Taiko Drum Master - Region Hack Development & Testing Thread

    • Taiko Drum Master - Region Hack Development & Testing Thread

      Taiko Drum Master
      太鼓の達人 / 太鼓之达人
      Region Hacking
      ©2016 eastrain design



      Some time in late 2015, I was put in contact with some Taiko bootleggers (feel free to argue the semantics of what they were doing elsewhere) who were having trouble getting Japanese versions of Taiko Drum Master 11 and later to run on their Taiko Drum Master 11/12: Asian Edition Cabinet, and who found that the Asian Edition would not run on a Japanese System 256 PCB.

      Offhand, this seems impossible, as, up to that point, there were no documented cases of actual REGION locking in any game on the system, so I was intrigued.
      I obtained a copy of the game and found, lo and behold, exactly what was said to be happening.
      The game would appear to boot, and hang with "SYSTEM ERROR" on the screen.

      Clearly, the games were booting, so the issue was NOT with the Sony Mechacon or MagicGate being different or changed, and it seemed unlikely that an entire region would get a custom ROM version PCB just to run 2 games.

      After consulting with l_oliveira, we came to the conclusion that it was theoretically possible that the NVRAM on the system might be different (this is where a traditional PlayStation 2 stores system settings and the like).

      Through the magic of the internet, I was able to convince my newfound foreign pirate friends to dump their NVRAM with an EPROM reader and send it my way.
      Somewhat surprisingly, we were right on the money with this guess!

      Here's the contents of the NVRAM of a Japanese System 256:
      Display Spoiler

      Source Code: System 256 (JPN/EXP/USA).nvram

      1. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      2. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      3. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      4. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      5. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      6. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      7. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      8. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      9. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      10. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      11. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      12. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      13. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      14. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      15. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      16. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      17. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      18. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      19. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      20. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      21. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      22. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      23. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      24. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      25. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      26. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      27. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      28. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      29. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      30. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      31. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      32. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      Display All



      And here's the contents of the NVRAM of the Asian version:
      Display Spoiler

      Source Code: System 256 (Asian).nvram

      1. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      2. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      3. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      4. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      5. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      6. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      7. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      8. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      9. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      10. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      11. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      12. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      13. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      14. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      15. 321FC7FA D6EEF01C FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      16. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      17. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      18. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      19. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      20. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      21. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      22. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      23. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      24. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      25. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      26. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      27. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      28. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      29. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      30. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      31. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      32. FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
      Display All


      TLDR: You may note that "32 1F C7 FA D6 EE F0 1C" hanging out in there...
      Yep! The "Asian Edition" versions of Taiko 11/12 check for that data in the NVRAM and WILL NOT BOOT IF IT'S NOT THERE, and conversely, the Japanese versions of 11/12/13/14, which appear to be the only other games with region checks of any sort, check for the presence of the same data string and WILL NOT BOOT IF IT IS THERE.

      So what to do...
      First thing, I made myself an "Asian Edition System 256"... that was simple, boring, and ultimately unsatisfying, as I now had a PCB that would play 2 more games, but now would NOT play 4 others due to the JPN->ASIA lockout imposed on Taiko 11,12,13,14.

      Time Passed...
      The post was edited 5 times, last by defor ().
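The dump comparison described in the post above, as an added example that is not part of the original thread: it parses the two hex listings, diffs them and reports where they differ. It assumes the listing starts at offset 0 with 32 bytes per row in the order printed; the function names are hypothetical.

```python
# Added example: locate the bytes that differ between two NVRAM dumps.
ROW_WORDS = 8                                  # assumption: 8 groups of 4 bytes per row
FF_ROW = " ".join(["FFFFFFFF"] * ROW_WORDS)

def parse_listing(text):
    """Turn a hex listing (with optional 'N.' row numbers) into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split():
            if tok.endswith("."):              # row number such as '15.'
                continue
            out += bytes.fromhex(tok)
    return bytes(out)

def diff_runs(a, b):
    """Return (offset, bytes_in_a, bytes_in_b) for each run of differing bytes."""
    if len(a) != len(b):
        raise ValueError("dumps differ in size; re-read the chip before diffing")
    runs, start = [], None
    for i in range(len(a) + 1):
        differs = i < len(a) and a[i] != b[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((start, a[start:i], b[start:i]))
            start = None
    return runs

def listing(row15):
    """Constructed input: rebuild a 32-row listing as shown in the post."""
    rows = [FF_ROW] * 32
    rows[14] = row15                           # row 15 is the only row that differs
    return "\n".join(f"{n}. {r}" for n, r in enumerate(rows, 1))

JPN_LISTING = listing(FF_ROW)
ASIA_LISTING = listing("321FC7FA D6EEF01C " + " ".join(["FFFFFFFF"] * 6))

def region_marker_location():
    runs = diff_runs(parse_listing(JPN_LISTING), parse_listing(ASIA_LISTING))
    return [(hex(off), old.hex(), new.hex()) for off, old, new in runs]

if __name__ == "__main__":
    for off, old, new in region_marker_location():
        print(f"offset {off}: JPN {old} -> ASIA {new}")
```

Under those assumptions the only difference is a single 8-byte run at offset 0x1c0.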

    • ...Time Passed

      I sat on the project again for a good while because searching for this string in any of the binaries on the Asian and Japanese dongles proved fruitless, but came back to it a few months later, this spring, while doing some dongle testing.
      This time, I searched for partial fragments of the hex string, finding success with "32 1F C7 FA D6" as you can see below:



      Now, as you'll notice, the string is all there, simply broken up 32 1F C7 FA D6 EF EE F0 1C by the unknown data byte (0xEF).
      This is the nature of most ***GAME files on the System 246/256; that is to say that they're using an as of yet unknown compression/encryption mechanism to prevent simple edits to their code. Offhand, this looked more like a dictionary style compression that reduces the number of common data fragments by deduplication. In these schemes, if you're lucky enough to have a unique string, you can usually edit it without much consequence, or at most, a possible checksum violation.

      So what to do?
      Well, as we've seen, the data that's normally at that location in the Japanese/Worldwide version of the NVRAM is all 0xFF's... so let's replace the problematic data with that, but let's NOT replace that stray 0xEF, and simply treat it as if it's not there:



      And guess what? It works like a champ!


      So with that, I created patches for both 11 and 12 Asian Edition, that will now allow them to work on any system EXCEPT the Asian PCB's, because the data in the NVRAM now doesn't match this patched version...
      Sadly, until we understand the compression of the ***GAME files, we're a bit out of luck on actually patching around the actual lockout entirely...

      BUT!

      Since we're already in the process of patching, and it's good to be nice to our friends on the other side of the globe, Namco made the process of making a truly universal version of the Japanese games ridiculously easy. Given what we know, the NVRAM in that location is either FF FF FF FF FF FF FF FF or 32 1F C7 FA D6 EE F0 1C, and we know that the Japanese versions won't boot if 32 1F C7 FA D6 EE F0 1C is present, what could we modify it to look for instead?

      HOW ABOUT ANYTHING EXCEPT THOSE TWO VALUES!

      So, given that there's only two values we can't choose from and 2^(8*8) or 1.84467440737096e19 (minus 2) possible GOOD combinations, what's the simplest we can all agree on? I decided to go with 00 00 00 00 00 00 00 00...
      Yes it's boring, but might as well pick something standard.

      Anyway, on my newly crafted "Asian Edition 256", all four Japanese versions of Taiko 11-14 test as working fine, and the same versions also work fine on the Japanese/Worldwide 256 PCB's.

      Here's a quick rundown of all the patches (Xdelta versions have been attached to the first message as well):

      NM00044 T111001-NA-A, Ver.A09
      Taiko 11:
      FIND: 32 1F C7 BF FA D6 EE F0 1C
      REPLACE: 00 00 00 BF 00 00 00 00 00

      NM00046 T111004-NA-A, Ver.A10
      Taiko 11 Asian Edition:
      FIND: 32 1F C7 FA D6 EF EE F0 1C
      REPLACE: FF FF FF FF FF EF FF FF FF

      NM00051 T121001-NA-A, Ver.A07
      Taiko 12:
      FIND: 32 FF 1F C7 FA D6 EE F0 1C
      REPLACE: 00 FF 00 00 00 00 00 00 00

      NM00054 T121004-NA-A, Ver.A03
      Taiko 12 Asian Edition:
      FIND: 32 1F C7 FA D6 EE 97 F0 1C
      REPLACE: FF FF FF FF FF FF 97 FF FF

      NM00056 T1301-NA-A, Ver.A02
      Taiko 13:
      FIND: 32 1F C7 FA D6 EE F0 C9 1C
      REPLACE: 00 00 00 00 00 00 00 C9 00

      NM00057 T141001-NA-A, Ver.A03
      Taiko 14 & Taiko 14 More:
      FIND: 32 FF 1F C7 FA D6 EE F0 1C
      REPLACE: 00 FF 00 00 00 00 00 00 00

      So, if you can test these, feel free to let me know what you think, and if you have any problems, let me know in this thread!
      So far, my other two testers are very happy with their patched dongles, but unforeseen circumstances can always pop up!

      The post was edited 1 time, last by defor ().
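The fragment search described in the post above, as an added example that is not part of the original thread: a scanner that finds a known constant even when one foreign byte has been inserted somewhere inside it, run over the six FIND strings listed in the post. The function names and the zero padding around each string are constructed for illustration.

```python
# Added example: find a known constant that packed data has split with a stray byte.
MARKER = bytes.fromhex("321FC7FAD6EEF01C")      # NVRAM value quoted in the thread

def find_gapped(data, needle=MARKER, max_gap=1):
    """Return (offset, split, gap_bytes) hits; split is None for an unbroken match."""
    hits, n = [], len(needle)
    for off in range(len(data) - n + 1):
        if data[off:off + n] == needle:
            hits.append((off, None, b""))
            continue
        hit = None
        for split in range(1, n):
            if data[off:off + split] != needle[:split]:
                break                            # prefix already diverged
            for gap in range(1, max_gap + 1):
                tail = off + split + gap
                if data[tail:tail + n - split] == needle[split:]:
                    hit = (off, split, data[off + split:tail])
                    break
            if hit:
                break
        if hit:
            hits.append(hit)
    return hits

# FIND strings copied from the post; PAD is constructed filler around them.
FIND_STRINGS = {
    "Taiko 11": "32 1F C7 BF FA D6 EE F0 1C",
    "Taiko 11 Asian Edition": "32 1F C7 FA D6 EF EE F0 1C",
    "Taiko 12": "32 FF 1F C7 FA D6 EE F0 1C",
    "Taiko 12 Asian Edition": "32 1F C7 FA D6 EE 97 F0 1C",
    "Taiko 13": "32 1F C7 FA D6 EE F0 C9 1C",
    "Taiko 14": "32 FF 1F C7 FA D6 EE F0 1C",
}
PAD = bytes(16)

def analyse():
    """Per title: (plain search succeeds?, offset, split position, stray byte)."""
    report = {}
    for title, hexstr in FIND_STRINGS.items():
        blob = PAD + bytes.fromhex(hexstr) + PAD
        (off, split, gap), = find_gapped(blob)
        report[title] = (MARKER in blob, off, split, gap.hex())
    return report

if __name__ == "__main__":
    for title, row in analyse().items():
        print(title, row)
```

A plain search for the full 8-byte value fails on every string, while the gapped search reports a different split position and stray byte for most of the titles.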

    • Correct, the NVRAM in question is on the motherboard, not the dongle.
      Chip is the BR9080F circled in the photos below:


      If you want to program it directly, the chip has to be removed from the board.
      A programming clip won't work due to other devices becoming partially powered during the programming process.

      The post was edited 2 times, last by defor ().

    • What you're talking about is less compatibility patches for games, and more about the bigger picture: these outstanding "Asian" 256's with the lockout code pre-injected in the NVRAM and gaining the ability to convert an ASIA 256 to a JPN/EXP/USA 256 via software, instead of via hardware reprogramming of the NAND. This is a great idea for anyone out there stuck with an ASIAN PCB, but outside the scope of my abilities at present. If you, or someone you know, would like to give it a shot, I'm more than happy to be a guinea pig to test and re-dump the NAND after a soft-reprogramming to verify.

      Personally, I'd love to see the possibility of a unified tool to initialize the System Time (bonus points if it could use the USB network adapter built into most 2X6's to connect to an NTP server), as well as flash or initialize this NVRAM data (iirc the 246 actually HAS data in the NVRAM, but I'll have to dump it again to verify). Right now, there's only a few games that can set the time from their service menu (Soul Calibur 3 being one).

      It's definitely great to be thinking about things like creating new tools and content for the 2X6 outside of just the games Namco & co. created for the system!