Sega Dreamcast HDMI Adapter coming soon ..

Discussion in 'Sega Dreamcast Development and Research' started by Venatus Usque, Apr 8, 2015.

Page 10 of 10
  1. PrOfUnD Darkness

    PrOfUnD Darkness Familiar Face

    Joined:
    Mar 13, 2004
    Messages:
    1,004
    Likes Received:
    16
    Amazing technical stuff in this thread, but this explanation on how the homebrew/pirate patch works was amazing, I don't think I ever read any explanation about it before, thank you.
     
    PrOfUnD Darkness, Jun 5, 2016
    #181
    RaZiel likes this.
  2. madsheep

    madsheep Robust Member

    Joined:
    Jul 19, 2013
    Messages:
    271
    Likes Received:
    18
    correct me if i am wrong but if this happens then the other data on the drive will be unaccessible so loading the binary then locking the drive will resault in no access to program/game resources and libs
     
    madsheep, Jun 6, 2016
    #182
    MetalliC likes this.
  3. MetalliC

    MetalliC Rising Member

    Joined:
    Apr 23, 2014
    Messages:
    66
    Likes Received:
    33
    @madsheep you are right, I missed this, actually never looked what genuine Mil-CDs is, and its more like additional video-player as I see, so its indeed will require subsequent disc access.
    well, in such case I'm afraid Sega had no choice...

    btw, this question was nice reason to put my eye and debugger onto "how real Mil-CDs unlock G1 ATA" ?
    unsurprisingly it works different to pirated/homebrew software.
    as we remember DC BIOS write into 5f74e4h register ('last checksummed address') 42FEh value before jump into Mil-CD binary.

    later in it's code executed such routine:
    Code:
    8C1DF142  D10C  MOV.L     #h'A0001000, R1
8C1DF144  D20C  MOV.L     #h'8C001000, R2
8C1DF146  D30D  MOV.L     #h'00000C00, R3
8C1DF148  6016  MOV.L     @R1+, R0
8C1DF14A  2202  MOV.L     R0, @R2
8C1DF14C  4310  DT        R3
8C1DF14E  8FFB  BF/S      h'8C1DF148
8C1DF150  7204  ADD       #h'04, R2
8C1DF152  D00B  MOV.L     #h'000000C0, R0
8C1DF154  6316  MOV.L     @R1+, R3
8C1DF156  4010  DT        R0
8C1DF158  8BFC  BF        h'8C1DF154
    looks useless, because it copy 'SysCalls' area from ROM (1000h - 3fffh) into RAM, which is already there, then do dummy read of 300h more bytes.
    this code is hidden/obfuscated "original Sega's" G1 unlock routine.
    which is basically reads data from BIOS 1000h to 42ffh (1 byte more than needed to reach 42FEh address) , this chunk of data have 'correct magic checksum' so G1 ATA will be unlocked after this.
     
    Last edited: Jun 6, 2016
    MetalliC, Jun 6, 2016
    #183
    TerdFerguson likes this.
  4. japanese_cake

    japanese_cake Rising Member

    Joined:
    Jul 24, 2009
    Messages:
    58
    Likes Received:
    11
    Interesting indeed! I just bought a real milcd to have a look at this. I am a bit surprised though because I remember trying to unlock the drive with data stored in ROM located at an address > 0xa0000000 and it did not work. But as soon as I put the same data at 0xa0000000 then it worked. Maybe I did something wrong. I will try again later. Thank for the info ;)

    (I think we should talk about this in another thread though ^^)

    Update: it works with address>0xa0000000 - I was just not doing the unlock correctly (was putting in a05f74e4 (data_size -1) instead of (data_start_offset + datat_size - 1). Anyway, got my MILCD today, time to have a look at this weird CD format..
     
    Last edited: Jul 1, 2016 at 5:57 AM
    japanese_cake, Jun 23, 2016
    #184
    RaZiel likes this.
Page 10 of 10

Share This Page