Decrypted Gamecube IPL -- Reverse engineering by Xayrga at 4:19 PM EDT on July 13, 2016
Was wondering if anybody knew anything about the GameCube IPL. I've managed to decrypt it and have been pulling it apart.


Here's what I know.

From 0x00-0x100 it has a DOL header which is corrupted (likely ignored; Gekko boots at 0x100).

(Below is DOL header contents)
0x3 - Text 256
0x7 - Text 0
. . .
--------
0x1F - Data 0
. . .
--------
--------
0x4B - Text-A 2167406592 !!!
0x4F - Text-A 0

. . .
--------
0x67 - Data-A 0
. . .
--------
--------
0x93 - Text-S 2095072
0x97 - Text-S 0
...
--------
0xAF - Data-S 0
.... ... ..
0xDF - BSS Memory at 0 size of 0
0xE3 - Entry point at 2167406592 !!!
!! Cannot dump blocks, DOL header is corrupted.

That's the contents of what the DOL header gave me; it points past EOF, so it's corrupted.


I was exploring the file a bit when I found entries that look like GameCube FST, and sure enough it was; however, I don't know where this FST starts. The IPL appears to set up the OS, with the main menu just being a ROM that directly boots the game in the drive.

Within this filesystem several files are listed. There are GameCube stream format sounds

/stream00.adp.../stream01.adp.../stream02.adp.../stream03.adp.../stream04.adp.../stream05.adp.../stream06.adp.../stream07.adp...

as well as an implementation of BMS (JAudio, or whatever the sequenced audio engine is called):


ipl_0.aw

/Banks/.

......Banks/ipl.bnk (Just by manually checking the data surrounding these, it is indeed sequence data)

......Banks/ipl.ws


Other files include a stream file for the opening sequence:

/boot_demo_base_cube.1.SH
/boot_demo_cover_cube.base32
/cube_mat1


There are various unused strings within the ROM as well, one referencing a completely unreleased Pokemon game!

"Pokemon Stadiummmmmm"
"Gameplay.Pokemon Stadiummmmmm"
"pokemon kingin.2000"
"The new PokeMon Stadium!"

These were likely strings to test the memory card screen, or the "GAME PLAY" screen. Following this looks like texture data.


Right, so I don't know where the filesystem in this ROM is, or where to find the start of it. But here's a copy of the decrypted BIOS.


First, here's the XOR pad for decrypting the BIOS:


http://xayr.ga/rom/ipl_xor.pox (Does not include the first 0x100 bytes; if you're going to use this, remember to seek past!)


aaaand here's the BIOS:

http://xayr.ga/rom/ipl_decrypted.bin


If you'd like, take a crack at it, and see if you can locate the start of the filesystem.





edited 4:21 PM EDT July 13, 2016

edited 4:24 PM EDT July 13, 2016
by 47iscool at 9:33 PM EDT on July 14, 2016
The guys at GC forever might like to know this.
by Xayrga at 9:15 AM EDT on July 15, 2016
@47iscool

Thanks! I threw a post over there in softmodding.
by AnonRunzes at 3:53 PM EDT on July 15, 2016
So how am I going to use the XOR pad? Can you at least give me some pointers?
by 47iscool at 10:34 PM EDT on July 17, 2016
Welcome