Add disassembly of VTech V.Smile BIOS
diff --git a/Makefile b/cqfd-scientus/Makefile
similarity index 100%
rename from Makefile
rename to cqfd-scientus/Makefile
diff --git a/README.md b/cqfd-scientus/README.md
similarity index 100%
rename from README.md
rename to cqfd-scientus/README.md
diff --git a/bank0.control b/cqfd-scientus/bank0.control
similarity index 100%
rename from bank0.control
rename to cqfd-scientus/bank0.control
diff --git a/bank1.control b/cqfd-scientus/bank1.control
similarity index 100%
rename from bank1.control
rename to cqfd-scientus/bank1.control
diff --git a/bank2.control b/cqfd-scientus/bank2.control
similarity index 100%
rename from bank2.control
rename to cqfd-scientus/bank2.control
diff --git a/cqfd.control b/cqfd-scientus/cqfd.control
similarity index 100%
rename from cqfd.control
rename to cqfd-scientus/cqfd.control
diff --git a/interbank.control b/cqfd-scientus/interbank.control
similarity index 100%
rename from interbank.control
rename to cqfd-scientus/interbank.control
diff --git a/vsmile/README.md b/vsmile/README.md
new file mode 100644
index 0000000..6668e68
--- /dev/null
+++ b/vsmile/README.md
@@ -0,0 +1,5 @@
+Disassembly of the VTech V.Smile BIOS
+
+You will need the vsmile\_v103.bin BIOS and dasmxx (a version witn unsp CPU support).
+
+Use dasm with the provided listfile to get a commented disassembly of your BIOS.
diff --git a/vsmile/disassemble.sh b/vsmile/disassemble.sh
new file mode 100644
index 0000000..d3e8203
--- /dev/null
+++ b/vsmile/disassemble.sh
@@ -0,0 +1 @@
+dasmunsp -o test.dasm listfile
diff --git a/vsmile/listfile b/vsmile/listfile
new file mode 100644
index 0000000..102a8f9
--- /dev/null
+++ b/vsmile/listfile
@@ -0,0 +1,341 @@
+fvsmile_v103.bin
+t00
+w0000
+w07a3 multipliers_table
+l0844 INT_COUNTER_LOW
+l0845 INT_COUNTER_HIGH
+l0846 INT_FLAGS_BACKUP
+l084B BREAK
+l084D FIQ
+l084F IRQ0
+l0851 IRQ1
+l0853 IRQ2
+l0855 IRQ3
+l0857 IRQ4
+l0859 IRQ5
+l085B IRQ6
+l085D IRQ7
+l27d1 G_MAGIC_IS_INSTALLED
+l27d2 G_IS_COMPUTER_ON
+l2813 PPU_LAYERA_CONTROL
+l2819 PPU_LAYERB_CONTROL
+l2842 PPU_SPRITES_ENABLE
+l2854 PPU_LCD_CTRL
+l3400 SPU_CHANNEL_ENABLE
+l3401 SPU_MASTER_VOLUME
+l340F SPU_CHANNEL_STATUS
+l3D00 R_GPIO_CTRL
+l3D01 R_IOA_DATA
+l3D02 R_IOA_BUFFER
+l3D03 R_IOA_DIRECTION
+l3D04 R_IOA_ATTR
+l3D05 R_IOA_MASK
+l3D06 R_IOB_DATA
+l3D07 R_IOB_BUFFER
+l3D08 R_IOB_DIRECTION
+l3D09 R_IOB_ATTR
+l3D0A R_IOB_MASK
+l3D0B R_IOC_DATA
+l3D0C R_IOC_BUFFER
+l3D0D R_IOC_DIRECTION
+l3D0E R_IOC_ATTR
+l3D0F R_IOC_MASK
+l3d20 R_SYSTEM_CTRL
+l3d21 R_INTERRUPT_CTRL
+l3d23 R_EXT_MEM_CTRL
+l3d24 R_WDG_CLEAR
+l3d25 R_ADC_CTRL
+l3d29 R_WAKEUP_SRC
+l3D2A R_WAKEUP_TIME
+l3d2e R_FIQ_SEL
+l3d2f DS
+p7bd5 BREAK_INTERRUPT
+p7be3 FIQ_INTERRUPT
+p7bf1 IRQ0_INTERRUPT
+p7c59 IRQ1_INTERRUPT
+p7c67 IRQ2_INTERRUPT
+p7c95 IRQ3_INTERRUPT
+p7cd4 IRQ4_INTERRUPT
+p7ce2 IRQ5_INTERRUPT
+p7d0b IRQ6_INTERRUPT
+p7d43 IRQ7_INTERRUPT
+w8000 DATA_PAIRS
+n8000
+First word is the number of entries in the DATA init table (there's only 1)
+Then each entry contains:
+- A destination address in RAM
+- A long source address in ROM (DS + offset)
+- A size
+.
+pA819
+pA8CB
+pA9CD
+pAA04
+pAA3D
+pAA94
+pAB25 CONTROLLER_GPIO_CONFIG
+kAB26 Disable both external interrupts
+kAB2e UART Rx and Tx as inputs
+kAB46 Configure RTS/CTS
+pAB5E
+wABBA
+pADBE
+pADDA CHECK_MAGIC_AND_POWERBUTTONS
+nADDA
+If magic was installed: return 1 if we should poweroff.
+If magic was not installed: install it and return 1 always
+.
+pADE4 RESET_INIT_INSTALL_MAGIC
+nADE4
+Copy the magic bytes at start and end of RAM
+.
+pADEE COPY_MAGIC
+pAE07 CHECK_MAGIC_START_END
+nAE07
+Check for magic marker at start and end of RAM
+Output: R1=0 of both of them match. R1=1 otherwise.
+pAE13 CHECK_MAGIC_MARKER
+nAE13
+Input: R2 points to area to check
+Output: R1=0 if the magic pattern matches. R1=1 if it doesn't
+The magic pattern is: 55AA, AA55, 5A5A, A5A5, 5456, 4345, 5448, 4756
+.
+pAE37 DELAY_LONG
+pAE50 SHOULD_POWER_OFF
+nAE50
+Test ON and OFF buttons.
+Output: R1=0 if ON is pressed or OFF is not pressed (we should turn or stay on)
+        R1=1 if OFF is pressed and ON is not pressed (we should turn off)
+.
+kAE50 Call DELAY_LONG 96 times to make a super long delay
+kAE56 Is the ON button pressed?
+kAE5B Is the OFF button pressed?
+wAE64
+wAE82 BSS_PAIRS
+wAE90
+wAE95 INITIAL_SP
+wAE96
+pAEE2 RESET
+kAEE3 Clear watchdog
+kAEE7 Configure RAM to 2 waitstates
+kAEEE Disable watchdog
+nAEF4
+Configure system:
+      Watchdog - disabled
+      Sleep - enabled
+      Voltage regulators - all disabled
+      32KHz clock - enabled
+      Video DAC - enabled
+      Audio DAC - disabled
+.
+kAEF8 Power off ADC (CSB=1)
+kAEFB Configure IOB to trigger wakeup interrupts
+kAEFE Configure special pins for IOB (CSB1, CSB2, CSB3)
+kAF03 IOB5 as output, all other pins as inputs
+nAF16
+Configure IOC pins: 88C0
+1000 1000 1100 0000
+- IOC0,1,2,3,4 as input to read system configuration
+- IOC5: TBD
+- IOC6: enable audio output (as output)
+- IOC7: power control (as output)
+- IOC8,9: CTS to controller (should be output, it's input for now)
+- IOC10,11: RTS from controller (one is input, the other is output?)
+- IOC13, 14: UART Rx/Tx (both as inputs?)
+- IOC15: Controller power? as output
+.
+kAF20 Set all port A pins as inputs
+kAF29 Initialize stack pointer so we can use CALL
+kAF2F Clear the BSS areas in RAM
+kAF3C Copy the data area to RAM
+lAF40 data_init_loop
+lAF57 endless_loop
+pAF58 EMPTY_INTERRUPT
+pAFA9 CLEAR_3WORDS_AT_27D0
+pAFB6 INIT_GLOBALS_FROM_MAGIC_AND_POWERBUTTONS
+kAFBE Spin for a little while...
+kAFC5 Check if ON button is pressed
+kAFD5 Clear 16 words at 27e0
+kAFDB Clear 16 words at 27f0 (note this erases the magic)
+pAFE2 MEMSET
+nAFE2
+Set a section of RAM to a single value:
+Inputs:
+R1: value to write
+R2: pointer to area to set
+R3: word count
+.
+wAFEA
+pe76a
+pe775
+wFBF7
+vFFF5 INTERRUPT_VECTORS
+w10000
+p1221b
+p13a1c
+p15fed GENERATE_MULTIPLIERS_TABLE
+l15ff6 loop_start
+k15ff6 loop 15 times (loop counter is in BP+0)
+l15ffd loop_is_not_done
+k16001 R3R4 = loop counter * 3
+k16005 R1 = loop counter * 3 & 255 + 07A5
+l16024 loop_is_done
+p1602a
+l16033 loop_start
+l1603a loop_body
+k1603c R4,R3 = loop_index * 6
+k16040 R1 = loop_index * 6 + 7e9
+k16043 Store -1 at loop_index * 6 + 7e9
+k1604d Store -1 at loop_index * 6 + 7ea
+k16058 Store 0 at loop_index * 6 + 7e7, 7e8
+k16067 Store 0 at loop_index * 6 + 7e5, 7e6
+l16072 end_loop
+k16094 Enable interrupts (both IRQ and FIQ)
+p1609f
+p166b7
+p16716
+p16785 MEMCLEAR_16_WORDS
+l1678d loop_start
+l16794 loop_do
+l167a5 loop_done
+p167a8
+l167b9 magic_is_installed
+l167c1 27d0_is_clear
+l167d3 27d0_is_not_clear
+l167e6 magic_not_installed
+p167e9
+p1683b
+p16857 WAIT_0844_CHANGE
+k1685f [BP] = [0844]
+k16865 [BP+1] = [0844]
+l16866 loop_start
+w1687d
+p17928
+p17a03 INIT_GPIOs
+k17a04 Select "special 1" mode for IOA (STN LCD interface)
+k17a11 Set IOA0-IOQ11 to "special" mode
+k17a15 Prepare IOB special mode (external cart select pins)
+p17a34 INIT_LCD_OUTPUT
+p17ac3 RESTORE_INTERRUPT_FLAGS
+p17ad5 IS_IRQ_ENABLED
+p17AD9 IS_FIQ_ENABLED
+p17add ENABLE_IRQ
+p17ae8 DISABLE_IRQ
+p17af5 ENABLE_FIQ
+p17b00 DISABLE_FIQ
+p17b0d DISABLE_IRQ_AND_FIQ
+p17b14 ENABLE_IRQ_AND_FIQ
+p17b1e GET_INTERRUPT_STATUS
+p17b21 SAVE_AND_SET_INTERRUPTS
+n17b21
+Change interrupt state and return the previous state, which can be used later to restore them to
+how they were
+.
+p17b2f INIT_INTERRUPT_VECTORS
+n17b2f
+Interrupt vectors from the BIOS are routed to RAM so they can be changed dynamically
+This function initializes that RAM area with CALL instructions
+.
+p17b98 ACK_ALL_INTERRUPTS
+p17ba0 CLEAR_INTERRUPTS
+k17ba2 Clear all interrupt bits
+k17bac Disable and clear PPU interrupts
+p17bba INIT_EXMEM_AND_DISABLE_FIQ
+k17bc1 R2 = [RESET - 2] = AEE2
+k17bc4 R1 = EXTMEM & F000 | [RESET - 2] | 40
+k17bc7 R2 = [ae84] & 3 = 2
+k17bc9 R1 = EXTMEM & F000 | AEE2 | 40 | 1 = ?EE3
+p17bd5
+p17be3
+p17bf1
+p17db3 IS_OFF_BUTTON_PRESSED
+p17dba IS_RESET_BUTTON_PRESSED
+p17dbf IS_ON_BUTTON_PRESSED
+p17dc6 GET_WORD_FROM_FAR
+p17dd0 PUT_WORD_TO_FAR
+p17ddb
+p17e0a MEMCPY_FROM_FAR
+n17e0a
+Parameters:
+BP+3: Source address
+BP+4: DS
+BP+5: Destination address
+BP+6: Word count
+.
+p17e1c MEMCPY_TO_FAR
+p17e2e
+p17e55
+p17ed4 SHUTDOWN_IF_016D_GT_10
+p17edd HARDWARE_INIT
+p17eec
+p17f90 DISABLE_WATCHDOG
+p17f99 CLEAR_WATCHDOG
+p17fa0 READ_IOC4_BOOTLOGO
+p17fa4 READ_IOC_LANGUAGE_SANITIZED
+w17fb1
+p17fc1 READ_IOC_LANGUAGE_RAW
+p17fc5 READ_IOC5
+p17fc9 WAIT_ALL_DMAS_AND_RESET
+k17fe0 Call reset vector
+k17ffb R1 = EXTMEM & F000
+l17fce
+p17fe8
+p17ff7 CONFIGURE_TIMER2_512HZ
+p18006 ENABLE_BLANKING_INTERRUPT
+p1800e
+p18020
+p18081 DELAY_23A0000
+p18090
+p19010
+p1901a STUB_RETURN_0
+p19024 IS_016D_GREATER_THAN_10
+p19039
+p190b3
+p182ac
+p19317
+p19ab9 CLEANUP_AND_SHUTDOWN
+l19aba wait_dma_idle
+l19abe wait_sprite_dma_idle
+k19ac3 Copy 10 words from 0:ae85 to 27e0
+k19ae3 Enable wakeup on register B
+l19b0d wait_su_idle
+p19b49 PPU_ERASE_ALL_SPRITES
+p19b5f SPU_CLEAR_ALL_CHANNELS
+p19b81 DELAY_AND_RESET
+p19b9a SPU_MAXIMIZE
+n19b9a
+Gradally increment SPU mixer outputs until they reach the maximal possible value
+.
+p19bb5 SPU_BALANCE
+n19bb5
+Gradually increment or decrement SPU mixer outputs until they both reach the neutral value of 8000.
+This avoids making a loud POP by setting them to a value directly from an unknown one.
+.
+p19bcf PPU_SPU_INIT_REGISTERS
+p19bd4 PPU_SPU_LOAD_INITVALUES
+p19be1 PPU_LOAD_INITTABLES
+n19be1
+Initialize large areas of PPU registers
+Each data entry consists of:
+- A target address,
+- A number of repetitions to perform (number of entries to write)
+- Size of an entry
+- Values for each entry
+This function loops over all of that and sets all the registers (palette, sprite data, etc) to the
+correct default values
+.
+l19bea load_one_table
+k19bea Load destination address from table
+k19bec Load repeat count from table
+k19bee Load value count from table
+l19bf1 load_one_entry
+l19bf3 load_one_value
+k19bf3 Load value from table
+w19bff PPU_SPU_initialvalues
+w19c66 PPU_inittables
+w19c7a
+p1a0a7
+p1a20a
+p1a4d6
+w1A533 RAM_DATA_SECTION
+e20000