Hacking a Sega Whitestar Pinball: Focusing on the audio board
Grehack 2015
Pierre Surply
EPITA Systems/Security Laboratory (LSE)
Nov 20, 2015
Sega Whitestar Pinball Overview
Playfield
IO Board
CPU/Sound Board
Main CPU
Main CPU Address Space
[Figure: U213 (PAL16L8) pinout. Signals: A9-A15, E, Q, VMA, RW, MPIN, XA0, ROMCS, RAMCS, IOPORT, SNDSTB, IOSTB]
GAL16V8
U213
A15 A14 A13 /E Q VMA RW A11 A12 GND
MPIN IOSTB XA0 SNDSTB A10 A9 IOPORT /RAMCS /ROMCS VCC
/ROMCS.T = A15 + A14 + IOPORT
/ROMCS.E = /E
RAMCS.T = A15 + A14 + A13 + A12 * A11 * A10 * A9 * /RW * /MPIN
/RAMCS.E = /E
IOPORT.T = A15 + A14 + /A13 + A12 + A11 + XA0
IOPORT.E = /E
IOSTB.T = /A15 * /A14 * A13 * /A11
IOSTB.E = /E
DESCRIPTION:
Sega Whitestar Pinball
U213 (Address space decoding)
(Extracted using Quine-McCluskey method)
Replacing ROM
Main CPU Programming
Sound Board
Sound Board Block Diagram
Voices EEPROM
8-bit PCM @ 8kHz
Sound CPU
Sound CPU Address Space
0x0000-0x1FFF: RAM
0x2000: Status Register (OSTAT signal)
0x2002: Main CPU / Sound CPU Command Register (BIN signal)
0x2006: DSP Status (BLD signal)
During read operation:
0x4000-0xFFFF: ROM
During write operation:
0x6000: DSP Command (MSB)
0xA000-0xA0FF: DSP Command (LSB)
Sound CPU Wiring
lda #$80
sta IO_STATUS ;; Reset DSP
clra
anda #1
sta IO_STATUS ;; Indicate to Main CPU that audio card
;; is ready
Main CPU / Sound CPU Interface
Main CPU Command (8bit)
Main CPU / Sound CPU Interface
lda #CMD ;; a <- CMD
sta SNDSTB ;; [SNDSTB] <- a
Main CPU / Sound CPU Interface
lda BIN ;; a <- [BIN]
FIRQ Handler
struct cmd_ring_buffer {
    uint8_t begin;
    uint8_t end;
    uint8_t data[16];
};
Main Loop
struct cpu_cmd {
    uint8_t callback_idx;
    uint8_t unk0;
    uint16_t mask;
    void **data;
};
Digital Signal Processor
Sound CPU / DSP Interface
Data (16bit): 0x1234
Address (8bit): 0x56
Sound CPU / DSP Interface
lda #$12 ;; a <- $12
sta DSP1 ;; [DSP1] <- a
Sound CPU / DSP Interface
lda #$34 ;; a <- $34
sta DSP0 + $56 ;; [DSP0 + $56] <- a
Sound CPU / DSP Interface
IN dma, IN0 ;; DATA[dma] <- $0056
Sound CPU / DSP Interface
IN dma, IN1 ;; DATA[dma] <- $1234
DSP / DAC Interface
BSMT2000
[Figure: BSMT2000 40-pin pinout. Signals: A0/PA0, A1/PA1, A2/PA2, A3-A11, D0-D15, MC/MP, RS, INT, CLKOUT, X1, X2/CLKIN, BIO, MEN, DEN, WE, VCC, VSS]
Brian Schmidt’s Mouse Trap
Used in many arcade machines from 1991 to 2003
Masked ROM TMS320C15 DSP from Texas Instruments
TMS320C15 Block Diagram
BSMT2000
Dumping BSMT2000 Mask ROM
TBLR dma ;; DATA[dma] <- PROG[ACC]
OUT dma, port ;; IO[port] <- DATA[dma]
BSMT2000 Testbench Block Diagram
Dumping BSMT2000 Mask ROM
LACK 1 ;; ACC <- 1
SACL 0 ;; DATA[0] <- ACC
LT 0 ;; T <- DATA[0]
MPYK 1 ;; P <- 1 x T
ZAC ;; ACC <- 0
loop: TBLR 0 ;; DATA[0] <- PROG[ACC]
SACL 1 ;; DATA[1] <- ACC
OUT 1, 1 ;; IO[1] <- DATA[1]
OUT 0, 0 ;; IO[0] <- DATA[0]
APAC ;; ACC <- ACC + P
B loop
BSMT2000 Testbench
BSMT2000 Address Space
IN 0: Sound CPU command address
IN 1: Sound CPU command data
IN 2: EEPROM data
OUT 0: EEPROM address
OUT 1: EEPROM bank
OUT 3: Sample out (Left)
OUT 7: Sample out (Right)
BSMT2000 Initialization
OSTAT EQU $2000
DSP1 EQU $6000
DSP0 EQU $A000
init_dsp:
;; Reset DSP
lda #$80
sta OSTAT ;; Set DSPRST
;; Compute command address according to the desired DSP mode
ldb #$FE ;; select mode 1
ldx #DSP0
abx ;; x <- b + x
;; Select DSP mode by writing 0 at DSP0 + ~mode
clra
sta DSP1 ;; MSB
sta ,x ;; LSB
;; Start DSP
sta OSTAT ;; Clear DSPRST
rts
DSP Main Loop
ZAC ;; ACC <- 0
LT VOLUME1 ;; T <- DATA[VOLUME1]
MPY SAMPLE1 ;; P <- T * DATA[SAMPLE1]
LTA VOLUME2 ;; ACC <- ACC + P; T <- DATA[VOLUME2]
MPY SAMPLE2 ;; P <- T * DATA[SAMPLE2]
...
LTA VOLUME12 ;; ACC <- ACC + P; T <- DATA[VOLUME12]
MPY SAMPLE12 ;; P <- T * DATA[SAMPLE12]
APAC ;; ACC <- ACC + P
SACH 0, TMP ;; DATA[TMP] <- ACC[31:16]
OUT DAC, TMP ;; IO[DAC] <- DATA[TMP]
Mixing Audio Streams
Sound CPU Commands Handling
BIOZ fetch ;; Jump to 'fetch' if TST pin
;; is active
NOP ;; Burn CPU cycles
NOP ;;
NOP ;;
B next
fetch: IN 0, 60 ;; DATA[60] <- IO[0]
LAR AR0, 60 ;; AR0 <- DATA[60]
IN 1, * ;; DATA[AR0] <- IO[1]
next:
TST pin wiring
CLKOUT = CLKIN / 4 = 6MHz
BSMT2000 data memory layout
0x0-0xA: Channel playback positions
0x16-0x20: Channel rates
0x21-0x2B: Sample limits
0x2C-0x36: Sample loops
0x37-0x41: Sample bank
0x42-0x4C: Channel right volume
0x4D-0x57: Channel left volume
0x58-0x62: Sample data
0xFF: Scratch
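The Sound CPU to DSP command path from the slides above (two stores on the Sound CPU side, `IN 0` / `IN 1` on the DSP side, then the data memory layout), modelled in C as an added example that is not code from the talk or the firmware. The `dsp_port` latch model, its `pending` flag and all function names are assumptions made for illustration; the addresses and the fetch sequence are the ones shown on the slides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DSP1 0x6000u /* Sound CPU write: DSP command MSB */
#define DSP0 0xA000u /* Sound CPU write: DSP command LSB, 0xA000-0xA0FF */
#define FETCH_TMP 60 /* data word used by "IN 0, 60" in the DSP handler */

struct bus_write { uint16_t addr; uint8_t value; };
/* Assumed board model: an MSB latch plus the two words the DSP reads. */
struct dsp_port { uint8_t msb; uint16_t in0, in1; int pending; };

/* Sound CPU side: one (address, data) command becomes two stores. */
static void dsp_encode(uint8_t dsp_addr, uint16_t data, struct bus_write out[2])
{
    out[0].addr = DSP1;
    out[0].value = (uint8_t)(data >> 8);
    out[1].addr = (uint16_t)(DSP0 + dsp_addr);
    out[1].value = (uint8_t)(data & 0xFF);
}

/* Bus side: returns 0 if the write hit a DSP command address, -1 otherwise. */
static int dsp_port_write(struct dsp_port *p, struct bus_write w)
{
    if (w.addr == DSP1) { p->msb = w.value; return 0; }
    if (w.addr >= DSP0 && w.addr <= DSP0 + 0xFFu) {
        p->in0 = w.addr & 0xFFu;                      /* IN 0: command address */
        p->in1 = (uint16_t)((p->msb << 8) | w.value); /* IN 1: command data */
        p->pending = 1; /* assumption: the LSB store is what the DSP polls for */
        return 0;
    }
    return -1;
}

/* DSP side: IN 0,60 / LAR AR0,60 / IN 1,* from the command handler. */
static int dsp_fetch(struct dsp_port *p, uint16_t data_mem[256])
{
    if (!p->pending) return 0;
    data_mem[FETCH_TMP] = p->in0;
    uint8_t ar0 = (uint8_t)data_mem[FETCH_TMP];
    data_mem[ar0] = p->in1; /* stored at whatever address arrived, unchecked */
    p->pending = 0;
    return 1;
}

/* Region name for a data-memory address, per the layout listed above. */
static const char *dsp_region(uint8_t a)
{
    if (a <= 0x0A) return "Channel playback positions";
    if (a >= 0x16 && a <= 0x20) return "Channel rates";
    if (a >= 0x21 && a <= 0x2B) return "Sample limits";
    if (a >= 0x2C && a <= 0x36) return "Sample loops";
    if (a >= 0x37 && a <= 0x41) return "Sample bank";
    if (a >= 0x42 && a <= 0x4C) return "Channel right volume";
    if (a >= 0x4D && a <= 0x57) return "Channel left volume";
    if (a >= 0x58 && a <= 0x62) return "Sample data";
    if (a == 0xFF) return "Scratch";
    return "not listed";
}

/* Full round trip; returns the word that ends up at DATA[dsp_addr]. */
static uint16_t dsp_roundtrip(uint8_t dsp_addr, uint16_t data)
{
    uint16_t mem[256] = {0};
    struct dsp_port port = {0};
    struct bus_write w[2];
    dsp_encode(dsp_addr, data, w);
    for (int i = 0; i < 2; i++)
        dsp_port_write(&port, w[i]);
    dsp_fetch(&port, mem);
    return mem[dsp_addr];
}

int main(void)
{
    printf("DATA[0x56] = 0x%04X (%s)\n",
           (unsigned)dsp_roundtrip(0x56, 0x1234), dsp_region(0x56));
    return 0;
}
```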
Back to Sound CPU firmware
DSP operations
#define MAX_CHAN 12
struct dsp_ops {
    void (*set_fixed_volume[MAX_CHAN])();
    void (*set_rate[MAX_CHAN])();
    void (*set_default_rate[MAX_CHAN])();
    void (*stop_playing[MAX_CHAN])();
    void (*load_pcm_sample[MAX_CHAN])();
    void (*op5[MAX_CHAN])();
    void (*op6[MAX_CHAN])();
    void (*op7[MAX_CHAN])();
    void (*op8[MAX_CHAN])();
    void (*op9[MAX_CHAN])();
};
Main CPU commands
struct cpu_cmd {
    uint8_t callback_idx;
    uint8_t unk0;
    uint16_t mask;
    void **data;
};
Example : Play PCM Sample
;; PCM sample description
818B: 00 00 ;; pcm.base
;; sample starts at 0x0000
818D: 47 AC ;; pcm.limit
;; sample finishes at 0x47AC
818F: 47 86 ;; pcm.loop_start
;; sample playing must loop at 0x4786
8191: 3C
8192: 03 ;; pcm.bank
;; sample is located on bank 3 of U17 EEPROM
;; Explosion pattern bytecode
91DE: 05 81 8B ;; load pcm sample described at 0x818B into channel
91E1: 09 01 ;; set channel volume
91E3: 01 1D 01 6D ;; set channel rate, start sample playing
;; and wait 7425 ticks (0x1D01) => 2.53 seconds
91E7: 0F ;; free the channel and stop sample playing
PCM Samples
struct pcm_sample {
    uint16_t base;
    uint16_t limit;
    uint16_t loop_start;
    uint8_t unk;
    uint8_t bank;
};
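The descriptor and pattern bytes from the "Play PCM Sample" slide, decoded in C as an added example (not code from the talk or the firmware). The operand count per opcode and the loop-point sanity check are assumptions drawn only from the bytes shown on that slide; `pattern_info` and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes copied from the slide: descriptor at 0x818B, pattern at 0x91DE. */
static const uint8_t SLIDE_PCM[8] = {0x00, 0x00, 0x47, 0xAC, 0x47, 0x86, 0x3C, 0x03};
static const uint8_t SLIDE_PATTERN[10] = {0x05, 0x81, 0x8B, 0x09, 0x01,
                                          0x01, 0x1D, 0x01, 0x6D, 0x0F};

struct pcm_sample { uint16_t base, limit, loop_start; uint8_t unk, bank; };

struct pattern_info {
    uint16_t sample_addr; /* opcode 05 operand: descriptor address */
    uint8_t volume_arg;   /* opcode 09 operand */
    uint16_t wait_ticks;  /* opcode 01, first two operand bytes */
    uint8_t op01_last;    /* opcode 01, third operand byte (meaning not given) */
    int freed;            /* opcode 0F seen */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the 8-byte big-endian descriptor. Returns 0, or -1 if the buffer is
 * short or the loop point lies outside [base, limit] (assumed sanity rule). */
static int pcm_parse(const uint8_t *p, size_t len, struct pcm_sample *s)
{
    if (len < 8)
        return -1;
    s->base = be16(p);
    s->limit = be16(p + 2);
    s->loop_start = be16(p + 4);
    s->unk = p[6];
    s->bank = p[7];
    if (s->base > s->limit || s->loop_start < s->base || s->loop_start > s->limit)
        return -1;
    return 0;
}

/* Operand byte counts, inferred from the slide's four opcodes only. */
static int operand_len(uint8_t op)
{
    switch (op) {
    case 0x05: return 2;
    case 0x09: return 1;
    case 0x01: return 3;
    case 0x0F: return 0;
    default:   return -1;
    }
}

/* Walk a pattern up to opcode 0F. Returns the instruction count, or -1 on an
 * unknown opcode, truncated operands, or a missing 0F terminator. */
static int pattern_decode(const uint8_t *code, size_t len, struct pattern_info *out)
{
    size_t pc = 0;
    int count = 0;
    *out = (struct pattern_info){0};
    while (pc < len) {
        uint8_t op = code[pc];
        int n = operand_len(op);
        if (n < 0 || pc + 1 + (size_t)n > len)
            return -1;
        const uint8_t *arg = code + pc + 1;
        if (op == 0x05) out->sample_addr = be16(arg);
        if (op == 0x09) out->volume_arg = arg[0];
        if (op == 0x01) { out->wait_ticks = be16(arg); out->op01_last = arg[2]; }
        pc += 1 + (size_t)n;
        count++;
        if (op == 0x0F) { out->freed = 1; return count; }
    }
    return -1;
}

int main(void)
{
    struct pcm_sample s;
    struct pattern_info pi;
    if (pcm_parse(SLIDE_PCM, sizeof SLIDE_PCM, &s) == 0)
        printf("limit=0x%04X loop=0x%04X bank=%u\n",
               (unsigned)s.limit, (unsigned)s.loop_start, (unsigned)s.bank);
    int n = pattern_decode(SLIDE_PATTERN, sizeof SLIDE_PATTERN, &pi);
    printf("%d instructions, wait %u ticks\n", n, (unsigned)pi.wait_ticks);
    return 0;
}
```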
Track Allocation
struct track {
    struct track *next;
    struct track *prev;
    void *instruction_pointer; // Address of the next bytecode
                               // instruction
    uint16_t counter; // Used for operation timing
    uint16_t last_timestamp;
    uint8_t next_instruction;
    uint8_t type; // 0: Background track
                  // 1: Foreground track
    uint8_t channel_id;
    ...
};
Track Types
uint8_t *channels_types = (void *) 0x00EA;
if (track.type == channels_types[current_channel])
dsp_ops[current_channel]();