What's new

Niko

Champion
Joined
Sep 22, 2015
Messages
1,189
Reaction score
1,884
Location
Louisville, Kentucky
I'm not even sure where to start with this, so I'm starting here.

Many years ago before Neo flash carts existed, I discovered a sound glitch in Samurai Shodown V Special that presented in all bootlegs and when played in MAME but did NOT exist on original hardware.

To make a long story shorter, it was discovered that the V-Rom decryption in MAME for Samurai Shodown V Special ( and possibly all PCM2 games ) was incorrect. Razoola ended up comparing the decrypted/unscrambled voice sample between Samurai Shodown 5 and Samurai Shodown 5 Special and found the first 2 bytes of each V-Rom were being decrypted incorrectly and shared the corrected values.

So at this point you're probably asking yourself, "who cares? Bootlegs are crap and why use MAME when we have flashcarts!". Well boys and girls, all flashcart options and even MiSTer require the roms be decrypted prior to running.

On the NeoSD the V-Roms are patched in memory. I'm not sure if the Darksoft multi is doing the same, but the issue definitely exists on the MiSTer and I noticed the SMDB for the Darksoft flash cart that comes with the Hardware Target Game Database has the checksums of the BAD V-Roms.

So the question is, how do we fix this? How do we stop circulating this improperly decrypted rom? Do we start with the Hardware Target Game Database? Do we start with our pirate friends distributed the "roll-up packs"? Is there a tool for converting MAME roms to the format accepted by the Darksoft flashcart that could "correct" the rom after decryption?

Here is a sample of the audio glitch. Listen for the "pop" at the end of pronouncing "Basara". Or fire the game up on your MiSTer and select Basara to hear it in person.

Obviously the V-Roms are copyrighted so I cant just share them openly online. But here is a diff of the BAD vroma0 ( left ) and the CORRECT vroma0 ( right ). So feel free to patch it yourself, or shoot me a PM.

Code:
niko@Eva01:/media/niko/7911A70B74F7E10B/MISTER/temp$ diff -y --suppress-common-lines vroma0.old.hex vroma0.hex
00006bc0  ab 00 80 80 80 08 00 80  80 80 08 08 08 08 08 08  | |    00006bc0  08 00 80 80 80 08 00 80  80 80 08 08 08 08 08 08  |
0000ed40  08 08 08 08 08 08 08 08  08 08 08 08 08 08 08 08  | |    0000ed40  08 89 08 08 08 08 08 08  08 08 08 08 08 08 08 08  |
00016bc0  6e 35 42 21 82 00 8a c9  80 18 9a ca db ba e9 a8  | |    00016bc0  82 35 42 21 82 00 8a c9  80 18 9a ca db ba e9 a8  |
0001ed40  31 da 9b 21 23 8b b8 14  09 f9 33 51 9a 9b 01 36  | |    0001ed40  31 8f 9b 21 23 8b b8 14  09 f9 33 51 9a 9b 01 36  |

The ROMs affected by this are as follows ( Pretty much any version of Samurai Shodown 5 Special or Perfect ):
samsh5sp
smsh5sph
smsh5spo
samsh5pf
 
Last edited:
Thanks for sharing! :) I remember reading posts from you about this a long time ago.. (not here).
Hopefully some of the wizards here can implement it in some tool for ease of use.

My Samsho 5 special boot has this exact issue.. tempted to open it up and see if it could be fixed.. :D
 
Thanks for sharing! :) I remember reading posts from you about this a long time ago.. (not here).
Hopefully some of the wizards here can implement it in some tool for ease of use.

My Samsho 5 special boot has this exact issue.. tempted to open it up and see if it could be fixed.. :D

Unfortunately I think its going to be one of those cases where its not going to get fixed until PCM2 decryption in MAME is fixed.

On another note, you can fix your cart, I replaced the V rom in my AES SamSho5 Perfect.
 
Unfortunately I think its going to be one of those cases where its not going to get fixed until PCM2 decryption in MAME is fixed.

On another note, you can fix your cart, I replaced the V rom in my AES SamSho5 Perfect.

I dont know if the Vrom in my cart is encrypted or not.. I guess this needs to be patched in its decrypted state?
Ill open it up tonight and check the pcbs.. its one of those newer boots, prolly same pcbs as the perfect ones on aliexpress

How was yours? already using decrypted roms? or PCM2 on a cpld?
 
Hi Niko. I remember your original post about this now, and I'm sorry I had forgotten about this. I agree it sucks that a lot of people have the incorrect data. I did notice, however, that the one from the NeoSD pack that used to be distributed on n-g.com appears to be correct. At least the plain one labeled Samurai Shodown V Special.

I bought one of those SSVP bootleg carts with the small boards just to have something to put on the shelf for that. Unfortunately it has the problem, and I have no idea how to go about flashing the roms on one of these carts.
 
I dont know if the Vrom in my cart is encrypted or not.. I guess this needs to be patched in its decrypted state?
Ill open it up tonight and check the pcbs.. its one of those newer boots, prolly same pcbs as the perfect ones on aliexpress

How was yours? already using decrypted roms? or PCM2 on a cpld?
It will be decreypted vrom.

Hi Niko. I remember your original post about this now, and I'm sorry I had forgotten about this. I agree it sucks that a lot of people have the incorrect data. I did notice, however, that the one from the NeoSD pack that used to be distributed on n-g.com appears to be correct. At least the plain one labeled Samurai Shodown V Special.

I bought one of those SSVP bootleg carts with the small boards just to have something to put on the shelf for that. Unfortunately it has the problem, and I have no idea how to go about flashing the roms on one of these carts.

On my board, the flash that the V-Rom was stored on was labeled. It had been marked with a “V” using marker.

I initially probbed the address/data lines and used JTAG boundary scan to dump the contents. It was just the two V-Roms concatenated. Unfortunately it was not possible to rewrite the flash while it was on the PCB. So I bought some new flash memory, flashed the correctly decrypted V-Roms, and swapped it out.

Here is the Flash I used.

http://d.digikey.com/dc/KnEa49LIxeP...7FAa0yXPlvlgY924XKw==/z0nd07N0301XpHqjSCsUK00

Here are a few pics when I was initially working on the PCB last year.

2A916786-CF8C-4083-9716-905D54CD0271.jpeg

31CF2295-A863-4AEE-8CDB-EE3B5E7E669D.jpeg

7F12ECB1-8790-4939-834E-A2EDEB5FB1B6.jpeg
 
Last edited:
Nice!! Thanks for explaining! I think I have a couple of IS29GL256 somewhere.. one of those should be a perfect match!
 
Thanks for all the documentation, Niko! I've never flashed these kinds of chips before, so this will be a project if I choose to fix it (I definitely want to). I don't have much time to figure out projects these days, unfortunately, and this cart was really just an impulse purchase to put on the shelf, so this sucks.
 
Thanks for all the documentation, Niko! I've never flashed these kinds of chips before, so this will be a project if I choose to fix it (I definitely want to). I don't have much time to figure out projects these days, unfortunately, and this cart was really just an impulse purchase to put on the shelf, so this sucks.

You might be able to purchase some pre-flashed memories online from buyicnow or one of the other suppliers. Hell, you might even be able to find someone on the forum. I'd offer to do it, but all my tools are packed up at the moment.

Swapping out the chip is easy, its a little daunting at first being a TSOP-56. But I was able to knock it out first try with my Hakko iron and using the "drag soldering" technique. Desoldering the old chip is also a breeze with chipquik. It honestly took longer to open the cart and get my tools and table prepped then doing the actual work. lol
 
hmm mine was a MSP55LV128T that I cant seem to find any datasheet on :/.. wonder if my segger j-link can read it from the pcb...

IMG_2313.JPG
 
hmm mine was a MSP55LV128T that I cant seem to find any datasheet on :/.. wonder if my segger j-link can read it from the pcb...

IMG_2313.JPG

Doing a quick visual comparison with the MT28EW256 data sheet, it looks to be the same.

OE is grounded so you won’t be able to flash it in circuit.

Can you also share a pic of your entire board? Also where did you buy it?
 
Doing a quick visual comparison with the MT28EW256 data sheet, it looks to be the same.

OE is grounded so you won’t be able to flash it in circuit.

Can you also share a pic of your entire board? Also where did you buy it?

Sorry it took so long m8, kid got sick and somewhat chaotic weekend :S

Here are some pics.. bought it from a guy on ebay losirmagic or something.. he prolly gets them from aliexpress by the looks of the pcb.
IMG_2315.JPG

IMG_2316.JPG
 
Last edited:
I wonder which flash contains the V rom.. I saw that all on your board were named "P" on the pcb..

My board have P1, P2, and the one to the right is not named at all.. looking at your board again make me think it actually might be the oned marked P1 on the pcb???
 
I found a suitable flash and have patched the Vrom so I am good to go, but should maybe try to get my j-link going to be sure not removing the wrong chip..
 
oh crap! I didnt have any adapter for the s29gl128! fekk.. hmm the BA016 adapter for my programmer costs 200€, and that kinda defeats the whole thing :(.
Wonder if I can mod the PCB temporarily to reflash the current chip instead via jtag? would that be possible?
 
oh crap! I didnt have any adapter for the s29gl128! fekk.. hmm the BA016 adapter for my programmer costs 200€, and that kinda defeats the whole thing :(.
Wonder if I can mod the PCB temporarily to reflash the current chip instead via jtag? would that be possible?
Would be difficult but not impossible.

I used a USB Flashcat which is fairly inexpensive, but still a bit of an investment if you only need it once.
 
Back
Top