Saturn CD Block ROM dumped again. |
Waterfuell - Aug 10, 2020 |
Waterfuell | Aug 10, 2020
I've replicated the method described by JHDL six years ago. Credits to antime, because I've used his "serial transfer client" code. I used it before in my SS with my own Linux Python "transfer tool" and an FT232RL, and it worked very well. Only minor adaptations have been needed to make it work in the CDB SH1. For compiling I've used the Red Ringo Rico toolchains, self-compiled some time ago to work under Linux.

I've built my own EPROM programmer based on robsoncouto's work: robsoncouto/flash... And some modifications based on schematics from the kernelcrash blog: Using an Arduino Uno to program EPROMs – KernelC...

The SH7034 datasheet has been very useful, as has the Sega Saturn service manual.

At offset 0x400 you can read exactly "Copyright (C) Hitachi, Ltd. 1993"

md5sum CDB_ROM 21cc63ac18d7a85420c24de5c7d51321
CDB_ROM 1byte checksum 0xee

Some pics: Dumping device. CD Block daughterboard. DIY EPROM programmer. DIY EEPROM eraser (20 years ago it was a PCB isolator).

I've attached the code and tools used (a little bit chaotic), for reference.

PS: Sorry for my English.
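The post gives three things a reader can check against their own dump: the copyright string at 0x400, the md5, and a one-byte checksum. The script below is an added example (not the tools attached to the thread) that runs those checks on an image file. It assumes "1byte checksum" means the sum of all bytes modulo 256, which the post does not define; the constructed stand-in image at the bottom is for running offline and is not a real ROM.

```python
"""Sanity-check a dumped CD Block ROM image.

Added example, not the thread's own tools. Assumptions not stated in the thread:
  * "1byte checksum" = sum of all bytes modulo 256.
  * The copyright string sits at offset 0x400, as the first post reports.
"""
import hashlib
import sys

COPYRIGHT_OFFSET = 0x400
COPYRIGHT_STRING = b"Copyright (C) Hitachi, Ltd. 1993"
# Values reported in the first post for the dumped ROM.
EXPECTED_MD5 = "21cc63ac18d7a85420c24de5c7d51321"
EXPECTED_SUM8 = 0xEE


def sum8(data: bytes) -> int:
    """8-bit additive checksum: sum of all bytes modulo 256 (assumed meaning)."""
    return sum(data) & 0xFF


def md5_hex(data: bytes) -> str:
    """Hex md5 of the whole image, comparable with the post's md5sum line."""
    return hashlib.md5(data).hexdigest()


def copyright_at(data: bytes, offset: int = COPYRIGHT_OFFSET) -> bool:
    """True when the Hitachi copyright string is found at the given offset."""
    return data[offset:offset + len(COPYRIGHT_STRING)] == COPYRIGHT_STRING


def check_rom(data: bytes, expected_md5: str = EXPECTED_MD5,
              expected_sum8: int = EXPECTED_SUM8) -> dict:
    """Run all three checks and return them by name.

    A matching md5 settles the question on its own. The string and sum checks
    are the ones that still help on a dump of a version with no reference md5:
    a wrong string at 0x400 usually means a wiring or addressing slip, and a
    wrong byte sum means at least one byte read back differently.
    """
    return {
        "copyright_ok": copyright_at(data),
        "sum8": sum8(data),
        "sum8_ok": sum8(data) == expected_sum8,
        "md5": md5_hex(data),
        "md5_ok": md5_hex(data) == expected_md5,
    }


def make_sample_rom(size: int = 0x1000) -> bytes:
    """Constructed stand-in image (NOT a real ROM): zero-filled, with the
    copyright string at 0x400 and a final pad byte chosen so that the 8-bit
    sum comes out to 0xEE. Its md5 will of course not match the real dump."""
    buf = bytearray(size)
    buf[COPYRIGHT_OFFSET:COPYRIGHT_OFFSET + len(COPYRIGHT_STRING)] = COPYRIGHT_STRING
    buf[-1] = (EXPECTED_SUM8 - sum(buf)) & 0xFF
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python check_cdb_rom.py CDB_ROM   (falls back to the sample image)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = make_sample_rom()
    for name, value in check_rom(image).items():
        print(f"{name}: {value}")
```

Run it with the dump file as the only argument; without one it checks the constructed image, for which only the string and byte-sum checks can pass.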
Waterfuell | Aug 10, 2020
Just that, it is what JHDL did a long time ago; I've wanted to do the same since then.
Waterfuell | Aug 10, 2020
I forgot to say your code has been so useful; it's practically the same code that I've loaded in the SH1. So, thanks antime.
antime | Aug 10, 2020
You're welcome. The code was published to be used. |
vbt | Aug 11, 2020
congrats @Waterfuell... & @antime..., now any clue or hint that could allow using the SH1 as a normal CPU? Codemasters said they tried to use it for Micro Machines V3
slinga | Aug 11, 2020
Give Ghidra a shot. It supports SH-1. |
slinga | Aug 11, 2020
AFAIK the only way to interact with the SH-1 is via the CD Block registers which have a very limited interface. If there was a way to program the SH-1 from the SH-2 it would be trivial to dump the SH-1 ROM. |
vbt | Aug 12, 2020
there is one way to write to the CD-ROM RAM (the SH1 RAM) from the SH2s, so if there was a hidden command to execute some code we could use the SH1 a bit.
antime | Aug 12, 2020
The hope is to find an exploitable bug in the ROM, that would allow code execution. A back door would of course make things easier. |
cafe-alpha | Aug 12, 2020
Congratulations @Waterfuell...! You're certainly the second person to have dumped the CD Block ROM. Just out of curiosity, do you plan to share the analysis of the ROM, or to keep it private?
From my limited knowledge around the CD Block, it's not possible to send data from SH-2 to SH-1: in normal usage, the "data access register" is just accessed for reading and I doubt that writing there does anything relevant. The most doable way of using the SH-1 for a purpose other than reading CD-ROM would be to inject a custom SH-1 executable into the ROM of the MPEG cart, as Satiator is doing.
Waterfuell | Aug 12, 2020
I've thought about it, but there is no space left on my HD; I have in mind buying a new HD, then I will give it a try.
Thanks. My idea is to share everything I get.
As @vbt... says, you can upload data to the SH1; the question is, as @antime... points out, finding an exploitable way to execute that data somehow. AFAIK the Pseudo Saturn exploit copies fake sectors to CDB RAM, but I'm not an expert either. My initial hope is to find an easy way to dump the ROM, maybe the test points in the CDB daughterboard?? They are connected directly to one serial port of the SH1. But a lot of work is left yet. PS: As always, sorry for my English.
rorirub | Aug 16, 2020
I'm waiting for someone to write a dumper on the Satiator, so we can dump the other CD Block firmware versions... CDB104 is undumped, and Nemesis has prototype hardware with SH1 versions without security checks; those would be interesting to have (it would make the ultimate "mod" chip!).
I can confirm that the md5 matches the CDB105 dump made by Doc Abrasive. Dear Lord... it was over 6 years ago... As far as I know, he disassembled the entire thing and the closest thing to a backdoor was a "universal" system disc that would bypass the region check. Also the system disc only checks two strings in the cd header (first sector), and the rest of the disc is filler. To quote him:
So the MPEG1 port is the only "backdoor" where you can execute SH1 code. |
rorirub | Aug 16, 2020
Third, as far as I know. Someone else already replicated Doc's method to dump the CDB106. |
black_kawa | Aug 16, 2020
I believe the disc you guys are talking about is the black discs, used in the development of games. I got the .iso from a Facebook group and I was using it to run backups. The disc allows you to run backups, but since it doesn't have the security layer, you need to disc swap with an original game to make the disc work. If you guys want I can share the .iso
Waterfuell | Aug 16, 2020
IIRC JHDL discovered in the ROM that a "super disc" could exist to run 1st and 3rd party disc copies. The black disc you are talking about should be the KD02 system disc, used to launch 3rd party disc copies.
Waterfuell | Aug 16, 2020
Probably I will never put my hands on a Satiator, so at the moment replicating what JHDL did six years ago is the only thing that I can do to get the CDB ROM. The code discoveries made by JHDL have not been released, so studying the ROM by myself is the only thing that I can do to understand how the CDB works, and how to load SH1 code. Edit: I forgot to say, JHDL also discovered that you can load encrypted SH1 code from an authenticated CD.
slinga | Aug 16, 2020
Are you sure it wasn't from an authenticated MPEG card? Because if you can load encrypted SH1 code from an authenticated disc it would be trivial to write a program to dump the SH1 ROM. |
Waterfuell | Aug 17, 2020
Sure, IIRC it is related to two offsets located in the IP: one says where the SH1 code is, the other says the length. I can try to find the related code in the ROM. PS: I've cleaned my HD and installed Ghidra; the C decompiler is interesting, some problems with arguments and return variables in functions, the code in the ROM looks like it doesn't follow standard rules.