Simple one-time cartridge dumping...

lidnariq
Posts: 11432
Joined: Sun Apr 13, 2008 11:12 am

Post by lidnariq »

Do you have a continuity tester? I made a poor man's one once out of an AA battery, a speaker, and a 100 ohm resistor and listened for clicks.

When the value 'written' to A0 is 0, it's horizontal layout/vertical mirroring; when it's 1 it's the vertical layout/horizontal mirroring.
Bisqwit
Posts: 249
Joined: Fri Oct 14, 2011 1:09 am

Post by Bisqwit »

lidnariq wrote: Do you have a continuity tester? I made a poor man's one once out of an AA battery, a speaker, and a 100 ohm resistor and listened for clicks.
When the value 'written' to A0 is 0, it's horizontal layout/vertical mirroring; when it's 1 it's the vertical layout/horizontal mirroring.
No... I have now been trying for a while to approach this through emulation. (I went through all the 256 mappers again in FCEU to verify that it doesn't work now that the ROM is the correct size.)

EDIT:
Menu works when PRG E000-FFFF = 2000, CHR 0000-1FFF = 0000
- But invokes unknown mapper functions as explained earlier
- Reads and writes $4028 once every time the song loops
Urban(Game2) works when PRG C000-FFFF = 4000, CHR 0000-1FFF = 0000, mirroring:V
Kage(Game0) works when PRG 8000-FFFF = 8000, CHR 0000-1FFF = 4000, mirroring:H
- Writes 01 to $FFA7 continuously
Goonies(Game1) works when PRG 8000-FFFF = 10000, CHR 0000-1FFF = A000, mirroring:V
- But writes like crazy to FFCA, placing 8D,8D,01 there
Arkanoid(Game3) works when PRG 8000-FFFF = 18000, CHR 0000-1FFF = C000
- Writes $2E to $4025 once
Galaxian(Game4) works when E000-FFFF = 2000, CHR 0000-1FFF = 2000, mirroring:H
- Requires custom reset jump vector simulated by menu
PRG ROM content 0000-1FFF: Unknown

MAPPER 252 IMPLEMENTATION (EDIT: Later changed to 174.)
Trap writes to $8000-$FFFF (really only $FF00-$FFFF matter). Regarding the ADDRESS (value is ignored):
- PRG 0x4000 bytes from 0x4000*v are mapped to 0x8000, where v=bits 6..4
- PRG 0x4000 bytes from 0x4000*p are mapped to 0xC000, where p=v+bit7.
OR in other words:
If bit 7 was set:
- PRG 0x8000 bytes from 0x8000*v are mapped to 0x8000, where v=bits 6..5 (bit 4 is zero)
Else
- PRG 0x4000 bytes from 0x4000*v are mapped to 0xC000, where v=bits 6..4 (mapping of $8000-$BFFF is unknown)
If bit 0 was set, mirroring is vertical, else horizontal
CHR 0x2000 bytes from 0x2000*g are mapped to 0x0000, where g=bits 3..1

This is what I figure so far. However, this only explains the first write, not the subsequent ones.

It is very similar to mappers 60 (wrong initial mapping), 58 (takes mirroring from value & wrong initial mapping), 212 (wrong initial mapping) and 231 (lacks CHR mapping), aside from differences in which address bits are taken.

EDIT: Implemented these measures in my emulator. The ROM works perfectly. Turns out I was needlessly worrying about the other writes.
How do I get to assign a mapper number? ;-) Tentatively I chose 252. (EDIT: Later changed to 174.)

Image

EDIT: The mapper description above (arrived at independently) seems very similar to what lidnariq posted earlier, albeit with different bit indexes. I am seriously impressed by lidnariq's ability to understand the circuits.

Now, the next logical step would be to replace the ROM on the cartridge with a connection to the Arduino so I could use the Arduino as a dev cartridge! 8-) (No idea whether that is feasible really.)
Last edited by Bisqwit on Sun Jul 08, 2012 5:17 pm, edited 3 times in total.
80sFREAK
Posts: 275
Joined: Sat Sep 03, 2011 11:40 pm

Post by 80sFREAK »

Well done. Could you please make a macro photo (or scan) of the PCB? I am curious about '153 usage.
Thanks in advance
Post by Bisqwit »

80sFREAK wrote:Well done. Could you please make macro photo(or scan) of PCB? I am curious about '153 usage.
Thanks in advance
Thanks. Do you need me to desolder the 74LS chips to see the PCB contents underneath? Because I am not particularly willing to do that, lest I accidentally damage those chips. I can take photos of the ROMless board later today (in about 10 hours) and link to them in higher resolution.
Post by lidnariq »

Between my earlier analysis and Bisqwit's functional description, I can tell you exactly how the '153 is set up: to fake two independent 1-of-2 multiplexers. Using the ON Semiconductor pin names:

Code:

  1   /Ea     ground
  2   S1      LatchedA7
 3,4  I3a,I2a CPU_A14
 5,6  I1a,I0a LatchedA4 
  7   Za      PRG_A14
  8   ground
  16  vcc
  15  /Eb     ground
  14  S0      LatchedA0
13,11 I3b,I1b PPU_A11
12,10 I2b,I0b PPU_A10
  9   Zb      CIRAM_A10
Thus either A14 is transparent from the cartridge edge (when LatchedA7 is high), or is the value in LatchedA4.
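The address-latch rules from Bisqwit's mapper description and the two '153 multiplexers from the pin table above can be combined into one decoder. This is an added example, not code from either poster or from any emulator; the type and function names are hypothetical, the write addresses are constructed from the rule rather than taken from a trace, and routing latched bits 5 and 6 to PRG A15/A16 is an assumption drawn from the bank rule.

```c
#include <stdint.h>
#include <stdio.h>

/* The latch holds the low byte of the ADDRESS of the last write to
 * $8000-$FFFF; the data value written is ignored. */
typedef struct { uint8_t latch; } mapper174;

static void m174_write(mapper174 *m, uint16_t cpu_addr) {
    if (cpu_addr >= 0x8000)
        m->latch = (uint8_t)(cpu_addr & 0xFF);
}

/* PRG ROM offset for a CPU access in $8000-$FFFF.
 * '153 section a: PRG_A14 = LatchedA7 ? CPU_A14 : LatchedA4.
 * Assumption: PRG_A15 and PRG_A16 are latched bits 5 and 6. */
static uint32_t m174_prg_offset(const mapper174 *m, uint16_t cpu_addr) {
    uint32_t cpu_a14 = (cpu_addr >> 14) & 1u;
    uint32_t lat_a4  = (m->latch >> 4) & 1u;
    uint32_t prg_a14 = (m->latch & 0x80) ? cpu_a14 : lat_a4;
    uint32_t prg_hi  = (m->latch >> 5) & 3u;
    return (prg_hi << 15) | (prg_a14 << 14) | (cpu_addr & 0x3FFFu);
}

/* CHR ROM offset for a PPU access in $0000-$1FFF: 8 KiB bank = bits 3..1. */
static uint32_t m174_chr_offset(const mapper174 *m, uint16_t ppu_addr) {
    uint32_t g = (m->latch >> 1) & 7u;
    return (g << 13) | (ppu_addr & 0x1FFFu);
}

/* '153 section b: CIRAM_A10 = LatchedA0 ? PPU_A11 : PPU_A10. */
static unsigned m174_ciram_a10(const mapper174 *m, uint16_t ppu_addr) {
    unsigned bit = (m->latch & 1u) ? 11u : 10u;
    return (ppu_addr >> bit) & 1u;
}

int main(void) {
    /* Constructed write addresses, built from the rule to select the
     * mappings listed in the thread; they are not taken from a trace. */
    static const struct { const char *name; uint16_t wr, rd; } t[] = {
        { "Menu/$E000",     0xFF00, 0xE000 },
        { "Urban/$C000",    0xFF11, 0xC000 },
        { "Kage/$8000",     0xFFA4, 0x8000 },
        { "Goonies/$8000",  0xFFCB, 0x8000 },
        { "Arkanoid/$8000", 0xFFEC, 0x8000 },
        { "Galaxian/$E000", 0xFF02, 0xE000 },
    };
    mapper174 m = { 0 };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        m174_write(&m, t[i].wr);
        printf("%-15s PRG=%05X CHR=%04X A10($2400)=%u\n", t[i].name,
               (unsigned)m174_prg_offset(&m, t[i].rd),
               (unsigned)m174_chr_offset(&m, 0x0000),
               m174_ciram_a10(&m, 0x2400));
    }
    return 0;
}
```

In 16 KiB mode the same bank appears at both $8000 and $C000, which agrees with the later observation that the menu and Galaxian both run with 8k page 0 at $8000 and 8k page 1 at $E000.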
Post by Bisqwit »

80sFREAK wrote:Well done. Could you please make macro photo(or scan) of PCB? I am curious about '153 usage.
This is the best I can do with my camera that is seriously handicapped in the macro photography department, and has difficulties in focusing.
These are all long exposure shots taken on a tripod, to minimize changes & impact of camera shake.
Click for enlarged versions.
Image Image Image Image Image Image Image

(If you look carefully, you can deduce which chip I removed first.)
Post by 80sFREAK »

2 Bisqwit Thank you for the photos.
2 lidnariq, ah I see, it's clear now with your description :)

Arkanoid should be modified version - 16kB PRG and 8kB CHR
Post by lidnariq »

Bisqwit wrote:Menu works when PRG E000-FFFF = 2000, CHR 0000-1FFF = 0000
- But invokes unknown mapper functions as explained earlier
- Reads and writes $4028 once every time the song loops
Galaxian(Game4) works when E000-FFFF = 2000, CHR 0000-1FFF = 2000, mirroring:H
- Requires custom reset jump vector simulated by menu
That doesn't quite make sense; I've done a disassembly of Galaxian and although there's some repurposeable space (e.g. the music easter egg) there's not a lot — did your logs really show both the menu and Galaxian executing out of $e000-$ffff?
The mapper description above (arrived at independently) seems very similar to what lidnariq posted earlier, albeit with different bit indexes. I am seriously impressed by lidnariq's ability to understand the circuits.
Thanks! I've been looking at a lot of PCBs lately.
Now, the next logical step would be to replace the ROM on the cartridge with a connection to the Arduino so I could use the Arduino as a dev cartridge! 8-) (No idea whether that is feasible really.)
Can the atmega update its outputs in less than 350ns? Finely tuned asm might work; the plain arduino code definitely isn't fast enough.

Come to think of it, you could probably make a clever hack that would bootstrap the NES with fully deterministic code to run out of RAM and then would just allow downloading data.
Post by Bisqwit »

lidnariq wrote:
Bisqwit wrote:Menu works when PRG E000-FFFF = 2000, CHR 0000-1FFF = 0000
- But invokes unknown mapper functions as explained earlier
- Reads and writes $4028 once every time the song loops
Galaxian(Game4) works when E000-FFFF = 2000, CHR 0000-1FFF = 2000, mirroring:H
- Requires custom reset jump vector simulated by menu
That doesn't quite make sense; I've done a disassembly of Galaxian and although there's some repurposeable space (e.g. the music easter egg) there's not a lot — did your logs really show both the menu and galaxian executing out of $e000-$ffff ?
I may have meant C000-FFFF for the menu. I should verify that.

EDIT: Ayup. Galaxian & main menu both work when $8000-$9FFF is mapped into 8k page 0 and $E000-$FFFF is mapped into 8k page 1. Mapping $A000-$DFFF is not necessary for either program.
Main menu requires only $8000-$9FFF + vector table at $FFFx.
Galaxian requires only $E000-$FFFF + bootstrap code at $80xx.

The reason for my erroneous statement earlier was that in my tests, I set the 32k address range into a "dummy" mapping mode and only explicitly mapped $E000-$FFFF to 8k page 1. However, my "dummy" mapping mode also accidentally mapped $8000-$BFFF into the first page, which I had missed.

lidnariq wrote:
Now, the next logical step would be to replace the ROM on the cartridge with a connection to the Arduino so I could use the Arduino as a dev cartridge! 8-) (No idea whether that is feasible really.)
Can the atmega update its outputs in less than 350ns? Finely tuned asm might work; the plain arduino code definitely isn't fast enough.
The Arduino runs at 16 MHz (62.5 ns per cycle), meaning it has less than 6 cycles of time to update the outputs. Seems unlikely, even if I have two boards, one dealing with PRG and the other dealing with CHR. Hmm.
Maybe the Raspberry Pi then :-)
Post by Bisqwit »

Wow.
They messed up.

As I already knew, in constructing the multigame cart, they had rather systematically deleted all references to copyrights and trademark notices other than their own.

See here (above: real titlescreens, below: NTDec titlescreens; click to enlarge):
Image Image Image Image Image
Image Image Image Image Image

Presumably they did so to reduce the number of potential pesky contacts from concerned customers about trademark violations.

What is curious is that to some degree, they also did that in the PRG-ROM data.
Legend of Kage (real):

Code:

     530  a2 44 86 03 a2 02 86 04  a2 07 a0 fd 20 4d a6 4c  .D.......... M.L
     540  92 a5 23 47 5e 00 54 41  49 54 4f 00 43 4f 52 50  ..#G^.TAITO.CORP
     550  5f 00 31 39 38 36 ff 22  8d 31 00 50 4c 41 59 45  _.1986.".1.PLAYE
     560  52 ff 22 cd 32 00 50 4c  41 59 45 52 53 ff ad 06  R.".2.PLAYERS...
Legend of Kage (pirate):

Code:

    8530  a2 44 86 03 a2 02 86 04  a2 07 a0 fd 20 4d a6 4c  .D.......... M.L
    8540  92 a5 23 47 00 00 00 00  00 00 00 00 00 00 00 00  ..#G............
    8550  00 00 00 00 00 00 ff 22  8d 31 00 50 4c 41 59 45  .......".1.PLAYE
    8560  52 ff 22 cd 32 00 50 4c  41 59 45 52 53 ff ad 06  R.".2.PLAYERS...
The Goonies (real):

Code:

      10  52 43 38 30 39 20 31 2c  30 20 38 36 30 31 30 37  RC809 1,0 860107
      20  d7 d8 78 a9 00 85 1f ad  02 20 10 fb ad 02 20 10  ..x...... .... .
..
     770  89 1a 89 9d 88 21 43 54  48 45 00 47 4f 4f 4e 49  .....!CTHE.GOONI
     780  45 53 f1 00 49 53 00 41  00 54 52 41 44 45 4d 41  ES..IS.A.TRADEMA
     790  52 4b fd 21 a3 4f 46 00  57 41 52 4e 45 52 00 42  RK.!.OF.WARNER.B
     7a0  52 4f 53 cf 00 49 4e 43  cf fd 22 84 f2 00 31 39  ROS..INC.."...19
     7b0  38 35 00 57 41 52 4e 45  52 00 42 52 4f 53 cf 00  85.WARNER.BROS..
     7c0  49 4e 43 cf fd 22 c4 41  4c 4c 00 52 49 47 48 54  INC..".ALL.RIGHT
     7d0  53 00 52 45 53 45 52 56  45 44 cf fe 3f 00 ff 22  S.RESERVED..?.."
     7e0  69 f3 00 4b 4f 4e 41 4d  49 00 31 39 38 36 fd 22  i..KONAMI.1986."
     7f0  2b 48 49 fe 22 a9 50 55  53 48 00 53 54 41 52 54  +HI.".PUSH.START
The Goonies (pirate):

Code:

   10010  52 43 38 30 39 20 31 2c  30 20 38 36 30 31 30 37  RC809 1,0 860107
   10020  d7 d8 78 a9 00 85 1f ad  02 20 10 fb ad 02 20 10  ..x...... .... .
..
   10770  89 1a 89 9d 88 21 43 fd  48 45 00 47 4f 4f 4e 49  .....!C.HE.GOONI
   10780  45 53 f1 00 49 53 00 41  00 54 52 41 44 45 4d 41  ES..IS.A.TRADEMA
   10790  52 4b fd 21 a3 fd 46 00  57 41 52 4e 45 52 00 42  RK.!..F.WARNER.B
   107a0  52 4f 53 cf 00 49 4e 43  cf fd 22 84 fd 00 31 39  ROS..INC.."...19
   107b0  38 35 00 57 41 52 4e 45  52 00 42 52 4f 53 cf 00  85.WARNER.BROS..
   107c0  49 4e 43 cf fd 22 c4 fd  4c 4c 00 52 49 47 48 54  INC.."..LL.RIGHT
   107d0  53 00 52 45 53 45 52 56  45 44 cf fe 3f 00 ff 22  S.RESERVED..?.."
   107e0  69 00 00 00 00 00 00 00  00 00 00 00 00 00 fd 22  i.............."
   107f0  2b 48 49 fe 22 a9 50 55  53 48 00 53 54 41 52 54  +HI.".PUSH.START
Urban Champion (real vs pirate):

Code:

 00003560  0c 18 16 19 1e 1d 0e 1b  22 ea 0a 1d 18 19 2f 1b  |........"ê..../.|
-00003570  18 1e 17 0d 24 23 29 0e  25 01 09 08 04 2f 17 12  |....$#).%..../..|
-00003580  17 1d 0e 17 0d 18 23 c0  60 00 23 e0 08 f0 b0 a0  |......#À`.#à.ð° |
+00003570  18 1e 17 0d 24 23 29 0e  2f 2f 2f 2f 2f 2f 2f 2f  |....$#).////////|
+00003580  2f 2f 2f 2f 2f 2f 23 c0  60 00 23 e0 08 f0 b0 a0  |//////#À`.#à.ð° |
 00003590  a0 a0 a0 a0 a0 23 e8 08  00 0b 0a 0a 0a 0a 0a 0a  |     #è.........|
Arkanoid (real vs pirate):

Code:

 00002500  5b 5c 5d 5e 5f 22 0c 08  01 2d 19 15 0a 22 0e 1b  |[\]^_"...-..."..|
-00002510  22 4c 09 02 2d 19 15 0a  22 0e 1b 1c 22 cb 0a 60  |"L..-..."..."Ë.`|
-00002520  61 62 63 64 65 66 67 68  69 22 eb 0a 70 71 72 73  |abcdefghi"ë.pqrs|
-00002530  74 75 76 77 78 79 23 24  18 28 2d 1d 0a 12 1d 18  |tuvwxy#$.(-.....|
-00002540  2d 0c 18 1b 19 18 1b 0a  1d 12 18 17 2d 01 09 08  |-...........-...|
-00002550  06 23 66 13 0a 15 15 2d  1b 12 10 11 1d 1c 2d 1b  |.#f....-......-.|
-00002560  0e 1c 0e 1b 1f 0e 0d ff  28 e3 13 1d 11 0e 2d 0e  |.......ÿ(ã....-.|
+00002510  22 4c 09 02 2d 19 15 0a  22 0e 1b 1c 22 cb 0a 2d  |"L..-..."..."Ë.-|
+00002520  2d 2d 2d 2d 2d 2d 2d 2d  2d 22 eb 0a 2d 2d 2d 2d  |---------"ë.----|
+00002530  2d 2d 2d 2d 2d 2d 23 24  18 2d 2d 2d 2d 2d 2d 2d  |------#$.-------|
+00002540  2d 2d 2d 2d 2d 2d 2d 2d  2d 2d 2d 2d 2d 2d 2d 2d  |----------------|
+00002550  2d 23 66 13 2d 2d 2d 2d  2d 2d 2d 2d 2d 2d 2d 2d  |-#f.------------|
+00002560  2d 2d 2d 2d 2d 2d 2d ff  28 e3 13 1d 11 0e 2d 0e  |-------ÿ(ã....-.|
 00002570  1b 0a 2d 0a 17 0d 2d 1d  12 16 0e 2d 18 0f 29 23  |..-...-....-..)#|
Galaxian (real):

Code:

      10  43 4f 50 52 2e 31 39 38  34 20 4e 41 4d 43 4f 20  COPR.1984 NAMCO
      20  48 41 52 55 48 49 53 41  20 55 44 41 47 41 57 41  HARUHISA UDAGAWA
      30  78 d8 a2 4d 9a a9 10 8d  00 20 ad 02 20 10 fb a2  x..M..... .. ...
Galaxian (pirate):

Code:

    2010  a2 00 a9 00 9d 00 01 e8  e0 30 d0 f8 4c 20 e0 20  .........0..L . 
    2020  48 41 52 55 48 49 53 41  20 55 44 41 47 41 57 41  HARUHISA UDAGAWA
    2030  78 d8 a2 4d 9a a9 10 8d  00 20 ad 02 20 10 fb a2  x..M..... .. ...
The "copr.1984 namco" is never rendered, but they removed it anyway. They still kept "haruhisa udagawa".

But the more interesting observation comes when one looks at the CHR-ROM data.

Here's Galaxian (left: original; right: pirate):
Image
They removed the NAMCOT logo entirely for some reason.

However, in The Goonies, they did not remove the KONAMI text (bottom left):
Image
Possibly because it would have been a bit too difficult. The Konami logo is embedded in 1-bpp graphics that overlaps with another 1-bpp graphics item. A neat trick that Konami used for increasing the mileage for CHR data.

The Legend of Kage and Urban Champion were not modified at all, either. (But there was nothing to change, really.)

But now, this is what they did to Arkanoid:
Image
No, they did not remove the TAITO logo, even though that would have been easy. They removed half of the game! What's that "JALECO" text doing there? Turns out that through their incompetence, they somehow put graphics of a wrong game in the cartridge. If I understand correctly, those graphics are from Argus.
I verified it in an emulator, by poking the RAM directly to warp to stage 33. Left: Real Arkanoid. Right: NTDec Arkanoid.
Image Image
Oh, it did not even bother to switch VROM pages.
Granted, this is the last stage of the game, and there are approximately zero players who can get that far in the game, but still, if anyone did, they would have been somewhat disappointed.
Image Image

EDIT: They also did something that made the music player easter egg in Galaxian stop working. Probably the bootstrapper intervenes somehow.
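Overwrites like the ones in the PRG-ROM dumps above can be located mechanically once the original and the multicart bank are aligned. The following is an added example, not part of the original post: the function name and the minimum-length threshold are hypothetical, and the sample bytes are copied from the Legend of Kage and The Goonies rows quoted in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { size_t start, len; uint8_t fill; } blank_run;

/* Compare two aligned buffers of n bytes. At each difference, widen the hit
 * to the whole run of the identical byte in `mod` that covers it, so that
 * bytes which already equalled the fill value in `orig` (such as a 00
 * separator between words) do not split one overwrite into several.
 * Runs shorter than min_len are skipped. Returns the number of runs stored
 * in out[] (at most max_out). */
static size_t find_blanked(const uint8_t *orig, const uint8_t *mod, size_t n,
                           size_t min_len, blank_run *out, size_t max_out) {
    size_t count = 0, i = 0;
    while (i < n && count < max_out) {
        if (orig[i] == mod[i]) { i++; continue; }
        uint8_t f = mod[i];
        size_t s = i, e = i + 1;
        while (s > 0 && mod[s - 1] == f) s--;
        while (e < n && mod[e] == f) e++;
        if (e - s >= min_len) {
            out[count].start = s;
            out[count].len = e - s;
            out[count].fill = f;
            count++;
        }
        i = e;
    }
    return count;
}

/* Legend of Kage: real dump rows 0x540-0x55f, multicart rows 0x8540-0x855f. */
static const uint8_t kage_real[32] = {
    0x92,0xa5,0x23,0x47,0x5e,0x00,0x54,0x41,0x49,0x54,0x4f,0x00,0x43,0x4f,0x52,0x50,
    0x5f,0x00,0x31,0x39,0x38,0x36,0xff,0x22,0x8d,0x31,0x00,0x50,0x4c,0x41,0x59,0x45 };
static const uint8_t kage_cart[32] = {
    0x92,0xa5,0x23,0x47,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0xff,0x22,0x8d,0x31,0x00,0x50,0x4c,0x41,0x59,0x45 };
/* The Goonies: real dump row 0x770, multicart row 0x10770. */
static const uint8_t goonies_real[16] = {
    0x89,0x1a,0x89,0x9d,0x88,0x21,0x43,0x54,0x48,0x45,0x00,0x47,0x4f,0x4f,0x4e,0x49 };
static const uint8_t goonies_cart[16] = {
    0x89,0x1a,0x89,0x9d,0x88,0x21,0x43,0xfd,0x48,0x45,0x00,0x47,0x4f,0x4f,0x4e,0x49 };

int main(void) {
    blank_run r[8];
    size_t n = find_blanked(kage_real, kage_cart, sizeof kage_real, 4, r, 8);
    for (size_t i = 0; i < n; i++)
        printf("cart 0x%zX: %zu bytes filled with %02X\n",
               (size_t)0x8540 + r[i].start, r[i].len, r[i].fill);
    n = find_blanked(goonies_real, goonies_cart, sizeof goonies_real, 1, r, 8);
    for (size_t i = 0; i < n; i++)
        printf("cart 0x%zX: %zu byte(s) replaced with %02X\n",
               (size_t)0x10770 + r[i].start, r[i].len, r[i].fill);
    return 0;
}
```

A threshold of 1 also reports the single-byte substitutions seen in The Goonies text, while a larger threshold isolates whole blanked strings such as the Kage copyright line.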
Post by 80sFREAK »

What was the size of the ROMs in the multicart? What are the sizes of the original games? Start from this point.
Post by Bisqwit »

80sFREAK wrote:What was the size of ROMs in multicart? What are the sizes of original games? Start from this point
You posted to provide advice before reading to the end of the thread? Thanks, but the ROM is already dumped at proper size.
Post by 80sFREAK »

Bisqwit wrote:
80sFREAK wrote:What was the size of ROMs in multicart? What are the sizes of original games? Start from this point
You posted to provide advice before reading to the end of the thread? Thanks, but the ROM is already dumped at proper size.
:oops: I missed the notice about extra 64k for PRG ROM, shame on me :oops:
Post by lidnariq »

Better late than never: Nestopia and GoodNES have already allocated mapper #252 to this one Chinese pirate:

Code:

case 252:

    name = "WAIXING SAN GUO ZHI";
    id = Type::WAIXING_SGZ;
    break;
GoodNES 3.14 has instances of all of the following:

Code:

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 .. 15 16 17 18 19 1A 1B .. .. .. ..
20 21 22 .. 24 25 26 .. 28 29 2A 2B 2C 2D 2E 2F .. 31 32 33 34 35 .. .. 38 39 3A .. 3C 3D 3E ..
40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 .. 52 53 .. 55 56 57 58 59 5A 5B 5C 5D 5E 5F
60 61 .. 63 .. 65 .. 67 .. 69 6A 6B 6C .. .. 6F 70 71 .. 73 74 75 76 77 78 79 .. .. .. .. .. ..
.. .. .. .. 84 85 86 .. 88 89 8A 8B 8C 8D 8E 8F .. 91 92 93 94 95 96 97 98 .. .. .. 9C .. .. 9F
.. .. .. A3 A4 A5 .. A7 A8 A9 .. AB AC AD .. AF B0 B1 B2 .. B4 .. B6 B7 B8 B9 BA BB BC BD .. BF
.. C1 .. .. C4 C5 C6 .. C8 C9 CA CB CC CD CE .. .. D1 D2 D3 D4 D5 D6 D7 D8 D9 .. DB DC DD DE ..
.. E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB .. .. .. .. F0 F1 F2 F3 F4 F5 F6 .. F8 F9 FA FB FC FD FE ..
Nestopia supports explicitly:

Code:

00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 .. 15 16 17 18 19 1a 1b .. .. .. ..
20 21 22 .. 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a .. 3c 3d 3e 3f
40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 .. 52 53 .. 55 56 57 58 59 5a 5b 5c 5d 5e 5f 
60 61 .. 63 .. .. .. 67 68 69 6a 6b 6c .. .. .. 70 71 72 73 74 75 76 77 78 79 .. 7b .. .. 7e ..
.. .. .. .. 84 85 86 .. 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f 
.. .. .. a3 a4 a5 a6 a7 .. .. aa ab ac ad .. af b0 b1 b2 b3 b4 .. b6 b7 b8 b9 ba bb bc bd .. bf 
c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 .. d3 d4 d5 d6 d7 d8 d9 .. db .. dd de df 
e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec .. .. .. f0 f1 f2 f3 f4 f5 f6 .. .. f9 fa .. fc .. fe ff
And kevtris has a table here
Post by Bisqwit »

lidnariq wrote:Better late than never: Nestopia and GoodNES have already allocated mapper #252 to this one chinese pirate:
<...>
<tables>
All right, let's make it 0xAE i.e. 174 then :-)
How do I rename the Wiki article?