Backup CD-R/Import Loading Idea For Revision 2 Dreamcasts Without MIL-CD Support (No Hardware Mods)
Posted: Tue Sep 27, 2022 10:55 pm
I have this 'path' in my head to playing backups and imports on unmodified revision 2 Sega Dreamcasts which have MIL-CD support removed in the BIOS. The only method I can find online to get these most likely very rare consoles playing backups/imports is to physically remove the newer BIOS chip and replace it with an older BIOS chip which does still have MIL-CD support. I think I have a 100% software-only plan to achieve the same thing...
I have been working on my fork of Tonyhax International for quite a few months now. There are many ways to boot into the Tonyhax International loader, one of which is from a specially crafted save game file that triggers a stack overflow when you load the save in a real PS1 game. Once you're in the Tonyhax International loader you can put in import discs or backup CD-Rs and they will play correctly on completely unmodified stock PlayStation 1 and early PlayStation 2 consoles. So I was thinking, can this be done for the Dreamcast as well?!
Essentially you would need to replicate Dreamcast equivalents of everything the save game exploit is doing in Tonyhax International for the PlayStation. You would have to:
- Find a retail Dreamcast game which makes save files that have ASCII strings in them (the most obvious examples would be games that let you enter a player name yourself that is kept in a save file on your VMU, but things like high scores also work). Making the save game file on an emulator would be easiest.
- In a hex editor find some ASCII strings and try to expand them to insane lengths until you get a stack overflow. See if you can overwrite the return register with your own data. To use a modified save file you probably also need to update the checksum of the file before you try it on a console or emulator.
- If you can overwrite the return register, see if you can modify the other contents of the save file with a very small primary stage 1 loader written in SH-4 assembly. If you can get the save file to store this stage 1 loader in memory on the console after loading the specially crafted save file that overflows, you can point the return address to this loader and the CPU will execute it.
- Last of all you'd need to figure out what the primary stage 1 loader does next. Do you do bare minimum setup for VMU access so that you load a stage 2 loader from a different file on the VMU? Most likely this would be the best way.
The end result would be:
- Using an SD card adapter, Dreamshell, and a Dreamcast console that can play CD-R games, put the modified save game exploit file on the VMU.
- Connect the VMU containing the save game exploit file to a controller connected to a Dreamcast console that can't play CD-R games.
- Start a real Dreamcast game on the Dreamcast console that can't play CD-R games. Load the save file. The exploit triggers and some kind of loader starts allowing you to then insert and play a CD-R backup or real import disc.
I think this is actually possible. The number of consoles which can't play MIL-CDs is probably very small; I don't own one. I own a September 1999 NTSC-U rev 1 console which plays backups wonderfully. I would be interested in getting a rev 2 without MIL-CD support if a POC can be put together, which could be tested in emulation and on any Dreamcast such as my rev 1 first.
For those interested in what I'm exactly talking about with the exploit, it is essentially this:
https://championleake.github.io/blog/PS1-StackSmashing/
Tonyhax International has a ton of examples of successfully implementing this exploit in multiple games (on the PlayStation):
https://github.com/alex-free/tonyhax/tr ... ntrypoints
List of things required to attempt this:
- Dreamcast that can play CD-R games for testing.
- SD card adapter.
- Hex editor/know-how of values in a save game file.
- Know how to update the checksum after modifying the save game file.
- Know a bit of SH-4 assembly and how the Dreamcast memory works.
- A good emulator that can show the register contents when a crash occurs when loading a malicious save file.
22 years on and no one has a software-only solution for the last Dreamcasts manufactured?
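As an added illustration (not code from the post, from Tonyhax, or from any real Dreamcast game), here is a C sketch of the bug class the plan depends on: a save loader that strcpy's a player-name field into a fixed-size buffer, next to a hardened loader that validates the checksum and bounds the copy. The save layout, field sizes and additive checksum are constructed for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed save layout for this example, not any real game's format:
 * bytes 0..15 player name (NUL-terminated), 16..17 big-endian score,
 * byte 18 an 8-bit additive checksum over bytes 0..17. */
#define NAME_FIELD 16
#define SAVE_LEN   19

struct player { char name[NAME_FIELD]; uint16_t score; };

static uint8_t save_checksum(const uint8_t *buf, size_t n)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += buf[i];
    return sum;
}

/* Vulnerable shape: strcpy trusts the save to carry its own terminator. A
 * name that fills all 16 bytes has none, so the copy keeps going past
 * out->name into whatever follows it in memory. */
static void load_unchecked(const uint8_t *save, struct player *out)
{
    strcpy(out->name, (const char *)save);
    out->score = (uint16_t)((save[16] << 8) | save[17]);
}

/* Hardened loader: checksum first, then a terminator inside the field, then a
 * copy bounded by the field size. Returns 0, -1 (checksum), -2 (no NUL). */
static int load_checked(const uint8_t *save, struct player *out)
{
    if (save_checksum(save, SAVE_LEN - 1) != save[SAVE_LEN - 1]) return -1;
    if (memchr(save, '\0', NAME_FIELD) == NULL) return -2;
    memset(out->name, 0, NAME_FIELD);
    strncpy(out->name, (const char *)save, NAME_FIELD - 1);
    out->score = (uint16_t)((save[16] << 8) | save[17]);
    return 0;
}

/* Writes a save image with a valid checksum; names longer than the field are
 * truncated to exactly NAME_FIELD bytes, leaving no terminator. */
static void make_save(uint8_t out[SAVE_LEN], const char *name, uint16_t score)
{
    size_t n = strlen(name);
    memset(out, 0, SAVE_LEN);
    memcpy(out, name, n < NAME_FIELD ? n : NAME_FIELD);
    out[16] = (uint8_t)(score >> 8);
    out[17] = (uint8_t)score;
    out[18] = save_checksum(out, SAVE_LEN - 1);
}
```

The hardened loader rejects the two inputs an editor would produce when tampering with such a file: a name with no terminator inside its field, and a modified image whose checksum was not recomputed.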