Reverse Engineering the CIC
Moderator: Moderators
- infiniteneslives
- Posts: 2104
- Joined: Mon Apr 04, 2011 11:49 am
- Location: WhereverIparkIt, USA
- Contact:
Re: Reverse Engineering the CIC
Hard to know what caps you have exactly. Perhaps they are/should be fine, a photo would prob help us help you.
If you're gonna play the Game Boy, you gotta learn to play it right. -Kenny Rogers
Re: Reverse Engineering the CIC
I have used an original NES-SLROM board. No custom made baords.
This one, to be exact: http://bootgod.dyndns.org:7777/profile.php?id=14
Desoldered the CIC, programmed the Attiny13A with the correct fuse settings, installed it as follows:
Pin 1 - NC
Pin 2 - CIC Hole 6 (Cart #71)
Pin 3 - NC
Pin 4 - CIC Hole 8 (GND)
Pin 5 - CIC Hole 1 (Cart #35)
Pin 6 - CIC Hole 2 (Cart #34)
Pin 7 - CIC Hole 7 (Cart #70)
Pin 8 - CIC Hole 16 (VCC)
P.S. 2 out of 3 are working, tested in that board as well. So I doubt it is capacitor related but maybe a faulty Attiny13A.
Either way, new Attiny13A are on their way and I will test them once I get them.
This one, to be exact: http://bootgod.dyndns.org:7777/profile.php?id=14
Desoldered the CIC, programmed the Attiny13A with the correct fuse settings, installed it as follows:
Pin 1 - NC
Pin 2 - CIC Hole 6 (Cart #71)
Pin 3 - NC
Pin 4 - CIC Hole 8 (GND)
Pin 5 - CIC Hole 1 (Cart #35)
Pin 6 - CIC Hole 2 (Cart #34)
Pin 7 - CIC Hole 7 (Cart #70)
Pin 8 - CIC Hole 16 (VCC)
P.S. 2 out of 3 are working, tested in that board as well. So I doubt it is capacitor related but maybe a faulty Attiny13A.
Either way, new Attiny13A are on their way and I will test them once I get them.
- infiniteneslives
- Posts: 2104
- Joined: Mon Apr 04, 2011 11:49 am
- Location: WhereverIparkIt, USA
- Contact:
Re: Reverse Engineering the CIC
At a glance, your wiring is fine (as expected since some chips work). But I have no idea how long your wires are or other things that a photo would help portray. I did have similar issues where some chips worked and some didn't with some of Jim's Cool first attiny13 NES CIC builds. He found the bug and fixed it, never shared with me what the problem was. Not of much help, but perhaps your issue with krikzz implementation is related. First I've heard of it though, and there's quite a few people using his attiny13 NES CIC implementation AFAIK.
If you're gonna play the Game Boy, you gotta learn to play it right. -Kenny Rogers
Re: Reverse Engineering the CIC
Found out my problem.
I set the fuse bits first instead of writing it with a GQ-4X resulting in ID FFFF making it useless to progam with a GQ-4X.
However, the TL866 recognized the Attiny13A and its ID. So i thought I could continue with the proper fuse settings.
While programming worked well the AVRCIC never worked in that said cart. Luckily I had another cart with a working AVRCIC. So I switched them out. The SLROM cart now works fine, but the other doesn't, obviously.
So I just programmed one using the TL866 ONLY. Reset the console a few times and hey, both carts work.
I also found out, if you program it with a GQ-4X. Set the fuse bits LAST. First program the HEX file.
Thanks for the help though.
I set the fuse bits first instead of writing it with a GQ-4X resulting in ID FFFF making it useless to progam with a GQ-4X.
However, the TL866 recognized the Attiny13A and its ID. So i thought I could continue with the proper fuse settings.
While programming worked well the AVRCIC never worked in that said cart. Luckily I had another cart with a working AVRCIC. So I switched them out. The SLROM cart now works fine, but the other doesn't, obviously.
So I just programmed one using the TL866 ONLY. Reset the console a few times and hey, both carts work.
I also found out, if you program it with a GQ-4X. Set the fuse bits LAST. First program the HEX file.
Thanks for the help though.
- infiniteneslives
- Posts: 2104
- Joined: Mon Apr 04, 2011 11:49 am
- Location: WhereverIparkIt, USA
- Contact:
Re: Reverse Engineering the CIC
Ahh yeah those tools are pretty terrible for programming microcontrollers. For AVRs, I would highly recommend any devices that allow you to use avrdude, allows you to be much more explicit with what's getting programmed exactly and when.
If you're gonna play the Game Boy, you gotta learn to play it right. -Kenny Rogers
Re: Reverse Engineering the CIC
Inbound link
The description of the recently uploaded video "Secrets of the Nintendo CIC Chip - Early Cartridge Anti-Piracy" by Modern Vintage Gamer links to this topic.
The description of the recently uploaded video "Secrets of the Nintendo CIC Chip - Early Cartridge Anti-Piracy" by Modern Vintage Gamer links to this topic.
-
- Posts: 131
- Joined: Wed Apr 05, 2006 10:12 am
- Location: PA, USA
- Contact:
Re: Reverse Engineering the CIC
At long last, the trick to entering the ROM dump/debug mode of the SM590 was figured out earlier today by Sean Riddle:
http://www.seanriddle.com/sm590/
specifically http://www.seanriddle.com/sm590/sm590dump.txt
We now have electronic dumps of:
3193A
6113 non-A (which matched the dump done by neviksti using decap+stain back in 2006ish)
RFC-CPU10 (AKA R.O.B.)
We still need dumps or redumps of:
6113A (is this just a dieshrink of 6113 with the same code?)
3195 PAL-x
3195A PAL-x (dieshrink of 3195?)
3196 PAL-y
3197 (korea)
3198 (famicombox cart CIC)
3199 (famicombox coin timer)
(PAL-x and PAL-y are technically PAL-B and PAL-A but I may have the order backwards so I wanted to note that)
The following are SM595 instead of SM590 but probably dump the same way
F411 (SNES NTSC, 1991 consoles?)
F411A (SNES NTSC, 1992 consoles?)
F411B (SNES NTSC, 1993 and later?)
F413 (SNES PAL)
F413A and B if they existed.
LN
http://www.seanriddle.com/sm590/
specifically http://www.seanriddle.com/sm590/sm590dump.txt
We now have electronic dumps of:
3193A
6113 non-A (which matched the dump done by neviksti using decap+stain back in 2006ish)
RFC-CPU10 (AKA R.O.B.)
We still need dumps or redumps of:
6113A (is this just a dieshrink of 6113 with the same code?)
3195 PAL-x
3195A PAL-x (dieshrink of 3195?)
3196 PAL-y
3197 (korea)
3198 (famicombox cart CIC)
3199 (famicombox coin timer)
(PAL-x and PAL-y are technically PAL-B and PAL-A but I may have the order backwards so I wanted to note that)
The following are SM595 instead of SM590 but probably dump the same way
F411 (SNES NTSC, 1991 consoles?)
F411A (SNES NTSC, 1992 consoles?)
F411B (SNES NTSC, 1993 and later?)
F413 (SNES PAL)
F413A and B if they existed.
LN
"When life gives you zombies... *CHA-CHIK!* ...you make zombie-ade!"
Re: Reverse Engineering the CIC
How can I help with dumps of the Famicombox CIC? I would like to figure this out for my self but happy to share... where do I start?
Re: Reverse Engineering the CIC
If you're comfortable with a soldering iron, follow these instructions (also linked above).
Re: Reverse Engineering the CIC
Sure thing... I own an arcade so I’m not afraid of the soldering iron. I never have dumped stuff before so I just want to make sure I do it correctly. I’m reading the past post so it’s taking me a bit to get caught up.
The Famicomstation should be here tomorrow. I have to repair it then I’ll start trying to get the 3198 & 3199 dumps for everyone.
The Famicomstation should be here tomorrow. I have to repair it then I’ll start trying to get the 3198 & 3199 dumps for everyone.
Re: Reverse Engineering the CIC
I've also picked up some CICs recently that I'm hoping to dump, including the two in the FamicomBox. I still need to get a way to actually collect the data. Sounds like you're a bit ahead of me. I think it'll be good to compare dumps to verify they're correct.
I don't think the FamicomStation menu ROM is available, so if you'd be willing, it would be good to have a dump of that, as well. It should differ from the FamicomBox in at least its title graphics.
I don't think the FamicomStation menu ROM is available, so if you'd be willing, it would be good to have a dump of that, as well. It should differ from the FamicomBox in at least its title graphics.
Re: Reverse Engineering the CIC
If you don't already have a favorite microcontroller, the simplest way to get the data off the pins of the SM590 micros into a computer would be to use one of FTDI's parts that allow you to hook up 8 data pins and a "latch this data" pin to the data bus and clock here, and manually switch R20, R21, and ACL. (e.g. FT245R. Lots of other FTDI parts can supposedly be configured to operate in this mode, too, e.g. FT232H)
Re: Reverse Engineering the CIC
I think I can manage the soldering bit, I am a little lost on the collection process as it’s not something I’ve done before. I would love to learn how. I see the connection and reading directions but some overly detailed directions (for the interface to record them) for someone who has never done this would help. Sorry I’m new to this and spend most of my time repairing and troubleshooting arcade games and this type of thing rarely comes up.
Re: Reverse Engineering the CIC
That's really cool information.Lord Nightmare wrote: ↑Thu Sep 12, 2019 5:25 pm At long last, the trick to entering the ROM dump/debug mode of the SM590 was figured out earlier today by Sean Riddle:
http://www.seanriddle.com/sm590/
specifically http://www.seanriddle.com/sm590/sm590dump.txt
We now have electronic dumps of:
3193A
6113 non-A (which matched the dump done by neviksti using decap+stain back in 2006ish)
RFC-CPU10 (AKA R.O.B.)
We still need dumps or redumps of:
6113A (is this just a dieshrink of 6113 with the same code?)
3195 PAL-x
3195A PAL-x (dieshrink of 3195?)
3196 PAL-y
3197 (korea)
3198 (famicombox cart CIC)
3199 (famicombox coin timer)
(PAL-x and PAL-y are technically PAL-B and PAL-A but I may have the order backwards so I wanted to note that)
The following are SM595 instead of SM590 but probably dump the same way
F411 (SNES NTSC, 1991 consoles?)
F411A (SNES NTSC, 1992 consoles?)
F411B (SNES NTSC, 1993 and later?)
F413 (SNES PAL)
F413A and B if they existed.
LN
I noticed in the disassembly the mnemonics of the code: http://www.seanriddle.com/sm590/nescic-dis.txt
don't seem to match the mnemonics in the datasheet for the sm590: https://www.datasheets360.com/pdf/2349826358003027286
Is there any info on what mnemonics were used?
edit: found it
https://hackmii.com/2010/01/the-weird-a ... erful-cic/
Last edited by Jeroen on Mon Sep 14, 2020 11:47 am, edited 1 time in total.
Re: Reverse Engineering the CIC
Well, first things first: do we have a pinout for the 3198 CIC? Tentatively looking at one SSS-UNROM board, it looks like all the pins might actually go to the card edge, which would mean there's no soldering needed at all.
What the next step after that is depends on what you want to do. As I said, you could use a FT245 or FT232H, but there are other options too.
No need to apologize! Seeking to learn a craft is something that should always be commended.Sorry I’m new to this and spend most of my time repairing and troubleshooting arcade games and this type of thing rarely comes up.