
Re: Pirate Kid Dracula reverse engineering

Posted: Thu Dec 29, 2016 2:47 pm
by Fisher
I'm dumping using Uniflash and a compact flash in an IDE adaptor.
The CF makes it easy to upload stuff.
I can do anything that's necessary to RE this.
It can be faster if I don't need to modify the hardware.

If I remember correctly, Uniflash's source was released some time ago.
It is written in Pascal, if I remember well.
Maybe this can be useful. Can it?

Re: Pirate Kid Dracula reverse engineering

Posted: Thu Dec 29, 2016 3:35 pm
by lidnariq
Hm, I found it: http://www.rainbow-software.org/uniflash/
but I never learned Pascal and don't yet have a copy of Turbo Pascal on hand...

Let's see if I can summarize what things I believe are true with the new data:
* Pins 12, 13, 15, 19 are known exactly
* Pins 17 and 18 are "latched value of D1 and D0 on writes to $8004"
* Pin 16 seems to be "become high on write to $C008; become low on write to $C00C; otherwise retain state"
* Pin 14 (/IRQ) seems to be "become high on write to $C004 or $C00C; become low when ((Cnt&86)==86); otherwise retain state"

So I think we can describe exactly what's going on now?
Mask: $C00C
- Writes to $8000, $8008, $800C, $C000: ignored
- Writes to $8004: same as last time
- Writes to $C004: Acknowledge IRQ
- Writes to $C008: Allow counter to run
- Writes to $C00C: Acknowledge IRQ and hold counter at 0
Counter counts PPU A13 falling edges; after 86 (two scanlines) it automatically zeroes its counter and asserts /IRQ.

This style of IRQ means that the program could explicitly choose an X coordinate (within 8 pixel granularity) where to get IRQs by clocking it a few times in vblank (ldx #$FF / stx $2006 / stx $2006 / bit $2007) before rendering starts. There should be no X drift due to IRQ latency.


Does this sound right to the other people looking?

Re: Pirate Kid Dracula reverse engineering

Posted: Fri Dec 30, 2016 2:41 am
by Fisher
Great guys!!
Seems to be almost finished.
Just let me know when I can put this thing back together (when no more tests/dumps are needed).
I hope that zxbdragon finally can figure out the inner workings of this pirate cartridge.
It's really nice to help.

Re: Pirate Kid Dracula reverse engineering

Posted: Fri Dec 30, 2016 2:45 am
by zxbdragon
Thank you! But I have not solved this IRQ. I'll wait for JOE!

Re: Pirate Kid Dracula reverse engineering

Posted: Fri Dec 30, 2016 3:54 am
by Joe
zxbdragon wrote:I'll wait for JOE!
I'll take a look on Monday and write the mapper doc if we've got everything figured out. (I'm on vacation this weekend.)

Re: Pirate Kid Dracula reverse engineering

Posted: Mon Jan 02, 2017 8:11 pm
by Joe
I didn't see anything that disagreed with lidnariq, so here's the mapper doc in Disch's style.


========================
=  Mapper "18-72"      =
========================


Example Games:
--------------------------
Akumajou Special: Boku Dracula-kun (pirate version)


Notes:
--------------------------
This mapper is another pirate VRC2b, this time with IRQs and VRC4-style
mirroring.

A mapper number hasn't been assigned to this particular board yet.


Registers:
---------------------------
There are two sets of registers: the VRC2 registers, and the Extra registers.
Writes will affect both sets of registers!


VRC2 registers range, mask: $8000-$FFFF, $F003

$8000-$8003:  [...P PPPP]   Same as VRC2b (PRG select 0)
$9000-$9003:  [.... ...M]   VRC2 mirroring control (see extra registers)
                       |
                       +- 0: vertical (A10); 1: horizontal (A11)

$A000-$A003:  [...P PPPP]   Same as VRC2b (PRG select 1)
$B000-$E003:  [.... CCCC]   Same as VRC2b (CHR select)



Extra registers range, mask: $8000-$FFFF, $C00C

$8004:        [.... ..XX]   Extended mirroring control
                      ||
                      ++- Extended mirroring control
                           0x: Let VRC2 control mirroring
                           10: one-screen, lower bank (overrides VRC2)
                           11: one-screen, upper bank (overrides VRC2)

$C004:        [.... ....]   Acknowledge IRQ
$C008:        [.... ....]   Start IRQ counter
$C00C:        [.... ....]   Acknowledge IRQ and hold IRQ counter at 0


Mirroring behavior:
---------------------------
Games will write to $9004 to affect both the VRC2 mirroring register ($9000)
and the Extra mirroring register ($8004) at the same time. The result is like
VRC4 mirroring:

$9004 [.... ..MM]   Combined VRC2 and Extra mirroring control
              ||
              ++- VRC4 mirroring
                   00: Vertical
                   01: Horizontal
                   10: One-screen, lower bank
                   11: One-screen, upper bank

The VRC2 will remember the last setting written to it, even if the Extra
mirroring control is overriding it.


IRQ behavior:
---------------------------
The IRQ counter counts falling edges of PPU A13. The IRQ is asserted every time
the counter reaches 86. When the counter reaches 86, it's automatically reset
to 0. This results in one IRQ every two scanlines, as long as the counter is
running. Writing to Extra register $C004 or $C00C will acknowledge the IRQ.
Writing to Extra register $C00C will hold the counter at 0, and writing to
Extra register $C008 will allow the counter to resume.

Games will typically write to addresses like $F004/$F008/$F00C to control the
IRQ without affecting the VRC2's registers.
Let me know if you have any questions or spot any mistakes.
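
Added example (not part of Joe's post and not taken from any emulator's source): a small C model of the Extra registers and IRQ counter as described in the doc above and in lidnariq's summary. The struct and function names are this example's own, the zeroed power-on state is an assumption, and the VRC2 PRG/CHR bank registers are left out.

```c
#include <stdint.h>
#include <stdbool.h>

enum mirroring { MIRROR_VERTICAL, MIRROR_HORIZONTAL,
                 MIRROR_ONE_LOWER, MIRROR_ONE_UPPER };

/* Power-on state is not described in the thread; zero-init (counter held,
   no IRQ pending) is an assumption of this example. */
struct extra_regs {
    uint8_t vrc2_mirror;  /* bit 0 of the last write to $9000-$9003       */
    uint8_t ext_mirror;   /* D1..D0 latched by writes decoding to $8004   */
    uint8_t counter;      /* PPU A13 falling edges since the last wrap    */
    bool    running;      /* set by $C008, cleared by $C00C               */
    bool    irq;          /* true while /IRQ is asserted                  */
};

/* CPU write in $8000-$FFFF. Both decoders see every write. */
void cpu_write(struct extra_regs *m, uint16_t addr, uint8_t data)
{
    if (addr < 0x8000) return;
    if ((addr & 0xF000) == 0x9000)        /* VRC2 side: $9000-$9003 */
        m->vrc2_mirror = data & 1;
    switch (addr & 0xC00C) {              /* Extra side: mask $C00C */
    case 0x8004: m->ext_mirror = data & 3; break;
    case 0xC004: m->irq = false; break;
    case 0xC008: m->running = true; break;
    case 0xC00C: m->irq = false; m->running = false; m->counter = 0; break;
    default: break;                       /* $8000, $8008, $800C, $C000 */
    }
}

/* Call once per falling edge of PPU A13; returns the /IRQ state. */
bool ppu_a13_fall(struct extra_regs *m)
{
    if (m->running && ++m->counter == 86) {
        m->counter = 0;                   /* wraps by itself, keeps running */
        m->irq = true;
    }
    return m->irq;
}

/* Extra bits 1x override the VRC2 setting; the VRC2 bit is still kept. */
enum mirroring current_mirroring(const struct extra_regs *m)
{
    if (m->ext_mirror & 2)
        return (m->ext_mirror & 1) ? MIRROR_ONE_UPPER : MIRROR_ONE_LOWER;
    return m->vrc2_mirror ? MIRROR_HORIZONTAL : MIRROR_VERTICAL;
}
```

A write to $9004 lands in both decoders, which is how the model reproduces the combined VRC4-style table, while $F004/$F008/$F00C only reach the Extra side.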

Re: Pirate Kid Dracula reverse engineering

Posted: Mon Jan 02, 2017 9:39 pm
by zxbdragon
Joe wrote:I didn't see anything that disagreed with lidnariq, so here's the mapper doc in Disch's style.

Let me know if you have any questions or spot any mistakes.
Thank you! I'll try.
It's better if we have FCEUX code.

Re: Pirate Kid Dracula reverse engineering

Posted: Tue Jan 03, 2017 12:12 am
by zxbdragon
Try to fail

c008
counter = data?

clock
is
    counter++;
    if (counter >= 86)
    {
        counter = 0;
        return true;
    }
?

Re: Pirate Kid Dracula reverse engineering

Posted: Tue Jan 03, 2017 1:02 am
by lidnariq
zxbdragon wrote:c008
counter = data?
No—there's no way for the data to get into the counter
counter++;
if(counter >=86)
{
counter=0;
return true;
}?
That does look like what I think FCEUX IRQs do. How are you getting a callback on every falling edge of PPU A13?

If there's no way for that, you might be able to fake this with a normal FCEUX IRQ that fires every other scanline, but I don't know if that'll work.
Joe wrote:Mapper "18-72"
I might tentatively use the label on the mask ROMs, "NCN-18"

Re: Pirate Kid Dracula reverse engineering

Posted: Tue Jan 03, 2017 5:55 am
by zxbdragon
lidnariq wrote:
zxbdragon wrote:c008
counter = data?
No—there's no way for the data to get into the counter
counter++;
if(counter >=86)
{
counter=0;
return true;
}?
That does look like what I think FCEUX IRQs do. How are you getting a callback on every falling edge of PPU A13?

If there's no way for that, you might be able to fake this with a normal FCEUX IRQ that fires every other scanline, but I don't know if that'll work.
Joe wrote:Mapper "18-72"
I might tentatively use the label on the mask ROMs, "NCN-18"
I can't solve

Re: Pirate Kid Dracula reverse engineering

Posted: Tue Jan 03, 2017 12:20 pm
by lidnariq
Yeah, I suspect that FCEUX doesn't give you the tools necessary to implement this mapper.

Re: Pirate Kid Dracula reverse engineering

Posted: Tue Jan 03, 2017 2:26 pm
by Fisher
Well, looks like the hardware was all figured out.
I think my small participation is over.
Should I reassemble the cartridge?

Re: Pirate Kid Dracula reverse engineering

Posted: Tue Jan 03, 2017 3:06 pm
by lidnariq
I think we're set, and you should feel free.

Re: Pirate Kid Dracula reverse engineering

Posted: Tue Jan 03, 2017 5:16 pm
by Fisher
Cool.
I'm really glad I could help.

Re: Pirate Kid Dracula reverse engineering

Posted: Tue Jan 03, 2017 8:02 pm
by zxbdragon
Who is it done?