Game King --------- 041816 V1.00 By K.Horton (Kevtris) Aaah, the Game King. This is an interestingish handheld videogame system released sometime around 2003/2004 timeframe. It uses a Sunplus chip (we think) which appears to be a lot more capable than what the Gameking (hereafter the GK) uses. It's based around a 65C02 running at 6MHz, but it has some slight modifications (noted in the software overview below). 512K of ROM is present and is used to make a BIOS and store the 3 built in games. Apparently there's a whole "learning computer" attachment/device related to the GK, but I do not own one. If/when one is available I may revisit this document and add that stuff to it. I have not fully documented the chip used in the GK because a bunch of it would be really tough to reverse engineer, and many of the IOs that use these peripherals might not even be bonded out. The undocumented parts are not being used by any known software, however, so I don't think this will matter too much. In fact I "overdocumented" things a bit and documented things not being used by known code. Hardware overview ----------------- (Thanks to Brian Provinciano for the initial cart pinout and a few other things) The complete pinout of the cartridge port: +----------------+ | | | | | | | (label) | | | | | | | +-+------------+-+ |||||||||||||| 30 1 top fingers (60) (31) bottom fingers 1 - VCC 2 - glop #46 3 - glop #45 4 - glop #44 5 - glop #43 6 - glop #57 7 - glop #56 8 - glop #55 9 - glop #54 10 - pulls high thru transistor when LCD is on (think it's to power down stuff) 11 - D7 12 - D5 13 - D3 14 - D1 15 - /RST (can pull low) 16 - /CE 4 17 - /CE 2 18 - /CE 0 (connects to /CE on cart ROM) 19 - A21 20 - A19 21 - A17 22 - A15 23 - A13 24 - A11 25 - A9 26 - A7 27 - A5 28 - A3 29 - A1 30 - GND A30 B1 31 - GND 32 - glop #71 33 - glop #70 34 - glop #69 35 - glop #68 36 - glop #67 37 - glop #66 38 - glop #65 39 - glop #64 40 - GND 41 - D6 42 - D4 43 - D2 44 - D0 45 - /WR 46 - /RD 47 - /CE 3 48 - /CE 8 49 - A20 50 - A18 51 - A16 52 - A14 53 - A12 54 - A10 55 - A8 56 - A6 57 - A4 58 - A2 59 - A0 60 - VCC Pins 2-9 and 32-39 are 16 bits of general purpose IO. The cartridges never seem to use it. There's also a plethora of chip enables which go unused. Only /CE 0 is ever used. It connects to /CE of the cartridge ROM. The /RD and /WR signals are never used either. Pin 10 is usually connected to VCC on the cartridges, but it would allow the system to power down the LCD bias if it's disconnected. Apparently there was a bug in the software or something so it's effectively disabled. There's a couple transistors to connect it to VCC under port control. /RST can be driven low to reset the system. It's connected to an RC circuit, and also to the reset button on the front. It goes low on start due to the capacitor, and driving it low with the button or external circuitry will reset the system. The gloptop pinout is probably not terribly interesting, but I ended up figuring this out too, so here it is. (pin 1 position is totally arbitrary) 1 - A0 2 - A1 3 - A2 4 - A3 5 - A4 6 - A5 7 - A6 8 - A7 9 - A17 10 - VCC 11 - A18 12 - A19 13 - A20 14 - A21 15 - /CE 8 16 - A8 17 - A9 18 - A10 19 - A11 20 - A12 21 - A13 22 - A14 23 - A15 24 - A16 25 - LCD controller #5 26 - GND 27 - LCD controller #4 28 - LCD controller #2 29 - LCD controller #8 30 - LCD controller #1 31 - LCD controller #3 32 - LCD controller #7 + other stuff then cart #10 33 - /RST ("S2" on old pinout) cart #15 34 - connects thru 100K resistor to another chip pin + other things... relates to VLED? 35 - VCC 36 - 6MHz xtal 37 - 6MHz xtal 38 - 32.768KHz xtal 39 - 32.768KHz xtal 40 - GND 41 - start 42 - GND 43 - cart #5 44 - cart #4 45 - cart #3 46 - cart #2 47 - select 48 - A 49 - B 50 - up 51 - down 52 - left 53 - right 54 - cart #9 55 - cart #8 56 - cart #7 57 - cart #6 58 - R4, 100K, high = power LED on 59 - JP4 (not connected) 60 - GND 61 - audio, connects to leg of volume pot then to speaker 62 - audio, connects to other side of speaker 63 - connects through a Schottky diode to VCC along with a diode. might be battery backup 64 - cart #39 65 - cart #38 66 - cart #37 67 - cart #36 68 - cart #35 69 - cart #34 70 - cart #33 71 - cart #32 72 - /CE 0 73 - /CE 2 74 - /CE 3 75 - /CE 4 76 - other side of 100K resistor (pin 34) 77 - TXDAT 78 - RXDAT 79 - /WR 80 - /RD 81 - GND 82 - D7 83 - D6 84 - D5 85 - D4 86 - D3 87 - D2 88 - D1 89 - D0 There is a mode jumper which appears to be used to set the region of the system. It's normally open (so reads high). Soldering it pulls it low. The code reads it first thing in the register init portion. On the loading screen where it says "TIME TOP" it makes some more text in Chinese appear above it. Everything runs on 3V, and there is literally no power supply at all- it's just the batteries connected through a switch, straight to everything! One benefit of this is that battery life is maximized due to the lack of wasted power in a regulator. The system already draws a stupidly low current of 4-5ma idle and 10-16ma max at full volume with the game running. Typically it's around 8ma. Power source is two AAA cells. Audio is produced by a small speaker, and is very interesting. There's ZERO in the way of audio amplification- the speaker is directly connected to two chip pins through the 2K volume pot! Audio is totally PWM based, and the games use the signed 8 bit PWM mode for all sounds/music. Interestingly there are two square channels and a noise channel, but they go unused. Also interesting is the code is actually in there to use them for music, but as far as I am aware, the games do not use it. Video is output on a crappy 48*32 pixel LCD. Interestingly, the GK's chip can drive a much much much larger (say, 160*160 pixel) LCD! The LCD controller is extremely versatile and all the timing is fully programmable. This is another thing that makes me suspect the chip is designed for a "learning computer". The LCD is being refreshed at 120Hz or so, but it takes three scans of the screen to draw 1 "frame". This is because the chip is effectively using PWM on the LCD for the 4 level greyscale. For a particular frame, the timing looks like this: grey: 0 1 2 3 ------- 0 0 0 1 refresh 1 0 1 1 1 refresh 2 0 0 1 1 refresh 3 The LCD controller can also output monochrome, but the GK does not use this mode. It only ever uses the 2bpp mode and packs 4 pixels into each byte of RAM. Finally, there is a 3.5mm (1/8") stereo jack on the system for a link port. It has TXD and RXD marked (and ground) so it obviously is a serial port of some kind. I made it output SOME signals but never could get it to spit out serial data that was recognizable on the scope. It does not get used by any game so it's there but kind of an appendix. Software Overview ----------------- Software on the system is fairly interesting. There's a built in 512K byte BIOS ROM which contains a true BIOS, and three games. The startup swooshing and three built in games reside here. The software all seems to use the BIOS, and only this BIOS actually ever writes to registers as far as I can tell. I could be wrong on this, but on the stuff I saw, the BIOS does most of the hardware heavy lifting. The CPU as specified earlier, is a 65C02 with some additions to it. Instead of the usual 3 vectors, this CPU has no less than 15. They also map to 7Fxxh instead of FFxxh. More info about the vectors is listed in the register section under interrupts. Also interesting about the vectors, is when an IRQ occurs, it forces the bank at 4000-7FFF to an internal ROM bank. This way, interrupts always are serviced by the BIOS. I am not 100% sure what controls this, or if this always happens. But the games definitely rely on it. Without it, they will crash fairly quick. It switches in the 4000-7FFFh area of the BIOS into 4000-7FFFh in CPU space. When an RTI occurs, it restores the previous bank. Memory Map: ----------- 0000-007F : system registers 0080-27FF : RAM 2800-3FFF : open bus 4000-7FFF : 16K selectable bank of ROM 8000-FFFF : 32K selectable bank of ROM The memory map is pretty simple on here, and only consists of two bankable blocks. More information about how memory mapping works is below in the register description. Register Description -------------------- Registers are broken up into logical functional groups to make digesting it easier. IO Ports: --------- There are 5 IO ports on the chip. Each IO port appears to be the same, and includes the IO port register itself, and a data direction register (DDR). The port's register will always return the instantaneous voltage on that particular port pin. i.e. low = 0, high = 1, regardless of the DDR setting. The DDR register that corresponds to the particular IO port controls whether the output drivers for a particular port pin will be active. A 1 bit will enable the output drivers, and each port pin can sink or source approximately 10ma. When a bit is 0, it will disable the output drivers. If a particular IO port pin is set to input via the DDR register, then writing to the port will control the weak pullups on that port. If a 1 is written, the port will source approximately 200uA, and if a 0 is written, the pin floats and is not driven at all. If this is a little confusing, here's an example: Port 0 is at 0000h (port register) and 0008h (DDR). for each port bit... port: DDR: pin: -------------------- 0 0 floating (pure "input") 1 0 200uA pullup for reading buttons or similar 0 1 10ma sinking (pull low) 1 1 10ma sourcing (pull high) 0000: (FF) IO port 0 0 - ? 1 - Start (low = pressed) 2 - ? 3 - ? 4 - Cart pin #5 5 - Cart pin #4 6 - Cart pin #3 7 - Cart pin #2 0001: (FF) IO port 1 0 - ? 1 - Select (low = pressed) 2 - A (low = pressed) 3 - B (low = pressed) 4 - Up (low = pressed) 5 - Down (low = pressed) 6 - Left (low = pressed) 7 - Right (low = pressed) 0002: (00) IO port 2 0 - Cart pin #9 1 - Cart pin #8 2 - Cart pin #7 3 - Cart pin #6 4 - ? 5 - ? 6 - Power LED. high = on 7 - mode jumper on PCB. low = soldered, high = unsoldered 0003: (DF) control register? 0 - ? 1 - ? 2 - ? 3 - ? 4 - ? 5 - ? 6 - ? 7 - ? 0004: (FF) IO port 4 0 - Cart pin #39 1 - Cart pin #38 2 - Cart pin #37 3 - Cart pin #36 4 - Cart pin #35 5 - Cart pin #34 6 - Cart pin #33 7 - Cart pin #32 0005: (FF) Port 2's "attribute" register. set bits act as normal IO, clear bits are special function. GK never uses the special functions so I haven't really tested it much. 0006: (FF) Not used? Always returns 1's. GK never reads or writes 0007: (FF) Not used? Always returns 1's. GK never reads or writes 0008: (00) DDR 0 corresponds to port 0 0009: (00) DDR 1 corresponds to port 1 000A: (40) DDR 2 corresponds to port 2 000B: (7F) control register? 000C: (00) DDR 4 corresponds to port 4 000D: (00) Not sure. GK firmware writes once. 000E: (DF) Not sure. writing here causes CPU to no longer read ROM area. (the bus accesses occur, but my bootstrap seems to not be getting the data.) GK firmware writes once. 000F: (D0) Not sure. writing here crashes the CPU. the GK firmware sets this once only. Audio: ------ Audio on the GK is fairly complicated. The system can play samples, and indeed the games all seem to be able to play 2 samples at once- one for the music and one for the sound effects. However, it appears the audio hardware is much more capable than this. Even though samples can be played, the audio coming out of the GK is 100% digital. There are two audio pins which connect directly to the speaker through a 2K volume pot. The GK is using them to send PWM'd audio to the speaker in a push pull fashion. One line will be held high, while the other PWMs for i.e. positive speaker excursions, and then for negative excursions, the first line is held high and the other PWM's. The games all tend to use the 46.9KHz PWM mode, which results in a sample rate of 46.9KHz. This is the 6MHz system clock divided by 128, resulting in exactly 7 bits worth of PWM. Because there are two outputs, they are used in a "push pull" fashion to get 8 bits of PWM- the 7 bit PWM plus sign (which PWM to use) for a total of 8 bits. Interestingly this chip can actually produce two square waves of varying volume, and a noise source via LFSR too. Square waves: ------------- The first four registers (0010-0013) can be used to generate square waves. Each specifies a 12 bit divisor used to divide the audio clock down. The audio clock is specified in the audio mode register, 0016. Register 0010 and 0011 form a 12 bit value that is used to reload a counter. This counter increments once per audio clock, and when it reaches FFFh, it reloads the 12 bit value from 0010/0011 and starts counting again. Each time this happens, an output clock occurs which will update the square wave. It takes 4 of these overflows to generate 1 cycle of the square wave. The square waves are always 50% duty cycle. So, if the registers are loaded with 0FEDh, the counter will overflow at 1000h-FEDh = 13h (19 decimal). So the output square wave will be 1/4th this rate. At a 6MHz audio clock rate, this means a 78.947KHz square wave is produced. This obviously a tad above human hearing. Normally a divide by 6 or similar mode is used to provide a much saner audio clock. PWM: ---- The games all use the 8 bit signed PWM mode. There's actually TWO PWM modes - 7 bit unsigned, and 7 bit signed. In 7 bit mode, the two audio output pins will produce opposite polarity square waves whose duty cycle is dependent on the the value written into the PWM register. In 7 bit signed mode, the value 0 will produce a 50% duty cycle square wave, a value of C0h will produce a 0% duty square wave, and a value of 3Fh will produce a 126/127% duty cycle square wave (close to 100%). In 8 bit signed mode (double ended), All values of the PWM register are valid. 0 produces no PWM pulses only, and both audio output lines idle high. A value of 40h produces a 50% duty cycle square wave on one line, keeping the other high, and a value of 7Fh produces close to 100% duty on the same line. A value of C0h produces a 50% duty cycle square wave on the second line while keeping the first high. When emulating, one can simply left shift the 7 bit signed value to make it 8 bits, and use the 8 bit value as-is to produce a signed sample to output to the speakers. Noise: ------ The noise is generated using a 15 bit LFSR. Its feedback is off of taps 13 and 14 (assuming the LFSR is a 15 bit register, that shifts left and bit 0 is the LSB and bit 14 is the MSB). The two bits are simply XOR'd together and fed back into bit 0 every time it shifts. This results in the usual maximal length of 2^15-1 or 32767 bits before it repeats. It is loaded with all 1's on reset. 0010: (00) (readable) Low byte of frequency, square 1. Returns the instantaneous counter value. 0011: (f0) (readable) High byte of frequency, square 1 (lower 4 bits only) Returns the instantaneous counter value. 0 - frequency high 1 - frequency high 2 - frequency high 3 - frequency high 4 - ? returns 1 when read always. 5 - ? returns 1 when read always. 6 - ? returns 1 when read always. 7 - ? returns 1 when read always. 0012: (bf) (readable) Low byte of frequency, square 2. Returns the instantaneous counter value. 0013: (fe) (readable) High byte of frequency, square 2 (lower 4 bits only) Returns the instantaneous counter value. 0 - frequency high 1 - frequency high 2 - frequency high 3 - frequency high 4 - ? returns 1 when read always. 5 - ? returns 1 when read always. 6 - ? returns 1 when read always. 7 - ? returns 1 when read always. Note: registers 0012 and 0013 change function depending on which mode the audio system is in. Square 2 selected: ------------------ These registers work exactly the same as 0010 and 0011. PWM / Noise selected: --------------------- These registers change function as so: The lower 6 bits of 0012 become the prescaler for the PWM unit. The GK firmware sets this to 3Fh, so that the prescaler divides by 1. This means the PWM unit is updated at the full 6MHz clock rate, but it does not have to. Like before, this prescaler counters up and when it reaches 3Fh, it reloads and pulses the PWM hardware in this case. The upper 2 bits of 0012 and the lower 4 bits of 0013 form a second 6 bit counter (bit order: XXXXYY where X is the 0013 bits and Y is the 0012 bits). This counter counts every time a PWM sample is generated (or the LFSR shifts) and when it reaches 3Fh, it is reloaded from said 6 bits and fires off a channel 2 interrupt (if enabled). The GK firmware writes 3Ah in here, which means an interrupt occurs every time 6 PWM samples are played. This sets the characteristic sample rate of the audio which is approximately 7.8KHz. This is calculated like so: (6MHz / 128) / 6. In noise mode, channel 2 DOES NOT produce interrupts. In square mode, channel 2's interrupt will be output each time the square wave toggles. 0014: (00) (readable) PWM value. PWM value is signed. In single-ended PWM mode, the PWM value 00h is silence, 3Fh is maximum positive excursion, and C0h is minimum negative excursion. In bidirectional PWM mode, the PWM value 00h is again silence, 7Fh now is maximum positive excursion, and 80h is minimum negative excursion. 0015: (ff) Never used. Reads as 0ffh regardless of value written. 0016: (8d) (readable) Audio control register 0 - Mode 1 - Mode 2 - Mode 3 - Mode 4 - Prescaler 5 - Prescaler 6 - Prescaler 7 - ? - returns 1 when read always. Modes: 0 - silence (bit 7 of 0017 runs to negative output inverted) 1 - PWM (single ended) 2 - square 1 3 - silence (both outputs low) 4 - square 2 5 - PWM (double ended, one signal out of phase. not used) 6 - square 1 + square 2 7 - silence (one output high, one output low) 8 - silence (bit 7 of 0017 will run to negative output) 9 - PWM (single ended + inverted) silent a - square 1 b - silence (both outputs low) c - noise d - PWM (double ended + inverted) e - square 1 + noise f - silence (both outputs low) int B's are NOT generated for modes 0,2,8,A,C,E The PWM can be single ended (both outputs will produce the PWM signal) or bidirectional (only one output will produce a signal at a time while the ether is held high). Usually mode d is selected on the GK. This provides a double ended PWM which allows for a full signed 8 bit audio sample to be played. The PWM generator is only 7 bits, but in bidirectional mode, the two PWMs can be switched between which allows for both negative and positive excursions of the speaker. This then produces an effective 8th bit. In single ended PWM mode, both outputs will produce the same waveform. As such, the PWM is only 7 bits. For this, mode 1 should be selected. This makes the two PWM outputs produce an out of phase signal for maximum volume. i.e. the negative output will be inverted relative to the positive one. Prescaler: The prescaler divides (or multiplies!) the incoming clock by the following amounts: 0 - divide by 1 (6MHz) 1 - divide by 2 (3MHz) 2 - divide by 4 (1.5MHz) 3 - divide by 6 (1MHz) 4 - multiply by 2 (12MHz) 5 - multiply by 2 (12MHz) 6 - multiply by 2 (12MHz) 7 - 32.768KHz oscillator (32.768KHz) 0017: (00) (readable) Volume control. Basically PWMs the square waves and noise channel to perform volume control on them. 0 - channel 1 volume 1 - channel 1 volume 2 - channel 1 volume 3 - channel 1 volume 4 - channel 2 volume 5 - channel 2 volume 6 - channel 2 volume 7 - channel 2 volume Depending on the settings of the mode bits in register 0016, channel 1/2 are mapped as follows: 0 - bit 7 controls the negative PWM output. The positive output is always high. if this bit is cleared, then the negative output of the PWM will also be high resulting in silence and 0 current draw. If this bit is set, then the negative output goes low, which will then apply power to the speaker, a max of 10ma. Doesn't hurt anything but will shorten battery life a bit. 1 - not used 2 - square 1 is mapped to both channel 1 and 2 3 - not used 4 - square 2 is mapped to both channel 1 and 2 5 - not used 6 - square 1 is mapped to channel 1, square 2 is mapped to channel 2 7 - not used 8 - same as 0 9 - not used a - same as 2 b - not used c - noise is mapped to both channel 1 and 2 d - not used e - square 1 is mapped to channel 1, noise is mapped to channel 2 f - not used The volume control PWM has 32 steps. Depending on the volume setting, the particular channel will be output 0, 1, 2, 3, ... 14, or 16 times per volume PWM cycle. The values 0-Eh produce a linear ramp in volume, then Fh turns the output on for all 16 cycles. Thus, 15 is skipped. The two channels are interleaved, such that channel 1 is output for 1 PWM period, then channel 2 is output the next period, and so on. This volume PWM runs at 6MHz/32 = 187.5KHz. This can cause some mixing/heterodyning if the square 1/2 rates are set too high. 0018: (ff) Never used. Reads as 0ffh regardless of value written. 0019: (ff) Never used. Reads as 0ffh regardless of value written. 001A: (ff) Never used. Reads as 0ffh regardless of value written. 001B: (ff) Never used. Reads as 0ffh regardless of value written. 001C: (ff) Never used. Reads as 0ffh regardless of value written. 001D: (ff) Never used. Reads as 0ffh regardless of value written. 001E: (ff) Never used. Reads as 0ffh regardless of value written. 001F: (ff) Never used. Reads as 0ffh regardless of value written. 0020: (01) Timer 0. Runs off the 32.768KHz oscillator. This sets the divisor for the one shot mode below. This is only written to once. 0 - mode 1 - mode 2 - mode 3 - mode 4 - mode 5 - always reads as 1 6 - always reads as 1 7 - always reads as 1 mode: 00 - disabled 01 - 2Hz 02-03 - 8Hz 04-07 - 64Hz 08-0F - 256Hz 10-1F - 2KHz 0021: (??) One shot interrupt timer. If bit 7 is written set, then the one shot interrupt is started. The interrupt will occur when timer 0 overflows. The GK will write to this register with 80h to keep the interrupts going in the interrupt handler. 0022: (??) Never read or written. Returns FFh at all times 0023: (C0) Timer 1 enable? Writing here enables timer 1 if bit 6 is set and bit 5 is clear. i.e. C0-DF will make the timer run. anything else seems to stop the timer. Probably selects a timer mode of some kind like capture/compare and PWM which is not used on GK. C0h is written here once and never touched again. 0024: (F4) TCON reg for timer 1. The time base is the system clock (6MHz). It is either divided down by the prescaler at 0025, or it is just divided by 256. GK writes 34h here once. 0 - Step size 1 - Step size 2 - Step size 3 - ? - toggling this doesn't seem to affect anything 4 - 1 = use prescaler at 0025, 0 = divide by 256 5 - 1 = enable timer, 0 = disable timer 6 - ? - reads as 1 7 - ? - reads as 1 step size: 0 - /65536 1 - /32768 2 - /8192 3 - /2048 4 - /256 5 - /32 6 - /8 7 - /2 0025: (1F) Timer 1 prescaler. Divides the CPU clock by this value. It is a "count up" style prescaler. FFh = divide by 1, 00h = divide by 256. Reading returns the instantaneous timer value. GK writes 49h here once which corresponds to a divisor of 183 decimal. A note about timer 1: The interrupt will occur when the timer chain overflows. This means on the GK, the 6MHz clock is first divided by the prescaler, then runs through the stepsize dividers. Once the stepsize divider overflows, the interrupt is generated. i.e., on the GK they load 49h into the prescaler and enable it, then select /256 mode. This produces around a 128Hz interrupt rate. The actual rate is: 6MHz / (256-73) / 256 = 128.07377Hz. 0026: (1A) Timer 2. GK writes 1Ah here once. this corresponds to a 512Hz speed. 0 - mode 1 - mode 2 - ? 3 - 1 = let timer run, 0 = stop timer 4 - speed 5 - ? always reads 1's 6 - ? always reads 1's 7 - ? always reads 1's mode: (speed = 0) 0 - 500mHz 1 - 1Hz 2 - 2Hz 3 - no interrupts (speed = 1) 0 - 128Hz 1 - 256Hz 2 - 512Hz 3 - no interrupts 0027: (FF) Never read or written. Returns FFh at all times DMA system: ----------- The DMA below registers specify a source and destination address for the DMA. The length registers specify the length. A value of 0000h will DMA 1 byte, a value of 0001h will DMA 2 bytes, and so on. Only the lower 4 bits of the DMA length high register are used for length, which means the largest transfer that can be done is 4096 bytes. The DMA will start when 002Ch is written to. The DMA registers will update from the DMA. i.e. if 5000h is loaded into source, and 6000h is loaded into destination, and 00ffh is loaded into length, the DMA will transfer 100h bytes, and then the source will have 5100h in it and destination will have 6100h in it. The length registers always return 0ffh's. The DMA is very fast, and takes 2 clocks per transfer- one to read, one to write. This means 3Mbyte/second can be moved at the nominal clock speed of 6MHz. LCD DMAs will interrupt the DMA in progress though since it always steals CPU cycles during LCD rendering. Unfortunately, the number of cycles stolen and when is not very deducible. The external bus goes idle (all 1's) when the CPU is accessing anything inside the chip. When code is running in ROM, there is no cycles stolen at all. Only if code were to run in RAM would the CPU ever be stalled, and this only happens very rarely to bankswitch. I do not emulate cycle stealing at all because of this. Bit 4 of the DMA length high register controls if the destination address increments or not. A value of 1 in this bit stops the destination address from incrementing which can be useful if you have to shoot a bunch of values into a single register in a row. The source and destination registers are only 15 bits. This means the DMA can only occur in the range of 0000-7FFF. Bit 7 of the source register specifies if bankswitching will be used or not. If it's set, this means data will be pulled from ROM at the 32K bank specified in registers 0036 and 0037. If it is clear, it will come from 0000-7FFF in address space (i.e. RAM, or the bank at 4000-7FFF). The destination high address byte also has a bit 7 that is toggleable but does not seem to do anything. Setting it does not cause a bankswitched write to occur. The high byte of the length is NOT updated after the DMA. This means if say, a length of 01ffh was specified, the 01h part is still present (the lower part must be rewritten to start a DMA anyways, so it cannot be known if it stays or is modified). 0028: (ff) (readable) DMA source address low 0029: (09) (readable) DMA source address high 002A: (00) (readable) DMA destination address low 002B: (0a) (readable) DMA destination address high 002C: (ff) (returns 0ffh always) DMA length low - writing here starts DMA, too 002D: (ff) (returns 0ffh always) DMA length high 002e: (ff) Never used. Reads as 0ffh regardless of value written. 002f: (ff) Never used. Reads as 0ffh regardless of value written. 0030: (1A) INTCON 0 - enable low voltage detector when set. 1 - enables interrupts at 003E if set. if clear, disables all of those interrupts 2 - ? - doesn't seem to do anything 3 - ? - doesn't seem to do anything 4 - ? - doesn't seem to do anything 5 - ? - doesn't seem to do anything 6 - setting this bit seems to crash it, or put it into a low power mode. not sure. 7 - ? - doesn't seem to do anything Reading will return the low voltage status in bit 0. if bit 0 is clear, the battery voltage is below 2.5V. If it's above this value, the bit is set. If bit 0 is clear, then this bit always returns 1's. GK only writes 1A here, and to test low voltage sets bit 0 then clears it when done. 0031: (00) Writing anything here with bits 0-6 set will cause the CPU to crash? or lock up. bit 7 seems to be able to be written to with impunity. The GK firmware writes 00h here and then never touches it again. This might be a clocking control register which is i.e. enabling RC oscillator mode or similar. 0032: (00) Bank select for 4000-7FFF. The upper 7 bits selects a 32K bank, while the lower bit inverts A14. This sounds weird, but the reason is so you can access each 16K of the designated 32K bank. A value of 01h in this register will select the first 16K of the ROM at 4000-7FFF, A value of 00h will select the second 16K, a value of 03h will select the 3rd 16K, and a value of 02h will select the 4th 16K, and so on. Basically invert bit 0 and then this becomes a flat 16K bank select register. 0033: (F1) (readable) Chip select for 4000-7FFF. The lower 3 bits specify one of many chip enables. GK only ever writes 0 or 1 in here to select internal ROM or external ROM. 0 - mode 1 - mode 2 - mode 3 - ? 4 - ? - returns 1 when read always. 5 - ? - returns 1 when read always. 6 - ? - returns 1 when read always. 7 - ? - returns 1 when read always. modes: 0 - internal ROM 1 - /CE 0 2 - /CE 4 3 - not bonded out / used 4 - /CE 3 5 - /CE 2 6 - /CE 8 7 - not bonded out / used 0034: (80) (readable) Bank select for 8000-FFFF. The lower 7 bits indicates which 32K of data from the cart will be mapped into 8000-FFFF. The banks are mapped linearly. i.e. writing 0 here maps 0000-7FFF of the ROM into 8000-FFFF. Writing 3 here will map 18000-1FFFF of the ROM into 8000-FFFF and so on. Bit 7 is a mode select, see below. 0035: (00) (readable) Chip select for 8000-FFFF. The lower 3 bits specify one of many chip enables. GK writes 00 here once and never touches it again, using bit 7 of 0034 to select internal or external ROM. 0 - mode 1 - mode 2 - mode 3 - ? - returns 1 when read always. 4 - ? - returns 1 when read always. 5 - ? - returns 1 when read always. 6 - ? - returns 1 when read always. 7 - ? - returns 1 when read always. modes: (bit 7 of 0034 set) ------------------- 0 - /CE 0 cart pin #18 (used by all carts) 1 - not bonded out / used 2 - /CE 2 cart pin #17 3 - /CE 3 cart pin #47 4 - /CE 4 cart pin #16 5 - not bonded out / used 6 - not bonded out / used 7 - internal ROM (bit 7 of 0034 clear) --------------------- 0 - internal ROM all other values select /CE 8 0036: (00) (readable) DMA source bank 0037: (f8) (readable) DMA source bank The DMA source bank works like the 32K bank at 8000-ffff and follows the exact same rules. (see DMA section) 0038: (F0) Not sure. Watchdog related? Writing here seems to cause the CPU to reset after awhile (1-2 seconds). If I write 0 twice it does this (or FF then 00). The code sets bit 4 using SMB4 once in the init. 0039: (00) Not sure. GK firmware writes 00 here once at startup. Lower 4 bits are writable, upper 4 bits always read as 1's. The following 4 registers might be an SPI port or similar that is multiplexed with the IO ports. not used on the GK 003A: (FF) Not sure. all 8 bits are readable and writable. 003B: (FF) Not sure. returns all 1's on read. Interrupts: ----------- There are no less than 15 interrupt vectors present. These have been labelled by me as such: 7FE2/7FE3 : int 1 function not known 7FE4/7FE5 : int 2 function not known 7FE6/7FE7 : int 3 function not known 7FE8/7FE9 : int 4 function not known 7FEA/7FEB : int 5 function not known 7FEC/7FED : int 6 function not known 7FEE/7FEF : int 7 timer 0 interrupt (enabled via 003E.5) 7FF0/7FF1 : int 8 IO change interrupt (enabled via 003E.4) 7FF2/7FF3 : int 9 timer 2 interrupt (enable via 003E.3) 7FF4/7FF5 : int A timer 1 / VBL interrupt (enable via 003E.2 / 003E.6) 7FF6/7FF7 : int B square 2 / PWM timer (enable via 003E.1) 7FF8/7FF9 : int C function not known 7FFA/7FFB : int D NMI handler (not sure what causes NMI) 7FFC/7FFD : int E reset vector like usual 7FFE/7FFF : int F IRQ handler (probably only does BRK duty now) The 7 unknown interrupts probably have to do with the other bits of 003E and 003F. Guessing they do things like interrupts after finishing sending or receiving serial data, SPI interrupts, etc. etc. The GK firmware does not use them so that makes deducing their function difficult to say the least. When an interrupt occurs, it effectively forces banking registers 0032/0033 both to 00h which forces 4000-7FFFh of the internal ROM to appear at 4000-7FFFh in CPU space. This happens as the vectors are being pulled which is why there is a set of vectors in every game ROM bank that can be mapped at 4000-7FFFh. The RTI instruction will then clear this bank override feature. Note that 0032/0033 are NOT modified and simply masked. 003C: (4A) Interrupt pending register. Writing 00 here will reset the interrupts represented by register 003E. 003D: (F0) Most likely works similar to 003C for another set of interrupts. 003E: (34) Interrupt enable register. This enables many of the interrupt sources. Reading seems to return interrupt sources that are pending. 0 - ? not sure, have not gotten it to generate an interrupt 1 - square 2 / PWM timer int B 2 - timer controlled by reg 0023/0024/0025 int A 3 - Timer controlled by reg 0026 int 9 4 - interrupt on IO change at port 0000 int 8 5 - timer 0 interrupt / one shot int 7 6 - Vblank. Each time the screen redraws, this interrupt fires int A 7 - ? not sure, have not gotten it to generate an interrupt Interrupt change will produce an interrupt any time an input changes state from low to high or vice-versa. Reading port 00 will acknowledge the interrupt on change event so it can trigger again (if it is not serviced, no more interrupts will be produced). 003F: (F0) 00 stored twice. Most likely another interrupt enable register for on board peripherals. Not used on GK. LCD system: ----------- LCD control registers map into 0040-004F. The LCD is drawn bottom-up, left to right. The LCD controller can actually drive a wide array of displays, some much larger than what the system comes with. These probably do not need to be emulated for the most part. Pixel data is 2 bits per pixel, and there are 4 pixels packed into each byte of RAM. Pixel data can be pulled from only RAM. Pulling data from somewhere else (registers, ROM) results in randomish data, which appears to be just raw data bus contents. If the LCD base address is set to FFFFh (or anywhere else that "rolls over" past FFFFh) it does not wrap to 0000h and shows internal bus operation instead. The first byte of pixel data is the 4 leftmost pixels on the bottom of the screen. Bits 6 and 7 are the very left most pixel, bits 4 and 5 are the next, and so on. Bits 0 and 1 are the 4th pixel in from the left side. Each row of pixels is 48 across, and there's 4 per byte so this means each row of pixels is stored into 12 bytes. The entire screen is 12*32 = 384 bytes. Most/all games appear to map this into 0200h. 0040: (returns 0ffh on read) LCD base address low. Address where the lowest left pixel is stored. 0041: (returns 0ffh on read) LCD base address high 0042: (returns 0ffh on read) LCD RAM data increment amount. GK writes 03 here which means every 4 pixels it increments the RAM pointer. 0043: some kind of timing 0044: (10) Scanlines per LCD frame. How many scanlines*2 that are present on the LCD. The GK writes 10h for 32 scanlines. Writing larger values here has the effect of making the display lighter because the duty cycle is dropping. Writing smaller values has the effect of repeating pixels at the top of the display from the bottom, because the LCD is in effect being "double scanned". Writing 0 to this register results in 512 scanlines being rendered. 0045: (F8) X Smooth scroll. Only the lower 3 bits appear to be implemented. Causes the LCD data to shift left 0 to 7 pixels. These pixels are "eaten" and not rendered, so the end result is the entire LCD contents shifts left 1 pixel, and pixels on scanline N will wrap to scanline N-1 (remember the LCD draws bottom to top). 0046: (NU) Address reset. When this number of scanlines*2 has been rendered, the registers at 0040-0041h are reloaded into the address counter. If the value 1 is written here, then every 2 scanlines the base address is reloaded, and the LCD constantly displays the same 2 scanlines over and over, up the display (16 times). The GK firmware loads FFh into this register which effectively disables it. A value of 00h corresponds to 512 scanlines worth of data. 0047: (1C) LCD control register. 0 - ? no visible change 1 - ? no visible change 2 - Bits per pixel. 0 = 1 BPP, 1 = 2 BPP (the GK is 2 BPP usually) 3 - LCD panel invert speed. 0 = every frame, 1 = every 2 frames. (not useful for emulation) 4 - LCD panel invert position relative to the start of frame. 0 = immediate at frame start, 1 = delay 1 scanline. 5 - LCD invert. 0 = normal, 1 = inverse. 0, 1, 2, 3 changes to 3, 2, 1, 0. 6 - Disable latch signal when set. Not terribly useful. 1 = effectively blanks LCD. 7 - Disable rendering. 1 = shuts off LCD system, and reduces power draw. 0 = normal operation. 0048: (0C) LCD control register. 0 - ? no visible change 1 - ? no visible change 2 - Pixel clock 0 3 - Pixel clock 1 4 - When set, changes pixel clock to 1 per scanline, results in blank LCD if set. 5 - ? no visible change 6 - ? no visible change 7 - ? no visible change Pixel clock: 00 - divide by 1 01 - divide by 2 10 - divide by 4 11 - divide by 6 On the GK, the main incoming clock is 6MHz, so this means the pixel clock will be 6MHz, 3MHz, 1.5MHz, or 1MHz. The firmware sets this to 6, so the pixel clock is nominally 1MHz. 0049: (19) LCD timing control register 0 - Step size 1 - Step size 2 - Step size 3 - Step size 4 - Step size 5 - Step size 6 - ? no visible change 7 - ? no visible change Step size: The lower 6 bits indicates the step size of extra pixels on the scanline. This basically lets one extend the scanline to effectively slow down the refresh rate of the LCD. If the LCD is refreshed too quickly, it will draw more power. By adding extra pixels, this effectively slows down the refresh and power use (as well as controlling contrast somewhat.) The final delay is (N+1*8) clocks. Values of 0, 1, and 2 are invalid and result in the lack of emitted pixels. The GK firmware writes 19h in here which is 2080 clocks. (19h = 25, +1 = 26*8 = 208). 004A: (00) LCD timing control register 0 - Step size 1 - Step size 2 - Step size 3 - Step size 4 - Step size 5 - ? no visible change 6 - ? no visible change 7 - ? no visible change Step size: Number of scanlines between frame invert pulses. If this is set to 0, the frame inverts every time the LCD refresh restarts (i.e. frame aligned). Any other value results in the delay of (N*4)+2 scanlines between inversions. i.e. setting this to 1 will result in the frame inverting every 6 scanlines, setting it to 10 will result in inversions every 66 scanlines, etc. 004B: (08) LCD timing control register 0 - Step size 1 - Step size 2 - Step size 3 - Step size 4 - Step size 5 - Step size 6 - ? no visible change 7 - ? no visible change Step size: How wide each horizontal latch pulse is. This controls how wide each latch pulse is. 0 will disable the latch pulse completely. Otherwise, the count is in multiples of 4 pixel clocks + 16. i.e. the value 8 which the GK firmware writes becomes 8*4+16 = 48. 004C: (0E) Not sure. This does something odd. GK writes 0Eh here, then expects to read xxxx x011x. Probably shows the LCD frame, scanline, and other things. GK only does it to verify operation I think. 0 - returns some kind of LCD state, toggles 1 - whatever was written is readable 2 - whatever was written is readable 3 - seems to return 0 4 - returns some kind of LCD state, toggles 5 - returns some kind of LCD state, toggles 6 - returns some kind of LCD state, toggles 7 - returns some kind of LCD state, toggles 004D: (??) Does not seem to be used. 004E: (F1) LCD control register. Adjusts various aspects of the LCD signals. Not useful. 0 - Pixel data enable. Clearing this bit stops pixels being emitted, resulting in a blank display 1 - ? no visible change 2 - ? no visible change 3 - Weirdness. Interacts with bit 3 of 004C. (see below) 4 - Pixel clock enable. Clearing this bit stops pixel clocks being emitted, resulting in blank display 5 - Pixel frame invert enable. clearing this bit stops frame inversions (can damage LCD after awhile) 6 - Pixel row latch enable. Clearing this bit stops pixel row latches being emitted. Blanks display 7 - Frame latch enable. Clearing this bit stops the frame refreshing. Blanks display Weird bit: When both bit 3's on 004C and 004E are set, the current draw jumps 10ma, up to 20ma. I suspect 004E and 004C bit 3 are for other LCD types/modes, and are not used on the GK. After reading some other Sunplus data sheets I suspect this turns a charge pump on (which is not bonded out on the GK) to boost the voltage to run bigger LCDs. 004F: (??) Does not get used, writing/reading don't appear to do anything. 0050: (FF) Never used. Writing seems to have no effect, reads all 1's. 0051: (BE) Never used. Writing seems to have no effect, always reads BEh. 0052: (FF) Never used. Writing seems to have no effect, reads all 1's. 0053: (80) Never used. The lower 7 bits are readable and writable, upper bit always reads as 1. 0054-005F: Does not appear to be used or contain registers. returns all 1's on reading. 0060: (??) UART related. (GK doesn't use) 0061: (??) UART related. (GK doesn't use) 0062: (??) UART related. (GK doesn't use) 0063: (??) UART related. (GK writes 00 here once) 0064: (??) UART related. (GK doesn't use) 0065: (??) UART related. (GK doesn't use) 0066: (??) UART related. (GK doesn't use) 0067: (??) UART baud rate register. 0068-007F: Does not appear to be used or contain registers. returns all 1's on reading. Writes have no effect.