MEGA-CD: "Bios hackage"/Region modding

Started by l_oliveira, September 22, 2008, 03:46:31 PM


l_oliveira

Well ... While we're at it (Dreamcast region modchip thread) I took my old MEGA-CD out of storage and started to tinker with it.

Since 2004/2005 (I don't remember well) I've been buying US and EU games and re-burning them on CDRs.
Because I don't like Datel's CDX and other similar stuff occupying my Mega Drive cartridge slot, I started to research how the SCDCONV program actually works. I found out that it *tries* to relocate the boot loader of the game and injects the proper "security program" for the target region.
Also I found out that the three regions have respectively:

Japanese security program:  342 Bytes  ->  "PRODUCED BY OR UNDER LICENCE FROM KABUSHIKI KAISHA SEGA ENTERPRISES"
European security program:  1390 bytes -> "PRODUCED BY OR UNDER LICENSE FROM SEGA ENTERPRISES, LTD"
U.S. security program:         1412 bytes -> "PRODUCED BY OR UNDER LICENSE FROM SEGA ENTERPRISES, LTD"

So what I do to make PAL and US games work on my Asian Mega CD is manually paste the Japanese security program at the correct offset (0x00200) of the first sector and pad the size difference with 68000 NOP instructions (4E 71).

Still, it doesn't solve the problem of the Mega-CD itself having a Mega Drive console region check in its own BIOS ROM.
This is how I got that check defeated:   (For Asian Mega-CD Bios ROM: EPR-14563H  12/28-1991 1.00)


This routine checks the status of the region bit at 0x00A10001 and returns (RTS) if the region is *NOT* set to "Export":
00000716   1039 00a1 0001   MOVE.B    A_00a10001,D0
0000071C   6a06             BPL       B_724
0000071E   0800 0006        BTST      #6,D0
00000722   6702             BEQ       B_726
00000724   4e75             RTS

This routine prints the dreaded region error screen and locks itself in an endless loop:

00000726   007c 0700                  OR        #0x700,SR
0000072A   4eba 01f8                  JSR       (D_01f8,PC)
0000072E   4eba 0cba                  JSR       (D_0cba,PC)
00000732   43fa 0022                  LEA       (D_0022,PC),A1
00000736   23fc c000 0000 00c0 0004   MOVE      #0xc0000000,A_00c00004
00000740   23d9 00c0 0000             MOVE      (A1)+,A_00c00000
00000746   203c 4604 0003             MOVE      #0x46040003,D0
0000074C   4eba 0c74                  JSR       (D_0c74,PC)
00000750   4eba 0518                  JSR       (D_0518,PC)
00000754   60fe                       BRA       B_754  <- this instruction locks the system up
After this comes the data with the text message "ERROR! THIS IS A PAL-COMPATIBLE MEGA-CD FOR EXCLUSIVE USE IN SOUTHEAST ASIA."


I changed this:

00000722   6702                             BEQ       B_726

Into this:

00000722   4E71                             NOP

This causes the conditional "Branch if EQual" to never happen; the next instruction (RTS) is executed and the Mega-CD boots as if nothing had happened.

Fixed the checksum with a ROM repair tool, tested it on an emulator, byte swapped, burned it on a 128KB 16-bit EPROM (27C210) and was ready to go.
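
An added sketch of the BIOS edit described in the post above (not part of the original post, and not the ROM repair tool it mentions): it decodes the short-branch displacement to confirm where the BEQ at 0x722 goes, replaces it with NOP only if the expected original bytes are present, and performs the byte swap. `build_sample` is a constructed buffer holding only the bytes quoted in the post, and all function names are hypothetical.

```python
import struct

NOP = bytes.fromhex("4E71")  # 68000 NOP, the replacement word used in the post

def bcc_target(addr: int, opcode: bytes) -> int:
    """Destination of a 68000 short branch (6x dd) located at addr."""
    if len(opcode) != 2 or opcode[0] >> 4 != 0x6 or opcode[1] == 0x00:
        raise ValueError("not a short-displacement branch")
    disp = struct.unpack(">b", opcode[1:2])[0]  # signed 8-bit displacement
    return addr + 2 + disp                      # relative to the PC after the opcode word

def patch_checked(image: bytes, offset: int, expected: bytes, new: bytes) -> bytes:
    """Replace bytes at offset only when the original bytes are the ones expected."""
    if len(expected) != len(new):
        raise ValueError("patch must keep the image size unchanged")
    found = image[offset:offset + len(expected)]
    if found != expected:
        raise ValueError(f"found {found.hex()} at {offset:#x}: different ROM revision?")
    return image[:offset] + new + image[offset + len(expected):]

def byteswap16(image: bytes) -> bytes:
    """Swap every byte pair, the 'byte swapped' step mentioned before burning."""
    if len(image) % 2:
        raise ValueError("image length must be even")
    out = bytearray(len(image))
    out[0::2], out[1::2] = image[1::2], image[0::2]
    return bytes(out)

def build_sample() -> bytes:
    """Constructed stand-in: zero-filled buffer holding only the five quoted instructions."""
    img = bytearray(0x800)
    img[0x716:0x726] = bytes.fromhex("103900a100016a060800000667024e75")
    return bytes(img)

if __name__ == "__main__":
    rom = build_sample()
    # The BEQ at 0x722 skips the RTS at 0x724 and lands on the error routine.
    print(hex(bcc_target(0x722, rom[0x722:0x724])))
    patched = patch_checked(rom, 0x722, bytes.fromhex("6702"), NOP)
    print(patched[0x722:0x726].hex())
    print(byteswap16(patched)[0x722:0x726].hex())
```

Checking the expected bytes first means the same offset is never overwritten on a different BIOS revision, where 0x722 may hold unrelated code.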

Tiido Priimägi

I've always thought of hacking the MCD BIOS, but then I got the MegaCart and I'm really unmotivated...

Anyway, great work !!!
What are you reading? You won't understand it anyway ;)

NFG

I'm certainly impressed.  I wonder if I can hack the LaserActive BIOS to do similar things.

l_oliveira

While I'm at it:

For the US LaserActive ROM (03/29-1993 BR 000001-0.985)

0000091A   1039 00a1 0001   MOVE.B    A_00a10001,D0
00000920   0200 00c0        AND.B     #0xc0,D0
00000924   0c00 0080        CMP.B     #0x80,D0
00000928   6602             BNE       B_92c    <- Victim  (change to 4E71 or 4E75)
0000092A   4e75             RTS

For the Japanese LaserActive ROM (03/29-1993 BR 000001-0.985)

00000840   1039 00a1 0001   MOVE.B    A_00a10001,D0
00000846   0200 00c0        AND.B     #0xc0,D0
0000084A   6602             BNE       B_84e    <- There is !
0000084C   4e75             RTS

Have fun modding your LaserActive :)

I recommend using the Japanese BIOS since patching the CD discs for it is a piece of cake... But I don't know how that would affect the MEGA-LD playback ... lol (I've never seen a LaserActive)

Leynos

US Mega LD titles play on a Japanese Mega LD.  (My US LD of Hyperion boots no probs).

Mega CD games are still locked afaik tho.

l_oliveira

That hack allows you to run a Japanese BIOS on your US unit without a region switch mod.

Also that hack allows you to install a language switch mod and play your LDs and CDs without having to change it back to the original region switch.


I really wanted to hack the Mega-CD/SEGA-CD security program but it's in the sub CPU BIOS and it's compressed. I can dump the sub CPU BIOS but the problem is that I cannot re-compress it and put it back in the ROM image. That's beyond my knowledge at the moment.

If LDs have no region then it's very likely they use the same security program on both versions of the BIOS, for LD discs.

isodee

Is there, or is it possible to make, a boot CD that will allow playing imports?

Tiido Priimägi

It shouldn't be hard, but I don't actually know, I don't quite think I'm going to mess with MCD... 32X seems more interesting.
What are you reading? You won't understand it anyway ;)