vsmile: Continue annotating...
diff --git a/vsmile/listfile b/vsmile/listfile
index c27fcfb..6e1e638 100644
--- a/vsmile/listfile
+++ b/vsmile/listfile
@@ -8,10 +8,25 @@
 l0000 magic_start
 
 z0010
+w07a2 slot_counter_something
 w07a3 interrupt_nesting_counter_low
 w07a4 interrupt_nesting_counter_high
 z07a5
-w0842
+w07a7 fiq_nesting_counter
+w07b9 irq2_nesting_counter
+w07bf irq5_nesting_counter
+w07ce irq6_nesting_counter
+w07d7 irq7_nesting_counter
+w07dd irq1_nesting_counter
+w07e0 irq3_nesting_counter
+w07e3 irq4_nesting_counter
+z07e5 slot_buffer_something
+n07e5
+In blocks of 6 bytes, with the one at offset 5 being some kind of ID?
+.
+
+w0842 int_something842
+w0843 int_something843
 w0844 INT_COUNTER_LOW
 w0845 INT_COUNTER_HIGH
 
@@ -22,13 +37,18 @@
 previous state.
 .
 
+w0847 int_something847
+w0848 int_something848
+w0849 int_something849
+w084a int_something84a
+
 n084b
 The BIOS routes interrupt here in RAM, this area is initialized with jumps to the ROM but can be
 modified at runtime to re-route the interrupts to different routines if needed.
 .
 l084B BREAK
 l084D FIQ
-l084F IRQ0
+l084F IRQ0_PPU
 l0851 IRQ1
 l0853 IRQ2
 l0855 IRQ3
@@ -37,10 +57,32 @@
 l085B IRQ6
 l085D IRQ7
 
-l087c LAYERA_TILEMAP_PTR
-l087d LAYERA_ATTRS_PTR
+w085f PPU_INTERRUPT_SEMAPHORE
+
+n0878
+Pointer to an array of layer descriptor structures (10 words each).
+Each struct content:
+	0    Offset to attributes
+	1    Segment to attributes
+	2    Offset to tilemap
+	3    Segment to tilemap
+	4
+	5
+	6
+	7
+	8
+	9
+.
+w0878 offsetbase_something_10word
+w0879 segment_something_10word
+
+w087c LAYERA_TILEMAP_PTR
+w087d LAYERA_ATTRS_PTR
 z087e LAYERB_TILEMAP
 
+w0889 SPRITE_TILEBASE_PTR
+w0888 SPRITE_ATTR_PTR
+
 w090e CTRLRA_BUTTON
 w090f CTRLRA_COLOR
 w0910 CTRLRA_UPDOWN
@@ -80,6 +122,8 @@
 l2813 PPU_LAYERA_CONTROL
 l2814 PPU_LAYERA_TILEMAP
 
+l2816 PPU_LAYERB_X
+l2817 PPU_LAYERB_Y
 l2818 PPU_LAYERB_ATTRS
 l2819 PPU_LAYERB_CONTROL
 l281A PPU_LAYERB_TILEMAP
@@ -120,6 +164,8 @@
 l3d25 R_ADC_CTRL
 l3d29 R_WAKEUP_SRC
 l3D2A R_WAKEUP_TIME
+l3d2c R_RANDOM1
+l3D2D R_RANDOM2
 l3d2e R_FIQ_SEL
 l3d2f DS
 l3D30 R_UART_CTRL
@@ -129,7 +175,10 @@
 l3D34 R_UART_BAUD_H
 l3D35 R_UART_TX
 l3D36 R_UART_RX
+l3e00 R_GPDMA_SRC_SEG
+l3e01 R_GPDMA_SRC_OFF
 l3e02 R_GPDMA_WORDCOUNT
+l3e03 R_GPDMA_TARGET
 n4000
 Start of ROM area
 .
@@ -346,6 +395,16 @@
 peaf4
 peaff
 pf606
+
+pf616
+lf61f
+lf623
+lf635
+lf640
+lf64f
+lf693
+lf6f3
+
 wfaea
 pfbb7
 lfbc0
@@ -363,6 +422,24 @@
 l12307 ret_1221b
 p1230a
 p13a1c
+
+p14d21
+k14d31 Disable 32KHz clock and video DAC
+k14d3d Clear IOC10 (controller A RTS?)
+l14d42
+l14d4a
+l14d51
+l14d5b
+l14d5f
+l14d72 Disable_clock_and_return_0
+
+p14d7a
+p14f25
+
+p15df0
+k15e16 I am confused because MEMCPY_FROM_FAR takes 4 arguments, where are the 2 other?
+p15e28
+
 p15fed GENERATE_MULTIPLIERS_TABLE
 l15ff6 loop_start
 k15ff6 loop 15 times (loop counter is in BP+0)
@@ -416,11 +493,40 @@
 p172dd Something_SpriteTile
 p172fd Something_SpriteAttrs
 p1731f
-p1732b
+
+p1732b SET_SPRITE
+k17330 Parameter 3: sprite number
+k17332 R4 = Sprite address
+k17335 Parameter 2: sprite char
+k17338 Parameter 0: sprite X
+k1733a Parameter 1: sprite Y
+
+
+p17341 ALLOC_SPRITE
+n17341
+Find an unused sprite (character set to 0 and palette set to C)
+Set palette to 0 to mark the sprite as allocated
+Return sprite number in R1
+.
+l17346
+l1734e
+l17351 sprite_found
+
+p17356 FREE_SPRITE
+n17356
+Reset all registers for a sprite to 0, except palette attribute which is set to C
+Parameter on stack: sprite number
+.
+
 p17371 ENABLE_27MHZ_CLOCK
 p17379 DISABLE_27MHZ_CLOCK
-p17382
-p17397
+
+p17382 GET_ATTRIBUTE_FROM_LAYER_DESCRIPTOR
+k17385 R1 = Param
+k17387 R3 = Param * 10
+k1738B R3 = Param * 10 + 2 + [0878]
+
+p17397 GET_TILE_FROM_LAYER_DESCRIPTOR
 p173ab
 
 p17437 MEMSET_V_R1_DEST_R2_COUNT_R3
@@ -445,16 +551,19 @@
 l1750d
 
 p17518 LOAD_888_AND_889_FROM_879_878_TABLE
-p17542 HEX2DEC_TENS
+p17542 LOOKUP_LSR4_28140A05
 w1754d
-p17551
+p17551 LOOKUP_LSR4_40201008
 w1755c
-p17560
+p17560 LOOKUP_LSR6_20100804
 w1756c
-p17570
+p17570 LOOKUP_LSR6_1E0F0804
 w1757c
 
-p17580
+p17580 ACTIVATE_LAYERB_BACKGROUND_FROM_DESCRIPTOR
+k17589 USe single attribute register, enable "background" mode
+k175aa Enable the layer
+
 p175af
 p175d7 SET_PALETTE_FROM_LAYER_STRUCT
 p175e5 LAYERATTRS_GENERATE_PALETTE_INDIRECTJUMP
@@ -495,12 +604,13 @@
 l176f9 configure_layera
 
 p17708 LOAD_LAYERB_TILEMAP
+
 p17713 SPRITE_dosomething
 l17724
 l17746
 l1774d
 l1774f
-l1775d
+l1775d ret_17713
 
 p17760
 p177a9
@@ -512,6 +622,7 @@
 l177ee
 p177f1
 p17860
+l17872
 p1787f
 l17893
 l178a2
@@ -586,9 +697,48 @@
 k17bc4 Bus arbitration default value
 k17bc7 Waitstates configuration
 k17bc9 Final value of EXT_MEM_CTRL register
-p17bd5 interrupt_exit
-p17be3
-p17bf1
+
+p17bd5 INT_RAMVEC_BREAK
+l17be1
+p17be3 INT_RAMVEC_FIQ
+l17bef
+
+p17bf1 INT_RAMVEC_IRQ0_PPU
+n17bf1
+unSP 1.0 does not allow interrupt nesting. So the interrupt handlers are written in a way that
+exits interrupt handling mode as soon as possible, and then jump to the interrupt processing
+routine using a RETI instruction (to an address pushed on the stack). The interrupt handling is
+then protected with a software semaphore to aovid calling the routine while it is already running.
+.
+k17bf3 Clear the hardware interrupt
+k17bfa Check if the interrupt handling routine is already running
+k17c01 Perform a "fake" RETI to re-enable interrupts and jump to the actual handling code
+l17c06 ppu_int_exit
+
+p17c08 handle_ppu_interrupt_normalmode
+n17c08
+Input: BP contains the 3 low bits of PPI_IRQ_STATUS/CONTROL (active interrupts)
+.
+k17c08 blanking interrupt handling
+l17c16 inc_counter_nooverflow
+k17c1c Request an ADC conversion every 16 frames
+l17c20 not_multiple_of_16
+l17c2a
+l17c3c no_blanking_irq
+k17c3c Video Timing IRQ handling
+l17c48 no_vdo_irq
+k17c48 Sprite DMA IRQ handling
+l17c54 no_dma_irq
+k17c54 Clear the interrupt semaphore so that the interrupt handler can be called again
+
+p17c59 INT_RAMVEC_IRQ1
+p17c67 INT_RAMVEC_IRQ2
+p17c95 INT_RAMVEC_IRQ3
+p17cd4 INT_RAMVEC_IRQ4
+p17ce2 INT_RAMVEC_IRQ5
+p17d0b INT_RAMVEC_IRQ6
+p17d43 INT_RAMVEC_IRQ7
+
 p17db3 IS_OFF_BUTTON_PRESSED
 p17dba IS_RESET_BUTTON_PRESSED
 p17dbf IS_ON_BUTTON_PRESSED
@@ -615,31 +765,83 @@
 BP+6: Word count
 .
 p17e1c MEMCPY_TO_FAR
-p17e2e
-k17e31 Some kind of memcpy from far memory, again...
-k17e4a Push new values for SR and PC to the stack and use RETF to go there
-k17e37 Set DS, the old and complicated way...
-w17e52
 
-p17e55
+p17e2e COPY_TO_RAM_AND_EXECUTE_SRPC
+n17e2e
+Copy a piece of code to RAM (on the stack) and then execute it from there.
+Parameters: Segment:Offset of routine to call, and routine size in bytes
+.
+k17e31 R4 = Param0 = Size
+k17e35 R3 = Param1 = Src Offset
+k17e36 R1 = Param2 = Src Segment
+k17e37 Set DS, the old and complicated way...
+k17e3f Copy the pointed data onto the stack
+k17e4a Push SR:PC for the return thunk, the called function will return there
+k17e4e Push SR:PC for the routine copied in RAM, then call it using RETF
+p17e52 COPY_TO_RAM_RETURN_STUB
+n17e52
+Used by the routine above to return execution to the normal flow
+.
+
+p17e55 COPY_TO_RAM_AND_EXECUTE_PCSR
+n17e55
+Same as above, but the address to jump to is pushed as PC:SR instead of SR:PC on the stack?
+.
 l17e6c
 l17e6a
-p17e7c
+p17e79 COPYTORAM_PCSR_RETSTUB
+
+p17e7c MEMCPY_SIMPLE
+n17e77
+Simple memcpy from and to the current active segment.
+Params: Source, Destination, Size in words
+.
 l17e83
 l17e86
-l17e99 dma_wait
-l17eab dma_wait2
-l17eb0 dma_wait3
+
+p17e89
+p17e96 HWRNG_GET_RANDOM2
+
+p17e99 DMA_COPY
+n17e99
+Perform a memory copy using GPDMA. Waits for the transfer to complete before returning.
+Parameters on the stack:
+- Source Segment:Offset
+- Target
+- Word count
+.
+l17eab dma_wait
+
+p17eb0 DMA_COPY_ASYNC
+n17eb0
+Starts a DMA transfer, DOES NOT wait for it to terminate.
+Parameters on the stack:
+- Source Segment:Offset
+- Target
+- Word count
+.
+
+p17ec3 DMA_COPY_SYNC_REG
+n17ec3
+Sync DMA transfer (function waits for transfer to be completed)
+Parameters from registers:
+- R1:R2: Source Segment:Offset
+- R3: Destination
+- R4: Word count
+.
+
 p17ed4 SHUTDOWN_IF_016D_GT_10
 p17edd HARDWARE_INIT
-p17eec
-l17efe
+
+p17eec TEST_ONOFFRESET_BUTTONS
+l17f10 on_button_not_pressed
 l17f18
-l17f29
+l17f29 on_or_reset_pressed
 l17f32
 l17f38
 l17f3c
-l17f69
+l17f69 ret_17eec
+
 p17f6d SET_080d
 p17f75 GET_080d
 p17f78
@@ -683,7 +885,9 @@
 p17fe8 CONFIGURE_EXTMEM
 p17ff7 CONFIGURE_TIMER2_512HZ
 p18006 ENABLE_BLANKING_INTERRUPT
+
 p1800e find_slot_something
+l18016 findslot_loop
 l18020 return_1
 
 p18023
@@ -705,10 +909,19 @@
 p19010 STUB_RETURN_0_a
 p1901a STUB_RETURN_0_b
 p19024 IS_016D_GREATER_THAN_10
+l19034 ret0_19024
+l19037 ret_19024
 p19039
+p19073
 p190b3
+p192ac
+p192dc
+
 p19317
+l19353 ret_19317
+
 w19356
+p19632
 p19ab9 CLEANUP_AND_SHUTDOWN
 l19aba wait_dma_idle
 l19abe wait_sprite_dma_idle