hacking a sega whitestar pinball focusing on the audio
play

Hacking a Sega Whitestar Pinball: Focusing on the audio board - PowerPoint PPT Presentation

May 07, 2023 •45 likes •665 views

Hacking a Sega Whitestar Pinball: Focusing on the audio board Grehack 2015 Pierre Surply EPITA Systems/Security Laboratory (LSE) Nov 20, 2015 1 / 62 Sega Whitestar Pinball Overview 2 / 62 Playfield 3 / 62 IO Board 4 / 62 CPU/Sound Board

  1. Hacking a Sega Whitestar Pinball: Focusing on the audio board Grehack 2015 Pierre Surply EPITA Systems/Security Laboratory (LSE) Nov 20, 2015 1 / 62

  2. Sega Whitestar Pinball Overview 2 / 62

  3. Playfield 3 / 62

  4. IO Board 4 / 62

  5. CPU/Sound Board 5 / 62

  6. CPU/Sound Board 6 / 62

  7. Main CPU 7 / 62

  8. Main CPU Address Space U213 PAL16L8 2 I0 A14 1 I1 F7 19 A15 ROMCS 3 18 I2 FI6 A13 RAMCS 4 17 I3 FI5 E IOPORT 5 16 I4 FI4 Q A9 6 15 I5 FI3 VMA A10 7 14 I6 FI2 RW SNDSTB 8 13 I7 FI1 A11 XA0 9 I8 F0 12 A12 IOSTB 11 I9 MPIN 8 / 62

  9. Main CPU Address Space 9 / 62

  10. Main CPU Address Space GAL16V8 U213 A15 A14 A13 /E Q VMA RW A11 A12 GND MPIN IOSTB XA0 SNDSTB A10 A9 IOPORT /RAMCS /ROMCS VCC /ROMCS.T = A15 + A14 + IOPORT /ROMCS.E = /E RAMCS.T = A15 + A14 + A13 + A12 * A11 * A10 * A9 * /RW * /MPIN /RAMCS.E = /E IOPORT.T = A15 + A14 + /A13 + A12 + A11 + XA0 IOPORT.E = /E IOSTB.T = /A15 * /A14 * A13 * /A11 IOSTB.E = /E DESCRIPTION: Sega Whitestar Pinball U213 (Address space decoding) (Extracted using Quine-McCluskey method) 10 / 62

  11. Replacing ROM 11 / 62

  12. Replacing ROM 12 / 62

  13. Main CPU Programming 13 / 62

  14. Sound Board 14 / 62

  15. Sound Board 15 / 62

  16. Sound Board Block Diagram 16 / 62

  17. Voices EEPROM 8-bit PCM @ 8kHz 17 / 62

  18. Sound CPU 18 / 62

  19. Sound CPU Address Space 19 / 62

  20. Sound CPU Address Space 0x0000-0x1FFF : RAM 0x2000 : Status Register ( OSTAT signal) 0x2002 : Main CPU / Sound CPU Command Register ( BIN signal) 0x2006 : DSP Status ( BLD signal) During read operation: 0x4000-0xFFFF : ROM During write operation: 0x6000 : DSP Command (MSB) 0xA000-0xA0FF : DSP Command (LSB) 20 / 62

  21. Sound CPU Wiring lda #$80 sta IO_STATUS ;; Reset DSP cla anda #1 sta IO_STATUS ;; Indicate to Main CPU that audio card ;; is ready 21 / 62

  22. Main CPU / Sound CPU Interface Main CPU Command (8bit) 22 / 62

  23. Main CPU / Sound CPU Interface lda #CMD ;; a <- CMD sta SNDSTB ;; [SNDSTB] <- a 23 / 62

  24. Main CPU / Sound CPU Interface 24 / 62

  25. Main CPU / Sound CPU Interface 25 / 62

  26. Main CPU / Sound CPU Interface lda BIN ;; a <- [BIN] 26 / 62

  27. FIRQ Handler struct cmd_ring_buffer { uint8_t begin; uint8_t end; uint8_t data[16]; } ; 27 / 62

  28. Main Loop struct cpu_cmd { uint8_t callback_idx; uint8_t unk0; uint16_t mask; void **data; } ; 28 / 62

  29. Digital Signal Processor 29 / 62

  30. Sound CPU / DSP Interface Data (16bit): 0x1234 Address (8bit): 0x56 30 / 62

  31. Sound CPU / DSP Interface lda #$12 ;; a <- $12 sta DSP1 ;; [DSP1] <- a 31 / 62

  32. Sound CPU / DSP Interface lda #$34 ;; a <- $34 sta DSP0 + $56 ;; [DSP0 + $56] <- a 32 / 62

  33. Sound CPU / DSP Interface IN dma, IN0 ;; DATA[dma] <- $0056 33 / 62

  34. Sound CPU / DSP Interface IN dma, IN1 ;; DATA[dma] <- $1234 34 / 62

  35. DSP / DAC Interface 35 / 62

  36. BSMT2000 A1/PA1 1 40 A2/PA2 A0/PA0 2 39 A3 MC/MP 3 38 A4 RS 4 37 A5 INT 5 36 A6 Brian Schmidt’s Mouse Trap CLKOUT 6 35 A7 X1 7 34 A8 Used in many arcade X2/CLKIN 8 33 MEN BIO 9 32 DEN machines from 1991 to 2003 V SS 10 31 WE D8 11 30 V CC D9 12 29 A9 Masked ROM TMS320C15 D10 13 28 A10 D11 14 27 A11 DSP from Texas Instruments D12 15 26 D0 D13 16 25 D1 D14 17 24 D2 D15 18 23 D3 D7 19 22 D4 D6 20 21 D5 36 / 62

  37. TMS320C15 Block Diagram 37 / 62

  38. BSMT2000 38 / 62

  39. Dumping BSMT2000 Mask ROM TBLR dma ;; DATA[dma] <- PROG[ACC] OUT dma, port ;; IO[port] <- DATA[dma] 39 / 62

  40. Dumping BSMT2000 Mask ROM 40 / 62

  41. Dumping BSMT2000 Mask ROM 41 / 62

  42. BSMT2000 Testbench Block Diagram 42 / 62

  43. Dumping BSMT2000 Mask ROM LACK 1 ;; ACC <- 1 SACL 0 ;; DATA[0] <- ACC LT 0 ;; T <- DATA[0] MPYK 1 ;; P <- 1 x T ZAC ;; ACC <- 0 loop: TBLR 0 ;; DATA[0] <- PROG[ACC] SACL 1 ;; DATA[1] <- ACC OUT 1, 1 ;; IO[1] <- DATA[1] OUT 0, 0 ;; IO[0] <- DATA[0] APAC ;; ACC <- ACC + P B loop 43 / 62

  44. BSMT2000 Testbench 44 / 62

  45. BSMT2000 Address Space IN 0 : Sound CPU command address IN 1 : Sound CPU command data IN 2 : EEPROM data OUT 0 : EEPROM address OUT 1 : EEPROM bank OUT 3 : Sample out (Left) OUT 7 : Sample out (Right) 45 / 62

  46. BSMT2000 Initialization OSTAT EQU $2000 DSP1 EQU $6000 DSP0 EQU $A000 init_dsp: ;; Reset DSP lda #$80 sta OSTAT ;; Set DSPRST ;; Compute command address according to the desired DSP mode ldb #$FE ;; select mode 1 ldx #DSP0 abx ;; x <- b + x ;; Select DSP mode by writing 0 at DSP0 + ~mode clra sta #DSP1 ;; MSB sta ,x ;; LSB ;; Start DSP sta OSTAT ;; Clear DSPRST rts 46 / 62

  47. DSP Main Loop ZAC ;; ACC <- 0 LT VOLUME1 ;; T <- DATA[VOLUME1] MPY SAMPLE1 ;; P <- T * DATA[SAMPLE1] LTA VOLUME2 ;; ACC <- ACC + P; T <- DATA[VOLUME2] MPY SAMPLE2 ;; P <- T * DATA[SAMPLE2] ... LTA VOLUME12 ;; ACC <- ACC + P; T <- DATA[VOLUME12] MPY SAMPLE12 ;; P <- T * DATA[SAMPLE12] APAC ;; ACC <- ACC + P SACH 0, TMP ;; DATA[TMP] <- ACC[31:16] OUT DAC, TMP ;; IO[DAC] <- DATA[TMP] 47 / 62

  48. Mixing Audio Streams 48 / 62

  49. Sound CPU Commands Handling BIOZ fetch ;; Jump to ‘fetch‘ if TST pin ;; is active NOP ;; Burn CPU cycles NOP ;; NOP ;; B next fetch: IN 0, 60 ;; DATA[60] <- IO[0] LAR AR0, 60 ;; AR0 <- DATA[60] IN 1, * ;; DATA[AR0] <- IO[1] next: 49 / 62

  50. TST pin wiring CLKOUT = CLKIN / 4 = 6MHz 50 / 62

  51. BSMT2000 data memory layout 0x0-0xA : Channel playback positions 0x16-0x20 : Channel rates 0x21-0x2B : Sample limits 0x2C-0x36 : Sample loops 0x37-0x41 : Sample bank 0x42-0x4C : Channel right volume 0x4D-0x57 : Channel left volume 0x58-0x62 : Sample data 0xFF : Scratch 51 / 62

  52. Back to Sound CPU firmware 52 / 62

  53. DSP operations #define MAX_CHAN 12 struct dsp_ops { void (*set_fixed_volume[MAX_CHAN])(); void (*set_rate[MAX_CHAN])(); void (*set_default_rate[MAX_CHAN])(); void (*stop_playing[MAX_CHAN])(); void (*load_pcm_sample[MAX_CHAN])(); void (*op5[MAX_CHAN])(); void (*op6[MAX_CHAN])(); void (*op7[MAX_CHAN])(); void (*op8[MAX_CHAN])(); void (*op9[MAX_CHAN])(); } ; 53 / 62

  54. Main CPU commands struct cpu_cmd { uint8_t callback_idx; uint8_t unk0; uint16_t mask; void **data; } ; 54 / 62

  55. Example : Play PCM Sample ;; PCM sample description 818B: 00 00 ;; pcm.base ;; sample starts at 0x0000 818D: 47 AC ;; pcm.limit ;; sample finishes at 0x47AC 818F: 47 86 ;; pcm.loop_start ;; sample playing must loop at 0x4786 818F: 3C 818F: 03 ;; pcm.bank ;; sample is located on bank 3 of U17 EEPROM ;; Explosion pattern bytecode 91DE: 05 81 8B ;; load pcm sample described at 0x818B into channel 91E1: 09 01 ;; set channel volume 91E3: 01 1D 01 6D ;; set channel rate, start sample playing ;; and wait 7425 ticks (0x1D01) => 2.53 seconds 91E7: 0F ;; free the channel and stop sample playing 55 / 62

  56. PCM Samples struct pcm_sample { uint16_t base; uint16_t limit; uint16_t loop_start; uint8_t unk; uint8_t bank; } ; 56 / 62

  57. PCM Samples 57 / 62

  58. Track Allocation struct track { struct track *next; struct track *prev; void *instruction_pointer; // Address of the next bytecode // instruction uint16_t counter; // Used for operation timing uint16_t last_timestamp; uint8_t next_instruction; uint8_t type; // 0: Background track // 1: Foreground track uint8_t channel_id; ... } ; 58 / 62

  59. Track Types 59 / 62

  60. Track Types uint8_t *channels_types = (void *) 0x00EA; if (track.type == channels_types[current_channel]) dsp_ops[current_channel](); 60 / 62

  61. Track Types 61 / 62

  62. Q&A IRC: Ptishell@irc.rezosup.org Mail: surply@lse.epita.fr Twitter: @Ptishell 62 / 62

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Title: Pinball Roger Norcross/Patrick Barberio, New Paltz

Title: Pinball Roger Norcross/Patrick Barberio, New Paltz

Title: Pinball Roger Norcross/Patrick Barberio, New Paltz Rnorcrosse@newpaltz.k12.ny.us,pbarberio@newpaltz.k12.ny.us Pinball Set Up GYM 0 -------PolySpots with pin on top 0 ^ x x 0 ------Make mirror image across 0 x x 0 ^ x x

338 views • 4 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Designing and Using an Audio-Visual Description Core Ontology Antoine Isaac &amp; Raphal

Designing and Using an Audio-Visual Description Core Ontology Antoine Isaac &amp; Raphal

Designing and Using an Audio-Visual Description Core Ontology Antoine Isaac &amp; Raphal Troncy Friday 8 th of October, 2004 Outline Motivations Methodology and content Focusing on domain needs Focusing on upper-level

786 views • 23 slides
Web Hacking 101: Burping for fun and maybe some profit Magno (Logan) Rodrigues magnologan at

Web Hacking 101: Burping for fun and maybe some profit Magno (Logan) Rodrigues magnologan at

Web Hacking 101: Burping for fun and maybe some profit Magno (Logan) Rodrigues magnologan at gmail dot com WHO AM I? ARE YOU SURE YOU WANNA KNOW? - Parker, Peter (Spider Man 2002) InfoSec/AppSec Specialist / CompTIA Instructor Focusing

702 views • 44 slides
Pinball Project Case Study SDMAY12-13 Thursday, November 17, 11 Dr. Who

Pinball Project Case Study SDMAY12-13 Thursday, November 17, 11 Dr. Who

Pinball Project Case Study SDMAY12-13 Thursday, November 17, 11 Dr. Who http://www.hyperspin-fe.com/forum/showthread.php?t=8239 Thursday, November 17, 11 Dr. Who Widebody Clone Cabinet dimensions copied from a Williams Electronics Twilight

391 views • 35 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation &amp; privilege escalation 4. Maintaining access &amp; covering tracks

960 views • 62 slides
Pinball Wizardry Youre a wizard, Harry Historical Stuff (OG machines) Quick History

Pinball Wizardry Youre a wizard, Harry Historical Stuff (OG machines) Quick History

Pinball Wizardry Youre a wizard, Harry Historical Stuff (OG machines) Quick History 1930s: Baffle Ball! 1933: Electrification 1947: First flippers introduced 1970s: Solid state electronics: circuit boards,

596 views • 37 slides
Game development for the ColecoVision and Sega 8-bit systems Developing for Z80-based video game

Game development for the ColecoVision and Sega 8-bit systems Developing for Z80-based video game

Game development for the ColecoVision and Sega 8-bit systems Developing for Z80-based video game systems using modern free tools Philipp Klaus Krause February 4, 2018 Table of Contents 1 Consoles 2 SDCC 3 Library 4 Tools 5 Summary Table of

590 views • 20 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits &amp; Demos Q&amp;A Why? Wrights Law

485 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
Pilot Groundwater Monitoring Program in Northern Arizona for the Flagstaff Arboretum Purpose

Pilot Groundwater Monitoring Program in Northern Arizona for the Flagstaff Arboretum Purpose

Pilot Groundwater Monitoring Program in Northern Arizona for the Flagstaff Arboretum Purpose The Arboretum at Flagstaff [1] Climate Impact on Northern Arizona Southwest Experimental Garden Array (SEGA) Gardens of SEGA [2] What

378 views • 15 slides
Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat 2011 Las Vegas, NV Presen sented ed b by: Francis Brown Rob Ragan Stach &amp; Liu, LLC www.stachliu.com Agenda O V E R V I E W

1.07k views • 72 slides
Relaxing Exclusive Control in Boolean Games Arianna Novaro IRIT, University of Toulouse F.

Relaxing Exclusive Control in Boolean Games Arianna Novaro IRIT, University of Toulouse F.

Relaxing Exclusive Control in Boolean Games Arianna Novaro IRIT, University of Toulouse F. Belardinelli U. Grandi A. Herzig D. Longin E. Lorini L. Perrussel SEGA Workshop, Prague 2018 Relaxing Exclusive Control in Boolean Games SEGA 2018

471 views • 30 slides
Parsing with unification Frederik Fouvry Department of Computational Linguistics and Phonetics

Parsing with unification Frederik Fouvry Department of Computational Linguistics and Phonetics

Parsing with unification Frederik Fouvry Department of Computational Linguistics and Phonetics Saarland University Introduction to Computational Linguistics Frederik Fouvry Parsing with unification Outline Motivation 1 Unification 2

757 views • 43 slides
Comonadic notions of computation Tarmo Uustalu 1 Varmo Vene 2 1 Institute of Cybernetics, Tallinn 2

Comonadic notions of computation Tarmo Uustalu 1 Varmo Vene 2 1 Institute of Cybernetics, Tallinn 2

Comonadic notions of computation Tarmo Uustalu 1 Varmo Vene 2 1 Institute of Cybernetics, Tallinn 2 University of Tartu FMCS 2006, Kananaskis, 8 June 2006 Motivation Moggi and Wadler showed that effectful computations can be structured with

428 views • 23 slides
Compilerconstructie najaar 2019 http://www.liacs.leidenuniv.nl/~vlietrvan1/coco/ Rudy van Vliet

Compilerconstructie najaar 2019 http://www.liacs.leidenuniv.nl/~vlietrvan1/coco/ Rudy van Vliet

Compilerconstructie najaar 2019 http://www.liacs.leidenuniv.nl/~vlietrvan1/coco/ Rudy van Vliet kamer 140 Snellius, tel. 071-527 2876 rvvliet(at)liacs(dot)nl college 1, vrijdag 6 september 2019 Overview 1 Why this course Its part of the

698 views • 54 slides
Languages, Ontologies and automatic grammar generation Pedro Rangel Henriques (M Joo

Languages, Ontologies and automatic grammar generation Pedro Rangel Henriques (M Joo

Languages, Ontologies and automatic grammar generation Pedro Rangel Henriques (M Joo Varanda Pereira) Dep. de Informtica Centro Algoritmi Universidade do Minho, Braga-Portugal UCM Madrid, 2016-07-12 Motivation This talk is about:

1.03k views • 63 slides
CSC411/2515 Lecture 2: Nearest Neighbors Roger Grosse, Amir-massoud Farahmand, and Juan

CSC411/2515 Lecture 2: Nearest Neighbors Roger Grosse, Amir-massoud Farahmand, and Juan

CSC411/2515 Lecture 2: Nearest Neighbors Roger Grosse, Amir-massoud Farahmand, and Juan Carrasquilla University of Toronto UofT CSC411-Lec2 1 / 26 Introduction Today (and for the next 5 weeks) were focused on supervised learning. This

298 views • 26 slides
Introduction to Neural Networks Machine Learning and Object Recognition 2016-2017 Course website:

Introduction to Neural Networks Machine Learning and Object Recognition 2016-2017 Course website:

Introduction to Neural Networks Machine Learning and Object Recognition 2016-2017 Course website: http://thoth.inrialpes.fr/~verbeek/MLOR.16.17.php Biological motivation Neuron is basic computational unit of the brain about 10^11 neurons

1.26k views • 74 slides
The Potential of Memory Augmented Neural Networks Dalton Caron Montana Technological University

The Potential of Memory Augmented Neural Networks Dalton Caron Montana Technological University

The Potential of Memory Augmented Neural Networks Dalton Caron Montana Technological University November 15, 2019 Overview Review of Perceptron and Feed Forward Networks Recurrent Neural Networks Neural Turing Machines

1.27k views • 57 slides
NTM Atef Chaudhury and Chris Cremer Motivation Memory is good Working memory is key to many

NTM Atef Chaudhury and Chris Cremer Motivation Memory is good Working memory is key to many

NTM Atef Chaudhury and Chris Cremer Motivation Memory is good Working memory is key to many tasks - Humans use it everyday - Essential to computers (core to Von Neumann architecture/Turing Machine) Why not incorporate it into NNs which

390 views • 34 slides

More recommend