Pirate Kid Dracula reverse engineering

Discuss hardware-related topics, such as development cartridges, CopyNES, PowerPak, EPROMs, or whatever.

Moderators: B00daW, Moderators

User avatar
Fisher
Posts: 1093
Joined: Sat Jul 04, 2015 9:58 am
Location: -29.794229 -55.795374

Re: Pirate Kid Dracula reverse engineering

Post by Fisher » Thu Dec 29, 2016 2:47 pm

I'm dumping using Uniflash and a compact flash in a IDE adaptor.
The CF makes easy to upload stuff.
I can do anything that's necessary to RE this.
It can be faster if I don't need to modify the hardware.

If I remember correctly, Uniflash's source was released sometime ago.
It is written in Pascal, if I remember well.
Maybe this can be useful. Can it?

lidnariq
Posts: 9663
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: Pirate Kid Dracula reverse engineering

Post by lidnariq » Thu Dec 29, 2016 3:35 pm

Hm, I found it: http://www.rainbow-software.org/uniflash/
but I never learned Pascal and don't yet have a copy of Turbo Pascal on hand...

Let's see if I can summarize what things I believe are true with the new data:
* Pins 12, 13, 15, 19 are known exactly
* Pins 17 and 18 are "latched value of D1 and D0 on writes to $8004"
* Pin 16 seems to be "become high on write to $C008; become low on write to $C00C; otherwise retain state"
* Pin 14 (/IRQ) seems to be "become high on write to $C004 or $C00C; become low when ((Cnt&86)==86); otherwise retain state"

So I think we can describe exactly what's going on now?
Mask: $C00C
- Writes to $8000, $8008, $800C, $C000: ignored
- Writes to $8004: same as last time
- Writes to $C004: Acknowledge IRQ
- Writes to $C008: Allow counter to run
- Writes to $C00C: Acknowledge IRQ and hold counter at 0
Counter counts PPU A13 falling edges; after 86 (two scanlines) it automatically zeroes its counter and asserts /IRQ.

This style of IRQ means that the program could explicitly choose an X coordinate (within 8 pixel granularity) where to get IRQs by clocking it a few times in vblank (ldx #$FF / stx $2006 / stx $2006 / bit $2007) before rendering starts. There should be no X drift due to IRQ latency.


Does this sound right to the other people looking?

User avatar
Fisher
Posts: 1093
Joined: Sat Jul 04, 2015 9:58 am
Location: -29.794229 -55.795374

Re: Pirate Kid Dracula reverse engineering

Post by Fisher » Fri Dec 30, 2016 2:41 am

Great guys!!
Seems to be almost finished.
Just let me know when I can put this thing back together (when no more tests/dumps are needed).
I hope that zxbdragon finally can fgure out the inner workings of this pirate cartridge.
It's really nice to help.

zxbdragon
Posts: 488
Joined: Mon Dec 12, 2011 8:15 pm

Re: Pirate Kid Dracula reverse engineering

Post by zxbdragon » Fri Dec 30, 2016 2:45 am

Thank you!But I have no solve this IRQ.I'll wait for JOE!

Joe
Posts: 437
Joined: Mon Apr 01, 2013 11:17 pm

Re: Pirate Kid Dracula reverse engineering

Post by Joe » Fri Dec 30, 2016 3:54 am

zxbdragon wrote:I'll wait for JOE!
I'll take a look on Monday and write the mapper doc if we've got everything figured out. (I'm on vacation this weekend.)

Joe
Posts: 437
Joined: Mon Apr 01, 2013 11:17 pm

Re: Pirate Kid Dracula reverse engineering

Post by Joe » Mon Jan 02, 2017 8:11 pm

I didn't see anything that disagreed with lidnariq, so here's the mapper doc in Disch's style.

Code: Select all

========================
=  Mapper "18-72"      =
========================


Example Games:
--------------------------
Akumajou Special: Boku Dracula-kun (pirate version)


Notes:
--------------------------
This mapper is another pirate VRC2b, this time with IRQs and VRC4-style
mirroring.

A mapper number hasn't been assigned to this particular board yet.


Registers:
---------------------------
There are two sets of registers: the VRC2 registers, and the Extra registers.
Writes will affect both sets of registers!


VRC2 registers range, mask: $8000-$FFFF, $F003

$8000-$8003:  [...P PPPP]   Same as VRC2b (PRG select 0)
$9000-$9003:  [.... ...M]   VRC2 mirroring control (see extra registers)
                       |
                       +- 0: vertical (A10); 1: horizontal (A11)

$A000-$A003:  [...P PPPP]   Same as VRC2b (PRG select 1)
$B000-$E003:  [.... CCCC]   Same as VRC2b (CHR select)



Extra registers range, mask: $8000-$FFFF, $C00C

$8004:        [.... ..XX]   Extended mirroring control
                      ||
                      ++- Extended mirroring control
                           0x: Let VRC2 control mirroring
                           10: one-screen, lower bank (overrides VRC2)
                           11: one-screen, upper bank (overrides VRC2)

$C004:        [.... ....]   Acknowledge IRQ
$C008:        [.... ....]   Start IRQ counter
$C00C:        [.... ....]   Acknowledge IRQ and hold IRQ counter at 0


Mirroring behavior:
---------------------------
Games will write to $9004 to affect both the VRC2 mirroring register ($9000)
and the Extra mirroring register ($8004) at the same time. The result is like
VRC4 mirroring:

$9004 [.... ..MM]   Combined VRC2 and Extra mirroring control
              ||
              ++- VRC4 mirroring
                   00: Vertical
                   01: Horizontal
                   10: One-screen, lower bank
                   11: One-screen, upper bank

The VRC2 will remember the last setting written to it, even if the Extra
mirroring control is overriding it.


IRQ behavior:
---------------------------
The IRQ counter counts falling edges of PPU A13. The IRQ is asserted every time
the counter reaches 86. When the counter reaches 86, it's automatically reset
to 0. This results in one IRQ every two scanlines, as long as the counter is
running. Writing to Extra register $C004 or $C00C will acknowledge the IRQ.
Writing to Extra register $C00C will hold the counter at 0, and writing to
Extra register $C008 will allow the counter to resume.

Games will typically write to addresses like $F004/$F008/$F00C to control the
IRQ without affecting the VRC2's registers.
Let me know if you have any questions or spot any mistakes.

zxbdragon
Posts: 488
Joined: Mon Dec 12, 2011 8:15 pm

Re: Pirate Kid Dracula reverse engineering

Post by zxbdragon » Mon Jan 02, 2017 9:39 pm

Joe wrote:I didn't see anything that disagreed with lidnariq, so here's the mapper doc in Disch's style.

Code: Select all

========================
=  Mapper "18-72"      =
========================


Example Games:
--------------------------
Akumajou Special: Boku Dracula-kun (pirate version)


Notes:
--------------------------
This mapper is another pirate VRC2b, this time with IRQs and VRC4-style
mirroring.

A mapper number hasn't been assigned to this particular board yet.


Registers:
---------------------------
There are two sets of registers: the VRC2 registers, and the Extra registers.
Writes will affect both sets of registers!


VRC2 registers range, mask: $8000-$FFFF, $F003

$8000-$8003:  [...P PPPP]   Same as VRC2b (PRG select 0)
$9000-$9003:  [.... ...M]   VRC2 mirroring control (see extra registers)
                       |
                       +- 0: vertical (A10); 1: horizontal (A11)

$A000-$A003:  [...P PPPP]   Same as VRC2b (PRG select 1)
$B000-$E003:  [.... CCCC]   Same as VRC2b (CHR select)



Extra registers range, mask: $8000-$FFFF, $C00C

$8004:        [.... ..XX]   Extended mirroring control
                      ||
                      ++- Extended mirroring control
                           0x: Let VRC2 control mirroring
                           10: one-screen, lower bank (overrides VRC2)
                           11: one-screen, upper bank (overrides VRC2)

$C004:        [.... ....]   Acknowledge IRQ
$C008:        [.... ....]   Start IRQ counter
$C00C:        [.... ....]   Acknowledge IRQ and hold IRQ counter at 0


Mirroring behavior:
---------------------------
Games will write to $9004 to affect both the VRC2 mirroring register ($9000)
and the Extra mirroring register ($8004) at the same time. The result is like
VRC4 mirroring:

$9004 [.... ..MM]   Combined VRC2 and Extra mirroring control
              ||
              ++- VRC4 mirroring
                   00: Vertical
                   01: Horizontal
                   10: One-screen, lower bank
                   11: One-screen, upper bank

The VRC2 will remember the last setting written to it, even if the Extra
mirroring control is overriding it.


IRQ behavior:
---------------------------
The IRQ counter counts falling edges of PPU A13. The IRQ is asserted every time
the counter reaches 86. When the counter reaches 86, it's automatically reset
to 0. This results in one IRQ every two scanlines, as long as the counter is
running. Writing to Extra register $C004 or $C00C will acknowledge the IRQ.
Writing to Extra register $C00C will hold the counter at 0, and writing to
Extra register $C008 will allow the counter to resume.

Games will typically write to addresses like $F004/$F008/$F00C to control the
IRQ without affecting the VRC2's registers.
Let me know if you have any questions or spot any mistakes.
Thank you! I to try.
It's better if have FCEUX code

zxbdragon
Posts: 488
Joined: Mon Dec 12, 2011 8:15 pm

Re: Pirate Kid Dracula reverse engineering

Post by zxbdragon » Tue Jan 03, 2017 12:12 am

Try to fail

c008
counter = data?

clock
is
counter++;
if(counter >=86)
{
counter=0;
return true;
}
?

lidnariq
Posts: 9663
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: Pirate Kid Dracula reverse engineering

Post by lidnariq » Tue Jan 03, 2017 1:02 am

zxbdragon wrote:c008
counter = data?
No—there's no way for the data to get into the counter
counter++;
if(counter >=86)
{
counter=0;
return true;
}?
That does look like what I think FCEUX IRQs do. How are you getting a callback on every falling edge of PPU A13?

If there's no way for that, you might be able to fake this with a normal FCEUX IRQ that fires every other scanline, but I don't know if that'll work.
Joe wrote:Mapper "18-72"
I might tentatively use the label on the mask ROMs, "NCN-18"

zxbdragon
Posts: 488
Joined: Mon Dec 12, 2011 8:15 pm

Re: Pirate Kid Dracula reverse engineering

Post by zxbdragon » Tue Jan 03, 2017 5:55 am

lidnariq wrote:
zxbdragon wrote:c008
counter = data?
No—there's no way for the data to get into the counter
counter++;
if(counter >=86)
{
counter=0;
return true;
}?
That does look like what I think FCEUX IRQs do. How are you getting a callback on every falling edge of PPU A13?

If there's no way for that, you might be able to fake this with a normal FCEUX IRQ that fires every other scanline, but I don't know if that'll work.
Joe wrote:Mapper "18-72"
I might tentatively use the label on the mask ROMs, "NCN-18"
I can't solve

lidnariq
Posts: 9663
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: Pirate Kid Dracula reverse engineering

Post by lidnariq » Tue Jan 03, 2017 12:20 pm

Yeah, I suspect that FCEUX doesn't give you the tools necessary to implement this mapper.

User avatar
Fisher
Posts: 1093
Joined: Sat Jul 04, 2015 9:58 am
Location: -29.794229 -55.795374

Re: Pirate Kid Dracula reverse engineering

Post by Fisher » Tue Jan 03, 2017 2:26 pm

Well, looks like the hardware was all figured out.
I think my small paricipation is over.
Should I reassemble the cartridge?

lidnariq
Posts: 9663
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: Pirate Kid Dracula reverse engineering

Post by lidnariq » Tue Jan 03, 2017 3:06 pm

I think we're set, and you should feel free.

User avatar
Fisher
Posts: 1093
Joined: Sat Jul 04, 2015 9:58 am
Location: -29.794229 -55.795374

Re: Pirate Kid Dracula reverse engineering

Post by Fisher » Tue Jan 03, 2017 5:16 pm

Cool.
I'm really glad I could help.

zxbdragon
Posts: 488
Joined: Mon Dec 12, 2011 8:15 pm

Re: Pirate Kid Dracula reverse engineering

Post by zxbdragon » Tue Jan 03, 2017 8:02 pm

Who is it done ?

Post Reply