- Thread starter 98pacecar
- Start date
Well, these could be tested by somebody on a non-encrypted board, see if they boot and report back 
I didn't have the time to check how the bootup process is done on a normal cart.
I do not have a PGM mainboard or carts to test with. Not sure if any protection is in place (other than bootup/decryption).
View attachment ddp3_fully_decrypted.zip
View attachment ddp3blk_fully_decrypted.zip
View attachment espgald_v100.zip
View attachment ketsui_fully_decrypted.7z
I didn't have the time to check how the bootup process is done on a normal cart.
I do not have a PGM mainboard or carts to test with. Not sure if any protection is in place (other than bootup/decryption).
View attachment ddp3_fully_decrypted.zip
View attachment ddp3blk_fully_decrypted.zip
View attachment espgald_v100.zip
View attachment ketsui_fully_decrypted.7z
Is there a non-encrypted board? or is it just a board with the security chip removed?
I'll try a couple in my Martial Masters and report back, but I'm skeptical any of them will work unless we also know what needs to be changed with the PAL or other "rewiring"
on my Martial Masters with the Security chip, security eprom and security PAL removed and the main program rom replaced with your decrypted ketsui ROM I get a static screen with purple artifacts all over it.
this is the same result I got using the bootleg rom that people have been using for successful conversions on other PCBs.
I focused on Ketsui and Espgaluda first, since they come from PCB sources and i have something to compare against.
In Mame, the two available bootleg dumps are in a driver that's based on ddp2 init scheme.
From my deductions the ddp2 based games (like espgal and ketsui) only use some encryption as protection.
Once decrypted they might just boot fine. I'm not sure how this works but it seems to me they are xored by a table at boot.
Mame does this in software. I'm not sure how it's done on real hardware (does the ARM cpu on the cart decrypt the game?)
If i look at mame, the two bootlegs from arcademodbios (ketbl and espgalbl) both use the ddp2 init scheme.
It means the program roms are encrypted using the same 'table' as ddp2
ketbl
pgm_arm_type2_state, init_ddp2
espgalbl
pgm_arm_type2_state, init_ddp2
void pgm_arm_type2_state::init_ddp2()
{
pgm_basic_init();
pgm_ddp2_decrypt(machine());
kov2_latch_init();
}
ddp2_decrypt is in pgmcrypt.cpp. Kov2_latch_init installs a read/write latch for an ARM area. nothing else is done in the init.
Now, the two original PCB versions of espgal and ketsui have two different encryption tables, so it's safe to say they have been at least decrypted to then be re-encrypted using the ddp2 encryption table. This had to be done otherwise the cartridge they landed on can not decrypt the program code.
Now, the roms i've posted have done away with at least the encryption table step. But there is an additional init step for the original games.
They have an install_readwrite_handler(0x400000, 0x400005) which basically means they will talk to another device at this memory range.
My next step would be to figure out the commands they expect to read/write from 0x40000x range and see what needs to be done.
Could be just a bunch of startup checks, but could also be calculations offloaded like sprite positions etc. We could at least deduct at this point the arm cpu _was_needed.
Problem is that lydz posted a pic of a board with no ARM on it. So if it looks like a duck, walks talks and quacks like a duck, the ARM must not have much to do once you patch out the (bootup?) protection..
If that is truly the case the roms i posted should just boot on a board with no arm / 027 prot whatever
They are program roms, 27C160 or 322 as needed, and see if they boot up
The MM board, if it's original is probably set up to decrypt the program rom using the ARM.
As i said, i don't know how to disable encryption on real hardware :/
Lydz didn't post clear instructions or high res pictures on how he disabled it on the cart posted.
Assumption: PALS are needed for gfx/audio decoding and setup of the arm/prot config? Lydz also mention D1
Pin 1 of U4 does not need to be lifted, as the pad on the PCB is unconnected. I believe you would still need to run a wire to it for Vcc though. Here is a converted cart I was playing around with to confirm:DoDonpachi Dai Ou Jou Black Label conversion on Knight of Valour Super Heroes:
I can't guarantee there's no mistake in the information given, I don't have any donor cart to do the conversion from scratch myself.
Also file names in the MAME romsets don't correspond to the donor used here so I've tried to figure this out.
The model cart being borrowed from @oneleaf86, I don't want to mess to much with it (i.e. desoldering chips and dumping them).
Donor PCBs look like this:
Link to the needed files:
http://www.filedropper.com/ddpdojblkbl
Chips needed:
- 1 * 27C322
- 4 * MX26L6420
- 1 * MX29L3211
Burn the files in the appropriate devices:
ddp_doj_u1.bin => 27C322 (U1)
t04401w064.u19 => MX26L6420 (U11)
a04401w064.u7 => MX26L6420 (U1)
a04402w064.u8 => MX26L6420 (U3)
b04401w064.u1 => MX26L6420 (U6)
m04401b032.u17 => MX29L3211 (U4)
Hardware mod:
PROG board:
1) Pull ROMs U1 & U11
2) Install new U1 and U11 but don't solder pin 23 of U11, lift it
3) Connect lifted pin of U11 to 3.3V from left pad of U13 (see top right corner of first pic)
GFSAMPLES board:
1) Pull ROMs U1, U3, U4 & U6.
2) Install new U1, U3, U4 & U6 but don't solder pins 23, lift them. Pin 1 of U4 must also be lifted.
3) Connect lifted pins of U1, U3, U4 & U6 to 3.3V from U13
Another concern I have is that the bypass capacitors are being bypassed (heh). As you can see in the following picture, the bypass caps are obviously tied to the power lines, and since we are delivered 3.3V, we need to lift those pins. Decoupling caps are not strictly necessary, but it's worth pointing out that it may cause some unpredictable behavior:
KalessinDB
Grand Master
Lydz on Taobao seems to have both black and white label ddp available on the same cart, though no one has actually gotten one afaik so we're just going from screenshots. Sheep is using the "standard" conversion that only does black label.
BanishingFlatsAC
Champion
sheep_nova
Grand Master
Hi,
I'm sheep_nova,^+^.
I'm sheep_nova,^+^.
Excellent to see you on the forums, I'm sure you're going to run into a lot of people on here that have bought your goods
Welcome @sheep_nova, can’t wait to get my Ketsui cart 
BanishingFlatsAC
Champion
@sheep_nova welcome aboard. Thanks for offering the service you do at an affordable price!
Welcome, you know me already - that's for sure
Indeed. I just became a sheep_nova customer today and bought a PGM mobo!Excellent to see you on the forums, I'm sure you're going to run into a lot of people on here that have bought your goods
