The PS4 microcontroller on a Bubble Bobble board turned out, after eventually being decapped by the MAME team, to be a Motorola MC6803u4. Its datasheet can be downloaded here for anyone who might be interested: http://www.megaupload.com/?d=1S5VE22C
A suitable disassembler and corresponding assembler which can be used to work with the MCU can also be found here: http://www.techedge.com.au/utils/dhc11.htm
An easy way to start experimenting is to use the MAME emulator that supports the dumped MCU. If you extract the bublbobl romset into a corresponding folder within your ROM folder, you can make modifications to the a78-01.17 file.
This brings us to our first hurdle. Modify the stock binary dump in any way and you will be greeted with the following screen when you start the game.

Ah! A cheeky checksum is afoot. Peeking at the disassembly, we find the following snippet, which is called early on in the flow of the code.
A couple of pointers to this code. The ROM in a 6803u4 resides from $F000-$FFFF. The routine at LF1DB is one that writes to the shared Z80 RAM on the BB PCB. The byte to write is stored in the B accumulator, the address is in the indeX register.
What the routine does is set the index register to point to the start of the ROM and clear the A and B accumulators ready for use. It adds 2 bytes of the ROM to the double-byte accumulator D (which in essence is just the pair of A and B accumulators) and increases the index register by 2, then loops. Once the entire ROM has been added up, the 2 calculated values are written to consecutive locations in the shared RAM.
These locations are checked by the main Bubble Bobble program code; if they are not both $00 then we get the error screen.
An easy fix to this from our point of view is to just NOP out the "addD 0, X". The D accumulator never gets changed after its initial clearing and will therefore always equal $0000 after the loop.
Give it a try if you feel like it. Change the date in the text string towards the end of the binary to simulate the error. Then if you NOP out the command by changing the 2 bytes at offset $27F from E300 to 0101 it should then run fine.
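
The checksum loop and the patch described above, modelled in Python as an added example (not code from the original post or from MAME). The function names are hypothetical, the sample ROM is constructed filler rather than the real dump, and the model assumes big-endian words (A is the high byte of D) with the 16-bit add wrapping on overflow.

```python
"""Model of the MC6803U4 ROM checksum loop and the NOP patch from the post."""
ROM_SIZE = 0x1000                 # ROM occupies $F000-$FFFF (4 KB), per the post
ADDD_OFFSET = 0x27F               # file offset of "addD 0, X", per the post
ADDD_0_X = bytes([0xE3, 0x00])    # original bytes, per the post
NOP_NOP = bytes([0x01, 0x01])     # replacement bytes, per the post


def rom_checksum(image):
    """Return (A, B) as the summing loop would leave them.

    Assumption: words are big-endian (A = high byte) and the add wraps at 16 bits.
    """
    if len(image) != ROM_SIZE:
        raise ValueError("expected a 4096-byte MCU dump")
    d = 0
    for x in range(0, ROM_SIZE, 2):            # index register steps by 2
        d = (d + ((image[x] << 8) | image[x + 1])) & 0xFFFF
    return d >> 8, d & 0xFF


def nop_out_addd(image):
    """Return a copy with the add replaced by two NOPs; refuse unexpected dumps."""
    if len(image) != ROM_SIZE:
        raise ValueError("expected a 4096-byte MCU dump")
    found = bytes(image[ADDD_OFFSET:ADDD_OFFSET + 2])
    if found != ADDD_0_X:
        raise ValueError(f"expected E300 at ${ADDD_OFFSET:X}, found {found.hex().upper()}")
    patched = bytearray(image)
    patched[ADDD_OFFSET:ADDD_OFFSET + 2] = NOP_NOP
    return bytes(patched)


def make_sample_rom():
    """Constructed stand-in for a78-01.17: filler bytes whose words sum to $0000."""
    rom = bytearray((i * 7 + 3) & 0xFF for i in range(ROM_SIZE))
    rom[ADDD_OFFSET:ADDD_OFFSET + 2] = ADDD_0_X
    rom[-2:] = b"\x00\x00"
    a, b = rom_checksum(rom)
    rom[-2:] = ((-((a << 8) | b)) & 0xFFFF).to_bytes(2, "big")
    return bytes(rom)


if __name__ == "__main__":
    rom = make_sample_rom()
    print("stock  A,B:", rom_checksum(rom))
    edited = bytearray(rom)
    edited[0xF80] ^= 0x01                      # stand-in for editing the date string
    print("edited A,B:", rom_checksum(edited))
    print("patched bytes:", nop_out_addd(edited)[ADDD_OFFSET:ADDD_OFFSET + 2].hex())
```

`rom_checksum` models the unpatched loop only; once the add is replaced, D stays at its cleared value, so the MCU writes $00 to both locations regardless of what the ROM sums to.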