Author Topic: Demystifying the 1.8in Handhelds  (Read 3009 times)

davidstech

  • Full Member
  • ***
  • Posts: 140
    • View Profile
    • http://ds0.me
Demystifying the 1.8in Handhelds
« on: December 15, 2017, 11:06:15 AM »
Further to my dump a couple of days ago of one of the as-of-yet totally undetermined 1.8in handhelds, I decided to dump another slightly older one, a 106 in 1 I bought from Taobao a few years ago, model number "8533" and PCB date 2013-10-18. You can find the ROM dump here:

http://davidstech.net/games/multis/106%20in%201%201.8in%20DigitalPocket%20Handheld%208533.7z

This time, there are at least some strings in the ROM. At 0x2129 there are the names of all the games, separated by 0xFF. Elsewhere there is other in-game text and also a reference to a hardware test and a checksum.

More interesting there is what is very clearly valid 6502 machine code at various locations in the ROM, the first example I noticed was at offset 0x40436 immediately after the text NS-TOWER and its 0xFF "terminator". This does seem to narrow down the possibilities for what it could be, and also suggests the possibility that it's architecture is somehow derived from the NES. However, I can't immediately find any particularly NES-esque code like writes to the PPU register space. Hence I think it also possible for it to be GameKing derived, as that also had a 6502 based processor.

I can't find obvious assembly in last week's 116in1 ROM dump but given the lack of strings in that dump I think it may be scrambled in some way, which I will investigate further.

I'm going to try and do a bit more research and experimentation, maybe one day we'll have some kind of emulator for these devices.
Well, that was easy, I don't even know why they bothered. The 116in1 dump I last week made was scrambled with the world's best encryption system - XORing with 0xE4... Now strings and assembly are visible and it looks structurally similar to the 106in1, also the name "tony" appears early on - if Tony is reading this, please reply :).

Here's a descrambled version of last week's dump:

http://davidstech.net/games/multis/116%20in%201%201.8in%20Retro%20Pocket%20Games%20(descrambled).7z


A bit more investigation and it appears the code is for the 65C02, not the plain 6502. I can't find anything that points to a particular platform; my best guess now is some generic 65C02 based microcontroller that either has enough RAM that the bootloader copies code from the external SPI flash to RAM, or that supports directly running code off SPI flash.

The LCD display appears to be a generic "microprocessor parallel" type interface so the processor wouldn't necessarily need to have a PPU or display interface if that was done in software. It also seems that the processor might have a speaker driver built in which would narrow the search further.
« Last Edit: December 15, 2017, 04:06:14 PM by davidstech »

davidstech

  • Full Member
  • ***
  • Posts: 140
    • View Profile
    • http://ds0.me
Demystifying the 1.8in Handhelds
« Reply #1 on: December 21, 2017, 06:22:36 PM »
A bit more info, if anyone is curious.

With regards to these devices and the disassembly of their ROMs:

There seems to be RAM low down in memory,  seemingly around $0000..$0fff. Some code executes out of this.

Some frequently called and jumped to code is located around $6000..$6xxx. This is most likely an internal ROM in the processor. When functions here are called it seems data is passed by writing into consecutive memory locations starting at either $0100 or $0080.

There seems to be some kind of IO ports at $8000 and $c000. It looks like $8000 is for an address/command and $c000 for data. Maybe this is display related.

On a separate note, I also have some higher resolution also unknown devices. One of the higher resolution consoles I have with a similar set of games to the low res ones (the PCP station 8728 with "Bluetooth") seems to be based on the same hardware internally, and hence has framerate issues. The other with TV-out and a different set of games (the CY-699A, similar to the 828 taizou looked at IIRC) has totally different hardware inside with parallel flash and some kind of encryption/authentication chip. It does have 168 on the PCB so maybe even VT168. I haven't tried dumping the ROMs of either of these yet.
« Last Edit: December 21, 2017, 06:28:07 PM by davidstech »