Saturday, October 13, 2012

More about the tool

Thanks to Alex and Matt I finally managed to get a proper dump using MAME.

I just run MAME and all the PCs will be dumped to a file. It has some nice efficient tricks as when it notices that it's inside a loop it simplifies the output and only dumps the loop once, so I thought the file should be quite small.

When it's dumping the PC, the thing runs damn slow and it takes 5 minutes to start playing, but the best of all is that the dump file in those 5 minutes is quite small and only takes 24 Gigs of data :)))

I created a new tiny tool that reads all those PCs and puts them in a table (the famous decrypting table). So we are ready to see if using MAME will make this game finally work on another set.

I created a new JOJOBA CD to try it on MAME, I updated with the new CD and... it didn't work!

For some reason it starts executing code from other addresses, which it didn't do before, so I started adding those special locations one by one. The process is quite tedious, as you must:
A) Update game in MAME
B) Run it and see if it works
C) If it doesn't work, look for the code that isn't updated in the table
D) Update table
E) Create new CD
F) Go to A)

Good news is that apparently SF3-2I only executes code from 06000000 to 06100000. In the worst case and unless I come up with a better idea, there is always the option of analysing the whole 1Mb of code and data in Assembler BY HAND and creating the table in this way. That can take me like a month, so I'll keep it as plan B or C or X ;)).

More coming soon.

Wednesday, October 10, 2012

Progress on new version of the tool

Some of you have been wondering why there has been no news about the new version of the tool. The main reason is that for now we can only convert cartridges into SF3-2I. Due to the special encryption of this game (it only encrypts code, but not data, and code and data are mixed in memory), we need to either A) manually disassemble all the memory and mark what is code and what is data or B) create a version of any emulator and have it dump all the PCs that it runs. Obviously B is the most logical one. We can start from this version that works almost perfectly and when people find a bug, they can report it or contribute by fixing it.

The problem is that I got a special version of the CPS3 Emulator of ElSemi, but apparently he's using some very clever tricks in order to emulate some things. On the other hand MAME appears to be more hardware-compatible, so after working for some time on the first version I just shifted to MAME.

I didn't give up the option of trying to fix the cartridges towards another type of encryption which would ease things a lot and will avoid people having to worry about a game crashing.

Here you can see a video of my setup running with A and B cartridges (sorry for the quality):

http://youtu.be/rToOhdwp1wY

Having said that, the new version of the tool is ready; the only problem is the tables that must come with it and that will tell the program what to decrypt and what not inside the 10 and 20 files.

Stay tuned for more.

Friday, September 21, 2012

All cartridges can be restored now!

Our friend Oliveira found the way to unbrick the remaining A and B cartridges!
All cartridges can be restored now!!
The trick was with the black cable left after removing the battery.
At the moment all cartridges can be restored to work as SF III-2nd Strike.
More news coming soon about the latest version of the conversion tool.
Our Big thanks to our friend Oliveira.

Thursday, September 20, 2012

Another one goes down

Today I managed to get one more kind of cartridge to work without battery, and these are the ones that have a C sticker on the CPU. Oliveira managed to get the D sticker working.

So basically we got 50% of the 4 versions that can now work without battery and we are missing the A and B type which are the ones that in the back side of the cartridge have a FM1208S instead of a MACH111.

Oliveira already told what needs to be done for a cartridge without battery to work, so for the ones who missed it, here it goes:

"The SH2 CPU needs to see a specific sequence of 8 bytes at a certain address (0x7FF00) when it has no keys programmed before it can operate."

So if we put this sequence in the BIOS of any C or D cartridge, the cartridge will boot without battery and with a specific default key.

The thing is that with my tool we can convert all games to work for SF3-2nd, as soon as this is supported. As you know a table needs to be done in order to separate instructions from code.

Today ElSemi told me that he will create a special version of his emulator to create these tables.

Thumbs Up! We are on the right way!

Breakthrough

By some very lucky accident, our friend Oliveira managed to revive a dead SF3-3 Cartridge and convert it to SF3-2.

We are now trying several re-encrypted ROMs to see which conclusions we can draw from it. The only fact till now is that only one kind of cartridge (out of 4) can be revived.

Apparently after re-encryption, the cartridge can work with any game's BIOS, so we could re-encrypt all these cartridges with the SF3-3 BIOS that allows using only 1 single CD for update.

This will also mean that one can have a collection of 6 CDs that will work with that BIOS....

Stay tuned!


Monday, March 12, 2012

adding support for SFII-2nd and decapping

Hi,

This is a small update on the status of the breaking process.

I used the signal analyser without much luck, so before putting much of my time into something that I'm not sure will pay off, I contacted a colleague that has previous experience in reverse-engineering ICs and we'll try to decap a couple of custom SH2s and find out how to reprogram them or at least narrow down the number of pins that are accessing the encryption module.

Regarding the support for SFIII-2nd, I have tried to create a new version of MAME that will just 'printf' each address (PC) that is being executed by the SH2, but I can't get to have them all printed out.

For that reason and following Alex's proposition I'm asking for support of the experts around there to provide new C files that need to be changed in order to get printed all the addresses that are executed. An improved version should ideally generate a table that sets to one the value of an address if it was executed, so we avoid getting laaaarge output files. This is not critical, as a little script in Notepad++ could do the job.

When we have a working C version, then I'll ask you to run it, send me the output files that you get, so I can integrate them all and put them in the latest version of the tool.
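The executed-address table described above, as an added example (not the author's tool and not MAME code). It assumes a trace with one hex PC per line, since the real dump format is not shown in these posts, takes the 06000000 to 06100000 range from the October 13 post, and relies on SH-2 instructions being 16 bits wide; `table_merge` combines tables from separate runs and returns how many addresses were new.

```c
/* Added example: executed-address table built from SH-2 PC traces. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CODE_BASE 0x06000000UL                  /* code range quoted in the post */
#define CODE_END  0x06100000UL
#define N_WORDS   ((CODE_END - CODE_BASE) / 2)  /* SH-2 opcodes are 16 bits wide */

/* One bit per 16-bit word, 1 = executed: 64 KiB however long the trace is. */
typedef struct { uint8_t bits[N_WORDS / 8]; } exec_table;

/* Returns 1 if pc is newly marked, 0 if already marked, -1 if odd or out of range. */
static int table_mark(exec_table *t, unsigned long pc) {
    if (pc < CODE_BASE || pc >= CODE_END || (pc & 1)) return -1;
    unsigned long w = (pc - CODE_BASE) / 2;
    uint8_t mask = (uint8_t)(1u << (w % 8));
    if (t->bits[w / 8] & mask) return 0;
    t->bits[w / 8] |= mask;
    return 1;
}

/* Parse one trace line. Assumed format: a single hex PC, optional 0x prefix. */
static int table_mark_line(exec_table *t, const char *line) {
    char *end;
    unsigned long pc = strtoul(line, &end, 16);
    return end == line ? -1 : table_mark(t, pc);
}

/* OR a table from another run into dst; returns how many words were new to dst. */
static long table_merge(exec_table *dst, const exec_table *src) {
    long added = 0;
    for (size_t i = 0; i < sizeof dst->bits; i++) {
        uint8_t fresh = src->bits[i] & (uint8_t)~dst->bits[i];
        for (uint8_t b = fresh; b; b &= (uint8_t)(b - 1)) added++;
        dst->bits[i] |= fresh;
    }
    return added;
}

/* Stand-alone use: trace on stdin, raw 64 KiB table on stdout. */
int main(void) {
    static exec_table t;                        /* zero-initialised */
    char line[64];
    long added = 0, rejected = 0;
    while (fgets(line, sizeof line, stdin)) {
        int r = table_mark_line(&t, line);
        if (r > 0) added++; else if (r < 0) rejected++;
    }
    fwrite(t.bits, 1, sizeof t.bits, stdout);
    fprintf(stderr, "%ld words marked, %ld lines rejected\n", added, rejected);
    return 0;
}
```

A non-zero return from `table_merge` after a new run means that run executed addresses the existing table did not cover.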

We'll (hopefully) set up an open code environment for this, so meanwhile please send your files via www.mediafire.com

Waiting for your feedback....

Thursday, February 2, 2012

The Spider is ready

With the help of Raf, I've managed to replace the 29f400 with a socketable 28f400. The result can be seen in the pictures below.

Good news is that it works perfectly and that means several things:
* Both 29f400 and 28f400 can be used
* I changed the BIOS from a Mexican one to a USA one and worked perfectly.
* This is an SF2 cartridge, which might be even better given the peculiarity of the encryption in this game (data not encrypted, code encrypted).
* It's much easier and safer now to attach the probes from the signal analyser.
* Nope, I can't get back to life dead cartridges yet....

I will set up everything this weekend and let's start seeing what's going on.

Stay tuned.