1 // license:BSD-3-Clause
2 // copyright-holders:smf, Mike Balfour, David Widel
3
4 #include "emu.h"
5 #include "includes/pacman.h"
6
epos_decryption_w(offs_t offset)7 uint8_t epospm_state::epos_decryption_w(offs_t offset)
8 {
9 if (offset & 0x01)
10 {
11 m_counter = (m_counter - 1) & 0x0F;
12 }
13 else
14 {
15 m_counter = (m_counter + 1) & 0x0F;
16 }
17
18 switch (m_counter)
19 {
20 case 0x08:
21 case 0x09:
22 case 0x0A:
23 case 0x0B:
24 membank("bank1")->set_entry(m_counter & 3);
25 break;
26
27 default:
28 logerror("Invalid counter = %02X\n", m_counter);
29 break;
30 }
31
32 return 0;
33 }
34
epos_decrypt_rom(uint8_t * ROM,uint8_t invert,int offset,int * bs)35 static void epos_decrypt_rom(uint8_t *ROM, uint8_t invert, int offset, int *bs)
36 {
37 for (int mem = 0; mem < 0x4000; mem++ )
38 {
39 ROM[mem + offset] = bitswap<8>(ROM[mem] ^ invert, bs[0], bs[1], bs[2], bs[3], bs[4], bs[5], bs[6], bs[7]);
40 }
41 }
42
43
44 /*
45
46 The Glob protection description:
47
48 The Glob is designed to run on modified Pacman hardware. It contains
49 two graphics ROMs at 5E and 5F, but contains code ROMs on a daughterboard
50 similar in concept to Ms. Pacman. However, these code ROMs are decrypted
51 through additional circuitry. The daughterboard was encased in epoxy.
52
53 Here's a description of the protection as best as I can give it.
54
55 1) The decrypted D0 bit fed to the CPU is simply an inversion of the
56 D5 bit from the code ROMs.
57 2) The decrypted D1 bit fed to the CPU is simply an inversion of the
58 D2 bit from the code ROMs.
59 3) The other 6 data bits are decrypted by a 10H8 PAL. The PAL also
60 takes as input a 4-bit counter. The counter is incremented and
61 decremented as follows:
62 - the Z-80 command IN($xx) where xx is an odd number decrements the
63 counter; an even number increments the counter.
64 Ex: IN($64) would increment the counter, IN($6B) would decrement
65 the counter.
66 4) The PAL output also contains the two ROM enable lines used to enable
67 the two encrypted code ROMs. As long as the system is working
68 correctly, these ROMs will always be enabled.
69
70 As it so happens, only four counter values are ever used, which is
71 fortunate because the PAL only contains signals to enable the ROMs for
72 those four counter values. The valid counter values are $8, $9, $A, and
73 $B. The counter's intial value is $A, which is set by jumpers on the
74 daughterboard. Following is a description of the resulting decryptions
75 for these four counter states.
76
77 COUNTER ENCRYPTED DECRYPTED
78 VALUE VALUE
79
80 DDDDDDDD DDDDDDDD
81 76543210 76543210
82
83 Counter = 8: abcdefgh EAhBDgFC
84 Counter = 9: abcdefgh FAgeDBFC
85 Counter = A: abcdefgh EHDBagFC
86 Counter = B: abcdefgh GHDEaBFC
87
88 In the above diagram, capital letters represent inverted bits. Notice
89 that bits D2 and D5 are the same independent of counter state, this is
90 because these bits are not decrypted by the PAL.
91
92
93 In the code below, all four of these decryption patterns are used to
94 decrypt the entire code ROMs before execution. This is done for speed,
95 since we can then just bankswitch between the decrypted code sets on
96 each IN($xx) command, as opposed to dynamically decrypting every byte.
97
98 - Mike Balfour (mab22@po.cwru.edu)
99
100 */
101
MACHINE_START_MEMBER(epospm_state,theglobp)102 MACHINE_START_MEMBER(epospm_state, theglobp)
103 {
104 /* Note: D2 is inverted and connected to D1, D5 is inverted and
105 connected to D0. The other six data bits are converted by a
106 PAL10H8 driven by the counter. */
107
108 int bs[4][8] = {
109 { 3,7,0,6,4,1,2,5 },
110 { 1,7,0,3,4,6,2,5 },
111 { 3,0,4,6,7,1,2,5 },
112 { 1,0,4,3,7,6,2,5 },
113 };
114
115 /* While the PAL supports up to 16 decryption methods, only four
116 are actually used in the PAL. Therefore, we'll take a little
117 memory overhead and decrypt the ROMs using each method in advance. */
118
119 uint8_t *ROM = memregion("maincpu")->base();
120 epos_decrypt_rom(ROM, 0xfc, 0x10000, bs[0]);
121 epos_decrypt_rom(ROM, 0xf6, 0x14000, bs[1]);
122 epos_decrypt_rom(ROM, 0x7d, 0x18000, bs[2]);
123 epos_decrypt_rom(ROM, 0x77, 0x1c000, bs[3]);
124
125 membank("bank1")->configure_entries(0, 4, &ROM[0x10000], 0x4000);
126
127 save_item(NAME(m_counter));
128 }
129
MACHINE_RESET_MEMBER(epospm_state,theglobp)130 MACHINE_RESET_MEMBER(epospm_state, theglobp)
131 {
132 m_counter = 0x0A;
133 membank("bank1")->set_entry(m_counter & 3);
134 }
135
136 /*
137
138 Same Epos board as usual(theglobp,beastf,street heat). This is fairly easy to decrypt since it has consecutive bytes with the same algorithym. There are 4 different algorithyms. One consists almost entirely of text, one contains the majority of code and the remaining 2 are not used much and are therefore the most difficult. It is however difficult to decrypt to rom. The data for the coin sound is actually program code in a different phase. You need to move the sound tables and add a rom to get it to run without the daughterboard.
139
140 acitya contains a bug with the insurance in blackjack. It's impossible to collect, so it's likely that acitya is earlier than bwcasino.
141
142 I don't think this game is a gambling game. For one thing there's no real output hardware on a pacman board and the epos daughterboard doesn't contain any either.
143
144 David Widel d_widel@hotmail.com
145
146 */
147
MACHINE_START_MEMBER(epospm_state,acitya)148 MACHINE_START_MEMBER(epospm_state, acitya)
149 {
150 /* Note: D2 is inverted and connected to D1, D5 is inverted and
151 connected to D0. The other six data bits are converted by a
152 PAL10H8 driven by the counter. */
153
154 int bs[4][8] = {
155 { 1,6,7,3,4,0,2,5 },
156 { 7,6,1,3,4,0,2,5 },
157 { 1,0,7,6,4,3,2,5 },
158 { 7,0,1,6,4,3,2,5 },
159 };
160
161 /* While the PAL supports up to 16 decryption methods, only four
162 are actually used in the PAL. Therefore, we'll take a little
163 memory overhead and decrypt the ROMs using each method in advance. */
164
165 uint8_t *ROM = memregion("maincpu")->base();
166 epos_decrypt_rom(ROM, 0xb5, 0x10000, bs[0]);
167 epos_decrypt_rom(ROM, 0xa7, 0x14000, bs[1]);
168 epos_decrypt_rom(ROM, 0xfc, 0x18000, bs[2]);
169 epos_decrypt_rom(ROM, 0xee, 0x1c000, bs[3]);
170
171 membank("bank1")->configure_entries(0, 4, &ROM[0x10000], 0x4000);
172
173 save_item(NAME(m_counter));
174 }
175
MACHINE_RESET_MEMBER(epospm_state,acitya)176 MACHINE_RESET_MEMBER(epospm_state, acitya)
177 {
178 m_counter = 0x0B;
179 membank("bank1")->set_entry(m_counter & 3);
180 }
181
182
MACHINE_START_MEMBER(epospm_state,eeekkp)183 MACHINE_START_MEMBER(epospm_state, eeekkp)
184 {
185 /* Note: D2 is inverted and connected to D1, D5 is inverted and
186 connected to D0. The other six data bits are converted by a
187 PAL10H8 driven by the counter. */
188
189 int bs[4][8] = {
190 { 7,6,1,3,0,4,2,5 },
191 { 7,1,4,3,0,6,2,5 },
192 { 7,6,1,0,3,4,2,5 },
193 { 7,1,4,0,3,6,2,5 },
194 };
195
196 /* While the PAL supports up to 16 decryption methods, only four
197 are actually used in the PAL. Therefore, we'll take a little
198 memory overhead and decrypt the ROMs using each method in advance. */
199
200 uint8_t *ROM = memregion("maincpu")->base();
201 epos_decrypt_rom(ROM, 0xfd, 0x10000, bs[0]);
202 epos_decrypt_rom(ROM, 0xbf, 0x14000, bs[1]);
203 epos_decrypt_rom(ROM, 0x75, 0x18000, bs[2]);
204 epos_decrypt_rom(ROM, 0x37, 0x1c000, bs[3]);
205
206 membank("bank1")->configure_entries(0, 4, &ROM[0x10000], 0x4000);
207
208 save_item(NAME(m_counter));
209 }
210
MACHINE_RESET_MEMBER(epospm_state,eeekkp)211 MACHINE_RESET_MEMBER(epospm_state, eeekkp)
212 {
213 m_counter = 0x09;
214 membank("bank1")->set_entry(m_counter & 3);
215 }
216