Difference between revisions of "Mega Drive Unlicensed Game Emulation Notes"

From Sega Retro

Line 14: Line 14:
 
Affected ROMs:
 
Affected ROMs:
 
*[[Elf Wor]]: 5fc4591fbb1acc64e184466c7b6287c7f64e0b7a
 
*[[Elf Wor]]: 5fc4591fbb1acc64e184466c7b6287c7f64e0b7a
The game checksums two critical routines (one of which is the routine that handles player events) and will refuse to boot if the checksums do not match. (TODO add information on these checksums) [TODO also see why some emulators behave wonky with this]
+
The game checksums two critical routines (one of which is the routine that handles player events) and will refuse to boot if the checksums do not match:
 +
<pre>ROM:000003EC                lea    ($5166).l,a0
 +
ROM:000003F2                move.w  #$2FF,d7
 +
ROM:000003F6                move.w  #0,d0
 +
ROM:000003FA
 +
ROM:000003FA loc_3FA:                                ; CODE XREF: ROM:000003FC�j
 +
ROM:000003FA                add.b  (a0)+,d0
 +
ROM:000003FC                dbf    d7,loc_3FA
 +
ROM:00000400                cmpi.b  #$5E,d0
 +
ROM:00000404                beq.w  loc_40E ; next check
 +
ROM:00000408                jmp    (loc_300).l ; back to entry point == no boot
 +
ROM:0000040E ; ---------------------------------------------------------------------------
 +
ROM:0000040E
 +
ROM:0000040E loc_40E:                                ; CODE XREF: ROM:00000404�j
 +
ROM:0000040E                lea    ($1AAE).l,a0 ; this is the player event handling routine
 +
ROM:00000414                move.w  #$1FF,d7
 +
ROM:00000418                move.w  #0,d0
 +
ROM:0000041C
 +
ROM:0000041C loc_41C:                                ; CODE XREF: ROM:0000041E�j
 +
ROM:0000041C                add.b  (a0)+,d0
 +
ROM:0000041E                dbf    d7,loc_41C
 +
ROM:00000422                cmpi.b  #$94,d0
 +
ROM:00000426                beq.w  sub_430 ; boot!
 +
ROM:0000042A                jmp    (loc_300).l ; back to entry point == no boot</pre>
 +
 
 +
(TODO add information on these checksums) [TODO also see why some emulators behave wonky with this]
  
 
==[[Mighty Morphin' Power Rangers: The Fighting Edition]]==
 
==[[Mighty Morphin' Power Rangers: The Fighting Edition]]==
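Review bot: the TODO moved to the end of the added block still reads "add information on these checksums", although the new listing already supplies that information. Both loops are 8-bit additive sums (add.b (a0)+,d0 under dbf): $300 bytes from $5166 must sum to $5E, and $200 bytes from $1AAE must sum to $94. Suggest stating that in one sentence after the listing and narrowing the TODO to the open emulator question. The three CODE XREF comments also carry a mis-encoded character before the "j" (the disassembler's direction arrow), which should be replaced before saving.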

Revision as of 09:40, 28 July 2011

TODO: Is there a better category? And I have to add everything =P (plus ROM addresses, SRAM specifics, etc.)

Unlike official Mega Drive games, unlicensed games usually have copy protection schemes, SRAM mapping oddities, or other hardware quirks that emulator authors need to handle if they want their emulators to run these games. SHA-1 sums of the affected dumps are given.

All Realtec Games

TODO: wikify this

Affected ROMs:

All Realtec games use a custom mapper format documented by TascoDLX.

Elf Wor

Affected ROMs:

  • Elf Wor: 5fc4591fbb1acc64e184466c7b6287c7f64e0b7a

The game checksums two critical routines (one of which is the routine that handles player events) and will refuse to boot if the checksums do not match:

ROM:000003EC                 lea     ($5166).l,a0
ROM:000003F2                 move.w  #$2FF,d7
ROM:000003F6                 move.w  #0,d0
ROM:000003FA
ROM:000003FA loc_3FA:                                ; CODE XREF: ROM:000003FC↓j
ROM:000003FA                 add.b   (a0)+,d0
ROM:000003FC                 dbf     d7,loc_3FA
ROM:00000400                 cmpi.b  #$5E,d0
ROM:00000404                 beq.w   loc_40E ; next check
ROM:00000408                 jmp     (loc_300).l ; back to entry point == no boot
ROM:0000040E ; ---------------------------------------------------------------------------
ROM:0000040E
ROM:0000040E loc_40E:                                ; CODE XREF: ROM:00000404↑j
ROM:0000040E                 lea     ($1AAE).l,a0 ; this is the player event handling routine
ROM:00000414                 move.w  #$1FF,d7
ROM:00000418                 move.w  #0,d0
ROM:0000041C
ROM:0000041C loc_41C:                                ; CODE XREF: ROM:0000041E↓j
ROM:0000041C                 add.b   (a0)+,d0
ROM:0000041E                 dbf     d7,loc_41C
ROM:00000422                 cmpi.b  #$94,d0
ROM:00000426                 beq.w   sub_430 ; boot!
ROM:0000042A                 jmp     (loc_300).l ; back to entry point == no boot

(TODO add information on these checksums) [TODO also see why some emulators behave wonky with this]
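The two loops in the listing above, modelled in C as an added example (not code from the wiki or from any emulator), so a dump or a modified image can be checked against the values the game expects. It assumes a raw linear dump in which file offset equals ROM address; the names `sum8_dbf` and `elfwor_boot_check` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values read from the listing: start address (a0), initial d7, expected d0.b. */
struct sum_check { uint32_t start; uint16_t d7; uint8_t expect; };
static const struct sum_check ELFWOR_CHECKS[2] = {
    { 0x5166, 0x2FF, 0x5E },  /* loop at ROM:000003FA */
    { 0x1AAE, 0x1FF, 0x94 },  /* loop at ROM:0000041C, player event handler */
};

/* Models "add.b (a0)+,d0 / dbf d7,loop": the body runs d7+1 times and add.b
 * keeps only the low 8 bits. Returns -1 if the range runs past the image. */
int sum8_dbf(const uint8_t *rom, size_t len, uint32_t start, uint16_t d7, uint8_t *out)
{
    size_t count = (size_t)d7 + 1;
    if (start > len || count > len - start)
        return -1;
    uint8_t d0 = 0;
    for (size_t i = 0; i < count; i++)
        d0 = (uint8_t)(d0 + rom[start + i]);
    *out = d0;
    return 0;
}

/* 0: both checks pass (boot). 1 or 2: index of the first failing check
 * (the game jumps back to loc_300). -1: image too short. */
int elfwor_boot_check(const uint8_t *rom, size_t len)
{
    for (int i = 0; i < 2; i++) {
        uint8_t sum;
        if (sum8_dbf(rom, len, ELFWOR_CHECKS[i].start, ELFWOR_CHECKS[i].d7, &sum) != 0)
            return -1;
        if (sum != ELFWOR_CHECKS[i].expect)
            return i + 1;
    }
    return 0;
}

int main(void)
{
    static uint8_t rom[0x6000];  /* constructed zero-filled image, not the real ROM */
    rom[0x5166] = 0x5E;          /* makes the first range sum to $5E */
    rom[0x1AAE] = 0x94;          /* makes the second range sum to $94 */
    printf("%d\n", elfwor_boot_check(rom, sizeof rom));
    return 0;
}
```

Because the sum is only 8 bits wide and additive, it detects a single changed byte inside either range but not reordered bytes or changes that cancel out modulo 256.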

Mighty Morphin' Power Rangers: The Fighting Edition

Affected ROMs:

According to Eke, author of Genesis Plus GX:

00065D2E:6000 ; bypass a first check
00065D3A:070A ; fixes internal checksum so it matches original value

000661FC:6000 ; bypass a second check
00066208:070A ; fixes internal checksum so it matches original value 

Super Bubble Bobble MD

Affected ROMs:

Has copy protection similar to various other games (TODO)

Tiny Toon Adventures 3

Affected ROMs:

The game writes a value (TODO) to $400000 (this address is somewhat obfuscated in ROM) and expects to read it back from $400002 (TODO verify); otherwise, the game will reset itself (the branch that does this is at ROM address $002C36).

The game also appears to write to the upper 64KB of ROM (from $F0000 on), but doesn't appear to actually use that area (TODO).

Ya Se Chuan Shuo

Affected ROMs:

  • "Imperial Dynasty" version: presently undumped
  • "The Legend of Arthur" version: 8fe0806427e123717ba20478ab1410c25fa942e6

The Data East/Side Pocket driver used in this game, stolen from High Seas Havoc, is slightly modified: it uses an add from Z80 RAM to a register (TODO). If this instruction is not emulated correctly, the play song routine will load invalid music and eventually crash.

Furthermore, the Z80 sound driver presumably expects that the uppermost 32KB of ROM (from $1F8000) be mirrored at $400000. This needs to be confirmed.