I've been looking over the menu source Dr. Neo released. The hardware is rather interesting. I'm reposting some info I'm posting over there in case others are interested in the hardware beyond simply running carts.
The source can be found in the first post of this thread:
http://www.neoflash.com/forum/index.php ... 794.0.html
Let's start with an overview of the cart hardware. Remember that this is just what I've inferred from the menu source. I have no other sources of info on this. I'm also not going to use addresses - just look up the symbols in the source.
The cart appears to be comprised of a pseudo-static RAM (PSRAM from now on), a programmable gate array (either a CLD or an FPGA, I haven't taken mine appart to see which), an FM chip for SMS mode, and misc other minor circuits we don't care about (like an amp for the audio out on the FM). There is a slot for Neo2 GBA Flash Modules.
There is a register that enables and disables operating modes of the cart. It's called OPTION_IO in the source. Let's look at the modes:
MODE0 - Storing a word of 0 to OPTION_IO sets mode 0. In this mode, the cart control circuitry (in the CLD/FPGA) can be accessed. This is done by reading from the cart - the address lines A20-A1 and the contents of the lower bank select register (GBAC_LIO) are all latched by the CLD/FPGA when the read line is asserted. So the first two MB of cart space plus the bank register form the 24 bit word sent to the CLD/FPGA. The top four bits are stored in GBAC_LIO, then the lower 20 bits are shifted once left (remember that the 68000 uses a 16 bit bus, so A0 is NOT present on the cart port) and used as A20 to A1, then a read of that shifted value is done. I don't know what any of these values sent to the CLD/FPGA mean. It's one of the areas we'd need more info from Dr. Neo.
MODE1 - Storing a word of 1 to OPTION_IO sets mode 1. This is some sort of test mode. Unused code in the menu program sets mode 1, then reads some bytes from the second two MB space in the cart for particular values. Not much is known about this.
MODE6 - Storing a word of 6 to OPTION_IO sets mode 6. This is the mode used for running MD and 32X carts. In this mode, the PSRAM is mapped to the cart space. The amount of RAM is set by the mask register PRAM_ZIO, and the offset into the PSRAM is set by PRAM_BIO. The RAM is subject to the same bank select mechanism as the SSF2 cart. You have to set up the RAM before you switch to this mode. The size of GBA Flash in this mode is set to 0, so it appears that flash is available, but overlaps the PSRAM unless you "disable" it by setting the size to 0.
MODE7 - Storing a word of 7 to OPTION_IO sets mode 7, what the menu calls "copy mode". The reason why is this is the mode used to copy the flash rom to the PSRAM. When in mode 7, the GBA Flash is accessible at cart address 0, and the PSRAM at 2 MB. Each can be up to 1 MB in size, so one MB at a time can be copied. The GBA Flash size is set by GBAC_ZIO, and the bank that will appear at cart address 0 is set by the combination of GBAC_HIO and GBAC_LIO. GBAC_LIO holds the ROM offset address bits A23-A16, and GBAC_HIO holds address bits A27-A24. The source always says A25-A24, but that's because the default flash shipped with this is 64 MB. If you look at the code, it always masks FOUR bits, not TWO bits. This allows for up to 2048 Mb flash carts to be used (the biggest they have out is 1024 Mb at this time). So up to 1 MB of ROM offset anywhere within 256 MB can be set to appear at cart address 0. Up to 1 MB of PSRAM can be set (using PRAM_ZIO) to appear at cart address 2MB. That memory is divided into banks of 1 MB. The bank appearing in the cart space is set by PRAM_BIO, and can be from 0 to 4 (5 MB for SSF2). I suspect this can actually be 0 to 7, but I haven't done any tests yet to confirm that. So copying flash to PSRAM is done this way: set the offset into the flash; set the size of the rom space, up to 1MB; set the size of the PSRAM bank, up to 1MB; set the PSRAM bank to 0; copy up to 1MB of words from the rom bank at 0 to the PSRAM bank at 2MB; if the rom is larger than 1MB, increment the ram bank to the next ram bank, increment the flash rom offset address, and copy the next bank; repeat until done.
Note that ROM is fast enough for 68000 cycles! The menu does use the 68000 to copy the rom into ram, after all. So you COULD run the cart straight from the flash. However, I suspect that for some reason, the hardware limits the space the rom can occupy to 1MB. Notice how even though the copy mode has space for 2MB between the rom and PSRAM banks, they only use 1MB maximum. So running the cart from flash directly would only work for carts up to 1MB (8 Mb). Larger carts must be run from PSRAM, so the menu simply runs ALL carts from PSRAM for consistency. I suspect that SSF2 bank selection is only available to the PSRAM, and SMS bank selection is only available to the flash; that would explain why they run the carts in the modes they do.
Note that the PSRAM is writable: You store a 2 to WE_IO to enable writing to the PSRAM. This is done before the copying occurs. You store a 0 to WE_IO to disable writing to PSRAM. That is done after the copying is complete.
Note that because you aren't likely to have a valid exception table at cart address 0 much of the time, the menu should have interrupts disabled during the copy. In fact, the times when you have an exception table the menu wants are rare, so the menu should be written to run with interrupts disabled all the time. Note that exceptions will probably hang the menu program. Don't count of being able to catch things like address faults.
MODE8 - Storing a word of 8 to OPTION_IO sets mode 8. Mode 8 is used for CD BIOS. The CD BIOS to use is copied in mode 7 just like carts, but instead of running in mode 6, the CD BIOS is run in mode 8. The difference is probably how and where the SRAM appears. SRAM is normally at 2MB in cart space for normal carts. It's at 6 MB for CD BUPRAM (IIRC). So 6 vs 8 probably controls where SRAM decodes to in the address map.
MODE12/MODE13 - Storing a word of hexadecimal 12 or 13 (18 or 19 in decimal) sets SMS mode. Note that bit 0 controls the FM chip: 1 enables the FM, and 0 disables it. So MD/32X games use a mode of 00110 binary, and SMS uses 1001x binary, where x is the FM enable.
Note that SMS carts are run directly from the GBA flash. The size and offset into the flash are set via GBAC_ZIO, GBAC_HIO, and GBAC_LIO, then the SMS cart is run in mode 12 or 13. So I suspect that bit 2 in OPTION_IO controls whether PSRAM is enabled. It is 1 for MD/32X games, and 0 for SMS games run from the flash.
So tentatively, OPTION_IO seems to be decoded this way:
b4 = SMS_EN => 1 = enable SMS mode, 0 = disable SMS mode
b3 = CD_EN => 1 = enable CD mode, 0 = disable CD mode
b2 = PSRAM_EN => 1 = enable PSRAM access, 0 = disable PSRAM access
b1 = ? not sure about what this controls yet
b0 = If SMS mode: 1 = enable FM chip, 0 = disable FM chip
If not SMS mode: 1 = PSRAM at 2MB cart address, 0 = PSRAM at 0 cart address