As mentioned in the previous logs, if you have used this method, you may able to get the dump and run this binary in the EmuVT emulator.

So on about last year, I actually dissected the flow of the program and written it into a piece of paper. This analysis does not include how the game menu works and the test screen - only the startup.

Using the EmuVT emulator and putting breakpoints one by one, I managed to see things like:

• Getting the starting address at $7FFFC.
• Initializing registers at $412B and $412C.
• Dumping about 15 values into the $4200. 
• It went on jumping back and forth around addresses $60000 and $70000. Most of the TFT startup and the menu, and Aaronix test screen logic are situated at $60000.
• OneBus switching seems to be performed in RAM. 
• The TFT initialization seems to follow a pattern. There are multiple loads and stores, and digging the pattern in Google, the model is actually GC9306. Datasheet here.
• The register $4233 possibly controls the 16-bit parallel LCD outputs to be a GPIO or the parallel LCD. When it is set at $84, this might becomes a GPIO - during the TFT initialization it does this. When done the initialization routines, this is set at $04. 
• The functions that write the command and data to the TFT uses $4230 and $4231. At $4233 again if it is a write command, $94 is written. If it is a write data, $D4 is written.
• Finally, around the starting point of the game menu, $412C is written $0F to enable the backlight.

These are also verified using the homebrew flash emulator that dumps part of the ROM ($60000-$80000) into the Teensy 4.1. 

With the flash emulator, using the stripped ROM, I managed to try adding a while loop at certain places in the ROM (usually 4C xx xx) to 'halt' the program. This is useful when I want to see when the backlight gets switched on. Initially, it is thought that the backlight is switched on at the TFT initialization routines. However, putting the command inside does not work (backlight doesn't lit up), and I had to try adding this 'halt' between the function calls when the menu is running. When one of the locations are being known to switch on the backlight, I focused into it and found out that putting the $0F into the $412C actually does this thing.

I dumped two of these ROMs (one bought in 2020, and another somewhere later) and one of them have swapped bits 1-2 and 9-10 at the data pins! Some of them have very different starting vectors too - one started at $FF00, and one at $FEF5. However, they all use the same mentioned registers and these apps could possibly work on another similar Sup 400-in-1 consoles.

One more issue - where are the registers that controls the external sound speakers?