JKKDARK
May 24th, 2008, 00:23
Progress on the Sega Dreamcast emulator (http://dknute.livejournal.com/) for PC.
I was unable to figure out any "smart" method of dumping E-VMU BIOS, so I still need to find the correct entry point to the BIOS procedure I want. Unfortunatelly the only way to do this is a brute-force exhaustive search of all 16384 combinations. Trust me, I've tried out quite a few and the conclusion is: the code in English-based VMUs has been shuffled by the linker and it's layout is completly different from any J-VMU I've seen.
Long story short, if you people hope to get English BIOS for VMU emulation (AFAIK noone has ever dumped it) you better help me :) I will continue my search anyway but it'll take weeks to months. It's not really required you know, Japanese BIOS will work just fine, but without it the simulator would appear somehow... incomplete.
Here's a list of things you need to have to help:
(1) Dreamcast
It's only required for the initial VMU programming. You might need it few more times if the VMU becomes corrupted, but that's it. Any region console will do.
(2) Spare E-VMU
It's a VMU that uses English to communicate via it's LCD. I'm not aware of any other types of VMU but J- and E- ones, but if you know better please tell me.
Important note: that VMU will be completly erased. Backup it first if it contains mini-game or saves you'll want to use in future.
(3) CR2032 button cells
You'll need some of those to power the VMU in standalone mode. Actually, if you have two able hands you can just connect two wires to the contacts (using sticky tape for example) and power it from external battery pack or even power supply. That's what I'm doing. Anything from 5V to 9V is fine, so a 4-pack of AA or AAA cells or one 9F22 battery will do. There is a diode inside the VMU to protect it in case you get the polarity wrong but be careful about that. And in case you decide on a power supply, make sure it's a quality one. The cheap "wall cubes" with unregulated output have a strong ripple which can go as high as twice the nominal voltage!
(4) Free time and some patience
This whole process is quite boring, really. You'll be repeating the same thing hundreds of times and it's important that you do it throughly. Good news is you can pause and continue at any time.
Interested? If so, please download this small package (http://rapidshare.com/files/116790510/VMU_Dialer.7z.html) and follow the instructions below. It contains CDI ready to be burned and a binary file for people who would rather use a serial cable or BBA for uploading executables.
- I'm assuming you know how to burn CD-Rs for your Dreamcast to boot. Google it if you don't. The CDI in the archive is self-bootable, but I've also included the unscrambled binary file in case you'd want to make your own CD with a proper dummy file.
- Boot the disc, or upload it via cable, whatever works for you. Your console should be hooked up to a TV, PAL/NTSC mode will be autodetected. In case you need to override this, keep X pressed during boot/upload to force PAL, or Y to force NTSC. VGA box is another story - I'm pretty sure it'll detect and use proper mode but in case it doesn't use X+Y together. Keep in mind this will not work if normal TV cable is attached.
- You should be using standard Dreamcast controller, although anything that has VMU slot will probably do. Any port will do but I'd stick to Port A and slot 1 just in case. After the application starts you should see this:
VMU blind dialer 1.0
Press A to begin, or B to quit
- If you haven't already, insert a VMU into your controller and press A button. Let me repeat this one more time: AT THIS POINT YOUR VMU WILL BE COMPLETLY ERASED. The screen will change and eventually read like this:
Detecting... found VMU @A1
[Version 1.005,1999/10/26,315-6208-05,SEGA Visual Mem
ory System BIOS Produced by ]
Writing to VMU FLASH memory, please wait...
Processing block 256/256
Done
Take note of the version being displayed. If you have VMU version below 1.004 please contact me, as there's a chance it's different from newer models.
- Once you see "Done" you can pull the VMU out. This procedure is so straightforward that you don't even need to use the TV; just wait a few seconds for the CD to boot and keep pressing A until the exclamation (!) icon on VMU LCD shows up. Then wait for it to go away and it's ready.
That covers priming the VMU. You can produce more then one, give it to family/friends :)
Now, for the important (and boring) part:
- Turn on the VMU
- Set up date/time if you're asked to
- Select mini-game mode, press A to run
- This will appear on LCD:
http://pics.livejournal.com/dknute/pic/000c2pht/s320x240
There are 4 hexadecimal digits here. The one blinking is the one selected and up/down on D-pad will increment or decrement it. There is no wrap or carry/borrow, so the lowest you can go is zero, the highest is F.
Left/right on the D-pad will select a different digit for you to play with. You need to set all four to get a unique address. This is why it's called "a dialer" - you pick up numbers to try out. Simple. Each and every possible combination from 0x0000 to 0x3fff has to be tested.
Once all digits are set, press A to test your combination.
At this point several things can happen:
- VMU will freeze. Reset it via hole on it's back or cut and re-apply power.
- VMU will reset itself. Saves you the trouble.
- Control will actually return to the mini-game program - this is rare, though. You'll see something like this:
http://pics.livejournal.com/dknute/pic/000c3636/s320x240
Every time the VMU doesn't die, the program will test the buffer to see what's in it. If it's not interesting, it'll say "BAD" and print out a value. NOW PAY ATTENTION, THIS IS IMPORTANT: if the value is "77", ignore it and keep trying with different address. If it's "FF", write down the address and once you're done with testing for the time being, send me a list of those addresses. If you see any other number, especially if you see "2A" and/or "BAD" does not show up with the number, tell me about it ASAP. That's what we're looking for.
- On a very rare occasion a small group of addresses will execute BIOS built-in FLASH write routine. This will most likely corrupt the VMU and you'll need to flash it again via Dreamcast. Happens.
That's about it. Don't go over 0x4000, no point. If you want to help, contact me first via mail or comments - I will ask you about your VMU version and will assign you a range of numbers that needs to be tested in the first place. This way we won't have several people doing the same thing in vain.
Footnotes:
- Yes, each and every address has to be tested. No skipping. We're hunting for 3 or 4 values out of 16384, we can't afford even smallest gaps in the search pattern.
- Once you set a number, you can press B once and it will be stored in the FLASH and recalled after reset. "FB" will appear on the screen to tell you it has happened. DO NOT USE THIS TOO OFTEN, for FLASH memory can only be written 1000-10000 times before it stops working. I use it every 64 numbers (0x40 in hex) to keep track of my progress.
- Keep notes. If you make a pause and forget what was the last number you've tried, go back to the number you're sure about. Or else you risk skipping something important.
- Because 95% attempts end up in hang or reset, this is really slow and boring thing to do. But if 20 or so people were to help out, we could cover all range in just few days.
I was unable to figure out any "smart" method of dumping E-VMU BIOS, so I still need to find the correct entry point to the BIOS procedure I want. Unfortunatelly the only way to do this is a brute-force exhaustive search of all 16384 combinations. Trust me, I've tried out quite a few and the conclusion is: the code in English-based VMUs has been shuffled by the linker and it's layout is completly different from any J-VMU I've seen.
Long story short, if you people hope to get English BIOS for VMU emulation (AFAIK noone has ever dumped it) you better help me :) I will continue my search anyway but it'll take weeks to months. It's not really required you know, Japanese BIOS will work just fine, but without it the simulator would appear somehow... incomplete.
Here's a list of things you need to have to help:
(1) Dreamcast
It's only required for the initial VMU programming. You might need it few more times if the VMU becomes corrupted, but that's it. Any region console will do.
(2) Spare E-VMU
It's a VMU that uses English to communicate via it's LCD. I'm not aware of any other types of VMU but J- and E- ones, but if you know better please tell me.
Important note: that VMU will be completly erased. Backup it first if it contains mini-game or saves you'll want to use in future.
(3) CR2032 button cells
You'll need some of those to power the VMU in standalone mode. Actually, if you have two able hands you can just connect two wires to the contacts (using sticky tape for example) and power it from external battery pack or even power supply. That's what I'm doing. Anything from 5V to 9V is fine, so a 4-pack of AA or AAA cells or one 9F22 battery will do. There is a diode inside the VMU to protect it in case you get the polarity wrong but be careful about that. And in case you decide on a power supply, make sure it's a quality one. The cheap "wall cubes" with unregulated output have a strong ripple which can go as high as twice the nominal voltage!
(4) Free time and some patience
This whole process is quite boring, really. You'll be repeating the same thing hundreds of times and it's important that you do it throughly. Good news is you can pause and continue at any time.
Interested? If so, please download this small package (http://rapidshare.com/files/116790510/VMU_Dialer.7z.html) and follow the instructions below. It contains CDI ready to be burned and a binary file for people who would rather use a serial cable or BBA for uploading executables.
- I'm assuming you know how to burn CD-Rs for your Dreamcast to boot. Google it if you don't. The CDI in the archive is self-bootable, but I've also included the unscrambled binary file in case you'd want to make your own CD with a proper dummy file.
- Boot the disc, or upload it via cable, whatever works for you. Your console should be hooked up to a TV, PAL/NTSC mode will be autodetected. In case you need to override this, keep X pressed during boot/upload to force PAL, or Y to force NTSC. VGA box is another story - I'm pretty sure it'll detect and use proper mode but in case it doesn't use X+Y together. Keep in mind this will not work if normal TV cable is attached.
- You should be using standard Dreamcast controller, although anything that has VMU slot will probably do. Any port will do but I'd stick to Port A and slot 1 just in case. After the application starts you should see this:
VMU blind dialer 1.0
Press A to begin, or B to quit
- If you haven't already, insert a VMU into your controller and press A button. Let me repeat this one more time: AT THIS POINT YOUR VMU WILL BE COMPLETLY ERASED. The screen will change and eventually read like this:
Detecting... found VMU @A1
[Version 1.005,1999/10/26,315-6208-05,SEGA Visual Mem
ory System BIOS Produced by ]
Writing to VMU FLASH memory, please wait...
Processing block 256/256
Done
Take note of the version being displayed. If you have VMU version below 1.004 please contact me, as there's a chance it's different from newer models.
- Once you see "Done" you can pull the VMU out. This procedure is so straightforward that you don't even need to use the TV; just wait a few seconds for the CD to boot and keep pressing A until the exclamation (!) icon on VMU LCD shows up. Then wait for it to go away and it's ready.
That covers priming the VMU. You can produce more then one, give it to family/friends :)
Now, for the important (and boring) part:
- Turn on the VMU
- Set up date/time if you're asked to
- Select mini-game mode, press A to run
- This will appear on LCD:
http://pics.livejournal.com/dknute/pic/000c2pht/s320x240
There are 4 hexadecimal digits here. The one blinking is the one selected and up/down on D-pad will increment or decrement it. There is no wrap or carry/borrow, so the lowest you can go is zero, the highest is F.
Left/right on the D-pad will select a different digit for you to play with. You need to set all four to get a unique address. This is why it's called "a dialer" - you pick up numbers to try out. Simple. Each and every possible combination from 0x0000 to 0x3fff has to be tested.
Once all digits are set, press A to test your combination.
At this point several things can happen:
- VMU will freeze. Reset it via hole on it's back or cut and re-apply power.
- VMU will reset itself. Saves you the trouble.
- Control will actually return to the mini-game program - this is rare, though. You'll see something like this:
http://pics.livejournal.com/dknute/pic/000c3636/s320x240
Every time the VMU doesn't die, the program will test the buffer to see what's in it. If it's not interesting, it'll say "BAD" and print out a value. NOW PAY ATTENTION, THIS IS IMPORTANT: if the value is "77", ignore it and keep trying with different address. If it's "FF", write down the address and once you're done with testing for the time being, send me a list of those addresses. If you see any other number, especially if you see "2A" and/or "BAD" does not show up with the number, tell me about it ASAP. That's what we're looking for.
- On a very rare occasion a small group of addresses will execute BIOS built-in FLASH write routine. This will most likely corrupt the VMU and you'll need to flash it again via Dreamcast. Happens.
That's about it. Don't go over 0x4000, no point. If you want to help, contact me first via mail or comments - I will ask you about your VMU version and will assign you a range of numbers that needs to be tested in the first place. This way we won't have several people doing the same thing in vain.
Footnotes:
- Yes, each and every address has to be tested. No skipping. We're hunting for 3 or 4 values out of 16384, we can't afford even smallest gaps in the search pattern.
- Once you set a number, you can press B once and it will be stored in the FLASH and recalled after reset. "FB" will appear on the screen to tell you it has happened. DO NOT USE THIS TOO OFTEN, for FLASH memory can only be written 1000-10000 times before it stops working. I use it every 64 numbers (0x40 in hex) to keep track of my progress.
- Keep notes. If you make a pause and forget what was the last number you've tried, go back to the number you're sure about. Or else you risk skipping something important.
- Because 95% attempts end up in hang or reset, this is really slow and boring thing to do. But if 20 or so people were to help out, we could cover all range in just few days.