nesdev.org

In case anyone missed it, the latest bsnes version has added limited support for the ST011 and ST018 chips. If anyone wants to look at the progress and possibly help improve them, take a look at the source.

The ST011 code in ZSNES is bit-perfect for the demo. We either need more logs to get it bit-perfect or someone who is experienced with writing a nice shogi AI to get it somewhat playable.

The ST018 code I added was very preliminary and really does nothing more than get past the first few lock-up points. I mostly just wanted to see why everyone kept calling it a RISC processor. It may be internally, but it's irrelevant since you can't upload your own instructions. Well, at least until someone dumps the program ROM from it.

The way it works is to upload the board state in a 96(?)-byte structure, and then send a command and get back the results. The command requests are usually things like "will this move result in checkmate?", "has player 1 or 2 won?", etc. Most of it we can emulate with generic Shogi algorithms, but there are a few that control where the computer AI moves that will require chip logs.

As for ST011, I guess if I can get my hands on the cart, I can use blargg's serial interface to dump some logs. Seems like a lot of work, but if someone is willing to RE them, I suppose getting the logs is the least I can do.

For both the ST011 and ST018, I don't have the hangups that others in the past have had with using a generic Shogi algorithm as a placeholder to better understand the chip. It's definitely simulation in place of emulation, though.

And proper OP1E support for SD Gundam GX should at least get the game fully playable, right? If someone needs help converting the Gundam X routines from 65816 to C, I can lend a hand there.

byuu wrote:And proper OP1E support for SD Gundam GX should at least get the game fully playable, right? If someone needs help converting the Gundam X routines from 65816 to C, I can lend a hand there.

We need more OPs, that aren't used in the available logs, to get the battles right. Most of the failures with the current OP1E algo are minor.

For what it's worth, the MESS team and I have raised money and obtained a cart to have the DSP-1B decapped and scanned. If we are able to emulate the NEC uPD77C25 and get the program ROM, then we can decap the DSP-2, DSP-3 and DSP-4 and get instant bit-perfect, timing-perfect emulation of said chips.

The same should be possible for ST-010+ST-011, ST-018 and Cx4. But we don't know which three CPUs are used, and they are most likely custom, eg undocumented. Meaning it may even be harder to emulate the PROMs than it is to simulate the opcodes.

And for those who enjoy the simulation approach, having the PROMs should allow us to RE the algorithms much easier.

I have some side projects that I may be willing to pay for decap and rom reading. How much and where are you going for such services? I never had much luck looking previously.

Here is the guy: http://decap.mameworld.info/

Here is the thread that started it all, it might interest you: http://www.bannister.org/forums/ubbthre ... 41&page=39

There's also Flylogic: http://www.flylogic.net/

TheGuru is secretive about his deal (or at least was last time I tried to ask him about it), so I'm not sure what all we can expect. (Unlike several images of metal layer masked rom he's shown, the DSP1 ROM cannot be read by merely decapping and imaging ... either staining or probing is necessary.) However I see some things on his successful list that must have been probed or something, so who knows. $200 is ridiculously cheap for such work, so there must be some heck of a deal.

I've talked with Chris at flylogic.net and exchanged some stuff with him before. Unfortunately, if he isn't interested in the project personally (ie doing it for free or pitance), I would never be able to afford his rates. He's quite amazing at what he does.

Did you read the links I posted? The questions are answered about the nature of the deal. Even probing equipment being used is mentioned. http://decap.mameworld.info/about-2/

neviksti, could you ask Chris what his rates would be for taking on a MaskROM like the DSP-n series? It may be a good idea to have him take a shot at this as well, perhaps with the DSP-1A or somesuch. I've heard estimates that MaskROMs typically cost ~$350-500 on the open market, which also seems rather low.

HJRodrigo wrote:Did you read the links I posted? The questions are answered about the nature of the deal. Even probing equipment being used is mentioned. http://decap.mameworld.info/about-2/

No, I'm sorry I didn't.
I saw mameworld and thought the decap page you listed was just this page: http://guru.mameworld.info/decap/index.html
Thank you for pointing out your link to me (again).

Anyway, it is nice to know they are not as secretive about it anymore. The remaining secrecy probably stems almost more from pricing issues (in his real job) than security issues. The page doesn't go into technique details, but it is clear probing is used when necessary.

byuu wrote:neviksti, could you ask Chris what his rates would be for taking on a MaskROM like the DSP-n series? It may be a good idea to have him take a shot at this as well, perhaps with the DSP-1A or somesuch. I've heard estimates that MaskROMs typically cost ~$350-500 on the open market, which also seems rather low.

The prices I told you about earlier, one data point was from prices he told me he charged. I was asking about a more recent chip though. Um, I should probably say the rest in a PM.

The MaskROM estimate you write is echoed on the page HJRodrigo linked. I'm not sure where that is coming from. Previously with some searching I remember finding it was possible to get images at roughly that cost, so they must be referring to the ROM made by changing the top metal interconnect layer mask. In older devices, everything was large enough that you could easily read out the data after decapping such devices (you could probably even do the whole thing with just sandpaper, and a geological microscope from Toys R Us).

But many kinds of maskrom cannot be read in an image (and even the metal layers ones wouldn't be readible if there were additional metal layers above). So newer devices may require additional processing and/or techniques. Also newer devices just have a lot more memory to read out, which costs more. Some devices I've looked at have 4 metal layers, which obscures much of the lower circuitry (sometimes there is a layer purposely for obscuring). So just in general, the newer the device the more expensive.

I was very discouraged by the prices I was getting from asking around, so I by no means exhaustively searched for places that do such work. Plus that was at least a couple years ago, so maybe prices have dropped as well.

In case anyone missed it:
http://board.byuu.org/viewtopic.php?f=3&t=1261

LN

And also:
http://board.byuu.org/viewtopic.php?f=3&t=1263

all 3 within a 12 hour period, too!

LN