Asure (Netherlands):
Did some hacking on NBA Jam TE so it would run on any T-Unit.

The security is quite devious. And unique per ASIC. The ASIC has functions for moving data around, but it also adds some hidden RAM which is visible to the main CPU.
On NBA Jam/TE this hidden RAM is used in conjunction with a table inside the ASIC.

The flow is like this:

Main game:
This has a function called 'seccall1'.
Basically this is an obfuscated jump. The first action is when the demo game starts and sits in attract..

BB.ASM
Code:
 SUBR    demogame_start            ;Demo mode entry
    JSRP    scrn_scaleininit    ;Hide display
    movi    security_chk->1df60,a8

The offset is loaded into A8 and stuff resumes. Eventually it comes to this point:

BB.ASM
Code:
;-----------
;This is checksummed!
seccall1
    move    a8,a1            ;>Check security
    addi    >1df60,a1
    getpc    a7
    addi    >40,a7
    move    a7,-*sp,L
    jump    a1            ;Rets: A0=0 if OK!
seccall1end
;-----------

The JUMP A1 is basically 'jump security_chk'.
There is never a direct call to the routine below; all of them are obfuscated. There are several calls to this point from game flow btw.

UTIL.ASM
Code:
 SUBR    security_chk     ;Note: this is at FF849B30 in rom
    .if    SECDB
    clr    a0
    rets

A nice big pointer for debugging: it seems to want A0=0 and then a RETS, if we read this properly.. :)
Also great, there is no 'this is checksummed' note here, so we can do as we please. (Or not, more on this later.)

I had thought to replace the security tables, functions etc., but just patched this. And it seems to work fine. Except, when I tried real hardware, I would get strange random bugs.
Balls with weird gravity, the scrolling of the playfield breaks.. But not always, I could play a game perfectly fine.

It turns out both 'seccall1' and 'security_chk' are read from ROM, by ROM, which is near impossible to find using the MAME debugger. Also with any other debugger. Or I lack the knowledge of how to do it.
This checksumming is also referred to by the comment in the code earlier. Except where was it doing this? After some more searching and debugging it turns out it's this little tidbit.
This code gets called when the game is around the 3rd quarter, and displays player stats. This condition is also met several times during the attract loop..
I cleaned it up and left some stuff out for readability.

BB.ASM
Code:
#tag7
    movi    P4DATA,a11        ;A11=*plyr data
    calla    refill_turbo
    calla    prt_top_scores        ;Update scores at scrn top
    calla    prt_cr_timers

    movi    seccall1+>3df2,a0    ;>Chksum security call code
    movk    (seccall1end-seccall1)/16,b0
    movi    ->259e0d-2,a8        ;1st value
#csumlp    move    *a0(->3df2),a1
    add    a1,a8
    addk    16,a0
    dsj    b0,#csumlp                    ;>Chksum security_chk code
    movi    security_chk+>4bbb,a0
    movi    68+128*2,b0        ;#Words
#csmlp    move    *a0(->4bbb),a1
    add    a1,a8
    addk    16,a0
    dsj    b0,#csmlp

    SLEEPK    5
    calla    update_scorebrd
    CREATE0    security_trashstuff    ;Pass A8

And here's security_trashstuff

BB.ASM
Code:
#*******************************
* Trash free object list because security failed (Process)
* A8=Security status (-2=OK!)

 SUBRP    security_trashstuff

    addk    2,a8
    jrz    #x        ;OK?
    movi    TSEC*60*5+1,a0
    calla    RNDRNG0   ;Comment by Asure, this is a random number generator
    addi    TSEC*60*4-3,a0
    calla    PRCSLP        ;Sleep 5-9 minutes
    movi    OFREE,a1
    movk    10,a2
#lp    move    *a1,a1,L
    dsj    a2,#lp
    move    a0,*a1,L    ;Trash 10th free objs *next (-1)

#x    DIE

This uses some macros and creates a 'process' (handled by mproc.asm) which is basically how the T-Unit handles multitasking. The games run as a sort of multitasking OS.
This code runs in a loop, can sleep, linger, awaken, get killed, die by itself when done etc.

So here's the deal. If A8 is not '-2' we do nasty stuff. Randomly between 5-9 minutes. A match is 1m30s. So around 3rd quarter, stuff starts to break. And getting into the next quarter does some auto fixing of registers, so it looks less broken, but still breaks. With some luck we have 9 minutes, and nothing breaks. Arghh. Evil.

Anyway to patch this:
- seccall1 is still the same
- security_chk is just doing CLR A0; RETS now. No calculations w/ hidden ram. Probably faster.
- security_trashstuff just does a DIE now. It still gets created as a process and ends up in the list for a few ms but then just dies.

(attached image: image.png)

With this patched into TE 2.1 the game runs on my standard NBA Jam board fine. (Also tested TE 2.1 Rewind roms.)

This was all very top secret. The MK2 code that was leaked did _not_ contain these routines, but they were still referenced and preventing the game from compiling when I started working on it.
I guess when they gave this code to the PSX developers it was sanitized.
Also in MK1 5.0 for T-Unit there is similar code, but I could not find any cksum on it yet. I also have that patched, but maybe I'll create a different topic for it some day. (It is quite simple.)

Anyway, yes, this means we can have a multi T-Unit.
MK1, NBA Jam, NBA Jam TE, NBA Jam TE Rewind. (I don't care about TROG!)
And MK2 with DCS soundboard.. (or maybe an aftermarket sound board? Or an FPGA alternative sound board.)
Probably the Dredd proto if I find free time to look at it. I don't know how @Hammy patched it yet.

An educated hacker could now go and make some ROMs with the pointers above, and probably something will end up on eBay. Should I set up a PayPal donate button? Mweh. I didn't think this through when I started this for knowledge and fun. I don't even have enough EPROMs and T-Unit boards to work with lol. I hope it at least makes for a nice read.
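The self-check in the post is a two-region additive sum: #tag7 seeds A8 with ->259e0d-2, adds every 16-bit word of seccall1 and of 68+128*2 words of security_chk, and security_trashstuff then treats A8 == -2 as "OK" and anything else as "sleep a few minutes, then corrupt the free object list". The following Python is an added example that models that check; it is not code from the post, the leaked source, or the game. It assumes the `move *a0(...),a1` field reads are unsigned little-endian 16-bit words, that `addk 16,a0` steps one word (TMS34010 addresses count bits), and it uses constructed stand-in ROM regions rather than real ROM data. The TSEC-based random delay is only named in the returned description, not modelled.

```python
"""Model of the NBA Jam TE ROM self-check described in the post (added example)."""
import struct

MASK32 = 0xFFFFFFFF            # TMS34010 registers are 32 bits wide

# Constants lifted from the #tag7 and security_trashstuff listings in the post.
SEED = (-0x259E0D - 2) & MASK32     # movi ->259e0d-2,a8  ("1st value")
SECURITY_CHK_WORDS = 68 + 128 * 2   # movi 68+128*2,b0    ("#Words")
EXPECTED = (-2) & MASK32            # security_trashstuff treats A8 == -2 as OK


def words_le(region: bytes):
    """Yield the 16-bit words of a ROM region in address order.

    Each #tag7 loop iteration does 'addk 16,a0'; addresses count bits, so +16
    is one word. Assumption: the field read is an unsigned little-endian word.
    """
    if len(region) % 2:
        raise ValueError("region must contain whole 16-bit words")
    for (word,) in struct.iter_unpack("<H", region):
        yield word


def rom_checksum(seccall1_region: bytes, security_chk_region: bytes,
                 seed: int = SEED) -> int:
    """Replicate #csumlp/#csmlp: add every word of both regions onto the seed."""
    acc = seed
    for word in words_le(seccall1_region):      # (seccall1end-seccall1)/16 words
        acc = (acc + word) & MASK32
    for word in words_le(security_chk_region):  # 68+128*2 words
        acc = (acc + word) & MASK32
    return acc


def integrity_ok(a8: int) -> bool:
    """security_trashstuff: 'addk 2,a8 / jrz #x' -> only A8 == -2 takes the exit."""
    return (a8 + 2) & MASK32 == 0


def patch_word(region: bytes, index: int, value: int) -> bytes:
    """Return a copy of region with one 16-bit word replaced (a code patch)."""
    buf = bytearray(region)
    struct.pack_into("<H", buf, index * 2, value & 0xFFFF)
    return bytes(buf)


# Constructed stand-ins for the two checksummed regions (not real ROM data).
# Their words sum to 0x259E0D, which is what the seed -0x259E0D-2 needs in
# order to land on -2; in the real game that relation comes from the seed
# constant having been set to match the shipped code.
CLEAN_SECCALL1 = struct.pack("<8H", *([0x2000] * 7 + [0x0A0D]))
CLEAN_SECURITY_CHK = struct.pack(
    "<%dH" % SECURITY_CHK_WORDS, *([0x1D00] * SECURITY_CHK_WORDS))


def check_rom(seccall1_region: bytes, security_chk_region: bytes) -> dict:
    """Run the check and report what the game would do with the result."""
    a8 = rom_checksum(seccall1_region, security_chk_region)
    ok = integrity_ok(a8)
    return {
        "a8": a8,
        "ok": ok,
        # Per the post: success -> the process just DIEs; failure -> it sleeps
        # a random number of minutes, then trashes the OFREE list.
        "trash_process": "DIE" if ok else "sleep, then trash OFREE",
    }


if __name__ == "__main__":
    clean = check_rom(CLEAN_SECCALL1, CLEAN_SECURITY_CHK)
    print("clean:   a8=%#010x ok=%s -> %s"
          % (clean["a8"], clean["ok"], clean["trash_process"]))
    # Overwrite the first word of security_chk, as patching its entry point does.
    patched = check_rom(CLEAN_SECCALL1, patch_word(CLEAN_SECURITY_CHK, 0, 0x0000))
    print("patched: a8=%#010x ok=%s -> %s"
          % (patched["a8"], patched["ok"], patched["trash_process"]))
```

Any single-word change to either region moves the 32-bit sum off -2, which is why the CLR A0; RETS patch alone produced the delayed, intermittent breakage the post describes: the check still fires, and the randomised sleep in security_trashstuff is what makes the failure look unrelated to the patch. A plain additive sum like this is an anti-tamper tripwire, not a cryptographic integrity check.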
 
TE on standard h/w is fantastic! I did not think it was easy with all those CALC's going on.

RE: Dredd, if you don't get time for it I'll re-crack it next year when time is more free...
 
Wow awesome news! Would love to have mk1 & mk2 on same board. I have NBA JAM, NBA JAM TE, MK2, but no mk1 T board :(
Do all of them use the same soundboard? (ex mk2)
 
Judge Dredd, NBA Jam, NBA Jam Tournament Edition, and Mortal Kombat all use the ADPCM sound board. and you know Mortal Kombat II uses the DCS sound board. you'll therefore be able to grab most of the T-unit games. I have several NBA Jam boards, I should turn one into Judge Dredd someday even though I think the game is abysmal to play. LOL
 
Wow, great work!

The NBA JTE hack with MJ and everyone would be great to get on all the Tunits!
 
I'm particular about them being original like I remember them from 30 years ago but that project blows my mind that it's even a thing.
 
My boardsets are missing a soundboard or 2.. making a repro of the soundboard wouldn't be difficult, but sourcing original components will be a pain.. most Yamahas and Motorola 6809s I have bought in the last 2 years have been fakes.. and I don't have the skills to use FPGAs instead of 'em.. might not matter much now since FPGAs still are unobtainium :(
 
I don't have any experience with FPGAs but like a universal sound board would be awesome. I'm sure that's what the Mister does, doesn't it?
 
Yeah it would be possible since most, if not all, the components are available in the repositories. But I have no idea how to take the verilog files and make the fpga actually replace a specific component (voltage level translation aside). It would be so cool to make “new” replacement chips like furrtek has done with the many neo geo customs.. but I just don’t have the programming skills/verilog knowledge :(
 
I've thought about how to do a multi, and T-Unit + special dual soundboard would be a nice target. However, there's some Y-Unit games we have running that could work on the T-Unit as well, and they also use a different sound board (Narc/Trog/Smash/Carnage). We don't have sound code for those games, and they use the older sound board. So it would have to be a custom sound board that can emulate all three types. I do not think this would be very hard to do, the interface with the board is pretty simple, but I lack the skills to do it.

I'm having a hard time with some T-Units as it is, I have two with broken RAM which I don't really understand as they are all on the same bus/connected except some WE/CE/OE signals that I already traced. In both cases UA13 just acts like it's not on the board (I get the same errors when it's on or off the board).

It's just a matter of free time and a good workspace/setup but real life and day job are 'in the way' so to speak :)
 
Total Carnage uses ADPCM sound board like Terminator 2. though I think both of those games used the older revision of it. (different component placement). I'm curious how NARC will work cause it used its own sound board with independent CPUs for the FM and digitizer sections.

when I get moved next month I'll be able to do whatever hardware testing you need because I have multiples of all these games.
 
Ah yes, I'd forgotten about Narc's special sound board.
For the other games.. several approaches.

My preferred one would be to emulate / replace a DCS type board.
The games just send a command to the boards (except narc as stated by @mecha).
The board does the rest. This is already implemented in the Pinsound boards (WPC-S) but I don't think it's open source. I think we can do it cheaper in software, on a RPi 3/4 with a hat board that has a sound amp. This way we can have high quality sounds in all the games, better than the original. For MK2 there's CD audio from the PSX and I think some PC versions. Same for NBA's.
We have all the DCS sound tools to recreate a set of sound roms for games as needed. DCS sound emulation cores exist, also M1 player (closed source?)
Sound I/O hooked up to gpio from the PI. Alternative just emulate the default t-unit board, and dcs and whatever is needed, some dips on the pi hat to control board type..

This would require designing the hat board, coding some software around it to read the gpio etc etc.
There's plenty of ym2151 cores, a good adsp-2105 core as well.
I lack time and it's a niche market. Maybe good if you target the pinball guys too, they pay $400 for a pinsound board now. Call it pisound board haha.

I'm off to bed, but this is the future. These boards will only get more expensive because of hacks like I did, and the hardware will die eventually.
 
I don't know if you post at KLOV, but braedel there came up with a Arduino gimmick that plays all the sounds in those sound boards. he's done it with Smash TV CVSD but I'm sure it works with the ADPCM boards the same way. I'm sure we can combine some brains together to create something revolutionary. I have a bunch of bad Revolution X sound boards, it would be wild to find a way to resurrect those.
 
What happens if I burn the ASIC-patched Rewind ROMs and put them in TE hardware? Will it still work? I have a couple boards I am trying to bring back to life and would love to make one set of ROMs that pass checksum to test both TE and reg JAM if I could.

Also, where is the "Buy me a beer" donate button?
 
The ASIC functions are 99% the same between the boards as far as I can tell. It's just the hidden memory mapper that differs, along with the calculation table. And my hacked ROM does not care about the tables or hidden RAM. It does need the ASIC on the board to move data around, it just doesn't matter which ASIC.. the ones from NBA and TE sure work, I didn't test on an MK1 / MK2 ASIC.

Well, I didn't do it for the money, just for the technical challenge and to distract myself from general things in life.
 
I was trying to assist Scuba with another of his 800 problems and whilst perusing the NBA Jam schematics I found that the scaler/ASIC is actually called "FPGA" on the sheet.

Eugene Jarvis called the DMA Special Chips on Robotron hardware GPUs! LOL
 
Super High Impact is not a T-Unit board.
Oh, you are right, dang it, I checked it online just a week ago and already forgot.. well, if there are any chances for an MK1 patch to try MK1 on an MK2 PCB, please let me know :D

my initial hopes way back, when I bought the high impact boards was to save it for a mk1 4.0 conversion in case it ever came around :)
 