Naomi CF boot

From Pcbotaku wiki


The NAOMI (including Chihiro and Triforce) Compact Flash solution is a drop-in replacement for the GD-ROM system. The setup includes:

  • Compact Flash reader unit (Sega Japan made, with common SCSI style interface connector and 5 pin GD-ROM power header)
  • Firmware update GD-ROM (specific to the system, and to the included game only)
  • Security PIC
  • Compact Flash card with encrypted game image (manufactured by Hagiwara Sys-Com)

The solution appears to have been exclusive to the UK.

For the Naomi, a version of the firmware exists that bypasses the check restricting the system to Hagiwara Sys-Com cards (step 8 of the protection scheme described below). This version is "hacked" rather than official: the upgrade reports itself as 4.02, but the serial port output still reports the version as gcxb-2.0.0 v4.01/v4.00 on start-up.

Step 1 - get the seed key

Every ATA device returns a 512-byte IDENTIFY DEVICE structure that contains, among other things, a 20-byte ASCII serial number (words 10-19, i.e. byte offsets 20-39). The protection scheme uses two bytes of that field as its seed: the bytes at offset 0x24 and 0x25 in the 512-byte block (decimal 36 and 37), which correspond to the 4th- and 3rd-from-last characters of the serial number. Because IDENTIFY data is defined as 16-bit little-endian words, while ATA string fields store the first character of each pair in the high byte of the word, the raw bytes appear pairwise swapped: a serial ABCDEFGH comes back as BADCFEHG, and smartctl un-swaps it before printing the "Serial Number:" line. Smartctl, part of the S.M.A.R.T. Monitoring Tools (smartmontools), ships with every Linux distribution and is also available for Windows; its -r ataioctl,2 option dumps the raw structure. In the example below the bytes at offsets 36 and 37 are 0x37 0x30, which read as a little-endian word gives the seed key we are looking for: 0x3037.

This number is also what you need to enter into the various tools that prepare the CF card for you.

Get part of serial number with smartctl

smartctl -r ataioctl,2 -i /dev/sda

smartctl 5.40 2010-03-16 r3077 [x86_64-unknown-linux-gnu] (local build)
Copyright (C) 2002-10 by Bruce Allen, http://smartmontools.sourceforge.net


REPORT-IOCTL: Device=/dev/sda Command=IDENTIFY DEVICE
 Input:   FR=...., SC=0x01, LL=...., LM=...., LH=...., DEV=...., CMD=0xec IN
REPORT-IOCTL: Device=/dev/sda Command=IDENTIFY DEVICE returned 0

===== [IDENTIFY DEVICE] DATA START (BASE-16) =====
000-015: 5a 04 ef 03 00 00 10 00 00 00 00 02 3f 00 0f 00 |Z...........?...|
016-031: 10 7d 00 00 31 30 36 31 30 46 39 30 32 43 41 30 |.}..10610F902CA0|
032-047: 30 30 30 30 37 30 36 36 01 00 01 00 04 00 55 59 |00007066......UY|
048-063: 4e 41 30 31 36 32 31 35 4d 32 20 42 4b 43 20 53 |NA016215M2 BKC S|
064-079: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |                |
080-095: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 01 00 |              ..|
096-111: 00 00 00 0f 00 00 00 02 00 00 07 00 ef 03 10 00 |................|
112-127: 3f 00 10 7d 0f 00 00 01 10 7d 0f 00 00 00 01 00 |?..}.....}......|
128-143: 03 00 e0 01 e0 01 78 00 78 00 00 00 00 00 00 00 |......x.x.......|
144-159: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
160-175: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
176-191: 1f 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
192-207: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
208-223: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
224-239: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
240-255: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
256-271: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
272-287: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
288-303: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
304-319: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
320-335: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
336-351: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
352-367: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
368-383: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
384-399: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
400-415: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
416-431: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
432-447: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
448-463: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
464-479: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
480-495: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
496-511: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
===== [IDENTIFY DEVICE] DATA END (512 Bytes) =====

=== START OF INFORMATION SECTION ===
Device Model:     512MB CKS
Serial Number:    0116F009C20A00000766
Firmware Version: YUAN1026
User Capacity:    519,708,672 bytes
Device is:        Not in smartctl database [for details use: -P showall]
ATA Version is:   [No Information Found]
ATA Standard is:  [No Information Found]
Local Time is:    Sun Apr 24 22:28:55 2011 CEST
SMART support is: Ambiguous - ATA IDENTIFY DEVICE words 82-83 don't show if SMART supported.
A mandatory SMART command failed: exiting. To continue, add one or more '-T permissive' options.

The following started out as a copy/paste (see the document history) and was expanded with detail as the investigation progressed.

  1. Read the ATA IDENTIFY DEVICE data.
  2. Read 2 bytes of the CF serial number (offset +0x24 in the IDENTIFY structure). [This means a game image is locked to a specific card: copying the data from one official Sega card to another official Sega card will not work unless the two cards happen to have the same two characters at that position in their serial numbers.]
  3. Treat these 2 bytes as a 16-bit word and add 0x20. The result is the sector number of the XOR "key" sector.
  4. Read that sector and XOR it, byte by byte, with encrypted sector 0x277.
  5. Take the same 16-bit word from the serial number again, but this time add 0x19.
  6. Read that sector and sum its contents as 32-bit dwords, accumulating in a 32-bit dword (so the sum wraps modulo 2^32).
  7. This value must match the 32-bit dword stored at offset 0x38 in sector 0x1D7.
  8. The 8-byte manufacturer ID must match a specific value. [Hagiwara Sys-Com cards only; this is the check the hacked 4.02 firmware removes.]
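The seed extraction from Step 1 and the check in steps 1-7 above, as a worked example added here; this is not code from the wiki, from Sega's firmware or from any of the card-preparation tools. It uses the first 48 bytes of the IDENTIFY dump shown on this page and a constructed sparse card image. Things the page does not state and the example assumes: sectors are 512 bytes, the seed word, the dword sum and the stored checksum are little-endian like all other ATA data, and the sum wraps in 32 bits. Step 8 is not modelled because the page does not give the expected manufacturer ID. The Card class, prepare_card() and the sample sector contents are inventions for the example.

```python
"""Naomi CF card check (steps 1-7 above) as an added worked example.

Not code from the wiki page or from Sega.  Assumed, not stated on the page:
512-byte sectors; seed word, dword sum and stored checksum are little-endian;
the sum wraps mod 2**32.  Step 8 (8-byte manufacturer ID) is left out because
the expected value is not given on the page.
"""
import os
import struct

SECTOR_SIZE = 512
SERIAL_OFFSET, SERIAL_LEN = 20, 20     # IDENTIFY DEVICE words 10-19
SEED_OFFSET = 0x24                     # two bytes inside that serial field
ENC_SECTOR = 0x277                     # sector that is XOR-decrypted
CHK_SECTOR, CHK_OFFSET = 0x1D7, 0x38   # where the expected dword sum is stored
KEY_DELTA, SUM_DELTA = 0x20, 0x19      # added to the seed to locate sectors

# First 48 bytes of the IDENTIFY DEVICE dump shown on this page (512MB CKS
# card), zero-padded to a full 512-byte block.
IDENTIFY = bytes.fromhex(
    "5a 04 ef 03 00 00 10 00 00 00 00 02 3f 00 0f 00"
    "10 7d 00 00 31 30 36 31 30 46 39 30 32 43 41 30"
    "30 30 30 30 37 30 36 36 01 00 01 00 04 00 55 59"
).ljust(SECTOR_SIZE, b"\x00")


def ata_string(raw: bytes) -> str:
    """Undo the per-word byte swap of ATA string fields (BADCFEHG -> ABCDEFGH).
    No strip(): the firmware reads fixed offsets, so padding must stay put."""
    fixed = bytearray(len(raw))
    fixed[0::2], fixed[1::2] = raw[1::2], raw[0::2]
    return fixed.decode("ascii")


def serial_number(identify: bytes) -> str:
    return ata_string(identify[SERIAL_OFFSET:SERIAL_OFFSET + SERIAL_LEN])


def seed_from_identify(identify: bytes) -> int:
    """Step 2: the little-endian word at +0x24 of the raw IDENTIFY block."""
    return struct.unpack_from("<H", identify, SEED_OFFSET)[0]


def seed_from_serial(serial: str) -> int:
    """Same value from the printed serial: the 4th-from-last character is the
    high byte and the 3rd-from-last the low byte ("...0766" -> 0x3037)."""
    return (ord(serial[-4]) << 8) | ord(serial[-3])


def dword_sum(sector: bytes) -> int:
    """Step 6: sum of 128 little-endian dwords, accumulated in 32 bits."""
    return sum(struct.unpack("<128I", sector)) & 0xFFFFFFFF


def xor_sectors(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Card:
    """Constructed sparse CF image: unwritten sectors read back as zeros."""
    def __init__(self, identify: bytes):
        self.identify, self.sectors = identify, {}

    def read(self, lba: int) -> bytes:
        return self.sectors.get(lba, bytes(SECTOR_SIZE))

    def write(self, lba: int, data: bytes) -> None:
        assert len(data) == SECTOR_SIZE
        self.sectors[lba] = bytes(data)


def verify_card(card: Card):
    """Steps 1-7.  Returns (checksum_ok, seed, decrypted sector 0x277)."""
    seed = seed_from_identify(card.identify)                  # steps 1-2
    key = card.read(seed + KEY_DELTA)                         # step 3
    plaintext = xor_sectors(card.read(ENC_SECTOR), key)       # step 4
    computed = dword_sum(card.read(seed + SUM_DELTA))         # steps 5-6
    expected = struct.unpack_from("<I", card.read(CHK_SECTOR), CHK_OFFSET)[0]
    return computed == expected, seed, plaintext              # step 7


def prepare_card(card: Card, plaintext: bytes, key: bytes = None) -> None:
    """Inverse of the check, i.e. why a preparation tool needs the seed:
    key at seed+0x20, ciphertext at 0x277, matching checksum at 0x1D7:0x38.
    Both seed bytes are ASCII, so seed >= 0x2020 and the derived sectors can
    never collide with the fixed sectors 0x1D7 and 0x277 (my observation)."""
    seed = seed_from_identify(card.identify)
    key = key or os.urandom(SECTOR_SIZE)
    card.write(seed + KEY_DELTA, key)
    card.write(ENC_SECTOR, xor_sectors(plaintext, key))
    chk = bytearray(card.read(CHK_SECTOR))
    struct.pack_into("<I", chk, CHK_OFFSET, dword_sum(card.read(seed + SUM_DELTA)))
    card.write(CHK_SECTOR, bytes(chk))


PLAINTEXT = b"constructed contents of sector 0x277".ljust(SECTOR_SIZE, b"\x00")


def demo() -> dict:
    # Card from the dump on this page: fill the checksummed sector with
    # constructed non-zero data, then "prepare" it with a fixed key.
    card = Card(IDENTIFY)
    seed = seed_from_identify(IDENTIFY)
    card.write(seed + SUM_DELTA, bytes(range(256)) * 2)
    prepare_card(card, PLAINTEXT, key=bytes(range(255, -1, -1)) * 2)
    ok, _, plain = verify_card(card)

    # The same sectors copied 1:1 onto a card whose serial differs only in
    # the two seed characters ("...0766" -> "...0166"): the firmware now
    # reads key and checksum from the wrong sectors, so the check fails.
    other_identify = bytearray(IDENTIFY)
    other_identify[SEED_OFFSET:SEED_OFFSET + 2] = b"\x31\x30"
    clone = Card(bytes(other_identify))
    clone.sectors = dict(card.sectors)
    ok2, seed2, plain2 = verify_card(clone)
    return {"seed": seed, "checksum_ok": ok, "plaintext_ok": plain == PLAINTEXT,
            "clone_seed": seed2, "clone_checksum_ok": ok2,
            "clone_plaintext_ok": plain2 == PLAINTEXT}


if __name__ == "__main__":
    print(serial_number(IDENTIFY), hex(seed_from_identify(IDENTIFY)), demo())
```

To check a real card rather than the constructed image, replace Card.read with reads of 512-byte sectors from the device (or from a raw dump of it) and feed the 512-byte IDENTIFY block from smartctl -r ataioctl,2 into seed_from_identify(); the two seed derivations must agree with the hex dump, which is the quickest way to confirm the word-swap has been handled correctly.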

References

http://www.compuphase.com/mbr_fat.htm

http://averstak.tripod.com/fatdox/bootsec.htm

4.02 Firmware