Whichboot.gb boot ROM detection, and a newly dumped clone boot ROM

Post by nitro2k01 »

Announcing two related things:

1) Whichboot.gb - a ROM that can identify which boot ROM ran before it started by looking at the initial CPU registers, and time since boot using the DIV register. The DIV register wraps around at a rate of 64 Hz, but this nevertheless gives a predictable "fingerprint" of how long the boot ROM took to run.

The main purpose of this ROM is to run it on Gameboy clones to detect whether a given unit has a boot ROM variation that's not yet dumped, without needing to modify the hardware. It also turned out to reveal a few interesting things about various older emulators. If you own a Gameboy clone, I would appreciate it if you could try running it on the clone, and report back what it reports, and some info about your particular clone.

https://github.com/nitro2k01/whichboot.gb/

2) A new Gameboy clone boot ROM was dumped, from the clone known as Maxstation. This clone is showing a modified boot graphic that says "Loading..." instead of the usual Nintendo. At first when I heard about this, I thought it was using the same trick as GB Boy, of using a stock Nintendo boot ROM and cloaking the graphics after it comes out of the PPU. Running whichboot.gb identified it as having a DMG boot ROM, which pointed in that direction too. But something wasn't right. The Maxstation crashed after the boot sequence when turning it on without a cartridge instead of locking up and revealing the black bar like it would on a GB Boy. So I asked bbbbbr (who owns the Maxstation in question) to dump it for me. After a little help, he had the 256 bytes that make up the boot ROM and these are the results:

The Maxstation clone does indeed use a modified boot ROM, based on the DMG ROM. The changes are as follows:
  • Instead of copying a Nintendo logo from the cartridge header, it copies a static image from the boot ROM itself, which is the "Loading..." graphic.
  • The tile for the ® symbol is replaced with null bytes.
  • The jr instructions that are supposed to make the boot ROM lock up if the logo and checksum are incorrect, respectively, are patched out with nops.
The removal of the checks explains the crash. The CPU gets stuck in an endless recursion of calling rst $38 (the instruction for $FF which is what the CPU reads on open bus). But because the boot ROM is a minimally modified DMG boot ROM, it takes the same execution path as the DMG boot ROM itself, which produces the same timings and initial CPU registers as it.

However, it leaves behind the "Loading..." graphic in VRAM, which led me to make a last minute addition of a VRAM check in whichboot.gb before the public release. This was a useful aspect of boot ROM detection that I had completely overlooked.

If you're interested, you can find the dumped boot ROM in my GB boot ROM archive, or in bbbbbr's repo about the Maxstation which also has some hardware pics and a disassembly of the boot ROM.

https://gbdev.gg8.se/files/roms/bootroms/

https://github.com/bbbbbr/gameboy_clone_maxstation
Attachments
maxstation-opt.gif
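The VRAM check described in the post, modelled in Python as an added example (this is not whichboot.gb's code and not part of the original post): it expands the 48-byte cartridge header logo the way a stock DMG boot ROM does and flags a unit whose VRAM holds something else, which is the case the register and DIV fingerprint cannot separate. The $8010 start address and the nibble-doubling layout are assumptions taken from public DMG boot ROM disassemblies; the function names and all sample bytes are constructed.

```python
LOGO_OFF = 0x10                 # boot ROM writes the logo from $8010 onward
LOGO_LEN = 48                   # cartridge header logo, $0104-$0133
R_OFF = LOGO_OFF + LOGO_LEN * 8 # $8190: tile holding the (R) symbol

def double_nibble(n: int) -> int:
    """Stretch 4 bits to 8 by duplicating every bit (horizontal 2x)."""
    out = 0
    for bit in range(4):
        if n & (1 << bit):
            out |= 0b11 << (bit * 2)
    return out

def expand_logo(logo: bytes) -> bytes:
    """VRAM bytes a stock DMG boot ROM produces from 48 logo bytes."""
    if len(logo) != LOGO_LEN:
        raise ValueError("logo must be 48 bytes")
    out = bytearray()
    for byte in logo:
        for nibble in (byte >> 4, byte & 0x0F):
            row = double_nibble(nibble)
            out += bytes([row, 0, row, 0])  # two rows, low bitplane only
    return bytes(out)

def classify(vram: bytes, cart_logo: bytes) -> str:
    """Refine a 'DMG' register/DIV match using what was left in VRAM."""
    logo_area = vram[LOGO_OFF:R_OFF]
    r_tile = vram[R_OFF:R_OFF + 16]
    if logo_area == expand_logo(cart_logo) and any(r_tile):
        return "stock-like"     # logo came from the cartridge header
    if not any(logo_area):
        return "no-logo"        # nothing drawn where the logo belongs
    return "modified"           # graphic did not come from the cartridge

def simulate_boot(graphic: bytes, r_rows: bytes) -> bytes:
    """Constructed image of the first 0x200 VRAM bytes after boot."""
    vram = bytearray(0x200)
    vram[LOGO_OFF:R_OFF] = expand_logo(graphic)
    for i, row in enumerate(r_rows):        # 8 rows, low bitplane only
        vram[R_OFF + 2 * i] = row
    return bytes(vram)

# Constructed sample data, not real logo or boot ROM bytes.
CART_LOGO = bytes((i * 7 + 3) & 0xFF for i in range(48))
CLONE_GRAPHIC = bytes((i * 13 + 1) & 0xFF for i in range(48))
STOCK_VRAM = simulate_boot(CART_LOGO, bytes([0x3C] * 8))
CLONE_VRAM = simulate_boot(CLONE_GRAPHIC, bytes(8))  # blank (R) tile

if __name__ == "__main__":
    print(classify(STOCK_VRAM, CART_LOGO))   # stock-like
    print(classify(CLONE_VRAM, CART_LOGO))   # modified
```

Both simulated units would report identical registers and DIV, since they take the same execution path; only the comparison against the cartridge's own header separates them.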