Monday, November 14, 2011

To actually create CF images is a complicated process; it isn't a case of just copying a file.

-- From Android -- Grin

About the protection mechanism of the compact flash...

The things are always in the same place on the card, and everything is based on 2 bytes that you read from the ATA Identify command and the 8 manufacturer bytes of the card.

It is important to ALWAYS start with a card freshly formatted with FAT16, because this way the sector addresses of the mechanism always correspond to the same addresses inside the game file.

You need to read the 20-digit serial number returned by the ATA Identify command.

This serial number is different from card to card, but the first 10 bytes are always the same in all 4 Sega cards I have, so I suppose they will always be the same.

At address 0x24 of the 256-byte structure that was read there is an ASCII value of "00", which means the value is 0x3030. This is the same for all the Sega CF cards that I have, and it is the value used as the offset for calculating the position of the protection elements inside the card.

To put a new game on the card:

1) You need to format the card with FAT.
2) Open GAME.BIN (the binary file of the game, decrypted) and make a CRC32 of it.
3) Take the result and XOR it with 0xFFFFFFFF.
4) Open a header file, ABC.bin, and store the result of the CRC32 calculation at address 0x08-0x0B; the byte order of the CRC32 is low byte first and high byte last.
5) Copy ABC.bin (the file containing the header for the game) to the CF card.

If all is OK, ABC.bin will start at sector 520 of the CF card and GAME.bin will start at sector 536 of the CF card. This is very important, because if not, the addresses of the game that we need to patch will change.

So you need to go to sector 0x3030 + 0x20 -> 0x3050 -> sector 12368, which corresponds to the GAME.bin address (12368-536)*512 = 0x5C7000 (this is always the same if your game starts at sector 536 of the CF card). Copy these 256 bytes to a file.

Then go to sector 0x277 -> sector 631, which corresponds to the Game.bin address (631-536)*512 = 0x0BE00-0x0BFFF. Copy these 256 bytes to a second file.

Make an XOR of the two 512 files using a program like XORIT.

Then overwrite the data at 0xBE00-0xBFFF of the game with the data produced by the XORIT program and save it to Game.bin.

Copy the GAME.bin to the card.

This is the first part of the protection mechanism. Now the game will load successfully on the Naomi, Triforce or Chihiro, but after 5 minutes the Naomi will reset with error 26, mediaboard malfunction.

The second part of the protection mechanism consists of making a checksum of one sector of Game.bin and storing this checksum on the CF, but outside game.bin and abc.bin (the header file). This links the game to the CF card, and this way it is impossible to copy only the game files to another card, as this will trigger the second protection mechanism.

So to accomplish this part, it is necessary to go to sector 0x3030+0x19=0x3049 --> 12361, game.bin address (12361-536)*512=0x5C6200-0x5C63FF.

You need to get this sector and make a 32 bytes checksum by adding the data as 32 bytes DWORDs, with a result of a 32 bytes DWORD.
It is important that the data is read 4 bytes at a time like this ---> B1*256*256*256+B2*256*256+B3*256+B4, and this is stored in a 32 bytes DWORD and added to the next 4 bytes.

The result of the sum of the 512 bytes in 4-byte packets will be stored in card sector 0x1D7 --> sector 471, offset 0x38, which is located in the second copy of the FAT.

To store this value, you need to open the card with WinHex, then go to sector 471 and at offset 471 store the 4-byte checksum, lowest byte first and highest byte last.
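The sector arithmetic and the two integrity values described above, as an added Python example for checking a card dump (not code from the original post). It assumes the post's layout (GAME.BIN starting at sector 536), zlib's standard CRC-32, and reads the post's "DWORD" sum as a 32-bit value that wraps on overflow; all function and constant names are hypothetical.

```python
import struct
import zlib

SECTOR = 512
GAME_START = 536                 # first sector of GAME.BIN on a freshly formatted card (from the post)
ID_OFFSET = 0x3030               # ASCII "00" at 0x24 of the ATA Identify data (from the post)
KEY_SECTOR = ID_OFFSET + 0x20    # 12368: sector XORed into the game
PATCH_SECTOR = 0x277             # 631: sector of the game that receives the XOR result
SUM_SECTOR = ID_OFFSET + 0x19    # 12361: sector covered by the card-bound checksum


def game_offset(sector, game_start=GAME_START):
    """Byte offset inside GAME.BIN of an absolute card sector."""
    if sector < game_start:
        raise ValueError("sector lies before the start of GAME.BIN")
    return (sector - game_start) * SECTOR


def header_crc_field(game):
    """Bytes expected at 0x08-0x0B of the header: CRC32 XOR 0xFFFFFFFF, low byte first.
    The post computes this in step 2, before the XOR patch is applied."""
    return struct.pack("<I", (zlib.crc32(game) ^ 0xFFFFFFFF) & 0xFFFFFFFF)


def sector_checksum(sector):
    """Sum of the sector's 128 big-endian 32-bit words (B1 is the high byte)."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    # Assumption: the running sum wraps at 32 bits.
    return sum(struct.unpack(">128I", sector)) & 0xFFFFFFFF


def check_dump(game, header, stored_sum):
    """Compare recomputed values with the bytes found in a dump."""
    off = game_offset(SUM_SECTOR)
    if len(game) < off + SECTOR:
        raise ValueError("GAME.BIN is too short to contain the checksummed sector")
    expected_sum = struct.pack("<I", sector_checksum(game[off:off + SECTOR]))
    return {
        "header_crc": header[0x08:0x0C] == header_crc_field(game),
        "card_checksum": stored_sum == expected_sum,  # stored low byte first
    }


if __name__ == "__main__":
    # Constructed sample data, not a real game image.
    game = bytes(game_offset(SUM_SECTOR)) + b"\x00\x00\x00\x01" * 128
    header = bytes(8) + header_crc_field(game) + bytes(4)
    print(hex(game_offset(KEY_SECTOR)), hex(game_offset(PATCH_SECTOR)))
    print(check_dump(game, header, struct.pack("<I", 128)))
```

`stored_sum` is passed in as the 4 bytes read from the card, so the caller decides which location in sector 471 to read them from.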


tak said...

looks like a tool is on its way :)

werejag said...

thank you.

I'll host it also when it is released. Tired of people profiting on something that should be out there for free

Ace` said...