#37243 - Dwedit - Wed Mar 09, 2005 8:58 am
The movie player is a really weird device. One day I dump it and the same 512 bytes repeat everywhere. I just dumped it again today, and it came out fine! The rom mirroring is rather odd, it's as if each address is ANDed with 00111110 00111111 11111111. Does this mean it's an incomplete dump, or is it just a memory mapping quirk? The mask there makes a 512k rom appear to be 4 megabytes large.
Using the hacks from the chinese version dump, I managed to get it booting in visualboyadvance. Does the exact same thing it would do as if there was no CF card inserted.
_________________
"We are merely sprites that dance at the beck and call of our button pressing overlord."
#37244 - Sebbo - Wed Mar 09, 2005 9:27 am
well done Dwedit. the next step is rewriting the update file
#37245 - Vince - Wed Mar 09, 2005 10:13 am
Hello,
That's very interesting given that it opens a whole world of possibility for Supercard hacking. Could you elaborate on how you performed the dump/give pointers? I am really interested into it so that we could reproduce it for the SuperCard firmware.
Thanks,
Vince
PS : the Supercard hacking thread is here : http://forum.gbadev.org/viewtopic.php?t=5051
_________________
Reclaim control of your F2A/F2AU with if2a !!
#37247 - Dwedit - Wed Mar 09, 2005 10:16 am
I'm not exactly how my movie player got unlocked, but try booting it up as normal, then power off and on quickly, then go into multiboot mode to send the data to pc.
_________________
"We are merely sprites that dance at the beck and call of our button pressing overlord."
#37248 - cocole - Wed Mar 09, 2005 10:24 am
So you dumped it with a multiboot cable ? EZFA ? F2A ? XBoo ? Another one ?
#37249 - Dwedit - Wed Mar 09, 2005 10:27 am
I used an MBV2 cable to dump it. "mb -1 romname.gba -w 10"
_________________
"We are merely sprites that dance at the beck and call of our button pressing overlord."
#37305 - RueGorE - Thu Mar 10, 2005 7:52 am
Good job Dwedit. ::pats your back:: Now that you have a good dump, what do you plan to do with it?
#37310 - Dwedit - Thu Mar 10, 2005 9:29 am
Somehow find the entry points to read from the CF card? Either calling them from code or direct access. Preferably using the existing routines from the rom. Mainly so that pocketnes on the movie player can run huge roms. It would be nice if writing could be supported, but I don't know if the HW can do that or not.
_________________
"We are merely sprites that dance at the beck and call of our button pressing overlord."
#37326 - tepples - Thu Mar 10, 2005 3:13 pm
| Dwedit wrote: |
| Somehow find the entry points to read from the CF card? Either calling them from code or direct access. Preferably using the existing routines from the rom. Mainly so that pocketnes on the movie player can run huge roms. |
Or so that homebrewers can develop native multipart multiboot programs. A long time ago, on the gbadev Yahoo! Group, I mentioned such an idea. Search the list for "Advance Disc System".
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.
#38740 - Dwedit - Thu Mar 31, 2005 3:14 am
Is it okay to distribute a rom dump of the movie player? The firmware updates are freely available.
_________________
"We are merely sprites that dance at the beck and call of our button pressing overlord."
#39213 - npropanol - Wed Apr 06, 2005 1:45 am
I would think so - I don't recall reading one of those eulas - and anyway the majority of the people that would want it would be those that already owned one.
#40103 - chishm - Fri Apr 15, 2005 3:53 am
The Movie Player may be able to write to the cmpact flash card. It is definitely writing to something, as it is able to store bookmarks even with the power off. Then again, it might be storing it in the same area as the firmware.
#40106 - Dwedit - Fri Apr 15, 2005 4:05 am
If you have two compact flash cards, you could test that theory out.
_________________
"We are merely sprites that dance at the beck and call of our button pressing overlord."
#40120 - chishm - Fri Apr 15, 2005 7:22 am
It seems that it is not writing to the cf card. I took the card out, formatted it then put only the text file back on. Unfortunately the bookmark was still there. Must be stored on the cart itself. And I thought I was on to something. Damn.
#40247 - Cyberman - Sat Apr 16, 2005 4:52 pm
| chishm wrote: |
| It seems that it is not writing to the cf card. I took the card out, formatted it then put only the text file back on. Unfortunately the bookmark was still there. Must be stored on the cart itself. And I thought I was on to something. Damn. |
It would make no sense to store it on the CF card, namely because it would add wear to the flash media. (those polysilicon wires can only operate so many times before blowing). It would make more sense if they had a EEPROM or SRAM on the board somewhere where the stored the bookmark data.
Cyb
_________________
If at first you don't succeed parachuting is NOT for you.
#40254 - Dwedit - Sat Apr 16, 2005 6:53 pm
To my knowledge, there is no SRAM or EEPROM on the movie player. It probably stores it somewhere in its total 512k of flash rom.
_________________
"We are merely sprites that dance at the beck and call of our button pressing overlord."
#42232 - chishm - Sun May 08, 2005 4:40 am
Has anybody successfully worked out how to use this to read a CF card?
I have found that the firmware is reading and writing to the following adresses:
0x090C0000
0x098C0000
The second has a value of 0x50 when a CF card is inserted, although some writes cause this to become 0xD0. The first address has so far had the values 0xe0, 0xd0, 0xa0 and 0x00 on different attempts to read it, depending on what I write to either of the adresses. I also think that the address 0x0904000, 0x09060000, 0x09080000 and 0x090A0000 are being sed for something. Not sure what yet.
#42597 - chishm - Fri May 13, 2005 10:11 am
I have worked out that the bookmarks are stored in the firmware starting at offset 0x060000 from the start of the ROM (ie address 0x08060000). This is visible in dumps of the ROM.
Also, it is possible to write to cart locations at 0x09040000, 0x09060000, 0x09080000, 0x090A0000 and then read back the same data from them. I am thinking they are an interface to the CF card, but unfortunately I still haven't managed to get any data from the CF card yet. I am not sure whether it will simply be a case of reading from some other location in Cart address space, or whether it involves DMA. If anyone has any ideas, I would be greatful.