Friday 10 July 2009

PS4 Sum Error

The PS4 microcontroller on a Bubble Bobble board turned out, after eventually being decapped by the MAME team, to be a Motorola MC6803u4.

Its datasheet can be downloaded here for anyone who might be interested:

http://www.megaupload.com/?d=1S5VE22C

A suitable disassembler and corresponding assembler which can be used to work with the MCU can also be found here:

http://www.techedge.com.au/utils/dhc11.htm

An easy way to start experimenting is to use the MAME emulator that supports the dumped MCU. If you extract the bublbobl romset into a corresponding folder within your ROM folder, you can make modifications to the a78-01.17 file.

This brings us to our first hurdle. Modify the stock binary dump in any way and you will be greeted with the following screen when you try to start the game.



Ah! A cheeky checksum is afoot.

Peeking at the disassembly, we find the following snippet which is called early on in the flow of the code.




A couple of pointers to this code.

The ROM in a 6803u4 resides from $F000-$FFFF.
The routine at LF1DB is one that writes to the shared Z80 RAM on the BB PCB. The byte to write is stored in the B accumulator; the address is in the indeX register.

What the routine does is set the index register to point to the start of the ROM and clear the A and B accumulators ready for use. It adds 2 bytes of the ROM to the double byte accumulator D (which in essence is just the pair of A and B accumulators), increases the index register by 2, then loops. Once the entire ROM has been added up, the 2 calculated values are written to consecutive locations in the shared RAM. These locations are checked by the main Bubble Bobble program code; if they are not both $00, we get the error screen.

An easy fix to this from our point of view is to just NOP out the "addD 0, X". With that instruction gone, the D accumulator never gets changed after its initial clearing and will therefore always equal $0000 after the loop.

Give it a try if you feel like it. Change the date in the text string towards the end of the binary to simulate the error. If you then NOP out the instruction by changing the 2 bytes at offset $27F from E300 to 0101, it should run fine.
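A small model of the check described above, added here as an example and not code from the original post or from MAME: it runs the 16-bit word sum over a constructed 4 KB image (the real dump is not included), then shows an edited image failing and the post's two-byte NOP change bringing the result back to $0000. The date offset, date text and filler bytes are assumptions made up for the sample.

```python
ROM_SIZE = 0x1000                  # $F000-$FFFF, per the post
ADDD_OFFSET = 0x27F                # file offset of "addD 0,X", per the post
ADDD_0_X = bytes([0xE3, 0x00])     # original instruction bytes
NOP_NOP = bytes([0x01, 0x01])      # replacement bytes from the post
DATE_OFFSET = 0xF00                # assumption: made-up spot for the date text

def word_sum(rom):
    """Sum the image as big-endian 16-bit words, truncated to 16 bits (D)."""
    return sum(int.from_bytes(rom[i:i + 2], "big")
               for i in range(0, len(rom), 2)) & 0xFFFF

def run_checksum(rom):
    """Return the (A, B) bytes the routine would write to shared RAM."""
    if len(rom) != ROM_SIZE:
        raise ValueError("expected a 4 KB image")
    insn = bytes(rom[ADDD_OFFSET:ADDD_OFFSET + 2])
    if insn == ADDD_0_X:
        d = word_sum(rom)          # loop accumulates every word into D
    elif insn == NOP_NOP:
        d = 0                      # D is cleared once and never touched again
    else:
        raise ValueError("unexpected bytes at the addD offset")
    return d >> 8, d & 0xFF

def make_sample_rom():
    """Constructed stand-in image (not the real dump) that sums to $0000."""
    rom = bytearray((i * 7 + 3) & 0xFF for i in range(ROM_SIZE))
    rom[ADDD_OFFSET:ADDD_OFFSET + 2] = ADDD_0_X
    rom[DATE_OFFSET:DATE_OFFSET + 8] = b"01/01/86"   # constructed date text
    rom[0:2] = b"\x00\x00"
    rom[0:2] = ((-word_sum(rom)) & 0xFFFF).to_bytes(2, "big")  # balance word
    return bytes(rom)

def edit_date(rom):
    """Bump the last character of the date string, as the post suggests."""
    out = bytearray(rom)
    out[DATE_OFFSET + 7] += 1
    return bytes(out)

def nop_patch(rom):
    """Apply the post's change: E3 00 -> 01 01 at offset $27F."""
    out = bytearray(rom)
    out[ADDD_OFFSET:ADDD_OFFSET + 2] = NOP_NOP
    return bytes(out)

if __name__ == "__main__":
    stock = make_sample_rom()
    edited = edit_date(stock)
    for name, img in (("stock", stock), ("edited", edited),
                      ("edited + NOP", nop_patch(edited))):
        print(f"{name:13} -> A,B = {run_checksum(img)}")
```

Because the routine sits inside the ROM it sums, a plain additive check like this catches accidental corruption of the image but not a deliberate edit.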

1 comment:

  1. Wrong, the PS4 is a MC6801u4; the MC6803u4 has no ROM.
