Help dumping Mega Drive game w/DPF or MGH

@ MarioInside: From a fellow collector in South America, I bought it with the intention of dumping since for some reason it hasn't been done yet. If I can manage to get this and 2-3 others dumped that should cover all known unlicensed titles.

Thank you for the clarifications. I was under the impression from the previous posts that using either of these things would not produce any type of results.

Just verified this. Using US model 1 Genesis still displays the "produced by or under license from" screen and boots as any other game. Does not boot on a Sega Nomad.

I mention this because all units I have used (of any type or manufacturer) will not dump anything beyond what their own RAM size is. For example, a 32m cart is detected by the 24m DPF as a 24m cart. A 24m cart is detected by the 16m MGH as a 16m cart and only dumps the first 16m of the total game.

I ran into this dumping The King of Fighters 2000 (a 24m SNES cart) with my MGH. It was detected as a 16m game would only dump the first 16m of the game.

To clarify, I was able to dump 2M of Pier Solar, not this game.

The reason I mentioned that is Pier Solar does not show up on the DPF at all, yet shows up as a 16m cart in the MGH and dumps normally.

Also this cartridge will not work at all with a Game Genie attached.

If any member has either a SCD transfer cable or a Retrode I could borrow I would certainly appreciate it, it would really help in getting these last two or three MD games dumped.

 

It doesn't have anything to do with the RAM, just the poor dumping algorithms. The MD uses a bankswitching scheme for most games over 16M, that's why the MGH can't detect more, it's too stupid.

This is because of bankswitching or strange decoding, or just because the MGH's poor algorithms. I recall the MGH requiring you to backup games to RAM before to disk, but I don't think 24M MGH can backup >16M games for either console anyway.

It will help getting it dumped, but to clarify you will NOT be able to dump it with a SCD transfer cable. You will be able to dump part of it which can be analyzed and be used to possibly dump the rest with a lot of additional help...

Eke, are you sure the Retrode actually implements the full address bus and /AS? Seems more likely it'd just use the regular cartridge select like all copiers. I was thinking the MGH data might be valid, but if the cart select isnt' used for decoding the data could be open bus.

 

Then scratch my theory about the /CART line, it seems there is nothing special here. The problem is probably that these devices does not pass all the needed signals and can't read the ROM. And I think the Sega Nomad is missing some of the cartridge port signals too. They are generally not used by official games so it didn't matter.

Actually, that's not entirely true: the bankswitching is always part of the cartridge hardware (controlled by software) and as for official games, is only present in a few cartridges where backup RAM (usually mapped in the upper 2MB area) and ROM shares the same area. Afaik, the only cartridges using it are Beyond Oasis/Legend of Thor, Phantasy Star IV & Sonic 3 (this one is only 2MB but this was done to work with Sonic & Knuckles lock-on). Super Street Fighter 2 also uses some bankswitching because it's larger than 4MB.

I think you are right, Retrode probably does not simulate all the signals but only the usually required ones. That means your only way to dump the boot program is through the console itself, via the Sega CD transfer cable. Or you can send your cartridge to that guy that I linked a few post above, he is serious. I'd also love this game being dumped and emulated so I would help with the ROM analysis if necessary.

 

My apologies in advance for the overtly long post.

I guess I should start by saying I purchased the parts to build the SCD transfer cable, hopefully I can pull some type of working information from the Super Mario World 64 cart.

Before I start let me relate something that happened previously. I was in contact with D4S, going back and forth with him about dumping and cracking a few unlicensed SNES games I had that weren't available. During that I mentioned that I'd like find a crack for The King of Fighters '99 for Mega Drive, since the existing ROM dump has copy protection and doesn't work on anything but HazeMD. I my dump was the same as the existing available dump. He did crack it, along with the two SNES games (Street Fighter EX + Alpha and The King of Fighters 2000). You can check his work out here.

KoF '99 is an odd duck. An uncracked ROM boots to some type of error screen in Chinese. D4S didn't go into specifics on the protection, but the game played fine in my Everdrive and that was really all that mattered to me. The strange thing was, it still did the error screen when I played it in my Sega Nomad with the Everdrive. Both he and I were kind of at a loss for and explanation, especially when the cracked version worked fine on a Tototek flash cart with the Nomad.

Today (thanks to member Bramsworth) I got a copy of another obscure, unlicensed Mega Drive game, a prequel to Yang Warrior Family. At least it looks that way, either that or someone was very inspired by this game when they made Yang Warrior Family.

So I pop it in my system (US Genesis model 1) and I'm greeted by this quickly repeating sound effect accompanied by a black screen. The sound was similar to a CD skipping. Cracked the cart open (looked to be brand new) and checked the PCB out, it was two globtops and no chips. I was hoping I'd at least be able to pull something off of it to work with.

The DPF picked it up as a 16m game, dumped it without any problems. When playing the dump it was just a black screen. Playing the cart through the DPF was the same thing. Tried it in a MGH, redumped it, same thing. Now here comes the strange part. I dumped the cart to the DRAM in the MGH, booted it from there and it sorta worked! Turns out the skipping sound effect was actually the title screen music resetting very quickly. The music played against a black screen, and if I pressed start it went to the title screen where you pick one or two players. When you pressed start to begin the game (A,B, or C did nothing) it returned back to the black screen. Obviously there was some type of weird programming going on. I went back and flashed the ROM to both the Everdrive and Tototek carts, both producing the same results as playing the game from the MGH DRAM.

Then I remembered Eke mentioning in the Everdrive forum about stuff programmed with the Tomsoft SDK not working with systems using TMSS. The actual cart bypassed the "Produced by or under license from" screen and went straight into the skipping music. So I tried anything I could think of; I set the system to Japanese (worked for Death Caliber and Deer Hunter), tried a Pro Action Replay, a Game Genie, all did nothing. Put the 32x on, was then greeted by the "Produced by.." screen, and then got to the looping press start screen I had when using the flash carts!

So then, on a whim, I remembered my experience with KoF '99 and shoved it into my Nomad. It completely bypassed the "Produced by.." screen and booted straight to the freaking game, and it worked 100%!

Obviously this thing would work on clone systems or pre-TMSS Sega consoles, although I don't have either to verify. And while the actual cart works in a Nomad, both the Everdrive and Mega Cart behave exactly the same in the Nomad as in the Genesis.

Ideas?

Edit: ROM behaves the same on emulators as it does on flash carts.

 

Will you be releasing these? Getting these into as many hands as possible is the surest way to preserve them.

 

He already has been sharing, plus I know him and the answer is yes =p

 

Oh good. I'm glad to hear that.

 

Managed to get a clone Genesis console and verified that The Battle of Red Cliffs cartridge does indeed work properly on it. I really don't understand why the TMSS issue affected the ROM dump in the way that it did though, but I'm not too knowledgeable on the subject to start with.

And just to further cloud the TMSS issue, Super Mario World 64 will not boot on any non-TMSS system, both clones and the Sega Nomad.

Super Mario World 64 is obviously a bust, at least temporarily. Does anyone want to take a shot at properly cracking some of these ROMs? So far I've got these dumped that need properly cracked:

The Battle of Red Cliffs - Mega Drive
Soul Edge VS Samurai Spirits - Mega Drive
Soul Edge VS Samurai Spirits - SNES

 

You can upload them somewhere and I will have a look and try to emulate the protection (at least the MD games). If you have a partial dump of Super Mario World 64, you should upload it too so it can be analysed. Making these things public and available to hackers is the best way to eventually make some progress.

As for "The Battle of Red Cliffs", it is already dumped (a quick google search on "g_redclf" should help you) and is emulated by HazeMD. The ROM format is a little weird, with .mdx extension (so far I only found two games using this extension, the other one being a chinese version of Traysia). To convert .mdx ROM file into normal .bin (or .gen) format:

1) remove the first 4 bytes and the last byte
2) XOR each byte with 0x40

"The Battle of Red Cliffs" uses additional copy-protection which is similar to the one used in other unlicensed games: on-board registers are mapped to $400000, $400002, $400004 and $400006 addresses in 68k space. That game expects $55 to be returned from $400000 and $AA from $400004 (maybe other registers are tested at some other points, I don't know but it seems like those address/values are common to many unlicensed protected games).
A patch would need to find every location in the ROM where the game checks these addresses and replace the conditional branches into normal branches.

 

I agree. The more people that can take a look at them the quicker and more likely the protection can be figured out and a workaround devised.

 

I agree, but only partially. If these things get distributed and start spreading around when they're not even properly cracked then you've got a bunch of non-working roms and confused people. There's already some stuff like this in the GoodSet that's pretty annoying. Makes more sense to pass it around to people that can actually do something with it, then put it out there to everyone once that's working.

Of course, it gets a bit more tricky if absolutely no one offers any help, but it looks like Eke might offer his assistance so at the moment we might be fine

 

It's been a couple of months, has there been any more progress on getting these to work?

 

Everything I've been working on so far is done is pretty much done, with the exception of Super Mario World 64. I'm hoping to at least have a full or partial dump of it done by this week. Hercules 2 for SNES is a bust for now since I can only get 16m of the 20m to dump. You can find links to everything in this thread and this other thread.

There are a few things I still need to upload and provide links to; the Mega Drive version of Soul Edge VS Samurai Spirits (which is cracked properly), Street Fighter III: 18 Person for MD and Digimon Ruby for GBA. Waiting on SNES carts of A Bug's Life and Aladdin 2000 to arrive also.

Just to clarify one thing: I noticed on another forum someone had pasted my initial post and some other bits and pieces from this thread and insinuated this was an attempt to dump and distribute Pier Solar. It isn't.

 

Finally cobbled together a SCD transfer cable and reassembled my 1997 computer out of the closet to dump this POS. Got everything fired up and..

The SMW64 cart still boots with pin B32 covered.

I have checked and double checked it, even attempted to cover both it and the corresponding pin on the A side of the PCB. The cart always boots straight away.

Ideas?

 

You verified CD unit is connected and running but it still boots straight to cartridge ? Do you still see the license screen when CD is powered ?

I *think* what happens is that the cartridge somehow takes priority on the usual BOOT ROM because it uses its own address decoding. Basically, when the MD CPU resets and starts reading instructions from bus, cartridge code is returned, not internal CD BOOTROM.

When CD unit is not connected, it seems however than MD BOOT ROM is running as usual since you can see the license screen. Maybe the cartridge uses some logic to know when TMSS is running and when enable address decoding or not. That could also explain why the game does not work on systems without TMSS.

Anyway, with the fact the game is most likely using its own address decoding, I fear that the Sega CD transfer program would simply not work. Indeed, the program probably expects to read cartridge data from $400000-$7FFFFF area, where cartridge chip select is usually generated by the console when B32 is not connected (this is how RAM cartridge is accessed in CD booting mode). But this game completely ignores this chip select and uses other signals to know when it should return ROM data. I guess the only way to dump it is to build a specific hardware solution that assert those signals.

 

Checked and double checked everything, along with having a test cart (Sonic 2) that I used to verify the SCD transfer cable was assembled and working.

With B32 covered SMW64 skips the "produced by" screen and goes straight to the game when the console is powered on, just like it would do normally. Sonic 2 with B32 covered booted to the SCD.

I find it very odd that games with TMSS issues that will not work on a stock MD (such as unlicensed games or pirate multi-carts) will work fine on a Sega Nomad yet SMW64 refuses to boot on it. I was always under the impression that the hardware inside the Nomad was basically the exact same as a model 2 MD but that says otherwise.

 

Pretty sure the cartridge drives the MD 68k bus so game is running instead of BOOT ROM program (on CD side).

It is known that Nomad does not have the same cartridge port pinout as default console models (MD1, MD2, with or without TMSS, they all should have the same pinout) and some signals apparently are missing.

As said earlier, SMW64 most likely uses its own address decoding scheme which is not the traditional one (/CE i.e B17 as ROM chip select) but relies on all address lines (except VA19, which seems to indicate the ROM is 512k, mirrored in first MB), /AS (B18) and /DTACK (B20) signals. If any of those signals are not present on cartridge port, it probably does not boot.

 

x

 

Do you need to dump standard games or anything a little more special?

Does building your own count? You could wire a MD connector to a 42 pin socket and dump a lot of games using a device programmer. Or if you have a copier for another console you could make an adapter cartridge. Or you could build something that will dump games copiers cannot, using some logic chips using a USB MCU, parallel port or an Arduino or any other I/O method.

 

x