Morten Shearman Kirkegaard and Peter Wilhelmsen built an FPGA based board that plugs into the program ROM socket on a PGM2 board.
Doing this allows direct control over what the IGS036 CPU reads, and allows us to monitor all bus signals to and from the external ROM.
The hardware setup they created looks like this
With this, and existing knowledge of the encryption scheme they were able to modify the code running on the board while it was running, thus allowing their own code to be injected. Code was added to read the internal ROM space at 0x0000 to 0x3fff, as we didn’t know how the video hardware worked at this point the value read was then used as an offset to read into external rom, the bus signals were monitored meaning we could translate our external rom read offset back into the byte value for each address in the internal rom. This proved successful. Surprisingly, unlike the later PGM1 games there wasn’t even an Execute Only area on the PGM2 CPU being read (Oriental Legend 2) so they managed to get a complete dump.
All the actual dumping was done without the PGM2 board hooked up to monitor / display, but instead simply by looking at what the FPGA was sending back. (Earlier testing to get the setup built obviously did make use of an actual monitor)
Anyway, it was easy enough to see some of the startup strings in the internal ROM.
Hooking this up to MAME revealed a few things, first of all the internal ROM code really doesn’t like the ARM7/ARM9 MMU implementation; it could be different here, so for the time being I’ve disabled it if the CPU type is IGS036. That allowed a few basic devices to be hooked up, which gave the following
After that the code rather jumped into the weeds, clearly there are other ARM9 bugs in MAME, as the code flow below shows
Obviously it shouldn’t be jumping straight back into the middle of a BL (HI) / BLX (LO) combo. This one seems relatively easy to fix, it was simply adding 4 to an address where it should add 2.
Even with that fixed, the code ends up going off the rails tho. More investigation is needed, but this is a good start.
btw, if anybody has “Jigsaw World Arena” or “Puzzle of Ocha / Ochainu No Pazuru” we could do with borrowing them. They used to sell for dirt cheap relative to the other PGM2 titles at the time (around $250 – $300) but lately they haven’t been showing up for anything like that. They’re single board PGM2 games that were only distributed in Japan to the best of our knowledge. The internal ROM is different for every game, so they will need dumping using the methods outlined here. Apart from those 2 boards we have access to at least one of each other game (although AFAIK only the China regions – internal ROM controls the region)
Further note, please don’t post links to that ghastly hack of MAME with badly hacked in PGM2 support, it’s loaded with anti-debugger nasties, has no source and it doesn’t seem safe to run (it blew up my VM image) and is entirely the wrong way of going about things. The point of the work being done here is to actually get it done as it should have been done.
“Ocha-Ken no Puzzle”. That’s the actual name, if it serves. I thought Jigsaw World Arena was never released in a final form, even though it was widely shown in tests and whatnot.
Good luck with the PGM 2; hopefully it somehow helps to finish PGM emulation too — you put much effort there, didn’t you.
yeah, people are saying they’re prototypes now, but they used to be available for cheap compared to the other PGM games, so I think that’s just people copy+pasting sources and using it to justify ridiculous prices.
Well, Ocha-Ken certainly had an official release by Alta (formerly “Annex”), though quite a bit later than initially planned (AM Journal lists it in 2010, March:
http://www.am-j.co.jp/newmachine/201003/001.html
…but AM-Net dates the last public test in November 2010:
http://blog.am-net.jp/article/41701001.html
Seems it was sold in December, though it had to have quite a limited distribution). Photo with the stickers you only find in final-form, official releases:
http://obn.sakura.ne.jp/20150117_pcb_3_s.jpg
http://garakuta.homelinux.org/~nosuke/diary/diary.html?y=2015&m=1&d=17&n=1
I’m still to confirm this, but it could very well be Moo Niitani’s [Puyo-Puyo, Potchi to Nyaa] last arcade game.
Made some research on Jigsaw World Arena and I couldn’t find any proof of it getting a final release. It was usually tested and shown together with Ocha-Ken but nor AM Journal nor Arcadia Magazine ever featured it with a release date, it seems.
Very nice read Haze!
I hope you all get the PGM 2 fully figured out. I’m all for getting Arcade games to work exactly how they worked & played too. Do you think also that if the developers had made there games to run & play without any slowdown, pixel faults, wrong sound & bad syncing. Basically to run perfect they would have & that MAME will allow you to do that? As near as perfect as possible really or to work better than in the Arcade.
Thanks for those hacked PGM2 games i need to install a new windows. F* them.
Thanks haze for the news.
@Agard: MAME will never enhance/upgrade games. We present them exactly as they were because we don’t presume to know better than the talented people who made the games.