> Sounds good, I've added the disassembly to the original post. > > Also, I have a question about Rainbow Edition in general. It was always my > understanding that these hacks were sold as EPROM upgrade kits for operators with the > original board, but something I saw while disassembling this turbo code suggests that > there was some kind of hardware protection added by the hackers. The hijacked turbo > code leads here before running Rainbow Edition turbo code proper: > > > 0E544A movem.l D0-D4/A1, -(A7) ; Push registers to stack for later retrieval > 0E544E clr.w D2 > 0E5450 clr.w D0 > 0E5452 move.b $201201.l, D0 ; Reads 0x40 > 0E5458 move.b $281201.l, D2 ; Reads 0x02 > 0E545E sub.b D0, D2 > 0E5460 subi.b #$30, D2 ; Result: 0x0E > 0E5464 jmp ($4,PC,D2.w) ; Jump to $E5478 (Rainbow Edition's turbo code) > > The $200000 region isn't normally mapped to anything in CPS1 games. I see this is > accounted for in Mame's CPS1 driver, as these addresses are forced to contain the > correct values that create the correct jump offset to the turbo code. But what did > this actually look like on the board? Was Rainbow Edition exclusively found on > bootleg hardware as opposed to an upgrade kit for legit boards?
I believe some of the boards have an extra PAL kludged in there, which probably provides the values. I can't find any examples, but I seem to recall it was something like a sub-board in place of the 68k with the 68k and a PAL on it. (or something similar with wire mods and a sub-board)
Basically the people selling kits didn't want anybody bootlegging their kits, so they had to do something more than make them a ROM swap.
|