Difference between revisions of "Videocart dumper"
From veswiki
Line 26: | Line 26: | ||
19 +5V | 19 +5V | ||
20 +5V | 20 +5V | ||
− | 21 | + | 21 Not Connected |
22 +12V | 22 +12V | ||
</pre> | </pre> |
Revision as of 23:34, 12 November 2013
Sean Riddle built a dumper for the Videocarts so that the code can be read out without damaging the cartridges. A portable version was shipped around the world to collect rare data from even rarer cartridges.
Pinout of cartridge:
1 ground
2 ground
3 D0
4 D1
5 /INTREQ
6 ROMC0
7 ROMC1
8 ROMC2
9 D2
10 ROMC3
11 D3
12 ROMC4
13 PHI
14 D4
15 WRITE
16 D5
17 D6
18 D7
19 +5V
20 +5V
21 Not Connected
22 +12V
Sean Riddle's original code (recommended)
;Fairchild Channel F cart dumper version 2
;2/10/2004 Sean Riddle seanriddle@cox.net
; slight modifications by e5frog 15/08/2009

INCLUDE "modedefs.bas"
@ device pic16f84, hs_osc, wdt_off

DEFINE OSC 20 ;20 MHz oscillator
DEFINE NO_CLRWDT 1 ;watchdog is off
DEFINE DEBUG_REG PORTA ;serial output on A.0
DEFINE DEBUG_BIT 0
DEFINE DEBUG_BAUD 9600 ; (was 4800) set terminal program to 9600 8-N-1, log input binary, dump and save the log.
DEFINE DEBUG_MODE 1 ; for direct output from PIC to serial port (signal to pin 2, GND to pin 5)(no MAX232)
' Set Debug mode: 0 = true, 1 = inverted

BUFSIZE CON 16 ;16-byte buffer
i VAR BYTE ;general register
k VAR WORD ;another
buf VAR BYTE ;buffer pointer
rom VAR BYTE[BUFSIZE] ;buffer to store ROM
f8phi VAR PORTA.1 ;clock signal
f8write VAR PORTA.2 ;write signal
f8romc3 VAR PORTA.3 ;ROMC3 signal

; CMCON=7 ;turn off comparators
OPTION_REG.7=0 ;weak pull ups on port B
TRISB=$FF ;port B is all input

Low f8phi
Low f8write
Low f8romc3

; Debug "start..."
Pause 2000 ;wait a couple of seconds after reset

; what I do:
; clear PC0 with ROMC state 8
; loop 1024 times (was 256)
; fetch 16 bytes into buffer with ROMC state 0
; dump buffer to serial port

f8phi=1
f8write=1
@ nop ;NOPs used to create square waves
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8romc3=0

f8phi=1
f8romc3=1 ; this puts us in ROMC state 8 - clear PC0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8romc3=1

f8phi=1
f8romc3=1
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
;;;

f8phi=1
f8write=1
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

For k=1 TO 1024 ; was 256
For i=0 TO BUFSIZE-1

f8phi=1
f8write=1
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0 ;ROMC state 0, fetch instruction
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
rom[i]=PORTB ;read databus into buffer
f8phi=0

Next i

For i=0 TO BUFSIZE-1 ;dump the buffer to the serial port
Debug rom[i]
Next i

Next k

End
Version with the changes needed for the PIC16F628 (which is what can be bought today).
; Fairchild Channel F cart dumper version 2
; 2/10/2004 Sean Riddle seanriddle@cox.net
; Evolved from 16f84 to 16F628A by Fredric Blåholtz 03/08/2009
; Pic BASIC Pro

INCLUDE "modedefs.bas"
@ device pic16f628, protect_off, cpd_off, lvp_off, bod_on, mclr_on, pwrt_on, wdt_off, hs_osc

DEFINE OSC 20 ; 20 MHz oscillator
DEFINE NO_CLRWDT 1 ; watchdog is off
DEFINE DEBUG_REG PORTA ; serial output on A.0
DEFINE DEBUG_BIT 0
DEFINE DEBUG_BAUD 4800

BUFSIZE CON 16 ; 16-byte buffer
i VAR BYTE ; general register
j VAR BYTE ; 2nd general reg
k VAR WORD ; another
buf VAR BYTE ; buffer pointer
rom VAR BYTE[BUFSIZE] ; buffer to store ROM
f8phi VAR PORTA.1 ; clock signal
f8write VAR PORTA.2 ; write signal
f8romc3 VAR PORTA.3 ; ROMC3 signal

CMCON = 7 ; Port A = digital I/O
OPTION_REG.7= 0 ; weak pull ups on port B
TRISB = $FF ; port B is all input
VRCON = 0 ; Voltage reference disabled

Low f8phi
Low f8write
Low f8romc3

; Debug "start..."
Pause 2000 ; wait a couple of seconds after reset

; what I do:
; clear PC0 with ROMC state 8
; loop 256 times
; fetch 16 bytes into buffer with ROMC state 0
; dump buffer to serial port

; clear PC0
f8phi=1
f8write=1
@ nop ;NOPs used to create square waves
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8romc3=0

f8phi=1
f8romc3=1 ; this puts us in ROMC state 8 - clear PC0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8romc3=1

f8phi=1
f8romc3=1
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
;;;

f8phi=1
f8write=1
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

For k=1 TO 256
For i=0 TO BUFSIZE-1

f8phi=1
f8write=1
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0 ;ROMC state 0, fetch instruction
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
rom[i]=PORTB ;read databus into buffer
f8phi=0

Next i

For i=0 TO BUFSIZE-1 ;dump the buffer to the serial port
Debug rom[i]
Next i

Next k

End
Attempt to run on a 4 MHz PIC16C84; it worked pretty well but didn't dump everything.
; Fairchild Channel F cart dumper version 2
; 2/10/2004 Sean Riddle seanriddle@cox.net
; Edited from 16f84 to 16c84 by Fredric Blåholtz 03/08/2009
; Pic BASIC Pro

INCLUDE "modedefs.bas"
@ device pic16c84, hs_osc, wdt_off

;DEFINE OSC 10 ;10 MHz oscillator
;DEFINE OSC 3 ;3.58... MHz oscillator
DEFINE OSC 4 ;4 MHz oscillator
DEFINE NO_CLRWDT 1 ;don't insert wake up watchdog code
DEFINE DEBUG_REG PORTA ;serial output on A.0
DEFINE DEBUG_BIT 0
DEFINE DEBUG_BAUD 9600 ; can be changed to other baud-rates as well 9600-8-N-1
' Set Debug mode: 0 = true, 1 = inverted
DEFINE DEBUG_MODE 1 ; needed when dumping directly from pic to serial port pin 2 (pin 5 GND).

k VAR WORD ;variable for loop
rom VAR BYTE ;buffer to store ROM
f8phi VAR PORTA.1 ;clock signal
f8write VAR PORTA.2 ;write signal
f8romc3 VAR PORTA.3 ;ROMC3 signal

OPTION_REG.7=0 ;weak pull ups on port B
TRISB=$FF ;port B pins are all inputs

Low f8phi ; set all signals LOW at startup
Low f8write
Low f8romc3

Debug "Dumping starts in two seconds..." ; message on serial line - OPTIONAL
Pause 2000 ;wait 2 seconds after a reset

; what is done:
; clear PC0 with ROMC state 8
; fetch 1 byte into buffer with ROMC state 0
; dump buffer to serial port
; loop 16384 times

f8phi=1
f8write=1
@ nop ;NOPs used to create square waves
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8romc3=0

f8phi=1
f8romc3=1 ; this puts us in ROMC state 8 - clear PC0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8romc3=1

f8phi=1
f8romc3=1
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop ; forgotten in Sean's version?
;;;

f8phi=1
f8write=1
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

For k=0 TO 16383

f8phi=1
f8write=1
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
f8romc3=0 ;ROMC state 0, fetch instruction
@ nop
@ nop
@ nop
@ nop
f8phi=0
@ nop
@ nop
@ nop
@ nop
f8write=0

f8phi=1
rom=PORTB ;read databus into buffer
f8phi=0

Debug rom ;send byte over serial line

Next k

End
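A host-side check for the binary log captured from the serial port, added here as an example and not part of the original page or of Sean Riddle's code. It strips the optional text banner sent by the 16C84 variant, checks the log against the byte count each listing clocks out, and compares two passes of the same cartridge to locate misreads. The function names and the variant labels are assumptions made for this example.

```python
import hashlib

# Banner sent by the 16C84 variant's optional Debug line before the ROM bytes.
BANNER = b"Dumping starts in two seconds..."
# Bytes each listing on this page clocks out (loop count x bytes per pass).
# The keys are labels chosen for this example.
EXPECTED = {"16f84": 1024 * 16, "16f628": 256 * 16, "16c84": 16384}


def clean_log(raw: bytes, variant: str) -> bytes:
    """Strip the text banner (if present) and enforce the expected length."""
    if variant not in EXPECTED:
        raise ValueError(f"unknown variant {variant!r}")
    data = raw[len(BANNER):] if raw.startswith(BANNER) else raw
    want = EXPECTED[variant]
    if len(data) != want:
        # Short logs mean dropped serial bytes; long ones mean stray data or
        # a terminal that was not logging the input as binary.
        raise ValueError(f"got {len(data)} bytes, expected {want}")
    return data


def compare_passes(a: bytes, b: bytes, limit: int = 8) -> list:
    """Return up to `limit` offsets where two dumps of one cart disagree."""
    if len(a) != len(b):
        raise ValueError("passes differ in length")
    diffs = [off for off, (x, y) in enumerate(zip(a, b)) if x != y]
    return diffs[:limit]


def fingerprint(data: bytes) -> str:
    """SHA-256 of a cleaned dump, for recording alongside the image."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample data, not a real cartridge image.
    rom = bytes((i * 7) & 0xFF for i in range(16384))
    pass1 = clean_log(BANNER + rom, "16c84")
    flaky = bytearray(rom)
    flaky[0x0123] ^= 0x10  # simulate one bit misread on the data bus
    pass2 = clean_log(bytes(flaky), "16c84")
    print("mismatched offsets:", [hex(o) for o in compare_passes(pass1, pass2)])
    print("sha256 pass1:", fingerprint(pass1))
```

Two passes that agree byte for byte and match the expected length are the minimum evidence that a dump is complete; any offsets returned by `compare_passes` point at reads worth repeating.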