guide_tech2.txt

nintendo64 survival document

2. Practice - Zelda 64


Make sure the ROM is in Z64 format (big-endian).
Let's start with the known bitmap 'Attack'.

Using a plugin that dumps textures, we get a 48x16 bitmap. 4-bpp IA linear.

Address = 20000000, Offset = 00215230
Size = 3072 bits = 384 bytes ($180).

; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

We will follow this from TMEM (RCP texture memory) -> RAM -> ROM.

Dump the RAM and check $215230. Don't forget that the bytes will appear
'swapped'. Endian-order.

We see 'Attack' and 'Return'. And 'Attack' above these ones.

; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You'll need a debugger for this approach.
Place a write hook at RAM $215230.

8000488c: PI Copy CART to RDRAM 384b ($180) from B08C4DA0 to 80215230

Now known that it lives at ~$8C4DA0 ROM. 


Set your tile editor to 48 pixels width to see the other text.

- Tile Molester says 2-dimensional, block size = 6
 + 2D means pixels are stored as scanlines (row1, row2, .., rowN)
   1D means tile-based (8x8 tile 1, 8x8 tile 2, ..)

; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[0c00:0ed8] 80004830: JAL     80003B60                                  
[afa5:0024] 80004834: SW      a1[00000000],0024h(sp[80009B68])          
[8fa5:0024] 80004838: LW      a1[00000000],0024h(sp[80009B68])          
[3c0a:a460] 8000483C: LUI     t2[00000001],FFFFA460h                    

; Write DMA destination address

[ad42:0000] 80004840: SW      v0[001B9CE0],0000h(t2[A4600000])          

; ---------------------------------------------------------------------

[8fac:0028] 80004844: LW      t4[00000001],0028h(sp[80009B68])          
[8e0b:000c] 80004848: LW      t3[80006330],000Ch(s0[80009EA0])          
[3c01:1fff] 8000484C: LUI     at[1FFFFFFF],1FFFh                        
[3421:ffff] 80004850: ORI     at[1FFF0000],at[1FFF0000],FFFFh           
[016c:6825] 80004854: OR      t5[80127618],t3[B0000000],t4[003B62F0]    
[01a1:7024] 80004858: AND     t6[801B9CE0],t5[B03B62F0],at[1FFFFFFF]    

; T7 = $A460(0000)

[3c0f:a460] 8000485C: LUI     t7[00000001],FFFFA460h                    

; Write DMA source ($3B62F0 - $300*5 = $3B53F0)

[10a0:0006] 80004860: BEQ     a1[00000000],r0[00000000],8000487Ch       
[adee:0004] 80004864: SW      t6[103B62F0],0004h(t7[A4600000])          

(..)

; ---------------------------------------------------------------------

; T8 = STACK[ $9B68 + $30 ] = $300

[8fb8:0030] 8000487C: LW      t8[00000000],0030h(sp[80009B68])          

; T0 = $A460(0000)

[3c08:a460] 80004880: LUI     t0[00000000],FFFFA460h                    

; T9 = T8-1

[2719:ffff] 80004884: ADDIU   t9[00000000],t8[00000300],FFFFFFFFh       

; Start DMA, jump to $48a8

[1000:0007] 80004888: BEQ     r0[00000000],r0[00000000],800048A8h
[ad19:000c] 8000488C: SW      t9[000002FF],000Ch(t0[A4600000])