December 19th, 2009
This was marked as ‘Cross Bingo’, but according to the title screen is ‘Poker Carnival’. The text Cross Bingo does appear ingame however, maybe it’s an alt name, for an undumped set?
It also had a fairly trivial protection, which Kale figured out. That’s the last of the (currently dumped) gambling games running in subsino.c. For the next MAME update Super Moto is greatly improved, and the other titles now appear to be functional.
Posted by Haze at December 19th, 2009 19:03
Comments
ehhh.. What should be commented about this?
Most like i ask what makes you guys work on these drivers?
Good thing is i am the first for the first time (i was while typing this) and….
Ronaldo, do shine much in the corinthians.
I worked on the driver because the encryption presented an interesting challenge, even if it turned out to be rather simple in the end.
good work,Haze,keep up the good Mame work,Merry christmas!
Hi David, my eprom burner should arrive in 2-3 days max :)
I have Pipi&bibi’s ASIA version. interestingly, it uses a 68000P10 and a Z08400B (z80 @ ?) There is 2 OSC, the one nearest the 68000 is OSC1 @ 10.000Mhz and the one near the program roms is 27.000 Mhz.
It’s an original Toaplan TP-025 board. There is no special chip on chip like the japanese version.
Also, i bought and got 2 sega system16 games : eswat and altered beast. There is something that i find strange. It’s stated in mame that the z80 use on these boards is clocked at 5mhz, but on my eswat board it’s using a NMOS z0840006PSC for sound processing, meaning it’s a z80 clocked @ 6 mhz. Why is it reported as working as 5mhz in mame ? thanks for enlighting me David ;)
The rating on the part doesn’t determine the speed it runs at. You can run a 6mhz rated Z80 at 5mhz, the actual speeds depend on the OSCs.
In the case of the Sega PCBs the OSC driving the Z80 is the 10Mhz one, with a divide by 2, giving 5Mhz.
Interesting to hear about your Pipibibi’s. It sounds like the parent set in MAME, that has a Z80 for sound, although I did actually think it was taken from the bootleg set. I imagine what actually happened is Toaplan produced some with the custom CPU and some without, and the bootleggers took the easy option and bootlegged the one without. That would also explain why none of the other games were bootlegged (with original sound)
Note, the region is some kind of Jumperpad on the board, so it’s possible your set will just be a 100% match for the parent set. It’s worth checking tho, because Toaplan did release multiple revisions of several of their games.
Yep, i have checked the source code for pipi & bibi, and the TP-025 seems to be not in.
Hi David, i got my eprom burner today :
I found something interesting about Zero Team.
What is marked as zeroteam, is in fact the version i have, Zero team USA. I have compared via the CRC’s of my code roms once read.
Next : Joe and mac bootleg you remember ? Here are the roms :D
http://www.yousendit.com/download/VGljclVBMm1vQUozZUE9PQ
Please tell me if everything is fine :D
The rom you’ve got marked as the Z80 rom just contains the first 64kb of one of the graphic roms instead. It looks like your programmer software may have buffered that, and saved it out instead of actually dumping the z80 program? A rather odd problem I have to say.
Also 68k rom 3 actually seems to be more sound samples? and it seems that I don’t have the actual last part of the 68k program. A bit confusing this one, but some things definitely seem to be bad, or missing.
Sorry David, i had no small sticker on the roms.
There is only 6 ROMS on the board.
I have redumped the roms. I think it’s only a problem of rearranging them (i have tried to determine what is what.
* The 2 2048kb roms are GFX banks
* the z80 rom contains a hint about technos z80 sound driver.
* the 68K roms have inside reversed (byteswapped words)
* lastly there is a 512kb sample rom.
here is the redump :
http://www.yousendit.com/download/VGlmTkFveDNFd2NLSkE9PQ
A quick glance suggests this is a lot more logical, both 68k roms now contain 68k code/data, and the z80 rom contains proper z80 code.
Cool :D Btw, i think i also got a Blood Bros Set 3 :D Here it is :
http://www.yousendit.com/download/VGlmTkF0dENoeVlLSkE9PQ
i saw it by checking the CRCs. They are different from actual set 1 and 2 ;)
thanks for checking their correctness :)
For the Caveman Ninja (Joe & Mac) bootleg they’ve moved a lot of video registers around, have more main ram, and have used a different sprite-ram format for the sprites.
It currently boots (using the original gfx roms for now), but the backmost layer is missing, and the sprites are a mess due to the changes they’ve made.
I’ll work out how to decode the new graphic roms in a moment (it looks like the content of them is the same as the normal sets, but the data is stored in a different format, using far fewer roms)
Figuring out the video hardware changes shouldn’t be too hard, but may take time. I’m guessing the sound program is ripped from Block Out, like the StoneAge bootleg is, as that’s a Technos game.
Yep, the Blood Bros is a previously undumped set, there are a number of code changes, and the entire code is shifted, so it’s clearly a legitimate alt revision that wasn’t previously supported. I can’t tell you the exact gameplay differences, but it’s a nice find.
Next nice finding ? My Pipi&bibi’s dump differs from the code roms actually supported :D hehehe ;)
Another alt version :D (note all the other roms are the same as the z80 version)
Please find them here :
http://www.yousendit.com/download/VGlmRE9zTkxCMTRLSkE9PQ
yes, that’s also a legitimate alt set, there is an additional RTS instruction added in a block of code, causing a various other code shifts and offset changes.
Again, I can’t see any visible changes, but most of the time it’ll be something like a bug fix made to one of the sets.
Another good one, about knights of the round David this time.My is like Knights set considering the CRCs. This game uses maskroms for graphics dumpable as Eprom 27C4100. This has allowed me to discover this :
1) rom loading order in mame is wrong as is the naming. Here is the correct positioning on the board and names:
KR-5M (crc 9E36C1A4) in position 01
KR-1M (crc F095BE2D) in position 02
KR-7M (crc C5832CAE) in position 03
KR-3M (crc 179DFD96) in position 04
KR-6M (crc 6DD13A0F) in position 05
KR-2M (crc 0200BC3D) in position 06
KR-8M (crc 37FA8751) in position 07
KR-4M (crc 0BB2B4E7) in position 08
They are all Fujitsu MB834200B-15 maskrom (27C4100). Now the correspondance between the actual roms in mame via CRCs and my original KOTD
CPS-1 board :
ROMX_LOAD( “kr_gfx1.rom”,CRC(9e36c1a4)
ROMX_LOAD( “kr_gfx3.rom”,CRC(c5832cae)
ROMX_LOAD( “kr_gfx2.rom”,CRC(f095be2d)
ROMX_LOAD( “kr_gfx4.rom”,CRC(179dfd96)
ROMX_LOAD( “kr_gfx5.rom”,CRC(1f4298d2)
ROMX_LOAD( “kr_gfx7.rom”,CRC(37fa8751)
ROMX_LOAD( “kr_gfx6.rom”,CRC(0200bc3d)
ROMX_LOAD( “kr_gfx8.rom”,CRC(0bb2b4e7)
MAME => REAL CPS1 BOARD
KR_GFX1.rom => KR-5M.rom (9e36c1a4)
KR_GFX3.rom => KR-7M.rom (c5832cae) KR-1M.rom (f095be2d) KR-3M.rom (179dfd96)
KR_GFX5.rom => KR-6M.rom (1f4298d2)
KR_GFX7.rom => KR-8M.rom (37FA8751)
KR_GFX6.rom => KR-2M.rom (0200BC3D)
KR_GFX8.rom => KR-4M.rom (0BB2B4E7)
oups there has been a problem with the last post :(
KR_GFX1.rom => KR-5M.rom (9e36c1a4)
KR_GFX3.rom => KR-7M.rom (c5832cae) KR-1M.rom (f095be2d) KR-3M.rom (179dfd96)
KR_GFX5.rom => KR-6M.rom (1f4298d2)
KR_GFX7.rom => KR-8M.rom (37FA8751)
KR_GFX6.rom => KR-2M.rom (0200BC3D)
KR_GFX8.rom => KR-4M.rom (0BB2B4E7)
KR_GFX1.rom => KR-5M.rom (9e36c1a4)
KR_GFX3.rom => KR-7M.rom (c5832cae)
KR_GFX2.rom => KR-1M.rom (f095be2d)
KR_GFX4.rom => KR-3M.rom (179dfd96)
KR_GFX5.rom => KR-6M.rom (1f4298d2)
KR_GFX7.rom => KR-8M.rom (37FA8751)
KR_GFX6.rom => KR-2M.rom (0200BC3D)
KR_GFX8.rom => KR-4M.rom (0BB2B4E7)
swap the 2nd and 3rd roms ;) loading order is incorrect.
are you talking about an original Knights of the Round board, or a bootleg?
I agree, the naming doesn’t look perfect in MAME compared to other sets, but your suggestion doesn’t seem to match up too well with anything else either.
There are also different ROM boards for the game, which may have different numbering. Knowing exactly which one you’re talking about would help.
For a better example of the prefered MAME naming convention check the 3wonders set GFX roms.
“rt-5m.7a” is “rom label . position”
which we’ve found to be the most useful format for people wanting to repair / diagnose faulty boards etc.
hi haze
keep on the good work ,
i wanted to say thanx any time i play b rap boys i think about u :)
thnx for making this possible
–
anything new about zero team?
I am of course talking about my Knights of the round original game board.
KR_GFX1.rom => KR-5M.3A (9e36c1a4)
KR_GFX3.rom => KR-7M.4A (c5832cae)
KR_GFX2.rom => KR-1M.5A (f095be2d)
KR_GFX4.rom => KR-3M.6A (179dfd96)
KR_GFX5.rom => KR-6M.7A (1f4298d2)
KR_GFX7.rom => KR-8M.8A (37FA8751)
KR_GFX6.rom => KR-2M.9A (0200BC3D)
KR_GFX8.rom => KR-4M.10A (0BB2B4E7)
I have changed the .rom by .position as requested.
KR-XM is the marking you can read on original maskroms used by capcom.
My set is the one you call in mame ‘knights’91635B-2.
Those 2 roms must be in this order :
KR_GFX3.rom => KR-7M.4A (c5832cae)
KR_GFX2.rom => KR-1M.5A (f095be2d)
And not
KR_GFX2.rom => KR-1M.5A (f095be2d)
KR_GFX3.rom => KR-7M.4A (c5832cae)
Oups sorry again, the 2 maskroms swap are these :
KR-5M.3A (crc 9E36C1A4) in position 01
KR-1M.4A (crc F095BE2D) in position 02
KR-7M.5A (crc C5832CAE) in position 03
KR-3M.6A (crc 179DFD96) in position 04
KR-6M.7A (crc 6DD13A0F) in position 05
KR-2M.8A (crc 0200BC3D) in position 06
KR-8M.9A (crc 37FA8751) in position 07
KR-4M.10A (crc 0BB2B4E7) in position 08
This is good :
KR-1M.4A (crc F095BE2D) in position 02
KR-7M.5A (crc C5832CAE) in position 03
This is not :
KR_GFX3.rom => KR-7M.4A (c5832cae)
KR_GFX2.rom => KR-1M.5A (f095be2d)
I apologize again for getting wrong :(
Well, the order that the roms are loaded in MAME doesn’t really matter too much, how / where they’re loaded does.
If they were being loaded at the incorrect addresses then the game would have severely broken graphics ;)
Of course, renaming the roms, based on your checksum comparisons makes sense as it provides more useful information.
oki :D Any news about the joe and mac set ?
I’ve submitted what I’ve done so far, it boot’s, you can coin it up, but the sprites are a mess, and backgrounds are mostly missing, and I haven’t hooked up the alt. sound hardware yet.
Kinda busy over Christmas, so I might not get a proper chance to look at it in detail for a while.
@Dlfrsilver: thank you for helping! Just another question to do a good rename on all roms of that set. How are named these roms on your pcb? (always using “rom label . position”)
MAME => REAL CPS1 BOARD
kr_23e.rom (1b3997eb) => ?
kr_22.rom (d0b671a9) => ?
kr_09.rom (5e44d9ee) => ?
kr_18.rom (da69d15f) => ?
kr_19.rom (bfc654e9) => ?
Very useful your informations, thanks again!
Ok I’ve improved the sprites on the Caveman Ninja bootleg, but it still needs background fixes, and sound.
@Dlfrsilver: thank you for helping! Just another question to do a good rename on all roms of that set. How are named these roms on your pcb? (always using “rom label . position”)
MAME => REAL CPS1 BOARD
kr_23e.rom (1b3997eb) => ? KR-23e.8F
kr_22.rom (d0b671a9) => ? KR-22.7F
kr_09.rom (5e44d9ee) => ? KR-09.11A
kr_18.rom (da69d15f) => ? KR-18.11C
kr_19.rom (bfc654e9) => ? KR-19.12C
Very useful your informations, thanks again!
@David : Thank you for the hard work ;)
About my Caveman ninja jamma board hardware :
CPU : 68000 @ 12Mhz (OSC1 24.000Mhz)
Snd CPU : z80 @ 8 Mhz (OSC2 16.000Mhz)
sound chip : Oki M6295 + YM2151 @ 8 mhz
u4 doesn’t include the sprite fixes btw, they didn’t make it in time.
Merry Christmas yall.
Saw several hours ago the latest Andrew’s WIP, so I’m wondering if Kale and you will look into the hng64 driver once again. Six eyes will be able to find out more things than 2 or 4.
Merry Christmas Haze, have some nice vacations.
Our job on the hng64 is mostly over, it basically needs the 3d and the roz hooked up properly (and several cosmetic fixes like the mosaic, the tilemap blend etc.)…the non-working inputs in most games is mostly a matter of effort rather than true difficulty afaik.
Hello,Kale,merry christmas,I have a question that your Mame to do list in your homepage not updated for a while,so these if you work on?
Yes, it on my todo list to update the todo list ;)
All those “minor” things seem to justify a comeback to the driver, but it’s just my opinion, I’m not demanding anything and my posts come from my own ignorance.
Most of my comments here have always been provoked by hng64 WIPs, but I really appreciate all the work you are doing even if I don’t specifically say so, so please, continue working for the MAME comunity, a lot of us are really thanking you for your efforts. I love what both of you accomplish together, you make a rather nice developer couple, and you are able to make people feel that nothing is impossible.
Thank you, you’re going to have all my support forever.
The problem is HNG64 is pretty hard to get right.
All Andy has managed to do so far is refactor the code and stop the racing games crashing (+ identified some object types as quads etc.)
The interrupt generation, and buffer flags, so that it can send multiple 3d packets per frame still arne’t understood. I imagine it’s some combination of buffer busy / interrupt when finished / swap buffers multiple times per frame, so that it can render the complete scene. There are however lots of interrupts, some of which we’re not even generating right now, and none of which are really understood. Andy is going to have to figure this out if the 3d Rendering is to be properly fixed. I imagine Samurai Shodown 64 running far too fast (at 100% speed) has something to do with these flags too, and for the same reason it never sends any real 3d.
For the remaining mixing / priority issues all the games are setting things up in a very different way, it gives very little scope for cross-referenceing, and thus is very hard to figure things out. Also MAME doesn’t natively support various features, so they have to be custom coded in the driver. The only thing I have slight leads on is proper emulation of the ROZ floor in Fatal Fury, which seems to be based on the standard ROZ stuff, but with some changes I don’t understand yet. Buriki One however is even stranger, and only populates line-data for every other scanline on the Roz Floor.
Phil hasn’t got back to me / Kale on the sound side of things yet.
For proper I/O the I/O MCUs really need decapping and emulating. It might also need extra interrupts.
We still don’t know what the Z80 based CPU is really for (I’m guessing just networking, even if it’s overkill for that)
I’d love to see a perfect HNG64 emulator as much as you, or anybody else, but for me it’s pretty much reached the limits of reasonable guessing, and hardware tests on such a system are out of my software field (and also require quite significant modifications to the hardware eg. the rom board, installation of sockets etc. because it’s all SMT Mask Roms.
Maybe when one of the devs who’s better with such CPUs and systems takes another look at it things will improve, Aaron however seems far too busy refactoring the entire MAME codebase every other month, Ville has been banished to living up the rear-end of a Goblin, ElSemi is suffering from Real-Life syndrome, and the number of capable new devs is almost 0.
I know it’s not an easy task, but I had little to lose by asking.
What about looking into adding those rendering features into the MAME drawing core? I guess that adding things like additive blending will also help reducing code on several other drivers, won’t it?
I’m not sure it would, Aaron did the reverse for the PsikyoSH blending, taking it OUT of the core and putting it in the driver which is a good indication that he doesn’t want uncommon features in the core (makes sense really)
There are only a handful of systems that require additive blending, and they need custom rendering for different reasons anyway (suprnova has compressed sprites, and a funky priority system, the others I know of are 3d systems, not sprite based)
“Ville has been banished to living up the rear-end of a Goblin”
Am I the only one who doesn’t get this reference, concerning Ville?
Heh, I mean he’s been consumed by MMORPG games, specifically World of Warcraft. I’m not too fond of them myself ;)
Yepaaa :D i’m not fond at all about WoW.
David, about Zero Team, i have looked on Guru’s site, and seen the seibu custom chip like the big one called SEI252. This one looks like having something in it, because it’s very thick compared to any other chip (like others SEIXXX custom chips).
don’t you think ? :)
We’ve (hopefully) identified what the custom protection chip actually is on the seibu boards.
Sadly it’s not good news, they’re effectively a lot like early versions of those FGPA chips you see, the ones where people program entire arcade emulators and machines within them.
In this case, it’s an earlier chip, but the concept is similar, it can be programmed to be almost anything, including acting like a virtual CPU with virtual ROM etc. The problem is, that means there is no real internal ROM to dump, or emulate, and even if you could dump the chip the data would be meaningless as it would simply be the configuration data in a very specific format for that device, and short of doing a gate-level simulation of the device (impossible without knowing it’s exact internal structure) it can’t be ‘emulated’.
Protection simulation for the games looks to be the only real option, and while there is always a risk of simulations being inaccurate, there isn’t really much choice here. Even doing a simulation is hard, because Seibu did a good job of the protection system and in making things non-obvious. Even with hardware tests it’s going to be a very tough one to simulate properly.
The Seibu stuff is being looked at, but people have been looking at it for 10 years with no real results, so I really can’t give any promises on when Zero Team etc. will be emulated.
Even after they are, the ‘new’ versions of Zero Team and Raiden 2 present a different challenge, as they use a completely different protection chip.
Very good infos in your last comments Haze. I hope they get added to the relevant drivers.
Thanks David for the informations. Maybe there is a possibility (expensive) to get the logic of it ?
I mean you agree that the ROM code access this chip right ? Is there even a smallish possibility to see and “try to figure” what data the SEI252 pull out ?
One idead would be to fully disassemble the game program, resourcing it and checking when it tries to access custom chips and what it tries to do with them.
About simulation inaccuracies, don’t worry, you have my videos, and i can myself check with my board if necessary ;)
Dr nicola Salmoria and Andreas Naive have looked the beast (i speak of raiden II at least).
also, is the board in itself protected ? by hacking the game rom in order to make the board cheat or find informations about chips ?
All possibilities must be explored :D
also here is a little view of what is linked to what :
The sound part :
Zero Team hardware use a z80 as sound CPU marked
Z88400AB1 Z80ACPU (Z80A @ 4 mhz) driving a YM3812.
the sound system has a SIE150 custom 100 pins chip tied to it, and linked to 1x LH5116-10 ram and 2x T6116S45L RAMs.
The Nec V30 @ 16 mhz is directly connected to a big custom SEIBU chip which references on it were scratched intentionaly. It is not linked to RAM chips whatsoever
This big seibu chip unknown (no marking on it)
is the biggest square on the board is actually
184 Pins. Thi chip is directly connected to
4 ram chips named M5M5278P-35, to the cop-X D2 rom, and the 4 program roms.
the 2 Seibu maskrom called ’seibu MUSHA BACK-2′ and ’seibu MUSHA BACK-1′ as roms SEIBU 7 and 8 are linked to the custom chip SEI0200 TC110G21AF 100 pins rectangular chip, which is itself tied to 2 Sony CXK5863P-30 RAM chips.
Lastly, the 2 sprites roms called ‘SEIBU MUSHA OBJ-2 TC5316200BP-G701′ and ‘SEIBU MUSHA OBJ-1 TC5316200BP-G700′ are tied to the custom chip SEI251 SB03-012, which has just aside it an OSCILLATOR (the only one on the board btw !) Kyocera clocked at 28.6360Mhz. The SEI251 is linked to 2 rams LH5116D-10.
I hope this will help a bit.
Raiden 2 board and Zero Team boards are different, they don’t use the same amount of custom chips, and use a different audio system.
I hope these informations would be helpful ; If you need close pictures of the board, tell me, i will upload close-ups.
The big 184 pin with the marking erased is a SEI1000. And Zero Team hardware looks like the one used on legionnaire from Tad corporation.
Yeah, the custom badges on the parts don’t actually tell you what they really are tho.
We’re doing what we can for the Seibu emulation, but as I’ve said the only thing we can do is figure out how the chip works through a combination of studying the game behavior, and running test cases to attempt to understand what they’re using the chip before.
The ‘overall’ function of the chip is fairly clear in some games such as Heated Barrel (which is being used for the tests) but hopefully the same board can be used to get a more in depth understanding of the device, and how it interacts with the system; it’s the same protection on all the games, but used in different ways.
Andreas / Nicola deal with encryption, and the only encryption on Raiden 2 is with the sprite graphics, and is already 95% complete. Zero Team sprites haven’t been decrypted, but are likely to be the same thing but with different tables. Once the protection is understood I imagine they’ll add figuring out the rest of the gfx decryption to their todo lists. Until then there is little point.
btw I think it’s the SEI1000 that we think is the chip containing the protection logic; the COPX-D2 rom is some kind of maths lookup table, probably used for sin/cos or 1/x type operations so it makes sense if the protection chip is connected to that.
It has a great deal of control over the system, RAM, ROM etc. so it also makes sense if it’s tied to the main program roms, and CPU (so all memory access can pass through it, and potentially be intercepted, redirected etc.)
I guess too ;) Well at least the rom dumped are good, that’s a good thing too to start.
In fact, what’s good is that Seibu while using a very hard protection system, has clearly seperated
the board by parts. This is how i have written above how it’s on the board.
I won’t be surprised if the SEI1000 would be simply a processor. What king of ASM is in the COPX-D2 rom ? This would allow to determine the processor type
of SEI1000. I know the SEI251 must have some RAM inside because i have read in MAWS that there is a message on one moment saying ‘SEI251 initialised’ Initializing what ? RAM ? ROM ? special internal circuit ? MMhhhhh…. Wonder what it could be.
What amazed me, is that what we call main CPU actually (Nec V30@16 mhz) has too few connexions on the board. It’s tied at 98% on the SEI1000. It appears to be too isolated, when the SEI1000 is connected to MANY parts (RAM, ROMS, other custom chips).
Well, the SEI1000 acts as the system controller, everything the V33 requests goes through it. As I’ve said, if it’s what we think it is (based on a board which had original markings on the chip) it’s definitely not a cpu.
Basically, due to where it is on the board they could have done anything they want with it, intercepted and altered anything going on between the mainCPU and other components. Thankfully(!) they just seem to have used the same type of protection on all the games.
Of course, there could be some surprises we don’t know about yet, that’s why I’ve said it’s hard for a simulation to be accurate because one innocuous byte write could actually be triggering a whole bunch of unknown behaviors on the board, changing the game in subtle ways; look how long it got to get bubble bobble perfect (and it that case, we were lucky, because it was a proper MCU with proper rom that could eventually be dumped and emulated. All the old simulations were found to be inaccurate tho)
The V30 David. The V33 is used on the raiden II hardware used by New Zero Team, but not the Zero Team hardware ;) which is made of V30+Z80+YM3812.
Yeah sorry, V30. The V33 based stuff is different, and has the COPD3, which seems more like a normal MCU (but the code it uploads to it is encrypted, and nobody has managed to make any sense of it)
If the code for that MCU was decrypted, those might actually be easier to emulate.
Haze,Happy new year,in 2010 I hope Mame can finish the seibu mcu 、Toaplan 2 sound CPU decryption、double wing issues and sound、NMK sound issues、Black Touch 96、Tatsumi Video issues、Hooking up the DJBoy / Heavy Unit MCUs dumped by the Deacpping project…
Hello David, Happy new Year 2010, all the best, health, job, and love ;)
