Hi all,
here's some technical datas for patching Biomotor unitron (based on the "Biomotor Unitron (UE) [!].ngc" dump, should be the same for others)
This one was a little harder to modify, compared to Cotton or Melon Chan as the block to clear wasn't directly addressed, but stored in the b register.
And as neopop debugger don't show lines before a break point, it was a not as easy to track.
Biomotor unitron :
this is the part of the code where the game handle the savegame.
DIS 20DBB4: LD B,0x11 "22 11" ==> by defalut, the game clear block 0x11. So I changed this value with 0x21 to relocate the save at the end of a 16mbit cartridge.
DIS 20DBB6: CALL 0x20776F "1D 6F 77 20" ==> call the block erase function
DIS 20DBBA: CP RA3,0 "C7 30 D8"
DIS 20DBBD: JR NZ,0x20DBB4 "6E F5"
DIS 20DBBF: LD BC,0x0008 "31 08 00"
DIS 20DBC2: LD XDE,0x000FA000 "42 00 A0 0F 00" ==> set the destination address, here 0x0FA000 (A0 0F 00) thet I relocated at 0x1FA000 (A0 1F 00)
DIS 20DBC7: LD XHL,0x00004000 "43 00 40 00 00"
DIS 20DBCC: CALL 0x207788 "1D 88 77 20" ==> write function
DIS 20DBD0: CP RA3,0 "C7 30 D8"
savegame functions :
--block erase :
DIS 20776F: CP (0x200020),0xFFFE "D2 20 00 20 3F FE FF" ==> always false ? address is part of the cartridge header
DIS 207776: SCC Z,RA3 "C7 30 76" ==> RA3 <= 0
DIS 207779: LD RB3,B "C7 35 9A" ==> RB3 <= 0x11 (0x21 after modification)
DIS 20777C: LD RW3,0x08 "C7 31 03 08"
DIS 207780: LD (0x6F),0x4E "08 6F 4E"
DIS 207783: SWI 1 "F9"
DIS 207784: LD (0x6F),0x4E "08 6F 4E"
DIS 207787: RET "0E"
--block write :
DIS 207788: CP (0x200020),0xFFFE "D2 20 00 20 3F FE FF"
DIS 20778F: SCC Z,RA3 "C7 30 76"
DIS 207792: LD RW3,6 "C7 31 AE"
DIS 207795: LD RBC3,BC "D7 34 99"
DIS 207798: LD XHL3,XHL "E7 3C 9B"
DIS 20779B: LD XDE3,XDE "E7 38 9A" ==> write destination : 0x0FA000 before, and 0x1FA000 after relocation.
DIS 20779E: LD (0x6F),0x4E "08 6F 4E"
DIS 2077A1: SWI 1 "F9"
DIS 2077A2: LD (0x6F),0x4E "08 6F 4E"
DIS 2077A5: RET "0E"
However, the pattern "22 11 1D 6F 77 20" (LD B,0x11 & CALL 0x20776F) can be found 4 times in the source code, near the same address area. Maybe there's something left to modify, but it will require some testing.
Load game part :
DIS 20DABD: ADD XHL,0x000FA000 "EB C8 00 A0 0F 00" ==> read data from cartridge at 0x0FA000, relocated at 0x1FA000 (EB C8 00 A0 1F 00)
DIS 20DAC3: PUSH XHL "3B"
DIS 20DAC4: CALL 0x2077BE "1D BE 77 20" ==> call the reading function. Not really usefull to be described here ^^
Here's a sample of the mess ngp.c driver that describe the block number, and size regarding the cartridge size :
I can try to provide more informations if wanted.
here's some technical datas for patching Biomotor unitron (based on the "Biomotor Unitron (UE) [!].ngc" dump, should be the same for others)
This one was a little harder to modify, compared to Cotton or Melon Chan as the block to clear wasn't directly addressed, but stored in the b register.
And as neopop debugger don't show lines before a break point, it was a not as easy to track.
Biomotor unitron :
this is the part of the code where the game handle the savegame.
DIS 20DBB4: LD B,0x11 "22 11" ==> by defalut, the game clear block 0x11. So I changed this value with 0x21 to relocate the save at the end of a 16mbit cartridge.
DIS 20DBB6: CALL 0x20776F "1D 6F 77 20" ==> call the block erase function
DIS 20DBBA: CP RA3,0 "C7 30 D8"
DIS 20DBBD: JR NZ,0x20DBB4 "6E F5"
DIS 20DBBF: LD BC,0x0008 "31 08 00"
DIS 20DBC2: LD XDE,0x000FA000 "42 00 A0 0F 00" ==> set the destination address, here 0x0FA000 (A0 0F 00) thet I relocated at 0x1FA000 (A0 1F 00)
DIS 20DBC7: LD XHL,0x00004000 "43 00 40 00 00"
DIS 20DBCC: CALL 0x207788 "1D 88 77 20" ==> write function
DIS 20DBD0: CP RA3,0 "C7 30 D8"
savegame functions :
--block erase :
DIS 20776F: CP (0x200020),0xFFFE "D2 20 00 20 3F FE FF" ==> always false ? address is part of the cartridge header
DIS 207776: SCC Z,RA3 "C7 30 76" ==> RA3 <= 0
DIS 207779: LD RB3,B "C7 35 9A" ==> RB3 <= 0x11 (0x21 after modification)
DIS 20777C: LD RW3,0x08 "C7 31 03 08"
DIS 207780: LD (0x6F),0x4E "08 6F 4E"
DIS 207783: SWI 1 "F9"
DIS 207784: LD (0x6F),0x4E "08 6F 4E"
DIS 207787: RET "0E"
--block write :
DIS 207788: CP (0x200020),0xFFFE "D2 20 00 20 3F FE FF"
DIS 20778F: SCC Z,RA3 "C7 30 76"
DIS 207792: LD RW3,6 "C7 31 AE"
DIS 207795: LD RBC3,BC "D7 34 99"
DIS 207798: LD XHL3,XHL "E7 3C 9B"
DIS 20779B: LD XDE3,XDE "E7 38 9A" ==> write destination : 0x0FA000 before, and 0x1FA000 after relocation.
DIS 20779E: LD (0x6F),0x4E "08 6F 4E"
DIS 2077A1: SWI 1 "F9"
DIS 2077A2: LD (0x6F),0x4E "08 6F 4E"
DIS 2077A5: RET "0E"
However, the pattern "22 11 1D 6F 77 20" (LD B,0x11 & CALL 0x20776F) can be found 4 times in the source code, near the same address area. Maybe there's something left to modify, but it will require some testing.
Load game part :
DIS 20DABD: ADD XHL,0x000FA000 "EB C8 00 A0 0F 00" ==> read data from cartridge at 0x0FA000, relocated at 0x1FA000 (EB C8 00 A0 1F 00)
DIS 20DAC3: PUSH XHL "3B"
DIS 20DAC4: CALL 0x2077BE "1D BE 77 20" ==> call the reading function. Not really usefull to be described here ^^
Here's a sample of the mess ngp.c driver that describe the block number, and size regarding the cartridge size :
Quote:source : http://git.redump.net/mess/tree/src/mess/drivers/ngp.c
The cartridges
==============
The cartridges used flash chips produced by Toshiba, Sharp or Samsung. These
are the only 3 manufacturers supported by the NeoGeo pocket bios. The device
IDs supported appear to be SNK exclusive. Most likely because of the factory
blocked game data areas on these chip.
These manufacturer IDs are supported: 0x98, 0xec, 0xb0
These device IDs are supported: 0xab, 0x2c, 0x2f
There is support for 3 different sizes of flash roms: 4Mbit, 8Mbit 16Mbit. The
32Mbit games appear to be 2 16Mbit flash chips in 2 different memory regions (?).
The flash chips have a couple of different sized blocks. When writing to a
cartridge the neogeo pocket bios will erase the proper block and write the data
to the block.
The relation between block number and flash chip is as follows:
## | 16Mbit (2f) | 8Mbit (2c) | 4Mbit (ab)
---+---------------+-------------+-------------
00 | 000000-00ffff | 00000-0ffff | 00000-0ffff
01 | 010000-01ffff | 10000-1ffff | 10000-1ffff
02 | 020000-02ffff | 20000-2ffff | 20000-2ffff
03 | 030000-03ffff | 30000-3ffff | 30000-3ffff
04 | 040000-01ffff | 40000-4ffff | 40000-4ffff
05 | 050000-01ffff | 50000-5ffff | 50000-5ffff
06 | 060000-01ffff | 60000-6ffff | 60000-6ffff
07 | 070000-01ffff | 70000-7ffff | 70000-77fff
08 | 080000-01ffff | 80000-8ffff | 78000-79fff
09 | 090000-01ffff | 90000-9ffff | 7a000-7bfff
10 | 0a0000-01ffff | a0000-affff | 7c000-7ffff
11 | 0b0000-01ffff | b0000-bffff |
12 | 0c0000-01ffff | c0000-cffff |
13 | 0d0000-01ffff | d0000-dffff |
14 | 0e0000-01ffff | e0000-effff |
15 | 0f0000-01ffff | f0000-f7fff |
16 | 100000-10ffff | f8000-f9fff |
17 | 110000-11ffff | fa000-fbfff |
18 | 120000-12ffff | fc000-fffff |
19 | 130000-13ffff | |
20 | 140000-14ffff | |
21 | 150000-15ffff | |
22 | 160000-16ffff | |
23 | 170000-17ffff | |
24 | 180000-18ffff | |
25 | 190000-19ffff | |
26 | 1a0000-1affff | |
27 | 1b0000-1bffff | |
28 | 1c0000-1cffff | |
29 | 1d0000-1dffff | |
30 | 1e0000-1effff | |
31 | 1f0000-1f7fff | |
32 | 1f8000-1f9fff | |
33 | 1fa000-1fbfff | |
34 | 1fc000-1fffff | |
The last block is always reserved for use by the system. The Neogeo Pocket Color
bios does some tests on this last block to see if the flash functionality is
working. It does this on every boot!
I can try to provide more informations if wanted.