Tuesday, October 16, 2012

It's gonna be a bot

After careful consideration, and after giving up on the idea of doing it manually, I've opted for creating a bot that will go through all the code, detect all branches and artificially run through them.

As a starting point I will use the tables that I created with ElSemi's special version and with MAME, and I will do the following:

* analyse the game code and search for all conditional jumps that sit in the parts of memory we already know to be code.
* check whether both possibilities have happened (jump / no jump). If either is missing, launch a subroutine that follows that second branch line by line, jump by jump.
* search for the next conditional jump, until the end of the code RAM.

I'm going away for 10 days, so don't expect any updates in that time.

Stay tuned...

Sunday, October 14, 2012

Moving to cartridge modding

As I can see no option at the moment for adapting games to an SF3-2I cartridge other than analysing the SH2 assembler code line by line, I decided to take a mental break and pick up the cartridge conversion idea again.

I had the idea that the last 256 bytes of the BIOS somehow contained the keys that make it work, but apparently that isn't the case. I filled the BIOS from 20000 to 7ffff on the battery-free cartridge and it still works, so I'm inclined to believe (and that's bad news) that in order to reprogram a cartridge with other keys, we need to connect the cartridge to the special device that communicates with the SH2 in a way we don't know.

This also implies that even if we knew how to reprogram the cartridges, they would still need a battery, as the keys are not stored in the BIOS.

Luckily we know that all cartridges, once the battery is removed, work as an SF3-2I with battery. That means anyone with a dead cartridge could just remove the battery, use the new version of the tool and play all 6 games.

I'll keep thinking about how to obtain 99% accurate tables. The only option I see at the moment is some kind of bot that runs through the code, following some rules, and determines what's code and what isn't.

That's not an easy task on the SH2, as you have many weird PC-based JUMPs like

MOV.L @($20,PC),R14
JMP R14

which can be handled somehow.

However, things like
MOV.L @(R0,SP),R14
JMP R14

are a different story.

Any ideas are welcome. Just post them down here.

Saturday, October 13, 2012

More about the tool

Thanks to Alex and Matt I finally managed to get a proper dump using MAME.

I just run MAME and all the PCs are dumped to a file. It has some nice efficiency tricks: when it notices it's inside a loop, it simplifies the output and only dumps the loop once, so I thought the file would be quite small.

While it's dumping the PC, the thing runs damn slow and takes 5 minutes to start playing, but best of all, the dump file from those 5 minutes is "quite small" and only takes 24 gigs of data :)))

I created a tiny new tool that reads all those PCs and puts them in a table (the famous decryption table). So we're ready to see whether using MAME will finally make this game work on another set.

I created a new JOJOBA CD to try it on MAME, updated with the new CD and... it didn't work!

For some reason it starts executing code from other addresses that it didn't before, so I started adding those special locations one by one. The process is quite tedious, as you must:
A) Update the game in MAME
B) Run it and see if it works
C) If it doesn't work, look for the code that isn't marked in the table
D) Update the table
E) Create a new CD
F) Go to A)

The good news is that apparently SF3-2I only executes code from 06000000 to 06100000. In the worst case, and unless I come up with a better idea, there is always the option of analysing the whole 1 MB of code and data in assembler BY HAND and creating the table that way. That could take me a month or so, so I'll keep it as plan B or C or X ;)).
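As an added example (not the author's tiny tool), here is a Python sketch of the trace-to-table step and of step C of the loop above: it reads a PC dump, marks each executed 16-bit word in a bitmap table covering the 06000000-06100000 window, reports any PC that falls outside that window, and lists the PCs of a new run that the table does not mark yet. The one-hex-address-per-line dump format, the sample traces and the function names are assumptions made for this example; the real MAME dump layout is not described in the post.

```python
"""PC trace -> code table, plus the 'what did the new run execute that the
table lacks' check (constructed example, not the author's tool)."""

CODE_START, CODE_END = 0x06000000, 0x06100000       # window from the post
WORDS = (CODE_END - CODE_START) // 2                 # one bit per 16-bit word


def parse_trace(text):
    """Yield PCs from a dump with one hex address per line (assumed format)."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield int(line, 16)


def _bit(pc):
    idx = (pc - CODE_START) >> 1
    return idx >> 3, 1 << (idx & 7)


def build_table(pcs, table=None):
    """Mark every in-window PC in a bitmap table (a fresh one unless an
    existing table is passed, which is the 'update the table' step). Returns
    (table, pcs_outside_window) so surprises outside the window are visible."""
    table = table if table is not None else bytearray(WORDS // 8)
    outside = []
    for pc in pcs:
        if CODE_START <= pc < CODE_END:
            byte, mask = _bit(pc)
            table[byte] |= mask
        else:
            outside.append(pc)
    return table, outside


def is_code(table, pc):
    byte, mask = _bit(pc)
    return bool(table[byte] & mask)


def not_in_table(table, pcs):
    """In-window PCs a run executed that the table does not mark yet."""
    return sorted({pc for pc in pcs
                   if CODE_START <= pc < CODE_END and not is_code(table, pc)})


def code_ranges(table):
    """Contiguous marked spans as (start, end_exclusive), for eyeballing."""
    ranges, start = [], None
    for idx in range(WORDS):
        marked = table[idx >> 3] & (1 << (idx & 7))
        if marked and start is None:
            start = idx
        elif not marked and start is not None:
            ranges.append((CODE_START + 2 * start, CODE_START + 2 * idx))
            start = None
    if start is not None:
        ranges.append((CODE_START + 2 * start, CODE_END))
    return ranges


# Constructed traces (not real dumps): the second run reaches two words the
# first never did, plus one PC outside the window.
FIRST_RUN = "06000000\n06000002\n06000004\n06000100\n06000102\n# repeat\n06000002\n"
SECOND_RUN = ("06000000\n06000002\n06000004\n06000006\n"
              "06000100\n06000102\n06000104\n06200000\n")

if __name__ == "__main__":
    table, _ = build_table(parse_trace(FIRST_RUN))
    print("missing:", [hex(a) for a in not_in_table(table, parse_trace(SECOND_RUN))])
```

Feeding the second run back into build_table with the existing table is the "update table" step; the out-of-window list is worth watching, because a PC outside 06000000-06100000 would contradict the assumption the whole table rests on.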

More coming soon.

Wednesday, October 10, 2012

Progress on new version of the tool

Some of you have been wondering why there has been no news about the new version of the tool. The main reason is that for now we can only convert cartridges into SF3-2I. Due to the special encryption of this game (it encrypts only code, not data, and code and data are mixed in memory), we need to either A) manually disassemble all the memory and mark what is code and what is data, or B) create a version of some emulator and have it dump all the PCs it runs. Obviously B is the most logical one. We can start from a version that works almost perfectly, and when people find a bug they can report it or contribute a fix.

The problem is that I got a special version of ElSemi's CPS3 emulator, but apparently he's using some very clever tricks in order to emulate some things. On the other hand, MAME appears to be more hardware-compatible, so after working for some time on the first version I just shifted to MAME.

I haven't given up on the option of trying to switch the cartridges to another type of encryption, which would ease things a lot and would save people from having to worry about a game crashing.

Here you can see a video of my setup running with A and B cartridges (sorry for the quality):

http://youtu.be/rToOhdwp1wY

Having said that, the new version of the tool is ready; the only problem is the tables that must come with it, which tell the program what to decrypt and what not inside the 10 and 20 files.

Stay tuned for more.