Topic: What I've been working on (iq_132's work in progress)

[BritneysPAIRS]

Twinaphex those sources contain a speed hack for the xbox for this driver....as it was also to slow on the xbox in mame....

congrads to IQ legendary

[iq_132]

Cool stuff iq_132 - Puzzle Bobble 3 and 4 are games I've been wanting to see for a long time in FBA - they're still too slow in MAME 0.78 on PS3 so who knows - perhaps FBA could be fast enough for them.

right now, it takes about 9% cpu on my 3.8quad core ((3800*4)*0.09) = 1368mhz. That's without any of the alpha blending, proper layer mixing, or sound of any sort. However, that is also without any sort of speed hacks or improvements.

How complex is Konami GX BTW you'd reckon? Wondering if that could be lifted over from MAME circa 0.72/0.80 period.

painfully. Konami hardware makes me squirm.

[BritneysPAIRS]

I wonder if IQ would be up for old school mame updates sometime for coinops / other systems that have low specs....mini devices are now aproaching xbox specs lol....

we can post them across many platforms now....I handed over all you did and all I did with is about 700 games added or speed hacked or fixed controllers for mame .84 to make them playable its a waste to see it lost in time.... I also posted a .72 core with midway and tatiof3 stfm and another 100 or so games speed hacked so they can run on lower specs....not much is missing I even added raiden fighters 2 jet
I know some easy ones iq and have a list as per what you said was easy and what you said maybe and no way.....

we dream of the day when iq supports such low specs....

im sorry im dreaming again and off topic but you know your welcome and it look like it could be used across more than the old xbox now

Oh and Merry Xmas

[kev]

NIcework IQ. Very good choice of driver.

[iq_132]

Here's an update. I haven't had much time lately, so I've been working on little projects here and there.

The first one was figuring out the protection used by a couple of IGS games Virtual Bowling and Long Hu Bang II. The protection is somewhat devious and used by other games like Oriental Legends. The protection involves writing to a few locations, the device bitswaps and xors the data, and then reads it back. Each game expects different bitswaps/xors.
This allow me to remove the rom patches.

Next, I took a look at Dragon World II on PGM hardware.  Since the games were added, the protection has been over-simplified and using a very simple hack to bypass it. Other regions were non-working or very buggy at the least.
This was a bit of a pain, as the protection is somewhat similar to the work I did on Virtual Bowling, but different enough to be confusing.
At this point it works, but there are some hacky/unknown parts to it. This will definitely need a re-visit in the future.

Next I took a look at a Street Fighter 'II Dongfang Bubai bootleg dumped by Smittdogg. The protection was surprisingly simple -- basically it expected 0x200 and 0x210 returned at two specific addresses or it crapped out. Dirt simple.

The last bit of work I did on MAME was to add a proper protection emulation for Alien Challenge (another IGS game).  Previously I had reverse-engineered the protection for Lord of Gun on the same hardware.  Alien Challenge took much larger advantage of the protection device. This also allowed me to go back and implement a missing protection mode for lordofgun!

Looking at the early protections for IGS games it seems that many were designed to operate in a very similar way -- take a bit of data and bitswap/xor it and compare it.

tldr; I did a lot of work that no one will notice. Again.

[iq_132]

So it's been a long time. As always, busy with the job.

Anyway, to what I've been up to -- if you follow the MAME git, you probably saw my latest submission.

By examining the 68k assembly output by MAME & FBA's debuggers and behavior that it uses, I was able to
figure out most of the remaining protection used by The Killing Blade. The remaining protection is a number
generated algorithmically by the 68k program as well as the protection device, which is compared and causes
the game to have a panic attack if it doesn't match.
The worst part is that even if you were to directly examine the cart's protection device, you would only be
able to trick the game into telling you the sequence for one region -- even though the 68k has 7 regions stored!

The first step is the last step actually used by the game -- assembling certain bits of the internal (hold) number.
Interestingly, this same order of bits is used by a ton of IGS games! Killing Blade, Oriental Legends Super, Dragon World 2,
Virtual Bowling, lbh2, and many more. ^^

After figuring this out, it is easy to hack/bypass the protection by reading the ram address of the internal (hold) value.

However, for MAME's purposes, this is not enough. We need to be able to generate this internal (hold) value.
The first step is finding where in the 68k's program it is assembled.  Killing Blade is nasty, in particular, because it
has one of the routines that does this written to shared ram by the protection device! (We'll discuss this later).

After finding this, it was easy enough to figure the order the bits go in and whether they are inverted or not.
However, this still takes 3 different inputs!

It takes the old (previous) value
It selects a bit from the offset used to trigger the hold calculation and uses that against the first bit in the value.
It takes a third unknown (hilo) value

Again, it's easy enough to hack it to bypass calculating where the hilo value comes from... but for MAME's purposes, this is, again, not good enough.

So we go further, to calculate the hilo value, you have to look all over the code.
The game will pick two data tables, each is 0xec bytes large (236) and repeats them
again and again. The first table is always the same -- it is actually the copyright warning information! The second one is dependent on
the regional setting of the game.
The 68k uses data in "words" as in, two bytes at a time (16 bits), the hilo value is one byte from each table inverted by the other
then every other byte goes in either byte1 or byte2 of the hilo word (0,1 then 2,1, then 2,3, then 4,3, 4,5 and so on).

It took me a little while to realize that the initial value was actually a seed created by generating the hold 4 times and running the hilo generator 8 times. ^^

This pretty much finished up The Killing Blade's protection, but not olds

Olds has other functions that are incomplete -- the protection device can copy data from an external rom in a variety of ways.
It can swap the nibbles in a word around, it can invert the word by data from a table, it can add data from a table to each word
using it as a sort of encryption, it can subtract data from the table. It can also do a straight copy with no modification.

The problem was figuring out exactly which command did what, and figuring out why the outputted data wasn't always right.
After some work, I realized that the table it uses to decrypt the doesn't always wrap like it would logically when it reached the
end of the table. -- normally it should go 0, 1, 2, 3... 255,0,1, With this setup, it could go 0,1,2, 255,256,0,1,
This helped killing blade as well, though I'm not entirely sure it is actually used.

There is only one copy mode that I couldn't figure out -- mode 0, it seems to copy some 68k code to ram and the game tries to go there and run it.
right now, I am hacking it by using a "ret" command, basically telling the 68k to go back to where it came from.

Lastly the protection device uses "registers" that the game can write to and read back from the ram in a modified form. This is almost completely ignored in the current implementation of the protection device.

I hope some day myself or someone else can figure it out and get the game working 100%.


tldr; stuff and stuff. PGM, kittens, adventure.

[Arcadez]

Nice work!! plus an interesting read
If you dont mind me asking a while back you were looking at adding support for B-Rap Boys in FBA but last i read the game
was getting stuck at the rom load screen was just wondering has then been any progress getting the game to play or not

[iq_132]

Nice work!! plus an interesting read
If you dont mind me asking a while back you were looking at adding support for B-Rap Boys in FBA but last i read the game
was getting stuck at the rom load screen was just wondering has then been any progress getting the game to play or not

I get bored with things and move on pretty fast. haha I've got probably 40 drivers that are in various states of completion.

[Arcadez]

I get bored with things and move on pretty fast. haha I've got probably 40 drivers that are in various states of completion.

Fair enough i know what ya mean i get bored easy too 

[iq_132]

Been a long time since I posted in this thread...

Anywho. I came up with a very small (but slow) version of the crc32 routine.

Code: [Select]

unsigned inline int crc_tab(unsigned char a)
{
unsigned int b = 0;

if (a & 0x01) b ^= 0x77073096;
if (a & 0x02) b ^= 0xEE0E612C;
if (a & 0x04) b ^= 0x076DC419;
if (a & 0x08) b ^= 0x0EDB8832;
if (a & 0x10) b ^= 0x1DB71064;
if (a & 0x20) b ^= 0x3B6E20C8;
if (a & 0x40) b ^= 0x76DC4190;
if (a & 0x80) b ^= 0xEDB88320;

return b;
}

unsigned int crc32(unsigned char *src, unsigned int nLen)
{
int i;
unsigned int crc = ~0;

for (i = 0; i < nLen; i++)
{
crc = crc_tab(crc ^ src[i]) ^ (crc >> 8);
}

return ~crc;
}

Since I've been teaching myself motorola 68k assembly language, I figured this would be a neat little project. Also, it may be
helpful for anywho who is trojaning data on 68k-based devices.

Code: [Select]

; A0 = start address
; A1 = end_address
; D0 = result
; D1 = trashed
; D2 = trashed
MOVEQ #$0.L, D0
NOT.L D0
_start_loop
MOVEQ #0.L, D2
MOVE.B (A0)+, D2
EOR.B D0, D2
MOVEQ #$0.L, D1
BTST #0, D2
BEQ _skip_01
EOR.L #$77073096, D1
_skip_01
BTST #1, D2
BEQ _skip_02
EOR.L #$EE0E612c, D1
_skip_02
BTST #2, D2
BEQ _skip_03
EOR.L #$076DC419, D1
_skip_03
BTST #3, D2
BEQ _skip_04
EOR.L #$0EDB8832, D1
_skip_04
BTST #4, D2
BEQ _skip_05
EOR.L #$1DB71064, D1
_skip_05
BTST #5, D2
BEQ _skip_06
EOR.L #$3B6E20C8, D1
_skip_06
BTST #6, D2
BEQ _skip_07
EOR.L #$76DC4190, D1
_skip_07
BTST #7, D2
BEQ _skip_08
EOR.L #$EDB88320, D1
_skip_08
LSR.L #8, D0
EOR.L D1, D0
CMPA.L A0,A1
BNE _start_loop
NOT.L D0


[iq_132]

Just finishing this:

[Arcadez]

Nice work always good to see more classic Nintendo in FBA

[vbt]

cool, IQ is back with new pictures 

[destronger]

yes!!! punch out!

[iq_132]

yes!!! punch out!

lol. I'm glad you guys like my choice in drivers. I'm most pleased about having ported two new sound cores to get the game to have good sound.