Mega-CD real region free on game discs

Discussion in 'Sega Discussion' started by l_oliveira, Jun 5, 2010.

  1. l_oliveira

    l_oliveira Officer at Arms

    I have had this idea for quite a while now and I believe it's doable...

    After learning how the MEGA-CD works I started to read about how the region protection mechanism works on this system and found out that achieving real region free is possible somehow.

    For a long time I've been patching my games to run on a JP/Asia MEGA-CD by doing this on the ISO images:

    - Extract header using Winhex
    - Manually edit the header to match the strings the Japanese ROM expects
    - Paste the Japanese security program on top of the original (US or PAL) security program
    - Pad the difference with 68000 NOP instructions.

    The success rate with this method has been 100% so far.

    But using the real silver discs is much more desirable than using shitty CD-Rs, making real free region interesting.

    The security checking is done by the SUB-CPU during the second part of the disc detection process (when the CPU reads the TOC information from the CD Drive) where the security program is compared to an existing copy of it on the SUB-CPU RAM.

    The idea is to change the compare code so that it instead copies the loaded security program (the one that would be used in the compare) on top of the original security program which came from the disc read, then pads the size difference with NOP instructions automatically. This would cause the Japanese ROM to behave as a region free ROM.

    Then why does it have to be the Japanese ROM? Because its security program is the smallest of the 3. :rolleyes:

    What do you guys think of this idea?

    I'm not capable of doing it alone because the ROM has the SUB-CPU BIOS image compressed on the main 68000 ROM chip. Decompressed it's 128KB just like the main ROM image.

    I would need help reverse engineering this, changing it and then putting it back onto the ROM. :shrug:


    Edit: Achieved.

    Link:

    http://www.4shared.com/file/0HXCyFYT/Hacked_MEGACD_BIOSES.html

    Package contains:

    eu_mcd1_9210_regionfree.bin
    EU_MegaCD2_30031993_regionfree.BIN
    jp_mcd1_911228_region_free.bin
    JP_MegaCD2_22121992_regionfree.bin
    JP_Wondermega_02061992_regionfree.BIN
    us_scd1_9210_regionfree.bin
    US_SEGA_CDX_930907_regionfree.bin
    US_X'EYE_27121993_regionfree.bin

    Edit: Added a utility to byteswap the BIOSes on this post. :thumbsup:
    Usage:
    Name the file "BIOS.BIN" and put it in the same folder as the .exe and .bat...
    Click the .bat and a file named "SWAP.BIN" will be created.

    Edit2: Unified link. Contains all files.
     


    Last edited: Nov 29, 2011
  2. dutchconsolefreak

    dutchconsolefreak Peppy Member

    I'm no expert on mega-cd, but you are saying that a custom compression algorithm has to be written on the basis of the decompression routine? If the only thing that's decompressed is the security program, it might be easier to use the rom space occupied by the decompression routine and replace it with a routine that simply copies our own code to the sub-cpu.

    When there is also code decompressed for other things besides security, we have a problem.
    Do you have a dump of the compressed data? Does it have any kind of header? Did you already disassemble the decompression routine?

    I would love to help, but I have no knowledge of the megadrive/cd architecture, and it has been years since I programmed anything in 68k.

    Just for my understanding.. the megacd ROM is executed on the megadrive cpu, it then decompresses & moves data to ram on the megacd and then the megacd cpu is executing?
     
  3. cde

    cde AG Defender

    I have often wondered why we don't have region free games on the Sega/MegaCD. I recently looked at the old "SLOloader" and thought we may be able to make a boot disc to suit a console's region, and then when the security check has been passed, just send an "eject disc tray" command allowing you to insert your other region game.. Granted this assumes you have a model 1 Sega/MegaCD, and we can use SLOloader to inject the command, and you're willing to keep pushing the tray closed after the disc ejects.. Lot of ifs.

    http://www.retrodev.com/slo.html

    I have taken my MegaCD's top case off (and disc magnet) and re-attached the Megadrive, giving me access through the side to the disc. I inserted a PAL game and pressed B to go to the menu screen. The CDROM icon appeared and I then played any CD audio track, then pressed stop. With the disc stopped I swapped the game for the US version of the same game and then pressed CDROM and the game launched and played fine. I do have region and 50/60Hz switches too, this allowed me to switch to NTSC to enjoy the game fully... Don't know if it works with all games, but as a POC it shows the security check has been passed.
     
    Last edited: Jun 5, 2010
  4. l_oliveira

    l_oliveira Officer at Arms

    In fact, the SUB-CPU (the 12MHz 68000 on the CD digital board) has a 128KB BIOS which is unpacked from the main 68000 ROM. The SUB-CPU has no ROM, but the main 68000 unpacks its BIOS and puts stuff together to then start it when ready. And yes, we will need custom tools to unpack the sub CPU BIOS and then put it back after changes are made.
     
    Last edited: Dec 25, 2012
  5. segaloco

    segaloco Enthusiastic Member

    There has been a dump of that BIOS (somewhat) which was really just a RAM dump which consisted of at least that BIOS. It could be reverse engineered to find the compression algorithm.
     
  6. dutchconsolefreak

    dutchconsolefreak Peppy Member

    decompressed Sega CD 68k BIOS (size: 1 mbit)
    This is the BIOS data which is decompressed by the Genesis 68k into the Sega CD 68k RAM (based on Sega CD BIOS 1.10).
    Not suitable for emulator usage, just suitable for programming purposes.

    http://eidolon.dnsalias.net/eifiles/scd_100_us.zip

    Here is some info about the code that actually tests the segacd region:

    Since it takes too much time to recreate the original compression algorithm, it is better to search for a new compressor with a compact 68k decompression source.

    EDIT:
    Seems that the code above is NOT in the (de)compressed BIOS, but in the main segacd ROM.
    When (partially) disassembling "Sega CD Model 1 BIOS v1.10 (1992)(Sega)(US).bin" I find:

    As you can see this is the same as above, but like I said not in the compressed BIOS.
    In the compressed BIOS [link at the start of this post] I didn't find the same code, but there was a comparison loop with the same size as the security code (and the security code itself):

    So it looks like the protection is at least on two levels: the main ROM (executed on the genesis?) and in the segacd BIOS (executed on the sub-cpu)
     
    Last edited: Jun 6, 2010
  7. RAQ

    RAQ Member

    Here is a link to a modified European BIOS I did: http://gendev.spritesmind.net/forum/viewtopic.php?t=726 This 'hack' removes the country protection check and the CD security check. It's not perfect but it does work. It's only been tested on an emulator (Kega Fusion) but I don't see why it wouldn't work on actual hardware.
     
  8. dutchconsolefreak

    dutchconsolefreak Peppy Member

    Thanks for sharing the link :) Can you tell why it is not perfect? And how did you recompress the mcd BIOS part?

    edit:
    OK, I've read about the glitches on NTSC machines, I think it can be solved by modifying a USA or JPN ROM?
     
    Last edited: Jun 8, 2010
  9. l_oliveira

    l_oliveira Officer at Arms

    From a talk with TmEE, I just realized we can just "trojan" the SUB-CPU code before it gets started, by adding a routine which changes whatever we need to in the SUB-CPU RAM before it's set to run.

    In a system setup like MEGA-CD, the role of the MAIN CPU is what the programmer wants it to be.

    As we can just halt the SUB-CPU (or not let it run) and poke around its memory, there's no need to tamper with the original compressed image of the SUB-CPU boot program. :lol:
     
  10. sayin999

    sayin999 Officer at Arms

    There is no way just to make a boot disc to bypass the region check?
     
  11. APE

    APE Master Baiter

    I'm getting a broken SegaCD in a few days (hoping it's the F1 fuse problem) and I was looking for an excuse to build an EEPROM flasher to try the multi-region SegaCD BIOS mod that is out there. However I think I'll go ahead and give yours a shot and see how actual hardware likes it if you don't mind.

    Granted this is an American SegaCD outputting 60hz normally but afaik internally they're the same hardware. My monitor will accept 50hz over composite so that shouldn't be a problem.

    Annnnnd I just read about the glitches on an NTSC system. Noted. Will see how it performs anyway.
     
    Last edited: Jun 9, 2010
  12. l_oliveira

    l_oliveira Officer at Arms

    I had a good look at the hacked PAL ROM and RAQ basically did what I posted on the thread, but like three months earlier ... :lol:

    He however completely bypassed the SEGA LOGO, which is probably why the BIOS crashes on some games.

    I will try to contact him as he left his name on the ROM. :D

    Edit:

    I love people with a sense of humor:
    This guy rocks ! :thumbsup:
     
    Last edited: Jun 28, 2010
  13. l_oliveira

    l_oliveira Officer at Arms

    Thanks to RAQ's work on the SUB-CPU BIOS I was able to put this together with a slight extra bit of hacking:

    http://www.4shared.com/file/0HXCyFYT/Hacked_MEGACD_BIOSES.html


    This one contains his patched SUB-CPU BIOS and extra patches on the MEGA Drive side of the code to always display the "PRODUCED BY OR UNDER LICENCE OF KABUSHIKI KAISHA SEGA ENTERPRISES" regardless of the disc region.

    To achieve this I replaced the original SUB-CPU BIOS with RAQ's, changed the MEGA-CD MD side BIOS call at 0x0364 to point to a patched copy of the Japanese logo at 0x6F20 which executes and then returns execution to the game.


    Edit:
    Mirror for RAQ's original file:

    http://www.4shared.com/file/V899xMfH/_BIOS__Mega-CD__World___v100_.html

    Edit2: File failed on real hardware due to wrong SEGA checksum. Has been repaired.

    Edit3: Original file deleted. New archive contains original file. (see first post for details)
     
    Last edited: Nov 29, 2011
  14. PrOfUnD Darkness

    PrOfUnD Darkness Resolute Member

  15. l_oliveira

    l_oliveira Officer at Arms

    Turns out that the SUB CPU BIOS is Kosinski (yeah, same stuff as on SONIC games) compressed and tools have existed to compress/decompress it since forever... :lol:

    Thanks a lot for pointing me the right way, TmEE!

    And thanks to you, RAQ, for making this before me.
    Quite an achievement ! :thumbsup:
     
    Last edited: Sep 19, 2011
  16. TmEE

    TmEE Peppy Member

    this is jawusum :D
     
  17. RAQ

    RAQ Member

    True, the SUB-CPU is compressed using the Kosinski method, here's a link for a description

    http://segaretro.org/Kosinski_compr...ex.php?title=Kosinski_compression&redirect=no

    It was used in numerous carts as well as the Mega-CD BIOS. The decompression code is at these offsets in the various BIOSes:

    JAP - $7cc
    USA - $902
    EUR - $8f0

    With thanks to l_oliveira for giving me a little push I have managed to patch all 3 BIOS regions so they are 'universal', but at the moment only the JAP BIOS is bug free (not fully tested). By bugs I mean a slight flicker on the EUR BIOS played on a 60Hz machine and no 'segaaaa' intro screen when playing JAP CDs, possibly a few others. I just think the EUR BIOS has the better title screen :) So for now for a 'universal' Mega-CD BIOS, download l_oliveira's version from the above post. Many thanks l_oliveira :thumbsup:
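
A decompressor for the Kosinski format named in the post above, as an added example that is not code from this thread or from the BIOS. The bit order, the descriptor refill timing and the match encodings follow the format as it is commonly documented and are assumptions to check against the linked description; `SAMPLE` is a constructed stream, not BIOS data.

```python
def kosinski_decompress(data: bytes, pos: int = 0) -> bytes:
    """Decompress one Kosinski stream that starts at data[pos]."""
    out = bytearray()
    desc = bits = 0

    def take():  # next input byte
        nonlocal pos
        pos += 1
        return data[pos - 1]
    def load():  # 16-bit descriptor field, stored little-endian
        nonlocal desc, bits
        desc, bits = take() | (take() << 8), 16
    def pop_bit():  # descriptor bits are consumed least significant first
        nonlocal desc, bits
        bit, desc, bits = desc & 1, desc >> 1, bits - 1
        if bits == 0:  # refill at once, before the next data byte is read
            load()
        return bit
    def copy(distance, count):
        if distance > len(out):
            raise ValueError("match points before start of output")
        for _ in range(count):  # byte-wise, so overlapping runs repeat
            out.append(out[-distance])

    try:
        load()
        while True:
            if pop_bit():  # 1: literal byte
                out.append(take())
            elif pop_bit():  # 01: long match, 13-bit offset
                low, high = take(), take()
                distance = 0x2000 - (((high & 0xF8) << 5) | low)
                count = (high & 7) + 2
                if count == 2:  # count field 0: length is in a third byte
                    ext = take()
                    if ext == 0:  # end of stream
                        return bytes(out)
                    if ext == 1:  # marker with no data, keep going
                        continue
                    count = ext + 1
                copy(distance, count)
            else:  # 00: short match, 2 count bits then an 8-bit offset
                count = ((pop_bit() << 1) | pop_bit()) + 2
                copy(0x100 - take(), count)
    except IndexError:
        raise ValueError("truncated Kosinski stream") from None

# Constructed sample (not BIOS data): 4 literals, a short match, a long match,
# 4 literals, then the end marker, which sits after a second descriptor field.
SAMPLE = bytes.fromhex("4FBE53454741FCF8FE2D4344210000" "00F000")
```

The second descriptor field in `SAMPLE` is only there because the first one was used up by the bit that announces the end marker, which is the refill behaviour a reimplementation most easily gets wrong.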
     
  18. l_oliveira

    l_oliveira Officer at Arms

    Yesterday I also added hacks to the US 921011 and made my own version of your EU 921027.

    They are like the EU921027 you made, but they always show their own boot screen regardless of which disc you insert in them.

    This is a temporary archive as I am still doing the readme for them with a detailed description of the changes. :thumbsup:

    This time I'm using the original SUB-CPU BIOS for each one of the files so there should be no compatibility issues besides the BIOS calls quirks (such as the problem with Heavy Nova)

    They have also been SEGA checksum-fixed properly as I learned my lesson from burning an EPROM with a non checksum-fixed file. If it weren't for TmEE telling me about the SEGA code being programmed to skip if CRC=0000 I would need to erase my EPROM again.

    Temporary link:

    http://www.4shared.com/file/vjQbI31Z/MEGA-CD_FREE_JUE.html

    While the files in the archive seem to work properly on the real hardware, they have not been thoroughly tested so consider this a work in progress... :thumbsup:
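
A checker for the byte order and SEGA checksum problems described in this thread, as an added example that is not the posters' tool. It assumes the standard Mega Drive cartridge header convention ("SEGA" at 0x100, a 16-bit checksum at 0x18E covering the big-endian words from 0x200 to the end of the image), which the thread does not spell out, and that the byteswap utility is a plain 16-bit swap; the sample image is constructed.

```python
import struct

HEADER, CHECKSUM, BODY = 0x100, 0x18E, 0x200  # assumed Mega Drive header layout

def byteswap16(image: bytes) -> bytes:
    """Swap the two bytes of every 16-bit word."""
    if len(image) % 2:
        raise ValueError("image length must be even")
    out = bytearray(len(image))
    out[0::2], out[1::2] = image[1::2], image[0::2]
    return bytes(out)

def header_checksum(image: bytes) -> int:
    """16-bit sum of all big-endian words from BODY to the end of the image."""
    body = image[BODY:]
    return sum(struct.unpack(f">{len(body) // 2}H", body)) & 0xFFFF

def check_bios(image: bytes) -> dict:
    """Report byte order and whether the stored checksum matches the body."""
    if len(image) <= BODY or len(image) % 2:
        return {"status": "bad-size"}
    swapped = image[HEADER:HEADER + 4] == b"ESAG"  # "SEGA" after a 16-bit swap
    if swapped:
        image = byteswap16(image)
    if image[HEADER:HEADER + 4] != b"SEGA":
        return {"status": "no-header"}
    stored = struct.unpack_from(">H", image, CHECKSUM)[0]
    computed = header_checksum(image)
    if stored == computed:
        status = "ok"
    elif stored == 0:
        status = "zero"  # the CRC=0000 value the thread says makes the check skip
    else:
        status = "mismatch"
    return {"status": status, "swapped": swapped,
            "stored": stored, "computed": computed}

def fix_checksum(image: bytes) -> bytes:
    """Return a copy of a non-swapped image with the checksum field recomputed."""
    fixed = bytearray(image)
    struct.pack_into(">H", fixed, CHECKSUM, header_checksum(image))
    return bytes(fixed)

def make_sample_image() -> bytes:
    """Constructed test image (not a real BIOS): header plus four body words."""
    head = bytearray(BODY)
    head[HEADER:HEADER + 4] = b"SEGA"
    return bytes(head) + bytes.fromhex("00010002FFFF0003")
```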
     
  19. bearkilla

    bearkilla Robust Member

    wow awesome work everyone
     
  20. dutchconsolefreak

    dutchconsolefreak Peppy Member

    I'm happy to see your project is still alive :) Just wondering, the hacked jpn/usa bios doesn't have any problems with 50hz pal titles? Also, is there any difference between the bios for the megacd1/2 and/or cdx/multimega?

    Also we have to consider the different wondermega's and the x'eye :drool:

    Oh.. and how did you recompress the sub-cpu bios? Never mind, already found the sega data compressor :thumbsup:
     
    Last edited: Jun 30, 2010
