Conker's Bad Fur Day (Aug 26, 2000 prototype)

From Hidden Palace
Jump to navigation Jump to search
Title Screen
Conker's Bad Fur Day (Aug 26, 2000 prototype)
Build date Aug 26, 2000
Dump status Released
Dumped by Borman
Released by Borman
Origin Developers Cartridge with Security Dongle
Game Conker's Bad Fur Day
System Nintendo 64
Genre Platform
Release date US Mar 5, 2001
EU Apr 6, 2001
Download Conker's Bad Fur Day (Aug 26, 2000 prototype) (info)

A ECTS prototype of Conker's Bad Fur Day for the Nintendo 64.

Notes

The Cutting Room Floor research
This prototype has a research article on TCRF.
  • Archive contains both the encrypted and the unencrypted ROM files.
  • Security dongle notes by marshallh:

Reversing the Rare Ltd proto dongle ___________________________________

June 2012, marshallh


Description ___________

These dongles were presumably hand-built be Rare, for the purpose of either:

1. Allowing non-retail debug builds to be tested by running on stock N64s with just a flash cart, 2. Preventing the build from booting on any stock setup without the dongle or dev cartridge.

It's possible that these were both the intended purpose. In any case, the dongle is a pass-through, except that there is an Altera MAX7000 series CPLD intercepting the AD16 bus. This lets all normal bus transactions through, but in the special case mentioned below, takes control of the bus and gives its own data.


Specifics _________

The Conker BFD build that was tested did not finish booting on my 64drive. After sticking a logic analyzer on it, I found it was hanging upon reading a value from an address in the higher range of cart space.

Upon disassembling the rom, it was clear that the game was writing some data to whatever development cart they had, and then reading back two 16bit halfwords and comparing them to stored values.

1. Writes 0x80004040 to cartridge address 0x1C000020C 2. Reads 32bits from 0x1C000000, compares the lower halfword to 0x4F4A 3. Reads 32bits from 0x1C000002, compares the lower halfword to 0x4653

The second read is contingent upon the first. If you convert the 32bit 'magic' to ASCII, it's 'OJFS'.

This may not be the full extent of the debug stub handling/protection, but having the 64drive answer these requests like the original dongle allows the game to boot and be played normally.

This check appears once in code, but is called upon every major scene change (probably code overlay swap event). The PD debug ROM allows for several different possible values compared to BFD.

By patching the ROM it's possible to remove these checks and put in the proper values, and allows operation on any backup unit.



Conker's Bad Fur Day prototypes
Retrieved from "https://hiddenpalace.org/w/index.php?title=Conker%27s_Bad_Fur_Day_(Aug_26,_2000_prototype)&oldid=18477"