Snes emulators (Canoe, Snes9x) -- game problems and fixes

Started by sluffy, February 10, 2018, 11:25:45 PM

sluffy

Canoe:
Current thread progress list by reyvgm
Trusted compatibility list by Robin64
Unverified generic list by everyone
Hardware discussion

patch pack by lich


Many of these patches can be used for playing in snes9x also. Especially 2010 or older. Which is why sluffy (snes9x user) is researching this stuff.

This is not solely a Canoe thread, but it is largely targeted at them.

Robin64

Alien 3 on Canoe is an odd one that might not take too much work to fix. Basically, the selection cursor on the password screen doesn't display.



(This sheet, by the way, has better info and includes images for games with graphical issues.)

reyvgm

Hey sluffy, glad you're helping out fixing games to work with Canoe.

Whenever you can, could you check out what's going on with a specific area in Soul Blazer?



The game has multiple areas with the same dimming effect, but only in that area is the effect missing. I don't know if this might help, but I initially thought it was a layer issue. Normally games that have a fog, or dimmed, or dark overlay, it's usually just a transparent layer placed on top of everything else. But in this case, that light circle (or the darkness around it) is not a layer. I turned off each layer (including the sprite layer), and the circle effect was still present. So apparently something has been hardcoded in that area to make that effect.

Here's a .srm file where you can reach that area:
https://www.sendspace.com/file/lp2uti

To reach the Volcano, just enter the bottom portal. Go all the way down and exit the town to go into the ocean. Then go all the way down and left to enter a new area, then go up to reach the Volcano where the dimming effect should happen.

sluffy

#3
Cacoma Knight (USA) --- corrupt status bar

Normally game is SlowROM. But Canoe runs it too quickly, which triggers
in-game glitch - status bar is junked. What's going on?


* irq at line 224
$00/8117 E2 20       SEP #$20                A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvmxdIzc


wait for vblank
$00/8119 AD 12 42    LDA $4212  [$00:4212]   A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc
$00/811C 29 40       AND #$40                A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc
$00/811E F0 F9       BEQ $F9    [$8119]      A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc

==>
CB     WAI
80 04  BRA $04
EA     NOP
EA     NOP
EA     NOP
EA     NOP

* vblank at ~224.5 ?


turn screen off ...... make it black ...... seems like bad idea
$00/8120 A9 80       LDA #$80                A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc
$00/8122 8D 00 21    STA $2100  [$00:2100]   A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc

===>
80 03  BRA $03
EA     NOP
EA     NOP
EA     NOP


$00/8125 20 2F 81    JSR $812F  [$00:812F]   A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc


======================
======================


$00/812F C2 10       REP #$10                A:0080 X:0088 Y:FFFF D:0000 DB:80 S:03F4 P:eNvMxdIzc
$00/8131 E2 20       SEP #$20                A:0080 X:0088 Y:FFFF D:0000 DB:80 S:03F4 P:eNvMxdIzc


$00/8133 AD 04 0E    LDA $0E04  [$80:0E04]   A:0080 X:0088 Y:FFFF D:0000 DB:80 S:03F4 P:eNvMxdIzc
$00/8136 D0 2E       BNE $2E    [$8166]      A:0003 X:0088 Y:FFFF D:0000 DB:80 S:03F4 P:envMxdIzc

* SlowROM nmi @ 225

$80/8138 EE 04 0E    INC $0E04  [$00:0E04]   A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc



## ppu writes (!!)

$80/813B A2 00 00    LDX #$0000              A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc
$80/813E 8E 16 21    STX $2116  [$00:2116]   A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc

$80/8141 A9 01       LDA #$01                A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc
$80/8143 8D 00 43    STA $4300  [$00:4300]   A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc


* FastROM nmi @ 225


=====================
=====================


*** NMI
$00/80CB 48          PHA                     A:0001 X:0088 Y:0000 D:0000 DB:00 S:03FB P:envmxdIzc
$00/80CC 08          PHP                     A:0001 X:0088 Y:0000 D:0000 DB:00 S:03F9 P:envmxdIzc
$00/80CD AF 10 42 00 LDA $004210[$00:4210]   A:0001 X:0088 Y:0000 D:0000 DB:00 S:03F8 P:envmxdIzc

..

note: nmi changes 2116, 4300 as it does own dma transfers!

..

$00/8108 28          PLP                     A:0000 X:0088 Y:0000 D:0000 DB:00 S:03F8 P:envmxdIZc
$00/8109 68          PLA                     A:0000 X:0088 Y:0000 D:0000 DB:00 S:03F9 P:envmxdIzc
$00/810A 40          RTI                     A:0001 X:0088 Y:0000 D:0000 DB:00 S:03FB P:envmxdIzc


=====================
=====================


resume (fast) irq routine
-- warning: 2116, 4300 are invalid due to nmi


$80/8146 A9 18       LDA #$18                A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc
$80/8148 8D 01 43    STA $4301  [$00:4301]   A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc

$80/814B A2 00 A0    LDX #$A000              A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc HC:0398 VC:000 FC:00 I:00
$80/814E 8E 02 43    STX $4302  [$00:4302]   A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc HC:0414 VC:000 FC:00 I:00

$80/8151 A9 7E       LDA #$7E                A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc HC:0430 VC:000 FC:00 I:00
$80/8153 8D 04 43    STA $4304  [$00:4304]   A:0000 X:0000 Y:0000 D:0000 DB:00 S:01FF P:EnvMxdIzc HC:0446 VC:000 FC:00 I:00

..

dma status bar


note:
Because 2116 is pointing to wrong vram area, status bar is never
written. We get punked instead.


Simple solution:
irq @ 224
wai (wait until nmi is finished)

nmi @ 225
rti

(remove screen off -- no reason to use because we're
still in vblank)

jsr $812f
dma status bar


What's more curious is.. if Canoe runs slowrom, how can it
still get glitched? During vblank spin loop, likely signal
vblank earlier than normal. Exiting loop fast and having enough
time to change ppu registers before nmi.




Speedy Gonzales (USA) --- 6-1 button freeze

Level 6-1 has an infamous green button that's supposed to
activate a magnet and deliver a crate. Instead it hangs on
nearly all emus not named higan. This is a strange one.


$8D/9BC9 A5 18       LDA $18    [$00:0A71]   A:0020 X:0008 Y:0002 D:0A59 DB:8D S:1FF6 P:envmxdiZc
$8D/9BCB 0A          ASL A                   A:0000 X:0008 Y:0002 D:0A59 DB:8D S:1FF6 P:envmxdiZc
$8D/9BCC AA          TAX                     A:0000 X:0008 Y:0002 D:0A59 DB:8D S:1FF6 P:envmxdiZc
$8D/9BCD 7C D0 9B    JMP ($9BD0,x)[$8D:9BDE] A:0000 X:0000 Y:0002 D:0A59 DB:8D S:1FF6 P:envmxdiZc


$8D/9BDE A2 00 00    LDX #$0000              A:0000 X:0000 Y:0002 D:0A59 DB:8D S:1FF6 P:envmxdiZc


old loop:
$8D/9BE1 BD 5D 18    LDA $185D,x[$8D:185D]   A:0000 X:0000 Y:0002 D:0A59 DB:8D S:1FF6 P:envmxdiZc
$8D/9BE4 30 09       BMI $09    [$9BEF]      A:09FD X:0000 Y:0002 D:0A59 DB:8D S:1FF6 P:envmxdizc
$8D/9BE6 AA          TAX                     A:09FD X:0000 Y:0002 D:0A59 DB:8D S:1FF6 P:envmxdizc


new loop:
$8D/9BE7 BD 12 00    LDA $0012,x[$8D:0A0F]   A:09FD X:09FD Y:0002 D:0A59 DB:8D S:1FF6 P:envmxdizc
$8D/9BEA C9 0F 00    CMP #$000F              A:0002 X:09FD Y:0002 D:0A59 DB:8D S:1FF6 P:envmxdizc
$8D/9BED F0 04       BEQ $04    [$9BF3]      A:0002 X:09FD Y:0002 D:0A59 DB:8D S:1FF6 P:eNvmxdizc


$8D/9BEF E8          INX                     A:0002 X:09FD Y:0002 D:0A59 DB:8D S:1FF6 P:eNvmxdizc
$8D/9BF0 E8          INX                     A:0002 X:09FE Y:0002 D:0A59 DB:8D S:1FF6 P:envmxdizc
$8D/9BF1 80 EE       BRA $EE    [$9BE1]      A:0002 X:09FF Y:0002 D:0A59 DB:8D S:1FF6 P:envmxdizc
==> 80 F4



$8D/9BF3 86 37       STX $37    [$00:0A90]   A:0002 X:09FD Y:0002 D:0A59 DB:8D S:1FF6 P:eNvmxdiZc
$8D/9BF5 80 11       BRA $11    [$9C08]      A:0002 X:09FD Y:0002 D:0A59 DB:8D S:1FF6 P:eNvmxdiZc

..

$8D/9C08 E6 18       INC $18    [$00:0A71]   A:0002 X:09FD Y:0002 D:0A59 DB:8D S:1FF6 P:eNvmxdiZc
$8D/9C0A 60          RTS                     A:0002 X:09FD Y:0002 D:0A59 DB:8D S:1FF6 P:envmxdizc


Game hangs running 8D/9BE1-9BF1. Forever. We see it's checking
for 000F flag which it never ever finds. Okay~~?

Turns out above code is never used for entire game except this
1 dumb button. Ugh. Let's check 185D.
09FD
0A59
8000-FFFF list

It only likes 09FD,0A59. Rest after is ROM-area code - put
breakpoints to confirm ROM ones get used elsewhere.



Let's force X=09FD to be the answer @ 8D/9BED. Goes to 9BF3
and leaves. Doesn't work correctly. Same for X=0A59. New idea
is to change loop point to 9BE7. Why? Examine 09FD+0012=0A0F.
Looks like lots of 16-bit "codes". Besides, it doesn't make
much sense to read list @ 185D,185F,1861(ROM),1863(ROM),etc..

And game works. Wha??? Our X=1801 at 9BF3. 1801+12=1813.
7E/1813=000F. Is this right value??

Trying many other values as "answer" crashes game. Just
this 1 spot works.



Inspect 7e/1813 RAM region as game is running. It changes
with magnet/crate. Like coordinate values. Maybe our fix
is okay?? Where did 000F come from!? Turns out when Speedy
approaches crate area, it runs this:


$8D/CFFA B1 09       LDA ($09),y[$9E:E811]   A:0040 X:1801 Y:0002 D:0000 DB:9E S:1FEF P:envmxdizc
$8D/CFFC 95 45       STA $45,x  [$00:1846]   A:0000 X:1801 Y:0002 D:0000 DB:9E S:1FEF P:envmxdiZc
$8D/CFFE 95 3D       STA $3D,x  [$00:183E]   A:0000 X:1801 Y:0002 D:0000 DB:9E S:1FEF P:envmxdiZc
$8D/D000 C8          INY                     A:0000 X:1801 Y:0002 D:0000 DB:9E S:1FEF P:envmxdiZc
$8D/D001 C8          INY                     A:0000 X:1801 Y:0003 D:0000 DB:9E S:1FEF P:envmxdizc
$8D/D002 B1 09       LDA ($09),y[$9E:E813]   A:0000 X:1801 Y:0004 D:0000 DB:9E S:1FEF P:envmxdizc
$8D/D004 95 3F       STA $3F,x  [$00:1840]   A:0008 X:1801 Y:0004 D:0000 DB:9E S:1FEF P:envmxdizc
$8D/D006 C8          INY                     A:0008 X:1801 Y:0004 D:0000 DB:9E S:1FEF P:envmxdizc
$8D/D007 C8          INY                     A:0008 X:1801 Y:0005 D:0000 DB:9E S:1FEF P:envmxdizc
$8D/D008 B1 09       LDA ($09),y[$9E:E815]   A:0008 X:1801 Y:0006 D:0000 DB:9E S:1FEF P:envmxdizc
$8D/D00A 29 FF 00    AND #$00FF              A:3830 X:1801 Y:0006 D:0000 DB:9E S:1FEF P:envmxdizc
$8D/D00D 95 41       STA $41,x  [$00:1842]   A:0030 X:1801 Y:0006 D:0000 DB:9E S:1FEF P:envmxdizc
$8D/D00F C8          INY                     A:0030 X:1801 Y:0006 D:0000 DB:9E S:1FEF P:envmxdizc
$8D/D010 B5 39       LDA $39,x  [$00:183A]   A:0030 X:1801 Y:0007 D:0000 DB:9E S:1FEF P:envmxdizc
$8D/D012 38          SEC                     A:0030 X:1801 Y:0007 D:0000 DB:9E S:1FEF P:envmxdizc
$8D/D013 F5 3D       SBC $3D,x  [$00:183E]   A:0030 X:1801 Y:0007 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D015 38          SEC                     A:0030 X:1801 Y:0007 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D016 F5 41       SBC $41,x  [$00:1842]   A:0030 X:1801 Y:0007 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D018 95 47       STA $47,x  [$00:1848]   A:0000 X:1801 Y:0007 D:0000 DB:9E S:1FEF P:envmxdiZC
$8D/D01A B1 09       LDA ($09),y[$9E:E816]   A:0000 X:1801 Y:0007 D:0000 DB:9E S:1FEF P:envmxdiZC
$8D/D01C 29 FF 00    AND #$00FF              A:0C38 X:1801 Y:0007 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D01F 95 43       STA $43,x  [$00:1844]   A:0038 X:1801 Y:0007 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D021 C8          INY                     A:0038 X:1801 Y:0007 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D022 B1 09       LDA ($09),y[$9E:E817]   A:0038 X:1801 Y:0008 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D024 95 4F       STA $4F,x  [$00:1850]   A:000C X:1801 Y:0008 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D026 C8          INY                     A:000C X:1801 Y:0008 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D027 C8          INY                     A:000C X:1801 Y:0009 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D028 B1 09       LDA ($09),y[$9E:E819]   A:000C X:1801 Y:000A D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D02A 95 57       STA $57,x  [$00:1858]   A:2000 X:1801 Y:000A D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D02C C8          INY                     A:2000 X:1801 Y:000A D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D02D C8          INY                     A:2000 X:1801 Y:000B D:0000 DB:9E S:1FEF P:envmxdizC


(** here **)
$8D/D02E B1 09       LDA ($09),y[$9E:E81B]   A:2000 X:1801 Y:000C D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D030 95 12       STA $12,x  [$00:1813]   A:000F X:1801 Y:000C D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D032 C8          INY                     A:000F X:1801 Y:000C D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D033 C8          INY                     A:000F X:1801 Y:000D D:0000 DB:9E S:1FEF P:envmxdizC


$8D/D034 B1 09       LDA ($09),y[$9E:E81D]   A:000F X:1801 Y:000E D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D036 95 30       STA $30,x  [$00:1831]   A:0000 X:1801 Y:000E D:0000 DB:9E S:1FEF P:envmxdiZC
$8D/D038 C8          INY                     A:0000 X:1801 Y:000E D:0000 DB:9E S:1FEF P:envmxdiZC
$8D/D039 C8          INY                     A:0000 X:1801 Y:000F D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D03A B1 09       LDA ($09),y[$9E:E81F]   A:0000 X:1801 Y:0010 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D03C 95 16       STA $16,x  [$00:1817]   A:0000 X:1801 Y:0010 D:0000 DB:9E S:1FEF P:envmxdiZC
$8D/D03E C8          INY                     A:0000 X:1801 Y:0010 D:0000 DB:9E S:1FEF P:envmxdiZC
$8D/D03F C8          INY                     A:0000 X:1801 Y:0011 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D040 B1 09       LDA ($09),y[$9E:E821]   A:0000 X:1801 Y:0012 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D042 95 14       STA $14,x  [$00:1815]   A:0000 X:1801 Y:0012 D:0000 DB:9E S:1FEF P:envmxdiZC
$8D/D044 C8          INY                     A:0000 X:1801 Y:0012 D:0000 DB:9E S:1FEF P:envmxdiZC
$8D/D045 C8          INY                     A:0000 X:1801 Y:0013 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D046 B1 09       LDA ($09),y[$9E:E823]   A:0000 X:1801 Y:0014 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D048 95 4D       STA $4D,x  [$00:184E]   A:0000 X:1801 Y:0014 D:0000 DB:9E S:1FEF P:envmxdiZC
$8D/D04A C8          INY                     A:0000 X:1801 Y:0014 D:0000 DB:9E S:1FEF P:envmxdiZC
$8D/D04B C8          INY                     A:0000 X:1801 Y:0015 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D04C B1 09       LDA ($09),y[$9E:E825]   A:0000 X:1801 Y:0016 D:0000 DB:9E S:1FEF P:envmxdizC
$8D/D04E 95 2C       STA $2C,x  [$00:182D]   A:0000 X:1801 Y:0016 D:0000 DB:9E S:1FEF P:envmxdiZC
$8D/D050 C8          INY                     A:0000 X:1801 Y:0016 D:0000 DB:9E S:1FEF P:envmxdiZC
$8D/D051 C8          INY                     A:0000 X:1801 Y:0017 D:0000 DB:9E S:1FEF P:envmxdizC


So it's uploading a bunch of stuff to RAM at correct time.
And magic 000F is part of it. Watching this code during other
parts of game shows it's involved with game's scripting code.
Adding to a big list of code strings.

Current bugfix solution is to scan list of uploaded RAM scripting
codes and find 000F. Maybe it'd be better to search backwards
but it works.



And why original hardware does not crash?? Maybe a lot of luck.
No idea - amazing it finds the right spot. :)



=================================
=================================


Thanks for docs sheet. Updated. Will put future Alien3 thoughts in other thread.


Soul Blazer uses clip window technique. SNES PPU Window + Color-Math. Not strongly familiar with this but here's my low understanding:

upper main layer: bg1 + bg2
lower sub layer: bg1 + bg2


Paint just sub layer. We get a dark image.

Now take circle cookie cutter on top main layer and discard rest. It should be a dark but cropped image.

Color math says we add both pixels together. Only circle area becomes brighter when we paintshop merge layers. Rest stays dark.


-------
|  *  |
| *** |
|  *  |
-------



Canoe .. ignores this color math. Or .. transparency problem. Or HDMA error. ???



edit:
Got request to fix Beavis and Butthead (Canoe). Asking for a tester since emus don't trigger 1-hit death.

015F9C = 42 00
015FA8 = 42 00

If this works, will explain why it works.


Could someone (de)confirm Super Off Road (Canoe) glitched too?
https://www.reddit.com/r/miniSNESmods/comments/79j53s/potentially_useful_list_of_all_us_ntsc_games_that/

Robin64

#4
Altered those values for Beavis and Butthead and now, interestingly, the game freezes when you get hit. The music continues, but the actual gameplay is locked up.

matt!

Yes, Super Off Road computer AI does not use Nitro so the game is super easy.

sluffy

#6
Alien 3 (USA) --- missing password cursor

Interesting one. Password cursor never appears. Looking from
debuggers, we find whole starfield is created from sprites!
Each tile is 8x8. A sprite is 4x4 tiles. 8 sprites per row = 32
tiles. Add a 4x4 cursor and uh oh.

Range-Timer Over says we can draw 34 8x8 tiles per line, but we
have 36 now! So discard final 2 8x8 tiles. But our cursor normally
displays because it's left 16x16; right side is thrown out.

Speculation is Canoe throws entire 32x32 away because it's limit
(time) over. Doesn't partial draw. How do we get around this?
Cannot deconstruct starfield into 16x16 because 56 sprites @ 32x32
==> 224 sprites @ 16x16. 128 sprites max. How about making cursor
bg3? Painful but probably yes.

But cursor is sprite 0 - The King! It can be usurped by lower #s?
Yes. Sprites are rendered from bottom (127) to top (0). Because
cursor is last (0), gets thrown away (normally only partially).

What if we make cursor #127, which is unused? Upper sprites get
pasted on top of it, possibly making it invisible again. They all
have priority 0. Assign priority 3 to cursor and it goes on top of
everyone but still drawn 1st. Battle is over.


$81/C844 AD 50 0F    LDA $0F50  [$00:0F50]   A:003C X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdizc
$81/C847 0A          ASL A                   A:0000 X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdiZc
$81/C848 0A          ASL A                   A:0000 X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdiZc
$81/C849 0A          ASL A                   A:0000 X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdiZc
$81/C84A 0A          ASL A                   A:0000 X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdiZc
$81/C84B 69 73 00    ADC #$0073              A:0000 X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdiZc
$81/C84E 8D 54 0F    STA $0F54  [$00:0F54]   A:0073 X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdizc
$81/C851 AD 52 0F    LDA $0F52  [$00:0F52]   A:0073 X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdizc
$81/C854 8D CA 0F    STA $0FCA  [$00:0FCA]   A:003C X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdizc
$81/C857 AD 54 0F    LDA $0F54  [$00:0F54]   A:003C X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdizc
$81/C85A 8D CC 0F    STA $0FCC  [$00:0FCC]   A:0073 X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdizc


password cursor  (x,y pos)
$81/C85D AD CC 0F    LDA $0FCC  [$00:0FCC]   A:0073 X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdizc
$81/C860 EB          XBA                     A:0073 X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdizc
$81/C861 18          CLC                     A:7300 X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdiZc
$81/C862 6D CA 0F    ADC $0FCA  [$00:0FCA]   A:7300 X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdiZc
$81/C865 8F 80 09 00 STA $000980[$00:0980]   A:733C X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdizc
===> 8F 7C 0B 00  [#127]


tile #  (01CC) + attr (0)
$81/C869 A9 CC 01    LDA #$01CC              A:733C X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdizc
==> A9 CC 31  [priority 3]


$81/C86C 8F 82 09 00 STA $000982[$00:0982]   A:01CC X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdizc
===> 8F 7E 0B 00  [#127]


obj size (32x32) + x-coord 256
$81/C870 A9 AA AA    LDA #$AAAA              A:01CC X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:envmxdizc
$81/C873 8F 80 0B 00 STA $000B80[$00:0B80]   A:AAAA X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:eNvmxdizc
==> 8F 9E 0B 00  [#120-127]

$81/C877 6B          RTL                     A:AAAA X:07D0 Y:0000 D:0000 DB:00 S:01D1 P:eNvmxdizc


An interesting side-effect is that cursor was behind the
password screen. Now it's in front. Scroll to left,right
cursor to see use.




Beavis and Butthead (USA) --- 1-hit death

The MTV duo die in 1-hit! Secret ultra hardcore non-wimpy
edition? Sounds like copy protection. But only known to happen
on Canoe so maybe not. Track down the health routine.


$82/DF97 DA          PHX                     A:0101 X:0006 Y:0000 D:0000 DB:81 S:01E7 P:envMxdizc
$82/DF98 5A          PHY                     A:0101 X:0006 Y:0000 D:0000 DB:81 S:01E5 P:envMxdizc
$82/DF99 8D 00 02    STA $0200  [$81:0200]   A:0101 X:0006 Y:0000 D:0000 DB:81 S:01E3 P:envMxdizc


$82/DF9C 78          SEI                     A:0101 X:0006 Y:0000 D:0000 DB:81 S:01E3 P:envMxdizc
$82/DF9D F8          SED                     A:0101 X:0006 Y:0000 D:0000 DB:81 S:01E3 P:envMxdIzc
==> 80 00  BRA $00


hp - damage ==> hp
$82/DF9E AD 22 02    LDA $0222  [$81:0222]   A:0101 X:0006 Y:0000 D:0000 DB:81 S:01E3 P:envMxDIzc
$82/DFA1 38          SEC                     A:010B X:0006 Y:0000 D:0000 DB:81 S:01E3 P:envMxDIzc
$82/DFA2 ED 00 02    SBC $0200  [$81:0200]   A:010B X:0006 Y:0000 D:0000 DB:81 S:01E3 P:envMxDIzC
$82/DFA5 8D 22 02    STA $0222  [$81:0222]   A:010A X:0006 Y:0000 D:0000 DB:81 S:01E3 P:envMxDIzC


$82/DFA8 D8          CLD                     A:010A X:0006 Y:0000 D:0000 DB:81 S:01E3 P:envMxDIzC
$82/DFA9 58          CLI                     A:010A X:0006 Y:0000 D:0000 DB:81 S:01E3 P:envMxdIzC
==> 80 00  BRA $00


$82/DFAA 22 62 96 80 JSL $809662[$80:9662]   A:010E X:0006 Y:0000 D:0000 DB:81 S:01E3 P:envMxdizC


* Note that sei only prevents irq from launching; does not save
us from nmi. And nmi routine does not protect against D(ecimal)
flag. Probably very rare and unlikely to collide - nmi inside
health routine given when it happens. But it's still bad idea
and could crash the game.


SED. Activates Decimal math. What is (Binary Coded) Decimal?
Canoe can't handle it. So beware!

     Hex   BCD
00   $00   $00
01   $01   $01
..
09   $09   $09

10   $0A   $10
11   $0B   $11
12   $0C   $12


Notice the jump. Because our starting health is stored as $0B.
Yup. Border territory. Everyone agrees $10-1=$09.

65816 says $0B-1=$0A. Canoe puts it in $80-FF range = dead.
$00 = final life point.

We don't need BCD mode. Regular math passes. But how come
devs did this to us? Maybe originally as anti-cheat and they
switched to "normal" hp. Or early beta used for printing #s
on-screen. $100 = 100. -1 = $099 = 099. Easy, no fuss. Boss
health does a "dec" and avoids dreaded BCD error.


Which concludes with solution. 2 bytes:
nop x2 = 4 cycles
bra $00 = 3 cycles
wdm 00 = 2 cycles

* wdm crashes Canoe. Very unused opcode so not likely
to be seen.




Super Off Road (USA) --- stale rng

Next Canoe problem. Dumb AI. Lackluster bonus item placement.
Same, same. Easy CPU with no nitro? Something stinks. Another
copy protection that ucon64 missed?


Find when AI does nitro:
$00/A65A 20 C2 99    JSR $99C2  [$00:99C2]   A:0350 X:0002 Y:0001 D:0000 DB:00 S:01F4 P:envMXdIzc
$00/A65D C5 54       CMP $54    [$00:0054]   A:03D7 X:0002 Y:0001 D:0000 DB:00 S:01F4 P:eNvMXdIzc
$00/A65F B0 20       BCS $20    [$A681]      A:03D7 X:0002 Y:0001 D:0000 DB:00 S:01F4 P:eNvMXdIzC


cpu nitro
$00/A661 DA          PHX                     A:0442 X:0003 Y:0000 D:0000 DB:00 S:01F4 P:eNvMXdIzc
$00/A662 A6 5C       LDX $5C    [$00:005C]   A:0442 X:0003 Y:0000 D:0000 DB:00 S:01F3 P:eNvMXdIzc
$00/A664 A9 FF       LDA #$FF                A:0442 X:0006 Y:0000 D:0000 DB:00 S:01F3 P:envMXdIzc
$00/A666 9D 11 05    STA $0511,x[$00:0517]   A:04FF X:0006 Y:0000 D:0000 DB:00 S:01F3 P:eNvMXdIzc
$00/A669 9D 12 05    STA $0512,x[$00:0518]   A:04FF X:0006 Y:0000 D:0000 DB:00 S:01F3 P:eNvMXdIzc
$00/A66C FA          PLX                     A:04FF X:0006 Y:0000 D:0000 DB:00 S:01F3 P:eNvMXdIzc
$00/A66D 80 12       BRA $12    [$A681]      A:04FF X:0003 Y:0000 D:0000 DB:00 S:01F4 P:envMXdIzc


rng
====>
$00/99C2 DA          PHX                     A:0200 X:0003 Y:0000 D:0000 DB:00 S:01F2 P:envMXdIZC
$00/99C3 08          PHP                     A:0200 X:0003 Y:0000 D:0000 DB:00 S:01F1 P:envMXdIZC
$00/99C4 E2 20       SEP #$20                A:0200 X:0003 Y:0000 D:0000 DB:00 S:01F0 P:envMXdIZC
$00/99C6 66 51       ROR $51    [$00:0051]   A:0200 X:0003 Y:0000 D:0000 DB:00 S:01F0 P:envMXdIZC

$00/99C8 A5 50       LDA $50    [$00:0050]   A:0200 X:0003 Y:0000 D:0000 DB:00 S:01F0 P:eNvMXdIzc
$00/99CA 48          PHA                     A:0200 X:0003 Y:0000 D:0000 DB:00 S:01F0 P:envMXdIZc
$00/99CB 6A          ROR A                   A:0200 X:0003 Y:0000 D:0000 DB:00 S:01EF P:envMXdIZc
$00/99CC 85 51       STA $51    [$00:0051]   A:0200 X:0003 Y:0000 D:0000 DB:00 S:01EF P:envMXdIZc

$00/99CE A5 4F       LDA $4F    [$00:004F]   A:0200 X:0003 Y:0000 D:0000 DB:00 S:01EF P:envMXdIZc
$00/99D0 AA          TAX                     A:02E2 X:0003 Y:0000 D:0000 DB:00 S:01EF P:eNvMXdIzc
$00/99D1 0A          ASL A                   A:02E2 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:eNvMXdIzc
$00/99D2 0A          ASL A                   A:02C4 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:eNvMXdIzC
$00/99D3 0A          ASL A                   A:0288 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:eNvMXdIzC
$00/99D4 0A          ASL A                   A:0210 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:envMXdIzC
$00/99D5 85 50       STA $50    [$00:0050]   A:0220 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:envMXdIzc

$00/99D7 A5 4E       LDA $4E    [$00:004E]   A:0220 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:envMXdIzc
$00/99D9 85 4F       STA $4F    [$00:004F]   A:0205 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:envMXdIzc

$00/99DB 4A          LSR A                   A:0205 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:envMXdIzc
$00/99DC 4A          LSR A                   A:0202 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:envMXdIzC
$00/99DD 4A          LSR A                   A:0201 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:envMXdIzc
$00/99DE 4A          LSR A                   A:0200 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:envMXdIZC
$00/99DF 05 50       ORA $50    [$00:0050]   A:0200 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:envMXdIZc
$00/99E1 45 51       EOR $51    [$00:0051]   A:0220 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:envMXdIzc
$00/99E3 86 50       STX $50    [$00:0050]   A:0220 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:envMXdIzc

$00/99E5 A6 4D       LDX $4D    [$00:004D]   A:0220 X:00E2 Y:0000 D:0000 DB:00 S:01EF P:envMXdIzc
$00/99E7 86 4E       STX $4E    [$00:004E]   A:0220 X:00AA Y:0000 D:0000 DB:00 S:01EF P:eNvMXdIzc
$00/99E9 85 4D       STA $4D    [$00:004D]   A:0220 X:00AA Y:0000 D:0000 DB:00 S:01EF P:eNvMXdIzc
$00/99EB 68          PLA                     A:0220 X:00AA Y:0000 D:0000 DB:00 S:01EF P:eNvMXdIzc
$00/99EC 85 51       STA $51    [$00:0051]   A:0200 X:00AA Y:0000 D:0000 DB:00 S:01F0 P:envMXdIZc

$00/99EE 28          PLP                     A:0200 X:00AA Y:0000 D:0000 DB:00 S:01F0 P:envMXdIZc
$00/99EF FA          PLX                     A:0200 X:00AA Y:0000 D:0000 DB:00 S:01F1 P:envMXdIZC


$00/99F0 A5 4D       LDA $4D    [$00:004D]   A:0200 X:0003 Y:0000 D:0000 DB:00 S:01F2 P:envMXdIzC
$00/99F2 60          RTS                     A:0220 X:0003 Y:0000 D:0000 DB:00 S:01F2 P:envMXdIzC



A random number generator. Funny to note is it's never
seeded. Relies on startup uninitialized ram. Snes9x = 55 55 55 55.
Canoe likely similar. Snes9x isn't fun to play either. What to do?

Jinx the numbers ourselves. Note how ram $0b,$0d acts like in-game
timer but not fully tied to each other. Can deviate from each other.
So that's our unpredictable spot. Choose a pre-race spot that
runs every time. Like when screen is turned off for loading.


$00/A428 E2 20       SEP #$20                A:FFFF X:02E8 Y:0100 D:0000 DB:00 S:01F6 P:eNvMxdIzc HC:0684 VC:234 FC:44 I:00
$00/A42A A9 80       LDA #$80                A:FFFF X:02E8 Y:0100 D:0000 DB:00 S:01F6 P:eNvMxdIzc HC:0714 VC:234 FC:44 I:00

$00/A42C 8D 00 21    STA $2100  [$00:2100]   A:FF80 X:02E8 Y:0100 D:0000 DB:00 S:01F6 P:eNvMxdIzc HC:0738 VC:234 FC:44 I:00
==> JSR seed

$00/A42F 20 6F B4    JSR $B46F  [$00:B46F]   A:FF80 X:02E8 Y:0100 D:0000 DB:00 S:01F6 P:eNvMxdIzc HC:0776 VC:234 FC:44 I:00




org $ffa0

seed:
sta $2100


lda $0b
sta $4d

lda $0d
sta $50

jsr $99c2
lsr
sta $4f

jsr $99c2
asl
sta $51

rts


This jiggles the rng enough to create some volatile
starting numbers. Note that routine can get "stuck"
over long time and start churning dumb patterns.
Or given bad initial seeds (55 55 55 55).

New code uses some uninit values + in-game timers
before every race. Keeps things fresh and plays good
enough overall. Creates some values that rng may not
generate in self-feedback lifespan.


Stupid rng problem can happen on real hardware too,
but more rare.
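Added example (not part of sluffy's post, and not code from any emulator): a Python model of the 8-bit SBC used by the Beavis and Butthead health routine at $82/DF9E, in binary and decimal mode, to check that removing SED/CLD does not change the outcome for the starting health $0B. The decimal path uses the nibble-adjust formulation common in 65816 emulator cores, which is an assumption here and is checked only against the values in the trace; the "dead at $80-$FF" rule is taken from the post, and all function names are hypothetical.

```python
# Model of 8-bit 65816 SBC (M flag set, as in the trace) plus the health routine.
# Assumption: decimal mode follows the usual nibble-adjust emulator formulation.

def sbc8(a, operand, carry, decimal):
    """Return (result, carry_out) for A - operand - (1 - carry).

    carry=1 means "no borrow", which is what SEC sets up before SBC.
    """
    rd = operand ^ 0xFF                      # SBC is ADC of the inverted operand
    if not decimal:
        result = a + rd + carry
    else:
        # Low nibble first; subtract 6 when the nibble borrowed.
        result = (a & 0x0F) + (rd & 0x0F) + carry
        if result <= 0x0F:
            result -= 0x06
        half = 1 if result > 0x0F else 0
        # High nibble, carrying the half-carry in; subtract $60 on borrow.
        result = (a & 0xF0) + (rd & 0xF0) + (half << 4) + (result & 0x0F)
        if result <= 0xFF:
            result -= 0x60
    return result & 0xFF, (1 if result > 0xFF else 0)


def take_hit(hp, damage, decimal):
    """LDA $0222 / SEC / SBC $0200 / STA $0222 from the trace."""
    new_hp, _ = sbc8(hp, damage, 1, decimal)
    return new_hp


def hits_until_dead(start_hp, damage, decimal, limit=256):
    """Count hits until health lands in $80-$FF (the post's 'dead' range)."""
    if damage == 0:
        raise ValueError("damage must be non-zero")
    hp, hits = start_hp, 0
    while hp < 0x80:
        hp = take_hit(hp, damage, decimal)
        hits += 1
        if hits > limit:                     # guard against a cycling value
            raise RuntimeError("health never reached the dead range")
    return hits


def first_divergence(start_hp, damage):
    """First live health value where decimal and binary results differ, or None."""
    hp = start_hp
    while hp < 0x80:
        dec = take_hit(hp, damage, True)
        binary = take_hit(hp, damage, False)
        if dec != binary and (dec < 0x80 or binary < 0x80):
            return hp
        hp = dec
    return None


if __name__ == "__main__":
    print("decimal $0B-1 = $%02X" % take_hit(0x0B, 0x01, True))
    print("decimal $10-1 = $%02X" % take_hit(0x10, 0x01, True))
    print("binary  $10-1 = $%02X" % take_hit(0x10, 0x01, False))
    for start in (0x0B, 0x10):
        print("start $%02X: %d hits decimal, %d hits binary, diverges at %s" % (
            start,
            hits_until_dead(start, 1, True),
            hits_until_dead(start, 1, False),
            first_divergence(start, 1)))
```

With health starting at $0B and one point of damage the two modes never disagree while the character is alive, so the two-byte patch is behaviour-preserving on that path; a BCD-valid start such as $10 is where they would part ways.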
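Added example (not part of sluffy's post): a Python model of the Super Off Road generator at $00/99C2 and of the "seed" patch, showing that the unpatched routine is a pure function of RAM $4D-$51 and therefore replays the same stream whenever power-on RAM is the same, while the patch makes the stream depend on the timer bytes $0B/$0D. The 0x55 fill follows the Snes9x value quoted in the post; the timer values, the $51 value in the trace check and all function names are constructed for illustration.

```python
# Model of the RNG trace ($00/99C2) and the "seed" routine from the post.
# RAM is a dict of direct-page address -> byte; sample contents are constructed.

def rng_step(ram):
    """One call of $00/99C2. Updates $4D-$51 and returns A (the new $4D)."""
    m4d, m4e, m4f, m50, m51 = (ram[a] for a in (0x4D, 0x4E, 0x4F, 0x50, 0x51))
    # ROR $51 leaves old bit 0 of $51 in carry; ROR A then rotates that
    # carry into bit 7 of the copy of $50. The result is only a temporary.
    temp = ((m51 & 1) << 7) | (m50 >> 1)
    # ASL x4 on $4F, LSR x4 on $4E, ORA the two halves, EOR with the temporary.
    out = (((m4f << 4) & 0xFF) | (m4e >> 4)) ^ temp
    # STX/STA/PLA sequence: every byte shifts one slot towards $51.
    ram[0x4D], ram[0x4E], ram[0x4F], ram[0x50], ram[0x51] = out, m4d, m4e, m4f, m50
    return out


def seed_patch(ram):
    """The 'seed:' routine from the post (the displaced STA $2100 is omitted)."""
    ram[0x4D] = ram[0x0B]                    # lda $0b / sta $4d
    ram[0x50] = ram[0x0D]                    # lda $0d / sta $50
    ram[0x4F] = rng_step(ram) >> 1           # jsr $99c2 / lsr / sta $4f
    ram[0x51] = (rng_step(ram) << 1) & 0xFF  # jsr $99c2 / asl / sta $51


def power_on_ram(fill=0x55):
    """Uninitialised RAM as the post describes for Snes9x (every byte = fill)."""
    return {a: fill for a in (0x0B, 0x0D, 0x4D, 0x4E, 0x4F, 0x50, 0x51)}


def unseeded_stream(n=8, fill=0x55):
    """What the unpatched game draws after boot: depends only on the fill."""
    ram = power_on_ram(fill)
    return [rng_step(ram) for _ in range(n)]


def seeded_stream(timer_0b, timer_0d, n=8, fill=0x55):
    """Stream after the patch ran once with the given timer bytes."""
    ram = power_on_ram(fill)
    ram[0x0B], ram[0x0D] = timer_0b, timer_0d
    seed_patch(ram)
    return [rng_step(ram) for _ in range(n)]


def trace_check():
    """Replay the call in the post's trace: $4D=AA $4E=05 $4F=E2 $50=00.

    $51 is not shown in the trace; only its bit 0 (clear) is visible via the
    carry flag, so 0x00 is assumed here.
    """
    ram = {0x4D: 0xAA, 0x4E: 0x05, 0x4F: 0xE2, 0x50: 0x00, 0x51: 0x00}
    out = rng_step(ram)
    return out, [ram[a] for a in (0x4D, 0x4E, 0x4F, 0x50, 0x51)]


if __name__ == "__main__":
    fmt = lambda xs: " ".join("%02X" % x for x in xs)
    print("trace   :", "%02X" % trace_check()[0])
    print("boot #1 :", fmt(unseeded_stream()))
    print("boot #2 :", fmt(unseeded_stream()))
    print("seed 12 :", fmt(seeded_stream(0x12, 0x34)))
    print("seed 13 :", fmt(seeded_stream(0x13, 0x34)))
```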

ShadowOne333

Since you are diving into the Canoe emulator ("canoe-shvc" inside /usr/bin/ right?), may I ask if you know what offsets/addresses are the ones which modify EarthBound's ROM?
I'm curious to dissect the changes made into EB from the emulator side, but I don't know exactly how to get the hang of the binary's code.

sluffy

#8
Dragon Ball Z: Super Butouden 2 (Japan, France) --- flickering split-screen

When fighters separate, split-screen mode activates.
And then it does freaky flashing, showing sky, ground,
normal, status bar. Which techniques are in-play here?

Each player gets a "window", like a scroll that can move
all 4 directions. And wraps around each boundary.


window1
bg1 = front
bg2 = back

window2
bg3 = front
bg4 = back


So isolate bad layer.

Turn off bg1,bg3. Same flicker problem.
Turn only bg4. Still glitchy status bar and such.
Turn only bg2. Now okay except for alternating blackness.

Step frame-by-frame with bg4. Notice how sometimes top-half
is ground, status bar, bottom-half is sky. So we have vertical
scrolling problem, which wraps around bottom --> top.


Learn this name: 2114h = BG4 vertical scroll. Very important
to know it takes -two- writes to get 16-bit value in. And it
shares a buffer with 210D-2114  (BG1-4 HOFS, VOFS).


As written in docs:
BGnHOFS = (Current << 8) | (Prev1&~7) | (Prev2&7);
Prev1 = Current;
Prev2 = Current;

or

BGnVOFS = (Current << 8) | Prev1;
Prev1 = Current;


Meaning if we write 04 to 2113, 05 to 2114, then 06 to 2113, 07 to 2114.
2113 ==> 04xx
2114 ==> 0504 vs 05yy
2113 ==> 0605 vs 0604
2114 ==> 0706 vs 0705



Tracking it down here:
$80/8338 AD 71 09    LDA $0971  [$80:0971]   A:0000 X:0600 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIZC HC:1070 VC:028 FC:14 I:00
$80/833B 8D 14 21    STA $2114  [$80:2114]   A:0028 X:0600 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIzC HC:1108 VC:028 FC:14 I:00

$80/833E AD 72 09    LDA $0972  [$80:0972]   A:0028 X:0600 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIzC HC:1274 VC:028 FC:14 I:00
$80/8341 8D 14 21    STA $2114  [$80:2114]   A:0001 X:0600 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIzC HC:1312 VC:028 FC:14 I:00


Which gets technical fun. Very timing sensitive, for bad
(tiny slow) emus. An IRQ fires at ~line 28 to set BG4VOFS.
Always reports $0128 value. And someone is kicking us.
Whose shortcut name is H-DMA.


Good:
$80/8338 AD 71 09    LDA $0971  [$80:0971]   A:0000 X:0500 Y:0800 D:0000 DB:80 S:1FD9 P:envMxdIZC HC:1106 VC:028

H-DMA[1] write (4) 0x000DC0->0x2126 ind, Count:  92, Rep: no , V-LINE:  28 0010DB
H-DMA[3] write (2) 0x001452->0x210F ind, Count:  11, Rep: yes, V-LINE:  28 00122B
H-DMA[5] write (2) 0x00145A->0x2113 ind, Count:  11, Rep: yes, V-LINE:  28 001397  0x2130 ind, Count:  20, Rep: yes, V-LINE:  28 8088F7

* 2114 safe to access

$80/833B 8D 14 21    STA $2114  [$80:2114]   A:0028 X:0500 Y:0800 D:0000 DB:80 S:1FD9 P:envMxdIzC HC:1274 VC:028
$80/833E AD 72 09    LDA $0972  [$80:0972]   A:0028 X:0500 Y:0800 D:0000 DB:80 S:1FD9 P:envMxdIzC HC:1310 VC:028
$80/8341 8D 14 21    STA $2114  [$80:2114]   A:0001 X:0500 Y:0800 D:0000 DB:80 S:1FD9 P:envMxdIzC HC:1348 VC:028



Bad:
$80/8338 AD 71 09    LDA $0971  [$80:0971]   A:0000 X:0600 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIZC HC:1070 VC:028
$80/833B 8D 14 21    STA $2114  [$80:2114]   A:0028 X:0600 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIzC HC:1108 VC:028


H-DMA[1] write (4) 0x000DC0->0x2126 ind, Count:  92, Rep: no , V-LINE:  28 0010DB
H-DMA[3] write (2) 0x001458->0x210F ind, Count:  11, Rep: yes, V-LINE:  28 00133C
H-DMA[5] write (2) 0x001450->0x2113 ind, Count:  11, Rep: yes, V-LINE:  28 0011D0  0x2130 ind, Count:  20, Rep: yes, V-LINE:  28 8088F7

* Previous 2114 write invalidated by 2113 write  (shared register cache) ==> wrong scroll value


$80/833E AD 72 09    LDA $0972  [$80:0972]   A:0028 X:0600 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIzC HC:1274 VC:028
$80/8341 8D 14 21    STA $2114  [$80:2114]   A:0001 X:0600 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIzC HC:1312 VC:028


Because we got interrupted by a 2114 - [2113 - 2113] - 2114 path,
2114 is invalid. We get greatly scrolled up picture. Note this
doesn't happen on Hardware or Bsnes because they run fast enough
that H-DMA begins after 2114 is done. Not Canoe - Geiger. Let's
re-arrange code to avoid this tragedy.


$80/831A A5 27       LDA $27    [$00:0027]   A:0002 X:158A Y:1582 D:0000 DB:80 S:1FDB P:envMxdIZC
$80/831C F0 1A       BEQ $1A    [$8338]      A:0000 X:158A Y:1582 D:0000 DB:80 S:1FDB P:envMxdIZC


warn: H-DMA interrupt messes up writes
$80/831E AD 71 09    LDA $0971  [$80:0971]   A:0000 X:0600 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIzC
$80/8321 8D 14 21    STA $2114  [$80:2114]   A:0028 X:0600 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIzC

$80/8324 AD 72 09    LDA $0972  [$80:0972]   A:0028 X:0600 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIzC
$80/8327 8D 14 21    STA $2114  [$80:2114]   A:0001 X:0600 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIzC


$80/832A AE 4D 09    LDX $094D  [$80:094D]   A:0001 X:0600 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIzC
$80/832D 8E 23 21    STX $2123  [$80:2123]   A:0001 X:0000 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIZC

$80/8330 AE 53 09    LDX $0953  [$80:0953]   A:0001 X:0000 Y:0500 D:0000 DB:80 S:1FCF P:envMxdIZC
$80/8333 8E 2C 21    STX $212C  [$80:212C]   A:0001 X:0F1F Y:0500 D:0000 DB:80 S:1FCF P:envMxdIzC
$80/8336 80 28       BRA $28    [$8360]      A:0001 X:0F1F Y:0500 D:0000 DB:80 S:1FCF P:envMxdIzC



warn: H-DMA interrupt messes up writes

$80/8338 AD 71 09    LDA $0971  [$80:0971]   A:0000 X:158A Y:1582 D:0000 DB:80 S:1FDB P:envMxdIZC
$80/833B 8D 14 21    STA $2114  [$80:2114]   A:0028 X:158A Y:1582 D:0000 DB:80 S:1FDB P:envMxdIzC

$80/833E AD 72 09    LDA $0972  [$80:0972]   A:0028 X:158A Y:1582 D:0000 DB:80 S:1FDB P:envMxdIzC
$80/8341 8D 14 21    STA $2114  [$80:2114]   A:0001 X:158A Y:1582 D:0000 DB:80 S:1FDB P:envMxdIzC


window bg1-4 mask settings
$80/8344 AE 2E 09    LDX $092E  [$80:092E]   A:0001 X:158A Y:1582 D:0000 DB:80 S:1FDB P:envMxdIzC
$80/8347 AD 45 09    LDA $0945  [$80:0945]   A:0001 X:CC33 Y:1582 D:0000 DB:80 S:1FDB P:eNvMxdIzC

* normally h-dma hits around here @ v:28, h:1098-1304

$80/834A 29 02       AND #$02                A:007E X:CC33 Y:1582 D:0000 DB:80 S:1FDB P:envMxdIzC
$80/834C D0 03       BNE $03    [$8351]      A:0002 X:CC33 Y:1582 D:0000 DB:80 S:1FDB P:envMxdIzC

$80/834E A2 00 00    LDX #$0000              A:0002 X:33CC Y:0000 D:0000 DB:80 S:1FD9 P:envMxdIZC

$80/8351 8E 23 21    STX $2123  [$80:2123]   A:0002 X:CC33 Y:1582 D:0000 DB:80 S:1FDB P:envMxdIzC
$80/8354 8E 4D 09    STX $094D  [$80:094D]   A:0002 X:CC33 Y:1582 D:0000 DB:80 S:1FDB P:envMxdIzC


main / sub designation
$80/8357 AE 51 09    LDX $0951  [$80:0951]   A:0002 X:CC33 Y:1582 D:0000 DB:80 S:1FDB P:envMxdIzC
$80/835A 8E 2C 21    STX $212C  [$80:212C]   A:0002 X:0F1F Y:1582 D:0000 DB:80 S:1FDB P:envMxdIzC
$80/835D 8E 53 09    STX $0953  [$80:0953]   A:0002 X:0F1F Y:1582 D:0000 DB:80 S:1FDB P:envMxdIzC


=== becomes this ===


Rev 1 = 80/831A
Rev 0 = 80/8318
France = 80/8311


A5 27     LDA $27
F0 1A     BEQ $8338



* geiger
AE 4D 09  LDX $094D
8E 23 21  STX $2123

AE 53 09  LDX $0953
8E 2C 21  STX $212C
* geiger


AD 71 09  LDA $0971
8D 14 21  STA $2114

AD 72 09  LDA $0972
8D 14 21  STA $2114

80 28     BRA $8360




* geiger
AE 2E 09  LDX $092E
AD 45 09  LDA $0945
29 02     AND #$02


D0 03     BNE $03
A2 00 00  LDX #$0000
8E 23 21  STX $2123
* geiger



* bsnes
8E 4D 09  STX $094D
AD 71 09  LDA $0971
* bsnes


8D 14 21  STA $2114

AD 72 09  LDA $0972
8D 14 21  STA $2114


Note how bsnes cuts it very close to disaster. But
we get what we need: a temporary workaround that happens
to satisfy both emus.




F-1 Grand Prix (Japan)

During in-game racing, hud is messed up on right side. And no h-dma
this time. Bunch of sprites.


Checking our irq log
008034 pha                    A:2000 X:15c4 Y:0004 S:016d D:0000 DB:01 nvmxdIZC V:  0 H: 120 F:42
008034 pha                    A:81a8 X:15c4 Y:81a8 S:0163 D:0000 DB:07 NvmxdIzc V:  8 H: 124 F:42
008034 pha                    A:81a8 X:15c4 Y:81a8 S:0163 D:0000 DB:07 NvmxdIzc V:  9 H: 780 F:42
008034 pha                    A:e0ff X:035e Y:0006 S:0169 D:0000 DB:03 nvmxdIzc V: 71 H: 122 F:42
008034 pha                    A:8080 X:0000 Y:0000 S:0192 D:0000 DB:00 NvmxdIzC V:120 H: 120 F:42
008034 pha                    A:8080 X:0000 Y:0000 S:0192 D:0000 DB:00 NvmxdIzC V:164 H: 106 F:42
008034 pha                    A:8080 X:0000 Y:0000 S:0192 D:0000 DB:00 NvmxdIzC V:223 H: 120 F:42


$00/81D6 8D 09 42    STA $4209  [$00:4209]   A:0008 X:102A Y:0013 D:0000 DB:00 S:0163 P:enVmxdIzc HC:0410 VC:001 FC:31 I:00
$00/81D6 8D 09 42    STA $4209  [$00:4209]   A:0009 X:15C4 Y:102A D:0000 DB:00 S:0162 P:enVmxdIzc HC:0378 VC:009 FC:31 I:00


Oh bugger. Another IRQ request on line 9 --> line 9. Back-to-back irq error again.
Canoe / Geiger cannot run another irq after rti on same line. Hardware allows this.

See Sink or Swim for lengthy explanation.



*** IRQ
$00/8032 C2 30       REP #$30                A:19A4 X:15C4 Y:102A D:0000 DB:01 S:0163 P:envmxdIzc HC:0122 VC:000 FC:54 I:02
$00/8034 48          PHA                     A:19A4 X:15C4 Y:102A D:0000 DB:01 S:0163 P:envmxdIzc HC:0152 VC:000 FC:54 I:02
$00/8035 8B          PHB                     A:19A4 X:15C4 Y:102A D:0000 DB:01 S:0161 P:envmxdIzc HC:0190 VC:000 FC:54 I:02
$00/8036 0B          PHD                     A:19A4 X:15C4 Y:102A D:0000 DB:01 S:0160 P:envmxdIzc HC:0220 VC:000 FC:54 I:02
$00/8037 4B          PHK                     A:19A4 X:15C4 Y:102A D:0000 DB:01 S:015E P:envmxdIzc HC:0258 VC:000 FC:54 I:02
$00/8038 AB          PLB                     A:19A4 X:15C4 Y:102A D:0000 DB:01 S:015D P:envmxdIzc HC:0288 VC:000 FC:54 I:02
$00/8039 A9 00 00    LDA #$0000              A:19A4 X:15C4 Y:102A D:0000 DB:00 S:015E P:envmxdIZc HC:0324 VC:000 FC:54 I:02
$00/803C 5B          TCD                     A:0000 X:15C4 Y:102A D:0000 DB:00 S:015E P:envmxdIZc HC:0356 VC:000 FC:54 I:02
$00/803D 2C 10 42    BIT $4210  [$00:4210]   A:0000 X:15C4 Y:102A D:0000 DB:00 S:015E P:envmxdIZc HC:0378 VC:000 FC:54 I:02
$00/8040 F4 45 80    PEA $8045               A:0000 X:15C4 Y:102A D:0000 DB:00 S:015E P:eNVmxdIZc HC:0422 VC:000 FC:54 I:00
$00/8043 6C CB 00    JMP ($00CB)[$00:81FC]   A:0000 X:15C4 Y:102A D:0000 DB:00 S:015C P:eNVmxdIZc HC:0470 VC:000 FC:54 I:00



$00/81C3 B2 CF       LDA ($CF)  [$00:81E2]   A:0000 X:15C4 Y:102A D:0000 DB:00 S:0158 P:eNVmxdIZc HC:0108 VC:001 FC:55 I:00
$00/81C5 D0 07       BNE $07    [$81CE]      A:821F X:15C4 Y:102A D:0000 DB:00 S:0158 P:eNVmxdIzc HC:0164 VC:001 FC:55 I:00

..

$00/81CE 85 CB       STA $CB    [$00:00CB]   A:821F X:15C4 Y:102A D:0000 DB:00 S:0158 P:eNVmxdIzc HC:0194 VC:001 FC:55 I:00
$00/81D0 E6 CF       INC $CF    [$00:00CF]   A:821F X:15C4 Y:102A D:0000 DB:00 S:0158 P:eNVmxdIzc HC:0234 VC:001 FC:55 I:00
$00/81D2 E6 CF       INC $CF    [$00:00CF]   A:821F X:15C4 Y:102A D:0000 DB:00 S:0158 P:eNVmxdIzc HC:0296 VC:001 FC:55 I:00

$00/81D4 B2 CF       LDA ($CF)  [$00:81E4]   A:821F X:15C4 Y:102A D:0000 DB:00 S:0158 P:eNVmxdIzc HC:0374 VC:001 FC:55 I:00
$00/81D6 8D 09 42    STA $4209  [$00:4209]   A:0008 X:15C4 Y:102A D:0000 DB:00 S:0158 P:enVmxdIzc HC:0430 VC:001 FC:55 I:00
$00/81D9 E6 CF       INC $CF    [$00:00CF]   A:0008 X:15C4 Y:102A D:0000 DB:00 S:0158 P:enVmxdIzc HC:0474 VC:001 FC:55 I:00
$00/81DB E6 CF       INC $CF    [$00:00CF]   A:0008 X:15C4 Y:102A D:0000 DB:00 S:0158 P:eNVmxdIzc HC:0536 VC:001 FC:55 I:00
$00/81DD 60          RTS                     A:0008 X:15C4 Y:102A D:0000 DB:00 S:0158 P:eNVmxdIzc HC:0638 VC:001 FC:55 I:00


$00/821D 68          PLA                     A:0008 X:15C4 Y:102A D:0000 DB:00 S:015A P:eNVmxdIzc HC:0688 VC:001 FC:55 I:00
$00/821E 60          RTS                     A:0000 X:15C4 Y:102A D:0000 DB:00 S:015C P:enVmxdIZc HC:0732 VC:001 FC:55 I:00


$00/8046 2B          PLD                     A:0000 X:15C4 Y:102A D:0000 DB:00 S:015E P:enVmxdIZc HC:0782 VC:001 FC:55 I:00
$00/8047 AB          PLB                     A:0000 X:15C4 Y:102A D:0000 DB:00 S:0160 P:enVmxdIZc HC:0826 VC:001 FC:55 I:00
$00/8048 68          PLA                     A:0000 X:15C4 Y:102A D:0000 DB:01 S:0161 P:enVmxdIzc HC:0862 VC:001 FC:55 I:00
$00/8049 40          RTI                     A:19A4 X:15C4 Y:102A D:0000 DB:01 S:0163 P:enVmxdIzc HC:0906 VC:001 FC:55 I:00



Patch with new routine that auto-runs irq 9. Ignore hardware irq handler to do it for us.


org $8081d9
jml start



org $80ff98

start:
inc $cf
inc $cf


; latch h/v counters + reset port
sep #$20
lda $2137
lda $213f



; check line 8-9
lda $213d
cmp #$08
beq +
cmp #$09
beq +



; normal irq
rep #$20
jml $8081dd



+

; fire #9 irq
rep #$20
pla
pla
pla

jml $808039



=================================================
=================================================


This site covers patches like Earthbound E-NTSC
http://darkakuma.z-net.us/p/sfromtool.html


I took a peek inside the emu code but. Yeah. It's all alien logic to me. Just taking less-educated guesses based on how each game behaves and some sideways thinking. But when it affects emus like Speedy or Cacoma (Fast), then I can dance along. Stuff like Alien3, Beavis, Blazer don't though so it's meh + tra-la-lu.


edit:
Updated Alien 3 thread with possible workaround.
http://www.romhacking.net/forum/index.php?topic=25553.0
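The 2113/2114 write ordering problem from the post above, as an added example that is not part of the original post and not code from any emulator. It uses a simplified model of the shared write-twice latch (new value = written byte << 8 | previous byte; the extra low-bit handling real hardware applies to BGnHOFS is left out), and the H-DMA data bytes are constructed for illustration.

```python
# Added illustration (not game or emulator code). Simplified model of the
# BG scroll write-twice latch: new value = (byte << 8) | previous byte.
# Real hardware also mixes old low bits into BGnHOFS; that is left out here.

BG_SCROLL_REGS = range(0x210D, 0x2115)  # BG1HOFS ($210D) .. BG4VOFS ($2114)
BG4HOFS, BG4VOFS = 0x2113, 0x2114


class ScrollLatchModel:
    """shared=True: one latch for all eight registers (the behaviour the
    post describes). shared=False: one latch per register, for comparison."""

    def __init__(self, shared=True):
        self.shared = shared
        self.latch = {}
        self.regs = {addr: 0 for addr in BG_SCROLL_REGS}

    def write(self, addr, data):
        if addr not in self.regs:
            return  # e.g. $2126 or $2130: not a scroll register, latch untouched
        key = "all" if self.shared else addr
        self.regs[addr] = ((data & 0xFF) << 8) | self.latch.get(key, 0)
        self.latch[key] = data & 0xFF


def replay(writes, shared=True):
    """Apply (address, byte) writes in order and return the register file."""
    ppu = ScrollLatchModel(shared)
    for addr, data in writes:
        ppu.write(addr, data)
    return ppu.regs


# The 04/05/06/07 sequence from the post.
POST_EXAMPLE = [(BG4HOFS, 0x04), (BG4VOFS, 0x05), (BG4HOFS, 0x06), (BG4VOFS, 0x07)]

# The IRQ handler's two writes that should produce BG4VOFS = $0128.
CPU_LOW, CPU_HIGH = (BG4VOFS, 0x28), (BG4VOFS, 0x01)

# Constructed H-DMA burst for line 28: same target registers as the log
# ($2126, $210F, $2113, $2130); the data bytes are invented for the example.
HDMA_BURST = [(0x2126, 0x00), (0x210F, 0x10), (0x210F, 0x00),
              (BG4HOFS, 0x40), (BG4HOFS, 0x00), (0x2130, 0x02)]

GOOD_ORDER = HDMA_BURST + [CPU_LOW, CPU_HIGH]    # H-DMA lands before the pair
BAD_ORDER = [CPU_LOW] + HDMA_BURST + [CPU_HIGH]  # H-DMA lands between the pair


def bg4vofs(writes, shared=True):
    return replay(writes, shared)[BG4VOFS]


if __name__ == "__main__":
    for shared in (True, False):
        regs = replay(POST_EXAMPLE, shared)
        print("shared latch:" if shared else "per-register:",
              f"2113={regs[BG4HOFS]:04X} 2114={regs[BG4VOFS]:04X}")
    print(f"good order -> BG4VOFS={bg4vofs(GOOD_ORDER):04X}")
    print(f"bad order  -> BG4VOFS={bg4vofs(BAD_ORDER):04X}")
```

With a per-register latch the bad ordering would still give $0128, which is why the glitch only shows up when the latch is shared and the H-DMA burst lands between the two 2114 writes.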


reyvgm

Sluffy, in such a short time you've found solutions to a bunch of games! You are awesome.

If possible, could you take a look at Nosferatu? On Canoe, when you start playing, the right side of the screen is garbled. And when you reach the area of the first boss, the enemies partially disappear.

And also Space Megaforce, which has some audio issues where there's a lot of annoying popping sounds. Is that something within your knowledge range?

Maybe you could figure out what's going on and find a fix?

matt!


sluffy

#12
SOS: Sink or Swim (USA, Europe) --- blue screen of water

Drop a bomb and start climbing down ladders. Blue Screen
of Death. Background scrolls around but not sprites.
Manual inspection of screen suggests status bar ~190-193.

Could be h-dma, but isn't. Safely waits for hblank transfers
then writes bg2 registers.


H-DMA[0] write (2) 0x0004BA->0x210F ind, Count:   3, Rep: no , V-LINE: 189 000389
H-DMA[1] write (2) 0x00043A->0x210D ind, Count:   3, Rep: no , V-LINE: 189 000309


IRQ logs
00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:175 H:  90 F:52
00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:190 H:  84 F:52

00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:177 H:  98 F:53
00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:190 H:  88 F:53

00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:179 H:  82 F:54
00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:190 H:  92 F:54

00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:181 H:  82 F:55
00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:190 H:  88 F:55

00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:183 H:  88 F:56
00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:190 H:  96 F:56

00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:185 H:  84 F:57
00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:190 H: 100 F:57

00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:187 H:  94 F:58
00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:190 H:  82 F:58

*** key ***
00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:189 H:  90 F:59
00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:190 H: 642 F:59

00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:190 H:  86 F: 0
00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:190 H:  90 F: 1
00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nvMXdIzC V:190 H:  88 F: 2
00ff41 jml $80e6d1   [80e6d1] A:0003 X:0008 Y:000c S:01f4 D:0000 DB:80 nVMXdIzC V:190 H:  84 F: 3


Fires 2 IRQs per frame.
4207-4208 = H-IRQ
4209-420A = V-IRQ



*** IRQ
$80/E6D1 08          PHP                     A:0003 X:0008 Y:000C D:0000 DB:80 S:01F4 P:envMXdIzC HC:0148 VC:189
$80/E6D2 C2 30       REP #$30                A:0003 X:0008 Y:000C D:0000 DB:80 S:01F3 P:envMXdIzC HC:0180 VC:189
$80/E6D4 48          PHA                     A:0003 X:0008 Y:000C D:0000 DB:80 S:01F3 P:envmxdIzC HC:0210 VC:189
$80/E6D5 DA          PHX                     A:0003 X:0008 Y:000C D:0000 DB:80 S:01F1 P:envmxdIzC HC:0250 VC:189
$80/E6D6 5A          PHY                     A:0003 X:0008 Y:000C D:0000 DB:80 S:01EF P:envmxdIzC HC:0290 VC:189
$80/E6D7 0B          PHD                     A:0003 X:0008 Y:000C D:0000 DB:80 S:01ED P:envmxdIzC HC:0330 VC:189
$80/E6D8 8B          PHB                     A:0003 X:0008 Y:000C D:0000 DB:80 S:01EB P:envmxdIzC HC:0370 VC:189
$80/E6D9 E2 30       SEP #$30                A:0003 X:0008 Y:000C D:0000 DB:80 S:01EA P:envmxdIzC HC:0402 VC:189
$80/E6DB AD 11 42    LDA $4211  [$80:4211]   A:0003 X:0008 Y:000C D:0000 DB:80 S:01EA P:envMXdIzC HC:0432 VC:189
$80/E6DE 6C 10 00    JMP ($0010)[$80:E7FD]   A:00C2 X:0008 Y:000C D:0000 DB:80 S:01EA P:eNvMXdIzC HC:0468 VC:189



$80/E7FD E2 30       SEP #$30                A:00C2 X:0008 Y:000C D:0000 DB:80 S:01EA P:eNvMXdIzC HC:0514 VC:189
$80/E7FF 20 C3 CF    JSR $CFC3  [$80:CFC3]   A:00C2 X:0008 Y:000C D:0000 DB:80 S:01EA P:eNvMXdIzC HC:0584 VC:189


hblank safety
$80/CFC3 08          PHP                     A:00C2 X:0008 Y:000C D:0000 DB:80 S:01E8 P:eNvMXdIzC HC:0636 VC:189
$80/CFC4 E2 30       SEP #$30                A:00C2 X:0008 Y:000C D:0000 DB:80 S:01E7 P:eNvMXdIzC HC:0668 VC:189
$80/CFC6 AD 12 42    LDA $4212  [$80:4212]   A:00C2 X:0008 Y:000C D:0000 DB:80 S:01E7 P:eNvMXdIzC HC:0698 VC:189
$80/CFC9 89 40       BIT #$40                A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIzC HC:0734 VC:189
$80/CFCB D0 F9       BNE $F9    [$CFC6]      A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIZC HC:0758 VC:189
$80/CFCD AD 12 42    LDA $4212  [$80:4212]   A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIZC HC:0782 VC:189
$80/CFD0 89 40       BIT #$40                A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIzC HC:0818 VC:189
$80/CFD2 F0 F9       BEQ $F9    [$CFCD]      A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIZC HC:0842 VC:189
$80/CFCD AD 12 42    LDA $4212  [$80:4212]   A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIZC HC:0872 VC:189
$80/CFD0 89 40       BIT #$40                A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIzC HC:0908 VC:189
$80/CFD2 F0 F9       BEQ $F9    [$CFCD]      A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIZC HC:0932 VC:189
$80/CFCD AD 12 42    LDA $4212  [$80:4212]   A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIZC HC:0962 VC:189
$80/CFD0 89 40       BIT #$40                A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIzC HC:0998 VC:189
$80/CFD2 F0 F9       BEQ $F9    [$CFCD]      A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIZC HC:1022 VC:189
$80/CFCD AD 12 42    LDA $4212  [$80:4212]   A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIZC HC:1052 VC:189
$80/CFD0 89 40       BIT #$40                A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIzC HC:1088 VC:189
$80/CFD2 F0 F9       BEQ $F9    [$CFCD]      A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIZC HC:1178 VC:189
$80/CFCD AD 12 42    LDA $4212  [$80:4212]   A:0002 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIZC HC:1208 VC:189
$80/CFD0 89 40       BIT #$40                A:0042 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIzC HC:1244 VC:189
$80/CFD2 F0 F9       BEQ $F9    [$CFCD]      A:0042 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIzC HC:1268 VC:189
$80/CFD4 28          PLP                     A:0042 X:0008 Y:000C D:0000 DB:80 S:01E7 P:envMXdIzC HC:1292 VC:189
$80/CFD5 60          RTS                     A:0042 X:0008 Y:000C D:0000 DB:80 S:01E8 P:eNvMXdIzC HC:1330 VC:189


$80/E802 E2 20       SEP #$20                A:0042 X:0008 Y:000C D:0000 DB:80 S:01EA P:eNvMXdIzC HC:0018 VC:190
$80/E804 9C 30 21    STZ $2130  [$80:2130]   A:0042 X:0008 Y:000C D:0000 DB:80 S:01EA P:eNvMXdIzC HC:0048 VC:190
$80/E807 A9 57       LDA #$57                A:0042 X:0008 Y:000C D:0000 DB:80 S:01EA P:eNvMXdIzC HC:0084 VC:190
$80/E809 8D 31 21    STA $2131  [$80:2131]   A:0057 X:0008 Y:000C D:0000 DB:80 S:01EA P:envMXdIzC HC:0108 VC:190
$80/E80C A9 60       LDA #$60                A:0057 X:0008 Y:000C D:0000 DB:80 S:01EA P:envMXdIzC HC:0144 VC:190
$80/E80E 8D 32 21    STA $2132  [$80:2132]   A:0060 X:0008 Y:000C D:0000 DB:80 S:01EA P:envMXdIzC HC:0168 VC:190
$80/E811 A9 98       LDA #$98                A:0060 X:0008 Y:000C D:0000 DB:80 S:01EA P:envMXdIzC HC:0204 VC:190
$80/E813 8D 32 21    STA $2132  [$80:2132]   A:0098 X:0008 Y:000C D:0000 DB:80 S:01EA P:eNvMXdIzC HC:0228 VC:190


~~~~~~~~~~~~~~~~~~~~~~~
set next irq @ 190
$80/E816 C2 30       REP #$30                A:0098 X:0008 Y:000C D:0000 DB:80 S:01EA P:eNvMXdIzC HC:0264 VC:190
$80/E818 A2 86 E7    LDX #$E786              A:0098 X:0008 Y:000C D:0000 DB:80 S:01EA P:eNvmxdIzC HC:0294 VC:190
$80/E81B A9 BE 00    LDA #$00BE              A:0098 X:E786 Y:000C D:0000 DB:80 S:01EA P:eNvmxdIzC HC:0324 VC:190
$80/E81E 20 CA E6    JSR $E6CA  [$80:E6CA]   A:00BE X:E786 Y:000C D:0000 DB:80 S:01EA P:envmxdIzC HC:0354 VC:190


$80/E821 E2 30       SEP #$30                A:00BE X:E786 Y:000C D:0000 DB:80 S:01EA P:envmxdIzC HC:0610 VC:190
$80/E823 4C E1 E6    JMP $E6E1  [$80:E6E1]   A:00BE X:0086 Y:000C D:0000 DB:80 S:01EA P:envMXdIzC HC:0646 VC:190
~~~~~~~~~~~~~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~
pal
$80/E822 C2 30       REP #$30                A:0098 X:0008 Y:0002 D:0000 DB:80 S:01EA P:eNVMXdIzC HC:0152 VC:137
$80/E824 A2 92 E7    LDX #$E792              A:0098 X:0008 Y:0002 D:0000 DB:80 S:01EA P:eNVmxdIzC HC:0176 VC:137
$80/E827 A9 BE 00    LDA #$00BE              A:0098 X:E792 Y:0002 D:0000 DB:80 S:01EA P:eNVmxdIzC HC:0200 VC:137
$80/E82A 20 D6 E6    JSR $E6D6  [$80:E6D6]   A:00BE X:E792 Y:0002 D:0000 DB:80 S:01EA P:enVmxdIzC HC:0224 VC:137

$80/E82D E2 30       SEP #$30                A:00BE X:E792 Y:0002 D:0000 DB:80 S:01EA P:enVmxdIzC HC:0392 VC:137
$80/E82F 4C ED E6    JMP $E6ED  [$80:E6ED]   A:00BE X:0092 Y:0002 D:0000 DB:80 S:01EA P:enVMXdIzC HC:0416 VC:137
~~~~~~~~~~~~~~~~~~~~~~~


$80/E6CA 8E 10 00    STX $0010  [$80:0010]   A:00BE X:E786 Y:0000 D:0000 DB:80 S:01E6 P:enVmxdIzC HC:1098 VC:234
$80/E6CD 8D 09 42    STA $4209  [$80:4209]   A:00BE X:E786 Y:0000 D:0000 DB:80 S:01E6 P:enVmxdIzC HC:1138 VC:234
$80/E6D0 60          RTS                     A:00BE X:E786 Y:0000 D:0000 DB:80 S:01E6 P:enVmxdIzC HC:1174 VC:234


$80/E6E1 C2 30       REP #$30                A:00BE X:0086 Y:000C D:0000 DB:80 S:01EA P:envMXdIzC HC:0682 VC:190
$80/E6E3 AB          PLB                     A:00BE X:0086 Y:000C D:0000 DB:80 S:01EA P:envmxdIzC HC:0718 VC:190
$80/E6E4 2B          PLD                     A:00BE X:0086 Y:000C D:0000 DB:80 S:01EB P:eNvmxdIzC HC:0762 VC:190
$80/E6E5 7A          PLY                     A:00BE X:0086 Y:000C D:0000 DB:80 S:01ED P:envmxdIZC HC:0814 VC:190
$80/E6E6 FA          PLX                     A:00BE X:0086 Y:000C D:0000 DB:80 S:01EF P:envmxdIzC HC:0866 VC:190
$80/E6E7 68          PLA                     A:00BE X:0008 Y:000C D:0000 DB:80 S:01F1 P:envmxdIzC HC:0918 VC:190
$80/E6E8 28          PLP                     A:0003 X:0008 Y:000C D:0000 DB:80 S:01F3 P:envmxdIzC HC:0970 VC:190
$80/E6E9 40          RTI                     A:0003 X:0008 Y:000C D:0000 DB:80 S:01F4 P:envMXdIzC HC:1014 VC:190



Looks harmless. Trick though is follow this pattern:
V189: start irq
V190: enable irq @ 190
V190: rti

V190: start irq  (immediately after rti)
V191: rti

V225: nmi



Canoe / Geiger does:
V189: start irq
V190: enable irq @ 190
V190: rti

** skip irq **

V225: nmi


We're missing back-to-back irq firing. IRQs can trigger
mid-scanline again. So to fix, we run irq 190 ourselves.



org $80e816
jml start


org $8FFFe0

start:

; latch h/v counters + reset port
lda $2137
lda $213f


; check line 189-190
lda $213d
cmp #$be
beq +
cmp #$bd
beq +

; normal irq
rep #$30
ldx #$e786
jml $80e81b


+

; fire 190 irq
jml $80e786



Now Geiger does this check on V190. Canoe does it on V189.
Little faster, because it likely breaks out of HBlank spin
loop quicker. Meaning HBlank could signal early on Canoe.




Uniracers / Unirally (USA, Europe) --- game pak not found  (pending)

no$sns and some snes9x builds can show this text.
Copier protection. Take a peek.


$83/8AFA AF 00 00 77 LDA $770000[$77:0000]   A:0481 X:0000 Y:FFFF D:0000 DB:80 S:01FA P:eNvMxdIzC
$83/8AFE 48          PHA                     A:0441 X:0000 Y:FFFF D:0000 DB:80 S:01FA P:envMxdIzC
$83/8AFF A9 12       LDA #$12                A:0441 X:0000 Y:FFFF D:0000 DB:80 S:01F9 P:envMxdIzC
$83/8B01 8F 00 00 77 STA $770000[$77:0000]   A:0412 X:0000 Y:FFFF D:0000 DB:80 S:01F9 P:envMxdIzC

$83/8AF7 08          PHP                     A:0481 X:0000 Y:FFFF D:0000 DB:80 S:01FB P:eNvMxdIzC
$83/8AF8 E2 20       SEP #$20                A:0481 X:0000 Y:FFFF D:0000 DB:80 S:01FA P:eNvMxdIzC
$83/8AFA AF 00 00 77 LDA $770000[$77:0000]   A:0481 X:0000 Y:FFFF D:0000 DB:80 S:01FA P:eNvMxdIzC
$83/8AFE 48          PHA                     A:0441 X:0000 Y:FFFF D:0000 DB:80 S:01FA P:envMxdIzC
$83/8AFF A9 12       LDA #$12                A:0441 X:0000 Y:FFFF D:0000 DB:80 S:01F9 P:envMxdIzC
$83/8B01 8F 00 00 77 STA $770000[$77:0000]   A:0412 X:0000 Y:FFFF D:0000 DB:80 S:01F9 P:envMxdIzC
$83/8B05 C2 20       REP #$20                A:0412 X:0000 Y:FFFF D:0000 DB:80 S:01F9 P:envMxdIzC
$83/8B07 A9 56 34    LDA #$3456              A:0412 X:0000 Y:FFFF D:0000 DB:80 S:01F9 P:envmxdIzC
$83/8B0A 8F FF 1F 77 STA $771FFF[$77:1FFF]   A:3456 X:0000 Y:FFFF D:0000 DB:80 S:01F9 P:envmxdIzC


USA, Europe
$83/8B0E E2 20       SEP #$20                A:3456 X:0000 Y:FFFF D:0000 DB:80 S:01F9 P:envmxdIzC
$83/8B10 AF 00 00 77 LDA $770000[$77:0000]   A:3456 X:0000 Y:FFFF D:0000 DB:80 S:01F9 P:envMxdIzC
$83/8B14 C9 34       CMP #$34                A:3434 X:0000 Y:FFFF D:0000 DB:80 S:01F9 P:envMxdIzC
$83/8B16 F0 04       BEQ $04    [$8B1C]      A:3434 X:0000 Y:FFFF D:0000 DB:80 S:01F9 P:envMxdIZC
==> 80 04


Game Pak not found
$83/8B18 5C EB 94 80 JMP $8094EB[$80:94EB]   A:3434 X:0000 Y:FFFF D:0000 DB:80 S:01F9 P:envMxdIzC


$83/8B1C 68          PLA                     A:3434 X:0000 Y:FFFF D:0000 DB:80 S:01F9 P:envMxdIZC
$83/8B1D 8F 00 00 77 STA $770000[$77:0000]   A:3441 X:0000 Y:FFFF D:0000 DB:80 S:01FA P:envMxdIzC
$83/8B21 28          PLP                     A:3441 X:0000 Y:FFFF D:0000 DB:80 S:01FA P:envMxdIzC
$83/8B22 6B          RTL                     A:3441 X:0000 Y:FFFF D:0000 DB:80 S:01FB P:eNvMxdIzC


Writes 771FFF = 56, 772000 = 34. Then checks 770000 for 34.

Note that sram size = 2000. And when we reach that #, wraps
back to 0000. We patch routine above to proceed.



=============================================
=============================================


Thanks everyone. Kinda nice break from doing (tiring) faster rom code rewrites. Bonus is that these are really strange behaviors, at my learning level.


Audio issues .. if I can get it to happen in emu, then definitely perhaps yeah. Could be "un-init" audio ram glitch. Or reverb buffer. Haven't checked this particular bugger yet.

Screenshot of this Nosferatu? Nothing mysterious so far.
(read docs - "Glitches on right side when scrolling." Huh.)

(Scratch Uniracers - snes9x log talks about color windows)


Alien 3, Beavis writeups done.
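The SRAM wrap check traced in the Uniracers section above, as an added example that is not part of the original post and not the game's or any emulator's code. It assumes cartridge SRAM simply repeats every `size` bytes inside bank $77; the initial byte $41 at $770000 is the value visible in the trace (A:0441), and the sizes other than $2000 are constructed for comparison.

```python
# Added illustration, not the game's or any emulator's code.
# Assumption: cartridge SRAM repeats every `size` bytes inside bank $77.


class Sram:
    def __init__(self, size, fill=0x41):
        self.size = size
        self.mem = bytearray([fill]) * size

    def _offset(self, addr):
        # Keep the 16-bit offset inside the bank, then wrap at the SRAM size.
        return (addr & 0xFFFF) % self.size

    def read8(self, addr):
        return self.mem[self._offset(addr)]

    def write8(self, addr, value):
        self.mem[self._offset(addr)] = value & 0xFF

    def write16(self, addr, value):
        # The 65816 stores 16-bit values low byte first.
        self.write8(addr, value)
        self.write8(addr + 1, value >> 8)


def gamepak_check(sram):
    """Follow the traced routine at $83/8AF7. Returns True when it would
    reach the PLA/RTL path, False when it would jump to 'Game Pak not found'."""
    saved = sram.read8(0x770000)            # LDA $770000 / PHA
    sram.write8(0x770000, 0x12)             # LDA #$12 / STA $770000
    sram.write16(0x771FFF, 0x3456)          # REP #$20 / LDA #$3456 / STA $771FFF
    passed = sram.read8(0x770000) == 0x34   # LDA $770000 / CMP #$34 / BEQ
    if passed:
        sram.write8(0x770000, saved)        # PLA / STA $770000
    return passed


def survey(sizes):
    """Run the check against fresh SRAM of each size."""
    return {size: gamepak_check(Sram(size)) for size in sizes}


if __name__ == "__main__":
    for size, ok in survey([0x800, 0x2000, 0x4000, 0x8000]).items():
        print(f"SRAM size ${size:04X}: {'pass' if ok else 'Game Pak not found'}")
```

In this model the check passes only when $772000 lands on the same cell as $770000, that is when the SRAM size divides $2000 evenly.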

DarkAkuma

I tried relaying a game for you to look into, but I'm not sure if you got it.

I went as far as I could go trying to get Dragon Ball Z - Super Butoden 2 to work. It was thought to be one that should be compatible with canoe, just requiring a correct intended preset id and/or an undumped VC ROM. I exhausted all the preset ids that it could be, and the only VC ROM contained no custom patching other than music. So I'm convinced there's going to be no other fix for it than a custom hack. Sadly, such hacks are beyond my skills.

I compiled an approximation of the issue into a gif. The issue is where the health bars glitch into the middle of the screen for a frame on player 1's side, and other tiles onto player 2's side. It alternates back and forth every second or so.


sluffy

#14
Mario's Time Machine (USA, Europe, Germany) -- invisible surfing items

When Mario is surfing around, power-ups like mushrooms
or bad urchins can disappear in a flash when trying to
collect. How is game doing "mode 7" sprite coordinates?
Via the ppu, only during VBlank and not while rendering.


usa / europe / germany
$81/8834 A5 CD       LDA $CD    [$00:00CD]   A:0253 X:0002 Y:0000 D:0000 DB:81 S:01F0 P:eNvMxdizc
$81/8836 8D 1B 21    STA $211B  [$81:211B]   A:0200 X:0002 Y:0000 D:0000 DB:81 S:01F0 P:envMxdiZc

$81/8839 A5 CE       LDA $CE    [$00:00CE]   A:0200 X:0002 Y:0000 D:0000 DB:81 S:01F0 P:envMxdiZc
$81/883B 8D 1B 21    STA $211B  [$81:211B]   A:0200 X:0002 Y:0000 D:0000 DB:81 S:01F0 P:envMxdiZc

$81/883E A9 7F       LDA #$7F                A:0200 X:0002 Y:0000 D:0000 DB:81 S:01F0 P:envMxdiZc
$81/8840 8D 1C 21    STA $211C  [$81:211C]   A:027F X:0002 Y:0000 D:0000 DB:81 S:01F0 P:envMxdizc


$81/8843 C2 20       REP #$20                A:027F X:0002 Y:0000 D:0000 DB:81 S:01F0 P:envMxdizc
$81/8845 AD 36 21    LDA $2136  [$81:2136]   A:027F X:0002 Y:0000 D:0000 DB:81 S:01F0 P:envmxdizc
==> AD 35 21

$81/8848 EB          XBA                     A:2100 X:0002 Y:0000 D:0000 DB:81 S:01F0 P:envmxdizc
$81/8849 08          PHP                     A:0021 X:0002 Y:0000 D:0000 DB:81 S:01F0 P:envmxdizc
$81/884A 30 0F       BMI $0F    [$885B]      A:0021 X:0002 Y:0000 D:0000 DB:81 S:01EF P:envmxdizc


$81/884C AD 34 21    LDA $2134  [$81:2134]   A:0021 X:0002 Y:0000 D:0000 DB:81 S:01EF P:envmxdizc
$81/884F 85 B3       STA $B3    [$00:00B3]   A:0000 X:0002 Y:0000 D:0000 DB:81 S:01EF P:envmxdiZc

$81/8851 AD 36 21    LDA $2136  [$81:2136]   A:0000 X:0002 Y:0000 D:0000 DB:81 S:01EF P:envmxdiZc
$81/8854 29 FF 00    AND #$00FF              A:2100 X:0002 Y:0000 D:0000 DB:81 S:01EF P:envmxdizc
$81/8857 85 B5       STA $B5    [$00:00B5]   A:0000 X:0002 Y:0000 D:0000 DB:81 S:01EF P:envmxdiZc
$81/8859 80 1A       BRA $1A    [$8875]      A:0000 X:0002 Y:0000 D:0000 DB:81 S:01EF P:envmxdiZc


2134-2136 = Multiplication Result low-middle-high byte.
Instant result. When it works value is 0000. And "zero / minus"
says 2100 / 21FF? Where is 21 coming from?


2136 = high
2137 = latch h/v counters. Returns OpenBus.
       OpenBus is last value written to bus.


For 8-bit 2137 read, it's likely AD 34 21. Gives 21.

For 16-bit 2136-2137 read, 2136 says 00/FF. So bus has 00/FF.
2137 says OpenBus. So it's 00/FF again.


Reading code, suggestive that LDA $2135 is correct register.
Checks sign bit for normal or "inverse" coordinate system.



========================================
========================================


First heard of this one. Happens in Geiger also. Incredibly weird one as it uses window tricks to draw both halves.

bg3 is foreground - bush, log. Hides fighters.
bg4 is background - behind fighters. Status bar.

Flickers because when fighters are "off-screen", it mirrors bg1+bg2  bg3+bg4. Keeps alternating left/right fighter. So frame 1: left = bg1-2, right = bg3-4. Frame 2: left = bg3-4, right = bg1-2.

Because of timing "misstep" with Canoe (Geiger too), draws screen wrong on 1 side. In my case, it draws ground | life+power | sky. And some frames it gets correct briefly.

HDMA likely setting register at wrong time, causing sky/ground glitch. With clipping window problem on top. Looks difficult to understand so far beyond. ^^
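The 16-bit read of $2136-$2137 from the Mario's Time Machine writeup above, as an added example that is not part of the original post and not code from any emulator. The `mdr_tracks_ppu_reads` switch is an assumed way of modelling an emulator whose open-bus value stays at the last fetched operand byte ($21); the M7A/M7B inputs are constructed.

```python
# Added illustration (not game or emulator code).
MPYL, MPYM, MPYH, SLHV = 0x2134, 0x2135, 0x2136, 0x2137


def signed(value, bits):
    value &= (1 << bits) - 1
    return value - (1 << bits) if value >> (bits - 1) else value


def mode7_product(m7a, m7b):
    """24-bit signed product of 16-bit M7A and 8-bit M7B, split into bytes."""
    product = (signed(m7a, 16) * signed(m7b, 8)) & 0xFFFFFF
    return {MPYL: product & 0xFF, MPYM: (product >> 8) & 0xFF, MPYH: product >> 16}


class Bus:
    """CPU data bus with a memory data register (MDR) that backs open bus.
    mdr_tracks_ppu_reads=False is an assumed model of an emulator that only
    updates the MDR on instruction fetches."""

    def __init__(self, product, mdr_tracks_ppu_reads):
        self.product = product
        self.mdr_tracks_ppu_reads = mdr_tracks_ppu_reads
        self.mdr = 0

    def fetch(self, byte):
        self.mdr = byte  # opcode and operand bytes always drive the bus

    def read(self, addr):
        if addr in self.product:
            value = self.product[addr]
            if self.mdr_tracks_ppu_reads:
                self.mdr = value
            return value
        return self.mdr  # $2137 has no data of its own: open bus


def lda_abs16(bus, addr):
    """16-bit LDA absolute: fetch AD lo hi, then read addr and addr+1."""
    for byte in (0xAD, addr & 0xFF, addr >> 8):
        bus.fetch(byte)
    low = bus.read(addr)
    high = bus.read(addr + 1)
    return (high << 8) | low


def sign_after_xba(a):
    """XBA swaps the bytes; BMI then tests bit 7 of the old high byte."""
    return bool(a & 0x8000)


def run(m7a, m7b, read_addr, mdr_tracks_ppu_reads):
    """Return (A after LDA, whether the BMI branch would be taken)."""
    bus = Bus(mode7_product(m7a, m7b), mdr_tracks_ppu_reads)
    a = lda_abs16(bus, read_addr)
    return a, sign_after_xba(a)


if __name__ == "__main__":
    for m7a in (0x0200, 0xFE00):  # constructed positive and negative M7A
        for addr in (MPYH, MPYM):  # original LDA $2136, patched LDA $2135
            for tracks in (True, False):
                a, negative = run(m7a, 0x7F, addr, tracks)
                print(f"M7A={m7a:04X} LDA ${addr:04X} mdr_tracks={tracks}: "
                      f"A={a:04X} negative={negative}")
```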

reyvgm

Quote from: sluffy on February 12, 2018, 06:47:22 PM


Screenshot of this Nosferatu? Nothing mysterious so far.
(read docs - "Glitches on right side when scrolling." Huh.)



In Nosferatu, once you start advancing in level 1, you'll notice that the graphics are corrupted on the right side of the screen. And when you reach the area before the last boss, the enemies will flicker on and off.

matt!

sluffy doesn't have a SNES Classic, so please post screenshots. He uses a variety of PC emulators to try to find one that exhibits the same problem as Canoe, and if he can't then his solutions are based solely on looking at the SNES code and some educated guesswork.

sluffy

Super Off Road needs some experimenting.
265f = b0 00
- Checking for dumb rng preventing nitro

If fails, combine both
2632 = 90 00
- Rng #2

May take a whole race to verify nitro behavior.

rhester72

For Super Off-Road, the problem is more than just nitros, but it's definitely RNG.  The bonuses also get placed in exactly the same spots each time in canoe, so whatever's busted with the RNG, it's affecting multiple things.

Robin64

#19
Oh, it seems there's a fix for Speedy Gonzales up on this site already! Not sure how I missed that.

https://www.romhacking.net/hacks/3875/

Edit: I'm an idiot, sluffy uploaded this. :P