Are these a fully decrypted boot ROM or a replacement PAL?
I focused on Ketsui and Espgaluda first, since they come from PCB sources and i have something to compare against.
In Mame, the two available bootleg dumps are in a driver that's based on ddp2 init scheme.
From my deductions the ddp2 based games (like espgal and ketsui) only use some encryption as protection.
Once decrypted they might just boot fine. I'm not sure how this works but it seems to me they are xored by a table at boot.
Mame does this in software. I'm not sure how it's done on real hardware (does the ARM cpu on the cart decrypt the game?)
If i look at mame, the two bootlegs from arcademodbios (ketbl and espgalbl) both use the ddp2 init scheme.
It means the program roms are encrypted using the same 'table' as ddp2
ketbl
pgm_arm_type2_state, init_ddp2
espgalbl
pgm_arm_type2_state, init_ddp2
void pgm_arm_type2_state::init_ddp2()
{
pgm_basic_init();
pgm_ddp2_decrypt(machine());
kov2_latch_init();
}
ddp2_decrypt is in pgmcrypt.cpp. Kov2_latch_init installs a read/write latch for an ARM area. nothing else is done in the init.
Now, the two original PCB versions of espgal and ketsui have two different encryption tables, so it's safe to say they have been at least decrypted to then be re-encrypted using the ddp2 encryption table. This had to be done otherwise the cartridge they landed on can not decrypt the program code.
Now, the roms i've posted have done away with at least the encryption table step. But there is an additional init step for the original games.
They have an install_readwrite_handler(0x400000, 0x400005) which basically means they will talk to another device at this memory range.
My next step would be to figure out the commands they expect to read/write from 0x40000x range and see what needs to be done.
Could be just a bunch of startup checks, but could also be calculations offloaded like sprite positions etc. We could at least deduct at this point the arm cpu _was_needed.
Problem is that lydz posted a pic of a board with no ARM on it. So if it looks like a duck, walks talks and quacks like a duck, the ARM must not have much to do once you patch out the (bootup?) protection..
If that is truly the case the roms i posted should just boot on a board with no arm / 027 prot whatever
They are program roms, 27C160 or 322 as needed, and see if they boot up