QJ Game Action Replay SV-801 reverse engineering



Post by krzysiobal »

Finally, with the help of Ben Boldt, I was able to obtain a QJ Game Action Replay SV-801, the famous NES add-on cartridge that can save and load the game state at any moment of the game. There were not even good-quality photos of it on the web, so it's high time to put it under analysis.

The device contains:
* 16 kB 27128 EPROM,
* 32 kB 62256 SRAM (with an unpopulated second slot), famous for being erased when the battery runs out of juice and bricking the cartridge,
* GMNFC 01 made by OKI, some kind of microprocessor, clocked at 20 MHz, which controls the data/address/output and write enable lines of the mentioned SRAM (looking at the pins it can potentially address up to 128 kB),
* two 8-bit latches, which latch address pins to the SRAM,
* GAL16V8, which switches between the two RAMs.

GMNFC 01:
* This chip listens to the CPU address/data bus (CPU-A14..A0, CPU-D7..D0, R/W, /ROMSEL, M2) and can drive the data bus
* It controls CPU-A14, CPU-A13, CPU /ROMSEL, PPU-A13, PPU-/RD, CIRAM /CS, CIRAM /A10 of the slave cart connector
* Unrouted GMNFC 01 pins that do not seem to be connected internally: 23, 41, 56, 87, 105, 120 (the other unrouted pins show signs of internal connections during a multimeter diode test)


                                                  +-------+                    
                                          +5V -- / 001 128 \ -- GND
                                          M2 -> / 002   127 \ -- GND
                                    CPU A11 -> / 003     126 \ <- CIR /CS
                                   CPU A12 -> / 004       125 \ <- CIR A10
                                      GND -- / 005         124 \ <- PPU /RD
                           SLAVE CPU A13 <- / 006           123 \ -> SLAVE CIR A10
                                 CPU A9 -> / 007             122 \ <- PPU A13
                         SLAVE CPU A14 <- / 008               121 \ -> SLAVE PPU A13
                               CPU A8 -> / 009                 120 \ NC
                              CPU D7 <> / 010                   119 \ -> EPR /OE
                             CPU A7 -> / 011                     118 \ -> EPR A13
                            CPU D6 <> / 012                       117 \ <- PPU A10
                           CPU A6 -> / 013                         116 \ <- CPU A13
                          CPU D5 <> / 014                           115 \ <- CPU A14
                         CPU A5 -> / 015                             114 \ ??
                        CPU D4 <> / 016                               113 \ -- +5V
                          +5V -- / 017                                 112 \ ??
                     CPU A14 -> / 018                                   111 \ ??
                        GND -- / 019                                     110 \ ??
                    CPU D3 <> / 020                                       109 \ ??
                   CPU A3 -> / 021                                         108 \ <- /RESET
                  CPU D2 <> / 022                                           107 \ <> RAM D7
                        NC / 023                                             106 \ -- +5V
                CPU A2 -> / 024                                               105 \ NC
               CPU D1 <> / 025                                                 104 \ <> RAM D5
              CPU A1 -> / 026                                                   103 \ <> RAM D6
             CPU D0 <> / 027                                                     102 \ <> RAM D4
            CPU A0 -> / 028                                                       101 \ -- XTAL
SLAVE CPU /ROMSEL <- / 029                                                         100 \ -- GND
     CPU /ROMSEL -> / 030                                                           099 \ ??
        CPU R/W -> / 031                                                             098 \ -- GND
           GND -- / 032                           GMNFC 01                            097 \ -- GND
               ?? \ 033                            OKI                                096 / ??
                ?? \ 034                                                             095 / ??
   SLAVE PPU /RD <- \ 035                                                           094 / ??
    SLAVE CIR /CS <- \ 036                                                         093 / -- +5V
                   ?? \ 037                                                       092 / ??
                    ?? \ 038                                                     091 / -- GND
                     ?? \ 039                                                   090 / ??
                      ?? \ 040                                                 089 / ??
                       NC \ 041                                               088 / ??
                        ?? \ 042                                             087 / NC
                         ?? \ 043                                           086 / -- +5V
                          ?? \ 044                                         085 / ??
                           ?? \ 045                                       084 / -- GND
                            ?? \ 046                                     083 / ??
                             ?? \ 047                                   082 / ??
                              ?? \ 048                                 081 / ??
                           +5V -- \ 049                               080 / <> RAM D2
                                ?? \ 050                             079 / ??
                                 ?? \ 051                           078 / <> RAM D3
                                  ?? \ 052                         077 / -- GND
                                   ?? \ 053                       076 / <> RAM D0
                                    ?? \ 054                     075 / <> RAM D1
                                     ?? \ 055                   074 / -> LA04 / LA00
                                      NC \ 056                 073 / -> LA07 / LA12
                                       ?? \ 057               072 / -> LA03 / LA06
                                   ALE1 <- \ 058             071 / -> LA10 / LA08
                                 RAM /WE <- \ 059           070 / -> LA14
                                          ?? \ 060         069 / -> LA16 / LA13
                                      ALE2 <- \ 061       068 / -> LA15 / LA09
                                    RAM /OE <- \ 062     067 / -> LA05 / LA02
                                         GND -- \ 063   066 / -> LA01 / LA11
                                          GND -- \ 064 065 / -- +5V
                                                  +------+/
GAL:
* equations derived based on its operation:


  RAM1_nCS <= (ALE2) | (RAM_A15);
  RAM2_nCS <= (!RAM_A15) | (ALE2);
  RAM1_nWE <= (RAM_A15) | (RAM_nWE);
  RAM2_nWE <= (!RAM_A15) | (RAM_nWE);
  RAM_A14  <= LA14 when ALE2 = '1'         ;latch

  CLKOUT (pin 19) - seems to be an unused input
  CLKIN (pin 1) - seems to be an unused input
* I was however able to read it back in a TLS866 programmer and then program a different GAL using this JEDEC file, and it seems to behave the same, so it looks like it was not protected. I attach the GAL JEDEC fusemap:


Memory map (after powerup):
$5000-$5fff -> RAM (*)
$8000-$bfff -> open bus
$c000-$ffff -> EPROM
(*) The content of the memory was corrupted, but I found a file named GAR.BIN in CopyNES' plugins directory which is believed to be the file used to reprogram the SRAM and fix the cartridge.

Principle of operation
I replaced the battery and wanted to fix the SRAM content by reprogramming it using MyKazzo (I don't have a CopyNES), but reading the $5000-$57FF region returns inconsistent results. I will examine how the GMNFC 01 chip works, but at this moment I can say it behaves weirdly - it does not behave like an ASIC, but rather like a microcontroller that executes its code cycle by cycle.
For example, at the start of a CPU read cycle at $5200 I expected that it would quickly latch the address to the RAM (ALE1, ALE2), then enable it (RAM /OE), then read its content (RAM D7..D0) and pass the data to the CPU bus (CPU D7..D0), but it looks like when M2 is high, RAM /OE is asserted twice and ALE1/ALE2 also toggle multiple times.

I extended M2 much longer, and RAM /OE, ALE1 and ALE2 toggled more times. It looks like the M2 period must match the one in real hardware. When M2 is low, RAM /OE is high but ALE1 and ALE2 are still toggling.

One of the few photos on the internet shows that the menu should look like this:

On power up, the EPROM code makes some writes:
$4182 <- 00
$418B <- 00
$418D <- 00
$4185 <- A7
and then jumps to $5200


To be continued...
Attachments:
* GAR GAL16v8.zip (372 Bytes)
* GAR RAM.BIN (2 KiB)
* GAR ROM.nes (32.02 KiB)
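The GAL equations in the post above are small enough to check exhaustively rather than by eye. The following is an added example, not code from the thread: a software model of those five equations (signal names as in the post; the input ordering, the `selected_chip` helper and the power-up value of the latch are my assumptions) that verifies the two 62256s can never be selected together, are deselected while the ALE2 latch is open, and that a write strobe only ever reaches the chip RAM_A15 points at. On this board the second slot is empty, so writes with RAM_A15 = 1 go to a chip that is not there.

```python
# Added example (not code from the thread): a model of the GAL16V8 decode
# equations krzysiobal derived above, checked over every input combination.
# Signal names follow the post; the input order and helper names are mine.
from itertools import product


class GalDecoder:
    """Combinational outputs plus the one transparent latch (RAM_A14 <= LA14 while ALE2 = 1)."""

    def __init__(self):
        self.ram_a14 = 0  # latched value; assumed 0 at power-up (not stated in the post)

    def step(self, ale2, ram_a15, ram_nwe, la14):
        """Apply one set of input levels and return the output levels as a dict."""
        if ale2:
            self.ram_a14 = la14  # latch is transparent while ALE2 is high
        return {
            "RAM1_nCS": int(ale2 or ram_a15),            # RAM1_nCS <= ALE2 | RAM_A15
            "RAM2_nCS": int((not ram_a15) or ale2),      # RAM2_nCS <= !RAM_A15 | ALE2
            "RAM1_nWE": int(ram_a15 or ram_nwe),         # RAM1_nWE <= RAM_A15 | RAM_nWE
            "RAM2_nWE": int((not ram_a15) or ram_nwe),   # RAM2_nWE <= !RAM_A15 | RAM_nWE
            "RAM_A14": self.ram_a14,
        }


def selected_chip(out):
    """Which 62256 is chip-selected (active low): 1, 2, None, or "both"."""
    if out["RAM1_nCS"] == 0 and out["RAM2_nCS"] == 0:
        return "both"  # never happens for these equations, see check_decoder
    if out["RAM1_nCS"] == 0:
        return 1
    if out["RAM2_nCS"] == 0:
        return 2
    return None


def check_decoder():
    """Exhaustively verify three properties over all 16 input combinations.

    1. The two SRAMs are never selected at the same time (only one may drive RAM D7..D0).
    2. Neither SRAM is selected while ALE2 is high, i.e. while the address latch is open.
    3. A chip's /WE is only asserted for the chip RAM_A15 points at, so a write can
       never land in the other chip.
    Returns the sorted list of violated property numbers (empty means all hold).
    """
    bad = set()
    for ale2, a15, nwe, la14 in product((0, 1), repeat=4):
        out = GalDecoder().step(ale2, a15, nwe, la14)
        if selected_chip(out) == "both":
            bad.add(1)
        if ale2 and selected_chip(out) is not None:
            bad.add(2)
        if out["RAM1_nWE"] == 0 and a15 != 0:
            bad.add(3)
        if out["RAM2_nWE"] == 0 and a15 != 1:
            bad.add(3)
    return sorted(bad)


def write_cycle(a15, la14, a13_0):
    """Model one write: open the latch with LA14, close it, then strobe /WE.

    Returns (chip, 15-bit address inside that chip). a13_0 stands for whatever the
    GMNFC 01 puts on the latched lines LA13..LA0; those are not modelled bit by bit.
    """
    gal = GalDecoder()
    gal.step(ale2=1, ram_a15=a15, ram_nwe=1, la14=la14)     # ALE2 high: latch LA14, chips deselected
    out = gal.step(ale2=0, ram_a15=a15, ram_nwe=0, la14=0)  # ALE2 low, /WE low: the write itself
    chip = selected_chip(out)
    assert chip in (1, 2) and out[f"RAM{chip}_nWE"] == 0
    return chip, (out["RAM_A14"] << 14) | (a13_0 & 0x3FFF)


if __name__ == "__main__":
    print("violations:", check_decoder())              # []
    print(write_cycle(a15=0, la14=1, a13_0=0x0200))     # (1, 0x4200): populated chip, upper 16 kB half
    print(write_cycle(a15=1, la14=0, a13_0=0x0200))     # (2, 0x0200): the empty second slot
```

Reading the JEDEC file back and reprogramming a second GAL, as the post does, only proves the fusemap is copyable; running `check_decoder()` against equations recovered from the new part is the cheap way to confirm the copy decodes identically.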

Re: QJ Game Action Replay SV-801 reverse engineering

Post by NewRisingSun »

The QJ Game Action Replay is a bastardized version of the Bung Game Master. The Bung Game Master, Master Boy, and QJ Game Action Replay are all emulated in NintendulatorNRS:
[Zelda_QJGAR.png: QJ Game Action Replay when running The Legend of Zelda (North America)]
[Zelda_GM.png: Bung Game Master menu when running The Legend of Zelda (North America)]
The QJ GAR's big brother, the Bung Game Master, which also has the GMNFC 01 ASIC microcontroller, has the save/restore functionality but saves to 2.8" or 3.5" floppy disk instead when used with the Bung Master Link peripheral. It also adds the ability to play games off 2.8" and 3.5" floppy disks using an FPGA with loadable fusemaps, making it the grandfather of all modern flashcarts. It furthermore can fully dump cartridges to 2.8" and 3.5" floppy disks, but only if they use the MMC1, MMC3 or N118 mappers.

The BIOS will reinitialize SRAM all by itself if, on hard reset, register $4185 bit 0 is clear. I have hypothesized with kevtris that there must be some means on the PCB to change that register bit to zero to force the BIOS to reinitialize SRAM, but we have not managed to find one. In NintendulatorNRS, I initialize that bit 0 to zero on hard reset, which allows me to power on the emulated system with completely empty SRAM.

Your GAR ROM dump is incomplete; the first 24 KiB are all FFs, and only the last 8 KiB have correct data. There is another 8 KiB of bankswitched (register $4180 bit 0; bit 1 must be set to map BIOS at all to $E000-$FFFF) BIOS data that is missing. I have attached the complete ROM dumped by kevtris.

Edit: Added screenshots
Attachments:
* QJGAR.BIN (16 KiB)
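NewRisingSun spotted the incomplete dump because 24 KiB of it read back as $FF. Below is an added example, not code from the thread or from NintendulatorNRS, that does that check mechanically on an iNES-wrapped dump and then models the only two register bits his post pins down: $4180 bit 1 maps the BIOS at $E000-$FFFF, bit 0 chooses which 8 KiB half. The sample dump is constructed to mimic the described failure (three blank 8 KiB banks, one good one); that unmapped reads return open bus, and the `GarBiosBanking` name and layout, are my assumptions.

```python
# Added example (not from the thread or NintendulatorNRS): flag 8 KiB banks that
# read back as all $FF, and model $4180 bit 1 (BIOS at $E000-$FFFF) and bit 0
# (8 KiB bank select) as NewRisingSun describes them. Open bus for unmapped
# reads is an assumption; the sample dump below is constructed, not a real file.
BANK = 8 * 1024


def ines_prg(data):
    """Return the PRG-ROM of an iNES file, or the data unchanged if it has no header."""
    if data[:4] == b"NES\x1a":
        prg_size = data[4] * 16 * 1024  # byte 4 = PRG size in 16 KiB units
        return data[16:16 + prg_size]
    return data


def blank_banks(prg, bank_size=BANK, fill=0xFF):
    """Indices of bank_size-byte banks that are entirely `fill` (typically unread EPROM)."""
    blank = bytes([fill]) * bank_size
    return [i for i in range(len(prg) // bank_size)
            if prg[i * bank_size:(i + 1) * bank_size] == blank]


def reset_vector(prg):
    """Little-endian RESET vector from the last bank, which lands at $FFFC-$FFFD."""
    return prg[-4] | (prg[-3] << 8)


class GarBiosBanking:
    """$4180 as NewRisingSun describes it; no other register is modelled."""

    def __init__(self, bios):
        if len(bios) != 2 * BANK:
            raise ValueError("expected a 16 KiB BIOS image")
        self.bios = bios
        self.reg4180 = 0  # assumed cleared at power-up: BIOS unmapped until bit 1 is set

    def cpu_write(self, addr, value):
        if addr == 0x4180:
            self.reg4180 = value & 0x03

    def cpu_read(self, addr):
        """Byte at addr, or None for open bus (assumed when the BIOS is not mapped)."""
        if 0xE000 <= addr <= 0xFFFF and self.reg4180 & 0x02:
            bank = self.reg4180 & 0x01
            return self.bios[bank * BANK + (addr - 0xE000)]
        return None


def build_sample_dump():
    """Constructed stand-in for 'GAR ROM.nes': 24 KiB of $FF, then one real-looking 8 KiB bank."""
    good = bytearray((i * 7 + 3) & 0xFF for i in range(BANK))
    good[-4:-2] = b"\x00\xE0"                          # RESET -> $E000
    header = b"NES\x1a" + bytes([2, 0]) + bytes(10)    # 2 x 16 KiB PRG, no CHR
    return header + b"\xFF" * (3 * BANK) + bytes(good)


if __name__ == "__main__":
    prg = ines_prg(build_sample_dump())
    print("blank 8 KiB banks:", blank_banks(prg))       # [0, 1, 2]: only the last bank was read
    print("RESET vector: $%04X" % reset_vector(prg))    # $E000
    bios = prg[-2 * BANK:]                              # the last 16 KiB is where the BIOS would be
    mmu = GarBiosBanking(bios)
    print(mmu.cpu_read(0xE000))                         # None: bit 1 clear, BIOS not mapped
    mmu.cpu_write(0x4180, 0x03)                         # map BIOS, select bank 1
    print(mmu.cpu_read(0xE000) == bios[BANK])           # True
```

A dump whose low banks are all $FF is not proof the EPROM is blank there: on this cartridge the missing 8 KiB is only reachable through $4180, so a dumper that never writes that register will see exactly the pattern above.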

Re: QJ Game Action Replay SV-801 reverse engineering

Post by aquasnake »

Thanks to NRS, the following is discarded:


[s]CPU $5000-$5FFF: 4 KiB ExRAM (executed code) or PRG ROM for Game Action Replay BIOS (bank 0)
CPU $6000-$7FFF: 8 KiB bank-switchable WRAM for the save-state function
CPU $E000-$FFFF: 8 KiB PRG ROM for Game Action Replay BIOS (bank 1)
PPU $0000-$1FFF: 8 KiB CHR RAM for in-game menu


PPU mode ($4182, write only)

D~7654 3210
  ---------
  EMMM 4.II
  |||| | ++------ IRQ mode
  |||| |          0: No IRQ
  |||| |          1: MMC3 scanline based IRQ
  |||| |          2: CPU based IRQ, counting up
  |||| |          3: CPU based IRQ, counting down 
  |||| +--------- 4 screen external NTRAM select
  ||||            0: Disable
  ||||            1: Enable
  |+++----------- Mirroring mode
  |               0: 1sc-A
  |               1: 1sc-B
  |               2: V
  |               3: H
  |               4-7: Reserved
  +-------------- CHR RAM write control
                  0: Disable
                  1: Enable


ExRAM/ROM mode ($4185, write only)

D~7654 3210
  ---------
  1010 0111

The specific setting is unknown.
When it is set to $A7, $5000-$5FFF switches to ExRAM (i.e. qj_gar_ram.bin).
When $0 is written, it switches to PRG ROM (i.e. bank 0 of qj_gar_bios.bin).
Defaults to 0 at power-on.


Disk control I/O ($418B, $418D)

Not documented.
[/s]

But where is the entrance to the menu?
Last edited by aquasnake on Sat Jul 02, 2022 10:27 am, edited 1 time in total.

Re: QJ Game Action Replay SV-801 reverse engineering

Post by NewRisingSun »

That description of $4182 comes from the Bung Doctor PC Junior and does not apply to the QJ Game Action Replay or the Bung Game Master. See NintendulatorNRS' source code (plugThruDevice_GameMaster.cpp) for an emulation of the QJ Game Action Replay.