Would love help with SH4 Assembly - GD-ROM Soft-Reset Trick (ECHELON)

Discussion in 'Sega Dreamcast Development and Research' started by Mrneo240, Feb 7, 2018.

  1. Mrneo240

    Mrneo240 Enthusiastic Member

    Do you think any of the real programmers here know how gameshark/action replay/codebreaker works on the dreamcast?

    I keep seeing tons of games with master code:
    22C5F54A 00000002 or 22C5F54A 00000006

    I'm assuming this is a special code that instructs the cheat device where to hook code in order to do its thing, but beyond reversing the binaries (almost guaranteed, I'm betting) do we know how to do that at all? I can one-time patch stuff, but for continuous stuff that isn't going to work.
     
  2. -=FamilyGuy=-

    -=FamilyGuy=- Site Supporter 2049

    There's a guide somewhere explaining it, but I can't find it anymore. The first few characters are descriptors, e.g. "write dword once to 0xXXXX" or "write short repeatedly to 0xXYZA" then there's the value. IIRC it can get much more complex.

    Maybe @Esppiral can chime in?
     
  3. darcagn

    darcagn Site Supporter 2013, Site Supporter 2014

    This document looks to have what you want

    https://gamefaqs.gamespot.com/dreamcast/916412-dreamcast/faqs/11357
     
  4. Mrneo240

    Mrneo240 Enthusiastic Member

    Explains exactly nothing. This is a special code specifically used as a master code on many Dreamcast games.
    No documentation on what it specifies or how the GameShark hooks into the game to actually function.
     
  5. Mrneo240

    Mrneo240 Enthusiastic Member

    This code is only used for the master code; no other GameShark codes for Dreamcast start with 22. It's special and somehow denotes how and where (I'm guessing) the GameShark will hook the main binary, but I have no idea how.
     
  6. -=FamilyGuy=-

    -=FamilyGuy=- Site Supporter 2049

    Well, then you might have to load the GS in an emulator and try to figure it out.
     
    Mrneo240 likes this.
  7. Mrneo240

    Mrneo240 Enthusiastic Member

    That's my fear. At the moment I have too many projects to deal with it, so it's just added to the ever-growing list.

    I really need to write a patch for lxdream to be able to dump memory regions.
     
  8. root670

    root670 Robust Member

    @Mrneo240 I'm in the early stages of developing an open source cheat device and have been researching how GameShark and CodeBreaker work. I think you might find my notes useful! I can share my IDA database with you if you'd like as well. :)

    Cheat Engine Locations
    • GS installs its engine at 8C007200
    • CB installs its engine at 8C004800
    Enable/Master Codes:
    • Adding code 0B400000 00000002 (note that this is in the decrypted form) changes the address where the engine is installed to:
      • 8C008300 (IP.BIN entrypoint) on CB
      • 8C008000 (IP.BIN start) on GS. It looks like a different engine is used as well on GS, though it might use different engines depending on the codes being used
    CodeBreaker checks for the 00000002 value and doesn't seem to support any other values. I think the default location CodeBreaker uses for its engine is more compatible since games like Crazy Taxi normally require this code to be active when using GameShark.
    • Adding code 0BFFFFFF xxxxxxxx changes the engine address to xxxxxxxx (user defined address)
      • F355 Challenge uses this code to set the engine address to 8C007800
      • Similarly, PSO 2 uses this code to set the engine address to 8C5FF000
    • For both of these codes, DCCrypt tries to decrypt the value despite already being in its decrypted form.
    GameShark v3.3
    Before launching a game, a patch is made at 8C0004F4 to disable checks against the IP.BIN file loaded in memory.
    A patch to jump to the code engine is made at 8C0018F0.

    CodeBreaker 197/Xploder 198

    The US versions of these are virtually identical. In fact, the compile times listed are mere seconds apart!

    Something interesting I noticed is that the loader seems to delete flashrom partition 4 and then overwrite it with data before launching a game. I haven't confirmed this to be the exact behavior, but there is code in there to do that while setting up the engine hooks.

    A patch is made at 0x8C00118C before launching a game. This is normally an offset to the gdGdcInitSystem() function at 8C001890. The value is added to 8C001180 (the beginning of the jump table; this is the third offset in the table) to get the actual address to jump to.

    It changes the offset to cause a jump to A020C000. This is within flashrom partition 4... isn't that odd??
    Original values: 10 07 00 00
    Patched values: 80 AE 20 14

    CodeBreaker defines special codes to allow these addresses and values to be changed. I don't think any game uses these but they must have been added to address potential compatibility issues that could have occurred as new games were released.
    • The address of the offset table (default 8C001180) can be changed using code 0BFFFFFE xxxxxxxx
    • The address where the jump offset is written (default 8C00118C) can be changed using code 0BFFFFFC xxxxxxxx
    • The address to jump to (default A020C000) can be changed by using code 0BFFFFFD xxxxxxxx
    A patch to jump to the code engine is made at 8C0018F8, similar to how GS does it.
     
    Last edited: Feb 25, 2018
    Xerxes3rd, MetalliC, Mrneo240 and 4 others like this.
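As an added example, not code from root670's notes or from any cheat device, the following C models the CodeBreaker syscall-table hook laid out in the post above: the table base at 8C001180, the third slot at 8C00118C holding a base-relative offset, the original bytes 10 07 00 00 resolving to gdGdcInitSystem() at 8C001890, the patched bytes 80 AE 20 14 resolving to A020C000, and the 0B400000 / 0BFFFFFC / 0BFFFFFD / 0BFFFFFE / 0BFFFFFF control codes that override those parameters. Everything else (the struct and function names, the 16-byte constructed RAM image, treating the codes as already decrypted) is an assumption for illustration; the GameShark variant of 0B400000 (engine at 8C008000) is not modelled.

```c
/* Added example: model of the CodeBreaker syscall-table hook. Not code from the
 * post or any cheat device; addresses and byte values are the ones quoted above,
 * names and the sample image are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CB_ENGINE_DEFAULT   0x8C004800u  /* where CB normally installs its engine */
#define CB_ENGINE_IPBIN     0x8C008300u  /* engine address after 0B400000 00000002 */
#define SYSCALL_TABLE_BASE  0x8C001180u  /* start of the BIOS syscall offset table */
#define SYSCALL_ENTRY_ADDR  0x8C00118Cu  /* third slot: offset of gdGdcInitSystem() */
#define CB_DEFAULT_TARGET   0xA020C000u  /* where CB redirects that slot */

/* The Dreamcast's SH-4 runs little-endian, so table entries are LE 32-bit values. */
static uint32_t le32_read(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void le32_write(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* A slot holds an offset relative to the table base, not an absolute address. */
uint32_t syscall_target(uint32_t table_base, const uint8_t entry[4]) {
    return table_base + le32_read(entry);          /* 32-bit wraparound is intended */
}
uint32_t encode_entry_value(uint32_t table_base, uint32_t target) {
    return target - table_base;
}

/* Hook parameters plus the 0Bxxxxxx control codes that override them. */
typedef struct {
    uint32_t engine_addr, table_base, entry_addr, target;
} cb_hook_cfg;

cb_hook_cfg cb_hook_defaults(void) {
    cb_hook_cfg c = { CB_ENGINE_DEFAULT, SYSCALL_TABLE_BASE,
                      SYSCALL_ENTRY_ADDR, CB_DEFAULT_TARGET };
    return c;
}

/* Returns 1 if (code,value) is a hook-control code and was applied, 0 if it is an
 * ordinary cheat line, -1 for a control code with a value CB does not accept.
 * Codes are expected in decrypted form (the 0B... form quoted in the post). */
int cb_apply_hook_code(cb_hook_cfg *c, uint32_t code, uint32_t value) {
    switch (code) {
    case 0x0B400000u:                      /* enable code: only value 2 is honoured */
        if (value != 2u) return -1;
        c->engine_addr = CB_ENGINE_IPBIN;
        return 1;
    case 0x0BFFFFFFu: c->engine_addr = value; return 1;   /* user-defined engine address */
    case 0x0BFFFFFEu: c->table_base  = value; return 1;   /* offset table base */
    case 0x0BFFFFFCu: c->entry_addr  = value; return 1;   /* slot that gets rewritten */
    case 0x0BFFFFFDu: c->target      = value; return 1;   /* address the slot should reach */
    default:          return 0;
    }
}

/* Rewrite the slot inside a RAM image. image_base is the SH-4 address of image[0];
 * the original 4 bytes are saved so the engine can chain to the real function. */
int cb_patch_syscall_slot(const cb_hook_cfg *c, uint8_t *image, size_t image_len,
                          uint32_t image_base, uint8_t saved[4]) {
    if (c->entry_addr & 3u) return -1;                    /* entries are 4-byte aligned */
    if (c->entry_addr < image_base ||
        c->entry_addr - image_base + 4u > image_len) return -2;   /* slot outside image */
    uint8_t *slot = image + (c->entry_addr - image_base);
    memcpy(saved, slot, 4);
    le32_write(slot, encode_entry_value(c->table_base, c->target));
    return 0;
}

/* Self-check on a constructed 16-byte image of the table; only the third slot is
 * populated, with the "10 07 00 00" bytes quoted in the post. Returns 1 on success. */
int cb_hook_selfcheck(void) {
    static const uint8_t want[4] = { 0x80, 0xAE, 0x20, 0x14 };   /* "80 AE 20 14" */
    uint8_t image[16] = { 0 };
    image[12] = 0x10; image[13] = 0x07;
    cb_hook_cfg c = cb_hook_defaults();
    uint8_t saved[4];
    if (cb_patch_syscall_slot(&c, image, sizeof image, SYSCALL_TABLE_BASE, saved) != 0) return 0;
    if (syscall_target(c.table_base, saved) != 0x8C001890u) return 0;   /* gdGdcInitSystem */
    if (syscall_target(c.table_base, image + 12) != CB_DEFAULT_TARGET) return 0;
    return memcmp(image + 12, want, 4) == 0;
}

int main(void) {
    printf("CodeBreaker hook self-check %s\n", cb_hook_selfcheck() ? "passed" : "FAILED");
    return 0;
}
```

The arithmetic is the whole trick: A020C000 minus 8C001180 is 1420AE80, which is exactly the little-endian 80 AE 20 14 root670 saw written over the slot, and adding the original 00000710 back to the base gives the 8C001890 gdGdcInitSystem() address. A hook that fails the alignment or bounds checks here would, on real hardware, land the patch on a neighbouring syscall entry instead.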
  9. Mrneo240

    Mrneo240 Enthusiastic Member

    This is all great information! Also what an incredible time to share this info.

    Shall we have a race to see who can publish theirs first? :p

    It's also kind of disheartening to learn all this because it destroys the magic of what they are doing. I figured this could be done in a couple ways, the way you listed and also a different method.

    PM here or discord or something and we can coordinate, unless you want to claim first in the race. If that's the case, rock on! You clearly understand the platform and how it can be done. But after, let's coordinate and work together on this, the community doesn't need 2 cheat device software platforms.
     
    Xerxes3rd, pool7 and -=FamilyGuy=- like this.
  10. -=FamilyGuy=-

    -=FamilyGuy=- Site Supporter 2049

    With what he already shared, I think he'll want to cooperate. The DC scene tends to be mostly relaxed and cooperative!
     
  11. Mrneo240

    Mrneo240 Enthusiastic Member

    I'll post this here so less people see it....

    I should have time in a couple hours to work more on some features and stuff. I went through and started to clean up the source, get everything consistent, clean makefile and add comments, licenses and such. I started to incorporate a menu (dcland, was a great starting point), but then got distracted with writing a binary patching system, and incorporating the start of the runtime patching system. Then I got bitten by GCC (I swear some of the options are intentionally confusing or hard to find).

    Tonight after work ( ETA 4 hours) I'll be back to it and hopefully be able to get the menu done and ensure I haven't broken anything. (Moved a couple more things to pointers, and ints to shorts)
     
  12. root670

    root670 Robust Member

    Glad you found the information I posted useful! My free time is a little sporadic but I'd love to collaborate with you on something!

    I've created a cheat device for PS2 (https://github.com/root670/CheatDevicePS2) that implements console-side cheat database editing, support for compressed cheat lists and plain text files, a nice-looking menu system (in my opinion) and font rendering, fast loading compared to commercial devices, etc., intended to recreate the look and feel of the PS2 version of CodeBreaker. My original plan was to create something very similar for Dreamcast, reusing some of the menu, text rendering, memory pool, and cheat database reading code from CheatDevicePS2's source.

    I was also planning to include a large cheat database created from scraping the cheats from CodeTwink.com, the current home of CodeBreaker, along with as many widescreen codes as I can find. A long distance goal would be to allow a cheat database to be loaded from an SD card and be easily modified by the end-user without taking up VMU space or needing to burn additional discs. A VMU could be used as well, and with compression it should take up much less space than GS and CB (which don't compress the user cheat list).

    My project would operate similarly to GameShark and CodeBreaker (load the cheat disc, then swap in the game disc) rather than being patched into existing game images as a single disc. It sounds like your project is aiming to implement the latter, which is great for adding patches to individual games, but I think we're aiming for a different end result. That being said, things such as the assembly code for the cheat engine, how the engine gets hooked into a game, cheat database formats, etc. are good candidates for collaboration.

    Would you be interested in collaborating on things like that? I'm not in a race to be first for anything and I'm open to other ideas as well.
     
    Xerxes3rd, darcagn and Mrneo240 like this.
  13. Mrneo240

    Mrneo240 Enthusiastic Member

    The end results are closer than you realize I think, more just how the gui is different and of course how it's run.

    Yours is being used as a standalone program that runs and then by swapping discs it loads a new game and has your cheat device core installed.
    Mine is instead built in a much more compact space with a decent amount of restrictions: no file access, small binary size (9kb), but unlimited ram (13mb easily), but with the same goal.

    Installing a hook, allowing cheats/patches to be loaded and toggled, executing those and seamlessly returning execution to the game.

    Definitely I'd be glad to work together on that, although I feel way behind you on the knowledge part of this.
     
    Xerxes3rd and root670 like this.
  14. PrOfUnD Darkness

    PrOfUnD Darkness Familiar Face

    Do you mind explaining what exactly this code does? I'm not into sh64 asm but I'd love to understand what happens here :)

     
  15. megavolt85

    megavolt85 Peppy Member

    This code is used for unlocking the G1 bus.
    When your console loads the main binary from a MIL-CD, the BIOS sends 42FE to Holly register A05F74E4; this locks the G1 bus and initializes the BIOS checksum verification.
    This verification calculates over all bytes read from the BIOS and stops after you read from a BIOS address higher than what is written in register A05F74E4.
    If you read a valid BIOS, the G1 bus is unlocked.
    The BIOS has two zones with a valid checksum: first, the whole BIOS (from 0 to 1FFFFF); second, the syscalls (from 1000 to 42FE).
     
    Last edited: Feb 28, 2018
    fafadou and pool7 like this.
  16. PrOfUnD Darkness

    PrOfUnD Darkness Familiar Face

    Thank you for the explanation, so you just manipulate the value in register A05F74E4 so the checksum verification does not fail?

    So this is expected behavior by Dreamcast's creators? Why would they do that? Sounds stupid to me...
     
  17. megavolt85

    megavolt85 Peppy Member

    No, after the write to register A05F74E4, G1 is locked; to unlock it you need to read a valid BIOS.
     
  18. MetalliC

    MetalliC Spirited Member

    It is part of this system's security, the BIOS checksum protection, which prevents running some hacked or customized BIOS, for example one where the GD/CD disc security checks were removed.
    If the BIOS CRC check fails, G1 ATA register access is blocked (i.e. the GD drive in the Dreamcast, or the cartridge interface in arcade hardware like Naomi/Atomiswave/etc.).
    It is also used in the case of a Mil-CD boot, and won't allow access to G1 ATA until the "secret" unlock sequence has been made.

    you may read a bit more detailed explanation there
    https://github.com/mamedev/mame/blob/master/src/mame/machine/dccons.cpp#L172
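As an added example, not Sega's, MAME's or any loader's code, the following C is a host-side model of the lock/unlock behaviour megavolt85 and MetalliC describe above: the write of 42FE to A05F74E4 locks G1 and arms the check, every BIOS byte read afterwards feeds the checksum, the first read above the programmed address stops the check, and G1 unlocks only if the accumulated value matches one of the two valid zones (0..1FFFFF and 1000..42FE). What the page does not give is assumed here: the checksum is modelled as a 32-bit byte sum, reads are byte-wise, the 2 MiB "BIOS" is a constructed pseudo-random buffer, and the reference values are derived from that buffer (real hardware holds them fixed). The names (g1_model, g1_milcd_unlock, and so on) are invented.

```c
/* Added example: host-side model of the G1 bus lock and the BIOS-read unlock
 * sequence. Not Sega's, MAME's or any loader's code. Assumed: a 32-bit byte-sum
 * checksum (the page only says "calculate all bytes"), byte-wise reads, and
 * reference values derived from a constructed image. */
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

#define BIOS_SIZE        0x200000u   /* zone 1: the whole BIOS, 0 .. 1FFFFF */
#define SYSCALL_ZONE_LO  0x1000u     /* zone 2: the syscalls, 1000 .. 42FE */
#define SYSCALL_ZONE_HI  0x42FEu     /* also the value the BIOS writes to A05F74E4 */

typedef struct { uint32_t end; uint32_t sum; } g1_reference;

typedef struct {
    const uint8_t *bios;     /* ROM image; index 0 is BIOS address 0 */
    uint32_t end_addr;       /* last value written to Holly register A05F74E4 */
    uint32_t running;        /* checksum of bytes read since that write */
    bool checking;           /* verification armed by the write */
    bool g1_locked;          /* G1 ATA (GD-ROM) register access blocked */
    g1_reference ref[2];     /* what the hardware treats as a "valid BIOS" per zone */
} g1_model;

/* Assumed checksum function: plain 32-bit sum of the bytes in [lo, hi]. */
static uint32_t sum_range(const uint8_t *b, uint32_t lo, uint32_t hi) {
    uint32_t s = 0;
    for (uint32_t a = lo; a <= hi; a++) s += b[a];
    return s;
}

void g1_init(g1_model *m, const uint8_t *bios) {
    m->bios = bios; m->end_addr = 0; m->running = 0;
    m->checking = false; m->g1_locked = false;
    /* Real hardware holds these fixed; here they come from the constructed image. */
    m->ref[0].end = BIOS_SIZE - 1;
    m->ref[0].sum = sum_range(bios, 0, BIOS_SIZE - 1);
    m->ref[1].end = SYSCALL_ZONE_HI;
    m->ref[1].sum = sum_range(bios, SYSCALL_ZONE_LO, SYSCALL_ZONE_HI);
}

/* Write to A05F74E4: lock G1 and arm a verification that ends at `end`. */
void g1_write_secur(g1_model *m, uint32_t end) {
    m->end_addr = end; m->running = 0; m->checking = true; m->g1_locked = true;
}

/* One byte read from the BIOS ROM as observed by the checker. */
uint8_t g1_read_bios(g1_model *m, uint32_t addr) {
    uint8_t b = m->bios[addr % BIOS_SIZE];
    if (!m->checking) return b;
    if (addr > m->end_addr) {             /* first read above end_addr stops the check */
        m->checking = false;
        for (int i = 0; i < 2; i++)
            if (m->ref[i].end == m->end_addr && m->ref[i].sum == m->running)
                m->g1_locked = false;     /* a valid BIOS was read: unlock */
    } else {
        m->running += b;                  /* still inside the checked range */
    }
    return b;
}

/* The MIL-CD unlock sequence: the BIOS arms the check with 42FE before the binary
 * runs (modelled by the write here); the binary then reads the entire syscall
 * zone and one byte past it to trigger the compare. Returns true if G1 unlocked. */
bool g1_milcd_unlock(g1_model *m) {
    g1_write_secur(m, SYSCALL_ZONE_HI);
    for (uint32_t a = SYSCALL_ZONE_LO; a <= SYSCALL_ZONE_HI; a++) g1_read_bios(m, a);
    g1_read_bios(m, SYSCALL_ZONE_HI + 1);
    return !m->g1_locked;
}

/* Failure mode: starting the read late (or reading a modified BIOS) leaves G1 locked. */
bool g1_partial_attempt(g1_model *m, uint32_t from) {
    g1_write_secur(m, SYSCALL_ZONE_HI);
    for (uint32_t a = from; a <= SYSCALL_ZONE_HI; a++) g1_read_bios(m, a);
    g1_read_bios(m, SYSCALL_ZONE_HI + 1);
    return !m->g1_locked;
}

/* Constructed, deterministic 2 MiB stand-in for a BIOS image (not a real dump). */
uint8_t *make_fake_bios(void) {
    uint8_t *b = malloc(BIOS_SIZE);
    if (!b) return NULL;
    uint32_t x = 0x12345678u;
    for (uint32_t i = 0; i < BIOS_SIZE; i++) {
        x = x * 1103515245u + 12345u;     /* LCG, good enough for a sample image */
        b[i] = (uint8_t)(x >> 24);
    }
    return b;
}
```

Run against the constructed image, g1_milcd_unlock() returns true, g1_partial_attempt() from 2000 returns false, and flipping a single byte inside the syscall zone (the modified-BIOS case MetalliC mentions) makes the full sequence fail as well, which is the whole point of the check: the unlock is a proof that the code being executed can read an unmodified BIOS, not a password. The real checksum function, read width and register semantics beyond what the posts state are not on this page, so treat the model as a description of the sequence rather than of the silicon.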
     
  19. PrOfUnD Darkness

    PrOfUnD Darkness Familiar Face

    I got it, so SEGA just uses the same "security function" in two situations: when booting the Dreamcast and when running a MIL-CD binary. Really lazy when you think about it.

    I didn't know that official MIL-CDs unlocked the drive as well, interesting. Thank you for your insights. I wonder how the pirates group found this back then.
     
  20. megavolt85

    megavolt85 Peppy Member

    They used a method from the BIOS code.

    I found a backdoor; look at the code in this post.
     
    TerdFerguson likes this.