Sonic and Sega Retro Message Board: Virtua Racing! Reveal your secrets! - Sonic and Sega Retro Message Board

Jump to content

Hey there, Guest!  (Log In · Register) Help
  • 2 Pages +
  • 1
  • 2
    Locked
    Locked Forum

Virtua Racing! Reveal your secrets!

#1 User is offline Nemesis 

Posted 04 November 2007 - 05:47 PM

  • Posts: 465
  • Joined: 11-January 03
  • Gender:Male
  • Location:Sydney, Australia
  • Wiki edits:6
I've been doing a little more prodding at Virtua Racing over the weekend. I'm trying to find a way to raid the internal ROM data in the SVP. It's defeated me so far, but I'm picking up another 2 or 3 copies off ebay which I can destroy mercilessly. Once they arrive I'll be able to try some more extreme measures hardware wise. Until then, I'll be attacking it more thoroughly from the software side with the aid of the MegaCD. With the aid of MoD's extremely useful SegaCD transfer suite, I should be able to upload a few small programs to map out the boundaries of the interface to the SVP, and hopefully find an avenue I can use to trojan the chip. I've also been dumping the contents of the DRAM and other memory in the range 0x300000-0x400000 from the system during execution, but nothing particularly interesting has come from it.

Anyway, for any of you who have Virtua Racing and are curious to see a debugging curiosity that few others have seen, I've got a process to kick the game into its internal test menu. Charles MacDonald put out some notes years ago about his discoveries from disassembling the test menu code, but I don't know that he ever had a way to activate it on the real system, or if he did he never published it. If you have a Game Genie, you can activate the test menu. Note that the Pro Action Replay will NOT work. There's a clash on memory addresses between the PAR and the SVP interface in Virtua Racing. Virtua Racing is unable to boot with any of the 3 versions of the PAR attached. Anyway, here's my rough notes about enabling the test menu that I wrote while I was going:

Quote

Virtua Racing has an internal debug menu which is designed to test and query the SVP chip.
-The code for this menu is stored in 0x1B000-1C0BC.
-The entry point for the test menu code is 0x1B0D4.
-There is an entry stub which launches into the menu at 0x18300
-There is a reference to this entry stub from 0x201EC, which appears to be part of the initial entry code from the reset vector entry point at 0x20000.
-The test stub will be entered if the byte at 0xFFD8CC is equal to 0xFF.

So, if the RAM has 0xFF loaded at 0xD8CC, the test menu will kick in. The only question is, how do we pull that off? We've tested all 3 versions of the Action Replay, and they are apparently incompatible with Virtua Racing. The Game Genie is incapable of writing to RAM.

The test menu can be activated on the real system by using the Game Genie. Since the Game Genie is incapable of modifying the flag in RAM, we patch the startup code instead to force execution to always enter the test menu. The following Game Genie code NOP's the branch at 0x201E0:

REAT-E61A (0201E0:4E71)


I've got some other preliminary notes on the SVP interface which are a little more complete than what's currently out there, but I'll wait until I've done some of my tests from the MegaCD before I publish those. Hopefully even if I can't find a way to get at the internal ROM, I can document enough of the SVP interface so that it can be emulated as a black box anyway. I'll post anything else of interest when I come across it.

#2 User is offline drx 

Posted 04 November 2007 - 05:52 PM

  • <Shade> fuck MJ
  • Posts: 2175
  • Joined: 02-March 04
  • Gender:Male
  • Project::rolleyes:
  • Wiki edits:8
I've got some new docs on the chip around here somewhere, I'll PM them to you.

#3 User is offline Nemesis 

Posted 06 November 2007 - 07:28 AM

  • Posts: 465
  • Joined: 11-January 03
  • Gender:Male
  • Location:Sydney, Australia
  • Wiki edits:6
After some further analysis, I don't believe there is any internal ROM data in the SVP chipset. I've been tearing the ROM to peices, and I can identify the purpose of every block of data in the entire ROM, except large sections from 0x00200-0x1B000. Some data in this section looks suspiciously like code, but not for any machine code format I know.

It appears the entire ROM from 0x0-0x20000 is a canned SVP bootstrapper. There is no code or data in this section which is called at any time during the normal execution of the game. The entry point is at 0x20000 after the end of the bootstrapper, and in fact, the only 68000 code in this block at all is the code and data for the small SVP test menu mentioned in my post above, and it makes perfect sense for this to be in the bootstrapper. Apart from this test menu right at the end of the block, and several sections of significant padding (which would normally be unusual for the start of a ROM), there appears to be mainly code for the SVP, and some large data tables. I'd bet any amount of money this section was built as a self-contained bootstrapper, and all the code which runs on the SVP lies in this region.

I don't have any direct way to confirm this 100% yet, but I'll try and come up with something. There's still some key questions I can't answer confidently yet either, like how the SVP knows what its entry point is in the ROM. I'm guessing it's 0x800, but I don't know how it knows that. I also don't know what position the ROM data is based at in the SVP memory map. I'll keep on digging.

If we do in fact have all the code for the SVP however, which I believe we do, this is a major step forward. Chances are, the SVP isn't completely custom. Its machine code will almost certanly resemble another processor family out there. Perhaps now we can positively identify the type of chipset the SVP is based on, which is the first step in emulating it.
This post has been edited by Nemesis: 06 November 2007 - 07:36 AM

#4 User is offline Sik 

Posted 08 November 2007 - 03:40 PM

  • Sik is pronounced as "seek", not as "sick".
  • Posts: 6719
  • Joined: 17-March 06
  • Gender:Male
  • Project:being an asshole =P
  • Wiki edits:11
Honestly, nobody knows. But take into mind some things: if the SVP program was run from the ROM directly, it would slow down as the bus is shared by two hardware at the same time (68k and SVP). So probably it's run somewhere else. But imagine the SVP has an internal ROM. Why should it be accessible from outside? Probably its data bus is just to communicate between the SVP and the rest of the hardware (software really). The program would be internally in the SVP chip and wired internally only, too. It'd be impossible to get it unless you examine it's internal connections, and who's so crazy to try that?

You better find a way to get the SVP working first. At least a fake SVP in the case of emulators, as there's only one software for it ever available. Later you'd get deep into the SVP programming...

#5 User is offline Robjoe 

Posted 08 November 2007 - 06:10 PM

  • Delicious and nutritious.
  • Posts: 840
  • Joined: 11-September 05
  • Gender:Male
  • Location:Ludington, Michigan, US
  • Project:Brawl mods, Megamix Layouts, and messing with Sonic 3.
  • Wiki edits:1
I know I'm veering somewhat off-topic, but has anyone here actually PLAYED Virtua Racing? Is it any good? Not just graphically ahead of its time and strangely programmed, but is it fun? I've been wondering that for some time. Y'see, normally I'd just emulate it, and pick it up off eBay if I like it (or just burn it to a blank CD in the case of Sega CD games), but I can't really do that here for obvious reasons. =P

#6 User is offline Nemesis 

Posted 08 November 2007 - 08:00 PM

  • Posts: 465
  • Joined: 11-January 03
  • Gender:Male
  • Location:Sydney, Australia
  • Wiki edits:6

View PostSik, on Nov 9 2007, 07:40 AM, said:

Honestly, nobody knows. But take into mind some things: if the SVP program was run from the ROM directly, it would slow down as the bus is shared by two hardware at the same time (68k and SVP). So probably it's run somewhere else.

Not necessarily. If you believe the speculation about the architecture of the SVP, it has internal IRAM (instruction ram). Think of it as an L2 cache. It could potentially keep most or all of its code buffered in IRAM, and only have to generate external bus queries to the ROM chipset when it needs to access data outside the page of memory which is currently cached. The SVP probably also runs its bus at a higher clock speed, meaning even if there is no IRAM, if the SVP is designed cleverly enough, constant access from the 68000 to ROM might only steal say 1/3 of the maximum access time from SVP to ROM communication from the SVP code, depending on the exact clock speeds and 1000 other factors.

Quote

But imagine the SVP has an internal ROM. Why should it be accessible from outside?

Well, IF it has internal ROM, there's probably no reason to make it accessible externally, aside from perhaps an external ROM integrity test. Internal ROM is much less flexible though, and more expensive in a lot of ways. The only benefit is saving on the development and manufacturing costs if you can do away with an external ROM entirely, but they still needed an external ROM anyhow, so they wouldn't gain anything by doing it.

Quote

You better find a way to get the SVP working first. At least a fake SVP in the case of emulators, as there's only one software for it ever available. Later you'd get deep into the SVP programming...

The only way we've ever going to get it 100% correct is by emulating the SVP code. You could reverse-engineer the interface and simulate the SVP, but it would probably take quite awhile to get it to look just right. You'd have to make a lot of guesses and assumptions. It could be done, and if we can't get at the SVP code this is the next best thing, but if we do in fact already have the code sitting right in front of us, why not try and actually emulate it and do the job properly?
This post has been edited by Nemesis: 08 November 2007 - 08:03 PM

#7 User is offline nineko 

Posted 08 November 2007 - 10:27 PM

  • I am the Holy Cat
  • Posts: 5684
  • Joined: 17-August 06
  • Gender:Male
  • Location:italy
  • Project:I... don't even know anymore :U
  • Wiki edits:5,251

View PostRobjoe, on Nov 9 2007, 12:10 AM, said:

I know I'm veering somewhat off-topic, but has anyone here actually PLAYED Virtua Racing? Is it any good? Not just graphically ahead of its time and strangely programmed, but is it fun? I've been wondering that for some time. Y'see, normally I'd just emulate it, and pick it up off eBay if I like it (or just burn it to a blank CD in the case of Sega CD games), but I can't really do that here for obvious reasons. =P

If you only care about the gameplay, you can get either the arcade version (and run it in Mame) or the 32X version. They're not much different from the Genesis version, except for the graphics (of course).

#8 User is offline muteKi 

Posted 09 November 2007 - 08:47 PM

  • Fuck it
  • Posts: 7536
  • Joined: 03-March 05
  • Gender:Male
  • Wiki edits:91
Yeah, it's pretty fun. I would say it's the one reason I wouldn't part with my system.

#9 User is offline Sith 

Posted 10 November 2007 - 01:30 PM

  • The molotov bitch
  • Posts: 1902
  • Joined: 24-July 06
  • Gender:Female
  • Location:Belgium
I bought the MD cart back in the days and it was very expensive. €115 IIRC.
Normal MD carts ranged somewhere between €62.5 - €71
(Of course in the US things were cheaper - you lucky dogs. :P)

I would love to see it emulated some day but I'm not holding my breath...

#10 User is offline Evil Cheese 

Posted 13 November 2007 - 04:51 PM

  • .....
  • Posts: 296
  • Joined: 06-October 05
  • Wiki edits:4

View PostRobjoe, on Nov 8 2007, 06:10 PM, said:

I know I'm veering somewhat off-topic, but has anyone here actually PLAYED Virtua Racing? Is it any good? Not just graphically ahead of its time and strangely programmed, but is it fun? I've been wondering that for some time. Y'see, normally I'd just emulate it, and pick it up off eBay if I like it (or just burn it to a blank CD in the case of Sega CD games), but I can't really do that here for obvious reasons. =P


Yep, I picked up that cart soon after it came out (rented it a few times first ;)).

It has been awhile since I played it but we did have fun playing it way back when. IIRC there are only 3 tracks you can race on so it can get old pretty fast if you're not into racing games. If you're the type that loves trying to beat your best lap time over and over again you may like it.

Graphics are great considering it is the Genesis. I don't really think the game was worth the money (I recall paying around $120 for it) but these days that isn't such a problem now is it? :)

I really wished they would have used this chip in other games instead of going the 32X route. I can understand why it only made it into one game though, just drove the prices up too much. They should have been less concerned with 3D graphics and more concerned with keeping up with Nintendo in 2D. No doubt in my mind that the latter Genesis games could have looked as good as the later SNES games with some extra horse power in the cart.

#11 User is offline Sik 

Posted 15 November 2007 - 02:07 PM

  • Sik is pronounced as "seek", not as "sick".
  • Posts: 6719
  • Joined: 17-March 06
  • Gender:Male
  • Project:being an asshole =P
  • Wiki edits:11

View PostNemesis, on Nov 8 2007, 10:00 PM, said:

Quote

You better find a way to get the SVP working first. At least a fake SVP in the case of emulators, as there's only one software for it ever available. Later you'd get deep into the SVP programming...

The only way we've ever going to get it 100% correct is by emulating the SVP code. You could reverse-engineer the interface and simulate the SVP, but it would probably take quite awhile to get it to look just right. You'd have to make a lot of guesses and assumptions. It could be done, and if we can't get at the SVP code this is the next best thing, but if we do in fact already have the code sitting right in front of us, why not try and actually emulate it and do the job properly?

Yeah, I know, but what I mean is that unless you know what the SVP is meant to do, it'll be way too hard to understand the code. If you know how should it interact with the rest, at least a small portion, things will be a lot easier. I probably wouldn't have found so much code from Sonic 3D if I didn't know what each RAM address was used for.

View PostAmy Rose, on Nov 13 2007, 06:51 PM, said:

Graphics are great considering it is the Genesis. I don't really think the game was worth the money (I recall paying around $120 for it) but these days that isn't such a problem now is it? ;)

I got it at the equivalent to 9.33 dollars. Think on it again :P

#12 User is offline Nemesis 

Posted 15 November 2007 - 04:44 PM

  • Posts: 465
  • Joined: 11-January 03
  • Gender:Male
  • Location:Sydney, Australia
  • Wiki edits:6

Quote

Yeah, I know, but what I mean is that unless you know what the SVP is meant to do, it'll be way too hard to understand the code. If you know how should it interact with the rest, at least a small portion, things will be a lot easier. I probably wouldn't have found so much code from Sonic 3D if I didn't know what each RAM address was used for.

Well, fortunately we do have a point of reference. The 68000 code writes particular command words to to SVP to put it into different states. You can see those same command words as constants in the SVP code. There's enough context to figure out compare and branch instructions, and from that you can start to explore the rest of the code. It'd still be a lot of work to build up a reasonable set of instructions, but a guy called Tasco Deluxe has already done the hard work, and managed to figure out a large number of instructions with a fair degree of certanty, and somehow managed to map out the registers too. The documents are called the "SVP Reference Guide" and the "SVP Register Guide", and are linked to by the SVP Wikipedia article.

There isn't enough to emulate the SVP, but I'm hoping to match the machine code format for the SVP to another known processor. Chances are the machine code format isn't unique. If the SVP is a Samsung SSP1601M as is generally believed at this point, then from what I've read, the machine code format is fairly universal for the entire SSP16 family of DSP chipsets from Samsung. If we can find a reference for another chipset in that family, it might be enough to emulate the SVP. From what I can tell though, the manual we really want is called the "SSP16 Family Digital Signal Processor User's Manual", by Samsung.


Anyway, I think I can pretty much confirm that Samsung was indeed the manufacturer of the SVP. I desoldered the SVP chip from a copy of Virtua Racing yesterday. There are several markings on the bottom of the chip I have yet to identify, but what I can identify is the line "Made in Korea". Samsung is of course based in Korea, and is their largest manufacturer of IC's. I don't think there was any other Korean-based manufacturer in the early 90's that produced DSPs.

#13 User is offline Sith 

Posted 16 November 2007 - 11:07 AM

  • The molotov bitch
  • Posts: 1902
  • Joined: 24-July 06
  • Gender:Female
  • Location:Belgium

View PostNemesis, on Nov 15 2007, 10:44 PM, said:

Anyway, I think I can pretty much confirm that Samsung was indeed the manufacturer of the SVP. I desoldered the SVP chip from a copy of Virtua Racing yesterday. There are several markings on the bottom of the chip I have yet to identify, but what I can identify is the line "Made in Korea". Samsung is of course based in Korea, and is their largest manufacturer of IC's. I don't think there was any other Korean-based manufacturer in the early 90's that produced DSPs.

That is interesting news, and a big lead that you might be right. I'm keeping my fingers crossed.

#14 User is offline ICEknight 

Posted 04 December 2007 - 01:15 PM

  • Posts: 11170
  • Joined: 11-January 03
  • Gender:Male
  • Location:Spain
  • Wiki edits:18
Any of you guys interested in the Japanese version?

#15 User is offline Nemesis 

Posted 04 December 2007 - 11:38 PM

  • Posts: 465
  • Joined: 11-January 03
  • Gender:Male
  • Location:Sydney, Australia
  • Wiki edits:6
I picked up a japanese copy recently, along with the US version and several copies of the European version. I haven't looked at the Japanese one that much so far, but from what I've seen, there doesn't seem to be a massive difference between them.

Anyway, I've put exploring Virtua Racing on ice for the time being while I ramp up work on Exodus, my Mega Drive emulator. I'm trying to get a fully functional public release out by February. I'll probably have another serious look at Virtua Racing sometime after that release. The next thing I'll probably attempt for Virtua Racing is decapping the chip. I don't know how much useful info that will actually yield, but it should be fun. :D

  • 2 Pages +
  • 1
  • 2
    Locked
    Locked Forum

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users