It is currently Mon Oct 23, 2017 5:36 pm

All times are UTC - 7 hours



Forum rules


Related:



Post new topic Reply to topic  [ 18 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: More Bootleg Games
PostPosted: Wed Feb 08, 2017 4:40 am 
Offline

Joined: Fri Feb 24, 2012 12:09 pm
Posts: 531
Just found out that there are four more "copy-protected" bootleg games, similar to those mentioned by d4s ages ago: viewtopic.php?f=12&t=4417 (and as summarized here: http://problemkaputt.de/fullsnes.htm#sn ... edvariants ).

Squirrel (2MB, CRC32=BAD1D9B8h) this is just using the same "bitswap" feature as most of the other games (A Bug's Life, Aladding 2000, etc.).

Marvel Super Heroes vs Street Fighter (2MB, CRC32=CDB590E4h) this is doing the same "bitswap", too, but accessed via different memory addresses. Instead of Read=80-xx:8000-FFFF and Write=88-xx:8000-FFFF, it's using Read=4x:8xx0 and Write=4x:8xx2. I don't know which addresses it's mirrored to exactly. Some used addresses are:
-- Write Area = 40:8182, 46:80E2, 4E:8062, 4E:88E2
-- Read Area = 40:8180, 46:80E0, 4E:8060, 4E:88E0
bank might be 40-4F, or maybe 40-7D, and maybe also C0-FF
offs might be 8000-8FFF, or maybe 8000-FFFF, or 0000-FFFF
R/W might be indicated by A1 address line, and/or by read/write signals
the whole hardware might be same as in the other "bitswap" carts, but wired to different address lines, or it might be even wired exactly the same (it's unknown if the other "bitswap" carts are mapping anything to bank 40-7D).

Dragon Ball Z - Final Bout (2MB, CRC32=5BBA4EB3h) this seems to use the same "constant" feature as Soul Blade. Or at least it can be emulated that way. On the other hand, Soul Blade didn't really verify the 55h,0Fh,AAh,F0h constants (it's working okay even replacing that constants by FFh,FFh,FFh,FFh). If the verification in Dragon Ball is equally weak then it might work with other constants, too. So it's hard to tell how the cartridge really works (unless when physically dumping the constants from the cartridge).

Campeonato Brasileiro 2 (2MB, CRC32=CBE9A9BDh) this is using some new feature, and I haven't fully figured out it's working yet. It looks as if each 2nd 32Kbyte ROM bank is "encrypted" via some relative simple XOR pattern:
The game writes [C002C1h]=4126h shortly after reset, and data in odd ROM banks seems to be corrupted/encrypted (eg. opcodes at 87CCB7h seem to be XORed by 03h, or by 01h and/or other values in some cases).
That is, when dumping the game without initializing the XOR pattern (which is probably done by the [C002C1h] write). If it's initialized properly then it should return clean "decrypted" data (without needing the XOR by 03h), but the game is probably changing the XOR pattern for different ROM areas, so it would be best to get a dump that has clean "encrypted" data, and then to figure out how to decrypt/emulate it.

Some MORE bootleg games are mentioned here: http://bootleggames.wikia.com/wiki/Category:SNES_games - I haven't tried them and don't know if they do contain protection hardware, too. If somebody wants to try: If they don't work in no$sns then they are probably containing protection hardware (which would be nice to know).
If they do work (would be nice to know too), then they are unprotected (or already emulated, like A Bug's Life, Aladdin, Soul Blade etc.)

PS. photos for the different bootleg cartridges would be also interesting (with PCB front/back sides).


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Wed Feb 08, 2017 9:56 am 
Offline

Joined: Sat Apr 25, 2015 1:47 pm
Posts: 329
Location: FL
Sometime last year I got a copy of the Squirrel ROM dump from someone who had asked me to crack it, and I sent them a patch but I have no idea if it or the ROM was ever publicly released. I actually didn't know d4s had documented that bitswap protection until a short time after I finished cracking it, but Squirrel has so many instances of "write a constant value, read it back, compare to another constant value" that it was pretty easy to put all the values side-by-side and figure out the correct bit order.

The same person sent me a copy of DBZ Final Bout (which I also cracked but was still unplayable due to the dump having several ROM banks missing), and a copy of Hercules which seemed to be a good dump but I don't know if I would have been able to figure out the protection without having an actual physical copy available (IIRC it just has some weird address mapping which it relies on in a lot of places).


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Wed Feb 08, 2017 10:48 am 
Offline

Joined: Fri Feb 24, 2012 12:09 pm
Posts: 531
Hercules with weird address mapping sounds like yet another protection mechanism. Do you have some more info on how it works? And is it a fixed "interleaved" mapping, or is it supporting some kind of "bank-switching" via I/O ports?

Oh, and forgot to mention: If somebody wants to debug such games in no$sns: Go to "Debug" options, and change "Invalid Memory Accesses" setting to "Halt", so the debugger will stop whenever hitting unexpected writes to the (unemulated) I/O ports in ROM area.


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Wed Feb 08, 2017 1:45 pm 
Offline

Joined: Sat Apr 25, 2015 1:47 pm
Posts: 329
Location: FL
I'll have to check it again when I get home from work, though I'm pretty sure there were no I/O ports involved, just unusual address decoding.


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Sat Feb 11, 2017 10:13 am 
Offline

Joined: Fri Feb 24, 2012 12:09 pm
Posts: 531
I've got some PCB photos for bootleg carts...

First of, Squirrel (using the "standard bitswap" stuff, containing a CIC, ROM, and some mapping/protection logic):
Attachment:
Squirrel.jpg
Squirrel.jpg [ 37.22 KiB | Viewed 2023 times ]


Next, something called 101 Dalmatas (I don't know what kind of protection hardware this has - if any):
Attachment:
101 Dalmatas.jpg
101 Dalmatas.jpg [ 26.88 KiB | Viewed 2023 times ]


Then there's Campeonato Brasileiro 2 (this a really weird hardware design, apparently they've re-used some older PCB, and then soldered another "extension-PCB" underneath of it, presumably with some extra protection hardware on it, which seems to "encrypt" parts of the ROM):
Attachment:
Campeonato Brasileiro 2 (dual PCB version - component side).jpg
Campeonato Brasileiro 2 (dual PCB version - component side).jpg [ 70.18 KiB | Viewed 2023 times ]

Attachment:
Campeonato Brasileiro 2 (dual PCB version - solder side).jpg
Campeonato Brasileiro 2 (dual PCB version - solder side).jpg [ 91.77 KiB | Viewed 2023 times ]


However, Campeonato Brasileiro 2 does also exist as single-PCB version (from what I got told, the dumps for single-PCB and dual-PCB versions are identical, so the encryption hardware seems to exist in both versions, and the dumps seem to be "stable" despite of the uninitialized I/O port; maybe the single-PCB does have all the extra protection logic contained in the PAL, or in the black blob, or on the PCB back side, or whatever):
Attachment:
Campeonato Brasileiro 2 (single PCB version - component side).jpg
Campeonato Brasileiro 2 (single PCB version - component side).jpg [ 43.39 KiB | Viewed 2023 times ]


CLE seems to own one of the Campeonato Brasileiro 2 versions, and knows somebody owning the other version, so there might be some chance to get better photos with legible chip part numbers, which would give some insight on if/how the ROM is being encrypted.


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Wed Feb 15, 2017 8:25 pm 
Offline

Joined: Sat Apr 25, 2015 1:47 pm
Posts: 329
Location: FL
nocash wrote:
Hercules with weird address mapping sounds like yet another protection mechanism. Do you have some more info on how it works? And is it a fixed "interleaved" mapping, or is it supporting some kind of "bank-switching" via I/O ports?


Some of the stuff it does is simple mirroring checks:

Code:
00beb9 lda $048020,x
00bebd cmp $848020,x
00bec1 bne $bec7
00bec3 jml $00be97


After that, it does more tricky stuff involving DBR and indirect reads, like this:

Code:
009b27 lda $8700,x   [829f20] A:8282 X:1820 Y:0007 S:01e8 D:0000 DB:82 nvmxdIzC V:147 H: 16 F:35
009b2a and #$f00f             A:0000 X:1820 Y:0007 S:01e8 D:0000 DB:82 nvmxdIZC V:147 H: 16 F:35
009b2d tay                    A:0000 X:1820 Y:0007 S:01e8 D:0000 DB:82 nvmxdIZC V:147 H: 22 F:35
009b2e plb                    A:0000 X:1820 Y:0000 S:01e8 D:0000 DB:82 nvmxdIZC V:147 H: 26 F:35
009b2f sep #$20               A:0000 X:1820 Y:0000 S:01e9 D:0000 DB:00 nvmxdIZC V:147 H: 33 F:35

[...]

009c68 lda [$24],y   [3ae03c] A:0001 X:1820 Y:0000 S:01e9 D:0000 DB:00 nvMxdIZC V:147 H: 79 F:35
009c6a sta $17f2     [0017f2] A:0001 X:1820 Y:0000 S:01e9 D:0000 DB:00 nvMxdIzC V:147 H: 91 F:35
009c6d ldx #$0000             A:0001 X:1820 Y:0000 S:01e9 D:0000 DB:00 nvMxdIzC V:147 H: 99 F:35
009c70 iny                    A:0001 X:0000 Y:0000 S:01e9 D:0000 DB:00 nvMxdIZC V:147 H:105 F:35
009c71 lda [$24],y   [3ae03d] A:0001 X:0000 Y:0001 S:01e9 D:0000 DB:00 nvMxdIzC V:147 H:108 F:35
009c73 cmp $17f2     [0017f2] A:0000 X:0000 Y:0001 S:01e9 D:0000 DB:00 nvMxdIZC V:147 H:120 F:35
009c76 bne $9c91     [009c91] A:0000 X:0000 Y:0001 S:01e9 D:0000 DB:00 NvMxdIzc V:147 H:128 F:35


It's obviously just some weird interleaved mapping but I haven't really attempted to figure out how it's supposed to be set up. Do you know of any other bootlegs that do something similar?


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Fri Feb 24, 2017 12:46 pm 
Offline

Joined: Fri Feb 24, 2012 12:09 pm
Posts: 531
Got better pictures and component list for the Campeonato Brasileiro 2 dual-PCB version (thanks to CLE)...
Code:
Upper Board "DA516S G16B" components from Left to Right:
  GS74LS161, 9411 (CIC)
  Black Blob (ROM)
  MALAYSIA 895 532FF, TI TIBPAL16L8-15CN
Lower Board "SNFTFIX" components from Left to Right:
  PALCE 16V8H-25, PC/4 9635ABA M
  PALCE 16V8H-25, PC/4 9635ABA M
  SN74LS260N, XAB9434 (dual 5-input NOR gates)

So yeah, three PALs, that's pretty much weirder than expected. And when just gazing at the photos, one couldn't even guess how the PALs are programmed : /
Attachment:
Campeonato Brasileiro 2 (dual PCB version - hires - component side).jpg
Campeonato Brasileiro 2 (dual PCB version - hires - component side).jpg [ 127.7 KiB | Viewed 1798 times ]

Attachment:
Campeonato Brasileiro 2 (dual PCB version - hires - solder side).jpg
Campeonato Brasileiro 2 (dual PCB version - hires - solder side).jpg [ 129.35 KiB | Viewed 1798 times ]


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Sun Feb 26, 2017 10:16 am 
Offline

Joined: Fri Feb 24, 2012 12:09 pm
Posts: 531
Hercules (2MB, CRC32=45874D3Dh) appears to be just the "constant" pattern:
Code:
Copy-Protected Bootlegs (Soulblade "constant" variant)
This type is used by three games:
  Dragon Ball Z - Final Bout            2MB, CRC32=5BBA4EB3h
  Hercules                              2MB, CRC32=45874D3Dh
  Soul Blade                            3MB, CRC32=C97D1D7Bh
The protection hardware consists of a read-only pattern, mapped to:
  80-BF:8000-FFFF  Filled with a constant 4-byte pattern (55h,0Fh,AAh,F0h)
  C0-FF:0000-FFFF  Open bus (not used)

Concerning mapping/mirroring, the only special is that it's mapping the constants at bank 80h and up (instead of mirroring the ROM in that place).
Not absolutely sure if the three games are really all using the exact same pattern, but for emulation, they are all working okay when using that "55h,0Fh,AAh,F0h" values.


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Mon Feb 27, 2017 8:03 am 
Offline

Joined: Fri Feb 24, 2012 12:09 pm
Posts: 531
I've foolishly (*) spent several hours on gazing at the Campeonato Brasileiro 2 protection, and after all, it seems to be very simple, with only three bits envolved (D0, D1, and A16):
Code:
  D0 = D0 XOR A16   ;inverted bit
  D1 = D1 OR A16    ;missing bit

Writing [C002C1h]=4126h should unlock the missing bit, but I am afraid that chances are less than 0.001% to find somebody who does own the cart and knows how to write 4126h to [C002C1h], so it's probably almost impossible to dump the game - despite of the bloody simple protection : /

(*) foolishly because it really took me several hours until I had realized that bit1 was missing ; (

EDIT: Dumping the game could be done using one of the following ideas:
- By hardware: Rewire D1 in the game cart to bypass the protection PAL.
- By firmware: Reprogram your dumping device firmware to do [C002C1h]=4126h.
- By software: Use hotswapping to transfer D1 from ROM to SRAM in a flashcart.


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Sat Aug 12, 2017 12:20 am 
Offline

Joined: Sat Apr 25, 2015 1:47 pm
Posts: 329
Location: FL
I had a look at a "King of Fighters '98" dump somebody sent me this week. In addition to the usual bitswap thing (using banks $88 and $80 again), writing to $c08788 (or possibly $c00000+) appears to select which 32kb segment of ROM is visible at $008000-00ffff, e.g. in this small bit of code running from RAM:

Code:
000700 php
000701 sep #$20
000703 lda #$82
000705 sta [$9e]     [c08788]
000707 jsr $9767     [009767] // "real" code location is at 029767
00070a jsr $9815     [009815] // "real" code location is at 029815
00070d lda #$00
00070f sta [$9e]     [c08788]
000711 rep #$20
000713 plp
000714 rts


I'm not sure if it affects any other parts of the address space. This is the only snippet of code in this game which appears to rely on this mechanism and it can be hacked around fairly easily by inserting/modifying a few long jump instructions. (I don't know if "King of Fighters 2000" has the same thing, but I don't remember it being mentioned).

Unfortunately I don't have access to the actual cartridge or I could try to describe the behavior a little more accurately.


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Mon Aug 14, 2017 8:18 pm 
Offline

Joined: Sat Apr 25, 2015 1:47 pm
Posts: 329
Location: FL
http://imgur.com/a/zdTX5

Photos of the KOF'98 board sent to me by CLE, who also supplied the ROM. There's a 74LS157 on there which I presume is just muxing one or more of the address lines (I didn't look at the traces very closely yet).


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Mon Aug 14, 2017 8:57 pm 
Offline

Joined: Sun Apr 13, 2008 11:12 am
Posts: 6303
Location: Seattle
The '157 is shuffling address lines—definitely A16 and A17, very likely A18 and probably one of A19 or A20—but the complicated part is the epoxy blob to its left, because that's what controls both when and to what those address lines are switched.


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Mon Aug 14, 2017 9:09 pm 
Offline

Joined: Sat Apr 25, 2015 1:47 pm
Posts: 329
Location: FL
Fortunately A17 is the only one that actually seems to matter for this particular game. I'm curious as to what other bootlegs might be using the same board.


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Tue Aug 15, 2017 9:41 am 
Offline

Joined: Fri Feb 24, 2012 12:09 pm
Posts: 531
Thanks for the disassembly & for the photos of the KF16 board!

The 74LS157 attached to the black blobs looks like patchwork. I wonder if they have customized the logic in the blobs for latching the ROM bank selection, or if they have just used the existing latch (for the bitswap value) from older blobs. In the latter case, the same bank-switch should also occur if the game does write 82h to the 8x:xxxx area, but that could work only if the original blob design did output the latched value on external "test" pins (the old bitswap design didn't need to output the value, except possibly for testing purposes, and of course when doing the bitswap reading via databus).

With only to known data values (82h=bankswap, and 00h=normal), one could only guess how it's working. But it looks as if it might work as so:
latched.data.bit7=0 --> pass A16..A19 to ROM address lines
latched.data.bit7=1 --> pass latched.data.bit0..3 to ROM address lines


Top
 Profile  
 
 Post subject: Re: More Bootleg Games
PostPosted: Tue Aug 15, 2017 12:00 pm 
Offline

Joined: Sun Apr 13, 2008 11:12 am
Posts: 6303
Location: Seattle
nocash wrote:
The 74LS157 attached to the black blobs looks like patchwork. I wonder if they have customized the logic in the blobs for latching the ROM bank selection, or if they have just used the existing latch (for the bitswap value) from older blobs
I have to agree. There's a bunch of good inference that the left epoxy blob is actually multiple silicon dice underneath—the data bus connects to it twice.

That sticker (price tag?) on the back really doesn't help any. But it looks like A20-A23, D0-D7, /WR, /RESET, and /ROMSEL go into the blob, and 8 random other signals come out.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 18 posts ]  Go to page 1, 2  Next

All times are UTC - 7 hours


Who is online

Users browsing this forum: No registered users and 8 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group