Making a Killing, Killing a Dragon
One of the most common questions I get asked is ‘Why is the PGM hardware so badly emulated?’
The answer to this is simple, it isn’t. The actual PGM emulation (aside from the sound chip) is mostly complete. The problem is that every single PGM game has its own protection scheme, and the later ones (which is the real reason people complain) are very, very well protected, and are IMPOSSIBLE to emulate properly without expensive hardware decapping because even with trojans you can’t read out all the internal ROM code. (So don’t ask about them)
With that said, some of the older ones still present interesting challenges to study. The Killing Blade has been emulated for a long time, but it’s always bothered me that in order for it to run, a dump of the RAM content from a running machine was required to bypass proper emulation of a scrambled DMA device. A few days ago XingXing sent me some data from tests he did on the PCB, allowing me to properly implement the transfers and remove the fake ROM. This means that both sets of The Killing Blade now work correctly (previously only the parent set worked, because the RAM dump was incorrect for the clone).
Not that exciting, but from an emulation point of view, good to understand, and it was interesting to find that the xor/add/subtraction table used for the transfers is actually stored at the start of the MCU data ROM. Emulating the device also revealed another interesting oddity. Previously an entire block of startup code for the game was missing, because it was put in RAM, executed, and erased, and thus missing from the RAM dump. This code performs some additional security checks; these haven’t been figured out yet (and aren’t that important, they were completely missing before after all!), but will present another interesting challenge at some point.
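To make the idea of a table-driven scrambled DMA concrete, here is an added example (not MAME's IGS022 code, and not the real table format, which the post does not describe). It assumes a hypothetical layout in which the first byte of the MCU data ROM is a rule count followed by (op, operand) pairs, with op 0 = xor, 1 = add, 2 = subtract, and in which the DMA applies rule i mod N to source byte i. All the ROM bytes and plaintext below are constructed for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Hypothetical operation codes for one table entry. IGS022's real table
// layout is not described in the post; this encoding is constructed here.
enum class DmaOp : uint8_t { Xor = 0, Add = 1, Sub = 2 };

struct DmaRule {
    DmaOp   op;
    uint8_t operand;
};

// Parse the rule table assumed to sit at offset 0 of the MCU data ROM:
// one count byte followed by (op, operand) pairs. Constructed layout.
std::vector<DmaRule> parse_table(const std::vector<uint8_t>& rom) {
    if (rom.empty()) throw std::runtime_error("empty MCU data ROM");
    const size_t count = rom[0];
    if (rom.size() < 1 + 2 * count) throw std::runtime_error("truncated rule table");
    std::vector<DmaRule> rules;
    for (size_t i = 0; i < count; ++i) {
        const uint8_t op = rom[1 + 2 * i];
        if (op > 2) throw std::runtime_error("unknown op code in rule table");
        rules.push_back({static_cast<DmaOp>(op), rom[2 + 2 * i]});
    }
    return rules;
}

// Apply rule r to one byte as the DMA would when moving scrambled ROM data
// into RAM. Arithmetic is mod 256, so uint8_t wraps like an 8-bit register.
uint8_t descramble_byte(uint8_t v, const DmaRule& r) {
    switch (r.op) {
        case DmaOp::Xor: return static_cast<uint8_t>(v ^ r.operand);
        case DmaOp::Add: return static_cast<uint8_t>(v + r.operand);
        case DmaOp::Sub: return static_cast<uint8_t>(v - r.operand);
    }
    return v;  // unreachable: parse_table rejects unknown ops
}

// Inverse of descramble_byte, used only to build scrambled test data.
uint8_t scramble_byte(uint8_t v, const DmaRule& r) {
    switch (r.op) {
        case DmaOp::Xor: return static_cast<uint8_t>(v ^ r.operand);
        case DmaOp::Add: return static_cast<uint8_t>(v - r.operand);
        case DmaOp::Sub: return static_cast<uint8_t>(v + r.operand);
    }
    return v;
}

// Emulated transfer: source byte i is transformed with rules[i % rules.size()].
std::vector<uint8_t> dma_transfer(const std::vector<uint8_t>& src,
                                  const std::vector<DmaRule>& rules, bool unscramble) {
    if (rules.empty()) throw std::runtime_error("rule table has no entries");
    std::vector<uint8_t> out(src.size());
    for (size_t i = 0; i < src.size(); ++i) {
        const DmaRule& r = rules[i % rules.size()];
        out[i] = unscramble ? descramble_byte(src[i], r) : scramble_byte(src[i], r);
    }
    return out;
}

// Constructed MCU data ROM: 3 rules (xor 0x5A, add 0x7F, sub 0x10), then padding.
std::vector<uint8_t> sample_mcu_rom() {
    return {0x03, 0x00, 0x5A, 0x01, 0x7F, 0x02, 0x10, 0xFF, 0xFF};
}

// Constructed plaintext the game expects to find in RAM after the transfer.
std::vector<uint8_t> sample_plaintext() { return {0x00, 0x01, 0x02, 0xFF, 0x80}; }

// The scrambled form of the sample plaintext under the sample table.
std::vector<uint8_t> sample_scrambled() {
    return dma_transfer(sample_plaintext(), parse_table(sample_mcu_rom()), false);
}

// Full round trip: scramble the plaintext, run the emulated DMA, compare.
bool round_trip_ok() {
    const std::vector<DmaRule> rules = parse_table(sample_mcu_rom());
    return dma_transfer(sample_scrambled(), rules, true) == sample_plaintext();
}

int main() {
    for (uint8_t b : sample_scrambled()) std::printf("%02X ", b);
    std::printf("-> round trip %s\n", round_trip_ok() ? "ok" : "FAILED");
    return round_trip_ok() ? 0 : 1;
}
```

The point of the structure is that once the table is read from the ROM rather than hard-coded, a second board using the same DMA chip with a different MCU ROM needs no new code, which is the kind of reuse the post hopes for between The Killing Blade and Dragon World 3.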
Slightly more interesting is the fact that the chip which is thought to be responsible for the scrambled DMA (IGS022) can be exchanged between games, although the chip it’s used in conjunction with (IGS025) can’t.
There is one other game running on PGM that uses this combination of chips, and that’s Dragon World 3, which at this point becomes a potentially interesting target. XingXing provided a RAM dump similar to the Killing Blade one which allows the game to boot, but I’m hoping that it can be eliminated quickly by reusing the IGS022 DMA code that was figured out for The Killing Blade. The problem is the game makes much more extensive use of the IGS025 chip, and currently doesn’t even appear to attempt to trigger any DMA operations. It does boot now, but until those chips are emulated it won’t work: it crashes when you attempt to start a game. Unlike the later games it’s a realistic emulation target at this point however.
Thanks to XingXing for the hardware work / information.
Source: mamedev.emulab.it/haze/