SpritesMind.Net

Posted: **Tue Oct 30, 2012 7:05 pm**

ok, someone sent me his cartridge so i could mess with it and i have been able to have the cartridge extra hardware reverse-engineered (maybe not 100% completely but still more than needed to emulate the protection !)

i have been using a SGC explorer, which is a very nice teensy-based MD cartridge board interface build by Bruno Freitas, who was kind enough to offer me one a few month ago

http://www.brunofreitas.com/node/42

the cool thing with this board is that it can manage all necessary signals of the cartridge connector and you can reproduce the same access as the game is doing

after MANY hours of register poking, investigations and guess work, here is a summary of my notes

--------------------------
Memory Map (cartrige area)
--------------------------
$000000-$07ffff: lower 512KB ROM
$080000-$0fffff: mirror of $000000-$07ffff (VA19 not connected)
$100000-$5fffff: not mapped
$600000-$67ffff: internal hardware (see below)
$680000-$6fffff: mirror of $600000-$67ffff (VA19 not connected)
$700000-$7fffff: not mapped

-----------------
Internal Hardware
-----------------

(read)
~~~~~~
$600000-$60ffff: upper 512KB ROM selected bank (8 x 64K banks)
$610000-$61ffff: upper 512KB ROM selected bank (8 x 64K banks)
$620000-$62ffff: return alternate 4K chunks of $ff and $00 (fixed to last ROM bank ?)
$630000-$63ffff: mirror of $620000-$62ffff
$640000: not mapped
$640001: always return $00
$640002-$65ffff: mirror of $640000-$640001
$660000: not mapped
$660001: DATA1 register, see notes below
$660002: not mapped
$660003: DATA1 register + 1
$660004: not mapped
$660005: DATA2 register, see notes below
$660006: not mapped
$660007: DATA2 register + 1
$660008: not mapped
$660009: DATA3 register, see notes below
$66000a: not mapped
$66000b: DATA3 register + 1
$66000c: not mapped
$66000d: DATA3 register + 2
$66000e: not mapped
$66000f: DATA3 register + 3
$660010-$66ffff: mirror of $660000-$66000f
$670000: not mapped
$670001: see notes below (1)
$670002: not mapped
$670003: return same value as $670001 anded with 0x7f
$670004-$67ffff: mirror of $670000-$670003

(write)
~~~~~~~
$600000: n.a (!UWR not connected)
$600001: CTRL1 register (see below)
$600002: n.a (!UWR not connected)
$600003: DATA4 register, see notes below (2)
$600004-$60ffff: mirror of $600000-$600003
$610000: n.a (!UWR not connected)
$610001: n.a ?
$610002: not mapped (!UWR not connected)
$610003: CTRL2 register (see below)
$610004-$61ffff: mirror of $610000-$610003
$620000-$63ffff: n.a ?
$640000: n.a (!UWR not connected)
$640001: DATA5 register
$640002: n.a (!UWR not connected)
$640003: DATA6 register
$640004-$64ffff: mirror of $640000-$640003
$650000-$65ffff: n.a ?
$660000: n.a (!UWR not connected)
$660001: ??? (usually set to $00 after writing to $670001, sometimes set to the same value as $670001 ?)
$660002-$66ffff: n.a ?
$670000: n.a (!UWR not connected)
$670001: CTRL3 register (see below)
$670002: n.a (!UWR not connected)
$670003: n.a ?
$670004-$67ffff: mirror of $670000-$670003

CTRL1 register ($600001):
~~~~~~~~~~~~~~~~~~~~~~~~~
D7-D3: n.a ?
D2-D0: DATA4 write mode, see notes below (2)

CTRL2 register ($610003):
~~~~~~~~~~~~~~~~~~~~~~~~~
D7: enable (resp. disable) $600000-$6fffff ROM bank-switching & $670001-$670003 output when set (resp. cleared)
D6-D0: n.a ?

CTRL3 register ($670001):
~~~~~~~~~~~~~~~~~~~~~~~~~
D7: enable (resp. disable) DATA1/DATA3 registers update on $670001 reads when set (resp. cleared)
D6: select $670001 output mode, see notes below (1)
D5: select DATA register being updated on $670001 reads when bit7 is set (0: DATA1, 1: DATA3)
D4-D2: select upper 512K ROM bank (8x64K banks) mapped to $600000-$60ffff when CTRL2 bit7 is set
D1-D0: n.a ?

NOTES:
~~~~~~
(1) reading $670001 returns:
- $00 if CTRL2 bit7 is cleared
- DATA5 & DATA6 if CTRL2 bit7 is set and CTRL3 bit6 is set
- DATA5 ^ 0xFF if CTRL2 bit7 is set and CTRL3 bit6 is cleared

when CTRL3 bit7 is set, reading $670001 updates the value in:
- DATA1 if CTRL3 bit5 is cleared: DATA1 = ((DATA5 << 1) ^ DATA4) & 0xfe
- DATA3 if CTRL3 bit5 is set: DATA3 = (DATA6 << 2) & 0xfc

(2) writing $600003 updates:
- DATA4 register: DATA4 = data
- DATA1 register if write mode (CTRL1 bits 0-2) is set to $0: DATA1 = ((DATA5 << 1) ^ data) & 0xfe
- DATA2 register if write mode (CTRL1 bits 0-2) is set to $1: DATA2 = data & 0xfe
- upper 512K ROM bank (8x64K banks, using D2-D4) mapped to $610000-$61ffff if write mode (CTRL1 bits 0-2) is set to $7
- no effect (?) if write mode is set to $2,$3,$4,$5,$6 (game sometimes sets write mode to $6 and writes $00 or $01 to $600003)

(3) random quirks:
- writing DATA5 or DATA6 registers does NOT immediately change the value returned in DATA1 or DATA3 when proper CTRL3 bits are set, the change is only effective after reading $670001
- similarely, when mode=$0, any writes to DATA4 register immediately change the value returned in DATA1 but calculation will not use the last value written in DATA5 unless $670001 was read in between
- setting CTRL3 bit7 seems to immediately update the value returned in DATA1/DATA3 if DATA4/DATA5 was changed but switching CTRL3 bit5 will not take effect until next write to DATA4/DATA5 followed by $670001 read
- internal registers might be non-volatile, previous state seems to be restored on power-on

As you can see, it seems the ROM is actually 1MB but i noticed similar 4 kB (or so) chunks of $ff and $00 in the various 64k bank that can be accessed through $600000-$60ffff and $610000-$61ffff as in the lower 512KB, so i suspect the initial ROM was initially 512kB then expanded to 1MB by copying out some chunks of data to upper 512kB. Also notice how VA19 is disconnected on the cartridge port, to ensure the upper area can not be directly accessed.

There is no public ROM available as i promised it to the cartridge owner and it' s up to him to decide when he wants to release it (I think he wants to get it fixed first). Indeed, it doesn't work with any existing emulator (except genesis plus gx) anyway and would probably be kind of hard (but not impossible I guess) to patch copy protection and bank-switching. All the infos are there though...

Posted: **Tue Oct 30, 2012 7:13 pm**

Naiss info !

Posted: **Wed Oct 31, 2012 2:56 pm**

Wow, great job hacking that thing!

Must be some strange hardware inside the cart?

Posted: **Thu Nov 15, 2012 12:47 pm**

When will be available public rom of Super Mario World 64 ?

Posted: **Thu Nov 15, 2012 11:33 pm**

magicrip wrote:When will be available public rom of Super Mario World 64 ?

Eke wrote:There is no public ROM available as i promised it to the cartridge owner and it' s up to him to decide when he wants to release it

Posted: **Fri Nov 16, 2012 12:49 pm**

bobthebuilder Thanks Cap!

I personally would like to know - is the owner plans to publish a dump or not ? (who knows, maybe he is one of these hoarder-type persons?)
So, if not - other people can buy cart, dump it (using information kindly provided by Eke) and share the rom.
If yes - well, we must just relax and wait

Posted: **Thu Nov 22, 2012 10:49 am**

Posted: **Thu Nov 22, 2012 12:06 pm**

Sorry but who are you again ? Do i owe you something?

I am not greedy, i am simply respecting my promise. If i didn't, i probably would not have access to this kind of rare games and would not be able to document and emulate them. I don't really care about anything else and definitively not random internet people who only register on forums to beg for roms. I think there are also more infos here than needed to get it dumped if you really want it, so much for being greedy.

Posted: **Thu Jan 17, 2013 9:24 am**

So the dump has been released (on the Pirated Games Central forum), and I noticed an interesting thing (race condition) when trying to patch it to get it to work on any emulator: sound effects stop working after the first one. It turns out the game does not disable interrupts in its play sound routine, so the VInt, which handles music for the title screen and first stage, gets control, unlocking the Z80 too early, causing the Z80 to jump into the ROM bank area and panic. This happens in both Gens/GS and Kega Fusion But this doesn't happen on real hardware, as videos have shown, so... what is going on here? Do we have VInt timings wrong? Thanks.

Posted: **Thu Jan 17, 2013 10:00 am**

Have you tried logging all the access to $6xxxxx ? I think i remember it was accessed from Z80 (through banking) so Z80 program would need to be patched as well (hopefully it is not somehow uncompressed).

Good luck with the patch, i tried a bit but gave up pretty fast since it's not really trivial and i prefer to emulate the protection anyway. I believe it requires some ASM insertion to remap $60xxxx and $61xxxx access to the proper location in ROM ($08xxxx-$0fxxxx) since the banks index seems to be calculated and passed as parameter to a common function (hopefully there is only a few ot these functions to patch).

I could not find copy-protection lockouts so i am not sure where the computed logics returned by on-board registers are used but i guess this would need to be patched as well.

Posted: **Thu Jan 17, 2013 12:55 pm**

Download Super Mario World 64 for SMD.

Posted: **Fri Jan 18, 2013 12:52 am**

I had a crack at it.

Posted: **Fri Jan 18, 2013 1:40 am**

Gigasoft wrote:I had a crack at it.

That works pretty good! I ran it on my CDX far enough to remember that SMW sucks and I hate it with all my guts.

Posted: **Fri Jan 18, 2013 8:38 am**

Honestly the game is far from the original in term of gameplay :p

Posted: **Fri Jan 18, 2013 11:49 am**

Gigasoft wrote:I had a crack at it.

That was fast... good job

SpritesMind.Net

Super Mario 64 for Genesis - dump quest (need pics of pcb!)