Freeplaytech Forum

flashmasta savegame fix
On 32mbits flashmasta/bung cartridge, the save game function is broken for all games under 16mbits.

Here, you'll find some patches that can be applied using tools like lunar ips patcher to relocate the save game data.

If you find some issue regarding those patches or you'd like to see a patch for a specific game, let me know

Please, don't upload those patches elsewhere.

Loïc.
Hi,
here's a fix for Melon-chan no Seichou Nikki.

Like the Cotton one, it's even less tested as I don't understand Japanese.

Loïc

[link moved in 1st post]
Thanks for all of this, Loïc. I've been fairly busy with many other things lately. I've kept up with the few orders of units, but have otherwise been unable to spend time on these projects.
Hey Loïc (or anyone else),

Have you had issues with Biomotor Unitron? There was a guy that said his was having save problems like this. I've never heard of anyone having issues with it. If you know what to look for, is it easy to see if it might need a patch?
(10-20-2015, 12:56 PM)Flavor Wrote: [ -> ]Hey Loïc (or anyone else),

Have you had issues with Biomotor Unitron? There was a guy that said his was having save problems like this. I've never heard of anyone having issues with it. If you know what to look for, is it easy to see if it might need a patch?

I've just checked the internet and Biomotor is 8Mbit, so it should have the savegame issue.
I'll try to take a look at that (might be a good way to test the incoming cartridge ^^) and create an ips patch.

Regards,
Loïc
Can you also do a little bit of a technical post to describe what exactly you end up patching (from what to what)?
Hi all,

here's some technical data for patching Biomotor Unitron (based on the "Biomotor Unitron (UE) [!].ngc" dump, should be the same for others)

This one was a little harder to modify, compared to Cotton or Melon Chan, as the block to clear wasn't directly addressed, but stored in the b register.
And as the neopop debugger doesn't show lines before a break point, it was not as easy to track.

Biomotor unitron :

this is the part of the code where the game handles the savegame.

DIS 20DBB4: LD B,0x11 "22 11" ==> by default, the game clears block 0x11. So I changed this value to 0x21 to relocate the save at the end of a 16mbit cartridge.
DIS 20DBB6: CALL 0x20776F "1D 6F 77 20" ==> call the block erase function
DIS 20DBBA: CP RA3,0 "C7 30 D8"
DIS 20DBBD: JR NZ,0x20DBB4 "6E F5"
DIS 20DBBF: LD BC,0x0008 "31 08 00"
DIS 20DBC2: LD XDE,0x000FA000 "42 00 A0 0F 00" ==> set the destination address, here 0x0FA000 (A0 0F 00) that I relocated at 0x1FA000 (A0 1F 00)
DIS 20DBC7: LD XHL,0x00004000 "43 00 40 00 00"
DIS 20DBCC: CALL 0x207788 "1D 88 77 20" ==> write function
DIS 20DBD0: CP RA3,0 "C7 30 D8"

savegame functions :

--block erase :
DIS 20776F: CP (0x200020),0xFFFE "D2 20 00 20 3F FE FF" ==> always false ? address is part of the cartridge header
DIS 207776: SCC Z,RA3 "C7 30 76" ==> RA3 <= 0
DIS 207779: LD RB3,B "C7 35 9A" ==> RB3 <= 0x11 (0x21 after modification)
DIS 20777C: LD RW3,0x08 "C7 31 03 08"
DIS 207780: LD (0x6F),0x4E "08 6F 4E"
DIS 207783: SWI 1 "F9"
DIS 207784: LD (0x6F),0x4E "08 6F 4E"
DIS 207787: RET "0E"


--block write :
DIS 207788: CP (0x200020),0xFFFE "D2 20 00 20 3F FE FF"
DIS 20778F: SCC Z,RA3 "C7 30 76"
DIS 207792: LD RW3,6 "C7 31 AE"
DIS 207795: LD RBC3,BC "D7 34 99"
DIS 207798: LD XHL3,XHL "E7 3C 9B"
DIS 20779B: LD XDE3,XDE "E7 38 9A" ==> write destination : 0x0FA000 before, and 0x1FA000 after relocation.
DIS 20779E: LD (0x6F),0x4E "08 6F 4E"
DIS 2077A1: SWI 1 "F9"
DIS 2077A2: LD (0x6F),0x4E "08 6F 4E"
DIS 2077A5: RET "0E"

However, the pattern "22 11 1D 6F 77 20" (LD B,0x11 & CALL 0x20776F) can be found 4 times in the source code, near the same address area. Maybe there's something left to modify, but it will require some testing.

Load game part :
DIS 20DABD: ADD XHL,0x000FA000 "EB C8 00 A0 0F 00" ==> read data from cartridge at 0x0FA000, relocated at 0x1FA000 (EB C8 00 A0 1F 00)
DIS 20DAC3: PUSH XHL "3B"
DIS 20DAC4: CALL 0x2077BE "1D BE 77 20" ==> call the reading function. Not really useful to be described here ^^


Here's a sample of the mess ngp.c driver that describes the block number and size depending on the cartridge size:
Quote:
The cartridges
==============

The cartridges used flash chips produced by Toshiba, Sharp or Samsung. These
are the only 3 manufacturers supported by the NeoGeo pocket bios. The device
IDs supported appear to be SNK exclusive. Most likely because of the factory
blocked game data areas on these chip.

These manufacturer IDs are supported: 0x98, 0xec, 0xb0
These device IDs are supported: 0xab, 0x2c, 0x2f

There is support for 3 different sizes of flash roms: 4Mbit, 8Mbit 16Mbit. The
32Mbit games appear to be 2 16Mbit flash chips in 2 different memory regions (?).

The flash chips have a couple of different sized blocks. When writing to a
cartridge the neogeo pocket bios will erase the proper block and write the data
to the block.

The relation between block number and flash chip is as follows:

## | 16Mbit (2f) | 8Mbit (2c) | 4Mbit (ab)
---+---------------+-------------+-------------
00 | 000000-00ffff | 00000-0ffff | 00000-0ffff
01 | 010000-01ffff | 10000-1ffff | 10000-1ffff
02 | 020000-02ffff | 20000-2ffff | 20000-2ffff
03 | 030000-03ffff | 30000-3ffff | 30000-3ffff
04 | 040000-01ffff | 40000-4ffff | 40000-4ffff
05 | 050000-01ffff | 50000-5ffff | 50000-5ffff
06 | 060000-01ffff | 60000-6ffff | 60000-6ffff
07 | 070000-01ffff | 70000-7ffff | 70000-77fff
08 | 080000-01ffff | 80000-8ffff | 78000-79fff
09 | 090000-01ffff | 90000-9ffff | 7a000-7bfff
10 | 0a0000-01ffff | a0000-affff | 7c000-7ffff
11 | 0b0000-01ffff | b0000-bffff |
12 | 0c0000-01ffff | c0000-cffff |
13 | 0d0000-01ffff | d0000-dffff |
14 | 0e0000-01ffff | e0000-effff |
15 | 0f0000-01ffff | f0000-f7fff |
16 | 100000-10ffff | f8000-f9fff |
17 | 110000-11ffff | fa000-fbfff |
18 | 120000-12ffff | fc000-fffff |
19 | 130000-13ffff | |
20 | 140000-14ffff | |
21 | 150000-15ffff | |
22 | 160000-16ffff | |
23 | 170000-17ffff | |
24 | 180000-18ffff | |
25 | 190000-19ffff | |
26 | 1a0000-1affff | |
27 | 1b0000-1bffff | |
28 | 1c0000-1cffff | |
29 | 1d0000-1dffff | |
30 | 1e0000-1effff | |
31 | 1f0000-1f7fff | |
32 | 1f8000-1f9fff | |
33 | 1fa000-1fbfff | |
34 | 1fc000-1fffff | |

The last block is always reserved for use by the system. The Neogeo Pocket Color
bios does some tests on this last block to see if the flash functionality is
working. It does this on every boot!
source : http://git.redump.net/mess/tree/src/mess/drivers/ngp.c

I can try to provide more information if wanted.
Here's an IPS patch for Biomotor Unitron, quickly tested on real hardware.

[link moved in 1st post]
Thanks, Loïc. I knew all the technical details from the flash chip hardware side of things, but it's very interesting to see how you searched the ROM and patched it.
(10-29-2015, 01:41 AM)Flavor Wrote: [ -> ]Thanks, Loïc. I knew all the technical details from the flash chip hardware side of things, but it's very interesting to see how you searched the ROM and patched it.

Basically, I searched for (already found in Cotton and Melon Chan) :
LD (0x6F),0x4E
SWI 1

==> "08 6F 4E F9" in the rom.

From that point, I used neopop to trigger a break point at the supposed 'SWI 1' code location, or a break point at bios call (easiest method).
Run the game until I reach a meaningful break point, then use the disassembly function to retrieve the nearby code.

The writing function after the bios call gives the address of the written data (00 A0 0F 00).
I searched this string in the rom and set break points at nearby addresses, then ran the emulator to find which break point is reached.

I had to use the Toshiba TLC900/H documentation to understand the SCC instruction, or to help with some disassembly.
The rom structure wasn't intended for you ! Blush
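
The search method described in the posts above, as an added example that is not part of the original thread or the author's patches: it lists candidate patch sites by scanning for the byte strings quoted in the posts and pairs each with the relocated bytes. The names `scan`, `find_all` and `build_sample` are hypothetical, the mapping of the ROM file at CPU address 0x200000 is an assumption, and the sample image is constructed from the bytes quoted above.

```python
ROM_BASE = 0x200000  # assumption: cartridge ROM is mapped at CPU address 0x200000
FLASH_CALL = bytes.fromhex("086F4EF9")    # LD (0x6F),0x4E ; SWI 1
OLD_BLOCK, NEW_BLOCK = 0x11, 0x21         # block numbers quoted in the post
OLD_ADDR, NEW_ADDR = 0x0FA000, 0x1FA000   # save addresses quoted in the post


def find_all(rom, needle):
    """Yield every file offset at which needle occurs."""
    pos = rom.find(needle)
    while pos != -1:
        yield pos
        pos = rom.find(needle, pos + 1)


def scan(rom):
    """Return sorted (cpu_address, kind, old_bytes, new_bytes) candidates.

    Nothing is modified here: the same byte values can occur in data or in
    unrelated code, so each hit still has to be confirmed in a debugger.
    """
    old_imm = OLD_ADDR.to_bytes(4, "little")   # "00 A0 0F 00"
    new_imm = NEW_ADDR.to_bytes(4, "little")   # "00 A0 1F 00"
    old_ld = bytes([0x22, OLD_BLOCK])          # LD B,0x11
    new_ld = bytes([0x22, NEW_BLOCK])          # LD B,0x21
    # The BIOS call itself is only a landmark, so old and new bytes are equal.
    hits = [(ROM_BASE + o, "flash BIOS call", FLASH_CALL, FLASH_CALL)
            for o in find_all(rom, FLASH_CALL)]
    hits += [(ROM_BASE + o, "save address", old_imm, new_imm)
             for o in find_all(rom, old_imm)]
    # Only count LD B,0x11 when a CALL opcode (0x1D) follows directly.
    hits += [(ROM_BASE + o, "erase block", old_ld, new_ld)
             for o in find_all(rom, old_ld + b"\x1d")]
    return sorted(hits)


def build_sample():
    """Constructed 64 KiB image holding only byte strings quoted in the post."""
    rom = bytearray(b"\xff" * 0x10000)
    for cpu_addr, hexbytes in [
        (0x207780, "086F4EF9086F4E0E"),   # tail of the block erase function
        (0x20DABD, "EBC800A00F00"),       # ADD XHL,0x000FA000 (load)
        (0x20DBB4, "22111D6F7720"),       # LD B,0x11 ; CALL 0x20776F
        (0x20DBC2, "4200A00F00"),         # LD XDE,0x000FA000 (save)
    ]:
        data = bytes.fromhex(hexbytes)
        rom[cpu_addr - ROM_BASE:cpu_addr - ROM_BASE + len(data)] = data
    return bytes(rom)
```

On a real dump, `scan(open(path, "rb").read())` gives the list of addresses to set break points on; a "save address" hit is reported at the immediate operand, one or two bytes after the opcode address shown in the disassembly.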