I have decided to take a look at how the 161in1 multicarts work and post details here. Hopefully this info will be helpful in the event someone works out how to reprogram devices holding game into.
I will update this thread as and when I get new information. I received one this morning which I bought from eBay last week, total cost 72.99 euro including the shipping.
OK, let's get started with the basics. From cold boot the cart's NGH is 0x9237.
Moving quickly on, decided to first look at how the trigger works once a game is playing. Selected AOF2 and then using PC-2-NEO dumped the sucker and quickly isolated the injected code. It is placed into the game by altering the game's vector table and then returns to the game's vblank when execution is complete.
As follows:
Code:
```
161vbl  MOVEM.L D0-D7/A0-A6,-(A7)
        MOVE.B  0x380000,D0
        CMPI.B  #0xFE,D0            ; ! this is why reset doesn't work !
        BEQ     timer               ; ! when a memory card is present !
        MOVE.W  #0x0,0x10FF20
        BRA     exit
timer   ADDI.W  #0x1,0x10FF20       ; only trigger after 0x12C frames.
        MOVE.W  0x10FF20,D0
        CMPI.W  #0x12C,D0
        BEQ     break
        BRA     exit
break   MOVE.W  #0x0,0x10FF20       ; put code in RAM and execute,
        MOVE.W  #0x0,D3             ; see RAM routine below for code.
        LEA     0x100200,A4
        MOVEA.L A4,A5
        MOVE.L  #0x33FC0F0F,(A4)+
        MOVE.L  #0x2FFFF0,(A4)+
        MOVE.L  #0x4E7133C3,(A4)+
        MOVE.L  #0x2FFFF2,(A4)+
        MOVE.L  #0x4E7133C3,(A4)+
        MOVE.L  #0x2FFFF6,(A4)+
        MOVE.L  #0x4E7133C3,(A4)+
        MOVE.L  #0x2FFF00,(A4)+
        MOVE.L  #0x4E714E70,(A4)+
        MOVE.L  #0x4EF900C0,(A4)+
        MOVE.W  #0x402,(A4)
        JMP     (A5)
exit    NOP
        MOVEM.L (A7)+,D0-D7/A0-A6
        JMP     0x8F84              ; original game vbl start.

; Generated code in RAM

ram     MOVE.W  #0x0F0F,0x2FFFF0    ; ports controlling multicart, D3=0x0000
        NOP
        MOVE.W  D3,0x2FFFF2
        NOP
        MOVE.W  D3,0x2FFFF6
        NOP
        MOVE.W  D3,0x2FFF00
        NOP
        RESET
        JMP     0x00C00402          ; restart neogeo boot cycle.
```
It is really quite straightforward and it's clear what is happening. The custom ports are not currently understood (I only had the cart 10 minutes now) but I suspect they control start offsets in the flash ROM space.
Things to note here are the very poor check of the 1UP start button which breaks when a memory card is present and the unneeded storing of some registers to the stack. Only four registers are used but they save them all. In fact the entire code could have been written using only two registers easily (or even none).
Who knows what my next post on this multicart will discover.
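Added example, not part of the original post or the cart's code: a small Python decoder that rebuilds the bytes the hook writes to 0x100200 and decodes them, so the "Generated code in RAM" listing can be checked against the immediates in the dump. It understands only the five 68000 opcodes this stub uses, and the function names are illustrative.

```python
import struct

# Immediates copied from the MOVE.L/MOVE.W #imm,(A4)+ sequence in the dump.
STUB_LONGS = [0x33FC0F0F, 0x002FFFF0, 0x4E7133C3, 0x002FFFF2, 0x4E7133C3,
              0x002FFFF6, 0x4E7133C3, 0x002FFF00, 0x4E714E70, 0x4EF900C0]
STUB_LAST_WORD = 0x0402
LOAD_ADDR = 0x100200  # LEA 0x100200,A4

def build_stub():
    """Bytes as they land in RAM (the 68000 is big-endian)."""
    longs = b"".join(struct.pack(">I", v) for v in STUB_LONGS)
    return longs + struct.pack(">H", STUB_LAST_WORD)

def decode(code, base=LOAD_ADDR):
    """Decode only the opcodes this stub uses; raise on anything else."""
    words = struct.unpack(">%dH" % (len(code) // 2), code)
    out, i = [], 0
    while i < len(words):
        op, addr = words[i], base + 2 * i
        if op == 0x4E71:
            text, size = "NOP", 1
        elif op == 0x4E70:
            text, size = "RESET", 1
        elif op == 0x33FC:                      # MOVE.W #imm,(xxx).L
            dst = (words[i + 2] << 16) | words[i + 3]
            text, size = "MOVE.W #0x%04X,0x%06X" % (words[i + 1], dst), 4
        elif (op & 0xFFF8) == 0x33C0:           # MOVE.W Dn,(xxx).L
            dst = (words[i + 1] << 16) | words[i + 2]
            text, size = "MOVE.W D%d,0x%06X" % (op & 7, dst), 3
        elif op == 0x4EF9:                      # JMP (xxx).L
            dst = (words[i + 1] << 16) | words[i + 2]
            text, size = "JMP 0x%08X" % dst, 3
        else:
            raise ValueError("unexpected opcode 0x%04X at 0x%06X" % (op, addr))
        out.append((addr, text))
        i += size
    return out

def port_writes(listing):
    """Destination addresses of the stub's MOVE.W instructions, in order."""
    return [int(t.rsplit(",", 1)[1], 16)
            for _, t in listing if t.startswith("MOVE.W")]

if __name__ == "__main__":
    for addr, text in decode(build_stub()):
        print("%06X  %s" % (addr, text))
```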