Home brewed modchip

Discussion in 'Saturn' started by orta, Aug 15, 2004.

  1. orta

    orta New Member

    Hi there people it's nice to be back :) and I've got a question,

    Is there a way to home brew a Sega Saturn mod chip? I've got the tools and equipment, like ferric chloride and a hand drill, to make the modchip's PCB; my only problem is the diagram and parts I.D. Any ideas will be greatly appreciated!!
  2. ExCyber

    ExCyber Staff Member

    The problem is that you can't just get the components; the main components are a PAL/GAL and a PIC microcontroller, both programmable. There was some work going on to reverse-engineer what the modboards do, but it seems to have kind of fallen off.
  3. orta

    orta New Member

    Oh, is that so!? I thought it was as easy as the PlayStation's 12C508 mod chip. Anyway, thanks for the info!! :)

    Edit: I remember programming the 12C508a PS modchip using a PIC programmer. There is also a hex file that I programmed into it. I thought it was the same as the Saturn. ;)
  4. Arakon

    Arakon New Member

    it's not much different except that you need more complicated programmers and the code to go on the chips.. which can't be read from the chips or found anywhere, for that matter.
  5. patroclus02

    patroclus02 New Member

    Yes, you can read the programs in the chips if you have a programmer.

    You have to desolder the PIC16C54 and the GAL chip from the modchip and put them into a correct programmer/reader.

    I plan on building some programmers and getting a modchip to take the codes out. Then, it seems possible to build a modchip.
  6. mal

    mal Member

    That's assuming that they aren't read protected.
  7. patroclus02

    patroclus02 New Member

    As far as I know, a PIC16C54 can't be read protected... about the GAL, I suppose neither... but I don't know. It's the only way I see for making a new modchip: take out those codes.
  8. mal

    mal Member

    This data sheet refers to there being a code protection bit on the PIC16c5x family of ICs.
  9. patroclus02

    patroclus02 New Member

    Yes, you're right. If it is code protected, then it might be impossible to take it out...
  10. patroclus02

    patroclus02 New Member

    Arakon, are you sure the chips are read protected??
  11. Arakon

    Arakon New Member

    Yes, I am sure, since there have been attempts to make your own Saturn modchip for years already.

    It's been tried time and time again, several times right here on SX, and no one got the code out of these chips.
  12. patroclus02

    patroclus02 New Member


    I wanted to try to make my own modchip. Even if we can't take those codes out, we could figure out how it works. I have some ideas and quite some experience in electronics.

    Could I speak with some people who have worked on this before?? Does anyone know, or has anyone tried??

    I wonder what point A is for (and pin 14 from the cd-rom chip). I think it is for timing. As far as I got:

    The GAL device seems to check for certain lines from the cd-rom ribbon cable to be up (possibly when Saturn checks for code protection), and then it might pass the event to the PIC16C54. Then, it overrides the signal going to the motherboard from the cd-rom. This must be accomplished by the 74LS157 integrated circuit (multiplexer with 2 inputs). This circuit selects an output from 2 possible inputs. One of them should be the one coming from the cd-rom drive, and the other one from one of the ports of the 16C54. At the precise moment, some sequence of pulses might fool Saturn to boot the backup.

    Knowing when, and what, I could build my own microcontroller to send the needed data across a multiplexer (74LS157 is a very common chip that needs no programming).

    If no one works on these projects, or on copy protection (on how to make perfect working backups), in a few years Saturn will start to be an impossible console for the task.

    By the way, the company which made these modchips doesn't exist now??
  13. junker

    junker New Member

    Using a similar procedure to what "the guru" does, could it be possible to put a trojan onto the chip and get inside it that way?
  14. ExCyber

    ExCyber Staff Member

    The PAL/GAL could probably be "dumped" in a sense via brute-force I/O analysis. There are ways to get inside the PIC chips, but they are unpleasant. It would almost certainly be easier and simpler to just hook a logic analyzer (or a suitably programmed microcontroller...) up to the bus and monitor the communication to see what the chip alters. There's no pressing need to duplicate the implementation, especially when it could probably be done with a single $4 chip nowadays.
  15. patroclus02

    patroclus02 New Member

    That's what I worked out just today. :agree

    ExCyber, do you know what pin 14 of the cd-rom chip is for?? (the one to connect to point A). :ph34r:

    Does anyone know which lines in the 21 ribbon cable are for the data bus (8 lines)??

    Just now I found something.

    As I see in the pics of the modchip (I have no modchip right now), the 74LS157 (multiplexer) just uses 1 multiplexer of its 4. That means that to fool the console, it probably uses only this multiplexer output (or in other words, this means one single line is used to fool the console). This line is pin 7 of the ribbon cable, which is connected to the multiplexer outputs. Maybe it is enough to check what the modchip does on this line. :yum

    The problem is still knowing WHEN (I suppose when the lens is going to check the outer ring), and also, I have no tool to get what the modchip alters in the bus... :damn:
  16. MrSporty

    MrSporty New Member

    The combination of the 3 chips works basically as follows:

    The PIC is sat BETWEEN the DATAIN and DATAOUT of the CDROM controller MCU (this controller is referred to as the 64/32 pin chip by peeps on this board). It monitors the command packets, allowing most of them to pass unmolested until the "Seek to protection ring" command is encountered.

    This command is nullified by the PIC so that the cdrom mech never actually seeks out to the edge of the disk (on a CDR this would cause problems as the laser tried to focus on unburned media).

    After a brief delay, the 74LS "switch" is used to switch a dataline from the regular cdrom subcode data being sent to the Saturn to an output from the PAL on the modboard. The PIC then uses 4 datalines to queue a "Protection OK" packet in the PAL's internal registers, which is in turn fired out along the previously mentioned dataline over a hundred times (overkill, but I guess they wanted to make sure the Saturn didn't miss the packet).

    After that, the 74 is switched back to allowing the cdrom subcode data to pass freely and the PIC goes back to passively handling the I/O of the controller MCU.

    ... And you get to play your CDR copy of Radiant Silvergun ;)


    Of the 6 lines either passively or actively modified by the modchip:

    1 apparently clocks the PAL.

    3 are for SERIN, SEROUT and SERCLK for the controller MCU.

    1 is the "spliced" CDROM subcode dataline.

    1 is used to sync the RC oscillator on the modchip.
  17. patroclus02

    patroclus02 New Member


    MANY thanks for the info! :D

    How did you work it out?? Do you have the code inside the PIC and GAL??

    When you say PAL, do you mean GAL?? (the 16V8D chip on the modboard) :unsure:

    Do you have more detailed info about the "Seek to protection ring" command (how to detect it), and how to create a "Protection OK" packet?? :huh

    So then, the GAL device is only there to create the protection OK packet??

    "3 are for SERIN, SEROUT and SERCLK for the controller MCU."

    A serial communication... what type of data is sent/received?? Data from the cd or just commands?? (Do you know which pin is which in the modchip's bus?)

    Sorry for so many questions, but I appreciate all possible help. :)
  18. MrSporty

    MrSporty New Member

    I don't have either the PIC code or the PLD fusemap, I'm afraid... all of that is based on my own observations using an el-cheapo logic analyser.

    In this instance PAL/GAL can be interchanged, as they used different devices on different batches. They both perform the same function though, and it would probably be best to call it a PLD.

    The PLD doesn't just handle the creation of the "OK" packet. It appears to also do some sensing of data as well as clock generation for the PIC.

    A brief look at the serial MCU data can be seen in the zip attached to this post (screen1.jpg).


    When I get home tonight I'll dig out the data sheets for the MCU in the cd controller as well as the DSP used to handle the cdrom data. It has the pinouts for the serial lines and the data lines.

  19. patroclus02

    patroclus02 New Member

    This is great ;)

    Are you still working on this??

    All your experiences can help me a lot. Please, do post the pinouts and also, if you can, which pin is which in the modchip bus.

    With this info, I'll be able to help you as soon as I get my modchip, and till then, I'll try to work out possible ways of building a whole new modchip. All data got by logic analyzer is heavily appreciated.

    I think that if we work together we will be able to make it.
  20. MrSporty

    MrSporty New Member

    I have a collection of PDFs that should aid you in identifying the relevant datalines on the various ICs used in the Saturn's CD mech and the available modchips. Unfortunately, the forum won't let me upload it as either a ZIP or a RAR.

    Mail me for it.