View topic - Action Replay / Game Genie

  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13023
  • Location: London
Action Replay / Game Genie
Post Posted: Thu Nov 30, 2000 8:41 pm
I've been doing a bit of reading up on these, after suggesting PolestaR added support for them to his emu.

I've written a doc which you can read here, and made a program for converting Game Genie codes into meka.pat entries, which you can get here. All comments are welcome.

Maxim
  • Joined: 28 Sep 1999
  • Posts: 1149
Post Posted: Thu Nov 30, 2000 9:47 pm
Quote
> I've been doing a bit of reading up on these, after suggesting PolestaR added support for them to his emu.

> I've written a doc which you can read here, and made a program for converting Game Genie codes into meka.pat entries, which you can get here. All comments are welcome.

Great job! Quite easy to understand the whole thing.

Now I can add GG code handling to SMS Plus. :)

Does anyone know if the ROMs for either device have been dumped?
I'd love to support the real thing, so games could be trained on an emulator..


  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13023
  • Location: London
Post Posted: Thu Nov 30, 2000 10:56 pm
Quote
> Great job! Quite easy to understand the whole thing.

Thanks :o) I had to re-write it a fair bit, as the parts I wrote at 4am this morning were a bit incoherent... I left the car bit in, though...

Quote
> Now I can add GG code handling to SMS Plus. :)

> Does anyone know if the ROMs for either device have been dumped?
> I'd love to support the real thing, so games could be trained on an emulator..

Meka.nam:

D232BBBB54246DA1,Action Replay,VER=1.02,Mapper=6

I can see a few problems with trying to fully emulate the cartridges...

1. They must have custom hardware in there, based on how I think they work. There's three mean-looking chips in my (GB) PAR, probably only one of which is a rom.

2. The actual devices only support 3 or 4 codes at once.

3. Shunting the training through the emulated Z80 would be slower - I think it takes a couple of seconds to scan all the memory locations.

4. I don't know if the PAR allows you to train without resetting every time. On the GB, this is very annoying.

5. You'll need some method of loading the cheat cart and the rom. You can apparently concatenate the Mega Drive Sonic & Knuckles with a child cart and it works, but I doubt it'd work here.

Using ChaSMS's trainer, I can see that it's very fast, although there's plenty of room for improvement with it...

Maxim
  • Joined: 28 Sep 1999
  • Posts: 1149
Post Posted: Thu Nov 30, 2000 11:55 pm

Quote
> Thanks :o) I had to re-write it a fair bit, as the parts I wrote at 4am this morning were a bit incoherent... I left the car bit in, though...

This is probably extremely useless trivia, but the Game Genie programmer (Richard Aplin) happened to be a big contributor to Master Gear.
I guess people don't mind talking when they don't have an NDA to think about - that's one advantage to being an unlicensed developer.

Quote
> D232BBBB54246DA1,Action Replay,VER=1.02,Mapper=6

I've never seen this available publicly, so I will probably have to beg someone (Zoop, most likely :) into getting it.
Nice to know it actually got dumped.

Quote
> 1. They must have custom hardware in there, based on how I think they work. There's three mean-looking chips in my (GB) PAR, probably only one of which is a rom.

Usually this is fairly simple, like a few registers for the addresses and poke values, system configuration, and then extra RAM for the Pro Action Replays.

Quote
> 2. The actual devices only support 3 or 4 codes at once.

Good point. I have been adding support for the Genesis PAR II to one of my projects, and it supports 100 codes at once. So the amount of available cheats was not a big consideration. :)

Quote
> 3. Shunting the training through the emulated Z80 would be slower - I think it takes a couple of seconds to scan all the memory locations.

True.

Quote
> 4. I don't know if the PAR allows you to train without resetting every time. On the GB, this is very annoying.

Probably - all the other models require lots of resetting too.

Quote
> 5. You'll need some method of loading the cheat cart and the rom. You can apparently concatenate the Mega Drive Sonic & Knuckles with a child cart and it works, but I doubt it'd work here.

This can be done, it's similar to how Meka supports the SMS BIOS, and swaps a loaded game in afterwards.

Quote
> Using ChaSMS's trainer, I can see that it's very fast, although there's plenty of room for improvement with it...

Part of my reason for emulating the cheat device(s) was to save myself from making a snazzy interface for all the menus. Not a problem under Windows, but much more difficult with DOS.
But with your reasons listed, I can see that it would be more convenient and flexible to program in a 'real' cheat finder.
Maybe I'll just do a Windows port of my own design and simplify things.


  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13023
  • Location: London
Update...
Post Posted: Mon Dec 04, 2000 9:44 pm
I've updated both the doc and the program. So get them again if you want.

Maxim
  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Sat Dec 05, 2009 3:48 am
Sorry to bring back such an old thread but did you ever end up finding the SMS PAR dump? I'd be interested in running it through a disassembler to see what additional "code types"(the initial 2 characters of a code, like "00") it actually supports and what each one does. I've dug pretty deep into the firmware of Datel's AR for PS1 and would be kinda surprised if they didn't support a couple other types.

And yeah, the 4 code limitation is crap. I really gotta wonder why they did that. If they were patching ROM on-the-fly I could see there being some sort of hardware limitations but when it comes to a simple 16-bit address and 8-bit value per code, plus the fact that the PAR has its own RAM to store them in, the whole thing seems odd.

Does anyone have a PCB scan of the SMS PAR?
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13023
  • Location: London
Post Posted: Sat Dec 05, 2009 10:13 am
In order to do the patching, the device must either inject Z80 code or steal the bus, presumably once per frame. (My old doc is probably not desperately accurate in this respect since it's all guesswork from years back.) This must introduce timing problems for the games themselves, so maybe four codes was a compromise point. I can't see how the cart could distinguish a VBlank from an HBlank without screwing up the game, and delaying the Z80 in the HBlank must be very tight timing-wise.
  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Mon Dec 07, 2009 5:53 pm
Do you have any evidence that RAM patching is done by Z80 instructions? I'm wondering if the PAR simply "overdrives" the bus data lines with the patch value when it detects access to a matching address on the address lines. As long as the PAR's output drivers are stronger than those of the addressed device(RAM chip) it would work just fine. Or if the device's drivers are too strong, the PAR could simply drive !RD high to block the device from ever seeing the read and the PAR could output the patch value on the data lines without contention.

That's basically how many modern "modchips" work for consoles like PS2 when they need to "patch" the BIOS ROM. Depending on the modchip, they either overdrive the data lines(contending with the ROM chip) or pull !CE(or !OE) high(contending with the CPU) and put the patch value on the data lines. The result is actually very reliable.

I would really need to see a decent scan of the PAR PCB and/or look at a disassembly of the PAR ROM though.
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13023
  • Location: London
Post Posted: Mon Dec 07, 2009 8:29 pm
I have no evidence at all :) Directly driving the bus would be interesting but it'd need to halt the Z80 while it did it, hence the timing problems. The trainer menus obviously all run on the Z80. I don't see how it could overpower the control or data lines, all it could do is zap them with more voltage or ground them which I think wouldn't work (at least, bus contention has quite predictable effects (bitwise ANDing) and overvolting/shorting things would destroy them fairly quickly).

The magic on the device is done mostly by custom chips so the schematics and source are of little use (presumably just reading/writing the codes/training info to/from the custom hardware). The only source of information may be the original developers/designers. We have their names but I don't think we know who any of them really are.

Richard Aplin who designed the Game Genie is more known/approachable/talks to the internets (at least, he used to).
  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Tue Dec 08, 2009 1:37 am
Halting the Z80 would defeat the purpose since it's the Z80 that is "reading" the data lines. And I assure you that changing the voltage level from what is considered 0/1 to 1/0 is very much possible and predictable. Like I said, this is used by "modchips" for PS2(and some others) which are installed in literally millions of systems.

Anyway I have no way of proving that this is what PAR does anyway. That's just a possibility. As far as PCB scans/schematics go, I'm no stranger to "black box" hacking. Just seeing how something is connected together can give you some good insight into what it does. :D

Some day I'll probably have to buy a PAR... :P
  • Joined: 25 Jul 2007
  • Posts: 562
  • Location: Melbourne, Australia
Post Posted: Tue Dec 08, 2009 8:30 am
I don't have a scanner unfortunately so you'll have to make do with my crappy pictures.
Attachments: par-front.jpg (152.01 KB), par-rear.jpg (142.74 KB)

  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Tue Dec 08, 2009 5:48 pm
djbass wrote
> I don't have a scanner unfortunately so you'll have to make do with my crappy pictures.


Hey, that's a great start! Could you tell me the part numbers on those ICs? I believe the "MHS" one is "HMT-2064-5" which would make sense since that's an 8KByte SRAM.

Many thanks!
  • Joined: 28 Sep 1999
  • Posts: 1149
Post Posted: Wed Dec 09, 2009 4:19 am
djbass wrote
> I don't have a scanner unfortunately so you'll have to make do with my crappy pictures.


Wow, this is interesting stuff. All the other PARs (and GameGenies) use an ASIC to implement the patching functionality. This is way simpler.

The two chips on the bottom are a 74HC74 (can't quite read the logic family, maybe HCT) and a PALCE20V8H PAL which just implements user-programmed glue logic.

I would bet it works something like this:

- Power-up, /reset asserted, flip flop #1 reset. This makes the PAL enable the on-board ROM instead of the cartridge ROM on the pass-through connector.

- PAR program allows the user to enter codes which are stored in the 8K SRAM, then starts the game by setting flip-flop #1. The PAL enables the cartridge ROM and the PAR program, relocated to RAM, jumps to the cartridge ROM entry point.

- The PAL detects an interrupt and enables the PAR ROM (much like a reset did) so that the code at $0038 is executed. RAM locations are patched and control is returned to the game. The switch may disable this behavior.

There is probably some extra junk to handle not triggering a patch when the PAR ROM is enabled, etc.

Some day when we have enough SMS PARs that we don't know what to do with them, the PAL can be removed and dumped. :D But I think its operation is fairly straightforward.
  View user's profile Send private message Visit poster's website
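An emulator-side sketch of the code handling discussed in this thread, added here as an example (it is not code from any poster, from SMS Plus or Meka, or from the PAR ROM). It assumes the 8-digit code is laid out as type, 16-bit address, 8-bit value, accepts only the "00" type mentioned above, and re-pokes RAM once per frame interrupt as in the hypothesis in the preceding post; all function and type names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAR_MAX_CODES 4       /* device limit mentioned in the thread */
#define SMS_RAM_SIZE  0x2000  /* 8 KB work RAM at $C000, mirrored at $E000 */

typedef struct { uint8_t type; uint16_t addr; uint8_t value; } par_code;
typedef struct { par_code codes[PAR_MAX_CODES]; size_t count; } par_state;

enum { PAR_OK = 0, PAR_BAD_FORMAT = -1, PAR_BAD_TYPE = -2,
       PAR_NOT_RAM = -3, PAR_FULL = -4 };

/* Parse "TTAAAAVV" or "TTAA-AAVV" (assumed digit order: type, address, value). */
int par_parse(const char *text, par_code *out)
{
    uint32_t raw = 0;
    int digits = 0, dashes = 0;
    for (const char *p = text; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '-' && digits == 4 && dashes++ == 0) continue; /* one dash, mid-code */
        if (!isxdigit(c) || digits == 8) return PAR_BAD_FORMAT;
        raw = (raw << 4) | (uint32_t)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
        digits++;
    }
    if (digits != 8) return PAR_BAD_FORMAT;
    out->type  = (uint8_t)(raw >> 24);
    out->addr  = (uint16_t)(raw >> 8);
    out->value = (uint8_t)raw;
    if (out->type != 0x00) return PAR_BAD_TYPE;  /* only "00" appears in the thread */
    if (out->addr < 0xC000) return PAR_NOT_RAM;  /* RAM pokes only, no ROM patching */
    return PAR_OK;
}

/* Add a code to the active list, enforcing the four-code limit. */
int par_add(par_state *s, const char *text)
{
    par_code c;
    int rc = par_parse(text, &c);
    if (rc != PAR_OK) return rc;
    if (s->count == PAR_MAX_CODES) return PAR_FULL;
    s->codes[s->count++] = c;
    return PAR_OK;
}

/* Call once per emulated frame interrupt: re-poke every active code. */
void par_apply(const par_state *s, uint8_t ram[SMS_RAM_SIZE])
{
    for (size_t i = 0; i < s->count; i++)
        ram[s->codes[i].addr & (SMS_RAM_SIZE - 1)] = s->codes[i].value;
}

int main(void)
{
    static uint8_t ram[SMS_RAM_SIZE];
    par_state s = {0};
    printf("add: %d\n", par_add(&s, "00C0-1234")); /* constructed sample code */
    ram[0x0012] = 0x05;   /* the game writes its own value ... */
    par_apply(&s, ram);   /* ... and the next interrupt restores ours */
    printf("ram[$C012] = %02X\n", ram[0x0012]);
    return 0;
}
```

On real hardware, writes to $FFFC-$FFFF also reach the mapper registers; this sketch only touches the RAM mirror.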
  • Joined: 27 Apr 2005
  • Posts: 420
  • Location: Australia
Post Posted: Wed Dec 09, 2009 5:02 am
I've got some Game Genie PCB photos in my attachment box from some time ago.
http://www.smspower.org/forums/files/gamegeniefrontwsizeuc8_736.jpg
http://www.smspower.org/forums/files/gamegeniebackwsizetb8_355.jpg
This is only one half of the setup. The two PCBs sandwich together connected at the pin header. I'll get some pics of the other half shortly.
  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Wed Dec 09, 2009 5:33 am
Thanks for the GG pics DMEnduro! What an amazingly complex piece of hardware. :D

Charles: The PS1 PAR also used a PALCE for the CommsLink registers. PS1 was very simple though since the PAR ROM was mapped to 0x1F000000 at all times. All they had to do was hook some system calls in the kernel to make sure their patcher function got called often enough. The CommsLink was the only thing that was even remotely complicated about the hardware and you know how simple that is. :)

Do you have any idea what the PLCC is on the top, left? It has a Microchip logo and looks like it says "MICROCHIP" below that. I *think* it says "PIC2?5"(can't read the ?). If this is indeed a PIC, it must emulate the ROM. AFAIK Microchip never made any memories with parallel interface, just serial. All very curious!
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13023
  • Location: London
Post Posted: Wed Dec 09, 2009 8:04 am
Charles MacDonald wrote
> - The PAL detects an interrupt and enables the PAR ROM (much like a reset did) so that the code at $0038 is executed. RAM locations are patched and control is returned to the game. The switch may disable this behavior.

So what about timing-sensitive games? Injecting code before HInt handlers run would seem dangerous. If the code that runs was from RAM it could be a lot shorter as constants could be modified instead of having to load the patch values from wherever they live.

The 8KB SRAM is presumably there for the "training" (it is overkill for storing four 32-bit numbers).

The 00 prefix may have been added for forward compatibility with a future device.

If it is really that simple then we could probably get a long way from a look at the ROM. It would seem dumpable if we can trick it into making itself visible to the dumper, perhaps just by temporarily grounding the reset line.
  • Site Admin
  • Joined: 08 Jul 2001
  • Posts: 8129
  • Location: Paris, France
Post Posted: Wed Dec 09, 2009 8:23 am
I have an (unverified) ROM dump of the Master System version. I will try to get it up shortly.
  • Joined: 27 Apr 2005
  • Posts: 420
  • Location: Australia
Post Posted: Wed Dec 09, 2009 9:08 am
The other part. I've labeled the throughs, as the back of the PCB is simply 5v and ground planes.
Attachment: ggggcartedge.JPG (841.44 KB), 2nd PCB

  • Joined: 25 Jul 2007
  • Posts: 562
  • Location: Melbourne, Australia
Post Posted: Wed Dec 09, 2009 1:18 pm
Slave drivers you lot! :p

Here you go..

PAR SMS:

MHS
HMT-2064-5
8807FA 139

PALCE20V8Q
-25JC/4
324HVS9 H

T 9327H
HC74A

Microchip
27C256
15/L
9322 CEA


PAR GG:

MB8464A-10L
JAPAN 9209 M83

T 9241H
HC32A

T 9241H
HC32A

T 9320H
HC74A

PALCE20V8Q
-25JC/4
__10PNM

Microchip
27C256
15/L
9810 CEA


The switch on the SMS PAR has three states.. Off, Train, Run
The GG one simply has a red button to train cheats with (jumps to trainer menu) with the other switch to turn the cheats on/off.
Attachments: par-sms-front.jpg (218.43 KB), par-sms-front2.jpg (216.44 KB), par-sms-rear.jpg (180.72 KB), par-gg-front.jpg (225.55 KB), par-gg-front2.jpg (245.91 KB), par-gg-rear.jpg (226.16 KB), par-gg-top.jpg (189.28 KB)

  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Wed Dec 09, 2009 6:31 pm
Excellent work guys!

So Microchip did indeed make parallel memory: a 32KByte EPROM.

Maxim: Using the SRAM to store the codes is the only thing that makes sense in this case. I'm sure they use it for RAM dump in training mode but they would need somewhere to store the address/value pairs in "run" mode.
  • Joined: 24 Nov 2009
  • Posts: 18
Post Posted: Thu Dec 10, 2009 1:43 am
Well, I gave in and bought a PAR for $32US from eBay Germany. If it arrives(who knows given the holiday season) I'll depopulate and scan it. I can dump the EPROM relatively easily so we can compare it with Bock's dump.

I'm assuming the PALCE will have the "security bit" set so I don't know if I'll be able to dump it. I do have a Cypress EZUSB FX2 board that I've used in a number of other projects which should be adequate for toggling inputs and checking the output results but I'd need some help with creating the analysis algorithm itself.
  • Joined: 03 Dec 2019
  • Posts: 1
  • Location: Zoetermeer, The Netherlands
PAR clone
Post Posted: Tue Dec 03, 2019 8:25 pm
Hi guys,

I've been a visitor of this forum for years but I'm thinking of contributing to it now...
I was wondering if there'd be any interest in a Master Pro Action Replay clone, what with originals being quite pricey these days...
Also I noticed a mention of the firmware for it but I cannot find a dump anywhere. I have dumped mine and I'm wondering if there are different ROM versions...
  • Site Admin
  • Joined: 19 Oct 1999
  • Posts: 13023
  • Location: London
Post Posted: Tue Dec 03, 2019 8:58 pm
I disassembled it here: https://github.com/maxim-zhao/smsproactionreplay A clone would need to implement whatever it does to overlay the ROM on interrupt, which is still somewhat mysterious. There’s a credits screen with date and version number if you hold button 2 on startup.