 Post subject: More Bootleg Games
PostPosted: Wed Feb 08, 2017 4:40 am 
Joined: Fri Feb 24, 2012 12:09 pm
Posts: 517
Just found out that there are four more "copy-protected" bootleg games, similar to those mentioned by d4s ages ago: viewtopic.php?f=12&t=4417 (and as summarized here: http://problemkaputt.de/fullsnes.htm#sn ... edvariants ).

Squirrel (2MB, CRC32=BAD1D9B8h) this is just using the same "bitswap" feature as most of the other games (A Bug's Life, Aladdin 2000, etc.).

Marvel Super Heroes vs Street Fighter (2MB, CRC32=CDB590E4h) this is doing the same "bitswap", too, but accessed via different memory addresses. Instead of Read=80-xx:8000-FFFF and Write=88-xx:8000-FFFF, it's using Read=4x:8xx0 and Write=4x:8xx2. I don't know which addresses it's mirrored to exactly. Some used addresses are:
-- Write Area = 40:8182, 46:80E2, 4E:8062, 4E:88E2
-- Read Area = 40:8180, 46:80E0, 4E:8060, 4E:88E0
bank might be 40-4F, or maybe 40-7D, and maybe also C0-FF
offs might be 8000-8FFF, or maybe 8000-FFFF, or 0000-FFFF
R/W might be indicated by A1 address line, and/or by read/write signals
the whole hardware might be same as in the other "bitswap" carts, but wired to different address lines, or it might be even wired exactly the same (it's unknown if the other "bitswap" carts are mapping anything to bank 40-7D).

Dragon Ball Z - Final Bout (2MB, CRC32=5BBA4EB3h) this seems to use the same "constant" feature as Soul Blade. Or at least it can be emulated that way. On the other hand, Soul Blade didn't really verify the 55h,0Fh,AAh,F0h constants (it's working okay even when replacing those constants by FFh,FFh,FFh,FFh). If the verification in Dragon Ball is equally weak then it might work with other constants, too. So it's hard to tell how the cartridge really works (unless physically dumping the constants from the cartridge).

Campeonato Brasileiro 2 (2MB, CRC32=CBE9A9BDh) this is using some new feature, and I haven't fully figured out how it's working yet. It looks as if each 2nd 32Kbyte ROM bank is "encrypted" via some relatively simple XOR pattern:
The game writes [C002C1h]=4126h shortly after reset, and data in odd ROM banks seems to be corrupted/encrypted (eg. opcodes at 87CCB7h seem to be XORed by 03h, or by 01h and/or other values in some cases).
That is, when dumping the game without initializing the XOR pattern (which is probably done by the [C002C1h] write). If it's initialized properly then it should return clean "decrypted" data (without needing the XOR by 03h), but the game is probably changing the XOR pattern for different ROM areas, so it would be best to get a dump that has clean "encrypted" data, and then to figure out how to decrypt/emulate it.

Some MORE bootleg games are mentioned here: http://bootleggames.wikia.com/wiki/Category:SNES_games - I haven't tried them and don't know if they contain protection hardware, too. If somebody wants to try: If they don't work in no$sns then they probably contain protection hardware (which would be nice to know).
If they do work (would be nice to know too), then they are unprotected (or already emulated, like A Bug's Life, Aladdin, Soul Blade etc.)

PS. photos for the different bootleg cartridges would be also interesting (with PCB front/back sides).


 Post subject: Re: More Bootleg Games
PostPosted: Wed Feb 08, 2017 9:56 am 
Joined: Sat Apr 25, 2015 1:47 pm
Posts: 282
Location: FL
Sometime last year I got a copy of the Squirrel ROM dump from someone who had asked me to crack it, and I sent them a patch but I have no idea if it or the ROM was ever publicly released. I actually didn't know d4s had documented that bitswap protection until a short time after I finished cracking it, but Squirrel has so many instances of "write a constant value, read it back, compare to another constant value" that it was pretty easy to put all the values side-by-side and figure out the correct bit order.

The same person sent me a copy of DBZ Final Bout (which I also cracked but was still unplayable due to the dump having several ROM banks missing), and a copy of Hercules which seemed to be a good dump but I don't know if I would have been able to figure out the protection without having an actual physical copy available (IIRC it just has some weird address mapping which it relies on in a lot of places).

 Post subject: Re: More Bootleg Games
PostPosted: Wed Feb 08, 2017 10:48 am 
Joined: Fri Feb 24, 2012 12:09 pm
Posts: 517
Hercules with weird address mapping sounds like yet another protection mechanism. Do you have some more info on how it works? And is it a fixed "interleaved" mapping, or is it supporting some kind of "bank-switching" via I/O ports?

Oh, and forgot to mention: If somebody wants to debug such games in no$sns: Go to "Debug" options, and change "Invalid Memory Accesses" setting to "Halt", so the debugger will stop whenever hitting unexpected writes to the (unemulated) I/O ports in ROM area.

 Post subject: Re: More Bootleg Games
PostPosted: Wed Feb 08, 2017 1:45 pm 
Joined: Sat Apr 25, 2015 1:47 pm
Posts: 282
Location: FL
I'll have to check it again when I get home from work, though I'm pretty sure there were no I/O ports involved, just unusual address decoding.

 Post subject: Re: More Bootleg Games
PostPosted: Sat Feb 11, 2017 10:13 am 
Joined: Fri Feb 24, 2012 12:09 pm
Posts: 517
I've got some PCB photos for bootleg carts...

First off, Squirrel (using the "standard bitswap" stuff, containing a CIC, ROM, and some mapping/protection logic):
[Attachment: Squirrel.jpg]


Next, something called 101 Dalmatas (I don't know what kind of protection hardware this has - if any):
[Attachment: 101 Dalmatas.jpg]


Then there's Campeonato Brasileiro 2 (this is a really weird hardware design, apparently they've re-used some older PCB, and then soldered another "extension-PCB" underneath it, presumably with some extra protection hardware on it, which seems to "encrypt" parts of the ROM):
[Attachment: Campeonato Brasileiro 2 (dual PCB version - component side).jpg]
[Attachment: Campeonato Brasileiro 2 (dual PCB version - solder side).jpg]


However, Campeonato Brasileiro 2 does also exist as a single-PCB version (from what I got told, the dumps for single-PCB and dual-PCB versions are identical, so the encryption hardware seems to exist in both versions, and the dumps seem to be "stable" despite the uninitialized I/O port; maybe the single-PCB does have all the extra protection logic contained in the PAL, or in the black blob, or on the PCB back side, or whatever):
[Attachment: Campeonato Brasileiro 2 (single PCB version - component side).jpg]


CLE seems to own one of the Campeonato Brasileiro 2 versions, and knows somebody owning the other version, so there might be some chance to get better photos with legible chip part numbers, which would give some insight on if/how the ROM is being encrypted.

 Post subject: Re: More Bootleg Games
PostPosted: Wed Feb 15, 2017 8:25 pm 
Joined: Sat Apr 25, 2015 1:47 pm
Posts: 282
Location: FL
nocash wrote:
Hercules with weird address mapping sounds like yet another protection mechanism. Do you have some more info on how it works? And is it a fixed "interleaved" mapping, or is it supporting some kind of "bank-switching" via I/O ports?


Some of the stuff it does is simple mirroring checks:

Code:
00beb9 lda $048020,x
00bebd cmp $848020,x
00bec1 bne $bec7
00bec3 jml $00be97


After that, it does more tricky stuff involving DBR and indirect reads, like this:

Code:
009b27 lda $8700,x   [829f20] A:8282 X:1820 Y:0007 S:01e8 D:0000 DB:82 nvmxdIzC V:147 H: 16 F:35
009b2a and #$f00f             A:0000 X:1820 Y:0007 S:01e8 D:0000 DB:82 nvmxdIZC V:147 H: 16 F:35
009b2d tay                    A:0000 X:1820 Y:0007 S:01e8 D:0000 DB:82 nvmxdIZC V:147 H: 22 F:35
009b2e plb                    A:0000 X:1820 Y:0000 S:01e8 D:0000 DB:82 nvmxdIZC V:147 H: 26 F:35
009b2f sep #$20               A:0000 X:1820 Y:0000 S:01e9 D:0000 DB:00 nvmxdIZC V:147 H: 33 F:35

[...]

009c68 lda [$24],y   [3ae03c] A:0001 X:1820 Y:0000 S:01e9 D:0000 DB:00 nvMxdIZC V:147 H: 79 F:35
009c6a sta $17f2     [0017f2] A:0001 X:1820 Y:0000 S:01e9 D:0000 DB:00 nvMxdIzC V:147 H: 91 F:35
009c6d ldx #$0000             A:0001 X:1820 Y:0000 S:01e9 D:0000 DB:00 nvMxdIzC V:147 H: 99 F:35
009c70 iny                    A:0001 X:0000 Y:0000 S:01e9 D:0000 DB:00 nvMxdIZC V:147 H:105 F:35
009c71 lda [$24],y   [3ae03d] A:0001 X:0000 Y:0001 S:01e9 D:0000 DB:00 nvMxdIzC V:147 H:108 F:35
009c73 cmp $17f2     [0017f2] A:0000 X:0000 Y:0001 S:01e9 D:0000 DB:00 nvMxdIZC V:147 H:120 F:35
009c76 bne $9c91     [009c91] A:0000 X:0000 Y:0001 S:01e9 D:0000 DB:00 NvMxdIzc V:147 H:128 F:35


It's obviously just some weird interleaved mapping but I haven't really attempted to figure out how it's supposed to be set up. Do you know of any other bootlegs that do something similar?

 Post subject: Re: More Bootleg Games
PostPosted: Fri Feb 24, 2017 12:46 pm 
Joined: Fri Feb 24, 2012 12:09 pm
Posts: 517
Got better pictures and component list for the Campeonato Brasileiro 2 dual-PCB version (thanks to CLE)...
Code:
Upper Board "DA516S G16B" components from Left to Right:
  GS74LS161, 9411 (CIC)
  Black Blob (ROM)
  MALAYSIA 895 532FF, TI TIBPAL16L8-15CN
Lower Board "SNFTFIX" components from Left to Right:
  PALCE 16V8H-25, PC/4 9635ABA M
  PALCE 16V8H-25, PC/4 9635ABA M
  SN74LS260N, XAB9434 (dual 5-input NOR gates)

So yeah, three PALs, that's pretty much weirder than expected. And when just gazing at the photos, one can't even guess how the PALs are programmed : /
[Attachment: Campeonato Brasileiro 2 (dual PCB version - hires - component side).jpg]
[Attachment: Campeonato Brasileiro 2 (dual PCB version - hires - solder side).jpg]

 Post subject: Re: More Bootleg Games
PostPosted: Sun Feb 26, 2017 10:16 am 
Joined: Fri Feb 24, 2012 12:09 pm
Posts: 517
Hercules (2MB, CRC32=45874D3Dh) appears to be just the "constant" pattern:
Code:
Copy-Protected Bootlegs (Soulblade "constant" variant)
This type is used by three games:
  Dragon Ball Z - Final Bout            2MB, CRC32=5BBA4EB3h
  Hercules                              2MB, CRC32=45874D3Dh
  Soul Blade                            3MB, CRC32=C97D1D7Bh
The protection hardware consists of a read-only pattern, mapped to:
  80-BF:8000-FFFF  Filled with a constant 4-byte pattern (55h,0Fh,AAh,F0h)
  C0-FF:0000-FFFF  Open bus (not used)

Concerning mapping/mirroring, the only special thing is that it maps the constants at bank 80h and up (instead of mirroring the ROM in that place).
Not absolutely sure if the three games are really all using the exact same pattern, but for emulation, they are all working okay when using those "55h,0Fh,AAh,F0h" values.

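The "constant" mapping described in the post above, and the mirroring check from the Hercules trace a few posts earlier (lda $048020,x / cmp $848020,x), can be modelled in a few lines of Python. This is an added example written for this page, not code from the thread, from no$sns, or from any of the posters; it assumes a LoROM layout (banks 00-7D, offsets 8000-FFFF, 32 KiB per bank), that ROM reads wrap at the image size, that the 4-byte pattern is indexed by the two lowest address bits, and that the trace's reads are 8-bit. None of those assumptions are confirmed in the thread; the point is to show what an emulator's cartridge read handler has to do for this variant, and why the game's mirror comparison comes out "not equal" on the protected cart but "equal" on a plain ROM mirror.

```python
# Added example, not from the thread: model of the Soul Blade / Hercules /
# DBZ "constant" protection variant as nocash describes it.

# Values quoted in the thread; which byte appears at which address is my
# assumption (pattern indexed by the two lowest address bits).
CONSTANT_PATTERN = (0x55, 0x0F, 0xAA, 0xF0)


def make_test_rom(size=0x40000):
    """Constructed sample ROM (256 KiB): byte value = linear address & 0xFF,
    so every byte tells you where it was read from."""
    return bytes(i & 0xFF for i in range(size))


def lorom_offset(bank, offset):
    """Linear ROM offset for a LoROM bank/offset pair (bank bit 7 ignored).
    LoROM layout is an assumption, not stated in the thread."""
    return (bank & 0x7F) * 0x8000 + (offset - 0x8000)


def read_byte(rom, addr, protected=True):
    """One CPU read from a 24-bit SNES address.

    protected=True  -> the "constant" cartridge from the thread
    protected=False -> an ordinary LoROM cart that mirrors ROM at 80-BF
    Returns None for open bus."""
    bank = (addr >> 16) & 0xFF
    offset = addr & 0xFFFF
    if offset < 0x8000:
        return None                       # no ROM in the lower half (LoROM assumption)
    if bank <= 0x7D:
        return rom[lorom_offset(bank, offset) % len(rom)]
    if 0x80 <= bank <= 0xBF:
        if protected:
            # Protection hardware: the read-only pattern replaces the ROM mirror
            return CONSTANT_PATTERN[offset & 3]
        return rom[lorom_offset(bank, offset) % len(rom)]
    return None                           # C0-FF: open bus on the protected cart


def read_word(rom, addr, protected=True):
    """Little-endian 16-bit read built from two byte reads."""
    lo = read_byte(rom, addr, protected)
    hi = read_byte(rom, addr + 1, protected)
    if lo is None or hi is None:
        return None
    return lo | (hi << 8)


def hercules_style_mirror_check(rom, x=0, protected=True):
    """Re-create the check from the trace: lda $048020,x ; cmp $848020,x.

    Returns True when the two reads are EQUAL (the cart looks like a plain
    ROM mirror). The protected cart makes them differ, which is what the
    game's bne at 00bec1 is keyed on."""
    a = read_byte(rom, 0x048020 + x, protected)
    b = read_byte(rom, 0x848020 + x, protected)
    return a == b


if __name__ == "__main__":
    rom = make_test_rom()
    for addr in (0x048020, 0x848020, 0x848021, 0x848022, 0x848023, 0xC00000):
        print("%06X -> %s" % (addr, read_byte(rom, addr)))
    print("mirror check, protected cart  :", hercules_style_mirror_check(rom))
    print("mirror check, plain ROM mirror:", hercules_style_mirror_check(rom, protected=False))
```

The useful thing to take from this model is that the check only tells the game whether bank 84h returns the pattern rather than a ROM mirror; as nocash notes for Soul Blade, a game that never compares the actual bytes against 55h,0Fh,AAh,F0h would pass with any pattern, so an emulator test against one game says nothing about the real hardware's values.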
 Post subject: Re: More Bootleg Games
PostPosted: Mon Feb 27, 2017 8:03 am 
Joined: Fri Feb 24, 2012 12:09 pm
Posts: 517
I've foolishly (*) spent several hours on gazing at the Campeonato Brasileiro 2 protection, and after all, it seems to be very simple, with only three bits involved (D0, D1, and A16):
Code:
  D0 = D0 XOR A16   ;inverted bit
  D1 = D1 OR A16    ;missing bit

Writing [C002C1h]=4126h should unlock the missing bit, but I am afraid that chances are less than 0.001% to find somebody who owns the cart and knows how to write 4126h to [C002C1h], so it's probably almost impossible to dump the game - despite the bloody simple protection : /

(*) foolishly because it really took me several hours until I had realized that bit1 was missing ; (

EDIT: Dumping the game could be done using one of the following ideas:
- By hardware: Rewire D1 in the game cart to bypass the protection PAL.
- By firmware: Reprogram your dumping device firmware to do [C002C1h]=4126h.
- By software: Use hotswapping to transfer D1 from ROM to SRAM in a flashcart.

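The two-bit transform in the post above (D0 = D0 XOR A16, D1 = D1 OR A16) is small enough to model completely, which makes it easy to see three things the post states in passing: why a raw dump looks "XORed by 03h, or by 01h" depending on the byte, why the D0 inversion can be undone afterwards while the D1 information is simply gone, and what the [C002C1h]=4126h write would have to do in an emulator. This is an added example written for this page, not code from nocash, the thread, or no$sns. It assumes that A16 is the SNES bus address bit (so odd banks are the affected ones, matching the 87CCB7h observation), that the unlock is a 16-bit write that disables both transforms, and that the ROM is LoROM-mapped; none of that is confirmed in the thread.

```python
# Added example, not from the thread: model of the Campeonato Brasileiro 2
# read path as nocash describes it (D0 = D0 XOR A16, D1 = D1 OR A16).

UNLOCK_ADDR = 0xC002C1     # from the thread
UNLOCK_VALUE = 0x4126      # from the thread; 16-bit width is my assumption


def make_sample_rom(size=0x40000):
    """Constructed sample ROM (256 KiB): byte value = linear address & 0xFF."""
    return bytes(i & 0xFF for i in range(size))


class ProtectedCart:
    """Cartridge model: clean ROM behind a PAL that mangles two data bits
    whenever bus A16 is set, until the unlock write has been seen."""

    def __init__(self, rom):
        self.rom = rom
        self.unlocked = False

    def write(self, addr, value16):
        # Only the documented unlock write does anything in this model.
        if (addr & 0xFFFFFF) == UNLOCK_ADDR and (value16 & 0xFFFF) == UNLOCK_VALUE:
            self.unlocked = True

    def read(self, addr):
        bank = (addr >> 16) & 0xFF
        offset = addr & 0xFFFF
        # LoROM decode (assumption): 32 KiB per bank, offsets 8000-FFFF
        clean = self.rom[((bank & 0x7F) * 0x8000 + (offset & 0x7FFF)) % len(self.rom)]
        if self.unlocked:
            return clean
        a16 = bank & 1                 # bus A16 is bit 0 of the bank number
        d = clean ^ a16                # D0 = D0 XOR A16  ("inverted bit")
        d |= a16 << 1                  # D1 = D1 OR A16   ("missing bit")
        return d


def apparent_xor(clean, locked):
    """What a naive diff of clean vs locked data shows for one byte:
    01h when the clean byte already had bit 1 set, 03h when it did not."""
    return clean ^ locked


def candidates(locked, a16):
    """Every clean byte that could have produced `locked` on a read with the
    given A16. With A16 = 0 the byte is untouched. With A16 = 1 the D0
    inversion is reversible but bit 1 is lost, so two clean bytes are
    possible; a locked byte with bit 1 clear cannot occur at all."""
    if not a16:
        return {locked}
    if not locked & 0x02:
        return set()                   # impossible: D1 is forced to 1 when A16 = 1
    base = locked ^ 0x01               # undo the D0 inversion
    return {base & 0xFD, base}         # bit 1 may have been 0 or 1


if __name__ == "__main__":
    cart = ProtectedCart(make_sample_rom())
    locked = cart.read(0x87CCB7)
    print("87CCB7 locked read: %02X, candidates: %s" % (locked, sorted(candidates(locked, 1))))
    cart.write(UNLOCK_ADDR, UNLOCK_VALUE)
    print("87CCB7 after unlock: %02X" % cart.read(0x87CCB7))
```

The `candidates` function is the part worth keeping in mind when reading the "dump could be done" list: as long as the dump was taken without the unlock write, every odd-bank byte has two possible clean values, so no amount of post-processing recovers the original data; only a read with the PAL bypassed (or unlocked) does.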