Sonic and Sega Retro Message Board: Is there any way of reading an iPhone's active memory? - Sonic and Sega Retro Message Board


Is there any way of reading an iPhone's active memory? Wish to rip some iOS Mega Drive roms...

#1 MarzSyndrome

Posted 20 June 2011 - 12:21 PM

  • Posts: 373
  • Joined: 03-November 08
  • Gender:Male
So obviously, many of the Mega Drive/Genesis ports for iOS store their roms in an encrypted file named "pack1.fsys" (with a couple of odd exceptions). Just now I tried using I-FunBox to search across my iPhone 4's entire flash space to see if a game decompresses a "rom.bin" file at some remote location while the game is running, but no dice.

I'm mainly interested in ripping roms because I know that some of them have been modified from their original incarnation, much like how the roms on Sonic Classic Collection were altered. A quick google of "pack1.fsys" reveals that nobody to date has taken a closer look at the format.

So, have Apple conveniently left a hole for RAM-examiners to plunge into?

#2 Covarr

Posted 20 June 2011 - 02:22 PM

  • Sentient Cash Register
  • Posts: 1844
  • Joined: 05-February 07
  • Gender:Male
  • Location:Over there
  • Wiki edits:1
This might help. It's unfortunately all I could find on memory dumping the iPhone.

#3 LocalH

Posted 27 June 2011 - 04:18 AM

  • roxoring your soxors
  • Posts: 3043
  • Joined: 11-January 03
  • Gender:Male
  • Location:wouldn't you like to know
  • Project:MDEM - Genesis programming stufz
  • Wiki edits:3
That actually looks like a pretty decent tutorial, first part of it is exactly dumping memory. Haven't tried it yet but I'm not near my computer ATM.

#4 MarzSyndrome

Posted 29 January 2012 - 08:19 PM

  • Posts: 373
  • Joined: 03-November 08
  • Gender:Male
Well I've tried many times to get the hang of that guide, but just can't make head nor tail of it. Not to mention many similar sites I've come across seem to concentrate wholly on decrypting executables when that's not what I'm after. =P


Anyone with an iPhone/iPad and programming knowledge able to help out?

#5 sonicblur

Posted 29 January 2012 - 10:29 PM

  • Posts: 566
  • Joined: 18-February 08
  • Gender:Male
  • Wiki edits:6

MarzSyndrome, on 29 January 2012 - 08:19 PM, said:

Well I've tried many times to get the hang of that guide, but just can't make head nor tail of it. Not to mention many similar sites I've come across seem to concentrate wholly on decrypting executables when that's not what I'm after. =P

Anyone with an iPhone/iPad and programming knowledge able to help out?

Most people with iPhone/iPad programming knowledge will NOT be able to help out. Using GDB on jailbroken devices is nothing like using the GDB debugger via Xcode. The biggest difference is anyone who is doing development is going to have source level debugging, which you're not going to get loading someone else's binaries up. You're limited to direct memory address dumps and breakpoints. Regardless, I took the time to learn this side of things when Sonic CD came out, which is how I got a couple of the oggs out a week before Glitch released his extractor. (He beat me to that part, since I only had the decryption part of it done when he released his tool.) So here is some information that may or may not help you.

In an ideal world, you could just dump everything and look through the complete dump. The problem with GDB is that you need as much memory free as you want to dump. If you want to dump 12MB of RAM, 12MB needs to be free. I was using a jailbroken 1st gen iPod touch running iOS 3, because 4 and up have address layout randomization and iOS 3 didn't have that yet. (I'm not sure if this is a problem on jailbroken iOS 4+ devices or not.) But the 1st gen devices have only 128MB of ram, so any time I tried to dump more than a few megs of RAM either the device would freeze or the game would crash and you wouldn't be able to resume from the current breakpoint. What I ended up doing to get the music from memory was dumping the decrypted executable by following those instructions, then I loaded that dump into IDA (the free version will do, it supports iPhone executables) and found the relevant code that loads and decrypts data. Then I set a breakpoint after a file had been decrypted and looked at the address in the stack pointing at where the data had been decrypted to. That helped me isolate the 1MB or so I needed to dump.

If you have a newer device, you might just be able to dump random regions to find what you're looking for, provided there is enough memory free.
The "mach-regions" command will list every memory region in use by the application running. There will be many of them. Just go ahead and dump each region one by one until you find what you're looking for inside one of the dumps. It's very likely that what you're looking for will be somewhere in the first ~15 regions. I found that with Sonic CD, the higher regions just seemed to have OS level stuff for frameworks the game linked against, whereas the lower regions were the game's actual heap.

Does that help? Don't dump outside of the valid regions listed by the "mach-regions" command, the device usually locks up when you try to do that.

#6 MarzSyndrome

Posted 30 January 2012 - 07:09 AM

  • Posts: 373
  • Joined: 03-November 08
  • Gender:Male
It's a white iPhone 4 with iOS 4.3.3 pre-installed on it (and there's no reason for me to update it so far). I jailbroke it already so I should have full access to Cydia and terminal commands.

Is "mach-regions" included with any particular package, or GNU Debugger? What are the correct terminal commands I should be using (parameters included)? Do I need to have the phone connected to the PC at the time, or is it possible to do it all on the phone only?

#7 sonicblur

Posted 30 January 2012 - 08:46 PM

  • Posts: 566
  • Joined: 18-February 08
  • Gender:Male
  • Wiki edits:6

MarzSyndrome, on 30 January 2012 - 07:09 AM, said:

It's a white iPhone 4 with iOS 4.3.3 pre-installed on it (and there's no reason for me to update it so far). I jailbroke it already so I should have full access to Cydia and terminal commands.

Is "mach-regions" included with any particular package, or GNU Debugger? What are the correct terminal commands I should be using (parameters included)? Do I need to have the phone connected to the PC at the time, or is it possible to do it all on the phone only?

mach-regions is a gdb command. If you follow the guide you found, that gets you to the point where you're running gdb and can dump memory.
The GDB console has its own commands, and on iOS and Mac OS X, "mach-regions" is one of the commands you can enter. So is the "dump ram.bin address size" command which the guide you found details.

You need to enable developer mode in Cydia, install the developer tools which will install GDB. Then you just SSH into your phone, launch the app, use "ps -A" to get the process ID of the game, start GDB with that process "gdb -p #" where # is the process ID from your previous step.

You can do this all over Wifi, there's no need to leave the phone connected.

#8 Irixion

Posted 30 January 2012 - 09:12 PM

  • Posts: 1320
  • Joined: 30-December 04
  • Gender:Male
  • Location:Ontario, Canada
  • Project:Life
  • Wiki edits:152
Umm, you could like, open up the .ipa in winrar or something and look at the contents, you may have more luck getting stuff that way.

#9 MarzSyndrome

Posted 30 January 2012 - 09:32 PM

  • Posts: 373
  • Joined: 03-November 08
  • Gender:Male

Irixion, on 30 January 2012 - 09:12 PM, said:

Umm, you could like, open up the .ipa in winrar or something and look at the contents, you may have more luck getting stuff that way.
That's not what this is about (and I already know IPAs are basically zips anyway). The idea is to extract decrypted data out of an encrypted file within the package that's evidently to do with the rom the emulator uses. Memory dumping worked great with the PC Smash Packs, but later Sega commercial emulators seem to make it ever harder.

#10 MarzSyndrome

Posted 31 January 2012 - 03:43 PM

  • Posts: 373
  • Joined: 03-November 08
  • Gender:Male
Well, set my Cydia to Developer mode, found GNU Debugger and attempted to install it, only to keep getting this:

Quote: I wasn't able to locate file for the sqlite3-lib package. This might mean you need to manually fix this package.

Any suggestions?

#11 sonicblur

Posted 31 January 2012 - 07:15 PM

  • Posts: 566
  • Joined: 18-February 08
  • Gender:Male
  • Wiki edits:6

MarzSyndrome, on 31 January 2012 - 03:43 PM, said:

Well, set my Cydia to Developer mode, found GNU Debugger and attempted to install it, only to keep getting this:

Quote: I wasn't able to locate file for the sqlite3-lib package. This might mean you need to manually fix this package.

Any suggestions?

Install that package first???
I had some problems with Cydia calculating dependencies properly as well, I had to manually install some of them.

#12 MarzSyndrome

Posted 17 February 2012 - 06:07 PM

  • Posts: 373
  • Joined: 03-November 08
  • Gender:Male
Yeah, turns out it was just a case of refreshing the Cydia cache or whatever those automatic updates are related to. So I'm all SSHd and gdb'd up!


Exceeeeeeeeeeeeeeept now it seems - even after lots of memory dumping - I still can't find any MD rom buried away. I even dumped over 200Mb of memory at once at some point, even though it was causing my iPhone's HD space to disappear and incur tons of lag. Still bugger all after all that effort.


This leads one to believe that either the rom gets loaded into a completely different part of the RAM entirely, or it remains in a compressed form even after loading and the emulator is decompressing/decrypting it on-the-fly. Yes, I tried OffZip to check for zlibbed chunks and it came up with nothing.


For the record, I was testing it all out with the Phantasy Star II port. A more skilled programmer might have a better idea as to what kind of wizardry Sega's developers have come up with these days. It really does seem like only the 90's Smash Packs and console versions of collections are susceptible to raw memory exposure...

#13 Skyler

Posted 18 February 2012 - 05:04 AM

  • Posts: 2621
  • Joined: 26-January 09
  • Gender:Male
  • Location:West Sacramento, CA
  • Project:Going mad with POWERRRRRR
  • Wiki edits:136
What games do you have? If it helps any, Sonic Spinball isn't encrypted. Inside of the ipa, there's the rom.bin - and even the Japanese version (rom-j.bin, I think).

#14 MarzSyndrome

Posted 18 February 2012 - 06:17 AM

  • Posts: 373
  • Joined: 03-November 08
  • Gender:Male
For the record, the following games all use an encrypted/compressed "pack1.fsys" file:

Altered Beast
Ecco the Dolphin
Golden Axe
Golden Axe II
Golden Axe III
Gunstar Heroes
Phantasy Star II
Shining Force
Space Harrier II
Streets of Rage
Streets of Rage 2
Streets of Rage 3
Virtua Fighter 2


In other words, the majority of the series. Only Sonic 2, Sonic Spinball, and v1.0 (not later versions) of Sonic 1 use a plain "rom.bin" file it seems.

It would help if at least one of us could work out what kind of format "pack1.fsys" is in. It's not ZLib (otherwise OffZip would unpack it) for one thing. Let's just hope it's not some new, proprietary algorithm.

#15 MarzSyndrome

Posted 18 February 2012 - 01:10 PM

  • Posts: 373
  • Joined: 03-November 08
  • Gender:Male
Okay, slight change of topic, but just now I tried to see if I could make my own rom dumps of the Sonic Classic Collection games by using DeSmuME's memory viewer/dumper, and even in this I can't find any damn ROM in memory while a game is running!

Seriously, I must not be doing something more specific with my memory combing. I'm searching for typical words like "SEGA" and "Sonic" or "Phantasy" that would typically pop up in a header, yet every single RAM dump I've made so far, be it DS or iOS, has failed to reveal these.


What the frigg? Somebody care to explain this one for me pretty please?
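One reason a plain "SEGA" text search over a dump can come up empty is that an emulator may keep the ROM with each 16-bit word byte-swapped for the host CPU, so the header reads as "ESAGM GE..." in memory. The carver below is an added example (not code from anyone in this thread): it locates Mega Drive ROMs in a raw dump by the standard header layout rather than a loose string match, validates the start/end address fields and the header checksum, and scans both the plain and the word-swapped form. It assumes the standard Mega Drive header layout and that any word swapping is aligned to even offsets of the dump; the sample dump is constructed.

```python
"""Carve Mega Drive / Genesis ROMs out of a raw memory dump by header, not a string search.
Added example, not from the thread. Standard header: console name at ROM+0x100,
checksum at 0x18E, ROM start/end at 0x1A0/0x1A4; checksum = big-endian word sum
from 0x200 to the end mod 2**16. The word-swapped pass is an added generalisation:
an emulator may hold the ROM with each 16-bit word byte-swapped for little-endian
access, which hides "SEGA" from a text search. Assumes even-aligned swapping."""
import re
import struct

SIGNATURES = (b"SEGA MEGA DRIVE", b"SEGA GENESIS")

def swap_words(data: bytes) -> bytes:
    """Swap the two bytes of every 16-bit word (a trailing odd byte is dropped)."""
    return bytes(data[i ^ 1] for i in range(len(data) & ~1))

def header_checksum(rom: bytes) -> int:
    """The checksum the console computes: big-endian word sum from 0x200 to the end."""
    body = rom[0x200:len(rom) & ~1]
    return sum(struct.unpack(">%dH" % (len(body) // 2), body)) & 0xFFFF

def carve_roms(dump: bytes) -> list:
    """Return one dict per plausible ROM, scanning the dump as-is and word-swapped."""
    hits = []
    for swapped, buf in ((False, dump), (True, swap_words(dump))):
        for sig in SIGNATURES:
            for m in re.finditer(re.escape(sig), buf):
                start = m.start() - 0x100  # the signature sits at ROM offset 0x100
                if start < 0 or start + 0x200 > len(buf):
                    continue
                rom_start, rom_end = struct.unpack(">II", buf[start + 0x1A0:start + 0x1A8])
                size = rom_end + 1
                if rom_start != 0 or size < 0x200 or start + size > len(buf):
                    continue  # header fields do not describe a ROM that fits the dump
                rom = buf[start:start + size]
                stored = struct.unpack(">H", rom[0x18E:0x190])[0]
                hits.append({"offset": start, "size": size, "swapped": swapped,
                             "name": rom[0x150:0x180].decode("ascii", "replace").strip(),
                             "checksum_ok": stored == header_checksum(rom)})
    return hits

def build_sample_dump() -> bytes:
    """Constructed input: zero padding, a 1 KiB fake ROM, padding, the same ROM word-swapped."""
    header = bytearray(0x200)
    header[0x100:0x110] = b"SEGA MEGA DRIVE "
    header[0x150:0x180] = b"PHANTASY STAR II".ljust(48)
    header[0x1A0:0x1A8] = struct.pack(">II", 0, 0x3FF)
    rom = bytes(header) + bytes(range(256)) * 2  # checksum covers 0x200 onward only
    rom = rom[:0x18E] + struct.pack(">H", header_checksum(rom)) + rom[0x190:]
    pad = b"\x00" * 0x300
    return pad + rom + pad + swap_words(rom) + pad
```

A hit with `checksum_ok` False is still worth a look, since not every commercial ROM shipped with a matching header checksum; the flag separates a real header from a stray copy of the signature string.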
