0x11936A8, 0x151B0	bin	LBA 0x400: sound tables
0x126B3C8	bin	LBA 0x432: sound samples
0x1518FA8

0x18D0268	ram.mfs
0x3D7A028	copy of fonts from IPL

For Nemu NOP 80032188!
0x1527890 for IPL music; 0x2BE480

+_+	addresses and functions

8001FA00	0x206E8	Thread: LeoWrk

80020250	0x20F38	A2=size of A1 LBAs starting at LBA A0

800203A0	V0=p->IPL EPI handle @80154A30, creating if necessary

800278A0	0x28588	send or jam (A2) msg A1 to queue A0

80027D40	0x28A28	read or wait (A2) to write msg f/ queue A0 to A1

80028624	getting an inf. loop here due to stack corruption
	while not call 8002E0A0():	# True if SP Status and SP Busy clear
		pass
	call 80032180(0x125)	# SP Status = A0
80028670

80029E10	create thread

8002A3D0	0x2B0B8	cache A2 bytes at A1 before hardware write


8002B850	0x2C538
	@0x2C5EC	creates the E/PI thread
	800732C0 = (1, 801568C0, [800B3458], 80157A70, 801564C8, 8002BDD0, 8002E710)	(flag, thread, req, callback, busy, f(PI), f(EPI))
8002B9C0	0x2C6A8	Thread: E/PI

8002BDD0	0x2CAB8	PI for boot device

(check this one!)
8002DDB0	0x2EA98	send EPI read or write (A2) request A1 using EPI handle A0
	accepts: A0=p->EPI handle, A1=p->req, A2=mode (0:EPI read, 1:EPI write)

8002DFC0	0x2ECA8	create queue A0 with A2 msgs at A1
8002DFF0	0x2ECD8	cache A2 bytes at A1 before hardware read

8002FB00	0x307E8	V0=0 if not @800732C0 else p->E/PI request queue

8002FCA0	0x30988	write word A2 to A1 using EPI handle A0

80154A30	p->EPI IPL handle
80154AB0	p->EPI ASIC handle

+_+	changes

alternate:
0x20788	8001FAA0	LeoWrk: remove ASIC Status and error detection, plus set default values
3C058000	LUI	A1,8000
...
0xE398
8CA501A0	LW	A1,01A0 (A1)
3C06A002	LUI	A2,A002
1000000A	BEQ	R0,R0,+10
ACC5FAE0	SW	A1,FAE0 (A2)
original:
0x20788	8001FAA0	LeoWrk: remove ASIC Status and error detection, plus set default values
3C050100	LUI	A1,0100	;default ASIC Status value
...
0x20798
3C068015	LUI	A2,8015
1000000B	BEQ	R0,R0,+11
ACC54B30	SW	A1,4B30 (A2)
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
...
0x20988	alter a branch over eliminated code
10200036	BEQ	AT,R0,+0x36
...
0x209DC	8001FCF4	0x88 of zeroes!
0x20A64	8001FD7C
0C007F9F	JAL	8001FE7C	;directly read disk header to 800C86E0
00000000	NOP
change some pointers!	8001FCF4 -> 8001FD7C
0x74938, 0x7493C, 0x74940, 0x74944, 0x7494C, 0x74950, 0x74958

0x20B64	8001FE7C	rewritten: directly read disk header from ROM, return 0
27BDFFE8	ADDIU	SP,SP,FFE8
3C058015	LUI	A1,8015
AFBF0014	SW	RA,0014 (SP)
8CA249B0	LW	V0,49B0 (A1)
24041000	ADDIU	A0,R0,1000
24A562E0	ADDIU	A1,A1,62E0
240600E8	ADDIU	A2,R0,00E8
0C0081F4	JAL	800207D0	;read A2 bytes from offset A0 to rdram A1
A4400004	SH	R0,0004 (V0)
8FBF0014	LW	RA,0014 (SP)
00001025	OR	V0,R0,R0
03E00008	JR	RA
27BD0018	ADDIU	SP,SP,0018
0x180 zeroes

0x20DA4	800200BC	rewritten: process disk read or write (A1) request at 801549B0 using base LBA 0
00002825	OR	A1,R0,R0
0x20DA8	800200C0	rewritten: process disk read or write (A1) request at 801549B0 using base LBA A0
27BDFFE0	ADDIU	SP,SP,FFE0
AFBF001C	SW	RA,001C (SP)
AFB00018	SW	S0,0018 (SP)
3C108015	LUI	S0,8015
8E0649B0	LW	A2,49B0 (S0)	;A1=p->leocmd
A2054A0A	SB	A1,4A0A (S0)	;80154A08[2] = mode
8CCA0014	LW	T2,0014 (A2)	;T2=p->target
8CC2000C	LW	V0,000C (A2)	;V0=lba
8CC50010	LW	A1,0010 (A2)	;A1=num
00822021	ADDU	A0,A0,V0	;A0=actual LBA
00854021	ADDU	T0,A0,A1
2D0110DD	SLTIU	AT,T0,10DD	;True if valid
14200004	BNE	AT,R0,tobytes
260B4968	ADDIU	T3,S0,4968
24090220	ADDIU	T1,R0,0220
1000001D	BEQ	R0,R0,return
A4C90004	SH	T1,0004 (A2)
A4C00004	SH	R0,0004 (A2)
AE0449C0	SW	A0,49C0 (S0)
AE0B4A0C	SW	T3,4A0C (S0)	;80154A08[4:8] = p->thread to notify
AE0A4A10	SW	T2,4A10 (S0)	;80154A08[8:12] = p->rdram
0C008095	JAL	80020254	;A2=size of A1 LBAs starting at LBA A0
26064A18	ADDIU	A2,S0,4A18	;80154A08[16:20] = size
8E0549C0	LW	A1,49C0 (S0)
00002025	OR	A0,R0,R0
0C008095	JAL	80020254	;A2=size of A1 LBAs starting at LBA A0
26064A14	ADDIU	A2,S0,4A14	;80154A08[12:16] = hardware offset
92014A0A	LBU	AT,4A0A (S0)	;mode
8E044A10	LW	A0,4A10 (S0)	;p->target
14200003	BNE	AT,R0,+3
8E054A18	LW	A1,4A18 (S0)	;size
0C00B7FC	JAL	8002DFF0	;cache A2 bytes at A1 before hardware read
27FF0008	ADDIU	RA,RA,0008
0C00A8F4	JAL	8002A3D0	;cache A2 bytes at A1 before hardware write
00000000	NOP
24020004	ADDIU	V0,R0,0004
26044AB0	ADDIU	A0,S0,4AB0
26054A08	ADDIU	A1,S0,4A08
92064A0A	LBU	A2,4A0A (S0)
0C00B76C	JAL	8002DDB0	;send EPI read or write (A2) request A1 using EPI handle A0
AC820014	SW	V0,0014 (A0)	;epi+20 = 2: cart request
26044968	ADDIU	A0,S0,4968
00002825	OR	A1,R0,R0
0C009F50	JAL	80027D40	;wait to write msg f/ queue
24060001	ADDIU	A2,R0,0001
8FBF001C	LW	RA,001C (SP)
8FB00018	LW	S0,0018 (SP)
03E00008	JR	RA
27BD0020	ADDIU	SP,SP,0020

0x20F38	80020250	alt. entry: size of A1 LBAs starting at LBA 0x18
24840018	ADDIU	A0,A0,0018	;last step
...
0x20F74
10000038	BEQ	R0,R0,+0x38
...
0x20F84	change the order, then move third op to start of function
12200031	BEQ	AT,V0,+0x31
24020001	ADDIU	V0,R0,0001

0x210CC	800203E4	IPL->cartROM
3C18B3CD	LUI	T8,B148	B3CDA028
3C048015
3718A028	`ORI	T8,T8,7890	;inserted, -0xA0000
A20F0004
AE18000C
A2000009
AE000010
24849444
0C005AD8
24050060
3C07A460	LUI	A3,A460
34E30010	ORI	V1,A3,0010
8C620000
`3C07A460	moved!
...
0x2115C	80020474	read the EPI settings from beginning of cartrom
3C01A000	LUI	AT,A000
8C2E0308	LW	T6,0308 (AT)

0x211E8	80020500	rewrite: send disk inquiry
3C028015	LUI	V0,8015
8C4849B0	LW	T0,49B0 (V0)
240C0001	ADDIU	T4,R0,0001
AD00000C	SW	R0,000C (T0)
A10C000D	SB	T4,000D (T0)
A10C000E	SB	T4,000E (T0)
03E00008	JR	RA
A1000004	SB	R0,0004 (T0)

0x212AC	800205C4	modify ASIC EPI handle at creation
24020040	ADDIU	V0,R0,0040
24030007	ADDIU	V1,R0,0007
3C0EAFF9	LUI	T6,AFF9
240F0003	ADDIU	T7,R0,0003
24181201	ADDIU	T8,R0,1201
25CED828	ADDIU	T6,T6,D828	;ASIC correction AFF8D828
3C048015	<untouched>
A6020004	SH	V0,0004 (S0)	;800B94B0[4:] = 0040 07 03 1201 ---- AFF8D828
AE0E000C	SW	T6,000C (S0)
A6180008	SH	T8,0008 (S0)
A2030006	SB	V1,0006 (S0)
A20F0007	SB	T7,0007 (S0)

0x21398	800206B0	rewritten: read disk ID directly from cart header
27BDFFE8	ADDIU	SP,SP,FFE8
3C058015	LUI	A1,8015
AFBF0014	SW	RA,0014 (SP)
8CA549B0	LW	A1,49B0 (A1)
A4A00004	SH	R0,0004 (A1)
24040018	ADDIU	A0,R0,0018
24060020	ADDIU	A2,R0,0020
0C0081F4	JAL	800207D0	;read A2 bytes from offset A0 to rdram A1
8CA5000C	LW	A1,000C (A1)
8FBF0014	LW	RA,0014 (SP)
08008453	J	8002114C	; unset disk changed flag in leo status flags
27BD0018	ADDIU	SP,SP,0018

0x214B8	800207D0	inserted: read A2 bytes from A0 to rdram A1
27BDFFE8	ADDIU	SP,SP,FFE8
AFBF0014	SW	RA,0014 (SP)
3C038015	LUI	V1,8015
AC664A18	SW	A2,4A18 (V1)
24624968	ADDIU	V0,V1,4968
3C01000B	LUI	AT,000B
AC644A14	SW	A0,4A14 (V1)
AC654A10	SW	A1,4A10 (V1)
AC624A0C	SW	V0,4A0C (V1)
00A02025	OR	A0,A1,R0
00C02825	OR	A1,A2,R0
0C00B7FC	JAL	8002DFF0	;cache A2 bytes at A1 before hardware read
AC614A08	SW	AT,4A08 (V1)
0C00BEC0	JAL	8002FB00	;V0=0 if not @800732C0 else p->E/PI request queue [@800732C8]
00000000	NOP
3C058015	LUI	A1,8015
00402025	OR	A0,V0,R0
00003025	OR	A2,R0,R0
0C009E28	JAL	800278A0	;send msg A1 to queue A0
24A54A08	ADDIU	A1,A1,4A08
3C048015	LUI	A0,8015
24060001	ADDIU	A2,R0,0001
00002825	OR	A1,R0,R0
0C009F50	JAL	80027D40	;wait to write msg f/ queue
24844968	ADDIU	A0,A0,4968
8FBF0014	LW	RA,0014 (SP)
03E00008	JR	RA
27BD0018	ADDIU	SP,SP,0018

0x21528	80020840	eliminate 7 lines here to falsify reading ASIC Status
alternate:
3C01B3E1	LUI	AT,B3E1
3C0FA002	LUI	T7,A002
3C0E8015	`LUI	T6,8015
8C213270	LW	AT,3270 (AT)	;AT = gameID
8DE2FAE0	LW	V0,FAE0 (T7)	;V0 = cur. gameID
3C030100	`LUI	V1,0100
54410002	BNEL	V0,AT,+2
ADC04B30	SW	R0,4B30 (T6)
ADC34B30	SW	V1,4B30 (T6)
ADE1FAE0	SW	AT,FAE0 (T7)
8DCE4B30

0x21DA8	800210C0	leo reset -> unconditonal return

0x23B88	80022EA0	disk start/stop
3C018015	LUI	AT,8015
8C2149B0	LW	AT,49B0 (AT)
03E00008	JR	RA
A4200004	SH	R0,0004 (AT)

0x23C78	80022F90	IPL verification test function
	0x23CF4	change base to ROM, change test to data at 0x1010
	3C19B000	LUI	T9,B000
	....
	0x23D18
	3C016C78	LUI	AT,6C78
	34218490	ORI	AT,AT,8490

0x23D48	80023060	disk select
3C018015	LUI	AT,8015
8C2149B0	LW	AT,49B0 (AT)
03E00008	JR	RA
A4200004	SH	R0,0004 (AT)

0x24148	80023460	disk rezero
3C028015	LUI	V0,8015
8C4E49B0	LW	T6,49B0 (V0)
A44049C2	SH	R0,49B2 (V0)
A04049C7	SB	R0,49B7 (V0)
A04049C8	SB	R0,49B8 (V0)
03E00008	JR	RA
A1C00004	SB	R0,0004 (T6)

0x24828	80023B40	rewritten: read time from drive
3C038015	LUI	V1,8015
3C048000	LUI	A0,8000
8C6F49B0	LW	T7,49B0 (V1)
908B01B1	LBU	T3,01B1 (A0)
908201B2	LBU	V0,01B2 (A0)
909801B3	LBU	T8,01B3 (A0)
A1E2000E	SB	V0,000E (T7)
908801B4	LBU	T0,01B4 (A0)
A1F8000F	SB	T8,000F (T7)
908A01B5	LBU	T2,01B5 (A0)
A1E80010	SB	T0,0010 (T7)
908C01B6	LBU	T4,01B6 (A0)
A1EA0011	SB	T2,0011 (T7)
908E01B7	LBU	T6,01B7 (A0)
A1EC0012	SB	T4,0012 (T7)
A1EE0013	SB	T6,0013 (T7)
A1E00004	SB	R0,0004 (T7)
03E00008	JR	RA
A1EB000D	SB	T3,000D (T7)

0x27CC8	80026FE0	process disk write request
24040018	ADDIU	A0,R0,0018
08008030	J	800200C0
24050001	ADDIU	A1,R0,0001

0x283A8	800276C0	seek to LBA on disk
3C018015	LUI	AT,8015
8C2149B0	LW	AT,49B0 (AT)
03E00008	JR	RA
A4200004	SH	R0,0004 (AT)

0x2CAB8	8002BDD0	PI for boot device
@0x2CB20	8002BE38	probably correct OP to add instead of OR
03284821	ADDU	T1,T9,T0

@0x2F230	8002E548	EPI hardware LW
01475821

@0x31C80	80030F98	EPI hardware SW
01475821

0x2F3F8	8002E710	EPI for handle A0
@0x2F56C	8002E884	probably correct OP to add instead of OR
016C6821	ADDU	T5,T6,T4

+_+	IPL music samples

0x3C790
1461001E	BNE	V1,AT,+return	# if not 3 return 0
3C01013E	LUI	AT,013E
24217890	ADDIU	AT,AT,7890	# 0x1527890 - 0x140000
00273821	ADDU	A3,AT,A3