Simple one-time cartridge dumping...
Moderator: Moderators
No... I am now trying for a while to approach this through emulation. (I went through all the 256 mappers again in FCEU to verify that it doesn't work now that the ROM is correct size.)lidnariq wrote:Do you have a continuity tester? I made a poor man's one once out of a AA battery, a speaker, and a 100 ohm resistor and listened for clicks.
When the value 'written' to A0 is 0, it's horizontal layout/vertical mirroring; when it's 1 it's the vertical layout/horizontal mirroring.
EDIT:
Menu works when PRG E000-FFFF = 2000, CHR 0000-1FFF = 0000
- But invokes unknown mapper functions as explained earlier
- Reads and writes $4028 once every time the song loops
Urban(Game2) works when PRG C000-FFFF = 4000, CHR 0000-1FFF = 0000, mirroring:V
Kage(Game0) works when PRG 8000-FFFF = 8000, CHR 0000-1FFF = 4000, mirroring:H
- Writes 01 to $FFA7 continuously
Goonies(Game1) works when PRG 8000-FFFF = 10000, CHR 0000-1FFF = A000, mirroring:V
- But writes like crazy to FFCA, placing 8D,8D,01 there
Arkanoid(Game3) works when PRG 8000-FFFF = 18000, CHR 0000-1FFF = C000
- Writes $2E to $4025 once
Galaxian(Game4) works when E000-FFFF = 2000, CHR 0000-1FFF = 2000, mirroring:H
- Requires custom reset jump vector simulated by menu
PRG ROM content 0000-1FFF: Unknown
MAPPER 252 IMPLEMENTATION (EDIT: Later changed to 174.)
Trap writes to $8000-$FFFF (really only $FF00-$FFFF matter). Regarding the ADDRESS (value is ignored):
- PRG 0x4000 bytes from 0x4000*v are mapped to 0x8000, where v=bits 6..4
- PRG 0x4000 bytes from 0x4000*p are mapped to 0xC000, where p=v+bit7.
OR in other words:
If bit 7 was set:
- PRG 0x8000 bytes from 0x8000*v are mapped to 0x8000, where v=bits 6..5 (bit 4 is zero)
Else
- PRG 0x4000 bytes from 0x4000*v are mapped to 0xC000, where v=bits 6..4 (mapping of $8000-$BFFF is unknown)
If bit 0 was set, mirroring is vertical, else horizontal
CHR 0x2000 bytes from 0x2000*g are mapped to 0x0000, where g=bits 3..1
This is what I figure so far. However, this only explains the first write, not the subsequential ones.
It is very similar to mappers 60 (wrong initial mapping), 58 (takes mirroring from value & wrong initial mapping), 212 (wrong initial mapping) and 231 (lacks CHR mapping), aside from differences in which address bits are taken.
EDIT: Implemented these measures in my emulator. The ROM works perfectly. Turns out I was needlessly worrying about the other writes.
How do I get to assign a mapper number? ;-) Tentatively I chose 252. (EDIT: Later changed to 174.)
EDIT: The mapper description above (arrived to independently) seems very similar to what liqnariq posted earlier, albeit with different bit indexes. I am seriously impressed by liqnariq's ability to understand the circuits.
Now, the next logical step would be to replace the ROM on the cartridge with a connection to the Arduino so I could use the Arduino as a dev cartridge! 8-) (No idea whether that is feasible really.)
Last edited by Bisqwit on Sun Jul 08, 2012 5:17 pm, edited 3 times in total.
Thanks. Do you need me to desolder the 74LS chips to see the PCB contents underneath? Because I am not particularly willing to do that, lest I accidentally damage those chips. I can take photos of the ROMless board later today (in about 10 hours) and link to them in higher resolution.80sFREAK wrote:Well done. Could you please make macro photo(or scan) of PCB? I am curious about '153 usage.
Thanks in advance
Between my earlier analysis and Bisqwit's functional description, I can tell you exactly how the '153 is set up: to fake two independent 1-of-2 multiplexers. Using the On semiconductor pin names-
Thus either A14 is transparent from the cartridge edge (when LatchedA7 is high), or is the value in LatchedA4.
Code: Select all
1 /Ea ground
2 S1 LatchedA7
3,4 I3a,I2a CPU_A14
5,6 I1a,I0a LatchedA4
7 Za PRG_A14
8 ground
16 vcc
15 /Eb ground
14 S0 LatchedA0
13,11 I3b,I1b PPU_A11
12,10 I2b,I0b PPU_A10
9 Zb CIRAM_A10
This is the best I can do with my camera that is seriously handicapped in the macro photography depertment, and has difficulties in focusing.80sFREAK wrote:Well done. Could you please make macro photo(or scan) of PCB? I am curious about '153 usage.
These are all long exposure shots taken on a tripod, to minimize changes & impact of camera shake.
Click for enlarged versions.
(If you look carefully, you can deduce which chip I removed first.)
That doesn't quite make sense; I've done a disassembly of Galaxian and although there's some repurposeable space (e.g. the music easter egg) there's not a lot — did your logs really show both the menu and galaxian executing out of $e000-$ffff ?Bisqwit wrote:Menu works when PRG E000-FFFF = 2000, CHR 0000-1FFF = 0000
- But invokes unknown mapper functions as explained earlier
- Reads and writes $4028 once every time the song loops
Galaxian(Game4) works when E000-FFFF = 2000, CHR 0000-1FFF = 2000, mirroring:H
- Requires custom reset jump vector simulated by menu
Thanks! I've been looking at a lot of PCBs lately.The mapper description above (arrived to independently) seems very similar to what liqnariq posted earlier, albeit with different bit indexes. I am seriously impressed by liqnariq's ability to understand the circuits.
Can the atmega update its outputs in less than 350ns? Finely tuned asm might work; the plain arduino code definitely isn't fast enough.Now, the next logical step would be to replace the ROM on the cartridge with a connection to the Arduino so I could use the Arduino as a dev cartridge! 8-) (No idea whether that is feasible really.)
Come to think of it, you could probably make an clever hack that would bootstrap the NES with fully deterministic code to run out of RAM and then would just allow downloading data.
I may have meant C000-FFFF for the menu. I should verify that.lidnariq wrote:That doesn't quite make sense; I've done a disassembly of Galaxian and although there's some repurposeable space (e.g. the music easter egg) there's not a lot — did your logs really show both the menu and galaxian executing out of $e000-$ffff ?Bisqwit wrote:Menu works when PRG E000-FFFF = 2000, CHR 0000-1FFF = 0000
- But invokes unknown mapper functions as explained earlier
- Reads and writes $4028 once every time the song loops
Galaxian(Game4) works when E000-FFFF = 2000, CHR 0000-1FFF = 2000, mirroring:H
- Requires custom reset jump vector simulated by menu
EDIT: Ayup. Galaxian & main menu both work when $8000-$9FFF is mapped into 8k page 0 and $E000-$FFFF is mapped into 8k page 1. Mapping $A000-$DFFF is not necessary for either program.
Main menu requires only $8000-$9FFF + vector table at $FFFx.
Galaxian requires only $E000-$FFFF + bootstrap code at $80xx.
The reason to my erroneous statement earlier was that in my tests, I set the 32k address range into a "dummy" mapping mode and only explicitly mapped $E000-$FFFF to 8k page 1. However, my "dummy" mapping mode also accidentally mapped $8000-$BFFF into the first page, which I had missed.
The Arduino runs at 16 MHz (62.5 ns per cycle), meaning it has less than 6 cycles of time to update the outputs. Seems unlikely, even if I have two boards, one dealing with PRG and the other dealing with CHR. Hmm.liqnariq wrote:Can the atmega update its outputs in less than 350ns? Finely tuned asm might work; the plain arduino code definitely isn't fast enough.Now, the next logical step would be to replace the ROM on the cartridge with a connection to the Arduino so I could use the Arduino as a dev cartridge! 8-) (No idea whether that is feasible really.)
Maybe the Raspberry Pi then :-)
Wow.
They messed up.
As I already knew, in constructing the multigame cart, they had rather systematically deleted all references to copyrights and trademark notices other than their own.
See here (above: real titlescreens, below: NTDec titlescreens; click to enlarge):
Presumably they did so to reduce the number of potential pesky contacts from concerned customers about trademark violations.
What is curious that to some degree, they also did that in the PRG-ROM data.
Legend of Kage (real):Legend of Kage (pirate):The Goonies (real):The Goonies (pirate):Urban Champion (real vs pirate):Arkanoid (real vs pirate):Galaxian (real):Galaxian (pirate):
The "copr.1984 namco" is never rendered, but they removed it anyway. They still kept "haruhisa udagawa".
But the more interesting observation comes when one looks at the CHR-ROM data.
Here's Galaxian (left: original; right: pirate):
They removed the NAMCOT logo entirely for some reason.
However, in The Goonies, they did not remove the KONAMI text (bottom left):
Possibly because it would have been a bit too difficult. The Konami logo is embedded in 1-bpp graphics that overlaps with another 1-bpp graphics item. A neat trick that Konami used for increasing the mileage for CHR data.
The Legend of Kage and Urban Champion were not modified at all, either. (But there was nothing to change, really.)
But now, this is what they did to Arkanoid:
No, they did not remove the TAITO logo, even though that would have been easy. They removed half of the game! What's that "JALECO" text doing there? Turns out that through their incompetence, they somehow put graphics of a wrong game in the cartridge. If I understand correctly, that graphics is from Argus.
I verified it in an emulator, by poking the RAM directly to warp to stage 33. Left: Real Arkanoid. Right: NTDec Arkanoid.
Oh, it did not even bother to switch VROM pages.
Granted, this is the last stage of the game, and there are approximately zero players who can get that far in the game, but still, if anyone did, they would have been somewhat disappointed.
EDIT: They also did something that made the music player easter egg in Galaxian not working. Probably the bootstrapper intervenes somehow.
They messed up.
As I already knew, in constructing the multigame cart, they had rather systematically deleted all references to copyrights and trademark notices other than their own.
See here (above: real titlescreens, below: NTDec titlescreens; click to enlarge):
Presumably they did so to reduce the number of potential pesky contacts from concerned customers about trademark violations.
What is curious that to some degree, they also did that in the PRG-ROM data.
Legend of Kage (real):
Code: Select all
530 a2 44 86 03 a2 02 86 04 a2 07 a0 fd 20 4d a6 4c .D.......... M.L
540 92 a5 23 47 5e 00 54 41 49 54 4f 00 43 4f 52 50 ..#G^.TAITO.CORP
550 5f 00 31 39 38 36 ff 22 8d 31 00 50 4c 41 59 45 _.1986.".1.PLAYE
560 52 ff 22 cd 32 00 50 4c 41 59 45 52 53 ff ad 06 R.".2.PLAYERS...
Code: Select all
8530 a2 44 86 03 a2 02 86 04 a2 07 a0 fd 20 4d a6 4c .D.......... M.L
8540 92 a5 23 47 00 00 00 00 00 00 00 00 00 00 00 00 ..#G............
8550 00 00 00 00 00 00 ff 22 8d 31 00 50 4c 41 59 45 .......".1.PLAYE
8560 52 ff 22 cd 32 00 50 4c 41 59 45 52 53 ff ad 06 R.".2.PLAYERS...
Code: Select all
10 52 43 38 30 39 20 31 2c 30 20 38 36 30 31 30 37 RC809 1,0 860107
20 d7 d8 78 a9 00 85 1f ad 02 20 10 fb ad 02 20 10 ..x...... .... .
..
770 89 1a 89 9d 88 21 43 54 48 45 00 47 4f 4f 4e 49 .....!CTHE.GOONI
780 45 53 f1 00 49 53 00 41 00 54 52 41 44 45 4d 41 ES..IS.A.TRADEMA
790 52 4b fd 21 a3 4f 46 00 57 41 52 4e 45 52 00 42 RK.!.OF.WARNER.B
7a0 52 4f 53 cf 00 49 4e 43 cf fd 22 84 f2 00 31 39 ROS..INC.."...19
7b0 38 35 00 57 41 52 4e 45 52 00 42 52 4f 53 cf 00 85.WARNER.BROS..
7c0 49 4e 43 cf fd 22 c4 41 4c 4c 00 52 49 47 48 54 INC..".ALL.RIGHT
7d0 53 00 52 45 53 45 52 56 45 44 cf fe 3f 00 ff 22 S.RESERVED..?.."
7e0 69 f3 00 4b 4f 4e 41 4d 49 00 31 39 38 36 fd 22 i..KONAMI.1986."
7f0 2b 48 49 fe 22 a9 50 55 53 48 00 53 54 41 52 54 +HI.".PUSH.START
Code: Select all
10010 52 43 38 30 39 20 31 2c 30 20 38 36 30 31 30 37 RC809 1,0 860107
10020 d7 d8 78 a9 00 85 1f ad 02 20 10 fb ad 02 20 10 ..x...... .... .
..
10770 89 1a 89 9d 88 21 43 fd 48 45 00 47 4f 4f 4e 49 .....!C.HE.GOONI
10780 45 53 f1 00 49 53 00 41 00 54 52 41 44 45 4d 41 ES..IS.A.TRADEMA
10790 52 4b fd 21 a3 fd 46 00 57 41 52 4e 45 52 00 42 RK.!..F.WARNER.B
107a0 52 4f 53 cf 00 49 4e 43 cf fd 22 84 fd 00 31 39 ROS..INC.."...19
107b0 38 35 00 57 41 52 4e 45 52 00 42 52 4f 53 cf 00 85.WARNER.BROS..
107c0 49 4e 43 cf fd 22 c4 fd 4c 4c 00 52 49 47 48 54 INC.."..LL.RIGHT
107d0 53 00 52 45 53 45 52 56 45 44 cf fe 3f 00 ff 22 S.RESERVED..?.."
107e0 69 00 00 00 00 00 00 00 00 00 00 00 00 00 fd 22 i.............."
107f0 2b 48 49 fe 22 a9 50 55 53 48 00 53 54 41 52 54 +HI.".PUSH.START
Code: Select all
00003560 0c 18 16 19 1e 1d 0e 1b 22 ea 0a 1d 18 19 2f 1b |........"ê..../.|
-00003570 18 1e 17 0d 24 23 29 0e 25 01 09 08 04 2f 17 12 |....$#).%..../..|
-00003580 17 1d 0e 17 0d 18 23 c0 60 00 23 e0 08 f0 b0 a0 |......#À`.#à.ð° |
+00003570 18 1e 17 0d 24 23 29 0e 2f 2f 2f 2f 2f 2f 2f 2f |....$#).////////|
+00003580 2f 2f 2f 2f 2f 2f 23 c0 60 00 23 e0 08 f0 b0 a0 |//////#À`.#à.ð° |
00003590 a0 a0 a0 a0 a0 23 e8 08 00 0b 0a 0a 0a 0a 0a 0a | #è.........|
Code: Select all
00002500 5b 5c 5d 5e 5f 22 0c 08 01 2d 19 15 0a 22 0e 1b |[\]^_"...-..."..|
-00002510 22 4c 09 02 2d 19 15 0a 22 0e 1b 1c 22 cb 0a 60 |"L..-..."..."Ë.`|
-00002520 61 62 63 64 65 66 67 68 69 22 eb 0a 70 71 72 73 |abcdefghi"ë.pqrs|
-00002530 74 75 76 77 78 79 23 24 18 28 2d 1d 0a 12 1d 18 |tuvwxy#$.(-.....|
-00002540 2d 0c 18 1b 19 18 1b 0a 1d 12 18 17 2d 01 09 08 |-...........-...|
-00002550 06 23 66 13 0a 15 15 2d 1b 12 10 11 1d 1c 2d 1b |.#f....-......-.|
-00002560 0e 1c 0e 1b 1f 0e 0d ff 28 e3 13 1d 11 0e 2d 0e |.......ÿ(ã....-.|
+00002510 22 4c 09 02 2d 19 15 0a 22 0e 1b 1c 22 cb 0a 2d |"L..-..."..."Ë.-|
+00002520 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 eb 0a 2d 2d 2d 2d |---------"ë.----|
+00002530 2d 2d 2d 2d 2d 2d 23 24 18 2d 2d 2d 2d 2d 2d 2d |------#$.-------|
+00002540 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d |----------------|
+00002550 2d 23 66 13 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d |-#f.------------|
+00002560 2d 2d 2d 2d 2d 2d 2d ff 28 e3 13 1d 11 0e 2d 0e |-------ÿ(ã....-.|
00002570 1b 0a 2d 0a 17 0d 2d 1d 12 16 0e 2d 18 0f 29 23 |..-...-....-..)#|
Code: Select all
10 43 4f 50 52 2e 31 39 38 34 20 4e 41 4d 43 4f 20 COPR.1984 NAMCO
20 48 41 52 55 48 49 53 41 20 55 44 41 47 41 57 41 HARUHISA UDAGAWA
30 78 d8 a2 4d 9a a9 10 8d 00 20 ad 02 20 10 fb a2 x..M..... .. ...
Code: Select all
2010 a2 00 a9 00 9d 00 01 e8 e0 30 d0 f8 4c 20 e0 20 .........0..L .
2020 48 41 52 55 48 49 53 41 20 55 44 41 47 41 57 41 HARUHISA UDAGAWA
2030 78 d8 a2 4d 9a a9 10 8d 00 20 ad 02 20 10 fb a2 x..M..... .. ...
But the more interesting observation comes when one looks at the CHR-ROM data.
Here's Galaxian (left: original; right: pirate):
They removed the NAMCOT logo entirely for some reason.
However, in The Goonies, they did not remove the KONAMI text (bottom left):
Possibly because it would have been a bit too difficult. The Konami logo is embedded in 1-bpp graphics that overlaps with another 1-bpp graphics item. A neat trick that Konami used for increasing the mileage for CHR data.
The Legend of Kage and Urban Champion were not modified at all, either. (But there was nothing to change, really.)
But now, this is what they did to Arkanoid:
No, they did not remove the TAITO logo, even though that would have been easy. They removed half of the game! What's that "JALECO" text doing there? Turns out that through their incompetence, they somehow put graphics of a wrong game in the cartridge. If I understand correctly, that graphics is from Argus.
I verified it in an emulator, by poking the RAM directly to warp to stage 33. Left: Real Arkanoid. Right: NTDec Arkanoid.
Oh, it did not even bother to switch VROM pages.
Granted, this is the last stage of the game, and there are approximately zero players who can get that far in the game, but still, if anyone did, they would have been somewhat disappointed.
EDIT: They also did something that made the music player easter egg in Galaxian not working. Probably the bootstrapper intervenes somehow.
i missed notice about extra 64k for PRG ROM, shame on meBisqwit wrote:You posted to provide advice before reading to the end of the thread? Thanks, but the ROM is already dumped at proper size.80sFREAK wrote:What was the size of ROMs in multicart? What are the sizes of original games? Start from this point
Better late than never: Nestopia and GoodNES have already allocated mapper #252 to this one chinese pirate:
GoodNES 3.14 has instances of all of the following:Nestopia supports explicitly:
And kevtris has a table here
Code: Select all
case 252:
name = "WAIXING SAN GUO ZHI";
id = Type::WAIXING_SGZ;
break;
Code: Select all
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 .. 15 16 17 18 19 1A 1B .. .. .. ..
20 21 22 .. 24 25 26 .. 28 29 2A 2B 2C 2D 2E 2F .. 31 32 33 34 35 .. .. 38 39 3A .. 3C 3D 3E ..
40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 .. 52 53 .. 55 56 57 58 59 5A 5B 5C 5D 5E 5F
60 61 .. 63 .. 65 .. 67 .. 69 6A 6B 6C .. .. 6F 70 71 .. 73 74 75 76 77 78 79 .. .. .. .. .. ..
.. .. .. .. 84 85 86 .. 88 89 8A 8B 8C 8D 8E 8F .. 91 92 93 94 95 96 97 98 .. .. .. 9C .. .. 9F
.. .. .. A3 A4 A5 .. A7 A8 A9 .. AB AC AD .. AF B0 B1 B2 .. B4 .. B6 B7 B8 B9 BA BB BC BD .. BF
.. C1 .. .. C4 C5 C6 .. C8 C9 CA CB CC CD CE .. .. D1 D2 D3 D4 D5 D6 D7 D8 D9 .. DB DC DD DE ..
.. E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB .. .. .. .. F0 F1 F2 F3 F4 F5 F6 .. F8 F9 FA FB FC FD FE ..
Code: Select all
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 .. 15 16 17 18 19 1a 1b .. .. .. ..
20 21 22 .. 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a .. 3c 3d 3e 3f
40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 .. 52 53 .. 55 56 57 58 59 5a 5b 5c 5d 5e 5f
60 61 .. 63 .. .. .. 67 68 69 6a 6b 6c .. .. .. 70 71 72 73 74 75 76 77 78 79 .. 7b .. .. 7e ..
.. .. .. .. 84 85 86 .. 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f
.. .. .. a3 a4 a5 a6 a7 .. .. aa ab ac ad .. af b0 b1 b2 b3 b4 .. b6 b7 b8 b9 ba bb bc bd .. bf
c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 .. d3 d4 d5 d6 d7 d8 d9 .. db .. dd de df
e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec .. .. .. f0 f1 f2 f3 f4 f5 f6 .. .. f9 fa .. fc .. fe ff