MMC5 Hacking Adventures


krzysiobal
Posts: 764
Joined: Sun Jun 12, 2011 12:06 pm
Location: Poland

Re: MMC5 Hacking Adventures

Post by krzysiobal » Wed Dec 19, 2018 5:28 am

My MMC5 cartridges finally arrived (my mistake - I ordered Suikoden instead of Empereur). But the seller has 3 of them, so I ordered all for tests. Unfortunately, all of them contain MMC5 (not MMC5A).

Strange thing is that none of them has registers at $5207, $5208, $5209, $520A ($5208 always returns $FF - probably open bus - and it does not react to writes to $5207). There is also no M2 clock timer at $5209-$520A (they return $FF too). I even cut the CL3 jumper on one of them and it did not change anything.

I briefly analyzed my and botgod's database and it looks like MMC5 is newer and they started releasing it between 9129-9136 and Just Breed is the game which should contain it with highest probability.

8950AA089  MMC5  Suikoden: Tenmei no Chikai
8950AA105  MMC5  Suikoden: Tenmei no Chikai
8950AA108  MMC5  Nobunaga no Yabou: Sengoku Gunyuuden
9005AA048  MMC5  Uchuu Keibitai SDF
9006AA020  MMC5  Castlevania III: Dracula's Curse (USA)
9006AA029  MMC5  Bandit Kings of Ancient China
9008AA090  MMC5  Castlevania III: Dracula's Curse (USA)
9009AA046  MMC5  Suikoden: Tenmei no Chikai
9010AA017  MMC5  Suikoden: Tenmei no Chikai
9011AA045  MMC5  Sangokushi II
9026AA013  MMC5  Castlevania III: Dracula's Curse (USA)
9027AA024  MMC5  Ishin no Arashi
9032AA002  MMC5  Sangokushi II
9037AA033  MMC5  Sangokushi II
9042AA019  MMC5  Gunsight
9042AA025  MMC5  Nobunaga's Ambition II
9043AA001  MMC5  Daikoukai Jidai
9045AA018  MMC5  Castlevania III: Dracula's Curse (USA)
9046AA026  MMC5  Sangokushi II
9107AA013  MMC5  Romance of the Three Kingdoms II
9107AA024  MMC5  Romance of the Three Kingdoms II
9113AA024  MMC5  Shin 4 Nin Uchi Mahjong: Yakuman Tengoku
9114AA048  MMC5  L'Empereur (JPN)
9116AA003  MMC5  Laser Invasion
9117AA017  MMC5  Shin 4 Nin Uchi Mahjong: Yakuman Tengoku
9122AA019  MMC5  L'Empereur (USA)
9122AA020  MMC5  Nobunaga no Yabou: Bushou Fuuunroku
9122AA042  MMC5  Just Breed
9123AA002  MMC5  Castlevania III: Dracula's Curse (FRG)
9123AA012  MMC5  Castlevania III: Dracula's Curse (SCN)
9123AA043  MMC5  Gemfire
9126AA004  MMC5  Castlevania III: Dracula's Curse (SCN)
9126AA012  MMC5  Castlevania III: Dracula's Curse (SCN)
9126AA023  MMC5  Royal Blood
9128AA012  MMC5  Metal Slader Glory
9128AA013  MMC5  Uncharted Waters
9136BA026  MMC5A Just Breed
91378A013  MMC5A Just Breed
9141BA014  MMC5A Aoki Ookami to Shiroki Mejika: Genchou Hishi 
9141BA020  MMC5A Just Breed

Ben Boldt
Posts: 593
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Re: MMC5 Hacking Adventures

Post by Ben Boldt » Wed Dec 19, 2018 1:34 pm

Oh very interesting, no wonder why these registers were missing in our original understanding of MMC5. You have motivated me to take a MMC5 letterless and put it on a breakout board and retry some of my old tests. It will take me some time to complete that; 100 wires takes a while... And probably delayed by the holidays but I will make it so I can swap my test setup between 5 and 5A easily. Especially I want to rerun my writable registers test.

It kind of begs the question - what do the CL3/SL3 pins do in MMC5 if not controlled by $5207/8?? Maybe they have a different function in this revision that makes sense to jumper them together.

I also want to revisit the scanline detection diagram with MMC5 letterless and confirm if it is the same or different. Thanks for opening the door to lots of new things to try krzysiobal!

Edit:
Now I also wonder about the PRG-RAM address bits you found in MMC5A, if they exist in MMC5.

Ben Boldt
Posts: 593
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Re: MMC5 Hacking Adventures

Post by Ben Boldt » Thu Dec 20, 2018 3:11 pm

After thinking a little more about this, I realized that the current spike write test only needs 25ish connections:

CPU D0-D7
CPU A0-A14
/ROMSEL
M2
Current probing / caps

So I put that together today and I tested the current spike when writing to each of these addresses:
$5000 - $5300 (each and every address in this range for MMC5, )
$5400, 5500, 5600, 5700
$57FF, 5800, 5801, 5802
$5BFF, 5C00, 5C01

MMC5 versus MMC5A, I confirmed that MMC5 is not reacting to writes to $5207, 5208, 5209, and 520A. Also, it is not showing any reaction to writes in range $5800-5BFF.

Here is the data I recorded from MMC5 letterless, marking 9048AA033. I failed once again to inspect for any markings on the bottom of the chip while it was removed... My MMC5A has marking 9136BA033.

Addr    MMC5    MMC5A
5000    9.44    8.56
5002    9.4     8.48
5003    12.12   12.36
5004    9.24    8.4
5006    9.16    8.4
5007    15.9    11.6
5010    8.84    7.96
5011    9.24    8.56
5015    8.56    7.76
5100    8.52    7.84
5101    8.36    7.64
5102    8.56    7.76
5103    8.56    7.8
5104    8.44    7.88
5105    8.44    8.12
5106    8.8     8
5107    8.52    7.64
5113    8.44    8
5114    8.44    8.08
5115    8.44    8.12
5116    8.56    8.04
5117    8.68    8.84
5120    8.96    8.68
5121    9.04    8.76
5122    9       8.68
5123    9       8.68
5124    9       8.68
5125    9.08    8.68
5126    8.96    8.64
5127    9.12    8.96
5128    8.84    8.52
5129    8.92    8.56
512A    8.88    8.4
512B    9.16    8.68
5130    8.52    8
5200    9.2     8.8
5201    8.88    8.32
5202    8.88    8.32
5203    8.68    8.12
5204    8.44    7.8
5205    8.8     8.24
5206    8.8     8.28
5207    7.8     8.68
5208    7.8     7.88
5209    7.8     11.2
520A    7.8     9.36
520B    7.8     7.2

I reran the test on both MMC5 and MMC5A because I made the test slightly different than before. In this test, I only write the value $00 -- I am no longer alternating between $00 and $FF writes. I am still toggling between writes to an invalid register and the register being tested, except now the invalid register is the same as the register being tested, just with /ROMSEL inverted. Because the quantity of 1s vs 0s on the CPU address bus slightly affects the current drawn by the MMC5, this method helps keep things balanced and therefore easier to tell at a glance on the scope when the current spike got bigger or not.

In the table, MMC5 valid register spike is > 7.8, MMC5A valid register spike is > 7.2. All values should be considered relative to 7.8 or 7.2 respectively.


Edit:
I confirmed that PRG RAM A15 and A16 ARE functioning as prescribed on MMC5 letterless. ;)


Edit 2:
The MMC5 DAC voltage still holds true to the MMC5A equation found earlier:
Voltage = [(DAC value / 255) * (0.4 * AVcc)] + (0.1 * AVcc)
mmc5_letterless_dac_characteristic.png

Edit 3:
Nintendo HVC-ETROM-02 board beneath the MMC5 chip:
ETROM Board Beneath MMC5 Chip.jpg

Edit 4:
I have been reviewing this data tonight, and I found some interesting things when graphing it.
comparing writes.png
In this picture, I offset the values of the MMC5 to place them on top of MMC5A, making visual correlations easier. The first 2 items boxed correspond to $5003 and $5007. It seems they may have fixed something or took away something from $5007 (pulse 2 length counter load / timer high bits). In fact, I did have to change the vertical scale on my scope to make that measurement with the MMC5. It is not a typo. Bear in mind, the way I took these measurements, I had my microcontroller repeatedly write $00 to the register and measured with the scope running in real time. The way I did this was I modified my periodic idle read from address $0000 in the micro. Instead of reading, it does the write sequence. Because there is nothing else going on and I used a timer interrupt, the timing is extremely accurate and retriggers my scope very stably. Sorry for that tangent, but I thought I ought to explain how that way high point in the graph is real, and that this data is stable and repeatable.

Moving on to the 3rd box, this one corresponds to $5117, the ROM-only PRG bank. In MMC5, the PRG bank registers ($5113,4,5,6,7) all take relatively the same amount of current. In MMC5A, writing to $5117 has a larger effect than the others. This leads me to think that we should investigate CL3/SL3 in output 0 mode versus $5117 value when CPU address is reading from the range covered by bank $5117. Also to experiment with bit 7 in $5117 vs. CL3/SL3.

And the 4th box shows the now known-missing registers $5207,8,9,A.
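
Added example, not part of the post above: a short Python script that applies the stated baselines (7.8 for MMC5, 7.2 for MMC5A) to a subset of the recorded table and lists which registers react on only one revision and where the baseline-corrected spikes disagree. The function names and the 0.5 disagreement cut-off are assumptions made for this illustration.

```python
# Rows copied from the table in the post above (subset): addr, MMC5, MMC5A.
TABLE = """\
5003 12.12 12.36
5007 15.9 11.6
5113 8.44 8
5114 8.44 8.08
5115 8.44 8.12
5116 8.56 8.04
5117 8.68 8.84
5206 8.8 8.28
5207 7.8 8.68
5208 7.8 7.88
5209 7.8 11.2
520A 7.8 9.36
520B 7.8 7.2
"""
BASELINE = {"MMC5": 7.8, "MMC5A": 7.2}  # no-reaction level given in the post
OUTLIER = 0.5  # assumed cut-off for "revisions disagree"; not from the post


def parse(text):
    """Return {addr: {chip: spike minus that chip's baseline}}."""
    rows = {}
    for line in text.splitlines():
        addr, mmc5, mmc5a = line.split()
        rows[int(addr, 16)] = {
            "MMC5": float(mmc5) - BASELINE["MMC5"],
            "MMC5A": float(mmc5a) - BASELINE["MMC5A"],
        }
    return rows


def reacts(rows, chip):
    """Addresses whose write spike is above the chip's baseline."""
    return {addr for addr, d in rows.items() if d[chip] > 0}


def revision_only(rows, chip, other):
    """Registers that react on `chip` but not on `other`."""
    return sorted(reacts(rows, chip) - reacts(rows, other))


def outliers(rows, limit=OUTLIER):
    """Addresses where baseline-corrected spikes differ by more than limit."""
    return sorted(a for a, d in rows.items()
                  if abs(d["MMC5"] - d["MMC5A"]) > limit)


if __name__ == "__main__":
    rows = parse(TABLE)
    fmt = lambda addrs: [f"${a:04X}" for a in addrs]
    print("MMC5A only:", fmt(revision_only(rows, "MMC5A", "MMC5")))
    print("MMC5 only: ", fmt(revision_only(rows, "MMC5", "MMC5A")))
    print("disagree:  ", fmt(outliers(rows)))
```

On these rows the disagreement list lines up with the four boxed regions described in Edit 4: $5003, $5007, $5117 and $5207-$520A.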

cybermind
Posts: 4
Joined: Fri Mar 10, 2017 9:14 am

Re: MMC5 Hacking Adventures

Post by cybermind » Tue Dec 25, 2018 12:28 pm

A new commercial game for MMC5 has been found: https://archive.org/details/simcity-nes Looks like you guys have something more to research.

lidnariq
Posts: 9702
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: MMC5 Hacking Adventures

Post by lidnariq » Tue Dec 25, 2018 12:50 pm

Unfortunately, it looks like SimCity for the NES is "just" an ordinary ETEPROM board, with no modifications.

Ben Boldt
Posts: 593
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Re: MMC5 Hacking Adventures

Post by Ben Boldt » Wed Jan 02, 2019 5:27 pm

krzysiobal - I totally glazed over and missed where you found that the MMC5 is sniffing address $2000 and $2001 for 8x8 / 8x16 mode and just realized this when Lidnariq added it to the wiki recently. I went back and did my writable register test down there and I found a few more. All of these registers definitely are being sniffed:

$2000 (PPUCTRL) <- Both MMC5 and 5A
$2001 (PPUMASK) <- Both MMC5 and 5A
$2005 (PPUSCROLL) <- Both MMC5 and 5A
$2006 (PPUADDR) <- MMC5A ONLY
$4014 (OAMDMA) <- Both MMC5 and 5A

Note that $2007 (PPUDATA) does NOT appear to be writable on MMC5A. Very interesting.

I am thinking that it might be sniffing $2005 so as to keep track of its vertical split position during horizontal scrolling. Any ideas why it is listening to these other ones? And what improvement or bugfix in MMC5A causes it to be interested in PPUADDR but not PPUDATA? I suppose you only write to PPUADDR during v-blank; maybe it is a fail-safe scanline counter reset?

tepples
Posts: 22056
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)

Re: MMC5 Hacking Adventures

Post by tepples » Wed Jan 02, 2019 5:36 pm

My first thought is it relates to the $2006-$2005-$2005-$2006 sequence (or whatever subset thereof was known to licensed devs).

Ben Boldt
Posts: 593
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Re: MMC5 Hacking Adventures

Post by Ben Boldt » Wed Jan 02, 2019 6:40 pm

Update:

I tried doing reads with this current spike test and in fact it does work for that too. It revealed that MMC5 and 5A are both sniffing reads from $2002 (PPUSTATUS). Confirmed not sniffing reads or writes from $2007 on MMC5 or 5A. This test does not work for the known $FFFA/B sniffs that reset the scanline counting state machine, as expected because that is known to be an asynchronous operation and this test only finds M2 edge triggered reads/writes.

New list of known sniffs:

Addr  | Name             | R/W   | Registration | MMC5 Revisions          | Purpose
------+------------------+-------+--------------+-------------------------+--------------------
$2000 | PPUCTRL          | WRITE | M2 Rising    | Both MMC5 and 5A        | 8x16 Mode Enable 1
$2001 | PPUMASK          | WRITE | M2 Rising    | Both MMC5 and 5A        | 8x16 Mode Enable 2
$2002 | PPUSTATUS        | READ  | M2 Rising    | Both MMC5 and 5A        | (unknown/unconfirmed)
$2005 | PPUSCROLL        | WRITE | M2 Rising    | Both MMC5 and 5A        | (unknown/unconfirmed)
$2006 | PPUADDR          | WRITE | M2 Rising    | MMC5A *ONLY*            | (unknown/unconfirmed)
$4014 | OAMDMA           | WRITE | M2 Rising    | Both MMC5 and 5A        | (unknown/unconfirmed)
$FFFA | NMI Vector Low   | READ  | Asynchronous | only confirmed on MMC5A | Triggers reset of scanline counter
$FFFB | NMI Vector Hi    | READ  | Asynchronous | only confirmed on MMC5A | Triggers reset of scanline counter

Last edited by Ben Boldt on Wed Jan 02, 2019 7:01 pm, edited 1 time in total.

lidnariq
Posts: 9702
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: MMC5 Hacking Adventures

Post by lidnariq » Wed Jan 02, 2019 6:47 pm

$FFFA is the NMI vector...

Ben Boldt
Posts: 593
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Re: MMC5 Hacking Adventures

Post by Ben Boldt » Wed Jan 02, 2019 7:00 pm

lidnariq wrote: $FFFA is the NMI vector...

Oh duh, my bad. I will edit that post.

lidnariq
Posts: 9702
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: MMC5 Hacking Adventures

Post by lidnariq » Wed Jan 02, 2019 7:01 pm

tepples wrote: My first thought is it relates to the $2006-$2005-$2005-$2006 sequence (or whatever subset thereof was known to licensed devs).

I wouldn't assume licensed devs knew anything better than what was done in SMB3, namely: 6/6/5/5 on the title screen; 6/6/6/6/disable rendering/6/6/enable rendering/5/5 during gameplay.

Ben Boldt
Posts: 593
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Re: MMC5 Hacking Adventures

Post by Ben Boldt » Wed Jan 02, 2019 7:05 pm

Ben Boldt wrote:
    lidnariq wrote: $FFFA is the NMI vector...
    Oh duh, my bad. I will edit that post.

It kind of begs the question - does reading the reset vector reset the MMC5? Do we know that already? I don't remember now.

Edit:
I tested MMC5A by removing and reconnecting the AVCC connection a few times until I got it into latched-reset mode, demonstrated by PRG-RAM +CE held low even with M2 toggling. I did repeated reads to all addresses $FFF0-FFFF and it did not unlatch the reset. I think that makes it unlikely that reading the reset vector triggers the MMC5 reset.

Bregalad
Posts: 7952
Joined: Fri Nov 12, 2004 2:49 pm
Location: Chexbres, VD, Switzerland

Re: MMC5 Hacking Adventures

Post by Bregalad » Thu Jan 03, 2019 12:21 pm

I don't understand how MMC5 is reacting to $2002 reads. I understand how it can snoop writes to $2000, $2001, $2005 and $2006 for internal operation. What I don't understand is, does the MMC5

a) Fill the unused low 5 bits of $2002 with some more information

or

b) Trigger some internal operation on $2002 reads, possibly snooping the upper 3 bits showing up on the data line and using them somehow internally?

Or something else entirely?

tepples
Posts: 22056
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)

Re: MMC5 Hacking Adventures

Post by tepples » Thu Jan 03, 2019 12:33 pm

The MMC5 cannot fill bits 4-0 of $2002 with other information because the PPU is already driving bits 4-0 based on the value of PPUGenLatch, the last value read from or written to $2000-$3FFF.

lidnariq
Posts: 9702
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: MMC5 Hacking Adventures

Post by lidnariq » Thu Jan 03, 2019 12:55 pm

B; the PPU still drives the lower 5 bits (with garbage) and competing would invoke a bus conflict.

But I also wouldn't be surprised if the designer had hoped to add extra status bits there (i.e. "A") and it had to be removed.
