Testing boot from CARTRIDGE SLOT at 0x400000

l_oliveira
Very interested
Posts: 53
Joined: Mon Mar 07, 2011 12:58 am

Post by l_oliveira » Sun Dec 29, 2013 4:13 am

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00400000   00 00  00 00  00 00  00 00  00 00  00 00  00 00  00 00                   
00400010   00 00  00 00  00 00  00 00  00 00  00 00  00 00  00 00                   
00400020   00 00  00 00  00 00  00 00  00 00  00 00  00 00  00 00                   
00400030   00 00  00 00  00 00  00 00  00 00  00 00  00 00  00 00                   
00400040   00 00  00 00  00 00  00 00  00 00  00 00  00 00  00 00                   
00400050   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
00400060   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
00400070   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
00400080   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
00400090   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
004000A0   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
004000B0   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
004000C0   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
004000D0   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
004000E0   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
004000F0   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
00400100   53 45  47 41  20 47  45 4E  45 53  49 53  20 20  20 20   SEGA GENESIS    
00400110   28 43  29 54  2D 30  30 30  30 30  30 30  2E 58  58 58   (C)T-0000000.XXX
00400120   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
00400130   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
00400140   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
00400150   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
00400160   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
00400170   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
00400180   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
00400190   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
004001A0   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
004001B0   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
004001C0   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
004001D0   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
004001E0   20 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20                   
004001F0   55 20  20 20  20 20  20 20  20 20  20 20  20 20  20 20   U               
00400200   43 FA  00 0C  4E B9  00 00  03 64  60 00  05 7A  60 0F   Cú  N¹   d`  z` 

...

00400770   77 49  1F 1F  1F 1F  07 0A  07 0D  00 0B  00 0B  1F 0F   wI              
00400780   1F 0F  23 80  23 80  4E 71  4E 71  4E 71  4E 71  4E 71     #€#€NqNqNqNqNq
00400790   4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71   NqNqNqNqNqNqNqNq
004007A0   4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71   NqNqNqNqNqNqNqNq
004007B0   4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71   NqNqNqNqNqNqNqNq
004007C0   4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71   NqNqNqNqNqNqNqNq
004007D0   4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71   NqNqNqNqNqNqNqNq
004007E0   4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71   NqNqNqNqNqNqNqNq
004007F0   4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71   NqNqNqNqNqNqNqNq
00400800   4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71  4E 71   NqNqNqNqNqNqNqNq
00400810   4E F9  00 00  08 00  4E 71  4E 71  4E 71  4E 71  4E 71   Nù    NqNqNqNqNq

Lame, I know, but for the purpose of checking the boot method... Worked good enough.

System boots from cold boot to SEGA CD boot LOGO then keeps repeating the logo over and over. The SEGA-CD LOGO/Planet screen is never shown.

Security data required for this boot up (SEGA-CD2, BIOS MPR-15511) is different from the data used for the disc but it can be easily extracted from the BIOS.

Then I go to a different BIOS from the same region (USA) and its security data matches the security data from disc...

This definitely requires more research. But it does indeed work.

Now onto researching how many variations of this boot system exist... :roll:

Chilly Willy
Very interested
Posts: 2984
Joined: Fri Aug 17, 2007 9:33 pm

Post by Chilly Willy » Sun Dec 29, 2013 10:08 pm

What are you trying to do? Most all of this is already well-known. If you're trying to init the CD while a cart is running, that's already done. I released code for Mode 1 CD support a couple years ago (example and code still available here and elsewhere).

If the cart is not asserting the CART line, the CD BIOS boots and expects either nothing at 0x400000 or a backup ram cart. Addressing for BRAM carts is also on the forum here.

l_oliveira
Very interested
Posts: 53
Joined: Mon Mar 07, 2011 12:58 am

Post by l_oliveira » Sun Dec 29, 2013 10:13 pm

Chilly Willy wrote: What are you trying to do? Most all of this is already well-known. If you're trying to init the CD while a cart is running, that's already done. I released code for Mode 1 CD support a couple years ago (example and code still available here and elsewhere).

If the cart is not asserting the CART line, the CD BIOS boots and expects either nothing at 0x400000 or a backup ram cart. Addressing for BRAM carts is also on the forum here.

I have a cart with "SEGA" at 400100 and CD security sector at 400200. It displays the CD TMSS screen then tries to boot the code on the cart. That's what I am trying to do.

/CART is being kept high so it's the CD BIOS that is booting the code on the cartridge.

Chilly Willy
Very interested
Posts: 2984
Joined: Fri Aug 17, 2007 9:33 pm

Post by Chilly Willy » Mon Dec 30, 2013 3:00 am

Interesting. If that's true, it's probably looking for something similar to the boot block Mode 1 is looking for, just at 0x400000 instead of 0x6000. You might try a modified version of the block in the Mode 1 example and see if that runs. That would make yet another way of booting for the MD. :D

l_oliveira
Very interested
Posts: 53
Joined: Mon Mar 07, 2011 12:58 am

Post by l_oliveira » Mon Dec 30, 2013 3:16 am

Chilly Willy wrote: Interesting. If that's true, it's probably looking for something similar to the boot block Mode 1 is looking for, just at 0x400000 instead of 0x6000. You might try a modified version of the block in the Mode 1 example and see if that runs. That would make yet another way of booting for the MD. :D

If you're curious about this, take the file us_scd1_9210.bin and have a look at the offset 560:

ROM:00000560                 move.w  ($C00004).l,d3
ROM:00000566                 btst    #1,d3
ROM:0000056A                 bne.s   loc_560
ROM:0000056C                 bsr.w   sub_7C2
ROM:00000570                 bsr.w   sub_5724              ; this calls the code which checks the cartridge
ROM:00000574                 bne.w   loc_884               ; check failed? bail out (normal code path)
ROM:00000578                 st      ($FFFFFE53).w
ROM:0000057C                 bsr.w   sub_610
ROM:00000580                 move.w  #$4EF9,($FFFFFD00).w
ROM:00000586                 move.l  #$5A8,($FFFFFD02).w
ROM:0000058E                 jmp     $400200               ; launch cartridge code (cartridge code at 400200 will cause SEGA CD TMSS to be displayed before program starts)

ROM:00005724                 lea     ($400200).l,a0
ROM:0000572A                 cmpi.l  #$53454741,-$100(a0)  ; is there "SEGA" at $400100?
ROM:00005732                 bne.s   locret_5742           ; no? bail out then
ROM:00005734                 lea     sub_5744,a1
ROM:00005738                 move.w  #$2C1,d0              ; security sector size /2
ROM:0000573C                 cmpm.w  (a0)+,(a1)+
ROM:0000573E                 dbne    d0,loc_573C           ; compare security code and flag success on exit if 100% identical...
ROM:00005742                 rts

Right at offset $5744 there's a copy of the TMSS code + data which is checked against the one in the cartridge.

Before I knew why that copy of the TMSS data was there I was using it on my version of the hacked region free BIOS. Now I am researching this mostly to have a test rom. I am readying a release of revised region free BIOS with this boot behavior restored (and maybe improved if possible)...
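
Added example, not part of the original posts: a C model of the check in sub_5724 as disassembled above, for testing a cartridge image against a BIOS dump offline. The buffers, the `demo` helper and the return codes are assumptions of this example, and the reference block is constructed filler rather than real BIOS data; because `dbne` runs d0+1 iterations, d0 = $2C1 compares $2C2 words ($584 bytes), ending at $400784.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAGIC_OFF 0x100u            /* $400100 relative to slot base $400000 */
#define CODE_OFF  0x200u            /* $400200: a0 on entry, also the jmp target */
#define SEC_WORDS 0x2C2u            /* d0 = $2C1, dbne loops d0+1 times */
#define SEC_BYTES (SEC_WORDS * 2u)
#define BOOT_OK       (-1L)         /* example's own return codes */
#define BOOT_REJECTED (-2L)

/* Mirrors sub_5724. Returns BOOT_OK on a full match (Z set, cart is run),
 * BOOT_REJECTED if "SEGA" is missing or a buffer is too short, otherwise
 * the byte offset in the cart image of the first mismatching word. */
long cart_boot_check(const uint8_t *cart, size_t cart_len,
                     const uint8_t *ref, size_t ref_len)
{
    if (cart_len < CODE_OFF + SEC_BYTES || ref_len < SEC_BYTES)
        return BOOT_REJECTED;
    if (memcmp(cart + MAGIC_OFF, "SEGA", 4) != 0)   /* cmpi.l / bne.s */
        return BOOT_REJECTED;
    for (size_t w = 0; w < SEC_WORDS; w++) {        /* cmpm.w / dbne */
        if (memcmp(cart + CODE_OFF + 2 * w, ref + 2 * w, 2) != 0)
            return (long)(CODE_OFF + 2 * w);
    }
    return BOOT_OK;
}

/* Builds a constructed cart image and optionally flips one byte of it. */
long demo(int corrupt_at)
{
    static uint8_t ref[SEC_BYTES], cart[0x1000];
    for (size_t i = 0; i < SEC_BYTES; i++) ref[i] = (uint8_t)(i * 7 + 3);
    memset(cart, 0x20, sizeof cart);
    memcpy(cart + MAGIC_OFF, "SEGA GENESIS    ", 16);
    memcpy(cart + CODE_OFF, ref, SEC_BYTES);
    if (corrupt_at >= 0) cart[corrupt_at] ^= 0xFF;
    return cart_boot_check(cart, sizeof cart, ref, sizeof ref);
}

int main(void)
{
    printf("intact image:            %ld\n", demo(-1));
    printf("last compared word hit:  %ld\n", demo(0x783));
    printf("first byte past block:   %ld\n", demo(0x784));
    return 0;
}
```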

Chilly Willy
Very interested
Posts: 2984
Joined: Fri Aug 17, 2007 9:33 pm

Post by Chilly Willy » Mon Dec 30, 2013 7:26 am

Is this before or after the rest of the CD BIOS has been initialized? It's very interesting... I may want to do some checking myself. And here I thought we'd figured everything out on the CD.

notaz
Very interested
Posts: 193
Joined: Mon Feb 04, 2008 11:58 pm
Location: Lithuania

Post by notaz » Mon Dec 30, 2013 12:01 pm

Yeah, it's an interesting boot mode where you can avoid having to start the CD/bios yourself and have it done for you, I guess?

l_oliveira
Very interested
Posts: 53
Joined: Mon Mar 07, 2011 12:58 am

Post by l_oliveira » Mon Dec 30, 2013 1:45 pm

Chilly Willy wrote: Is this before or after the rest of the CD BIOS has been initialized? It's very interesting... I may want to do some checking myself. And here I thought we'd figured everything out on the CD.

Actually ElBarto and a few other people were talking about it in this very forum a while ago .... 8)

And it boots before the CD BIOS shows its splash screen. The (few) Japanese CD BIOSes I goofed around with don't try to detect a bootable cartridge. If you want to catch this behavior using the MESS debugger do this at the debugger command prompt:

Focus 0 (it will focus on the Mega Drive CPU, it usually defaults to the CD CPU)
WPSET 400000,10000,RW (tells the debugger to break execution once a read or write to the cartridge connector region is attempted)

This should give you a quick insight of where the boot check code is on each bios. After this detection is done, the next thing the BIOS does at that region is attempt detection of the "RAM_CARTRIDG" string at $400010. All CD BIOSes seem to do this regardless of region.

Edit: Oh and if you're using a US or PAL BIOS with my region free hacks in it, that 'boot modi' won't work because I modified the boot code for the cartridge (at the time I had no idea why the TMSS data was there). This research is being done so I can fix it properly for the next release of hacked region Free BIOSes I'm planning for the next year.

Since the Japanese/ASIA BIOSes don't do this I might leave them as they are currently.

Chilly Willy
Very interested
Posts: 2984
Joined: Fri Aug 17, 2007 9:33 pm

Post by Chilly Willy » Mon Dec 30, 2013 11:38 pm

If some BIOSes don't do this, then it can't really be used for a general purpose game without warning folks with those BIOSes. If it's before initing the BIOS, it also doesn't replace the current Mode 1 startup code. This looks like it was made for an extended CD BIOS for future models. In that respect, it's kinda like the Amiga KS ROM.

The Amiga KS ROM was in a set location, but almost the first thing it does is check an alternate location for the magic cookie denoting an extension rom, then runs it if it finds it. That allowed for things like 040/060 accelerators to run some init code before allowing the KS to boot like normal. This sounds similar - some future hardware would have its own BIOS extension at 0x400000 and init the hardware via this mechanism, then return to allow the normal BIOS to boot the CD.

l_oliveira
Very interested
Posts: 53
Joined: Mon Mar 07, 2011 12:58 am

Post by l_oliveira » Tue Dec 31, 2013 5:09 pm

I put some thought into this and the purpose of this boot modi could be manufacturing optimization. This could be meant to be used at the factory to boot a diagnosis cartridge....

TascoDLX
Very interested
Posts: 262
Joined: Tue Feb 06, 2007 8:18 pm

Post by TascoDLX » Sat Jan 04, 2014 1:04 pm

l_oliveira wrote: This should give you a quick insight of where the boot check code is on each bios. After this detection is done, the next thing the BIOS does at that region is attempt detection of the "RAM_CARTRIDG" string at $400010. All CD BIOSes seem to do this regardless of region.

Ah yes, I think I remember RAM_CARTRIDG...

The default function handler for main-side (i.e., cart) BRAM service calls is located in BIOS ROM. However, if the BIOS finds the string 'RAM_CARTRIDG' at $400010, it will use the function handler at $400020 instead. This would give the cart complete control in handling BRAM service calls (on the main side, anyway). So you could design a BRAM cart any way you see fit, if you're willing to write the code for it.

l_oliveira
Very interested
Posts: 53
Joined: Mon Mar 07, 2011 12:58 am

Post by l_oliveira » Sat Jan 04, 2014 1:34 pm

The MEGA-CD really deserves a WIKI of some sort ... ;)

l_oliveira
Very interested
Posts: 53
Joined: Mon Mar 07, 2011 12:58 am

Post by l_oliveira » Fri Dec 26, 2014 10:01 pm


l_oliveira
Very interested
Posts: 53
Joined: Mon Mar 07, 2011 12:58 am

Post by l_oliveira » Sat Dec 27, 2014 7:46 pm

A few hours more of work poured on this:

Euro ROMs do consistently use the same security data as the CD. You can make a single cart which will boot on any un-modded PAL system out there.

That's a good thing.

For USA consoles things are a little grim:

The tray model SEGA-CD with BIOS 1.10 uses the same security sector as the DISC, which is a good thing. SEGA CD2 uses a different security sector:

Original security sector:

43FA 000A          LEA    PC+0A,A1      ; load address for logo data in A1
4EB8 0364          JSR    w.0364        ; call logo display

Newer ROMs use this instead:

43FA 000C          LEA    PC+0C,A1      ; load address for logo data in A1
4EB9 00000364      JSR    l.00000364    ; call logo display

The rest of the data is the same, but the new security code is one word longer. Any mismatch is considered a failure so the cart made for tray SEGA-CD won't boot on a lid SEGA CD model.

I'm considering adding the cart detection code to my custom (JPN)MEGA-CD BIOS so I can use this kind of boot system for this idea:
viewtopic.php?t=1929

It's not really too bad that there are some minor issues with this boot method.
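
Added example, not from the original post: a C check that decodes the two opening instructions of a security sector and reports which of the two forms quoted above it is, plus where the logo data that LEA points at begins. The enum and function names are this example's own; the sample bytes are the ones quoted in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum sec_variant { SEC_UNKNOWN, SEC_ORIGINAL, SEC_NEWER };

/* Opening bytes of each form, as quoted in the thread. */
const uint8_t SAMPLE_ORIGINAL[] = { 0x43,0xFA,0x00,0x0A, 0x4E,0xB8,0x03,0x64 };
const uint8_t SAMPLE_NEWER[]    = { 0x43,0xFA,0x00,0x0C, 0x4E,0xB9,0x00,0x00,0x03,0x64 };

static unsigned be16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Decodes LEA (d16,PC),A1 followed by JSR to $364 and reports the form.
 * *logo_off receives the sector offset LEA points at (-1 if unknown);
 * the PC base is the address of the LEA extension word, i.e. offset 2. */
enum sec_variant classify_security(const uint8_t *s, size_t len, int *logo_off)
{
    enum sec_variant v = SEC_UNKNOWN;
    *logo_off = -1;
    if (len < 8 || be16(s) != 0x43FA)
        return SEC_UNKNOWN;
    if (be16(s + 4) == 0x4EB8 && be16(s + 6) == 0x0364)
        v = SEC_ORIGINAL;               /* JSR ($0364).w: one address word */
    else if (len >= 10 && be16(s + 4) == 0x4EB9 &&
             be16(s + 6) == 0x0000 && be16(s + 8) == 0x0364)
        v = SEC_NEWER;                  /* JSR ($00000364).l: two address words */
    if (v != SEC_UNKNOWN)
        *logo_off = 2 + (int16_t)be16(s + 2);
    return v;
}

int main(void)
{
    int off;
    enum sec_variant v;
    v = classify_security(SAMPLE_ORIGINAL, sizeof SAMPLE_ORIGINAL, &off);
    printf("original: variant=%d, logo data at +0x%02X\n", (int)v, (unsigned)off);
    v = classify_security(SAMPLE_NEWER, sizeof SAMPLE_NEWER, &off);
    printf("newer:    variant=%d, logo data at +0x%02X\n", (int)v, (unsigned)off);
    return 0;
}
```

The logo data offset comes out as 0x0C for the original form and 0x0E for the newer one, which is the one-word shift that makes a word-for-word comparison fail.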

TascoDLX
Very interested
Posts: 262
Joined: Tue Feb 06, 2007 8:18 pm

Post by TascoDLX » Mon Dec 29, 2014 9:51 pm

l_oliveira wrote: I'm currently trying to make heads and tails from LaserActive LD SUB CPU BIOS and figure out how it decides if it should or not load the MEGA-CD/SEGA-CD disc SUB CPU BIOS. Apparently I found the data it uses on the said checking but I can't figure out how it's used yet.

For checking discs, the LD SUB BIOS works the same way as the CD SUB BIOS except it uses a 2D checksum method instead of comparing the code directly. It computes 16-bit sum totals for each row of 8 words (consecutive) as well as sum totals for each column.
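
Added example, not from the original posts and not the LD BIOS code: a C sketch of the row and column sums described above, with a comparison that shows what the two sets of sums reveal when a single word differs. Big-endian words, wrap-around modulo 2^16, whole rows only and all names are assumptions of this example; the input block is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COLS 8        /* the post: rows of 8 consecutive words */
#define MAX_ROWS 64   /* arbitrary limit for this example */
struct sum2d { uint16_t row[MAX_ROWS], col[COLS]; size_t rows; };

/* Assumptions (not from the post): big-endian words, sums wrap modulo
 * 2^16, and the block is a whole number of rows. */
int sum2d_compute(const uint8_t *d, size_t len, struct sum2d *out)
{
    if (len == 0 || len % (COLS * 2) || len / (COLS * 2) > MAX_ROWS)
        return -1;
    memset(out, 0, sizeof *out);
    out->rows = len / (COLS * 2);
    for (size_t i = 0; i < len / 2; i++) {
        uint16_t w = (uint16_t)(d[2 * i] << 8 | d[2 * i + 1]);
        out->row[i / COLS] = (uint16_t)(out->row[i / COLS] + w);
        out->col[i % COLS] = (uint16_t)(out->col[i % COLS] + w);
    }
    return 0;
}

/* Index of the single changed word (one bad row sum, one bad column
 * sum), -1 if every sum agrees, -2 for any other pattern. */
long sum2d_locate(const struct sum2d *a, const struct sum2d *b)
{
    long r = -1, c = -1, bad = 0;
    if (a->rows != b->rows) return -2;
    for (size_t i = 0; i < a->rows; i++)
        if (a->row[i] != b->row[i]) { r = (long)i; bad++; }
    for (size_t j = 0; j < COLS; j++)
        if (a->col[j] != b->col[j]) { c = (long)j; bad++; }
    if (bad == 0) return -1;
    return (bad == 2 && r >= 0 && c >= 0) ? r * COLS + c : -2;
}

long demo(int changed_word)   /* constructed 4x8-word block, not disc data */
{
    uint8_t ref[64], img[64];
    struct sum2d a, b;
    for (int i = 0; i < 64; i++) ref[i] = img[i] = (uint8_t)(i * 5 + 1);
    if (changed_word >= 0) img[2 * changed_word + 1] ^= 0x01;
    sum2d_compute(ref, sizeof ref, &a);
    sum2d_compute(img, sizeof img, &b);
    return sum2d_locate(&a, &b);
}
int main(void) { printf("%ld %ld\n", demo(-1), demo(19)); return 0; }
```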
