This page is a mirror of Tepples' nesdev forum mirror (URL TBD).
Last updated on Oct-18-2019 Download

Mapper hacking and debugging.

Mapper hacking and debugging.
by on (#141889)
First of all, I'm new to nes devealopment but I have some experience in Atari 2600 assembly.
What I would like to do is change a game from mapper 116 (somari) to mapper 004 (MMC3). I've been reading abut both mappers and things are starting to make sence to me. For those who don't know, mapper 116 is a combination of VRC2, MMC1 and MMC3. The board can switch from one to the other with $4100 as a control adress to do this. I'm used to patching mappers on Atari, but the mappers on nes seem a bit more complicated.

What I'm looking for here is some tips on how to go at it. What I really would love is an emulator that could interupt and debug when a bank-switch is about to happen. Right now I'm not even sure if I understand the mappers correctly.

Patching from 116 to 004 shouldn't be too hard I guess, since I have a feeling the game hardly ever uses the other 2 modes. And I don't think it uses RAM banks either (but I don't know how to check that)

The rom I'm looking at right now is 'AV Mei Shao Nv Zhan Shi'
Any help would be great.
Re: Mapper hacking and debugging.
by on (#141891)
DrWho198 wrote:
What I really would love is an emulator that could interrupt and debug when a bank-switch is about to happen.
Use FCEUX or Nintendulator's debuggers, and set a breakpoint on writes to $8000-$FFFF. (And, given m116's multicart register, $4100-$5FFF)

Quote:
Patching from 116 to 004 shouldn't be too hard I guess, since I have a feeling the game hardly ever uses the other 2 modes.
Well, assuming it's running in MMC3 mode at all...

Quote:
And I don't think it uses RAM banks either (but I don't know how to check that)
Set breakpoints for reads or writes on $6000-$7fff
Re: Mapper hacking and debugging.
by on (#141945)
A word of warning: A few emulators optimizes performance depending on the ROM you feed it with, which makes ROM/Mapper-hacking a bit more difficult than it should be. It's a bit stupid to be honest(as I've mentioned in other threads).
Re: Mapper hacking and debugging.
by on (#141962)
lidnariq wrote:
Use FCEUX or Nintendulator's debuggers, and set a breakpoint on writes to $8000-$FFFF. (And, given m116's multicart register, $4100-$5FFF)
That's how I'm trying to get a grip of things right now. But the dev's did some protecting and do a lot of unneeded switching and looping. I'm having a hard time checking what is needed and what is not. I have to keep track of what mode is activated at what time, and if the write actualy did something vallid. Since I'm only a beginner at nes mapper hacking, I'm not always sure if what I think will happen did actualy happen. And if I run the game step by step through the emulator, it sometimes doesn't show the changes of the bankswitching right away.
This method interupts even if the command was not valid. Interupting on a bank switch would make clear if it was a valid.

Quote:
Well, assuming it's running in MMC3 mode at all...
It's mostly MMC3 that is being used, if you change the mapper to 004 then the game works but with glitches.

Quote:
Set breakpoints for reads or writes on $6000-$7fff
Nice tip, didn't think about that one. Seems pretty obvious now.


oRBIT2002 wrote:
A word of warning: A few emulators optimizes performance depending on the ROM you feed it with, which makes ROM/Mapper-hacking a bit more difficult than it should be. It's a bit stupid to be honest(as I've mentioned in other threads).
Thanks for the warning, I already noticed that some emulators ignore the imap header of that rom since it often is set to mapper 004 instead of 116. I was already wondering if that might give me trouble in the future if I hack it to a real 004 mapper.
Re: Mapper hacking and debugging.
by on (#141968)
DrWho198 wrote:
I was already wondering if that might give me trouble in the future if I hack it to a real 004 mapper.

Emulators usually hash the ROM to look up correct headers in a database. Since you're modifying the ROM, the hash will be different, so the header should be honored.
Re: Mapper hacking and debugging.
by on (#141980)
tokumaru wrote:
Emulators usually hash the ROM to look up correct headers in a database. Since you're modifying the ROM, the hash will be different, so the header should be honored.
Thank you for clearing this up for me. I was actualy hoping emulators identified the roms by hash, but I was not sure.

While checking out the rom, it sometimes behaved different than I expected.
in the nesdev wiki I find this information about Mapper 116
Code:
Range,Mask:   $4000-7FFF, $4100
   $4100:  [.... .CMM]
     MM = Mapper mode
          %00 = VRC2b
          %01 = MMC3
          %02, %03 = MMC1
      C = 256K CHR ROM base (AV Girl Fighting uses this)

I now found out the anomalies had something to do with the C bit (256K CHR ROM base).
Since I don't understand what they mean with this, could someone clarify it for me? In other words, what changes when the bit is set?
Re: Mapper hacking and debugging.
by on (#141981)
MMC3 and VRC2 both appear to address a maximum 256k of CHR-ROM. From that description I would presume this selects a second 256k page, expanding it up to 512k.

i.e. C is connected to bit 18 of a 512k CHR-ROM's address bus.
Re: Mapper hacking and debugging.
by on (#141982)
The normal CHR banking registers on the MMC3 and similar only have the ability to address 256 KiB of data (8 bit microprocessor, 1KiB banks → 256 KiB). The C bit there serves as a 9th bit shared by all the CHR banks, allowing a total of 512 KiB of CHR to be addressed.

It's kinda like how VRC2 splits each CHR bank across two memory locations; one of which controls the lower 4 bits (1 KiB out of 16 KiB), and the other controls the upper 4 bits (16 KiB out of 256 KiB), only here the bit is shared across all six (or eight) CHR banks.
Re: Mapper hacking and debugging.
by on (#141983)
That sounds like the end of my attempt to convert it to MMC3.
If MMC3 is not able to access all CHR banks Mapper 116 uses, then there is no way for patching it.
Re: Mapper hacking and debugging.
by on (#141985)
Is the CHR-ROM of your target 512k in size? If not, the bit would be unused anyway.
Re: Mapper hacking and debugging.
by on (#141987)
'AV Mei Shao Nv Zhan Shi' = 'Girl Fighting', explicitly called out for using the C bit. It's 128 KiB PRG / 512 KiB CHR.
Re: Mapper hacking and debugging.
by on (#141989)
rainwarrior wrote:
Is the CHR-ROM of your target 512k in size? If not, the bit would be unused anyway.

The rom is 641kB in size, and the iNes header says it has 64 CHR banks. I don't know how to be sure of the size of the CHR rom. But I do know that the bit is set when calling the control register. and when I set it to 0 instead, the same glitches occur as if you would change the Mapper in the iNes header to 004.

Also the documentation in the wiki clearly states that only this game uses that bit, which would mean that this game is the only one that has such a large CHR rom.

lidnariq wrote:
'AV Mei Shao Nv Zhan Shi' = 'Girl Fighting', explicitly called out for using the C bit. It's 128 KiB PRG / 512 KiB CHR.

Thanks, I was writing this message while you cleared it up.
Re: Mapper hacking and debugging.
by on (#141991)
Ahh, I see. Well, if your goal is to make a repro for an MMC3 board, you could still add the needed functionality with a bit of extra wiring and a few logic ICs.
Re: Mapper hacking and debugging.
by on (#141994)
The goal was a bit of a mix. First of all I wanted to dig in nes assembly. Then I wanted to make the rom compatible with MMC3 so it would run on an unmodded board and the everdrive (yep, 116 is still not supported). And then I want to make a repro.

Sadly I will have to drop some of my goals. I was thinking of adding the extra functionality to a MMC3 cart, but I have no idea how to go at it. I know I have t isolate the condition and use a flipflop of some kind to hold the state of bit c so it can be connected to the chr eprom's pin. But the exact logic is beyond my knowledge.
Thanks for all the help guys, at least my insight of the subject has improved. Just sad that I have to cancel the project.
Re: Mapper hacking and debugging.
by on (#141999)
This is really straightforward hardware to add. It's a 74'138 and a latch such as a (74'74 or 74'161) on top of a board already containing an MMC3.

Wire the 74'138 to detect writes to $41xx by connecting:
R/W to /G1a
A13 to /G1b
M2 to G2
/ROMSEL to A
A8 to B
A14 to C
Then
74'138 /Y7 to latch CLK
CPU D2 to latch data in
latch data out to CHR A18.
Re: Mapper hacking and debugging.
by on (#142002)
lidnariq wrote:
This is really straightforward hardware to add. It's a 74'138 and a latch such as a (74'74 or 74'161) on top of a board already containing an MMC3.

Wire the 74'138 to detect writes to $41xx by connecting:
R/W to /G1a
A13 to /G1b
M2 to G2
/ROMSEL to A
A8 to B
A14 to C
Then
74'138 /Y7 to latch CLK
CPU D2 to latch data in
latch data out to CHR A18.


wow, thanks... I didn't expect this. I'll still have to check if the rom depends on the other mappers. But this information might make a repro possible again.
Re: Mapper hacking and debugging.
by on (#241487)
lidnariq wrote:
This is really straightforward hardware to add. It's a 74'138 and a latch such as a (74'74 or 74'161) on top of a board already containing an MMC3.


Seems it's not so simple. Trying to make repro of AV Mei Shao Nv Zhan Shi (Unl)
Attachment:
20190612_215858.jpg
20190612_215858.jpg [ 512.46 KiB | Viewed 3865 times ]


If mmc3 completely ignore writing to $41xx then this game should work on mapper 04 (just with broken graphics).
Probably 116 mapper do something with mmc3 registers on writing to $41xx because game behaves wrong (on character selection screen and during fight I have freeze and garbled graphics).

For easier reproduction we can change code and move control register for CHR to $6000, because no WRAM in this game and we can use signals from mmc3 instead of 74'138 (like in mapper 189).
If only we can make the rest code work on mapper 4.
Re: Mapper hacking and debugging.
by on (#241494)
If it crashes like that, odds are good that it's using MMC1 mode in order to change what would be MMC3's fixed bank, and so I fear an MMC3 mapper hack would be impossible.