Naomi multi BIOS (fixed with proper bootstrap)

[mathieulh]

This is the naomi multibios with a proper bootstrap (not the one from the HOTD2 beta used to bypass the HOLLY checksum)
This include both the naomi and naomi2 bioses which both have been tested on real hardware, they should fix the compatibility
issues introduced by the original multibios as well as fix the issue that caused many Atomiswave converts to not properly boot.

BIOSES are based on epr-21576h and epr-23605c for naomi 1 and 2 respectively.

As a reminder these are the tested available DIPSW configurations

DSW2	DSW3	DSW4

OFF	OFF	OFF	Japan
ON	OFF	OFF	USA
OFF	ON	OFF	Export
ON      ON	OFF	Korea
OFF     OFF	ON	Australia

- Mathieulh

 

[Pa0l0ne]

Awesome!!! Thank you so much!

 

[Mrhide]

 

[djsheep]

Awesome! Thanks.

 

[rewrite]

Fantastic! Thank you!

 

[Kavas]

Just got my first Naomi setup up and running this week. Not even sure what Bios the seller included with the kit. Most games I tried worked but a few gave errors like CvS 2k Pro. Error 02 and some others were thrown up on screen. Haven't tried the Atomiswave games included yet.

I am guessing it's a good idea to reflash my bios with this one?

 

[Pa0l0ne]

Just got my first Naomi setup up and running this week. Not even sure what Bios the seller included with the kit. Most games I tried worked but a few gave errors like CvS 2k Pro. Error 02 and some others were thrown up on screen. Haven't tried the Atomiswave games included yet.

I am guessing it's a good idea to reflash my bios with this one?

Definitely have to do it! Just happy flashed and tested some random games

 

[MetalliC]

@mathieulh does both of these was tested and works fine on real NAOMI 1/2 ? (I highly doubt it is)

 

[Darksoft]

Someone please confirm and test it.

EDIT: Oh I see now that @mathieulh said it was tested. Can someone else please provide some feedback? Any problematic games where this should be tested?

 

[MetalliC]

Just happy flashed and tested some random games

which one it was epr-21576h_multi.ic27_proper or epr-23605c_multi.ic27_proper ?

I'm mainly wondering does both of them happily pass HOLLY protection check

 

[bobbydilley]

> This include both the naomi and naomi2 bioses which both have been tested on real hardware.

Yes they both pass the check + boot (will have to wait for @mathieulh to reply, but I believe he basically brute forced the checksum by burning tonnes of EPROMs and trying them all out)

Edit: I was wrong, although this was the original plan. Turns out the checksum is weak and changing only a few bytes leaves it the same.

 

[Darksoft]

 

[MetalliC]

but I believe he basically brute forced the checksum by burning tonnes of EPROMs and trying them all out

he didn't bruteforced anything, but just 'reverted' 1st 1KB IPL back to original, so there left only 2(N1) and 4(N2) bytes patches which enable region switching, besides 2/4 bytes difference they are exact same as original N1/2 BIOSes, with no any attempts to somehow "compensate" checksum.
and that's why I'm wondering if/how it works

 

[mathieulh]

Just happy flashed and tested some random games

which one it was epr-21576h_multi.ic27_proper or epr-23605c_multi.ic27_proper ?
I'm mainly wondering does both of them happily pass HOLLY protection check

Both pass the HOLLY checksum and both have been tested. I indeed got very lucky and they passed on first try, otherwise I would have bruteforced them until I got a successful collision (sega uses the last 6 bytes as inverted bytes themselves to generate collisions), the algo is very weak anyway so the odds of success are pretty high.

Finally, I am not surprised it works, only 4 bytes were changed and the less changes you make, the more likely the original inverted bytes still match the expected checksum for whatever (very weak) algorithm NEC put in there.

As a sidenote, using the hotd2 beta bootstrap should be avoided, it does operations that mess with timings later on and causes issues. With how weak the algorithm is (you can expect one chance of collision out of every 5 attempts), I don't understand why nobody just wrote a custom bootstrap (a jump to an arbitrary address would do) and forged the inverted bytes via bruteforce.

 

[MetalliC]

@mathieulh congrats then! you had really good luck.

and shame on me - when I've did these multi patches I haven't checked if it works "as is", but appended HOD2 proto IPL and released this multibios

add: even more interesting - when I tried to "compensate" checksum and flip other nearby bits (with original IPL) - it wont work, check was failed. so, yes, checksum algo is weak but still PITA

 

[mathieulh]

@mathieulh congrats then! you had really good luck.

and shame on me - when I've did these multi patches I haven't checked if it works "as is", but appended HOD2 proto IPL and released this multibios

even more interesting - when I tried to "compensate" checksum and flip other nearby bits - it wont work, check was failed

The fact that it uses sega built in code makes it possible without too much hassle xD (Nice work on finding that out btw!).

Though technically we could also patch the 02 error with very little changes, I just think the jumper approach is cleaner, not to mention that if you netboot/cf/cdr you can just set byte 0x428 to 0xFF in your image to pass the region check.

 

[Sp33dFr34k]

Awesome, so glad this fixes the issue with the AW conversions, nice work!

 

[bobbydilley]

but I believe he basically brute forced the checksum by burning tonnes of EPROMs and trying them all out

he didn't bruteforced anything, but just 'reverted' 1st 1KB IPL back to original, so there left only 2(N1) and 4(N2) bytes patches which enable region switching, besides 2/4 bytes difference they are exact same as original N1/2 BIOSes, with no any attempts to somehow "compensate" checksum.and that's why I'm wondering if/how it works

Apologies - what I said above was the original strategy that wasn’t required due to the weak sum algorithm not changing with only a few bytes as you’ve both said above.

I’ve edited my message, thanks for explaining both.

 

[MetalliC]

The fact that it uses sega built in code makes it possible without too much hassle xD (Nice work on finding that out btw!).

yes, this is handy.
actually this is leftover from dev.box BIOS, and it was supposed to be enabled in other way: code checking text in BIOS at 0x1FFD00 - COPYRIGHT (C) SEGA ENTERPRISES ... NAOMI BOOT ROM, and if its not the same as expected - will be enabled dev mode (dev BIOSes have there NAOMI DEVELOP text instead).
but its better not to touch that text, because games checking it too and may enable various debug stuff, some of them trying to communicate with host PC using SCSI, and hang because it doesn't exists in regular retail NAOMIs. so, better to patch the code directly.

 

[skate323k137]

This is great! A good check would be Spawn on NAOMI, if I remember right it will crash at a splash screen if no credits are inserted (on the "old" multi bios)

Also on the "old" multi bios, a NAOMI 2 freeze will occur on replay mode of Initial D3 after gameplay if no buttons are pressed to skip it.