game
icon
title Knuckle Bash
set name kbash
manufacturer Toaplan
year 1993
genre Fighter (hof)
category Fighter / Versus Co-op (hof)
driver status imperfect
driver source toaplan2.c
snapshots MW: in game / CT: in game | title ( 1 ) | select / EJ: in game
zoom
rating

59.2% after 39 votes
 
top
display
colour emulation good
palette 2048
display type raster
orientation horizontal
resolution 320x240
frequency 60.000000Hz
top
sound
sound emulation imperfect
channels mono
top
controls
players 2
nplayers 2P sim
controls 8 way joystick
buttons 3
coin slots 2
top
hardware
cpu 68000 @ 16MHz
audio YM2151 @ 3.375MHz
audio OKI6295 @ 1MHz
top
data
version added .036rc1
last change(s) none since version .53
roms
name size crc set flags sha1
kbash01.bin  524288  2965f81d  kbash    46f2df30fa92c80ba5a37f75e756424e15534784 
kbash02.bin  32768  4cd882a1  kbash    7199a5c384918f775f0815e09c46b2a58141814a 
kbash03.bin  2097152  32ad508b  kbash    e473489beaf649d3e5236770eb043327e309850c 
kbash05.bin  2097152  b84c90eb  kbash    17a1531d884d9a9696d1b25d65f9155f02396e0e 
kbash04.bin  2097152  e493c077  kbash    0edcfb70483ad07206695d9283031b85cd198a36 
kbash06.bin  2097152  9084b50a  kbash    03b58278619524d2f09a4b1c152d5e057e792a56 
kbash07.bin  262144  3732318f  kbash    f0768459f5ad2dee53d408a0a5ae3a314864e667 
top
cabinet art
marquee kbash.png
flyer kbash.png
PCB kbash.png
top
additional information
info 0.36RC1 [Quench]

TODO:
  • Hook up YM2151 sound
WIP:
  • 1st June 2008: Charles MacDonald - V25 research: There are a number of instructions which delay interrupt and exception processing, allowing one more instruction to be executed before the interrupt is taken. For the prefixes, this prevents an interrupt from being taken after the prefix byte has been fetched but before the instruction it applies to has been executed. Likewise for segment register loads, if an interrupt occurred after SS was changed, SP would be invalid. By delaying interrupts the following types of sequences become uninterruptible. It seems less important to have DS and ES register loads delay interrupts as well, I did not expect this behavior. I have been looking at the MCU code for other games and it seems that they use similar, if not identical instruction encodings, despite using differently labeled MCUs. V-Five in particular seems to match the Knuckle Bash opcodes quite closely, and when/if I can get Knuckle Bash decrypted, I'll see how much of V-Five can be decrypted.
  • 12th April 2008: Charles MacDonald - I recently acquired a Toaplan "Knuckle Bash" PCB. It's a fairly impressive system, based around a custom graphics chip which displays three tiled background layers and two 512x512 12-bit framebuffers for double buffered sprites. It has a 68HC000 running at 16 MHz that handles all the game related tasks, and a V25S MCU that manages inputs, sound effects, and music playback. The music for this game is quite good and definitely a notch above the rest. A lot of other Toaplan games use the same graphics chip, so I'm intending to run tests on it and get all the timing and other details worked out. The V25S microcontroller is a 80186 clone manufactured by NEC. Unlike the V25 it has no usable internal ROM and no 8080 emulation mode, the latter of which has been modified to add a new 'secure' operating mode. In secure mode a lookup table translates opcodes fetched from memory with their V25S equivalents. This allows the opcode-to-instruction mapping to be changed as the customer (Toaplan) sees fit, making the program code unusable unless the table contents are known. Luckily operands and data are not encrypted, and examination of the operands such as the ModR/M byte can reveal what category of instructions a particular opcode might fit in to. NEC intended for the V25S to be used as a drop-in replacement for the V25, to accomplish this it uses one of the unused V25 pins as a mode select input. When tied high or floating (due to an internal pull-up resistor) the CPU runs in normal mode, where the lookup table is bypassed and opcodes are processed normally. When tied low, the CPU is in secure mode and the lookup table is utilized. This pin is sampled during a reset, interrupt, or exception, and bit 15 of the PSW can be modified through select instructions to change the operating mode regardless of the pin state as well. These features allow a V25S to start in normal mode and selectively execute encrypted programs while still interacting with a unencrypted BIOS, operating system, and device drivers, or vice-versa. I modified the Knuckle Bash board to start the V25S in normal mode, and developed a program that sets the MCU to a known state and enters secure mode with the instruction trap feature enabled. This forces just one encrypted instruction to be executed before control is passed back to my unencrypted code, at which point the potentially modified state of the MCU is saved and examined. The behavior of all encrypted opcodes (except BRKS which sets up an unrecoverable state) can therefore be examined. I can see things like what data was pushed or popped from the stack, which registers were loaded, exchanged, or modified, and which instructions triggered an I/O or floating point exception. A lot of information can be gathered about the encrypted instructions, which narrows down or completely identifies which unencrypted instructions they map to. Best of all this technique should work for any V25S based system, such as the other Toaplan games. I'm looking forward to trying it on my Golden Axe 2 security board to see how effective it is after finishing with Knuckle Bash, though right now it's too early to give any indication of progress. Toaplan did an excellent job with the protection. The program ROM is filled with valid Z80 code and garbage data to throw off statistical analysis of the ROM, such as observing the frequency of occurence for particular bytes and byte sequences. The MCU has no manufacturer marking and has ambiguous names printed on it like "NITRO" and "DASH". Furthermore, the lookup table maps many opcodes to the same instructions so certain easily identifiable instructions can simply never be executed, increasing the number of potential matches any encrypted instruction might have. If this technique is applicable to the V35S, we'll have to see what Irem did with their games.
  • 0.88: Changed MSM6295 clock speed to 7575 Hz.
  • 11th May 2003: Guru - Knuckle Bash (Toaplan) arrived from Randy.
  • 0.37b10: Changed OKI6295 clock speed to 20454 Hz.
  • 0.37b9: Changed OKI6295 clock speed to 20000 Hz.
  • 0.37b6: Changed YM3812 clock speed to 3375000 Hz.
  • 0.36RC1: Quench added Knuckle Bash (Toaplan 1993). Working, but no sound. MCU dump exists, but it needs investigation.
  • 12th January 2000: Quench sent a driver for some later Toaplan games such as Teki Paki, Ghox, Dogyuun, Knuckle Bash, Pipi & Bibis / Whoopee!! and Snow Bros 2.
LEVELS: 10

Other Emulators:
  • Raine
Recommended Games (Street Fighter):

Knuckle Joe

My Hero

Renegade

Trojan

Trojan (PlayChoice-10)

Avengers

Double Dragon

Double Dragon II

Double Dragon 3

Double Dragon (PlayChoice-10)

Double Dragon (Neo-Geo)

Ginga NinkyouDen

Kyros

Shinobi

Shinobi (Mega-Tech)

The Revenge of Shinobi (Mega-Tech)

Bad Dudes vs. Dragonninja

Shadow Warriors

Vigilante

Crime Fighters

DownTown

Final Fight

Gang Wars

Last Battle (Mega-Tech)

Ninja Gaiden (PlayChoice-10)

Ninja Gaiden Episode II (PlayChoice-10)

Ninja Gaiden Episode III (PlayChoice-10)

Shadow Dancer

Tough Turf

The Combatribes

Crude Buster

Growl

Mug Smashers

64th. Street

Brute Force

Captain Commando

D. D. Crew

Karate Blazers

Riot City

Vendetta

Big Fight

Guardians of the Hood

Silent Dragon

Undercover Cops

Cadillacs and Dinosaurs

Knuckle Bash

Knuckle Bash 2

Ninja Baseball Batman

The Punisher

Streets of Rage II (Mega Play)

Violent Storm

Pretty Soldier Sailor Moon

Osman

Spikeout

Spikeout Final Edition

Vamp 1/2

Thunder Heroes

Romset: 8992 kb / 7 files / 3.22 zip
history Knuckle Bash (c) 1993 Toaplan.

3 wacky characters go after the Bulls and others who would dare threaten the peace of the city!

- TECHNICAL -

Game ID : TP-023

Main CPU : 68000 (@ 16 Mhz)
Sound Chips : YM2151 (@ 3.375 Mhz), OKI6295 (@ 7.575 Khz)

Screen orientation : Horizontal
Video resolution : 320 x 240 pixels
Screen refresh : 60.00 Hz
Palette colors : 2048

Players : 2
Control : 8-way joystick
Buttons : 3

- TRIVIA -

Licensed to Atari Games for Europe and USA distribution.

- TIPS AND TRICKS -

* Hidden Functions : If the 'Invulnerability dip switch' is enabled, you are invulnerable but you may also 'Pause' the game with P2 Start and restart with P1 Start.

- SERIES -
  1. Knuckle Bash (1993)
  2. Knuckle Bash 2 (1999)
- STAFF -
  • Designer : Junya Inoue
- SOURCES -

Game's rom.
resource links view in MAWS
view in CAESAR
view high score and replay at MARP
view in Progetto EMMA (Italian)
view in arcade-history.com
view in GameFAQs
view in KLOV
view in MamEnd
view in System16
view in The Arcade Flyer Archive
view in VGMuseum Game Endings
view in VGMuseum Gamepics
top
cheats
cheats
code comments
60000000:000000:00000000:00000000  -----------------------------
60000000:000000:00000000:00000000  A lot of these cheats need
60000000:000000:00000000:00000000  to be deactivated at the
60000000:000000:00000000:00000000  end of the round. Use F6 to
60000000:000000:00000000:00000000  disable then F6 to reenable
60000000:000000:00000000:00000000  when the next round starts
60000000:000000:00000000:00000000  -----------------------------
00000000:100023:00000009:FFFFFFFF  Infinite Credits
00000000:10023D:00000099:FFFFFFFF  Infinite Time
20800000:003811:00000008:FFFFFFFF  Invincibility
20810000:00A801:00000002:FFFFFFFF  Invincibility (2/6):1st = Direct Attack, 2nd = Trap
20810000:017232:00000060:FFFFFFFF  Invincibility (3/6):3rd-5th = Special Attack
20810000:018EDE:00000060:FFFFFFFF  Invincibility (4/6)
20810000:01E586:00000060:FFFFFFFF  Invincibility (5/6)
20910000:0210F8:00004E75:FFFFFFFF  Invincibility (6/6):Catch or Throw
60000000:000000:00000000:00000000 
00000000:1001D5:00000009:FFFFFFFF  Infinite Lives PL1
00000000:10151C:00000070:FFFFFFFF  Infinite Energy PL1
00000000:100015:00000000:00000010  Rapid Fire PL1:Turn it OFF on the name entry screen
00010000:101527:00000000:00000010  Rapid Fire PL1 (2/2)
00000001:101659:00000099:FFFFFFFF  Get 153 Pts Sub Game PL1
00000001:101659:00000000:FFFFFFFF  Get 0 Pts Sub Game PL1
60000000:000000:00000000:00000000 
00000000:10020D:00000009:FFFFFFFF  Infinite Lives PL2
00000000:1015C4:00000070:FFFFFFFF  Infinite Energy PL2
00000000:100019:00000000:00000010  Rapid Fire PL2:Turn it OFF on the name entry screen
00010000:1015CF:00000000:00000010  Rapid Fire PL2 (2/2)
00000001:101701:00000099:FFFFFFFF  Get 153 Pts Sub Game PL2
00000001:101701:00000000:FFFFFFFF  Get 0 Pts Sub Game PL2
60000000:000000:00000000:00000000 
20900000:0003F0:00006062:FFFFFFFF  Skip RAM/ROM Check:It's better to use together with Pre-Enable
20910000:0004B6:00004E75:FFFFFFFF  Skip RAM/ROM Check (2/2)
top
2004-2008 MAWS all copyrights belong to their respective owners