Mega Drive Unlicensed Game Emulation Notes

From Sega Retro

TODO: Is there a better category? And I have to add everything =P (plus ROM addresses, SRAM specifics, etc.)

Unlike official Mega Drive games, unlicensed games usually have copy protection schemes, SRAM mapping oddities, or other hardware quirks that emulator authors should take note of if they want their emulators to work with these games. sha1sums of dumps to watch out for are given.

Note that at present, no unlicensed game is known to use Sega's standard checksum routine, so checksum fixing should NOT be done to these games (especially since some, for example Aq Renkan Awa, are known to store code at $18E).

Games With Constant-Value Hardware Registers

TODO many, many, many more

A large number of unlicensed games merely read various constant byte values stored at specific addresses in the $400000 region as copy protection.

Game sha1sum $400000 $400002 $400004 $400006 On Failure
Elf Wor 5fc4591fbb1acc64e184466c7b6287c7f64e0b7a $55 $F $C9 $18
Huan Le Tao Qi Shu: Smart Mouse TODO $55 $F $AA $F0 The game will fade to black and freeze several seconds into gameplay. Check is at ROM $8BC.
Mighty Morphin' Power Rangers: The Fighting Edition 25d2d6a5ab20e16b8b42b67e5fb338421b64b29b $55 $F $18
Super Bubble Bobble MD 03f40c14624f1522d6e3105997d14e8eaba12257 $55 $F It will play a high-pitched beeping sound and refuse to go past the beginning of the title screen. This check is at ROM $123E4.

Additional Game Specifics

The game checksums two critical routines (specifically, the two that do the copy protection check) and will refuse to boot if the checksums do not match: 

ROM:000003EC                 lea     ($5166).l,a0    ; what this routine does is presently unknown (TODO)
ROM:000003F2                 move.w  #$2FF,d7
ROM:000003F6                 move.w  #0,d0
ROM:000003FA
ROM:000003FA loc_3FA:                                ; CODE XREF: ROM:000003FC�j
ROM:000003FA                 add.b   (a0)+,d0
ROM:000003FC                 dbf     d7,loc_3FA
ROM:00000400                 cmpi.b  #$5E,d0
ROM:00000404                 beq.w   loc_40E         ; next check
ROM:00000408                 jmp     (loc_300).l     ; back to entry point == no boot
ROM:0000040E ; ---------------------------------------------------------------------------
ROM:0000040E
ROM:0000040E loc_40E:                                ; CODE XREF: ROM:00000404�j
ROM:0000040E                 lea     ($1AAE).l,a0    ; this is the player event handling routine
ROM:00000414                 move.w  #$1FF,d7
ROM:00000418                 move.w  #0,d0
ROM:0000041C
ROM:0000041C loc_41C:                                ; CODE XREF: ROM:0000041E�j
ROM:0000041C                 add.b   (a0)+,d0
ROM:0000041E                 dbf     d7,loc_41C
ROM:00000422                 cmpi.b  #$94,d0
ROM:00000426                 beq.w   sub_430         ; boot!
ROM:0000042A                 jmp     (loc_300).l     ; back to entry point == no boot

Mighty Morphin' Power Rangers: The Fighting Edition

(TODO cleanup this part) According to Eke, author of Genesis Plus GX: 

00065D2E:6000 ; bypass a first check
00065D3A:070A ; fixes internal checksum so it matches original value

000661FC:6000 ; bypass a second check
00066208:070A ; fixes internal checksum so it matches original value

Additionally there's a routine that overwrites ROM to thwart copiers (TODO)

Super Bubble Bobble MD

The game also stores stuff in the $200000-$3FFFFF range and reads stuff back from it; exactly what this should be is unknown (TODO).

Games That Use Mirrored Memory For Copy Protection

TODO not as many: Tiny Toon Adventures 3, Barver Battle Saga, Shui Hu Zhuan, Feng Shen Whatchamacallit are the only four I know of so far

Some games store memory instead of constant values at the $400000 area, writing byte values to one address and expecting to read them back from a different address.

Game sha1sum Write To Read From On Failure

Additional Game Specifics

Games With Rockman X3-style ROM Banking

TODO this one will hurt

All Realtec Games

TODO: wikify this

Affected ROMs:

All Realtec games use a custom mapper format documented by TascoDLX.

Tiny Toon Adventures 3

Affected ROMs:

The game writes byte $55 to $400000 (this address is stored in memory by a calculation at $673E and the byte is stored in the function starting at $2C0C) and expects to read that byte back from $400002; otherwise, the game will reset itself (function with this check is at $2C26).

The game also appears to write to the upper 64KB of ROM (from $F0000 on), but doesn't appear to actually use that area (TODO).

Xin Qi Gai Wang Zi

Affected ROMs:

The game is 4MB storing SRAM above the $400000 mark. (TODO get specifics)

Ya Se Chuan Shuo

Affected ROMs:

  • "Imperial Dynasty" version: presently undumped
  • "The Legend of Arthur" version: 8fe0806427e123717ba20478ab1410c25fa942e6

The Data East/Side Pocket driver stolen from High Seas Havoc used in this game is slightly modified; an add from Z80 RAM to a register (TODO) is used. If this instruction is not emulated correctly, the play song routine will load invalid music and eventually crash.

Furthermore, the Z80 sound driver presumably expects that the uppermost 32KB of ROM (from $1F8000) be mirrored at $400000. This needs to be confirmed.

Retrieved from "https://segaretro.org/index.php?title=Mega_Drive_Unlicensed_Game_Emulation_Notes&oldid=59796"