==============================================================================
C R A Z Y N A T i O N
GAMECUBE LOW LEVEL INFO [lastupdate:05/30/02] BY TITANIK
==============================================================================
Ok guys, this doc design is shit, also note that some part may be 100% wrong,
put some parts are ok so I guess it can be usefull in some way ;-) Will be
fixed with time hehe...
In this doc, most of the time (hehe) bit 0 is the least significant bit
(like in most cases, but not with the powerpc usually..)
Most of the values are in Hexa, if not, they are in Decimal ;-)
==========
0. INDEX
==========
0 - Index
1 - Memory Map
1.1 - Overview
1.2 - Ram map
2 - Harware registers
3 - Disk & File structure
4 - Run flow
===============
1. MEMORY MAP
===============
1.1. OVERVIEW
-------------
start addr
-----------
00000000 Physical address of the RAM
80000000 Logical address of the RAM, cached
C0000000 Same RAM but not cached
CC000000 Hardware registers
1.2. RAM MAP
------------
address length
-------- --------
80000000 4 DiskID : GameName
80000004 2 DiskID : Company
80000006 1 DiskID : Disk ID
80000007 1 DiskID : Version
80000008 1 DiskID : Streaming 0 = audio streaming off
80000009 1 DiskID : StreamBufSize
8000000a 15 padding(0)
80000020 4 Magic word (how did the console boot?)
80000024 4 Version
80000028 4 Memory Size
8000002C 4 Console type
bit 31 : [0 = retail console, 1 = dev console]
00000001 = Retail1
00000002 = Retail2
1XXXXXXX = Devkits
80000030 4 ArenaLo
80000034 4 ArenaHi
80000038 4 FST Location in ram
8000003C 4 FST Max Length
800000CC 4 0 = runned from bios ? 1 = runned from cd ?
800000F0 4 Simulated Memory Size
800000F4 4 Pad Spec (?)
80000100 System Reset Interrupt
80000200 Machine Check Interrupt
80000300 DSI Interrupt
80000400 ISI Interrupt
80000500 External Interrupt
80000600 Alignment Interrupt
80000700 Program Interrupt
80000800 FP unavailable Interrupt
80000900 Decrementer Interrupt
80000C00 System Call
(All those interrupt, except system reset, are leading to the
same devkit-gamecube-exception-handler)
800030E0 16 Pad etc ? pad à 30E4 et E9 ?
800030F2 1 Boot status
0 = first boot
1 = already booted
80003100 ? Start of code (usually)
80003140 ? Entry point (sometimes;)
=======================
2. HARDWARE REGISTERS
=======================
2.1. OVERVIEW
-------------
CC002000 VI - Video Interface
CC003000 Interrupt Interface
CC004000 MI - Memory Interface
CC005000 AI - Audio Interface
CC006000 DI - DVD Interface
CC006400 SI - Serial Interface
CC006800 EXI - External Interface
CC006C00 Streaming Interface
CC008000 GX FIFO (Graphic display lists)
VIDEO INTERFACE (VI)
--------------------
CC002002 = status
CC00201C = Physical address of Frame Buffer #1 (32 bytes alignement)
CC002024 = Physical address of Frame Buffer #2 (32 bytes alignement)
CC00202C = current halfline1 (10 bits) (use it to make a Vsync routine)
CC00202E = current halfline2 (10 bits)
CC00206C = Video status, bit 0 = progressive scan? (halfword)
Video Init
----------
Depending on the video mode, copy the values to the video registers.
(from 0xcc002000)
u32 vid640480ntsc[] = {
0x0F060001, 0x476901AD, 0x02EA5140, 0x00030018,
0x00020019, 0x410C410C, 0x40ED40ED, 0x00435A4E,
0x00000000, 0x00435A4E, 0x00000000, 0x00000000,
0x110701AE, 0x10010001, 0x00010001, 0x00010001,
0x00000000, 0x00000000, 0x28500100, 0x1AE771F0,
0x0DB4A574, 0x00C1188E, 0xC4C0CBE2, 0xFCECDECF,
0x13130F08, 0x00080C0F, 0x00FF0000, 0x00000000,
0x02800000, 0x000000FF, 0x00FF00FF, 0x00FF00FF};
u32 vid640480pal60[] = {
0x0F060001, 0x476901AD, 0x02EA5140, 0x00030018,
0x00020019, 0x410C410C, 0x40ED40ED, 0x00435A4E,
0x00000000, 0x00435A4E, 0x00000000, 0x00050176,
0x110701AE, 0x10010001, 0x00010001, 0x00010001,
0x00000000, 0x00000000, 0x28500100, 0x1AE771F0,
0x0DB4A574, 0x00C1188E, 0xC4C0CBE2, 0xFCECDECF,
0x13130F08, 0x00080C0F, 0x00FF0000, 0x00000000,
0x02800000, 0x000000FF, 0x00FF00FF, 0x00FF00FF};
u32 vid640480pal50[] = {
0x11F50101, 0x4B6A01B0, 0x02F85640, 0x00010023,
0x00000024, 0x4D2B4D6D, 0x4D8A4D4C, 0x00435A4E,
0x00000000, 0x00435A4E, 0x00000000, 0x013C0144,
0x113901B1, 0x10010001, 0x00010001, 0x00010001,
0x00000000, 0x00000000, 0x28500100, 0x1AE771F0,
0x0DB4A574, 0x00C1188E, 0xC4C0CBE2, 0xFCECDECF,
0x13130F08, 0x00080C0F, 0x00FF0000, 0x00000000,
0x02800000, 0x000000FF, 0x00FF00FF, 0x00FF00FF};
INTERRUPT INTERFACE (II)
------------------------
CC003004 = Interrupt cause
AUDIO INTERFACE (AI) (accessed by 16 bits)
--------------------
CC005000 = DSP Status
CC00500A = DSP Control
CC005030 = DMA Start address (High)
CC005032 = DMA Start address (Low)
CC005036 = DMA Control - DMA length
CC00503A = DMA Bytes left
DRIVE INFO (INQUIRY)
--------------------
DMA Control <- DMA Control or 00008000
STREAMING INTERFACE (AI)
--------------------
CC006C00 = StreamStatus (r/w)
CC006C04 = StreamVolume
CC006C08 = StreamSampleCount
CC006C0C = StreamTrigger
DVD INTERFACE (DI) (accessed by 32 bits)
------------------
address length
-------- ------
CC006000 4 status1
6004 4 status2
bit 29 & 30 = cover info? wr bit 1 = wait for cover? (all PPC)
6008 1 command
6009 1 subcommand
600A 2 subcommand2
600C 4 offset (shr 2)
6010 4 source length
6014 4 destination buffer
6018 4 destination length
601C 4 action
bit 0 = execute command
bit 1 = use destination buffer
6020 4 errorcode
6024 4 config (only in lsb) ®
(access by word)
DRIVE INFO (INQUIRY)
--------------------
Command/Subcommand/Padding <- 12000000
Offset <- 0
SLength <- 20h
Buffer <- Address in ram of the buffer
DLength <- 20h
Action <- 3
output buffer:
0000-0001 revisionLevel
0002-0003 deviceCode
0004-0007 releaseDate
0008-001F padding(0)
READ
--------------------
Command/Subcommand/Padding <- A8000000
Offset <- Position on DVD shr 2
SLength <- Length of the read
Buffer <- Address in ram of the buffer
DLength <- SLength
Action <- 3
SEEK
--------------------
Command/Subcommand/Padding <- AB000000
Offset <- Position on DVD shr 2
Action <- 1
REQUEST ERROR
--------------------
Command/Subcommand/Padding <- E0000000
Action <- 1
AUDIOSTREAM
--------------------
Command/Subcommand/Padding <- E1??0000 ?? = subcommand
Offset <- Position on DVD shr 2
SLength <- Length of the stream
Action <- 1
REQUEST AUDIO STATUS
--------------------
Command/Subcommand/Padding <- E2000000
Action <- 1
STOP MOTOR
--------------------
Command/Subcommand/Padding <- E3000000
Action <- 1
DVD AUDIO DISABLE
--------------------
Command/Subcommand/Padding <- E4000000
Action <- 1
DVD AUDIO ENABLE
--------------------
Command/Subcommand/Padding <- E4010000
Action <- 1
ACK (???)
---------
Status2 <- Status2
INIT (???)
----------
Status1 <- 2Ah
Status2 <- 0
WAIT FOR COVER CLOSE (???)
--------------------------
CC006004 <- 2
check CC006004 bits 29(ppc) et 30(ppc)
SERIAL INTERFACE (SI) (32 bits access only)
-------------------------------------------
address length
-------- ------
CC006400 12 Joychannel 1
CC00640C 12 Joychannel 2
CC006418 12 Joychannel 3
CC006424 12 Joychannel 4
6430 4 Calibration gun ?
6434 4 command (r/w)
6438 4 channel select & status2
6480 128 SI output/input buffer (pifram
(access by word)
A channel can be 0, 1, 2 or 3 and represent one of the joystick port
JOYCHANNEL STRUCTURE
--------------------
Analog buttons are 8 bit unsigned
0000-0003 Command (00 40 03 00)
0004-0005 digital buttons: LEFT = 0001
RIGHT = 0002
DOWN = 0004
UP = 0008
TRG-R = 0020
TRG-R = 0040
A = 0100
B = 0200
X = 0400
Y = 0800
START = 1000
0006 Analog X
0007 Analog Y
0008 C Analog X
0009 C Analog Y
000A Analog Trigger L
000B Analog Trigger R
SERIAL SEND BUFFER
------------------
1. Do a channel select:
a. find mask corresponding to channel
channel 0 : mask = 0F000000
channel 1 : mask = 000F0000
channel 2 : mask = 00000F00
channel 3 : mask = 0000000F
b. temp <- [CC006438]
c. [CC006438] <- temp AND mask
2. Put output data into SI buffer (128 bytes maximum), word
by word.
3. Send command
a. temp <- [CC006434]
b. [CC006434] <- TTTTTCC1 TMMMMMMM TNNNNNNN 1BTTTTTT
where T = bit coming from temp
CC = channel #
MMMMMMM = number of bytes we want in return (AND 7F)
NNNNNNN = number of bytes we want to send (AND 7F)
B = [0 if no callback, 1 if callback]
(note that to send 128 bytes, nnnnnnn=0)
SERIAL GET RESULT
------------------
simply read the SI buffer
INIT (?)
----------
1. wait until bit 31 [CC006434] = 0
2. put it to 1
===========================
3. DISK & FILE STRUCTURES
===========================
Disk header at offset 00000000
0000-0003 GameName
0004-0005 Comany
0006 Disk ID
0007 Version
0008 Streaming
0009 StreamBufSize
0420-0424 offset of main executable DOL
0424-0427 offset of the FST
Apploader at offset 00002440
0000-0009 Date (version) of the apploader in ASCII
000A-000F padding (0)
0010-0013 Apploader entrypoint
0014-0017 size of the apploader (32 bit)
0020-.... Apploader code (loaded at 81200000 in RAM)
Dol file format
Header Size = 100h bytes
0000-001B Text[0..7] sections File Positions
001C-0047 Data[0..10] sections File Positions
0048-0063 Text[0..7] sections Mem Address
0064-008F Data[0..10] sections Mem Address
0090-00AB Text[0..7] sections Sizes
00AC-00D7 Data[0..10] sections Sizes
00D8 BSS Mem address
00DC BSS Size
00E0 Entry Point
0100-.... Start of sections datas (body)
FST format
1st 32bits = nb of files, then we get a structure repeated for each file
structure looks like that :
NameOffset (32bits), diskAddr (32bits), fileSize (32bits)
if bit 31 of Nameoffset is set, it means we are entering in a directory,
that contains [fileSize] files
=============
4. RUN FLOW
=============
1. Bootrom
The 2MB ROM can be accesses using External DMA Read from address 00000000.
It's in charge of the starting intro/menus, and to load a game it calls
functions of the Apploader.
Here is the bootrom layout :
addr length
======== ========
00000000 00000100 Copyright message
00000100 ???????? BIOS (crypted :/)
001AFF00 0004D000 ROM Fonts #1
001FCF00 00003000 ROM Fonts #2
2. Apploader
The Apploader provides functions to the bootrom that load the game (using
bootrom read DVD functions)
At first, the bios calls the Apploader entrypoint with r3, r4, and r5
pointing to a free space for a 32 bit value.
at [r3] there will be the address of the Apploader Init function
at [r4] there will be the address of the Apploader Main Loading function
at [r5] there will be the address of the Apploader Closing function
The bootrom calls the Init function, then the Main function in a loop,
then the Closing function.
Apploader Entrypoint
Input values :
r3 = Address where to put the address of the Init function
r4 = Address where to put the address of the Main Loading function
r5 = Address where to put the address of the Closing function
Return values :
?
Init function
Input values :
?
Return values :
?
Main Loader function
Input values :
r3 = Address where to put the Memory destination of the disk read
r4 = Address where to put the Size of the disk read
r5 = Address where to put the Starting position of the disk read
Return value:
r3 = 0 if everything is already loaded
= 1 (or !=0) if main function should be called again
Closing function
Return value: r3 = entry point
3. Main DOL executable
==============================================================================
-------------------------[crazynation in mmii & mmiii]------------------------
==============================================================================