Maelgrum wrote on 2023-10-01, 20:45:

can be 128 times faster at most.

IMHO, speed is not important in this case, I already dumped 2 models (CT3990 and CT3980), probably soon users here will dump the rest of the models released with V4.13 and then it's done. so, more important is bug-fix patches for V4.13 and hopefully successful V4.16 attack. Also, documenting undocumented commands and their usage. BTW, when I dumped CT3980 I stop-watched it and it took a little over 23 minutes.

georgel wrote on 2023-10-01, 20:39:

When you stress on Creative's bugs remember that this exploit is 100% based on other pioneers of dumping that had no access to firmware image at all. You would have done nothing without access to actual firmware.

It is completely true!!!
Nothing can be made without existing dumps.
Understanding of vulnerabilities, code structure e. t. c - all this from disassembly of prior dumps.
But luckily, few chips can be just simply readed.

georgel wrote on 2023-10-01, 20:39:

remember that this exploit is 100% based on other pioneers of dumping that had no access to firmware image at all. You would have done nothing without access to actual firmware.

@Maelgrum recognized that long time ago:

Maelgrum wrote on 2022-03-21, 18:25:

All glory to Malice (forums.bannister.org), who made almost all of this dumps.

I think we all here appreciate how hard is to make dump in hardware, but it's just a stepping-stone...

[EDIT] next step for me - going shopping PLCC-44 sockets and 8052 ICs...

mattw wrote on 2023-10-01, 16:28:

maxtherabbit wrote on 2023-10-01, 16:05:

I may go ahead and socket the CT2760 today. Going to run 4.13p3 on it and verify NMI functionality.

do you have the NMI problem with dumped/decrypted 4.13 or only with the patched 4.13?

I don't have any problem. My AWE32 still has the factory 4.12 DSP soldered to it. I was saying I may fit a socket to test 4.13 patch 3.

But it seems you already confirmed the 4.13 on the AWE cards is the same as the other SB16

maxtherabbit wrote on 2023-10-01, 21:12:

But it seems you already confirmed the 4.13 on the AWE cards is the same as the other SB16

not exactly true - I confirmed V4.13 on CT3990 and CT3980 is the same and it's the same with the old publicly released dump made in hardware, but maybe that hardware dump was obtained on either CT3990 or CT3980 card - as far as I know we don't know the card model from which the hardware dump was made, at the same time here:

Re: The Soundblaster DSP project

@georgel reported a little different V4.13 and maybe after someone more knowledgeable analyze the difference the "block" that differs will be exactly how pins role is assigned according to the PCB layout. So, potential source of the NMI error could be that.

[EDIT] in other words for cards like CT2760 maybe some additional changes will be needed to adopt V4.13. I guess when my ICs and socket arrives more will become clear (unless someone do it before me) and test patched V4.13 on CT3990/CT3980 where the DSP is now confirmed the same as the source one used to make the patched versions.

mattw wrote on 2023-10-01, 21:17:

@georgel reported a little different V4.13 and maybe after someone more knowledgeable analyze the difference the "block" that differs will be exactly how pins role is assigned according to the PCB layout. So, potential source of the NMI error could be that.

On existing dumps, in the end of code area located some unused junk - old ASP testing code, and table of SINe values. This may be remains of early SB16 testing code.

Maelgrum wrote on 2023-10-01, 21:32:

old ASP testing code

that makes a lot of sense, because AWE32 (at least CT3980/90) has ASP and Vibra16C doesn't have ASP.

mattw wrote on 2023-10-01, 21:17:

@georgel reported a little different V4.13 and maybe after someone more knowledgeable analyze the difference the "block" that differs will be exactly how pins role is assigned according to the PCB layout. So, potential source of the NMI error could be that.

I just reported that but made no conclusions. I am also inclined to think these bytes are simply not used. Presently this is unimportant.

My rough estimate for bnruteforcing is about 1500 attempts. But chances for positive result are low.

georgel wrote on 2023-10-01, 21:40:

I just reported that but made no conclusions. I am also inclined to think these bytes are simply not used. Presently this is unimportant.

Anyway, this is first previously unknown dump.
Thanks for dumping, georgel!

Maelgrum wrote on 2023-10-01, 21:44:

georgel wrote on 2023-10-01, 21:40:

I just reported that but made no conclusions. I am also inclined to think these bytes are simply not used. Presently this is unimportant.

Anyway, this is first previously unknown dump.
Thanks for dumping, georgel!

The dump is not important and is not first 😉 Sorry 😉 But welcome.

DSP V4.16 is essentially AWE64, right? I don't have any AWE64.

georgel wrote on 2023-10-01, 21:42:

@Maelgrum what are the plans for bruteforcing now? My rough estimate is about 65536 attempts. Instead of designing code for that I am thinking of some more efficient approach.

Return addresses of some routines can be readed from stack (as we see on memory dump, locations 0xC1 and 0xC2).
Return addresses of MPU loop can be readed also with simple attack.
This can help to make initial guess (if code structure more or less same).
But brutforcing is DANGEROUS!
If some instruction with external memory access on 16 bit bus occurs in code, bus conflict is possible between DSP and bus interface chip.
This can damage card!
Must be done very carefully, in short time, with temperature control, e. t. c.
And with full understanding of risks)))

mattw wrote on 2023-10-01, 21:55:

DSP V4.16 is essentially AWE64, right? I don't have any AWE64.

Yes, CMI8330 also reports 4.16

georgel wrote on 2023-10-01, 21:59:

mattw wrote on 2023-10-01, 21:55:

DSP V4.16 is essentially AWE64, right? I don't have any AWE64.

Yes, CMI8330 is also reports 4.16

DSP is very tightly coupled with bus interface/control chip.
They must copy all aspects, nuances, e. t. c.
So it looks unlikely that they use real 4.16.
Just report it, as last known version.
Anyway - this can be tested by early SB dump, just by checking memory dump.

Maelgrum wrote on 2023-10-01, 22:03:

Anyway - this can be tested by early SB dump, just by checking memory dump.

You mean RAM dump. That is very insufficient. Once you can dump the ROM of Creative's 4.16 , you'll have the answer if they are identical.

Maelgrum wrote on 2023-10-01, 22:03:

So it looks unlikely that they use real 4.16.

I believe the same - I don't think Cmedia (at least back then) had both the resources and also the need to really crack and copy the real DSP 4.16

Maelgrum wrote on 2023-10-01, 22:03:

this can be tested by early SB dump, just by checking memory dump.

I have CMI8330 card somewhere and I can do such test, when and if I find it, but I guess @georgel can do such test faster, i.e. has the card in hands.

georgel wrote on 2023-10-01, 22:07:

You mean RAM dump. That is very insufficient. Once you can dump the ROM of Creative's 4.16 , you'll have the answer if they are identical.

IMHO, it will give a clue, i.e. for example if similar values are at locations 0xC1 and 0xC2, etc. or in general RAM dump between CMI8330 and real DSP 4.16 look alike.

georgel wrote on 2023-10-01, 22:07:

You mean RAM dump. That is very insufficient. Once you can ROM dump 4.16 , you'll have the answer if they are identical.
[/quote]

If they not support memory read command - it is not real 4.16.
And we have RAM dumps from 4.16 - it is known what must be at locations 0xC1 and 0xC2.

mattw wrote on 2023-10-01, 21:55:

DSP V4.16 is essentially AWE64, right? I don't have any AWE64.

I have two it's no problem

georgel wrote on 2023-10-01, 19:34:

Maelgrum wrote on 2023-10-01, 18:49:

V0.02 - tested on my SB V4.13 - it works.
Process is slow - wait, it prints every 256 dumped bytes a line on screen and saves in dump.bin. few minutes needed per 256 byte block.

Good. Here is the DUMP from my vibra 16c. A block in the end differs from the public one.

So whats suppose to be in the last section? If its even important.

Not at a pc right now but will have a look at the 4.12 signetics and 4.13 chip i have later.