SLIDE 1
Hacking a Sega Whitestar Pinball: Focusing on the audio board
Grehack 2015 Pierre Surply
EPITA Systems/Security Laboratory (LSE)
Nov 20, 2015
1 / 62
Sega Whitestar Pinball Overview
2 / 62
Hacking a Sega Whitestar Pinball: Focusing on the audio board - - PowerPoint PPT Presentation
Hacking a Sega Whitestar Pinball: Focusing on the audio board - - PowerPoint PPT Presentation
Hacking a Sega Whitestar Pinball: Focusing on the audio board Grehack 2015 Pierre Surply EPITA Systems/Security Laboratory (LSE) Nov 20, 2015 1 / 62 Sega Whitestar Pinball Overview 2 / 62 Playfield 3 / 62 IO Board 4 / 62 CPU/Sound Board
SLIDE 2
SLIDE 3
Playfield
3 / 62
SLIDE 4
IO Board
4 / 62
SLIDE 5
CPU/Sound Board
5 / 62
SLIDE 6
CPU/Sound Board
6 / 62
SLIDE 7
Main CPU
7 / 62
SLIDE 8
Main CPU Address Space
I0
2
I1
1
I2
3
I3
4
I4
5
I5
6
I6
7
I7
8
I8
9
I9
11
FI5
17
FI4
16
FI3
15
FI2
14
FI1
13
PAL16L8 F0
12
FI6
18
F7
19
U213 A14 A15 A13 E Q VMA RW A11 A12 MPIN A9 A10 XA0 ROMCS RAMCS IOPORT SNDSTB IOSTB
8 / 62
SLIDE 9
Main CPU Address Space
9 / 62
SLIDE 10
Main CPU Address Space
GAL16V8 U213 A15 A14 A13 /E Q VMA RW A11 A12 GND MPIN IOSTB XA0 SNDSTB A10 A9 IOPORT /RAMCS /ROMCS VCC /ROMCS.T = A15 + A14 + IOPORT /ROMCS.E = /E RAMCS.T = A15 + A14 + A13 + A12 * A11 * A10 * A9 * /RW * /MPIN /RAMCS.E = /E IOPORT.T = A15 + A14 + /A13 + A12 + A11 + XA0 IOPORT.E = /E IOSTB.T = /A15 * /A14 * A13 * /A11 IOSTB.E = /E DESCRIPTION: Sega Whitestar Pinball U213 (Address space decoding) (Extracted using Quine-McCluskey method)
10 / 62
SLIDE 11
Replacing ROM
11 / 62
SLIDE 12
Replacing ROM
12 / 62
SLIDE 13
Main CPU Programming
13 / 62
SLIDE 14
Sound Board
14 / 62
SLIDE 15
Sound Board
15 / 62
SLIDE 16
Sound Board Block Diagram
16 / 62
SLIDE 17
Voices EEPROM
8-bit PCM @ 8kHz
17 / 62
SLIDE 18
Sound CPU
18 / 62
SLIDE 19
Sound CPU Address Space
19 / 62
SLIDE 20
Sound CPU Address Space
0x0000-0x1FFF: RAM 0x2000: Status Register (OSTAT signal) 0x2002: Main CPU / Sound CPU Command Register (BIN signal) 0x2006: DSP Status (BLD signal) During read operation:
0x4000-0xFFFF: ROM
During write operation:
0x6000: DSP Command (MSB) 0xA000-0xA0FF: DSP Command (LSB)
20 / 62
SLIDE 21
Sound CPU Wiring
lda #$80 sta IO_STATUS ;; Reset DSP cla anda #1 sta IO_STATUS ;; Indicate to Main CPU that audio card ;; is ready
21 / 62
SLIDE 22
Main CPU / Sound CPU Interface
Main CPU Command (8bit)
22 / 62
SLIDE 23
Main CPU / Sound CPU Interface
lda #CMD ;; a <- CMD sta SNDSTB ;; [SNDSTB] <- a
23 / 62
SLIDE 24
Main CPU / Sound CPU Interface
24 / 62
SLIDE 25
Main CPU / Sound CPU Interface
25 / 62
SLIDE 26
Main CPU / Sound CPU Interface
lda BIN ;; a <- [BIN]
26 / 62
SLIDE 27
FIRQ Handler
struct cmd_ring_buffer { uint8_t begin; uint8_t end; uint8_t data[16]; };
27 / 62
SLIDE 28
Main Loop
struct cpu_cmd { uint8_t callback_idx; uint8_t unk0; uint16_t mask; void **data; };
28 / 62
SLIDE 29
Digital Signal Processor
29 / 62
SLIDE 30
Sound CPU / DSP Interface
Data (16bit): 0x1234 Address (8bit): 0x56
30 / 62
SLIDE 31
Sound CPU / DSP Interface
lda #$12 ;; a <- $12 sta DSP1 ;; [DSP1] <- a
31 / 62
SLIDE 32
Sound CPU / DSP Interface
lda #$34 ;; a <- $34 sta DSP0 + $56 ;; [DSP0 + $56] <- a
32 / 62
SLIDE 33
Sound CPU / DSP Interface
IN dma, IN0 ;; DATA[dma] <- $0056
33 / 62
SLIDE 34
Sound CPU / DSP Interface
IN dma, IN1 ;; DATA[dma] <- $1234
34 / 62
SLIDE 35
DSP / DAC Interface
35 / 62
SLIDE 36
BSMT2000
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21
A1/PA1 A0/PA0 MC/MP RS INT CLKOUT X1 X2/CLKIN BIO VSS D8 D9 D10 D11 D12 D13 D14 D15 D7 D6 A2/PA2 A3 A4 A5 A6 A7 A8 MEN DEN WE VCC A9 A10 A11 D0 D1 D2 D3 D4 D5
Brian Schmidt’s Mouse Trap Used in many arcade machines from 1991 to 2003 Masked ROM TMS320C15 DSP from Texas Instruments
36 / 62
SLIDE 37
TMS320C15 Block Diagram
37 / 62
SLIDE 38
BSMT2000
38 / 62
SLIDE 39
Dumping BSMT2000 Mask ROM
TBLR dma ;; DATA[dma] <- PROG[ACC] OUT dma, port ;; IO[port] <- DATA[dma]
39 / 62
SLIDE 40
Dumping BSMT2000 Mask ROM
40 / 62
SLIDE 41
Dumping BSMT2000 Mask ROM
41 / 62
SLIDE 42
BSMT2000 Testbench Block Diagram
42 / 62
SLIDE 43
Dumping BSMT2000 Mask ROM
LACK 1 ;; ACC <- 1 SACL 0 ;; DATA[0] <- ACC LT 0 ;; T <- DATA[0] MPYK 1 ;; P <- 1 x T ZAC ;; ACC <- 0 loop: TBLR 0 ;; DATA[0] <- PROG[ACC] SACL 1 ;; DATA[1] <- ACC OUT 1, 1 ;; IO[1] <- DATA[1] OUT 0, 0 ;; IO[0] <- DATA[0] APAC ;; ACC <- ACC + P B loop
43 / 62
SLIDE 44
BSMT2000 Testbench
44 / 62
SLIDE 45
BSMT2000 Address Space
IN 0: Sound CPU command address IN 1: Sound CPU command data IN 2: EEPROM data OUT 0: EEPROM address OUT 1: EEPROM bank OUT 3: Sample out (Left) OUT 7: Sample out (Right)
45 / 62
SLIDE 46
BSMT2000 Initialization
OSTAT EQU $2000 DSP1 EQU $6000 DSP0 EQU $A000 init_dsp: ;; Reset DSP lda #$80 sta OSTAT ;; Set DSPRST ;; Compute command address according to the desired DSP mode ldb #$FE ;; select mode 1 ldx #DSP0 abx ;; x <- b + x ;; Select DSP mode by writing 0 at DSP0 + ~mode clra sta #DSP1 ;; MSB sta ,x ;; LSB ;; Start DSP sta OSTAT ;; Clear DSPRST rts
46 / 62
SLIDE 47
DSP Main Loop
ZAC ;; ACC <- 0 LT VOLUME1 ;; T <- DATA[VOLUME1] MPY SAMPLE1 ;; P <- T * DATA[SAMPLE1] LTA VOLUME2 ;; ACC <- ACC + P; T <- DATA[VOLUME2] MPY SAMPLE2 ;; P <- T * DATA[SAMPLE2] ... LTA VOLUME12 ;; ACC <- ACC + P; T <- DATA[VOLUME12] MPY SAMPLE12 ;; P <- T * DATA[SAMPLE12] APAC ;; ACC <- ACC + P SACH 0, TMP ;; DATA[TMP] <- ACC[31:16] OUT DAC, TMP ;; IO[DAC] <- DATA[TMP]
47 / 62
SLIDE 48
Mixing Audio Streams
48 / 62
SLIDE 49
Sound CPU Commands Handling
BIOZ fetch ;; Jump to ‘fetch‘ if TST pin ;; is active NOP ;; Burn CPU cycles NOP ;; NOP ;; B next fetch: IN 0, 60 ;; DATA[60] <- IO[0] LAR AR0, 60 ;; AR0 <- DATA[60] IN 1, * ;; DATA[AR0] <- IO[1] next:
49 / 62
SLIDE 50
TST pin wiring
CLKOUT = CLKIN / 4 = 6MHz
50 / 62
SLIDE 51
BSMT2000 data memory layout
0x0-0xA: Channel playback positions 0x16-0x20: Channel rates 0x21-0x2B: Sample limits 0x2C-0x36: Sample loops 0x37-0x41: Sample bank 0x42-0x4C: Channel right volume 0x4D-0x57: Channel left volume 0x58-0x62: Sample data 0xFF: Scratch
51 / 62
SLIDE 52
Back to Sound CPU firmware
52 / 62
SLIDE 53
DSP operations
#define MAX_CHAN 12 struct dsp_ops { void (*set_fixed_volume[MAX_CHAN])(); void (*set_rate[MAX_CHAN])(); void (*set_default_rate[MAX_CHAN])(); void (*stop_playing[MAX_CHAN])(); void (*load_pcm_sample[MAX_CHAN])(); void (*op5[MAX_CHAN])(); void (*op6[MAX_CHAN])(); void (*op7[MAX_CHAN])(); void (*op8[MAX_CHAN])(); void (*op9[MAX_CHAN])(); };
53 / 62
SLIDE 54
Main CPU commands
struct cpu_cmd { uint8_t callback_idx; uint8_t unk0; uint16_t mask; void **data; };
54 / 62
SLIDE 55
Example : Play PCM Sample
;; PCM sample description 818B: 00 00 ;; pcm.base ;; sample starts at 0x0000 818D: 47 AC ;; pcm.limit ;; sample finishes at 0x47AC 818F: 47 86 ;; pcm.loop_start ;; sample playing must loop at 0x4786 818F: 3C 818F: 03 ;; pcm.bank ;; sample is located on bank 3 of U17 EEPROM ;; Explosion pattern bytecode 91DE: 05 81 8B ;; load pcm sample described at 0x818B into channel 91E1: 09 01 ;; set channel volume 91E3: 01 1D 01 6D ;; set channel rate, start sample playing ;; and wait 7425 ticks (0x1D01) => 2.53 seconds 91E7: 0F ;; free the channel and stop sample playing
55 / 62
SLIDE 56
PCM Samples
struct pcm_sample { uint16_t base; uint16_t limit; uint16_t loop_start; uint8_t unk; uint8_t bank; };
56 / 62
SLIDE 57
PCM Samples
57 / 62
SLIDE 58
Track Allocation
struct track { struct track *next; struct track *prev; void *instruction_pointer; // Address of the next bytecode // instruction uint16_t counter; // Used for operation timing uint16_t last_timestamp; uint8_t next_instruction; uint8_t type; // 0: Background track // 1: Foreground track uint8_t channel_id; ... };
58 / 62
SLIDE 59
Track Types
59 / 62
SLIDE 60
Track Types
uint8_t *channels_types = (void *) 0x00EA; if (track.type == channels_types[current_channel]) dsp_ops[current_channel]();
60 / 62
SLIDE 61
Track Types
61 / 62
SLIDE 62
Q&A
IRC: Ptishell@irc.rezosup.org Mail: surply@lse.epita.fr Twitter: @Ptishell
62 / 62