Videocart dumper

From veswiki
Revision as of 13:17, 13 November 2013 by E5frog (talk | contribs)
Jump to: navigation, search

Sean Riddle built a dumper for the Videocarts to be able to lure the code out without damaging the cartridges. A portable version was shipped over the world to collect rare data from even rarer cartridges.


Pinout of cartridge:

1	ground
2	ground
3	D0
4	D1
5	/INTREQ
6	ROMC0
7	ROMC1
8	ROMC2
9	D2
10	ROMC3
11	D3
12	ROMC4
13	PHI
14	D4
15	WRITE
16	D5
17	D6
18	D7
19	+5V
20	+5V
21	Not Connected
22	+12V

Connect this way: Port A.0, pin w serial data, pair with ground wire to PC (if TTL compatible)
Port A.1, pin x f8phi clock signal, cart pin 13
Port A.2, pin y f8write write signal, cart pin 15
Port A.3, pin z f8romc3 ROMC3 signal, cart pin 10

Port B, used for data input D0-D7 from cartridge

PIC-processor pinout 16F628 (linked picture):
http://vallejo.cc/proyectos/cellbot/16f628pinout.jpg
Pinout is the same on the 16C84 and 16F84, no need for hardware changes if you swap between these.

PC PSU can be used for power, all needed voltages are available on the standard black (ground), red (5V), yellow (12V), black (ground)cable.



Files for PCI16F84, PIC16C84 and PIC16F628:
[PIC processor files]



Sean Riddle's original code (recommended)

;Fairchild Channel F cart dumper version 2

;2/10/2004 Sean Riddle seanriddle@cox.net

; slight modifications by e5frog 15/08/2009

 

INCLUDE "modedefs.bas"

@ device pic16f84, hs_osc, wdt_off


DEFINE	OSC		20			;20 MHz oscillator
DEFINE	NO_CLRWDT	1			;watchdog is off

DEFINE 	DEBUG_REG	PORTA			;serial output on A.0
DEFINE 	DEBUG_BIT	0
DEFINE 	DEBUG_BAUD	9600		; (was 4800) set terminal program to 9600 8-N-1, log input binary, dump and save the log.
DEFINE  DEBUG_MODE	1			; for direct output from PIC to serial port (signal to pin 2, GND to pin 5)(no MAX232)
' Set Debug mode: 0 = true, 1 = inverted


BUFSIZE 	CON		16			;16-byte buffer

i		VAR 		BYTE			;general register
k		VAR		WORD			;another

buf		VAR		BYTE			;buffer pointer
rom		VAR		BYTE[BUFSIZE]	;buffer to store ROM

f8phi		VAR		PORTA.1		;clock signal
f8write 	VAR		PORTA.2		;write signal
f8romc3 	VAR		PORTA.3		;ROMC3 signal

;	CMCON=7					;turn off comparators
OPTION_REG.7=0					;weak pull ups on port B
TRISB=$FF						;port B is all input

Low f8phi
Low f8write
Low f8romc3

;	Debug "start..."

Pause 2000						;wait a couple of seconds after reset

;	what I do:
;	clear PC0 with ROMC state 8
;	loop 1024 times (was 256)
;	fetch 16 bytes into buffer with ROMC state 0
;	dump buffer to serial port


	f8phi=1
	f8write=1

	@ nop						;NOPs used to create square waves
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0
	f8phi=1
	f8romc3=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8romc3=0
	f8phi=1
	f8romc3=1					; this puts us in ROMC state 8 - clear PC0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8romc3=1
	f8phi=1
	f8romc3=1

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop


;;;


	f8phi=1
	f8write=1

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0
	f8phi=1
	f8romc3=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0
	f8phi=1
	f8romc3=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0
	f8phi=1
	f8romc3=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0

 For k=1 TO 1024  ; was 256

	For i=0 TO BUFSIZE-1

		f8phi=1
		f8write=1

		@ nop
		@ nop
		@ nop
		@ nop

		f8phi=0

		@ nop
		@ nop
		@ nop
		@ nop

		f8write=0
		f8phi=1
		f8romc3=0

		@ nop
		@ nop
		@ nop
		@ nop

		f8phi=0

		@ nop
		@ nop
		@ nop
		@ nop

		f8write=0
		f8phi=1
		f8romc3=0				;ROMC state 0, fetch instruction

		@ nop
		@ nop
		@ nop
		@ nop

		f8phi=0

		@ nop
		@ nop
		@ nop
		@ nop

		f8write=0
		f8phi=1
		rom[i]=PORTB			;read databus into buffer
		f8phi=0

	Next i					 

	For i=0 TO BUFSIZE-1		;dump the buffer to the serial port
		Debug rom[i]
	Next i
Next k

 

End


Added needed changes for the PIC16F628 (which is what can be bought today).

;	Fairchild Channel F cart dumper version 2
;	2/10/2004 Sean Riddle seanriddle@cox.net
;	Evolved from 16f84 to 16F628A by Fredric Blåholtz 03/08/2009
;	Pic BASIC Pro 

INCLUDE "modedefs.bas"

@ device pic16f628, protect_off, cpd_off, lvp_off, bod_on, mclr_on, pwrt_on, wdt_off, hs_osc

DEFINE	OSC		20			; 20 MHz oscillator
DEFINE	NO_CLRWDT	1			; watchdog is off

DEFINE 	DEBUG_REG	PORTA			; serial output on A.0
DEFINE 	DEBUG_BIT	0
DEFINE 	DEBUG_BAUD	4800

BUFSIZE 	CON		16			; 16-byte buffer

i		VAR 		BYTE			; general register
j		VAR		BYTE			; 2nd general reg
k		VAR		WORD			; another

buf		VAR		BYTE			; buffer pointer
rom		VAR		BYTE[BUFSIZE]	; buffer to store ROM

f8phi		VAR		PORTA.1		; clock signal
f8write 	VAR		PORTA.2		; write signal
f8romc3 	VAR		PORTA.3		; ROMC3 signal

CMCON		=		7			; Port A = digital I/O
OPTION_REG.7=		0			; weak pull ups on port B
TRISB		=		$FF			; port B is all input
VRCON 	= 		0			; Voltage reference disabled

Low f8phi
Low f8write
Low f8romc3

;	Debug "start..."

Pause 2000						; wait a couple of seconds after reset

;	what I do:
;	clear PC0 with ROMC state 8
;	loop 256 times
;	fetch 16 bytes into buffer with ROMC state 0
;	dump buffer to serial port
;	clear PC0

	f8phi=1
	f8write=1

	@ nop						;NOPs used to create square waves
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0
	f8phi=1
	f8romc3=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8romc3=0
	f8phi=1
	f8romc3=1					; this puts us in ROMC state 8 - clear PC0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8romc3=1
	f8phi=1
	f8romc3=1

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop


;;;


	f8phi=1
	f8write=1

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0
	f8phi=1
	f8romc3=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0
	f8phi=1
	f8romc3=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0
	f8phi=1
	f8romc3=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0

 For k=1 TO 256

	For i=0 TO BUFSIZE-1

		f8phi=1
		f8write=1

		@ nop
		@ nop
		@ nop
		@ nop

		f8phi=0

		@ nop
		@ nop
		@ nop
		@ nop

		f8write=0
		f8phi=1
		f8romc3=0

		@ nop
		@ nop
		@ nop
		@ nop

		f8phi=0

		@ nop
		@ nop
		@ nop
		@ nop

		f8write=0
		f8phi=1
		f8romc3=0				;ROMC state 0, fetch instruction

		@ nop
		@ nop
		@ nop
		@ nop

		f8phi=0

		@ nop
		@ nop
		@ nop
		@ nop

		f8write=0
		f8phi=1
		rom[i]=PORTB			;read databus into buffer
		f8phi=0

	Next i					 

	For i=0 TO BUFSIZE-1		;dump the buffer to the serial port
		Debug rom[i]
	Next i
Next k

 

End





Attempt to run on a 4MHz PIC16C84, worked pretty well, didn't dump everything.


;	Fairchild Channel F cart dumper version 2
;	2/10/2004 Sean Riddle seanriddle@cox.net
;	Edited from 16f84 to 16c84 by Fredric Blåholtz 03/08/2009
;	Pic BASIC Pro 

INCLUDE "modedefs.bas"

@ device pic16c84, hs_osc, wdt_off

;DEFINE	OSC		10			;10 MHz oscillator
;DEFINE	OSC		3			;3.58... MHz oscillator
DEFINE	OSC		4			;4 MHz oscillator
DEFINE	NO_CLRWDT	1			;don't insert wake up watchdog code

DEFINE 	DEBUG_REG	PORTA			;serial output on A.0
DEFINE 	DEBUG_BIT	0
DEFINE 	DEBUG_BAUD	9600			; can be changed to other baud-rates as well 9600-8-N-1
' Set Debug mode: 0 = true, 1 = inverted
DEFINE	DEBUG_MODE	1			; needed when dumping directly from pic to serial port pin 2 (pin 5 GND).
 
k		VAR		WORD		;variable for loop
rom		VAR		BYTE		;buffer to store ROM

f8phi		VAR		PORTA.1		;clock signal
f8write 	VAR		PORTA.2		;write signal
f8romc3 	VAR		PORTA.3		;ROMC3 signal

OPTION_REG.7=0					;weak pull ups on port B
TRISB=$FF					;port B pins are all inputs

Low	f8phi					; set all signals LOW at startup
Low	f8write
Low	f8romc3

	Debug "Dumping starts in two seconds..." ; message on serial line - OPTIONAL

Pause 2000						;wait 2 seconds after a reset

;	what is done:
;	clear PC0 with ROMC state 8
;	fetch 1 byte into buffer with ROMC state 0
;	dump buffer to serial port
;	loop 16384 times




	f8phi=1
	f8write=1

	@ nop			;NOPs used to create square waves
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0
	f8phi=1
	f8romc3=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8romc3=0
	f8phi=1
	f8romc3=1		; this puts us in ROMC state 8 - clear PC0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8romc3=1
	f8phi=1
	f8romc3=1

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop

	@ nop			; forgotten in Sean's version?

;;;


	f8phi=1
	f8write=1

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0
	f8phi=1
	f8romc3=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0
	f8phi=1
	f8romc3=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0
	f8phi=1
	f8romc3=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8phi=0

	@ nop
	@ nop
	@ nop
	@ nop

	f8write=0

 For k=0 TO 16383

		f8phi=1
		f8write=1

		@ nop
		@ nop
		@ nop
		@ nop

		f8phi=0

		@ nop
		@ nop
		@ nop
		@ nop

		f8write=0
		f8phi=1
		f8romc3=0

		@ nop
		@ nop
		@ nop
		@ nop

		f8phi=0

		@ nop
		@ nop
		@ nop
		@ nop

		f8write=0
		f8phi=1
		f8romc3=0		;ROMC state 0, fetch instruction

		@ nop
		@ nop
		@ nop
		@ nop

		f8phi=0

		@ nop
		@ nop
		@ nop
		@ nop

		f8write=0
		f8phi=1
		rom=PORTB		;read databus into buffer
		f8phi=0

		Debug rom		;send byte over serial line


Next k

 

End