Part 1: Dumping the Triforce-IPL

I’ve already described that the heart of the beast is a basically unmodified retail Gamecube board. Rumors tell it has 48MB of (MEM1-)RAM, but based on the memory chip quantity and description, I cannot confirm that – they exactly match a retail Gamecube. As a side note, games seem to be 512MB max. I won’t give any further comment about the possible implications of these facts ;).

What is modified compared to a retail Gamecube board, however, is the IPL: a different one is installed. The IPL is basically the BIOS of the Gamecube. It’s stored in a serial ROM chip in encrypted form. This encryption has already been partially cracked, which allowed the development of hardware devices that override the stock IPL with a custom variant. There exist several homebrew and commercial modchips ([1], [2]). While those devices can be used to install a BIOS mod which enables piracy, they are also very helpful for running homebrew software right from the start.

To dump the IPL of the Triforce Gamecube board, I’ve attached a qoob modchip to the Triforce board. This allowed me to override the Triforce IPL with my own code. I’ve then flashed a modified version of my IPL replacement, which allowed me to dump the Triforce IPL. I had to force progressive video mode to make the VGA video output of the Triforce work correctly (it doesn’t seem to set the correct ID pins). One small problem is that the original setup uses the serial 1 port for the IO board, whereas I need it for the network adapter (BBA). But it’s possible to disconnect the serial port and attach the BBA if you remove the BBA housing. It’s not nice, but it works. (The problem is that the physical space is rather constrained, but without an extension cord for the proprietary serial and DI connectors, it’s impossible to use the Gamecube board outside of the Triforce power supply, which in turn is coupled to the IO and Media board. Some slight PCB bending, however, allows using the BBA in the Triforce setup – no showstopper here. Note that it’s also possible to use the Gamecube board in a stock Gamecube housing.)

A quick analysis of the (quite small) IPL shows that it reads the next loader from the media board, possibly using simplified or custom DI commands. If you boot without the media board, all you get is a “MEDIA BOARD MISSING” error message. If you install the media board (without the DIMM board), you get the Triforce logo and an error message that the DIMM board doesn’t work. This leads to the conclusion that the logo and the rest of the loader are stored in the Media Board flash memory.

The next step will be acquiring an image of what’s contained there, preferably using the DI. If I can’t work this out, I need to resort to reading out the flash directly, or to inserting debug hooks in the IPL and then running it.

(Sorry, I don’t have pictures of the setup yet, but I will provide them. My jailbroken iPhone didn’t save the pics. That’s what you get when using hacked software ;)
