this idea a had...
AntiPasta - Jan 7, 2003
TakaIsSilly | Jan 7, 2003
Sure, it's possible: create a program that runs the code on this thread, given by CyberWarriorX: http://litespeedcomputers.com/sx....;t=1029... This authenticates the CD, but you still have to swap for the CD information during the process at the same time... otherwise it won't do the TOC correctly, I suspect. Loading the program file will probably end up being more difficult. Although most programs will load the first file on the TOC, some games (Elan Doreé comes to mind) have huge files that are bigger than the available RAM...
AntiPasta | Jan 8, 2003
Well, isn't it possible to control the CD drive more directly? Either through to-the-metal I/O or some more basic BIOS calls...
Vic Viper | Jan 8, 2003
"Placing program code in cartridges can be made into a security hole by creating a ROM with this portion rewritten." I think they mean: by making a bootable cartridge you show hackers how to boot trojans and other hacking tools into the system. P.S.: Yes, there's a way to dump the BIOS with Comms Link; here ya go: http://f-ts.bias.ne.jp/~azuco/ase/ipl.htm... Basically the guy tells you to make the Comms Link software read the area from 0x00000000 to 0x00080000 (512 KB).
antime | Jan 8, 2003
That will dump the main BIOS, no problem there. BIOS images have been available on the net forever, but what we're interested in here is dumping the CD subsystem BIOS, which is not accessible from the main CPUs. The security hole may have meant booting pirate carts from legit game CDs, but then again the Action Replay, the cartdev system and all import carts boot straight from cartridge ROM, so that could hardly have been considered secret knowledge. I remember reading somewhere a year or so ago that the CD subsystem could be accessed from cartridge space, but as I can't even recall where I read it I can't say whether it was just someone speculating or someone with real info on the subject. With the right hardware you could probably dump the CD BIOS without too much trouble, but I for one do not have the resources to do it.
TakaIsSilly | Jan 8, 2003
As often said, the Saturn offers no MMU. That being so, the memory of the system cannot be changed other than by means of the cartridge slot. You can make a cart (that's just a bus expansion) that overlays the memory map and offers a modified version of some code (perhaps the 0x60002dc and 0x600029c calls). The fact is that we _can_ do I/O calls: we have a detailed register explanation of the SCU, we can read all CD-ROM formats, all sectors, I believe even subchannel info... We can do lots of stuff with it, after it is unlocked. But before that, the interface to the hardware always returns a "Device not Ready" error... Don't forget the Saturn has an SH1 microcontroller for all CD-ROM functions, and its memory isn't accessible from the bus the cart is sitting on - data is transferred using the SCU, not by software activation. It's little wonder this was a problem for the modders back in the day.
Vic Viper | Jan 9, 2003
As someone pointed out here (I think it was ExCyber), the CD subsystem is a black box. It's composed of 3 chips: YGR019 (seems to be the interface and ASIC, and maybe also with a DSP inside for error correction); HD6437097 (the code in it is called CDB105; this for the 20-pin Saturn); and the H8 microcontroller on the CD drive mechanism, HD6433712H (the code in it is called CDM103V). As was also mentioned before, the modchip works by disturbing the communication of the SH1 with the H8, making the SH1 think it got the security code read from the disc by the H8. It means the H8 can fully read the disc even if the security code was not authenticated yet (some mods make the system completely skip the security check and others have the laser quickly move to the checking point but then quickly come back). This makes me think the check is surely on the SH1. I also believe that there's an unlock command that can be issued to the SH1 to simply skip the check and get access to the disc. I think this is how the MPEG cartridge works. Since the connection of the MPEG cart to the Saturn is buffered through the YGR019 chip, I think the command is issued directly to the SH1 by the ASIC inside the MPEG cartridge. Maybe a person with all the hardware, a logic analyzer and some guts might unlock it... Maybe even get a way into the SH1 RAM and dump its microcode... But this is just an idea and I'm not a cracking GOD like some people around the world who cracked strong security schemes like the CPS2 encryption... It's just my two cents...
TakaIsSilly | Jan 9, 2003
That is close to my idea, but I forgot about the VCD slot altogether, which is an interesting "hole" in security. However, the file check seems to be dependent on whether the first sector of the CD has the correct IP.BIN. CDs not for the console (which, I suppose, shall return a different code) are taken directly to the BIOS screen, which takes care to activate the "extras" (CD Player, VCD Player, PhotoCD)... which leaves me wondering if a CD burned with a modified IP, then artificially booted through a program, would work ^^;. What is the result of using the authentication procedure with an ordinary non-Saturn CD? Do they fall directly into the BIOS screen? PS: If I recall correctly, that Dev CD that allows backups to run proves there is at least a register one can set to skip all former security checks until the next power down... EDIT: Err, isn't dumping the executable from the aforementioned CD and inserting it using an AR enough to answer what this thread is all about? There is an ISO of it around, I believe.
antime | Jan 9, 2003
When you open the CD lid, the Saturn issues an interrupt. Normally, the interrupt handler will take you to the BIOS CD player screen but if you handle it yourself you can do whatever you like. So yes, placing a program that does that on the cart would help with swapping (and I wonder why I didn't think of this myself). However, I doubt there is a register you can set from the main CPU that causes the security check to be skipped but rather that the CD subsystem requires a disc validation once per session. |
Vic Viper | Jan 9, 2003
Also, burning it on a disc then booting with the swap trick should work, I believe... But if this CD exists it proves there IS a key command to disable the checking. I don't know, however, if the command works before a check was successful. In the Dreamcast, however, the mainrom itself sends the key command to the drive if it finds out the CD-ROM has the special format. I believe it was made this way because when SEGA sued Ballistic about making unlicensed Genesis carts, they tried to counter saying SEGA was completely blocking the device, which is owned by the customer, not by them... Since then all SEGA machines have a sort of trick or master keyword which allows the system to boot code without a security check. It just happens no one figured out how it works for the Saturn (yet). However, Datel reverse engineered the ROM for the Dreamcast and discovered that it had code to unlock the drive all by itself, without the security check. That was when the piracy started... All people needed to do was reverse engineer the GS and figure out the bootstrap method. After you got inside, you could use the GD-ROM drive itself to dump discs for you. And that is what has been done since then... I believe there might be a trick to make the Saturn run a CD-R without a mod and a swap trick, if the BIOS has the key command. Anyway, with that dev CD and a bootable ROM cartridge it might be possible to make a true software key for the Saturn, even if it requires you to first insert an original CD, then open the lid to swap for a CD-R.
Vic Viper | Jan 9, 2003
Also, when you open the CD lid the SH1 is reset. So you have to get a security check again, even if the game holds the interrupt, to avoid execution exiting to the CD player. But still, if a security check is required to read data off a disc, how is it possible for the Saturn to read a VCD with the MPEG cart without any type of disc authentication? That's why I believe the "drive key" will be not a register but a sequence of commands that turn the security-locked drive into a common CD-ROM drive, just to allow other uses of the unit. After the MPEG software is out, usually the Saturn is reset after a read error, or a long black screen is shown on normal exit (probably it is restoring the machine status so the security works again).
TakaIsSilly | Jan 9, 2003
From this thread...:
The Saturn has a hard-wired Reset button to the BIOS, not a soft button like previous consoles. So, the key to lock/unlock the drive is stored somewhere apart from the main CPU, that isn't reset. The main BIOS, I repeat, has not any control over locking/unlocking the drive. |
TakaIsSilly | Jan 9, 2003
As I said, _only_ if it's a Saturn CD will it search for the key (hence, it reads the inside first, then if it's a Saturn CD checks the rim, and then decides). If it's a normal Mode 1 track, it will unlock the drive as well, but not accept it as a Saturn CD...
ExCyber | Jan 9, 2003
This seems unlikely. In order to determine whether or not a Mode 1 disc is a Saturn game, it's necessary to read the bootstrap area. However, experience with the swap trick strongly suggests that the bootstrap area is not read until after the drive is unlocked. |
Vic Viper | Jan 9, 2003
Actually the system SHOULD at least have free access to the first 16 sectors of the disc, so it's capable of determining if a disc is or is not a Saturn disc, as it should contain a valid IP. Also, the Saturn will check the barcode on ANY disc which has a Saturn IP in its first 16 sectors, even if the IP is for another region. It will say "Game disc unsuitable for this system". If the barcode is not found, it will say "Disc unsuitable for this system", or if the disc has CDDA tracks nothing will be printed and you will only be able to play the audio tracks. The Saturn IS NOT CAPABLE of determining if a disc is or is not a CD-R. This is for sure. It is only capable of determining if the disc is or is not a licensed Saturn disc. If the Saturn were capable of detecting CD-Rs we would have problems similar to the problems people using XBOX homebrew software have booting their software on modded XBOX systems (the drive ejects the medium or refuses to read after determining that the disc is a CD-R).
antime | Jan 9, 2003
Not necessarily. If the Saturn first checks the security ring and only then reads the IP if the security ring is present it won't read any data off the drive. |
Vic Viper | Jan 9, 2003
I'm sure of that because the drive must at least allow the BIOS to read the IP of the disc... The Saturn DOES NOT attempt to read the barcode on discs which have no IP or a non-Saturn IP (i.e. a Sega CD disc). Anyway, attempting to read the barcode on a disc that has nothing there could severely damage the focus/tracking coil (JVC OPTIMA-06 laser pickup, a standard audio JVC part). So I presume the drive allows the BIOS to read at least the IP, but if you request anything else you get a read error. Can anyone with a PAR/Comms Link test this?