Gameboy Development Forum

Discussion about software development for the old-school Gameboys, ranging from the "Gray brick" to Gameboy Color
(Launched in 2008)

#1 2020-09-04 03:36:55

endrift
Member
Registered: 2017-05-24
Posts: 11

HuC-3 research (WIP)

TAMA5 is bad, but at least it doesn't leak state like this...this...pile of silicon.

HuC-3 is an extension of HuC-1 (basically just MBC5 + an IR sensor), but it has several "modes", set by writing to $0000, which affect the external memory region ("SRAM"). As with most mappers, writing 0xA allows direct access to the SRAM, and the top nybble is ignored (so a 4-bit output).

Modes $0-$9: Reads out $FF. There doesn't seem to be any difference between these.
Mode $A: SRAM access, same as a normal MBC.
Mode $B: Seems to be an internal register write. Bits 2-6 like to bleed out in other modes for some reason. Bit 7 always seems to be high when read. Bits 4-6 seem to demarcate the type of write, and bits 0-3 are the value written, at least according to SameBoy's source.
Mode $C: Seems to be some sort of output register. However, there are some weird leaks from the mode $B register.
Mode $D: Not really sure what this one is, but it seems to be used for committing changes in other modes. When switching to this mode, bit 0 is always high, and clearing it appears to commit changes.
Mode $E: IR mode, according to LIJI. Not very well investigated yet, but bit 0 is if it detects an IR signal.
Mode $F: Reads out $FF. Seems to be unused.

The "mode $B" write types from SameBoy's source, not fully investigated yet, appear to be:
$10: Move the internal value referred to by the "access index" to the mode $C output register. It also says this increments the index, but I believe that's done by the mode D bit clear mentioned above.
$20: Store the value (low four bits) to the internal value referred to by the "access index".
$30: Same as above?
$40: Set the low nybble of the access index.
$50: Set the high nybble of the access index (I believe this is actually some sort of flag register, not the access index; see below).
$60: Set the "access flags". This is only used in one place, and I've confirmed that the behavior in SameBoy for this is inaccurate. This is not a flags register, but I don't know what it is yet.

Other mode $B write types seem to be unmapped, but they do leak state for some reason, so the value of $B will affect other reads regardless of whether or not the "type" is mapped.

The access indices, according to SameBoy, I believe are:
$0-$2: Nybbles into the RTC's minutes since the start of the day (0 - 1439, rolls over at 1440 to increment the day value below)
$3-$7: Nybbles into the RTC's number of days since 1950 (?)
$8-$A: Nybbles into the alarm's minutes (same format as above)
$B-$E: Nybbles into the alarm's days (same format as above)
$F: Alarm enabled (bit 0 only)

SameBoy maps indices $8-$F as $58-$5F, which I think is erroneous, and the $5 nybble has some relevance to how the internal state touches the alarm.

When the game Robot Poncots: Sun Version (the only HuC-3 game I have at the moment; should be getting Star Version somewhat soon) boots, it writes $01 to $6000 (which afaik is unmapped, but due to how many bits like to randomly float this may have an actual effect...), then does the following operations (on loop):

Write $0000 := $0D # Switch to mode $D
Read $A000 # Purpose unknown
Write $0000 := $0B # Switch to mode $B
Write $A000 := $62 # Seems to set some internal latch that affects the value of the mode $C register
Write $0000 := $0D # Switch to mode $D
Write $A000 := $FE # Commit mode $B change?
Read $A000 # Purpose unknown
Write $0000 := $0C # Switch to mode $C
Read $A000 # It checks that the low nybble is $1, and only breaks out of the loop if it is.

Now, about the modes $C and $D registers...the top bits seem to be directly leaked from the mode $B register, though how much depends on which one:
The mode $C register bits 4-6 are directly leaked from the mode $B register. Bit 7 is always high. Bits 0-3 seem to be output, though what asserts this output seems...strange. When writing $62 to the mode $B register, this register becomes $E1. ($80 from what appears to be an always-high bit. $60 from the mode $B register, and $1 from whatever $60-type writes do--bits 2-3 of the $60-type write also get output here, but bits 0-1 are distinct.)
The mode $D register bits 2-6 (I think) are directly leaked from the mode $B register. Bit 7 is again always high. What asserts bit 1 is...currently unknown, but has some weird properties. Bit 0 can be directly modified, but is initially asserted when entering mode $D.

This mapper is...a huge mess. I'm almost tearing my hair out trying to figure out what any of it is. State leaks all over the place, which makes it hard to tell which change is doing what; some bits just seem to be floating; nothing makes any sense. I really don't know what the people who designed this thing were thinking.

Offline
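
A small C model of the register behaviour hypothesised in the post above, added here as an example; it is not part of either post and is not SameBoy's code. All names (huc3_t, huc3_write, huc3_read, huc3_cmd, huc3_read_nybbles) are hypothetical. It assumes the mode select decodes across $0000-$1FFF, that multi-nybble values are stored low nybble first, and it leaves $50/$60 writes, mode $A and mode $E unmodelled.

```c
#include <stdint.h>

/* Constructed model of the post's hypotheses; every name here is hypothetical. */
typedef struct {
    uint8_t mode, reg_b, out, index, d0;
    uint8_t nyb[16];            /* internal values, one nybble per access index */
} huc3_t;

void huc3_write(huc3_t *h, uint16_t addr, uint8_t v) {
    if (addr < 0x2000) {                      /* mode select, top nybble ignored */
        h->mode = v & 0x0F;
        if (h->mode == 0xD) h->d0 = 1;        /* bit 0 is high on entering mode $D */
        return;
    }
    if (addr < 0xA000 || addr > 0xBFFF) return;
    if (h->mode == 0xB) { h->reg_b = v; return; }   /* latch only, no effect yet */
    if (h->mode != 0xD) return;
    h->d0 = v & 1;
    if (h->d0) return;                        /* commit happens when bit 0 is cleared */
    switch (h->reg_b & 0x70) {                /* bits 4-6: write type */
    case 0x10: h->out = h->nyb[h->index]; h->index = (h->index + 1) & 0x0F; break;
    case 0x20: case 0x30: h->nyb[h->index] = h->reg_b & 0x0F; break;
    case 0x40: h->index = h->reg_b & 0x0F; break;
    default: break;                           /* $50/$60: unresolved in the post */
    }
}

uint8_t huc3_read(const huc3_t *h, uint16_t addr) {
    if (addr < 0xA000 || addr > 0xBFFF) return 0xFF;
    if (h->mode == 0xC) return 0x80 | (h->reg_b & 0x70) | h->out;  /* bits 4-6 leak */
    if (h->mode == 0xD) return 0x80 | (h->reg_b & 0x7C) | h->d0;   /* bits 2-6 leak */
    return 0xFF;                  /* modes $0-$9 and $F; $A and $E not modelled */
}

/* Mode $B write followed by a mode $D commit, as in the boot loop. */
void huc3_cmd(huc3_t *h, uint8_t b) {
    huc3_write(h, 0x0000, 0x0B); huc3_write(h, 0xA000, b);
    huc3_write(h, 0x0000, 0x0D); huc3_write(h, 0xA000, 0xFE);
}

/* Read `count` nybbles from access index `first`, low nybble first (assumed). */
uint32_t huc3_read_nybbles(huc3_t *h, uint8_t first, int count) {
    uint32_t value = 0;
    huc3_cmd(h, 0x40 | (first & 0x0F));       /* $40-type: set access index */
    for (int i = 0; i < count; i++) {
        huc3_cmd(h, 0x10);                    /* $10-type: move value to mode $C */
        huc3_write(h, 0x0000, 0x0C);
        value |= (uint32_t)(huc3_read(h, 0xA000) & 0x0F) << (4 * i);
    }
    return value;
}
```

Because the $60-type write is not modelled, this sketch reproduces only the leaked high bits ($E0) of the $E1 value the post observes in mode $C, not the low nybble.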

 

#2 2020-09-14 17:46:59

AntonioND
Member
Registered: 2014-06-17
Posts: 122
Website

Re: HuC-3 research (WIP)

Wow. Okay. That's certainly annoying to reverse engineer...

Offline

 
