Saturn CD Block ROM dumped again.
- Thread starter Waterfuell
- Start date
slinga
Established Member
The Yabause source tree apparently has some decompilation notes: Yabause/yabause.
I was looking through Yabause to figure out the memory map of the SH-1. I don't follow the memory mapped registers being used within the CD Block.
I was looking through Yabause to figure out the memory map of the SH-1. I don't follow the memory mapped registers being used within the CD Block.
If I remember correctly, in the yabause source tree there is 3 files, called SH1-pseudo, mpeg.c and ygr.c (or something similar), from this files you can get almost all registers used from SH1.
SH1-pseudo looks extracted from coments of the dissasembled ROM code, probably done for JHDL, but in my opinion this file is interesting from a emulation point of view.
What you are searching for is DRAM, ROM and OnChip SRAM base address????
DRAM 0x09000000
ROM 0x00000000
OC SRAM 0x0f000000
YGR regs 0x0A000000
Ive put by memory, tomorrow I will confirm, the address are related with CS pins of the SH1 an where it are mapped.
SH1-pseudo looks extracted from coments of the dissasembled ROM code, probably done for JHDL, but in my opinion this file is interesting from a emulation point of view.
What you are searching for is DRAM, ROM and OnChip SRAM base address????
DRAM 0x09000000
ROM 0x00000000
OC SRAM 0x0f000000
YGR regs 0x0A000000
Ive put by memory, tomorrow I will confirm, the address are related with CS pins of the SH1 an where it are mapped.
They are the onchip modules and configuration registers.
cafe-alpha
Established Member
Great ! In advance, thank you for sharing 🙂
Hmm, now that you say it, I do confirm that Pseudo Saturn is sending sectors to CDB. CD access library use this register only in read access, but writing to it actually does something. Sorry for the lack of checking on my side !
If Im in correct JHDL tried to dump the rom in programing mode.
What funtionality do you refer???
Not at all, sorry for no posting more progress.
The only Ive discovery at the moment is a kind of prompt on test pins.
Its a normal serial conection at 9600bps, you can write with an serial terminal some comands for read and write some memory regions, but the relevant sections are not fully accesible, the code dont let you read the ROM, or write the on chip DRAM wich is the place where is located the stack. If you try to read the ROM always return 31 characters (IIRC) from ofset 0x0400, the copyright message I posted in first post.
At this moment Im block in a weird fuction, that looks like ofuscate the pointers to some calling functions, ghidra blocks at the same point.
Ive ported some portions of code to python for geting an ram map, but I missing something and the code reaches a function return that underflows the stack.
So at this moment Im modifying mydissasembler for turning it in an very basic SH1 emulator.
Hi
A long time ago I did a SH1 windows emulator to dig in cdb ROM dump.
Hi,
Some years ago I did a SH1 GUI Emulator to dig in CDB ROM. I was using CDB 106 ROM for my tests. When I stopped the emulator coding, only the CPU core was emulated. It has some good featuree for now, it can step in code instruction by instruction, highlight register/memory changes, breakpoints by PC location or cycles, log memory access, save states and maybe some others that I did not remember now. Follows attached some emu prints. The disasembled code is a direct copy of IDA. It has not a disassembly feature. If you have interest please let me know.
Attachments
Last edited:
Thanks, I dont have a windows computer only a virtual machine with windows xp, and IDA neither, but im interested in give a look.
Do you found something interesting in CDB? What I want to find at this moment is an easy way for dump the rom, maybe if the rom is more accesible, more people will work on it, to finally find some easy way for execute arbitrary code in SH1.
How do you dump the ROM???
I believe that It can run on WinXP. I will do a test. I had plans to port it to an open RAD in linux like QT or Glade(GTK). By now I have not spare time to do it.
I didn't dig deep enough. I had a personal problem at that time and stopped to work on dump. I never touched it again after this. At that time I was interested in the Command/Data Interface and how CDB process buffered CD Data.
The ROM was dumped by another guy that asked me to study it, but the method was the same as you did.
Do you pretend inject code through SH2 and then dump the CDB ROM?
I didn't dig deep enough. I had a personal problem at that time and stopped to work on dump. I never touched it again after this. At that time I was interested in the Command/Data Interface and how CDB process buffered CD Data.
The ROM was dumped by another guy that asked me to study it, but the method was the same as you did.
Do you pretend inject code through SH2 and then dump the CDB ROM?
antime
Extra Hard Mid Boss
There are three versions available in the MAME romsets (satcdb.zip).
Try to find a way, or some exploitable way.
I didnt know that, if have know before I dont have buy the CDB daughterboard, and didnt embarked that crusade.
Even so, I will follow researching.
I have another crusade to you. I see at this moment that there is a method to dump H8 microcontroller ROM. Maybe it could work on first versions of CD Drive that has a H8. This is a glitch method using FPGA.
This guy is dumping the servo controller of N64DD.
GitHub - ChrisPVille/h8-dumper: Clock glitching FPGA-based ROM dumper for the H8/3292 and related mask ROM parts
Clock glitching FPGA-based ROM dumper for the H8/3292 and related mask ROM parts - ChrisPVille/h8-dumper
github.com
Excellent. I've downloaded now. Thank you.
slinga
Established Member
Sorry for the basic question,
How does the CS2 relate to the CD-block? Is it correct to say the SH-1 is the CD block and that the SH-1's firmware is the cd block? I've spent some time looking at the SH-1 code and it's doesn't seem to do much. Like the code to get the TOC doesn't look like it does anything at all. Maybe it's reading a memory mapped register which triggers other code execution?
I guess I don't see how the SH-1 interfaces with the disc.
How does the CS2 relate to the CD-block? Is it correct to say the SH-1 is the CD block and that the SH-1's firmware is the cd block? I've spent some time looking at the SH-1 code and it's doesn't seem to do much. Like the code to get the TOC doesn't look like it does anything at all. Maybe it's reading a memory mapped register which triggers other code execution?
I guess I don't see how the SH-1 interfaces with the disc.
antime
Extra Hard Mid Boss
It doesn't directly. It sends requests to the H8 microcontroller on the CD board, which drives the CD chipset. Data read from the CD goes back through the CD block LSI.
One detail I noticed from the schematics is that the LSI can handle both the 20- and 21-pin interfaces, meaning that Sega were planning to use two different CD chipsets from the start.
One detail I noticed from the schematics is that the LSI can handle both the 20- and 21-pin interfaces, meaning that Sega were planning to use two different CD chipsets from the start.
It's like antime writed. CD interface is composed by two modules: CDB(CD Block = SH1 + YGR) and CDD(CD Drive = RF IC + DSP + Servo Control Microcontroller ).
CD Drive gets raw data from CD. The H8 microcontroller send/get commands/status of SH1. If command is to get data it drives the OPU(Opticaal Pickup Unit) motor and coils to get the correct position on CD track and the reflected data(lands and pits) of Optical Media is amplified by RF IC, this data goes through DSP that demodulate it a nd process subcodes. The output of this process is sento to CDB.
CD Block: YGR descramble raw data and subcode, interrupts SH1 to process descrambled data or SH2 Commands.
CD Drive gets raw data from CD. The H8 microcontroller send/get commands/status of SH1. If command is to get data it drives the OPU(Opticaal Pickup Unit) motor and coils to get the correct position on CD track and the reflected data(lands and pits) of Optical Media is amplified by RF IC, this data goes through DSP that demodulate it a nd process subcodes. The output of this process is sento to CDB.
CD Block: YGR descramble raw data and subcode, interrupts SH1 to process descrambled data or SH2 Commands.
I have another crusade to you. I see at this moment that there is a method to dump H8 microcontroller ROM. Maybe it could work on first versions of CD Drive that has a H8. This is a glitch method using FPGA.
This guy is dumping the servo controller of N64DD.
GitHub - ChrisPVille/h8-dumper: Clock glitching FPGA-based ROM dumper for the H8/3292 and related mask ROM parts
Clock glitching FPGA-based ROM dumper for the H8/3292 and related mask ROM parts - ChrisPVille/h8-dumper
So hard to me, I dont know anything about FPGA and neither how the vulnerability works. 🙁
