Pirate Kid Dracula reverse engineering
Moderator: Moderators
Re: Pirate Kid Dracula reverse engineering
I'm dumping using Uniflash and a compact flash in a IDE adaptor.
The CF makes easy to upload stuff.
I can do anything that's necessary to RE this.
It can be faster if I don't need to modify the hardware.
If I remember correctly, Uniflash's source was released sometime ago.
It is written in Pascal, if I remember well.
Maybe this can be useful. Can it?
The CF makes easy to upload stuff.
I can do anything that's necessary to RE this.
It can be faster if I don't need to modify the hardware.
If I remember correctly, Uniflash's source was released sometime ago.
It is written in Pascal, if I remember well.
Maybe this can be useful. Can it?
Re: Pirate Kid Dracula reverse engineering
Hm, I found it: http://www.rainbow-software.org/uniflash/
but I never learned Pascal and don't yet have a copy of Turbo Pascal on hand...
Let's see if I can summarize what things I believe are true with the new data:
* Pins 12, 13, 15, 19 are known exactly
* Pins 17 and 18 are "latched value of D1 and D0 on writes to $8004"
* Pin 16 seems to be "become high on write to $C008; become low on write to $C00C; otherwise retain state"
* Pin 14 (/IRQ) seems to be "become high on write to $C004 or $C00C; become low when ((Cnt&86)==86); otherwise retain state"
So I think we can describe exactly what's going on now?
Mask: $C00C
- Writes to $8000, $8008, $800C, $C000: ignored
- Writes to $8004: same as last time
- Writes to $C004: Acknowledge IRQ
- Writes to $C008: Allow counter to run
- Writes to $C00C: Acknowledge IRQ and hold counter at 0
Counter counts PPU A13 falling edges; after 86 (two scanlines) it automatically zeroes its counter and asserts /IRQ.
This style of IRQ means that the program could explicitly choose an X coordinate (within 8 pixel granularity) where to get IRQs by clocking it a few times in vblank (ldx #$FF / stx $2006 / stx $2006 / bit $2007) before rendering starts. There should be no X drift due to IRQ latency.
Does this sound right to the other people looking?
but I never learned Pascal and don't yet have a copy of Turbo Pascal on hand...
Let's see if I can summarize what things I believe are true with the new data:
* Pins 12, 13, 15, 19 are known exactly
* Pins 17 and 18 are "latched value of D1 and D0 on writes to $8004"
* Pin 16 seems to be "become high on write to $C008; become low on write to $C00C; otherwise retain state"
* Pin 14 (/IRQ) seems to be "become high on write to $C004 or $C00C; become low when ((Cnt&86)==86); otherwise retain state"
So I think we can describe exactly what's going on now?
Mask: $C00C
- Writes to $8000, $8008, $800C, $C000: ignored
- Writes to $8004: same as last time
- Writes to $C004: Acknowledge IRQ
- Writes to $C008: Allow counter to run
- Writes to $C00C: Acknowledge IRQ and hold counter at 0
Counter counts PPU A13 falling edges; after 86 (two scanlines) it automatically zeroes its counter and asserts /IRQ.
This style of IRQ means that the program could explicitly choose an X coordinate (within 8 pixel granularity) where to get IRQs by clocking it a few times in vblank (ldx #$FF / stx $2006 / stx $2006 / bit $2007) before rendering starts. There should be no X drift due to IRQ latency.
Does this sound right to the other people looking?
Re: Pirate Kid Dracula reverse engineering
Great guys!!
Seems to be almost finished.
Just let me know when I can put this thing back together (when no more tests/dumps are needed).
I hope that zxbdragon finally can fgure out the inner workings of this pirate cartridge.
It's really nice to help.
Seems to be almost finished.
Just let me know when I can put this thing back together (when no more tests/dumps are needed).
I hope that zxbdragon finally can fgure out the inner workings of this pirate cartridge.
It's really nice to help.
Re: Pirate Kid Dracula reverse engineering
Thank you!But I have no solve this IRQ.I'll wait for JOE!
Re: Pirate Kid Dracula reverse engineering
I'll take a look on Monday and write the mapper doc if we've got everything figured out. (I'm on vacation this weekend.)zxbdragon wrote:I'll wait for JOE!
Re: Pirate Kid Dracula reverse engineering
I didn't see anything that disagreed with lidnariq, so here's the mapper doc in Disch's style.
Let me know if you have any questions or spot any mistakes.
Code: Select all
========================
= Mapper "18-72" =
========================
Example Games:
--------------------------
Akumajou Special: Boku Dracula-kun (pirate version)
Notes:
--------------------------
This mapper is another pirate VRC2b, this time with IRQs and VRC4-style
mirroring.
A mapper number hasn't been assigned to this particular board yet.
Registers:
---------------------------
There are two sets of registers: the VRC2 registers, and the Extra registers.
Writes will affect both sets of registers!
VRC2 registers range, mask: $8000-$FFFF, $F003
$8000-$8003: [...P PPPP] Same as VRC2b (PRG select 0)
$9000-$9003: [.... ...M] VRC2 mirroring control (see extra registers)
|
+- 0: vertical (A10); 1: horizontal (A11)
$A000-$A003: [...P PPPP] Same as VRC2b (PRG select 1)
$B000-$E003: [.... CCCC] Same as VRC2b (CHR select)
Extra registers range, mask: $8000-$FFFF, $C00C
$8004: [.... ..XX] Extended mirroring control
||
++- Extended mirroring control
0x: Let VRC2 control mirroring
10: one-screen, lower bank (overrides VRC2)
11: one-screen, upper bank (overrides VRC2)
$C004: [.... ....] Acknowledge IRQ
$C008: [.... ....] Start IRQ counter
$C00C: [.... ....] Acknowledge IRQ and hold IRQ counter at 0
Mirroring behavior:
---------------------------
Games will write to $9004 to affect both the VRC2 mirroring register ($9000)
and the Extra mirroring register ($8004) at the same time. The result is like
VRC4 mirroring:
$9004 [.... ..MM] Combined VRC2 and Extra mirroring control
||
++- VRC4 mirroring
00: Vertical
01: Horizontal
10: One-screen, lower bank
11: One-screen, upper bank
The VRC2 will remember the last setting written to it, even if the Extra
mirroring control is overriding it.
IRQ behavior:
---------------------------
The IRQ counter counts falling edges of PPU A13. The IRQ is asserted every time
the counter reaches 86. When the counter reaches 86, it's automatically reset
to 0. This results in one IRQ every two scanlines, as long as the counter is
running. Writing to Extra register $C004 or $C00C will acknowledge the IRQ.
Writing to Extra register $C00C will hold the counter at 0, and writing to
Extra register $C008 will allow the counter to resume.
Games will typically write to addresses like $F004/$F008/$F00C to control the
IRQ without affecting the VRC2's registers.
Re: Pirate Kid Dracula reverse engineering
Thank you! I to try.Joe wrote:I didn't see anything that disagreed with lidnariq, so here's the mapper doc in Disch's style.
Let me know if you have any questions or spot any mistakes.Code: Select all
======================== = Mapper "18-72" = ======================== Example Games: -------------------------- Akumajou Special: Boku Dracula-kun (pirate version) Notes: -------------------------- This mapper is another pirate VRC2b, this time with IRQs and VRC4-style mirroring. A mapper number hasn't been assigned to this particular board yet. Registers: --------------------------- There are two sets of registers: the VRC2 registers, and the Extra registers. Writes will affect both sets of registers! VRC2 registers range, mask: $8000-$FFFF, $F003 $8000-$8003: [...P PPPP] Same as VRC2b (PRG select 0) $9000-$9003: [.... ...M] VRC2 mirroring control (see extra registers) | +- 0: vertical (A10); 1: horizontal (A11) $A000-$A003: [...P PPPP] Same as VRC2b (PRG select 1) $B000-$E003: [.... CCCC] Same as VRC2b (CHR select) Extra registers range, mask: $8000-$FFFF, $C00C $8004: [.... ..XX] Extended mirroring control || ++- Extended mirroring control 0x: Let VRC2 control mirroring 10: one-screen, lower bank (overrides VRC2) 11: one-screen, upper bank (overrides VRC2) $C004: [.... ....] Acknowledge IRQ $C008: [.... ....] Start IRQ counter $C00C: [.... ....] Acknowledge IRQ and hold IRQ counter at 0 Mirroring behavior: --------------------------- Games will write to $9004 to affect both the VRC2 mirroring register ($9000) and the Extra mirroring register ($8004) at the same time. The result is like VRC4 mirroring: $9004 [.... ..MM] Combined VRC2 and Extra mirroring control || ++- VRC4 mirroring 00: Vertical 01: Horizontal 10: One-screen, lower bank 11: One-screen, upper bank The VRC2 will remember the last setting written to it, even if the Extra mirroring control is overriding it. IRQ behavior: --------------------------- The IRQ counter counts falling edges of PPU A13. The IRQ is asserted every time the counter reaches 86. When the counter reaches 86, it's automatically reset to 0. This results in one IRQ every two scanlines, as long as the counter is running. Writing to Extra register $C004 or $C00C will acknowledge the IRQ. Writing to Extra register $C00C will hold the counter at 0, and writing to Extra register $C008 will allow the counter to resume. Games will typically write to addresses like $F004/$F008/$F00C to control the IRQ without affecting the VRC2's registers.
It's better if have FCEUX code
Re: Pirate Kid Dracula reverse engineering
Try to fail
c008
counter = data?
clock
is
counter++;
if(counter >=86)
{
counter=0;
return true;
}
?
c008
counter = data?
clock
is
counter++;
if(counter >=86)
{
counter=0;
return true;
}
?
Re: Pirate Kid Dracula reverse engineering
No—there's no way for the data to get into the counterzxbdragon wrote:c008
counter = data?
That does look like what I think FCEUX IRQs do. How are you getting a callback on every falling edge of PPU A13?counter++;
if(counter >=86)
{
counter=0;
return true;
}?
If there's no way for that, you might be able to fake this with a normal FCEUX IRQ that fires every other scanline, but I don't know if that'll work.
I might tentatively use the label on the mask ROMs, "NCN-18"Joe wrote:Mapper "18-72"
Re: Pirate Kid Dracula reverse engineering
I can't solvelidnariq wrote:No—there's no way for the data to get into the counterzxbdragon wrote:c008
counter = data?
That does look like what I think FCEUX IRQs do. How are you getting a callback on every falling edge of PPU A13?counter++;
if(counter >=86)
{
counter=0;
return true;
}?
If there's no way for that, you might be able to fake this with a normal FCEUX IRQ that fires every other scanline, but I don't know if that'll work.
I might tentatively use the label on the mask ROMs, "NCN-18"Joe wrote:Mapper "18-72"
Re: Pirate Kid Dracula reverse engineering
Yeah, I suspect that FCEUX doesn't give you the tools necessary to implement this mapper.
Re: Pirate Kid Dracula reverse engineering
Well, looks like the hardware was all figured out.
I think my small paricipation is over.
Should I reassemble the cartridge?
I think my small paricipation is over.
Should I reassemble the cartridge?
Re: Pirate Kid Dracula reverse engineering
I think we're set, and you should feel free.
Re: Pirate Kid Dracula reverse engineering
Cool.
I'm really glad I could help.
I'm really glad I could help.
Re: Pirate Kid Dracula reverse engineering
Who is it done ?