Firmware bypass methods

By Wierzbowsky

Guardian (3448)

11-06-2022, 12:08

Looks like several people have problems with Carnivore2 and built-in firmware in some MSX computers. I also experienced that a few times, last time with my Hitachi MSX2. I have requests from a few people to add firmware bypass functionality into C2, but I am not that good with MSX hardware to find the solution yet. Could any of MSX hardware and software gurus give me some ideas or even share code to detect and bypass a firmware? Would be much obliged...

By gdx

Enlighted (5600)

26-06-2022, 07:20

There are only three methods to bypass an MSX firmware.

  1. The best for the Carnivore 2 would probably be modifying the MSX initialization routine from Nextor, i.e. add the detection of known firmware for the corresponding slot and ignore them when found. Or, add the ability to ignore the slot configured by the user.
  2. Patch or remove the MSX firmware. This is the most efficient because it works regardless of the MSX configuration, but some users cannot or do not want to modify their MSX. I make patches for the Sony HB-55/75 and Hitachi H1/H2.
  3. Some firmwares provide this function themselves. You can find it by disassembling the firmware. For example, the FS-A1 firmware can be bypassed by writing 023h at 0CBD8h, and the HB-201/HB-201P firmware can be bypassed by writing 0C9h at 402Eh in slot 3.

By sdsnatcher73

Prophet (3414)

26-06-2022, 07:42

How do you modify the MSX initialization routine (as mentioned in option 1)?

By gdx

Enlighted (5600)

26-06-2022, 09:20

MSX initialisation is different with MSX-DOS2 & Nextor. I think it short-cuts the MSX initialisation to initialize in its own way. So it's probably possible to modify it.

By Wierzbowsky

Guardian (3448)

26-06-2022, 13:02

Thanks, gdx! Is there a full list of pokes to bypass the firmware? To me it's still unclear how a firmware that operates from slot 0 could be bypassed by poking at a certain address. For poking, my software should first gain control. Is the "call" initialization routine executed before a firmware takes control?

By sdsnatcher73

Prophet (3414)

26-06-2022, 15:01

gdx wrote:

MSX initialisation is different with MSX-DOS2 & Nextor. I think it short-cuts the MSX initialisation to initialize in its own way. So it's probably possible to modify it.

But that does not say a lot. I really would appreciate some more detail as I would like to understand. I know the MSX BIOS will start to scan slots for AB headers. I know a game ROM will just execute (or hook to the disk initialization if it needs to access floppy). So how do you make the BIOS skip a certain slot? And what are the differences for DOS1 and DOS2/Nextor?

Alexey wrote:

Thanks, gdx! Is there a full list of pokes to bypass the firmware? To me it's still unclear how a firmware that operates from slot 0 could be bypassed by poking at a certain address. For poking, my software should first gain control. Is the "call" initialization routine executed before a firmware takes control?

I don’t think you can bypass the firmware in slot 0 (basically in a lower slot than where your ROM is), unless that firmware itself has some detection. Which machines have firmware in slot 0 BTW? Won’t these have issues with games?

By gdx

Enlighted (5600)

26-06-2022, 15:32

Sorry, I did not have time to search all the firmwares. Did it for 4 or 5 only.
I didn't dig into DOS2 or Nextor either. So it is possible that I am wrong. Maybe Konamiman can help.

sdsnatcher73 wrote:

I don’t think you can bypass the firmware in slot 0 (basically in a lower slot than where your ROM is), unless that firmware itself has some detection.

In the case of the Sony HB-55/75, this is possible because it copies a routine into RAM (slot 3) to execute the firmware after the other ROMs. This is why a well-placed C9h prevents its execution.

By sdsnatcher73

Prophet (3414)

26-06-2022, 17:07

But my question is more on the general working of the BIOS slot search. Is the only way to bypass the firmware a poke in RAM depending on what firmware is detected? Or is there a more general way to do it? Like modify some data the slot search routine uses?
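As an added illustration of gdx's option 1 and of the slot search asked about above (example code written for this thread, not code from Nextor, Carnivore2 or any poster): a simplified Python model of the BIOS cartridge scan. It assumes four flat primary slots with no expanded subslots, scans pages 1 and 2 of each slot for the "AB" header, and shows how a configured skip list removes a firmware slot from the initialization order; the slot contents are constructed.

```python
# Simplified model of the MSX BIOS cartridge search (added example, not the
# real BIOS code). Assumes four flat primary slots, no expanded subslots.
from dataclasses import dataclass

PAGE_ADDRS = (0x4000, 0x8000)  # pages 1 and 2 are scanned for the "AB" header


@dataclass
class RomHeader:
    slot: int
    page: int
    init: int   # INIT vector at header offset 2-3
    text: int   # TEXT vector at header offset 8-9 (BASIC program ROMs)


def parse_header(mem: bytes, base: int):
    """Return a RomHeader if mem[base] carries an 'AB' signature, else None."""
    if mem[base:base + 2] != b"AB":
        return None
    init = int.from_bytes(mem[base + 2:base + 4], "little")
    text = int.from_bytes(mem[base + 8:base + 10], "little")
    return RomHeader(slot=-1, page=base, init=init, text=text)


def scan_slots(slots: dict, skip=()):
    """Walk slots 0..3 in BIOS order and collect ROMs with a non-zero INIT.
    Slots in `skip` are ignored: the 'ignore the configured slot' idea."""
    found = []
    for slot in range(4):
        if slot in skip or slot not in slots:
            continue
        for page in PAGE_ADDRS:
            hdr = parse_header(slots[slot], page)
            if hdr is not None and hdr.init:
                hdr.slot = slot
                found.append(hdr)
    return found


def make_rom(page: int, init: int, text: int = 0) -> bytearray:
    """Constructed 64K image with an 'AB' header at `page` (sample data)."""
    mem = bytearray(0x10000)
    mem[page:page + 2] = b"AB"
    mem[page + 2:page + 4] = init.to_bytes(2, "little")
    mem[page + 8:page + 10] = text.to_bytes(2, "little")
    return mem


# Constructed machine: slot 0 main BIOS (no header), slot 1 built-in firmware,
# slot 2 a disk ROM such as a cartridge, slot 3 RAM. Values are made up.
EXAMPLE_SLOTS = {
    0: bytearray(0x10000),
    1: make_rom(0x4000, init=0x4010),
    2: make_rom(0x4000, init=0x4020),
    3: bytearray(0x10000),
}
```

Without a skip list the firmware in slot 1 is initialized before the disk ROM in slot 2; with `skip=(1,)` only the disk ROM is returned.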