Well, the other chip is the CPLD, so it seems the bootleggers found it easier to do a CPLD instead of writing a program for the microcontroller.

Good news and bad news with the CPLD, I need to speak to a few people about it... maybe it's not so bad to read out :)
 
I received the ROM board without a mainboard and just stuck it on a stock ZN-1. I didn't even connect the two wires. Maybe the issues with the game came from that?

Dumps of the two other socketed roms can be found here:

https://www.sendspace.com/file/jza92e

I have no way of dumping the MX chip. I can remove it if someone wants to dump it.
*** EDIT *** Yes roms are modified.

Run through romcmp 2 vs. 9 files:

Code:
at27c010.bin                                           1111xxxxxxxxxxxxx = 0xFF
                        br2_u0412.412                1xxxxxxxxxxxxxxxxxx = 0xFF
                        br2_u049.049                 1xxxxxxxxxxxxxxxxxx = 0xFF
                        rom-2b.210              1ST AND 2ND HALF IDENTICAL
at27c010.bin            br2_u0412.412 [3/4]      95.651245%
at27c010.bin            br2_u049.049 [3/4]      95.651245%
at27c010.bin            br2_u0412.412 [4/4]      95.651245%
at27c010.bin            br2_u049.049 [4/4]      95.651245%
27C160.bin   [2/4]      flash0.021   [odd 1/2]  5.271530%
27C160.bin   [3/4]      flash1.024   [odd 1/2]  4.819298%
27C160.bin   [4/4]      flash0.021   [odd 2/2]  3.338814%
27C160.bin   [1/4]      flash1.024   [even 1/2] 2.874374%
                        rom-1a.028              NO MATCH
                        rom-1b.29               NO MATCH
                        rom-2a.026              NO MATCH
                        rom-2b.210              NO MATCH
                        rom-3.336               NO MATCH
The link is dead, does anyone still have a copy?
 
Reuploaded it here:

https://www.sendspace.com/file/z1elmo

I also have the MX chip desoldered. Problem is the Superpro is just erroring out when trying to read it. So either the adapter I have for it is the wrong one or I cooked the chip while removing it. Anyone here interested in trying to dump it?
 
Trying to find someone..

It needs the flash dumping also, not the easiest of jobs.
 
I received the ROM board without a mainboard and just stuck it on a stock ZN-1. I didn't even connect the two wires. Maybe the issues with the game came from that?
What are the markings on the chips ic353 (bios) & ic652 (cat702) on the motherboard?
 
No clue. I have long since sold the motherboard and I'm left with just the cart.
 
No clue. I have long since sold the motherboard and I'm left with just the cart.
That is a shame, I have a reasonable idea how the protection works on these bootlegs but I can't see how it could work on any motherboard. In fact I can't make it work on the motherboard I'd expect it to work with either.
 
The motherboard must have come / got sold with a game, whatever original software worked on there should give an idea.

Is all the program data dumped for this bootleg then? One of the dumped roms looks like for the OKI.

Do you have the g-net conversions booting in mame yet?
 
The motherboard must have come / got sold with a game, whatever original software worked on there should give an idea.

Is all the program data dumped for this bootleg then? One of the dumped roms looks like for the OKI.

Do you have the g-net conversions booting in mame yet?
Only two of the bloody roar 2 roms are dumped. One of the ROMs is for the OKI & the other is for the CAT702 replacement.

The CPLD appears to just grab a byte from the ROM and bit shift it out. Only a small part of the game boot is encrypted and so a replay attack is practical. The beastorizer bootleg that is already in MAME has a similar ROM, oddly they used a 16 bit EPROM and the upper and lower bytes of each word are identical.

The file seems to include the responses from the CAT702 on the motherboard and the one on the gameboard.

However after 0x50 bytes, this dump and the one from beastorizer diverge from what MAME normally returns and the game crashes. This might be an emulation issue that eventually fixes itself (the bios retries accesses if it gets data it doesn't like, so it might not be working properly anyway) or it might be that the CPLD does something more complex than just shifting each byte out from the start of the ROM to the end.

I can't currently see how either game would boot on anything other than a raizing motherboard with ET01 CAT702 and -54 BIOS. It's possible they found some way of exploiting the bios & I'm missing some crucial part of making it work.

Which does raise the question what game they were using as the donor, as we don't have any other games dumped for this motherboard at all. It's possible that raizing knocked out the bootlegs themselves, to avoid paying Sony some licence fee. If Sony supplies the CAT702 programmed, then it's an easy way of enforcing some form of per game license fee. All they had to do was order a few hundred motherboards as spares.

A few years later the raizing motherboard was used by someone else for Bust A Move 2, while raizing themselves switched to releasing games on Tecmo motherboards (MG01 CAT702, -61 BIOS). I'm not sure of why they would switch round like that, the CAT702 devices normally follow a naming pattern based on the publisher.

A logic analyser dump of the serial stream from the bootleg as it starts up would help figure out what is going on, I'm out of ideas & I don't want to get bogged down. So I've put a note in the source & I'm going to move on. You or anyone else is more than welcome to take a look, I might be missing something obvious.

I don't see any point in trying to duplicate it for making other bootlegs, now we know how the CAT702 works then adding an extra ROM is more complex. In fact it's the mask roms that are the biggest hurdle.

I've thought about supporting the g-net conversions in MAME, however someone on DU is friends with arcademodbios and so it's currently on hold. I don't tend to speculate on things I might do in the future, to avoid over committing myself.
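
The comparison described in the post above can be automated. This is an added example, not part of the original thread or of MAME's source: it models a ROM being shifted out bit by bit, collapses a 16 bit EPROM image whose upper and lower bytes match, and reports where a replay dump first diverges from a reference stream. The bit order, the function names and the sample bytes are assumptions constructed for illustration.

```python
from typing import Iterator, Optional, Tuple


def collapse_duplicated_words(image: bytes) -> Optional[bytes]:
    """Return one byte per 16-bit word if both halves of every word match, else None."""
    if len(image) % 2:
        return None
    low, high = image[0::2], image[1::2]
    return low if low == high else None


def shift_out(rom: bytes, msb_first: bool = True) -> Iterator[int]:
    """Yield the ROM one bit at a time, byte by byte from start to end.

    Bit order is an assumption; the thread does not state it.
    """
    order = range(7, -1, -1) if msb_first else range(8)
    for byte in rom:
        for bit in order:
            yield (byte >> bit) & 1


def first_divergence(replayed: bytes, expected: bytes,
                     msb_first: bool = True) -> Optional[Tuple[int, int]]:
    """Return (byte_offset, bit_index_in_shift_order) of the first differing bit.

    Returns None when the streams agree over the length of the shorter one.
    """
    pairs = zip(shift_out(replayed, msb_first), shift_out(expected, msb_first))
    for position, (got, want) in enumerate(pairs):
        if got != want:
            return divmod(position, 8)
    return None


# Constructed sample data, not taken from any real dump.
EXPECTED = bytes((i * 37 + 11) & 0xFF for i in range(0x60))
# Replay ROM that agrees for 0x50 bytes, then has its lowest bit flipped.
REPLAY = EXPECTED[:0x50] + bytes(b ^ 0x01 for b in EXPECTED[0x50:])
# The same replay data laid out as a 16-bit EPROM with identical byte lanes.
EPROM16 = bytes(b for value in REPLAY for b in (value, value))

if __name__ == "__main__":
    stream = collapse_duplicated_words(EPROM16)
    offset, bit = first_divergence(stream, EXPECTED)
    print(f"first divergence at byte 0x{offset:X}, shifted bit {bit}")
```
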
 
Only two of the bloody roar 2 roms are dumped. One of the ROMs is for the OKI & the other is for the CAT702 replacement.
The CPLD appears to just grab a byte from the ROM and bit shift it out. Only a small part of the game boot is encrypted and so a replay attack is practical. The beastorizer bootleg that is already in MAME has a similar ROM, oddly they used a 16 bit EPROM and the upper and lower bytes of each word are identical.

The file seems to include the responses from the CAT702 on the motherboard and the one on the gameboard.

However after 0x50 bytes, this dump and the one from beastorizer diverge from what MAME normally returns and the game crashes. This might be an emulation issue that eventually fixes itself (the bios retries accesses if it gets data it doesn't like, so it might not be working properly anyway) or it might be that the CPLD does something more complex than just shifting each byte out from the start of the ROM to the end.
Thanks for the detailed explanation! No wonder I was a bit baffled by the dumps.. No program LOL

I can't currently see how either game would boot on anything other than a raizing motherboard with ET01 CAT702 and -54 BIOS. It's possible they found some way of exploiting the bios & I'm missing some crucial part of making it work.

Which does raise the question what game they were using as the donor, as we don't have any other games dumped for this motherboard at all. It's possible that raizing knocked out the bootlegs themselves, to avoid paying Sony some licence fee. If Sony supplies the CAT702 programmed, then it's an easy way of enforcing some form of per game license fee. All they had to do was order a few hundred motherboards as spares.
Raizing would have had access to the real original sound chips, it's gotta be a bootleg due to the lower quality OKI being used.
I guess the 2 wires going to the bottom board feed the game with the ET01 data, but as you say it does not explain the bios lock...

The guy who will be doing the dump will have some ZNx motherboards to test it on hopefully and we can get an answer.

I don't see any point in trying to duplicate it for making other bootlegs, now we know how the CAT702 works then adding an extra ROM is more complex. In fact it's the mask roms that are the biggest hurdle.
This is clear now, there's a much better way :)
Mask roms for the capcom stuff won't be an issue but the surface mounted masks for tecmo / taito etc stuff are a bit of a setback.

I've thought about supporting the g-net conversions in MAME, however someone on DU is friends with arcademodbios and so it's currently on hold. I don't tend to speculate on things I might do in the future, to avoid over committing myself.
Haha, a lot to say here but let's just say no comment for this one... Other than the big surprise he has any friends left :)
 
Raizing would have had access to the real original sound chips, it's gotta be a bootleg due to the lower quality OKI being used. I guess the 2 wires going to the bottom board feed the game with the ET01 data, but as you say it does not explain the bios lock...
The output from both of the cat702 chips are wired together, but when they aren't active the outputs float. If they just captured the data on the output pin, then they would get the output from both cat702. My guess is the outputs get AND'd so as long as the bootleg is outputting what the motherboard cat702 outputs, then it's fine. If the cat702 replacement is always active then you might be able to remove the cat702 from the motherboard and still boot.

No idea what the two wires are for. Where do they go to on the game board?

For the ultimate experience you need a brand new top board with loads of ram, an sdcard and a decent fpga which could emulate qsound or any of the YM chips. It's a lot of work and would be relatively expensive, but you could run anything on it (well except primal rage 2, unless you upgraded the motherboard to 8mb of ram)

I don't know arcademodbios and other than him making money, I don't know why he would be unpopular.

This message board is annoying, is there a way to switch it into a mode where you can easily copy and paste the quotes?
 
smf said:
This message board is annoying, is there a way to switch it into a mode where you can easily copy and paste the quotes?
Click the empty box in the upper-left when typing a reply to see the bbcode version which is easier to edit.
 
I'll add $10 per game as well for most, and $50 for any of the 3 'viable' games (bloody roar, nba jam, puzzle bobble 2)
 
smf said:
This message board is annoying, is there a way to switch it into a mode where you can easily copy and paste the quotes?
Click the empty box in the upper-left when typing a reply to see the bbcode version which is easier to edit.
doh, thanks. how did I miss that.

I'll add $10 per game as well for most, and $50 for any of the 3 'viable' games (bloody roar, nba jam, puzzle bobble 2)
It's a different Bust A Move 2. In countries where Puzzle Bobble was released as Bust A Move, they released the other Bust A Move as Bust A Groove.
 