nesdev.org

Posted: **Mon May 12, 2008 4:11 pm**

We're looking for someone to build us a device to allow us to decompress arbitrary data from the SPC7110 chip from Epson, so we can reverse engineer the algorithm used.

The chip is used in Far East of Eden Zero, Momotarou Dentetsu Happy, and Super Power Leauge 4.

CaitSith2 has some source code up for talking to the SPC7110 here: http://www.caitsith2.com/snes/snes_cart_dumper.htm

The general process of setting up a decompression:

1. If the data rom is > 1MB, Goto step 2, otherwise go to step 3.
2. Initialize access, by writing this sequence of bytes to 00:4830.
0x80 0x00 0x80 0x80 0x00 0x80 0x00 0x80 0x00 0x80 0x00 0x80 0x80 0x00 0x80 0x00.
3. Write 0x00 to 00:480B
4. Write the address of the table to 00:4801-4803, with low byte to 00:4801
5. Write the Index to 00:4804
6. Set DMA channel to 00:4807 (not needed if dumping directly)
7. Write offset to return after finished decompressing, to 00:4805-4806, low byte to 00:4805.
8. Read 00:480C until bit 7 is set. (any attempts to read decompressed data before the chip is finished, results in 0x00 being returned. The decompression buffer is 32K as far as we know.)
9. Write 0x00 to 00:4808-4809.
10. Read 00:4800 for however many bytes your going to read from the decompression buffer.

If you wish to read any bytes above the 1MB boundry, (E0:0000-FF:FFFF), you need to follow step 2 above.

The beginning of the data rom is always 0x01020408 0x10204080, and the end of the data rom is always 0xFEFDFBF7 0xEFDFBF7F. This was put in place for checking that data rom access works when the spc7110 runs its hardware test. This is why the first table is always at 0x000008 from the beginning of the data rom.
---------------

We basically need a PC program with source code too (DOS, Windows, Linux, or BSD doesn't really matter as long as it works), that would allow us to pass a block of data to the chip, then return the decompressed data.

Can be connected to the PC via any normal port, serial, parrallel, USB, or FireWire, two connections are fine too (although preferably not two parrallels, since I don't know any of us with a single PC with that).

I imagine to do the hardware, it would need a ROM emulator replacing the data ROM, and some type of connector to a PC on the other end.

We'll handle setting up automated tests once we have a working device and software to simply talk to it. Anyone have the skill and interested in building us what we need? Also, please let us know in advance how much this will cost (hardware, and effort), so we can raise the money. If any hardware is needed that we already have, let us know.

Many thanks in advance.

Posted: **Tue May 13, 2008 11:42 pm**

Does the ROM emulator replace the game ROM or a special SPC7110 graphics ROM?

Posted: **Mon May 19, 2008 7:21 pm**

We just need a ROM emulator to replace the data ROM. Much easier to solder by hand. Game ROM would certainly be nice, but I'm sure someone has a copier that can run custom programs that can probe the SPC chip.

Problem is that the data ROM sits between the SPC7110 and the bus, and the SPC will only decompress data from the connected data ROM, and not from the bus.

Posted: **Tue May 20, 2008 1:43 am**

How little data can you work on at a time?

I think the best solution would be a dual ROM emulator, where the game ROM holds a little code to read the SPC7110 data which it writes to itself. The PC could then hold SNES reset, read the data from the game ROM and update the data ROM and repeat after a fixed period.

I can post my idea for the emulator logic if you like, but I'm not up for building it, 150+ wires will be too much to troubleshoot.

Posted: **Mon May 26, 2008 11:53 pm**

Here is a complete set of the extracted compressed, and decompressed data, from the original games. http://caitsith2.net/spc7110/

The method to extract the compressed data, and nothing more than what is required for the specific decompressed entry, took advantage of the tables themselves. Each Table entry is 4 bytes long. 3 bytes, for the data rom address where the compressed data starts, and 1 byte to indicate the compression method used on the data. It was by subtracting Table Entry 0 from table entry 1, determined table entry 0's size, and Table entry 1 from table entry 2 to determine size of table entry 1, and so on, for the compressed data.

Posted: **Wed May 28, 2008 5:45 am**

I have been researching about that alot, considering quite a few solutions. I even managed to get Charles MacDonald to work on FEoEZ, but the project stopped mainly due to time lacking.

The best solution I've come up with is a U2 (was it U2 or another?) chip - USB 2.0 interface.
That would be the less invasive, most suitable way, as its speedy and would allow total control from the PC (as in you would be able to supply new test data to the SPC on the fly).

Of course you would need a "cruise" program on the SNES to pilot the SPC, but that really shouldnt be much of a problem.

Also, i have the mappings of all SPC7110 based carts (apart of the Shonen version FEoEZ), just in case they are needed, and a partial memory map of FEoEZ putted together by Charles MacDonald.

http://www.caitsith2.com/snes/snes_cart_dumper.htm

*bows in front of caitsith's amazing schema drawing skills*

EDIT : Oh, and I have two loose SPC chips, with no bowed pins in case someone wants them - have been desoldered with a hot air desolderer, so chances are they still work.

Posted: **Wed May 28, 2008 6:43 am**

The name "SPC" is in both SPC700 (Super NES sound CPU) and SPC7110 (data decompression IC). Is there a reason for this?

Posted: **Wed May 28, 2008 7:00 am**

tepples wrote:The name "SPC" is in both SPC700 (Super NES sound CPU) and SPC7110 (data decompression IC). Is there a
reason for this?

Not that i recall at least..

Posted: **Thu May 29, 2008 6:43 pm**

Yeah, I pretty much need someone to make the hardware device for me. I have next-to-zero EE skills.

Planning to get Nach's help on this as well, and I can always try and bug Andreas, but he could very well be too busy.

I've tried looking at your packs, and I really appreciate you hosting them, caitsith2. Unfortunately I can't find any patterns in them.

I would pretty much have to start by feeding the chip nothing but 00's for input, then change one bit and see how the output changes, rinse, repeat, to try and find patterns to build upon.

Even then, I'm not sure how successful I'd be. I'd still like to try.

I also want to try and figure out the rest of the chip's functions, as I'm not too happy with the existing code for that. And if I had an interface for that, I could run the last S-DD1 test I need (nothing that SO / SFA2 uses, but good to fill in all the blanks), and test the final S-RTC command to see if it does anything at all (not used by DKJM2, but again, I like complete emulation.)

Really hesitant to try the stop-n-swop method on that, as copiers are extremely rare and I'm afraid of damaging it that way.

Posted: **Tue Jun 03, 2008 3:05 am**

I posted my work on the ynt site :

www.yntproject.net?section=docs - check the SPC7110 pinouts.
Also, I have the doc from TheDumper about the GDSF header somewhere. Will put it up when I find it.

Posted: **Tue Jun 03, 2008 2:29 pm**

kammedo, D15 on a 8/16-bit ROM is A-1 or 8-bit A0.

Where are the SPC7110 schematics? All I see is previously published pinouts.

Posted: **Tue Jun 03, 2008 10:59 pm**

kyuusaku wrote:kammedo, D15 on a 8/16-bit ROM is A-1 or 8-bit A0.

Where are the SPC7110 schematics? All I see is previously published pinouts.

Don't recall having stated they would be original. Schematics are underway, need to get a proper software to make them *yahwn*.

Anyone is able to track them down with a simple tester and some time, which is what I did, for all the board types. Suggestions are welcomed.
Also, D15 = A1 (I assume A-1 == A1) on a 8/16 bit MROM, or D15 = A0 on a 8Bit MROM? Would you mind explain yourself clearer? Thanks! ^^

Posted: **Wed Jun 04, 2008 7:08 am**

byuu wrote: Planning to get Nach's help on this as well, and I can always try and bug Andreas, but he could very well be too busy.

No need to bug me. I have consistently expressed my interest on this for a long time, from the time when i was bugging The Dumper for him to construct a hardware interface to the last Kammedo-Charles MacDonald attempt to build such a thing.

In my opinion, all this issue would be trivial if we got such an interface; without it, however, i failed twice trying to make sense of caitsith2's data. I have in my to-do list to try to analize the data more seriously but, as i'm not very confident in the success of such line of attack, i'm not exactly motivated about it...

Right now i don't have much free time, and the little i have is being devoted to another project that have higher priority in my list. In some weeks' place, however, i should have some time to try it but, as said, i'm not very optimist about it...

Posted: **Wed Jun 04, 2008 10:52 am**

I've never understood if the base codestream uses some type of ABS coding.

Alignment 1 seems to emit zeros faster than alignments 2/0 (startup overhead or per-bitplane stuff?)

A2 has 4-bpp graphics and (iirc) 2-bpp graphics also.
A1 has ???
A0 has nametable data ($400+$2 sized amounts). Non two-power.

I'm guessing layer 1 isn't LZ/Huffman. Reversible wavelets would be cute.

Here's some samples picked out (the last one baffles me the most).

Code: Select all

[1]
14 EB 90 E8 00 00 DB D0 4E A1 33 B4 74 0B 18 76 -->
18 24 18 24 18 24 18 24 18 24 18 24 18 24 18 24
18 24 18 24 18 E7 FF 00 FF 00 18 E7 18 24 18 24
00 00 00 00 00 FF FF 00 FF 00 00 FF 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

[1]
16 C2 95 0A E8 00 00 00 05 9F CE A0 24 91 CB BE -->
20 1C 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

[1]
D3 1C F8 00 00 00 00 00 00 00 1D 17 20 BC 23 2E -->
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF

D3 1C F8 00 00 00 00 00 D3 1C F8 00 00 00 00 00 -->
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF

D3 1C F8 00 00 29 7E 41 55 C8 00 00 13 7C 95 A6 -->
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 (***)
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 (***)
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF

[1]          
04 68 74 40 14 DB 73 57 E2 CA 91 AB BB 2E C9 57 -->
01 01 01 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

04 68 74 44 0E 6D EF 79 DC 47 7B ED F3 DE B0 C1 -->
01 01 01 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 0F  00 00 00 00 00 00 00 00
12 00 00 00 00 00 0F 14  00 00 00 00 00 00 00 00
13 00 00 00 00 00 14 00  00 0E 00 00 00 00 0E 09

Posted: **Wed Jun 04, 2008 12:16 pm**

kammedo wrote: Don't recall having stated they would be original. Schematics are underway, need to get a proper software to make them *yahwn*.

I mean schematics (even symbolic) of the chip, not schematics of the board which isn't necessary since everyone already knows the ROM pinouts.

kammedo wrote:Also, D15 = A1 (I assume A-1 == A1) on a 8/16 bit MROM, or D15 = A0 on a 8Bit MROM? Would you mind explain yourself clearer? Thanks! ^^

A-1 is "address negative 1", because it's one bit lower than A0 which selects a WORD on a 16-bit ROM. When a 16-bit ROM can be put into 8-bit mode (/BYTE signal), D15 generally becomes an input which selects which byte of the word is output on D0-7. This is why in the document you mention that D0-7 and strangely D15 are connected, because D15 is really A0 and 16-bit A0 = 8-bit A1 etc.

nesdev.org

SPC7110 Reverse Engineering Project

SPC7110 Reverse Engineering Project