Game Toshokan

For hardware talk only (please avoid ROM dumper stuff)
Post Reply
Charles MacDonald
Very interested
Posts: 283
Joined: Sat Apr 21, 2007 1:14 am

Re: Decapping more Genesis chips

Post by Charles MacDonald » Fri Oct 30, 2015 7:26 am

Sik wrote:(what does Game Toshokan do, anyway? the only custom hardware in it is 128KB of RAM as far as I know)
Isn't the RAM for the games you download through the modem? Or is there something else weird about how the cart works?

User avatar
Sik
Very interested
Posts: 720
Joined: Thu Apr 10, 2008 3:03 pm
Contact:

Re: Decapping more Genesis chips

Post by Sik » Sat Oct 31, 2015 5:29 pm

Charles MacDonald wrote:
Sik wrote:(what does Game Toshokan do, anyway? the only custom hardware in it is 128KB of RAM as far as I know)
Isn't the RAM for the games you download through the modem? Or is there something else weird about how the cart works?
It is, but I have my doubts that they went with 128KB of SRAM in 1990, and the hardware provides no room for cartridge-induced delays outside the $800000-$9FFFFF range (and you'd need those delays to allow RAM refresh when using DRAM). The RAM is in the $020000-$03FFFF range ...I think so. The game dumps we have are actually modified (only Game Toshokan as-is is not altered), so I'm not sure if the RAM address range is actually that.
Sik is pronounced as "seek", not as "sick".

Charles MacDonald
Very interested
Posts: 283
Joined: Sat Apr 21, 2007 1:14 am

Re: Decapping more Genesis chips

Post by Charles MacDonald » Sat Oct 31, 2015 10:19 pm

Yeah 128K of RAM does sound like quite a lot. I ordered one and I'll report back once it arrives and I have it opened up. If it's just two 64K RAM chips I'll be really surprised -- I wonder what the retail price of Game Toshokan was back then. Had to be expensive.

User avatar
Sik
Very interested
Posts: 720
Joined: Thu Apr 10, 2008 3:03 pm
Contact:

Re: Decapping more Genesis chips

Post by Sik » Sun Nov 01, 2015 2:31 am

It came bundled with the modem I think and allowed you to connect to a service that you paid for montly, so that probably answers your question regarding the cost =P
Sik is pronounced as "seek", not as "sick".

Charles MacDonald
Very interested
Posts: 283
Joined: Sat Apr 21, 2007 1:14 am

Re: Decapping more Genesis chips

Post by Charles MacDonald » Fri Nov 13, 2015 7:01 pm

Well now I'm confused. All that's inside the Game Toshokan cartridge is a ROM, some TTL logic, and a small X24C01 serial EEPROM.
I see the retail box includes a modem and a cartridge and nothing else. So where do the downloaded games go? :?

I made a schematic of the board to figure out the memory map, which is common to any game using this 171-5878 PCB:

https://www.dropbox.com/s/ozl7e1ojfgrhi ... 8.png?dl=1

The technical details, briefly:

Code: Select all

000000-1FFFFF : ROM (up to 2MB supported)
200000-3FFFFF : Serial EEPROM mapped to D1,D0 of each address
Writing sets SDA=D0, SCL=D1. Reading returns D0=SDA and D1=GND, I suppose the latter is an identifier to indicate presence of the EEPROM device.

SCL and SDA are driven by flip-flops that are reset to zero after power up, leaving them driven low by default until you write something to $200001 to change them.
Last edited by Charles MacDonald on Sat Nov 14, 2015 3:57 am, edited 2 times in total.

Mask of Destiny
Very interested
Posts: 572
Joined: Thu Nov 30, 2006 6:30 am

Re: Decapping more Genesis chips

Post by Mask of Destiny » Fri Nov 13, 2015 8:37 pm

Well the standalone version of the Game Toshokan games are all 128KB right? Maybe a bit less than 64KB gets loaded into VRAM as the games tileset and everything else gets loaded into work RAM. Alternatively, maybe there's a library of code and assets contained in the Game Toshokan ROM and only game specific stuff gets downloaded to work RAM.

User avatar
Sik
Very interested
Posts: 720
Joined: Thu Apr 10, 2008 3:03 pm
Contact:

Re: Decapping more Genesis chips

Post by Sik » Sat Nov 14, 2015 8:05 pm

The preloaded ROMs we have are 256KB. The first half matches the Game Toshokan ROM for the most part (boot code and vblank vector aside sometimes), the second part contains the games (and has to be treated as RAM, otherwise 16t lacks music). Honestly I probably should go and do a careful recheck of every ROM though (maybe do a binary diff of every ROM against the original?), albeit I recall the inital code being the same (checks for the word "nost" and "game" included)

But yeah OK this is making things even weirder. Maybe those 128KB are actually 64KB to go in RAM and 64KB to go in VRAM that just get copied when the program starts, and on real hardware the EEPROM in the cartridge is used only to store modem settings? (but then what's up with 16t? somebody forgot to fix an address?)

EDIT: um OK guys looks like I was wrong all along
http://sik.titandemo.de/megadrive/diff_toshokan_16t.txt
(first column is address in decimal, second is the byte in octal from Game Toshokan, third is the same byte from the 16t dump)

Mind you, the Game Toshokan ROM is labeled as "Rev A" so maybe there's another revision and the dumps we have are based from that one, but we have quite a big deal here, especially because the ROM size doesn't match our expectations by a long shot.

EDIT: OK found a chunk of obviously shifted data (see address 1422). Anybody who can help me figure out how to do a proper binary diff is welcome (using Linux here, so feel free to rely on the shell), but I wonder if they edited the source code or they hacked another revision of Game Toshokan.
Sik is pronounced as "seek", not as "sick".

Charles MacDonald
Very interested
Posts: 283
Joined: Sat Apr 21, 2007 1:14 am

Re: Decapping more Genesis chips

Post by Charles MacDonald » Sat Nov 14, 2015 8:52 pm

Mine seems to be Rev. A too (the mask ROM is marked "MPR-12750A-T")

When I run it (I don't have a modem) it displays a message in Japanese with the word "OFF". Any idea if that relates to the modem or is a region check warning?

Has anyone tried faking the modem responses to see what it tries to do over the network, in terms of downloading data?

User avatar
Sik
Very interested
Posts: 720
Joined: Thu Apr 10, 2008 3:03 pm
Contact:

Re: Decapping more Genesis chips

Post by Sik » Sat Nov 14, 2015 9:11 pm

It complains that the modem is not connected (it tells you to turn off the system and plug in the modem). Maybe this helps you by-pass that? (the subroutine at $0053EE should return 2) Also something to note: at the beginning the screen may flash a color, it indicates it failed a check. Red means the modem is not connected, green means the memory is not working I believe (the EEPROM, I suppose?).

...is there any way to trick Regen into mapping an EEPROM through the header? I know it does pay attention to it when the data in the header is actually valid, but no idea how to make it know that it's EEPROM and not SRAM.

EDIT: change the word at $0053DA to a NOP ($4E71) and hope it doesn't crash.

EDIT 2: yeah tried, crashes after about two seconds (excluding the green and white screens) (・~・) I think another instruction had to be changed too but I forgot which one.

EDIT 3: replace $0049C8 with a RTS ($4E75). Don't ask me what it does (it accesses the EEPROM but no idea if it's read or write), but somehow making it return doing nothing seems to work.

EDIT 4: ...crashed much later (after I entered a phone number and it asked me to confirm). Dammit (╯°□°)╯︵ ┻━┻
Sik is pronounced as "seek", not as "sick".

Mask of Destiny
Very interested
Posts: 572
Joined: Thu Nov 30, 2006 6:30 am

Re: Decapping more Genesis chips

Post by Mask of Destiny » Sun Nov 15, 2015 12:37 am

Sik wrote:The preloaded ROMs we have are 256KB.
I was talking about the games that actually got a cartridge release like Fatal Labyrinth, Columns and Flicky. The cartridge versions of those are all 128KB.
Sik wrote:EDIT: OK found a chunk of obviously shifted data (see address 1422). Anybody who can help me figure out how to do a proper binary diff is welcome (using Linux here, so feel free to rely on the shell), but I wonder if they edited the source code or they hacked another revision of Game Toshokan.
I've done some basic disassembly of Game Toshokan and the 16t ROM that is floating around. What appears to have happened is that someone with either the source code or a disassembly essentially appended the 16t data to Game Toshokan and then inserted some code here and there to patch things so that it just starts the 16t code after running a subset of the initialization code. Those patches are what's causing the shifted data you're seeing. For instance, there's a bra.s $600 added at address $24C that shifts things by 2 bytes. Then at address $66A ($668 in Game Toshokan), some code has been inserted to copy $C800 bytes from $20000 (the start of the 16t data) to $FF0000. That code shifts things another 22 bytes (24 total).

The next routine on the 16t side in my disassembly (my disassembly method skips over unreachable code so there's a bunch of stuff skipped in the 16t disassembly) at $2E34 corresponds to one in Game Toshokan at $2DA6 for an offset of 142 bytes. There must be some more insertions in between for some reason.
Sik wrote:The first half matches the Game Toshokan ROM for the most part (boot code and vblank vector aside sometimes), the second part contains the games (and has to be treated as RAM, otherwise 16t lacks music).
Examining the code a bit more closely suggests what might be going on here. It looks like the intention was for the 16t code to work out of work RAM like it would have when using the Game Toshokan service and indeed some of the code does run from there, but when it replaces some of the jump table entries it uses addresses based on it's location in the ROM rather than where they end up in RAM. Since the code was intended to be run from RAM, it's natural for it to expect to be able to write over the area of memory it's running from. Presumably this ROM was only ever intended to run in an emulator or it's adapted from the Mega CD compilation (which presumably would have been running from Word RAM).

It seems that 16t is pretty small. The portion that's not from Game Toshokan appears to only be a bit under 50KB so the whole thing fit's comfortably in work RAM. If we want hints at how the larger games are managed we'll either need to dig deeper into the Game Toshokan code or look at the appropriate version of one of the larger games.

User avatar
Sik
Very interested
Posts: 720
Joined: Thu Apr 10, 2008 3:03 pm
Contact:

Re: Decapping more Genesis chips

Post by Sik » Sun Nov 15, 2015 2:13 am

Yeah I'm just talking about the ROMs (which are the ones with the Game Toshokan code), the CD versions were just properly ported over (16t in fact is using CD audio there, which is why emulators don't have trouble with it). Those ROMs were indeed meant to be running from an emulator... on a Dreamcast I believe? ¯\(º_o)/¯ (this is why those aren't pure dumps) Odd that they somehow still had the Game Toshokan source code around (because that kind of change does sound like a modified source code rather than a hack) I guess the actual thing just downloaded games to work RAM (that probably solves the mystery).

So this leaves Sega Channel then (and its 2MB of RAM). Does it use the 32X area? (I know the 32X has a register specifically for compatibility with the Sega Channel cartridge, so I wouldn't be surprised if that was to mess with the $800000-$9FFFFF area - I know it deals with the RAM on the cartridge and that's it)
Sik is pronounced as "seek", not as "sick".

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests