Jul - Game Research/Hacking/Modding - Displaying "N64 boot logo" in OoT Debug ROM
vexiant
Posted on 12-03-15 07:47:57 PM (last edited by vexiant at 12-03-15 08:14:07 PM)
I'm going to create my own N64 boot logo and place it in the debug rom. This thread will be a recording of my progress. Probably interesting shit to follow.

The goal here is to only use the tools available in Nemu64 to prove anyone can do this with no special tools. I used developer documents for supplemental information that are publicly available.

Feel free to post anything related.

http://n64devkit.square7.ch/pro-man/pro06/06-10.htm

Important bit: Load 1 MB of game from ROM to RDRAM at physical address 0x00000400

So after spending 9 quality hours stepping through the boot sequence of the game, here's what I discovered:


The 1MB of boot code loads the game engine.
The game engine then begins reading files to load in a sequence. The game engine/DMA access function loads pieces of files at 0x2000 per fetch.
The first file the game engine loads is ovl_title, which contains the N64 logo intro we've been looking for.
Now we spend another 3 days stepping through the logo code, seeing what functions do the drawing, animating, and so on.

Six hours later:

Now we need to determine what ovl_title actually does.



This is the very first time anyone has seen the rotating N64 logo with its respective debug text. Look familiar? Majora's Mask's debug ROM has the same screen.

Code run before game.c hook:
80100DCC - The instruction that turns on the title screen debug text. It has to be set to 0x0002, not 0x0001. Makes me think this is for more verbosity. I wonder if this has an effect on other parts of the game.

Inside game.c:
80400B68 - This is where the game init begins. At the very end, the game init sets up variables to be used by ovl_title, and then passes control to it.
80400C50 - The instruction that sets the opacity of the rectangle covering our logo.

Inside ovl_title:
80400AA8 - Function to set 'on' flag
80400418 - The instruction that sets a flag to 0x0001. If it remains 0x0000 it will continue to play.
80400AB0 - Function to draw the N64 logo and texture text

Gameshark code that should activate it:
81100DCE 0002
81400C52 0000
8140041A 0000

It doesn't though! I guess Gameshark only writes at certain times, and is not in time to overwrite these areas in RAM. [Someone confirm please]

Closing
Someone should do a binary diff between the debug ROM's ovl_title and 1.0's - as of now, there is no obvious way to naturally activate this screen.

I also haven't found the reference to the N64 logo mesh in the code. We know where it is thanks to the mapped out file system, but I would rather be able to find it without it. It definitely isn't far from the cluster of functions we found in ovl_title.
Cross-post from: http://pb.ajf.me/index.php?topic=45.0
Rena

Posted on 12-10-16 07:15:48 AM
So from what you've described, the codes do:

81100DCE 0002 - set "verbosity" to 2 so the logo/text will appear
81400C52 0000 - hide the rectangle covering the logo
8140041A 0000 - don't set the flag to skip the logo

A real Gameshark hooks the vblank handler, and should be able to write to these addresses no problem (but I'm not sure how reliably it can hook 8MB games at all). On emulators, I imagine it's usually done during vblank as well, but without hooks (the emulator just does the writes itself, instead of patching the game code).

There are also the F0 and F1 code types, which work like 80 and 81 but write only once, at startup. They're mainly used for patching out anti-shark routines. I don't know if emulators even bother to implement them, but they might be worth trying for hacks like this, that patch startup code.

Some emulators don't play well with codes that patch the code. In Nemu, I think Ctrl+R or Ctrl+K resets the dynamic compiler cache, so patched instructions will function correctly. (It's in the menu, anyway.) In others, you might have to use the interpreter core.

Someone with a flash cart should try this on the real console, and someone less lazy than me should try patching these instructions in the ROM instead to see what happens.
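Added example, not part of either post: a small Python decoder for the code lines discussed in this thread, showing that each 81-type code lands on the low halfword (the 16-bit immediate on a big-endian MIPS word) of the instruction address listed in the first post, and how the same code reads in the F1 write-once form. The type table follows the thread's description of 80/81/F0/F1; the RAM image and the instruction word in `demo()` are constructed for illustration and are not taken from the ROM.

```python
import struct
from collections import namedtuple

KSEG0 = 0x80000000
# type byte -> (write width in bytes, written once at startup?), as described in the thread
CODE_TYPES = {0x80: (1, False), 0x81: (2, False), 0xF0: (1, True), 0xF1: (2, True)}
Code = namedtuple("Code", "ctype address value width once")

def parse(line):
    """Parse one 'TTAAAAAA VVVV' code line into a Code tuple."""
    addr_s, val_s = line.split()
    if len(addr_s) != 8 or len(val_s) != 4:
        raise ValueError(f"malformed code: {line!r}")
    raw, value = int(addr_s, 16), int(val_s, 16)
    ctype = raw >> 24
    if ctype not in CODE_TYPES:
        raise ValueError(f"unsupported code type {ctype:02X}")
    width, once = CODE_TYPES[ctype]
    address = KSEG0 | (raw & 0xFFFFFF)   # KSEG0 virtual address of the write
    if width == 2 and address & 1:
        raise ValueError("16-bit write must be halfword aligned")
    if width == 1 and value > 0xFF:
        raise ValueError("8-bit code carries a value above 0xFF")
    return Code(ctype, address, value, width, once)

def instruction_word(code):
    """Address of the 32-bit MIPS instruction that contains the written bytes."""
    return code.address & ~3

def apply(ram, code):
    """Perform the write on a big-endian RAM image (bytearray indexed from KSEG0)."""
    fmt = ">H" if code.width == 2 else ">B"
    struct.pack_into(fmt, ram, code.address - KSEG0, code.value)

def to_once(line):
    """Rewrite an 80/81 code line as its F0/F1 write-once form."""
    c = parse(line)
    ctype = {0x80: 0xF0, 0x81: 0xF1}.get(c.ctype, c.ctype)
    return f"{ctype:02X}{c.address & 0xFFFFFF:06X} {c.value:04X}"

def demo():
    """Patch a constructed instruction and return the resulting 32-bit word."""
    ram = bytearray(0x101000)
    # Constructed word (addiu v0, zero, 1) standing in for the real instruction.
    struct.pack_into(">I", ram, 0x100DCC, 0x24020001)
    apply(ram, parse("81100DCE 0002"))
    return struct.unpack_from(">I", ram, 0x100DCC)[0]
```

Only the immediate half of the word changes (0x24020001 becomes 0x24020002 in the constructed case); the opcode and register fields in the upper halfword are untouched, which is why the codes target the instruction address plus 2.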