Codemaster' CME-01 and Cosmic Spacehead rev-eng

[krzysiobal]

I've got Cosmic Spacehead for testing. This is the only known game that contains Codemasters' CME-01 DIP28 chip. This is remastered Aladdin version of `Linus Spacehead Cosmic Crusade`, with the following differences (maybe there more):
* Cosmic Spacehead is dated 1993, while LSCC is 1992 (this is in fact the only NES Codemasters game dated 1993, others are 1992 or 1991)
* Cosmic Spacehead uses new Codemasters logo
* The splash screen is different
* There is something called "2 player pie slap" in Cosmic Spacehead
* Plus the shell shape looks very different from standard NES shells.

Linus Spacehead Cosmic Crusade:


Cosmic Spacehead:


About the mapper and chip:

Code: Select all

                   .----v----.
   (R)  PRG-A16 <- | 01   28 | -- +4.3V
   (R)  PRG-A15 <- | 02   27 | -> PRG A17 (R)
 (R,N)  CPU-A12 -> | 03   26 | -> PRG A14 (R)
   (N)  CPU-A14 -> | 04   25 | <- CPU A13 (R,N)
   (N) CPU /RMS -> | 05   24 | -> PRG /CE (R)
   (N)  CIC+RST -> | 06   23 | -> PRG /OE (R)
   (N)  CPU R/W -> | 07   22 | <- CPU D7  (R,N)
 (n/c)   OUTER2 <- | 08   21 | <- CPU D0  (R,N)
 (n/c)   OUTER0 <- | 09   20 | <- CPU D6  (R,N)
 (n/c)   OUTER1 <- | 10   19 | <- CPU D1  (R,N)
         MOSFET <- | 11   18 | <- CPU D5  (R,N)
   10MHz CLK IN -> | 12   17 | <- CPU D2  (R,N)
  10MHz CLK OUT <- | 13   16 | <- CPU D4  (R,N)
            GND -- | 14   15 | <- CPU D3  (R,N)
                   '---------'
* Mapper is clocked with external 10MHz ceramic resonator (blue thing)
* There is 4 bit inner PRG bank, like in mapper 71:  [....pppp] at $c000-$ffff 
* There is 3 bit outer PRG bank, like in mapper 232: [...PPP..] at $8000-$bfff
  (with one additional bit)                              ||+---- pin 9
                                                         |+----- pin 10
                                                         +------ pin 8
* Pin 23 = PRG /OE <= /ROMSEL or not CPU-R/W
* Pin 24 = PRG /CE <= '1' when copy_protection_enabled else '0'
  Reading $0000-$ffff while copy protection is enabled returns $EA)
* After power up, copy protection is enabled. To disable it, CIC+RST must become low,
  and then - CPU read from $f000-$ffff must happen. If CIC+RST is floating, game won't work.
* For current state of knowledge, CPU D7/D6/D5 do not seem to affect anything
* Above chip and PRG-ROM are powered from +4.3V (1n4004 diode in series with +5V)
* Pin 11 controls N-mosfet. If it goes high, it can cause very high current to flow from VCC to GND.
  However, I wasn't able to toggle this pin high.

--

I checked a little more the copy protection and it looks like just single read from $f000-$ffff won't turn it on. Looks like after 294 reads, the copy protection is disabled. And the CME-01 is not only "injecting" $EA, but also:
$4c $4c $88 $88
$6c $fc $ff
but around 100 reads before coopy protection is disabled, pin 11 goes high for around 1 milisecond.

first read f000-ffff.bin

(4 KiB) Downloaded 143 times

second read f000-ffff.bin

(4 KiB) Downloaded 130 times

Also the game gangs after a few seconds on my Famiclone, maybe there is some special timing needed to keep the copy protection disabled?

--

Oh, looks like there is yet another Codemasters game using the same hardware, that is even not present in bootgod's database - Super Adventure Quests:
https://www.jammarcade.net/tag/codemasters/

[Dwedit]

Linus Spacehead and Cosmic Spacehead use NTSC/PAL Detection, and that can fail on Dendy-like systems.

Another difference between Cosmic Spacehead and Linus Spacehead is that Cosmic Spacehead gives full control during platforming segments, and speeds up gameplay by 50% if you are on a PAL system.

I had always thought Cosmic/Linus Spacehead were just like Mapper 2 cartridges, never occurred to me that they could have specially designed protection chips in there.

[lancuster]

krzysiobal, can you make a dump of "Cosmic Crusade"?

[lidnariq]

Reading $0000-$ffff while copy protection is enabled returns $EA)

But M2 isn't present. Does it just drive the data bus continuously? Or do you mean $8000-$FFFF ?

Also, what happens if the 10MHz resonator is replaced with some other speed?

[krzysiobal]

krzysiobal, can you make a dump of "Cosmic Crusade"?

This game is already dumped.

But M2 isn't present. Does it just drive the data bus continuously? Or do you mean $8000-$FFFF ?

II analyzed it a little more. Because the chip has only CPU/ROMSEL, A14..12 and R/W, the best what it can do is count CPU cycles and basing on that, change internal state and change value to drive data bus. Only reads from $8000-$ffff change the internal state (because only for them, /ROMSEL toggles). Writes does not seem to change internal state.
For reads from $0000-$7fff it drives the data bus with the previously output value. It is not pull-up, but strong driving - on my kazzo CPU-D and PPU-D lines are tied together (with serial resistors for safety reasons) and I can't read CHR-RAM because $EA is conflicting.

So after simulating RESET (CIC+RST tied to +5V and then to GND):

1) When reading anywhere from $8000-$ffff:
* 255 * $EA
* next reads return: $4C, $4C, $88, $88, $EA

2a) If next reads are from $8000-$e000
* return $EA forever

2b) If next reads are from $f000-$ffff
* $4C $4C $88 $88
* then $EA for next 249 reads
* then:
$4C $4C $88 $88 $EA $EA $4C $4C
$88 $88 $EA $4C $4C $88 $88 $EA
$4C $4C $88 $88 $EA $EA $4C $4C
$88 $88 $EA $4C $4C $88 $88 $EA
$4C $4C $88 $88 $EA $6C $FC $FF
* and since next read, chip gets unlocked and stops driving data bus.

If we don't read until chip gets unlocked, but start reading from $8000-$efff, we get:
* $4C, $4C, $88, $88
* next $EA forever

Also, what happens if the 10MHz resonator is replaced with some other speed?

I will check it and also check at which moment mosfet gets turned on.
I am wondering if this is copy protection (too weak) or just the CME-01 gives the CPU opcodes to execute to perform certain operation untill desired effect is achieved.
This 1ms high current spike causes significant voltage drop, which might glitch and disable CIC. And the diode, which is in series with CME-01's VCC protects it from losing voltage when NES +5V drops.

[lidnariq]

And the diode, which is in series with CME-01's VCC protects it from losing voltage when NES +5V drops.

I've seen a similar UPS-like circuit in a 2600 multicart, where it's used to keep a counter powered while the unfiltered power line clocks the counter.

[lancuster]

krzysiobal, I mean new game, "Cosmic Spacehead" (1993).

[Dwedit]

Both games are dumped.

Interesting that the game would be running CIC Defeat Code on the CPU, then switching back to the normal game.