awesome pics! thank you tmbinc, i'm in contact with a german triforce owner...maybe i can work something out
My triforce arrived. Thanks to the people who suggested where to look - coinexpress was a great choice, and it was safely delivered to my house. Now, I've of course started to hack around. I'll document what I've done so far on my site (http://debugmo.de). Short summary so far: I've dumped the IPL, I'm currently reversing how the communication with the media board works, and my goal is to find a method to dump the raw game data, bypassing all the security in the DIMM/media board. Of course that's only half of the game. I don't know much about arcade, so excuse my stupid questions: What parts of the Triforce are used in other arcade systems as well? I believe the DIMM board (together with the GD-ROM reader and the security PIC) are identical to one from a NAOMI(2?) board. Are there any attempts at breaking the security scheme on these systems? Where can I read some details about how the security PIC works, and how GDROM games are scrambled? [Edit: Fighting with the board editor to not screw up my links.]
Thanks for the update tmbinc! Unfortunately I have zero experience with arcade hardware but I find the work you are doing on the Triforce to be very interesting! I'll continue to follow it closely, just thought I'd say keep up the good work! You seem fairly confident that something will come of this, which makes it all the more exciting.
If you haven't looked at it already, you might want to look at http://www.system16.com/ There's not a lot of technical information but you might find more information on their message board since it's an arcade-dedicated website.
There is no public information about any of this, this is the first time I've seen vxWorks mentioned. Emulation has been stumped by the lack of the IPL. Again you're the first person to have gotten this far with it. I know someone else was looking to dump it, but I think the board is still in transit. The people that reverse engineered the PIC aren't giving anything away either, I heard they paid to have the chip decapped and dumped. Which is an easy, if expensive route. I'll ask around though, you never know when someone has been working away in silence on something.
As some semi-progress (I'm currently not at home at my triforce), I've tried to dump the GD-ROM (I couldn't find the mentioned dumps anywhere). It only worked *very* partially. The GD-ROM has 3 files, two small ones and a big one, which I believe is the game image. My dumping solution (trap disc & disc swap.. uh oh. I don't have a Dreamcast, and to be honest, I'm currently not in the mood of getting one just for that dump) was not able to dump the data after a certain point. But it was enough to get some bytes of the game data, and I could see repeating 8 byte patterns. So my uneducated bet is DES-ECB. It's definitely encrypted. The one route I will follow is to emulate enough of the IPL / media-board-GCM that I can read the data through the gamecube interface (i.e. DI <-> Media board <-> DIMM board <-> GDROM). That will just require more work, there is no real showstopper. When I succeed with that, I will get a decrypted image of the file. The other route is the reverse route: coming from the GDROM into the direction of the gamecube. I will dump the DIMM board's flash (but that will take some time due to unfortunate logistics. Damn.), in the hope that the DIMM-Board's firmware contains the decryption logic. My guess is that the security PIC spits out a key for the decryption of the gdrom data - but that's just a blind guess. Have similar PICs been dumped already? What do they contain? Any hints or progress are welcome.
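An added example, not part of the original thread, showing why repeating 8-byte patterns in encrypted data point to a 64-bit block cipher in ECB mode. The toy Feistel cipher below is a stand-in for DES (which the Python standard library does not provide); the key, plaintext and function names are constructed for illustration.

```python
import hashlib
from collections import Counter

BLOCK = 8  # 64-bit block, the block size DES uses

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel over 64 bits, SHA-256 as round function (stand-in, NOT DES)."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal inputs give equal outputs."""
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before encryption."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = toy_encrypt_block(key, mixed)
        out.append(prev)
    return b"".join(out)

def repeated_block_ratio(data: bytes, block_size: int = BLOCK) -> float:
    """Fraction of aligned blocks whose value occurs more than once in the data."""
    blocks = [data[i:i + block_size]
              for i in range(0, len(data) - block_size + 1, block_size)]
    counts = Counter(blocks)
    repeated = sum(n for n in counts.values() if n > 1)
    return repeated / len(blocks) if blocks else 0.0

# Constructed sample: a repeated header, zero padding and some unique data,
# the kind of structure a disc image typically contains.
PLAINTEXT = b"GAMEDATA" * 4 + bytes(64) + bytes(range(64)) + bytes(64)
KEY = b"constructed-key"
ECB_CT = ecb_encrypt(KEY, PLAINTEXT)
CBC_CT = cbc_encrypt(KEY, bytes(BLOCK), PLAINTEXT)

if __name__ == "__main__":
    print(f"ECB repeated-block ratio: {repeated_block_ratio(ECB_CT):.3f}")
    print(f"CBC repeated-block ratio: {repeated_block_ratio(CBC_CT):.3f}")
```

ECB preserves the repetition structure of the plaintext exactly, while a chained mode hides it, which is why repeated ciphertext blocks reveal the mode and block size but say nothing about which 64-bit cipher is in use.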
On the sega-naomi.com forum user MrSporty (should be also reg. here) has successfully cloned a security chip (so he claimed) after having the PIC chip decapped. There was a long thread on that forum, detailing the timing of signals and length of the key, if I'm not mistaken there was also the key (but not the complete dump of the PIC). Too bad the thread was deleted, apparently some feared their investment in the process would be compromised...
Good news, everyone! I'm just dumping Virtua Striker 2002. I did it basically the same way as I dumped the media board, by running SegaBoot (the app which talks to the DIMM board, lets it read the game etc.), and hooked into the "read" function. As soon as the game was loaded (which takes ages - and my lion-backup-battery is dead, so it will do that every time again), my program takes over the control, and just dumps the whole game via usbgecko. (Network doesn't work, as the BBA uses the same serial port which the baseboard requires). So, in a few (read: 40) minutes I'll have a ~300MB .gcm file on my harddisk. It won't run on a gamecube, as it depends on the JVS IO, but you know, things like that aren't real showstoppers... The next step is to understand the actual encryption. For that, I'll take a look at the dimm board FW (Thanks, MrSporty), but if they were clever, the decryption is done in an ASIC or FPGA, without the key ever leaving into software. We'll see. I also proved that the DIMM board does the actual decryption (which, of course, makes sense, and was expected). In the end, I want to provide a dumping solution which yields decrypted images. Currently my setup is more than awkward. Basically all 6 triforce PCBs (baseboard, power, gamecube, media, dimm, dimm-daughter) plus the gamecube-modchip and the usbgecko are lying on my desk, plugged together, but without any housing, powered by an ATX power supply, with an additional 12V fan to cool the gamecube board a bit (the original fan was broken and stinky). Several layers of paper ensure that there won't be any shortcuts (hopefully...). Re-booting the beast requires removing the serial-port-a plug to the baseboard, because for whatever reason, it won't boot otherwise to the modchip'ed bios. I then need to hotplug it all together. So to make it short: It's a nice proof of concept, but we need another way.
Wow tmbinc, I am impressed! Now that you have it working, hopefully refining the process takes less effort! I for one am interested in seeing if these triforce images will run on a GDEV or GBOX as I think they might. Just got my GDEV all hooked up and itching to do new things with it. In one word, congratulations!
huge necrobump but any news on this? Edit: I made it and get Mario Kart Arcade GP 1 & 2 but now I'd need the Segaboot gcm(s) in order to run this in dolphin/ on my Wii. Anyone push me in the right direction for this?