Backup CD-R/Import Loading Idea For Revision 2 Dreamcasts Without MIL-CD Support (No Hardware Mods)

alexfree
fire
Posts: 75

Post#1 » Tue Sep 27, 2022 10:55 pm

I have this 'path' in my head to playing backups and imports on unmodified revision 2 Sega Dreamcasts which have MIL-CD support removed in the BIOS. The only method I can find online to get these most likely very rare consoles playing backups/imports is to physically remove the newer BIOS chip and replace it with an older BIOS chip which does still have MIL-CD support. I think I have a 100% software-only plan to achieve the same thing...

I have been working on my fork of Tonyhax International for quite a few months now. There are many ways to boot into the Tonyhax International loader, one of which is from a specially crafted save game file that triggers a stack overflow when you load the save in a real PS1 game. Once you're in the Tonyhax International loader you can put in import discs or backup CD-Rs and they will play correctly on completely unmodified stock PlayStation 1 and early PlayStation 2 consoles. So I was thinking, this can be done for the Dreamcast as well?!

Essentially you would need to replicate Dreamcast equivalents of everything the save game exploit is doing in Tonyhax International for the PlayStation. You would have to:

- Find a retail Dreamcast game which makes save files that have ASCII strings in it (most obvious examples would be games that let you enter a player name yourself that is kept in a save file on your VMU but things like highscores also work). Making the save game file on an emulator would be easiest.

- In a hex editor find some ASCII strings and try to expand them to insane lengths until you get a stack overflow. See if you can overwrite the return register with your own data. To use a modified save file you probably also need to update the checksum of the file before you try it on a console or emulator.

- If you can overwrite the return register, see if you can modify the other contents of the save file with a very small primary stage 1 loader written in SH-4 assembly. If you can get the save file to store this stage 1 loader in memory on the console after loading the specially crafted save file that overflows, you can point the return address to this loader and the CPU will execute it.

- Last of all you'd need to figure out what the primary stage 1 loader does next. Do you do bare minimum setup for VMU access so that you load a stage 2 loader from a different file on the VMU? Most likely this would be the best way.

The end result would be:
- Using an SD card adapter, Dreamshell, and a Dreamcast console that can play CD-R games put the modified save game exploit file on the VMU.
- Connect the VMU containing the save game exploit file to a controller connected to a Dreamcast console that can't play CD-R games.
- Start a real Dreamcast game on the Dreamcast console that can't play CD-R games. Load the save file. The exploit triggers and some kind of loader starts allowing you to then insert and play a CD-R backup or real import disc.

I think this is actually possible. The number of consoles which can't play MIL-CDs is probably very small, I don't own one. I own a September 1999 NTSC-U rev 1 console which plays backups wonderfully. I would be interested in getting a rev 2 without MIL-CD support if a POC can be put together, that could be tested in emulation and on any Dreamcast such as my rev 1 first.

For those interested in what I'm exactly talking about with the exploit, it is essentially this:
https://championleake.github.io/blog/PS1-StackSmashing/

Tonyhax International has a ton of examples of successfully implementing this exploit in multiple games (on the PlayStation):
https://github.com/alex-free/tonyhax/tr ... ntrypoints

List of things required to attempt this:
- Dreamcast that can play CD-R games for testing.
- SD card adapter.
- Hex editor/know-how of values in a save game file.
- Know how to update the checksum after modifying the save game file.
- Know a bit of SH-4 assembly and how the Dreamcast memory works.
- A good emulator that can show the register contents when a crash occurs when loading a malicious save file.

22 years on and no one has a software-only solution for the last Dreamcasts manufactured?
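
Added example, not part of the original post and not code from any game or from Tonyhax International: the defensive side of the save-file issue described above, showing a loader that bounds-checks a player-name field before copying it into a fixed buffer. The save layout, `NAME_MAX`, `make_save` and `load_save` are hypothetical names constructed for this illustration; the point is that a checksum anyone can recompute detects corruption only, so the length check is what protects the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical save layout (constructed for this example, not a real format):
 * [0] name_len, [1..name_len] ASCII name, then a 1-byte additive checksum. */
#define NAME_MAX 16
enum load_result { LOAD_OK, LOAD_TRUNCATED, LOAD_BAD_SUM, LOAD_NAME_TOO_LONG, LOAD_NAME_NOT_ASCII };
struct player { char name[NAME_MAX + 1]; };

static uint8_t sum8(const uint8_t *p, size_t n) {
    uint8_t s = 0;
    while (n--) s += *p++;
    return s;
}

/* Builds a save with a valid checksum; anyone editing the file can do the same. */
size_t make_save(uint8_t *out, size_t cap, const char *name) {
    size_t n = strlen(name);
    if (n > 255 || n + 2 > cap) return 0;
    out[0] = (uint8_t)n;
    memcpy(out + 1, name, n);
    out[1 + n] = sum8(out, 1 + n);
    return n + 2;
}

/* Validates every field against the destination size before copying anything. */
enum load_result load_save(const uint8_t *buf, size_t len, struct player *out) {
    if (len < 2) return LOAD_TRUNCATED;
    size_t n = buf[0];
    if (n + 2 > len) return LOAD_TRUNCATED;           /* declared length must fit the file */
    if (sum8(buf, 1 + n) != buf[1 + n]) return LOAD_BAD_SUM; /* catches corruption only */
    if (n > NAME_MAX) return LOAD_NAME_TOO_LONG;      /* the check that protects the buffer */
    for (size_t i = 0; i < n; i++)
        if (buf[1 + i] < 0x20 || buf[1 + i] > 0x7e) return LOAD_NAME_NOT_ASCII;
    memcpy(out->name, buf + 1, n);
    out->name[n] = '\0';
    return LOAD_OK;
}

int main(void) {
    uint8_t buf[64];
    struct player p;
    /* Constructed input: 24-byte name with a correct checksum, longer than NAME_MAX. */
    size_t len = make_save(buf, sizeof buf, "AAAAAAAAAAAAAAAAAAAAAAAA");
    return load_save(buf, len, &p) == LOAD_NAME_TOO_LONG ? 0 : 1;
}
```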

megavolt85
Developer
Posts: 1787

Post#2 » Wed Sep 28, 2022 6:13 am

On the Dreamcast, your method won't work.
After reading the GD disk, the drive is blocked and does not read CD disks. A software reset does not unlock it; the ability to read CD disks is possible only after a hardware reset of the GDROM.

pcwzrd13
Seen Any Sailors?
Posts: 7041

Post#3 » Wed Sep 28, 2022 8:01 am

I really don't think it's worth the effort to try and find a solution to this. The Dreamcasts that can't read MIL-CDs are EXTREMELY rare. It's only a small subset of Rev. 2s (manufactured in December of 2000 I believe). If you have one of them, you should probably just sell it anyway because you have a rare specimen. :lol:

alexfree
fire
Posts: 75

Post#4 » Wed Sep 28, 2022 12:19 pm

megavolt85 wrote: On the Dreamcast, your method won't work.
After reading the GD disk, the drive is blocked and does not read CD disks. A software reset does not unlock it; the ability to read CD disks is possible only after a hardware reset of the GDROM.


Thanks, this makes sense. Before this idea dies however, what about the SD card adapter? Do you think it would be possible to set that up after gaining control of the CPU via exploit?

Also, wouldn't import discs still work as they are GDROMs?

megavolt85
Developer
Posts: 1787

Post#5 » Wed Sep 28, 2022 12:41 pm

alexfree wrote: what about the SD card adapter? Do you think it would be possible to set that up after gaining control of the CPU via exploit?


After running the exploit, you can download data from anywhere; the only thing you can't do is change the GD disk to a CD.

alexfree wrote: Also, wouldn't import discs still work as they are GDROMs?

I know only one GD disk to import - SYSTEM DISK,
but it is designed to run GD-R discs, not CDs.

alexfree
fire
Posts: 75

Post#6 » Wed Sep 28, 2022 1:03 pm

megavolt85 wrote:
alexfree wrote: what about the SD card adapter? Do you think it would be possible to set that up after gaining control of the CPU via exploit?


After running the exploit, you can download data from anywhere; the only thing you can't do is change the GD disk to a CD.

alexfree wrote: Also, wouldn't import discs still work as they are GDROMs?

I know only one GD disk to import - SYSTEM DISK,
but it is designed to run GD-R discs, not CDs.


I asked about import discs because it should then be possible to at least change the GD disc with an import GD disc not matching the console and run it after exploit if it is set up to do that.

If alternatively an SD card loader is set up by the exploit then that is the solution to backups/homebrew.

So it seems it is indeed possible, just not involving CD-Rs. I have no idea when I'll be able to look into this, it's more just to find out if it can be done. Thanks for this info, it helped a lot.