Heya, I’m not dead :D

Hey, so a lot has happened recently. First off, I moved cities for a new job and that’s why my coverage has been spotty to say the least. Unfortunately, I’ll only really get settled November-ish, maybe a bit sooner.

What did I do since February you ask? Well, I looked into disassembling Devil Children Black, Red and White Book. But that hasn’t really broken the off-the-ground mark yet, because I’m super picky about automating as much as possible including function call arguments and stack manipulation. I might have to scale back my expectations from unreasonable to barely doable tho *le sigh*

Then I have been dumping a small number of European Gameboy games (should all be in DoM by now) and importing some stuff from Taiwan for release in the near future or whenever, see post below. Basically, I’m not releasing because I’m unsure about the classification, but if no info turns up, I’ll just have to do it anyway and maybe recat later.

There is also MMM01 research stuff I almost completed (one bit’s functionality — if any — still eludes me) but had no time to clean up yet and put in the wiki. Code describing the functionality is in MESS though.

Then I went on to document/dump some Gowin games lent to me by various individuals, but only got so far as to fully verify one dump and document one PCB — which turned out to be the more interesting one anyway.

So right now there’s plans for Sachen, Gowin, Datel, some random Sintax games, misc Gameboy MBC research stuff, some disassembly stuff and probably some other stuff I forgot. I also want to get into Virtual Boy homebrew more and might think about dumping my WonderSwan collection or lending it to somebody who can dump them easily. It’s unfortunate that I tend to get super busy and drawn into work all the time, but then again, having a job beats living on the streets 😉

More Sachen Updates Incoming

So I recently acquired more Sachen games, among them are 31B-001 (Taiwanese version), 16B-002 (2x 8B with switch), the elusive 6B-001, which I guess is now confirmed to exist and an unknown 16B variant featuring the Mahjong titles and a wide selection of other titles, meaning it’s not just two 4B/8B ROMS back-to-back.

I then went on to actually automagically split the ROMs into individual sub-ROMs and compare them for revision differences etc. This yielded some boring results, where the combined 4B ROMs have no header, an unencrypted header or a different entry-point to fool Sachen’s own simple logo-based copy protection. The most interesting thing I found is a 5-in-1 cartridge featuring Stotris and the Mahjong titles as opposed to the regular 4B-003 4-in-1 cartridge.

The menus are about the same, and Stotris has even the same entry point for both entries, so it’s likely that – Sachen being Sachen – it’s actually the same game code with just a few different arguments passed to it for Stotris 1 and Stotris 2. Still, it’s a fun little discovery, anyway 🙂

The rest of the games will be put up on DoM shortly and I’ll keep updating the other Sachen post I made below with dump dates etc. I documented the different 4B color menus and what solder options will trigger them. Of course, half the menus are broken, because why not, and both 16B menus might have a bug… fun. Still, probably going to try in MESS to see if the games load properly anyway.

I also took some time to update my WP site theme, so if anything is broken, that’s probably why 🙂

More MIN measuring fun

Pokémon Mini So I tried to evoke a response of my comatose Pokémon Mini again, but nothing on the supposed CN3-23 (#RD?) or CN3-29 (FR?) lines. Pictures of the patient on the left.

As I said above, CN3-23 wouldn’t budge, CN3-29 stays low the whole time. I get the feeling that maybe CN3-29 is actually an input for some LCD status signal (#DOF?; MIO?) and that’s why the MIN panics when the LCD seemingly doesn’t come out of reset? I might try to pull it up via a resistor next time when I measure stuff.

This time I used the “Nth” triggering option of my scope to look at the LCD signals some more. I used this feature to determine the sequence I got to see so far:
Pokémon Mini Init Sequence

  • 1x write to command register
  • 8x the following sequence:
    • 3x writes to command register
    • 96x writes to data register
  • 2x writes to command register
  • 16x writes to command register
  • 1x write to command register
The first 806 writes take roughly 9ms, while the final write occurs at 350ms after the initial write access — which leads me to believe that’s roughly the time when the MIN gives up and enters some indeterminate state where it won’t turn off any more. So we have 8 writes of 96 bytes in the first frame, i.e. 8x (96 x 8) 1bpp pixels of data, which seems right. The three writes preceding every sequence do the setup for that row of data.

Two more pictures of my setup and the final seconds of the CN3-23 (#RD?) pad. For reset, I use tweezers to hit the two pads while holding an additional probe in place for A0 (some of the time anyway).

MIN progress

So I broke my Pokémon Mini (MIN) trying to solder some wire-wrap onto the LCD connector. Wire-wrap was of course as big as each pin and pitch was only 0.5mm, so yeah… That didn’t work out.

I was going to check out the display signals while actually seeing the display work. Alas, having broken something in the connector (possibly related to me melting it with my soldering iron *oops*), I took the connector off (0.5mm 29pin FFC with connection on PCB side [down, below]), soldered the darn wire-wrap onto the PCB pads — and managed to halfway rip off CN3-23 in the process *yay me* — and used my scope to make some waveform shots. This is the result:

CN3-23 – #RD?
CN3-24 – #WR
CN3-25 – A0
CN3-27 – #CS
CN3-28 – 18.7 kHz square wave (CL?)
CN3-29 – static 0 (FR?)

My scope traces only clearly show A0, #WR, #CS and CL. #RD is always 1, FR is always 0. However, the SED1565 datasheet really put things into perspective. The native LCD FFC pinout closely matches the condensed pinout found on CN3 resp the MIN LCD FFC. Since only two signals weren’t clearly identified and their default polarities match, I think this is a good fit for now. Providing an external clock and external FR might also be useful for the MIN to do cool LCD effects as well as turn the LCD off when in power down mode.

Connector and signal names as in my preliminary MIN Mainboard schmatic (which I just updated). BTW, the boost converter (StepUpConverter in schematic) works nothing like what was in the v1.0. Pin PG is an enable that will take the output voltage VOUT from ~1V to ~3V. Pin EN is actually used to turn the boost converter off again, I think (odd voltages on that pin…). I was working on a proper schematic for that sub-board itself anyway, which is why I did not bother updating the schematic for v1.1.

Incidentally, the display not being there somehow prevented the MIN from turning off. Or maybe I just wasn’t patient enough (had to press the buttons using tweezers). Or maybe I broke the #RD pin by shorting it and the MIN entered an infinite loop trying to read from the display? I’ll probably never know.

Sachen Mono Update

Just wanted to let everybody know that finally, all Sachen 4 in 1 Mono games were dumped and put into DoM by yours truly. I would like to point out that taizou and BigFred lent a hand in letting me borrow their games.

Small DoM Update

So I noticed I neglected to update DoM with the mono 4B games I had already dumped. I did so now. All redumps are in as well as new entries for 4B-001, 4B-004, 4B-006, 4B-008. I updated the last Sachen post as well.

Maybe a bit more info on color Sachen games. As mentioned in the earlier blog post, BigFred and I weren’t sure how to handle 4B Color games yet, so I held off putting them into DoM for the time being. BigFred being a no-intro High Council member and all 😉

In other related news: I now own three Sintax games:

  • Zauberringkönig II
    (A Lord of the Rings – Two Towers rip-off)
  • Donkey Kong 5 – Die Reise durch die Zeit
    (Donkey Kong 5 – The Journey through Time)
  • The Incredible Hulk
    (Graphics hack of Lao Fuzi Chuanqi)

Currently looking at the logo switch code. It’s all complicated by the fact that Sintax connected the full GEC1)Game Edge Connector. (ok, sans PHI and AIN) to their mapper.

Judging from the information I gathered from taizou’s hhugboy (a fork of GEST with support for mappers of unlicensed games) and personal correspondence, Sintax also implemented a bizarre copyright-scheme of bit-swapping and XORing the ROM data and sure enough, the mapper has a dedicated data bus for the ROM.

My initial tests however uncovered two things:

  • Sintax’s logo switching is buggy and switches logos one byte before the last logo byte is read, resulting in different logos on DMG and CGB. CGB is lucky in that the Sintax logo and Nintendo logo both have the last low nibble at 0xF. It’s the upper nibble that changes between DMG and CGB (0x3 vs 0x1).
  • Sintax do seem to switch the complete logo (RA7 trick, like Sachen, more elaborate though), so they didn’t really need to keep the upper “Nintendo” part. Maybe there’s another bug where the upper part is switched back every second byte that I just haven’t uncovered yet?! Gotta get those oscilloscope traces 🙂

A gallery of popular logos follows:

   [ + ]

1. Game Edge Connector.

Small Sachen Update

So I received more Sachen carts in the mail today and finally confirmed that Sachen’s MMC1 also has 8 high address lines, as could be guessed from the zero-adjustment being performed on all 8 data bits. Probably now going to change the dumper to read RB 0x00 from 0x4000-0x7FFF by using masking instead of ROM aliasing. Anyway, I updated the wiki page accordingly.

I also received two Sintax carts. One is currently not working, though I managed to boot it up once after like a hundred tries. Not sure what’s wrong with it yet. Anyway, they feature “Deutsche Vision”, aka shoddy German translation 😛 One is “Donkey Kong 5”, the other is “Incredible Hulk” (CGB-SYS-USA, for some reason…).

One Week Later…?

Next week… Now you know how that worked out… Anyway, I was recently contacted on no-intro about an update on the Sachen dumps. And I thought why not share my current progress with the rest of the world 🙂

So, currently dumped physical media:

1B:
---

001  - Beast Fighter         // two different versions/revisions so far
002* - Jurassic Boy II
003* - Thunderblast Man (ROW)
003* - Rocman X         (TW)
004  - Street Hero
005  - 2002 Gedou Zhanlue    // WIP

* The numbers might have been switched between
  Taiwanese (TW) and Rest-of-World (ROW) releases.

4B: (Mono)                   6B:
----------                   ---
                             
001                          001
002                          
003*
004
005
006
007
008
009

* 4B-003 was found inside Rocman X's ROM. It's assumed it is the
  Mono version as the CGB compatibility flag is reset at 0x0143.

4B: (Color)     8B:    16B:        31B:
-----------     ---    ----        ----
                                   
001             001    002         001 - Mighty Mix (TW)
004             002    ???         001 - Mighty Mix (ROW)
005
006
007
008
009

Now is a good time to mention that I finally put the Sachen MMC2 information on the wiki page.

All 4B (mono) games I encountered so far were single ROMs with a single 4-in-1 collection on them (“standalone”). Some 1B games were distributed standalone as well. Now, all 4B (color) games I have encountered so far were not standalone 4-in-1 games! They were doubled up as two 4-in-1 games inside a single ROM — as a COB ROM/Mapper combo. Which game boots up is selected via two solderable/cuttable links on the cartridge PCB. SL1 connects to the OPT1 pin of the MMC2. SL2 (CL1) connects to OPT2 of the MMC2. (OPT1 and OPT2 are tentative names.)

RA18 is whatever ROM bank is selected or OPT1. This means, either RB 0x00 or 0x10 are the base ROM bank when loading up. As foresight would have it, RB 0x00 contains code for one 4-in-1 game, while RB 0x10 contains code for another, different 4-in-1 game.

For all cartridges I have inspected so far, the following was true: #ROM_CE := A15 or RA20 or OPT2. That means, the ROM is deselected for any bus address greater equal 0x8000, which is regular cartridge behavior. However, selecting RB 0x40 will also disable the ROM, as will selecting RB 0x20 when SL2 (CL1) is closed, because that feeds RA19 straight to OPT2.

Therefore, the following configurations can be achieved:

SL1 SL2 |
   (CL1)|
--------+-----
 0   0  | Base 0x00, #RB = 0x40
 0   1  | Base 0x00, #RB = 0x20
 1   0  | Base 0x10, #RB = 0x20 (0x10-0x1F, 0x30-0x3F)
 1   1  | Base 0x10, #RB = 0x10

0 open, 1 closed.

All 4-in-1 (color) games I have seen were 0x20 ROM banks, i.e. 4 Mbit/512kB. Now, menu for collection 4B#0 sits at RB 0x00, menu for collection 4B#1 sits at RB 0x10. However, there is more to this! As it turns out, menus are coded to test for the PCB settings by comparing what they read in RB 0x00 vs. RB 0x20 and RB 0x40 etc. If the whole 0x20/0x40 banks are accessible, but 0x20 aliases to 0x00, then an 8-in-1 menu will load! If 0x20 does not alias to 0x00 and has the right 4-in-1 Color collection ID in its header, then a 16-in-1 menu will load! That’s great news, because it means potentially collecting less games to preserve all content!

So my working hypothesis is as follows:

4B-001 \
       | ---- 8B-001 \
4B-009 /             |
                     | ---- 16B-001
4B-002 \             |
       | ---- 8B-002 /
4B-004 /

4B-005 \
       | ---- 8B-003 \
4B-006 /             |
                     | ---- 16B-002
4B-007 \             |
       | ---- 8B-004 /
4B-008 /

So two 4B games are one set, two sets make a 8B set and two 8B sets make a 16B set. I have to acknowledge two things:

  • a) all games I currently checked out conformed to this hypothesis, but that does not mean that it holds for all games out there. There might be standalone 4B (color) games, as BigFred noted.
  • b) It’s not entirely certain any 16B dies with an 8 Mbit ROM were actually produced.

As this fcgamer blog post mentions, 16B games come with a switch that enables either 8B collection inside the cartridge. So presumably, that means there are two 8B dies in the cartridge and the switch toggles between them. Presumably they don’t contain a single mapper/8Mbit ROM COB glob top.

As can be seen from the initial table of dumped media, we’re basically missing one whole 8B collection, because neither 4B-002, 4B-004, nor 8B-002 have been dumped. All the others should in theory be identical to what’s been dumped until now.

As I mentioned above, some — but not all — 1B games come as standalone as well. This includes Thunderblast Man as well as Beast Fighter and Street Hero. There is however a Thunderblast Man, Jurassic Boy II combo ROM. Selection works the same as 4B games, using the two solderable/cuttable links. Rocman X comes as a combo with 4B-003. It’s unknown if 4B-003 is the color version or the mono version1)The game does not make use of the CGB features in any way, which is why BigFred classified it as “Game Boy” rather than “Game Boy Color” for now..

However, a YouTube video 2)Thanks to ssjbrollyus for making me aware of the video’s existence. purports to show the Color 4-in-1 version, yet, is mono all the way. Seeing as all 4B (mono) games came as standalone games, this might indicate that it’s actually the 4-in-1 Color version of the game and that Sachen just made 4B-003 (mono) compatible to CGB by using their Sachen MMC2 without adding colors.

This would also fit my established time-frame of all mono games being standalone and using SA-111 or TG-001/TG-002 PCBs. Notable exception: a Beast Fighter on SA8MBT6-2 was lent to me, which is a different version than the other two Beast Fighters I had dumped to far.

Worth mentioning: Rocman X and Thunderblast Man are the same ROM. They load different sprites by checking for RB aliasing at boot-up. The 31B-001 TW and ROW versions contain Rocman and TBM respectively and get around the RB aliasing code by simply writing the correct value into RAM and jumping to the actual init code3)31B-001 TW and ROW contain other changes as well..

Aaaaand…. That’s it :D! It takes a lot of nerve to keep all these factoids straight… There’s probably some more words needed for an outsider to understand all this, but I already feel like rambling at about 1000 words now, so I’ll just stop.

EDIT 1: Mighty Mix ROW dumped.
EDIT 2: 4B-005 Color dumped.
EDIT 3: 4B-008 Color dumped.
EDIT 4: Updated the list. 6B-001 does exist and is dumped, 16B-002 dumped, 31B-001 TW redumped, unknown 16B-??? dumped (features mahjong + other games).

   [ + ]

1. The game does not make use of the CGB features in any way, which is why BigFred classified it as “Game Boy” rather than “Game Boy Color” for now.
2. Thanks to ssjbrollyus for making me aware of the video’s existence.
3. 31B-001 TW and ROW contain other changes as well.

More Toys :)

So it’s been a while. akubi sent me some of her games that contain interesting PCBs — the most outstanding being DMG-Z01-01 followed by DMG-KECN-SP. Still no idea why they put an extra transistor on the latter tho… The former has some weird ROM where Sharp combined 2x 16Mbit in one package (LH5S5WTI).

Still working on figuring out the PALCE16V8 on SA8MBT6-2 used by Gedou Zhenlue 2002. I found the programming algorithm in some obscure Indonesian thesis. Now I need to build a cheep-ass programmer, then see if the security bits can be fooled by reversing the power sequencing for programming (some forum posts claim that’s how you do it).

Notwithstanding that I don’t have time for much of anything right now, I couldn’t refrain from spending some money on eBay. I’m now a proud owner of a DMG-QLA-01… err… a 4-Player adapter for the original DMG. I originally bought one in Japan, but it was literally in the only package that managed to get lost — with a copy of Rockman & Forte for WSC and some DMG games no less 🙁 Of course, there’s a little Motorola MC68HC05P71)I shamelessly stole the CPU info from Jeff Frohwein; not sure how he determined it, but pinout matches. in there (actually, it’s quite a neat CPU) which is still undumped as far as I can tell. I always wanted to do some hobo decapping, just need the right tools and the right incentive. Still not sure if it’s such a great idea to use chemicals that can burn my lungs away, but… YOLO 😀

Anyway, shelled out some money for an official rumble dev cart, DMG-B03-11 (no pre-release game on it tho…). Operation isn’t as straightforward as one might have hoped, but I’m getting there. I already figured out how to access SRAM (yeah, it needed figuring out) and read the manufacturer information from the flash chip. Reading the actual game was no problem at all (kind of obvious, though). Made a schematic and marked down some preliminary findings about MBC5-D, the development version of the MBC5.

Then I got a Bung Exchanger and a 64M flash cart (actually, a “Mr. Flash” cartridge; the exchanger is unmarked, but has Bung chips on it) for cheap. Gathered some software from back in the day. Now I just need a printer port. Probably going to see if I can get one for dirt cheap that’s still reliable. Then I spent even more euros and acquired a GBDSO2)Game Boy Digital Sampling Oscilloscope and an ELV GBD 13)ELV Game Boy Datalogger 1 [German].

I managed to break the GBD 1 while undoing the casing — in case you need to open it, too: Don’t put a knife under either of the bottom sides of the case. You’ll catch on the inductances and break their legs off. It should be straightforward to fix though. It did work before my opening the case, so go figure 😛

Well, so much for now, I guess. I just barely managed to fix my GB dumper — yet again. Apparently, the FTDI chip’s clock input lead is having a hard time staying connected to its clock line, so the baud rates don’t match up anymore. Of course, I changed the original 187500 baud used by Kraku & Chroost to 750000 baud, because I hate waiting on my dumps. 32Mbit take long as is. Might look into a nicer solution as a redesign of my VUE Cart Reader design. Basically, pop in the other GEC, nix two DFF8s and it should work at breezing speeds. DFU over USB included. But I’m somewhat tight on time right now, so maybe I’ll think about it “next week”-ish.

   [ + ]

1. I shamelessly stole the CPU info from Jeff Frohwein; not sure how he determined it, but pinout matches.
2. Game Boy Digital Sampling Oscilloscope
3. ELV Game Boy Datalogger 1 [German]

Sachen Update

So thanks to BigFred from no-intro, I got my hands on more Sachen cartridges.
A few were mono cartridges, which I managed to dump using my 4B-007 code.

Unlocking color cartridges, which are compatible with CGB as well as DMG works just fine in DMG mode. However, the internal mechanics work differently, so I’ll have to update the wiki shortly. Figuring out how to unlock them in CGB mode took quite some time, because I forgot to mark the #CS signal as being connected to the mapper 😉 CGB and DMG mode do not refer to whether or not the game will run in color, they actually do make use of common Game Boy identification methods.

Well, anyway, I figured out how to unlock them in CGB mode as well and I believe I have a correct state machine figured out. I got to contribute some code to higan to properly emulate these mappers, but I digress.

So the actual pretty fucking huge deal is that many of the regular 4B color cartridges actually contain multiple ROMs in them and — depending on some solderable/cuttable links on the PCB — boot up in 8B-mode or 16-in-1 (16B anyone?) 16B-mode. Currently checking back with BigFred if he’s OK with me cutting some traces on his game PCBs though…

So yeah, exciting news. I also prepared schematics for most of them, though documenting chip-on-board is somewhat bothersome. I’m also convinced that they used 3D wire bonding technology and for some reason ROMs that are much bigger than their games — that must have been expensive… For instance, Thunderblast Man is 2 Mbit, yet its Chinese counterpart requires 4 Mbit to function correctly and has an 8 Mbit thus contains another 2 Mbit ROM 🙂

So guessing some pinouts for them isn’t so straightforward 😐 But I’ll do my best guesstimate and that has to be enough, I guess.