bit mode) or 2 bytes (16bit mode).
10723 | The (half)wordcount in r2 must be length/4 (32bit mode) or length/2 (16bit
10724 | mode), ie. length in word/halfword units rather than byte units.
10725 |
10726 | ```
10727 |   r0    Source address        (must be aligned by 4 for 32bit, by 2 for 16bit)
10728 |   r1    Destination address   (must be aligned by 4 for 32bit, by 2 for 16bit)
10729 |   r2    Length/Mode
10730 |           Bit 0-20  Wordcount (for 32bit), or Halfwordcount (for 16bit)
10731 |           Bit 24    Fixed Source Address (0=Copy, 1=Fill by {HALF}WORD[r0])
10732 |           Bit 26    Datasize (0=16bit, 1=32bit)
10733 | ```
10734 |
10735 | Return: No return value, Data written to destination address.
10736 |
10737 | Note: On GBA, NDS7 and DSi7, these two functions will silently refuse to do
10738 | anything if the source start or end addresses are reaching into the BIOS area.
10739 | The NDS9 and DSi9 don't have such read-protections.
10740 |
10741 | ## BIOS Halt Functions
10742 |
10743 | Halt
10744 |
10745 | IntrWait
10746 |
10747 | VBlankIntrWait
10748 |
10749 | Stop/Sleep
10750 |
10751 | CustomHalt
10752 |
10753 | ### SWI 02h (GBA) or SWI 06h (NDS7/NDS9/DSi7/DSi9) - Halt
10754 |
10755 | Halts the CPU until an interrupt request occurs. The CPU is switched into
10756 | low-power mode, all other circuits (video, sound, timers, serial, keypad,
10757 | system clock) are kept operating.
10758 |
10759 | Halt mode is terminated when any enabled interrupt is requested, that is, when
10760 | (IE AND IF) is not zero; the GBA locks up if that condition never becomes true.
10761 | However, the state of the CPU's IRQ disable bit in the CPSR register and of the
10762 | IME register is "don't care": Halt passes through even if either one has
10763 | disabled interrupts.
10764 |
10765 | On GBA and NDS7/DSi7, Halt is implemented by writing to HALTCNT, Port 4000301h.
10766 | On NDS9/DSi9, Halt is implemented by writing to System Control Coprocessor (mov
10767 | p15,0,c7,c0,4,r0 opcode), this opcode hangs if IME=0.
10768 |
10769 | No parameters, no return value.
10770 |
10771 | (GBA/NDS7/DSi7: all registers unchanged, NDS9/DSi9: R0 destroyed)
10772 |
10773 | ### SWI 04h (GBA/NDS7/NDS9/DSi7/DSi9) - IntrWait ;DSi7/DSi9=bugged?
10774 |
10775 | Continues to wait in Halt state until one (or more) of the specified
10776 | interrupt(s) do occur. The function forcefully sets IME=1. When using multiple
10777 | interrupts at the same time, this function is having less overhead than
10778 | repeatedly calling the Halt function.
10779 |
10780 | ```
10781 |   r0    0=Return immediately if an old flag was already set (NDS9: bugged!)
10782 |         1=Discard old flags, wait until a NEW flag becomes set
10783 |   r1    Interrupt flag(s) to wait for (same format as IE/IF registers)
10784 |   r2    DSi7 only: Extra flags (same format as DSi7's IE2/IF2 registers)
10785 | ```
10786 |
10787 | Caution: When using IntrWait or VBlankIntrWait, the user interrupt handler MUST
10788 | update the BIOS Interrupt Flags value in RAM; when acknowledging processed
10789 | interrupt(s) by writing a value to the IF register, the same value should
10790 | also be ORed to the BIOS Interrupt Flags value, at the following memory location:
10791 |
10792 | ```
10793 |   Host     GBA (16bit)  NDS7 (32bit)  NDS9 (32bit)  DSi7-IF2 (32bit)
10794 |   Address  [3007FF8h]   [380FFF8h]    [DTCM+3FF8h]  [380FFC0h]
10795 | ```
10796 |
10797 | NDS9: BUG: No Discard (r0=0) doesn't work. The function always waits for at
10798 | least one IRQ to occur (no matter which, including IRQs that are not selected
10799 | in r1), even if the desired flag was already set. NB. the same bug is also
10800 | found in the GBA/NDS7 functions, but it's compensated by a second bug, ie. the
10801 | GBA/NDS7 functions are working okay because their "bug doesn't work".
10802 |
10803 | Return: No return value, the selected flag(s) are automatically reset in BIOS
10804 | Interrupt Flags value in RAM upon return.
10805 |
10806 | DSi9: BUG: The function tries to enter Halt state via Port 4000301h (which
10807 | would be okay on ARM7, but it's probably ignored on ARM9, which should normally
10808 | use CP15 to enter Halt state; if Port 4000301h is really ignored, then the
10809 | function will "successfully" wait for interrupts, but without actually entering
10810 | any kind of low power mode).
10811 |
10812 | DSi7: BUG: The function tries to wait for IF and IF2 interrupts, but it does
10813 | accidentally ignore the old IF interrupts, and works only with new IF2 ones.
10814 |
10815 | ### SWI 05h (GBA/NDS7/NDS9/DSi7/DSi9) - VBlankIntrWait ;DSi7/DSi9=bugged?
10816 |
10817 | Continues to wait in Halt status until a new V-Blank interrupt occurs.
10818 |
10819 | The function sets r0=1 and r1=1 (plus r2=0 on DSi7) and does then execute
10820 | IntrWait (SWI 04h), see IntrWait for details.
10821 |
10822 | No parameters, no return value.
10823 |
10824 | ### SWI 03h (GBA) - Stop
10825 |
10826 | Switches the GBA into very low power mode (to be used similar as a
10827 | screen-saver). The CPU, System Clock, Sound, Video, SIO-Shift Clock, DMAs, and
10828 | Timers are stopped.
10829 |
10830 | Stop state can be terminated by the following interrupts only (as far as
10831 | enabled in IE register): Joypad, Game Pak, or General-Purpose-SIO.
10832 |
10833 | "The system clock is stopped so the IF flag is not set."
10834 |
10835 | Preparation for Stop:
10836 |
10837 | Disable Video before implementing Stop (otherwise Video just freezes, but still
10838 | keeps consuming battery power). Possibly required to disable Sound also?
10839 | Obviously, it'd be also recommended to disable any external hardware (such like
10840 | Rumble or Infra-Red) as far as possible.
10841 |
10842 | No parameters, no return value.
10843 |
10844 | ### SWI 07h (NDS7/DSi7) - Sleep
10845 |
10846 | No info, probably similar to GBA SWI 03h (Stop). Sleep is implemented for ARM7
10847 | only, not for ARM9. But maybe the ARM7 function does stop both ARM7 and
10848 | ARM9 (?)
10849 |
10850 | ### SWI 27h (GBA) or SWI 1Fh (NDS7/DSi7) - CustomHalt (Undocumented)
10851 |
10852 | Writes the 8bit parameter value to HALTCNT, below values are equivalent to Halt
10853 | and Stop/Sleep functions, other values reserved, purpose unknown.
10854 |
10855 | ```
10856 | r2 8bit parameter (GBA: 00h=Halt, 80h=Stop) (NDS7/DSi7: 80h=Halt, C0h=Sleep)
10857 | ```
10858 |
10859 | No return value.
10860 |
10861 | ## BIOS Reset Functions
10862 |
10863 | SoftReset
10864 |
10865 | RegisterRamReset
10866 |
10867 | HardReset
10868 |
10869 | ### SWI 00h (GBA/NDS7/NDS9) - SoftReset
10870 |
10871 | Clears 200h bytes of RAM (containing stacks, and BIOS IRQ vector/flags),
10872 | initializes system, supervisor, and irq stack pointers, sets R0-R12, LR\_svc,
10873 | SPSR\_svc, LR\_irq, and SPSR\_irq to zero, and enters system mode.
10874 |
10875 | Note that the NDS9 stack registers are hardcoded (the DTCM base should be set
10876 | to the default setting of 0800000h). The NDS9 function additionally flushes
10877 | caches and write buffer, and sets the CP15 control register to 12078h.
10878 |
10879 | ```
10880 |   Host  sp_svc    sp_irq    sp_sys    zerofilled area       return address
10881 |   GBA   3007FE0h  3007FA0h  3007F00h  [3007E00h..3007FFFh]  Flag[3007FFAh]
10882 |   NDS7  380FFDCh  380FFB0h  380FF00h  [380FE00h..380FFFFh]  Addr[27FFE34h]
10883 |   NDS9  0803FC0h  0803FA0h  0803EC0h  [DTCM+3E00h..3FFFh]   Addr[27FFE24h]
10884 | ```
10885 |
10886 | The NDS7/NDS9 return addresses at [27FFE34h/27FFE24h] are usually containing
10887 | copies of Cartridge Header [034h/024h] entry points, which may select ARM/THUMB
10888 | state via bit0. The GBA return address 8bit flag is interpreted as 00h=8000000h
10889 | (ROM), or 01h-FFh=2000000h (RAM), entered in ARM state.
10890 |
10891 | Note: The reset is applied only to the CPU that has executed the SWI (ie. on
10892 | the NDS, the other CPU will remain unaffected).
10893 |
10894 | Return: Does not return to calling procedure, instead, loads the above return
10895 | address into R14, and then jumps to that address by a "BX R14" opcode.
10896 |
10897 | ### SWI 01h (GBA) - RegisterRamReset
10898 |
10899 | Resets the I/O registers and RAM specified in ResetFlags. However, it does not
10900 | clear the CPU internal RAM area from 3007E00h-3007FFFh.
10901 |
10902 | ```
10903 |   r0  ResetFlags
10904 |        Bit   Expl.
10905 |        0     Clear 256K on-board WRAM  ;-don't use when returning to WRAM
10906 |        1     Clear 32K on-chip WRAM    ;-excluding last 200h bytes
10907 |        2     Clear Palette
10908 |        3     Clear VRAM
10909 |        4     Clear OAM                 ;-zerofilled! does NOT disable OBJs!
10910 |        5     Reset SIO registers       ;-switches to general purpose mode!
10911 |        6     Reset Sound registers
10912 |        7     Reset all other registers (except SIO, Sound)
10913 | ```
10914 |
10915 | Return: No return value.
10916 |
10917 | Bug: LSBs of SIODATA32 are always destroyed, even if Bit5 of R0 was cleared.
10918 |
10919 | The function always switches the screen into forced blank by setting
10920 | DISPCNT=0080h (regardless of incoming R0, screen becomes white).
10921 |
10922 | ### SWI 26h (GBA) - HardReset (Undocumented)
10923 |
10924 | This function reboots the GBA (including for getting through the time-consuming
10925 | nintendo intro, which is making the function particularly useless and
10926 | annoying).
10927 |
10928 | Parameters: None. Return: Never/Reboot.
10929 |
10930 | Execution Time: About 2 seconds (!)
10931 |
10932 | ## BIOS Misc Functions
10933 |
10934 | GetBiosChecksum
10935 |
10936 | WaitByLoop
10937 |
10938 | GetCRC16
10939 |
10940 | IsDebugger
10941 |
10942 | GetSineTable
10943 |
10944 | GetPitchTable
10945 |
10946 | GetVolumeTable
10947 |
10948 | CustomPost
10949 |
10950 | GetBootProcs
10951 |
10952 | ### SWI 0Dh (GBA) - GetBiosChecksum (Undocumented)
10953 |
10954 | Calculates the checksum of the BIOS ROM (by reading in 32bit units, and adding
10955 | up these values). IRQ and FIQ are disabled during execution.
10956 |
10957 | The checksum is BAAE187Fh (GBA and GBA SP), or BAAE1880h (DS in GBA mode,
10958 | whereas the only difference is that the byte at [3F0Ch] is changed from 00h to
10959 | 01h, otherwise the BIOS is 1:1 same as GBA BIOS, it does even include multiboot
10960 | code).
10961 |
10962 | Parameters: None. Return: r0=Checksum.
10963 |
10964 | ### SWI 03h (NDS7/NDS9/DSi7/DSi9) - WaitByLoop
10965 |
10966 | Performs a "LOP: SUB R0,1 / BGT LOP" wait loop, the loop is executed in BIOS
10967 | memory, which provides reliable timings (regardless of the memory waitstates
10968 | & cache state of the calling procedure). Intended only for short delays
10969 | (eg. flash memory programming cycles).
10970 |
10971 | ```
10972 | r0 Delay value (should be in range 1..7FFFFFFFh)
10973 | ```
10974 |
10975 | Execution time varies for ARM7 vs ARM9. On ARM9 it does also depend on whether
10976 | ROM is cached, and on DSi it further depends on the ARM9 CPU clock, and
10977 | on whether using NDS or DSi BIOS ROM (NDS uses faster THUMB code, whilst DSi
10978 | uses ARM code, which is slow on uncached ARM9 ROM reads). For example, to get a
10979 | 1 millisecond delay, use the following values:
10980 |
10981 | ```
10982 |   CPU  Clock     Cache BIOS     Value for 1ms
10983 |   ARM7 33.51MHz  none  NDS/DSi  r0=20BAh    ;=20BAh   ;-ARM7
10984 |   ARM9 67.03MHz  on    NDS/DSi  r0=20BAh*2  ;=4174h   ;\ARM9 with cache
10985 |   ARM9 134.06MHz on    DSi      r0=20BAh*4  ;=82E8h   ;/
10986 |   ARM9 67.03MHz  off   NDS      r0=20BAh/2  ;=105Dh   ;\
10987 |   ARM9 67.03MHz  off   DSi      r0=20BAh/4  ;=082Eh   ; ARM9 without cache
10988 |   ARM9 134.06MHz off   DSi      r0=20BAh/3  ;=0AE8h   ;/
10989 | ```
10990 |
10991 | Return: No return value.
10992 |
10993 | ### SWI 0Eh (NDS7/NDS9/DSi7/DSi9) - GetCRC16
10994 |
10995 | ```
10996 | r0 Initial CRC value (16bit, usually FFFFh)
10997 | r1 Start Address (must be aligned by 2)
10998 | r2 Length in bytes (must be aligned by 2)
10999 | ```
11000 |
11001 | CRC16 checksums can be calculated as such:
11002 |
11003 | ```
11004 |   val[0..7] = C0C1h,C181h,C301h,C601h,CC01h,D801h,F001h,A001h
11005 |   for i=start to end
11006 |     crc=crc xor byte[i]
11007 |     for j=0 to 7
11008 |       crc=crc shr 1:if carry then crc=crc xor (val[j] shl (7-j))
11009 |     next j
11010 |   next i
11011 | ```
11012 |
11013 | Return:
11014 |
11015 | ```
11016 | r0 Calculated 16bit CRC Value
11017 | ```
11018 |
11019 | Additionally, if the length is nonzero, r3 contains the last processed halfword
11020 | at [addr+len-2]. Unlike most other NDS7/DSi7 SWI functions (which do reject
11021 | reading from BIOS memory), this allows to dump the NDS7/DSi7 BIOS (except for
11022 | the memory region that is locked via BIOSPROT Port 4000308h).
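
The pseudo-code above as runnable C, checked against a bit-serial CRC with reflected polynomial A001h. This is an added example, not BIOS code and not code from the original document; the function names and the sample string are this example's own, and the 32bit working register is an assumption made so that `val[j] shl (7-j)` fits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* val[0..7] exactly as listed in the pseudo-code above. */
static const uint16_t crc16_val[8] = {
    0xC0C1, 0xC181, 0xC301, 0xC601, 0xCC01, 0xD801, 0xF001, 0xA001
};

/* The documented loop. The working register is 32 bits wide because
 * val[j] is XORed in pre-shifted by (7-j) and only lines up with the
 * 16bit result once the remaining shifts for that byte are done. */
uint16_t crc16_documented(uint16_t init, const uint8_t *data, size_t len)
{
    uint32_t crc = init;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int j = 0; j < 8; j++) {
            uint32_t carry = crc & 1;
            crc >>= 1;
            if (carry)
                crc ^= (uint32_t)crc16_val[j] << (7 - j);
        }
    }
    return (uint16_t)crc;
}

/* Bit-serial reference: reflected polynomial A001h, one XOR per carry. */
uint16_t crc16_bitserial(uint16_t init, const uint8_t *data, size_t len)
{
    uint16_t crc = init;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int j = 0; j < 8; j++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0xA001)
                            : (uint16_t)(crc >> 1);
    }
    return crc;
}

/* Returns 1 if every val[j] equals the bit-serial CRC of the single byte
 * (1 << j) from a zero start, i.e. val[] holds the per-bit contributions
 * of one input byte under polynomial A001h. */
int crc16_val_matches_polynomial(void)
{
    for (int j = 0; j < 8; j++) {
        uint8_t one_bit = (uint8_t)(1u << j);
        if (crc16_bitserial(0, &one_bit, 1) != crc16_val[j])
            return 0;
    }
    return 1;
}

/* Constructed sample input: the conventional CRC check string. */
static const uint8_t CRC_SAMPLE[9] = { '1','2','3','4','5','6','7','8','9' };

int main(void)
{
    printf("documented: %04X\n",
           (unsigned)crc16_documented(0xFFFF, CRC_SAMPLE, sizeof CRC_SAMPLE));
    printf("bit-serial: %04X\n",
           (unsigned)crc16_bitserial(0xFFFF, CRC_SAMPLE, sizeof CRC_SAMPLE));
    printf("val[] matches A001h: %d\n", crc16_val_matches_polynomial());
    return 0;
}
```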
11023 |
11024 | ### SWI 0Fh (NDS7/NDS9) - IsDebugger
11025 |
11026 | Detects if 4MB (normal) or 8MB (debug version) Main RAM installed.
11027 |
11028 | Caution: Fails on ARM9 when cache is enabled (always returns 8MB state).
11029 |
11030 | Return: r0 = result (0=normal console 4MB, 1=debug version 8MB)
11031 |
11032 | Destroys halfword at [27FFFFAh] (NDS7) or [27FFFF8h] (NDS9)!
11033 |
11034 | The SWI 0Fh function doesn't work stable if it gets interrupted by an interrupt
11035 | which is calling SWI 0Fh, which would destroy the above halfword scratch value
11036 | (unless the IRQ handler has saved/restored the halfword).
11037 |
11038 | ### SWI 1Ah (NDS7/DSi7) - GetSineTable
11039 |
11040 | ```
11041 | r0 Index (0..3Fh) (must be in that range, otherwise returns garbage)
11042 | ```
11043 |
11044 | Return: r0 = Desired Entry (0000h..7FF5h) ;SIN(0 .. 88.6 degrees)\*8000h
11045 |
11046 | ### SWI 1Bh (NDS7/DSi7) - GetPitchTable (DSi7: bugged)
11047 |
11048 | ```
11049 | r0 Index (0..2FFh) (must be in that range, otherwise returns garbage)
11050 | ```
11051 |
11052 | BUG: DSi7 accidentally reads from SineTable instead of PitchTable; as a workaround
11053 | for obtaining PitchTable values, one can set "r0=(0..2FFh)-46Ah" on DSi.
11054 |
11055 | Return: r0 = Desired Entry (0000h..FF8Ah) (unsigned)
11056 |
11057 | ### SWI 1Ch (NDS7/DSi7) - GetVolumeTable
11058 |
11059 | ```
11060 | r0 Index (0..2D3h) (must be in that range, otherwise returns garbage)
11061 | ```
11062 |
11063 | Return: r0 = Desired Entry (00h..7Fh) (unsigned)
11064 |
11065 | ### SWI 1Fh (NDS9/DSi9) - CustomPost
11066 |
11067 | Writes to the POSTFLG register, probably for use by Firmware boot procedure.
11068 |
11069 | ```
11070 | r0 32bit value, to be written to POSTFLG, Port 4000300h
11071 | ```
11072 |
11073 | Return: No return value.
11074 |
11075 | ### SWI 1Dh (NDS7/DSi7) - GetBootProcs
11076 |
11077 | Returns addresses of Gamecart boot procedure/interrupt handler, probably for
11078 | use by Firmware boot procedure. Most of the returned NDS7 functions won't work
11079 | if the POSTFLG register is set.
11080 |
11081 | The return values are somewhat XORed by each other (on DSi7 most of the values
11082 | are zero; which does rather negate the XORing effect, and, as a special
11083 | gimmick, one of the zero values is XORed by incoming r2).
11084 |
11085 | ## BIOS Multi Boot (Single Game Pak)
11086 |
11087 | MultiBoot
11088 |
11089 | ### SWI 25h (GBA) - MultiBoot
11090 |
11091 | This function uploads & starts program code to slave GBAs, allowing to
11092 | launch programs on slave units even if no cartridge is inserted into the slaves
11093 | (this works because all GBA BIOSes contain built-in download procedures in
11094 | ROM).
11095 |
11096 | However, the SWI 25h BIOS upload function covers only 45% of the required
11097 | Transmission Protocol, the other 55% must be coded in the master cartridge (see
11098 | Transmission Protocol below).
11099 |
11100 | ```
11101 |   r0  Pointer to MultiBootParam structure
11102 |   r1  Transfer Mode (undocumented)
11103 |        0=256KHz, 32bit, Normal mode    (fast and stable)
11104 |        1=115KHz, 16bit, MultiPlay mode (default, slow, up to three slaves)
11105 |        2=2MHz,   32bit, Normal mode    (fastest but maybe unstable)
11106 |   Note: HLL-programmers that are using the MultiBoot(param_ptr) macro cannot
11107 |   specify the transfer mode and will be forcefully using MultiPlay mode.
11108 | ```
11109 |
11110 | Return:
11111 |
11112 | ```
11113 | r0 0=okay, 1=failed
11114 | ```
11115 |
11116 | See below for more details.
11117 |
11118 | ### Multiboot Parameter Structure
11119 |
11120 | Size of parameter structure should be 4Ch bytes (the current GBA BIOS uses only
11121 | first 44h bytes though). The following entries must be set before calling SWI
11122 | 25h:
11123 |
11124 | ```
11125 | Addr Size Name/Expl.
11126 | 14h 1 handshake_data (entry used for normal mode only)
11127 | 19h 3 client_data[1,2,3]
11128 | 1Ch 1 palette_data
11129 | 1Eh 1 client_bit (Bit 1-3 set if child 1-3 detected)
11130 | 20h 4 boot_srcp (typically 8000000h+0C0h)
11131 | 24h 4 boot_endp (typically 8000000h+0C0h+length)
11132 | ```
11133 |
11134 | The transfer length (excluding header data) should be a multiple of 10h,
11135 | minimum length 100h, max 3FF40h (ca. 256KBytes). Set palette\_data as
11136 | "81h+color\*10h+direction\*8+speed\*2", or as "0f1h+color\*2" for fixed palette,
11137 | whereas color=0..6, speed=0..3, direction=0..1. The other entries
11138 | (handshake\_data, client\_data[1-3], and client\_bit) must be same as specified in
11139 | Transmission Protocol (see below hh,cc,y).
11140 |
11141 | ### Multiboot Transfer Protocol
11142 |
11143 | The following describes the complete transfer protocol. Normally only the
11144 | Initiation part must be programmed in the master cartridge; the main data
11145 | transfer can then be performed by calling SWI 25h, and the slave program is
11146 | started after SWI 25h completes.
11147 |
11148 | The ending handshake is normally not required; when using it, note that you
11149 | will need custom code in BOTH master and slave programs.
11150 |
11151 | ```
11152 | Times Send Receive Expl.
11153 | -----------------------Required Transfer Initiation in master program
11154 | ... 6200 FFFF Slave not in multiplay/normal mode yet
11155 | 1 6200 0000 Slave entered correct mode now
11156 | 15 6200 720x Repeat 15 times, if failed: delay 1/16s and restart
11157 | 1 610y 720x Recognition okay, exchange master/slave info
11158 | 60h xxxx NN0x Transfer C0h bytes header data in units of 16bits
11159 | 1 6200 000x Transfer of header data completed
11160 | 1 620y 720x Exchange master/slave info again
11161 | ... 63pp 720x Wait until all slaves reply 73cc instead 720x
11162 | 1 63pp 73cc Send palette_data and receive client_data[1-3]
11163 | 1 64hh 73uu Send handshake_data for final transfer completion
11164 | -----------------------Below is SWI 25h MultiBoot handler in BIOS
11165 | DELAY - - Wait 1/16 seconds at master side
11166 | 1 llll 73rr Send length information and receive random data[1-3]
11167 | LEN yyyy nnnn Transfer main data block in units of 16 or 32 bits
11168 | 1 0065 nnnn Transfer of main data block completed, request CRC
11169 | ... 0065 0074 Wait until all slaves reply 0075 instead 0074
11170 | 1 0065 0075 All slaves ready for CRC transfer
11171 | 1 0066 0075 Signalize that transfer of CRC follows
11172 | 1 zzzz zzzz Exchange CRC must be same for master and slaves
11173 | -----------------------Optional Handshake (NOT part of master/slave BIOS)
11174 | ... .... .... Exchange whatever custom data
11175 | ```
11176 |
11177 | Legend for above Protocol
11178 |
11179 | ```
11180 | y client_bit, bit(s) 1-3 set if slave(s) 1-3 detected
11181 | x bit 1,2,or 3 set if slave 1,2,or 3
11182 | xxxx header data, transferred in 16bit (!) units (even in 32bit normal mode)
11183 | nn response value for header transfer, decreasing 60h..01h
11184 | pp palette_data
11185 | cc random client_data[1..3] from slave 1-3, FFh if slave not exists
11186 | hh handshake_data, 11h+client_data[1]+client_data[2]+client_data[3]
11187 | uu random data, not used, ignore this value
11188 | ```
11189 |
11190 | The values below are calculated automatically by the SWI 25h BIOS function (no need to care about them)
11191 |
11192 | ```
11193 | llll download length/4-34h
11194 | rr random data from each slave for encryption, FFh if slave not exists
11195 | yyyy encoded data in 16bit (multiplay) or 32bit (normal mode) units
11196 | nnnn response value, lower 16bit of destadr in GBA memory (00C0h and up)
11197 | zzzz 16bit download CRC value, must be same for master and slaves
11198 | ```
11199 |
11200 | Pseudo Code for SWI 25h Transfer with Checksum and Encryption calculations
11201 |
11202 | ```
11203 | if normal_mode then c=C387h:x=C37Bh:k=43202F2Fh
11204 | if multiplay_mode then c=FFF8h:x=A517h:k=6465646Fh
11205 | m=dword(pp,cc,cc,cc):f=dword(hh,rr,rr,rr)
11206 | for ptr=000000C0h to (file_size-4) step 4
11207 | c=c xor data[ptr]:for i=1 to 32:c=c shr 1:if carry then c=c xor x:next
11208 | m=(6F646573h*m)+1
11209 | send_32_or_2x16 (data[ptr] xor (-2000000h-ptr) xor m xor k)
11210 | next
11211 | c=c xor f:for i=1 to 32:c=c shr 1:if carry then c=c xor x:next
11212 | wait_all_units_ready_for_checksum:send_32_or_1x16 (c)
11213 | ```
11214 |
11215 | Whereas, explained: c=chksum,x=chkxor,f=chkfin,k=keyxor,m=keymul
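The pseudo code above, written out as an added Python example (not code from GBATEK or the BIOS) covering both the master's encode pass and the slave's matching decode pass. The function names are hypothetical, data words are read little-endian, and two readings are assumptions: `dword(a,b,c,d)` is taken to list bytes least-significant first, and `hh` is truncated to 8 bits because it is a 1-byte field.

```python
MASK32 = 0xFFFFFFFF
HEADER_SIZE = 0xC0

# Per-mode constants from the pseudo code: c=chksum seed, x=chkxor, k=keyxor.
MODES = {
    "normal":    {"c": 0xC387, "x": 0xC37B, "k": 0x43202F2F},
    "multiplay": {"c": 0xFFF8, "x": 0xA517, "k": 0x6465646F},
}


def palette_data(color, speed=0, direction=0, fixed=False):
    """palette_data byte as described under 'Multiboot Parameter Structure'."""
    if not (0 <= color <= 6 and 0 <= speed <= 3 and 0 <= direction <= 1):
        raise ValueError("color=0..6, speed=0..3, direction=0..1")
    if fixed:
        return 0xF1 + color * 2
    return 0x81 + color * 0x10 + direction * 8 + speed * 2


def handshake_data(cc):
    """hh = 11h + client_data[1..3] (assumption: kept to 8 bits, 1-byte field)."""
    return (0x11 + sum(cc)) & 0xFF


def dword(b0, b1, b2, b3):
    # Assumption: dword(a,b,c,d) lists its bytes least-significant first.
    return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24)


def crc_step(c, value, x):
    """One 'c=c xor value', then 32 times 'shr 1, xor x on carry'."""
    c ^= value
    for _ in range(32):
        carry = c & 1
        c >>= 1
        if carry:
            c ^= x
    return c


def check_length(image):
    """Enforce the page's limits on the transfer length (header excluded)."""
    payload = len(image) - HEADER_SIZE
    if payload % 0x10 or not 0x100 <= payload <= 0x3FF40:
        raise ValueError("payload must be a multiple of 10h, 100h..3FF40h bytes")


def keystream(mode, pp, cc, count):
    """Yield (ptr, key) for each 32bit word starting at offset C0h."""
    k = MODES[mode]["k"]
    m = dword(pp, *cc)                                   # keymul seed
    for n in range(count):
        ptr = HEADER_SIZE + 4 * n
        m = (0x6F646573 * m + 1) & MASK32
        yield ptr, ((-0x2000000 - ptr) & MASK32) ^ m ^ k


def encode(image, mode, pp, cc, hh, rr):
    """Master side: return (encoded 32bit words, 16bit CRC) for image[C0h:]."""
    check_length(image)
    p = MODES[mode]
    c, words = p["c"], []
    for ptr, key in keystream(mode, pp, cc, (len(image) - HEADER_SIZE) // 4):
        data = int.from_bytes(image[ptr:ptr + 4], "little")
        c = crc_step(c, data, p["x"])                    # CRC runs over plaintext
        words.append(data ^ key)
    return words, crc_step(c, dword(hh, *rr), p["x"])    # final round mixes in chkfin


def decode(words, mode, pp, cc, hh, rr):
    """Slave side: strip the XOR layer and recompute the CRC over the result."""
    p = MODES[mode]
    c, out = p["c"], bytearray()
    for word, (_, key) in zip(words, keystream(mode, pp, cc, len(words))):
        data = word ^ key
        c = crc_step(c, data, p["x"])
        out += data.to_bytes(4, "little")
    return bytes(out), crc_step(c, dword(hh, *rr), p["x"])


if __name__ == "__main__":
    # Constructed sample: C0h header bytes plus a 100h-byte payload, one slave.
    image = bytes((i * 7) & 0xFF for i in range(HEADER_SIZE + 0x100))
    cc, rr = [0x5A, 0xFF, 0xFF], [0x3C, 0xFF, 0xFF]      # FFh = slave not present
    pp, hh = palette_data(2, speed=1), handshake_data(cc)
    words, crc = encode(image, "multiplay", pp, cc, hh, rr)
    plain, crc_slave = decode(words, "multiplay", pp, cc, hh, rr)
    print(hex(words[0]), hex(crc), plain == image[HEADER_SIZE:], crc == crc_slave)
```

Every keystream input (pp, cc, hh, rr) crosses the link in the clear during the exchange listed in the protocol table, so the XOR layer and CRC catch transfer errors but do not authenticate the master.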
11216 |
11217 | ### Multiboot Communication
11218 |
11219 | In Multiplay mode, master sends 16bit data, and receives 16bit data from each
11220 | slave (or FFFFh if none). In Normal mode, master sends 32bit data (upper 16bit
11221 | zero, lower 16bit as for multiplay mode), and receives 32bit data (upper 16bit
11222 | as for multiplay mode, and lower 16bit same as lower 16bit previously sent by
11223 | master). Because SIODATA32 occupies same addresses as SIOMULTI0-1, the same
11224 | transfer code can be used for both multiplay and normal mode (in normal mode
11225 | SIOMULTI2-3 should be forced to FFFFh though). After each transfer, master
11226 | should wait for Start bit cleared in SIOCNT register, followed by a 36us delay.
11227 |
11228 | Note: The multiboot slave would also recognize data being sent in Joybus mode,
11229 | however, master GBAs cannot use joybus mode (because GBA hardware cannot act as
11230 | master in joybus mode).
11231 |
11232 | ### Multiboot Slave Header
11233 |
11234 | The transferred Header block is written to 2000000h-20000BFh in slave RAM. The
11235 | header must contain valid data (identical to normal ROM-cartridge
11236 | headers, including a copy of the Nintendo logo, correct header CRC, etc.); in
11237 | most cases it is recommended to just transfer a copy of the master cartridge's
11238 | header from 8000000h-80000BFh.
11239 |
11240 | ### Multiboot Slave Program/Data
11241 |
11242 | The transferred main program/data block is written to 20000C0h and up (max
11243 | 203FFFFh) in slave RAM, note that absolute addresses in the program must be
11244 | then originated at 2000000h rather than 8000000h. In case that the master
11245 | cartridge is 256K or less, it could just transfer a copy of the whole cartridge
11246 | at 80000C0h and up, the master should then copy & execute its own ROM data
11247 | into RAM as well.
11248 |
11249 | ### Multiboot Slave Extended Header
11250 |
11251 | For Multiboot slaves, separate Entry Point(s) must be defined at the beginning
11252 | of the Program/Data block (the Entry Point in the normal header is ignored),
11253 | also some reserved bytes in this section are overwritten by the Multiboot
11254 | procedure. For more information see chapter about Cartridge Header.
11255 |
11256 | ### Multiboot Slave with Cartridge
11257 |
11258 | Besides slaves without a cartridge, multiboot can also be used for slaves
11259 | which do have a cartridge inserted; if so, SELECT and START must be kept held
11260 | down during power-on in order to switch the slave GBA into Multiboot mode (ie.
11261 | to prevent it from starting the cartridge as normal).
11262 |
11263 | The general idea is to enable newer programs to link to any existing older GBA
11264 | programs, even if these older programs were not originally intended to
11265 | support linking.
11266 |
11267 | The uploaded program may access the slave's SRAM, Flash ROM, or EEPROM (if any,
11268 | allowing to read out or modify slave game positions), as well as cartridge ROM
11269 | at 80000A0h-8000FFFh (the first 4KBytes, excluding the nintendo logo, allowing
11270 | to read out the cartridge name from the header, for example).
11271 |
11272 | The main part of the cartridge ROM is meant to be locked out in order to
11273 | prevent software pirates from uploading "intruder" programs which would send
11274 | back a copy of the whole cartridge to the master, however, for good or evil, at
11275 | present time, current GBA models and GBA carts do not seem to contain any such
11276 | protection.
11277 |
11278 | ### Uploading Programs from PC
11279 |
11280 | Besides the ability to upload a program from one GBA to another, this
11281 | feature can also be used to upload small programs from a PC to a GBA. For more
11282 | information see chapter about External Connectors.
11283 |
11284 | ### Nintendo DS
11285 |
11286 | The GBA multiboot function requires a link port, and so, works on GBA and GBA
11287 | SP only. The Nintendo DS in GBA mode does include the multiboot BIOS function,
11288 | but it won't be of any use as the DS doesn't have a link port.
11289 |
11290 | ## BIOS Sound Functions
11291 |
11292 | MidiKey2Freq
11293 |
11294 | SoundBias
11295 |
11296 | SoundChannelClear
11297 |
11298 | SoundDriverInit
11299 |
11300 | SoundDriverMain
11301 |
11302 | SoundDriverMode
11303 |
11304 | SoundDriverVSync
11305 |
11306 | SoundDriverVSyncOff
11307 |
11308 | SoundDriverVSyncOn
11309 |
11310 | SoundWhatever0..4
11311 |
11312 | SoundGetJumpList
11313 |
11314 | ### SWI 1Fh (GBA) - MidiKey2Freq
11315 |
11316 | Calculates the value of the assignment to ((SoundArea)sa).vchn[x].fr when
11317 | playing the wave data, wa, with the interval (MIDI KEY) mk and the fine
11318 | adjustment value (halftones=256) fp.
11319 |
11320 | ```
11321 | r0 WaveData* wa
11322 | r1 u8 mk
11323 | r2 u8 fp
11324 | ```
11325 |
11326 | Return:
11327 |
11328 | ```
11329 | r0 u32
11330 | ```
11331 |
11332 | This function is particularly popular because it allows reading from BIOS
11333 | memory without copy protection range checks. The formula to read one byte (a)
11334 | from address (i, 0..3FFF) is:
11335 |
11336 | a = (MidiKey2Freq(i-(((i AND 3)+1)OR 3), 168, 0) \* 2) SHR 24
11337 |
11338 | ### SWI 19h (GBA) or SWI 08h (NDS7/DSi7) - SoundBias
11339 |
11340 | Increments or decrements the current level of the SOUNDBIAS register (with
11341 | short delays) until reaching the desired new level. The upper bits of the
11342 | register are kept unchanged.
11343 |
11344 | ```
11345 | r0 BIAS level (0=Level 000h, any other value=Level 200h)
11346 | r1 Delay Count (NDS/DSi only) (GBA uses a fixed delay count of 8)
11347 | ```
11348 |
11349 | Return: No return value.
11350 |
11351 | ### SWI 1Eh (GBA) - SoundChannelClear
11352 |
11353 | Clears all direct sound channels and stops the sound.
11354 |
11355 | This function may not operate properly when the library which expands the sound
11356 | driver feature is combined afterwards. In this case, do not use it.
11357 |
11358 | No parameters, no return value.
11359 |
11360 | ### SWI 1Ah (GBA) - SoundDriverInit
11361 |
11362 | Initializes the sound driver. Call this only once when the game starts up.
11363 |
11364 | It is essential that the work area already be secured at the time this function
11365 | is called.
11366 |
11367 | You cannot execute this driver multiple times, even if separate work areas have
11368 | been prepared.
11369 |
11370 | ```
11371 | r0 Pointer to work area for sound driver, SoundArea structure as follows:
11372 | SoundArea (sa) Structure
11373 | u32 ident Flag the system checks to see whether the
11374 | work area has been initialized and whether it
11375 | is currently being accessed.
11376 | vu8 DmaCount User access prohibited
11377 | u8 reverb Variable for applying reverb effects to direct sound
11378 | u16 d1 User access prohibited
11379 | void (*func)() User access prohibited
11380 | int intp User access prohibited
11381 | void* NoUse User access prohibited
11382 | SndCh vchn[MAX] The structure array for controlling the direct
11383 | sound channels (currently 8 channels are
11384 | available). The term "channel" here does
11385 | not refer to hardware channels, but rather to
11386 | virtual constructs inside the sound driver.
11387 | s8 pcmbuf[PCM_BF*2]
11388 | SoundChannel Structure
11389 | u8 sf The flag indicating the status of this channel.
11390 | When 0 sound is stopped.
11391 | To start sound, set other parameters and
11392 | then write 80h to here.
11393 | To stop sound, logical OR 40h for a
11394 | release-attached off (key-off), or write zero
11395 | for a pause. The use of other bits is
11396 | prohibited.
11397 | u8 r1 User access prohibited
11398 | u8 rv Sound volume output to right side
11399 | u8 lv Sound volume output to left side
11400 | u8 at The attack value of the envelope. When the
11401 | sound starts, the volume begins at zero and
11402 | increases every 1/60 second. When it
11403 | reaches 255, the process moves on to the
11404 | next decay value.
11405 | u8 de The decay value of the envelope. It is
11406 | multiplied by "this value/256" every 1/60
11407 | sec. and when sustain value is reached, the
11408 | process moves to the sustain condition.
11409 | u8 su The sustain value of the envelope. The
11410 | sound is sustained by this amount.
11411 | (Actually, multiplied by rv/256, lv/256 and
11412 | output left and right.)
11413 | u8 re The release value of the envelope. Key-off
11414 | (logical OR 40h in sf) to enter this state.
11415 | The value is multiplied by "this value/256"
11416 | every 1/60 sec. and when it reaches zero,
11417 | this channel is completely stopped.
11418 | u8 r2[4] User access prohibited
11419 | u32 fr The frequency of the produced sound.
11420 | Write the value obtained with the
11421 | MidiKey2Freq function here.
11422 | WaveData* wp Pointer to the sound's waveform data. The waveform
11423 | data can be generated automatically from the AIFF
11424 | file using the tool (aif2agb.exe), so users normally
11425 | do not need to create this themselves.
11426 | u32 r3[6] User access prohibited
11427 | u8 r4[4] User access prohibited
11428 | WaveData Structure
11429 | u16 type Indicates the data type. This is currently not used.
11430 | u16 stat At the present time, non-looped (1 shot) waveform
11431 | is 0000h and forward loop is 4000h.
11432 | u32 freq This value is used to calculate the frequency.
11433 | It is obtained using the following formula:
11434 | sampling rate x 2^((180-original MIDI key)/12)
11435 | u32 loop Loop pointer (start of loop)
11436 | u32 size Number of samples (end position)
11437 | s8 data[] The actual waveform data. Takes (number of samples+1)
11438 | bytes of 8bit signed linear uncompressed data. The last
11439 | byte is zero for a non-looped waveform, and the same
11440 | value as the loop pointer data for a looped waveform.
11441 | ```
11442 |
11443 | Return: No return value.
11444 |
11445 | ### SWI 1Ch (GBA) - SoundDriverMain
11446 |
11447 | Main of the sound driver.
11448 |
11449 | Call every 1/60 of a second. The flow of the process is to call
11450 | SoundDriverVSync, which is explained later, immediately after the V-Blank
11451 | interrupt.
11452 |
11453 | After that, this routine is called after BG and OBJ processing is executed.
11454 |
11455 | No parameters, no return value.
11456 |
11457 | ### SWI 1Bh (GBA) - SoundDriverMode
11458 |
11459 | Sets the sound driver operation mode.
11460 |
11461 | ```
11462 | r0 Sound driver operation mode
11463 | Bit Expl.
11464 | 0-6 Direct Sound Reverb value (0-127, default=0) (ignored if Bit7=0)
11465 | 7 Direct Sound Reverb set (0=ignore, 1=apply reverb value)
11466 | 8-11 Direct Sound Simultaneously-produced (1-12 channels, default 8)
11467 | 12-15 Direct Sound Master volume (1-15, default 15)
11468 | 16-19 Direct Sound Playback Frequency (1-12 = 5734,7884,10512,13379,
11469 | 15768,18157,21024,26758,31536,36314,40137,42048, def 4=13379 Hz)
11470 | 20-23 Final number of D/A converter bits (8-11 = 9-6bits, def. 9=8bits)
11471 | 24-31 Not used.
11472 | ```
11473 |
11474 | Return: No return value.
11475 |
11476 | ### SWI 1Dh (GBA) - SoundDriverVSync
11477 |
11478 | An extremely short system call that resets the sound DMA. The timing is
11479 | extremely critical, so call this function immediately after the V-Blank
11480 | interrupt every 1/60 second.
11481 |
11482 | No parameters, no return value.
11483 |
11484 | ### SWI 28h (GBA) - SoundDriverVSyncOff
11485 |
11486 | Due to problems with the main program if the V-Blank interrupts are stopped,
11487 | and SoundDriverVSync cannot be called every 1/60 a second, this function must
11488 | be used to stop sound DMA.
11489 |
11490 | Otherwise, even if you exceed the limit of the buffer the DMA will not stop and
11491 | noise will result.
11492 |
11493 | No parameters, no return value.
11494 |
11495 | ### SWI 29h (GBA) - SoundDriverVSyncOn
11496 |
11497 | This function restarts the sound DMA stopped with the previously described
11498 | SoundDriverVSyncOff.
11499 |
11500 | After calling this function, have a V-Blank occur within 2/60 of a second and
11501 | call SoundDriverVSync.
11502 |
11503 | No parameters, no return value.
11504 |
11505 | ### SWI 20h..24h (GBA) - SoundWhatever0..4 (Undocumented)
11506 |
11507 | Whatever undocumented sound-related BIOS functions.
11508 |
11509 | ### SWI 2Ah (GBA) - SoundGetJumpList (Undocumented)
11510 |
11511 | Receives pointers to 36 additional sound-related BIOS functions.
11512 |
11513 | ```
11514 | r0 Destination address (must be aligned by 4) (120h bytes buffer)
11515 | ```
11516 |
11517 |
11518 |
11519 | ## BIOS RSA Basics
11520 |
11521 | ### RSA Basics
11522 |
11523 | The RSA formulas are quite simple: Applying an exponent and modulus to the
11524 | source data. There are two formulas used for encryption/decryption. The first
11525 | formula requires only the Public Key (and an exponent, which is usually some
11526 | fixed constant; on the DSi it's always 10001h aka 65537 decimal). The second
11527 | formula is almost same, but requires the Private Key instead of the constant
11528 | exponent (and also requires the Public Key as modulus):
11529 |
11530 | ```
11531 | Public Key formula: dest = src^10001h mod pubkey
11532 | Private Key formula: dest = src^prvkey mod pubkey
11533 | ```
11534 |
11535 | These formulas can be used for encrypting secret messages, like so:
11536 |
11537 | ```
11538 | Recipient's Public Key --> Encrypt a message
11539 | Recipient's Private Key --> Decrypt a message
11540 | ```
11541 |
11542 | Or, using the formulas the other way around, to create digital signatures:
11543 |
11544 | ```
11545 | Sender's Private Key --> Encrypt/create a signature
11546 | Sender's Public Key --> Decrypt/verify a signature
11547 | ```
11548 |
11549 | The overall idea is that only the owner of the Private Key can decrypt
11550 | messages, or create signatures. The Public Key can be shared freely, so that
11551 | everybody can encrypt messages, or verify signatures.
11552 |
11553 | ### RSA Big Number Maths
11554 |
11555 | The exponent/modulus can be implemented with simple unsigned multiply/divide
11556 | operations. However, RSA requires dealing with big 1024bit integers (or even
11557 | bigger numbers when using larger keys), this does usually require some software
11558 | functions since regular CPUs cannot directly deal with such large numbers.
11559 |
11560 | ### RSA Byte Order
11561 |
11562 | The DSi is storing all RSA keys and signatures in Big-Endian format, so one
11563 | will need to reverse the byte order before doing the actual maths on
11564 | Little-Endian CPUs.
11565 |
11566 | ### RSA Signatures (used on DSi)
11567 |
11568 | Digital signatures can be used for signing documents or other binaries. The
11569 | signature does usually consist of a secure checksum (SHA-1, MD5, SHA256, etc.)
11570 | computed on the document/binary, and then encrypted via the RSA Private Key
11571 | formula.
11572 |
11573 | The checksum can be then decrypted via Public Key, if the decrypted checksum
11574 | does match up, then one can be sure that the document/binary hasn't been
11575 | modified, and that it was really created by the Private Key owner.
11576 |
11577 | ### RSA Encrypted Messages (not used on DSi)
11578 |
11579 | Encrypted RSA messages are restricted to the size of the Public Key (eg. with a
11580 | 1024bit key, the message should be smaller than 128 bytes). For bigger
11581 | messages, one could either split the message into smaller snippets, or, one
11582 | could combine RSA with some other encryption mechanism (eg. store an AES key in
11583 | the RSA message, and decrypt the actual document via AES; that would add
11584 | private/public key security to AES).
11585 |
11586 | ### RSA Padding
11587 |
11588 | RSA can be weak if the message is a small number (especially very small values
11589 | like "0" or "1" obviously wouldn't work well with the "msg^exp" maths; other
11590 | small values can be also weak, eg. with the common/small public exponent
11591 | 10001h). To avoid that problem, the MSBs of the message should be padded with
11592 | nonzero bytes, typically as so (as defined in RFC 2313):
11593 |
11594 | ```
11595 | 00h 1 "00" Leading zero (00h)
11596 | 01h 1 "BT" Block type (always 01h on DSi)
11597 | 02h 8+n "PS" Padding (FFh-filled, min 8 bytes, usually 69h bytes on DSi)
11598 | 0Ah+n 1 "00" Padding end (00h)
11599 | 0Bh+n 75h-n "D" Data (max 75h bytes, usually a 14h-byte SHA1 value on DSi)
11600 | ```
11601 |
11602 | That, for 80h-byte messages. For other sizes replace "75h" by "F5h, 1F5h, etc."
11603 |
11604 | ### RSA Key Generation
11605 |
11606 | Generating an RSA key pair is more difficult than the encryption/decryption
11607 | part. First off, one needs two unsigned random prime numbers; for a 1024bit key,
11608 | that would be usually two large 512bit prime numbers (whereas, finding real
11609 | prime numbers is complicated, and it's more common to use values that have a
11610 | "high probability" of being prime numbers).
11611 |
11612 | The public key is then simply generated by multiplying the two prime numbers (P
11613 | and Q) with each other:
11614 |
11615 | ```
11616 | pubkey = P * Q
11617 | ```
11618 |
11619 | The private key is also based on the same prime numbers, but the maths there
11620 | are more complicated (and not described here).
11621 |
11622 | When knowing one prime number, one could theoretically compute the other as
11623 | "Q=pubkey/P", however, prime numbers aren't as rare as one might think, and
11624 | it's quite impossible to guess (or brute-force) one of the prime numbers.
11625 |
11626 | ## BIOS RSA Pseudo Code
11627 |
11628 | ### rsa\_mpi\_pow\_mod(dst,src,pubkey,exp,num\_exp\_bits) ;[dst]=[src]^[exp] mod [key]
11629 |
11630 | ```
11631 | base(rsa_number_size), bigbuf(rsa_number_size*2)
11632 | [base]=[src], [dst]=1, pow8bit=01h ;-init base, result, powbit
11633 | for i=1 to num_exp_bits
11634 | if [exp] AND pow8bit then rsa_mpi_mul_mod(dst,base) ;-mul result
11635 | rsa_mpi_mul_mod(base,base) ;-square base
11636 | pow8bit=pow8bit ROL 1, exp=exp+carry ;-next exp bit
11637 | next i
11638 | return
11639 | ```
11640 |
11641 | This is the RSA main function. The exponent is applied by squaring the "src"
11642 | several times, and, if the corresponding exponent bit is set, multiplying the
11643 | result by the squared value. To keep the numbers from becoming incredibly large,
11644 | the modulus is applied after each multiplication (rather than applying it only
11645 | on the final result).
11646 |
11647 | ```
11648 | For the Private Key formula: Use exp=prvkey, num_exp_bits=rsa_number_size*8
11649 | For the Public Key formula: Use exp=ptr_to_10001h, num_exp_bits=17
11650 | ```
11651 |
11652 | The parameters and result for "rsa\_mpi\_pow\_mod" must be in little-endian. I.e.
11653 | for DSi, reverse the byte order of the incoming/outgoing values. And, on
11654 | DSi, use rsa\_number\_size=80h (aka 128 bytes, aka for 1024bit RSA).
11655 |
11656 | ### rsa\_mpi\_mul\_mod(dst,src):
11657 |
11658 | ```
11659 | rsa_mpi_mul(bigbuf,dst,src) ;-multiply
11660 | rsa_mpi_mod(bigbuf,pubkey) ;-modulus
11661 | [dst]=[bigbuf+0..rsa_number_size-1] ;-copy to dst
11662 | return
11663 | ```
11664 |
11665 | ### rsa\_mpi\_mul(dst,src1,src2): ;[dst]=[src1]\*[src2]
11666 |
11667 | ```
11668 | [dst+0]=0, oldmsw=0 ;-init first word and oldmsw
11669 | for i=0 to rsa_number_size-4 step 4 ;\
11670 | call @@inner_loop ; compute LSWs of destination
11671 | src2=src2+4 ;
11672 | next i ;/
11673 | src2=src2-4
11674 | for i=rsa_number_size-8 to 0 step -4 ;\
11675 | src1=src1+4 ; compute MSWs of destination
11676 | call @@inner_loop ;
11677 | next i ;/
11678 | return
11679 | ;---
11680 | @@inner_loop:
11681 | [dst+4]=oldmsw, oldmsw=0
11682 | for j=0 to i step 4
11683 | msw:lsw = [src1+j]*[src2-j]
11684 | [dst+0]=[dst+0]+lsw
11685 | [dst+4]=[dst+4]+msw+cy
11686 | oldmsw=oldmsw+cy
11687 | next j
11688 | dst=dst+4
11689 | ret
11690 | ```
11691 |
11692 | ### rsa\_mpi\_mod(dst,src): ;[dst]=[dst] mod [src] ;aka division remainder
11693 |
11694 | ;Double/Single -> Single modulo division (mpi/mpi)
11695 |
11696 | ;Divisor's MSW must be >= 80000000h
11697 |
11698 | ```
11699 | ebx=rsa_number_size, dst=dst+ebx, i=ebx+4
11700 | @@type0_lop: ;\
11701 | if [dst+ebx-4]=0 then goto @@type0_next ;
11702 | rsa_mpi_cmp(dst,src), if borrow then goto @@type1_next ; type0
11703 | rsa_mpi_sub(dst,src), if [dst+ebx-4]<>0 then goto @@type1_next ; loop
11704 | @@type0_next: ;
11705 | dst=dst-4, i=i-4, if i>0 then goto @@type0_lop ;/
11706 | goto @@done
11707 | ;--- --- ---
11708 | @@type1_lop: ;\
11709 | lsw=[dst+ebx-4], msw=[dst+ebx-0] ;
11710 | if msw>=[src+ebx-4] then fac=FFFFFFFFh else fac=msw:lsw / [src+ebx-4] ;
11711 | rsa_mpi_mulsub(dst,src,fac), if carry=0 then goto @@skip_add ; type1
11712 | @@add_more: ; loop
11713 | rsa_mpi_add(dst,src) ;
11714 | [dst+ebx]=[dst+ebx]+carry, if carry=0 then goto @@add_more ;
11715 | @@skip_add: ;
11716 | if [dst+ebx-4]=0 then goto @@type0_next ;
11717 | @@type1_next: ;
11718 | dst=dst-4, i=i-4, if i>0 then goto @@type1_lop ;/
11719 | @@done:
11720 | return
11721 | ```
11722 |
11723 | ### rsa\_mpi\_mulsub(dst,src,fac): ;[dst]=[dst]-[src]\*fac
11724 |
11725 | ```
11726 | oldborrow=0, oldmsw=0 ;\
11727 | for i=0 to rsa_number_size-4 step 4 ; process
11728 | msw:lsw = [src+i]*fac, lsw=lsw+oldmsw, oldmsw=msw+carry ; rsa_number_size
11729 | [dst+i]=[dst+i]-lsw-oldborrow, oldborrow=borrow ; bytes, plus...
11730 | next i ;/
11731 | [dst+rsa_number_size]=[dst+rsa_number_size]-oldmsw-oldborrow ;-one extra word
11732 | return borrow ;(unlike "rsa_embedded" which returns INVERTED borrow)
11733 | ```
11734 |
11735 | ### rsa\_mpi\_add(dst,src): ;out: [dst]=[dst]+[src], carry
11736 |
11737 | ```
11738 | carry = 0
11739 | for i=0 to rsa_number_size-4 step 4
11740 | [dst+i]=[dst+i]+[src+i]+carry
11741 | next i
11742 | return carry
11743 | ```
11744 |
11745 | ### rsa\_mpi\_sub(dst,src): ;out: [dst]=[dst]-[src], borrow/unused
11746 |
11747 | ```
11748 | borrow = 0
11749 | for i=0 to rsa_number_size-4 step 4
11750 | [dst+i]=[dst+i]-[src+i]-borrow
11751 | next i
11752 | return borrow
11753 | ```
11754 |
11755 | ### rsa\_mpi\_cmp(dst,src): ;compare [dst]-[src], out: borrow
11756 |
11757 | ```
11758 | for i=rsa_number_size-4 to 0 step -4
11759 | temp=[dst+i]-[src+i], if not equal then return borrow
11760 | next i
11761 | return borrow
11762 | ```
11763 |
11764 | This is about same as "sub", but faster (because it can abort the loop upon
11765 | first difference).
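A signature check assembled from the RSA Byte Order, RSA Padding and rsa\_mpi\_pow\_mod passages above, as an added Python example (not GBATEK or BIOS code): Python integers stand in for the rsa\_mpi\_\* routines, and the padding layout is generalised from 80h bytes to the key size. Assumptions: the function names are hypothetical, the key is a constructed toy key made of two Mersenne primes (insecure, 8Dh bytes rather than the DSi's 80h), the private exponent comes from standard RSA maths the page does not describe, and D is a raw SHA-1 value as the page says is usual on DSi.

```python
import hashlib
import hmac

E = 0x10001        # fixed public exponent named on the page
E_BITS = 17        # num_exp_bits for the Public Key formula

# Constructed toy key: Mersenne primes 2^521-1 and 2^607-1. Far too structured
# to be secure; it only lets the example run offline.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
K = (N.bit_length() + 7) // 8                # modulus size in bytes (8Dh here)
PUBKEY_BE = N.to_bytes(K, "big")             # keys are stored big-endian
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent (standard RSA, not from the page)


def pow_mod(src, exp, num_exp_bits, modulus):
    """[dst]=[src]^[exp] mod [key], taking exponent bits LSB first."""
    base, dst = src % modulus, 1
    for i in range(num_exp_bits):
        if (exp >> i) & 1:
            dst = dst * base % modulus       # rsa_mpi_mul_mod(dst, base)
        base = base * base % modulus         # rsa_mpi_mul_mod(base, base)
    return dst


def pad_type1(data, size):
    """Build 00 01 FF..FF 00 D with at least 8 padding bytes."""
    ps_len = size - 3 - len(data)
    if ps_len < 8:
        raise ValueError("data too long for this key size")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + data


def unpad_type1(block, data_len):
    """Return D only if the whole prefix is exactly 00 01 FF..FF 00, else None."""
    ps_len = len(block) - 3 - data_len
    if ps_len < 8:
        return None
    prefix = b"\x00\x01" + b"\xff" * ps_len + b"\x00"
    if not hmac.compare_digest(block[:len(prefix)], prefix):
        return None
    return block[len(prefix):]


def sign(message):
    """Private Key formula over the padded SHA-1 (demo signer for the toy key)."""
    block = pad_type1(hashlib.sha1(message).digest(), K)
    return pow_mod(int.from_bytes(block, "big"), D, K * 8, N).to_bytes(K, "big")


def verify(message, signature_be, pubkey_be):
    """Public Key formula, then strict padding check and hash comparison."""
    if len(signature_be) != len(pubkey_be):
        return False
    modulus = int.from_bytes(pubkey_be, "big")   # byte reversal happens here
    sig = int.from_bytes(signature_be, "big")
    if sig >= modulus:
        return False
    block = pow_mod(sig, E, E_BITS, modulus).to_bytes(len(pubkey_be), "big")
    digest = unpad_type1(block, hashlib.sha1().digest_size)
    return digest is not None and hmac.compare_digest(
        digest, hashlib.sha1(message).digest())


if __name__ == "__main__":
    msg = b"constructed sample binary"
    sig = sign(msg)
    print(verify(msg, sig, PUBKEY_BE), verify(msg + b"!", sig, PUBKEY_BE))
```

The exponent-dependent branch in `pow_mod` is harmless with the public exponent, but with a private exponent it leaks timing, which is why signing code normally uses a constant-time ladder instead.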
11766 |
11767 | ## BIOS RAM Usage
11768 |
11769 | Below contains info about RAM contents at cartridge boot time (as initialized
11770 | by the BIOS/Firmware), plus info about RAM locations used by IRQ handlers and
11771 | SWI functions.
11772 |
11773 | ### GBA BIOS RAM Usage
11774 |
11775 | Below memory at 3007Fxxh is often accessed directly, or via mirrors at
11776 | 3FFFFxxh.
11777 |
11778 | ```
11779 | 3000000h 7F00h User Memory and User Stack (sp_usr=3007F00h)
11780 | 3007F00h A0h Default Interrupt Stack (6 words/time) (sp_irq=3007FA0h)
11781 | 3007FA0h 40h Default Supervisor Stack (4 words/time) (sp_svc=3007FE0h)
11782 | 3007FE0h 10h Debug Exception Stack (4 words/time) (sp_xxx=3007FF0h)
11783 | 3007FF0h 4 Pointer to Sound Buffer (for SWI Sound functions)
11784 | 3007FF4h 3 Reserved (unused)
11785 | 3007FF7h 1 Reserved (intro/nintendo logo related)
11786 | 3007FF8h 2 IRQ IF Check Flags (for SWI IntrWait/VBlankIntrWait functions)
11787 | 3007FFAh 1 Soft Reset Re-entry Flag (for SWI SoftReset function)
11788 | 3007FFBh 1 Reserved (intro/multiboot slave related)
11789 | 3007FFCh 4 Pointer to user IRQ handler (to 32bit ARM code)
11790 | ```
11791 |
11792 | ### NDS BIOS RAM Usage
11793 |
11794 | Below memory at 27FFxxxh is mirrored to 23FFxxxh (on retail consoles with 4MB
11795 | RAM), however, it should be accessed via address 27FFxxxh (for compatibility
11796 | with debug consoles with 8MB RAM). Accessing it via mirrors at 2FFFxxxh is also
11797 | valid (this is done by DSi enhanced games; even when running in non-DSi mode;
11798 | this allows DSi games to use the same memory addresses in NDS and DSi mode).
11799 |
11800 | ```
11801 | 2000000h ... ARM7 and ARM9 bootcode can be loaded here (2000000h..23BFDFFh)
11802 | 2400000h ... Debug bootcode can be loaded here (2400000h..27BFDFFh)
11803 | 23FEE00h 168h Fragments of NDS9 firmware boot code
11804 | 27FF800h 4 NDS Gamecart Chip ID 1
11805 | 27FF804h 4 NDS Gamecart Chip ID 2
11806 | 27FF808h 2 NDS Cart Header CRC (verified) ;hdr[15Eh]
11807 | 27FF80Ah 2 NDS Cart Secure Area CRC (not verified ?) ;hdr[06Ch]
11808 | 27FF80Ch 2 NDS Cart Missing/Bad CRC (0=Okay, 1=Missing/Bad)
11809 | 27FF80Eh 2 NDS Cart Secure Area Bad (0=Okay, 1=Bad)
11810 | 27FF810h 2 Boot handler task number (usually FFFFh at cart boot time)
11811 | 27FF812h 2 Secure disable (0=Normal, 1=Disable; Cart[078h]=BIOS[1088h])
11812 | 27FF814h 2 SIO Debug Connection Exists (0=No, 1=Yes)
11813 | 27FF816h 2 RTC Status? (0=Okay, 1=Bad)
11814 | 27FF818h 1 Random RTC ;random LSB from SIO debug detect handshake
11815 | 27FF819h 37h Zerofilled by firmware
11816 | 27FF850h 2 NDS7 BIOS CRC (5835h)
11817 | 27FF860h 4 Somewhat copy of Cart[038h], nds7 ram addr (?)
11818 | 27FF864h 4 Wifi FLASH User Settings Bad (0=Okay, 1=Bad)
11819 | 27FF868h 4 Wifi FLASH User Settings FLASH Address (fmw[20h]*8)
11820 | maybe recommended to use above RAM cell instead FLASH entry?
11821 | 27FF86Ch 4 Whatever (seems to be zero at cart boot time)
11822 | 27FF870h 4 Whatever (seems to be zero at cart boot time)
11823 | 27FF874h 2 Wifi FLASH firmware part5 crc16 (359Ah) (fmw[026h])
11824 | 27FF876h 2 Wifi FLASH firmware part3/part4 crc16 (fmw[004h] or ZERO)
11825 | Above is usually ZERO at cart boot (set to fmw[004h] only
11826 | when running pictochat, or maybe also when changing user
11827 | settings)
11828 | 27FF878h 08h Not used
11829 | 27FF880h 4 Message from NDS9 to NDS7 (=7 at cart boot time)
11830 | 27FF884h 4 NDS7 Boot Task (also checked by NDS9) (=6 at cart boot time)
11831 | 27FF888h .. Whatever (seems to be zero at cart boot time)
11832 | 27FF890h 4 Somewhat boot flags (somewhat B0002A22h)
11833 | bit10 part3/part4 loaded/decoded (bit3 set if bad crc)
11834 | bit28 part5 loaded/decoded with good crc
11835 | 27FF894h 36Ch Not used (zero)
11836 | 27FFC00h 4 NDS Gamecart Chip ID 1 (copy of 27FF800h)
11837 | 27FFC04h 4 NDS Gamecart Chip ID 2 (copy of 27FF804h)
11838 | 27FFC08h 2 NDS Cart Header CRC (copy of 27FF808h)
11839 | 27FFC0Ah 2 NDS Cart Secure Area CRC (copy of 27FF80Ah)
11840 | 27FFC0Ch 2 NDS Cart Missing/Bad CRC (copy of 27FF80Ch)
11841 | 27FFC0Eh 2 NDS Cart Secure Area Bad (copy of 27FF80Eh)
11842 | 27FFC10h 2 NDS7 BIOS CRC (5835h) (copy of <27FF850h>)
11843 | 27FFC12h 2 Secure Disable (copy of 27FF812h)
11844 | 27FFC14h 2 SIO Debug Exist (copy of 27FF814h)
11845 | 27FFC16h 1 RTC Status? (<8bit> copy of 27FF816h)
11846 | 27FFC17h 1 Random 8bit (copy of <27FF818h>)
11847 | 27FFC18h 18h Not used (zero)
11848 | 27FFC30h 2 GBA Cartridge Header[BEh], Reserved
11849 | 27FFC32h 3 GBA Cartridge Header[B5h..B7h], Reserved
11850 | 27FFC35h 1 Whatever flags ?
11851 | 27FFC36h 2 GBA Cartridge Header[B0h], Maker Code
11852 | 27FFC38h 4 GBA Cartridge Header[ACh], Gamecode
11853 | 27FFC3Ch 4 Frame Counter (eg. 00000332h in no$gba with original firmware)
11854 | 27FFC40h 2 Boot Indicator (0001h=normal; required for some NDS games)
11855 | 27FFC42h 3Eh Not used (zero)
11856 | 27FFC80h 70h Wifi FLASH User Settings (fmw[newest_user_settings])
11857 | 27FFCF0h 10h Not used (zero)
11858 | 27FFDxxh .. NDS9 Debug Exception Stack (stacktop=27FFD9Ch)
11859 | 27FFD9Ch 4 NDS9 Debug Exception Vector (0=None)
11860 | 27FFDA0h .. ...
11861 | 27FFE00h 170h NDS Cart Header at 27FFE00h+0..16Fh
11862 | 27FFF70h .. Not used (zerofilled at cart boot time)
11863 | 27FFFF8h 2 NDS9 Scratch addr for SWI IsDebugger check
11864 | 27FFFFAh 2 NDS7 Scratch addr for SWI IsDebugger check
11865 | 27FFFFCh .. ...
11866 | 27FFFFEh 2 Main Memory Control (on-chip power-down I/O port)
11867 | DTCM+3FF8h 4 NDS9 IRQ IF Check Bits (hardcoded RAM address)
11868 | DTCM+3FFCh 4 NDS9 IRQ Handler (hardcoded RAM address)
11869 | 37F8000h FE00h ARM7 bootcode can be loaded here (37F8000h..3807DFFh)
11870 | 380F700h 1D4h Fragments of NDS7 firmware boot code
11871 | 380F980h 4 Unknown/garbage (set to FBDD37BBh, purpose unknown)
11872 | NOTE: Cooking Coach is doing similar crap at 37FCF1Ch ?!?!
11873 | 380FFC0h 4 DSi7 IRQ IF2 Check Bits (hardcoded RAM address) (DSi only)
11874 | 380FFDCh .. NDS7 Debug Stacktop / Debug Vector (0=None)
11875 | 380FFF8h 4 NDS7 IRQ IF Check Bits (hardcoded RAM address)
11876 | 380FFFCh 4 NDS7 IRQ Handler (hardcoded RAM address)
11877 | ---
11878 | summary of nds memory used at cartridge boot time:
11879 | (all other memory zero-filled unless containing cartridge data)
11880 | 37F8000h..3807E00h ;cartridge area (nds7 only)
11881 | 2000000h..23BFE00h ;cartridge area (nds9 and nds7)
11882 | 2400000h..27BFE00h ;cartridge area (debug ver)
11883 | 23FEE00h..23FEF68h ;fragments of NDS9 firmware boot code
11884 | 27FF800h..27FF85Fh ;various values (from BIOS boot code)
11885 | 27FF860h..27FF893h ;various values (from Firmware boot code)
11886 | 27FFC00h..27FFC41h ;various values (from Firmware boot code)
11887 | 27FFC80h..27FFCE6h ;firmware user settings
11888 | 27FFE00h..27FFF6Fh ;cart header
11889 | 380F700h..380F8D4h ;fragments of NDS7 firmware boot code
11890 | 380F980h ;set to FBDD37BBh
11891 | ---
11892 | register settings at cartridge boot time:
11893 | nds9 r0..r11 = zero
11894 | nds9 r12,r14,r15 = entrypoint
11895 | nds9 r13 = 3002F7Ch (!)
11896 | nds9 r13_irq = 3003F80h
11897 | nds9 r13_svc = 3003FC0h
11898 | nds9 r14/spsr_irq= zero
11899 | nds9 r14/spsr_svc= zero
11900 | ---
11901 | nds7 r0..r11 = zero
11902 | nds7 r12,r14,r15 = entrypoint
11903 | nds7 r13 = 380FD80h
11904 | nds7 r13_irq = 380FF80h
11905 | nds7 r13_svc = 380FFC0h
11906 | nds7 r14/spsr_irq= zero
11907 | nds7 r14/spsr_svc= zero
11908 | ---
11909 | Observe that SWI SoftReset applies different stack pointers:
11910 | Host sp_svc sp_irq sp_sys zerofilled area return address
11911 | NDS7 380FFDCh 380FFB0h 380FF00h [380FE00h..380FFFFh] Addr[27FFE34h]
11912 | NDS9 0803FC0h 0803FA0h 0803EC0h [DTCM+3E00h..3FFFh] Addr[27FFE24h]
11913 | ```
11914 |
11915 | ### DSi BIOS RAM
11916 |
11917 | ```
11918 | 2000000h 8 Whatever Title ID ;carthdr[230h]
11919 | 2000008h 1 Whatever Unknown/Unused
11920 | 2000009h 1 Whatever Flags (03h=Stuff is used?)
11921 | 200000Ah 2 Whatever Maker code ;carthdr[010h]
11922 | 200000Ch 2 Whatever Unknown ;\counter/length/indices/whatever?
11923 | 200000Eh 2 Whatever Unknown ;/
11924 | 2000010h 2 Whatever CRC16 [2000000h..20002FFh] ini=FFFFh,[2000010h]=0000h
11925 | 2000012h 2 Whatever Unknown/Unused
11926 | 2000014h 2ECh Whatever Unknown... some buffer... string maybe?
11927 | 2000300h 5 Warmboot ID ("TLNC",00h) (also requires BPTWL[70h]=01h)
11928 | 2000305h 1 Warmboot Length of data at 2000308h (01h..18h, for CRC)
11929 | 2000306h 2 Warmboot CRC16 of data at 2000308h (with initial value FFFFh)
11930 | 2000308h 8 Warmboot Unknown ;-rarely used
11931 | 2000310h 8 Warmboot Title ID ;-often used
11932 | 2000318h 4 Warmboot Flags (bit0, 1-3, 4, 5,6,7) ;-usually 16bit, once 32bit
11933 | 200031Ch 4 Warmboot Unused
11934 | 2000400h 128h System Settings from TWLCFGn.dat file (bytes 088h..1AFh)
11935 | 20005E0h 1 WlFirm Type (1=DWM-W015, 2=DWM-W024) (as wifi_flash[1FDh])
11936 | 20005E1h 1 WlFirm Unknown (zero)
11937 | 20005E2h 2 WlFirm CRC16 with initial value FFFFh on [20005E4h..20005EFh]
11938 | 20005E4h 4 WlFirm RAM vars (500400h) ;\
11939 | 20005E8h 4 WlFirm RAM base (500000h) ; as from "Wifi Firmware" file
11940 | 20005ECh 4 WlFirm RAM size (02E000h) ;/
11941 | 20005F0h 10h WlFirm Unknown (zero)
11942 | 2000600h 14h Hexvalues from HWINFO_N.dat
11943 | 23FEE00h 200h DSi9 bootstrap relict
11944 | ---
11945 | 2FEE120h 4 "nand" <--- passed as so to launcher
11946 | 2FF80xxh
11947 | 2FF82xxh
11948 | 2FF83xxh
11949 | 2FF89xxh
11950 | 2FF8Axxh
11951 | 2FF8Bxxh
11952 | 2FF8Cxxh
11953 | 2FF8Dxxh ... Wifi MAC address, channel mask, etc.
11954 | 2FF8Fxxh
11955 | 2FF90xxh
11956 | 2FF91xxh
11957 | 2FF9208h FBDD37BBh (that odd "garbage" value occurs also on NDS)
11958 | 2FFA1xxh
11959 | 2FFA2xxh
11960 | 2FFA5xxh
11961 | 2FFA6xxh
11962 | 2FFA680h 12 02FD4D80h,00000000h,00001980h
11963 | 2FFA68Ch .. Zerofilled
11964 | ---
11965 | 2FFC000h 1000h Full Cart Header (as at 2FFE000h, but, FOR NDS ROM CARTRIDGE)
11966 | 2FFD000h 7B0h Zerofilled
11967 | 2FFD7B0h 8+1 Version Data Filename (eg. 30,30,30,30,30,30,30,34,00)
11968 | 2FFD7B9h 1 Version Data Region (eg. 50h="P"=Europe)
11969 | 2FFD7BAh 1 Unknown (00) ;bit0 = warmboot-flag-related
11970 | 2FFD7BBh 1 Unknown (00)
11971 | 2FFD7BCh 15+1 eMMC CID (dd,ss,ss,ss,ss,03,4D,30,30,46,50,41,00,00,15), 00
11972 | 2FFD7CCh 15+1 eMMC CSD (40,40,96,E9,7F,DB,F6,DF,01,59,0F,2A,01,26,90), 00
11973 | 2FFD7DCh 4 eMMC OCR (80,80,FF,80) ;20h
11974 | 2FFD7E0h 8 eMMC SCR (00,04,00,00,00,00,00,00) (for MMC: dummy/4bit);24h
11975 | 2FFD7E8h 2 eMMC RCA (01,00) ;2Ch
11976 | 2FFD7EAh 2 eMMC Typ (01,00) (0=SD Card, 1=MMC Card) ;2Eh
11977 | 2FFD7ECh 2 eMMC HCS (00,00) ;copy of OCR.bit30 (sector addressing) ;30h
11978 | 2FFD7EEh 2 eMMC ? (00,00) ;32h
11979 | 2FFD7F0h 4 eMMC ? (00,00,00,00) ;34h
11980 | 2FFD7F4h 4 eMMC CSR (00,09,00,00) ;card status (state=tran) ;38h
11981 | 2FFD7F8h 2 eMMC Port 4004824h setting (00,01) ;SD_CARD_CLK_CTL ;3Ch
11982 | 2FFD7FAh 2 eMMC Port 4004828h setting (E0,40) ;SD_CARD_OPTION ;3Eh
11983 | 2FFD7FCh 2 eMMC ? (00,00) ;40h
11984 | 2FFD7FEh 2 eMMC Device (usually 0001h=eMMC) (0000h=SD/MMC Slot?) ;42h
11985 | 2FFD800h 1 Unknown 05h (maybe number of IDs at 2FFD850h?)
11986 | 2FFD801h 2Fh Zerofilled
11987 | 2FFD830h 1 Unknown 1Fh
11988 | 2FFD831h 1Fh Zerofilled
11989 | 2FFD850h 5x8 Five Title IDs (ROM Cart, and HNBP, HNDA, HNEA, HNGP) why?
11990 | 2FFD878h 788h Zerofilled
11991 | 2FFE000h 1000h DSi Full Cart Header (additionally to short headers)
11992 | 2FFF000h 0Ch Zerofilled
11993 | 2FFF00Ch 4 ? 0000007Fh
11994 | 2FFF010h 4 ? 550E25B8h
11995 | 2FFF014h 4 ? 02FF4000h
11996 | 2FFF018h A68h Zerofilled
11997 | 2FFFA80h 160h Short Cart header (as at 2FFFE00h, but, FOR NDS ROM CARTRIDGE)
11998 | 2FFFBE0h 20h Zerofilled
11999 | ```
12000 |
12001 | Below resembles NDS area at 27FFC00h (with added/removed stuff)...
12002 |
12003 | ```
12004 | 2FFFC00h 4 NDS Gamecart Chip ID
12005 | 2FFFC04h 20h Zerofilled
12006 | 2FFFC24h 5 ? (04 00 73 01 03)
12007 | 2FFFC29h 7 Zerofilled
12008 | 2FFFC30h 12 GBA Cartridge Header (FF FF FF FF FF 00 FF FF FF FF FF FF)
12009 | 2FFFC3Ch 4 Frame Counter maybe? (eg. 1F 01 00 00 in cooking coach)
12010 | 2FFFC40h 2 Boot Indicator (0001h=normal; required for some NDS games)
12011 | 2FFFC42h 3Eh Not used (zero)
12012 | 2FFFC80h 70h Wifi FLASH User Settings (fmw[newest_user_settings])
12013 | 2FFFCF0h 4 ? (3D 00 01 6E) (update counter and crc16 ?)
12014 | 2FFFCF4h 6 Wifi MAC Address (00 23 CC xx xx xx) (fmw[036h])
12015 | 2FFFCFAh 2 Wifi Channels (usually 1041h = ch1+7+13) (based on fmw[03Ch])
12016 | 2FFFCFCh 4 Zero
12017 | 2FFFD00h 68h Zerofilled
12018 | 2FFFD68h 4 Bitmask for Supported Languages (3Eh for Europe);\
12019 | 2FFFD6Ch 4 Unknown (00,00,00,00) ; from
12020 | 2FFFD70h 1 Console Region (0=JP,1=US,2=EU,3=AU,4=CHN,5=KOR); HWINFO_S.dat
12021 | 2FFFD71h 12 Serial/Barcode (ASCII, 11-12 characters) ;
12022 | 2FFFD7Dh 3 ? (00 00 3C) ;/
12023 | 2FFFD80h 0Ch Zerofilled
12024 | 2FFFD8Ch 10h ARM9 debug exception stack (stacktop 2FFFD9Ch)
12025 | 2FFFD9Ch 4 ARM9 debug exception vector (020D3E64h)
12026 | 2FFFDA0h 4 02F80000h ;\
12027 | 2FFFDA4h 4 02FFA674h ;
12028 | 2FFFDA8h 4 00000000h zero ; start addresses?
12029 | 2FFFDACh 4 01FF86E0h itcm? ;
12030 | 2FFFDB0h 4 027C00C0h ;
12031 | 2FFFDB4h 4 02FFF000h ;
12032 | 2FFFDB8h 4 03040000h wram? ;
12033 | 2FFFDBCh 4 03800000h wram? ;
12034 | 2FFFDC0h 4 0380C3B4h wram? ;/
12035 | 2FFFDC4h 4 02F80000h ;\
12036 | 2FFFDC8h 4 02FFC000h ptr to DSi Full Cart Header ;
12037 | 2FFFDCCh 4 00000000h zero ; end addresses?
12038 | 2FFFDD0h 4 02000000h ram bottom? ; (for above nine
12039 | 2FFFDD4h 4 027C0780h ; start addresses)
12040 | 2FFFDD8h 4 02FFF680h ;
12041 | 2FFFDDCh 4 03040000h wram? ;
12042 | 2FFFDE0h 4 03800000h wram? ;
12043 | 2FFFDE4h 4 0380F780h wram? ;/
12044 | 2FFFDE8h 4 RTC Date at Boot (BCD) (yy,mm,dd,XX) (XX=maybe day-of-week?)
12045 | 2FFFDECh 4 RTC Time at Boot (BCD) (hh,ss,mm,0) (hh.bit6=maybe PM or 24h?)
12046 | 2FFFDF0h 4 Initial ARM7 Port 4004008h bits (13FBFB06h) (SCFG_EXT)
12047 | 2FFFDF4h 1 Initial ARM7 Port 40040xxh bits (C4h) (SCFG_xxx)
12048 | 2FFFDF5h 1 Initial ARM7 Port 400400xh bits (F0h) (SCFG_xxx)
12049 | 2FFFDF6h 2+2 Zerofilled
12050 | 2FFFDFAh 1 Warmboot Flag (bptwl[70h] OR 80h, ie. 80h=cold or 81h=warm)
12051 | 2FFFDFBh 1 01h
12052 | 2FFFDFCh 4 Pointer to TWLCFGn.dat (usually 2000400h) (or 0=2000400h)
12053 | 2FFFE00h 160h Short Cart header (unlike NDS, only 160h, not 170h)
12054 | 2FFFF60h A0h Zerofilled
12055 | 37FA414h "nand:/title/....app" <-- [1D4h]+3C0h (without Device List!)
12056 | 380C400h 22E4h BIOS Keys (as from Boot Stage 1, see there)
12057 | 380F010h 10h AES key for dev.kp (E5,CC,5A,8B,...) (optional/for launcher)
12058 | 380F600h 200h DSi7 bootstrap relict (at 3FFF600h aka mirrored to 380F600h)
12059 | 380FFC0h 4 DSi7 IRQ IF2 Check Bits (hardcoded RAM address) (DSi only)
12060 | 380FFC4h 4 DSi7 SCFG_EXT setting
12061 | 380FFC8h 2 DSi7 SCFG_misc bits
12062 | 380FFDCh .. DSi7 Debug Stacktop / Debug Vector (0=None)
12063 | 380FFF8h 4 DSi7 IRQ IF Check Bits (hardcoded RAM address)
12064 | 380FFFCh 4 DSi7 IRQ Handler (hardcoded RAM address)
12065 | xxxxxxxh ? ARM7i and ARM9 bootcode can be loaded WHERE and WHERE?
12066 | cart_header[1D4h] 400h SD/MMC Device List ARM7 RAM; initialized by firmware
12067 | ```
12068 |
12069 | Initial state after DSi BIOS ROM bootcode (when starting eMMC bootcode)
12070 | requires only a few memory blocks in ITCM, ARM7 WRAM, and AES keyslots:
12071 |
12072 | ```
12073 | 1FFC400h 400h BIOS Keys from FFFF87F4h (C3 02 93 DE ..) Whatever, 8x80h RSA?
12074 | 1FFC800h 80h BIOS Keys from FFFF9920h (30 33 26 D5 ..) Whatever
12075 | 1FFC880h 14h Whatever, should/may be zerofilled?
12076 | 1FFC894h 1048h BIOS Keys from FFFF99A0h (99 D5 20 5F ..) Blowfish/NDS-mode
12077 | 1FFD8DCh 1048h BIOS Keys from FFFFA9E8h (D8 18 FA BF ..) Blowfish/unused?
12078 | 3FFC400h 200h BIOS Keys from 00008188h (CA 13 31 79 ..) Whatever, 32x10h AES?
12079 | 3FFC600h 40h BIOS Keys from 0000B5D8h (AF 1B F5 16 ..) Whatever, AES?
12080 | 3FFC640h 14h Whatever, must be zerofilled
12081 | 3FFC654h 1048h BIOS Keys from 0000C6D0h (59 AA 56 8E ..) Blowfish/DSi-mode
12082 | 3FFD69Ch 1048h BIOS Keys from 0000D718h (54 86 13 3B ..) Blowfish/unused?
12083 | 3FFE6E4h 44h eMMC Info (to be relocated to 2FFD7BCh, see there for details)
12084 | 4004450h 8 AES Key0.X ("Nintendo") for modcrypt
12085 | 4004480h 10h AES Key1.X (CPU/Console ID and constants) for dev.kp and Tad
12086 | 40044xxh ? AES Key2... (?)
12087 | 40044E0h 1Ch AES Key3.X/Y (CPU/Console ID and constants) for eMMC
12088 | 2000300h 20h Warmboot Info (optional, passed on to Launcher)
12089 | ```
12090 |
12091 | ## BIOS Dumping
12092 |
12093 | ### BIOSes
12094 |
12095 | ```
12096 | GBA BIOS 16K (fully dumpable)
12097 | NDS7 BIOS 16K (fully dumpable)
12098 | NDS9 BIOS 4K (fully dumpable)
12099 | DSi7 BIOS 64K (about 41K dumpable)
12100 | DSi9 BIOS 64K (about 41K dumpable)
12101 | DSiWifi BIOS 80K on older DSi (fully dumpable)
12102 | DSiWifi BIOS Unknown size on newer DSi (probably fully dumpable)
12103 | 3DSWifi BIOS Unknown size on 3DS (probably fully dumpable)
12104 | ```
12105 |
12106 | ### GBA BIOS
12107 |
12108 | Contains SWI Functions and Bootcode (for starting cartridges, or booting via
12109 | Serial Port). The GBA BIOS can be read only by opcodes executed in the BIOS area,
12110 | for example, via the MidiKey2Freq function (most other SWI Functions, like
12111 | CpuSet, refuse source addresses within the BIOS area).
12112 |
12113 | ### NDS BIOSes
12114 |
12115 | Contains SWI Functions and Bootcode (for booting from SPI Bus Firmware FLASH
12116 | memory). The NDS9 BIOS can be dumped without restrictions (eg. via CpuSet, or
12117 | via LDR opcodes in RAM). The NDS7 BIOS has the same restrictions as GBA, ie.
12118 | reading works only by BIOS opcodes, and not by functions like CpuSet. The
12119 | GetCRC16 function does work though (at least for memory at 1204h..3FFFh). As
12120 | an additional obstacle, memory at 0000h..1203h can be dumped only by opcodes
12121 | within 0000h..1203h (that memory mainly contains data, but some of the data
12122 | values can serve as THUMB LDR opcodes). For details see:
12123 |
12124 | - [DS Memory Control - BIOS](#dsmemorycontrolbios)
12125 | Note: DSi consoles contain a copy of the NDS BIOSes, but with BIOSPROT
12126 | set to 0020h (even when running in NDS mode), so the first 20h bytes of the
12127 | DSi's NDS7 BIOS aren't dumpable (except via tracing, see below); those 20h bytes
12128 | should be just the same as on the original NDS7 though.
12129 |
12130 | ### DSi BIOSes - Lower 32K-halves (SWI Functions)
12131 |
12132 | The lower 32K of DSi9 doesn't have any restrictions. The lower 32K of DSi7 has
12133 | similar restrictions as NDS7, but with BIOSPROT set to 0020h (instead of
12134 | 1204h). This makes it easier to dump memory at 0020h..7FFFh (eg. via
12135 | GetCRC16), but makes it impossible to dump the exception vectors at
12136 | 0000h..001Fh; however, they can be deduced by tracing (with timer IRQs):
12137 |
12138 | ```
12139 | ROM:00000000h EA000006 b 20h ;dsi7_reset_vector
12140 | ROM:00000004h EA000006 b 24h ;dsi7_undef_handler
12141 | ROM:00000008h EA00001F b 8Ch ;dsi7_swi_handler
12142 | ROM:0000000Ch EA000004 b 24h ;dsi7_prefetch_abort_handler
12143 | ROM:00000010h EA000003 b 24h ;dsi7_data_abort_handler
12144 | ROM:00000014h EAFFFFFE b 14h ;reserved_vector
12145 | ROM:00000018h EA000013 b 6Ch ;dsi7_irq_handler
12146 | ROM:0000001Ch EA000000 b 24h ;dsi7_fiq_handler
12147 | ```
12148 |
12149 | Aside from branch opcodes, above could theoretically contain ALU opcodes that
12150 | modify R15 (but that would be very unlikely, and would make no difference).
12151 |
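The branch targets listed above follow from the ARM-state B encoding: target = opcode address + 8 + (signed 24bit offset * 4). The Python code below is an added example, not part of GBATEK or no$gba; it decodes the eight listed words and also classifies the other opcode forms that could write R15, which the paragraph above mentions. All function and variable names are assumptions.

```python
"""Classify ARM-state opcodes in an exception vector table (added example)."""

# Opcode words exactly as listed in the table above (addresses 00h..1Ch).
DSI7_VECTOR_WORDS = [
    0xEA000006, 0xEA000006, 0xEA00001F, 0xEA000004,
    0xEA000003, 0xEAFFFFFE, 0xEA000013, 0xEA000000,
]

# ARM condition-code suffixes, indexed by opcode bits 31..28 (0Eh = always).
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", "", "nv"]


def decode_vector_opcode(addr, opcode):
    """Return (mnemonic, target); target is None unless the opcode is B/BL."""
    cond = COND[(opcode >> 28) & 0xF]
    rd = (opcode >> 12) & 0xF
    group = (opcode >> 26) & 0b11

    if (opcode >> 25) & 0b111 == 0b101:            # B / BL
        offset = opcode & 0x00FFFFFF
        if offset & 0x00800000:                    # sign-extend 24 -> 32 bit
            offset -= 0x01000000
        # PC reads as opcode address + 8 in ARM state; offset counts words.
        target = (addr + 8 + (offset << 2)) & 0xFFFFFFFF
        return (("bl" if opcode & (1 << 24) else "b") + cond, target)

    if (opcode & 0x0FFFFFF0) == 0x012FFF10:        # BX Rn
        return ("bx" + cond, None)

    if group == 0b01 and opcode & (1 << 20) and rd == 15:
        return ("ldr" + cond + " pc", None)        # LDR PC,[...] style vector

    if group == 0b00 and rd == 15:
        # Skip multiply / halfword-transfer encodings (bit25=0, bits 7 and 4 set).
        is_extra = not opcode & (1 << 25) and (opcode & 0x90) == 0x90
        alu_op = (opcode >> 21) & 0xF              # 8..11 = TST/TEQ/CMP/CMN
        if not is_extra and not 8 <= alu_op <= 11:
            return ("alu" + cond + " pc", None)    # ALU opcode writing R15

    return ("other", None)


def decode_table(words, base=0):
    """Decode consecutive 32bit words starting at address `base`."""
    return [(base + 4 * i, *decode_vector_opcode(base + 4 * i, w))
            for i, w in enumerate(words)]


if __name__ == "__main__":
    for addr, mnemonic, target in decode_table(DSI7_VECTOR_WORDS):
        where = "" if target is None else " %Xh" % target
        note = "  ;branches to itself" if target == addr else ""
        print("ROM:%08Xh %s%s%s" % (addr, mnemonic, where, note))
```
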
12152 | ### DSi BIOSes - Upper 32K-halves (Bootcode, for booting from eMMC memory)
12153 |
12154 | The upper 32K of the DSi9 and DSi7 BIOSes are locked at some point during
12155 | booting, and there's no known way to dump them directly. However, portions of
12156 | that memory are relocated to RAM/TCM before locking, and those relocated copies
12157 | can be dumped.
12158 |
12159 | On a DSi, the following DSi ROM data can be dumped (originally done via Main
12160 | Memory hacks, ie. with complex external hardware soldered to the mainboard, but
12161 | it's now also possible via Unlaunch.dsi exploit):
12162 |
12163 | ```
12164 | ROM:FFFF87F4h / TCM:1FFC400h (400h) (C3 02 93 DE ..) Whatever, 8x80h RSA?
12165 | ROM:FFFF9920h / TCM:1FFC800h (80h) (30 33 26 D5 ..) Whatever
12166 | ROM:FFFF99A0h / TCM:1FFC894h (1048h) (99 D5 20 5F ..) Blowfish/NDS-mode
12167 | ROM:FFFFA9E8h / TCM:1FFD8DCh (1048h) (D8 18 FA BF ..) Blowfish/unused?
12168 | ROM:00008188h / RAM:3FFC400h (200h) (CA 13 31 79 ..) Whatever, 32x10h AES?
12169 | ROM:0000B5D8h / RAM:3FFC600h (40h) (AF 1B F5 16 ..) Whatever, "common key"?
12170 | ROM:0000C6D0h / RAM:3FFC654h (1048h) (59 AA 56 8E ..) Blowfish/DSi-mode
12171 | ROM:0000D718h / RAM:3FFD69Ch (1048h) (54 86 13 3B ..) Blowfish/unused?
12172 | ```
12173 |
12174 | On a 3DS, the following "DSi ROM data" can be dumped from the 2470h-byte DSi
12175 | key area in 3DS memory at ARM9 ITCM 01FFD000h..01FFF46Fh (via 3DS exploits that
12176 | are capable of executing code on ARM9 side):
12177 |
12178 | ```
12179 | ROM:FFFF87F4h / 3DS:01FFD000h 200h RSA key 0..3
12180 | ROM:00008308h / 3DS:01FFD200h 80h some AES keys
12181 | ROM:FFFF9920h / 3DS:01FFD280h 80h whatever
12182 | ROM:0000B5D8h / 3DS:01FFD300h 40h AES keys and values (common etc)
12183 | ROM:? / 3DS:01FFD340h A0h misc "Nintendo" string etc.
12184 | ROM:0000C6D0h / 3DS:01FFD3E0h 1048h Blowfish for DSi-mode
12185 | ROM:FFFF99A0h / 3DS:01FFE428h 1048h Blowfish for DS-mode
12186 | ```
12187 |
12188 | The 3DS does have only half of the DSi keys (the extra keys might be used for
12189 | DSi debug version, but aren't needed for normal DSi software).
12190 |
12191 | The 40h-byte area for ROM:0000B5D8h can be fully dumped from 3DS ITCM, the same
12192 | values should also exist in DSi ITCM, but the DSi zerofills a 10h-byte fraction
12193 | of that area after initialization, and it doesn't seem to be possible to read those
12194 | values via Main Memory hacks (most of those erased values can be found in AES
12195 | keyslots though).
12196 |
12197 | The A0h-byte area is found only in 3DS ITCM, it should also exist somewhere in
12198 | DSi ROM, but isn't relocated to DSi ITCM (however, the relevant values can be
12199 | found in AES keyslots, eg. the "Nintendo" string).
12200 |
12201 | ### Checksums for BiosDSi.rom (20000h bytes)
12202 |
12203 | ```
12204 | Offset Size CRC32
12205 | 00000h 8000h 5434691Dh ;\
12206 | 08000h 188h ? ;
12207 | 08188h 180h E5632151h (not 3ds) ;
12208 | 08308h 80h 64515306h ;
12209 | 08388h 3250h ? ;
12210 | 0B5D8h 20h 85BE2749h ; ARM7
12211 | 0B5F8h 10h 25A46A54h (3ds only) ;
12212 | 0B608h 10h E882B9A9h ;
12213 | 0B618h 10B8h ? ;
12214 | 0C6D0h 1048h 3B5CDF06h ;
12215 | 0D718h 1048h 5AC363F9h (not 3ds) ;
12216 | 0E860h 18A0h ? ;/
12217 | 10000h 8000h 11E7C1EAh ;\
12218 | 18000h 7F4h ? ;
12219 | 187F4h 200h 4405D4BAh ;
12220 | 189F4h 200h 2A32F2E7h (not 3ds) ;
12221 | 18BF4h D2Ch ? ; ARM9
12222 | 19920h 80h 2699A10Fh ;
12223 | 199A0h 1048h A8F58AE7h ;
12224 | 1A9E8h 1048h E94759ACh (not 3ds) ;
12225 | 1BA30h 45D0h ? ;/
12226 | ? A0h 180DF59Bh (3ds only) ;-whatever, "Nintendo" string etc.
12227 | ? 80h ........h (TWL-FIRM) ;-RSA key for eMMC boot info
12228 | ```
12229 |
12230 | Checksums for the 'whole' 20000h-byte file (with unknown/missing areas
12231 | zerofilled):
12232 |
12233 | ```
12234 | 180DF59Bh (tcm/ram dump) (missing 10h bytes)
12235 | 03A21235h (3ds dump) (missing 180h+200h+1048h+1048h bytes)
12236 | CDAA8FF6h (combined dump) (missing only the unknown "?" areas)
12237 | ```
12238 |
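A dump can be checked region by region against the table above. The Python code below is an added example, not part of GBATEK or no$gba; it assumes the listed values are standard CRC-32 as computed by zlib (the page does not name the variant), and all names are assumptions. Run on the rows as printed, its layout check reports that the 0E860h row does not start where the 0D718h row ends (0E760h).

```python
# Check a 20000h-byte BIOS image against a region/CRC32 table (added example).
import zlib
from typing import NamedTuple, Optional

IMAGE_SIZE = 0x20000

# Offset, size, CRC32 rows copied from the table above ("?" = no reference).
PAGE_TABLE = """
00000h 8000h 5434691Dh
08000h 188h  ?
08188h 180h  E5632151h
08308h 80h   64515306h
08388h 3250h ?
0B5D8h 20h   85BE2749h
0B5F8h 10h   25A46A54h
0B608h 10h   E882B9A9h
0B618h 10B8h ?
0C6D0h 1048h 3B5CDF06h
0D718h 1048h 5AC363F9h
0E860h 18A0h ?
10000h 8000h 11E7C1EAh
18000h 7F4h  ?
187F4h 200h  4405D4BAh
189F4h 200h  2A32F2E7h
18BF4h D2Ch  ?
19920h 80h   2699A10Fh
199A0h 1048h A8F58AE7h
1A9E8h 1048h E94759ACh
1BA30h 45D0h ?
"""

class Region(NamedTuple):
    offset: int
    size: int
    crc: Optional[int]

def _hex(field):
    return int(field.rstrip("h"), 16)

def parse_table(text):
    """Parse 'offset size crc' rows written in the page's NNNNh notation."""
    regions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            off, size, crc = fields
            regions.append(Region(_hex(off), _hex(size),
                                  None if crc == "?" else _hex(crc)))
    return regions

def layout_problems(regions, total=IMAGE_SIZE):
    """Return (row_offset, expected_offset) where rows leave a gap or overlap."""
    problems, expected = [], 0
    for r in regions:
        if r.offset != expected:
            problems.append((r.offset, expected))
        expected = r.offset + r.size
    if expected != total:
        problems.append((total, expected))
    return problems

def check_image(image, regions):
    """Return [(offset, status)]; status is ok/mismatch/missing/unverified."""
    if len(image) != IMAGE_SIZE:
        raise ValueError("expected a %Xh-byte image" % IMAGE_SIZE)
    results = []
    for r in regions:
        data = image[r.offset:r.offset + r.size]
        if r.crc is None:
            status = "unverified"            # page lists no CRC32 for this area
        elif zlib.crc32(data) == r.crc:
            status = "ok"
        elif not any(data):
            status = "missing"               # zerofilled, as in partial dumps
        else:
            status = "mismatch"
        results.append((r.offset, status))
    return results

def constructed_demo():
    """Run the checker on a constructed image (no real BIOS data involved)."""
    regions = parse_table(PAGE_TABLE)
    image = bytearray((i * 7 + 3) & 0xFF for i in range(IMAGE_SIZE))
    # Reference CRCs recomputed from the constructed image, same layout.
    refs = [r if r.crc is None else
            r._replace(crc=zlib.crc32(bytes(image[r.offset:r.offset + r.size])))
            for r in regions]
    image[0x0B5F8:0x0B5F8 + 0x10] = bytes(0x10)   # simulate a zerofilled area
    image[0x199A0] ^= 0xFF                        # simulate one corrupted byte
    return dict(check_image(bytes(image), refs))

if __name__ == "__main__":
    print(layout_problems(parse_table(PAGE_TABLE)))
    print(constructed_demo())
```

To check a real dump, pass its bytes and `parse_table(PAGE_TABLE)` to `check_image`; areas that a partial dump left zerofilled are reported as `missing` rather than `mismatch`.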
12239 | ### DSiWifi BIOS
12240 |
12241 | The Wifi BIOS can be dumped by using the WINDOW\_DATA register via SDIO CMD53.
12242 |
12243 | ### Further DSi BIOSes
12244 |
12245 | The DSi cameras and several other I2C/SPI devices probably have BIOS
12246 | ROMs, too. It is unknown if/how those ROMs are dumpable.
12247 |
12248 | ### DSi BIOS Dumping via voltage errors
12249 |
12250 | Lowering VDD12 for a moment works quite reliably for crashing the ARM9 and
12251 | trapping the 2FFFD9Ch vector in Main RAM. The problem is that Main RAM seems to
12252 | be disabled during bootstage 1 (it gets enabled at the beginning of bootstage 2 via
12253 | EXMEMCNT, that is, shortly after the upper BIOS 32Kbyte areas are disabled).
12254 | More on that here:
12255 |
12256 | ```
12257 | http://4dsdev.kuribo64.net/thread.php?id=130
12258 | ```
12259 |
12260 | One theory/idea (from dark\_samus) is that EXMEMCNT controls the CE2 pin on the
12261 | Main RAM chip, so one could try to rewire that pin to get Main RAM enabled
12262 | regardless of EXMEMCNT. If that actually works, then trapping the 2FFFD9Ch
12263 | vector should work even while BIOS ROMs are fully readable.
12264 |
12265 | ## External Connectors
12266 |
12267 | ### External Connectors
12268 |
12269 | - [AUX GBA Game Pak Bus](#auxgbagamepakbus)
12270 | - [AUX DS Game Card Slot](#auxdsgamecardslot)
12271 | - [AUX Link Port](#auxlinkport)
12272 | - [AUX Sound/Headphone Socket and Battery/Power Supply](#auxsoundheadphonesocketandbatterypowersupply)
12273 | - [AUX DSi SD/MMC Pin-Outs](#auxdsisdmmcpinouts)
12274 |
12275 | ### Getting access to Internal Pins
12276 |
12277 | - [AUX Opening the GBA](#auxopeningthegba)
12278 | - [AUX Mainboard](#auxmainboard)
12279 | - [AUX DSi Component Lists](#auxdsicomponentlists)
12280 | - [AUX DSi Internal Connectors](#auxdsiinternalconnectors)
12281 | - [AUX DSi Chipset Pinouts](#auxdsichipsetpinouts)
12282 |
12283 | ### More Internal Stuff
12284 |
12285 | - [Pinouts - CPU - Signal Summary](#pinoutscpusignalsummary)
12286 | - [Pinouts - CPU - Pinouts](#pinoutscpupinouts)
12287 | - [Pinouts - Audio Amplifiers](#pinoutsaudioamplifiers)
12288 | - [Pinouts - LCD Cables](#pinoutslcdcables)
12289 | - [Pinouts - Power Switches, DC/DC Converters, Reset Generators](#pinoutspowerswitchesdcdcconvertersresetgenerators)
12290 | - [Pinouts - Wifi](#pinoutswifi)
12291 | - [Pinouts - Various](#pinoutsvarious)
12292 |
12293 | ### Xboo Multiboot Cable
12294 |
12295 | - [AUX Xboo PC-to-GBA Multiboot Cable](#auxxboopctogbamultibootcable)
12296 | - [AUX Xboo Flashcard Upload](#auxxbooflashcardupload)
12297 | - [AUX Xboo Burst Boot Backdoor](#auxxbooburstbootbackdoor)
12298 | - [DS Xboo](#dsxboo)
12299 |
12300 | ## AUX GBA Game Pak Bus
12301 |
12302 | ### Game Pak Bus - 32pin cartridge slot
12303 |
12304 | The cartridge bus may be used for both CGB and GBA game paks. In GBA mode, it
12305 | is used as follows:
12306 |
12307 | ```
12308 | Pin Name Dir Expl.
12309 | 1 VDD O Power Supply 3.3V DC
12310 | 2 PHI O System Clock (selectable none, 4.19MHz, 8.38MHz, 16.78MHz)
12311 | 3 /WR O Write Select ;\latched address to be incremented on
12312 | 4 /RD O Read Select ;/rising edges of /RD or /WR signals
12313 | 5 /CS O ROM Chip Select ;-A0..A15 to be latched on falling edge
12314 | 6-21 AD0-15 I/O lower 16bit Address and/or 16bit ROM-data (see below)
12315 | 22-29 A16-23 I/O upper 8bit ROM-Address or 8bit SRAM-data (see below)
12316 | 30 /CS2 O SRAM Chip Select
12317 | 31 /REQ I Interrupt request (/IREQ) or DMA request (/DREQ)
12318 | 32 GND O Ground 0V
12319 | ```
12320 |
12321 | When accessing game pak SRAM, a 16bit address is output through AD0-AD15, then
12322 | 8bit of data are transferred through A16-A23.
12323 |
12324 | When accessing game pak ROM, a 24bit address is output through AD0-AD15 and
12325 | A16-A23, then 16bit of data are transferred through AD0-AD15.
12326 |
12327 | The 24bit address is formed from the actual 25bit memory address (byte-steps),
12328 | divided by two (halfword-steps).
12329 |
12330 | Pin Pitch is 1.5mm.
12331 |
12332 | ### 8bit-Gamepak-Switch (GBA, GBA SP only) (not DS)
12333 |
12334 | A small switch is located inside of the cartridge slot, the switch is pushed
12335 | down when an 8bit cartridge is inserted, it is released when a GBA cartridge is
12336 | inserted (or if no cartridge is inserted).
12337 |
12338 | The switch mechanically controls whether VDD3 or VDD5 are output at VDD35; ie.
12339 | in GBA mode 3V power supply/signals are used for the cartridge slot and link
12340 | port, while in 8bit mode 5V are used.
12341 |
12342 | The switch additionally drags IN35 to 3V when an 8bit cart is inserted, the
12343 | current state of IN35 can be determined in GBA mode via Port 4000204h
12344 | (WAITCNT), if the switch is pushed, then CGB mode can be activated via Port
12345 | 4000000h (DISPCNT.3), this bit can be set ONLY by opcodes in BIOS region (eg.
12346 | via CpuSet SWI function).
12347 |
12348 | In 8bit mode, the cartridge bus works much like for GBA SRAM, however, the 8bit
12349 | /CS signal is expected at Pin 5, while GBA SRAM /CS2 at Pin 30 is interpreted
12350 | as /RESET signal by the 8bit MBC chip (if any). In practice, this appears to
12351 | result in 00h being received as data when attempting to read-out 8bit
12352 | cartridges from inside of GBA mode.
12353 |
12354 |
12355 | ## AUX Link Port
12356 |
12357 | ### Serial Link Port Pin-Out (GBA:"EXT" - GBA SP:"EXT.1")
12358 |
12359 | ```
12360 | Pin Name Cable
12361 | 1 VDD35 N/A GBA Socket GBA Plug Old "8bit" Plug
12362 | 2 SO Red ___________ _________ ___________
12363 | 3 SI Orange | 2 4 6 | / 2 4 6 \ | 2 4 6 |
12364 | 4 SD Brown \_1_ 3 _5_/ \_1_ 3 _5_/ \_1__3__5_/
12365 | 5 SC Green '-' '-'
12366 | 6 GND Blue Socket Outside View / Plug Inside View
12367 | Shield Shield
12368 | ```
12369 |
12370 | Note: The pin numbers and names are printed on the GBA mainboard, colors as
12371 | used in Nintendo's AGB-005 and older 8bit cables.
12372 |
12373 | ### Serial Link/Power Supply Port (GBA-Micro: "EXT.")
12374 |
12375 | ```
12376 | 1 In DC (Supply 5.2VDC) ___________________
12377 | 2 Out V3 (SIO 3.3VDC) | 1 2 3 4 5 6 7 8 |
12378 | 3 I/O SO (SIO RCNT.3) | ================= |
12379 | 4 I/O SI (SIO RCNT.2) \_________________/
12380 | 5 I/O SD (SIO RCNT.1)
12381 | 6 I/O SC (SIO RCNT.0)
12382 | 7 OUT DG (SIO GROUND)
12383 | 8 In DG (Supply GROUND)
12384 | - - - (Shield not connected)
12385 | ```
12386 |
12387 | ### Cable Diagrams (Left: GBA Cable, Right: 8bit Gameboy Cable)
12388 |
12389 | ```
12390 | Big Plug Middle Socket Small Plug Plug 1 Plug 2
12391 | SI _________________ ____ SI SI ______ ______SI
12392 | SO ____________SO |__ | ___ SO SO ______><______SO
12393 | GND____________GND______|____GND GND_____________GND
12394 | SD ____________SD____________ SD SD SD
12395 | SC ____________SC____________ SC SC _____________ SC
12396 | Shield_______Shield_______Shield Shield_______Shield
12397 | ```
12398 |
12399 | ### Normal Connection
12400 |
12401 | Just connect the plugs to the two GBAs and leave the Middle Socket
12402 | disconnected, in this mode both GBAs may behave as master or slave, regardless
12403 | of whether using big or small plugs.
12404 |
12405 | The GBA is (NOT ???) able to communicate in Normal mode with MultiPlay cables
12406 | which do not have crossed SI/SO lines.
12407 |
12408 | ### Multi-Play Connection
12409 |
12410 | Connect two GBAs as normal, for each further GBA connect an additional cable
12411 | to the Middle socket of the first (or further) cable(s), up to four GBAs may be
12412 | connected by using up to three cables.
12413 |
12414 | The GBA which is connected to a Small Plug is master, the slaves are all
12415 | connected to Large Plugs. (Only small plugs fit into the Middle Socket, so it's
12416 | not possible to mess up something here).
12417 |
12418 | ### Multi-Boot Connection
12419 |
12420 | MultiBoot (SingleGamepak) typically uses Multi-Play communication, in this
12421 | case it is important that the Small plug is connected to the master/sender (ie.
12422 | to the GBA that contains the cartridge).
12423 |
12424 | ### Non-GBA Mode Connection
12425 |
12426 | First of all, it is not possible to link between 32bit GBA games and 8bit
12427 | games, partly because of different cable protocol, and partly because of
12428 | different signal voltages.
12429 |
12430 | However, when an 8bit cartridge is inserted (the GBA is switched into 8bit
12431 | compatibility mode) it may be connected to other 8bit games (monochrome
12432 | gameboys, CGBs, or to other GBAs which are in 8bit mode also, but not to GBAs
12433 | in 32bit mode).
12434 |
12435 | When using 8bit link mode, an 8bit link cable must be used. The GBA link cables
12436 | won't work, see below modification though.
12437 |
12438 | ### Using a GBA 32bit cable for 8bit communication
12439 |
12440 | Open the middle socket, and disconnect the Small Plug's SI from GND, and connect SI
12441 | to the Large Plug's SO instead. You may also want to install a switch that allows
12442 | switching between SO and GND, the GND signal should be required for MultiPlay
12443 | communication only though.
12444 |
12445 | Also, cut off the plastic ledge from the plugs so that they fit into 8bit
12446 | gameboy sockets.
12447 |
12448 | ### Using a GBA 8bit cable for 32bit communication
12449 |
12450 | The cable should theoretically work as is, as the grounded SI would be required
12451 | for MultiPlay communication only. However, software that uses SD for
12452 | Slave-Ready detection won't work unless an SD-to-SD connection is added (the
12453 | 8bit plugs probably do not even contain SD pins though).
12454 |
12455 | ## AUX Sound/Headphone Socket and Battery/Power Supply
12456 |
12457 | ### GBA, GBA-Micro, NDS, and NDS-Lite: Stereo Sound Connector (3.5mm, female)
12458 |
12459 | ```
12460 | Tip Audio Left ___ ___ _____+-----------+
12461 | Middle Audio Right (___|___|_____| |
12462 | Base Ground L R GND +-----------+
12463 | ```
12464 |
12465 | The NDS socket doesn't fully match regular 3.5mm plugs, one needs to cut off a
12466 | portion of the DS case to be able to fully insert the plug, which still
12467 | requires a lot of pressure, furthermore, when fully inserted, left/right become
12468 | short-circuited to mono, so one needs to pull back the plug a bit to gain stereo
12469 | output.
12470 |
12471 | ### GBA SP and NDS - Power/Headphone Socket (EXT.2)
12472 |
12473 | ```
12474 | Pin SP NDS Expl.
12475 | 1 P31 SL Audio LOUT _____________
12476 | 2 P32 VIN Supply Input (DC 5.2V) SW| 5 ___ 1 |SL
12477 | 3 P33 SR Audio ROUT | ---- ---- |
12478 | 4 P34 SG Audio GND (via 100uF to GND) |_6__4 3__2_|
12479 | 5 P35 SW Audio Speaker Disable (GND=Dis) GND SG\_/SR VIN
12480 | 6 GND Supply GND
12481 | Shield GND
12482 | ```
12483 |
12484 | External power input is used to charge the built-in battery, it cannot be used
12485 | to run the SP without that battery.
12486 |
12487 | ### NDS-Lite - Power Socket
12488 |
12489 | ```
12490 | Pin Expl. __________
12491 | 1 Supply Input (DC 5.2V) / ====== \
12492 | 2 Supply GND GND |___2__1___| VIN
12493 | ```
12494 |
12495 | ### GBA-Micro - Power Socket
12496 |
12497 | Uses an 8pin socket (which combines SIO and Power), for pin-outs, see
12498 |
12499 | - [AUX Link Port](#auxlinkport)
12500 |
12501 | ### External Power Supply
12502 |
12503 | GBA: DC 3.3V (no separate power socket, requires 2xAA-battery-shaped adapter)
12504 |
12505 | GBA-SP/NDS: DC 5.2V (or DC 5V) (special connector on power/headphone socket)
12506 |
12507 | NDS-Lite: DC 5.2V (or DC 5V) (another special connector on power socket)
12508 |
12509 | ### Internal Battery Supply
12510 |
12511 | GBA: 2xAA (3V)
12512 |
12513 | GBA-SP: Li-ion 3.7V, 600mAh (built-in, recharge-able)
12514 |
12515 | GBA-Micro: Li-ion 3.8V, 460mAh (built-in, recharge-able)
12516 |
12517 | NDS: Li-ion 3.7V, 850mAh (built-in, recharge-able)
12518 |
12519 | NDS-Lite: Li-ion 3.7V, 1000mAh (built-in, recharge-able)
12520 |
12521 | ### Using PC +5V DC as Power Supply
12522 |
12523 | Developers who are using a PC for GBA programming will probably want to use
12524 | the PC power supply (gained from disk drive power supply cable) for the GBA as
12525 | well rather than dealing with batteries or external power supplies.
12526 |
12527 | GBA: To lower the voltage to approximately 3 Volts use two diodes, type 1N4004
12528 | or similar, the ring printed onto the diodes points towards the GBA side,
12529 | connected as such:
12530 |
12531 | ```
12532 | PC +5V (red) --------|>|---|>|-------- GBA BT+
12533 | PC GND (black) ------------------------- GBA BT-
12534 | ```
12535 |
12536 | GBA SP, GBA Micro, NDS, and NDS-Lite: Works directly at +5V connected to EXT.2
12537 | socket (not to the internal battery pins), without any diodes.
12538 |
12539 |
12540 | ## AUX Opening the GBA
12541 |
12542 | Since Nintendo uses special screws with Y-shaped heads to seal the GBA (as well
12543 | as older 8bit gameboys), it's always a bit difficult to loosen these screws.
12544 |
12545 | ### Using Screwdrivers
12546 |
12547 | One possible method is to use a small flat screwdriver, which might work, even
12548 | though it'll most likely damage the screwdriver.
12549 |
12550 | Reportedly, special Y-shaped screwdrivers for gameboys are available for sale
12551 | somewhere (probably not at your local dealer, but you might find some on the
12552 | internet or elsewhere).
12553 |
12554 | ### Destroying the Screws
12555 |
12556 | A more violent method is to take an electric drill, and drill off the screw
12557 | heads. This might also slightly damage the GBA plastic case; also take care
12558 | that the metal shavings from the destroyed screws don't produce short circuits
12559 | on the GBA mainboard.
12560 |
12561 | ### Using a selfmade Screwdriver
12562 |
12563 | A possible method is to take a larger screw (with a normal I-shaped, or
12564 | X-shaped head), and to cut the screw-tip into Y-shape, you'll then end up with
12565 | an "adapter" which can be placed in the middle between a normal screwdriver and
12566 | gameboy screws.
12567 |
12568 | Preferably, first cut the screw-tip into a shape like a "sharp three sided
12569 | pyramid", next cut notches into each side. Access to a grinding-machine will be
12570 | a great benefit, but you might get it working by using a normal metal-file as
12571 | well.
12572 |
12573 | ### Opening the GBA Micro
12574 |
12575 | - open the case with appropriate screwdriver or drilling machine or whatever
12576 |
12577 | - remove the plastic front-plate (there are two snap-ins inside at ONE side)
12578 |
12579 | - remove the mainboard and screen and plastic skeleton from the metal case
12580 |
12581 | - remove the start/select daughter-board from the plastic skeleton
12582 |
12583 | - remove the plastic skeleton (move the screen through the skeleton)
12584 |
12585 | - remove the screen (lift lcd socket front-side, backlight socket rear-side)
12586 |
12587 | ### Opening the NDS-Lite
12588 |
12589 | - open the case with appropriate screwdriver or drilling machine or whatever
12590 |
12591 | - remove the RFU unit, and the 4-pin touch-screen cable (under the RFU unit)
12592 |
12593 | - remove the mainboard together with the lower screen
12594 |
12595 | - remove the upper/lower screen cables (on the rear-side of the mainboard)
12596 |
12597 | ## AUX Mainboard
12598 |
12599 | Other possibly useful signals on the mainboard...
12600 |
12601 | ### FIQ Signal
12602 |
12603 | The FIQ (Fast Interrupt) signal (labeled FIQ on the mainboard) could be used as
12604 | external interrupt (or debugging break) signal.
12605 |
12606 | Caution: By default, the FIQ input is directly shorted to VDD35 (+3V or +5V
12607 | power supply voltage), this can be fixed by scratching off the CL1 connection
12608 | located close to the FIQ pin (FIQ still appears to have an internal pull-up, so
12609 | that an external resistor is not required).
12610 |
12611 | The GBA BIOS rejects FIQs if using normal ROM cartridge headers (or when no
12612 | cartridge is inserted). When using a FIQ-compatible ROM header, Fast Interrupts
12613 | can be then requested by pulling FIQ to ground, either by a push button, or by
12614 | remote controlled signals.
12615 |
12616 | ### RESET Signal
12617 |
12618 | The RESET signal (found on the mainboard) could be used to reset the GBA by
12619 | pulling the signal to ground for a few microseconds (or longer). The signal can
12620 | be directly used (it is not shorted to VDD35, unlike FIQ).
12621 |
12622 | Note: A reset always launches Nintendo's time-consuming and annoying boot/logo
12623 | procedure, so that it'd be recommended to avoid this "feature" when possible.
12624 |
12625 | ### Joypad Signals
12626 |
12627 | The 10 direction/button signals are each directly shorted to ground when
12628 | pressed, and pulled up high otherwise (unlike 8bit gameboys which used a 2x4
12629 | keyboard matrix), it'd be thus easy to connect a remote keyboard, keypad,
12630 | joypad, or read-only 12bit parallel port.
12631 |
12632 |
12633 |
12634 |
12635 | ## Pinouts - CPU - Signal Summary
12636 |
12637 | ### Advance Gameboy CPU Signal Summary
12638 |
12639 | Cart Bus: D0-D7, A0-A15, /CS, /RD, /WR (different usage in GBA/DMG mode)
12640 |
12641 | WRAM Bus: WA0-WA16, WD0-WD15, /WLB, /WUB, /WWE, /WOE (used in GBA mode only)
12642 |
12643 | LCD Bus : LDR1-5, LDG1-5, LDB1-5, DCK, LP, PS, SPL, CLS, SPS, MOD, REVC
12644 |
12645 | Joypad: TP0-3 (Buttons), TP4-7 (Directions), TP8-9 (L/R-Buttons, via R43/R44)
12646 |
12647 | Serial Link: SC, SD (aka P14?), SI, SO - Audio: SO1-2, Vin
12648 |
12649 | Other: CK1-2, PHI, IN35, VCNT5, /FIQ (via CL1 to VDD3), /RESET (IN), /RES (OUT)
12650 |
12651 | Supply: VDD35, VDD3, VDD2, GND (some are probably undoc inputs)
12652 |
12653 | GBA SP: Same as GBA, plus VDD1, plus duplicated supply pins, plus pin 152.
12654 |
12655 | ## Pinouts - CPU - Pinouts
12656 |
12657 | ### Advance Gameboy CPU Pinouts (CPU AGB)
12658 |
12659 | ```
12660 | 1 VDD3 17 D0 33 A0 49 WA4 65 VDD2 81 WD9 97 LDB5 113 CK1
12661 | 2 IN35 18 A15 34 /CS 50 WA5 66 WD5 82 WD1 98 LDB4 114 CK2
12662 | 3 TP8 19 A14 35 /RD 51 WA6 67 WD13 83 /WOE 99 LDB3 115 VDD2
12663 | 4 TP0 20 A13 36 /WR 52 WA7 68 WD6 84 DCK 100 LDB2 116 GND
12664 | 5 TP1 21 A12 37 PHI 53 /WLB 69 WD14 85 LP 101 LDB1 117 VDD2
12665 | 6 SO1 22 A11 38 VDD35 54 /WUB 70 WD7 86 PS 102 GND 118 VCNT5
12666 | 7 SO2 23 A10 39 GND 55 /WWE 71 WD15 87 LDR5 103 VDD3 119 TP9
12667 | 8 Vin 24 A9 40 SC 56 WA8 72 WD8 88 LDR4 104 SPL 120 TP6
12668 | 9 /RES 25 A8 41 SD 57 WA9 73 WD16 89 LDR3 105 CLS 121 TP5
12669 | 10 D7 26 A7 42 SI 58 WA10 74 WA16 90 LDR2 106 SPS 122 TP7
12670 | 11 D6 27 A6 43 SO 59 WA11 75 WD12 91 LDR1 107 MOD 123 TP4
12671 | 12 D5 28 A5 44 VDD2 60 WA12 76 WD4 92 LDG5 108 REVC 124 /FIQ
12672 | 13 D4 29 A4 45 WA0 61 WA13 77 WD11 93 LDG4 109 GNDed 125 /RESET
12673 | 14 D3 30 A3 46 WA1 62 WA14 78 WD3 94 LDG3 110 GNDed 126 TP2
12674 | 15 D2 31 A2 47 WA2 63 WA15 79 WD10 95 LDG2 111 GNDed 127 TP3
12675 | 16 D1 32 A1 48 WA3 64 GND 80 WD2 96 LDG1 112 GNDed 128 GND
12676 | ```
12677 |
12678 | ### GBA SP CPU Pinouts (CPU AGB B)
12679 |
12680 | ```
12681 | 1 IN35 21 D0 41 A0 61 WA4 81 WD13 101 GND 121 LDB4 141 GND
12682 | 2 TP8 22 A15 42 /CS 62 WA5 82 WD6 102 VDD1 122 LDB3 142 VDD3
12683 | 3 TP0 23 A14 43 /RD 63 WA6 83 WD14 103 GND 123 LDB2 143 GND
12684 | 4 TP1 24 A13 44 /WR 64 WA7 84 WD7 104 VDD3 124 LDB1 144 VCNT5
12685 | 5 SO1 25 A12 45 PHI 65 /WLB 85 WD15 105 DCK 125 GND 145 TP9
12686 | 6 SO2 26 A11 46 VDD35 66 /WUB 86 WD8 106 LP 126 VDD3 146 TP6
12687 | 7 Vin 27 GND 47 GND 67 GND 87 WD16 107 PS 127 SPL 147 TP5
12688 | 8 VDD1 28 VDD35 48 SC 68 VDD2 88 WA16 108 LDR5 128 CLS 148 TP7
12689 | 9 GND 29 A10 49 SD 69 /WWE 89 VDD2 109 LDR4 129 SPS 149 TP4
12690 | 10 VDD35 30 A9 50 SI 70 WA8 90 GND 110 LDR3 130 MOD 150 /FIQ
12691 | 11 /RES 31 A8 51 SO 71 WA9 91 WD12 111 LDR2 131 REVC 151 /RESET
12692 | 12 D7 32 A7 52 VDD35 72 WA10 92 WD4 112 LDR1 132 GND 152 ?
12693 | 13 D6 33 A6 53 GND 73 WA11 93 WD11 113 LDG5 133 GND 153 TP3
12694 | 14 D5 34 A5 54 VDD1 74 WA12 94 WD3 114 LDG4 134 GND 154 TP2
12695 | 15 D4 35 A4 55 GND 75 WA13 95 WD10 115 LDG3 135 GND 155 VDD3
12696 | 16 D3 36 GND 56 VDD2 76 WA14 96 WD2 116 LDG2 136 VDD1 156 GND
12697 | 17 D2 37 VDD35 57 WA0 77 WA15 97 WD9 117 LDG1 137 GND
12698 | 18 GND 38 A3 58 WA1 78 GND 98 WD1 118 GND 138 CK1
12699 | 19 VDD35 39 A2 59 WA2 79 VDD2 99 /WOE 119 VDD3 139 CK2
12700 | 20 D1 40 A1 60 WA3 80 WD5 100 VDD2 120 LDB5 140 VDD2
12701 | ```
12702 |
12703 | Pin 152 seems to be not connected on the mainboard, maybe an undoc output.
12704 |
12705 | ### GBA-Micro, NDS, NDS-Lite, and DSi CPU Pinouts
12706 |
12707 | Unknown. The CPU pins are hidden underneath the CPU. And, in NDS and
12708 | NDS-Lite, the CPU itself hides underneath the DS Cartridge Slot. In the DSi
12709 | it's hidden underneath a shielding plate (which is itself underneath the
12710 | removable wifi daughterboard).
12711 |
12712 | ## Pinouts - Audio Amplifiers
12713 |
12714 | ### Advance Gameboy Audio Amplifier (AMP AGB IR3R60N) (U6)
12715 |
12716 | ```
12717 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
12718 | C38 FR1 FR2 FL1 FL2 GND RIN LIN C39 VOL SW VDD5 LOUT VCC3 ROUT VCC3 SP GND
12719 | ```
12720 |
12721 | SW=Headphone Switch (grounded when none connected).
12722 |
12723 | ### GBA SP Audio Amplifier (uses AMP AGB IR3R60N, too) (U3)
12724 |
12725 | Same connection as in GBA, except that pin14/16 connect to VR21 (instead of VCC3),
12726 | and pin1/9 connect to different capacitors.
12727 |
12728 | ### NDS - National Semiconductor LM4880M Dual 250mW Audio Power Amplifier (U12)
12729 |
12730 | ```
12731 | 1-OUT A 2-IN A 3-BYPASS 4-GND 5-SHUTDOWN 6-IN B 7-OUT A 8-VDD.VQ5
12732 | ```
12733 |
12734 | NDS-Lite: No external amplifier (Mitsumi 3205B Power Management Device contains
12735 | internal amplifier).
12736 |
12737 | ## Pinouts - LCD Cables
12738 |
12739 | ### Advance Gameboy Display Socket
12740 |
12741 | ```
12742 | 1 ? 6 GND 11 LDR2 16 LDG2 21 LDB3 26 SPS 31 P2-VSS 36 V4
12743 | 2 VSHD 7 VSHD 12 LDR1 17 LDG1 22 LDB2 27 ? 32 P2-VCC 37 V3
12744 | 3 DCK 8 LDR5 13 LDG5 18 GND 23 LDB1 28 MOD 33 ? 38 V2
12745 | 4 LP 9 LDR4 14 LDG4 19 LDB5 24 SPL 29 VCOM 34 VDD5 39 V1
12746 | 5 PS 10 LDR3 15 LDG3 20 LDB4 25 CLS 30 P2-VEE 35 GND 40 V0
12747 | ```
12748 |
12749 | ### GBA SP Display Socket
12750 |
12751 | ```
12752 | 1 VSHD 5 VSHD 9 LDR3 13 LDG4 17 GND 21 LDB2 25 SPS 29 P2VSS 33 U83
12753 | 2 DCK 6 GND 10 LDR2 14 LDG3 18 LDB5 22 LDB1 26 MOD 30 COM 34 VDD5
12754 | 3 LP 7 LDR5 11 LDR1 15 LDG2 19 LDB4 23 SPL 27 REVC 31 VDD5
12755 | 4 PS 8 LDR4 12 LDG5 16 LDG1 20 LDB3 24 CLS 28 P2VDD 32 GND
12756 | ```
12757 |
12758 | ### GBA Micro Display Sockets
12759 |
12760 | ```
12761 | __GBA Micro display socket (P1)____________________________________
12762 | 1-PS 6-5bit 11-MD 16-5bit 21-5bit 26-CL 31-GND
12763 | 2-RV 7-5bit 12-SL 17-5bit 22-5bit 27-SS 32-GND
12764 | 3-GND 8-5bit 13-CK 18-5bit 23-5bit 28-via C5 to VR1 33-V10
12765 | 4-5bit 9-LP 14-GND 19-5bit 24-5bit 29-V5 34-V-5
12766 | 5-5bit 10-VD 15-5bit 20-GND 25-5bit 30-to VR1
12767 | __GBA Micro backlight socket (P3)__________________________________
12768 | 1-LC 2-LC 3-LA 4-LA
12769 | ```
12770 |
12771 | ### NDS Upper/Lower Display Sockets
12772 |
12773 | ```
12774 | ___NDS upper screen/upper backlight/speakers socket (P3)_____________________
12775 | 1-SPLO 7-PS2 13-LDR2 19-GND 25-LDG2 31-LDB2 37-MOD2 43-VDD15 49-SPRO
12776 | 2-SPLO 8-REV2 14-LDR1 20-DCLK2 26-LDG1 32-LDB1 38-GND 44-VDD-5 50-GND
12777 | 3-SSC2 9-GND 15-LDR0 21-GND 27-LDG0 33-LDB0 39-VDD5 45-VDD-10 51-GND
12778 | 4-ASC2 10-LDR5 16-LS2 22-LDG5 28-LDB5 34-GCK2 40-VDD10 46-LEDC2
12779 | 5-GND 11-LDR4 17-VSHD 23-LDG4 29-LDB4 35-GSP2 41-COM2 47-LEDA2
12780 | 6-SPL2 12-LDR3 18-DISP1 24-LDG3 30-LDB3 36-GND 42-GND 48-SPRO
12781 | ___NDS lower screen socket (P4)______________________________________________
12782 | 1-SSC1 6-REV1 11-LDR2 16-DISP0 21-LDG4 26-LDB5 31-LDB0 36-GND 41-VDD15
12783 | 2-ASC1 7-GND 12-LDR1 17-SPL1 22-LDG3 27-LDB4 32-GCK1 37-? 42-VDD10
12784 | 3-GND 8-LDR5 13-LDR0 18-DCLK1 23-LDG2 28-LDB3 33-GSP1 38-VDD5 43-GND
12785 | 4-? 9-LDR4 14-LS1 19-GND 24-LDG1 29-LDB2 34-VSHD 39-COM1 44-VDD-5
12786 | 5-PS1 10-LDR3 15-VSHD 20-LDG5 25-LDG0 30-LDB1 35-MOD1 40-GND 45-VDD-10
12787 | ___NDS lower backlight socket (P5)____ ___NDS touchscreen socket (P6)______
12788 | 1:LEDA1 2:LEDA1 3:LEDC1 4:LEDC1 1:Y- 2:X- 3:Y+ 4:X+
12789 | ```
12790 |
12791 | ### NDS-Lite Upper/Lower Display Sockets
12792 |
12793 | ```
12794 | ___NDS-Lite upper screen/upper backlight/speakers socket (P3)________________
12795 | 1-VDD-5 6-MOD 11-LD2xx 16-LD2xx 21-LD2xx 26-LD2xx 31-LS 36-GND 41-SPRO
12796 | 2-VDD10 7-GSP 12-LD2xx 17-LD2xx 22-LD2xx 27-LD2xx 32-VSHD 37-COM2 42-SG
12797 | 3-VDD5 8-GCK 13-LD2xx 18-GND 23-LD2xx 28-GND 33-GND 38-LEDA2 43-SG
12798 | 4-GND 9-LD2xx 14-LD2xx 19-LD2xx 24-LD2xx 29-DCLK 34-xx2? 39-LEDC2 44-SPLO
12799 | 5-VSHD 10-LD2xx 15-LD2xx 20-LD2xx 25-LD2xx 30-SPL 35-REV 40-SPRO 45-SPLO
12800 | ___NDS-Lite lower screen/lower backlight (P4)________________________________
12801 | 1-VDD-5 6-MOD 11-LD1xx 16-LD1xx 21-LD1xx 26-LD1xx 31-LS 36-GND
12802 | 2-VDD10 7-GSP 12-LD1xx 17-LD1xx 22-LD1xx 27-LD1xx 32-VSHD 37-COM1
12803 | 3-VDD5 8-GCK 13-LD1xx 18-GND 23-LD1xx 28-GND 33-GND 38-LEDA1
12804 | 4-GND 9-LD1xx 14-LD1xx 19-LD1xx 24-LD1xx 29-DCLK 34-xx1? 39-LEDC1
12805 | 5-VSHD 10-LD1xx 15-LD1xx 20-LD1xx 25-LD1xx 30-SPL 35-REV
12806 | ___NDS-Lite touchscreen socket (P6)______ ___NDS-Lite white coax (P12)_____
12807 | 1:X- 2:Y- 3:X+ 4:Y+ Center:MICIN Shield:GND
12808 | ```
12809 |
12810 | ## Pinouts - Power Switches, DC/DC Converters, Reset Generators
12811 |
12812 | ### Advance Gameboy Power Switch (2-position slider, with two common pins)
12813 |
12814 | ### GBA SP Power Switch (same as GBA)
12815 |
12816 | ```
12817 | 1 via resistor to GND (OFF)
12818 | 2 VS (BT+) (ON)
12819 | C VCC (to board)
12820 | ```
12821 |
12822 | ### GBA Micro Power Switch
12823 |
12824 | Same as GBA and GBA SP, but Pin 1 and 2 exchanged.
12825 |
12826 | ### Advance Gameboy Cartridge Slot Switch (integrated 4pin micro switch)
12827 |
12828 | ### GBA SP Cartridge Slot Switch (separate 4pin micro switch)
12829 |
12830 | ```
12831 | C1 VDD35 (to S2 when PRESSED, to S1 when RELEASED)
12832 | S1 VDD3 (to C2 when PRESSED, to C1 when RELEASED)
12833 | C2 IN35 (to S1 when PRESSED)
12834 | S2 VDD5 (to C1 when PRESSED)
12835 | ```
12836 |
12837 | Pressed=8bit DMG/MGB/CGB cart, Released=32bit GBA cart (or no cart inserted)
12838 |
12839 | GBA: switch integrated in cart socket, GBA-SP: separate switch next to socket.
12840 |
12841 | ### Advance Gameboy Power Controller (M 121 514X) (U4)
12842 |
12843 | ```
12844 | 1-VIN 2-VOUT5 3-CSS5 4-VDRV5 5-GND 6-VDRV3 7-CSS3 8-VOUT3
12845 | 9-VCNT5 10-CSCP 11-REGEXT 12-VDD3 13-VDD2 14-/RESET 15-LOWBAT 16-VDD13
12846 | ```
12847 |
12848 | /RESET is passed to the CPU, and then forwarded to /RES pin on cart slot.
12849 |
12850 | ### Advance Gameboy LCD Regulator (AGB-REG IR3E09N) (U3)
12851 |
12852 | ```
12853 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
12854 | ? ? REVC U3-COM V0 V1 ? ? ? GND ? V2 ? V3 V4 VDD5 U3-VDD ?
12855 | ```
12856 |
12857 | ### GBA SP Power Controller 1 (S6403 AU227 9276) (U4)
12858 |
12859 | ```
12860 | 1-VCC 2-SCP1 3-SCP2 4-VDRV3 5-VOUT3/VDD3 6-VDD2 7-VOUT1/VDD1 8-VDRV1
12861 | 9-LOWBAT 10-VCNT5 11-LS5 12-? 13-GND 14-? 15-VOUT5/VDD5 16-VDRV5
12862 | ```
12863 |
12864 | ### GBA SP Power Controller 2 (2253B 2808) (U5)
12865 |
12866 | ```
12867 | 1-TIN 2-U5C3 3-ADJ 4-U5VDD 5-VIN 6-? 7-U57 8-?
12868 | 9-to-C29 10-to-C30 11-? 12-GND 13-VS 14-S- 15-S+ 16-U5OUT
12869 | ```
12870 |
12871 | ### GBA Micro - Power Management Device (U2)
12872 |
12873 | - 1 via C43 to GND
12874 | - 2 via R24 to C34 to R25 back to U2.2
12875 | - 3 via C35 to GND
12876 | - 4 via C36 to GND
12877 | - 5
12878 | - 6 audio.in ? (see BP)
12879 | - 7 via C48 to GND
12880 | - 8 via R21 to C46 to C47 to C38 to R23 to phones
12881 | - 9 VL (to U4)
12882 | - 10 via R27 to C33 to C44 to C49 to R22 to phones
12883 | - 11 via C45 to GND
12884 | - 12 audio.in ? (see BP)
12885 | - 13 via C41 to GND
12886 | - 14 phones (switch)
12887 | - 15 phones (tip via R22)
12888 | - 16 phones (mid via R23)
12889 | - 17 VCS
12890 | - 18 SP
12891 | - 19 GND
12892 | - 20 LB
12893 | - 21 via C52 to GND
12894 | - 22 via C53 to GND
12895 | - 23 RS (looks like RESET output)
12896 | - 24 to R37/C56 (looks like RESET input)
12897 | - 25
12898 | - 26
12899 | - 27 via C54 to V3
12900 | - 28 V3
12901 | - 29 GND
12902 | - 30 V3
12903 | - 31 VC
12904 | - 32 to C58
12905 | - 33 to R41/C58
12906 | - 34 GND
12907 | - 35
12908 | - 36 VC
12909 | - 37 VC
12910 | - 38
12911 | - 39 V5
12912 | - 40 GND
12913 | - 41 GND
12914 | - 42
12915 | - 43
12916 | - 44
12917 | - 45 B+
12918 | - 46 S-
12919 | - 47 S+
12920 | - 48
12921 |
12922 | ### GBA Micro - Volume/Backlight Level Up/Down Controller (U5)
12923 |
12924 | ```
12925 | 1- 5-GND 9- 13-XD 17- 21- 25- 29-
12926 | 2- 6-GND 10- 14-to U4.7 18-XR 22-CN 26- 30-
12927 | 3- 7- 11-XC 15- 19-V+ 23-CNS 27- 31-BP
12928 | 4-LN 8- 12-GND 16- 20-V- 24- 28-V3 32-
12929 | ```
12930 |
12931 | ### NDS Power Management Device (Mitsumi 3152A) (U3)
12932 |
12933 | ```
12934 | 1 R50-EXTB+ 17 33 LEDC1 49 VCNT5
12935 | 2 R39-ORANGE 18 34 GND 50
12936 | 3 GND 19 VQ5 35 LEDC2 51 RST
12937 | 4 20 36 52
12938 | 5 Rxx-Q4 21 37 U10-LEDA2 53
12939 | 6 INS+ 22 GND 38 54
12940 | 7 INS- 23 VQ5 39 MIC.C53-AIN 55 VQ5
12941 | 8 24 40 MIC.TSC.AUX 56 R24-SR
12942 | 9 VDET 25 VDD3.3 41 GND 57
12943 | 10 PVDD 26 GND 42 R38-RED 58 R22-SL
12944 | 11 27 CL60-VDD3.3 43 R37-GREEN 59 GND
12945 | 12 PWSW 28 VSHD 44 VDD3.3 60 VR3.PIN2
12946 | 13 29 45 PWM.SPI.CLK 61
12947 | 14 GND 30 VDD5 46 PWM.SPI.D 62
12948 | 15 GND 31 U9-LEDA1 47 PWM.SPI.Q 63
12949 | 16 VQ5 32 48 PWM.SPI.SEL 64 GND
12950 | ```
12951 |
12952 | ### NDS-LITE Power Management Device (Mitsumi 3205B) (U3)
12953 |
12954 | ```
12955 | 1 SW 17 33 LEDC1 49 VCNT5
12956 | 2 R50-EXTB+ 18 34 GND 50
12957 | 3 R39-ORANGE 19 VQ5 35 LEDC2 51 RST
12958 | 4 GND 20 36 52
12959 | 5 21 37 U10-LEDA2 53
12960 | 6 R30-Q4 22 GND 38 54
12961 | 7 INS+ 23 VQ5 39 MIC.C53-AIN 55 CL63-VQ5
12962 | 8 INS- 24 40 MIC.TSC.AUX 56 R24-SR
12963 | 9 VDET 25 VDD3.3 41 GND 57 SPRO
12964 | 10 PVDD 26 GND 42 R38-RED 58 SPLO
12965 | 11 27 CL60-VDD3.3 43 R37-GREEN 59 R22-SL
12966 | 12 PWSW 28 VSHD 44 VDD3.3 60 GND
12967 | 13 GND 29 45 PWM.SPI.CLK 61 R79-VR3.PIN2
12968 | 14 GND 30 VDD5 46 PWM.SPI.D 62
12969 | 15 GND 31 U9-LEDA1 47 PWM.SPI.Q 63
12970 | 16 VQ5 32 48 PWM.SPI.SEL 64
12971 | ```
12972 |
12973 | ### NDS-LITE Power Switch
12974 |
12975 | ```
12976 | 1 PWSW (grounded when switch is pulled)
12977 | 2 GND
12978 | 3 GND
12979 | 4 NC? (grounded when switch is not pulled)
12980 | ```
12981 |
12982 |
12983 | ## Pinouts - Various
12984 |
12985 | ### Advance Gameboy 256Kbytes RAM 128Kx16bit (NEC D442012LGY-B85x-MJH) (wide)
12986 |
12987 | ### GBA SP 256Kbytes RAM 128Kx16bit (F 82D12160-10FN) (square)
12988 |
12989 | ```
12990 | 1 A15 7 A9 13 IC 19 A6 25 A0 31 D2 37 VCC 43 D15
12991 | 2 A14 8 A8 14 /UB 20 A5 26 /CE1 32 D10 38 D5 44 D8
12992 | 3 A13 9 NC 15 /LB 21 A4 27 GND 33 D3 39 D13 45 D16
12993 | 4 A12 10 NC 16 NC 22 A3 28 /OE 34 D11 40 D6 46 GND
12994 | 5 A11 11 /WE 17 NC 23 A2 29 D1 35 D4 41 D14 47 NC
12995 | 6 A10 12 CE2 18 A7 24 A1 30 D9 36 D12 42 D7 48 A16
12996 | ```
12997 |
12998 | Connection in GBA and GBA SP: IC-GND, /CE1-GND, CE2-VDD2, VCC-VDD2, Pin16-VDD2,
12999 | the other NC pins seem to be actually not connected, all other pins connect to
13000 | the corresponding Wxx CPU pins. Note: Both GBA and GBA SP have soldering points
13001 | for wide (12x18mm) and square (12x14mm) RAMs, so either could be used.
13002 |
13003 | The GBA additionally contains 32K built-in WRAM, and built-in VRAM, so the
13004 | above 256K RAM chip is probably not used in 8bit classic/color gameboy mode.
13005 |
13006 | Note: In the GBA Micro, the 256K RAM are contained on-chip in the CPU.
13007 |
13008 | ### Advance Gameboy Schematic Fragments
13009 |
13010 | P2-VSS = VDD-15
13011 |
13012 | VIN = VCC3 via R33
13013 |
13014 | REGEXT (on my modified board, REGEXT underneath of my diodes)
13015 |
13016 | /RES (OUT) (via R40)
13017 |
13018 | /CS (via R39)
13019 |
13020 | /WR (via R38)
13021 |
13022 | SC (via Rxx)
13023 |
13024 | SD (via Rxx)
13025 |
13026 | SI (via Rxx)
13027 |
13028 | SO (via Rxx)
13029 |
13030 | DCK (via R36)
13031 |
13032 | A-GND via CP4 (100uF) to GND (used speaker, and on headphone socket)
13033 |
13034 | ### GBA SP Schematic Fragments
13035 |
13036 | P2VDD = VDD13
13037 |
13038 | P2VSS = VDD15
13039 |
13040 | /RES via R46
13041 |
13042 | /CS via R45
13043 |
13044 | /WR via R44
13045 |
13046 | DCK via R20
13047 |
13048 | VS=BT+
13049 |
13050 | In my repaired GBA-SP: CK1 test-point is disconnected (instead GND'ed).
13051 |
13052 | In my repaired GBA-SP: broken oscillator replaced
13053 |
13054 | In my repaired GBA-SP: broken r1 1mOhm replaced (near oscillator)
13055 |
13056 | In my repaired GBA-SP: broken EXT2 socket metal-spring/snapper removed
13057 |
13058 | CL1 FIQ (near SW4)
13059 |
13060 | CL2 ?
13061 |
13062 | CL3 ?
13063 |
13064 | CL4 VOUT1/VDD1 (near U4)
13065 |
13066 | CL5 VOUT3/VDD3 (near U4)
13067 |
13068 | CL6 VOUT5/VDD5 (near U4)
13069 |
13070 | DL1-red (power low) ---R32--Q4--R6--
13071 |
13072 | DL2-green (power good) ---Q6--LOWBAT/R34-VDD3
13073 |
13074 | DL3-orange (charge) --R24--Q2--VIN/U57
13075 |
13076 | P2VDD--VDD13
13077 |
13078 | P2VSS--VDD15
13079 |
13080 | S+ and S- are (almost) shorted by R23 (1.0 ohm)
13081 |
13082 | S+ via Q1 to VIN
13083 |
13084 | VS via D1 to S-
13085 |
13086 | A-GND via CP1 (100uF) to GND
13087 |
13088 | U4 pin 12 to r6 (towards red led)
13089 |
13090 | U4 pin 14 to D6---to U7
13091 |
13092 | SC (CPU pin48) with R7 100K ohm pullup to VDD35
13093 |
13094 | P35 via Q11 to SW (speaker disable)
13095 |
13096 | ### GBA SP Backlight-Button Schematic (U6,U8,Q12)
13097 |
13098 | ```
13099 | ______ _____
13100 | GND--|1 U8 6|-- U85 | |--VDD5
13101 | U82--|2 5|-- U85 U61-| Q12 | U83 ------> to display
13102 | U83--|3____4|-- U82 |_____|--Q12B Q12B <------ from button
13103 | U61--|1 U6 8|--VDD5 (X)---R51--VDD5 (X)---C70--GND
13104 | U62--|2 7|--VDD5 U62---R49--VDD5 U61---R40--GND
13105 | U62--|3 6|--(X) Q12B--R39--VDD5 U82---R38--GND
13106 | GND--|4____5|--NC? Q12B--C69--VDD5 U85---R50--U62
13107 | ```
13108 |
13109 | ## AUX Xboo PC-to-GBA Multiboot Cable
13110 |
13111 | The following describes how to connect a PC parallel port to the GBA link port,
13112 | which allows uploading small programs (max 256 KBytes) from no$gba's Utility
13113 | menu into real GBAs.
13114 |
13115 | This is possible because the GBA BIOS includes a built-in function for
13116 | downloading & executing program code even when no cartridge is inserted.
13117 | The program is loaded to 2000000h and up in GBA memory, and must contain
13118 | cartridge header information just as for normal ROM cartridges (nintendo logo,
13119 | checksum, etc., plus some additional multiboot info).
13120 |
13121 | ### Basic Cable Connection
13122 |
13123 | The general connection is very simple (only needs four wires), the only problem
13124 | is that you need a special GBA plug or otherwise need to solder wires directly
13125 | to the GBA mainboard (see Examples below).
13126 |
13127 | ```
13128 | GBA Name Color SUBD CNTR Name
13129 | 2 SO Red ------------- 10 10 /ACK
13130 | 3 SI Orange ------------- 14 14 /AUTOLF
13131 | 5 SC Green ------------- 1 1 /STROBE
13132 | 6 GND Blue ------------- 19 19 GND
13133 | ```
13134 |
13135 | Optionally, also connect the following signals (see notes below):
13136 |
13137 | ```
13138 | 4 SD Brown ------------- 17 36 /SELECT (double speed burst)
13139 | 3 SI Orange ----[===]---- 2..9 2..9 D0..7 (pull-up, 560 Ohm)
13140 | 5 SC Green ----[===]---- 2..9 2..9 D0..7 (pull-up, 560 Ohm)
13141 | 4 SD Brown ----[===]---- 2..9 2..9 D0..7 (pull-up, 560 Ohm)
13142 | START (mainboard) -----|>|----- 16 31 /INIT (auto-reset, 1N4148)
13143 | SELECT (mainboard) -----|>|----- 16 31 /INIT (auto-reset, 1N4148)
13144 | RESET (mainboard) -----||------ 16 31 /INIT (auto-reset, 300nF)
13145 | ```
13146 |
13147 | Notes: The GBA Pins are arranged from left to right as 2,4,6 in upper row, and
13148 | 1,3,5 in lower row; outside view of GBA socket; flat side of socket upside. The
13149 | above "Colors" are as used in most or all standard Nintendo link cables, note
13150 | that Red/Orange will be exchanged at one end in cables with crossed SO/SI
13151 | lines. At the PC side, use the SUBD pin numbers when connecting to a 25-pin
13152 | SUBD plug, or CNTR pin numbers for 36-pin Centronics plug.
13153 |
13154 | ### Optional SD Connection (Double Speed Burst)
13155 |
13156 | The SD line is used for Double Speed Burst transfers only. If you are
13157 | using a gameboy link plug for the connection, and that plug does not have an
13158 | SD pin (such as one from older 8bit gameboy cables), then you may leave out this
13159 | connection. Burst Boot will then only work half as fast though.
13160 |
13161 | ### Optional Pull-Ups (Improves Low-to-High Transition Speed)
13162 |
13163 | If your parallel port works only with medium or slow delay settings, try to
13164 | connect 560 Ohm resistors to SI/SC/SD inputs each, and the other resistor pin
13165 | to any or all of the parallel port data lines (no$gba outputs high to pins
13166 | 2..9).
13167 |
13168 | ### Optional Reset Connection (CAUTION: Connection changed September 2004)
13169 |
13170 | The Reset connection makes it possible to automatically reset & upload data even if a
13171 | program in the GBA has locked up (or if you've loaded a program that does not
13172 | support nocash burst boot), without having to reset the GBA manually by
13173 | switching it off and on (and without having to press Start+Select if a
13174 | cartridge is inserted).
13175 |
13176 | The two diodes should be 1N4148 or similar, the capacitor should be 300nF (eg.
13177 | three 100nF capacitors in parallel). The signals are labeled on the mainboard,
13178 | and can be found under the following names / CPU pin numbers: RESET/CPU.125,
13179 | SELECT/TP2/CPU.126, START/TP3/CPU.127.
13180 |
13181 | ### Optional Power Supply Connection
13182 |
13183 | Also, you may want to connect the power supply to parallel port data lines, see
13184 | chapter Power Supply for details.
13185 |
13186 | ### Transmission Speed
13187 |
13188 | The first transfer will be very slow, and the GBA BIOS will display the boot
13189 | logo for at least 4 seconds, even if the transfer has completed in less time.
13190 | Once you have uploaded a program with burst boot backdoor, further
13191 | transfers will be much faster. The table below shows transfer times for files
13192 | of 0KByte to 256KByte:
13193 |
13194 | ```
13195 | Boot Mode_____Delay 0_______Delay 1_______Delay 2_____
13196 | Double Burst 0.1s - 1.8s 0.1s - 3.7s 0.1s - 5.3s
13197 | Single Burst 0.1s - 3.6s 0.1s - 7.1s 0.1s - 10.6s
13198 | Normal Bios 4.0s - 9.0s 4.0s - 12.7s 4.0s - 16.3s
13199 | ```
13200 |
13201 | All timings measured on a 66MHz computer, best possible transmission speed
13202 | should be 150KBytes/second. Timings might slightly vary depending on the CPU
13203 | speed and/or operating system. Synchronization is done by I/O waitstates, that
13204 | should work even on faster computers. Non-zero delays might be required
13205 | for cables without pull-ups.
13206 |
13207 | ### Requirements
13208 |
13209 | Besides the cable and plugs, no special requirements.
13210 |
13211 | The cable should work with all parallel ports, including old-fashioned
13212 | one-directional printer ports, as well as modern bi-directional EPP ports.
13213 | Transfer timings should work stable regardless of the PC's CPU speed (see above
13214 | though), and regardless of multitasking interruptions.
13215 |
13216 | Both no$gba and the actual transmission procedure are using some 32bit code, so
13217 | that either one currently requires 80386SX CPUs or above.
13218 |
13219 | ### Connection Examples
13220 |
13221 | As far as I can imagine, there are four possible ways to connect the
13222 | cable to the GBA. The first two methods don't require opening the GBA, and the
13223 | other methods also allow to connect optional power supply and reset signal.
13224 |
13225 | ```
13226 | 1) Connect it to the GBA link port. Advantage: No need to
13227 | open/modify the GBA. Disadvantage: You need a special plug,
13228 | (typically gained by removing it from a gameboy link cable).
13229 | 2) Solder the cable directly to the GBA link port pins. Advantages:
13230 | No plug required & no need to open the GBA. Disadvantages:
13231 | You can't remove the cable, and the link port becomes unusable.
13232 | 3) Solder the cable directly to the GBA mainboard. Advantage: No
13233 | plug required at the GBA side. Disadvantage: You'll always
13234 | have a cable leaping out of the GBA even when not using it,
13235 | unless you put a small standard plug between GBA and cable.
13236 | 4) Install a Centronics socket in the GBA (between power switch
13237 | and headphone socket). Advantage: You can use a standard
13238 | printer cable. Disadvantages: You need to cut a big hole into
13239 | the GBA's battery box (which cannot be used anymore), the big
13240 | cable might be a bit uncomfortable when holding the GBA.
13241 | ```
13242 |
13243 | Personally, I've decided to use the last method as I don't like ending up
13244 | with hundreds of special cables for different purposes, and besides, it's been
13245 | fun to damage the GBA as much as possible.
13246 |
13247 | ### Note
13248 |
13249 | The above used PC parallel port signals are typically using 5V=HIGH while GBA
13250 | link ports deal with 3V=HIGH. In my experience, the different voltages do
13251 | not cause communication problems (and do not damage the GBA and/or PC
13252 | hardware), and after all real men don't care about a handful of volts, however,
13253 | use at your own risk.
13254 |
13255 | ## AUX Xboo Flashcard Upload
13256 |
13257 | ### Flashcard Upload
13258 |
13259 | Allows writing data to flashcards which are plugged into the GBA cartridge slot;
13260 | the cartridge is automatically started after writing. On initial power-up, hold
13261 | down START+SELECT to prevent the GBA from booting the old program in the
13262 | flashcard.
13263 |
13264 | The Upload function in the Utility menu uses flashcard mode for files bigger than
13265 | 256KB (otherwise uses multiboot mode automatically). Also, there's a separate
13266 | Upload to Flashcard function in the Remote Access submenu, which allows writing
13267 | files of 256KB or less to flashcard if that should be desired.
13268 |
13269 | ### Supported Flashcards
13270 |
13271 | Function currently tested with Visoly Flash Advance (FA) 256Mbit (32MB) Turbo
13272 | cartridge. Should also work with older FA versions. Please let me know if you
13273 | are using other flashcards which aren't yet supported.
13274 |
13275 | ### Flashcard Performance
13276 |
13277 | Writing to flashcards may become potentially slow because of chip erase/write
13278 | times, cable transmission time, and the sheer size of larger ROM-images.
13279 | However, developers who are testing different builds of their project usually
13280 | won't need to rewrite the complete flashcard: Xboo uses a highspeed checksum
13281 | mechanism (16MB/sec) to determine which flashcard sector(s) have changed, and
13282 | then re-writes only these sector(s).
13283 |
13284 | To eliminate transmission time, data transfer takes place in the erase phases.
13285 | Erase/write time depends on the flashcard type, should be circa 1-2 seconds per
13286 | 256KB sector. Because the cartridge is programmed directly in the GBA there's
13287 | no need to remove it from the GBA when writing to it.
13288 |
13289 | ### Developers Advice
13290 |
13291 | Locate your program fragments at fixed addresses, for example, code and data
13292 | blocks each aligned to 64K memory boundaries, so that data remains at the same
13293 | location even when the size of code changes. Fill any blank spaces with value FFh
13294 | for faster write time. Reduce the size of your ROM-image by efficient memory use
13295 | (except for the above alignment trick). Include the burst boot backdoor in your
13296 | program, so the flashcard can be re-written directly without resetting the GBA.
13297 |
13298 | ### Lamers Advice
13299 |
13300 | Xboo Flashcard support does not mean to get lame & to drop normal multiboot
13301 | support. If your program fits into 256KB then make it both flashcard and
13302 | multiboot compatible - multiboot reduces upload time, increases your
13303 | flashcard lifetime, and will also work for people who don't own
13304 | flashcards.
13305 |
13306 | ## AUX Xboo Burst Boot Backdoor
13307 |
13308 | When writing Xboo compatible programs, always include a burst boot "backdoor".
13309 | This will allow you (and other people) to upload programs much faster than
13310 | when using the normal GBA BIOS multiboot function. Aside from the improved
13311 | transmission speed, there's no need to reset the GBA each time (possibly by
13312 | hand, if you do not have reset connected) or to press Start+Select
13313 | (if a cartridge is inserted), and, most importantly, the time-consuming
13314 | Nintendo-logo intro is bypassed.
13315 |
13316 | ### The Burst Boot Protocol
13317 |
13318 | In your program's IRQ handler, add some code that watches for burst boot IRQ
13319 | requests. When sensing a burst boot request, download the actual boot
13320 | procedure, and pass control to that procedure.
13321 |
13322 | ```
13323 | Send (PC) Reply (GBA)
13324 | "BRST" "BOOT" ;request burst, and reply for boot
13325 | ;long delay, allow slave to enter IRQ handler
13326 | llllllll "OKAY" ;send length in bytes, reply to boot
13327 | dddddddd -------- ;send data in 32bit units, reply don't care
13328 | cccccccc cccccccc ;exchange crc (all data units added together)
13329 | ```
13330 |
13331 | Use normal mode, 32bit, external clock for all transfers. The received
13332 | highspeed loader (currently approx. 180h bytes) is to be loaded to and started
13333 | at 3000000h, which will then handle the actual download operation.
13334 |
13335 | Below is an example program which works with multiboot, burstboot, and as
13336 | normal rom/flashcard. The source can be assembled with a22i (the no$gba
13337 | built-in assembler, see no$gba utility menu). When using other/mainstream
13338 | assemblers, you may have to change some directives, convert numbers
13339 | from NNNh into 0xNNN format, and define the origin somewhere in linker/makefile
13340 | instead of in source code.
13341 |
13342 | ```
13343 | .arm ;select 32bit ARM instruction set
13344 | .gba ;indicate that it's a gameboy advance program
13345 | .fix ;automatically fix the cartridge header checksum
13346 | org 2000000h ;origin in RAM for multiboot-cable/no$gba-cutdown programs
13347 | ;------------------
13348 | ;cartridge header/multiboot header
13349 | b rom_start ;-rom entry point
13350 | dcb ...insert logo here... ;-nintendo logo (156 bytes)
13351 | dcb 'XBOO SAMPLE ' ;-title (12 bytes)
13352 | dcb 0,0,0,0, 0,0 ;-game code (4 bytes), maker code (2 bytes)
13353 | dcb 96h,0,0 ;-fixed value 96h, main unit code, device type
13354 | dcb 0,0,0,0,0,0,0 ;-reserved (7 bytes)
13355 | dcb 0 ;-software version number
13356 | dcb 0 ;-header checksum (set by .fix)
13357 | dcb 0,0 ;-reserved (2 bytes)
13358 | b ram_start ;-multiboot ram entry point
13359 | dcb 0,0 ;-multiboot reserved bytes (destroyed by BIOS)
13360 | dcb 0,0 ;-blank padded (32bit alignment)
13361 | ;------------------
13362 | irq_handler: ;interrupt handler (note: r0-r3 are pushed by BIOS)
13363 | mov r1,4000000h ;\get I/O base address,
13364 | ldr r0,[r1,200h] ;IE/IF ; read IE and IF,
13365 | and r0,r0,r0,lsr 16 ; isolate occurred AND enabled irqs,
13366 | add r3,r1,200h ;IF ; and acknowledge these in IF
13367 | strh r0,[r3,2] ;/
13368 | ldrh r3,[r1,-8] ;\mix up with BIOS irq flags at 3007FF8h,
13369 | orr r3,r3,r0 ; aka mirrored at 3FFFFF8h, this is required
13370 | strh r3,[r1,-8] ;/when using the (VBlank-)IntrWait functions
13371 | and r3,r0,80h ;IE/IF.7 SIO ;\
13372 | cmp r3,80h ; check if it's a burst boot interrupt
13373 | ldreq r2,[r1,120h] ;SIODATA32 ; (if interrupt caused by serial transfer,
13374 | ldreq r3,[msg_brst] ; and if received data is "BRST",
13375 | cmpeq r2,r3 ; then jump to burst boot)
13376 | beq burst_boot ;/
13377 | ;... insert your own interrupt handler code here ...
13378 | bx lr ;-return to the BIOS interrupt handler
13379 | ;------------------
13380 | burst_boot: ;requires incoming r1=4000000h
13381 | ;... if your program uses DMA, disable any active DMA transfers here ...
13382 | ldr r4,[msg_okay] ;\
13383 | bl sio_transfer ; receive transfer length/bytes & reply "OKAY"
13384 | mov r2,r0 ;len ;/
13385 | mov r3,3000000h ;dst ;\
13386 | mov r4,0 ;crc ;
13387 | @@lop: ;
13388 | bl sio_transfer ; download burst loader to 3000000h and up
13389 | stmia [r3]!,r0 ;dst ;
13390 | add r4,r4,r0 ;crc ;
13391 | subs r2,r2,4 ;len ;
13392 | bhi @@lop ;/
13393 | bl sio_transfer ;-send crc value to master
13394 | b 3000000h ;ARM state! ;-launch actual transfer / start the loader
13395 | ;------------------
13396 | sio_transfer: ;serial transfer subroutine, 32bit normal mode, external clock
13397 | str r4,[r1,120h] ;siodata32 ;-set reply/send data
13398 | ldr r0,[r1,128h] ;siocnt ;\
13399 | orr r0,r0,80h ; activate slave transfer
13400 | str r0,[r1,128h] ;siocnt ;/
13401 | @@wait: ;\
13402 | ldr r0,[r1,128h] ;siocnt ; wait until transfer completed
13403 | tst r0,80h ;
13404 | bne @@wait ;/
13405 | ldr r0,[r1,120h] ;siodata32 ;-get received data
13406 | bx lr
13407 | ;---
13408 | msg_boot dcb 'BOOT' ;\
13409 | msg_okay dcb "OKAY" ; ID codes for the burstboot protocol
13410 | msg_brst dcb "BRST" ;/
13411 | ;------------------
13412 | download_rom_to_ram:
13413 | mov r0,8000000h ;src/rom ;\
13414 | mov r1,2000000h ;dst/ram ;
13415 | mov r2,40000h/16 ;length ; transfer the ROM content
13416 | @@lop: ; into RAM (done in units of 4 words/16 bytes)
13417 | ldmia [r0]!,r4,r5,r6,r7 ; currently fills whole 256K of RAM,
13418 | stmia [r1]!,r4,r5,r6,r7 ; even though the proggy is smaller
13419 | subs r2,r2,1 ;
13420 | bne @@lop ;/
13421 | sub r15,lr,8000000h-2000000h ;-return (retadr rom/8000XXXh -> ram/2000XXXh)
13422 | ;------------------
13423 | init_interrupts:
13424 | mov r4,4000000h ;-base address for below I/O registers
13425 | ldr r0,=irq_handler ;\install IRQ handler address
13426 | str r0,[r4,-4] ;IRQ HANDLER ;/at 3FFFFFC aka 3007FFC
13427 | mov r0,0008h ;\enable generating vblank irqs
13428 | strh r0,[r4,4h] ;DISPSTAT ;/
13429 | mrs r0,cpsr ;\
13430 | bic r0,r0,80h ; cpu interrupt enable (clear i-flag)
13431 | msr cpsr,r0 ;/
13432 | mov r0,0 ;\
13433 | str r0,[r4,134h] ;RCNT ; init SIO normal mode, external clock,
13434 | ldr r0,=5080h ; 32bit, IRQ enable, transfer started
13435 | str r0,[r4,128h] ;SIOCNT ; output "BOOT" (indicate burst boot prepared)
13436 | ldr r0,[msg_boot] ;
13437 | str r0,[r4,120h] ;SIODATA32 ;/
13438 | mov r0,1 ;\interrupt master enable
13439 | str r0,[r4,208h] ;IME=1 ;/
13440 | mov r0,81h ;\enable execution of vblank IRQs,
13441 | str r0,[r4,200h] ;IE=81h ;/and of SIO IRQs (burst boot)
13442 | bx lr
13443 | ;------------------
13444 | rom_start: ;entry point when booted from flashcart/rom
13445 | bl download_rom_to_ram ;-download ROM to RAM (returns to ram_start)
13446 | ram_start: ;entry point for multiboot/burstboot
13447 | mov r0,0feh ;\reset all registers, and clear all memory
13448 | swi 10000h ;RegisterRamReset ;/(except program code in wram at 2000000h)
13449 | bl init_interrupts ;-install burst boot irq handler
13450 | mov r4,4000000h ;\enable video,
13451 | strh r4,[r4,000h] ;DISPCNT ;/by clearing the forced blank bit
13452 | @@mainloop:
13453 | swi 50000h ;VBlankIntrWait ;-wait one frame (cpu in low power mode)
13454 | mov r5,5000000h ;\increment the backdrop palette color
13455 | str r8,[r5] ; (ie. display a blinking screen)
13456 | add r8,r8,1 ;/
13457 | b @@mainloop
13458 | ;------------------
13459 | .pool
13460 | end
13461 | ```
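
The exchange from the protocol table above, modeled from both ends as an added C example (not part of GBATEK or the Xboo sources). `struct slave`, `sio_exchange`, `burst_upload` and the `MAX_LOADER_BYTES` cap are assumptions of this example; the handler listed above has no length check and branches to 3000000h without comparing the received crc, so the only integrity check is the PC comparing the GBA's sum with its own.

```c
#include <stdint.h>

/* 4-character IDs as the little-endian words that ldr reads from dcb data. */
#define ID4(a,b,c,d) ((uint32_t)(a) | (uint32_t)(b) << 8 | \
                      (uint32_t)(c) << 16 | (uint32_t)(d) << 24)
#define MSG_BRST ID4('B','R','S','T')
#define MSG_BOOT ID4('B','O','O','T')
#define MSG_OKAY ID4('O','K','A','Y')
#define MAX_LOADER_BYTES 0x1000u   /* assumed cap, not a value from the page */

enum state { IDLE, WAIT_LEN, DATA, SEND_CRC, LOADED };

struct slave {                     /* model of the GBA side */
    enum state st;
    uint32_t siodata;              /* word preloaded in SIODATA32 = next reply */
    uint32_t remaining, crc, count;
    uint32_t dst[MAX_LOADER_BYTES / 4];  /* stands in for 3000000h and up */
};

void slave_init(struct slave *s) { /* init_interrupts outputs "BOOT" */
    s->st = IDLE; s->siodata = MSG_BOOT; s->remaining = s->crc = s->count = 0;
}

/* One 32bit normal-mode transfer: both words move at once, so the reply is
   whatever the slave loaded before it saw `in`. */
uint32_t sio_exchange(struct slave *s, uint32_t in) {
    uint32_t out = s->siodata;
    switch (s->st) {
    case IDLE:
        if (in == MSG_BRST) { s->st = WAIT_LEN; s->siodata = MSG_OKAY; }
        break;
    case WAIT_LEN:
        /* added check: refuse a length that would not fit the buffer */
        if (in > MAX_LOADER_BYTES) { s->st = IDLE; s->siodata = MSG_BOOT; break; }
        s->remaining = in; s->crc = 0; s->count = 0;
        s->st = DATA; s->siodata = 0;  /* data replies carry the running crc */
        break;
    case DATA:
        s->dst[s->count++] = in;
        s->crc += in;                  /* crc = all data units added together */
        if (s->remaining > 4) s->remaining -= 4;  /* subs r2,r2,4 / bhi */
        else s->st = SEND_CRC;
        s->siodata = s->crc;
        break;
    case SEND_CRC: s->st = LOADED; break;  /* handler would now start the loader */
    default: break;
    }
    return out;
}

/* PC side. Returns 1 only if every reply matched and the GBA's crc equals ours. */
int burst_upload(struct slave *s, const uint32_t *words, uint32_t len_bytes) {
    uint32_t crc = 0, n = (len_bytes + 3) / 4;
    if (len_bytes == 0) return 0;      /* the handler always takes one word */
    if (sio_exchange(s, MSG_BRST) != MSG_BOOT) return 0;
    if (sio_exchange(s, len_bytes) != MSG_OKAY) return 0;
    for (uint32_t i = 0; i < n; i++) {
        sio_exchange(s, words[i]);     /* reply: don't care */
        crc += words[i];
    }
    return sio_exchange(s, crc) == crc;
}

int main(void) {
    static struct slave gba;
    const uint32_t image[3] = { 0x11111111u, 0x22222222u, 0xF0000000u }; /* constructed */
    slave_init(&gba);
    return burst_upload(&gba, image, sizeof image) ? 0 : 1;
}
```

Because each reply is loaded before the incoming word is seen, "OKAY" is already on the wire when the length arrives; a refused length therefore only shows up to the PC as a crc mismatch at the end.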
13462 |
13463 | ## About this Document
13464 |
13465 | ### About
13466 |
13467 | GBATEK written 2001-2014 by Martin Korth, programming specs for the GBA and NDS
13468 | hardware. I've been trying to keep the specs both as short as possible, and as
13469 | complete as possible. The document is part of the no$gba debugger's built-in
13470 | help text.
13471 |
13472 | ### Updates
13473 |
13474 | The standalone docs in TXT and HTM format are updated whenever major changes
13475 | have been added to the document. The no$gba built-in version will be updated more
13476 | regularly, including for minor changes, along with all no$gba updates.
13477 |
13478 | ### Homepage
13479 |
13480 | http://problemkaputt.de/gba.htm - no$gba emulator homepage (freeware)
13481 |
13482 | http://problemkaputt.de/gba-dev.htm - no$gba debugger homepage
13483 |
13484 | http://problemkaputt.de/gbapics.htm - no$gba debugger screenshots
13485 |
13486 | http://problemkaputt.de/gbatek.htm - gbatek html version
13487 |
13488 | http://problemkaputt.de/gbatek.txt - gbatek text version
13489 |
13490 | ### Feedback
13491 |
13492 | If you find any information in this document to be misleading, incomplete, or
13493 | incorrect, please say something! My spam-shielded email address is found at:
13494 |
13495 | http://problemkaputt.de/email.htm - contact
13496 |
13497 | Mail from programmers only, please. No gaming questions, thanks.
13498 |
13499 | ### Credits
13500 |
13501 | Thanks for GBATEK fixes, and for info about GBA and NDS hardware,
13502 |
13503 | - Jasper Vijn
13504 |
13505 | - Remi Veilleux (DS video details)
13506 |
13507 | - Randy Linden
13508 |
13509 | - Sebastian Rasmussen
13510 |
13511 | - Stephen Stair (DS Wifi)
13512 |
13513 | - Cue (DS Firmware bits and bytes)
13514 |
13515 | - Tim Seidel (DS Wifi RF2958 datasheet)
13516 |
13517 | - Damien Good (DS Bios Dumping, and lots of e-Reader info)
13518 |
13519 | - Kenobi and Dualscreenman (lots of ARDS/CBDS cheat info)
13520 |
13521 | - Flubba (GBA X/Y-Axis tilt sensor, and GBA Gameboy Player info)
13522 |
13523 | - DarkFader (DS Key2)
13524 |
13525 | - Dstek by neimod (DS Sound)
13526 |
13527 | - Christian Auby
13528 |
13529 | - Jeff Frohwein
13530 |
13531 | - NDSTech Wiki, http://www.bottledlight.com/ds/ (lots of DS info)
13532 |
13533 | ### Formatting
13534 |
13535 | TXT is 80 columns, TXT is 80 columns, TXT is 80 columns.
13536 |
13537 | Don't trust anything else. Never.
13538 |
13539 | ## Index
13540 |
13541 | - [Contents](#contents)
13542 | - [GBA Reference](#gbareference)
13543 | - [GBA Technical Data](#gbatechnicaldata)
13544 | - [GBA Memory Map](#gbamemorymap)
13545 | - [GBA I/O Map](#gbaiomap)
13546 | - [GBA LCD Video Controller](#gbalcdvideocontroller)
13547 | - [LCD I/O Display Control](#lcdiodisplaycontrol)
13548 | - [LCD I/O Interrupts and Status](#lcdiointerruptsandstatus)
13549 | - [LCD I/O BG Control](#lcdiobgcontrol)
13550 | - [LCD I/O BG Scrolling](#lcdiobgscrolling)
13551 | - [LCD I/O BG Rotation/Scaling](#lcdiobgrotationscaling)
13552 | - [LCD I/O Window Feature](#lcdiowindowfeature)
13553 | - [LCD I/O Mosaic Function](#lcdiomosaicfunction)
13554 | - [LCD I/O Color Special Effects](#lcdiocolorspecialeffects)
13555 | - [LCD VRAM Overview](#lcdvramoverview)
13556 | - [LCD VRAM Character Data](#lcdvramcharacterdata)
13557 | - [LCD VRAM BG Screen Data Format (BG Map)](#lcdvrambgscreendataformatbgmap)
13558 | - [LCD VRAM Bitmap BG Modes](#lcdvrambitmapbgmodes)
13559 | - [LCD OBJ - Overview](#lcdobjoverview)
13560 | - [LCD OBJ - OAM Attributes](#lcdobjoamattributes)
13561 | - [LCD OBJ - OAM Rotation/Scaling Parameters](#lcdobjoamrotationscalingparameters)
13562 | - [LCD OBJ - VRAM Character (Tile) Mapping](#lcdobjvramcharactertilemapping)
13563 | - [LCD Color Palettes](#lcdcolorpalettes)
13564 | - [LCD Dimensions and Timings](#lcddimensionsandtimings)
13565 | - [GBA Sound Controller](#gbasoundcontroller)
13566 | - [GBA Sound Channel 1 - Tone & Sweep](#gbasoundchannel1tonesweep)
13567 | - [GBA Sound Channel 2 - Tone](#gbasoundchannel2tone)
13568 | - [GBA Sound Channel 3 - Wave Output](#gbasoundchannel3waveoutput)
13569 | - [GBA Sound Channel 4 - Noise](#gbasoundchannel4noise)
13570 | - [GBA Sound Channel A and B - DMA Sound](#gbasoundchannelaandbdmasound)
13571 | - [GBA Sound Control Registers](#gbasoundcontrolregisters)
13572 | - [GBA Comparison of CGB and GBA Sound](#gbacomparisonofcgbandgbasound)
13573 | - [GBA Timers](#gbatimers)
13574 | - [GBA DMA Transfers](#gbadmatransfers)
13575 | - [GBA Communication Ports](#gbacommunicationports)
13576 | - [SIO Normal Mode](#sionormalmode)
13577 | - [SIO Multi-Player Mode](#siomultiplayermode)
13578 | - [SIO UART Mode](#siouartmode)
13579 | - [SIO JOY BUS Mode](#siojoybusmode)
13580 | - [SIO General-Purpose Mode](#siogeneralpurposemode)
13581 | - [SIO Control Registers Summary](#siocontrolregisterssummary)
13582 | - [GBA Wireless Adapter](#gbawirelessadapter)
13583 | - [GBA Wireless Adapter Games](#gbawirelessadaptergames)
13584 | - [GBA Wireless Adapter Login](#gbawirelessadapterlogin)
13585 | - [GBA Wireless Adapter Commands](#gbawirelessadaptercommands)
13586 | - [GBA Wireless Adapter Component Lists](#gbawirelessadaptercomponentlists)
13587 | - [GBA Infrared Communication](#gbainfraredcommunication)
13588 | - [GBA Keypad Input](#gbakeypadinput)
13589 | - [GBA Interrupt Control](#gbainterruptcontrol)
13590 | - [GBA System Control](#gbasystemcontrol)
13591 | - [GBA GamePak Prefetch](#gbagamepakprefetch)
13592 | - [GBA Cartridges](#gbacartridges)
13593 | - [GBA Cartridge Header](#gbacartridgeheader)
13594 | - [GBA Cartridge ROM](#gbacartridgerom)
13595 | - [GBA Cart Backup IDs](#gbacartbackupids)
13596 | - [GBA Cart Backup SRAM/FRAM](#gbacartbackupsramfram)
13597 | - [GBA Cart Backup EEPROM](#gbacartbackupeeprom)
13598 | - [GBA Cart Backup Flash ROM](#gbacartbackupflashrom)
13599 | - [GBA Cart Backup DACS](#gbacartbackupdacs)
13600 | - [GBA Cart I/O Port (GPIO)](#gbacartioportgpio)
13601 | - [GBA Cart Real-Time Clock (RTC)](#gbacartrealtimeclockrtc)
13602 | - [GBA Cart Solar Sensor](#gbacartsolarsensor)
13603 | - [GBA Cart Tilt Sensor](#gbacarttiltsensor)
13604 | - [GBA Cart Gyro Sensor](#gbacartgyrosensor)
13605 | - [GBA Cart Rumble](#gbacartrumble)
13606 | - [GBA Cart e-Reader](#gbacartereader)
13607 | - [GBA Cart e-Reader Overview](#gbacartereaderoverview)
13608 | - [GBA Cart e-Reader I/O Ports](#gbacartereaderioports)
13609 | - [GBA Cart e-Reader Dotcode Format](#gbacartereaderdotcodeformat)
13610 | - [GBA Cart e-Reader Data Format](#gbacartereaderdataformat)
13611 | - [GBA Cart e-Reader Program Code](#gbacartereaderprogramcode)
13612 | - [GBA Cart e-Reader API Functions](#gbacartereaderapifunctions)
13613 | - [GBA Cart e-Reader VPK Decompression](#gbacartereadervpkdecompression)
13614 | - [GBA Cart e-Reader Error Correction](#gbacartereadererrorcorrection)
13615 | - [GBA Cart e-Reader File Formats](#gbacartereaderfileformats)
13616 | - [GBA Cart Unknown Devices](#gbacartunknowndevices)
13617 | - [GBA Cart Protections](#gbacartprotections)
13618 | - [GBA Flashcards](#gbaflashcards)
13619 | - [GBA Cheat Devices](#gbacheatdevices)
13620 | - [GBA Cheat Codes - General Info](#gbacheatcodesgeneralinfo)
13621 | - [GBA Cheat Codes - Codebreaker/Xploder](#gbacheatcodescodebreakerxploder)
13622 | - [GBA Cheat Codes - Gameshark/Action Replay V1/V2](#gbacheatcodesgamesharkactionreplayv1v2)
13623 | - [GBA Cheat Codes - Pro Action Replay V3](#gbacheatcodesproactionreplayv3)
13624 | - [GBA Gameboy Player](#gbagameboyplayer)
13625 | - [GBA Unpredictable Things](#gbaunpredictablethings)
13626 | - [LZ Decompression Functions](#lzdecompressionfunctions)
13627 | - [ARM CPU Reference](#armcpureference)
13628 | - [ARM CPU Overview](#armcpuoverview)
13629 | - [ARM CPU Register Set](#armcpuregisterset)
13630 | - [ARM CPU Flags & Condition Field (cond)](#armcpuflagsconditionfieldcond)
13631 | - [ARM CPU 26bit Memory Interface](#armcpu26bitmemoryinterface)
13632 | - [ARM CPU Exceptions](#armcpuexceptions)
13633 | - [ARM CPU Memory Alignments](#armcpumemoryalignments)
13634 | - [ARM Instruction Summary](#arminstructionsummary)
13635 | - [ARM Opcodes: Branch and Branch with Link (B, BL, BX, BLX, SWI, BKPT)](#armopcodesbranchandbranchwithlinkbblbxblxswibkpt)
13636 | - [ARM Opcodes: Data Processing (ALU)](#armopcodesdataprocessingalu)
13637 | - [ARM Opcodes: Multiply and Multiply-Accumulate (MUL, MLA)](#armopcodesmultiplyandmultiplyaccumulatemulmla)
13638 | - [ARM Opcodes: Special ARM9 Instructions (CLZ, QADD/QSUB)](#armopcodesspecialarm9instructionsclzqaddqsub)
13639 | - [ARM Opcodes: PSR Transfer (MRS, MSR)](#armopcodespsrtransfermrsmsr)
13640 | - [ARM Opcodes: Memory: Single Data Transfer (LDR, STR, PLD)](#armopcodesmemorysingledatatransferldrstrpld)
13641 | - [ARM Opcodes: Memory: Halfword, Doubleword, and Signed Data Transfer](#armopcodesmemoryhalfworddoublewordandsigneddatatransfer)
13642 | - [ARM Opcodes: Memory: Block Data Transfer (LDM, STM)](#armopcodesmemoryblockdatatransferldmstm)
13643 | - [ARM Opcodes: Memory: Single Data Swap (SWP)](#armopcodesmemorysingledataswapswp)
13644 | - [ARM Opcodes: Coprocessor Instructions (MRC/MCR, LDC/STC, CDP, MCRR/MRRC)](#armopcodescoprocessorinstructionsmrcmcrldcstccdpmcrrmrrc)
13645 | - [THUMB Instruction Summary](#thumbinstructionsummary)
13646 | - [THUMB Opcodes: Register Operations (ALU, BX)](#thumbopcodesregisteroperationsalubx)
13647 | - [THUMB Opcodes: Memory Load/Store (LDR/STR)](#thumbopcodesmemoryloadstoreldrstr)
13648 | - [THUMB Opcodes: Memory Addressing (ADD PC/SP)](#thumbopcodesmemoryaddressingaddpcsp)
13649 | - [THUMB Opcodes: Memory Multiple Load/Store (PUSH/POP and LDM/STM)](#thumbopcodesmemorymultipleloadstorepushpopandldmstm)
13650 | - [THUMB Opcodes: Jumps and Calls](#thumbopcodesjumpsandcalls)
13651 | - [ARM Pseudo Instructions and Directives](#armpseudoinstructionsanddirectives)
13652 | - [ARM CPU Instruction Cycle Times](#armcpuinstructioncycletimes)
13653 | - [ARM CPU Versions](#armcpuversions)
13654 | - [ARM CPU Data Sheet](#armcpudatasheet)
13655 | - [BIOS Functions](#biosfunctions)
13656 | - [BIOS Function Summary](#biosfunctionsummary)
13657 | - [BIOS Differences between GBA and NDS functions](#biosdifferencesbetweengbaandndsfunctions)
13658 | - [BIOS Arithmetic Functions](#biosarithmeticfunctions)
13659 | - [BIOS Rotation/Scaling Functions](#biosrotationscalingfunctions)
13660 | - [BIOS Decompression Functions](#biosdecompressionfunctions)
13661 | - [BIOS Memory Copy](#biosmemorycopy)
13662 | - [BIOS Halt Functions](#bioshaltfunctions)
13663 | - [BIOS Reset Functions](#biosresetfunctions)
13664 | - [BIOS Misc Functions](#biosmiscfunctions)
13665 | - [BIOS Multi Boot (Single Game Pak)](#biosmultibootsinglegamepak)
13666 | - [BIOS Sound Functions](#biossoundfunctions)
13667 | - [BIOS SHA1 Functions (DSi only)](#biossha1functionsdsionly)
13668 | - [BIOS RSA Functions (DSi only)](#biosrsafunctionsdsionly)
13669 | - [BIOS RSA Basics](#biosrsabasics)
13670 | - [BIOS RSA Pseudo Code](#biosrsapseudocode)
13671 | - [BIOS RAM Usage](#biosramusage)
13672 | - [BIOS Dumping](#biosdumping)
13673 | - [External Connectors](#externalconnectors)
13674 | - [AUX GBA Game Pak Bus](#auxgbagamepakbus)
13675 | - [AUX DS Game Card Slot](#auxdsgamecardslot)
13676 | - [AUX Link Port](#auxlinkport)
13677 | - [AUX Sound/Headphone Socket and Battery/Power Supply](#auxsoundheadphonesocketandbatterypowersupply)
13678 | - [AUX Opening the GBA](#auxopeningthegba)
13679 | - [AUX Mainboard](#auxmainboard)
13680 | - [Pinouts - CPU - Signal Summary](#pinoutscpusignalsummary)
13681 | - [Pinouts - CPU - Pinouts](#pinoutscpupinouts)
13682 | - [Pinouts - Audio Amplifiers](#pinoutsaudioamplifiers)
13683 | - [Pinouts - LCD Cables](#pinoutslcdcables)
13684 | - [Pinouts - Power Switches, DC/DC Converters, Reset Generators](#pinoutspowerswitchesdcdcconvertersresetgenerators)
13685 | - [Pinouts - Wifi](#pinoutswifi)
13686 | - [Pinouts - Various](#pinoutsvarious)
13687 | - [AUX Xboo PC-to-GBA Multiboot Cable](#auxxboopctogbamultibootcable)
13688 | - [AUX Xboo Flashcard Upload](#auxxbooflashcardupload)
13689 | - [AUX Xboo Burst Boot Backdoor](#auxxbooburstbootbackdoor)
13690 |
--------------------------------------------------------------------------------