I rummaged through a few other firmwares and obtained results.
Here are five routines (including three new ones) to bypass firmwares that do not require patching the firmware.
Panasonic FS-A1:
This firmware is bypassed when the byte at 0CBD8h is equal to 023h.
; Routine to bypass the Panasonic FS-A1 firmware

        org 4000h

RomHeader:
        dw 4241h,4010h,0,0,0,0,0,0

        ld a,023h       ; INIT entry point (4010h)
        ld (0CBD8h),a   ; To bypass the FS-A1 firmware
        ret

        ds 8000h - $,0  ; Fill with 0 to make a 16K ROM
Panasonic FS-A1F:
This firmware is bypassed when the byte at 0C3CEh is equal to 023h.
; Routine to bypass the Panasonic FS-A1F firmware

        org 4000h

RomHeader:
        dw 4241h,4010h,0,0,0,0,0,0

        ld a,023h       ; INIT entry point (4010h)
        ld (0C3CEh),a   ; To bypass the FS-A1F firmware
        ret

        ds 8000h - $,0  ; Fill with 0 to make a 16K ROM
Panasonic FS-A1mk2:
This firmware is bypassed when the byte at 0C3D2h is equal to 023h.
; Routine to bypass the Panasonic FS-A1mk2 firmware

        org 4000h

RomHeader:
        dw 4241h,4010h,0,0,0,0,0,0

        ld a,023h       ; INIT entry point (4010h)
        ld (0C3D2h),a   ; To bypass the FS-A1mk2 firmware
        ret

        ds 8000h - $,0  ; Fill with 0 to make a 16K ROM
Sony HB-201/HB-201P:
This firmware is bypassed when the byte at 402Eh in slot 3 is equal to 0c9h.
; Routine to bypass the HB-201/HB-201P firmware

RDSLT   equ 0000Ch      ; Read a byte in a slot
WRSLT   equ 00014h      ; Write a byte in a slot

        org 4000h

RomHeader:
        dw 4241h,4010h,0,0,0,0,0,0

        ld a,3          ; Slot 3
        ld hl,4027h     ; Address
        call RDSLT
        cp 048h         ; Test 'H'
        jr nz,JUMP      ; Jump if read value is not 'H'
        ld a,3
        inc hl          ; 4028h
        call RDSLT
        cp 049h         ; Test 'I'
        jr nz,JUMP      ; Jump if read value is not 'I'
        ld a,3          ; Primary slot 3
        ld e,0c9h       ; RET opcode
        ld hl,402Eh
        call WRSLT      ; Write C9h to bypass the firmware
JUMP:
        ret

        ds 8000h - $,0  ; Fill with 0 to make a 16K ROM
Sony HB-F1, HB-F1II and HB-F9P/S:
These firmwares are bypassed when the hook H.STKE (0FEDAh) is used.
; Routine to bypass the HB-F1, HB-F1II and HB-F9P/S firmware

H_STKE  equ 0FEDAh

        org 4000h

RomHeader:
        dw 4241h,4010h,0,0,0,0,0,0

        bit 7,h
        ret nz          ; Back if ROM mirror
        ld hl,H_STKE
        ld de,0c100h
        ld bc,5
        ldir            ; Copy the current hook in case another ROM uses it
        ld hl,NewHook
        ld de,H_STKE
        ld bc,5
        ldir            ; Set the new hook
        ld hl,Adding
        ld de,0c100h-5
        ld bc,5
        ldir            ; Adding to disable the H_STKE hook
        ret

NewHook:                ; Copied to H_STKE (5 bytes)
        call 0c100h-5
        ret
        ret

Adding:                 ; Copied to 0c100h-5 (5 bytes)
        ld a,0c9h
        ld (H_STKE),a   ; Disable the H_STKE hook
                        ; then falls through into the saved hook at 0c100h

        ds 8000h - $,0  ; Fill with 0 to make a 16K ROM
Each of these programs makes a 16K ROM, so you can easily try them on an emulator. Only the routine for the Sony HB-201/201P has a (simple) firmware detection routine. If you want to integrate all the routines to bypass the firmware in the ROM of an interface, for example, you will probably need to add a firmware detection routine to run only the bypass routine corresponding to the MSX used.
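As an added example (not gdx's code and not from this thread), here is a Python check of the 16K ROM images these routines produce: it parses the 'AB' header, verifies that INIT lands inside the ROM's own page, and models the `bit 7,h / ret nz` mirror test, which assumes that HL holds the INIT address when the BIOS calls it. The sample image is the FS-A1 routine hand-assembled inline; the helper names are mine.

```python
# Added example: validate the 16K cartridge ROM layout used by the routines above.
# Constructed sample image: the FS-A1 routine hand-assembled by hand.
import struct

ROM_BASE = 0x4000          # the routines use "org 4000h"
ROM_SIZE = 0x4000          # "ds 8000h - $,0" pads the image to 16K
MIRROR_BIT = 0x8000        # bit 7 of H set => INIT reached through the page-2 mirror


def parse_header(rom: bytes) -> dict:
    """Decode the 16-byte 'AB' header: INIT, STATEMENT, DEVICE and TEXT pointers."""
    if len(rom) < 16:
        raise ValueError("ROM image shorter than the 16-byte header")
    ident, init, statement, device, text = struct.unpack_from("<2sHHHH", rom, 0)
    if ident != b"AB":
        raise ValueError("missing 'AB' signature")
    return {"init": init, "statement": statement, "device": device, "text": text}


def init_in_page(init: int, org: int = ROM_BASE, size: int = ROM_SIZE) -> bool:
    """True when INIT is 0 (no init routine) or points inside the ROM's own page."""
    return init == 0 or org <= init < org + size


def init_code(rom: bytes, count: int, org: int = ROM_BASE) -> bytes:
    """Return the first `count` bytes the BIOS will execute at INIT."""
    init = parse_header(rom)["init"]
    if not init_in_page(init, org, len(rom)) or init == 0:
        raise ValueError("INIT does not point inside this ROM")
    return rom[init - org:init - org + count]


def is_mirror_call(hl: int) -> bool:
    """Model of 'bit 7,h / ret nz': HL is the INIT address the BIOS called."""
    return bool(hl & MIRROR_BIT)


def build_fs_a1_rom() -> bytes:
    """Constructed sample: the FS-A1 bypass routine as a 16K image."""
    header = struct.pack("<2sHHHH", b"AB", 0x4010, 0, 0, 0) + bytes(6)
    code = bytes([0x3E, 0x23,             # ld a,023h
                  0x32, 0xD8, 0xCB,       # ld (0CBD8h),a
                  0xC9])                  # ret
    body = header + code
    return body + bytes(ROM_SIZE - len(body))   # ds 8000h - $,0


if __name__ == "__main__":
    rom = build_fs_a1_rom()
    print(parse_header(rom), init_code(rom, 6).hex())
```

The `init_code` helper is handy for confirming that the header's INIT pointer really lands on the first instruction after the 16-byte header (4010h here), which is the mistake most likely to leave one of these ROMs silently doing nothing.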
Thanks, gdx! I can implement those into Carnivore2's boot menu, but the question is - if the firmware starts earlier than boot block, how to run this code _before_ the firmware? Is there any hook in the ROM that BIOS registers and runs before executing the firmware?
The routines I give should prevent the execution of the firmware by inserting the cartridge in one of the cartridge slots of these MSXs.
Here's another one.
Sony HB-F5:
This firmware is bypassed when the hook H.STKE (0FEDAh) has been created by another program. So this routine disables the hook when it is used to run the firmware.
; Routine to bypass the HB-F5 firmware

H_STKE  equ 0FEDAh

        org 4000h

RomHeader:
        dw 4241h,4010h,0,0,0,0,0,0

        bit 7,h
        ret nz          ; Back if ROM mirror
        ld hl,FirmwareHook
        ld de,0c100h
        ld bc,5
        ldir            ; Copy the hook modified by the firmware
        ld a,(H_STKE+1)
        ld (0c101h),a   ; Change the slot number
        ld hl,H_STKE
        ld de,0c100h
Loop:
        ld a,(de)
        cp (hl)
        ret nz          ; Back if the hook differs (not the firmware's hook)
        cp 0c9h
        inc hl
        inc de
        jr nz,Loop      ; Compare up to the RET opcode
        ld (H_STKE),a   ; Disable the hook if it is that of the firmware
        ret

FirmwareHook:
        db 0f7h,03h,51h,40h,0c9h   ; RST 30h, slot, 4051h, RET

        ds 8000h - $,0  ; Fill with 0 to make a 16K ROM
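As an added example (not gdx's code and not from this thread), here is a Python model of the HB-F5 routine's decision so the comparison loop can be exercised on sample hooks: the 5-byte H.STKE hook is decoded as an inter-slot call (RST 30h, slot byte, address, RET), the template's slot byte is replaced by the one found in RAM exactly as `ld a,(H_STKE+1) / ld (0c101h),a` does, and the bytes are compared until the first C9h. The RAM image and the alternative hooks are constructed; the function names are mine.

```python
# Added example: model of the HB-F5 routine's hook check on a constructed RAM image.
from typing import Optional

H_STKE = 0xFEDA
FIRMWARE_HOOK = bytes([0xF7, 0x03, 0x51, 0x40, 0xC9])   # template from the routine
DEFAULT_HOOK = bytes([0xC9] * 5)                        # unused hook: five RETs


def decode_hook(hook: bytes) -> Optional[dict]:
    """Decode an inter-slot-call hook (F7 ss ll hh C9); None if it is not one."""
    if len(hook) != 5 or hook[0] != 0xF7:
        return None
    return {"slot": hook[1], "addr": hook[2] | (hook[3] << 8), "ret": hook[4] == 0xC9}


def firmware_hook_installed(current: bytes, template: bytes = FIRMWARE_HOOK) -> bool:
    """Mirror of the Loop: True only when the hook matches the firmware's call."""
    work = bytearray(template)
    work[1] = current[1]              # take the slot byte from the live hook
    for tpl, cur in zip(work, current):
        if tpl != cur:
            return False              # ret nz: someone else's hook, leave it alone
        if tpl == 0xC9:
            return True               # reached the RET with every byte equal
    return False                      # not reached: the template ends in C9h


def apply_bypass(ram: bytearray, template: bytes = FIRMWARE_HOOK) -> bool:
    """Write RET at H.STKE only when the installed hook is the firmware's."""
    current = bytes(ram[H_STKE:H_STKE + 5])
    if firmware_hook_installed(current, template):
        ram[H_STKE] = 0xC9            # ld (H_STKE),a with a = 0c9h
        return True
    return False


if __name__ == "__main__":
    ram = bytearray(0x10000)                         # constructed 64K RAM image
    ram[H_STKE:H_STKE + 5] = bytes([0xF7, 0x83, 0x51, 0x40, 0xC9])
    print(decode_hook(bytes(ram[H_STKE:H_STKE + 5])), apply_bypass(ram))
```

Three cases are worth trying: the firmware's hook with a different slot byte (disabled, because the slot byte is copied before comparing), the untouched five-RET hook (left alone, since F7h never matches C9h), and another program's hook pointing elsewhere (left alone, since the address bytes differ).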
But the code in the cartridge should take control first. And the firmware normally starts before the cartridge. Or am I missing something here?
The firmware does not always start before the cartridges. It depends on the firmware.
In most firmware there is a key to prevent the firmware from running.
Panasonic has also provided a software solution. I found it by disassembling the beginning.
Sony uses the H.STKE hook to run the firmware after scanning roms. So, just change this hook to prevent the execution. (It must be done taking into account that other cartridges can also use this hook.)
Firmware that does not use these methods cannot be bypassed by software. This is the case of the Panasonic FS-A1FM and the Hitachi MB-H1/H2 for example. These should be patched or removed if they cause problems.
It's maybe also a problem of speed. When modifying an addon for an online JavaScript game to make it compatible with Tampermonkey, I had to create a loader because the server hosting the game is slower than Tampermonkey (the real cause is of course the way the game itself is coded).
As the addon modifies the game, it must come only when the game is fully loaded in the browser. Without the loader, it was not the case...
Mars2000, you got the wrong thread!
I like analogies!
But the code in the cartridge should take control first. And the firmware normally starts before the cartridge. Or am I missing something here?
The firmware is only started before the cartridge if it is in a lower slot. In most MSXs the firmware is therefore in slot 3.
The Toshiba HX-34 firmware seems bypassable by writing 8 to I/O port 082h, but I don't have this computer to test and this port does not seem to be emulated. Does anyone have an HX-34 to test?
Here is the test ROM:
https://www15.zippyshare.com/v/78GekRxf/file.html
I like analogies!
Where is the analogy?