Charles MacDonald's Home Page

News

Current
Old News

Emulation

SMS Plus
Genesis Plus
TGEmu
Sega System 24
MAME WIP
Sega WIP
FD1094 Status
FD1094 Game Conversion

Electronics

Electronics Projects

Information

Sega Genesis
Sega Master System
Sega Game Gear
Sega SC-3000H
Sega Saturn
Nintendo Super NES
Nintendo GameCube

Miscellaneous

Video Game FAQs
Links

External Links

The Guru's ROM Dumping News
Nicola's MAME Ramblings
David Haywood's MAME WIP
Aaron Giles' Home Page
Richard Bannister
doxDev
AamirM's Homepage
Kale's Mame Wip
PC-Engine dev

Other

Contact

News (2/5)

The Data East cassette system uses a security dongle that is unique to each game. This prevents operators from duplicating a game simply by copying the audio data from a game cassette to a blank tape. There are several types of basic dongle designs, and each one has data that is specific to a particular game.

A 6502 CPU runs the BIOS and software loaded off the tape. It can exchange command and data bytes from a 8041 MCU that controls the tape drive over a serial interface. The dongle sits between the 6502 and 8041 and can modify, replace, or pass data through unaltered during communication. A loaded program can also interrogate the dongle for additional data unrelated to the 8041 or tape contents.

I've made a circuit that mimics both the 6502 and 8041 interface so all aspects of the dongle can be observed. Because some dongles also have a reset generator inside them that intializes the internal state, the dongle reader has a software-controlled power supply to force a reset condition as needed.

It has been tested successfully with a so-called Type 3 dongle. This dongle has a normal operating mode and a "PROM mode" where a 4Kx8 PROM can be read out sequentially. After a reset, values written to the data and command registers and data read from the command register are not modified. Values read from the data register have bits 6 and 7 exchanged, and bit 0 is the latched value from the previous byte that was read.

The 8041 normally uses commands in the 00-7F range and ignores higher values. This allows 80-FF to be used to send commands to the dongle that will not trigger any action on the tape drive. For the Type 3 dongle, writing Cx (where bits 3-0 don't matter) enables PROM mode. Now, writing any value to the command register loads bits 12-8 of a 12-bit counter and bits 3-0 are reset to zero. Reading the command register returns a byte from the PROM at the current address, then the counter is incremented by one. The counters wrap from offset FFF to zero. In this way the loaded program can read out the entire PROM content.

Oddly enough the 8041 interface seems to be disabled in this mode. Writing to the data register or command register will tristate the data bus, causing the 8041 to latch an open-bus value. Likewise, reading the data register returns an open-bus value as well. There are no resistors on the BIO-8 board or in the Type 3 dongle to pull the data lines into a known state, so the actual value that is present will fluctuate.

Perhaps after receiving the Cx command the 8041 knows to ignore all future communciation with the 6502. Once the power has been cycled the system and dongle will reset and normal operation resumes, with the tape drive being accessible again. Once I get some other types of dongles to experiment with I'll post an update about how they work.

Old News (1/6)

I recently dumped the internal ROM for Wing's "7 Smash". The ROM was trojaned in a similar way to Pinkiri 8 and other Wing games that are now emulated in MAME.

This board uses a HD647180 MCU (in a huge 90-pin SDIP package) with 16K of internal ROM and up to 128K of external ROM. The external ROM contains program code so it isn't particularly hard to get control of the system by inserting your own software into the ROM once you've made a NOP sled or identified the entry points.

To get the internal ROM data out I used my 8-bit EPROM emulator which can also emulate RAMs. The two red wires in the picture are used to tap into the system reset signal from the MB3771 and part of the glue logic which generates a write strobe for memory locations. This allows the trojan program to write back into emulator memory to store data. Once it had copied the internal ROM to RAM (and generated a checksum) I just had to download the emulator RAM and that was it.

If any more of these games come up in the future it should be fairly easy to get them dumped.

Old News (1/1)

Here's some Saturn and PSX info:

The ROM replacement is designed to be used with an EPROM emulator connected to the flash memory socket of a PSX Action Replay or similar device. It functions as a loader for a small (~32K) program appended to the ROM, which is copied to work RAM at $80010000 and executed as a subroutine. The appended program can return to the caller to continue with the BIOS boot process if necessary.

The AR and most clones use a 78L05 regulator which is not sufficient to power an EPROM emulator, I had to replace mine with a full-sized 7805. The cheaper variants just use a zener diode to knock down 7.5V to 5V and have no real regulator, so more changes will be necessary.

I've been having a lot of fun playing the fan-translated version of Persona 2: Innocent Sin. The people responsible did an incredible job hacking up the original game for the rest of us to enjoy, and it's thrilling to think they are working on Soul Hackers next:

Incidentally Atlus localized the PSP version of Innocent Sin, but purists will probably want to play it on the PSX like it was intended.