It is currently Tue Oct 17, 2017 10:55 pm

All times are UTC - 7 hours



Author Message
PostPosted: Sun Oct 25, 2015 12:05 pm 

Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
Addressing is done via the MBC, set the bank then a write to $4000 = Bank offset + $0000, $4001 = Bank Offset + $0001 etc...

Not sure if Bank0 is bank zero or 1 on this MBC, need to confirm that too.

ID's are $C2 and $83.

I'll get back to you with the hidden data string.


PostPosted: Sun Oct 25, 2015 12:35 pm 

Joined: Fri Oct 24, 2014 1:56 am
Posts: 75
nocash wrote:
Good findings! I hadn't tried CMD 20h/21h, but tested them today; setting/clearing bit3 happens here, too. And the effect... it looks as if FLASH reads are disabled when bit3=1 (on a SNES, I am getting open-bus values when reading the ROM area, ie. retrieving the MSB of the ROM address as open bus data value).

CMD 40h-4Fh just aren't doing anything special? Ah, or is their "special" effect that they don't reset the chip to return 7Dh bytes when reading port 2400h-2407h (unlike most other CMDs which do have that "reset to 7Dh" effect)?

CMD FFh doesn't seem to work for me. It doesn't change the port 2400h-2407h values, and also doesn't issue a RESET. Maybe it works only in relation to other values being sent prior to CMD FFh? And you are sure that you've used CMD FFh, aren't you? Asking because CMD 00h would have roughly the same effect as what you've described (setting the 8 registers to "2A E0 2A 2A FF FF FF FF" in my cart).
The 'variable' bytes that you are receiving (E0 or F0, and 8F and 9F) are looking like some unstable/uninitialized stuff. Are there any cases where you are always getting the SAME values? Like always getting the same values after power-up? Or getting different values only when using different cartridges?


Yes, when I turn bit3 on, I only get FFs back from the flash (at least in the mapping area - that's where I've been looking for changes).

I can't tell if 0x40-0x4F are doing anything. You're right that I noticed them because they return values other than 0x7D on the ports. I've had times where CMDs 0x44-0x47 give back other values (sequences of 0xF0 and 0x7D) than the normal 2A type sequence. I was hammering commands to 0x2400 when I got those other values so I need to go back and try to isolate what caused those changes to see if there's any significance.

For CMD 0xFF, I get those strange values when incrementing up from CMD 0x0. So the preceding CMD is 0xFE. Must be an invalid command?

I've basically been using two different carts for testing. The Blank cartridge and the 2nd Derby 98 cart. If I screw those carts up, then there's really no loss. Results have been the same between the carts.


PostPosted: Sun Oct 25, 2015 4:30 pm 

Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
The mystery is now more... Mysterious!

We know flash writing is exclusively via Function 1. We also know that the Flash I/O bus is tied directly to the cart bus. The question now becomes, how can both the final byte of Function 1 (0xA5) be written AND the controller IC take control of the Flash I/O bus? Is there an internal clock/timer that waits for x uS then issues the command, expecting the game boy to be done with the bus?

Does the controller issue the flash command on the rising edge of WR when the game boy releases control of the cart bus?

A quick probe with the logic analyser will get to the bottom of it, but at least now I know why my interface isn't communicating with the flash like the game boy does...

Edit -

After much tweaking of my code it appears the controller IC waits 1 time constant as determined by an external R/C network - from the rising edge of WR to when the Flash command is issued. I'll find the exact number when I get home. Now that's sorted I can talk to the Flash IC from the PC.

Do you think the SNES cart works on a similar principle?

Next up, get to the bottom of this un-mapped ROM info. I'm hesitant in erasing the cart as I've read (Mootan's site) that a chip erase also erases the ROM info as well as a serial number. As this is an original cart I'd like to at least note the data before it's gone forever!


PostPosted: Sun Oct 25, 2015 7:57 pm 

Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
No reply with instruction 71, 38 or D0.

I'll write some code to cycle through them all. 70, 90, F0 are all valid flash commands. I think the data on the GB cart is stored in SRAM, only half of it is accessible via the game boy.

To get the magic ROM data you talk only with the controller IC, not the flash. And initial probes don't show any WR activity when getting the data. WR between flash and SRAM are linked. I'll monitor SRAM CE + OE when issuing the request. If it's stored in there I'll need to find the controller command to modify it.

I might dig through Mootan's program again to see if I missed anything.


PostPosted: Mon Oct 26, 2015 8:16 pm 

Joined: Fri Oct 24, 2014 1:56 am
Posts: 75
Ok, got some interesting results fooling around with flash commands.

I was trying different commands for the flash command sequence third data cycle. The flash chip seems to respond to a couple undocumented commands.

Data 0x55, 0xAA, 0x60.
Data 0x55, 0xAA, 0x77.

EDIT: More testing to do...


Last edited by skaman on Tue Oct 27, 2015 1:25 am, edited 1 time in total.

PostPosted: Mon Oct 26, 2015 9:29 pm 

Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
Are they the first half of the instruction, or the second?

The 0x60 is used for sector protect/unprotect, I used this one myself to unlock sector 0.


PostPosted: Wed Oct 28, 2015 2:53 pm 

Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
Not sure if this has been covered, but when writing to the flash in byte/buffer mode, don't send the last byte twice. If that byte happens to be 0xF0 it will terminate the write sequence. I've had no issues sending 0x00 as the confirmation byte to the last address.

Found this, could be of interest. Some Macronix chips seem to have internal bank switching to expand the addressable ROM space. GBA-specific, but could easily be used on other Nintendo-contracted flash chips.

Bank Switching (devices bigger than 64K only)
[E005555h]=AAh, [E002AAAh]=55h, [E005555h]=B0h (select bank command)
[E000000h]=bnk (write bank number 0..1)
Specifies 64K bank number for read/write/erase operations.
Required because gamepak flash/sram addressbus is limited to 16bit width.
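Added example (my own code, not from this post or from the GBATEK text it quotes): a Python model of the bank-select sequence above. It records every bus write instead of touching hardware, so the exact unlock/select sequence can be inspected, and it translates a linear flash offset into (bank, gamepak address), issuing the select sequence only when the 64K bank actually changes. Two things are assumptions, not stated in the quote: the device powers up with bank 0 selected, and the writes are byte-wide.

```python
"""Bank switching on a >64K GBA gamepak flash, modelled as recorded bus writes (added example)."""
from typing import List, Tuple

BANK_SIZE = 0x10000            # 64K: the gamepak flash address bus is only 16 bits wide
GAMEPAK_BASE = 0x0E000000      # GBA flash/SRAM window
CMD_ADDR_1 = GAMEPAK_BASE + 0x5555
CMD_ADDR_2 = GAMEPAK_BASE + 0x2AAA
CMD_SELECT_BANK = 0xB0


class BankedFlashBus:
    """Records every write instead of touching hardware, so the sequence can be checked.
    Assumption (not in the quoted text): the device powers up with bank 0 selected."""

    def __init__(self, size_bytes: int):
        if size_bytes % BANK_SIZE:
            raise ValueError("device size must be a whole number of 64K banks")
        self.size = size_bytes
        self.bank = 0
        self.writes: List[Tuple[int, int]] = []

    def write8(self, addr: int, value: int) -> None:
        self.writes.append((addr, value & 0xFF))

    def select_bank(self, bank: int) -> None:
        """[E005555h]=AAh, [E002AAAh]=55h, [E005555h]=B0h, [E000000h]=bank (the quoted sequence)."""
        if self.size <= BANK_SIZE:
            raise ValueError("bank switching exists only on devices bigger than 64K")
        if not 0 <= bank < self.size // BANK_SIZE:
            raise ValueError(f"bank {bank} out of range for a {self.size // 1024}K device")
        self.write8(CMD_ADDR_1, 0xAA)
        self.write8(CMD_ADDR_2, 0x55)
        self.write8(CMD_ADDR_1, CMD_SELECT_BANK)
        self.write8(GAMEPAK_BASE, bank)
        self.bank = bank

    def translate(self, linear: int) -> Tuple[int, int]:
        """Map a linear flash offset to (bank, CPU address), switching banks only when needed."""
        if not 0 <= linear < self.size:
            raise ValueError(f"offset {linear:#x} beyond the {self.size // 1024}K device")
        bank, offset = divmod(linear, BANK_SIZE)
        if self.size > BANK_SIZE and bank != self.bank:
            self.select_bank(bank)
        return bank, GAMEPAK_BASE + offset

    def access_plan(self, start: int, length: int) -> List[Tuple[int, int]]:
        """Per-byte (bank, address) plan for a range; crossing a 64K boundary costs one select."""
        return [self.translate(a) for a in range(start, start + length)]


def count_bank_selects(bus: BankedFlashBus) -> int:
    """Number of complete select sequences present in the recorded writes."""
    w = bus.writes
    return sum(
        1 for i in range(len(w) - 3)
        if w[i] == (CMD_ADDR_1, 0xAA) and w[i + 1] == (CMD_ADDR_2, 0x55)
        and w[i + 2] == (CMD_ADDR_1, CMD_SELECT_BANK) and w[i + 3][0] == GAMEPAK_BASE
    )


if __name__ == "__main__":
    bus = BankedFlashBus(128 * 1024)
    for bank, addr in bus.access_plan(0xFFFE, 4):
        print(f"bank {bank} -> {addr:08X}")
    print(f"{count_bank_selects(bus)} bank select sequence(s) issued")
```

The plan for four bytes starting at 0xFFFE on a 128K part shows the point of the quoted command: the first two bytes are reached directly, the next two need the select sequence once, and later accesses within bank 1 cost nothing further.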


PostPosted: Thu Oct 29, 2015 2:15 am 

Joined: Fri Oct 24, 2014 1:56 am
Posts: 75
Finally got around to dumping my GB Memory carts. If you're disassembling Mootan's program, then the options to load and save the NP register are under the menu that appears when you right-click the FlashManager window. Using Mootan's FlashManager and my version of the EZ-USB adapter, I dumped the "NP Register" for my 6 NP carts.

Code:
Cart:  Spy vs Spy (No Menu)
Register (Corrected):
B4 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 08 00 00 00 43 47 42 20
2D 41 53 36 4A 2D 20 20 82 53 82 56 82 62 83 58
83 70 83 43 81 40 83 41 83 93 83 68 81 40 83 58
83 70 83 43 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 30 36 2F 31 31 2F 32 30 30 31 31 36
3A 34 35 3A 33 39 4C 41 57 30 36 34 38 33 10 00
30 47 99 09 07 13 47 38 FF FF FF FF FF FF 00 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

EDIT:  I guess I cut and pasted the wrong register dump for Spy vs Spy.

Cart:  Beat Mania GB (No Menu)
Register:
B4 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 08 00 00 00 44 4D 47 20
2D 41 4F 4F 4A 2D 20 20 82 51 82 58 82 60 82 82
82 85 82 81 82 94 82 8D 82 81 82 8E 82 89 82 81
82 66 82 61 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 30 34 2F 31 35 2F 32 30 30 31 31 39
3A 32 34 3A 30 32 4C 41 57 30 31 30 30 35 01 00
30 26 00 03 31 09 10 14 FF FF FF FF FF FF 00 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

Cart:  Pocket Puyo Puyo Tsuu (with Menu)
Register:
A8 00 00 2C 04 00 FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 1C 00
30 2B 00 04 07 09 25 21 FF FF FF FF FF FF 00 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

Cart:  2-in-1 (with Menu)
Kaeru no Tame ni Kane wa Naru
SAME GAME
Register:
A8 00 00 31 04 00 2D 14 04 FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 02 00
30 11 99 11 01 14 27 18 FF FF FF FF FF FF 00 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

Cart: 3-in-1 (with Menu)
Pac-Man
Namco Collection Vol. 1
Yakuman
Register:
A8 00 00 28 04 00 30 08 00 08 18 00 FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 02 00
30 1B 99 10 23 15 18 37 FF FF FF FF FF FF 00 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

Cart: 5-in-1 (with Menu)
Alleyway
Pac-Man
Tennis
Doraemon Kart
Jinsei Game
Register:
A8 00 00 08 04 00 28 08 00 08 0C 00 4C 90 00 4C
98 04 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 03 00
30 18 00 03 31 08 42 37 FF FF FF FF FF FF 00 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

For the multi-game carts, the games are listed as they appear in the menu.

The Beat Mania and Spy vs Spy registers are interesting in that they have the name/date/time/location programming information in the register area. The multi-game carts all have the programming info stored in the Menu.

EDIT: Corrected Spy vs Spy register.


Last edited by skaman on Thu Oct 29, 2015 12:42 pm, edited 1 time in total.
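Added example (my own code, not Mootan's FlashManager and not posted by skaman): a parser for the 256-byte NP register dumps above. The offsets were read off the dumps in this post: the game code at 0x1C, the Shift-JIS title at 0x28, the date at 0x54, the time at 0x5E and the "LAWnnnnn" field at 0x66 are unambiguous ASCII/Shift-JIS runs. Treating bytes from 0x03 as 3-byte-per-game entries is an assumption from the menu carts (1, 2, 3 and 5 entries for 1, 2, 3 and 5 games); the 10 bytes from 0x6E are kept raw because the post does not say what they are. The Spy vs Spy dump is copied from the post, and the 5-in-1 dump is rebuilt from its non-FF rows.

```python
"""Parser for the NP register dumps posted above (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Field offsets read off the dumps in the post. The 3-byte game entries at 0x03 are an
# assumption (entry count matches game count on the menu carts); the rest are visible runs.
OFF_GAME_TABLE = 0x03
OFF_GAME_CODE = 0x1C   # e.g. "CGB -AS6J-  ", "DMG -AOOJ-  "
LEN_GAME_CODE = 12
OFF_TITLE = 0x28       # Shift-JIS, padded with 0x20
LEN_TITLE = 44
OFF_DATE = 0x54        # "MM/DD/YYYY"
OFF_TIME = 0x5E        # "HH:MM:SS"
OFF_LOCATION = 0x66    # "LAWnnnnn"
OFF_TAIL = 0x6E        # 10 bytes of unknown meaning, kept raw


@dataclass
class NpRegister:
    header: bytes                 # first three bytes (B4/B5/A8 ...)
    game_entries: List[bytes]     # 3-byte entries on menu carts (assumed layout)
    game_code: Optional[str]
    title: Optional[str]
    date: Optional[str]
    time: Optional[str]
    location: Optional[str]
    tail: bytes


def parse_hex_dump(text: str) -> bytes:
    """'B4 00 00 FF ...' rows (any line breaks) to bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def _field(buf: bytes, off: int, length: int, encoding: str) -> Optional[str]:
    chunk = buf[off:off + length]
    if chunk == b"\xff" * length:          # erased / never programmed
        return None
    return chunk.decode(encoding, errors="replace").strip(" \u3000")


def parse_np_register(buf: bytes) -> NpRegister:
    if len(buf) != 256:
        raise ValueError(f"expected a 256-byte register, got {len(buf)}")
    entries = []
    pos = OFF_GAME_TABLE
    while pos + 3 <= OFF_GAME_CODE and buf[pos] != 0xFF:
        entries.append(buf[pos:pos + 3])
        pos += 3
    return NpRegister(
        header=buf[:3],
        game_entries=entries,
        game_code=_field(buf, OFF_GAME_CODE, LEN_GAME_CODE, "ascii"),
        title=_field(buf, OFF_TITLE, LEN_TITLE, "shift_jis"),
        date=_field(buf, OFF_DATE, 10, "ascii"),
        time=_field(buf, OFF_TIME, 8, "ascii"),
        location=_field(buf, OFF_LOCATION, 8, "ascii"),
        tail=buf[OFF_TAIL:OFF_TAIL + 10],
    )


# Spy vs Spy register as posted above; the remaining eight rows of the dump are all FF.
SPY_VS_SPY = parse_hex_dump("""
B4 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 08 00 00 00 43 47 42 20
2D 41 53 36 4A 2D 20 20 82 53 82 56 82 62 83 58
83 70 83 43 81 40 83 41 83 93 83 68 81 40 83 58
83 70 83 43 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 30 36 2F 31 31 2F 32 30 30 31 31 36
3A 34 35 3A 33 39 4C 41 57 30 36 34 38 33 10 00
30 47 99 09 07 13 47 38 FF FF FF FF FF FF 00 00
""") + b"\xff" * 128

# 5-in-1 register as posted above, rebuilt from its non-FF bytes.
FIVE_IN_ONE = (
    parse_hex_dump("A8 00 00 08 04 00 28 08 00 08 0C 00 4C 90 00 4C 98 04")
    + b"\xff" * (OFF_TAIL - 18)
    + parse_hex_dump("03 00 30 18 00 03 31 08 42 37")
    + b"\xff" * 6 + b"\x00\x00"
    + b"\xff" * 128
)

if __name__ == "__main__":
    for dump in (SPY_VS_SPY, FIVE_IN_ONE):
        r = parse_np_register(dump)
        print(r.header.hex(), len(r.game_entries), r.game_code, r.title, r.date, r.time, r.location, r.tail.hex())
```

Decoding the title as Shift-JIS is what turns the "82 53 82 56 ..." run into readable katakana; an erased field (all FF) comes back as None rather than as a string of replacement characters, which is the case to handle on a cart like the poster's erased one.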

PostPosted: Thu Oct 29, 2015 2:44 am 
Offline

Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
I don't have the hardware so I don't get to see what you see in Mootan's software, I just see the hex and machine code...

Can you trace the instruction set to get that data? See what commands are issued?


PostPosted: Thu Oct 29, 2015 4:05 am 

Joined: Fri Oct 24, 2014 1:56 am
Posts: 75
I must have cut and pasted the wrong register data for Spy vs Spy. Corrected the data in my preceding post.

I'm terrible at assembly code and have limited experience with IDA but I'll look further to see if I can make sense of anything. The associated text is "Load NP Register" and "Save NP Register". There are other strings "Open NP Register File" and "Save NP Register File".


Last edited by skaman on Thu Oct 29, 2015 12:43 pm, edited 1 time in total.

PostPosted: Thu Oct 29, 2015 4:22 am 

Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
I'll take a look for those strings, thanks.

Maybe install a port sniffer / traffic analyser etc and dump all lpt data to a file? Would be the easiest method as you have all the right hardware.

It will reveal the correct flash command sequence to read and write this magic data. Hopefully the same command set for the SNES chips.

https://technet.microsoft.com/en-us/sys ... 96644.aspx


PostPosted: Fri Oct 30, 2015 1:32 pm 

Joined: Fri Feb 24, 2012 12:09 pm
Posts: 530
Didn't know that Mootan's tool can read/write the hidden mapping data - that stuff might be very useful to figure out how it works.
Which utility are you using exactly, and do you have the source code for it, or only the .exe file?

I have checked http://mootan.hg.to/fmgbx/ and there is "FlashManager for GBx v1.10 (English Ver.)" (plain .exe) and "FlashManager for GBx v0.01 (VC7 MFC Project)" (source code, but it looks old... does that version include Nintendo Power stuff?).
EDIT: Going by the japanese text underneath of the download links, it looks as if "NP 8M" support was added in v1.00, so there seems to be no source code released for it.

I've had a look at the .exe, and it seems to be pushing function parameters (eg. address and data) on stack (prior to the function calls). So, when searching for opcodes like "push 00005555", the following "call" opcode might be the "write_data_to_address" function, and putting a breakpoint on that function could be useful to see what gets written to the cart.
Of course, if it's doing a lot of initialization & card detection prior to the "interesting" stuff, then it could be difficult to find the relevant writes.
Searching for "push 00000038" and "push 000000D0" opcodes might also reveal something (there are some such pushes, but I haven't spotted any eye-catching "push 38" being followed by a "push D0" shortly thereafter).

For executing the "Load/Save NP Register" functions, I guess that would only work when having the corresponding hardware connected? I could connect an old bung GBx reader to my PC, but it would probably still refuse to do anything without having a gameboy NP cart attached - or does the "Load/Save NP Register" stuff work without cartridge connected?
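One way to do the search nocash describes, as an added example (my own code, not nocash's and not part of FlashManager): scan a 32-bit x86 image for a `push` of each flash-protocol constant and the nearest following `call rel32`, then rank the callees by how many distinct constants are pushed right before them. A `write_data_to_address(addr, data)` routine should collect 5555h, 2AAAh, AAh, 55h and the command bytes, while an initialisation routine that happens to push 5555h once will rank low. The blob it runs on is a constructed sample assembled inline; the function addresses in it are made up. Two practical points: compilers emit the short `6A ib` form for constants below 0x80 (so `push 38h` is `6A 38`, not `68 38 00 00 00`), and a byte scan with no disassembler can also match inside data or immediates, so the output is a list of candidates to confirm in IDA, not a result.

```python
"""Find `push <flash constant>` followed by `call` in a 32-bit x86 image (added example)."""
import struct
from typing import Dict, List, Set, Tuple

PUSH_IMM32 = 0x68   # push imm32
PUSH_IMM8 = 0x6A    # push imm8 (sign-extended); compilers use it for constants below 0x80
CALL_REL32 = 0xE8   # call rel32


def _find_all(code: bytes, needle: bytes) -> List[int]:
    out, i = [], code.find(needle)
    while i != -1:
        out.append(i)
        i = code.find(needle, i + 1)
    return out


def find_push_then_call(code: bytes, base: int, imm: int, window: int = 32) -> List[Tuple[int, int, int]]:
    """Every `push imm` followed within `window` bytes by a call, as (push_va, call_va, target_va).
    Pure byte scanning: an E8 inside an immediate or data also matches, so verify hits by hand."""
    needles = [bytes([PUSH_IMM32]) + struct.pack("<I", imm)]
    if imm < 0x80:
        needles.append(bytes([PUSH_IMM8, imm]))
    hits = []
    for i in sorted(i for n in needles for i in _find_all(code, n)):
        j = i + (5 if code[i] == PUSH_IMM32 else 2)
        for k in range(j, min(j + window, len(code) - 4)):
            if code[k] == CALL_REL32:
                rel = struct.unpack_from("<i", code, k + 1)[0]
                hits.append((base + i, base + k, base + k + 5 + rel))
                break
    return hits


def rank_call_targets(code: bytes, base: int, imms: List[int], window: int = 32) -> List[Tuple[int, Set[int]]]:
    """Callees ordered by how many distinct constants are pushed shortly before them."""
    seen: Dict[int, Set[int]] = {}
    for imm in imms:
        for _, _, target in find_push_then_call(code, base, imm, window):
            seen.setdefault(target, set()).add(imm)
    return sorted(seen.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def assemble_sample(base: int, items: List[Tuple[str, int]]) -> bytes:
    """Tiny assembler (push/call/ret only) used to build the constructed sample below."""
    out = bytearray()
    for op, arg in items:
        va = base + len(out)
        if op == "push" and arg < 0x80:
            out += bytes([PUSH_IMM8, arg])
        elif op == "push":
            out += bytes([PUSH_IMM32]) + struct.pack("<I", arg)
        elif op == "call":
            out += bytes([CALL_REL32]) + struct.pack("<i", arg - (va + 5))
        elif op == "ret":
            out += b"\xC3"
        else:
            raise ValueError(op)
    return bytes(out)


# Constructed sample (not bytes from FlashManager): two unlock cycles and a command byte, each
# pushed data-then-address before a call to a hypothetical writer at WRITE_FN, plus a decoy
# that pushes 5555h once before calling a different hypothetical routine at INIT_FN.
BASE, WRITE_FN, INIT_FN = 0x401000, 0x401040, 0x401080
FLASH_CONSTANTS = [0x5555, 0x2AAA, 0xAA, 0x55, 0xD0, 0x38]
SAMPLE = assemble_sample(BASE, [
    ("push", 0xAA), ("push", 0x5555), ("call", WRITE_FN),
    ("push", 0x55), ("push", 0x2AAA), ("call", WRITE_FN),
    ("push", 0xD0), ("push", 0x5555), ("call", WRITE_FN),
    ("push", 0x5555), ("call", INIT_FN),
    ("ret", 0),
])

if __name__ == "__main__":
    for target, consts in rank_call_targets(SAMPLE, BASE, FLASH_CONSTANTS):
        print(f"{target:08X} called after push of {sorted(hex(c) for c in consts)}")
```

On a real .exe you would read the code section (for instance with `pefile`), pass its virtual address as `base`, and put a breakpoint on the top-ranked target to watch the address/data pairs being handed to the cart.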


PostPosted: Fri Oct 30, 2015 11:38 pm 

Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
No, no source. I don't have the hardware either so I can't debug it in real time. I've been searching for the flash write-through command; once found, I mark the routines it uses then work backwards looking for calls etc... Haven't had much luck yet. If someone has the hardware and a real LPT port they could sniff the data using Portmon.

Skaman has sent me USB traffic to and from his EZ-USB adaptor but a lot of the important stuff is obscured with the overhead to control the EZ-USB.

One thing I did notice is the software sets SRAM Bank 0x0A, then bank 0x00 3 times, then reads from the cart. I've replicated this and I've found data from 0x2000 when reading with CS active (not RD)

This is interesting because I've erased my Flash, and written 0xFF to the entire SRAM yet this data is still there and it is static, not just noise.

I can't tell if this is the magic data because I have no way of getting the correct data out of the cart, it doesn't look like Skaman's dumps though my cart came with a single ROM, no boot menu.


PostPosted: Sun Nov 08, 2015 1:40 pm 

Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
Success! A big thanks to skaman!!

(must write 0x77 twice)

NP Data from what was once Mario Bros.

B5 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 08 00 40 00 43 47 42 20
2D 41 48 59 4A 2D 20 20 82 4F 82 57 82 60 83 58
81 5B 83 70 81 5B 83 7D 83 8A 83 49 83 75 83 89
83 55 81 5B 83 59 83 66 83 89 83 62 83 4E 83 58
20 20 20 20 30 37 2F 33 31 2F 32 30 30 30 31 33
3A 33 31 3A 33 38 4C 41 57 30 33 33 34 37 01 00
30 25 00 03 01 00 12 57 FF FF FF FF FF FF 00 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

Now to erase it, and re-write it! Oh, and issuing a chip erase will not destroy this data.


PostPosted: Sun Nov 08, 2015 9:42 pm 

Joined: Sat Mar 29, 2014 10:01 pm
Posts: 107
Location: Australia
From the data skaman has sent I think I have it decoded. Untested...


0x0120<01, 0x013F<A5 - Unknown

0x0120<02, 0x013F<A5 - unknown

[0x5555] < AA
[0x2AAA] < 55
[0x5555] < F5 or A0.... Not sure which is a write, the bus log is bi-directional with no indication.

Read bus and wait for something

[0x5555]<AA
[0x2AAA]<55
[0x5555]<60

Read bus and wait for something...

[0x5555]<AA
[0x2AAA]<55
[0x5555]<E0

Read bus and wait for something

0x0120<03, 0x013F<A5
0x0120<08, 0x013F<A5

Send 256 bytes of NP Magic Data ......

There may be a verification command following

