Pokemon Red Fake
Page 1 of 1

Author:  skaman [ Sat Sep 17, 2016 2:49 pm ]
Post subject:  Pokemon Red Fake

I was going through my box of old broken GB carts and found this Chinese Pokemon Red clone. I got it in a lot with several carts and never did anything with it since it was clearly a fake. Since I had the cart out, I dumped the ROM to see what was in there. If anyone is interested in the file, get it here: [Removed:]




9723 F92


RCA H 615



Author:  lidnariq [ Sat Sep 17, 2016 3:07 pm ]
Post subject:  Re: Pokemon Red Fake

Contents of that file are very similar to the contents of GoodGB "Pokemon Red (UE) [S][!].sgb". Just 14 bytes were changed:
off  to  from  corresponding asm
0C1  F5  00    push af
0C2  3E  00    ld a,$00
0C4  EA  00    ld ($7000), a
0C6  70  00
0C7  3E  00    ld a,$a5
0C8  A5  00
0C9  EA  00    ld ($7000), a
0CB  70  00
0CC  F1  00    pop af
0CD  C3  00    jp $0150
0CE  50  00
0CF  01  00
103  C0  50    change reset vector
104  00  01
... so you should probably remove the link

The second (sanded off) ROM appears to be a 256KiB 'PROM, because of the mirroring across the last two quarters. (The official games just had the entire last quarter contain all 0s instead)
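
The two checks described in the post above (listing the bytes that differ from a reference image, and looking for identical quarters that indicate a smaller chip mirrored into a larger address space) can be scripted as follows. This is an added example, not code from the thread; the function names, the small constructed images, and the 0-based placement of the stub at 0x00C0 are assumptions made for illustration.

```python
# Added example (not from the thread); all sample data below is constructed.

def diff_runs(ref: bytes, dump: bytes, gap: int = 1):
    """Return (changed_count, runs); each run is (start, ref_bytes, dump_bytes).

    Changed bytes separated by at most `gap` unchanged bytes are merged, so a
    patch stub whose operand bytes happen to match still shows as one block.
    """
    if len(ref) != len(dump):
        raise ValueError("size mismatch: compare image sizes before bytes")
    changed = [i for i, (a, b) in enumerate(zip(ref, dump)) if a != b]
    runs, start, prev = [], None, None
    for i in changed:
        if start is not None and i - prev > gap + 1:
            runs.append((start, bytes(ref[start:prev + 1]), bytes(dump[start:prev + 1])))
            start = None
        if start is None:
            start = i
        prev = i
    if start is not None:
        runs.append((start, bytes(ref[start:prev + 1]), bytes(dump[start:prev + 1])))
    return len(changed), runs


def mirrored_quarters(image: bytes):
    """Return index pairs (i, j) of quarters of `image` with identical contents."""
    q = len(image) // 4
    parts = [image[k * q:(k + 1) * q] for k in range(4)]
    return [(i, j) for i in range(4) for j in range(i + 1, 4) if parts[i] == parts[j]]


# Constructed 512-byte stand-ins for the reference image and the clone dump.
# Offsets are 0-based file offsets; placing the stub at 0x00C0 is an assumption.
STUB = bytes.fromhex("F5 3E00 EA0070 3EA5 EA0070 F1 C35001")
REF = bytearray(0x200)
REF[0x100:0x104] = bytes.fromhex("00 C35001")   # nop; jp $0150
DUMP = bytearray(REF)
DUMP[0xC0:0xC0 + len(STUB)] = STUB              # push af ... jp $0150
DUMP[0x102:0x104] = bytes.fromhex("C000")       # entry jump now goes to $00C0

# Constructed chip image whose third and fourth quarters hold the same data.
CHIP = bytes(range(48)) + bytes(range(32, 48))

if __name__ == "__main__":
    count, runs = diff_runs(REF, DUMP)
    print(f"{count} bytes changed in {len(runs)} run(s)")
    for start, old, new in runs:
        print(f"  {start:04X}: {old.hex(' ')} -> {new.hex(' ')}")
    print("identical quarters:", mirrored_quarters(CHIP))
```

On a real pair of files, pass the two images read with `open(path, "rb").read()`; a short list of runs clustered near the entry point is the pattern the post describes.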

Author:  skaman [ Sat Sep 17, 2016 4:24 pm ]
Post subject:  Re: Pokemon Red Fake


Author:  calima [ Sun Sep 18, 2016 2:29 am ]
Post subject:  Re: Pokemon Red Fake

So, what is the effect of that change? Skipping the intro animation?

Author:  lidnariq [ Sun Sep 18, 2016 11:40 am ]
Post subject:  Re: Pokemon Red Fake


The board's so dense it's really hard to tell anything.

Let's assume for the moment that the sanded-off ROM is actually a 1 MiB 'PROM instead of a 256 KiB one, and the pirates pre-expanded the fixed bank. (In the absence of two 74'08s or 74'00s, this seems likely). So there's actually 1.5 MiB of storage.

There's a 74'574: that holds the bank. Plus a little; D6 and D7 are connected but clearly do something different. The 74'00 and 74'139 almost certainly decode some combination of address lines and the /WR strobe to make a single banking register...

Pokémon Red used the MBC3. The pirates clearly didn't include an RTC here.

Somehow they must have folded the 2 bits of RAM banking in with the 6 bits of ROM banking. But without any visible changes to the ROM as dumped, I have no idea how they did that. Maybe a re-dump that doesn't assume that $0000-$3FFF is fixed would cast light?

Author:  skaman [ Sun Sep 18, 2016 12:52 pm ]
Post subject:  Re: Pokemon Red Fake

I thought the cart was interesting because of the lack of the MBC.

Anything specific that I should try? I can modify my dumper code as needed.


Author:  lidnariq [ Sun Sep 18, 2016 1:56 pm ]
Post subject:  Re: Pokemon Red Fake

Try reading the entire $0000-$7FFF range for each bank?

If you're up for it, check what pins the 74'139 and 74'00 connect to. Part of one or the other has to select between the two ROMs... The rest has to do something with the banking register.

I "like" the DIP parts mounted SMD style on it.

Author:  skaman [ Sun Sep 18, 2016 6:17 pm ]
Post subject:  Re: Pokemon Red Fake

I did some continuity tests on the 2 chips. Hopefully it makes some sense. If anything looks wrong, then I can recheck it.
1  PIN1/2(00), PIN3(574), PIN3/13/15(139)
2  PIN1/2(00), PIN3(574), PIN3/13/15(139)
3  PIN3/4/13(00)
4  PIN3/4/13(00)
5  PIN5/8(00)
6  PIN22(29LV004)
7  GND
8  PIN5/8(00)
9  PIN9/10/12(00), PIN12(574), PIN37(29LV004)
10 PIN9/10/12(00), PIN12(574), PIN37(29LV004)
12 PIN9/10/12(00), PIN12(574), PIN37(29LV004)
13 PIN3/4/13(00)
14 VCC

1  PIN2(574)
2  PIN36(SANDED TSOP), PIN28(TC55257)
3  PIN1/2(00), PIN3(574), PIN3/13/15(139)
4  N/C
5  CAP
6  N/C
7  N/C
8  GND
9  PIN7(TC55257)
10 N/C
11 PIN1(574)
12 N/C
13 PIN1/2(00), PIN3(574), PIN3/13/15(139)
14 PIN2(574)
15 PIN1/2(00), PIN3(574), PIN3/13/15(139)
16 VCC

Author:  skaman [ Sun Sep 18, 2016 6:55 pm ]
Post subject:  Re: Pokemon Red Fake

I think the Sanded TSOP is simply another 29LV004 chip.

I looked at the two TSOPs more closely and they differ slightly. Maybe chips out of different batches/revisions? The dimensions are close but they don't appear to be exactly the same. The legs are slightly different between the chips. The circle that designates Pin 1 is also slightly larger and deeper on the Sanded TSOP.

I corrected the stamp on the Sanded TSOP to "Q D G F".

The cart appears to be able to be configured in either 2M, 4M or 8M based on markings on the PCB.

Unfortunately, my testing of the different chips appears to have corrupted the cart. I no longer get good data when I dump it. :(

Author:  lidnariq [ Sun Sep 18, 2016 6:56 pm ]
Post subject:  Re: Pokemon Red Fake


NAND#1: invert A15 (generate +ROMCE)
NAND#2: NAND2(/A15,/Q5)
NAND#3: invert Q5
NAND#4: NAND2(/A15,Q5)
→ Ok, the 74ALS00 is just the demultiplexer for the two ROM ICs. 29LV004 pin 37 is its /CE; the sanded ROM's pin 22 must be its.

demux1: select when A14 is LOW (pin 1) and A15 is LOW (pin 3,5) and ??? is high (pin 2,5)
demux2: select when A15 is LOW (pin 15) and A14 is HIGH (pin 14,11,9) and ... do something depending on whether A15 is HIGH or LOW ? that can't be right.

In hindsight, the bit where A14 and A15 connect to the '574 makes me Very Suspicious.

I don't recognize its manufacturer logo, either, but that doesn't really mean much.

Author:  nitro2k01 [ Mon Sep 19, 2016 1:01 am ]
Post subject:  Re: Pokemon Red Fake

I would have asked you to see if it responds to flash commands, like:
0x0555 <- 0xAA
0x0AAA <- 0x55
0x0555 <- 0x90
And then reading address 0000 and 0001 and see if you get a manufacturer and device id code, as a confirmation that this cart might be reusable as a flash cart. At least the chip with the markings intact looks like a flash chip based on the marking.

But after looking at the board, it seems that the /WR pin is pulled permanently high on the board, which means it can't see any writes. That's one of the pins in the fork-like constellation next to the word 8M, and the corresponding traces on the next chip. It seems those traces are also extended below the chip to the other side to provide Vcc. If you really wanted to risk it, you could still lift the relevant pins and try it, but you would likely risk destroying at least those pins of the chip. Though I guess if you do, you still have a functioning pirate Pokémon cart.

You can see the pinout in various datasheets of similar standard flash ROMs like Am29LV008B. The relevant pins to lift are WR# and RY/BY#. which you should connect to either /WR on the cart bus, or VIN on the cart. Second from the right. This is often used on flash carts to avoid letting the game access the flash chip for example for detection purposes. (When new games were still being released.) The other pin you're recommended to lift and just leave unconnected is RY/BY# which would go low during flash chip erase/write operations, which would short Vcc to ground, depending on the strength of the transistor used for that function. Not ideal.

Note: The chip is what is listed as standard TSOP in the datasheet of Am29LV008B, not reverse TSOP and the chip is placed "upside down" when looking at the board as in the pictures.
Note 2: /WR and WR# mean the same thing. They're just different notations for an active low signal.

All times are UTC - 7 hours