Saturn proof-of-concept bootloader Pseudo Saturn

Hey guys, as I mentioned in another thread, I had been working on a proof of concept boot loader that lets you burn your own Saturn-like discs without the need the ring area or anything else that normally is needed for a pressed disc. It also doesn't require any hardware modifications. I've called it Pseudo Saturn.

Basically it takes advantage of the fact that the CD Block looks for certain strings located in the first sector of a disc. If not present, it doesn't require any additional special checks to unlock full functionality. That's why discs like CD audio, VCD's, and Photo CD's work. Specifically the string I've changed is the first 16 bytes or the "SEGA SEGASATURN " string.

Basically there's two parts to it:

1. Disc image patcher. The first 16 bytes are changed to the string "PSEUDO SATURN " and if necessary correct EDC/ECC data.
2. Saturn bootloader. Normally the bios won't boot a disc that doesn't contain "SEGA SEGASATURN " in the first 16 bytes, so basically a new bootloader is necessary. It was easiest to make a custom boot loader that runs on a cartridge with flash. And since most people own an Action Replay, it made it a good candidate to run the bootloader.

Originally it required a patched disc image and some kind of custom boot loader. Now thanks to the work of jhl it only requires a custom boot loader. It takes advantage of a few flaws in the CD Block.

Anyways, I've attached the most current build along with an installer disc image you run on your Saturn with an Action Replay inserted. There's more instructions and details in the package.

Also please support Yabause, and guys like jhl, Druid II and whoever else I may have missed that contributes heavily to reverse-engineering and documentation of Saturn hardware.

Source code is now available on github. It depends on the iapetus library which is also on github.

I've decided to do one last release(v0.832) and then call it quits. I've mentioned in another post I've had some issues to deal with. Things haven't gotten any better since then so I'm officially done. The code is still and will remain on Github for anyone who wants to continue development. I'll even accept pull requests, but I won't actively contribute. Thanks to everyone who's contributed to this and made this community great. Too many names to mention, but special thanks to jhl, cafealpha2, zorlon.

09/19/2015: Added new cd loader by jhl. Added new logo by alien.
07/08/2014: Added fix for broken cdpatch utility.
07/17/2014: Added support for newer EMS AR 4M Plus, Xinga AR clone carts. Fixed several issues with cdpatch.
08/05/2014: Added new CDB exploit by jhl. Added support for newer USB Dev cartridge. Several other fixes.

 

Keep up the good work!

 

Keep up the great work I'm a give this a try.....

 

This will be good for people with a model 1 Saturn, As they are hard to fit a mod chip to. Awesome work well done.

 

I'm actually surprised this has not already been done before, since the same approach is done with the PS2 with ESR, except that makes it look like a DVD movie.
Good work all the same.

 

Let me also quote from that "other thread":

 

Yeah, I was pretty shocked too when I discovered this could even be done. You'd think at least the chinese would've found the exploit. Especially with all the chinese clone AR carts with 1001 functions, st-key's and what.

 

I don't own a Saturn, and not sure I ever will (though I'd like to), but nontheless I thought I'd say: awesome and thank you for sharing it!

 

I thought the check for the disc type wasnt in the bios?

 

I think the disc type check is done by the cd-rom firmware, but then the bios won't execute code if the cd-rom assembly says it's not a saturn disc.
So IIUC changing the header of the bootsector skips the ring/wobble check so that the disc isn't rejected, and the code in the AR boots the game. Kinda clever!

 

Ah, I see what you are saying. Just his wording through me - but that makes sense.

 

It's in essence similar to how the mil-cd format allows a disc not to be rejected and how the modified bootsector boots the game (and unlock the gd-rom drive) on Dreamcast selfboots.
Except in the saturn case there's no (known) way to execute the bootsector and not reject the disc so an action replay is used.

 

So the Action Replay gets overwritten or does it retain it's functionality but have this bootloader added to it?

 

A wild guess it gets overwritten, the one reason I don't feel the need at the moment, it's a firmware replacement rather than a mod of the original AR firmware

I like the extra features of my Action Replay 4M Plus, especially the Save and Memory features that I don't want to be lost, cheats are nice also

Still great work is being done here and I for one will be watching this for future updates

EDIT....

Yay I'm a noob here, shocked I never posted before now


I do wish I had a second action replay to play with this little mod on though

Could this be used as a Bios file in any Saturn emulators so we can have a look at it (though little real point to that except to see it in action)

Perhaps a demo vid showing it off would be cool also, you know how people love there youtube nowerdays

 

Sounds great. I do have a few questions regarding usage though...

Does the AR version/model matter? I see the comms port being mentioned (which only the earlier ones have), and there's even FPGA-based ones (apparently very late models, maybe clones?) out there. Any chance installing this could fry/brick a cart? Or does it just install itself as a new set of codes, or sth like that?

 

So does this work or is it WIP?

 

I'll be trying this out tommorw and let you guys know.

 

@Kev, he said it does work. But it's a first proof of concept. I guess in the future you could keep the normal functions of the AR and add the bootloader transparently.

 

cdpatch.exe crashes on Windows 7 - x64. Tried on Windows 8.1 as well and one machine says, "no memory" and the other looks as though it will work and creates some kind file dump but no data was modified on the cue sheet. I really don't want to dig out a XP machine to test this out further tonight so if anyone has an solutions for Windows 7 or 8, let me know please. I've tried all the available compat modes and nothing will run the patch.

The AR firmware patch worked like a charm on my 5 in 1 pro.

 

Cyber Warrior: note that the Action Replay has far less save space on it than the internal menu allows you to use - the cart has a microcontroller that compresses saves. Hooking this up to work through the BIOS may be more difficult. The alternative is to have far less space for saves. From memory I think the AR uses 256kbyte (some using 512kbyte), part of which is taken by the ROM. That still leaves you with a lot of space though, and direct saving would make the carts save function less useless.
The cart still IDs itself as RAM expansion, so I guess you'd need to build a boot menu where you can select native saves or RAM expansion function?

It works but you need to sacrifice an action replay for it; and to reflash the action replay you already need a chipped console (or just do the swap trick once). You lose all functionality of an AR this way except the RAM expansion (?).
Since you need extra hardware either way, on top of manually patching images, this method is unfortunately not very practical. But a nice proof of concept.

Even if the code is moved into the BIOS (so you can keep a working AR cart), exchanging the bios is even more difficult for the end user.

All the cd patch does is remove the "SEGA SEGASATURN" text from the iso first sector, if I understood correctly. You can do that with a hex editor for any cd image yourself. However for 2352 mode images you'll have to rebuild the ECC manually for it to work (depending on how your burner handles images with ecc errors). You can do a rebuild in CD Mage easily - after hex editing the string out, load the image in CD Mage, do a scan for errors, then highlight only the very first sector (sector 150 or 151, whichever one has the header), right click, and use "Rebuild sector fields".
The cue sheet should not be modified, just that one header string in the binary, but I didn't test the app myself. Maybe you are trying to point the app to the cuesheet not the binary and that's why it doesn't work?

Also I thought the action replay was 4 in 1. There is a 5 in 1 version?