Ripping problems

Discussion in 'Geist Force' started by ASSEMbler, Apr 14, 2011.

Thread Status:
Not open for further replies.
  1. raylyd

    raylyd Guest

    Hope you guys can get this one going.
     
  2. LeGIt

    LeGIt I'm a cunt or so I'm told :P

    Joined:
    Mar 13, 2004
    Messages:
    3,439
    Likes Received:
    31
    It may be worthwhile ASSEMbler putting the extracted files onto his 5.24 and reworking them in GD Workshop - I wouldn't go as far as to say burn a GD-R, but work out the kinks in GD Workshop, copy the reworked files back off the internal emulator, job done, or at least maybe made slightly easier. Technically it is cheating but fuck it - if it saves a boatload of time great.

    I haven't used GD Workshop in 6 - 7 years though so I can't comment on how easy the fucking around with a new project will be to get these files in order but it was simple enough to emulate and dump back in the day.

    Either way I'm looking forwards to cracking it open with IsoBuster again after another several hours practice on other things :)
     
    Last edited: Apr 18, 2011
  3. hian

    hian Active Member

    Joined:
    Apr 18, 2011
    Messages:
    32
    Likes Received:
    0
    thanks for the clarification

    now it is clear that something is wrong with the codes

    1. I think I read somewhere that it may be 0wince in disguise. so it is one possibility

    2. some games like Shenmue and Dynamite Cop refuse to boot in a region modded (Bios hack) Dreamcast. This game might be one of them - if your Dreamcasts are modded.

    3. selfboot it with DP3/XDP may help fixing some boot problems.

    4. I know nothing about GDR. Will a scrambled 1st_read.bin boot in GDR format? It surely will not boot in milCD. It is easy to unscramble it and try

    just my 2 cents.
     
  4. ASSEMbler

    ASSEMbler Administrator Staff Member

    Joined:
    Mar 13, 2004
    Messages:
    19,394
    Likes Received:
    995
    I would point out the game has a constant menu throughout the game. It may be heavily Windows CE dependent.
     
  5. Yakumo

    Yakumo Pillar of the Community *****

    Joined:
    Mar 14, 2004
    Messages:
    20,515
    Likes Received:
    1,050
    the menu looks pretty much like the one found in K-Project. Could they both have used the same protection? If so, who did the original selfboot for K-Project?

    Yakumo
     
  6. wombat

    wombat SEGA!

    Joined:
    Mar 14, 2004
    Messages:
    2,671
    Likes Received:
    319
  7. cOcO!

    cOcO! Rising Member

    Joined:
    Mar 29, 2010
    Messages:
    68
    Likes Received:
    0
    It's pretty hard that's a WINCE game if there's no DLL files on the disc (which I assume there wasn't since FG checked the files)
     
  8. LeGIt

    LeGIt I'm a cunt or so I'm told :P

    Joined:
    Mar 13, 2004
    Messages:
    3,439
    Likes Received:
    31
    Plagiarised from DChelp.net

    This image must meet the following criteria:
    ◦No larger than 320×90 pixels
    ◦No greater than 128 colors
    ◦No larger than 8 kilobytes (8192 bytes)
    ◦Must be saved in PNG format

    Tip: for transparent background use this color #C0C0C0 (R:195, G:195, B:195)


    FYI I used the above FAQ to insert 'geistus forceus' into the boot screen and the logo was injected, but it made no impact on the booting problems.


    As the VNC has been offline I have been looking into various first party games developed around the same time for clues. I'm kind of thinking aloud here but at the same time only at the most obvious of things which are unlikely to have any major influence on our current problem. Still I feel it is best to begin at the beginning and methodically rule out some of the idiosyncrasies.


    We know an IP.BIN is usually supposed to be found at LBA 45,000 - 45,015, spanning a total of 16 sectors at 2,048 bytes each which makes it 32,768 bytes aka 32kb in file size.

    We know the first 2,048 bytes of the IP.BIN contain the Hardware ID, Maker ID, Device information (CRC), Product ID, Product version, *Month Date Year, Region, Main binary, Software title, Software manufacturer and peripheral minimum requirements and support.

    *Interesting trivia: The date set in the IP.BIN is 27th November 1998. Ring any bells? It should do - it is the Dreamcast's Japanese launch date! This particular build however appears to be from 23rd April 1999 - it was announced as cancelled a whole month later on 21st May 1999.


    We know from the official pre-production sample art Geist Force was intended to be Product ID: HDR-008.

    We know the Dreamcast uses a Media ID which is a CRC check based on information provided in the Product ID and Product version fields. We know the Geist Force IP.BIN Product ID is GM-9999999 and the Product version is 1.000, which should give us a CRC of 1CF5, BUT we also know that Geist Force has SEGA in place of the CRC check which is unusual, but not unheard of. There is only one known retail game I know of out of many which also uses this: HDR-002 Virtua Fighter 3tb. All other released titles AFAIK are CRC checked. This could be a problem but possibly not.

    I figured out the Geist Force IP.BIN failed to load in IPwriter because the peripheral string was set to 07990 - peripheral strings are supposed to be 7 characters long so replacing this validates the IP.BIN (in IPwriter at least). What I don't know is what 07990 was supposed to be, but adding an extra pair of 0's to make it 0799000 adds Start+A+B+D-Pad, X, Y, Analog L & R triggers and the Analog Stick to the minimum requirements. FYI for what it is worth FG's IP.HAK has a 6 digit string of 079901 and naturally also fails to open in IPwriter.

    I tried changing the peripheral string from the standard 7 digits in HDR-0007 The House of the Dead 2 to 07990 , the CRC to SEGA and for lulz added most of the useful IP data from Geist Force and as expected it had no obvious negative effect on loading directly from the .cdi (no crashing after the licence screen) or on gameplay via control pad.


    Now to get ugly. First off the rest of the IP.BIN/1ST_READ.BIN seems a little weird but FG patched the IP.BIN and loading via Daemon Tools off X:\ the game works just fine, but loading from the .cdi directly the game crashes after the licence screen. Loading from a .mdf/.mds/.mdx the game crashes immediately, so kudos goes to Padus DiscJuggler and its Dreamcast magic for even getting us that far.

    There is a suggestion if we ignore all of the weird shit the game may have some form of copy protection which is looking increasingly likely. To test this theory a little more I have used HDR-0178 Rez as a starting point as it is widely known to be copy protected, but just as importantly we have the key to unlock it to make a before and after assessment.

    I tried loading an unhacked/pure extraction of Rez as .nrg via Daemon Tools X:\ and it appears to kick to the menu after the licence screen but crashes before it loads it. Geist typically works in this manner thus would not crash in this situation. I tried ripping the .nrg into a .cdi for lulz and whether the .cdi is mounted on X:\ or loaded directly it crashes regardless. I tried again with Outtrigger as it is a little different but it is the same deal. I was hoping to see it could load on X:\ but crash directly like Geist but this issue may complicate matters.


    Reverse engineering Propeller Arena isn't the best solution as it has been hacked to start at LBA 11702. K-Project (or let's get anal and call it Vibe as it doesn't have the floating people) could be closer to what we are looking for, for example it at least starts at LBA 45000. Let's not forget though in that respect the image may be similar but in other respects it could be different, for example Geist Force was in production years before Rez, tools and procedures would have changed and only the last few games were non-LBA copy protected.

    As it stands at the minute my money is on the weird LBA shit that is, or rather isn't going on which Daemon Tools somehow finds a way to fix. I wouldn't be surprised if there was a byte or two out of place for protection, but given as it doesn't crash in the same way as Rez it is less likely unless it takes a different form. One way to confirm this would be if GD-R owners dumped their 3 track games (for personal use - they do not have to release them, just what they learned - even anonymously if they wish), preferably older first party titles, but any old non-WinCE game would do.

    I sold dozens of HKT-06 GD-R here when I ran into money trouble so someone is bound to have a disc which would prove useful for verification so that we could confirm if the weirdness is HKT-06 GD-R or Geist Force specific.


    The other option I previously suggested is that it may be worthwhile copying the extracted files to a 5.24 and using the Katana SDK, even without the source code we should still have some amount of flexibility to apply some changes which may not make it rip off the bat but may make life easier.
     
    Last edited: Apr 19, 2011
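
The IP.BIN metadata fields and the peripheral-string and CRC checks discussed in the post above, as an added example that is not part of the original thread: a Python parser that flags a peripheral string that is not 7 hex digits and a device-information CRC that does not match the one computed over the product ID and version fields. The field offsets and the CRC-16/CCITT parameters are assumptions based on the commonly documented IP.BIN layout, and the sample header is constructed, not taken from any disc.

```python
# Added example. Offsets are an assumption (commonly documented layout of the
# first 256 bytes of IP.BIN); the thread itself does not list them.
FIELDS = [  # (name, offset, length)
    ("hardware_id", 0x00, 16),
    ("maker_id", 0x10, 16),
    ("device_info", 0x20, 16),   # 4 characters of CRC text, then media type
    ("area", 0x30, 8),
    ("peripherals", 0x38, 8),    # 7 hex digits plus one pad byte
    ("product_id", 0x40, 10),
    ("version", 0x4A, 6),
    ("date", 0x50, 16),
    ("boot_file", 0x60, 16),
    ("company", 0x70, 16),
    ("title", 0x80, 128),
]

def crc16_ccitt(data, crc=0xFFFF):
    """CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, MSB first."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def parse_ip_bin(header):
    """Return (fields, findings) for the first 256 bytes of an IP.BIN."""
    if len(header) < 0x100:
        raise ValueError("need at least the first 256 bytes of IP.BIN")
    meta = {name: header[off:off + size].decode("ascii", "replace").rstrip()
            for name, off, size in FIELDS}
    findings = []
    if not meta["hardware_id"].startswith("SEGA SEGAKATANA"):
        findings.append("unexpected hardware ID")
    per = meta["peripherals"]
    if len(per) != 7 or any(c not in "0123456789ABCDEFabcdef" for c in per):
        findings.append(f"peripheral string {per!r} is not 7 hex digits")
    expected = f"{crc16_ccitt(header[0x40:0x50]):04X}"  # product ID + version
    stored = meta["device_info"][:4]
    if stored != expected:
        findings.append(f"stored CRC {stored!r} != computed {expected}")
    return meta, findings

def build_sample(peripherals="0799010", crc_text=None):
    """Constructed header for demonstration; product ID and title are made up."""
    hdr = bytearray(b" " * 0x100)
    def put(off, text):
        hdr[off:off + len(text)] = text.encode("ascii")
    for off, text in ((0x00, "SEGA SEGAKATANA"), (0x10, "SEGA ENTERPRISES"),
                      (0x38, peripherals), (0x40, "XX-0000"), (0x4A, "V0.001"),
                      (0x50, "19990101"), (0x60, "1ST_READ.BIN"), (0x80, "SAMPLE")):
        put(off, text)
    crc = crc_text or f"{crc16_ccitt(hdr[0x40:0x50]):04X}"
    put(0x20, crc + " GD-ROM1/1")
    return bytes(hdr)
```

Calling `parse_ip_bin(build_sample("07990", "SEGA"))` reproduces the two oddities described in the post: a 5-character peripheral string and the text SEGA where the CRC would normally be.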
  9. hian

    hian Active Member

    Joined:
    Apr 18, 2011
    Messages:
    32
    Likes Received:
    0
    refer to http://mc.pp.se/dc/ip0000.bin.html for an explanation of the peripheral string in IP.BIN.
    Specifically for 0799010, the "1" tells the bios that this game is VGA compatible. It's only a flag, it is still up to the game to actually support VGA. At least it allows you to boot with VGA box attached.

    Do you have a Dreamcast that still uses the original bios? Please try to boot the game with it to rule out the possibility of the protection scheme of checking hacked bios.

    To my record, the following games use this protection scheme and refuse to boot in consoles with hacked bios but work fine in normal consoles:
    Dynamite Cop, Outtrigger, Sega Bass Fishing, Shenmue, Shenmue 2 and Virtua Fighter 3tb
    and yes, even the release groups couldn't/didn't fix this protection scheme.
     
  10. LeGIt

    LeGIt I'm a cunt or so I'm told :P

    Joined:
    Mar 13, 2004
    Messages:
    3,439
    Likes Received:
    31
    0799010 is still a 7 digit code though - Geist uses 5, FG's IP.HAK used 6 digits. Perhaps the last zeroes can be 20'd and the game won't care but IPwriter will care - it is a nice site BTW though I was reading it the other week to start an RS232 hack on my DC, just waiting on a pay day to order the MAX3222 etc.

    nullDC and all of the Dreamcasts have used an original BIOS - this went without saying :p We tried with other bios too for lulz of course!

    Whatever is going on, as I explained above it is not happening as strictly as the copy protected games I tested. I'm wagering more along the lines of rough hack with awesome emulation but some fine tuning will fix it, but given as Geist Force is such a mess it may be a pain in the arse :p
     
    Last edited: Apr 19, 2011
  11. hian

    hian Active Member

    Joined:
    Apr 18, 2011
    Messages:
    32
    Likes Received:
    0
    don't really know the issues with 5/6/7 digit code but it doesn't seem to be the main problem here.

    Since the nrg works in NullDC, it is unlikely that the files are corrupted. I tend to believe it is protection. Tough one to crack...
     
  12. -=FamilyGuy=-

    -=FamilyGuy=- Site Supporter 2049

    Joined:
    Mar 3, 2007
    Messages:
    3,034
    Likes Received:
    891
    I agree, IP Writer might have a hard time loading it, but the Dreamcast probably doesn't care at all. Mine had 6 digit, only because I added (grammatically it's added or add?) the VGA flag.

    Some people way better than me at deciphering things got the bootbin and bootsector to try to crack it, so I believe it'll eventually be done! Just give us time, and coffee, and some luck wouldn't hurt.

    Cross your fingers, but don't hold your breath...

    FG
     
    Last edited: Apr 19, 2011
  13. ASSEMbler

    ASSEMbler Administrator Staff Member

    Joined:
    Mar 13, 2004
    Messages:
    19,394
    Likes Received:
    995
    Sent you a pm fg

    Setting up the vnc would allow many people to have a crack at the game safely.

    Hian you think if you vnc into our server you can examine and perhaps find solution to the problem?
     
    Last edited by a moderator: May 3, 2011
  14. hian

    hian Active Member

    Joined:
    Apr 18, 2011
    Messages:
    32
    Likes Received:
    0
    that will certainly help but I rely on NullDC for code tracing and this thing works in NullDC - tough job
     
  15. LeGIt

    LeGIt I'm a cunt or so I'm told :P

    Joined:
    Mar 13, 2004
    Messages:
    3,439
    Likes Received:
    31
    BTW I sort of already came to the conclusion that the digits were not the main issue and addressed other things - I guess it got lost in my sea of text or translation. As I said I didn't expect the changes to be dramatic but it is one thing to believe the changes won't affect anything, so I sank a couple of hours to know they won't affect things.

    Thanks to a forum member I managed to get hold of the unmolested K-Project HKT-06 GD-R .gdi/bin dump and the only change required was a known form of copy protection, which is sadly the same as the retail copy of Rez :(

    This is good in a way in that it means our problem is not likely to be a HKT-06 GD-R specific problem, but obviously bad news in that there is no direct lesson learned to start reverse engineering Geist Force.

    There is still a lot of hope for Geist Force yet but it is going to take time and effort. I'm still of the opinion loading the extracted files onto a 5.24 and playing with the Katana SDK could potentially waste a few days getting set up but may save a few weeks on cracking time.

    That said I'm looking forwards to another chance to VNC for a sector by sector view in IsoBuster to see what I can find.

    It works as .nrg and .cdi on Daemon Tools X:\ only - just not as .cdi directly. We know it dies on the TOC, but we didn't post the full debugger yet as the VNC is offline (ASSEMbler is using his machine for whatever he uses it for atm - goat porn and Portal 2 I think!) All work and no play makes Jack a dull boy and everyone needs a break from time to time.
     
    Last edited: Apr 20, 2011
  16. hian

    hian Active Member

    Joined:
    Apr 18, 2011
    Messages:
    32
    Likes Received:
    0
    Not trying to confuse you but Eldorado Gate 4 shows similar behaviour:

    .nrg and .cdi mounted with Alcohol as x:\ "works" in NullDC but not as .cdi and .gdi directly.
    ("works" - protection related problems in .cdi not counted. .nrg is a perfect rip)

    .nrg/.cdi burnt to CDR "works" in my dreamcast

    .cdi and .gdi "works" in Demul and Makaron

    So this might just be NullDC's own problem.



    Games that work in NullDC as x:\ in .nrg but not in real Dreamcast?

    Nettou Golf is one after initial hacking. Maybe the one who finally ripped it successfully knows more about the protection involved.
     
    Last edited: Apr 20, 2011
  17. LeGIt

    LeGIt I'm a cunt or so I'm told :P

    Joined:
    Mar 13, 2004
    Messages:
    3,439
    Likes Received:
    31
    It is not just nullDC's problem - the same builds we test in nullDC, we test as coasters on retail DC too ;)

    I tried the Eldorado Gate Vol 4. - whilst it does have the CD E4 43 6A string, it is split onto 2 separate lines and I had it working uncracked with no issues as .CDI directly without crashing, whereas Rez has the CD E4 43 6A string but will crash on .CDI mounted on X:\ or directly, as does Nettou Golf (albeit different string). To be thorough I tried Eldorado Gate Vol. 4 cracked too and it was no different from before. Neither perform in nullDC as Geist is doing.
     
    Last edited: Apr 20, 2011
  18. -=FamilyGuy=-

    -=FamilyGuy=- Site Supporter 2049

    Joined:
    Mar 3, 2007
    Messages:
    3,034
    Likes Received:
    891
    He was not saying it's the same, he was saying it's similar behavior albeit different working in NullDC than on real hardware, or more "precise" emulators. He only said Nettou Golf behaved as Geist, not other games.

    What I find interesting is that Geist got no "CD001" string which are present in EVERY katana games I've seen. Maybe Geist was developed so early that it uses its own libraries instead of the SEGA ones, or simply beta libs that were not finalised. In fact, you can't find a "SEGA" string in the binary, but "UNKNOWN" is there a whole lot of times ...
     
  19. ackmed

    ackmed Site Supporter 2012

    Joined:
    Jun 26, 2007
    Messages:
    28
    Likes Received:
    3
    hrm, what is there instead of the CD001? CD001 is part of the ISO9660 header (Standard Identifier) and pretty sure it should always be CD001.

    -ack
     
  20. arnoldlayne

    arnoldlayne Resolute Member

    Joined:
    Sep 1, 2005
    Messages:
    986
    Likes Received:
    102
    I don't understand most of what's been discussed in this thread but I have been following it closely, just hoping this problem will get resolved. Unfortunately, that quote above was my first thought with all of this... Geist was meant to be a launch title so there's every chance it's going to be prepared differently.

    I'd be surprised if this was some sort of copy-protection, given that the machine hadn't been cracked at that point in time.

    Anyway, just wanted to also say good luck with all of this - it's certainly an interesting read, even for someone who doesn't know the ins-and-outs of coding.
     