View topic - Action Replay / Game Genie

  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Action Replay / Game Genie
Post Posted: Thu Nov 30, 2000 8:41 pm
I've been doing a bit of reading up on these, after suggesting PolestaR added support for them to his emu.

I've written a doc which you can read here, and made a program for converting Game Genie codes into meka.pat entries, which you can get here. All comments are welcome.

Maxim
  • Joined: 28 Sep 1999
  • Posts: 1169
Post Posted: Thu Nov 30, 2000 9:47 pm
Quote
> I've been doing a bit of reading up on these, after suggesting PolestaR added support for them to his emu.

> I've written a doc which you can read here, and made a program for converting Game Genie codes into meka.pat entries, which you can get here. All comments are welcome.

Great job! Quite easy to understand the whole thing.

Now I can add GG code handling to SMS Plus. :)

Does anyone know if the ROMs for either device have been dumped?
I'd love to support the real thing, so games could be trained on an emulator..


  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Thu Nov 30, 2000 10:56 pm
Quote
> Great job! Quite easy to understand the whole thing.

Thanks :o) I had to re-write it a fair bit, as the parts I wrote at 4am this morning were a bit incoherent... I left the car bit in, though...

Quote
> Now I can add GG code handling to SMS Plus. :)

> Does anyone know if the ROMs for either device have been dumped?
> I'd love to support the real thing, so games could be trained on an emulator..

Meka.nam:

D232BBBB54246DA1,Action Replay,VER=1.02,Mapper=6

I can see a few problems with trying to fully emulate the cartridges...

1. They must have custom hardware in there, based on how I think they work. There's three mean-looking chips in my (GB) PAR, probably only one of which is a rom.

2. The actual devices only support 3 or 4 codes at once.

3. Shunting the training through the emulated Z80 would be slower - I think it takes a couple of seconds to scan all the memory locations.

4. I don't know if the PAR allows you to train without resetting every time. On the GB, this is very annoying.

5. You'll need some method of loading the cheat cart and the rom. You can apparently concatenate the Mega Drive Sonic & Knuckles with a child cart and it works, but I doubt it'd work here.

Using ChaSMS's trainer, I can see that it's very fast, although there's plenty of room for improvement with it...

Maxim
  • Joined: 28 Sep 1999
  • Posts: 1169
Post Posted: Thu Nov 30, 2000 11:55 pm

Quote
> Thanks :o) I had to re-write it a fair bit, as the parts I wrote at 4am this morning were a bit incoherent... I left the car bit in, though...

This is probably extremely useless trivia, but the Game Genie programmer (Richard Aplin) happened to be a big contributor to Master Gear.
I guess people don't mind talking when they don't have an NDA to think about - that's one advantage to being an unlicensed developer.

Quote
> D232BBBB54246DA1,Action Replay,VER=1.02,Mapper=6

I've never seen this available publicly, so I will probably have to beg someone (Zoop, most likely :) into getting it.
Nice to know it actually got dumped.

Quote
> 1. They must have custom hardware in there, based on how I think they work. There's three mean-looking chips in my (GB) PAR, probably only one of which is a rom.

Usually this is fairly simple, like a few registers for the addresses and poke values, system configuration, and then extra RAM for the Pro Action Replays.

Quote
> 2. The actual devices only support 3 or 4 codes at once.

Good point. I have been adding support for the Genesis PAR II to one of my projects, and it supports 100 codes at once. So the amount of available cheats was not a big consideration. :)

Quote
> 3. Shunting the training through the emulated Z80 would be slower - I think it takes a couple of seconds to scan all the memory locations.

True.

Quote
> 4. I don't know if the PAR allows you to train without resetting every time. On the GB, this is very annoying.

Probably - all the other models require lots of resetting too.

Quote
> 5. You'll need some method of loading the cheat cart and the rom. You can apparently concatenate the Mega Drive Sonic & Knuckles with a child cart and it works, but I doubt it'd work here.

This can be done, it's similar to how Meka supports the SMS BIOS, and swaps a loaded game in afterwards.

Quote
> Using ChaSMS's trainer, I can see that it's very fast, although there's plenty of room for improvement with it...

Part of my reason for emulating the cheat device(s) was to save myself from making a snazzy interface for all the menus. Not a problem under Windows, but much more difficult with DOS.
But with your reasons listed, I can see that it would be more convenient and flexible to program in a 'real' cheat finder.
Maybe I'll just do a Windows port of my own design and simplify things.


  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Update...
Post Posted: Mon Dec 04, 2000 9:44 pm
I've updated both the doc and the program. So get them again if you want.

Maxim
  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Sat Dec 05, 2009 3:48 am
Sorry to bring back such an old thread but did you ever end up finding the SMS PAR dump? I'd be interested in running it through a disassembler to see what additional "code types"(the initial 2 characters of a code, like "00") it actually supports and what each one does. I've dug pretty deep into the firmware of Datel's AR for PS1 and would be kinda surprised if they didn't support a couple other types.

And yeah, the 4 code limitation is crap. I really gotta wonder why they did that. If they were patching ROM on-the-fly I could see there being some sort of hardware limitations but when it comes to a simple 16-bit address and 8-bit value per code, plus the fact that the PAR has its own RAM to store them in, the whole thing seems odd.

Does anyone have a PCB scan of the SMS PAR?
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Sat Dec 05, 2009 10:13 am
In order to do the patching, the device must either inject Z80 code or steal the bus, presumably once per frame. (My old doc is probably not desperately accurate in this respect since it's all guesswork from years back.) This must introduce timing problems for the games themselves, so maybe four codes was a compromise point. I can't see how the cart could distinguish a VBlank from an HBlank without screwing up the game, and delaying the Z80 in the HBlank must be very tight timing-wise.
  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Mon Dec 07, 2009 5:53 pm
Do you have any evidence that RAM patching is done by Z80 instructions? I'm wondering if the PAR simply "overdrives" the bus data lines with the patch value when it detects access to a matching address on the address lines. As long as the PAR's output drivers are stronger than those of the addressed device(RAM chip) it would work just fine. Or if the device's drivers are too strong, the PAR could simply drive !RD high to block the device from ever seeing the read and the PAR could output the patch value on the data lines without contention.

That's basically how many modern "modchips" work for consoles like PS2 when they need to "patch" the BIOS ROM. Depending on the modchip, they either overdrive the data lines(contending with the ROM chip) or pull !CE(or !OE) high(contending with the CPU) and put the patch value on the data lines. The result is actually very reliable.

I would really need to see a decent scan of the PAR PCB and/or look at a disassembly of the PAR ROM though.
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Mon Dec 07, 2009 8:29 pm
I have no evidence at all :) Directly driving the bus would be interesting but it'd need to halt the Z80 while it did it, hence the timing problems. The trainer menus obviously all run on the Z80. I don't see how it could overpower the control or data lines, all it could do is zap them with more voltage or ground them which I think wouldn't work (at least, bus contention has quite predictable effects (bitwise ANDing) and overvolting/shorting things would destroy them fairly quickly).

The magic on the device is done mostly by custom chips so the schematics and source are of little use (presumably just reading/writing the codes/training info to/from the custom hardware). The only source of information may be the original developers/designers. We have their names but I don't think we know who any of them really are.

Richard Aplin who designed the Game Genie is more known/approachable/talks to the internets (at least, he used to).
  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Tue Dec 08, 2009 1:37 am
Halting the Z80 would defeat the purpose since it's the Z80 that is "reading" the data lines. And I assure you that changing the voltage level from what is considered 0/1 to 1/0 is very much possible and predictable. Like I said, this is used by "modchips" for PS2(and some others) which are installed in literally millions of systems.

Anyway I have no way of proving that this is what PAR does anyway. That's just a possibility. As far as PCB scans/schematics go, I'm no stranger to "black box" hacking. Just seeing how something is connected together can give you some good insight into what it does. :D

Some day I'll probably have to buy a PAR... :P
  • Joined: 25 Jul 2007
  • Posts: 589
  • Location: Melbourne, Australia
Post Posted: Tue Dec 08, 2009 8:30 am
I don't have a scanner unfortunately so you'll have to make do with my crappy pictures.
par-front.jpg (152.01 KB)
par-rear.jpg (142.74 KB)

  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Tue Dec 08, 2009 5:48 pm
djbass wrote
> I don't have a scanner unfortunately so you'll have to make do with my crappy pictures.


Hey, that's a great start! Could you tell me the part numbers on those ICs? I believe the "MHS" one is "HMT-2064-5" which would make sense since that's an 8KByte SRAM.

Many thanks!
  • Joined: 28 Sep 1999
  • Posts: 1169
Post Posted: Wed Dec 09, 2009 4:19 am
djbass wrote
> I don't have a scanner unfortunately so you'll have to make do with my crappy pictures.


Wow, this is interesting stuff. All the other PARs (and GameGenies) use an ASIC to implement the patching functionality. This is way simpler.

The two chips on the bottom are a 74HC74 (can't quite read the logic family, maybe HCT) and a PALCE20V8H PAL which just implements user-programmed glue logic.

I would bet it works something like this:

- Power-up, /reset asserted, flip flop #1 reset. This makes the PAL enable the on-board ROM instead of the cartridge ROM on the pass-through connector.

- PAR program allows the user to enter codes which are stored in the 8K SRAM, then starts the game by setting flip-flop #1. The PAL enables the cartridge ROM and the PAR program, relocated to RAM, jumps to the cartridge ROM entry point.

- The PAL detects an interrupt and enables the PAR ROM (much like a reset did) so that the code at $0038 is executed. RAM locations are patched and control is returned to the game. The switch may disable this behavior.

There is probably some extra junk to handle not triggering a patch when the PAR ROM is enabled, etc.

Some day when we have enough SMS PARs that we don't know what to do with them, the PAL can be removed and dumped. :D But I think its operation is fairly straightforward.
  • Joined: 27 Apr 2005
  • Posts: 420
  • Location: Australia
Post Posted: Wed Dec 09, 2009 5:02 am
I've got some Game Genie PCB photos in my attachment box from some time ago.
http://www.smspower.org/forums/files/gamegeniefrontwsizeuc8_736.jpg
http://www.smspower.org/forums/files/gamegeniebackwsizetb8_355.jpg
This is only one half of the setup. The two PCBs sandwich together connected at the pin header. I'll get some pics of the other half shortly.
  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Wed Dec 09, 2009 5:33 am
Thanks for the GG pics DMEnduro! What an amazingly complex piece of hardware. :D

Charles: The PS1 PAR also used a PALCE for the CommsLink registers. PS1 was very simple though since the PAR ROM was mapped to 0x1F000000 at all times. All they had to do was hook some system calls in the kernel to make sure their patcher function got called often enough. The CommsLink was the only thing that was even remotely complicated about the hardware and you know how simple that is. :)

Do you have any idea what the PLCC is on the top, left? It has a Microchip logo and looks like it says "MICROCHIP" below that. I *think* it says "PIC2?5"(can't read the ?). If this is indeed a PIC, it must emulate the ROM. AFAIK Microchip never made any memories with parallel interface, just serial. All very curious!
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Wed Dec 09, 2009 8:04 am
Charles MacDonald wrote
> - The PAL detects an interrupt and enables the PAR ROM (much like a reset did) so that the code at $0038 is executed. RAM locations are patched and control is returned to the game. The switch may disable this behavior.

So what about timing-sensitive games? Injecting code before HInt handlers run would seem dangerous. If the code that runs was from RAM it could be a lot shorter as constants could be modified instead of having to load the patch values from wherever they live.

The 8KB SRAM is presumably there for the "training" (it is overkill for storing four 32-bit numbers).

The 00 prefix may have been added for forward compatibility with a future device.

If it is really that simple then we could probably get a long way from a look at the ROM. It would seem dumpable if we can trick it into making itself visible to the dumper, perhaps just by temporarily grounding the reset line.
  • Site Admin
  • Joined: 08 Jul 2001
  • Posts: 8296
  • Location: Paris, France
Post Posted: Wed Dec 09, 2009 8:23 am
I have an (unverified) ROM dump of the Master System version. I will try to get it up shortly.
  • Joined: 27 Apr 2005
  • Posts: 420
  • Location: Australia
Post Posted: Wed Dec 09, 2009 9:08 am
The other part. I've labeled the throughs, as the back of the PCB is simply 5v and ground planes.
ggggcartedge.JPG (841.44 KB)
2nd PCB

  • Joined: 25 Jul 2007
  • Posts: 589
  • Location: Melbourne, Australia
Post Posted: Wed Dec 09, 2009 1:18 pm
Slave drivers you lot! :p

Here you go..

PAR SMS:

MHS
HMT-2064-5
8807FA 139

PALCE20V8Q
-25JC/4
324HVS9 H

T 9327H
HC74A

Microchip
27C256
15/L
9322 CEA


PAR GG:

MB8464A-10L
JAPAN 9209 M83

T 9241H
HC32A

T 9241H
HC32A

T 9320H
HC74A

PALCE20V8Q
-25JC/4
__10PNM

Microchip
27C256
15/L
9810 CEA


The switch on the SMS PAR has three states.. Off, Train, Run
The GG one simply has a red button to train cheats with (jumps to trainer menu) with the other switch to turn the cheats on/off.
par-sms-front.jpg (218.43 KB)
par-sms-front2.jpg (216.44 KB)
par-sms-rear.jpg (180.72 KB)
par-gg-front.jpg (225.55 KB)
par-gg-front2.jpg (245.91 KB)
par-gg-rear.jpg (226.16 KB)
par-gg-top.jpg (189.28 KB)

  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Wed Dec 09, 2009 6:31 pm
Excellent work guys!

So Microchip did indeed make parallel memory: a 32KByte EPROM.

Maxim: Using the SRAM to store the codes is the only thing that makes sense in this case. I'm sure they use it for RAM dump in training mode but they would need somewhere to store the address/value pairs in "run" mode.
  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Thu Dec 10, 2009 1:43 am
Well, I gave in and bought a PAR for $32US from eBay Germany. If it arrives(who knows given the holiday season) I'll depopulate and scan it. I can dump the EPROM relatively easily so we can compare it with Bock's dump.

I'm assuming the PALCE will have the "security bit" set so I don't know if I'll be able to dump it. I do have a Cypress EZUSB FX2 board that I've used in a number of other projects which should be adequate for toggling inputs and checking the output results but I'd need some help with creating the analysis algorithm itself.
  • Joined: 03 Dec 2019
  • Posts: 2
  • Location: Zoetermeer, The Netherlands
PAR clone
Post Posted: Tue Dec 03, 2019 8:25 pm
Hi guys,

I've been a visitor of this forum for years but I'm thinking of contributing to it now...
I was wondering if there'd be any interest in a Master Pro Action Replay clone, what with originals being quite pricey these days...
Also I noticed a mentioning of the firmware for it but I cannot find a dump anywhere. I have dumped mine and I'm wondering if there are different rom versions...
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Tue Dec 03, 2019 8:58 pm
I disassembled it here: https://github.com/maxim-zhao/smsproactionreplay A clone would need to implement whatever it does to overlay the ROM on interrupt, which is still somewhat mysterious. There’s a credits screen with date and version number if you hold button 2 on startup.
  • Joined: 26 Feb 2021
  • Posts: 20
Post Posted: Wed Jan 27, 2021 10:12 am
Hi all,

I've dumped the ROM and submitted it for preservation (might also be useful to save faulty units):


https://git.redump.net/mame/commit/?id=2efc649c73c5c3bb80042bf8671640b9666f1b8f
  • Joined: 26 Feb 2021
  • Posts: 20
Post Posted: Wed Jan 27, 2021 10:15 am
Maxim wrote
> A clone would need to implement whatever it does to overlay the ROM on interrupt, which is still somewhat mysterious.


BTW I've also dumped the PAL and cloned the whole device.
I sell repros if someone is interested.
  • Site Admin
  • Joined: 08 Jul 2001
  • Posts: 8296
  • Location: Paris, France
Post Posted: Wed Jan 27, 2021 10:55 am
Hello,
Thanks! There are several Action Replay hardware/packaging variations, could you post a picture of your unit, its packaging and manual if any so the dump can be tied to a version if they happen to be different?
  • Joined: 26 Feb 2021
  • Posts: 20
Post Posted: Wed Jan 27, 2021 11:05 am
Yes sure, I'll do that (It's CIB, or CIDB, Complete In Destroyed Box :) )

[EDIT]
Added two pictures of the PCB.
Will take a pic of the box and manual later.

[EDIT 2]
Two more pics of the box, manual and code book.
20210108_174158.jpg (2.98 MB)
20210109_075437.jpg (2.84 MB)
20210127_150525.jpg (2.57 MB)
20210127_150540.jpg (2.54 MB)

  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Fri Feb 26, 2021 10:29 pm
Hmm, can I get a copy of this 32KB dump? My disassembly only covers the 16KB dump I had since ~2012.
  • Joined: 26 Feb 2021
  • Posts: 20
Post Posted: Sat Feb 27, 2021 7:31 am
Last edited by Apocalypse on Sat Feb 27, 2021 8:16 am; edited 1 time in total
Not sure where the file I sent to MAME ended up being hosted.

I've sent it to your email address anyway.

IIRC the high 16K contain little code at the vector addresses ($38, $66, etc.) used to "apply" the codes. Rest is empty.
The ROM is "banked" (2 x 16KB) using A14, generated by the PAL through the HC74.
20210211_182839.jpg (2.61 MB)

  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Sat Feb 27, 2021 7:35 am
It’s interesting how much more complicated it is than the X-Terminator “clone”... Is there a way to explain what the PAL does?
  • Joined: 26 Feb 2021
  • Posts: 20
Post Posted: Sat Feb 27, 2021 8:14 am
The PAL doesn't do much really:
- generates the CLK and CLR signals for the HC74. Second latch of the HC74 selects which of the 16KB banks must be used (first one for "training", second one for "patching")
- generates AR ROM, AR RAM and cartridge ROM CE signals
  • Joined: 03 Dec 2019
  • Posts: 2
  • Location: Zoetermeer, The Netherlands
Post Posted: Sat Feb 27, 2021 11:20 am
Apocalypse wrote
> The PAL doesn't do much really:
> - generates the CLK and CLR signals for the HC74. Second latch of the HC74 selects which of the 16KB banks must be used (first one for "training", second one for "patching")
> - generates AR ROM, AR RAM and cartridge ROM CE signals


What was your rom version?
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Sat Feb 27, 2021 12:00 pm
1.02 in the linked metadata above.
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Sat Feb 27, 2021 8:43 pm
Hmm, the way this works is kind of confusing. The upper 16KB is indeed mostly empty, it seems to mostly be a debug screen that prints some internal state to the screen. It does this while relying on some code in the lower 16KB of ROM. In fact, I'm starting to suspect that it may be swapping the upper 16KB of ROM and also the on-board RAM into the lower chunk of the address space in response to writes to registers at $6000 and $2000 - but the values written seem not to matter, just the action of writing seems to cause things to happen.

I'll try and figure it out from the code a bit more...
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Sat Feb 27, 2021 10:02 pm
Last edited by Maxim on Tue Mar 02, 2021 8:41 am; edited 2 times in total
OK, so it's starting to make some more sense.

The Pro Action Replay has 32KB of ROM and 8KB of RAM. It can select either of its 16KB banks of ROM to be mapped into the lower 16KB of the Z80 address space, and if its ROM is mapped in, its RAM is too.

There is a "register" at address $6000 which seems to cause a swap between the device ROM/RAM and game ROM whenever it is written to; the value is not important. There is another register at $2000 which selects which of the two 16KB ROM banks is used - at boot it is the first.

When cheats are entered, the PAR generates code in its RAM to apply the cheats, in this form:


push af
; repeat from here
ld a,nn
ld (xxxx),a
; repeat these two lines for each code entered
pop af
jp $0035


When loading the game, the PAR enables the upper 16KB ROM bank before booting the game. Presumably the PAL then switches from game to PAR memory mode (the same as a write to $6000) when execution reaches $0038. This means interrupt handling is subverted by the code at $4038 in the PAR ROM, which jumps to this generated code. The jump back to $0035 then swaps back the game ROM and execution continues at $0038 for the original game.

This generated code is pretty efficient - it runs faster when fewer codes are entered, especially as games with many horizontal interrupts (e.g. Out Run road drawing) will apply the cheats many times per frame.

There are only a few things left outstanding:

1. How does the "return to PAR menu" pause button interception work? Presumably it enables the PAR ROM/RAM and then causes a jump to offset $0000, but I can't see how. Maybe the PAL injects the instruction onto the bus, but how can it know where it is aligned to? The upper 16KB is mostly filled with $31, which doesn't seem helpful (it'd decode as ld sp, $3131), and anyway the program counter might be at a higher address. It seems the low ROM interrupt handler may be involved...

2. Why does the game write the value being "searched for" in training mode to address $0068? This is just after the reti (not retn...) it has in ROM, but it seems to serve no purpose? Maybe it's some left-over debugging code?

There is a lot of left-over debugging code (and large chunks of the 1.3 BIOS) in the PAR ROM, including a function in the upper 16KB which seems like it cannot work. I suspect this is just left-over mess.

Disassembly updated here:

https://github.com/maxim-zhao/smsproactionreplay
  View user's profile Send private message Visit poster's website
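
The generated stub described in the post above, as an added example that is not part of the original thread or of the linked disassembly: a Python sketch that turns codes into the Z80 bytes of that stub and counts its T-states per interrupt. The `TTAAAAVV` field order (type, address, value), the sample codes and the interrupts-per-frame figure are assumptions; the instructions and the `$0035` return address follow the listing in the post.

```python
import string

# Z80 opcodes used by the stub, with their standard T-state costs.
PUSH_AF = 0xF5   # push af      11 T-states
POP_AF = 0xF1    # pop af       10 T-states
LD_A_N = 0x3E    # ld a,nn       7 T-states
LD_NN_A = 0x32   # ld (xxxx),a  13 T-states
JP_NN = 0xC3     # jp xxxx      10 T-states

RETURN_ADDR = 0x0035  # jump target from the listing in the post
MAX_CODES = 4         # code limit of the device, per the thread


def parse_code(text):
    """Split an 8-hex-digit code into (type, address, value).

    Assumed layout: 2-digit type, 4-digit address, 2-digit value.
    Only type 00 is accepted; the thread documents no other type.
    """
    digits = text.replace("-", "").replace(" ", "")
    if len(digits) != 8 or any(c not in string.hexdigits for c in digits):
        raise ValueError(f"not an 8-digit hex code: {text!r}")
    code_type = int(digits[0:2], 16)
    address = int(digits[2:6], 16)
    value = int(digits[6:8], 16)
    if code_type != 0x00:
        raise ValueError(f"unsupported code type {code_type:02X}")
    return code_type, address, value


def build_stub(codes, max_codes=MAX_CODES):
    """Return the machine code of the RAM stub for a list of code strings."""
    if len(codes) > max_codes:
        raise ValueError(f"at most {max_codes} codes are supported")
    stub = bytearray([PUSH_AF])
    for text in codes:
        _, address, value = parse_code(text)
        stub += bytes([LD_A_N, value])
        # The Z80 stores 16-bit operands low byte first.
        stub += bytes([LD_NN_A, address & 0xFF, address >> 8])
    stub += bytes([POP_AF, JP_NN, RETURN_ADDR & 0xFF, RETURN_ADDR >> 8])
    return bytes(stub)


def stub_tstates(n_codes):
    """T-states spent in the stub itself for one interrupt.

    Excludes the jump from the handler in the device ROM into the stub
    and the game's own handler, so it is a lower bound on added latency.
    """
    return 11 + n_codes * (7 + 13) + 10 + 10


def frame_overhead(n_codes, interrupts_per_frame):
    """T-states per frame when the stub runs on every interrupt."""
    return stub_tstates(n_codes) * interrupts_per_frame


def listing(codes):
    """Render the stub as assembly in the form shown in the post."""
    lines = ["push af"]
    for text in codes:
        _, address, value = parse_code(text)
        lines.append(f"ld a,${value:02X}")
        lines.append(f"ld (${address:04X}),a")
    lines += ["pop af", f"jp ${RETURN_ADDR:04X}"]
    return lines


if __name__ == "__main__":
    sample = ["00C1-2305", "00D0-00FF"]  # constructed codes, not real cheats
    print(build_stub(sample).hex(" "))
    print("\n".join(listing(sample)))
    # 100 interrupts per frame is a constructed figure for a game that
    # uses many line interrupts.
    for n in (1, 4):
        print(n, "codes:", stub_tstates(n), "T-states per interrupt,",
              frame_overhead(n, 100), "per frame")
```

Raising `max_codes` shows how the per-interrupt cost grows by 20 T-states for each extra code, which is the trade-off the later posts about supporting more than four codes refer to.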
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Sat Feb 27, 2021 10:25 pm
More questions...

- Can anyone dump the GG version?
- Are there any versions other than 1.02 known?
- On the SMS version, are cheats applied when the switch is in the lower position?
  • Joined: 26 Feb 2021
  • Posts: 20
Post Posted: Mon Mar 01, 2021 10:49 am
Maxim wrote
> 1. How does the "return to PAR menu" pause button interception work? Presumably it enables the PAR ROM/RAM and then causes a jump to offset $0000, but I can't see how. Maybe the PAL injects the instruction onto the bus, but how can it know where it is aligned to? The upper 16KB is mostly filled with $31, which doesn't seem helpful (it'd decode as ld sp, $3131), and anyway the program counter might be at a higher address. It seems the low ROM interrupt handler may be involved...

PAL spies on the INT line.
Maxim wrote
> More questions...

> - Can anyone dump the GG version?

I have one. Somewhere. Hopefully still working.
Maxim wrote
> - Are there any versions other than 1.02 known?

I've only ever seen the 1.02 version, whatever the packaging was (white vs red box). But maybe there are also early (and rare) 1.00 or 1.01 out there?
Maxim wrote
> - On the SMS version, are cheats applied when the switch is in the lower position?

No. Only in the upper position.
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Mon Mar 01, 2021 4:35 pm
Is INT lowered on NMI too?

I haven’t quite understood how the switch in the lower position is able to go to the menu when you press Pause. The code has a jp 0 at the INT handler on the lower 16KB, and does the cheat injection in the upper handler. Both NMI handlers do nothing. I’d assumed the switch-down position would therefore enable the lower ROM bank when Pause is pressed, but it’s not clear how that can work.
  • Joined: 26 Feb 2021
  • Posts: 20
Post Posted: Tue Mar 02, 2021 8:07 am
Maxim wrote
> Is INT lowered on NMI too?

No. I'm not sure I understand your question. That's how the Z80 works.

However the PAL spies on the NMI line too then there's some logic depending on the position of the switch: when in down position only INT is taken into account, when up both NMI and INT are used as triggers.
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Tue Mar 02, 2021 8:36 am
The interaction is that switch up and INT means swap to the PAR ROM (upper bank, seems to be selected by software) to apply cheats, using the existing pc=$38; and switch down and NMI means to swap to the PAR ROM (lower bank) to enter the menu, but by an unknown mechanism to get to pc=0. The NMI handler just has reti which could return to anywhere.

Is it possible to map out what the PAL does here?
  • Joined: 26 Feb 2021
  • Posts: 20
Post Posted: Tue Mar 02, 2021 9:31 am
Sent you the equations by email (don't want my clone to be cloned with 0 efforts and 0 credits).
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13548
  • Location: London
Post Posted: Tue Mar 02, 2021 12:08 pm
Fair enough :) where is your clone available, I couldn’t find it? Is it a complete device? From the disassembly you could build some better features (more codes, your own UI)...

(Actually, with a bit more work you could even add some extra features like a built-in cheat DB in ROM, debug tools like the orphaned memory editor, expanded RAM to improve the trainer...)
  • Joined: 26 Feb 2021
  • Posts: 20
Post Posted: Tue Mar 02, 2021 2:34 pm
Maxim wrote
> where is your clone available, I couldn’t find it? Is it a complete device?

I made only 10 units for first batch and sold them cheap (29€ for a fully assembled PCB). It's a complete board, the exact size of the OG one.
I'm thinking of raising the price a bit (35€) for the second batch to at least get the minimum wage for my labour.

Then you have 3 possibilities for the shell:
- use the OG AR shell
- modify the shell of any other game but you'd need to drill a hole on the left for the switch and cut an opening at the top for the cartridge port
- the last option is 3D printing, I have adapted the design from bierdosenhalter who shared it under Creative Commons licence - Attribution - Non-Commercial - Share Alike license, which my adapted version inherits.

Maxim wrote
> From the disassembly you could build some better features (more codes, your own UI)...

> (Actually, with a bit more work you could even add some extra features like a built-in cheat DB in ROM, debug tools like the orphaned memory editor, expanded RAM to improve the trainer...)

I thought about it, the first goal was preservation, then offer an alternate solution to the $200+ genuine MS AR you can find on greedbay.
It could also support more than 4 codes (but it might induce graphic glitches if there's too many and the interrupt lasts too long).