Conker's Bad Fur Day (Aug 26, 2000 prototype)
An ECTS prototype of Conker's Bad Fur Day for the Nintendo 64.
- Archive contains both the encrypted and the unencrypted ROM files.
- Security dongle notes by marshallh:
Reversing the Rare Ltd proto dongle
___________________________________
June 2012, marshallh
These dongles were presumably hand-built by Rare, for the purpose of either:
1. Allowing non-retail debug builds to be tested by running on stock N64s with just a flash cart,
2. Preventing the build from booting on any stock setup without the dongle or dev cartridge.
It's possible that these were both the intended purpose. In any case, the dongle is a pass-through, except that there is an Altera MAX7000 series CPLD intercepting the AD16 bus. This lets all normal bus transactions through, but in the special case mentioned below, takes control of the bus and gives its own data.
The Conker BFD build that was tested did not finish booting on my 64drive. After sticking a logic analyzer on it, I found it was hanging upon reading a value from an address in the higher range of cart space.
Upon disassembling the rom, it was clear that the game was writing some data to whatever development cart they had, and then reading back two 16bit halfwords and comparing them to stored values.
1. Writes 0x80004040 to cartridge address 0x1C000020C
2. Reads 32bits from 0x1C000000, compares the lower halfword to 0x4F4A
3. Reads 32bits from 0x1C000002, compares the lower halfword to 0x4653
The second read is contingent upon the first. If you convert the 32bit 'magic' to ASCII, it's 'OJFS'.
This may not be the full extent of the debug stub handling/protection, but having the 64drive answer these requests like the original dongle allows the game to boot and be played normally.
This check appears once in code, but is called upon every major scene change (probably code overlay swap event). The PD debug ROM allows for several different possible values compared to BFD.
By patching the ROM it's possible to remove these checks and put in the proper values, which allows operation on any backup unit.
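The two-read check described in these notes, modelled as an added C example (not code from marshallh, the ROM or the 64drive firmware). The bus-read callback, the filler value for unanswered reads, the zero upper halfword and the return-0-on-failure behaviour are assumptions; the write in step 1 is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses and magic values as given in the notes above. */
#define DONGLE_BASE  0x1C000000u
#define MAGIC_FIRST  0x4F4Au
#define MAGIC_SECOND 0x4653u
/* Assumption: a read that nothing answers returns this filler value. */
#define OPEN_BUS     0xFFFFFFFFu

/* Hypothetical bus model: 32-bit read from a cartridge address. */
typedef uint32_t (*bus_read32_fn)(uint32_t addr);

/* Stock setup: nothing answers in the probed range. */
uint32_t read_without_dongle(uint32_t addr) { (void)addr; return OPEN_BUS; }

/* Pass-through model: answers the two probed addresses (upper halfword
   assumed 0) and lets every other read through unchanged. */
uint32_t read_with_dongle(uint32_t addr) {
    if (addr == DONGLE_BASE)      return MAGIC_FIRST;
    if (addr == DONGLE_BASE + 2u) return MAGIC_SECOND;
    return read_without_dongle(addr);
}

/* Responder that only gets the first value right. */
uint32_t read_first_only(uint32_t addr) {
    return addr == DONGLE_BASE ? MAGIC_FIRST : OPEN_BUS;
}

unsigned reads_issued; /* number of reads the last check performed */

/* Steps 2 and 3: compare the lower halfword of each read; the second
   read happens only if the first matched. Returns 1 on success. */
int dongle_check(bus_read32_fn read32) {
    reads_issued = 1;
    if ((read32(DONGLE_BASE) & 0xFFFFu) != MAGIC_FIRST) return 0;
    reads_issued = 2;
    return (read32(DONGLE_BASE + 2u) & 0xFFFFu) == MAGIC_SECOND;
}

/* The two halfwords as four ASCII characters, high byte first. */
void magic_ascii(char out[5]) {
    out[0] = (char)(MAGIC_FIRST >> 8);  out[1] = (char)(MAGIC_FIRST & 0xFF);
    out[2] = (char)(MAGIC_SECOND >> 8); out[3] = (char)(MAGIC_SECOND & 0xFF);
    out[4] = '\0';
}

int main(void) {
    char m[5]; magic_ascii(m);
    printf("magic=%s dongle=%d\n", m, dongle_check(read_with_dongle));
    printf("stock=%d after %u read(s)\n", dongle_check(read_without_dongle), reads_issued);
    return 0;
}
```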