Haha i tried it with all the mask roms ( from TKO and RBI ) in every daughter board ( TKO / RBI / SSK both sides ) and not even a blinking screen...
Big dissapointment. I know the rom file says 0001 PPU, but is there any way it was one of the 05 series like MBJ ?? ...
I know this has gone cold case.... BUT, found some interesting Stuff over the weekend with regards to the Super Xevious rom file. So apparently there is some protection built in. This even tells you how to defeat this protection. Time to fire up the hex editor i think! ....
http://nocash.emubase.de/everynes.htm#vssystemppusandpalettes
VS System Protections
Unprotected Games
VS Games are consisting of sets of EPROMs without any special hardware (apart from custom cabinet front plates), the are no CIC lockout chips. That (and the relative high price of the games) made it quite inviting to upgrade the cabinets with illegal copies of newer games, or with unlicensed third-party games.
Nintendo Protections
To prevent piracy & unlicensed games, Nintendo has made a bunch of different PPUs: PPUs with different palettes, and PPUs with different Port 2000h/2001h/2002h.
Third-Party Protections
Thirty-Party games can be often DIP-switched to work with different palettes (thus bypassing Nintendo's protection). Instead, some thirty-party games do require some special "ID chip" mapped at 5xxxh or 5Exxh, and refuse to boot if the thing doesn't respond with expected values (see below for details).
Daughterboards
These are mainly used to access more memory. But, to some level they do also act as protection, since one needs to buy the boards. Some boards can be DIP-switched to work with different games with ROM capacites though.
Raid on Bungeling Bay
This game consists of seven 8Kbyte EPROMs. Six PRG/CHR EPROMs for first CPU, and one PRG EPROM for second CPU (without any CHR ROM here). This extra EPROM isn't doing anything useful (no sound/video output, and coprocessor-like maths), it's just doing a short handshake with the other CPU, and then it hangs in an endless loop.
The purpose is unknown; it may be some crude protection (won't work if the extra EPROM doesn't say "I am here"). Or maybe the game supports DUAL mode (and in UNI mode, requires the second CPU to say "I am NOT here").
Basically, the game needs a response IRQ from other CPU (with don't care response at 67E0h-67FFh), and additionally DIP 5 must be ON.
TKO Boxing Protection (Namco)
Protection unit is contained in a 28pin chip with part number "126 JAPAN".
[5E00h].Read ;-reset data stream (returns unknown/dummy value)
[5E01h].Read ;-return data stream (returns FFh,BFh,B7h,etc.)
TKO Boxing contains pre-computed 32 values in ROM:
FF,BF,B7,97,97,17,57,4F,6F,6B,EB,A9,B1,90,94,14 ;1st..16th read
56,4E,6F,6B,EB,A9,B1,90,D4,5C,3E,26,87,83,13,51 ;17th..32th read
That is, the initial value (FFh on first read) is XORed by following values:
40,08,20,00,80 ;XORed after 1st..5th read
40,18,20,04,80 ;XORed after 6st..10th read
42,18,21,04,80 ;XORed after 11st..15th read
42,18,21,04,80 ;etc.
42,18,21,44,88
62,18,A1,04,90
42
The exact way how that pattern is generated (and how it continues after 32 reads) is unknown. Note: The way how TKO Boxing is programmed, it CAN only verify the first 31 values, and actually DOES only verify first 7 values (unless there are further checks hidden "deeper" in the game).
Atari RBI Baseball Protection (Namco)
Protection unit is contained in a 28pin chip with part number "127 JAPAN".
[5E00h].Read ;-reset data stream (returns unknown/dummy value)
[5E01h].Read ;-return data stream (returns whatever...)
RBI Baseball verifies only two values: B4h on 5th read, and 6Fh on 10th read. This is different as in TKO Boxing (which would return 97h and 6Bh).
Super Xevious Protection (Namco)
Uses whatever protection chip (unknown part number).
The game is doing the following check upon Reset:
Write: [5098h]=38h, [5132h]=9Eh, [5263h]=22h, [5300h]=90h
Verify: [54FFh]=05h, [5678h]=01h, [578Fh]=89h, [5567h]=37h
Write: [5056h]=44h, [51C8h]=72h, [526Ah]=9Ah, [5300h]=FEh
Verify: [54FFh]=05h, [5678h]=00h, [578Fh]=D1h, [5567h]=3Eh
That can be faked by returning following values upon [5400h..57FFh] reads:
05h, 01h, 89h, 37h, 05h, 00h, D1h, 3Eh
Unknown how the hardware works in reality; it looks like four 8bit latches, and scrambled data, possibly by XORing data & address lines.
I am by no means a software guy... but I like screwing around with this stuff haha.