PostPosted: Wed Dec 10, 2014 8:26 am 
Blog spam!

http://blog.gg8.se/wordpress/2014/12/09 ... e-fighter/

tl;dr version: I gained access to the boot ROM of a Gameboy clone called Game fighter using a clock glitching method invented by BennVenn. (I've also done a teardown of the same unit.) Solder a wire to one side of the clock crystal and brush the other side of the wire against ground. This corrupts PC and/or other registers. Do this before the boot ROM shuts itself off and catch execution of the CPU, and you can access the ROM and dump it.

The interesting part is that the boot ROM checks for another logo apart from the Nintendo logo, but only half of that logo is present in the boot ROM. (The same is true for the Nintendo logo; it only checks half the logo.) It may say RIS or KIS or maybe K13 or R13. The bottom half of the logo is shown here. (Half the Nintendo logo is also visible because I just copied the half over the logo section of a ROM to be able to convert it to an image. It would of course never appear as it does in the image, in real life.) If anyone has a clue what the logo might be, it might give clues about who made this clone.

[Image: bottom half of the mystery logo, rendered by copying the 24 bytes over the logo section of a ROM]

The boot ROM is also attached to this post, and you can read my disassembly below.
Code:
        ld   sp,$FFFE           ;  0000  Set up the stack pointer.

        ; Clear VRAM.
        xor  a                  ;  0003
        ld   hl,$9FFF           ;  0004
Addr_0007:
        ldd  [hl],a             ;  0007
        bit  7,h                ;  0008
        jr   nz,Addr_0007       ;  000A

        ; Set up sound.
        ld   hl,$FF26           ;  000C
        ld   c,$11              ;  000F
        ld   a,$80              ;  0011
        ldd  [hl],a             ;  0013  [$FF26] = $80 Turn on sound

        ld   [$ff00+c],a        ;  0014  [$FF11] = $80 Channel 1 wave duty
        inc  c                  ;  0015
        ld   a,$F3              ;  0016
        ld   [$ff00+c],a        ;  0018  [$FF12] = $F3 Channel 1 envelope
        ldd  [hl],a             ;  0019  [$FF25] = $F3 Channel routing
        inc  c                  ;  001A
        ld   a,$C1              ;  001B
        ld   [$ff00+c],a        ;  001D  [$FF13] = $C1 Channel 1 low frequency byte
        ld   a,$77              ;  001E
        ld   [hl],a             ;  0020  [$FF24] = $77 Master volume
       
        ; Set up graphics.
        ld   a,$FC              ;  0021
        ldh  [$FF47],a          ;  0023  [$FF47] = $FC BG palette
        ld   a,$91              ;  0025
        ldh  [$FF40],a          ;  0027  [$FF40] = $91 Turn on LCD

        ; Compare the second half of the logo in the header against
        ; the second half of the Nintendo logo stored in the boot ROM.
        ld   de,Addr_0043       ;  0029
        call Addr_0073          ;  002C
        cp   a,$34              ;  002F  Will return $34 if successful.
        jr   nz,Addr_0036       ;  0031  If not, jump to a second compare operation.
        jp   Addr_00FC          ;  0033

        ; Compare the second half of the logo in the header against
        ; the second half of the mystery logo stored in the boot ROM.
Addr_0036:
        ld   de,Addr_005B       ;  0036
        call Addr_0073          ;  0039
        cp   a,$34              ;  003C  Will return $34 if successful.
Addr_003E:
        jr   nz,Addr_003E       ;  003E  If not, get stuck in an endless loop.
        jp   Addr_00FC          ;  0040

        ; Second half of the Nintendo logo, $18 bytes
Addr_0043:
        db   $DC, $CC, $6E, $E6, $DD, $DD, $D9, $99
        db   $BB, $BB, $67, $63, $6E, $0E, $EC, $CC
        db   $DD, $DC, $99, $9F, $BB, $B9, $33, $3E

        ; Second half of mysterious RIS or KIS logo, $18 bytes
Addr_005B:
        db   $00, $00, $00, $00, $76, $66, $C6, $31
        db   $00, $19, $66, $FF, $01, $88, $38, $C7
        db   $C6, $C8, $00, $00, $00, $00, $00, $00

        ; Subroutine: Compare the cartridge header's logo against
        ; a given memory location
Addr_0073:
        ld   hl,$011C           ;  0073  Start comparing halfway into the logo
Addr_0076:
        ld   a,[de]             ;  0076
        inc  de                 ;  0077
        cp   [hl]               ;  0078
        jr   nz,Addr_0082       ;  0079
        inc  hl                 ;  007B
        ld   a,l                ;  007C
        cp   a,$34              ;  007D  $xx34 = The first byte after the header logo
        jr   nz,Addr_0076       ;  007F
        ret                     ;  0081
Addr_0082:
        ld   a,$85              ;  0082  Compare failed!
        ret                     ;  0084

        ; $77 filler bytes
Addr_0085:
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff, $ff
        db   $ff, $ff, $ff, $ff, $ff, $ff, $ff

        ; Disable the boot ROM and hand over control to the game cartridge.
Addr_00FC:
        ld   a,$01              ;  00FC Write to the ROM disable register
        ldh  [$FF50],a          ;  00FE


Attachments:
GAMEFIGHTER_ROM.zip [308 Bytes]
Downloaded 83 times
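The logo check the disassembly walks through, re-implemented as an added Python example (not code from the post or from the boot ROM itself): the reference bytes come from Addr_0043 and Addr_005B above, while the function names and the constructed cartridge images are this example's own. It also shows the consequence of the half-logo check, namely that a header whose first 24 logo bytes are junk still passes.

```python
# Added example (not from the original post): a Python re-implementation of the
# logo check in the Game Fighter boot ROM disassembly above. Function names and
# the constructed cartridge images are this example's own.

# Second half of the Nintendo logo, from Addr_0043 in the disassembly.
NINTENDO_HALF = bytes([
    0xDC, 0xCC, 0x6E, 0xE6, 0xDD, 0xDD, 0xD9, 0x99,
    0xBB, 0xBB, 0x67, 0x63, 0x6E, 0x0E, 0xEC, 0xCC,
    0xDD, 0xDC, 0x99, 0x9F, 0xBB, 0xB9, 0x33, 0x3E,
])
# Second half of the unidentified "RIS/KIS" logo, from Addr_005B.
MYSTERY_HALF = bytes([
    0x00, 0x00, 0x00, 0x00, 0x76, 0x66, 0xC6, 0x31,
    0x00, 0x19, 0x66, 0xFF, 0x01, 0x88, 0x38, 0xC7,
    0xC6, 0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
])

HEADER_LOGO = 0x0104    # the header logo occupies $0104-$0133
LOGO_HALFWAY = 0x011C   # Addr_0073 starts comparing here
OK, FAIL = 0x34, 0x85   # return values of the compare subroutine

def compare_half_logo(rom: bytes, reference: bytes) -> int:
    """Mirror Addr_0073: hl walks the header from $011C, de walks the reference.
    The loop ends when the low byte of hl reaches $34, not on the reference length."""
    hl, de = LOGO_HALFWAY, 0
    while True:
        if reference[de] != rom[hl]:
            return FAIL
        hl, de = hl + 1, de + 1
        if (hl & 0xFF) == 0x34:
            return OK

def boot_outcome(rom: bytes) -> str:
    """Mirror Addr_0029..Addr_0040: which stored half lets the cartridge boot, or none."""
    if compare_half_logo(rom, NINTENDO_HALF) == OK:
        return "boots (Nintendo half matched)"
    if compare_half_logo(rom, MYSTERY_HALF) == OK:
        return "boots (mystery half matched)"
    return "hangs at Addr_003E"

def make_rom(first_half: bytes, second_half: bytes) -> bytearray:
    """Constructed 512-byte cartridge image with only the header logo filled in."""
    rom = bytearray(0x200)
    rom[HEADER_LOGO:HEADER_LOGO + 24] = first_half
    rom[LOGO_HALFWAY:LOGO_HALFWAY + 24] = second_half
    return rom

# Constructed sample: the first half is junk, yet the clone boots it because
# only bytes $011C-$0133 are ever compared.
JUNK_FIRST_HALF = bytes(range(24))
```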
PostPosted: Thu Dec 11, 2014 9:44 am 
That's such a neat clone! I've hoped I could find one for a long time and swap out the CPU with a proper DMG one. It would be a great LSDJ machine with that shape to it.


PostPosted: Thu Dec 11, 2014 9:57 am 
mikejmoffitt wrote:
That's such a neat clone! I've hoped I could find one for a long time and swap out the CPU with a proper DMG one. It would be a great LSDJ machine with that shape to it.

You mean to put a DMG CPU in this thing? No point. I've found the CPU to be functionally equivalent apart from the boot ROM so far. Which is an advantage since it boots instantly. I'd much sooner put a proper voltage regulator and audio amplifier in it (or prosound it). The thing is powered directly by the batteries, and the audio amplifier is discrete and complete crap (pretty much clips one side of the waveform). However, I don't really like the feel of the D-pad and select/start group of the GF.


PostPosted: Fri Dec 12, 2014 9:34 am 
nitro2k01 wrote:
mikejmoffitt wrote:
That's such a neat clone! I've hoped I could find one for a long time and swap out the CPU with a proper DMG one. It would be a great LSDJ machine with that shape to it.

You mean to put a DMG CPU in this thing? No point. I've found the CPU to be functionally equivalent apart from the boot ROM so far. Which is an advantage since it boots instantly. I'd much sooner put a proper voltage regulator and audio amplifier in it (or prosound it). The thing is powered directly by the batteries, and the audio amplifier is discrete and complete crap (pretty much clips one side of the waveform). However, I don't really like the feel of the D-pad and select/start group of the GF.

I thought one of your earlier tests revealed a minor graphical problem, something to do with timing for writes during a scanline.

Does it output actual 2bpp greyscale, and the LCD controller does the flicker-greyscale, or does it output a different signal?

You might be able to swap out D-pad parts with a DMG.


PostPosted: Fri Dec 12, 2014 2:02 pm 
mikejmoffitt wrote:
I thought one of your earlier tests revealed a minor graphical problem, something to do with timing for writes during a scanline.

Does it output actual 2bpp greyscale, and the LCD controller does the flicker-greyscale, or does it output a different signal?

You might be able to swap out D-pad parts with a DMG.
The problem was regarding palette changes during the drawing of a scanline. This caused problems in Prehistorik Man and an artificial test ROM, only so far. Likely because the added circuitry triggers on the positive edge of the pixel clock instead of the negative or vice versa. I would expect the data coming out of the CPU to be identical to that coming out of a DMG, and that the mess-up happens later, but that remains to be confirmed.

And no, DMG parts don't fit. The reason is that the distance to the PCB is a few mm longer than on a DMG, and so are the buttons and the guides for the buttons. DMG buttons would otherwise fit if the case was modded, but I don't want to destroy a unique piece like this. Maybe I should try to hunt down another one, and completely redesign the internals of one of them. :p

