It is currently Mon Aug 19, 2019 3:53 am

All times are UTC - 7 hours





Post new topic Reply to topic  [ 10 posts ] 
Author Message
PostPosted: Tue Jul 23, 2019 2:00 pm 
Offline

Joined: Tue Jul 23, 2019 1:30 pm
Posts: 4
Location: Kaiserslautern
Hello,

the last few days I built up this dumper (https://github.com/ClusterM/famicom-dumper) and it works fine.
I want to dump a bunch of multicart cardridges and tried to dump them with various mappers. For most of them this didn't work. (One dump acutally shows the menu in an emulator, and another one plays the background music but thats it)

Do I need to disassemble code to find out which mapper is the right one and which prg/chr size has to be used? How could that be done, or am I doing something completely wrong?


Top
 Profile  
 
PostPosted: Tue Jul 23, 2019 2:06 pm 
Offline

Joined: Sun Apr 13, 2008 11:12 am
Posts: 8532
Location: Seattle
4tmelDriver wrote:
Do I need to disassemble code to find out which mapper is the right one and which prg/chr size has to be used?
Yes, but sometimes text on the PCB and/or text on the ICs are good enough.
Quote:
How could that be done, or am I doing something completely wrong?
Try loading the NROM dump you have in Mesen or FCEUX(windows build, not Mac/Linux). Set a breakpoint on any write to $4020-$FFFF, and see what it writes and why.

ClusterM's lua scripts are more obvious to me how they work (in comparison to INL's lua-based dumping scripts) so I might be able to write one for you, if the hardware is obvious.


Top
 Profile  
 
PostPosted: Wed Jul 24, 2019 3:34 am 
Offline

Joined: Tue Jul 23, 2019 1:30 pm
Posts: 4
Location: Kaiserslautern
Thanks for the reply.
Most of my cardridges do have a glob top on the chip and no text on pcb, so this isn't helping a lot.

So I loaded the NROM dump into FCEUX and set the breakpoint in the debugger, but it's kinda hard to interpret for me what's going on there.
I am looking for information on how the cardridge is swichting banks, is that correct?

I uploaded the NROM dump


Attachments:
File comment: NROM dump (prg size: 32K, chr size:8K)
output.nes [40.02 KiB]
Downloaded 29 times
Top
 Profile  
 
PostPosted: Wed Jul 24, 2019 10:11 am 
Offline

Joined: Sun Apr 13, 2008 11:12 am
Posts: 8532
Location: Seattle
... The only code at the reset vector is
ldx #0; lda $FF10,x; stp
which implies that - extremely rarely for NES games - the bankswitching register is a function of reads, instead of writes.


Separately, using my NES game fingerprint database, this NROM fragment contains parts of Aladdin 3 (Unl) and Yie Ar Kung-Fu (J) (V1.4).

Another option, if you have the list of games in the multicart, might be to see if someone's already described that multicart. You might find it in Санчез's dumping project.

I have no idea if this will work any better, but you could see if this gives a different NROM dump:
Code:
MapperName = "mystery mapper reverse engineering effort"
MapperNumber = 0
DefaultPrgSize = 32 * 1024
DefaultChrSize = 8 * 1024

function DumpPrg(size)
   print("Reading PRG...")
   ReadPrg(0xFF10,1)
   ReadAddPrg(0x8000, size)
end

function DumpChr(size)
   print("Reading CHR...")
   ReadPrg(0xFF10,1)
   ReadAddChr(0x0000, size)
end
edit: see NewRisingSun's post


Last edited by lidnariq on Thu Jul 25, 2019 12:37 pm, edited 1 time in total.

Top
 Profile  
 
PostPosted: Wed Jul 24, 2019 11:15 am 
Offline

Joined: Thu May 19, 2005 11:30 am
Posts: 960
output.nes looks like a bad dump. The reset handler is almost certainly supposed to be:
Code:
LDX #$00
LDA $FF10,X
STA $0200,X <- First byte of this instruction is badly dumped
INX
CPX #$40
BNE $FF02
JMP $0200
Which would be a more standard multicart init code. The code at $FF10 which would be copied to $200-$240 then writes to $5FF0 to $5FF3 with values plausible in FK23C (iNES Mapper 176), a quite common multicart mapper.

Yes, a game list would be helpful, as would an ID code from the cartridge label (e.g. "FK-8010" or "KY-4131" or something like that), or a photograph of the menu.


Top
 Profile  
 
PostPosted: Fri Jul 26, 2019 4:17 am 
Offline

Joined: Tue Jul 23, 2019 1:30 pm
Posts: 4
Location: Kaiserslautern
Thanks for the replies and the lua script.

I can't remember what games were on the cardrige. The ID code is FK-021. I uploaded an image of it.

So it is possible that the iNes mapper 176 is used?
Which information from the wiki page do I need to write a lua script for dumping?


Attachments:
File comment: 180 in 1 FK-021
multicart.jpg
multicart.jpg [ 2.44 MiB | Viewed 1232 times ]
Top
 Profile  
 
PostPosted: Fri Jul 26, 2019 5:32 am 
Offline

Joined: Thu May 19, 2005 11:30 am
Posts: 960
I will check against the known dumps based on that picture, and if it is not already dumped, will attempt to write a lua dumping script for you. I have only written scripts for CopyNES, Kazzo and KrzysioKazzo so far, so unfamiliar with lua dumping scripts, I may make a few mistakes, so please be patient.

But in the meantime, please try redumping the NROM dump again --- if the bad bytes that I indicated remain bad even after cleaning the cartridge connector, then you may be experiencig a data-corrupting timing issue that will make it impossible to obtain a good dump even if the dumping script is correct.


Top
 Profile  
 
PostPosted: Fri Jul 26, 2019 7:35 am 
Offline

Joined: Thu May 19, 2005 11:30 am
Posts: 960
This is my modification of the original MMC3 script that came with that particular dumping device. I have never written lua before, so anybody who has, please correct any mistakes I made. If you dump the cartridge using this script, please dump it several times to make sure that you get a consistent result. I have no idea how large this cartridge really is, so I am just going with 1 MiB PRG/CHR each.
Code:
MapperName = "FK23C"
MapperNumber = 176
DefaultPrgSize = 1024 * 1024
DefaultChrSize = 1024 * 1024

function DumpPrg(size)
   local banks = math.floor(size / 0x2000)
   WriteCpu(0x5FF3, {0x00}) -- Disable extended MMC3 mode
   WriteCpu(0x5FF0, {0x01}) -- 256 KiB PRG/CHR mode
   for b = 0, banks-3, 2 do
      print("Reading PRG banks #" .. tostring(b) .. " and #" .. tostring(b+1) .. "...")
      WriteCpu(0x5FF1, {(b &0xE0) >>1})    -- Outer 256 KiB bank. >>1, because MMC3 bank has 8 KiB, while FK23C's register has 16 KiB granularity
      WriteCpu(0x8000, {6, (b &0x1F)})     -- Inner bank at $8000-$9FFF
      WriteCpu(0x8000, {7, (b &0x1F)+1})   -- Inner bank at $A000-$BFFF
      ReadAddPrg(0x8000, 0x4000)
   end

   print("Reading last PRG banks #" .. tostring(banks-2) .. " and #" .. tostring(banks-1) .. "...")
   ReadAddPrg(0xC000, 0x4000)
end

function DumpChr(size)
   local banks = math.floor(size / 0x0400)
   WriteCpu(0x5FF3, {0x00}) -- Disable extended MMC3 mode
   WriteCpu(0x5FF0, {0x01}) -- 256 KiB PRG/CHR mode
   for b = 0, banks-1, 8 do
      print("Reading CHR banks #" .. tostring(b) .. ", #" .. tostring(b+1) .. ", #" .. tostring(b+2) .. ", #" .. tostring(b+3) .. ", #" .. tostring(b+4) .. ", #" .. tostring(b+5) .. ", #" .. tostring(b+6) .. " and #" .. tostring(b+7) .. "...")
      WriteCpu(0x5FF2, {(b &0x700) >>3})    -- Outer 256 KiB bank. >>3, because MMC3 bank has 1 KiB, while FK23C's register has 8 KiB granularity
      WriteCpu(0x8000, {0, (b &0xFF)})
      WriteCpu(0x8000, {1, (b &0xFF)+2})
      WriteCpu(0x8000, {2, (b &0xFF)+4})
      WriteCpu(0x8000, {3, (b &0xFF)+5})
      WriteCpu(0x8000, {4, (b &0xFF)+6})
      WriteCpu(0x8000, {5, (b &0xFF)+7})
      ReadAddChr(0x0000, 0x2000)
   end
end

function EnablePrgRam(size)
   WriteCpu(0xA001, {0x80})
end


Top
 Profile  
 
PostPosted: Sun Jul 28, 2019 12:45 pm 
Offline

Joined: Tue Jul 23, 2019 1:30 pm
Posts: 4
Location: Kaiserslautern
Hi,
thank you very much for the script!

There were some problems with the syntax I think. The dumper didn't know the shift operator, so I changed '>>3' to '*8' and so on. And the lines containing '&' gave syntax errors (eg 'WriteCpu(0x5FF1, {(b &0xE0) >>1})'). I didn't know how to fix that and simply removed '&0xE0' - I really don't know if that was right, but the script actually worked!

After some dumps, the menu finally shows up in the emulator. (FCEUX works better than Mesen for some reason.)
Additionaly, for some reason, the menu only shows only 18 games. On the famicon clone there were more games playable (and I really don't remember ever playing Aladin)

In my upload you can find the best dump I managed to create so far.

Is it possible that the cardridge contains two different modes? One with 18 games and one with 180 games? I can't figure out why the dump contains completely different games and way less in contrast to the games it contained back then.


Last edited by 4tmelDriver on Sun Jul 28, 2019 1:11 pm, edited 1 time in total.

Top
 Profile  
 
PostPosted: Sun Jul 28, 2019 1:00 pm 
Offline

Joined: Thu May 19, 2005 11:30 am
Posts: 960
>>3 indeed means divide by 8.
&0xE0 means subtract the remainder of a division by 32.

The ROM actually only has 256 KiB and 128 KiB of CHR. I have sent you the trimmed ROM image via private message. You can and should remove GREEN14.NES from your previous post now.

FK23C cartridges have either solder pads or switches inside to select menu variants. Your particular cartridge has 15/18/30/52/58/160/180/288-in-1 variants. In FCEUX, soft-resetting (Ctrl+R) has the by-product of cycling through the various switch settings. For NintendulatorNRS, the per-PRG-CRC32 menus are set via a file named DIP.CFG in the emulator's directory; attached file (rename from DIP.TXT to DIP.CFG) adds an entry for your cartridge. I have no idea how to change DIP switches in Mesen.


Attachments:
dip.txt [66.33 KiB]
Downloaded 24 times
Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 10 posts ] 

All times are UTC - 7 hours


Who is online

Users browsing this forum: No registered users and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group