Sure. I'll take a poke at it.
September 24, 2019, 06:07:34 pm
I was able to reproduce the crash.
Looks like an NMI is firing when you talk to the king, and the NMI code is scrambling the stack which causes it to jump back to the wrong place when it RTIs, which causes the crash.
The culprit code is here:
$FEF7:BD 06 01 LDA $0106,X @ $01EF = #$FF A:82 X:E9 Y:00 S:E9 P:NVUBdIzc
$FEFA:85 36 STA $0036 = #$B5 A:FF X:E9 Y:00 S:E9 P:NVUBdIzc
$FEFC:C9 FF CMP #$FF A:FF X:E9 Y:00 S:E9 P:NVUBdIzc
$FEFE:D0 10 BNE $FF10 A:FF X:E9 Y:00 S:E9 P:nVUBdIZC
$FF00:BD 05 01 LDA $0105,X @ $01EE = #$98 A:FF X:E9 Y:00 S:E9 P:nVUBdIZC
$FF03:C9 96 CMP #$96 A:98 X:E9 Y:00 S:E9 P:NVUBdIzC
$FF05:90 09 BCC $FF10 A:98 X:E9 Y:00 S:E9 P:nVUBdIzC
$FF07:C9 D6 CMP #$D6 A:98 X:E9 Y:00 S:E9 P:nVUBdIzC
$FF09:B0 05 BCS $FF10 A:98 X:E9 Y:00 S:E9 P:NVUBdIzc
$FF0B:A9 D6 LDA #$D6 A:98 X:E9 Y:00 S:E9 P:NVUBdIzc
$FF0D:9D 05 01 STA $0105,X @ $01EE = #$98 A:D6 X:E9 Y:00 S:E9 P:NVUBdIzc
This code seems to be examining the interrupt return address, and if it's within the $FF96-FFD6 range, it will change the return address to $FFD6. This matches my crash reproduction, as my NMI occurred when the PC was at $FF98 and the RTI took me back to $FFD6.
Looking at the original ROM, the $FF98-FFD6 range appears to be the PRG swap code. After seeing that, it all clicked.
On MMC1, PRG swaps are serial -- you have to do 5 writes to do a swap. So what happens if an interrupt happens after only 2 of the writes? The swap would get butchered. So the interrupt handler is checking to see if it was in the middle of a swap, and if it was, just skip over the rest of it (presumably it would have performed the desired swap first).
Since MMC5 swaps are not serial, you don't have to worry about this and can probably remove all this code. That should fix the crash.
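The serial-write hazard and the return-address check described above, as an added model that is not part of the original post: the $FF96-$FFD6 range and the stack offsets come from the trace, while the spacing of the writes, the bank numbers, and the handler doing a full swap of its own are constructed assumptions.

```python
SWAP_START, SWAP_END = 0xFF96, 0xFFD6   # PRG swap routine range named in the post
WRITE_STRIDE = 8                        # assumption: one serial write every 8 bytes


class Mmc1:
    """Minimal MMC1 shift register: five serial writes (LSB first) load a register."""

    def __init__(self):
        self.shift, self.count, self.prg_bank = 0, 0, 0

    def write(self, value):
        if value & 0x80:                # bit 7 set resets the shift register
            self.shift, self.count = 0, 0
            return
        self.shift |= (value & 1) << self.count
        self.count += 1
        if self.count == 5:             # fifth write commits the 5-bit value
            self.prg_bank, self.shift, self.count = self.shift, 0, 0

    def swap(self, bank, start=0):      # the five writes of a swap, from write `start`
        for i in range(start, 5):
            self.write((bank >> i) & 1)


def nmi_fixup(stack, sp):
    """The traced check. With S as it stands after the handler pushed A, X and Y,
    $0106,X is the saved PCH and $0105,X the saved PCL; a return address inside
    the swap routine is redirected to SWAP_END. Returns the address RTI will use."""
    pch, pcl = stack[sp + 6], stack[sp + 5]
    if pch == SWAP_START >> 8 and (SWAP_START & 0xFF) <= pcl < (SWAP_END & 0xFF):
        stack[sp + 5] = SWAP_END & 0xFF
    return (stack[sp + 6] << 8) | stack[sp + 5]


def run(main_bank, nmi_after, nmi_bank, next_bank, use_fixup):
    """Main code swaps to main_bank; an NMI lands after nmi_after of its five writes,
    does a full swap of its own and returns; main code later swaps to next_bank.
    Returns (committed PRG bank, writes still pending in the shift register)."""
    mmc = Mmc1()
    for i in range(nmi_after):
        mmc.write((main_bank >> i) & 1)
    pc = SWAP_START + WRITE_STRIDE * nmi_after          # where the NMI interrupted
    stack, sp = bytearray(256), 0xEF                    # page $01, S before the NMI
    for b in (pc >> 8, pc & 0xFF, 0x24, 0xAA, 0xBB, 0xCC):  # PCH, PCL, P, then A, X, Y
        stack[sp], sp = b, sp - 1
    mmc.write(0x80)                                     # handler: reset, then its swap
    mmc.swap(nmi_bank)
    ret = nmi_fixup(stack, sp) if use_fixup else (stack[sp + 6] << 8) | stack[sp + 5]
    mmc.swap(main_bank, start=(ret - SWAP_START) // WRITE_STRIDE)  # resume main code
    mmc.swap(next_bank)                                 # a later, unrelated swap
    return mmc.prg_bank, mmc.count
```

Without the fixup the interrupted swap leaves three writes pending, so the next swap commits a bank nobody asked for; with it, the return lands at $FFD6 and the register stays clean.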