Wednesday, January 22, 2014

Boot ROMs

When you first turn on the Game Boy, the Nintendo logo scrolls down the screen and a chime plays before the game starts; if there is no game cartridge inserted, it shows a black square instead, as in this video:


What is happening when you first turn on the Game Boy is that it maps a "boot ROM", hard-coded into the CPU, over the memory range 0x0000-0x0100. The CPU starts by executing this program (which scrolls down the logo and initializes some CPU settings) before control is handed over to the game cartridge itself.

A lot of specific information about the boot ROM is described in Patent 5134391, "System for preventing the use of an unauthorized external memory". In particular, at the very end of execution it maps the cartridge back over the range 0x0000-0x0100 so that a game can't read the boot ROM at all: you can't just create your own game cartridge that prints out the code inside the boot ROM.
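As an added illustration (not code from this post), here is a small model of the address decoding described above: the boot ROM shadows 0x0000-0x00FF at power-on, and its final write to the boot lockout register at 0xFF50 (the real register on the hardware, though the post does not name it) unmaps it one-way, so whatever runs afterwards only ever sees cartridge bytes there. The ROM images are constructed sample bytes, not a real dump.

```python
# Added model of the Game Boy address bus (not from the post). The lockout
# register address 0xFF50 is real; the ROM contents are constructed samples.

BOOT_ROM_SIZE = 0x100          # boot ROM shadows 0x0000-0x00FF
BOOT_LOCK_REG = 0xFF50         # a non-zero write here unmaps the boot ROM

# Constructed sample images; a real boot ROM is 256 bytes of CPU instructions.
BOOT_ROM = bytes([0x31, 0xFE, 0xFF, 0xAF] + [0x00] * (BOOT_ROM_SIZE - 4))
CART_ROM = bytearray([0xFF] * 0x8000)
CART_ROM[0x0000] = 0xC3                              # cart's own low page
CART_ROM[0x0100:0x0104] = bytes([0x00, 0xC3, 0x50, 0x01])  # NOP; JP 0x0150


class Bus:
    """Address decoder: boot ROM shadows the first 256 bytes until locked."""

    def __init__(self, boot_rom: bytes, cart_rom: bytes):
        self.boot_rom = boot_rom
        self.cart_rom = cart_rom
        self.boot_mapped = True   # power-on state: boot ROM visible

    def read(self, addr: int) -> int:
        addr &= 0xFFFF
        if self.boot_mapped and addr < BOOT_ROM_SIZE:
            return self.boot_rom[addr]
        if addr < len(self.cart_rom):
            return self.cart_rom[addr]
        return 0xFF               # unmapped bus reads float high

    def write(self, addr: int, value: int) -> None:
        addr &= 0xFFFF
        if addr == BOOT_LOCK_REG and value & 0xFF:
            # One-way: there is no register that maps the boot ROM back in.
            self.boot_mapped = False
        # ROM is read-only; all other writes are ignored in this model.


def dump_low_page(bus: Bus) -> bytes:
    """What code running on the CPU sees at 0x0000-0x00FF right now."""
    return bytes(bus.read(a) for a in range(BOOT_ROM_SIZE))


def run_boot_sequence(bus: Bus) -> bytes:
    """Model the boot ROM's last step: lock itself out, then the cart runs."""
    before = dump_low_page(bus)          # boot ROM's own code is visible here
    bus.write(BOOT_LOCK_REG, 0x01)       # the final thing the boot ROM does
    bus.write(BOOT_LOCK_REG, 0x00)       # a cartridge cannot undo the lockout
    return before
```

Reading 0x0000-0x00FF after the lockout returns the cartridge's bytes, which is why a dumper cartridge alone cannot recover the boot ROM.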

In fact, no one extracted the boot ROM from the Game Boy until neviksti did in 2003, 14 years after the Game Boy was released. This was done by decapping the chip and locating the part of the die that actually encodes the boot ROM:

and then zooming in on it and reading off the individual bits by eye!


Given that, you can disassemble it from binary into assembly code showing all the operations the boot ROM performs; you can read a commented version on the gbdev wiki, and it really does follow the flow chart given in the patent almost to the letter:

The boot ROM for the Game Boy Color was dumped in 2009 (almost a decade later) by a different technique, using overclocking to skip the last instruction, which is the one that locks out the boot ROM. You can read about that here: http://www.fpgb.org/?page_id=17.

