Valkyrie No Densetsu hack update (with a vengeance)

Not so long ago Hokuto left a comment on the Namco System 2 Keycus Hacks page regarding a problem with the hack for Valkyrie No Densetsu : the keycus protection chip was also used as a random number generator in the game, leading to strange behaviour alteration …

One of the baddies (Arijigoku aka Antlion) is supposed to throw round projectiles around him, in a random pattern, as you can see in the following Mame capture :

Correct random pattern in Mame with keycus emulation

My hack consisted in removing all keycus memory area calls and replacing them with the “no operation” instruction. It works well when the chip is just used as a protection (check Namco System 2 keycus hacks for more info), but it completely defeats its role as a random number generator. With my hack, the projectiles are thrown in straight lines, as you can see below :

Keycus protection removed without random number generation

In order to restore correct throw behaviour, I created a pseudo random number generation routine in 68000 assembly that I added to the program rom, and replaced previous keycus calls used to get the numbers by a call to this routine.

I had to tweak the code a few times to achieve a good enough result (ie fast and with no visible repeat pattern) as it’s not possible to have a real random number generator. It involved intensive testing in Mame as there’s no savestate available for this game, meaning that I had to speed run the first part of the game to get to the point where the problem appears at every code update …

As you can see below, it works quite well πŸ™‚ (sorry for the animated gif size)

Random throw behaviour

You can grab the updated files in the Namco System 2 Keycus Hacks page.

AGAR v1.2

I just released version 1.2 of AGAR. It’s main feature is the overhaul of the pictures tab in the pcb view : you can now directly drag and drop files from the file explorer to the pictures list. No need to use the clumsy file selector anymore, everything is handled using the mouse.

  • PNG, JPG and GIF files are supported, anything else will be silently rejected.
  • Depending on the settings, files can be resized to the specified resolution, or left untouched if No resizing is checked. Beware of large files in this case, as database size will grow really quickly !
  • Default resize value is initialized to 1024 * 768 as it was in previous versions.
  • Icons are added to every line to edit the label or remove the picture, context menu isn’t used anymore.
  • Single left click still displays the preview, and double left click the full size image.

I made some changes to the Linux version too : in previous versions the database file was created in the config directory, which could lead to permissions problems on the file when updating. The database was supposed to be in the same directory than the executable anyway (it works that way on Windows), so the file will be automatically copied to the right directory at first start. If there’s any trouble doing so, a message will be displayed with relevant information to do it manually.

Finally the binary for Windows is now x86-64, I don’t think the 32 bit version will be missed … if that’s the case drop me a line πŸ˜‰

I created a GitHub page for the project, you can access it here : https://rtoumazet.github.io/agar/ (or using the Projects tab above).

Cheers !

Namco System 2 keycus hacks

Last year Guru asked me if I could alter the program code of a Final Lap 2 so it would bypass access to the protection chip which had failed. The protection chip, known as ‘keycus’, is used on various Namco arcade systems.

Final Lap 2 runs on the System 2 hardware, 68000 based. As I have some experience about 68000 programming, I gave it a go.

The keycus is accessed between address 0xd00000 and 0xd0000f, and generally returns random numbers which are expected by the system.

Keycus ID for Final Lap 2 is C318. When you try to run the board without it, you get this message on boot up :

RAM ERROR
C00400

I did search the program rom for access to the keycus area, and bypassed them. The modified program rom was then tested successfully on real hardware.

Next on line was Final Lap 3. This one uses 2 keycus chips for protection : the C318 (same as Final Lap 2) and C341. When either of the chips fails or is removed, the message


SYSTEM DOWN!

appears at boot up.

I used the same method as for Final Lap 2, and the modified version was also confirmed working on real hardware.

I ended up patching all System 2 games using a keycus for protection, for a total of 22 games (39 different sets), listed below :

  • Bubble Trouble – Golly Ghost 2
  • Burning Force
  • Cosmo Gang the Video
  • Dirt Fox
  • Dragon Saber
  • Final Lap 2
  • Final Lap 3
  • Finest Hour
  • Golly! Ghost!
  • Kyuukai Douchuuki
  • Marvel Land
  • Mirai Ninja
  • Ordyne
  • Phelios
  • Rolling Thunder 2
  • Steel Gunner 2
  • Suzuka 8 Hours 2
  • Super World Stadium
  • Super World Stadium ’92
  • Super World Stadium ’93
  • Valkyrie No Densetsu

Files are available here or in the Download section.

All the sets have been successfully tested on Mame, but only 4 of them were tested on real hardware so far. So if you are testing one of those that have not been tested yet, don’t hesitate to send a feedback, I’ll gladly add it to the list πŸ™‚

All the hardware information used in this post was provided by Guru.

Taito – Rainbow Islands repair log

Hi there !

2 posts on the same day ? Watch out for hail πŸ˜€

A few years back I bought a Rainbow Islands pcb, the mythical Bubble Bobble sequel from Taito. I got it pretty cheaply then because of a very simple reason : the custom chip handling the colors (the infamous TC0070RGB) was in a very sorry state, and the game couldn’t run properly.

This custom chip is in a SIL package (Single In Line), soldered vertically to the pcb, making it really vulnerable to physical shocks.

The board was clean, but the custom was torn off and soldered back using component legs … as solder isn’t known for its mechanical strength, this repair couldn’t last.

Check it outΒ  :


Unsoldered legs, loose connections, etc. … there’s a lot to do !

As I had various other ongoing projects at the time, and above all I didn’t know to tackle this issue I moved on something else and forgot this board in a cardboard.

A few months back I came across someone’s website offering print draft of this custom chip. They weren’t available online anymore due to some abuse, but after some time we came to an agreement and he provided me with the files in order to do some real testing.

I ordered 5 pcb pieces from PCBWay (minimum order), and started looking for the parts needed. The pcb uses CMS 0805 parts, I never had the chance to work on a project of that scale with parts that small.

Here are the pcbs from PCBWay (I removed the markings from the picture as I don’t want the person to be annoyed because of me πŸ˜‰ )

Placing resistors before hot air soldering (it’s really small, magnifier recommended !)

Soldering done ! A bit of cleaning is needed, and I have to remove excess solder (hard to measure out with the needle), but it’s not that bad actually …

Added a socket a make testing easier.

Fresh new custom is plugged in, and …

Yikes … what’s happening ? Colors are there but seem washed out … looks like a grounding problem.

To be sure I rewired the original custom to the board, in order to rule out a pcb fault :

And everythings fine, so the problem is inside the new custom :/

After discussing back and forth with the designer, he detects a ground difference between 2 parts, and recommends me to add some kynar wire between 2 locations … I do as he says, and …

Great ! Quite happy to add this one to my collection πŸ™‚

Cheers !

AGAR 1.1.10

Hi there,

As I did a bit of cleaning in my garage, I added some new entries to my AGAR database, and I noticed that faults weren’t reloaded when editing an existing pcb : data was correctly saved in the database, but it wasn’t reloaded during the next edition.

It’s a bit annoying as if you resave the data the second time without noticing, you’ll loose the fault content. I’m surprised this bug went unnoticed this long …

Anyway, it’s now fixed, and I also fixed the way the pcb list was sorted after editing a pcb.

Both versions (Win32 and Linux) are available, check the projects tab above to get any of them.

Cheers !

New config files and MC8123 WIP

Happy new year everyone !

 

Regarding configuration files for SegaDecrypt, I decided to give libconfig a go as a replacement for my big clumsy xml file. I went for version 1.5 as the last version (1.6) has some problems preventing it to compile on my dev setup.

Now each set has its own configuration file, as you can see in the following example, extracted from a real set :


//--------------------------------
// Super Hang On Sitdown 317-0039
//--------------------------------

name =  Super Hang On Sitdown;
version =  317-0039;
protection =  FD1094;

program:
{
    files = [
         epr-10857.25, 
         epr-10859.31 
    ];
    key =  317-0039.key;
    size = 0x20000;
};

override:
{
    process_data_manually = true;
    irq_vector_lower_bound = 0x108a;
    irq_vector_upper_bound = 0x108a;
    post_decryption_copy = ( 
        (0x400, 0x1000,  DATA ),
        (0x1A22, 0x20000,  DATA )
    );
};

crc:
{
    type =  outrun ;
    storage_address = 0xFF0;
    start_address = 0x1000;
    initial_block_size = 0x1F000;
};

Almost everything can be overridden, allowing to handle specific cases required for some sets.


Now that the configuration problem is solved, I started working on the MC8123 decryption. The MC8123 is a Z80 with built-in encryption, Program opcodes and data are encrypted differently, which explains why bootleggers used doubled eproms back in the days : one half was used for the decrypted program, the other half for the decrypted data, and the correct addressing was chosen at runtime.

Using the same technique I used to decrypt FD1094 files, I should be able to generate decrypted files for MC8123.

There are some difficulties though :

  • Opcodes operands are considered as data, and they don’t have a fixed size β†’ a pass to check opcode type and operand size has to be done.
  • There are data chunks interleaved with Z80 encrypted code, and unlike FD1094 encrypted code, there are no data markers allowing to know their boundaries β†’ solution will be to consider everything as data first, and then to follow code flow from interrupts start vectors, jumps, branches, etc. in order to get the program code.
  • Previous point has some weaknesses though : some opcodes (like JP (HL) for instance) are supposed to do an unconditional jump, which destination is based on a processor register. Problem is, the register content is set up at runtime, meaning that you can’t know its value without effectively running the code.

Time to get my hands dirty !