Morten Shearman Kirkegaard and Peter Wilhelmsen devised a method to dump Dallas DS5002FP chips.
Anybody familiar with arcade games will know that these chips are found on a number of Gaelco games that were released in the 1990s.
The chips are particularly evil because they have sophisticated anti-tamper methods with code stored encrypted in a battery backed SRAM chip. Just looking at them funny can cause them to fail. Until now nobody with any emulation connections has been able to dump them.
The guys published a paper on their methods, it can be found here. It outlines the weakness that was exploited, and the code + hardware that was used to do it.
What we’ve found is that a number of these Gaelco games do seem to already be on their last legs, system11 recently had a malfunctioning Glass board, and the World Rally 2 board that was used for these tests also had a pre-existing fault which turned out to be due to at least one byte going bad in the internal SRAM. It’s absolutely critical that these things are dumped soon or chances are they’ll no longer work. It’s also important that each one is dumped twice from different PCBs to guard against bad bits that might influence how the games run.
The main benefit in terms of MAME from this dumping process is that World Rally 2 now appears to be playable after I took the time to track down the bad byte (it was in the steering code, which is mostly shared with the original World Rally luckily enough) Here is a video of it running in MAME.
World Rally 2 seems fully playable
Touch and Go was also dumped, and appears to run, although has trouble finding it’s high score data for reasons I haven’t yet figured out. Unless I’m mistaken (which is possible) the games actually use the SRAM not only to store critical game code and data, but also in some cases it appears to store scores and even as temporary work ram. That actually scares me because it means one crash of the game while the CPU is in a state with memory access could potentially wipe out important game data, which might be how some of these bad bytes came about. Touch and Go has the same sound problems as the Korean set, but that’s not surprising as that seems to be an issue in the Gaelco sound core and needs investigating.
The other thing that was dumped at this time is TH Strikes Back (aka Thunder Hoop 2) but unfortunately even with the DS5002 dump the game is still crashing when you reach the end of a level. This is a big improvement on before, but we currently don’t know if this crash is a dumping error (faulty PCB?) or an emulation bug (the i8051 core that’s used as the basis of the DS5001FP emulation isn’t as well tested as many others) Here’s a video showing the first level. I did work out a level select cheat, and you get similar problems at the end of all but 1 of the other levels.
TH Strikes Back can be played until the first boss, but then crashes
Thanks to the generosity of people including Charles MacDonald, Brian Troha and Darksoft at least one copy of most of the other PCBs is on the way to be dumped, or to be used as verification for the dumps that have been done. As I said, ideally at least 2 copies of each board are needed and given the high level of risk involved in the process (there’s always a chance of it completely failing) in some cases more might be needed.
We have not managed to source a working copy of the ‘Nova Desitec’ gambling / poker Game “Gran Tesoro? / Play 2000” (title could be incorrect) which is the only other title confirmed to use this protection chip. Even back when that was dumped the two boards that were found were both completely dead, so if you do have a working one of those, or any other previously unknown board using the DS5002FP then you should probably consider donating it to the cause because as mentioend these things really do seem to be on their way out at this point.
World Rally 2 screenshots, you can see the direction indicators that were missing before
An Alligator Hunt PCB that has been sent by Darksoft for tests, cover for DS5002FP not removed
A Glass PCB that was used in early testing, but unfortunately killed
The Gran Tesoro? / Play 2000 PCB, already dead, anybody have a working one?
nice work haze
keep it up hope nothing is lost to time here
Fantastic progress!
Well is pity that there are still problems on the games,my favorite TH strikes back crash my heart too,but hey …you are near to the end!
By the way to ask,is really exist a cheat you can choose levels?
And the crash is at the bosses?
MY COMPLIMENTS FOR ALL THE WORK,AND OF COURSE THE DONATORS AS WELL!
Some nice progress with this game, i guess should a second ds5002fp be successfully read
out you’ll be closer to knowing the cause of what makes TH Strikes back crash during the boss
fights, i wonder though if it could be some as yet unemulated graphical effects the game triggers
for the bosses..??
it’s definitely not a graphical effect as it breaks the gameplay, you die instantly.
also in attract mode the platforms don’t drop when you reach the end of a rail (also confirmed with level select cheat playing level 2)
Hallo!
I remember this video 5 years ago,uploaded by an owner of the game…
I hope it may helps…
https://www.youtube.com/watch?v=GSfqhtAM9a0
Also WORLD RALLY
https://www.youtube.com/watch?v=PqnnsH2aPi8
this game dumped for mame 0.187 or waint next version ?
Witch one?
AFAIK…..
TH2
The game is already in MAME,if you mean this,but if i read well,it has still problems,so if there is no solution until Wednesday (0.188) ,then it will be still no working ,unless a miracle happens!Lot of progress but…
WR2
It is in better condition,and maybe it will appears in 0.188!
This is all I know ,and of course the only definitely answer ,will be given by the MAMEDEVS on Wednesday .
This is nice and all that, but why have you not started on the Laseractive emulation project?
because they don’t have unlimited time,and thousands hands maybe!
Gaelco’s emulation by the way,was the most difficult….
David, you’re the #1! Keep on the good work. You’re making history !
Love you.
Hallo David!
Is it possible to share this special cheat of TH2?
“” did work out a level select cheat, and you get similar problems at the end of all but 1 of the other levels.”
At least to play the levels ,without boses?
Thanks in advance!
It’s sad how many drivers are either busted or non functional in mame. Then you have the 3d arcade games that are extremely difficult to work on that people just can’t find the time to do anything with. Like for example I used to play a really old namco game called cyber sled in the arcade yet when I went to play it in mame the game crashed after beating the 3rd level. It Literally sucked out all the enjoyment I had while playing it making me not want to use mame ever again. Even in mametesters I saw the system 21 driver was basically one of those things no one wants to touch because of bad code =/
https://pastebin.com/FpyDVDks
is the thoop2 level cheat, paste it in thoop2.xml, put that file in the ‘cheat’ folder and set it before starting the game, it will still show level 1, but will run a different level. of course they’re all buggy due to the bad SRAM dump, so you’re better off just waiting..
THANK YOU!
Just for the memories David!
No need to break a record,just to remember a few things!
Of course i will wait,for the correct and full playable game,but until you can find a new board to dump it correctly,i can play a little!
Where can we get wr2_dallas.bin file?
Thank you for your hard work on Dallas DS5002FP! You are GENIUSES!
Hi, great work.
I have a question.
If you have an original World Rally 2 board and the battery dead. Do you have the file wr2dallas.bin to be able to rebuild it? Or how can I make a copy of the chip while the battery is not dead?
Thank you very much,