The security chip is a sort of number tumbler based on the bits coming in and going out, I think it is too complex to just use a PLD. I had considered just skipping making a chip and emulating the serial communication as it's pretty simplistic bit math but haven't had time to give it a try. However if you're aware of a method that already exists to make the chip I'm all ears.
- Thread starter twistedsymphony
- Start date
I had heard someone mention that they could replace them with a PLD but after looking at the MAME driver for the protection chip I came to the same conclusion you did. Would definitely be interested in a simple chip solution.
Probably the easiest way is to buy a bootleg ZN rom board (bloody roar 2 for example) or converted rom board and employ what they did. Solutions exist out there, it's just not a cut and paste solution though.
The bootleggers use this chip:
https://www.mouser.co.uk/datasheet/2/268/doc1001-1180642.pdf
Yes it's a shame that nobody snapped up that bootleg... Plenty more fish in the sea.
You could disassemble the non-gnet games and copy the mod to the original rom variant and try that.
Problem is getting the gnet mod bios thing running in mame to get a disassembly.
I have a Bloody Roar 2 bootleg here. Unfortunately, it's not a very good one as it locks up during the intro. If you start the game before it, you can play it up to some point. I don't think you can finish it though.
Anyway, can I do something meaningful with it? Is it of some use to someone here?
Anyway, can I do something meaningful with it? Is it of some use to someone here?
do they use that on the main board as well? it doesn't look like it'd be pin compatible.
Sounds like it's not a good crack if there's lock ups, but it's still worth checking out
It needs to be dumped, and possibly the security chip traced out.
Anyone with desoldering skills and the AT89c4051 in the device list will do.
Providing the bios is not required to dump the rest will be a fairly simple job
Now that's a good question, a picture of the bottom board of this bootleg will have all the answers.
Is the bios modified, and is the security chip original...
Obviously the bootleg top board has been re-designed. a small adapter will be required for the replacement on an origianl.
Thinking about this you could likely develop a Capcom ZN2 multi similar to Apocalypse's C2 Multi without patching any of the ROMs. If you used one of these MCUs there's enough unused data lines that you could use a few of them to select which key algorithm it's emulating. This assuming none of the Capcom customs on the ROM board are game specific.
Here's pics of the board:
The AT89c4051 is socketed and I have it in my programmer's device list, however, reading it I just get 4 KB of FF.
Attachments
This one is slightly different to the one i've seen, maybe yours is an older version:
http://www.happy-manor.com/itm/459260/71605/Arcade-PC-Board/KONAMI/Bloody-Roar-II-PC-K106
Bad news about the surface mounted rom, your one has some of the program in the SMT MX chip instead of 2x 160's.
The 27c160 in the socket should be dumped anyway, maybe Coolfox or someone will be up for dumping the tricky one (i have no adapters).
Looks like the atmel has a security bit, that's a bummer.
Good news is that it's spoofing the security using only 2 wires?!?
And the atmel looks like it's controlling the OKI. and not the protection?
Maybe it's simpler than copying the chip anyway.
With a hack that simple it's more than likely a code patch with the bare minimum connected in place of the chips for the board to function.
Has the mainboard surface mounted bios been changed?
http://www.happy-manor.com/itm/459260/71605/Arcade-PC-Board/KONAMI/Bloody-Roar-II-PC-K106
Bad news about the surface mounted rom, your one has some of the program in the SMT MX chip instead of 2x 160's.
The 27c160 in the socket should be dumped anyway, maybe Coolfox or someone will be up for dumping the tricky one (i have no adapters).
Looks like the atmel has a security bit, that's a bummer.
Good news is that it's spoofing the security using only 2 wires?!?
And the atmel looks like it's controlling the OKI. and not the protection?
Maybe it's simpler than copying the chip anyway.
With a hack that simple it's more than likely a code patch with the bare minimum connected in place of the chips for the board to function.
Has the mainboard surface mounted bios been changed?
I received the ROM board without a mainboard and just stuck it on a stock ZN-1. I didn't even connect the two wires. Maybe the issues with the game came from that?
Dumps of the two other socketed roms can be found here:
https://www.sendspace.com/file/z1elmo
I have no way of dumping the MX chip. I can remove it if someone wants to dump it.
Dumps of the two other socketed roms can be found here:
https://www.sendspace.com/file/z1elmo
I have no way of dumping the MX chip. I can remove it if someone wants to dump it.
Last edited:
Sweet, thanks for the dump! Will have a scan over it soon and see if there's any changes.
Yes that 'socket' should be in place of the mainboard's cat702. (ic652)
Take your cat chip out and try it with that in place, see if it fixes the problems
Looks like the bios lockout has been defeated because it boots / runs (kinda) on a random motherboard with the wrong mainboard bios / cat chip.
Highly advanced bootleg right there (if it runs correctly with the mod in place)
If nobody on here wants to do the dump i will ask in the dumping union.
*** EDIT *** Yes roms are modified.
Run through romcmp 2 vs. 9 files:
Code:
at27c010.bin 1111xxxxxxxxxxxxx = 0xFF
br2_u0412.412 1xxxxxxxxxxxxxxxxxx = 0xFF
br2_u049.049 1xxxxxxxxxxxxxxxxxx = 0xFF
rom-2b.210 1ST AND 2ND HALF IDENTICAL
at27c010.bin br2_u0412.412 [3/4] 95.651245%
at27c010.bin br2_u049.049 [3/4] 95.651245%
at27c010.bin br2_u0412.412 [4/4] 95.651245%
at27c010.bin br2_u049.049 [4/4] 95.651245%
27C160.bin [2/4] flash0.021 [odd 1/2] 5.271530%
27C160.bin [3/4] flash1.024 [odd 1/2] 4.819298%
27C160.bin [4/4] flash0.021 [odd 2/2] 3.338814%
27C160.bin [1/4] flash1.024 [even 1/2] 2.874374%
rom-1a.028 NO MATCH
rom-1b.29 NO MATCH
rom-2a.026 NO MATCH
rom-2b.210 NO MATCH
rom-3.336 NO MATCH
Last edited:
The protection in the ZN platform is a serial bus so it's not surprising that only 2 pins are necessary.
Yep and it's in use directly by the atmel quad and that's a shame..
So traced out the cat 702 on a pcb.
pin
1 - n/c?
2 - 5v
3 - 5v
4 - 5v
5 - tied with 6 / b21 on connector
6 - tied with 5 / b21 on connector
7 - a20 on connector
8 - a21 on connector
9 - 5v
10 - gnd
11 - gnd
12 - n/c?
13 - 5v
14 - b19 on connector
15 - 5v
16 - n/c?
17 - 5v
18 - 5v
19 - 5v
20 - 5v
that makes the signals b21, a21, a20 and b19
seems right as 5+7 are connected to the base board on that bootleg.
I have studied the picture a little better and it looks like the 2 feeds are going into the atmel quad.
It also looks like the edge connector signals are going directly into there too.
What is the chip code on the atmel? More than likely secured up anyway like the first one.
Hopefully the last rom contains some meat + potatoes, otherwise reversing this one is a dead end.
The dumped rom looks good (text strings etc) but without the rest it can't be loaded up / split back to it's correct size.
So traced out the cat 702 on a pcb.
pin
1 - n/c?
2 - 5v
3 - 5v
4 - 5v
5 - tied with 6 / b21 on connector
6 - tied with 5 / b21 on connector
7 - a20 on connector
8 - a21 on connector
9 - 5v
10 - gnd
11 - gnd
12 - n/c?
13 - 5v
14 - b19 on connector
15 - 5v
16 - n/c?
17 - 5v
18 - 5v
19 - 5v
20 - 5v
that makes the signals b21, a21, a20 and b19
seems right as 5+7 are connected to the base board on that bootleg.
I have studied the picture a little better and it looks like the 2 feeds are going into the atmel quad.
It also looks like the edge connector signals are going directly into there too.
What is the chip code on the atmel? More than likely secured up anyway like the first one.
Hopefully the last rom contains some meat + potatoes, otherwise reversing this one is a dead end.
The dumped rom looks good (text strings etc) but without the rest it can't be loaded up / split back to it's correct size.
This is the comparison of the AT89C4051 vs the CAT702 that I did earlier:
Code:
AT89C4051 - CAT702
01 - RST/VPP - ?
02 - P3.0 (RXD) - +5V
03 - P3.1 (TXD) - +5V
04 - XTAL2 - +5V
05 - XTAL1 - Select
06 - P3.2 (INT0) - Select
07 - P3.3 (INT1) - Clock
08 - P3.4 (T0) - Data In
09 - P3.5 (T1) - +5V
10 - GND - GND
11 - P3.7 - GND
12 - P1.0 (AIN0) - ?
13 - P1.1 (AIN1) - +5V
14 - P1.2 - Data Out
15 - P1.3 - +5V
16 - P1.4 - ?
17 - P1.5 - +5V
18 - P1.6 - +5V
19 - P1.7 - +5V
10 - VCC - +5VAT89C4051 pinout from here: https://www.mouser.co.uk/datasheet/2/268/doc1001-1180642.pdf
if pins 5 and 6 are just tied together then it might be possible to clip pins 4 and 5 off of the AT89C4051 and program it as a drop in replacement.
the select line on pin 6 and the clock line on pin 7 correspond to the interrupt pins, which is perfect and then the data in and data out pins are on GPIO positions and everything else could largely be ignored.
Do we even need the dump from the bootleg? the logic is mapped out in the mame driver. Whats to stop us from just using that?
