More Toys :)

      2 Comments on More Toys :)

So it’s been a while. akubi sent me some of her games that contain interesting PCBs — the most outstanding being DMG-Z01-01 followed by DMG-KECN-SP. Still no idea why they put an extra transistor on the latter tho… The former has some weird ROM where Sharp combined 2x 16Mbit in one package (LH5S5WTI).

Still working on figuring out the PALCE16V8 on SA8MBT6-2 used by Gedou Zhenlue 2002. I found the programming algorithm in some obscure Indonesian thesis. Now I need to build a cheep-ass programmer, then see if the security bits can be fooled by reversing the power sequencing for programming (some forum posts claim that’s how you do it).

Notwithstanding that I don’t have time for much of anything right now, I couldn’t refrain from spending some money on eBay. I’m now a proud owner of a DMG-QLA-01… err… a 4-Player adapter for the original DMG. I originally bought one in Japan, but it was literally in the only package that managed to get lost — with a copy of Rockman & Forte for WSC and some DMG games no less πŸ™ Of course, there’s a little Motorola MC68HC05P71)I shamelessly stole the CPU info from Jeff Frohwein; not sure how he determined it, but pinout matches. in there (actually, it’s quite a neat CPU) which is still undumped as far as I can tell. I always wanted to do some hobo decapping, just need the right tools and the right incentive. Still not sure if it’s such a great idea to use chemicals that can burn my lungs away, but… YOLO πŸ˜€

Anyway, shelled out some money for an official rumble dev cart, DMG-B03-11 (no pre-release game on it tho…). Operation isn’t as straightforward as one might have hoped, but I’m getting there. I already figured out how to access SRAM (yeah, it needed figuring out) and read the manufacturer information from the flash chip. Reading the actual game was no problem at all (kind of obvious, though). Made a schematic and marked down some preliminary findings about MBC5-D, the development version of the MBC5.

Then I got a Bung Exchanger and a 64M flash cart (actually, a “Mr. Flash” cartridge; the exchanger is unmarked, but has Bung chips on it) for cheap. Gathered some software from back in the day. Now I just need a printer port. Probably going to see if I can get one for dirt cheap that’s still reliable. Then I spent even more euros and acquired a GBDSO2)Game Boy Digital Sampling Oscilloscope and an ELV GBD 13)ELV Game Boy Datalogger 1 [German].

I managed to break the GBD 1 while undoing the casing — in case you need to open it, too: Don’t put a knife under either of the bottom sides of the case. You’ll catch on the inductances and break their legs off. It should be straightforward to fix though. It did work before my opening the case, so go figure πŸ˜›

Well, so much for now, I guess. I just barely managed to fix my GB dumper — yet again. Apparently, the FTDI chip’s clock input lead is having a hard time staying connected to its clock line, so the baud rates don’t match up anymore. Of course, I changed the original 187500 baud used by Kraku & Chroost to 750000 baud, because I hate waiting on my dumps. 32Mbit take long as is. Might look into a nicer solution as a redesign of my VUE Cart Reader design. Basically, pop in the other GEC, nix two DFF8s and it should work at breezing speeds. DFU over USB included. But I’m somewhat tight on time right now, so maybe I’ll think about it “next week”-ish.

   [ + ]

1. I shamelessly stole the CPU info from Jeff Frohwein; not sure how he determined it, but pinout matches.
2. Game Boy Digital Sampling Oscilloscope
3. ELV Game Boy Datalogger 1 [German]

Sachen Update

      Comments Off on Sachen Update

So thanks to BigFred from no-intro, I got my hands on more Sachen cartridges.
A few were mono cartridges, which I managed to dump using my 4B-007 code.

Unlocking color cartridges, which are compatible with CGB as well as DMG works just fine in DMG mode. However, the internal mechanics work differently, so I’ll have to update the wiki shortly. Figuring out how to unlock them in CGB mode took quite some time, because I forgot to mark the #CS signal as being connected to the mapper πŸ˜‰ CGB and DMG mode do not refer to whether or not the game will run in color, they actually do make use of common Game Boy identification methods.

Well, anyway, I figured out how to unlock them in CGB mode as well and I believe I have a correct state machine figured out. I got to contribute some code to higan to properly emulate these mappers, but I digress.

So the actual pretty fucking huge deal is that many of the regular 4B color cartridges actually contain multiple ROMs in them and — depending on some solderable/cuttable links on the PCB — boot up in 8B-mode or 16-in-1 (16B anyone?) 16B-mode. Currently checking back with BigFred if he’s OK with me cutting some traces on his game PCBs though…

So yeah, exciting news. I also prepared schematics for most of them, though documenting chip-on-board is somewhat bothersome. I’m also convinced that they used 3D wire bonding technology and for some reason ROMs that are much bigger than their games — that must have been expensive… For instance, Thunderblast Man is 2 Mbit, yet its Chinese counterpart requires 4 Mbit to function correctly and has an 8 Mbit thus contains another 2 Mbit ROM πŸ™‚

So guessing some pinouts for them isn’t so straightforward 😐 But I’ll do my best guesstimate and that has to be enough, I guess.

Sachen 4B Mono Mapper

      Comments Off on Sachen 4B Mono Mapper

This information is superseded, see Sachen Mappers.

I thought I might as well update that within hours of opening my 4B-007 cartridge I managed to dump it. Basically, the mapper has at least four registers.

  • Lock register: Whether the mapper is unlocked or not, see below
  • 0x0000-0x1FFF: base ROM bank register; select absolute base RB @ 0x0000-0x7FFF
  • 0x2000-0x3FFF: ROM bank register; switch logical RB @ 0x4000-0x7FFF
  • 0x4000-0x7FFF: ROM bank mask register; select mapping mask for absolute RBs

Basically, the mono variant of the Sachen 4B mapper has two modes of operation, which I call locked and unlocked. It defaults to locked after reset.
This is used to display the Sachen logo instead of the Nintendo logo for the DMG bootstrap ROM. While locked, the mapper will OR the actual ROM address with 0x0080 (i.e. A7 always set).
The unlock sequence is 0x31 writes to VRAM/WRAM/SRAM (A15 set) intermixed with 0x30 reads from ROM (A15 reset); #CS is don’t care. Write->read transitions as well as read->write transitions are counted and one needs 0x30 of each, 0x60 total.
As far as I could tell, all other functionality is unaffected by the lock register, i.e. switching banks, remapping etc. will all work while locked. The only way to lock the mapper after unlocking is to reset it.

The ROM bank register functionality should be obvious. Bank is zero-adjusted like e.g. MBC1. However, zero-adjustment is done on all 8 bits while writing to the register, which itself is only 6 bits wide (D5..D0)1)I could not test if D5..D4 actually effect mapped bank, due to 4B-007 only containing 0x10 ROM banks.. So it is technically possible to map RB 0x00 to 0x4000-0x7FFF when abusing the overflow of this register or having a ROM smaller than 0x10 RBs2)Depending on D5..D4 of the ROM bank register affecting mapping, smaller than 0x40 resp. 0x20 ROM banks..

Base ROM bank and RB mask register are used for remapping 0x0000-0x7FFF to be based on a new base ROM bank3)It is reasonable to assume that both of these register are at least four bits and at most #active bits in ROM bank register wide.. Both are writable while the ROM bank register D5..D4 contains 0b11 without limitation.
The mapping function is: (rb & ~mask) | (mask & rb_base).

Too bad Sachen screwed up (on 4B-007 at least) and actually writes the base RB to the mask register and the mask to the base RB register, thus all games having broken masking. But due to power-of-2 sizes of RBs and masks, it turns out that only a few extra RBs are mappable which shouldn’t be instead of the games skipping ROM banks.

I noticed that the Sachen logo check was disabled in the mapped games4)VRAM comparison of logo area starting at 0x8010. I also noticed that games do write to 0x0000-0x1FFF while being mapped, so this may have some effect (possibly SRAM) either on the original Sachen 1B mapper or on both the 1B and 4B mono mappers.

   [ + ]

1. I could not test if D5..D4 actually effect mapped bank, due to 4B-007 only containing 0x10 ROM banks.
2. Depending on D5..D4 of the ROM bank register affecting mapping, smaller than 0x40 resp. 0x20 ROM banks.
3. It is reasonable to assume that both of these register are at least four bits and at most #active bits in ROM bank register wide.
4. VRAM comparison of logo area starting at 0x8010

Opening Sachen “4 in 1” 4B-007

      Comments Off on Opening Sachen “4 in 1” 4B-007

So I recently acquired a Sachen game, 4B-007 “4 in 1”. Of course, I had to open it somehow to look inside… Cartridges are a bit smaller than regular Game Boy cartridges and they lack a screw at the back. So with no easy way to open it and prying and shoving on the edges not helping, I had to resort to a more forceful approach. So I used my trusty dremel to dremel the back off where the screw was supposed to be.

I pretty much dremeled away until I could make out what was holding the shells together. I hit part of the PCB — see that green smear :)? — but no worries there.

So after violently separating the shells, I now know how they were assembled. Turns out they used four snap-fit lugs on the sides — 1.0cm and 4.4cm down from the top edge on both sides, in case you were wondering — as well as a press-fit connection instead of a screw. Basically, what you can see in the shell images are the outer hub on the back shell with a hole in it where I dremeled the base of the shaft away. And yes, I just googled these terms.

Press-Fit JointPart of the shaft can be seen in the hub on the front shell. The hub on the front shell in turn is a shaft of its own for the hub on the back shell. No idea if there are barbs at the end of the inner shaft, I doubt it though.
The picture on the left shows what it would look like if I had not broken it. Blue hub and shaft on the back shell, red hub on the front shell; not to scale.

These cartridges were obviously never made with servicing or opening in mind. It should be possible to gently unhinge the lugs and then pull the press-fit joint apart, but it probably requires a really sensitive approach to work without telltale signs of the cartridge having been opened.

Well, the inside was kind of a let-down. I was kind of eager to find a full-size PCB with mapper plus ROM. What I found was a reduced-size PCB called SA-111 with a COB glob-top. This is actually mapper and ROM in one. I already found out how the Sachen mapper fools the DMG, but I need some time to merge the changes into a dumper firmware to dump the ROM. Also notice how the two holes on the left are actually pads for an electrolytic capacitor which was not fitted and not vias.

See also a related post here, which I only found after brutalizing my game.

TAMA5 update

      Comments Off on TAMA5 update

So I took the time to look at all my cartridges now. So far all have the same PCB serial, 020309E4-01-1. Other data in the following table.

ROM (TAMA7) MCU (TAMA6) Interface (TAMA5)
B9748 43903A 9752H 9749 EAH1
B9748 43906A 9730H 9726 EAA1
C9749 43896B 9731H 9725 EAD1
J9748 43860A 9728H 9726 EAB1
C9749 43908A 9727H 9725 EAI1
B9748 43906A 9730H 9726 EAA1

Somewhat disappointing: all contain the same ROM. I had hoped that some of the letters would indicate a ROM revision, but alas, seems to be a date code, or manufacturer code etc.

Game Boy Peripherals

      1 Comment on Game Boy Peripherals

So yeah, I took apart some Game Boy peripherals, namely the Zok Zok Heroes Full Changer, the GB Mobile Adapter (CGB-005PD/PDC version/blue) as well as the DOL-11 Game Cube to Game Boy Advance link cable. So yeah, expect some future updates on these πŸ™‚ I already drew schematics for the Full Changer as well as DOL-11. Didn’t find the muse to do CGB-005PD, yet.

I also finished the hardware for testing the MBCs, now I just need a decent software implementation for parsing some custom language to describe the data flow and I’m ready to test it. I plan to test MBC3 first to confirm pin-out/one missing pin I suspect is RAM_ENABLE, then move on to MBC30 to confirm its pin-out as well as several pins I’m not 100% sure of. The more exotic MBCs will have to be dealt with after that. I foresee some software changes along the way, so I do the easy ones first so software will hopefully be stabilized by the time I get to the more complex MBCs.

I also ordered a bunch of TAMA5 resp TAMA6. I’m somewhat hopeful though that the mask ROM can be read through the GEC, as the first RB of the game contains a bunch of calls to read and write some data. However, these could all be for the RTC :-/ Speaking of mask ROMs, the Full Changer has a MCU with custom mask ROM too, but I only have two of those and don’t feel like shelling out a lot of money to get more. Not sure how to extract the mask ROM anyway, as the only option open to me seems ghetto acid + USB cam style for now — or very expensive laboratory for which I’d have to ship the ICs halfway around the world.

Anyway, I guess this counts as an update πŸ™‚

GB Memory Cartridge

      1 Comment on GB Memory Cartridge

So I just finished reviewing the menu ROM of one of my carts (the other one is missing the G-MMC1 chip…) and as dreadfully expected, the stupid MX15002 (G-MMC1) is actually an SoC by Megachips (they call them LSI for I guess Large Scale Integration). So pretty much proprietary SoC/ASIP with proprietary software – great -_-”

GBMC Check Menu.

GBMC Check Menu.

So yeah, registers are mapped into ROM space. The menu cart has a little test program that can be activated by editing WRAM: set 0:C239 to 0xFF and 0:C000 to <>0x55. It will test the register map, start-up data (0xA8 0x00 0x00, which must somehow contain ROM bank/size, RAM bank/size, Mapper?), see if all mapped ROM banks can be accessed, see if single and double speed access are ok by checking the ROM check sum. If all checks are OK, it tries to boot the menu (which fails on emulators). I’ll cover the command sequences on the wiki when I find some free time to do so.

The menu comes in four different flavors: DMG, SGB, CGB, and an unused CGB + PocketPrinter flavor. SGB mode is DMG mode with better sound, CGB mode is colorful. Apparently, the menu would detect when the PocketPrinter was connected and show this background instead of the usual background. Code, graphics and tilemap are there, but it’s never used. Haven’t dug much into whether any PocketPrinter code is still present, but I looked at most of the code and nothing stood out too much…

So yeah, probably going to check next if the G-MMC1 will let me write to flash directly or if it will prevent that ;).

Small 2014 update

      Comments Off on Small 2014 update

So I’ve been somewhat busy tracking down some unconfirmed Gameboy cartridges from the no-intro set. Glad to say that right now only German PokΓ©mon Yellow is missing from German DMG games πŸ™‚ Have some other games in store I dumped and forgot about, but will commit them to DoM soon enough πŸ˜‰

Been somewhat busy today working on the VUE Cart Reader some more after I dumped my entire collection a few weeks ago. I just finished write support and the firmware is now complete — just missing some optimizations I’m not sure are worth it… The host app now has a Reader::bulk_read function instead of Reader::do_it3, too πŸ˜‰
That’s my first project using LUFA and libusb (blocking API, no firmware support for concurrent operations) and I have to say, it does take some time getting used to. libusb not so much as LUFA. I swear Dean Camera fucking loves his global variables -_-”
Well, just a little bit more polishing and I’m going to upload it here, schematics and all.

Speaking of schematics, I guess it’s time to upload those Game Boy and Virtual Boy cartridge schematics I had been talking about earlier. This will probably go into the wiki once I’m somewhat confident I triple-checked everything — already went over it twice and still found some signals that mysteriously vanished from revision to revision. Git sucks for binary files (which it detects Altium schematics to be…), so I’m kind of doing back to stone-age versioning of PDF files :-/

Well, I guess there hasn’t been going on much more, really.

Wonderswan Cartridges

      Comments Off on Wonderswan Cartridges

Heya,

back from holidays. So I decided to finally open up my WonderSwan games (all nine of them) from back in the day in 2007. I used a Torx 6 (T6) screwdriver for the cartridges as well as the WonderSwan Crystal (which might actually be T7). The edge connector has 48 pins starting on the very left when the cartridge is upright, label facing out of the WonderSwan (the receptacle inside the SwanCrystal had numbers).

First thing I noticed was the complete lack of obvious ROM and cartridge codes. To my surprise, Bandai used OTP ROMs, which explains the lack of ROM version codes. No visible stamps (like for Nintendo revisions and presumably place of origin) on the cartridges either. There’s a sticker on the back of each PCB though, 8 arabic digits, no obvious pattern.

Codes seem to be SWJ-(developer)[C](game number; 2 or 3 digits)[game version].

I have developers BAN for BANDAI and SQR for SquareSoft. Optional C means Wonderstan Color. Arabic game number is somewhat self-explanatory. Optional alphanumeric game version, i.e. SWJ-BAN01C is Digimon Adventure Anode Tamer, SWJ-BAN01D is Digimon Adventure Cathode Tamer. Digimon Link System “Digital Partner” has two numbers, SWJ-BAN02C and SWJ-BAN02F. Some carts were apparently also numbered consecutively on their label, though only my Digimon carts feature this.

PCB codes aren’t much help either, as its seemingly only (PTE|PTS|WSS)-[0-9]{4}[A-Z]?. All my PTE carts have the Bandai 2001 controller, all my PTS carts have the Bandai 2003 controller. My single WSS cart has Bandai 2003, though it conspicuously lacks the “Bandai” text. Alphanumeric revisions, with no letter for initial and A (and presumably B, C, …) for following revisions.

Notably, Digimon Adventure 02 Tag Tamers is SWJ-BAN032 (my only 3-digit cart), does not have a WonderSwan Color/Crystal logo, yet features a PTS pcb.

I have the following PCBs

  • PTE-0016: beatmania for WonderSwan
  • PTE-0021C: WonderSwan Mainboard
  • PTE-0037
  • PTE-0037A
  • PTS-0108
  • PTS-0114: Digimon Link System Wireless Adapter PCB
  • PTS-0133
  • PTS-0133A
  • PTS-0148A: WonderSwan Crystal Mainboard
  • WSS-0003

So yeah, that’s it for now. Still working on the Virtual Boy dumper software tho πŸ˜‰ However, I already did order a “junk” WonderSwan Color from eBay for a spare edge connector receptacle, so I might build a dumper for this in the future. Kinda wish I had gone with a “universal” adapter style like the Retrode, so I could “just” transform my Virtual Boy dumper into a WonderSwan Dumper. Oh well…

EDIT: The junk WonderSwan arrived and I updated the PCB list above to include it. Also, luckily it was only considered junk because of appearance, not because it didn’t work πŸ™‚

VUE News

      Comments Off on VUE News

VUE Cart Reader v1.1In other news: I built a Virtual Boy dumper, which I dubbed “VUE Cart Reader” after the “GB Card Flasher” by Kraku & Chroost.

I pestered no-intro’s shippa into creating a source table for Virtual Boy and will proceed to dump all of my games (almost the entire library, sans the top 3) in due course (though I got delayed, see last post xD). So stay tuned for that update πŸ˜‰

Will probably release schematics and software when I’m done with that. It’s basically an ATmega32U2 using the LUFA USB stack, some I/O extenders and the cart connector from a donor VB, as you can see above.
However, host side software is stuck in infancy using libusb. Currently, I implemented do_it{0,1,2} to dump data and did not code a proper user library/API… So I definitely aim to improve that before I dump the rest of the games, because I know I’ll slack off if I dump all of them first πŸ™‚

P.S.: I also set up a repository at github.com/Tauwasser/GBCartFlasher1)This used to be gitorious.org/gb-cart-reader, but the repo moved when gitorious shut down. for my C re-implementation of the GB Cart Flasher firmware. I wanted to consolidate and push my different branches onto there (I have a few for dumping special games), but then I found BitBucket, so I guess I’ll move there before doing that πŸ™‚ So still more stuff on the agenda for now.

   [ + ]

1. This used to be gitorious.org/gb-cart-reader, but the repo moved when gitorious shut down.