It is currently Sat May 27, 2017 1:08 am

All times are UTC - 7 hours





Post new topic Reply to topic  [ 11 posts ] 
Author Message
 Post subject: Pokemon Red Fake
PostPosted: Sat Sep 17, 2016 2:49 pm 
Offline

Joined: Fri Oct 24, 2014 1:56 am
Posts: 69
I was going through my box of old broken GB carts and found this Chinese Pokemon Red clone. I got it in a lot with several carts and never did anything with it since it was clearly a fake. Since I had the cart out, I dumped the ROM to see what was in there. If anyone is interested in the file, get it here: [Removed: Pokemon_Red_Fake.zip]

Image

Code:
PCB
KT-187
1999.11.23

CHIPS
28 PIN TSOP
TOSHIBA TC55257DFTL-85V
JAPAN 9626HAK

40 PIN TSOP
FUJITSU MALAYSIA
29LV004T-12PTN
9723 F92

40 PIN TSOP
MARKS SANDED OFF
SMALL STAMP "Q D G F"

16 PIN DIP
CD74HCT139E
RCA H 615

14 PIN SOIC
TI ALS00A
19KD

20 PIN DIP
JAPAN 9535H
74HC574AP


Last edited by skaman on Mon Sep 19, 2016 12:52 am, edited 2 times in total.

Top
 Profile  
 
 Post subject: Re: Pokemon Red Fake
PostPosted: Sat Sep 17, 2016 3:07 pm 
Offline

Joined: Sun Apr 13, 2008 11:12 am
Posts: 5697
Location: Seattle
Contents of that file are very similar to the contents of GoodGB "Pokemon Red (UE) [S][!].sgb". Just 14 bytes were changed:
Code:
off to from correspondingasm
0C1 F5 00 push af
0C2 3E 00 ld a,$00
0C4 EA 00 ld ($7000), a
0C6 70 00
0C7 3E 00 ld a,$a5
0C8 A5 00
0C9 EA 00 ld ($7000), a
0CB 70 00
0CC F1 00 pop af
0CD C3 00 jp $0150
0CE 50 00
0CF 01 00
103 C0 50 change reset vector
104 00 01
... so you should probably remove the link

The second (sanded off) ROM appears to be a 256KiB 'PROM, because of the mirroring across the last two quarters. (The official games just had the entire last quarter contain all 0s instead)


Top
 Profile  
 
 Post subject: Re: Pokemon Red Fake
PostPosted: Sat Sep 17, 2016 4:24 pm 
Offline

Joined: Fri Oct 24, 2014 1:56 am
Posts: 69
Image
Image


Top
 Profile  
 
 Post subject: Re: Pokemon Red Fake
PostPosted: Sun Sep 18, 2016 2:29 am 
Offline

Joined: Tue Oct 06, 2015 10:16 am
Posts: 412
So, what is the effect of that change? Skipping the intro animation?


Top
 Profile  
 
 Post subject: Re: Pokemon Red Fake
PostPosted: Sun Sep 18, 2016 11:40 am 
Offline

Joined: Sun Apr 13, 2008 11:12 am
Posts: 5697
Location: Seattle
Doubtful.

The board's so dense it's really hard to tell anything.

Let's assume for the moment that the sanded-off ROM is actually a 1 MiB 'PROM instead of a 256 KiB one, and the pirates pre-expanded the fixed bank. (In the absence of two 74'08s or 74'00s, this seems likely). So there's actually 1.5 MiB of storage.

There's a 74'574: that holds the bank. Plus a little; D6 and D7 are connected but clearly do something different. The 74'00 and 74'139 almost certainly decode some combination of address lines and the /WR strobe to make a single banking register...

Pokémon Red used the MBC3. The pirates clearly didn't include an RTC here.

Somehow they must have folded the 2 bits of RAM banking in with the 6 bits of ROM banking. But without any visible changes to the ROM as dumped, I have no idea how they did that. Maybe a re-dump that doesn't assume that $0000-$3FFF is fixed would cast light?


Top
 Profile  
 
 Post subject: Re: Pokemon Red Fake
PostPosted: Sun Sep 18, 2016 12:52 pm 
Offline

Joined: Fri Oct 24, 2014 1:56 am
Posts: 69
I thought the cart was interesting because of the lack of the MBC.

Anything specific that I should try? I can modify my dumper code as needed.

:)


Top
 Profile  
 
 Post subject: Re: Pokemon Red Fake
PostPosted: Sun Sep 18, 2016 1:56 pm 
Offline

Joined: Sun Apr 13, 2008 11:12 am
Posts: 5697
Location: Seattle
Try reading the entire $0000-$7FFF range for each bank?

If you're up for it, check what pins the 74'139 and 74'00 connect to. Part of one or the other has to select between the two ROMs... The rest has to do something with the banking register.

I "like" the DIP parts mounted SMD style on it.


Top
 Profile  
 
 Post subject: Re: Pokemon Red Fake
PostPosted: Sun Sep 18, 2016 6:17 pm 
Offline

Joined: Fri Oct 24, 2014 1:56 am
Posts: 69
I did some continuity tests on the 2 chips. Hopefully it makes some sense. If anything looks wrong, then I can recheck it.
Code:
ALS00A
1  PIN1/2(00), PIN3(574), PIN3/13/15(139)
2  PIN1/2(00), PIN3(574), PIN3/13/15(139)
3  PIN3/4/13(00)
4  PIN3/4/13(00)
5  PIN5/8(00)
6  PIN22(29LV004)
7  GND
8  PIN5/8(00)
9  PIN9/10/12(00), PIN12(574), PIN37(29LV004)
10 PIN9/10/12(00), PIN12(574), PIN37(29LV004)
11 PIN22(SANDED TSOP)
12 PIN9/10/12(00), PIN12(574), PIN37(29LV004)
13 PIN3/4/13(00)
14 VCC

CD74HCT139E
1  PIN2(574)
2  PIN36(SANDED TSOP), PIN28(TC55257)
3  PIN1/2(00), PIN3(574), PIN3/13/15(139)
4  N/C
5  CAP
6  N/C
7  N/C
8  GND
9  PIN7(TC55257)
10 N/C
11 PIN1(574)
12 N/C
13 PIN1/2(00), PIN3(574), PIN3/13/15(139)
14 PIN2(574)
15 PIN1/2(00), PIN3(574), PIN3/13/15(139)
16 VCC


Top
 Profile  
 
 Post subject: Re: Pokemon Red Fake
PostPosted: Sun Sep 18, 2016 6:55 pm 
Offline

Joined: Fri Oct 24, 2014 1:56 am
Posts: 69
I think the Sanded TSOP is simply another 29LV004 chip.

I looked at the two TSOPs more closely and they differ slightly. Maybe chips out of different batches/revisions? The dimensions are close but they don't appear to be exactly the same. The legs are slightly different between the chips. The circle that designates Pin 1 is also slightly larger and deeper on the Sanded TSOP.

I corrected the stamp on the Sanded TSOP to "Q D G F".

The cart appears to be able to be configured in either 2M, 4M or 8M based on markings on the PCB.

Unfortunately, my testing of the different chips appears to have corrupted the cart. I no longer get good data when I dump it. :(


Last edited by skaman on Mon Sep 19, 2016 1:39 am, edited 1 time in total.

Top
 Profile  
 
 Post subject: Re: Pokemon Red Fake
PostPosted: Sun Sep 18, 2016 6:56 pm 
Offline

Joined: Sun Apr 13, 2008 11:12 am
Posts: 5697
Location: Seattle
Hmmm..

74ALS00
NAND#1: invert A15 (generate +ROMCE)
NAND#2: NAND2(/A15,/Q5)
NAND#3: invert Q5
NAND#4: NAND2(/A15,Q5)
→ Ok, the 74ALS00 is just the demultiplexer for the two ROM ICs. 29LV004 pin 37 is its /CE; the sanded ROM's pin 22 must be its.

74HCT139
demux1: select when A14 is LOW (pin 1) and A15 is LOW (pin 3,5) and ??? is high (pin 2,5)
demux2: select when A15 is LOW (pin 15) and A14 is HIGH (pin 14,11,9) and ... do something depending on whether A15 is HIGH or LOW ? that can't be right.

In hindsight, the bit where A14 and A15 connect to the '574 make me Very Suspicious.

I don't recognize its manufacturer logo, either, but that doesn't really mean much.


Top
 Profile  
 
 Post subject: Re: Pokemon Red Fake
PostPosted: Mon Sep 19, 2016 1:01 am 
Offline

Joined: Sat Aug 28, 2010 9:01 am
Posts: 159
I would have asked you to see if it responds to flash commands, like:
0x0555 <- 0xAA
0x0AAA <- 0x55
0x0555 <- 0x90
And then reading address 0000 and 0001 and see if you get a manufacturer and device id code, as a confirmation that this cart might be reusable as a flash cart. At least the chip with the markings intact looks like a flash chip based on the marking.

But after looking at the board, it seems that the /WR pin is pulled permanently high on the board, which means it can't see any writes. That's one of the pins in the fork like constellation next to the word 8M, and the corresponding traces on the next chip. It seems those traces are also extended below the chip to the other side to provide Vcc. If you really wanted to risk it, you could still lift the relevant pins and try it, but you would likely risk destroying at least those pins of the chip. Though I guess if you do, you still have a functioning pirate Pokémon cart.

You can see the pinout in various datasheets of similar standard flash ROMs like Am29LV008B. The relevant pins to lift are WR# and RY/BY#. which you should connect to either /WR on the cart bus, or VIN on the cart. Second from the right. This is often used on flash carts to avoid letting the game access the flash chip for example for detection purposes. (When new games were still being released.) The other pin you're recommended to lift and just leave unconnected is RY/BY# which would go low during flash chip erase/write operations, which would short Vcc to ground, depending on the strength of the transistor used for that function. Not ideal.

Note: The chip is what is listed as standard TSOP in the datasheet of Am29LV008B, not reverse TSOP and the chip is placed "upside down" when looking at the board as in the pictures.
Note 2: /WR and WR# mean the same thing. They just different notations for an active low signal.

_________________
Gameboy Genius (Blog) - Gameboy development forum (+wiki and file area)


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 11 posts ] 

All times are UTC - 7 hours


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group