Saturn CD Block ROM dumped again.

Waterfuell

New Member
I've replicated the metod described by JHDL six years ago.

Credits to antime, cause ive used his "serial transfer client" code. I used before in my SS with my own linux python "transfer tool" and an FT232RL, and worked very well. Only a minor adaptations has been needed to work in CDB SH1.

For compiling I've used Red Ringo Rico toolchanis, self compiled some time ago for work under linux.

I've build my own eprom programer based on robsoncouto work. robsoncouto/flash
And some modifications based on schematics from kernelcrash blog. Using an Arduino Uno to program EPROMs – KernelCrash

SH7034 datasheet as been very usefull as the sega saturn service manual.

In offset 0x400 can read exactly "Copyright (C) Hitachi, Ltd. 1993"

md5sum CDB_ROM
21cc63ac18d7a85420c24de5c7d51321 CDB_ROM

1byte checksum 0xee

Some pics:
Dumping device.
IMG_20200810_161500.jpg
CD Block daughterboard .
IMG_20200810_155332.jpg
DIY eprom programer.
IMG_20200810_162732.jpg
DIY eeprom eraser (20 years ago was an pcb isolator)
IMG_20200810_162900.jpg

Ive atachedd the code an tools used (a little bit chaotic), for reference.

PS:Sorry for my english.
 

Attachments

Last edited:

antime

Extra Hard Mid Boss
I assume the trick is to start the processor in ROM-less mode, load the dumping code into RAM, and then re-enable the ROM? I had thought about doing something similar, but never followed through.
 

Waterfuell

New Member
I assume the trick is to start the processor in ROM-less mode, load the dumping code into RAM, and then re-enable the ROM? I had thought about doing something similar, but never followed through.
Just that, is what JHDL did long time ago, I wanted to do the same since then.
 

Waterfuell

New Member
I forget to say your code has been so useful, is practically the same code that I've loaded in SH1.

So, thanks antime.
 

Waterfuell

New Member
...now any clue, hint that could allow to use the SH1 as a normal cpu ? codemasters said they tried to use it for micromachine v3
At this moment, I dont know anything about CDB.
Right now Im dissasembling the code, but think that Im not good in that.
And I dont know if my work flow is the best.

How Im doing the dissasembling...
Ive coded a dissasembler in python.
I coment manually the output asm code and put some indicators, for example, where a function start, where ends, where is a call...
In sublime tex Ive created a plugin that gets the indicators and creates a flow chart in graphviz, this helps me to follow the code, and clicking the nodes in the graphic jumps directly to this line in the asm code.
Very ugly, but helpfull, later when in pc will post some images.

EDIT: promised image aded
 

Attachments

Last edited:

slinga

Member
congrats @Waterfuell & @antime , now any clue, hint that could allow to use the SH1 as a normal cpu ? codemasters said they tried to use it for micromachine v3
AFAIK the only way to interact with the SH-1 is via the CD Block registers which have a very limited interface. If there was a way to program the SH-1 from the SH-2 it would be trivial to dump the SH-1 ROM.
 

vbt

Staff member
there is one way to write to the cdrom ram (the SH1 ram) from the SH2s, so if there was an hidden command to excute some code we could use the SH1 a bit.
 

antime

Extra Hard Mid Boss
The hope is to find an exploitable bug in the ROM, that would allow code execution. A back door would of course make things easier.
 

cafe-alpha

Member
Congratulations @Waterfuell ! You're certainly the second people having dumped CD Block ROM :)
Just by curiosity, do you plan to share the analysis of the ROM, or to keep it private ?

there is one way to write to the cdrom ram (the SH1 ram) from the SH2s, so if there was an hidden command to excute some code we could use the SH1 a bit.
From my limited knowledge around CD Block, it's not possible to send data from SH-2 to SH-1 : in normal usage, the "data access register" is just accessed for reading and I doubt that writing there is doing something relevant.
The most doable way of using SH-1 for purpose other than reading CD-ROM would be to inject a custom SH-1 executable into the ROM of MPEG cart, as Satiator is doing.
 

Waterfuell

New Member
Give Ghidra a shot. It supports SH-1.
Ive think about it, but no espace left in my hd, i got in mind buy a new hd, then i will give a try.

Congratulations @Waterfuell ! You're certainly the second people having dumped CD Block ROM :)
Just by curiosity, do you plan to share the analysis of the ROM, or to keep it private ?
Thanks.
My idea is share everithing I get.


From my limited knowledge around CD Block, it's not possible to send data from SH-2 to SH-1 : in normal usage, the "data access register" is just accessed for reading and I doubt that writing there is doing something relevant.
The most doable way of using SH-1 for purpose other than reading CD-ROM would be to inject a custom SH-1 executable into the ROM of MPEG cart, as Satiator is doing.
As @vbt says, you can upload data to sh1, the questios is as @antime points, find a exploitable way to execute that data in some way.

AFAIK pseudo saturn exploit copy fake sectors to CDB ram, but neither am I an expert.

Mi initial hope is find an easy way for dump the ROM, maybe the test points in CDB daughterboard?? They are conected directly to one serial port of sh1. But a lot of work left yet.

PS: As always, sorry for my english.
 

Attachments

Last edited:

rorirub

New Member
I'm waiting for someone to write a dumper on the Satiator, so we can dump the other CD Block firmware versions... CDB104 is undumped, and Nemesis has prototype hardware with SH1 versions without security checks, those would be interesting to have (it would make the ultimate "mod" chip!).

Imd5sum CDB_ROM
21cc63ac18d7a85420c24de5c7d51321 CDB_ROM
I can confirm that the md5 matches the CDB105 dump made by Doc Abrasive. Dear Lord... it was over 6 years ago...

As far as I know, he disassembled the entire thing and the closest thing to a backdoor was a "universal" system disc that would bypass the region check. Also the system disc only checks two strings in the cd header (first sector), and the rest of the disc is filler. To quote him:

I also found that there's code to recognise an all-regions system disc.
It looks like it was configured to be hard to burn for anyone with one
of the legit Saturn development burners in the '90s, but I wonder where
it actually saw use?
System discs are actually just recognised using the string SEGASYSTEM in
the disc name field, then the CD block stores whatever author field is
on the disc for later. All the rest of the disc content is totally
unnecessary!
Universal discs have to have exactly 30 tracks and some unusual Q
subcode content in the TOC. Easy to burn now, but still doesn't bypass
the ring check, so *shrug*
So the MPEG1 port is the only "backdoor" where you can execute SH1 code.
 

black_kawa

New Member
I believe this disc you guys are saying are the black discs, used in development of games. I got the .iso on a facebook group and i was using it to run backups. The disc allows to run backups, but since it doesnt have the security layer, you need to disc swap with a original game to make the disc works. If you guys want i can share the .iso
 

Waterfuell

New Member
I believe this disc you guys are saying are the black discs, used in development of games. I got the .iso on a facebook group and i was using it to run backups. The disc allows to run backups, but since it doesnt have the security layer, you need to disc swap with a original game to make the disc works. If you guys want i can share the .iso
IIRC jhdl discover in the rom that could exist a "super disc" for run 1st and 3rd party disk copies.

The black disc you are talking about should be the KD02 system disk, used for launch 3rd party disks copies.
 

Waterfuell

New Member
I'm waiting for someone to write a dumper on the Satiator, so we can dump the other CD Block firmware versions... CDB104 is undumped, and Nemesis has prototype hardware with SH1 versions without security checks, those would be interesting to have (it would make the ultimate "mod" chip!).

...

...the MPEG1 port is the only "backdoor" where you can execute SH1 code.
Probably I never will put my hands on a satiator, so at the moment replicate what JHDL did six years ago is the only thing that I can do for get the CDB ROM.

The code discoveries done by JHDL has no been relased, so study the rom by myself is the only thing that i cand do for understand how CDB works, and how load SH1 code.

Edit: I forget to say, JHDL also discovered that you can load encripted SH1 code from an authenticated CD.
 
Last edited:

slinga

Member
Edit: I forget to say, JHDL also discovered that you can load encripted SH1 code from an authenticated CD.
Are you sure it wasn't from an authenticated MPEG card? Because if you can load encrypted SH1 code from an authenticated disc it would be trivial to write a program to dump the SH1 ROM.
 

Waterfuell

New Member
Are you sure it wasn't from an authenticated MPEG card? Because if you can load encrypted SH1 code from an authenticated disc it would be trivial to write a program to dump the SH1 ROM.
Sure, IIRC is related with two offset located in IP, one says were is the SH1 code, the other say the legth. I can try to find related code in rom.

PS: Ive clean my HD and installed ghidra, the c decompiler is interesting, some problems with arguments and return variables in funtions, the code in rom looks like no follow standar rules.
 
Last edited:
Top