Dumping MPEG Card Bios

GO TO ADMIN PANEL > ADD-ONS AND INSTALL VERTIFORO SIDEBAR TO SEE FORUMS AND SIDEBAR

Madroms

New Member
Joined
Jul 29, 2001
Messages
148
Points
18
Website
www.satakore.com
I am in the progress of dumping Saturn stuff lately and I am wondering how the MPEG Card bios works.

Standard Saturn Bios is readable directly in the memory as it is duplicated there.

Cartridge Data are also readable directly in the memory.

But for the MPEG Card bios, how it works with the Saturn ? Is it readable through any part of the memory ? If not, is there a way to read it from the Saturn ?

Thanks for any tips you can provide ;)
 

RockinB

Staff member
Joined
Apr 29, 2002
Messages
1,007
Points
36
Age
38
Website
www.rockin-b.de
There was a tool published for doing this in a CDC replacement topic here at SX. Try googling for mpgromdump.zip
 

Madroms

New Member
Joined
Jul 29, 2001
Messages
148
Points
18
Website
www.satakore.com
I need help for undestanding what that does on the mpgromdump program (I am not as good as some of you on c/c++).

In main.c, there is this define:

Code:
//////////////////////////////////////////////////////////////////////////////


#define SYS_MPEGCHECK(i, i2, i3) \

        ((**(int(**)(int, int, int))0x6000298)(i, i2, i3))


//////////////////////////////////////////////////////////////////////////////

And then it is used here:


Code:
  Sint32 ret;

   char tempstr[128];


   if ((ret = SYS_MPEGCHECK(0, 128, 0x06080000)) < 0)

//   if ((ret = SYS_MPEGCHECK(128, 128, 0x06080000)) < 0)

   {

      sprintf(tempstr, "SYS_MPEGCHECK < 0(%d)", ret);

      slPrint(tempstr, slLocate(2, 22));

   }

   else

   {

      sprintf(tempstr, "bytes read = %d", ret);

      slPrint(tempstr, slLocate(2, 22));

   }


   slPrint("COMPLETE: Waiting for commlink...", slLocate(2, 1));

I don't understand the define part. What does it do ? I see 3 int variables (or pointers to int ?), some pointers, one memory address, but I don't see what it does putting all of this together :D


And what is the difference with:

Code:
#define SYS_CHKMPEG(_dummy_) \

        ((**(volatile Sint32(**)(Sint32))0x6000274)(_dummy_))
found on SEGA_SYS.h ?


Thanks ;)
 

ExCyber

Staff member
Joined
Aug 8, 2001
Messages
4,014
Points
36
Age
37
Madroms said:
I don't understand the define part. What does it do ? I see 3 int variables (or pointers to int ?), some pointers, one memory address, but I don't see what it does putting all of this together :D
It's defining a somewhat convoluted function call to a BIOS function (indirected through a table that the BIOS sets up in RAM). I don't know the details of the syntax off the top of my head, though it's not so much a special syntax as it is an unusual combination of standard elements (casts, dereference, and function call). I think the meaning is basically:


call the function at the address stored at 0x6000298, which returns int and accepts 3 int arguments


The macro is parameterized and fills in the arguments so that it can be used similarly to a normal function call.


edit: I think I figured it out enough to break it down. I'll try to explain it as well as I can.


Complicated C expressions involving type definitions often must be read "inside-out". In this case, let's start with the literal expression:


Code:
0x6000298
As far as the C compiler is concerned, this number is of type "int". That's not really what it is, though. In reality, it's the address of a memory cell containing the address of a function; it's a pointer to a pointer to a function. So we must tell the C compiler that this is what it is by using a cast operation. But in C there is no such thing as type "function"; the type of a function is defined by its signature (return type and argument types). In this case, the function returns int and accepts 3 int arguments. So in order to tell C about a function we must tell it about those things:


Code:
(int(**)(int, int, int))0x6000298
(The inner "(**)" part means "pointer to pointer to function")


Now we have the number 0x6000298, properly understood as type "pointer to pointer to function returning int and accepting 3 int arguments". But now we want to call the function, so we must adopt the standard function call syntax and also dereference the "pointer to pointer" in order to obtain the actual function:


Code:
(**(int(**)(int, int, int))0x6000298)(i, i2, i3)
(I think the actual macro wraps this in one more level of parens just to be safe)
 

Madroms

New Member
Joined
Jul 29, 2001
Messages
148
Points
18
Website
www.satakore.com
Thanks for all ExCyber.

Ok, I understand. It calls a Bios function indirectly, by pointing to 0x6000298 memory address. And it passes 3 args to this pointer.

Is there a way to know which Bios function is called at this address and what do the args do ?

Looking at the args:

i = 0

i2 = 128

i3 = 0x06080000

I could think:

i = start address for reading

i2= size ? If so, in bytes ? kb ???? And how could we know the correct size of the full MPEG card bios ?

i3 = memory address to copy what it is read.

Something wrong ? (probably :D)

What I want to do is:

Reading MPEG Card bios then copy it to low mem (0x00200000) and then re-reading data from there (using 0x20200000) for easier access.

On a side note, I don't know why we must (?) use 0x2XXXXXXX addresses to read memory instead of 0x0XXXXXXX [or maybe I have all wrong].
 

antime

Extra Hard Mid Boss
Joined
Jan 24, 2002
Messages
2,575
Points
48
Website
www.iki.fi
Here's CyberWarriorX's explanation of that function.


You don't absolutely have to use the uncached memory aliases except when accessing hardware registers. If you read hardware registers via the cache two unpleasant things can happen:
  • The cache will return stale values.
  • When the cache does read data, it always reads a whole cache line. Unintended accesses to adjacent memory locations can have bad consequences.
Since the Saturn's CPU caches do not support bus snooping, memory written by eg. DMA or the other CPU will not be marked as invalid. In these cases you can either manually invalidate the cache or use the uncached aliases.
 

Madroms

New Member
Joined
Jul 29, 2001
Messages
148
Points
18
Website
www.satakore.com
Oh, I missed his post. Thanks for the link.


And thanks for the info about cached/uncached memory ;)


I will finish my rom dumper maybe this week end and I will try it quickly on a real hardware.

The only problem is I can't test the MPEG dump part easily on emu :D so I hope it will work (not that the code provided is bad but mine could have some errors ;) )
 

Madroms

New Member
Joined
Jul 29, 2001
Messages
148
Points
18
Website
www.satakore.com
Noted Runik ;) If I need your help I will contact you.

3 more questions:

1) is it possible to dump stuff connected on the Serial port ? aka reading RAW data through the serial port ?

2) does anyone know what this is (some data extraction from a file found on a dev disc):

Code:
SEGA SEGASATURN SEGA ENTERPRISESCS HW GIGAV0.00019950100CART16M JTUBKAEL        J               SATURN TTY      TERMINAL        TEST ROM        TEST ROM        TEST ROM        TEST ROM        TEST ROM
Code:
USOMON Ver 0.90 Rev 5c23m (C)1995 SEGA HW R&D Y.Shimizu.
uso.bin file: 10253 bytes. Probably something related to CartDev.

3) I am missing the SegaSaturn Developer's Documentation Vol. 1 Electronic Version Rel. 1 CD (with a yellow cover). Does anyone know what type of docs there are on it ? (and if someone wants to sell it, le me know ;) )
 

Madroms

New Member
Joined
Jul 29, 2001
Messages
148
Points
18
Website
www.satakore.com
Ok, ROM dumper program finished and tested on real hardware.

Results:

1) ROM Cart: KOF95 + Ultraman => dumpable (both are 16MBit ROM)

2) AR Carts: All of them (AR, Urawaza, AR2, PAR,...) + clones => dumpable

3) Import adapter => dumpable

Ex:

a) Multigame Adaptor: reading the header => DATEL 95 UNI ADAPTER V1.1

b) CD+Plus: reading the header => Hong Kong Ver. 1.0, and the ROM has some ref to Pro Fighter, Game doctor and X-Terminator (so you know where it comes from :D)

c) Magic Card V2: also dumpable

4) Saturn Bioses: all dumpable (no news on this part as you can always use an AR+PC Comms for this). But I will probably dump some undumped Bioses in the future ;)

5) Modem: non dumpable ?? I tested the Japanese X-band Modem. I didn't find any header of the Modem Bios/ROM in the memory (checking the A-Bus CS0) but I find some strange data on the A-Bus CS1: lot of FF00FF00, and sometimes some other data (J or S letters and = sign), then a lot of FFA5... Normally, A-Bus CS1 memory is full of FFFF is the Saturn port is not used. Could this be some part of the modem Bios/ROM ? (or maybe itself fully available here). Else, does anyone know how it works ?

6) MPEG Card Rom: no succes :( I always had a return code of -91. I tested the program with a EUR model 1, EUR model 2, JPN model 2 and with the EUR VCD Card and the RG-VC1 JPN VCD Card. Same result for all the combinaison.

I put this pice of codes in my programm:

Code:
#define SYS_MPEGCHECK(i, i2, i3) \

        ((**(int(**)(int, int, int))0x6000298)(i, i2, i3))

and then in a function:

Sint32 retMPEG;

char tempstr[128];

         if ((retMPEG = SYS_MPEGCHECK(0, 128, 0x00200000)) < 0) {

              sprintf(tempstr, "return code < 0 : %d", retMPEG);

              MPEGsuccess = 0;

         } else {

                mFile.data = (void *)0x00200000;

                    mFile.size = retMPEG;

                sprintf(tempstr, "bytes read = %d", retMPEG);

          }
Did I make something wrong ?
 

Madroms

New Member
Joined
Jul 29, 2001
Messages
148
Points
18
Website
www.satakore.com
It could have a ROM somewhere, not ? I didn't open mine so I don't know if all the data must be on the saturn program to "drive" it or if it has some sort of data on a ROM as part of the hardware.
 

antime

Extra Hard Mid Boss
Joined
Jan 24, 2002
Messages
2,575
Points
48
Website
www.iki.fi
No, it's a very generic modem design, controlled via the standard AT command set. There is an EEPROM on board, but it's not memory-mapped.
 

Madroms

New Member
Joined
Jul 29, 2001
Messages
148
Points
18
Website
www.satakore.com
Ok, so nothing for the modem.

Noone for the MPEG Bios dump ? Did anyone succeed in the past to dump it with this command ?
 

TascoDLX

New Member
Joined
Dec 25, 2006
Messages
70
Points
6
Madroms said:
6) MPEG Card Rom: no succes :( I always had a return code of -91.
That error means the transfer command (0xE2) failed, though it doesn't really tell why.


Madroms said:
And what is the difference with:

Code:
#define SYS_CHKMPEG(_dummy_) \

        ((**(volatile Sint32(**)(Sint32))0x6000274)(_dummy_))
found on SEGA_SYS.h ?
That function will check for and authenticate the MPEG card (returns 0 if OK). It probably should be called first, if only to verify. Also, I'm not sure if you need to unlock the drive as well since the BIOS gets passed through the CD buffer. It's not something I have experience with.
 

Madroms

New Member
Joined
Jul 29, 2001
Messages
148
Points
18
Website
www.satakore.com
ok, i will try this function to see what it returns.

What is the function to unlock the drive ? And what is the consequences to do this ? (unable to run some code for ex,...)
 

TascoDLX

New Member
Joined
Dec 25, 2006
Messages
70
Points
6
Actually, I don't think you have to worry about that unlocking thing, though you can find the function, CdUnlock(), in Rockin'-B's tutorial (at the end) as well as other places. From the info I've gathered, the lockout only prevents the reading of data from bootable Saturn discs (until a disc is authenticated, of course). It shouldn't have any effect on what you're trying to do.
 

vbt

Staff member
Joined
Dec 16, 2001
Messages
5,182
Points
63
Age
42
TascoDLX said:
Actually, I don't think you have to worry about that unlocking thing, though you can find the function, CdUnlock(), in Rockin'-B's tutorial (at the end) as well as other places. From the info I've gathered, the lockout only prevents the reading of data from bootable Saturn discs (until a disc is authenticated, of course). It shouldn't have any effect on what you're trying to do.
Cdunlock allows also to access data from a CD without an ip.bin .
 

TascoDLX

New Member
Joined
Dec 25, 2006
Messages
70
Points
6
OK. I think I was thrown by the name of the function. CdUnlock initializes the drive, which must be done for disc access. Discs with the Sega IP.BIN need the security ring to be verified before data can be read. I'm still not sure if it's needed here, but it couldn't hurt.
 
Top