
Can anyone tell me how the Xploder works?

Posted: July 20th, 2020, 1:49 am
by lordrafa
Hi everyone, I have been reading for a while about how a PSX cheat cartridge actually works, but there are some parts that I do not fully understand.

I think that I am right to suppose that the PSX BIOS checks if the string "Licensed by Sony Computer Entertainment Inc." is present at 0x1F000004, and if so it will jump to the address at 0x1F000080 or 0x1F000000 (depending on the moment).

The Xploder ROM will be placed at range 0x1F000000-0x1F040000 and will contain the magic string plus all the required code and data. I think that the code is run directly from the ROM and never goes into the RAM.

If I understood right, an Xploder cheat is a pair: an address to modify and a desired value. Hence if I want to, let's say, have infinite lives, I just need to periodically write the desired value to the address where the life variable resides so it never reaches 0. There are conditional cheats and also more advanced modes that allow monitoring which addresses have been modified, but let's forget about them.

Additionally in the Xploder schematics, I can see that there is a CPLD/PLA that enables and disables the cartridge ROM depending on the address bus and some control lines. I would be tempted to think that this component is there just to support the PC communication using the DB25 connector and perhaps it could be removed by routing PSX CE directly to the ROM.

I would be really grateful if anyone can confirm all this. Also, I don't have any clue about how the memory is modified once we jump into the game code. My only explanation would be that the Xploder code leaves a routine attached to a software interrupt that runs periodically, modifying the required addresses, but this sounds weird because it would be fairly easy for the game to mess with the interrupt vector and prevent the cheats from working properly.

Re: Can anyone tell me how the Xploder works?

Posted: July 20th, 2020, 2:46 am
by lordrafa
Hmm, I just realized that the PSX supports multi-threading, so perhaps that is the part that I was missing... If I can assume that there is no memory protection between threads, it would be fairly easy to manipulate other threads' variables...

Re: Can anyone tell me how the Xploder works?

Posted: July 20th, 2020, 5:58 pm
by danhans42
So, your assumptions about the EEPROM are correct.

You can do away with the GAL and just use a ROM. However, the GAL handles more than just PC communication: it's an address decoder and also provides two 1-bit inputs.

The GAL allows the memory space to be divided up and provides the chip selects to the various parts of the board. This is covered comprehensively in the nocash PSX FAQ document. The default setting for the expansion 1 region used is 512k from 1f000000-bf07ffff. The GAL provides the switch input, XP SEL input and the CS line which drives the 74HC245 or 373. It also handles the upper part of the ROM if 512k is used, and also the memory mapping if SRAM is fitted.

If you check out the cheat cartridge section of the nocash document, then under chipset pinouts you can see how the GAL is wired, along with the 74373/74245.

Any Q's, give me a shout. I am actually re-implementing the GAL in a modern Atmel ATF22V10C at the moment, having done it with a CPLD. See below :)

Re: Can anyone tell me how the Xploder works?

Posted: August 5th, 2020, 9:47 am
by lordrafa
Thanks, this satisfies my curiosity.
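
The header layout described in the first post and confirmed in the reply (licence string at 0x1F000004, entry addresses at 0x1F000000 and 0x1F000080), as an added example that is not part of the thread: a checker for a cartridge ROM dump. It assumes the entry addresses are 32-bit little-endian words that point into the 0x1F000000-0x1F040000 range; `inspect_rom` and `build_sample` are hypothetical names and the sample image is constructed.

```python
import struct

ROM_BASE, ROM_END = 0x1F000000, 0x1F040000   # ROM range quoted in the first post
MAGIC = b"Licensed by Sony Computer Entertainment Inc."
MAGIC_OFF = 0x04                              # string expected at 0x1F000004
ENTRY_OFFS = (0x00, 0x80)                     # entry words at 0x1F000000 / 0x1F000080

def inspect_rom(image: bytes) -> dict:
    """Check a cartridge ROM dump against the header layout from the thread."""
    report = {"magic_ok": False, "size_ok": False, "entries": {}, "consistent": False}
    if len(image) < max(ENTRY_OFFS) + 4:      # too short to hold both entry words
        return report
    report["size_ok"] = len(image) <= ROM_END - ROM_BASE
    report["magic_ok"] = image[MAGIC_OFF:MAGIC_OFF + len(MAGIC)] == MAGIC
    for off in ENTRY_OFFS:
        # Assumption: entries are 32-bit little-endian pointers (the PSX CPU is LE).
        (addr,) = struct.unpack_from("<I", image, off)
        report["entries"][off] = {
            "addr": addr,
            # Assumption: a sane entry point lands inside the dumped ROM itself.
            "in_rom": ROM_BASE <= addr < ROM_BASE + len(image),
            "aligned": addr % 4 == 0,         # MIPS instructions are word-aligned
        }
    report["consistent"] = (
        report["magic_ok"] and report["size_ok"]
        and all(e["in_rom"] and e["aligned"] for e in report["entries"].values())
    )
    return report

def build_sample(entry0=0x1F000100, entry80=0x1F000180) -> bytes:
    """Constructed 512-byte image for the demo, not a real cartridge dump."""
    img = bytearray(0x200)
    struct.pack_into("<I", img, 0x00, entry0)
    img[MAGIC_OFF:MAGIC_OFF + len(MAGIC)] = MAGIC
    struct.pack_into("<I", img, 0x80, entry80)
    return bytes(img)

if __name__ == "__main__":
    for name, img in (("good", build_sample()),
                      ("entry in RAM", build_sample(entry80=0x80010000))):
        r = inspect_rom(img)
        print(name, "consistent:", r["consistent"],
              {hex(o): hex(e["addr"]) for o, e in r["entries"].items()})
```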