Reverse Engineering a 21 pin mod

[MrSporty]

For anyone thats interested , heres the progress ive made so far with reverse engineering the current batch of 21 pin mods in an attempt to create a universal type.

In the attached Zip are 3 images:

full1.jpg - This is a currently available SSIC8B modchip layed out for easy access.

board1.jpg - A close up on the breadboard showing easy access to the individual lines.

screen.jpg - Interesting !!! 🙂 . This shows a screen capture from my logic analyser. Channel 0 is the Serial Clock line to the CD mech MCU. The other 4 channels show the serial data lines sampled before and after they are passed thru the PIC.

Most data is passed thru unchanged (you can see the delay induced by the pic in the offest between channel 1 and 2. In this case though the data is heavily modified after the first few pulses.

This was sampled around the point where the saturn would normaly command the CD mech to seek out to the protection ring. The PIC is doing its magic by filtering the commands.

Ill have the serial portion of the code tacked in a week or so .. then its onto the higher speed data stream that is injected by a combination of all 3 of the modchips IC's .. fun!

MrS

 

[ExCyber]

This is quite interesting. 😀

I had gotten to wondering how tough it would be to replace the CD drive altogether with e.g. an ATA drive, maybe this will provide some hints. I don't have a logic analyzer but if you can document the basics of the protocol then it could be explored further with much simpler equipment. 🙂

 

[MrSporty]

My primary goal was to document the protection scheme, although some sort of ATA interface wouldn't be out of the ball park in the long run.

An offshoot to the work so far is that i cant see it being too hard to inject a packet into the data stream when the region is being read .. thus negating the use of ISO patches and region switches. Youd just set the mod to run at the same region as your console is currently set and ALL disks would then run.

But i digress .. on with the task in hand .. the reversing of this Mod.

MrS

 

[antime]

The region mod thing would depend on if the Saturn chokes on there being more region identifier strings than symbols or if they're in the wrong order. If there are more than one region symbol (the letters at the beginning of the IP) the region strings (located before the AIP) have to be in a certain order.

Since the start location of the AIP depends on the number of region strings you can only patch the first one, as it is the only one guaranteed to be present (though I suppose finding and simply blanking out any other strings could also work).

 

[ExCyber]

My primary goal was to document the protection scheme, although some sort of ATA interface wouldn't be out of the ball park in the long run.

Yeah, when I said "document the basics", I meant just enough to figure out how the interface is clocked/controlled, and who talks when if there's fixed turnaround timing. With that info it should be feasible to snoop the interface with cheap dedicated hardware instead of a logic analyzer. 🙂

 

[madmalkav]

You can figure what I'm going to ask:

Any progress?