Open source Gamecube bootrom
BS2Main_Subcalls
Bootstrap
MainLoop
images
0x81300F50.txt
0x813012D0 - DEMOInit.txt
0x813022F4.txt
0x813025A4.txt
0x81302D2C.txt
0x81307B0C.txt
0x81307D90 - Heap.txt
0x81307E40.txt
0x81307EB8.TXT
0x81308208.txt
0x8130B84C.txt
0x8130BCB4.txt
0x8130BEE8 - BIG.txt
0x8131C5C4.txt
0x8135B160.txt
BS2Mach_12.txt
BS2Main.c
Build_Instructions.txt
DVDLoader.c
DVDLoader.h
DVDLoader.txt
Heap.c
Heap.h
IPL.lcf
IPL.mcp
README.md
calltree.txt
main.c
oslomem.h
ossram.h


Open source Gamecube bootrom

!!! For educational purposes only !!!

Project Goals:

  • Reverse engineering of retail GameCube bootrom (USA / NTSC version was used as reference)
  • Write own bootrom, based on IPL reversing
  • Use bootrom in gamecube emulators to have fun :-)

Toolchain (mostly official):

  • CodeWarrior IDE for Nintendo GameCube
  • Dolphin SDK
  • Dolwin debugger

Overall Progress:

  • Bootstrap 1 stage disassembly DONE
  • Way to compile it back in binary file DONE
  • Bootrom fonts investigated DONE
  • IPL listing DONE
  • Identify all library calls
  • IPL intro
  • IPL menus
  • Utility to merge all pieces in single binary ROM file

Gamecube Bootrom details:

The bootrom is located in a special chip, designed by Macronix Ltd., placed near the Flipper IC.

The same chip also holds the non-volatile memory (SRAM) and the real-time clock (RTC).

Bootrom size is 2 MB.

The first logical part of the bootrom (the reset vector) is called Bootstrap 1 (BS1). This small procedure is written in assembly and starts at physical address 0xfff00100. It prepares the GameCube hardware, checks memory, initializes virtual addressing and loads the second logical part, known as Bootstrap 2 (BS2) or IPL (Initial Program Loader).

The IPL is written in C. It is compiled as a DOL executable, using an early version of the Dolphin SDK as the system API.
The entry point of the start routine is placed at virtual address 0x81300000 by the link script.

Almost 50% of the IPL binary payload is occupied by Dolphin SDK library calls.

Important Note: The bootrom itself is encrypted. Decryption is done by the MX chip during block reads of bootrom data. In the early stage (BS1) decryption is done on the fly as Gekko loads 32-byte bursts into the instruction cache. Later it is decrypted by EXI DMA during the BS2 copy. It is very important to keep the scrambler from going out of sync, otherwise trash appears as output. The symmetric (XOR-based) encryption algorithm was reversed by segher: Descrambler
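Added example, not code from this repository: segher's XOR descrambler as carried in Dolphin's IPL loader, written here from memory (the LFSR seeds and taps are assumed correct), plus a check that a state kept across reads stays in sync while a re-seeded state produces trash, which is the out-of-sync failure the note above warns about. The stream is plain XOR, so the same routine scrambles and descrambles.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Scrambler keystream state. Seeds and taps are segher's published values as
   carried in Dolphin's IPL loader; they are assumed correct here. */
typedef struct { uint16_t t, u, v; uint8_t x, acc, nacc; } ipl_scrambler;

static void ipl_scrambler_init(ipl_scrambler *s) {
    s->t = 0x2953; s->u = 0xd9c2; s->v = 0x3ff1;
    s->x = 1; s->acc = 0; s->nacc = 0;
}

/* XOR `size` bytes with the keystream; the state advances one bit per step, so
   a later call continues where this one stopped (that is "in sync"). */
static void ipl_descramble(ipl_scrambler *s, uint8_t *data, size_t size) {
    for (size_t it = 0; it < size;) {
        int t0 = s->t & 1, t1 = (s->t >> 1) & 1, u0 = s->u & 1, u1 = (s->u >> 1) & 1, v0 = s->v & 1;
        s->x ^= (t1 ^ v0) ^ (u0 | u1) ^ ((t0 ^ u1 ^ v0) & (t0 ^ u0));
        if (t0 == u0) { s->v >>= 1; if (v0) s->v ^= 0xb3d0; }   /* irregular clocking */
        if (t0 == 0)  { s->u >>= 1; if (u0) s->u ^= 0xfb10; }
        s->t >>= 1;   if (t0) s->t ^= 0xa740;
        s->acc = (uint8_t)(2 * s->acc + s->x);                  /* collect 8 stream bits */
        if (++s->nacc == 8) { data[it++] ^= s->acc; s->nacc = 0; }
    }
}

/* Symmetric: a second pass from a fresh seed restores the input. Returns 1. */
static int ipl_roundtrip_ok(void) {
    uint8_t buf[48], ref[48];                        /* constructed sample */
    for (int i = 0; i < 48; i++) ref[i] = buf[i] = (uint8_t)(0x5a ^ (i * 3));
    ipl_scrambler s;
    ipl_scrambler_init(&s); ipl_descramble(&s, buf, 48);
    ipl_scrambler_init(&s); ipl_descramble(&s, buf, 48);
    return memcmp(buf, ref, 48) == 0;
}

/* Two 32-byte reads on one continuous state equal a single 64-byte read, while
   re-seeding at the split (out of sync) turns the second half into trash. */
static int ipl_sync_demo(void) {
    uint8_t whole[64], split[64], lost[64];          /* constructed sample */
    for (int i = 0; i < 64; i++) whole[i] = split[i] = lost[i] = (uint8_t)(i * 7);
    ipl_scrambler s;
    ipl_scrambler_init(&s); ipl_descramble(&s, whole, 64);
    ipl_scrambler_init(&s); ipl_descramble(&s, split, 32); ipl_descramble(&s, split + 32, 32);
    ipl_scrambler_init(&s); ipl_descramble(&s, lost, 32);
    ipl_scrambler_init(&s); ipl_descramble(&s, lost + 32, 32);
    return memcmp(whole, split, 64) == 0 && memcmp(whole + 32, lost + 32, 32) != 0;
}
```

The note's observation that the fonts and the first 0x100 bytes read back over a 0x00000000 XOR stream corresponds to simply not applying this routine to those ranges.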

The bootrom also contains two sets of raster fonts, one for the ANSI charset and another for SJIS.

These fonts are rarely used; only some games use them. The font data is not encrypted (BS1 disables the bootrom scrambler after BS2 has been copied into RAM, so subsequent font reads are actually done over a 0x00000000 XOR stream. The same applies to the first 0x100 bytes of the bootrom, which hold the copyright strings).

When the IPL starts, the following sequence appears:

First is the rotating cube intro.

Next the IPL menu appears, looking like a rotating glass cube.

Each side of the cube represents a different menu (memory card manager, calendar settings etc.).
Deep inside the cube are floating small cubes, appearing in different patterns.

YouTube video:


Credits: Credits go to GameCube scene members and my good friends: groepaz and tmbinc :=)
Thanks to Nintendo and the ArtX team for such a sexy console ^^
