Testing boot from CARTRIDGE SLOT at 0x400000
Posted: Sun Dec 29, 2013 4:13 am
by l_oliveira
Code:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00400000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00400010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00400020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00400030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00400040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00400050 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00400060 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00400070 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00400080 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00400090 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
004000A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
004000B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
004000C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
004000D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
004000E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
004000F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00400100 53 45 47 41 20 47 45 4E 45 53 49 53 20 20 20 20 SEGA GENESIS
00400110 28 43 29 54 2D 30 30 30 30 30 30 30 2E 58 58 58 (C)T-0000000.XXX
00400120 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00400130 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00400140 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00400150 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00400160 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00400170 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00400180 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00400190 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
004001A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
004001B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
004001C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
004001D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
004001E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
004001F0 55 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 U
00400200 43 FA 00 0C 4E B9 00 00 03 64 60 00 05 7A 60 0F Cú N¹ d` z`
...
00400770 77 49 1F 1F 1F 1F 07 0A 07 0D 00 0B 00 0B 1F 0F wI
00400780 1F 0F 23 80 23 80 4E 71 4E 71 4E 71 4E 71 4E 71 #€#€NqNqNqNqNq
00400790 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 NqNqNqNqNqNqNqNq
004007A0 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 NqNqNqNqNqNqNqNq
004007B0 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 NqNqNqNqNqNqNqNq
004007C0 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 NqNqNqNqNqNqNqNq
004007D0 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 NqNqNqNqNqNqNqNq
004007E0 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 NqNqNqNqNqNqNqNq
004007F0 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 NqNqNqNqNqNqNqNq
00400800 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 4E 71 NqNqNqNqNqNqNqNq
00400810 4E F9 00 00 08 00 4E 71 4E 71 4E 71 4E 71 4E 71 Nù NqNqNqNqNq
Lame, I know, but for the purpose of checking the boot method... Worked good enough.
System boots from cold boot to SEGA CD boot LOGO then keeps repeating the logo over and over. The SEGA-CD LOGO/Planet screen is never shown.
Security data required for this boot up (SEGA-CD2, BIOS MPR-15511) is different from the data used for the disc but it can be easily extracted from the BIOS.
Then I go to a different BIOS from the same region (USA) and its security data matches the security data from disc...
This definitely requires more research. But it does indeed work.
Now onto researching how many variations of this boot system exist...
Posted: Sun Dec 29, 2013 10:08 pm
by Chilly Willy
What are you trying to do? Most all of this is already well-known. If you're trying to init the CD while a cart is running, that's already done. I released code for Mode 1 CD support a couple years ago (example and code still available here and elsewhere).
If the cart is not asserting the CART line, the CD BIOS boots and expects either nothing at 0x400000 or a backup ram cart. Addressing for BRAM carts is also on the forum here.
Posted: Sun Dec 29, 2013 10:13 pm
by l_oliveira
Chilly Willy wrote: What are you trying to do? Most all of this is already well-known. If you're trying to init the CD while a cart is running, that's already done. I released code for Mode 1 CD support a couple years ago (example and code still available here and elsewhere).
If the cart is not asserting the CART line, the CD BIOS boots and expects either nothing at 0x400000 or a backup ram cart. Addressing for BRAM carts is also on the forum here.
I have a cart with "SEGA" at 400100 and CD security sector at 400200. It displays the CD TMSS screen then tries to boot the code on the cart. That's what I am trying to do.
/CART is being kept high so it's the CD BIOS that is booting the code on the cartridge.
Posted: Mon Dec 30, 2013 3:00 am
by Chilly Willy
Interesting. If that's true, it's probably looking for something similar to the boot block Mode 1 is looking for, just at 0x400000 instead of 0x6000. You might try a modified version of the block in the Mode 1 example and see if that runs. That would make yet another way of booting for the MD.
Posted: Mon Dec 30, 2013 3:16 am
by l_oliveira
Chilly Willy wrote: Interesting. If that's true, it's probably looking for something similar to the boot block Mode 1 is looking for, just at 0x400000 instead of 0x6000. You might try a modified version of the block in the Mode 1 example and see if that runs. That would make yet another way of booting for the MD.
If you're curious about this, take the file us_scd1_9210.bin and have a look at the offset 560:
Code:
ROM:00000560 move.w ($C00004).l,d3
ROM:00000566 btst #1,d3
ROM:0000056A bne.s loc_560
ROM:0000056C bsr.w sub_7C2
ROM:00000570 bsr.w sub_5724 <--- This calls the code which checks the cartridge
ROM:00000574 bne.w loc_884 <-check failed ? bail out (normal code path)
ROM:00000578 st ($FFFFFE53).w
ROM:0000057C bsr.w sub_610
ROM:00000580 move.w #$4EF9,($FFFFFD00).w
ROM:00000586 move.l #$5A8,($FFFFFD02).w
ROM:0000058E jmp $400200 <- Launch cartridge code (Cartridge code at 400200 will cause SEGA CD TMSS to be displayed before program starts)
Code:
ROM:00005724 lea ($400200).l,a0
ROM:0000572A cmpi.l #$53454741,-$100(a0) <- Is there "SEGA" at $400100 ?
ROM:00005732 bne.s locret_5742 <- No ? Bail out then.
ROM:00005734 lea sub_5744,a1
ROM:00005738 move.w #$2C1,d0 <- security sector size /2
ROM:0000573C cmpm.w (a0)+,(a1)+
ROM:0000573E dbne d0,loc_573C <- compare security code and flag success on exit if 100% identical...
ROM:00005742 rts
Right at offset $5744 there's a copy of the TMSS code + data which is checked against the one in the cartridge.
Before I knew why that copy of the TMSS data was there I was using it on my version of the hacked region free BIOS. Now I am researching this mostly to have a test rom. I am readying a release of revised region free BIOS with this boot behavior restored (and maybe improved if possible)...
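Added example, not part of the original posts and not the BIOS's own code: a C model of the check l_oliveira describes in sub_5724 ("SEGA" at $400100, then a word-by-word compare from $400200), using the loop count from the listing above. The function names, the bounds check and the constructed sample data are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CART_BASE      0x400000u /* cartridge slot window */
#define MAGIC_OFF      0x100u    /* "SEGA" expected at $400100 */
#define SECURITY_OFF   0x200u    /* security code expected at $400200 */
#define SECURITY_WORDS 0x2C2u    /* dbne with d0 = $2C1 compares $2C2 words */

enum cart_check { CART_OK, CART_NO_MAGIC, CART_MISMATCH, CART_TOO_SHORT };

/* cart: image mapped at CART_BASE; ref: the BIOS's own copy of the block
 * (SECURITY_WORDS * 2 bytes). On CART_MISMATCH, *bad_addr receives the bus
 * address of the first differing word. */
enum cart_check cart_boot_check(const uint8_t *cart, size_t cart_len,
                                const uint8_t *ref, uint32_t *bad_addr)
{
    if (cart_len < SECURITY_OFF + SECURITY_WORDS * 2)
        return CART_TOO_SHORT;            /* bounds check: host-side addition */
    if (memcmp(cart + MAGIC_OFF, "SEGA", 4) != 0)
        return CART_NO_MAGIC;             /* cmpi.l #$53454741,-$100(a0) */
    for (size_t w = 0; w < SECURITY_WORDS; w++) {      /* cmpm.w / dbne loop */
        size_t off = SECURITY_OFF + 2 * w;
        if (memcmp(cart + off, ref + 2 * w, 2) != 0) {
            if (bad_addr)
                *bad_addr = CART_BASE + (uint32_t)off;
            return CART_MISMATCH;
        }
    }
    return CART_OK;
}

/* Constructed sample data, not real BIOS contents: a stand-in reference block
 * and a cart image built from it. corrupt_word < 0 leaves the copy intact. */
enum cart_check demo_check(int with_magic, long corrupt_word, uint32_t *bad_addr)
{
    static uint8_t ref[SECURITY_WORDS * 2];
    static uint8_t cart[SECURITY_OFF + SECURITY_WORDS * 2];
    for (size_t i = 0; i < sizeof ref; i++)
        ref[i] = (uint8_t)(i * 7 + 3);
    memset(cart, 0x20, sizeof cart);
    if (with_magic)
        memcpy(cart + MAGIC_OFF, "SEGA GENESIS", 12);
    memcpy(cart + SECURITY_OFF, ref, sizeof ref);
    if (corrupt_word >= 0)
        cart[SECURITY_OFF + 2 * corrupt_word + 1] ^= 0x01;
    return cart_boot_check(cart, sizeof cart, ref, bad_addr);
}
```

The check is an equality test against a constant stored in the BIOS itself, so a single differing bit anywhere in the $2C2 words takes the normal (non-cartridge) boot path.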
Posted: Mon Dec 30, 2013 7:26 am
by Chilly Willy
Is this before or after the rest of the CD BIOS has been initialized? It's very interesting... I may want to do some checking myself. And here I thought we'd figured everything out on the CD.
Posted: Mon Dec 30, 2013 12:01 pm
by notaz
Yeah, it's an interesting boot mode where you can avoid having to start the CD/bios yourself and have it done for you, I guess?
Posted: Mon Dec 30, 2013 1:45 pm
by l_oliveira
Chilly Willy wrote: Is this before or after the rest of the CD BIOS has been initialized? It's very interesting... I may want to do some checking myself. And here I thought we'd figured everything out on the CD.
Actually ElBarto and a few other people were talking about it in this very forum a while ago ....
And it boots before the CD BIOS shows its splash screen. The (few) Japanese CD BIOSes I goofed around with don't try to detect a bootable cartridge. If you want to catch this behavior using the MESS debugger do this at the debugger command prompt:
Focus 0 (it will focus on the Mega Drive CPU, it usually defaults to the CD CPU)
WPSET 400000,10000,RW (tells the debugger to break execution once a read or write to the cartridge connector region is attempted)
This should give you a quick insight into where the boot check code is in each BIOS. After this detection is done, the next thing the BIOS does in that region is attempt detection of the "RAM_CARTRIDG" string at $400010. All CD BIOSes seem to do this regardless of region.
Edit: Oh and if you're using a US or PAL BIOS with my region free hacks in it, that 'boot modi' won't work because I modified the boot code for the cartridge (at the time I had no idea why the TMSS data was there). This research is being done so I can fix it properly for the next release of hacked region Free BIOSes I'm planning for the next year.
Since the Japanese/ASIA BIOSes don't do this I might leave them as they are currently.
Posted: Mon Dec 30, 2013 11:38 pm
by Chilly Willy
If some BIOSes don't do this, then it can't really be used for a general purpose game without warning folks with those BIOSes. If it's before initing the BIOS, it also doesn't replace the current Mode 1 startup code. This looks like it was made for an extended CD BIOS for future models. In that respect, it's kinda like the Amiga KS ROM.
The Amiga KS ROM was in a set location, but almost the first thing it does is check an alternate location for the magic cookie denoting an extension rom, then runs it if it finds it. That allowed for things like 040/060 accelerators to run some init code before allowing the KS to boot like normal. This sounds similar - some future hardware would have its own BIOS extension at 0x400000 and init the hardware via this mechanism, then return to allow the normal BIOS to boot the CD.
Posted: Tue Dec 31, 2013 5:09 pm
by l_oliveira
I put some thought on this and the purpose of this boot modi could be manufacturing optimization. This could be meant to be used at the factory to boot a diagnosis cartridge....
Posted: Sat Jan 04, 2014 1:04 pm
by TascoDLX
l_oliveira wrote: This should give you a quick insight into where the boot check code is in each BIOS. After this detection is done, the next thing the BIOS does in that region is attempt detection of the "RAM_CARTRIDG" string at $400010. All CD BIOSes seem to do this regardless of region.
Ah yes, I think I remember RAM_CARTRIDG...
The default function handler for main-side (i.e., cart) BRAM service calls is located in BIOS ROM. However, if the BIOS finds the string 'RAM_CARTRIDG' at $400010, it will use the function handler at $400020 instead. This would give the cart complete control in handling BRAM service calls (on the main side, anyway). So you could design a BRAM cart any way you see fit, if you're willing to write the code for it.
Posted: Sat Jan 04, 2014 1:34 pm
by l_oliveira
The MEGA-CD really deserves a WIKI of some sort ...
Posted: Fri Dec 26, 2014 10:01 pm
by l_oliveira
Posted: Sat Dec 27, 2014 7:46 pm
by l_oliveira
A few hours more of work poured on this:
Euro ROMs do consistently use the same security data as the CD. You can make a single cart which will boot on any un-modded PAL system out there.
That's a good thing.
For USA consoles things are a little grim:
The tray model SEGA-CD with BIOS 1.10 uses the same security sector as the DISC, which is a good thing. SEGA CD2 uses a different security sector:
Original security sector:
Code:
43FA 000A LEA PC+0A,A1 <- Load address for logo data in A1
4EB8 0364 JSR w.0364 <- Call logo display
Newer ROMs use this instead:
Code:
43FA 000C LEA PC+0C,A1 <- Load address for logo data in A1
4EB9 00000364 JSR l.00000364 <- Call logo display
The rest of the data is the same, but the new security code is one word longer. Any mismatch is considered a fail, so the cart made for tray SEGA-CD won't boot on a lid SEGA CD model.
I'm considering adding the cart detection code to my custom (JPN)MEGA-CD BIOS so I can use this kind of boot system for this idea:
viewtopic.php?t=1929
It's not really too bad that there are some minor issues with this boot method.
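Added example, not part of the original posts: a small C decoder for the two leading instructions of the security block, applied to the first row of the hex dump at $400200 from the opening post and to the original form quoted in the post above. The names are hypothetical, and placing the original form at $400200 is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

enum sec_variant { SEC_UNKNOWN, SEC_JSR_WORD, SEC_JSR_LONG };

struct sec_prologue {
    enum sec_variant variant;
    uint32_t logo_data;  /* address the LEA loads into A1 */
    uint32_t jsr_target; /* logo display routine */
    size_t length;       /* bytes taken by LEA + JSR */
};

/* Bytes copied from this page: the dump row at $400200 and the "original"
 * form (the base address used for the latter is an assumption). */
const uint8_t page_dump_400200[16] = {
    0x43, 0xFA, 0x00, 0x0C, 0x4E, 0xB9, 0x00, 0x00,
    0x03, 0x64, 0x60, 0x00, 0x05, 0x7A, 0x60, 0x0F };
const uint8_t page_original_form[8] = {
    0x43, 0xFA, 0x00, 0x0A, 0x4E, 0xB8, 0x03, 0x64 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Decode the two leading instructions of a security block mapped at `base`:
 *   43FA dddd      LEA d16(PC),A1   target = address of dddd + dddd
 *   4EB8 aaaa      JSR (xxx).W      4EB9 aaaaaaaa  JSR (xxx).L */
struct sec_prologue decode_prologue(const uint8_t *code, size_t len, uint32_t base)
{
    struct sec_prologue p = { SEC_UNKNOWN, 0, 0, 0 };
    if (len < 8 || be16(code) != 0x43FA)
        return p;
    uint16_t jsr = be16(code + 4);
    if (jsr == 0x4EB8) {
        p.variant = SEC_JSR_WORD;
        p.jsr_target = (uint32_t)(int16_t)be16(code + 6); /* sign-extended */
        p.length = 8;
    } else if (jsr == 0x4EB9 && len >= 10) {
        p.variant = SEC_JSR_LONG;
        p.jsr_target = (uint32_t)be16(code + 6) << 16 | be16(code + 8);
        p.length = 10;
    } else {
        return p;
    }
    p.logo_data = base + 2 + (uint32_t)(int16_t)be16(code + 2);
    return p;
}
```

In both forms the LEA target lands four bytes past the JSR, so the displacement change from 0A to 0C exactly absorbs the extra word, and every later word sits one position further along than in the other form.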
Posted: Mon Dec 29, 2014 9:51 pm
by TascoDLX
l_oliveira wrote: I'm currently trying to make heads and tails from LaserActive LD SUB CPU BIOS and figure out how it decides if it should or not load the MEGA-CD/SEGA-CD disc SUB CPU BIOS. Apparently I found the data it uses on the said checking but I can't figure out how it's used yet.
For checking discs, the LD SUB BIOS works the same way as the CD SUB BIOS except it uses a 2D checksum method instead of comparing the code directly. It computes 16-bit sum totals for each row of 8 words (consecutive) as well as sum totals for each column.
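Added example, not part of the original posts and not the LaserActive BIOS's code: row and column sums over rows of 8 words as TascoDLX describes, plus a comparison against reference sums. Big-endian words, wrapping 16-bit addition, the function names and the constructed 4-row block are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define COLS 8 /* "each row of 8 words" */

/* Wrapping 16-bit sums of big-endian words laid out as rows x COLS (assumed). */
void sums_2d(const uint8_t *data, size_t rows, uint16_t *row, uint16_t *col)
{
    for (size_t c = 0; c < COLS; c++)
        col[c] = 0;
    for (size_t r = 0; r < rows; r++) {
        row[r] = 0;
        for (size_t c = 0; c < COLS; c++) {
            const uint8_t *p = data + 2 * (r * COLS + c);
            uint16_t w = (uint16_t)(p[0] << 8 | p[1]);
            row[r] = (uint16_t)(row[r] + w);
            col[c] = (uint16_t)(col[c] + w);
        }
    }
}

/* 0: all sums match. n > 0: exactly one row and one column differ, which
 * points at word index n - 1. -1: any other pattern of differences. */
long locate_change(size_t rows, const uint16_t *row, const uint16_t *col,
                   const uint16_t *ref_row, const uint16_t *ref_col)
{
    long bad_r = -1, bad_c = -1;
    int nr = 0, nc = 0;
    for (size_t r = 0; r < rows; r++)
        if (row[r] != ref_row[r]) { bad_r = (long)r; nr++; }
    for (size_t c = 0; c < COLS; c++)
        if (col[c] != ref_col[c]) { bad_c = (long)c; nc++; }
    if (nr == 0 && nc == 0) return 0;
    return (nr == 1 && nc == 1) ? bad_r * COLS + bad_c + 1 : -1;
}

/* Constructed 4-row block; flips one bit in word idx (idx < 0: unchanged). */
long demo_2d(long idx)
{
    uint8_t blk[4 * COLS * 2];
    uint16_t ref_row[4], ref_col[COLS], row[4], col[COLS];
    for (size_t i = 0; i < sizeof blk; i++)
        blk[i] = (uint8_t)(i * 37 + 11);
    sums_2d(blk, 4, ref_row, ref_col);
    if (idx >= 0)
        blk[2 * idx] ^= 0x40;
    sums_2d(blk, 4, row, col);
    return locate_change(4, row, col, ref_row, ref_col);
}
```

Matching sums show only that the totals agree; unlike the word-by-word compare in the CD BIOS listing, they do not prove the block is identical.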