Morten Shearman Kirkegaard and Peter Wilhelmsen built an FPGA based board that plugs into the program ROM socket on a PGM2 board.
Doing this allows direct control over what the IGS036 CPU reads, and allows us to monitor all bus signals to and from the external ROM.
The hardware setup they created looks like this
With this, and the existing knowledge of the encryption scheme, they were able to modify the code running on the board while it was running, which allowed their own code to be injected. The injected code read the internal ROM space at 0x0000 to 0x3fff. Because we didn't know how the video hardware worked at this point, each byte read was instead used as an offset for a read into the external ROM; since the bus signals were being monitored, the external ROM read offset could be translated back into the byte value for each address in the internal ROM. This proved successful. Surprisingly, unlike the later PGM1 games, there wasn't even an Execute Only area on the PGM2 CPU being read (Oriental Legend 2), so they managed to get a complete dump.
All the actual dumping was done without the PGM2 board hooked up to a monitor / display; instead they simply looked at what the FPGA was sending back. (Earlier testing to get the setup built obviously did make use of an actual monitor.)
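As an added illustration of the dumping trick described above (this is not Morten and Peter's FPGA or ARM code, just a Python model of both sides), the block below simulates the injected probe loop on the CPU and the bus monitor on the FPGA. The external ROM base, the 256-byte probe window and the location of the probe code are assumed values chosen for the simulation; the internal ROM contents are constructed. The point it shows that the prose does not is the filtering the monitor has to do: the probe loop itself runs from external ROM, so its instruction fetches appear on the same bus as the reads that carry the leaked bytes.

```python
# Added example (not the authors' FPGA or ARM code): a Python model of the
# oracle-style dump described above. The real probe ran on the IGS036 and the
# bus was watched by an FPGA; here both sides are simulated so it runs offline.

INTERNAL_ROM_SIZE = 0x4000                 # 0x0000-0x3fff, as in the post
EXT_ROM_BASE      = 0x10000000             # assumed address of the external program ROM
PROBE_TABLE       = EXT_ROM_BASE + 0x8000  # assumed 256-byte window the probe reads from
PROBE_CODE        = EXT_ROM_BASE + 0x0100  # assumed location of the injected probe loop

def make_secret_internal_rom(size=INTERNAL_ROM_SIZE):
    """Constructed stand-in for the internal ROM; deterministic LCG so runs are repeatable."""
    out = bytearray(size)
    x = 0x1234567
    for i in range(size):
        x = (x * 1103515245 + 12345) & 0x7fffffff
        out[i] = (x >> 16) & 0xff
    return bytes(out)

def cpu_probe_loop(internal_rom, bus):
    """Models the injected code: LDRB a byte from internal ROM, then LDRB
    [PROBE_TABLE + byte]. Only the second read reaches the external bus, but
    so do the instruction fetches of the loop itself, which the monitor must
    ignore."""
    for addr in range(len(internal_rom)):
        # instruction fetches of the loop body (a few halfwords of Thumb code)
        for pc in range(PROBE_CODE, PROBE_CODE + 8, 2):
            bus.append(("fetch", pc))
        value = internal_rom[addr]                 # internal read: invisible on the external bus
        bus.append(("read", PROBE_TABLE + value))  # this is what the FPGA sees

def fpga_recover(bus, expected_len=INTERNAL_ROM_SIZE):
    """Monitor side: keep only data reads inside the probe window and map the
    address back to the byte; the i-th probe read is internal address i."""
    recovered = bytearray()
    for kind, addr in bus:
        if kind != "read":
            continue
        if not (PROBE_TABLE <= addr < PROBE_TABLE + 0x100):
            continue
        recovered.append(addr - PROBE_TABLE)
    if len(recovered) != expected_len:
        raise ValueError(f"expected {expected_len} probe reads, saw {len(recovered)}")
    return bytes(recovered)

def dump_internal_rom():
    """Run the whole simulated dump and return (secret, dumped, bus_trace)."""
    secret = make_secret_internal_rom()
    bus = []
    cpu_probe_loop(secret, bus)
    dumped = fpga_recover(bus)
    return secret, dumped, bus

if __name__ == "__main__":
    secret, dumped, bus = dump_internal_rom()
    print("bus events:", len(bus), "recovered bytes:", len(dumped), "match:", dumped == secret)
```

A 256-byte window gives every byte value a distinct external address and keeps the probe's own instruction fetches out of the window, so the monitor needs nothing more than an address range filter; the internal address is implied by the order of the probe reads. If the CPU had an Execute Only region (as the later PGM1 chips do), the LDRB from that range would not return the real byte and the recovered image would be wrong there; the post notes the IGS036 in Oriental Legend 2 had no such region.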
Anyway, it was easy enough to see some of the startup strings in the internal ROM.
Hooking this up to MAME revealed a few things. First of all, the internal ROM code really doesn't like the MMU implementation in MAME's ARM7/ARM9 core; the MMU could well be different on this chip, so for the time being I've disabled it if the CPU type is IGS036. That allowed a few basic devices to be hooked up, which gave the following
After that the code rather jumped into the weeds. Clearly there are other ARM9 bugs in MAME, as the code flow below shows
Obviously it shouldn't be jumping straight back into the middle of a BL (HI) / BLX (LO) combo, i.e. the two-halfword Thumb branch-with-link sequence. This one seems relatively easy to fix: it was simply adding 4 to an address where it should add 2.
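To make the "+2 versus +4" concrete, here is an added decoder/encoder for the two-halfword Thumb BL / BLX pair, written for this page and not taken from MAME's ARM7/ARM9 core. It follows the ARMv5T Thumb encoding (the IGS036 is an ARM9 core, so this is the assumed instruction set): the branch target is computed from the PC as seen by the first halfword (its address plus 4), while the return address is the halfword after the pair, which is the address of the second halfword plus 2 with the Thumb bit set. The sample addresses and targets are constructed.

```python
# Added example (not MAME's code): decode and encode the two-halfword Thumb
# BL / BLX sequence, showing which "+2" and "+4" are involved when computing
# the branch target and the return address (ARMv5T Thumb encoding assumed).

def sign_extend(value, bits):
    mask = 1 << (bits - 1)
    return (value ^ mask) - mask

def decode_bl_pair(addr_hi, hw_hi, hw_lo):
    """addr_hi is the address of the first halfword (the HI part, H=10).
    Returns (kind, target, lr)."""
    if (hw_hi >> 11) != 0b11110:
        raise ValueError("first halfword is not a BL/BLX prefix (H=10)")
    h = hw_lo >> 11
    if h == 0b11111:
        kind = "BL"                       # H=11: stay in Thumb state
    elif h == 0b11101:
        kind = "BLX"                      # H=01: switch to ARM state
        if hw_lo & 1:
            raise ValueError("BLX suffix must have bit 0 clear")
    else:
        raise ValueError("second halfword is not a BL/BLX suffix")
    addr_lo = addr_hi + 2                 # second halfword directly follows the first
    pc = addr_hi + 4                      # Thumb PC reads as first halfword + 4
    offset_hi = sign_extend(hw_hi & 0x7ff, 11) << 12
    offset_lo = (hw_lo & 0x7ff) << 1
    target = (pc + offset_hi + offset_lo) & 0xffffffff
    if kind == "BLX":
        target &= ~3                      # ARM target must be word aligned
    lr = ((addr_lo + 2) | 1) & 0xffffffff # instruction after the pair, Thumb bit set
    return kind, target, lr

def encode_bl_pair(addr_hi, target, blx=False):
    """Inverse of decode_bl_pair: produce (hw_hi, hw_lo) for a pair at addr_hi."""
    pc = addr_hi + 4
    if blx:
        target &= ~3
    delta = target - pc
    if delta & 1 or not (-(1 << 22) <= delta < (1 << 22)):
        raise ValueError("target misaligned or out of range")
    off = (delta >> 1) & 0x3fffff         # 22-bit signed halfword offset
    hw_hi = 0xf000 | (off >> 11)
    hw_lo = (0xe800 if blx else 0xf800) | (off & 0x7ff)
    return hw_hi, hw_lo

def return_lands_after_pair(addr_hi, hw_hi, hw_lo):
    """A correct LR returns to addr_hi + 4; an LR of addr_hi + 2 would land on
    the LO halfword, i.e. in the middle of the combo."""
    _, _, lr = decode_bl_pair(addr_hi, hw_hi, hw_lo)
    return (lr & ~1) == addr_hi + 4

if __name__ == "__main__":
    print(decode_bl_pair(0x1000, *encode_bl_pair(0x1000, 0x1234)))          # forward BL
    print(decode_bl_pair(0x2000, *encode_bl_pair(0x2000, 0x1000, blx=True))) # backward BLX
```

The check to keep in mind when reading an emulator's Thumb core is that three different "next" addresses are in play for one logical instruction: the PC value used for the offset (first halfword + 4), the address of the second halfword (first + 2), and the return address (second + 2, which is also first + 4). Mixing up which one a given +2 or +4 applies to yields exactly the kind of return-into-the-pair flow shown above.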
Even with that fixed, the code still ends up going off the rails though. More investigation is needed, but this is a good start.
btw, if anybody has "Jigsaw World Arena" or "Puzzle of Ocha / Ochainu No Pazuru", we could do with borrowing them. They used to sell dirt cheap relative to the other PGM2 titles (around $250 – $300), but lately they haven't been showing up for anything like that. They're single-board PGM2 games that, to the best of our knowledge, were only distributed in Japan. The internal ROM is different for every game, so they will need dumping using the methods outlined here. Apart from those 2 boards we have access to at least one of each other game (although AFAIK only the China regions; the internal ROM controls the region).
Further note: please don't post links to that ghastly hack of MAME with badly hacked-in PGM2 support. It's loaded with anti-debugger nasties, has no source, doesn't seem safe to run (it blew up my VM image), and is entirely the wrong way of going about things. The point of the work being done here is to actually get it done as it should have been done.