Grumps Dream Course cart

Post by Guilty » Tue Sep 13, 2016 4:40 pm

Firstly, yeah I know there's a subreddit for this romhack, and they all are being pansies about legal concerns. Whatever, it's not like I'm selling this thing.

Anyways.

I'm trying to play a romhack of Kirby's Dream Course on my SNES! The romhack is applied to the Japanese version. I'm trying to do this without damaging any original PCBs. But there's a multilayer copy protection getting in my way! Darn! I think the best way to proceed would be to edit the rom and skip the copyright checks.

I'm not helpless with 6502, but I've never done any spectacular romhacking before. Never touched an sfc file, to boot. But I feel like this is very possible. I just don't know what tools I ought to use.
6502 disassemblers? Nonspecific 6502 assembler? SNES debugging emulator? I think I'll need all these. My targets are:

1) SRAM size check. From what I can tell the game only checks the SRAM on boot, so I should be able to just JMP right past the check. I have no idea what the SNES sets the PC to on boot though. I'd also need to disassemble the hex, because I'm not a wizard. What tools do I need to find the boot routine? What's a recommended disassembler?

2) Checksum. This seems trickier. I'd imagine my cart will fail this test since Kirby Bowl is 2MB and my cart is 4MB. I imagine this is done by getting a checksum from the rom and then doing a simple comparison to X. So, I think I'd need to find the routine that handles the checksum, figure out what my cart evaluates to, and then replace X with that. I figure this would be really simple with a debugger, I could just step through the checksum routine. No idea how to find that, but I do know of an action replay code that sets off the copyright protection, so could I trace this back?

ANY input valued!

Post by Myask » Tue Sep 13, 2016 5:16 pm

Note that the SNES uses a later chip in the 6502 family, the 65c816, iirc. (actually a Ricoh 5a22 with some extra bits and bobs)

Post by Guilty » Tue Sep 13, 2016 10:05 pm

Well that seems important! Thank you! At a glance, that doesn't seem to change too much. It looks like the 65c816's instruction set is very similar to the 6502. Now I have a better idea of what to google.

Post by Myask » Tue Sep 13, 2016 10:45 pm

I'm sure yoshi will be along any moment to recommend WDC books, but http://www.oxyron.de/html/opcodes816.html is one source for just opcodes. I half-recall an opcode grid that color-coded which processor added the instruction, but…I can't seem to find it.

Post by Guilty » Wed Sep 14, 2016 4:00 pm

I've gotten my hands on Geiger's Snes9x Debugger, and I have a disassembler (which seems to be unreliable) called Dispel. I can step through the code now!

I've used HxD to change the SRAM size in my ROM to match the SRAM size that INL's snes flashboard would provide. Which is to say, I've changed the SRAM size from 64 Kb to 256 Kb.

Theoretically, the only thing I need to do now is step through my edited ROM and the original ROM side by side until the two differ. That shouldn't be too hard... the copy protection checks on boot, so this couldn't be too hard?

EDIT: Got it. I actually didn't find much in stepping through the code, but I did find an excellent tool called ucon64. I had to run it in DOSBox, but it took out the SRAM check and we're all good now.
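
An added example, not written by any poster in this thread: a read-only Python sketch of the standard SNES internal header fields the thread asks about (SRAM size byte, checksum pair, and the emulation-mode reset vector at $00:FFFC), run on a constructed 32 KB image. It assumes a LoROM layout with no copier header and a power-of-two image size; the function names are hypothetical.

```python
import struct

HEADER = 0x7FC0  # LoROM internal header offset, image without a 512-byte copier header (assumption)

def parse_header(rom: bytes, base: int = HEADER) -> dict:
    """Read the fields the thread talks about: SRAM size, checksum pair, reset vector."""
    sram_code = rom[base + 0x18]
    complement, checksum = struct.unpack_from("<HH", rom, base + 0x1C)
    (reset,) = struct.unpack_from("<H", rom, base + 0x3C)  # $00:FFFC, emulation-mode RESET
    return {
        "title": rom[base:base + 21].decode("ascii", "replace").rstrip(),
        "sram_kbits": 8 << sram_code if sram_code else 0,  # size is 1 << code kilobytes
        "checksum": checksum,
        "complement": complement,
        "pair_ok": checksum ^ complement == 0xFFFF,
        "reset_vector": reset,
    }

def compute_checksum(rom: bytes, base: int = HEADER) -> int:
    """16-bit sum of every byte, with the stored pair counted as FF FF 00 00."""
    if len(rom) & (len(rom) - 1):
        raise ValueError("non power-of-two images need mirroring, not handled here")
    return (sum(rom) - sum(rom[base + 0x1C:base + 0x20]) + 0x1FE) & 0xFFFF

def build_sample(sram_code: int = 0x03) -> bytes:
    """Constructed 32 KB image with a self-consistent header (not a real game)."""
    rom = bytearray(0x8000)
    rom[HEADER:HEADER + 21] = b"CONSTRUCTED SAMPLE".ljust(21)
    rom[HEADER + 0x17] = 0x05          # ROM size code: 1 << 5 = 32 KB
    rom[HEADER + 0x18] = sram_code     # 0x03 = 64 Kbit
    struct.pack_into("<H", rom, HEADER + 0x3C, 0x8000)
    csum = compute_checksum(bytes(rom))
    struct.pack_into("<HH", rom, HEADER + 0x1C, csum ^ 0xFFFF, csum)
    return bytes(rom)

def header_edit_effect() -> tuple:
    """Change only the SRAM byte (64 Kbit -> 256 Kbit) and compare checksums."""
    original = build_sample()
    edited = bytearray(original)
    edited[HEADER + 0x18] = 0x05
    edited = bytes(edited)
    stored = parse_header(edited)["checksum"]
    return parse_header(edited)["sram_kbits"], stored, compute_checksum(edited)

if __name__ == "__main__":
    print(parse_header(build_sample()))
    print("sram_kbits=%d stored=%04X computed=%04X" % header_edit_effect())
```

The last function shows that editing the SRAM byte alone leaves the stored checksum two short of the recomputed one.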
