DragonBallZ / How hackers ported games to different mappers?

krzysiobal
Posts: 759
Joined: Sun Jun 12, 2011 12:06 pm
Location: Poland

Post by krzysiobal » Sat Feb 16, 2019 3:52 pm

I got a quite interesting pirate port of `Dragon Ball Z Gaiden - Saiya Jin Zetsumetsu Keikaku (J)`, which originally uses the #16 (BANDAI 24C02) mapper.

But `hackers` ported it to some custom mappers - they used a VRC4 chip but connected it a little bit differently, causing two 16kB PRG banks, and added a few more chips to control external EPROM, which results in the following mapper:

1. Classic VRC regs (mask is 1111100000001100 / $f80c, no bus conflicts)
  1.1. PRG (swap mode bit is ignored)
    $8000         $c000
    +-------------+-------------+
    |$a000/$a004/ |     -1      | [...P PPPP]
    |$a008/$a00c  |             |
    +-------------+-------------+
  
  
  1.2. CHR
    $0000 $0400 $0800 $0c00 $1000 $1400 $1800 $1c00
    +-----+-----+-----+-----+-----+-----+-----+-----+
    |$b000|$b008|$c000|$c008|$d000|$d008|$e000|$e008|  [.... LLLL]
    |$b004|$b00c|$c004|$c00c|$d004|$d00c|$e004|$e00c|  [...H HHHH]
    +-----+-----+-----+-----+-----+-----+-----+-----+
  
  1.3. Mirroring (meaning same as on regular VRC4)
    $9000, $9004, $9008, $900c:
  
  1.4. IRQ (meaning same as on regular VRC4)
    $f000:  IRQ Latch, low 4 bits
    $f004:  IRQ Latch, high 4 bits
    $f008:  IRQ Control
    $f00c:  IRQ Acknowledge

2. Additional regs for controlling 2kB serial EEPROM (bus conflicts)
  2.1. Write (only address bit matters)
    A~[1...1........EEE], D~[.... ....]
                    |||
                    ||+-- latch data to EPROM DI line
                    |+--- latch clock value
                    +---- latch chip enable
  2.2. Read (returns value in any range where nothing is mapped, presumably $4020-$6fff)
    D~[.... ...E]
               |
               +--------- read value from EPROM DO line

But my question is how hackers at that time were able to hack those games? If I look at the difference between the original and the pirate ROM, there are tens of places where they had to change the mapper register address.
And it wasn't a time when debuggers, emulators and NES knowledge were so popular, so how did they know where all the places to patch are? Was it just done automatically by searching for the 8DXXXX (STA $old) opcode and replacing it with `STA $new`?

Attachments
patch over Dragon Ball Z Gaiden - Saiya Jin Zetsumetsu Keikaku (J).ips
(1.27 KiB) Downloaded 221 times
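
The register map from the post above, turned into a write-address decoder (an added example, not part of the thread or of any emulator's code). The EEPROM sampling rule in `eeprom_bits` (active-high chip enable, DI taken on the rising clock edge) is an assumption the post does not state, and the trace is constructed.

```python
# Added example (not from the thread): classify CPU writes using the posted map.
VRC_MASK = 0xF80C       # "mask is 1111100000001100 / $f80c"
EEPROM_SELECT = 0x8800  # A15 and A11 set, from A~[1...1........EEE]


def build_vrc_table():
    """Masked address -> register name, per sections 1.1 to 1.4 of the post."""
    table = {a: "mirroring" for a in (0x9000, 0x9004, 0x9008, 0x900C)}
    table.update({a: "PRG bank at $8000" for a in (0xA000, 0xA004, 0xA008, 0xA00C)})
    slot = 0
    for base in (0xB000, 0xC000, 0xD000, 0xE000):
        for off in (0x0, 0x8):  # two 1 KiB CHR slots per $x000 page
            table[base + off] = f"CHR slot {slot} low 4 bits"
            table[base + off + 4] = f"CHR slot {slot} high 5 bits"
            slot += 1
    table.update({0xF000: "IRQ latch low", 0xF004: "IRQ latch high",
                  0xF008: "IRQ control", 0xF00C: "IRQ acknowledge"})
    return table


VRC_TABLE = build_vrc_table()


def decode_write(addr):
    """Return ('eeprom', lines), ('vrc', name) or ('none', None)."""
    if (addr & EEPROM_SELECT) == EEPROM_SELECT:
        # Only address bits matter: A2 = chip enable, A1 = clock, A0 = DI.
        return "eeprom", {"ce": addr >> 2 & 1, "clk": addr >> 1 & 1, "di": addr & 1}
    name = VRC_TABLE.get(addr & VRC_MASK)
    return ("vrc", name) if name else ("none", None)


def eeprom_bits(write_addrs):
    """Bits clocked into the EEPROM by a sequence of write addresses."""
    # Assumption (not in the post): chip enable is active high and DI is
    # sampled on the rising clock edge.
    bits, prev_clk = [], 0
    for addr in write_addrs:
        kind, lines = decode_write(addr)
        if kind != "eeprom":
            continue
        if lines["ce"] and lines["clk"] and not prev_clk:
            bits.append(lines["di"])
        prev_clk = lines["clk"] if lines["ce"] else 0
    return bits


# Constructed trace: clock in 1, 0, 1 with an unrelated PRG write in between.
TRACE = [0x8804, 0x8805, 0x8807, 0x8804, 0x8806, 0xA004, 0x8805, 0x8807, 0x8800]
```

Because A11 is part of the `$f80c` mask, a write with A11 set never matches one of the listed VRC registers, which is why the decoder can test the EEPROM select bits first.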

Ben Boldt
Posts: 592
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Re: DragonBallZ / How hackers ported games to different mapp

Post by Ben Boldt » Sun Feb 17, 2019 9:07 am

I think that you would build a circuit that triggers a latch of the entire PRG address bus based on a higher order address bit changing, basically capturing the ROM address any time a bankswitch occurred. The trigger would be just 1 input, any time that input changes, and pick 1 of the higher order address bits to hook it to. You would then run this circuit lots of times while playing the game, and periodically changing your trigger to different higher-order PRG/CHR address bits. I think if you kept doing this lots of times while playing the game you would eventually find most/all of them.

krzysiobal
Posts: 759
Joined: Sun Jun 12, 2011 12:06 pm
Location: Poland

Re: DragonBallZ / How hackers ported games to different mapp

Post by krzysiobal » Sun Oct 06, 2019 12:45 pm

I've found another Dragon Ball Z cartridge. The mapper is identical to the above, but instead of PRG-ROM/CHR-ROM/Mapper chips, there are blobs. And a place to solder 6264 CHR-RAM. And one additional feature:

A~[1...1........ceee]
                |   
                |
                |
                |
                +---- CHR-ROM enable (0) or disable (1);

CHR-RAM, when soldered, is always enabled at $0000, so no idea what the purpose of that bit is.
Anyway, the PRG-ROM chip reads back as garbage, but CHR-ROM is ok. Comparing with:
Dragon Ball Z Gaiden - Saiya Jin Zetsumetsu Keikaku (J)
gives a 100% match, so this is the same game as above.

--

And yet another one - this Dragon Ball Z4, using the same modified VRC4 mapper (but without EPROM and CHR-RAM in place of CHR-ROM), is in fact `Datach - Dragon Ball Z - Gekitou Tenkaichi Budou Kai (J)`.

Half of the Datach logo was cleared as defense against copyright claims?
More "economic" way of forcing VRC4 to 16kB+16kB PRG bank - instead of 74139 - diode and resistor.

Attachments
patch (apply over Datach - Dragon Ball Z - Gekitou Tenkaichi Budou Kai (J)].ips
(5.65 KiB) Downloaded 144 times

NewRisingSun
Posts: 1216
Joined: Thu May 19, 2005 11:30 am

Re: DragonBallZ / How hackers ported games to different mapp

Post by NewRisingSun » Sun Oct 06, 2019 1:16 pm

This is NES 2.0 Mapper 529, except for the additional EEPROM on YY0807. YY0807 can be added to mapper 529, with the EEPROM being emulated in the presence of an appropriate value in the NES 2.0 header's PRG-NVRAM size field.
