Saturn CD Block ROM dumped again.

antime said:
One detail I noticed from the schematics is that the LSI can handle both the 20- and 21-pin interfaces, meaning that Sega were planning to use two different CD chipsets from the start.
Click to expand...

Worth noting that on a machine that uses CDB106 and a 20pin drive (CDB106 normally always uses 21pin drives), pin 87 of the SH1 is jumpered to +5V instead of ground. The documents list this pin as the least significant bit of the Port C data register. Anyone bothered to look into what the CDB firmware does with those registers?
 
Waterfuell said:
In SS service manual there is a schematic wich helps to get a global idea how CDB is composed.
But not show the line wich SH1 uses to send comands to CD drive.
Click to expand...

You can see it on this picture.
 

Attachments

  • Saturn Diagram.png
    Saturn Diagram.png
    170.2 KB · Views: 305
rorirub said:
Worth noting that on a machine that uses CDB106 and a 20pin drive (CDB106 normally always uses 21pin drives), pin 87 of the SH1 is jumpered to +5V instead of ground. The documents list this pin as the least significant bit of the Port C data register. Anyone bothered to look into what the CDB firmware does with those registers?
Click to expand...

My research is based on CDB105 and unfinished, so i cant help, the only that i can say about port C is that pin PC6 is config as analog input AN6 in pin 94
 
Are you still working on this? Any progress? I'm interested in making my own ODE because hardly anybody can afford the prices they charge and we can control microcontrollers with python now so I thought I would give it a shot. I've ordered a few Saturn's to use for testing and will probably start getting my hands dirty with the project at the start of the new year. Essentially my goal is to get a cheap ODE on the market for everybody.
 
gambit said:
Are you still working on this? Any progress? I'm interested in making my own ODE because hardly anybody can afford the prices they charge and we can control microcontrollers with python now so I thought I would give it a shot. I've ordered a few Saturn's to use for testing and will probably start getting my hands dirty with the project at the start of the new year. Essentially my goal is to get a cheap ODE on the market for everybody.
Click to expand...
The project is halt, looks like ROM has been reverse engineered other times before, and people say there is no more to extract.
The theorical feature that should be interesting to find is the way to load SH1 encrypted code from an autorized cd, but RE all the ROM requires lot of job for something that doesnt arouse much interest.

At this moment Im also working on a open source ODE, ive talked about it whith other users in discord, not so deep, bu you can take a look if interested.
 
Waterfuell said:
The project is halt, looks like ROM has been reverse engineered other times before, and people say there is no more to extract.
The theorical feature that should be interesting to find is the way to load SH1 encrypted code from an autorized cd, but RE all the ROM requires lot of job for something that doesnt arouse much interest.

At this moment Im also working on a open source ODE, ive talked about it whith other users in discord, not so deep, bu you can take a look if
Click to expand...

I saw that it had been reversed before but I thought the information was still not fully publicly available.
Sent you a message on discord.
 
@Waterfuell ,

I've started looking at the SH-1 ROM (cdb105.bin) and the YGR ROM (ygr022.bin). Using Yabause 0.9.15 I am able to set breakpoints within the SH-1. Do you know if it's possible to debug the YGR as well?

Edit: Actually it looksl ike ygr022.bin is just a variant of the cdb105.bin.
 
Last edited:
slinga said:
@Waterfuell ,
Do you know if it's possible to debug the YGR as well?
Click to expand...

As I comented to you in discord ygr is just lsi + sh1 join togeter in a single chip.
LSI is just hardware, imagine it like an non programable cpld or fpga, just logic, for glue all together.

I couldnt debug in yabause, in linux didnt work for me, I did a prety simple and slow sh1 emulator in python.
 
Last edited:
CDB105 and CDB106 are the markings on SH1 when it's separated from OCU (marked YGR019A or YGR019B), as the service manual labels this component.
OCU is an external bus controller for the SH1, it plays a bit the same role as does SCU (minus the DSP) for the SH2s. As @Waterfuell said on Discord, it contains the CD block registers described in System Library User's Manual.
YGR022 is an integration of OCU and SH1. As such, it contains the 64 KB ROM of SH1. It first appears on revision VA6 of the Saturn motherboard. There are pictures of the different motherboards on the 2nd half of this page : [Sega] Saturn – Différencier les versions
 
Waterfuell said:
I couldnt debug in yabause, in linux didnt work for me, I did a prety simple and slow sh1 emulator in python.
Click to expand...
I can verify SH-1 debugging in Linux with Yabause 0.9.15 works. I can set code breakpoints within the SH-1 ROM and it hits. Memory breakpoints do not appear to work however.
 
Do we have a way of dumping the CDB yet? I was hoping the Satiator could do it, but I didn't pay attention as to what apps are available for it.
 
I know it's out, but not all versions are dumped. CDB104 wasn't dumped last time I checked and it behaves differently in some instances. There are also older versions on devkits, at least one which does not have the copy protection implemented. Would be nice to get those dumped. I was always hoping the Satiator could do that due to the way it hooks up to the SH1.
 
rorirub said:
I know it's out, but not all versions are dumped. CDB104 wasn't dumped last time I checked and it behaves differently in some instances. There are also older versions on devkits, at least one which does not have the copy protection implemented. Would be nice to get those dumped. I was always hoping the Satiator could do that due to the way it hooks up to the SH1.
Click to expand...

Unless someone find the way to load sh1 from cd or mpeg port and share the code, we only can hope jhdl someday add ROM dumping support to satiator.
 
Waterfuell said:
Unless someone find the way to load sh1 from cd or mpeg port and share the code, we only can hope jhdl someday add ROM dumping support to satiator.
Click to expand...

Have you looked at the strings in the CDB ROMs? There's only a few, and a couple stand out: "Hitachi" and "PublicKeyCipher." Given its proximity to a bunch of bit shifting and XOR instructions, I would not be surprised if this was used in the process to decrypt and load SH1 code from the VCD port. I have yet to do much more reverse-engineering beyond that, but I've seen no mention of these strings online whatsoeve...
 
You must log in or register to reply here.

Similar threads

Kahuna
Save Game Transfers: Saroo -> Pseudo Saturn Kai
Replies
3
Views
494
benclaff
benclaff
Ponut
Saturn SCU DSP Notes
2
Replies
24
Views
6K
TrekkiesUnite118
TrekkiesUnite118
edde_baby
Dumping Sega Saturn Cartridges with less hardware
Replies
2
Views
2K
edde_baby
edde_baby
M
SDLoader v0.12: run binaries from SD Card and backup/restore saves
8 9 10
Replies
189
Views
49K
xhul
xhul
S
Trying to build and run a working Saturn sample program
Replies
8
Views
4K
antime
antime
Back
Top