Pirate Gemlins 2 RE

This is an archive of a topic from NESdev BBS, taken in mid-October 2019 before a server upgrade.
Pirate Gemlins 2 RE
by on (#205655)
Hi, I just got a pirate Gremlins 2 that uses an unidentified mapper + some glue logic IRQ circuit.
Some pictures:
[Attachment: IMG_2224.JPG, "Assembled board"]
[Attachment: Gremlins2-Componentes-smaller.png, "Component side"]
[Attachment: Gremlins2-Solda-Smaller.png, "Solder side"]


As you can see, I accidentally burned the board. :cry:
Since it was my first time with a hot air station, I think I should practice a little more. :oops:
I also dumped the PRG with the amazing Tapedump, and since I was not sure about the CHR I dumped it directly.

Edit: fixed the circuit function.
Re: Pirate Gemlins 2 RE
by on (#205657)
I'm posting the PRG and CHR ROMs IPS.
For now they're complete, but I'll generate an IPS from the original and erase them soon. Edit: Done!
If there's a problem posting it here, please, erase them or tell me to do so.
Please, try to see if they're correctly dumped, so I can redump if necessary before reassembling the cartridge.
[Attachment: G2_PRG.ips, 1001 bytes]
[Attachment: G2_CHR.ips, 24 bytes]

Edit: Removed the original files and added the IPS, as promised.
Better be safe than sorry!
Code:
CRC32s:
    Original   Patched
PRG 11fc8686   80006759
CHR a13b9d3a   fc5f907d


These IPS were created against the original Japanese ROM files.
I'm not adding a .NES file IPS because I'm not sure what mapper this is.
Re: Pirate Gemlins 2 RE
by on (#205658)
Fisher wrote:
unidentified mapper
And pins 16-1920 aren't connected to anything. Almost certainly cloned VRC2.

The two '191s and the '393 probably make up the IRQ source.



No obvious errors in the PRG or CHR dumps. They only differ from the Japanese release of the game by PRG:604 bytes and CHR:614 bytes.

CHR is, as typical, just blanking out the rightsholders' names:
[Attachment: Gremlin 2 - Shinshu Tanjou (J) - differences.gif]




Now having traced the PCB:

* VRC2, but in the VRC4e pinout variant (addresses in order, 0/4/8/C)
* IRQ prescaler of ÷ 256
* Presettable up-counting IRQ, IRQ on overflow
* IRQ can be stopped and prescaler cleared, or running

Additional register map beyond VRC2:
mask $F00C,
$F000: load data bus to IRQ counters, no effect on prescaler
$F008: load D0 to IRQ enable(D0=1)/halt(D0=0)

If IRQ halted: prescaler ('393) is cleared (reset to 0). Counter is halted (/CountEnable is high). Counter is NOT cleared.
If IRQ enabled: prescaler counts up every M2 cycle (on the falling edge). Loads take precedence over counting, if both would (could?) happen at the same time.

Weird idiosyncrasies:
The '191s count on a rising edge of their clock input, so the first time the '191s will count will be 128 M2 cycles after the counter is enabled. (And every 256 M2 cycles thereafter)
IRQs will self-acknowledge after 128 cycles, because the literal logic for IRQ being asserted is "counter = 0xFF and ClockInput=0"
1/3 of the 74'10 calculates NAND3(div256,div128,div32): it looks like there had been some effort to use a prescaler of ÷208 instead of 256, but nothing happens with the result of this calculation

The prescaler is not affected by counter loads, so relative phase of the IRQ can be managed in way that won't care about IRQ latency.

Two worked examples:
* Stopping IRQ, loading counter with $FF, and then enabling IRQ will cause an immediate IRQ
* Stopping IRQ, loading counter with $FE, and then enabling IRQ will cause an IRQ in 256cy (Counter will increment in 128cy, and then ClockInput becomes 0 again in 256cy)

edit: grammar nits
Re: Pirate Gemlins 2 RE
by on (#205664)
It's a VRC2 clone (mapper 23), no IRQ.
Re: Pirate Gemlins 2 RE
by on (#205678)
It's not the VRC4 IRQ, but the added 74'393 and 74'191s add an IRQ. One of the more interesting pirate IRQs, I think...
Re: Pirate Gemlins 2 RE
by on (#205679)
I researched a pirate Gremlins 2 cartridge last year.
IC placement is different on the PCB. It uses the same ICs.
[Attachment: 20160716150640.jpg]
Re: Pirate Gemlins 2 RE
by on (#205690)
naruko wrote:
IC placement is different on the PCB. It uses the same ICs.

The label is almost equal.
I think the case is the same:
[Attachment: Case.jpg, "Case"]

byemu wrote:
It's a VRC2 clone (mapper 23), no IRQ.

Yes, I dumped it by using TapeDump with the mapper 23 option.

I also dumped a pirate Jackie Chan which had a built-in cheat.
Zxbdragon helped me to figure this out.
Thanks to him now I know how to cheat in this game.
Should I share more details here or create another thread?
He also discovered that the first Gremlin's CHR dump was bad.

Looks like the pirates were trolled by Konami. :lol:
I think they made a VRC2 clone in the hope that many games would be made for it.
So they may have reused them by adding an IRQ circuit.
I think I have around 4 or 5 cartridges like this...

I don't think a Gimmick repro with additional sound can be done with this game.
Well, not without very extensive hacks.
Space would be an issue too.
Re: Pirate Gemlins 2 RE
by on (#205692)
The label seems to be just a lightly-edited OEM one — http://bootgod.dyndns.org:7777/profile.php?id=3805

Fisher wrote:
I also dumped a pirate Jackie Chan which had a built-in cheat.
[...]Should I share more details here or create another thread?
Either way! It's nice to see hardware.

May as well make a new thread so that the topic is accurate, I guess.
Re: Pirate Gemlins 2 RE
by on (#205697)
Done!
Created a new topic here.
I took a look. I have 4 games (counting this one) which seem to be the same mapper + worked around IRQ circuit.
All of them are Japanese versions of the games and were "dissected" here at NesDev:
Kid Dracula;
Gradius 2 and
Batman

The only one I still have issues with is Batman, which slows down a lot.
I hope to be able to fix that one day... :roll:
Gradius 2 had a glitch fixed thanks to Lidnariq! :beer:
Re: Pirate Gemlins 2 RE
by on (#205702)
emu....Failure
Re: Pirate Gemlins 2 RE
by on (#205713)
zxbdragon wrote:
emu....Failure

Is it caused by a bad dump or is it the IRQ circuit?
Damn! It can even be a combination of both!! :|
Re: Pirate Gemlins 2 RE
by on (#205718)
Fisher wrote:
zxbdragon wrote:
emu....Failure

Is it caused by a bad dump or is it the IRQ circuit?
Damn! It can even be a combination of both!! :|

dump ok.
Re: Pirate Gemlins 2 RE
by on (#205719)
Some schematic porn:
Image
Re: Pirate Gemlins 2 RE
by on (#205720)
zxbdragon wrote:
dump ok.

Great! Now it's reassembling time!!
Hope I've not fried the mapper when removing it. :shock:
krzysiobal wrote:
Some schematic porn:

Great as ever!!

I was thinking of getting more/better naked board scans and properly cataloging the ones I have.
Maybe I could make a site called NakedBoards, BoardPorn or something similar...
Damn, now I'm imagining a logo that could be a board taking its components out with its "arms", showing its hidden circuits to the world with a dirty smile on its face!! :lol:
Re: Pirate Gemlins 2 RE
by on (#205725)
zxbdragon wrote:
emu....Failure
How did you implement the IRQ?
Re: Pirate Gemlins 2 RE
by on (#205732)
lidnariq wrote:
zxbdragon wrote:
emu....Failure
How did you implement the IRQ?

f000 count = count & 0x00FF | data ^ 0xFF <<8
f008 enabled = data &0x01;
clock:
count=(count-1)&0xFFFF;
return count<enabled;
Re: Pirate Gemlins 2 RE
by on (#205733)
Flipping around the direction it counts makes that more confusing...
I'm probably making mistakes, but at the very least, you'd need to add:
f008 enabled = data & 0x01; if (!enabled) { count |= 0xFF }
clock: if (enabled) {count--; }

and that's probably still missing something.


I'd personally do this with two unsigned 8-bit types instead of trying to stuff both into the same 16-bit integer:
WF000: count = data;
WF008: enabled = (data & 1); if (!enabled) { prescaler = 0; }
M2: if (enabled) { prescaler++; if (0x80 == (prescaler & 0xFF)) { count++ }}
IRQ: if (enabled && 0xFF == count && prescaler < 128) return ASSERTED;
Re: Pirate Gemlins 2 RE
by on (#205741)
@Fisher

shop screen in hardware.
cg in hardware.
Re: Pirate Gemlins 2 RE
by on (#205744)
lidnariq wrote:
Flipping around the direction it counts makes that more confusing...
I'm probably making mistakes, but at the very least, you'd need to add:
f008 enabled = data & 0x01; if (!enabled) { count |= 0xFF }
clock: if (enabled) {count--; }

and that's probably still missing something.


I'd personally do this with two unsigned 8-bit types instead of trying to stuff both into the same 16-bit integer:
WF000: count = data;
WF008: enabled = (data & 1); if (!enabled) { prescaler = 0; }
M2: if (enabled) { prescaler++; if (0x80 == (prescaler & 0xFF)) { count++ }}
IRQ: if (enabled && 0xFF == count && prescaler < 128) return ASSERTED;


not working!
Re: Pirate Gemlins 2 RE
by on (#205805)
I've created some videos and uploaded to YouTube, to serve as reference:

The beginning of the game, including the 1st stage animation. I stopped a little after the store.
End of 1st stage, mainly the animation.
Hope this helps anyone that wishes to implement this mapper on an emulator.

This was captured using the Phantom System, a NES clone I have.
It's the same one I got fixed here.
Unfortunately, I don't have a (working) original NES, so the sound may be a little different.
This one gave me the best video and audio output on my cheap capture card. :lol:
Re: Pirate Gemlins 2 RE
by on (#205811)
So it's another game (after Gimmick) ported from FME7 to VRC2 (or VRC4?)
While Gimmick uses AX5208C and does not need additional IRQ circuitry, this one uses VRC2 without IRQ?

I did a small test and put the AX5208C (VRC4?) into Kid Dracula and it worked fine. However, the 23C3662 (VRC2?) from Dracula put into Gimmick does not want to work.

I wonder what would happen if the whole additional IRQ circuitry from the Gremlins2 would be removed and its DIL40 chip would be changed into AX5208C.
Re: Pirate Gemlins 2 RE
by on (#205812)
krzysiobal wrote:
I wonder what would happen if the whole additional IRQ circuitry from the Gremlins2 would be removed and its DIL40 chip would be changed into AX5208C.

If it helps, I tried to dump the game with mapper 22 option of TapeDump and got wrong CHR ROM.
It also runs on Nestopia with mapper 22 set, but with garbled graphics.

I think the Gradius 2 I have should also be the same case, since it has an additional ROM to patch it.
What about this Batman?
Any tips on where I can buy some of these chips?
I tried to find an MMC3 clone on Aliexpress, but found some very negative comments and gave up.
Re: Pirate Gemlins 2 RE
by on (#205868)
This one works:
https://youtu.be/F2poX2bMhWM

Lidnariq - could you explain why when writing 0 to $f00c, IRQ is deasserted?


Code:
#include "mapinc.h"

static int prg[2];
static int mirr;
static int chr[8];
static int counter;
static int counting_enabled;
static int m2_prescaler;
static int first_phase;
static int counterchanged;

static SFORMAT StateRegs[] =
{
   { 0 }
};


//shifts bit from position `bit` into position `pos` of expression `exp`
#define shi(exp, bit, pos) \
   ((((exp) & (1 << (bit))) >> (bit)) << (pos))

static int vrc_addr_mix(int A) {
   //this game wires A0 to VRC_A0 and A1 to VRC_A1
   return (A & 0xf000) | shi(A, 2, 0) | shi(A, 3, 1);
}

static void M273IRQHook(int a)  {
   if (counting_enabled) {
      m2_prescaler += a;
      if (m2_prescaler >= (first_phase ? 128 : 256)) {
         first_phase = 0;
         m2_prescaler -= (first_phase ? 128 : 256);
         counter++;
         counterchanged=1;
      }
      else {
         counterchanged=0;
      }
      
      if (counterchanged) {
         if (counter >= 256) {
            counter -= 256;
            X6502_IRQBegin(FCEU_IQEXT);
         }
         else {
            X6502_IRQEnd(FCEU_IQEXT);
         }
      }
      
   }
}

static void Sync(void) {
   setprg8(0x8000, prg[0]);
   setprg8(0xa000, prg[1]);
   setprg16(0xc000, -1);   
   for (int i = 0; i < 8; ++i) {
      setchr1(0x400 * i, chr[i]);
   }
   
   
   switch (mirr) {
   case 0: setmirror(MI_V); break;
   case 1: setmirror(MI_H); break;
   }
   
}

static DECLFW(M273Write) {
   //writes to VRC chip
   switch (vrc_addr_mix(A)) {
   case 0x8000:
   case 0x8001:
   case 0x8002:
   case 0x8003:
      prg[0] = V;
      break;
   case 0xA000:
   case 0xA001:
   case 0xA002:
   case 0xA003:
      prg[1] = V;
      break;
   case 0x9000:
   case 0x9001:
   case 0x9002:
   case 0x9003:
      mirr = V & 1;
      break;
   case 0xb000: chr[0] = (chr[0] & 0xF0) | (V & 0xF); break;
   case 0xb001: chr[0] = (chr[0] & 0xF) | ((V & 0xF) << 4); break;
   case 0xb002: chr[1] = (chr[1] & 0xF0) | (V & 0xF); break;
   case 0xb003: chr[1] = (chr[1] & 0xF) | ((V & 0xF) << 4); break;
   case 0xc000: chr[2] = (chr[2] & 0xF0) | (V & 0xF); break;
   case 0xc001: chr[2] = (chr[2] & 0xF) | ((V & 0xF) << 4); break;
   case 0xc002: chr[3] = (chr[3] & 0xF0) | (V & 0xF); break;
   case 0xc003: chr[3] = (chr[3] & 0xF) | ((V & 0xF) << 4); break;
   case 0xd000: chr[4] = (chr[4] & 0xF0) | (V & 0xF); break;
   case 0xd001: chr[4] = (chr[4] & 0xF) | ((V & 0xF) << 4); break;
   case 0xd002: chr[5] = (chr[5] & 0xF0) | (V & 0xF); break;
   case 0xd003: chr[5] = (chr[5] & 0xF) | ((V & 0xF) << 4); break;
   case 0xe000: chr[6] = (chr[6] & 0xF0) | (V & 0xF); break;
   case 0xe001: chr[6] = (chr[6] & 0xF) | ((V & 0xF) << 4); break;
   case 0xe002: chr[7] = (chr[7] & 0xF0) | (V & 0xF); break;
   case 0xe003: chr[7] = (chr[7] & 0xF) | ((V & 0xF) << 4); break;
      
   default:
      break;
   }
   
   switch (A & 0xf00c) {
   case 0xf000: counter = V; X6502_IRQEnd(FCEU_IQEXT); break;
   case 0xf008: if ((V & 1) == 0) {counting_enabled = 0; m2_prescaler = 0; first_phase = 1; X6502_IRQEnd(FCEU_IQEXT);}
               else            {counting_enabled = 1; }
            break;
   }

   Sync();
}

static void M273Power(void) {
   SetWriteHandler(0x8000, 0xFFFF, M273Write);
   SetReadHandler(0x8000, 0xFFFF, CartBR);
   Sync();
   
   counter = 0;
}

static void M273Reset(void) {
   counter = 0;
   Sync();
}

void Mapper273_Init(CartInfo *info) {
   info->Power = M273Power;
   info->Reset = M273Reset;
   MapIRQHook = M273IRQHook;

   AddExState(&StateRegs, ~0, 0, 0);
}
Re: Pirate Gemlins 2 RE
by on (#205870)
krzysiobal wrote:
Lidnariq - could you explain why when writing 0 to $f00c, IRQ is deasserted?
O_o

... Let me triple-check our work.

Nope, no explanation for it.

(I assume that's not a typo)



I just copied/pasted your source code into my checkout of fceux and rebuilt, and used the same PRG/CHR from earlier, and ... my title screen is all wrong.
Re: Pirate Gemlins 2 RE
by on (#205880)
Maybe you have something wrong in the iNES header in the ROM, because this game does not even use IRQ at the title screen and in game (first time it does is the shop screen).
Re: Pirate Gemlins 2 RE
by on (#205883)
nestopia not working....
Re: Pirate Gemlins 2 RE
by on (#205892)
krzysiobal wrote:
Maybe you have something wrong in the iNES header in the ROM, because this game does not even use IRQ at the title screen and in game (first time it does is the shop screen).
(embarrassed) I'd made a UNIF image for testing and forgot to include a MIRR block.

krzysiobal wrote:
m2_prescaler += a;
Oh, right, duh. That's why my example didn't work; FCEUX doesn't give a callback on every M2 cycle, but instead a number of M2 cycles to advance. I need to do something silly like ((m2_prescaler + a)& 128 ) && !(m2_prescaler&128) to detect the edge.

I think your code emits an IRQ 128cy too early? But, then again, when I change the timing to how I think the hardware is supposed to work, it's even later than what Fisher shows in his video, so I'm clearly wrong.

Not certain how to adjust the software to both implement what I think the hardware does and what I see, though.
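
The IRQ behaviour discussed in this thread, as an added example that is not part of any post: a C model of the $F000/$F008 registers, the ÷256 prescaler and the "counter = $FF and clock low" IRQ condition from the PCB trace, advanced by a cycle count per call the way the FCEUX hook delivers it. Type and function names are hypothetical, and the timing is the traced description's, not a measurement of the cartridge.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: field and function names are hypothetical; behaviour follows
   the $F000/$F008 description and the two-counter pseudocode in the thread. */
typedef struct {
    uint8_t count;      /* the two '191s: presettable 8-bit up-counter */
    uint8_t prescaler;  /* the '393: M2 divided by 256 */
    int     enabled;    /* D0 of the last $F008 write */
} irq_state;

static void irq_write(irq_state *s, uint16_t addr, uint8_t data) {
    switch (addr & 0xF00C) {
    case 0xF000: s->count = data; break;      /* load; prescaler untouched */
    case 0xF008:
        s->enabled = data & 1;
        if (!s->enabled) s->prescaler = 0;    /* halt clears '393, keeps counter */
        break;
    }
}

/* Advance by n M2 cycles at once, as a hook that receives a cycle count must.
   The '191s step on each rising edge of prescaler bit 7, i.e. whenever the
   running cycle total passes a value congruent to 128 mod 256. */
static void irq_advance(irq_state *s, unsigned n) {
    if (!s->enabled) return;
    unsigned before = s->prescaler, after = before + n;
    unsigned edges = (after + 128) / 256 - (before + 128) / 256;
    s->count = (uint8_t)(s->count + edges);
    s->prescaler = (uint8_t)after;
}

static int irq_asserted(const irq_state *s) {
    return s->enabled && s->count == 0xFF && s->prescaler < 128;
}

/* Halt, load `value`, enable, then step M2 until the IRQ asserts. */
static unsigned cycles_until_irq(uint8_t value) {
    irq_state s = {0, 0, 0};
    unsigned t = 0;
    irq_write(&s, 0xF008, 0);
    irq_write(&s, 0xF000, value);
    irq_write(&s, 0xF008, 1);
    while (!irq_asserted(&s)) { irq_advance(&s, 1); t++; }
    return t;
}

int main(void) {
    printf("$FF: %u cycles, $FE: %u cycles\n",
           cycles_until_irq(0xFF), cycles_until_irq(0xFE));
    return 0;
}
```

In this model `cycles_until_irq` gives 0 for $FF and 256 for $FE, matching the two worked examples in the trace post, and the asserted state ends 128 cycles later when the counter steps to $00.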
Re: Pirate Gemlins 2 RE
by on (#205915)
How to get it working in Nestopia?

Nestopia using this code, shop OK, but stage CG not working
Re: Pirate Gemlins 2 RE
by on (#206467)
thank you !

working in nestopia!
Re: Pirate Gemlins 2 RE
by on (#206471)
@Fisher
fceux,nestopia ending :
http://v.youku.com/v_show/id_XMzEwMzQwNjU1Mg==.html

hardware same?
Re: Pirate Gemlins 2 RE
by on (#206521)
If I remember correctly there's some differences.
I'll try to make a video and post here.
Re: Pirate Gemlins 2 RE
by on (#206876)
Sorry for the big delay.
Finally, here's the video.
I didn't remember correctly, but it seems quite similar!
Unless the GameGenie is doing some stuff...
Re: Pirate Gemlins 2 RE
by on (#206877)
Fisher wrote:
Sorry for the big delay.
Finally, here's the video.
I didn't remember correctly, but it seems quite similar!
Unless the GameGenie is doing some stuff...

Thank you! Emulator, it looks exactly the same!