431 lines
14 KiB
C++
431 lines
14 KiB
C++
/*
|
|
* awcartridge.cpp
|
|
*
|
|
* Created on: Nov 5, 2018
|
|
* Author: flyinghead
|
|
* Plagiarized from mame (mame/src/mame/machine/awboard.cpp)
|
|
* // license:BSD-3-Clause
|
|
* // copyright-holders:Olivier Galibert,Andreas Naive
|
|
*
|
|
*/
|
|
|
|
/*
|
|
|
|
Atomiswave ROM board specs from Cah4e3 @ http://cah4e3.wordpress.com/2009/07/26/some-atomiswave-info/
|
|
|
|
AW_EPR_OFFSETL Register addres: 0x5f7000
|
|
+-------------------------------------------------------------------------------+
|
|
| bit15-0 |
|
|
+-------------------------------------------------------------------------------+
|
|
| EPR data offset low word |
|
|
+-------------------------------------------------------------------------------+
|
|
|
|
AW_EPR_OFFSETH Register addres: 0x5f7004
|
|
+-------------------------------------------------------------------------------+
|
|
| bit15-0 |
|
|
+-------------------------------------------------------------------------------+
|
|
| EPR data offset hi word |
|
|
+-------------------------------------------------------------------------------+
|
|
|
|
Both low and high words of 32-bit offset from start of EPR-ROM area. Used for
|
|
reading header and program code data, cannot be used for reading MPR-ROMs data.
|
|
During program code DMA transfer Romeo MCU perform data checksuming (decrypted data, in 8bit units),
|
|
result must match some CPLD / encryption key-specific value, otherwise MPR-ROM access
|
|
described below will not work correctly.
|
|
Game header (first 256 bytes of ROM) is not checksum protected.
|
|
|
|
AW_MPR_RECORD_INDEX Register addres: 0x5f700c
|
|
+-------------------------------------------------------------------------------+
|
|
| bit15-0 |
|
|
+-------------------------------------------------------------------------------+
|
|
| File system record index |
|
|
+-------------------------------------------------------------------------------+
|
|
|
|
This register contains index of MPR-ROM file system record (64-bytes in size) to
|
|
read throught DMA. Internal DMA offset register is assigned as AW_MPR_RECORD_INDEX<<6
|
|
from start of MPR-ROM area. Size of DMA transaction not limited, it is possible
|
|
to read any number of records or just part of it.
|
|
|
|
AW_MPR_FIRST_FILE_INDEX Register addres: 0x5f7010
|
|
+-------------------------------------------------------------------------------+
|
|
| bit15-0 |
|
|
+-------------------------------------------------------------------------------+
|
|
| First file record index |
|
|
+-------------------------------------------------------------------------------+
|
|
|
|
This register assign for internal cart circuit index of record in MPR-ROM file
|
|
system sub-area that contain information about first file of MPR-ROM files
|
|
sub-area. Internal circuit using this record to read absolute first file offset
|
|
from start of MPR-ROM area and calculate normal offset for each other file
|
|
requested, since MPR-ROM file data sub-area can be assighed only with relative
|
|
offsets from start of such sub-area.
|
|
|
|
AW_MPR_FILE_OFFSETL Register addres: 0x5f7014
|
|
+-------------------------------------------------------------------------------+
|
|
| bit15-0 |
|
|
+-------------------------------------------------------------------------------+
|
|
| MPR file offset low word |
|
|
+-------------------------------------------------------------------------------+
|
|
|
|
AW_MPR_FILE_OFFSETH Register addres: 0x5f7018
|
|
+-------------------------------------------------------------------------------+
|
|
| bit15-0 |
|
|
+-------------------------------------------------------------------------------+
|
|
| MPR file offset hi word |
|
|
+-------------------------------------------------------------------------------+
|
|
|
|
Both low and high words of 32-bit relative offset from start of MPR-ROM files
|
|
sub-area. Used by internal circuit to calculate absolute offset using data
|
|
from AW_MPR_FIRST_FILE_INDEX register. Cannot be used for reading EPR-ROM
|
|
data nor even MPR-ROM file system sub-area data.
|
|
|
|
AW_PIO_DATA Register addres: 0x5f7080
|
|
+-------------------------------------------------------------------------------+
|
|
| bit15-0 |
|
|
+-------------------------------------------------------------------------------+
|
|
| Read/Write word from/to ROM board address space |
|
|
+-------------------------------------------------------------------------------+
|
|
|
|
Using this register data can be read or written to ROM BD at AW_EPR_OFFSET directly,
|
|
decryption is not used, flash ROMs (re)programming via CFI commands possible.
|
|
|
|
Type 2 ROM BD have MPR_BANK register at AW_EPR_OFFSET 007fffff, which selects
|
|
1 of 4 mask ROM banks.
|
|
|
|
ROM board internal layouts:
|
|
|
|
Type 1:
|
|
|
|
00000000 - 00800000 IC18 flash ROM
|
|
00800000 - 01000000 IC10 or mirror of above
|
|
01000000 - 02000000 IC11 \
|
|
..... mask ROMs
|
|
07000000 - 08000000 IC17 /
|
|
|
|
Type 2:
|
|
|
|
00000000 - 00800000 FMEM1 flash ROM
|
|
00800000 - 01000000 mirror of above
|
|
01000000 - 01800000 FMEM2 flash ROM
|
|
01800000 - 02000000 mirror of above
|
|
02000000 - 04000000 MROM1 MROM4 MROM7 MROM10 \
|
|
04000000 - 06000000 MROM2 MROM5 MROM8 MROM11 banked mask ROMs
|
|
06000000 - 08000000 MROM3 MROM6 MROM9 MROM12 /
|
|
|
|
Type 3:
|
|
|
|
00000000 - 01000000 U3 flash ROM
|
|
01000000 - 02000000 U1 flash ROM
|
|
02000000 - 03000000 U4 flash ROM
|
|
03000000 - 04000000 U2 flash ROM
|
|
04000000 - 05000000 U15 flash ROM
|
|
05000000 - 06000000 U17 flash ROM
|
|
06000000 - 07000000 U14 flash ROM
|
|
07000000 - 08000000 U16 flash ROM
|
|
|
|
Development:
|
|
|
|
00000000 - 00800000 IC12 \
|
|
..... flash ROMs
|
|
07800000 - 08000000 IC27 /
|
|
|
|
|
|
In short:
|
|
|
|
EPR-ROM
|
|
+--------------+ 0x00000000
|
|
| |
|
|
| HEADER +- AW_EPR_OFFSET << 1
|
|
| |
|
|
+--------------+
|
|
| |
|
|
| CODE +- AW_EPR_OFFSET << 1
|
|
| |
|
|
| |
|
|
+--------------+ 0x007fffff
|
|
|
|
MPR-ROMS
|
|
+--------------+ 0x00000000
|
|
| FS_HEADER |
|
|
| FS_RECORD[1] +- (AW_MPR_RECORD_INDEX << 6)
|
|
| FS_RECORD[2] |
|
|
| FS_RECORD[3] +- (AW_MPR_FIRST_FILE_INDEX << 6)
|
|
| ... |
|
|
| FS_RECORD[N] |
|
|
+--------------+- FS_RECORD[AW_MPR_FIRST_FILE_INDEX].FILE_ABS_OFFSET
|
|
| FILE_0 |
|
|
| FILE_1 +- (AW_MPR_FILE_OFFSET << 1) + FS_RECORD[AW_MPR_FIRST_FILE_INDEX].FILE_ABS_OFFSET
|
|
| ... |
|
|
| FILE_N |
|
|
+--------------+ 0x07ffffff
|
|
|
|
*/
|
|
#include "awcartridge.h"
|
|
#include "awave_regs.h"
|
|
#ifdef _MSC_VER
|
|
#undef min
|
|
#undef max
|
|
#include <algorithm>
|
|
#endif
|
|
|
|
u32 AWCartridge::ReadMem(u32 address, u32 size) {
|
|
verify(size != 1);
|
|
switch(address & 255)
|
|
{
|
|
// case AW_EPR_OFFSETH_addr:
|
|
// break;
|
|
// case AW_EPR_OFFSETL_addr:
|
|
// break;
|
|
// case AW_MPR_RECORD_INDEX_addr:
|
|
// break;
|
|
// case AW_MPR_FIRST_FILE_INDEX_addr:
|
|
// break;
|
|
// case AW_MPR_FILE_OFFSETH_addr:
|
|
// break;
|
|
// case AW_MPR_FILE_OFFSETL_addr:
|
|
// break;
|
|
case AW_PIO_DATA_addr:
|
|
{
|
|
u32 roffset = epr_offset & 0x3ffffff;
|
|
if (roffset >= (mpr_offset / 2))
|
|
roffset += mpr_bank * 0x4000000;
|
|
u16 retval = (RomSize > (roffset * 2)) ? ((u16 *)RomPtr)[roffset] : 0; // not endian-safe?
|
|
DEBUG_LOG(NAOMI, "AWCART ReadMem %08x: %x", address, retval);
|
|
return retval;
|
|
}
|
|
default:
|
|
INFO_LOG(NAOMI, "Unhandled awcart read %X, %d", address, size);
|
|
return 0xffff;
|
|
}
|
|
}
|
|
|
|
void AWCartridge::WriteMem(u32 address, u32 data, u32 size)
|
|
{
|
|
switch(address & 255)
|
|
{
|
|
case AW_EPR_OFFSETH_addr:
|
|
epr_offset = (epr_offset & 0x0000ffff) | (data << 16);
|
|
recalc_dma_offset(EPR);
|
|
break;
|
|
|
|
case AW_EPR_OFFSETL_addr:
|
|
epr_offset = (epr_offset & 0xffff0000) | (u16)data;
|
|
recalc_dma_offset(EPR);
|
|
break;
|
|
|
|
case AW_MPR_RECORD_INDEX_addr:
|
|
mpr_record_index = data;
|
|
recalc_dma_offset(MPR_RECORD);
|
|
break;
|
|
|
|
case AW_MPR_FIRST_FILE_INDEX_addr:
|
|
mpr_first_file_index = data;
|
|
recalc_dma_offset(MPR_FILE);
|
|
break;
|
|
|
|
case AW_MPR_FILE_OFFSETH_addr:
|
|
mpr_file_offset = (mpr_file_offset & 0x0000ffff) | (data << 16);
|
|
recalc_dma_offset(MPR_FILE);
|
|
break;
|
|
|
|
case AW_MPR_FILE_OFFSETL_addr:
|
|
mpr_file_offset = (mpr_file_offset & 0xffff0000) | (u16)data;
|
|
recalc_dma_offset(MPR_FILE);
|
|
break;
|
|
|
|
case AW_PIO_DATA_addr:
|
|
// write to ROM board address space, including FlashROM programming using CFI (TODO)
|
|
DEBUG_LOG(NAOMI, "Write to AW_PIO_DATA: %x", data);
|
|
if (epr_offset == 0x7fffff)
|
|
mpr_bank = data & 3;
|
|
break;
|
|
|
|
default:
|
|
INFO_LOG(NAOMI, "Unhandled awcart write %X: %d sz %d", address, data, size);
|
|
break;
|
|
}
|
|
}
|
|
|
|
/*
|
|
We are using 8 bits keys with the following subfields' structure:
|
|
bits 0-3 is a index of 16-bits XOR (only 11 was used in known games)
|
|
bits 4-5 is a index to the sboxes table
|
|
bits 6-7 is a index to the permutation table
|
|
|
|
These subfields could be differing from the "real" ones in the following ways:
|
|
- Current keys equal to decrypted game code binary 8-bit sum (of each byte's swapped 4-bit nibbles)
|
|
- Every one of the index subfields could be suffering an arbitrary bitswap and XOR
|
|
- The 16-bits-XOR subfield could suffer an arbitrary XOR which could depend on the 4 index bits (that is: a different XOR per every index combination)
|
|
- Of course, the way in which we are mixing 3 subfields in one only key is arbitrary too.
|
|
*/
|
|
|
|
|
|
const u8 AWCartridge::permutation_table[4][16] =
|
|
{
|
|
{14,1,11,15,7,3,8,13,0,4,2,12,6,10,5,9},
|
|
{8,10,1,3,7,4,11,2,5,15,6,0,12,13,9,14},
|
|
{4,5,9,6,1,13,7,11,10,0,14,12,8,15,2,3},
|
|
{12,7,11,2,0,5,15,6,1,8,14,4,9,13,3,10}
|
|
};
|
|
|
|
const AWCartridge::sbox_set AWCartridge::sboxes_table[4] =
|
|
{
|
|
{
|
|
{11,8,6,25,2,7,23,28,5,10,21,20,1,26,17,19,14,27,22,30,15,4,9,24,31,3,16,12,0,18,29,13},
|
|
{13,5,9,6,4,2,11,10,12,0,8,1,3,14,15,7},
|
|
{1,13,11,3,8,7,9,10,12,15,4,14,0,5,6,2},
|
|
{3,0,5,6,2,4,1,7}
|
|
},
|
|
{
|
|
{9,15,28,7,13,24,2,23,21,1,22,16,18,8,17,31,27,6,30,12,4,20,5,19,0,25,3,29,10,14,11,26},
|
|
{5,2,13,11,8,6,12,1,4,3,0,10,14,15,7,9},
|
|
{11,6,10,0,12,1,8,14,2,9,13,3,7,4,15,5},
|
|
{1,5,6,2,4,7,3,0}
|
|
},
|
|
{
|
|
{17,25,29,27,5,11,10,21,2,8,13,0,30,3,14,16,22,1,7,15,31,18,4,20,9,19,26,24,23,28,12,6},
|
|
{15,3,2,11,7,14,6,12,1,13,0,8,9,4,10,5},
|
|
{6,12,5,7,4,8,2,3,1,14,13,11,9,10,0,15},
|
|
{5,1,0,3,4,6,2,7}
|
|
},
|
|
{
|
|
{7,21,9,20,10,28,31,11,16,15,14,30,27,23,5,25,0,22,24,2,6,17,3,18,4,12,13,19,26,1,29,8},
|
|
{10,6,5,1,13,0,9,2,15,14,7,11,8,3,12,4},
|
|
{8,6,15,13,2,7,1,3,11,0,14,10,4,5,12,9},
|
|
{6,5,4,1,0,2,3,7}
|
|
}
|
|
};
|
|
|
|
const int AWCartridge::xor_table[16] = // -1 = unknown/unused
|
|
{
|
|
0x0000, -1, 0x97CF, 0x4BE3, 0x2255, 0x8DD6, -1, 0xC6A2, 0xA1E8, 0xB3BF, 0x3B1A, 0x547A, -1, 0x935F, -1, -1
|
|
};
|
|
|
|
static u16 bitswap16(u16 in, const u8* vec)
|
|
{
|
|
u16 ret = 0;
|
|
for (int i = 0; i<16; i++) {
|
|
ret |= ((in >> vec[i])&0x1)<<(15-i);
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
u16 AWCartridge::decrypt(u16 cipherText, u32 address, const u8 key)
|
|
{
|
|
u8 b0,b1,b2,b3;
|
|
u16 aux;
|
|
const u8* pbox = permutation_table[key>>6];
|
|
const sbox_set* ss = &sboxes_table[(key>>4)&3];
|
|
|
|
const u8 text_swap_vec[] = {
|
|
pbox[15],pbox[14],pbox[13],pbox[12],pbox[11],pbox[10],pbox[9],pbox[8],
|
|
pbox[7],pbox[6],pbox[5],pbox[4],pbox[3],pbox[2],pbox[1],pbox[0] };
|
|
aux = bitswap16(cipherText, text_swap_vec);
|
|
const u8 addr_swap_vec[] = { 13,5,2, 14,10,9,4, 15,11,6,1, 12,8,7,3,0 };
|
|
aux = aux ^ bitswap16((u16)address, addr_swap_vec);
|
|
|
|
b0 = aux&0x1f;
|
|
b1 = (aux>>5)&0xf;
|
|
b2 = (aux>>9)&0xf;
|
|
b3 = aux>>13;
|
|
|
|
b0 = ss->S0[b0];
|
|
b1 = ss->S1[b1];
|
|
b2 = ss->S2[b2];
|
|
b3 = ss->S3[b3];
|
|
|
|
return ((b3<<13)|(b2<<9)|(b1<<5)|b0)^xor_table[key&0xf];
|
|
}
|
|
|
|
|
|
void AWCartridge::Init()
|
|
{
|
|
mpr_offset = decrypt16(0x58/2) | (decrypt16(0x5a/2) << 16);
|
|
INFO_LOG(NAOMI, "AWCartridge::SetKey rombd_key %02x mpr_offset %08x", rombd_key, mpr_offset);
|
|
device_reset();
|
|
}
|
|
|
|
void AWCartridge::SetKey(u32 key)
|
|
{
|
|
rombd_key = key;
|
|
}
|
|
|
|
void AWCartridge::device_reset()
|
|
{
|
|
epr_offset = 0;
|
|
mpr_record_index = 0;
|
|
mpr_first_file_index = 0;
|
|
mpr_file_offset = 0;
|
|
mpr_bank = 0;
|
|
|
|
dma_offset = 0;
|
|
dma_limit = 0;
|
|
}
|
|
|
|
void AWCartridge::recalc_dma_offset(int mode)
|
|
{
|
|
switch(mode) {
|
|
case EPR:
|
|
dma_offset = epr_offset * 2;
|
|
dma_limit = mpr_offset;
|
|
break;
|
|
|
|
case MPR_RECORD:
|
|
dma_offset = mpr_offset + mpr_record_index * 0x40;
|
|
dma_limit = std::min((u32)0x8000000, RomSize);
|
|
break;
|
|
|
|
case MPR_FILE: {
|
|
u32 filedata_offs = (mpr_bank * 0x8000000 + mpr_offset + mpr_first_file_index * 0x40 + 8) / 2;
|
|
dma_offset = decrypt16(filedata_offs) | (decrypt16(filedata_offs + 1) << 16);
|
|
dma_offset = (mpr_offset + dma_offset + mpr_file_offset * 2) & 0x7ffffff;
|
|
dma_limit = std::min((uint32_t)0x8000000, RomSize);
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (dma_offset >= mpr_offset) {
|
|
u32 bank_base = mpr_bank * 0x8000000;
|
|
dma_offset += bank_base;
|
|
dma_limit = std::min(dma_limit + bank_base, RomSize);
|
|
}
|
|
}
|
|
|
|
void *AWCartridge::GetDmaPtr(u32 &limit)
|
|
{
|
|
limit = std::min(std::min(limit, (u32)32), dma_limit - dma_offset);
|
|
u32 offset = dma_offset / 2;
|
|
for (int i = 0; i < limit / 2; i++)
|
|
decrypted_buf[i] = decrypt16(offset + i);
|
|
|
|
// printf("AWCART Decrypted data @ %08x:\n", dma_offset);
|
|
// for (int i = 0; i < 16; i++)
|
|
// {
|
|
// printf("%02x %02x ", decrypted_buf[i] & 0xff, decrypted_buf[i] >> 8);
|
|
// if ((i + 1) % 8 == 0)
|
|
// printf("\n");
|
|
// }
|
|
|
|
return decrypted_buf;
|
|
}
|
|
|
|
void AWCartridge::AdvancePtr(u32 size)
|
|
{
|
|
dma_offset += size;
|
|
}
|
|
|
|
std::string AWCartridge::GetGameId()
|
|
{
|
|
if (RomSize < 0x30 + 0x20)
|
|
return "(ROM too small)";
|
|
|
|
dma_offset = 0x30;
|
|
u32 limit = 0x20;
|
|
char *name = (char *)GetDmaPtr(limit);
|
|
std::string game_id(name, limit);
|
|
while (!game_id.empty() && game_id.back() == ' ')
|
|
game_id.pop_back();
|
|
return game_id;
|
|
}
|
|
|