defor

Professional
Joined
Sep 25, 2015
Messages
574
Reaction score
398
Location
Washington, DC
Taiko Drum Master
太鼓の達人 / 太鼓之达人
Region Hacking

Some time in late 2015, I was put in contact with some Taiko bootleggers (feel free to argue the semantics of what they were doing elsewhere) who were having trouble getting Japanese versions of Taiko Drum Master 11 and later to run on their Taiko Drum Master 11/12: Asian Edition cabinet, and who had found that the Asian Edition would not run on a Japanese System 256 PCB.

Offhand, this seems impossible, as, up to that point, there were no documented cases of actual REGION locking in any game on the system, so I was intrigued.
I obtained a copy of the game and found, lo and behold, exactly what was said to be happening.
The game would appear to boot, and hang with "SYSTEM ERROR" on the screen.

Clearly, the games were booting, so the issue was NOT with the Sony Mechacon or MagicGate being different or changed, and it seemed unlikely that an entire region would get a custom ROM version PCB just to run 2 games.

After consulting with l_oliveira, we came to the conclusion that it was theoretically possible that the NVRAM on the system might be different (this is where a traditional PlayStation 2 stores system settings and the like).

Through the magic of the internet, I was able to convince my newfound foreign pirate friends to dump their NVRAM with an eprom reader and send it my way.
Somewhat surprisingly, we were right on the money with this guess!

Here's the contents of the NVRAM of a Japanese System 256:
Code:
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

And here's the contents of the NVRAM of the Asian version:
Code:
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
321FC7FA D6EEF01C FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

TLDR: You may note that "32 1F C7 FA D6 EE F0 1C" hanging out in there...
Yep! The "Asian Edition" versions of Taiko 11/12 check for that data in the NVRAM and WILL NOT BOOT IF IT'S NOT THERE, and conversely, the Japanese versions of 11/12/13/14, which appear to be the only other games with region checks of any sort, check for the presence of the same data string and WILL NOT BOOT IF IT IS THERE.

So what to do...
First thing, I made myself an "Asian Edition System 256"... that was simple, boring, and ultimately unsatisfying, as I now had a PCB that would play 2 more games, but now would NOT play 4 others due to the JPN->ASIA lockout imposed on Taiko 11,12,13,14.

Time Passed...
 

Attachments

  • System2X6-TDM-NVRAM-Hacks-Xdelta.zip (5.6 KB)

defor
...Time Passed

I sat on the project again for a good while because searching for this string in any of the binaries on the Asian and Japanese dongles proved fruitless, but I came back to it a few months later, this spring, while doing some dongle testing.
This time, I searched for partial fragments of the hex string, finding success with "32 1F C7 FA D6" as you can see below:

TEBGAME-LOCKOUT.png


Now, as you'll notice, the string is all there, simply broken up 32 1F C7 FA D6 EF EE F0 1C by the unknown data byte (0xEF).
This is the nature of most ***GAME files on the System 246/256; that is to say that they're using an as-yet-unknown compression/encryption mechanism to prevent simple edits to their code. Offhand, this looked more like a dictionary-style compression that reduces the number of common data fragments by deduplication. In these schemes, if you're lucky enough to have a unique string, you can usually edit it without much consequence, or at most, a possible checksum violation.

So what to do?
Well, as we've seen, the data that's normally at that location in the Japanese/Worldwide version of the NVRAM is all 0xFFs, so let's replace the problematic data with that, but let's NOT replace that stray 0xEF, and simply treat it as if it's not there:

TEBGAME-PATCHED.png


And guess what? It works like a champ!


So with that, I created patches for both 11 and 12 Asian Edition that will now allow them to work on any system EXCEPT the Asian PCBs, because the data in the NVRAM now doesn't match this patched version...
Sadly, until we understand the compression of the ***GAME files, we're a bit out of luck on actually patching around the actual lockout entirely...

BUT!

Since we're already in the process of patching, and it's good to be nice to our friends on the other side of the globe, Namco made the process of making a truly universal version of the Japanese games ridiculously easy. Given what we know, the NVRAM in that location is either FF FF FF FF FF FF FF FF or 32 1F C7 FA D6 EE F0 1C, and we know that the Japanese versions won't boot if 32 1F C7 FA D6 EE F0 1C is present, so what could we modify it to look for instead?

HOW ABOUT ANYTHING EXCEPT THOSE TWO VALUES!

So, given that there are only two values we can't choose from and 2^(8*8) or 1.84467440737096e19 (minus 2) possible GOOD combinations, what's the simplest we can all agree on? I decided to go with 00 00 00 00 00 00 00 00...
Yes it's boring, but might as well pick something standard.

Anyway, on my newly crafted "Asian Edition 256", all four Japanese versions of Taiko 11-14 test as working fine, and the same versions also work fine on the Japanese/Worldwide 256 PCBs.

Here's a quick rundown of all the patches (Xdelta versions have been attached to the first message as well):

NM00044 T111001-NA-A, Ver.A09
Taiko 11:
FIND: 32 1F C7 BF FA D6 EE F0 1C
REPLACE: 00 00 00 BF 00 00 00 00 00

NM00046 T111004-NA-A, Ver.A10
Taiko 11 Asian Edition:
FIND: 32 1F C7 FA D6 EF EE F0 1C
REPLACE: FF FF FF FF FF EF FF FF FF

NM00051 T121001-NA-A, Ver.A07
Taiko 12:
FIND: 32 FF 1F C7 FA D6 EE F0 1C
REPLACE: 00 FF 00 00 00 00 00 00 00

NM00054 T121004-NA-A, Ver.A03
Taiko 12 Asian Edition:
FIND: 32 1F C7 FA D6 EE 97 F0 1C
REPLACE: FF FF FF FF FF FF 97 FF FF

NM00056 T1301-NA-A, Ver.A02
Taiko 13:
FIND: 32 1F C7 FA D6 EE F0 C9 1C
REPLACE: 00 00 00 00 00 00 00 C9 00

NM00057 T141001-NA-A, Ver.A03
Taiko 14 & Taiko 14 More:
FIND: 32 FF 1F C7 FA D6 EE F0 1C
REPLACE: 00 FF 00 00 00 00 00 00 00

So, if you can test these, feel free to let me know what you think, and if you have any problems, let me know in this thread!
So far, my other two testers are very happy with their patched dongles, but unforeseen circumstances can always pop up!
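As an added example (my own script, not code from the thread or from defor's patches), this reproduces the analysis in the first post and the patch rundown above: it classifies a 1 KB NVRAM dump by the marker row, and reapplies each listed FIND/REPLACE pair by searching for the 8-byte string with one stray byte allowed inside it. It assumes the dump layout and byte order exactly as printed in the thread.

```python
# Added example, not code from the thread. Assumptions of mine: the NVRAM dump is
# the 1024-byte image printed above (32 rows x 32 bytes, so the marker row is 0x1C0).
MARKER_OFFSET = 0x1C0
ASIA_MARKER = bytes.fromhex("321FC7FAD6EEF01C")  # value found on the Asian PCB
BLANK_MARKER = b"\xff" * 8                       # erased EEPROM on the JPN/world PCB
# FIND strings and fill bytes taken from the patch rundown in the thread
THREAD_PATCHES = [("Taiko 11", "321FC7BFFAD6EEF01C", 0x00),
                  ("Taiko 11 Asian", "321FC7FAD6EFEEF01C", 0xFF),
                  ("Taiko 12", "32FF1FC7FAD6EEF01C", 0x00),
                  ("Taiko 12 Asian", "321FC7FAD6EE97F01C", 0xFF),
                  ("Taiko 13", "321FC7FAD6EEF0C91C", 0x00),
                  ("Taiko 14", "32FF1FC7FAD6EEF01C", 0x00)]

def classify_nvram(nvram: bytes) -> str:
    """Name the region marker carried by a 1 KB NVRAM image (wrong size -> 'other')."""
    marker = nvram[MARKER_OFFSET:MARKER_OFFSET + 8] if len(nvram) == 1024 else b""
    if marker == ASIA_MARKER:
        return "asia"
    if marker == BLANK_MARKER:
        return "jpn_world"
    return "other"  # rejected by both stock checks, accepted by the patched JPN games

def find_split_signature(data: bytes, sig: bytes):
    """Locate sig in data allowing one inserted stray byte; returns (start, gap) or None."""
    n = len(sig)
    for i in range(len(data) - n + 1):
        if data[i:i + n] == sig:
            return i, None
        if i + n + 1 <= len(data):
            for g in range(1, n):  # stray byte sits between sig[g-1] and sig[g]
                if data[i:i + g] == sig[:g] and data[i + g + 1:i + n + 1] == sig[g:]:
                    return i, g
    return None

def patch_signature(data: bytes, sig: bytes, fill: int) -> bytes:
    """Overwrite the matched signature bytes with fill; the stray byte is left alone."""
    hit = find_split_signature(data, sig)
    if hit is None:
        raise ValueError("signature not found")
    start, gap = hit
    out = bytearray(data)
    for k in range(len(sig) + (gap is not None)):
        if k != gap:
            out[start + k] = fill
    return bytes(out)

def thread_patch_results() -> dict:
    """Apply each listed patch to its FIND bytes; returns the REPLACE bytes as hex."""
    return {name: patch_signature(bytes.fromhex(find), ASIA_MARKER, fill).hex().upper()
            for name, find, fill in THREAD_PATCHES}
```

Running `thread_patch_results()` yields exactly the REPLACE lines from the rundown, which is a quick way to confirm a dump or dongle image was patched the way the thread describes.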

Dion

Student
Joined
Mar 12, 2016
Messages
137
Reaction score
55
This may be a stupid question, but which NVRAM do you mean? Not the dongle, right? Because afaik, the dongle content is larger than 2kB.
 

defor
Correct, the NVRAM in question is on the motherboard, not the dongle.
Chip is the BR9080F circled in the photos below:
S256-NVRAM-LOCATION.png


If you want to program it directly, the chip has to be removed from the board.
A programming clip won't work due to other devices becoming partially powered during the programming process.
 

Attachments

  • S256-NVRAM-DETAIL.png (815.5 KB)

l_oliveira

Professional
Joined
Jun 26, 2015
Messages
540
Reaction score
552
Location
Brazil
If you can boot random ELFs with a hacked dongle, why not make a program that actually erases the "ASIA" flag?

It could be even like run once and if not found, add the flag... If found, delete the flag. Actually something very useful.
 

defor
What you're talking about is less compatibility patches for games, and more about the bigger picture: these outstanding "Asian" 256s with the lockout code pre-injected in the NVRAM, and gaining the ability to convert an ASIA 256 to a JPN/EXP/USA 256 via software, instead of via hardware reprogramming of the NAND. This is a great idea for anyone out there stuck with an ASIAN PCB, but outside the scope of my abilities at present. If you, or someone you know, would like to give it a shot, I'm more than happy to be a guinea pig to test and re-dump the NAND after a soft-reprogramming to verify.

Personally, I'd love to see the possibility of a unified tool to initialize the System Time (bonus points if it could use the USB network adapter built into most 2X6's to connect to an NTP server), as well as flash or initialize this NVRAM data (iirc the 246 actually HAS data in the NVRAM, but I'll have to dump it again to verify). Right now, there are only a few games that can set the time from their service menu (Soul Calibur 3 being one).

It's definitely great to be thinking about things like creating new tools and content for the 2X6 outside of just the games Namco & co. created for the system!