Difference between revisions of "Videocart dumper"
From veswiki
| Line 29: | Line 29: | ||
22 +12V | 22 +12V | ||
</pre> | </pre> | ||
| + | |||
| + | Connect this way: | ||
| + | Port A.0, pin w serial data, pair with ground wire to PC (if TTL compatible) | ||
| + | Port A.1, pin x f8phi clock signal, cart pin 13 | ||
| + | Port A.2, pin y f8write write signal, cart pin 15 | ||
| + | Port A.3, pin z f8romc3 ROMC3 signal, cart pin 10 | ||
| + | |||
| + | Port B, used for data input D0-D7 from cartridge | ||
| + | |||
| + | PIC-processor pinout 16F628 (linked picture): | ||
| + | http://vallejo.cc/proyectos/cellbot/16f628pinout.jpg | ||
| + | Pinout is the same on the 16C84 and 16F84, no need for hardware changes if you swap between these. | ||
| + | |||
| + | PC PSU can be used for power, all needed voltages are available on the standard black (ground), red (5V), yellow (12V), black (ground)cable. | ||
| + | |||
| + | |||
| + | |||
Revision as of 15:16, 13 November 2013
Sean Riddle built a dumper for the Videocarts to be able to lure the code out without damaging the cartridges. A portable version was shipped over the world to collect rare data from even rarer cartridges.
Pinout of cartridge:
1 ground 2 ground 3 D0 4 D1 5 /INTREQ 6 ROMC0 7 ROMC1 8 ROMC2 9 D2 10 ROMC3 11 D3 12 ROMC4 13 PHI 14 D4 15 WRITE 16 D5 17 D6 18 D7 19 +5V 20 +5V 21 Not Connected 22 +12V
Connect this way: Port A.0, pin w serial data, pair with ground wire to PC (if TTL compatible) Port A.1, pin x f8phi clock signal, cart pin 13 Port A.2, pin y f8write write signal, cart pin 15 Port A.3, pin z f8romc3 ROMC3 signal, cart pin 10
Port B, used for data input D0-D7 from cartridge
PIC-processor pinout 16F628 (linked picture): http://vallejo.cc/proyectos/cellbot/16f628pinout.jpg Pinout is the same on the 16C84 and 16F84, no need for hardware changes if you swap between these.
PC PSU can be used for power, all needed voltages are available on the standard black (ground), red (5V), yellow (12V), black (ground)cable.
Files for PCI16F84, PIC16C84 and PIC16F628:
[PIC processor files]
Sean Riddle's original code (recommended)
;Fairchild Channel F cart dumper version 2 ;2/10/2004 Sean Riddle seanriddle@cox.net ; slight modifications by e5frog 15/08/2009 INCLUDE "modedefs.bas" @ device pic16f84, hs_osc, wdt_off DEFINE OSC 20 ;20 MHz oscillator DEFINE NO_CLRWDT 1 ;watchdog is off DEFINE DEBUG_REG PORTA ;serial output on A.0 DEFINE DEBUG_BIT 0 DEFINE DEBUG_BAUD 9600 ; (was 4800) set terminal program to 9600 8-N-1, log input binary, dump and save the log. DEFINE DEBUG_MODE 1 ; for direct output from PIC to serial port (signal to pin 2, GND to pin 5)(no MAX232) ' Set Debug mode: 0 = true, 1 = inverted BUFSIZE CON 16 ;16-byte buffer i VAR BYTE ;general register k VAR WORD ;another buf VAR BYTE ;buffer pointer rom VAR BYTE[BUFSIZE] ;buffer to store ROM f8phi VAR PORTA.1 ;clock signal f8write VAR PORTA.2 ;write signal f8romc3 VAR PORTA.3 ;ROMC3 signal ; CMCON=7 ;turn off comparators OPTION_REG.7=0 ;weak pull ups on port B TRISB=$FF ;port B is all input Low f8phi Low f8write Low f8romc3 ; Debug "start..." Pause 2000 ;wait a couple of seconds after reset ; what I do: ; clear PC0 with ROMC state 8 ; loop 1024 times (was 256) ; fetch 16 bytes into buffer with ROMC state 0 ; dump buffer to serial port f8phi=1 f8write=1 @ nop ;NOPs used to create square waves @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8romc3=0 f8phi=1 f8romc3=1 ; this puts us in ROMC state 8 - clear PC0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8romc3=1 f8phi=1 f8romc3=1 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop ;;; f8phi=1 f8write=1 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 For k=1 TO 1024 ; was 256 For i=0 TO BUFSIZE-1 f8phi=1 f8write=1 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 ;ROMC state 0, fetch instruction @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 rom[i]=PORTB ;read databus into buffer f8phi=0 Next i For i=0 TO BUFSIZE-1 ;dump the buffer to the serial port Debug rom[i] Next i Next k End
Added needed changes for the PIC16F628 (which is what can be bought today).
; Fairchild Channel F cart dumper version 2 ; 2/10/2004 Sean Riddle seanriddle@cox.net ; Evolved from 16f84 to 16F628A by Fredric Blåholtz 03/08/2009 ; Pic BASIC Pro INCLUDE "modedefs.bas" @ device pic16f628, protect_off, cpd_off, lvp_off, bod_on, mclr_on, pwrt_on, wdt_off, hs_osc DEFINE OSC 20 ; 20 MHz oscillator DEFINE NO_CLRWDT 1 ; watchdog is off DEFINE DEBUG_REG PORTA ; serial output on A.0 DEFINE DEBUG_BIT 0 DEFINE DEBUG_BAUD 4800 BUFSIZE CON 16 ; 16-byte buffer i VAR BYTE ; general register j VAR BYTE ; 2nd general reg k VAR WORD ; another buf VAR BYTE ; buffer pointer rom VAR BYTE[BUFSIZE] ; buffer to store ROM f8phi VAR PORTA.1 ; clock signal f8write VAR PORTA.2 ; write signal f8romc3 VAR PORTA.3 ; ROMC3 signal CMCON = 7 ; Port A = digital I/O OPTION_REG.7= 0 ; weak pull ups on port B TRISB = $FF ; port B is all input VRCON = 0 ; Voltage reference disabled Low f8phi Low f8write Low f8romc3 ; Debug "start..." Pause 2000 ; wait a couple of seconds after reset ; what I do: ; clear PC0 with ROMC state 8 ; loop 256 times ; fetch 16 bytes into buffer with ROMC state 0 ; dump buffer to serial port ; clear PC0 f8phi=1 f8write=1 @ nop ;NOPs used to create square waves @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8romc3=0 f8phi=1 f8romc3=1 ; this puts us in ROMC state 8 - clear PC0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8romc3=1 f8phi=1 f8romc3=1 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop ;;; f8phi=1 f8write=1 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 For k=1 TO 256 For i=0 TO BUFSIZE-1 f8phi=1 f8write=1 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 ;ROMC state 0, fetch instruction @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 rom[i]=PORTB ;read databus into buffer f8phi=0 Next i For i=0 TO BUFSIZE-1 ;dump the buffer to the serial port Debug rom[i] Next i Next k End
Attempt to run on a 4MHz PIC16C84, worked pretty well, didn't dump everything.
; Fairchild Channel F cart dumper version 2 ; 2/10/2004 Sean Riddle seanriddle@cox.net ; Edited from 16f84 to 16c84 by Fredric Blåholtz 03/08/2009 ; Pic BASIC Pro INCLUDE "modedefs.bas" @ device pic16c84, hs_osc, wdt_off ;DEFINE OSC 10 ;10 MHz oscillator ;DEFINE OSC 3 ;3.58... MHz oscillator DEFINE OSC 4 ;4 MHz oscillator DEFINE NO_CLRWDT 1 ;don't insert wake up watchdog code DEFINE DEBUG_REG PORTA ;serial output on A.0 DEFINE DEBUG_BIT 0 DEFINE DEBUG_BAUD 9600 ; can be changed to other baud-rates as well 9600-8-N-1 ' Set Debug mode: 0 = true, 1 = inverted DEFINE DEBUG_MODE 1 ; needed when dumping directly from pic to serial port pin 2 (pin 5 GND). k VAR WORD ;variable for loop rom VAR BYTE ;buffer to store ROM f8phi VAR PORTA.1 ;clock signal f8write VAR PORTA.2 ;write signal f8romc3 VAR PORTA.3 ;ROMC3 signal OPTION_REG.7=0 ;weak pull ups on port B TRISB=$FF ;port B pins are all inputs Low f8phi ; set all signals LOW at startup Low f8write Low f8romc3 Debug "Dumping starts in two seconds..." ; message on serial line - OPTIONAL Pause 2000 ;wait 2 seconds after a reset ; what is done: ; clear PC0 with ROMC state 8 ; fetch 1 byte into buffer with ROMC state 0 ; dump buffer to serial port ; loop 16384 times f8phi=1 f8write=1 @ nop ;NOPs used to create square waves @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8romc3=0 f8phi=1 f8romc3=1 ; this puts us in ROMC state 8 - clear PC0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8romc3=1 f8phi=1 f8romc3=1 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop ; forgotten in Sean's version? ;;; f8phi=1 f8write=1 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 For k=0 TO 16383 f8phi=1 f8write=1 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 f8romc3=0 ;ROMC state 0, fetch instruction @ nop @ nop @ nop @ nop f8phi=0 @ nop @ nop @ nop @ nop f8write=0 f8phi=1 rom=PORTB ;read databus into buffer f8phi=0 Debug rom ;send byte over serial line Next k End
