neoIP - A new way to generate an IP.BIN without ECHELON or binhack....

Discussion in 'Sega Dreamcast Development and Research' started by Mrneo240, Feb 21, 2018.

  1. Mrneo240

    Mrneo240 Peppy Member

    Joined:
    Sep 15, 2017
    Messages:
    396
    Likes Received:
    454
    There's a lot of space in an IP.bin for code, 18430 bytes. Let's assume you're an asm wizard and you handwrite and compile it without a compiler. You get 9215 instructions, you probably need 215 at most for a simple setup and jump to 1st_read.bin without scrambling. Let's be generous and say scrambling adds 2000 instructions (it doesn't), so you have 7000 instructions left versus 9000.

    Space is plentiful when you're being mindful. Now let's say you're writing C and using gcc to compile: you still have space, but now suddenly you're wasting a lot more of it.
     
    darcagn likes this.
  2. -=FamilyGuy=-

    -=FamilyGuy=- Site Supporter 2049

    Joined:
    Mar 3, 2007
    Messages:
    2,960
    Likes Received:
    794
    I'm pretty sure the custom code in the IP.BIN was written in assembler directly. Maybe it was just simpler to skip it, or it was considered neat. It may have been to confuse people trying to rebuild a CDI from it too.
     
  3. Mrneo240

    Mrneo240 Peppy Member

    Joined:
    Sep 15, 2017
    Messages:
    396
    Likes Received:
    454
    Ok well here's the state of things:
    • General code cleanup
      • Stricter typing most places
      • Formatted the same
      • Function names organized more
    • Video
      • Double buffering, no flickering
      • More normal looking menu
      • Added some basic 2d functions
    • Sound
      • Still broken, won't fix
    • Input
      • Untouched
    • Other
      • Improved speed (time from license screen to game boot)
      • Added licenses/attribution
      • Stealth enabled by default (no menu, boot straight to game)
    • Patching
      • Binary patching, easier to use and configurable by user. Can be changed after compile time
      • Runtime patching: zero progress. :(
        • Help definitely needed
    Source coming in the next 2 days along with a new tool for inserting simple patches (8,16,32 bit) and will be linked here and on GitHub.

    I tried incorporating the memory patcher from the PSO patcher disc, but so far it just crashes when enabled. If disabled, it is able to hook the function and forward the syscall, but when enabled it jumps to address 0xA0000000 (lol :D) after doing the patch, so I gotta look into that.
     
    Xerxes3rd, Woofmute and darcagn like this.
  4. -=FamilyGuy=-

    -=FamilyGuy=- Site Supporter 2049

    Joined:
    Mar 3, 2007
    Messages:
    2,960
    Likes Received:
    794
    Very nice work! Seems very interesting!
    @Esppiral and @megavolt85 might want to try this to have optional 16:9 games!
     
    Xerxes3rd likes this.
  5. Mrneo240

    Mrneo240 Peppy Member

    Joined:
    Sep 15, 2017
    Messages:
    396
    Likes Received:
    454
    Current look of the menu. Basic but functional.

    [Screenshot attached: 2018-02-28 02_23_51-gpuDX11hw _ spg_ 59 gpu_ 0 _ CRAZY TAXI.png]
     
  6. yzb37859365

    yzb37859365 Spirited Member

    Joined:
    Jul 14, 2013
    Messages:
    183
    Likes Received:
    122
    Looks great, good luck~
     
    fafadou, SiZiOUS and -=FamilyGuy=- like this.
  7. Mrneo240

    Mrneo240 Peppy Member

    Joined:
    Sep 15, 2017
    Messages:
    396
    Likes Received:
    454
    https://github.com/mrneo240/neoIP more changes and info to be pushed later today.

    As it stands it won't be straightforward to use this; developers only for the moment.

    I'll write up usage and methodology later this evening.

    edit: it should compile with a default Dreamcast toolchain. If it doesn't, check makefile.config and go from there.

    neoIP.c and maketmpl.c are used for generating the actual IP.bin; the makefile only generates boot1.bin, which must be placed at offset 0x3800 in IP.bin. Edit the last 4 bytes of the boot1.bin to be a 32-bit int with the size of the 1st_read.bin (neoIP does this automatically, maketmpl doesn't but can be configured to, or it can be configured in the code as well).

    MESSY AS FUCK but better than 2 days ago. More cleanup to come. Also, I can't remember if I removed the code in scramble.c that uses store queues; if it's there, comment it out and replace it with memset/memcpy.

    extra edit: it also assumes VGA output, but can definitely be expanded to properly deal with more resolutions.
     
    Last edited: Mar 2, 2018
    fafadou, darcagn and -=FamilyGuy=- like this.
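The boot1.bin insertion step described above (place boot1.bin at offset 0x3800 of IP.bin and write the 1st_read.bin size into its last 4 bytes), as an added host-side example in Python; this is not neoIP's own code. It assumes the standard 32 KiB IP.BIN size and that the size field is little-endian, as the Dreamcast's SH-4 normally runs; the sample bytes are constructed.

```python
import struct

IP_BIN_SIZE = 0x8000                     # IP.BIN is 32 KiB (assumed standard size)
BOOT1_OFFSET = 0x3800                    # where the post says boot1.bin goes
BOOT1_MAX = IP_BIN_SIZE - BOOT1_OFFSET   # 18432 bytes of room for custom boot code


def patch_boot1_size(boot1: bytes, first_read_size: int) -> bytes:
    """Overwrite the last 4 bytes of boot1.bin with the 1st_read.bin size.
    Little-endian is an assumption here (SH-4 in the Dreamcast runs LE)."""
    if len(boot1) < 4:
        raise ValueError("boot1.bin too small to hold a 4-byte size field")
    if not 0 <= first_read_size <= 0xFFFFFFFF:
        raise ValueError("1st_read.bin size does not fit in 32 bits")
    return boot1[:-4] + struct.pack("<I", first_read_size)


def insert_boot1(ip_bin: bytes, boot1: bytes, first_read_size: int) -> bytes:
    """Return a new IP.BIN with the size-patched boot1.bin written at 0x3800."""
    if len(ip_bin) != IP_BIN_SIZE:
        raise ValueError(f"IP.BIN must be {IP_BIN_SIZE} bytes, got {len(ip_bin)}")
    if len(boot1) > BOOT1_MAX:
        raise ValueError(f"boot1.bin is {len(boot1)} bytes, limit is {BOOT1_MAX}")
    patched = patch_boot1_size(boot1, first_read_size)
    out = bytearray(ip_bin)
    out[BOOT1_OFFSET:BOOT1_OFFSET + len(patched)] = patched
    return bytes(out)


def read_boot1_size(ip_bin: bytes, boot1_len: int) -> int:
    """Read the size field back out of a built image, to check it before burning."""
    end = BOOT1_OFFSET + boot1_len
    return struct.unpack("<I", ip_bin[end - 4:end])[0]


if __name__ == "__main__":
    # Constructed sample data: a blank IP.BIN template, a fake 204-byte boot1.bin
    # (100 SH-4 NOPs, encoded 0x0009 LE, plus a placeholder size field) and a
    # 1st_read.bin of 1,234,567 bytes.
    template = bytes(IP_BIN_SIZE)
    boot1 = b"\x09\x00" * 100 + b"\xff\xff\xff\xff"
    image = insert_boot1(template, boot1, 1234567)
    print("size field reads back as", read_boot1_size(image, len(boot1)))
```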
  8. megavolt85

    megavolt85 Robust Member

    Joined:
    Jan 8, 2015
    Messages:
    291
    Likes Received:
    422
    Code:
    ResetGD:
        sts.l   pr, @-r15              ! save return address on the stack
    
        mova    GDreset, r0
        mov.l   @r0, r4                ! r4 = address of the GD reset register
        mova    GDresetval, r0
        mov.l   @r0, r5                ! r5 = value to write there
    
        mov.l    r5, @r4               ! write the reset value
    
        mova    Aflushstart, r0
        mov.l   @r0, r4                ! r4 = start of range to read through
        mova    Aflushend, r0
        mov.l   @r0, r5                ! r5 = end of range
    
    aflushlp:
        mov.l   @r4, r0                ! read one longword, value discarded
        add     #4, r4
    
        cmp/eq  r4, r5                 ! loop until r4 reaches Aflushend
        bf      aflushlp
    
        bsr     GdInitSystem
        nop
    
        lds.l   @r15+, pr              ! restore return address
        rts
        nop
    
        .align  4
    
    GDreset:
        .long   0xa05f74e4
    GDresetval:
        .long   0x1fffff
    Aflushstart:
        .long   0xa0000000
    Aflushend:
        .long   0xa0200000
    optimisation ;)

    Code:
    ResetGD:
        sts.l   pr, @-r15              ! save return address on the stack
        mova    Aflushend, r0
        mov.l    @r0,r0                ! r0 = Aflushend
        mov.b    @r0,r0                ! single byte read replaces the whole loop
        
        bsr     GdInitSystem
        nop
    
        lds.l   @r15+, pr              ! restore return address
        rts
        nop
        
        .align  4
    Aflushend:
        .long   0xa01fffff
     
  9. Mrneo240

    Mrneo240 Peppy Member

    Joined:
    Sep 15, 2017
    Messages:
    396
    Likes Received:
    454
    Done! Works great! Also fixed up the store queue issues.
    Thanks for the help.
     
    fafadou and -=FamilyGuy=- like this.
  10. root670

    root670 Robust Member

    Joined:
    Apr 4, 2010
    Messages:
    205
    Likes Received:
    17
    I've extracted the code engine from CodeBreaker as assembly source and posted it here for use in my CheatDeviceDC project: https://github.com/root670/CheatDeviceDC/blob/master/engine/engine_asm.S

    While analyzing the engine code I came across an undocumented code type! Pointer writes can be done using a code beginning with 08 and I don't think it's been used by any games. The format is kind of weird: it uses the lower 3 bits of the first code line (the "base address") to determine the size of the write (8/16/32 bits, chosen by 0, 1, and 2). I tried to explain this as well as I could in the comments, but I might be overthinking the logic a bit.

    Other things worth mentioning are that C and E type codes are converted into D type codes by the CodeBreaker menu, where the first byte of the second code line is used to store the number of lines to execute if the condition is true. Increment and decrement codes are surprisingly not supported by CodeBreaker, but readings online would suggest that GameShark does support them.

    You're welcome to use this for your loader to enable patch codes. For my project, my plan is to assemble this as an object file, link it into the main executable, then use the symbol names to copy it into memory and set up the code list.
     
    S4pph4rad, SiZiOUS, Xerxes3rd and 2 others like this.
  11. PrOfUnD Darkness

    PrOfUnD Darkness Familiar Face

    Joined:
    Mar 13, 2004
    Messages:
    1,115
    Likes Received:
    47
    Wow lots of amazing information within this thread, keep it coming guys I just grabbed my popcorn :)
     
  12. Mrneo240

    Mrneo240 Peppy Member

    Joined:
    Sep 15, 2017
    Messages:
    396
    Likes Received:
    454
    Amazing work!

    Unfortunately I still haven't been able to store code somewhere in memory and jump to it and return within the context of a game.

    I'm still gonna try and figure that magic part out.
     
    Xerxes3rd likes this.
  13. SiZiOUS

    SiZiOUS Spirited Member

    Joined:
    Mar 27, 2009
    Messages:
    113
    Likes Received:
    159
    This is really nice news! :) Great job! :)
     
    fafadou likes this.
  14. S4pph4rad

    S4pph4rad Site Supporter 2015

    Joined:
    Nov 28, 2014
    Messages:
    140
    Likes Received:
    114
    This might have been covered already by someone else in the thread or the posted sample, but in case it hasn't yet... The way older cheat devices worked when they required enable codes was that the enable code was usually the address of a return-from-subroutine instruction. The device would mask (in the case of a ROM cart) or overwrite the instruction and replace it with a long jump to the code handler routine. The routine would run, writing the memory addresses that the code updates, then return. Since you jumped to the code handler, return would return to the original place where the instruction you patched was going to go.

    For performance reasons, perhaps you could pre-translate codes into assembly instructions that write to the necessary areas, then you wouldn't need to run code handling logic. (But cheat devices usually had a bunch of code types other than simple writes, like conditional ones that would read a memory address to compare values, write something to an offset of a pointer at a specified address, etc.)

    More modern cheat devices that didn't usually require enable codes would search the binaries for common routines found in every game, for example an SDK method to read the controller input. Games would need to call that every frame anyway, which is why codes appear to be constantly active.

    I guess an alternative to executable patching to execute codes would be to use interrupts, but I don't know if that's even an option here. I used to make codes for GBA and Gamecube games long ago, and in the case of GC games clearing interrupts was a standard thing that games would do any time they loaded a new executable. This is why long enable codes were required for multi-executable games (demo discs, collections, PSO) because they'd have to patch the executable loader so that it could execute the code handler to patch the next executable that is loaded.

    Also I just saw this thread for the first time today, this project sounds great so I hope you're able to do everything you want with it. I had wanted to write a cheat patcher at some point but never found the time to work on one so I'm glad to see someone actually doing it.
     
    fafadou and Mrneo240 like this.
  15. Mrneo240

    Mrneo240 Peppy Member

    Joined:
    Sep 15, 2017
    Messages:
    396
    Likes Received:
    454
    Not too much to report, but there are a couple of little fixes made in GitHub and there's finally documentation.

    A full proper release was made as well. Maybe someone will use this? Even if not, I'll be using it for any future NeoDC releases and of course our upcoming game (read: tech demo).

    The current release is compiled for booting SCRAMBLED binaries from a CD-R or UNSCRAMBLED binaries from a GD-ROM.
    But it can be hex edited to boot an UNSCRAMBLED binary on a CD-R (similar to ECHELON's binhack); also, you could hex edit in up to 4 patches without recompiling it.
    While on the license screen you can hold the 'X' button to access the menu.

    Demo CDI, along with IP.bin and a basic 1st_read.bin(scrambled) are included.

    Minor structure changes to come tonight as well.

    Not sure if link is posted: Https://GitHub.com/mrneo240/neoip
     
    Last edited: Apr 22, 2018
    SiZiOUS, Xerxes3rd, fafadou and 2 others like this.
  16. S4pph4rad

    S4pph4rad Site Supporter 2015

    Joined:
    Nov 28, 2014
    Messages:
    140
    Likes Received:
    114
    Wow, I can't believe I missed this post last time I was in the thread, and also THANK YOU for finding that. A couple years back there were some situations that I wanted pointer codes for and those ended up getting turned into ASM hacks instead. This would be a game changer if I was still making codes. :)
     
    SiZiOUS and fafadou like this.
  17. Mrneo240

    Mrneo240 Peppy Member

    Joined:
    Sep 15, 2017
    Messages:
    396
    Likes Received:
    454
    May not be the most exciting thing, but I was reading that people were having trouble playing PBA on PAL/EUR Dreamcasts, so

    I made a new release that is proven working on NA/PAL Dreamcasts (JAP untested, but it should).
    and....

    IT USES neoIP to boot a WinCE game. Things are better when they have a purpose.

     
    Last edited: May 4, 2018
    pitito and truemaster1 like this.
  18. -=FamilyGuy=-

    -=FamilyGuy=- Site Supporter 2049

    Joined:
    Mar 3, 2007
    Messages:
    2,960
    Likes Received:
    794
    So, there are patches applied depending on the region?
     
  19. Mrneo240

    Mrneo240 Peppy Member

    Joined:
    Sep 15, 2017
    Messages:
    396
    Likes Received:
    454
    No, the files are prepatched based on the patch made by megalexxx circa 2003.
    neoIP here isn't implementing anything beyond its typical usage; I just wanted to demonstrate that it works for WinCE as well.
     
    MastaG and Xerxes3rd like this.
  20. TerdFerguson

    TerdFerguson ls ~/

    Joined:
    Apr 27, 2015
    Messages:
    662
    Likes Received:
    352
    so, is there potential this method could be used to boot WCE games from the SD card?
     