I can verify that what @MetalliC says is true.
Programming zero-key pic
- Thread starter Coyo5050
- Start date
MetalliC
Champion
why no ?
as was said, I have original PIC in HEX format (not source code) which was compiled by Sega itself, it does match dumps in MAME, but it doesn't match your one.
to finish all this unwanted drama - do you able to modify source code, so compiled binary will 100% match original sega binaries ?
Excellent, so is this ready to use or does it still need the DES keys changed?This has been discussed before and as @brizzo says hex bits are wrong.
However people are posting a recompiled version of a semi-disassembled code block.
The correct procedure is just to take the official dumped binaries from MAME and change the DES keys.
edit:
Here are the correct setting for the PIC and I included a zero key netboot image taken from the official dump.
View attachment zerokey_net.zip
Chihiro and triforce type 3 have a different oscillator type on the small board where the pic plugs in. (It's a ceramic one if I remember well.) Some files floating around have an incorrect oscillator setting that worked on a type 1 netdimm, but not on a type 3. That's probably why people think you need a different netboot bin for the type 3. With the proper oscillator settings, a type 3 netboot pic works equal well in a type 1 setup.
reviewing my stuff I see that __Config needed to be 0x0182 for it to work on a type 3.
reviewing my stuff I see that __Config needed to be 0x0182 for it to work on a type 3.
probably XT (external crystal with mild drive current)
btw, insults & bullshit aside, is there a working and no bs sourcecode available??
i'm thinking of modding some to create a universal pic that uses an unused pin to toggle between net and "media" modes.
but there are so many sources and hex's floating around that it's hard to know what even works.
btw, insults & bullshit aside, is there a working and no bs sourcecode available??
i'm thinking of modding some to create a universal pic that uses an unused pin to toggle between net and "media" modes.
but there are so many sources and hex's floating around that it's hard to know what even works.
Well i have good news and bad news. Good news is that while I had a helluva time with my Top3000 writing these zero keys, my Superpro 610p has no problem. Bad news is that I can't tell you that one file worked vs the other. Both @rtw's and @werejag's booted games. With rtw's .bin file I had to set the settings like he depicted. werejag's .hex preloaded settings, although different in that LVP was enabled and data code protection was off, and code protection was off.
So I'm not sure why both work, seeing as they're different. I'm also not sure why my top3000 didn't like writing them. Sorry for not being able to help make a definitive result on this, and I don't mean to stir the pot any more but as far as I can tell these both work...
Coyo5050
Professional
Im out of town with only my phone for internet. Ill try to remember to update fri when i get back.
Let me provide some facts here.
The original chip used was PIC16C621A. Modern replacement part is PIC16F628A
CONFIG bits for PIC16F628A are not remotely complex. The confusion is introduced because not all programmers use the same interface to set them.
http://ww1.microchip.com/downloads/en/DeviceDoc/41196g.pdf <-- PIC16F628A datasheet, goto Page 17 -- 3.6 Configuration Word
Relatively speaking, the only config option that really matters is FOSC[2:0] which configures the clock/oscillator source. The reason HS mode is used because the circuit on the dimm provides 8mhz to the PIC.
The original chip used was PIC16C621A. Modern replacement part is PIC16F628A
CONFIG bits for PIC16F628A are not remotely complex. The confusion is introduced because not all programmers use the same interface to set them.
http://ww1.microchip.com/downloads/en/DeviceDoc/41196g.pdf <-- PIC16F628A datasheet, goto Page 17 -- 3.6 Configuration Word
Relatively speaking, the only config option that really matters is FOSC[2:0] which configures the clock/oscillator source. The reason HS mode is used because the circuit on the dimm provides 8mhz to the PIC.
No source code is required. Disassemble the binary @rtw posted from MAME. But I attached a disassembled copy for you. This is compiler ready. Can definitely be cleaned up and made more readable, but the compiled result is correct.
Good to know, so if we can get the files to have the proper config settings preloaded then we can wrap this up nicely.
Finisterre
Professional
Is there a fun story on how the Dumping Union, or whom ever came up on the original key, obtained it?
I know in a previous thread we identified that naoSetDevMode() in the NetDIMM firmware was the actual function responsible for the features we all enjoy, in essence a "development mode key". 62
I'm just wondering what the original context usage was, did all game dev houses get one? Was it generally more tightly held, etc?
Some of these fun bits to stories can be lost over time
I think this is one of the earlier references to this stuff that I ran across:
https://assemblergames.com/threads/sega-naomi-security-pic-dumper.19454/
"as i said before here is the toy this tool can be used to get the des key from sega arcade gdrom systems to decrypt gdrom games" - Serantes
"There is some "development mode" which might help here? (I think that one is activated if the PIC responds with a zero key. Not sure anymore, need to look at the disassembly again). Building a PIC with a zero key wouldn't be that complicated (some people can do that today" - tmbinc
That is the problem, since there is no generic way to provide config bits there will never be an image guaranteed to work on all programmers.
Best is to use the binaries I provided and save that picture with the config bits
Ok then, so we just need to make a thread with the keychip bin files ready to burn and a pic of the config settings to use. You feel like doing it?That is the problem, since there is no generic way to provide config bits there will never be an image guaranteed to work on all programmers.
Best is to use the binaries I provided and save that picture with the config bits
SureOk then, so we just need to make a thread with the keychip bin files ready to burn and a pic of the config settings to use. You feel like doing it?That is the problem, since there is no generic way to provide config bits there will never be an image guaranteed to work on all programmers.Best is to use the binaries I provided and save that picture with the config bits
I am guessing a thread under here, but what would be a good title ?
Naomi, Triforce and Chihiro Forum
Triforce is a bit vague, it supposedly needs a different clock setting than the standard ones ?
MetalliC
Champion
I doubt it is fun: two separate people (or teams?) decapped & deprotected DIMM PICs, and then read it's firmware, then compared results to be sure it is good, and it was - the difference was only DES keys and game BIN name.
cant remember details, but iirc there was used "masked UV attack", same as this one, to reset read protection fuses.
it was a long ago (like 10 years?), I don't think Dumping Uninoin was related to this, not sure if DU even existed back then.