The Guru's ROM Dump News - AUSTRALIAN MIRROR

The Guru is proudly supported by....

If you like what you see and want to support me....

29th April 2023
Over the last couple of days I've been continuing with trojan dumping the whole main DRAM on Point Blank 3 using my hacked-in TSOP48 adapter. After a couple of days and 62 trojans run I had a total of about 1MB of plain text data (62 x 16384 bytes of data). I had previously mentioned trying to trojan-dump the data directly via one of the ports on the expansion I/O board but there wasn't much interest due to lack of info or code examples. I had a closer look at the board. There were some unpopulated parts on the ROM board, specifically some missing 0402 SMD capacitors, a missing J2 connector and a missing chip LT1181A. The datasheet shows it's a RS232 chip. Hmmm. I wonder where it connects. Only TR2 (receive port 2) is connected and it joins to the ROM board connector. I traced the motherboard and it went to a LVT245 buffer. The input of that connects to the CXD8606 CPU on pin 74 which is the serial port TXD1 pin. Wow! There'a an exposed serial port not going through any protection. That was pretty silly to leave it there on full retail boards hehe! I checked the TR2 pad going into the not-populated LT1181 chip with my logic probe and there was activity at power-on. This means the program is sending some data to the serial port at boot-up. I mentioned this to Windy Fairy and suggested he could hook up the serial port in the MAME System 10 driver, log it and see what comes out on one of the working System 10 games. It looked good, some debug info showed when capturing the data in a terminal program. From my point of view the first step is to see if I can capture the same stock data. I sprung into action!
This is a standard ROM board showing the missing parts.....

After a few minutes it had those parts, taken from a System 10 EXIO board on one of my Taiko no Tatsujin games. I was previously a bit overzealous with the hot glue so I had to chop part of it away to get the chip to fit in place, but it's all good now....

Then I had to haul my old laptop and EPROM programmer into my workroom bringing all the cables etc. and I precariously balanced the laptop on a chair. I found an old USB cable, ruthlessly chopped both ends off and wired a couple of wires onto J2 on the ROM board and hooked that to my old Toshiba Tecra A8 laptop which has the optional serial port module populated. It's just a simple DB9 null-modem cable with pins 1+4+6 tied, 2 is receive (RX, green wire), 5 is ground (black wire), 7 and 8 are tied together. Pin 3 is transfer (TX) but the PC is not doing any transferring and the System 10 board is not doing any receiving so that pin is not connected. This laptop runs Windows 7 so I downloaded the old shitty Microsoft Hyper Terminal and ran it then powered on the board....

It worked great! In the meantime over a couple of hours Windy Fairy had written a serial transfer dumping program using some of the example code Namco provided with their bootup debug thing and pre-tested it in MAME to make sure it was doing the right thing. I burned it to the NAND and ran the test. The first time it started dumping some hex data (we did it in ASCII HEX because it's easier to just capture plain text) but after about 2 seconds it reset and repeated again continuously every 2 seconds. He added some code to keep the watchdog happy and I re-burned the NAND and re-tested, then I got comfortable on a milk crate and waited while all the data scrolled up the screen at a blazingly fast 115200 baud....

After about 9 minutes it was done and I had a ~6MB text file on my HDD. Windy checked the data and confirmed everything was good and 5 minutes later these pics came back....

Job done! It hasn't been properly decrypted of course. This is just using the dumped code until the encryption is figured out. This will be playable in MAME 0.255 which gets released at the end of May. Or you could pull the source from github and compile your own if you can't wait :-)

26th April 2023
I've updated my Namco System 10 page with some history about what's been going on over the last few weeks. Read that to catch up.
The last 3 Namco System 10 boards were being stubborn as far as emulating them is concerned so I ran a few trojans on the boards for Taiko no Tatsujin 3 & 5 and Point Blank 3 and that led to the decryption of TK3 and TK5. However Point Blank 3 is being more stubborn so it requires many more trojans. Unfortunately the protection keycus prevents writing to the whole NAND ROM so the trojan can only write to the high score area of the NAND which is only 16kB. It's EXTREMELY time consuming to pull and remount SMD tsop48 ROMs as well as the PCB pads are not going to last so I've mounted a DIP48-TSOP48 ZIF socket onto the board. Now I can just program and swap the NAND ROM over in 30 seconds. The main program is 4MB but hopefully all 256 trojan reads to get the fully decrypted code won't be required. But at least now I'm prepared for it if necessary hehe!
This pic shows the board working using the original ROM to verify everything is good. It works so it's all good :-)

21st April 2023
I've added a new Namco System 10 Page to my main menu 'Guru Status'. Previously this info was on a google spreadsheet but now that info has been transferred over permanently to this site. The spreadsheet will not receive any more updates from me. Keep an eye out on my System 10 page at least daily because things are probably going to move very quickly ;-)

4th February 2023
An undumped Namco Tekken 3 PCB (TET2 Ver.C) arrived from long time MAME supporter Heihachi_73 (a fellow Aussie from Melbourne) which has now been dumped and added to MAME.

Before dumping it I had to remove the battery which is located right next to the flash ROMs....

Many many years ago (probably 20) I once made the mistake of not removing the battery in order to retain the coinage/play/character-unlock data. That was a mistake... upon heating the ROMs with hot air the battery decided to go nuclear and it literally disappeared never to be seen again heheh! So I removed the battery first. But before doing that let's have a look at the coinage/play data....

Total coins is 6951. Total power-on time is 8395 hours. If we assume it is on 12 hours/day that's a bit less than 2 years of on-site operation. The coin rate per hour is about 82c per hour. Not exactly a great hourly rate but I suppose the arcade operator eventually got his money back plus a bit of profit assuming he paid less than $7k for the cabinet. The total play time is only 301 hours so this game was clearly not very popular. 301 hours vs 8395 power on time means it was only played 3 1/2% of the time it was powered on.

The board is working but has some minor damage so for fun I will try to fix it.
The top board has a surface mounted electrolytic cap missing. This is quite common and doesn't affect anything so no need to replace it. The only time missing caps need to be replaced is when they are connected to thin traces and are part of some circuit. When there are many caps on power planes, one cap doesn't affect much if it's missing as there are several on the power plane already. One trick often done on laptop/phones is just to snap off a bad/shorted cap connected between VCC and GND and that will remove the short and the device will start working which proves all of them are not required. You could replace it if you wanted but I'm going to move on.
The bottom board has one damaged EMI filter and a missing SMD capacitor...

While EMI filters probably don't do a whole lot either, the way it is wired, the signals from the JAMMA connector go through the EMI filters then to other components. If the EMI filter is bad the signals won't get to the right place. Look closely and you can see the EMI filter at FL6 has a hairline crack in it. Cracking isn't that common (it's clearly had some kind of heavy blow on it) but it is common for the EMI filters to have cracked/dry joints and re-flowing them often fixes it. In this case it has to be replaced. You could also just replace the filter with wires if you didn't have spare parts. In my case I have a few dead/junk Namco System 12 boards lying around so I have plenty of spare parts.

The small cap was also replaced. This is a 2.2nF 0603 SMD MLCC capacitor. This took about 10 minutes to fix including pulling the parts off the junk board and cleaning the board with some special PCB cleaner ;-)
I powered on the board, inserted a coin and hit start. The character select screen had the selector moving automatically to the right. I went into the test mode to check the inputs....

Looks like 'right' is stuck on. I can move the joystick in other directions but when I let go of the joystick it goes back to the right direction by itself. With my logic probe I checked pin 5 of FL6 (the 'right' input) and there was no signal, nothing! The inputs are usually pulled up to VCC through a pull-up resistor and moving the joystick actually grounds that same signal and causes it to go low. When the joystick is not touched the signal automatically goes high again because of the pull-up resistor. In this case there was nothing, it was floating. The signal first goes to some adjacent 74HC257 logic chips. The floating no-connect signal is low enough on the logic chip input (pin 2 in this case) that it thinks right be being activated. I removed a bunch of parts along the path of the JAMMA right direction so I could check them and the traces....

The traces are all joined. At the back is another 2.2nF SMD MLCC capacitor and a 103 (10K) resistor. These tested ok in my component tester. The part before that is marked R102...

On first glance this looks like a common 1K resistor array.... 1, 0 and 2 extra zeros = 1000 Ohms = 1K ohm. This particular resistor array consists of separate 0603 resistors and looks like a common off-the-shelf part. I used my multimeter to measure the resistance of each resistor. Now this is the unusual part... the resistors are not all the same! It measures 1K, 2K, OPEN, 2K, 1K. The open resistor seems to be the issue. I pulled another identical part off my junk board and measured it. It measures 1K, 2K, 2K, 2K, 1K. Ahh!!! I figured this was a custom part but I found the datasheet and it's a stock part. The datasheet is available online. Below is a quick snip from it. It's the R-Type. The R refers to the type of circuit inside which in this case is 10P8R. This is actually 8x 1K resistors. The 3 middle pins connect 2x 1K resistors together in the middle. The 2 outer pins connect to a 1K resistor in the middle and the other end joins with a wire to the pins (5 and 10). So that's why the middle pins measure 2K and the outer pins measure 1K. In this case if you didn't have the required part you could simply replace all 5 positions with common SMD resistors (probably 0402 would fit... remember there's 2 butted together in the middle...) and wire them as per the circuit (probably very tricky work for such a small SMD area) or just buy some online. I have the part so I just replaced it....

Now it looks like new and you can't even tell it's been repaired hehe!
I powered on the board and checked the test mode controls and all are good. I played a game and it's working fine now.

In other news, I also dumped a Tekken 2 TES3 Ver.A board which was previously undumped. This was a redump because I actually dumped this many years ago. I later found the older dump (dated December 2016!!) and the CRC32's matched exactly. For some reason either I forgot to upload it or someone forgot to add it when I released the dump into the wild, but it's done now ;-)

Older News.....
2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000

The Guru is proudly supported by....