GameCube IPL / GameCube bootROM - ROM map and GameCube IPL XOR decryption

[Borg Number One]

GameCube IPL / GameCube bootROM - ROM map and GameCube IPL XOR decryption
...and some questions about.

Since Aug-2015 in Swiss you can dump the 2Mbyte GameCube's IPL Mask ROM / bootrom to the decrypted IPL ROM file: ipl_clear.bin and the file: ipl.bin

• swiss-gc issue #121: Create System device which IPL and SRAM can be dumped from : https://github.com/emukidid/swiss-gc/issues/121

• swiss-gc commit #140: Add virtual system device to allow dumping ROMs : https://github.com/emukidid/swiss-gc/pull/140

It is a really great feature of Swiss. Thanks a lot.


Checksum of my IPL backups [MD5, SHA1, CRC32]:
ipl_clear.bin , ca904bc72ad481a86669376b94cfa3df , 85348ba22af82b4bb78f0360cb1b149cdd675d4d , 730d5f76
ipl.bin , 0cdda509e2da83c85bfe423dd87346cc , f27c63e5394e2fd1606f70df004c4fc2d6027700 , 4f319f43

From the point of view of the educational purpose, I did open both (ipl_clear.bin and: ipl.bin) in the differencing and merging tool "WinMerge".
(a well known tool like: "WinDiff").


As you can see the first 0x100 bytes (0x00000000 - 0x000000FF) are identical.
So the first 0x100 bytes are not encrypted - a well known fact (YAGCD -- 10.3.1 Memory Map (Europe/PAL))

The next area from:
0x00000100 to 0x001AEEE8
there is the GameCube BIOS - it seems to be right regarding to the YAGCD -- 10.3.1 Memory Map (Europe/PAL).

Well, the confusing thing is the next part from:
0x001AEEE9 to 0x001AFEFF.
Inside the decrypted ipl_clear.bin there is data (encrypted/scrambled data?).
But inside the encrypted ipl.bin there are 4120 times (0x1018 times) the 0x00-Byte.


Strange thing : misc binary data (0x001AEEE9 to 0x001AFEFF) is encrypted to 4120 times (0x1018 times) the 0x00-Byte?
In other words: inside the area from 0x001AEEE9 to 0x001AFEFF there are 4120 times 0x00-Byte (in the encrypted ipl.bin) wich will be decrypted to misc binary data in ipl_clear.bin?


++side note++
The rest of the data from:
0x001AFF00 to 0x001FFFFF (end of IPL ROM dump / EOF)
is unencrypted and it is the same in decrypted ipl_clear.bin and in encrypted ipl.bin.

-->
This matches the information from YAGCD -- 10.3.1 Memory Map (Europe/PAL)
++side note**

What is the sense of the data from 0x001AEEE9 to 0x001AFEFF and why is it "0x00" in the encrypted ipl.bin file?

For educational purpose:
Is there a way or a tool (or online tool) to get the XOR cyphertext / cypher key code by ?un-XOR-ing? (is this the right word? ) the decrypted and encrypted part of the IPL ROM?
Maybe is there a tool where I can first put in the encrypted part of ipl.bin file and then put in the decrypted part of the ipl_clear.bin file and then get the XOR cypher key from the tool?

[Extrems]

What is the sense of the data from 0x001AEEE9 to 0x001AFEFF and why is it "0x00" in the encrypted ipl.bin file?

It varies with the IPL ROM revision. 1.2 has ciphered padding there.

[creedof69]

Hello, I'm new to the Forum so sorry if replies aren't allowed. I gived myself the project to fix the PAL bios on the vWii (Wii mode of the Wii U). The NTSC bios works but not the PAL because it uses a resolution/framerate ratio not supported by the Wii U's processor (from what I understand). So the idea would be to patch the PAL bios so that it uses the same resolution as the NTSC, or else patch the NTSC bios so that it recognizes PAL games instead of USA (even if only the English language will be available). I compared different bios region and versions by hexadecimal, did several "swap" tests but I can't get anywhere since no information can be extracted because they are encrypted. That's when I searched for "decrypted Gamecube bios" on the Internet and I came across this Forum. Do you have any advice or clues to give me? thanks in advance.