Star Fox 64 patch for the Nintendo 64
It appears all ROMs released up to Star Fox 64 had the same header info between offsets $40-$1000 (0x0040-0x1000). With the release of Star Fox 64 that changed. Here are the differences.
The first byte difference, at offset $005a, reflects a 12-byte (0x000c) difference between the old ROMs and the Star Fox 64 ROM, starting at offset $d8 (0x00d8). That is where three instructions present in the old ROMs are dropped and where the desync between the ROMs begins. The three instructions that are in the old ROMs but deleted from Star Fox 64 are:
OFFSET    OPCODE    INSTRUCTION
000000d8  24110020  ADDIU R17,R0,0x0020
000000dc  2231FFFF  ADDI R17,R17,0xFFFF
000000e0  1620FFFE  BNE R17,R0,0x000000dc
$e4 (0x00e4) of the old ROMs and $d8 (0x00d8) of Star Fox 64 are now in sync, with a 12-byte (0x000c) difference in the offsets used by branches/jumps.
IMPORTANT CODE DIFFERENCES:
At location $46c (0x046c) of the old ROMs and $460 (0x0460) of Star Fox 64:
Old ROMs:
OFFSET    OPCODE    INSTRUCTION
0000046c  3C08A400  LUI R8,0xA400
00000470  no difference
00000474  3C0BA400  LUI R11,0xA400
00000478  yes different, but probably because of desync
0000047c  yes different, but probably because of desync
New ROM:
OFFSET    OPCODE    INSTRUCTION
00000460  3C080400  LUI R8,0x0400
00000464  no difference
00000468  3C0B0400  LUI R11,0x0400
0000046c  yes different, but probably because of desync
00000470  yes different, but probably because of desync
No differences from this point on, except for offsets which affect jumps/branches.
Then some instructions are dropped from the old ROMs, and at $584 (0x0584) of the old ROMs and $588 (0x0588) of Star Fox 64 a new sync begins, with a 4-byte difference between the ROMs, until $b6c (0x0b6c), where both ROMs are back in sync at the same address.
The old ROMs may be checksummed between $40-$1000 (0x0040-0x1000), because just changing the 04's to a4's doesn't solve the lock-up problem (black screen at start-up).
If SLL R0,R0,0 (0x00000000) is (basically) the same as a NOP instruction: I copied over those first 3 bytes at $d8 (0x00d8), $dc (0x00dc) and $e0 (0x00e0) from Human's Grand Prix (because they're not used in Star Fox 64) and it refused to load. So, then, it appears there is a checksum on that part of the ROM between $40-$1000 (0x0040-0x1000).
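To check the opcode tables above by hand, here is an added example (not code from the original notes): a minimal decoder for the four MIPS forms the tables use (ADDIU, ADDI, BNE, LUI) plus the LUI immediate edit from 0x0400 to 0xA400. The row data is copied from the tables; the function names decode, retarget_lui and disassemble are my own.

```python
"""Decode the MIPS instruction words quoted in the Star Fox 64 notes (ADDIU, ADDI, BNE, LUI only)."""

# Primary opcode field (bits 31..26) of the forms that appear in the notes.
OPCODES = {0x05: "BNE", 0x08: "ADDI", 0x09: "ADDIU", 0x0F: "LUI"}


def sign_extend16(imm):
    """Treat a 16-bit immediate as signed two's complement."""
    return imm - 0x10000 if imm & 0x8000 else imm


def decode(offset, word):
    """Disassemble one big-endian instruction word found at ROM offset, in the notes' notation.

    A branch offset counts words from the instruction after the branch, so the
    BNE at 0xe0 with imm 0xFFFE (-2) targets 0xe0 + 4 - 8 = 0xdc (the R17 loop).
    """
    op, rs, rt = word >> 26, (word >> 21) & 0x1F, (word >> 16) & 0x1F
    imm = word & 0xFFFF
    name = OPCODES.get(op)
    if name is None:
        raise ValueError(f"primary opcode 0x{op:02x} is not handled here")
    if name == "LUI":
        return f"LUI R{rt},0x{imm:04X}"
    if name in ("ADDI", "ADDIU"):
        return f"{name} R{rt},R{rs},0x{imm:04X}"
    target = offset + 4 + sign_extend16(imm) * 4
    return f"{name} R{rs},R{rt},0x{target:08x}"


def retarget_lui(word, new_hi):
    """Return an LUI word with its immediate replaced (the 0x0400 -> 0xA400 edit).

    0x0400xxxx is the RSP DMEM/IMEM physical range; 0xA400xxxx is the same
    range seen through the uncached KSEG1 window that the old boot code uses.
    """
    if word >> 26 != 0x0F:
        raise ValueError("not an LUI instruction")
    return (word & 0xFFFF0000) | (new_hi & 0xFFFF)


# Rows copied from the notes' tables: (offset, opcode word).
OLD_ROM_LOOP = [(0xD8, 0x24110020), (0xDC, 0x2231FFFF), (0xE0, 0x1620FFFE)]
STAR_FOX_LUI = [(0x460, 0x3C080400), (0x468, 0x3C0B0400)]


def disassemble(rows):
    """Render (offset, word) rows as lines in the notes' table layout."""
    return [f"{off:08x} {word:08X} {decode(off, word)}" for off, word in rows]
```

Running disassemble(OLD_ROM_LOOP) reproduces the three-line table from the notes, and retarget_lui on the two Star Fox 64 LUI words yields the old ROMs' 3C08A400 and 3C0BA400.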
Starfox 64 Patch - Some words from Jovis
I'm not sure what superdoc is getting at in his explanation of the crack. Maybe I can make it a little more clear.
The ROM image is not checksummed up until 0x1000, from there the checksum covers just 1 meg, so anything after that can be changed at will.
The 0x40-0x1000 code is the code which reads the 'lockout chip' in the cart. The chip had been changed in the new Star Fox ROM, therefore I switched the security code (0x40-0x1000) to be the same as the older ROMs.
It is very likely that the 0x40-0x1000 code is checksummed, but that the area has a 'fixed' checksum, so that they can change the code and throw in some 'junk' bytes to fix up their checksum result.
The real checksum is different, though. It starts at offset 0x10 in the image and is 4 words long. It is checked by the N64 init bootcode (ROM code) when you turn on the power. The next init is the lockout chip check, and if it doesn't successfully complete, the hardware will lock up.
Hope this is helpful.