David Haywood＇s MAME(tm) WIP (2010/04/27) - 模擬器

http://mamedev.emulab.it/haze/

One of the most common questions I get asked is ‘Why is the PGM hardware so
badly emulated?’

The answer to this is simple, it isn’t. The actual PGM emulation (aside from
the sound chip) is mostly complete. The problem is that every single PGM game
has it’s own protection scheme, and the later ones (which is the real reason
people complain) are very, very well protected, and are IMPOSSIBLE to emulate
properly without expensive hardware decapping because even with trojans you
can’t read out all the internal ROM code. (So don’t ask about them)

With that said some of the older ones still present interesting challenges to
study. The Killing Blade has been emulated for a long time, but it’s always
bothered me that in order for it to run a dump of the RAM content from a
running machine was required to bypass proper emulation of a scrambled DMA
device. A few days ago XingXing sent me some data from tests he did on the
PCB, allowing me to properly implement the transfers and remove the fake ROM.
This means that both sets of The Killing Blade now work correctly (previously
only the parent set worked, because the RAM dump was incorrect for the clone).




Not that exciting, but from an emulation point of view, good to understand,
and it was interesting to find that the xor/add/subtraction table used for
the transfers is actually stored at the start of the MCU data rom. Emulating
the device also revealed another interesting oddity. Previously an entire
block of startup code for the game was missing, because it was put in ram,
executed, and erased, and thus missing from the RAM dump. This performs some
additional security checks, these haven’t been figured out yet (and aren’t
that important, they were completely missing before afterall!), but will
present another interesting challenge at some point.

Slightly more interesting is the fact that the chip which is thourgh to be
responsible for the scrambled DMA (IGS022) can be exchanged between games,
although the chip it’s used in conjunction with (IGS025) can’t..

There is one other game running on PGM that uses this combination of chips,
and that’s Dragon World 3, which at this point becomes a potentially
interesting target. XingXing provided a RAM dump similar to the Killing Blade
one which allows the game to boot, but I’m hoping that it can be elimiated
quickly by reusing the DMA code (IGS022) code tha was figured out for The
Killing Blade. The problem is the game makes much more extensive use of the
IGS025 chip, and currently doesn’t even appear to attempt to trigger any DMA
operations. It does boot now, but until those chips are emulated it won’t
work, it crashes when you attempt to start a game. Unlike the later games it’
s a realistic emulation target at this point however.




Thanks to XingXing for the hardware work / information.

--