Maelgrum wrote on 2023-10-04, 03:42:

Changes:
Must leave card in more sane state.

tested on 4x CT4170 cards, on all of them I get the following log:

1SB Reset: done
2DSP version: 4.16
3MPU-401 init: done
4MPU-401 loopback check: done
5ADDR1: 0A66
6ADDR2: 0498
7ADDR3: 0C17
8Success!

is it possible based on those values difference to adjust the offsets between know version attack and unknown one, I mean:

1(V413) - (V416)
2
30B31 - 0A66 = CB
40555 - 0498 = BD
50DBF - 0C17 = 1A8

or it's a total nonsense?

Maelgrum wrote on 2023-10-04, 03:42:

Changes:
Must leave card in more sane state.

Tried all sort of things here on the 4.11 card but i couldnt get the loopback working.
Mostly due to not wanting to blow up the card as it supplies voltage on the db62 connector.
(directly on the joystick didnt work, cable loopback didnt work either)

Heres the stuff for the 4.12 one though;

1SB Reset: done
2DSP version: 4.12
3MPU-401 init: done
4MPU-401 loopback check: done
5ADDR1: 0B3F
6ADDR2: 054F
7ADDR3: 0DBF
8Success!

mattw wrote on 2023-10-04, 04:23:

tested on 4x CT4170 cards, on all of them I get the following log: […]
Show full quote

Maelgrum wrote on 2023-10-04, 03:42:

Changes:
Must leave card in more sane state.

tested on 4x CT4170 cards, on all of them I get the following log:

Copy code to clipboard

1SB Reset: done
2DSP version: 4.16
3MPU-401 init: done
4MPU-401 loopback check: done
5ADDR1: 0A66
6ADDR2: 0498
7ADDR3: 0C17
8Success!

Excellent !
This information will be used at next stages.
ADDR1 is address inside F9 command. ADDR2 is address of main command loop.
Next stage will be evaluation of possible injection vectors.

In MPU loop, stack will be:

1C4 - 0C <- here we inject values from 0 to 3
2C3 - 17
3C2 - 04  <- here we inject values from 0 to 3
4C1 - 98
5C0

And memory at location 0xC0 and below fill be filled with 0x00, so after some code execution in interrupt handler, RETI will direct execution flow to address 0x0000 - Reset handler
After reset, fw outputs byte 0xAA to data port

So we will try to jump to address 0x0098, 0x0198, 0x0298, 0x0398, 0x0017, 0x0117,0x0217,0x0317, and see what happens
If SB hangs - its bad vector
If AA is in data port - its indication of possible good vector

This is stage 1

S95Sedan wrote on 2023-10-04, 04:43:

Tried all sort of things here on the 4.11 card but i couldnt get the loopback working. Mostly due to not wanting to blow up the […]
Show full quote

Maelgrum wrote on 2023-10-04, 03:42:

Changes:
Must leave card in more sane state.

Tried all sort of things here on the 4.11 card but i couldnt get the loopback working.
Mostly due to not wanting to blow up the card as it supplies voltage on the db62 connector.
(directly on the joystick didnt work, cable loopback didnt work either)

Heres the stuff for the 4.12 one though;

Copy code to clipboard

1SB Reset: done
2DSP version: 4.12
3MPU-401 init: done
4MPU-401 loopback check: done
5ADDR1: 0B3F
6ADDR2: 054F
7ADDR3: 0DBF
8Success!

Thanks S95Sedan !

Maelgrum wrote on 2023-10-04, 04:57:

This is stage 1

sounds very promising and 4 addresses for 2 locations - it's not that many tries to see which one are potentially good.

mattw wrote on 2023-10-04, 05:07:

Maelgrum wrote on 2023-10-04, 04:57:

This is stage 1

sounds very promising and 4 addresses for 2 locations - it's not that many tries to see which one are potentially good.

It is only stage 1 to discard definitely bad variants.
Stage 2 will be more complex:
To determine stack structure for potentially good variants.
We already determined code position ADDR1 of read memory command.
So by bruteforcing, we can try to jump to this location.
So we try variants of stack structure:
C0 - 0A
BF - 66

then:
C0 - 0
BF - 0A
BE - 66

and so on, rolling down, on some reasonable range, until we get something from SB data port (not 0xAA)
repeat for all potentially good variants of injection

This is Stage 2. We determined where return address is placed on stack for each injection variant

Maelgrum wrote on 2023-10-03, 16:19:

Ultimate goal is to crack and dump 4.16. It fixes single cycle dma bug, and I think it may work on older SB/AWEs.

But does it really fix the single cycle DMA bug? Vibras don't have it and if they use the same v4.13 DSP, then the single cycle DMA bug is likely not a DSP bug but some hardware bug elsewhere. But hopefully some workaround hack can be made to the DSP code.

aitotat wrote on 2023-10-04, 05:31:

Maelgrum wrote on 2023-10-03, 16:19:

Ultimate goal is to crack and dump 4.16. It fixes single cycle dma bug, and I think it may work on older SB/AWEs.

But does it really fix the single cycle DMA bug? Vibras don't have it and if they use the same v4.13 DSP, then the single cycle DMA bug is likely not a DSP bug but some hardware bug elsewhere. But hopefully some workaround hack can be made to the DSP code.

you won't know until you try ))

mattw wrote on 2023-10-03, 17:10:

that's kind off-topic here, but probably just custom-modified card by someone and then it was sold and ended up with you, because 5 years ago it was posted here "I de-CQMed my AWE32 PnP CT3990...!":

I de-CQMed my AWE32 PnP CT3990...!

and such modification became popular among the retro-community, i.e. how to replace CQM with YMF289B on SB cards that have (unpopulated) pads for both those chips. I myself ordered back then all the necessary chips, but I did not actually do it...

Thanks for pointing to the thread. The post you mentioned showed greater detail about how to make cards use YMF289B instead of CQM.

mattw wrote on 2023-10-03, 17:39:

I am 99% sure that @LSS10999 card was modified by someone and it's not manufactured like that by Creative, but in any way, it doesn't really matter as such modification is possible both ways and thus this off-topic is now settled.

I got my card a long time ago (long before that thread existed), and it was already like that -- having YMF289B instead of CQM. I couldn't find any trace of modifications... but it doesn't matter anyway.

The original question that led to this off-topic was about how the DSP would know whether there's a CQM or a real OPL (YMF289B in this case). I think the answer to it is also there from what I've read.

Still, I'm looking forward to seeing a proper dump of 4.16 FW.

sbcrack Stage 1
This is definitely not safe software, use with clear understanding of risks.

Maelgrum wrote on 2023-10-04, 06:22:

sbcrack Stage 1
This is definitely not safe software, use with clear understanding of risks.

3 options failed, 5 still are potentially good:

1SB Reset: done
2DSP version: 4.16
3MPU-401 init: done
4MPU-401 loopback check: done
5Stage 1, variant 0 ...passed
6Stage 1, variant 1 ...failed
7Stage 1, variant 2 ...passed
8Stage 1, variant 3 ...failed
9Stage 1, variant 4 ...passed
10Stage 1, variant 5 ...failed
11Stage 1, variant 6 ...passed
12Stage 1, variant 7 ...passed
13Success!

sbcrack Stage 2
This is definitely not safe software, use with clear understanding of risks.

Maelgrum wrote on 2023-10-04, 10:17:

sbcrack Stage 2

only 3 passed "variants" remained, full log attached:

1Stage 2, variant 4 ...passed
2.....
3Stage 2, variant 18 ...passed
4.....
5Stage 2, variant 39 ...passed

mattw wrote on 2023-10-04, 10:29:

only 3 passed "variants" remained, full log attached: […]
Show full quote

Maelgrum wrote on 2023-10-04, 10:17:

sbcrack Stage 2

only 3 passed "variants" remained, full log attached:

Copy code to clipboard

1Stage 2, variant 4 ...passed
2.....
3Stage 2, variant 18 ...passed
4.....
5Stage 2, variant 39 ...passed

All 3 variants look good,
Variant 39 is most usable, with probable stack stucture:
0xC0 R0
0xBF DPH
0xBE DPL
0xBD ACC
0xBC PCH
0xBA PCL

sbcrack Stage 3
This is definitely not safe software, use with clear understanding of risks.
Validation of variant 39

Maelgrum wrote on 2023-10-04, 06:22:

sbcrack Stage 1
This is definitely not safe software, use with clear understanding of risks.

Heres for the 4.12 one;

1SB Reset: done
2DSP version: 4.12
3MPU-401 init: done
4MPU-401 loopback check: done
5Stage 1, variant 0 ...failed
6Stage 1, variant 1 ...failed
7Stage 1, variant 2 ...passed
8Stage 1, variant 3 ...failed
9Stage 1, variant 4 ...passed
10Stage 1, variant 5 ...passed
11Stage 1, variant 6 ...failed
12Stage 1, variant 7 ...passed
13Success!

S95Sedan wrote on 2023-10-04, 11:31:

Heres for the 4.12 one; […]
Show full quote

Maelgrum wrote on 2023-10-04, 06:22:

sbcrack Stage 1
This is definitely not safe software, use with clear understanding of risks.

Heres for the 4.12 one;

Copy code to clipboard

1SB Reset: done
2DSP version: 4.12
3MPU-401 init: done
4MPU-401 loopback check: done
5Stage 1, variant 0 ...failed
6Stage 1, variant 1 ...failed
7Stage 1, variant 2 ...passed
8Stage 1, variant 3 ...failed
9Stage 1, variant 4 ...passed
10Stage 1, variant 5 ...passed
11Stage 1, variant 6 ...failed
12Stage 1, variant 7 ...passed
13Success!

Please don't try other stages - it's 4.16 specific.
Stage 1 is common

Maelgrum wrote on 2023-10-04, 11:33:

Please don't try other stages - it's 4.16 specific.
Stage 1 is common

stage3 for V4.16 is coming in minutes...

mattw wrote on 2023-10-04, 11:37:

stage3 for V4.16 is coming in minutes...

looks good, here is the log:

1SB Reset: done
2DSP version: 4.16
3MPU-401 init: done
4MPU-401 loopback check: done
5Stage 3, variant 39 ...passed
6Success!