Tuesday, March 22, 2005

How to dump a NMK004

This is still at the theorical level, until one of the hardware gurus gets his hands dirty and tries to put it in practice.

The NMK004 cannot be dumped directly using the common methods, but the way it operates can probably be used to extract the internal ROM data in another way.

The external ROM contains data tables used to play the samples and music; but not only that, it contains pointers to those tables.
By changing those pointers, we can make the NMK004 use its internal ROM as if it was one of the external tables. In particular, this can be done with the table that contains the sample numbers to be played by the two OKI6295.

We can then log the commands sent by the NMK004 to the OKI6295, and this will allow us to determine which sample it is attempting to play - and therefore the value of the internal ROM byte it has just read.

So in theory there shouldn't be problems - unfortunately the hardware setup needed to get it all to work isn't trivial. But I'm confident that in due time it will be done.

8 comments:

Anonymous said...

Once again Nicola proves he is still the Mame King with an excellent piece of lateral thinking. Let's hope that there's a similar hardware dumping king out there. Nice work - and as always...I'm still not worthy!

:)

Falcone said...

Interesting to read. Seems to be (at least partially) loosely related to another to-do-item: is there still some effort made by anyone to read out the Dallas DS5002 MCU?

Don't know where to post it (did'nt get my mame-board account, for some, reasons activated) - i think you already know this paper "Tamper Resistance - a Cautionary Note" (http://www.cl.cam.ac.uk/users/rja14/tamper.html), Chapter 3.1 & 3.2 ("Breaking the Dallas chip"), but is this also possible if you can dump the NMK via a hardware modification/hack?

Anonymous said...

falcone:
all this is well known for a long time, but if you paypal guru $50K the dallas mcu will be cracked...

Anonymous said...

Falcone, please, use your head. This means, by and large, f***-all in terms of the Dallas MCU. Entirely different chip, entirely different operation, and so on and so forth.

Guru said...

>Anonymous said...
>falcone:
>all this is well known for a long >time, but if you paypal guru $50K >the dallas mcu will be cracked...

or I'll retire ;-))

Regarding Nicola's comments, remember, to log the chip output will require something like a logic analyser to capture data, which none of the devs have, unfortunately. So maybe Mish and his 'Target Manager' can come to the rescue ;-)

Guru

Falcone said...

Sorry, if it really was known for long... at least i didn't know that.

If i still would have an analyzer i would loan it, but unfornately the times i had access to such equipment are over....

Anonymous said...

Hello again Nicola,
Congrats on all your new work.
I would like to know if your still working on fixing those Seibu games with the messed up sound and graphics and if you can please fix Apache 3 in the near future, those TATSUMI games are some of my favorites.
again Thanks for all your hard work my friend and take care.
-Jackie

troy said...

It's all gone quiet in Italy! What are you currently working on Nicola?