Mega-CD real region free on game discs

[l_oliveira]

I had this idea for quite some while now and I believe it's doable...

After learning how the MEGA-CD works I started to read about how the region protection mechanism works on this system and found out that achieving real region free is possible somehow.

For a long time I've been patching my games to run on a JP/Asia MEGA-CD by doing this on the ISO images:

- Extract header using Winhex
- Manually edit the header to match the strings the Japanese ROM expect
- Paste the Japanese security program on top of the original (US or PAL) security program
-Pad the difference with 68000 NOP instructions.

The success rate with this method has been 100% so far.

But using the real silver discs is much more desirable than using shitty CD-Rs making real free region interesting.

The security checking is done by the SUB-CPU during the second part of the disc detection process (when the CPU reads the TOC information from the CD Drive) where the security program is compared to an existing copy of it on the SUB-CPU RAM.

The idea is change the compare code to instead, copy the loaded security program that would be used on the compare on top of the original security program which came from the disc read then pad the size difference with NOP instructions automatically. This would cause the Japanese ROM to behave as a region free ROM.

Then why it has to be the Japanese ROM ? Because it's security program is the smallest of the 3. :rolleyes:

What you guys think of this idea ?

I'm not capable of doing it alone because the ROM has the SUB-CPU BIOS image compressed on the main 68000 ROM chip. Decompressed it's 128KB just like the main ROM image.

I would need help reverse engineering this, changing it and then putting it back onto the ROM. :shrug:


Edit: Achieved.

Link:

http://www.4shared.com/file/0HXCyFYT...CD_BIOSES.html

Package contains:

eu_mcd1_9210_regionfree.bin
EU_MegaCD2_30031993_regionfree.BIN
jp_mcd1_911228_region_free.bin
JP_MegaCD2_22121992_regionfree.bin
JP_Wondermega_02061992_regionfree.BIN
us_scd1_9210_regionfree.bin
US_SEGA_CDX_930907_regionfree.bin
US_X'EYE_27121993_regionfree.bin

Edit: Added a utility to byteswap the BIOSes on this post. :thumbsup:
Usage:
Name file "BIOS.BIN" and put on same folder as .exe and .bat...
Click .bat and a file named "SWAP.BIN" will be created.

Edit2: Unified link. Contains all files.

[dutchconsolefreak]

I'm no expert on mega-cd, but you are saying that a custom compression algorithm has to be written on the basis of the decompression routine? If the only thing that's decompressed is the security program, it might be easier to use the rom space occupied by the decompression routine and replace it with a routine that simply copies our own code to the sub-cpu.

When there is also code decompressed for other things besides security, we have a problem.
Do you have a dump of the compressed data? Does it have any kind of header? Did you already disassemble the decompression routine?

I would love to help, but i have no knowledge of the megadrive/cd architecture, and it has been years ago i programmed anything in 68k.

Just for my understanding.. the megacd ROM is executed on the megadrive cpu, it then decompresses&moves data to ram on the megacd and then the megacd cpu is executing?

[cde]

I have often wondered why we dont have region free games on the Sega/MegaCD, i recently looked at the old "SLOloader and thought we may be able to make a boot disc to suit a consoles region, and then when the security check has been passed, just send an "eject disc tray" command allowing you to insert your other region game.. Granted this assumes you have model 1 Sega/MegaCD, and we can use SLOloader to inject the command, and your willing to keep pushing the tray closed after the disc ejects.. Lot of ifs.

http://www.retrodev.com/slo.html

I have took my MegaCD's top case off (and disc magnet) and re-attached the Megadrive, giving me access through the side to the disc. I inserted a PAL game and pressed B to go to the menu screen. The CDROM icon appeared and i then played any CD audio track, then pressed stop, with the disc stopped i swapped the game for the US version of the same game and then pressed CDROM and the game launched and played fine. I do have region and 50/60htz switches too, this allowed me to switch to NTSC to enjoy the game fully... Dont know if it works with all games, but as a POC it shows the security check has been passed.

[l_oliveira]

In fact, the SUB-CPU (the 12mhz 68000 on the CD digital board) has a 128KB bios which is unpacked from the main 68000 ROM. The SUB-CPU has no ROM but the main 68000 unpacks it's bios and put stuff together to then start it when ready. And yes we will need custom tools to unpack the sub CPU bios and then put it back after changes are made.

[segaloco]

There has been a dump of that BIOS (somewhat) which was really just a RAM dump which consisted of at least that BIOS. It could be reverse engineered to find the compression algorithm

[dutchconsolefreak]

decompressed Sega CD 68k BIOS (size: 1 mbit)
This is the BIOS data which is decompressed by the Genesis 68k into the Sega CD 68k RAM (based on Sega CD BIOS 1.10.
Not suitable for emulator usage, just suitable for programming purposes.

http://eidolon.dnsalias.net/eifiles/scd_100_us.zip

Here some info about the code that actually tests the segacd region:

Take the American version 1 BIOS, for instance. At 5724 you'll see:
; 400000 is the CD buffer,
; where the boot code's been
; just transfered to.
; 400200, therefore, points
; to (boot code)+ $200.
00005724 41F9 00400200 LEA $00400200,A0

; "SEGA" at $100?
0000572A 0CA8 53454741 FF00 CMP.L #$53454741,-$0100(A0)

; The function returns "not equal"
; if there's no "SEGA" at $100.
00005732 660E BNE $00005742 ;

; A1->Security code image
00005734 43FA 000E LEA $00005744(pc),A1

; Compares $2C2 words (Motorola catch here)
00005738 303C 02C1 MOVE.W #$02C1,D0

; Finally, it returns "equal" if
; all 1412 bytes on (400200) and (5744)
; match.
0000573C B348 CMPM.W (A0)+, (A1)+
0000573E 56C8 FFFC DBNE D0, $573C
00005742 4E75 RTS

; Here lies a verbatim copy of the US security code at offset
; $200.
00005744 43FA 000A
00005748 4EB8 0364
0000574C 6000 057A
00005750 600F
...

Since it takes too much time to recreate the original compression algorithm, it is beter to search for a new compressor with a compact 68k decompression source.

EDIT:
Seems that the code above is NOT in the (de)compressed bios, but in the main segacd ROM.
When (partially) disassembling "Sega CD Model 1 BIOS v1.10 (1992)(Sega)(US).bin" i find:

0x00005724: 0x41F9 0x0040 0x0200 LEA 0x400200,A0
0x0000572A: 0x0CA8 0x5345 0x4741 0xFF00 CMPI.L #0x53454741,(-0x100,A0)
0x00005732: 0x660E BNE.S *+0x10 [0x5742]
0x00005734: 0x43FA 0x000E LEA (0xE,PC) [0x5744],A1
0x00005738: 0x303C 0x02C1 MOVE.W #0x2C1,D0
0x0000573C: 0xB348 CMPM.W (A0)+,(A1)+
0x0000573E: 0x56C8 0xFFFC DBNE D0,*-0x2 [0x573C]
0x00005742: 0x4E75 RTS
0x00005744: 0x43FA 0x000A
0x00005748: 0x4EB8 0x0364
0x0000574C: 0x6000 0x057A
0x00005750: 0x600F
0x00005752: 0x0000 0x0000
0x00005756: 0x0C22 0x0E44
0x0000575A: 0x0E66 0x0E88
0x0000575E: 0x0EEE
... and the rest of the security code...

As you can see this is the same as above, but like i said not in the compressed bios.
In the compressed bios [link at the start of this post] i didn't find the same code, but there was a comparison loop with the same size as the security code (and the security code itself):

0x00004222: 0x43FA 0x0018 LEA (0x18,PC) [0x423C],A1
0x00004226: 0x303C 0x02C1 MOVE.W #0x2C1,D0
0x0000422A: 0xB348 CMPM.W (A0)+,(A1)+
0x0000422C: 0x56C8 0xFFFC DBNE D0,*-0x2 [0x422A]
0x00004230: 0x6704 BEQ.S *+0x6 [0x4236]
0x00004232: 0x44FC 0x0001 MOVE #0x1,CCR
0x00004236: 0x4CDF 0x0301 MOVEM.L (A7)+,D0/A0-A1
0x0000423A: 0x4E75 RTS
0x0000423C: 0x43FA 0x000A
0x00004240: 0x4EB8 0x0364
0x00004244: 0x6000 0x057A
0x00004248: 0x600F
0x0000424A: 0x0000 0x0000
0x0000424E: 0x0C22 0x0E44
0x00004252: 0x0E66 0x0E88
0x00004256: 0x0EEE
... and the rest of the security code...

So it looks like the protection is atleast on two levels: the main rom (executed on the genesis?) and in the segacd bios (executed on the sub-cpu)

[RAQ]

Here is a link to a modified Europen BIOS i did http://gendev.spritesmind.net/forum/viewtopic.php?t=726 This 'hack' removes the country protection check and the CD security check, it's not perfect but it does work. It's only been tested on an emulator (Kega Fusion) but i don't see why it wouldn't work on actual hardware.

[dutchconsolefreak]

Thanks for sharing the link :-) Can you tell why it is not perfect? And how did you recompress the mcd bios part?

edit:
Oke, i've read about the glitches on ntsc machines, i think it can be solved by modifying a usa or jpn rom?

[l_oliveira]

From a talk with Tmee, I just realized we can just "trojan" the SUB-CPU code before it gets started, by adding an routine which changes whatever we need to in the SUB-CPU RAM before it's set to run.

In a system setup like MEGA-CD, the role of MAIN CPU is what the programmer want it to be.

As we can just halt the SUB-CPU (or not let it run) and poke around it's memory, there's no need to tamper with the original compressed image of the SUB-CPU boot program. :lol:

[sayin999]

There is no way just to make a boot disc to bypass the region check?

[APE]

Here is a link to a modified Europen BIOS i did http://gendev.spritesmind.net/forum/viewtopic.php?t=726 This 'hack' removes the country protection check and the CD security check, it's not perfect but it does work. It's only been tested on an emulator (Kega Fusion) but i don't see why it wouldn't work on actual hardware.

I'm getting a broken SegaCD in a few days (hoping its the F1 fuse problem) and I was looking for an excuse to build a EEPROM flasher to try the multi-region SegaCD bios mod that is out there. However I think I'll go ahead and give yours a shot and see how actual hardware likes it if you don't mind.

Granted this is an American SegaCD outputting 60hz normally but afaik internally they're the same hardware. My monitor will accept 50hz over composite so that shouldn't be a problem.

Annnnnd I just read about the glitches on an NTSC system. Noted. Will see how it performs anyway.

[l_oliveira]

I had a good look on the hacked PAL ROM and RAQ basically did what I posted on the thread, but like three months earlier ... :lol:

He however completely bypassed the SEGA LOGO, which is probably why the BIOS crashes on some games.

I will try to contact him as he left his name on the ROM. :D

Edit:

I love people with a sense of humor:

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

00004250 49 20 73 65 65 20 79 6F 75 72 20 75 73 69 6E 67 I see your using
00004260 61 20 68 65 78 20 65 64 69 74 6F 72 20 61 6E 64 a hex editor and
00004270 79 6F 75 20 68 61 76 65 20 6D 61 6E 61 67 65 64 you have managed
00004280 20 74 6F 20 20 64 65 63 6F 6D 70 72 65 73 73 20 to decompress
00004290 74 68 65 20 53 55 42 2D 43 50 55 20 42 49 4F 53 the SUB-CPU BIOS
000042A0 20 73 75 63 63 65 73 73 66 75 6C 6C 79 2E 20 20 successfully.
000042B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
000042C0 20 20 48 65 6C 6C 6F 20 74 6F 20 74 68 65 20 20 Hello to the
000042D0 66 6F 6C 6C 6F 77 69 6E 67 20 70 65 6F 70 6C 65 following people
000042E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
000042F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00004300 20 20 20 50 61 75 6C 20 4A 6F 6E 65 73 20 20 20 Paul Jones
00004310 20 20 4A 61 6D 69 65 20 42 61 72 6C 6F 77 20 20 Jamie Barlow
00004320 20 20 4B 65 6E 20 47 72 61 6E 6E 65 6C 20 20 20 Ken Grannel
00004330 20 4B 61 73 73 79 20 4F 51 75 69 67 6C 65 79 20 Kassy OQuigley
00004340 20 20 4A 6F 72 64 61 6E 20 47 72 61 79 20 20 20 Jordan Gray
00004350 20 20 20 45 6C 6C 61 20 47 72 61 79 20 20 20 20 Ella Gray
00004360 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00004370 20 54 68 69 73 20 42 49 4F 53 20 68 61 63 6B 20 This BIOS hack
00004380 20 20 77 61 73 20 64 6F 6E 65 20 62 79 20 20 20 was done by
00004390 52 75 73 73 65 6C 6C 20 4F 51 75 69 67 6C 65 79 Russell OQuigley
000043A0 20 6F 6E 20 33 31 2F 30 33 2F 32 30 31 30 20 20 on 31/03/2010
000043B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
000043C0 20 20 21 21 20 45 4E 4A 4F 59 20 21 21 20 20 20 !! ENJOY !!

This guy rocks ! :thumbsup:

[l_oliveira]

Thanks to RAQ's work on the SUB-CPU bios I was able to put this together with slightly extra bit of hacking:

http://www.4shared.com/file/0HXCyFYT...CD_BIOSES.html


This one contains his patched SUB-CPU BIOS and extra patches on the MEGA Drive side of the code to aways display the "PRODUCED BY OR UNDER LICENCE OF KABUSHIKI KAISHA SEGA ENTERPRISES" regardless of the disc region.

To achieve this I replaced the original SUB-CPU BIOS with RAQ's, changed the MEGA-CD MD side BIOS call at 0x0364 to point to a patched copy of the Japanese logo at 0x6F20 which executes and then returns execution to the game.


Edit:
Mirror for RAQ's original file:

http://www.4shared.com/file/V899xMfH/_BIOS__Mega-CD__World___v100_.html

Edit2: File failed on real hardware due to wrong SEGA checksum. Has been repaired.

Edit3: Original file deleted. New archive contains original file. (see first post for details)

[PrOfUnD Darkness]

Very nice!

[l_oliveira]

Turns out that the SUB CPU bios is Kosinski (Yeah same stuff on SONIC games) compressed and tools existed to compress/decompress it since forever... :lol:

Thanks a lot for pointing me on the right way, TmEE !

And thanks for you RAQ for making this before me.
Quite an achievement ! :thumbsup:

[TmEE]

this is jawusum :D

[RAQ]

True, the SUB-CPU is compressed using the kosinski method, here's a link for a description

http://segaretro.org/Kosinski_compre...6redirect%3Dno

It was used in numerous carts as well as the Mega-CD BIOS, the decompression code is at these offsets of the various BIOS's

JAP - $7cc
USA - $902
EUR - $8f0

With thanks to l_oliveira for giving me a little push I have managed to patch all 3 BIOS regions so they are 'universal' but at the moment only the JAP BIOS is bug free (not fully tested), in bugs I mean a slight flicker on the EUR BIOS played on a 60Hz machine and no 'segaaaa' intro screen when playing JAP CD's, possibly a few others, I just think the EUR BIOS has the better title screen :-) So for now for a 'universal' Mega-CD BIOS, download l_oliveira's version from the above post. Many thanks l_oliveira :thumbsup:

[l_oliveira]

Yesterday I also added hacks to the US 921011 and made my own version of your EU 921027.

They are like the EU921027 you made, but it does aways show it's own boot screen regardless of which disc you insert on them.

This is a temporary archive as I am still doing the readme for them with a detailed description of the changes. :thumbsup:

This time I'm using the original SUB-CPU BIOS for each one of the files so there should be no compatibility issues besides the BIOS calls quirks (such as the problem with Heavy Nova)

They also have been SEGA checksum-fixed properly as I learned my lesson from burning an EPROM with a non checksum-fixed file. If weren't for TmEE tell me about the SEGA code being programmed to skip if CRC=0000 I would need to erase my EPROM again.

Temporary link:

http://www.4shared.com/file/vjQbI31Z..._FREE_JUE.html

While the files on the archive seem to work properly on the real hardware, they have not been throughly tested so consider this is a work in progress... :thumbsup:

[bearkilla]

wow awesome work everyone

[dutchconsolefreak]

I'm happy to see your project is still alive :-) Just wondering, the hacked jpn/usa bios doesn't have any problems with 50hz pal titles? Also, is there any difference between the bios for the megacd1/2 and/or cdx/multimega?

Also we have to consider the different wondermega's and the x'eye :drool:

Oh.. and how did you recompress the sub-cpu bios? Never mind, already found the sega data compressor :thumbsup: