The Faceless Master
Member
Code:
********************************************************************************
* *
* Once again we are proud to say : *
* " An alle : Maulhalten, jetzt, sofort ! " *
* *
* -- The senior members of Utopia present you today : -- *
* - Anaconda04 - A viperfree Cobra04 DVD-R boot core recode in pure assembly - *
* *
********************************************************************************
>>> The story :
Some time ago the worlds first Gamecube Modchip called "Viper" was released,
basically for the homebrew development scene to allow people to start their
applications directly at power-on of the GC. Pretty fast an application called
"Cobra" got available for it , which allows people to boot their DVD-Rs on the
gamecube. Starting of version 0.2 this application reached version 0.4 upto
now , running pretty stable on all available GC drives ( 04 , 06 and 08 ).
This application uses a special , undocumented feature on the Modchip binding
it "tight" to the Viper. Being sure that the possibility of booting DVD-Rs is
not something special of the Viper we decided to find out whats going on inside
this Cobra application. And here is the result - presented to you as open-source
to allow the community to explore and use the possibilies without using the
- in our eyes - too expensive modchip.
>>> The stuff :
The included file "Anaconda04.S" is a full documented application source which
results in a run-able core for booting DVD-Rs. The steps it performs are as
follows:
- Initialize the diskdrive into a reset state (by setting HW register cc003024)
- Unlock the drives' debug feature by sending two special commands named
"ff 01 MATSHITA 02 00" and "ff 00 DVD-GAME 03 00"
- Sending some small codeblock into the drives' memory by using a command named
"fe 01 01 00 <memoryoffset> <datalength> <data>"
- Starting this codeblock by hooking it into a system call within the drive
resulting in the known (?) states of the bootphase of Cobra04
(laser off, motor off, delay to swap, motor on, laser on)
- Unlocking the drive by performing a ReadDiscID command (A8000040) to be able
to read sectors
- Enable audio streaming depending on the setup of the DiscID
- Reading , parsing and starting the apploader of the swapped disc , resulting
in booting the application on it
As stated above, this is a complete homemade recode of just the boot core,
no videooutput or messages are delivered during the run. Except from the
derived data within the "DriveCode" table this code is not affiliated with
the original Cobra04 code. We decided to use the data in its original state,
as the team around Mentalcube (the designers of the Cobra application) did a
well job while choosing the neccesary patches within the drive. The patchcode
is generic for all drive versions , so no need for different tables.
We leave it to the community to create some fancy GUI for it if they want,
as we just did it for the proof-of-concept and to end the countless discussions
around whats going on within the Cobra and Viper. We are even not familiar with
tools like PSOLoad, SDLoad or whatever-Load as we are using our own technique to
execute code on our GCs, but due to the simplyness of the code there should be
no problem at all to run this snippet with those things.
>>> The instruction to do :
To assemble the code you can use the free and widely available DevkitPPC.
Simply perform those steps for generating an executable .bin file:
- powerpc-elf-gcc.exe -Wl,-Ttext,0x81700000 -o Anaconda04.elf Anaconda04.S
- powerpc-elf-strip.exe --strip-debug --strip-all --discard-all
-o Anaconda04r.elf -F elf32-powerpc Anaconda04.elf
- powerpc-elf-objcopy.exe -I elf32-powerpc -O binary Anaconda04r.elf
Anaconda04.bin
An example .bin file already assembled with those tools is included within
this package. Upload this file to 0x81700000 and jump to this address. Other
addresses can be easily used by changing the parameter to powerpc-elf-gcc.
Please keep in mind that you have to bypass your lidswitch in some way (e.g.
rubberband) to make the code work correctly.
>>> The final talking and teasing :
And now a few words to the Mentalcube crew (and those who are interested in
some techstuff ) :
At first, we "bow down" infront of you ! You did a well job, either by finding
out all the neccessary steps and ofcourse for all the implemented crypting and
obfuscating on both sides , GC and the drive 8] . Creating a loader by patching
running code inside the drive, which then loads another loader to 0x8226 which
finally loads the patchcode to 0x8502 by offsetting bytes inside the firmware
is really a nice idea for obfuscation. And ofcourse you used the side-effect
that the commands of the drive are bitwise interpreted, so you could easily
hide them by putting alot of trash inside and around them. Even the idea to
hide the two unlock commands by a backward-turned value - statemachine was
pretty genious . Oh, and did you find out the Break 0 register functionality
to patch the firmware on your own, or did you just read the right passage
within the CPUs' manual ;-) ?
Finally , you did some "unluckily" flaws to the last states of your coding
which allowed us to present this release today :
- The idea of forbidding to read back memory from the drive should have been
done inside one of the loaders and not by sending direct offset memorypatch
commands - that allowed us to read the entire memory while stepping through
the sent commands.
- the 8 bytes-from-expanded-(71)-inquiry-to-D4 & xor-stream-from-D8
vipercommand thingie was neat and we thought this will be a hellish thing to
reverse ... but as you encrypt the sending of the offsets you had to do it
backwards in the second loader which we just recoded - or even better -
NOP out the xoring in the loader - voila - basically the last sent table
gives what a (0x)BABE wants ;-) .
Apart from this we say again , this was a really nice job done by Mentalcube.
Too bad they tried to bind it to the Viper and still didnt open their code
after this period of time. And we just want to clarify an important point :
We dont take nor want any credits for the possibility of booting DVD-Rs on
the GC, this was entirely made by the Mentalcube crew - we just opened this
to the members of the community who dont have a Viper around (for whatever
reasons) by de-obfuscating and recoding it into this piece of easy-to-use code.
We decided to release this code now because we think its time that people see
whats the mystery behind the Cobra code and give the chance to set up some nice
projects based on this , like we are thinking about some sort of DVD-Player
for the GC or other things.
Please keep in mind that playing copies of games you dont own is highly illegal
and in no way meant as superior function of this code !
Use this code at your own risk, no responsibility is taken for its functionality
at your place or exploded/fucked up GCs, drives, vipers, users, computers, DVDs,
hamsters, cats, dogs, lost wifes and everything else that may happen :-) ...
You can use this code freely in any way you like as long as you keep some
credits inside to Mentalcube and Utopia.
Over and out - Wildlight/Utopia , 21.02.2005
