Header of a ROM cartridge


By pp

Rookie (27)


06-12-2005, 07:53

Hi,

When disassembling a cartridge ROM, one sees a header consisting of 16 bytes. Does anyone know what bytes 0-1 mean? Bytes 2-3 are the execution start address, the rest (in my case) are all zeros.

What I also don't understand is why there's code below the start address.

In my case, the execution address is 406AH, but code starts at 4010H. How does the disassembler know to start there?

Regards,

pp


By pitpan

Prophet (3132)


06-12-2005, 09:43

bytes 0 and 1: ROM signature, should be 40h, 41h - in ASCII "AB"
bytes 2 and 3: word pointing to start address

About the start point, you can define it. It is typical to include an ASCII header with some information and then the code starts. Or it is possible to have some routines that are secondary before the starting point.

db "AB"
dw INIT
db "This is my game"
INIT:
; Code begins here

Please note that this is not standard: the first 16 bytes of any ROM should use the strict syntax: if you just use a machine code ROM, only the first 4 bytes will be used and the others, up to 16, should be 0. But no one cares Wink

By pp

Rookie (27)


06-12-2005, 10:13

bytes 0 and 1: ROM signature, should be 40h, 41h - in ASCII "AB"
bytes 2 and 3: word pointing to start address

About the start point, you can define it. It is typical to include an ASCII header with some information and then the code starts. Or it is possible to have some routines that are secondary before the starting point.

db "AB"
dw INIT
db "This is my game"
INIT:
; Code begins here

Please note that this is not standard: the first 16 bytes of any ROM should use the strict syntax: if you just use a machine code ROM, only the first 4 bytes will be used and the others, up to 16, should be 0. But no one cares Wink

Okay,

But how does the disassembler know about these routines before the start point? Apparently, the disassembler starts with inserting memory addresses before each instruction. How does it know where to start these memory addresses?

Regards,

pp

By pitpan

Prophet (3132)


06-12-2005, 10:35

I don't understand the question, pp. About what the disassembler does, just read the instructions. Are you sure that we are discussing a disassembler and not an assembler? In other words, what do you want to do exactly? Maybe we would be able to help you if you tell us what are you looking for.

By zeilemaker54

Champion (281)


06-12-2005, 11:28


Please note that this is not standard: the first 16 bytes of any ROM should use the strict syntax: if you just use a machine code ROM, only the first 4 bytes will be used and the others, up to 16, should be 0. But no one cares Wink

This is not the correct way!! You assume that the ROM takes control and never returns. But this is only the case with games and programs that do not interact with other system expansions. The right definition of the ROM header is:

DEFB "AB" ; expansion ROM header
DEFW initcode ; start of the init code, 0 if no initcode
DEFW callstat ; pointer to CALL statement handler, 0 if no such handler
DEFW device ; pointer to expansion device handler, 0 if no such handler
DEFW basic ; pointer to the start of a tokenized basicprogram, 0 if no basicprogram
DEFS 6,0 ; room reserved for future extensions
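As an added example (not code from this thread or from any of the tools mentioned), here is a small Python parser for the 16-byte header listed above. It assumes, as the listing pp posted suggests (first byte after the header shown at T4010h), that the cartridge page is mapped at 4000h, so the address column of a disassembler is simply 4000h plus the file offset; the sample image it builds is constructed, with only the init pointer set, like pp's ROM.

```python
import struct

ROM_BASE = 0x4000   # assumed: cartridge page mapped at 4000h (matches the T4010h listing)
HEADER_LEN = 16
POINTER_NAMES = ("init", "statement", "device", "text")

def offset_to_addr(offset: int, base: int = ROM_BASE) -> int:
    """Address a listing shows for a file offset: the byte right after the header is 4010h."""
    return base + offset

def addr_to_offset(addr: int, base: int = ROM_BASE) -> int:
    """Inverse mapping: where in the file a header pointer such as 406Ah lives."""
    return addr - base

def parse_msx_rom_header(rom: bytes, base: int = ROM_BASE) -> dict:
    """Validate and decode the 16-byte expansion ROM header ("AB", four words, six reserved bytes)."""
    if len(rom) < HEADER_LEN:
        raise ValueError("image shorter than the 16-byte header")
    if rom[:2] != b"AB":
        raise ValueError(f"bad signature {rom[:2]!r}, expected b'AB'")
    # Offsets 2..9: little-endian words init, statement, device, text (0 = handler absent).
    words = struct.unpack_from("<4H", rom, 2)
    hdr = dict(zip(POINTER_NAMES, words))
    hdr["reserved_zero"] = rom[10:HEADER_LEN] == bytes(6)
    # A nonzero pointer must land inside the mapped ROM and past the header;
    # anything else would send the BIOS (or a disassembler) into unrelated memory.
    rom_end = base + len(rom)
    for name in POINTER_NAMES:
        p = hdr[name]
        if p and not (base + HEADER_LEN <= p < rom_end):
            raise ValueError(f"{name} pointer {p:04X}h outside {base:04X}h-{rom_end - 1:04X}h")
    return hdr

def build_sample_rom(init: int = 0x406A, size: int = 0x80) -> bytes:
    """Constructed test image: header with only init set, filler data, then DI / IM 1 / DI at init."""
    header = b"AB" + struct.pack("<4H", init, 0, 0, 0) + bytes(6)
    body = bytearray(size - HEADER_LEN)
    off = addr_to_offset(init) - HEADER_LEN
    if 0 <= off <= len(body) - 4:
        body[off:off + 4] = bytes([0xF3, 0xED, 0x56, 0xF3])   # DI ; IM 1 ; DI
    return header + bytes(body)

if __name__ == "__main__":
    rom = build_sample_rom()
    print(parse_msx_rom_header(rom))
    print(f"init 406Ah is file offset {addr_to_offset(0x406A):#x}")
```

Bytes between 4010h and the init address are simply whatever the file holds there, so the disassembler lists them at their mapped address whether they are code or a data table.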

By pp

Rookie (27)


06-12-2005, 12:05

Okay, sorry everyone, if I'm a bit chaotic. What I'm doing is disassembling a cartridge ROM with msxdasmw. Here's how the first lines of code look:

;þ MSX DASM v0.9 for Win32 - CopyRight Fudeba Software, 2004

;File: p.rom
;DASM As: ROM Cartridge
;Init. Address: 406Ah
;Stat. Address: 0000h
;Device Address: 0000h
;Text Address: 0000h

;Addr Hexa ASCII Z80 Mnemonic Comments

T4010h 43...... C... LD B,E
T4011h 44...... D... LD B,H
T4012h 07...... .... RLCA
T4013h 43...... C... LD B,E
T4014h 60...... `... LD H,B
T4015h 00...... .... NOP
T4016h E0...... à... RET PO

T4017h 04...... .... INC B ;
T4018h 92...... ’... SUB D
T4019h E0...... à... RET PO

T401Ah 0D...... .... DEC C
T401Bh 90...... ?... SUB B
T401Ch E0...... à... RET PO

T401Dh 83...... ƒ... ADD A,E
T401Eh E0...... à... RET PO

T401Fh 86...... †... ADD A,(HL)
T4020h E0...... à... RET PO

T4021h F7...... ÷... RST 30h
T4022h 40...... @... LD B,B
T4023h CD3E01.. Í>.. CALL T013EH
T4026h F3...... ó... DI
T4027h 3E0E.... >... LD A,00Eh
T4029h 320080.. 2.€. LD (T8000H),A
T402Ch 3C...... <... INC A ;
T402Dh 3200A0.. 2. . LD (TA000H),A
T4030h CD8280.. Í‚€. CALL T8082H
T4033h F3...... ó... DI
T4034h 3AF2F0.. :òð. LD A,(TF0F2H)
T4037h 320080.. 2.€. LD (T8000H),A
T403Ah 3AF3F0.. :óð. LD A,(TF0F3H)
T403Dh 3200A0.. 2. . LD (TA000H),A
T4040h 2105E0.. !.à. LD HL,0E005h
T4043h CB46.... ËF.. BIT 0,(HL)
T4045h 200C.... .... JR NZ,00Ch ; Jump to 04053H
T4047h 34...... 4... INC (HL) ;
T4048h FB...... û... EI
T4049h CDBB44.. ͻD. CALL T44BBH
T404Ch CD0080.. Í.€. CALL T8000H
T404Fh AF...... ¯... XOR A ; Clear A and F
T4050h 3205E0.. 2.à. LD (TE005H),A
T4053h FB...... û... EI
T4054h C9...... É... RET

T4055h 87...... ‡... ADD A,A
T4056h 85...... …... ADD A,L
T4057h 6F...... o... LD L,A
T4058h D0...... Ð... RET NC

T4059h 24...... $... INC H ;
T405Ah C9...... É... RET

T405Bh 83...... ƒ... ADD A,E
T405Ch 5F...... _... LD E,A
T405Dh D0...... Ð... RET NC

T405Eh 14...... .... INC D ;
T405Fh C9...... É... RET

T4060h E1...... á... POP HL
T4061h 87...... ‡... ADD A,A
T4062h CD5640.. ÍV@. CALL T4056H
T4065h 5E...... ^... LD E,(HL)
T4066h 23...... #... INC HL ;
T4067h 56...... V... LD D,(HL)
T4068h EB...... ë... EX DE,HL
T4069h E9...... é... JP (HL)

T406Ah F3...... ó... DI
T406Bh ED56.... íV.. IM 1
T406Dh F3...... ó... DI

As you can see, the cartridge header says start at 406AH, but there's code in front of it. How does the disassembler compute the first column memory addresses? That's what I would like to know.

Hope you guys can help still.

pp

By pitpan

Prophet (3132)


06-12-2005, 13:15

The disassembler apparently disassembles all the positions that are located between 4010h and the end of the file. But if you check the first disassembled opcodes you will see that they do not make sense. They are probably data and not code.

But also the start address, 406Ah, does not make much sense: DI: IM 1: DI. The 4060 part is valid code though.

By pp

Rookie (27)


06-12-2005, 13:46

This is a valid ROM, the ROM software works! How can we explain this? Am I using the wrong disassembler?

pp

By pitpan

Prophet (3132)


06-12-2005, 14:18

Is it a game? Maybe it would be easier if I could have a look into it.

By zeilemaker54

Champion (281)


06-12-2005, 14:27

Looks like a Konami ROM to me.... They have a table at 04010H containing information about the game. This is used by the Konami Game Master (for cheating etc.).

By pitpan

Prophet (3132)


06-12-2005, 14:28


Please note that this is not standard: the first 16 bytes of any ROM should use the strict syntax: if you just use a machine code ROM, only the first 4 bytes will be used and the others, up to 16, should be 0. But no one cares Wink

This is not the correct way!! You assume that the ROM takes control and never returns. But this is only the case with games and programs that do not interact with other system expansions. The right definition of the ROM header is:

DEFB "AB" ; expansion ROM header
DEFW initcode ; start of the init code, 0 if no initcode
DEFW callstat ; pointer to CALL statement handler, 0 if no such handler
DEFW device ; pointer to expansion device handler, 0 if no such handler
DEFW basic ; pointer to the start of a tokenized basicprogram, 0 if no basicprogram
DEFS 6,0 ; room reserved for future extensions

Once again, I know all this. But we were talking of a ROM with only an executable machine code program, with only the first 4 bytes set up and the rest set to 0. Please read all the messages before Wink
