OneStation (One Station) Portable Game Console
Dumping the Flash ROM (FlashROM) and investigating the Data.

OOPS!
I forgot that "hacking" NES ROMs isn't that easy!

All those Mappers and stuff... and the fact that it's impossible to figure anything out from this pirate FlashROM (after browsing its contents for a few days). Basically each NES cart has specialized chips called Mappers that expand the cart's abilities past the NES's usual limitations. Since I don't know which "Mappers" this NES-on-a-chip uses (and because the games are on a FlashROM, with no cartslot), there's really a small chance that this would work. I just don't feel like putting in the extra time to find out which Mapper each game uses and find another game compatible with that Mapper to be placed onto the FlashROM.

So that's it, I'm done with this "project". Read on for what I've done up to this point.


Here's what I gathered so far...

    The system relies on the Cartridges for 100% of its brains. The system itself is just a dummy LCD screen and Speaker/button set up. Nothing too exciting inside, if you want to see its internals just google for the images, there's plenty of sites showing that. I'm more interested in the Carts. Read this page top to bottom, it's a step-by-step process of how I learned what I know so far. So what you see is what I see, up to that point where you stop reading.

    My main goal here is to extract the contents of the FlashROM on this PCB, and see what's going on inside there. Possibly replace some ROMs.


Inside the 15-in-1 "Movie Games"  cartridge:

This is the main NES-on-a-chip....chip, and the whole "NES" system in one tiny cartridge.
Amazing compared to the original NES (yes there's no video/audio hardware here):



The NES ROMs are stored on the MBM29DL323BE-90PFTN (32M (4M x 8/2M x 16) BIT Dual Operation [FUJITSU]) chip here:

An equivalent to the MBM29DL323BE-90PFTN chip is the
AM29LV320DB90 (32 Megabit (4 M x 8-Bit/2 M x 16-Bit) CMOS 3.0 Volt-only, Boot Sector Flash Memory [AMD]) (as far as I know).


I de-soldered the FlashROM and dumped it with my trusty Willem programmer (and a 16Bit TSOP48 adapter).

Before:


After:


Dumper:


    After dumping the ROM, I got a nice 4.00 MB (4,194,304 bytes) file with the contents of the FlashROM. The Willem Programmer setting for this chip was set to dump a "29LV320" which worked out fine (as far as I can see, because the dumpfile contains VALID data and is the correct size [4MB = 32Mbit]).



Contents of the dumped FlashROM:


    The FlashROM contains the NES roms (Yes, these are actual NES games, with Copyright messages and everything.). As far as I gathered, the Boot-Menu is also on this FlashROM, the list of games is here at offset 0x0007CD80:

0007CD80 CD01 CE09 CE16 CE27 CE53 7069 6465 7220 .......'.Spider
0007CD90 4D61 6E00 4772 656D 6C69 6E73 2032 0042 Man.Gremlins 2.B
0007CDA0 6174 6D61 6E20 5265 7475 726E 7300 4261 atman Returns.Ba
0007CDB0 746D 616E 0048 6172 7279 2050 6F74 7465 tman.Harry Potte
0007CDC0 7200 4A61 6D65 7320 426F 6E64 204A 7200 r.James Bond Jr.
0007CDD0 4A61 636B 6965 2043 6861 6E00 4D69 7373 Jackie Chan.Miss
0007CDE0 696F 6E00 5075 6E69 7368 6572 0052 6F62 ion.Punisher.Rob
0007CDF0 6F63 6F70 0052 6564 204F 6374 6F62 6572 ocop.Red October
0007CE00 0041 6C69 656E 2033 0048 6F6D 6520 416C .Alien 3.Home Al
0007CE10 6F6E 6520 3200 5261 7962 616E 2074 6865 one 2.Rayban the
0007CE20 2074 6869 7264 0054 616E 6B20 3139 3930  third.Tank 1990


    I was able to load the romdump (yes, the 4MB romdump) into an NES emulator and what shows up is SpiderMan, running with broken graphics. So that tells me the first "program" on the FlashROM is NOT the boot-loader "menu". So unless the NES-on-a-chip calls a specific location to start the boot-menu, something freaky is going on here. Could the boot-menu be on the NOAC? Not likely because the FlashROM contains the list of games.... I don't know. Finding the specific location and size of the "boot-menu" program data has so far been impossible for me. There's just nothing there that says "here is where the code starts, here is where it ends".

   Anyway,  I grabbed my collection of legal...ahem.... NES roms and started comparing the contents of those .nes ROMs that I had to the dumpfile I just created.
The first game I decided to compare was "Red October" (The Hunt for Red October), I don't know why either. That game sucks. Anyway.

Each NES rom has a 16-byte header, followed by game data, followed by graphics data.
I opened up "The Hunt for Red October.nes" and this is what it looks like (header is in red, game data in green):
00000000 4E45 531A 0810 4000 0000 0000 0000 0000 NES...@.........
00000010 5C00 9F00 D400 A911 EC00 9511 1801 AE66 \..............f

(The Hunt for Red October.NES)

    I won't go into the details of NES headers, google.
Since I know that the HfRO game in the OneStation cart is EXACTLY the same as the NES ROM that I have (tested in Emulator), I decided to search for traces of the NES ROM files inside the dumped OneStation FlashROM.

0015FFF0 0000 0000 0000 0000 0084 95C1 00FF BEC1 ................
00160000 5C00 9F00 D400 A911 EC00 9511 1801 AE66 \..............f
(OneStationROMDUMP-NES.bin)

    And what do you know? Except for the broken header, we have the exact same match for the game data code (signature)! (At offset 0x00160000) So what does this mean? It means they took the NES ROMs (dumped or, you know, found online) and stuck them into the FlashROM. The byte signature that I decided to search for was unique, it's very rare to get 16 bytes to be EXACTLY the same in more than one instance. In this case this worked out in my favor, as the OneStation romdump showed only one possible match of that byte-signature. Note that other games, such as Robocop, won't work this way (arbitrary signature after header), you have to select another unique byte-string-signature to extract from the NES rom to search for inside the OneStation rom.

    To test my findings, I ripped the NES ROM data from the OneStation FlashROM dump. HfRO.nes is 256Kb (262,160bytes) (or 0x40010bytes for reference), so I found the byte signature that I was looking for, and ripped out 262,160bytes (0x40010bytes) out of the OneStation ROMdump. I created a new test.nes file and compared (with Hex Workshop's byte-by-byte comparison) the two files.

Well actually, first I fired up my NES emulator and attempted to play the game... and what happened? The game ran...with freaky messed-up graphics, see below:


After that I decided to investigate further. Here's what I got when I compared the files:

Nothing too exciting here, obviously the Header is wrong. No big deal.

Moving on:

What the hell is this??? Why is Alien3 inside of the HfRO dump that I ripped out of the OneStation romdump??

More:


    Ok, so something freaky is going on here. Part of the Alien3 game code somehow ended up inside of the Robocop dump that I ripped out of OneStation romdump... I was confused. I went outside for a short break when it hit me. This cartridge is a multi-rom. The cartridge boots the menu, the boot-menu tells the system which game to run, the header is read. The header tells the game code where to find the GRAPHICS DATA! SO... because this is a multi-rom cartridge, the game code is stored sequentially, one after the other (I'll have to confirm that.), and the CHAR data (graphics) is stored in another location.

How did I confirm that? I went ahead and searched for this byte-signature (highlighted in that bluish color):


    I used the data from the original NES rom and searched for that byte-string (highlighted in blue on the bottom file) inside the OneStation ROM. And indeed, the graphics data is stored in a different location! Almost at the END of the FlashROM (at offset 0x003A000, in red):

0039FFF0 0000 0000 0000 0000 0000 0000 0000 0000 ................
003A0000 0000 0000 0000 0000 2020 2020 2020 20FF ........       .
003A0010 0000 0000 0000 0000 2020 2020 0000 00FC ........    ....
003A0020 0000 0000 0000 0000 0000 0000 0000 0000 ................
003A0030 0000 0000 0000 0738 0000 0000 0000 0000 .......8........
003A0040 0000 0000 0000 0000 2020 2020 0000 0000 ........    ....
003A0050 0000 0000 0000 0001 0000 0000 0000 0000 ................


SO the moral of this lesson is that in an NES ROM (in this example a 256Kb ROM):
    So I went ahead and ripped out 0x0020000 bytes from the beginning of the matched byte-signature. Then I replaced bytes 0x0020010 to 0x0040010 in my "Test.nes" file, (basically to recap, I ripped the HfRO game data from OneStation romdump and placed that into "test.nes", found out that didn't work, so I ripped out the graphics data and placed it into the last 0x0020000 bytes of the "test.nes" file).

Success! A complete game-data + graphics-data romdump-rip! See here:


    Ok, so that's it. I was able to rip out "The Hunt for Red October" out of the OneStation FlashROM dump and create an identical copy of my local "Hunt for Red October.NES" ROM. What does this mean? Well for one thing, it means that I didn't kill the FlashROM chip when I de-soldered it. Another thing is I was able to SUCCESSFULLY dump the whole FlashROM, and the fact that the HfRO rip from the romdump works means that the FlashROM dump was valid data.
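The rip described above, as an added Python example that is not part of the original page: it reads the PRG and CHR sizes from the reference ROM's header (bytes 4 and 5), finds each block in the dump by a signature that must match exactly once, and rebuilds the .nes file. The dump and reference ROM here are constructed (random filler placed at the offsets shown on the page), and using the first 16 bytes of each block as the signature is an assumption; a block that starts with padding needs a different byte string, which the uniqueness check will flag.

```python
import random

HEADER_LEN, PRG_UNIT, CHR_UNIT = 16, 16 * 1024, 8 * 1024

def find_unique(dump, sig):
    """Offset of sig in dump; refuses missing or ambiguous matches."""
    first = dump.find(sig)
    if first < 0:
        raise ValueError("signature not found")
    if dump.find(sig, first + 1) >= 0:
        raise ValueError("signature not unique, pick a different byte string")
    return first

def split_ines(rom):
    """Split a reference .nes file into (header, PRG, CHR) via header bytes 4 and 5."""
    if rom[:4] != b"NES\x1a":
        raise ValueError("not an iNES file")
    prg_len, chr_len = rom[4] * PRG_UNIT, rom[5] * CHR_UNIT
    if len(rom) != HEADER_LEN + prg_len + chr_len:
        raise ValueError("file size does not match header (trainer not handled)")
    prg_end = HEADER_LEN + prg_len
    return rom[:HEADER_LEN], rom[HEADER_LEN:prg_end], rom[prg_end:]

def rip_from_dump(dump, reference, sig_len=16):
    """Locate PRG and CHR separately in the dump and rebuild a .nes image."""
    header, prg, chr_ = split_ines(reference)
    prg_off = find_unique(dump, prg[:sig_len])
    chr_off = find_unique(dump, chr_[:sig_len])
    rebuilt = (header + dump[prg_off:prg_off + len(prg)]
               + dump[chr_off:chr_off + len(chr_)])
    return prg_off, chr_off, rebuilt

def make_sample():
    """Constructed 4 MB dump and reference ROM (filler is random, not game data)."""
    rng = random.Random(0)
    fill = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")
    header = bytes.fromhex("4e45531a081040") + bytes(9)      # header row from the page
    sig = bytes.fromhex("5c009f00d400a911ec0095111801ae66")  # PRG signature from the page
    prg, chr_ = sig + fill(0x20000 - 16), fill(0x20000)
    dump = bytearray(4 * 1024 * 1024)
    dump[0x160000:0x160000 + len(prg)] = prg    # PRG offset reported on the page
    dump[0x3A0000:0x3A0000 + len(chr_)] = chr_  # CHR offset from the page's hex dump
    return bytes(dump), header + prg + chr_

if __name__ == "__main__":
    dump, ref = make_sample()
    prg_off, chr_off, rebuilt = rip_from_dump(dump, ref)
    print(hex(prg_off), hex(chr_off), hex(len(rebuilt)), rebuilt == ref)
```

Comparing the rebuilt image byte-for-byte against the reference ROM is the same validity check the Hex Workshop comparison provided.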

BTW, if anyone wants the 4MB FlashROM "OneStationROMDUMP-NES.bin" file, e-mail me.


(UNFINISHED)
Modifying the romdump and burning it back into the FlashROM:

    Now that I have the data that I need, I want to see if I can stick it back onto the cartridge. I decided to try and replace the sucktacular Hunt for Red October with another game to see if reprogramming the FlashROM and re-soldering it back onto the OneStation would work. At first I wanted Excitebike on the cart, but then I realized Excitebike is something like 24KB, and I wanted a game that had the same file-size as HfRO just for testing purposes. Then I found Ninja Gaiden, ah yeah. A classic. Ninja Gaiden was exactly 256KB like HfRO.
    So what I did was replace the game data of HfRO with the game data from Ninja Gaiden (0x00000000 to 0x0020010). I took the data from "Ninja Gaiden.NES" and stuck it into OneStation romdump. Did the same for the graphics data. (Remember the file sizes and data location offsets). Cutting and pasting is not a grueling task, so that was done quick. I confirmed the file size of the OneStation romdump was still the same. So everything looked good. I also modified the "Menu" in the Boot screen to say "NinjaGaiden" (that's all that fit in there).
    I whipped out my trusty Willem programmer. Started programming the new modified romdump. Bam, it failed. Ok, I see that the programming software takes up a ton of resources. So I killed off a bunch of programs and erased the chip (took about 20mins). Then I successfully programmed the full 4MB modified romdump (took about an hour or so with a parallel-port programmer). I verified the chip-data and everything looked great.

    I yanked out the chip from the chip-programmer, and got to soldering. And that's where things went wrong. I've never done any SMT SOLDERING (De-soldering is a painless task). I made a huge mistake. I forgot to add flux to the pads, I forgot to tin the pads. I just put the chip back on the pads and jammed the soldering iron onto the chip's leads. Some leads wouldn't stick (duh... there's no SOLDER!), so I kept jamming on the soldering iron. A few minutes later everything looked good.

I thought I soldered the chip back on just fine. I closed the cartridge case. I plugged it into my OneStation console. Fired it up. WHITE SCREEN. NOTHING.
I looked closer, and I noticed I killed a few of the PCB's solder pads. And probably the chip too with that much heat.

So now what? I'm waiting for a few more of these 15-in-1 carts before I can continue and try to do this right.


TO BE CONTINUED...(after I get more OneStation Cartridges)




OneStation MD 16-Bit adapter and 16bit MD games:




    What's this? It's the "16bit MegaDrive" adapter and cartridges for the OneStation. The adapter is a Sega-Genesis-on-a-Chip, and the carts are like Genesis carts. The carts are tiny...and fragile. I got the MD adapter because when it was announced, I thought you'd be able to plug in Genesis carts into the adapter. I was wrong.
    So why am I dedicating a section to this thing? Because it sucks. 3 out of the 4 MegaDrive games I got were DEFECTIVE! 75% failure, BEFORE I even got a chance to play them. What's with that shit? The carts are so tiny and fragile, they are probably affected by the slightest bit of static electricity. I'm pissed. And inside the cart there really isn't much to look at. It's the same chip you see when you rip apart a Radica game system. That's it for my complaining.



Created by roto/mozy - October 28, 2006 - 10:00pm