(WIP) Luca Elia: StarPak 3 (A Tale Of Rare Cartridge - 模擬器

By Agnes
at 2017-02-13T20:15

Table of Contents

2017.02.12

The Galaxy Games system by CES (Creative Electronics & Software) is a
cartridge based PCB in a two-player cocktail cab, with trackballs and buttons
as inputs. It offers a series of mini-games targeted at the casual player
(think bartops: you can see a video of the thing in action here).

The base system includes a number of games in the BIOS while the cartridges
— up to 4 can be fitted at the same time — can add plenty more. I emulated
this system and the base games several years back. The StarPak 2 cartridge
was added shortly after, but required an hack to run. The hardware uses a
blitter, implemented in a Xilinx FPGA, which was also featured in Midway's
Touch Master series of games (thus, the CES guys were clearly behind those
titles too).

It's pretty rare to see these titles auctioned, i.e. only one such PCB (with
StarPak 2) and one cab had been seen for sale in the last 10 years. Yet
BrianT spotted one that also came with two carts: StarPak 2, already dumped,
and StarPak 3, which was not!

The BIOS roms were also an undumped revision (v1.80 as opposed to the
previously dumped v1.90). So the The Dumping Union moved in to acquire the
lot and, with the help of several fellow MAMErs, they got it.

Coolmod dumped and documented it (with the help of Ken), here are some
pictures:

http://www.lucaelia.com/images/mame_snaps/galgame3/starpak3_cartridge.jpg

http://www.lucaelia.com/images/mame_snaps/galgame3/starpak2_cartridge.jpg

Now, looking at the photos of the cartridges, you can see they contain the
game code/graphics/data on SMT flash chips (center), a serial EEPROM to store
the game audits/options (tiny 8-legged chip at the bottom right) and a PIC
cpu (the larger chip on the right side, different models between the carts)
that is basically used for protection. It performs an needlessly complicated
handshaking with the main cpu to acknowledge it's fitted in one of the 4
slots and that it's authentic.

In our previous StarPak 2 sample, the PIC program was not readable
(protected), so in order to get to the game I had to bypass this handshaking
by patching the BIOS code. But this time we were lucky and the PIC hadn't
been protected, so we could read the program correctly.

Alas, the same could not be said for the other cartridge, the PIC in StarPak
3 was protected. Worse, this cart contained bigger roms, thus requiring some
ROM banking to be performed by the PIC itself. The BIOS knows nothing about
this feature which is internal and specific to the cart: it's all done by the
game code when read in RAM by the main cpu (a 68000) and executed. It talks
to the PIC to switch the higher part of the roms in.

I started by writing a simulation of the handshaking algorithm, so that we
could try and simulate the StarPak 3 banking properly, sound and graphics
would be wrong in some of its games otherwise. The BIOS initially sends a
1-byte command (FF hex) to see if the slot is populated and by which cart. It
expects a 32-byte response from the PIC, starting with "CES1997" and followed
by some bytes from the flash chips at some fixed addresses (one byte is the
cart ID). The main cpu can read from the flash too, so it checks that the
response matches the contents of the cart.

Throughout the game the PIC is challenged with sequences of 32-byte commands
(not starting with FF). The bytes are random and conceal a 4-byte key at
variable offsets (depending on the value of the bytes preceding the key). The
PIC has to compute the correct 1-byte response, a hash based on the key and,
optionally, on the sum of the command bytes. If this challenge/response dance
fails at any time, the games from the cartridge abruptly vanish from the menu.

And this is when something great happened... we were able to get the help of
Keith M. Kolmos (@KeithMKolmos), lead programmer on this software. He could
gather from his archive the PIC code for all of the StarPak cartridges
(including the yet undumped #1 and #4).

Now MAME could emulate the carts without hacks or simulations, so I ditched
the old code and wrote some more to emulate and abstract the carts as proper
devices with communication (i.e. parallel-to-serial and back), switching and
banking. I hooked up the PIC code and... it didn't work!

Turns out there was a bug in the PIC core emulation related to the flags
handling, which was preventing the correct answer from the cart to the main
cpu. Having just written a simulation of the handshaking in C++ it was easy
to spot.

With the new code in place, even though the driver has taken a bit of a speed
hit, StarPak 3 works correctly. It features a grand total of 8 new mini-games:

Galaxy Games StarPak 3 - Boot Screen (BIOS v1.80)

http://www.lucaelia.com/images/mame_snaps/galgame3/0024.png

http://www.lucaelia.com/images/mame_snaps/galgame3/0002.png

It includes a licensed rendition of Atari's Centipede (by the way, here's the
programmer's site):

http://justinlove.name/about/

http://www.lucaelia.com/images/mame_snaps/galgame3/0010.png

http://www.lucaelia.com/images/mame_snaps/galgame3/0011.png

Astro Blast is instead a Space Invaders clone with rendered alien ships:

http://www.lucaelia.com/images/mame_snaps/galgame3/0007.png

http://www.lucaelia.com/images/mame_snaps/galgame3/0025.png

A Mine Sweeper clone, Sweeper (same programmer as Centipede):

http://www.lucaelia.com/images/mame_snaps/galgame3/0012.png

http://www.lucaelia.com/images/mame_snaps/galgame3/0013.png

Word Sleuth is a word cross puzzle:

http://www.lucaelia.com/images/mame_snaps/galgame3/0015.png

http://www.lucaelia.com/images/mame_snaps/galgame3/0014.png

A puzzle game involving numbers, played against the computer or another
player, called Ker Chunk:

http://www.lucaelia.com/images/mame_snaps/galgame3/0016.png

http://www.lucaelia.com/images/mame_snaps/galgame3/0017.png

Great Wall is a Mahjong solitaire with the option of using symbols instead of
the traditional tiles:

http://www.lucaelia.com/images/mame_snaps/galgame3/0018.png