- For making cartridges of your Super NES games, see Reproduction.
The NSS is an arcade cabinet that can hold up to three slightly customized SNES games. The SNES part is quite simple: A game over flag at port 4016h.W.bit2 (used in "skill mode"), and a DIP-Switch input at 4200h.R for changing difficulty (on cartridges that DO have DIP-switches).
Then there's a Z80 CPU for handling coin input and such things (similar as in NES Playchoice 10 and SNES SFC-Box). The Z80 BIOS is very unstructured and messy. After 2-3 days, I've basically figured out most of the I/O ports.
For the button input, I am still unsure about which-bit-is-which-button in some cases.
Serial OSD chip access is (maybe intentionally) programmed in confusing fashion with mirrored I/O addresses and plenty nonsense bits. Apart from that, it's using a straight address + character/attribute transmission. Character numbers for A-Z, a-z, 0-9, # and space are quite obvious (though non-ASCII). Underline and (I think) 3bit RGB color are looking simple. There should be special commands for character size and BG color and maybe other features. And for dumping the full charset with all symbols and punctuation marks, it'd be nice to run a Test-EPROM on real hardware sooner or later.
RTC and EEPROM are also serially accessed, but that part looks simple. Finally, there's some sort of 8pin "CIC" chip in the cartridges - it seems to be accessed by Writing-and-Reading-and-Jumping-To address E37Fh. I've no clue how THAT is working.
And, for making own games, understanding the format of the Instruction ROM (32K EPROM) would be also important. Title is at DEF1h. Checksum LSB and MSB are unconventionally found via pointers at C032h and DFFEh. The 32h-byte "CIC" key seems to be found at [C034h]. And somewhere, there must be some kind of entrypoint.
Anyways, does somebody have a NSS at home? At the moment, I am having some basic questions:
Is it possible to light more than one of the three game LEDs? Or to disable ALL LEDs? If not, then the LEDs might be just bound to the slot-selection bits (and then, it'd be ridiculous to search for separate LED enable bits).
What are the Test and Credit buttons doing? I guess one (which?) adds a credit? And the other one shows up the Bookkeeping/Coinage/Selftest menu?
And can somebody verify the part number of the OSD chip? According to http://mamedev.org/source/src/mame/drivers/nss.c.html it's a "Mitsubishi M50458-001SP" chip. But then... that nss.c file is wrong on almost every possible detail concerning Memory and I/O, and even the pin-number of the 100pin slot is wrong. Altogether, the file seems to be more aiming at a good laugh than actually emulating the NSS hardware.
Wouldn't be too surprised if the M50458-001SP part number is wrong, too. Seems to be quite impossible to find a datasheet for that chip. But, it DOES seem to exist. There are a few non-NSS pages mentioning it, including pinouts, schematics, and even some sample-code.
Since you are focusing on it, would you be willing to help with another part of the NSS?
I'd like to know the DIP switch settings for all NSS carts. For instance, here is ActRaiser:
Code:
    <setting name="Difficulty">
      <option value="0x0000" name="Easy"/>
      <option value="0x0001" name="Normal"/>
      <option value="0x0002" name="Hard"/>
      <option value="0x0003" name="Expert"/>
    </setting>
    <setting name="Lives">
      <option value="0x0000" name="5 lives"/>
      <option value="0x0004" name="4 lives"/>
      <option value="0x0008" name="3 lives"/>
      <option value="0x000c" name="2 lives"/>
    </setting>
    <setting name="Minute Speed">
      <option value="0x0000" name="60 seconds"/>
      <option value="0x0010" name="54 seconds"/>
      <option value="0x0020" name="48 seconds"/>
      <option value="0x0030" name="42 seconds"/>
    </setting>
I believe the MESS team has told me that some of the NSS dumps are "suspect", and may just be forgeries of regular games.
Although some likely really don't have DIP switch settings at all.
So it would be great if we could redump and reverify all the NSS games.
The arcade machines are a very rare find though. And they're freaking huge :/
Also ... can you explain the game over flag in a bit more detail? How does one go about triggering that? What is skill mode? When I put ActRaiser into expert mode, I get game over normally when I run out of lives. I'd love to see a video of it triggered, too. Like the SFC Box, I don't intend to simulate the non-SNES overlay hardware, but it would be good to do a rough simulation of this feature.
> As always, I am in awe that you're willing to take on such obscure hardware
Obscure stuff is interesting. I guess most people never heard of that thing - at least, I never ever heard of it, until doing some NES playchoice 10 research last week.
> I'd like to know the DIP switch settings for all NSS carts.
Okay, but now, that is TOO obscure. I'll try to add a DIP-switch option somewhere in the no$sns gui, so one can try what happens. Or otherwise, even without emulating it, one could just look at the opcodes that read 4200h.
> (You OR all the options and that's what $4200-4201 returns when read.)
Yup, Act Raiser is doing a 16bit read there (but uses only the lower some bits)... I would guess that 4201h..42FFh are just mirrors of 4200h.
> I believe the MESS team has told me that some of the NSS dumps are "suspect", and may just be forgeries of regular games.
I think the BIOS and INST-ROM are suspect by themselves. There are a lot of unused regions that are filled with unused code fragments (such like 50 opcodes from a "used" region, copied into an "unused" region). It's pretty hard to separate between meaningful code/data and garbage - on the other hand that's making it difficult to create own games or bootlegs - so far, if the dumps contain working PRG-ROMs and INST-ROMs, then they are probably original NSS games.
> Although some likely really don't have DIP switch settings at all.
> So it would be great if we could redump and reverify all the NSS games.
There seem to be 3 different cartridge PCBs, type A without SRAM and without DIP switches. Type B with SRAM and optional DIP switches. And Type C is same as B, but with bigger ROM (on two ROM chips).
In practice, the DIPs seem to be installed only on Type C boards.
> Also ... can you explain the game over flag in a bit more detail? How does one go about triggering that?
4016h.W.Bit2 is just a normally unused joypad output. Act Raiser sets that bit upon game over. Actually it seems to toggle the bit twice (don't know why twice). On the Z80 side that signal should probably show up in one of the I/O ports, and the Z80 could then reset the SNES and display some insert coin message. I haven't got that far yet to see what happens exactly.
> What is skill mode? When I put ActRaiser into expert mode, I get game over normally when I run out of lives.
I haven't emulated the configuration menu yet, but there seem to be two modes: In Skill Mode the game does probably end when you lost all lives. And in the other mode one can set a Minute:Second time limit per credit, and the game should then end when you run out of time/money.
Judging from photos, there seem to be 1-credit games and 2-credit games. Which probably means that one needs more money for the latter ones. Don't know if that can be configured in the Coinage screen, or if it's preset in the INST ROMs or "CIC" chip.
> Okay, but now, that is TOO obscure.
I dunno, I thought it was really cool. I understand it's a pain to do so, but I generate the GUI based on the XML when you first load the cart, so you can set how you want it to play.
For ActRaiser more than any other game, it's really nice. The real ActRaiser requires you to beat the game before you can play a limited "arcade" mode that's every -other- level.
The NSS game lets you skip story mode, play -every- level, and the DIP settings give you lots of skill settings. To me, the DIP settings are much more interesting than the insert coin and game selection overlays. I am still happy you are researching the latter of course. Everything that can be preserved should be.
> Yup, Act Raiser is doing a 16bit read there (but uses only the lower some bits)... I would guess that 4201h..42FFh are just mirrors of 4200h.
I got that impression when AR only used 6-bits. It would be great to confirm whether 4201-42FF are open bus or mirrors of 4200. I just let you control both bytes just in case, until we verify all games' DIP settings.
> on the other hand that's making it difficult to create own games or bootlegs
Unfortunately there are two bootlegs on eBay now =(
http://www.ebay.com/itm/Nintendo-super- ... 231f14d0f5
http://www.ebay.com/itm/Nintendo-super- ... 231f14f657
This page lists Super Copa on the display, which AFAIK was not an NSS game. It's also an insanely rare commercial cart from Mexico/Brazil only:
http://distritofederal.quebarato.com.mx ... 731AC.html
Hopefully the real ones come on mask ROMs, so you can easily spot fakes before dumping. The non-standard connector won't make dumping easy, either. Nor will the scarcity.
EDIT: they are apparently all EEPROMs, shit :(
That makes absolute verification from one board impossible.
> In practice, the DIPs seem to be installed only on Type C boards.
Ah, neat. So there were 14 games total.
Do we know the type of each of the 14 games?
Or even better, do we have PCB scans of all 14 somewhere?
Knowing a game was type A or B to skip testing for DIP settings would be nice.
Heh, here I thought the DIPs were software-based, and accessible in the arcade operator's menu. I sure hope there's at least a manual or something for arcade operators to know how the DIPs work.
> 4016h.W.Bit2 is just a normally unused joypad output.
Oh, are you saying "Bit1-Bit8", or "Bit0-Bit7"? If the former, that's a fairly obvious choice to use controller Data2 line. If the latter, then that's pretty darn neat since the stock SNES doesn't use the third bit at all.
FWIW, I always start from zero when indexing bits with bytes.
> I haven't got that far yet to see what happens exactly.
Ah, so untested for now. Okay then, I won't support it for now. I look forward to more research :D
> Oh, are you saying "Bit1-Bit8", or "Bit0-Bit7"? If the former, that's a fairly obvious choice to use controller Data2 line.
You mean like the 2nd bit in the 2-bit joypad INPUT register?
No, I meant the 3rd bit in the 3-bit joypad OUTPUT register.
The register is always 3-bit wide, nothing new there, though, in normal SNES consoles, the pins for bit1-2 are left unconnected.
Oops, yeah, my mistake.
> No, I meant the 3rd bit in the 3-bit joypad OUTPUT register.
That's even more surprising to me. I was under the impression the register was 1-bit wide, and was connected to LATCH for both joypads.
> The register is always 3-bit wide, nothing new there, though, in normal SNES consoles, the pins for bit1-2 are left unconnected.
Do you know where the pins are in the SNES? I use bit0 for sending serial data to my PC from the SNES. If I could solder two extra wires to send three bits at a time, I could send a byte on three writes instead of eight.
And now I have to wonder what $4016w.d1 is for on the NSS :P
Okay, but back to the NSS - first, some questions about the 8pin protection chip:
Did somebody ever manage to dump one of those chips (assuming that it DOES contain memory)?
Did somebody ever identify the chip? The part number is reportedly scratched off (or at least hidden under the sticker). Probably it's a serial PROM, same or similar as the RP5H01 chips used on Playchoice 10 cartridges.
Did somebody ever identify the pinouts? At least GND and VCC should be VERY simple to identify; and even that info would help to find out if it's a RP5H01 or not, and if it's wired to TEST mode or not.
On the Z80 side, I've figured out how the protection chip is accessed. The jumps to the memory mapped I/O port at E37Fh are apparently causing RST opcodes to be executed. Obviously not RST 0 (reset), but two of the other seven RST opcodes (one for receiving "0" bits from PROM, and one for "1" bits).
The RST handlers are then doing some confusing address indirections, and do finally end up at two small procedures in INST ROM, which do then return the PROM bit in CY flag. And alongside, the PROM data is XORed with other rotated values.
After that reading/xoring/rotations, one does have 32h bytes data: The number of "0" bits in the checksum for that region indicates how to handle the checksum of another region (which is addressed by the last two bytes of the 32h-byte data, and a bit from 2nd byte). Aside from being used as address, the last 2 bytes are also containing the expected checksum; eventually XORed by other bytes; depending on the number of "0" bits. Confusing, eh? Might be getting difficult to get that well-described, or to produce homebrew games for the NSS.
The 2nd byte does also contain an 8bit GameID, if there's already a cartridge with same ID in one of the other slots, then the NSS won't show the cartridge in the game menu. That 8bit ID might have caused problems in case there would have been more than 256 games released.
Don't know yet what the other bytes in the 32h-byte area are used for. I am afraid that they might contain important stuff like entrypoints to INST ROM - so, without also having dumped the protection chips, the INST ROM dumps might turn out to be totally useless.
As long as the exact spelling of the title is known, one can write a brute-force program to find the correct decryption key. That is, yes, a very stupid idea, I wasted some days until I got it working, but I didn't have the real PROM chips, and thus couldn't dump them the normal way.
Currently, the brute-force approach takes around a minute to find the key (it needs to brute on the first 24bit (16 million combinations) to be able to decrypt only the 1st byte of the title). But, eight of the 9-key bytes seem to be also stored in (almost) unencrypted form somewhere in the INST ROM. The only problem is that the location of that data is encrypted via the PROM. Anyways, there are only 8192 bytes of the ROM used, so feeding key bytes from all possible ROM addresses should be around 2000 times faster than the current 16 million times bruting.
The BIOS is quite some beast. At first glance it looks totally amateurish: For example, it doesn't have ONE menu function that shows the currently selected menu item. No, it has FOUR menu functions (one separate function, depending on which of the four menu items is selected). Even stranger, it never uses those four functions, but uses a fifth menu function (that cannot show the current selection at all).
But aside from the GUI, there are some evil hacks. Like here - three overlapping procedures that share the same opcodes:
Code:
    0000:65DA FD 21 F1 64    ld   iy,64F1    ;token_goto_if_zero
    0000:65DE 18 (EA)        jr   65CA
    ;------------------
    ;*** below opcode EAh does OVERLAP with above EAh!
    ;------------------
    cryptic_osd_callback:    ;this is used on the hidden protection checks
                             ;in the OSD write string function
    0000:65DF (EA) 3F 5F     jp   pe,5F3F    ;cryptic_osd_callback_even
    0000:65E2 E2 (D9 5E)     jp   po,5ED9    ;cryptic_osd_callback_odd
    ;------------------
    ;*** below opcodes D9h,5Eh do OVERLAP with above D9h,5Eh!
    ;------------------
    token_34_osd_wrstr_indirect:
    0000:65E3 D9             exx
    0000:65E4 5E             ld   e,[hl]     ;\
    0000:65E5 23             inc  hl         ; get string address
    0000:65E6 56             ld   d,[hl]     ;/
The instructions are a bit disappointing. In ActRaiser, there's only one page, telling what controller buttons to use. There is really no story-mode there. Maybe there's a bit more text in other games. ActRaiser seems to have pre-allocated space for 10 pages (which would occupy 5K of used 8K area of the 32K INST ROM).
> Do we know the type of each of the 14 games?
> Or even better, do we have PCB scans of all 14 somewhere?
What 14 games did you mean? I know only 12 games:
Code:
    PCB Title
    C   Act Raiser (NSS)                    1992 Enix                      (Two EPROMs+DIPSW)
    C   Addams Family, The (NSS)            1992 Ocean                     (Two EPROMs+DIPSW)
    C?  Contra 3: The Alien Wars (NSS)      1992 Konami                    (Two EPROMs+SRAM+DIPSW)
    C   David Crane's Amazing Tennis (NSS)  1992 Abs.Ent.Inc.              (Two EPROMs+DIPSW)
    B   F-Zero (NSS)                        1991 Nintendo                  (ROM+SRAM)
    C   Irem Skins Game, The (NSS)          1992 Irem                      (Two EPROMs+DIPSW)
    C   Lethal Weapon (NSS)                 1992 Ocean                     (Two EPROMs+DIPSW)
    C   NCAA Basketball (NSS)               1992 Sculptured Software Inc.  (Two EPROMs+DIPSW)
    C?  Robocop 3 (NSS)                     1992 Ocean                     (Two EPROMs+DIPSW)
    A   Super Mario World (NSS)             1991 Nintendo                  (ROM)
    A   Super Soccer (NSS)                  1992 Human Inc.                (EPROM)
    A   Super Tennis (NSS)                  1991 Nintendo                  (ROM)
And PCB scans, the "nss.c" file describes which game uses which PCB. According to that file, there are only 3 PCB versions (A,B,C). For A and B I've found good pictures of the component sides (but none of the solder side; which would have been really helpful). And Type C seems to be quite rare - I've found only one low-res photo of that PCB. The one thing visible there is that it has only 8 DIP-switches, so Port 4101h is definitely containing some kind of garbage, no additional switches.
With the brute force proggy, I've managed to get decryption keys for 7 of the 12 games. The missing ones are:
All three Type A games - the title/spelling there is fully known, so the brute force stuff should have worked without problems. My current guess is that the PROM chip is wired differently on the Type A boards. I've found somebody who owns Type A carts, and hope to get pics of the solder side soon.
And, keys for Robocop 3 and Contra 3 are also missing. Maybe they use different PCBs, too. Or it's just a spelling problem... though I've tried most possible combinations for Robocop/RoboCop/ROBCOP 3 or III. Well, and "Contra 3: The Alien Wars" must be somehow squeezed to 21 characters, which gives near endless possibilities... not to mention that some people are referring to the NSS version as "Super Contra" or "Alien Attack"; and... in the bookkeeping screen it does even identify itself as "New Game 1". Not too much chance to get that working, not without at least seeing a screenshot of the Game Menu showing the title. But I suspect Contra 3 has been some rare semi-official prototype (with INST ROM instructions "to be announced"), so it might be impossible to find somebody who actually owns the real cartridge.
Aside from Contra 3, the other 11 games are having fully-featured INST ROMs and are looking like authentic original games to me. Amazing Tennis is a bit odd as it has GameID FFh (the others are numbered 00h and up). Making unlicensed games or bootlegs with real working INST ROMs should be more or less impossible. Well, almost impossible - next no$sns update will include a tool for doing that; but it took me 3 weeks to get there. It'll be working without decryption PROMs - so it should be still easy to separate between original and homebrew cartridges.
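The three overlapping procedures at 65DAh..65E6h in the disassembly above can be checked mechanically. This is an added example, not part of the original posts: it decodes the 13 bytes of that listing from each of the three entry points and reports every byte that is an operand in one stream and an instruction start in another. The byte string is constructed from the listing's hex column, and the decoder covers only the opcodes that appear there.

```python
"""Find overlapping instructions in the 13 bytes quoted in the listing."""

# Constructed from the hex column of the listing (addresses 65DAh..65E6h).
BASE = 0x65DA
CODE = bytes.fromhex("FD21F16418EA3F5FE2D95E2356")

# Instruction lengths for the opcodes that occur in the listing, nothing more.
LENGTHS = {0xFD: 4, 0x18: 2, 0xEA: 3, 0xE2: 3, 0xD9: 1, 0x5E: 1, 0x23: 1, 0x56: 1}
ONE_BYTE = {0xD9: "exx", 0x5E: "ld   e,[hl]", 0x23: "inc  hl", 0x56: "ld   d,[hl]"}


def decode(addr, mem=CODE, base=BASE):
    """Decode one instruction at addr -> (length, text, ends_flow)."""
    i = addr - base
    op = mem[i]
    length = LENGTHS.get(op)
    if length is None or i + length > len(mem):
        raise ValueError(f"cannot decode {op:02X} at {addr:04X}")

    def imm16(k):  # little-endian 16-bit operand at offset k
        return mem[i + k] | (mem[i + k + 1] << 8)

    if op == 0xFD:
        if mem[i + 1] != 0x21:
            raise ValueError(f"unsupported FD-prefixed opcode at {addr:04X}")
        return length, f"ld   iy,{imm16(2):04X}", False
    if op == 0x18:  # relative jump, signed 8-bit displacement
        disp = mem[i + 1] - 256 if mem[i + 1] & 0x80 else mem[i + 1]
        return length, f"jr   {(addr + 2 + disp) & 0xFFFF:04X}", True
    if op in (0xEA, 0xE2):  # conditional on the parity flag
        cond = "pe" if op == 0xEA else "po"
        return length, f"jp   {cond},{imm16(1):04X}", False
    return length, ONE_BYTE[op], False


def sweep(entry):
    """Linear sweep from entry -> {address: (length, text)}.

    Stops at the unconditional jr or at the end of the bytes. It does not
    model that jp pe followed by jp po always branches.
    """
    out, addr = {}, entry
    while addr < BASE + len(CODE):
        length, text, stop = decode(addr)
        out[addr] = (length, text)
        if stop:
            break
        addr += length
    return out


def overlaps(entries):
    """Bytes that are an operand in one stream and an instruction start in another.

    Returns {address: (instruction holding it as operand, instruction starting there)}.
    """
    streams = {e: sweep(e) for e in entries}
    hits = {}
    for entry, ins in streams.items():
        for start, (length, text) in ins.items():
            for a in range(start + 1, start + length):
                for other, other_ins in streams.items():
                    if other != entry and a in other_ins:
                        hits[a] = (text, other_ins[a][1])
    return hits


if __name__ == "__main__":
    for a, (outer, inner) in sorted(overlaps([0x65DA, 0x65DF, 0x65E3]).items()):
        print(f"{a:04X}: operand of '{outer}', also start of '{inner}'")
```

The three reported addresses are the bytes the listing marks in parentheses; a disassembler that follows only one entry point never shows the other two procedures.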
Sorry I don't have anything to contribute as far as NSS info, but I am curious how similar/different this is to the Playchoice instructions/protection, if you've looked into it much. I've finished the layout for a Playchoice board, substituting the RP5H01 with a CPLD. I've disassembled the system ROM a little bit, but being a total Z80 newb and examining obfuscated code is a little weird. If you ever look into it sometime, I could use any tips on how it works.
To me, it's the only cool part about the system. The rest is no more exciting than multi-game Nintendo Power cartridges.
http://arcarc.xmission.com/Arcade%20by% ... ttings.jpg
> What 14 games did you mean? I know only 12 games:
Push-Over is advertised as existing here:
http://arcarc.xmission.com/Arcade%20by% ... ame-ad.JPG
... but it seems nobody has ever actually seen it?
On the screenshot near the bottom, this person is playing Super Copa:
http://distritofederal.quebarato.com.mx ... 731AC.html
It seems that there are likely 12 games in the US. There are also international releases of games. I have seen a French copy of Super Soccer, complete with a French marquee insert for the cabinet. The ROM itself may be the English version though, I don't know. Not paying what the seller wants for it.
> And Type C seems to be quite rare - I've found only one low-res photo of that PCB.
Here is NCAA Basketball:
The DIP switches are quite hard to toggle, but there's definitely eight of them.
> The one thing visible there is that it has only 8 DIP-switches, so Port 4101h is definitely containing some kind of garbage, no additional switches.
I've left it as open bus for now, ActRaiser still plays fine. It's either a mirror of $4100 or nothing at all. I'm more interested now in what happens if you write #$02 to $4016. It seems odd for them to use lines 1 & 3 and not line 2. Random guess: gives extra credit for achieving some goal (eg certain score.)
> But I suspect Contra 3 has been some rare semi-official prototype (with INST ROM instructions "to be announced"), so it might be impossible to find somebody who actually owns the real cartridge.
I'm wondering about a lot of these games actually. The only ones I've ever actually heard of anyone owning are:
Super Mario World
> Well, almost impossible - next no$sns update will include a tool for doing that; but it took me 3 weeks to get there.
Great. We can look forward to bootlegs of the harder to find cartridges now, advertised as if they were authentic :P
People have already sold bootleg Push-Over carts using the Super Mario World INST ROM.
Playchoice relation would be interesting. I haven't yet looked too deep into the PC10 BIOS. It looks like being made by the same programmer, and the RP5H01 part is quite the same as in NSS - using RST opcodes, and even using the same databits in the E000h-EFFFh R/W area, and spitting out the same 16-byte data (9 bytes plus mirrors/padding).
Don't know what the PROM is used for at software side on PC10s... There seems to be a homebrew replacement BIOS that works without PROMs - but I don't know if that BIOS can actually decrypt original games without the PROM ? (Assuming that the PC10 PROMs are containing decryption keys, too).
> I've finished the layout for a Playchoice board, substituting the RP5H01 with a CPLD.
That sounds interesting. Is that only a layout - or do you already have a RP5H01 clone tested & working on real PC10 hardware? I am wondering what comes out exactly from the DATA and COUNTER OUT pins:
COUNTER OUT should output address bit 5. According to the RP5H01 datasheet, the address starts at zero. So I'd expect the pin to output 32 "null" bits, then 32 "ones", and so on. But, the signal arriving at the PC10/NSS I/O ports is exactly vice-versa: Starts with 32 "ones", then 32 "nulls". Do you know if that inversion takes place in the RP5H01 chip? Or is it inverted on the PC10 mainboard?
DATA arrives at the PC10/NSS I/O ports as how it is stored in the pc10/mame "security.prm" files (aside from the wrong bit-order; storing bit0 (the first bit) in bit7 of the first byte of the file is total nonsense - it doesn't match up with the datasheet, nor with the BIOS functions, nor with the text/letters contained in the PROM).
Anyways, what I wanted to say was: The "null" bits in the .prm file arrive as "null" bits in the I/O ports. But I am wondering if that is really correct (inverted COUNTER OUT and un-inverted DATA looks like an odd combination). Do you know if the security.prm files are containing bits exactly as seen on the DATA pin? Ie. the "padding bytes" are FFh? Or could it be vice-versa, padding 00h?