English Amiga Board


Old 02 January 2013, 17:54   #1
dlfrsilver
CaptainM68K-SPS France
Join Date: Dec 2004
Location: Melun nearby Paris/France
Age: 40
Posts: 7,176
copy protections hacking on CPS-1 hardware

I have lately been creating unprotected sets for the Capcom CPS1 system protected by suicide battery. You remember Parasol Stars on Amiga with its 17 or 18 checksums?

A game like Slam Masters uses 67 checksums which are XORing the tile layer bit enable/disable, with indirect use in registers....

It looks like a sort of hardware copylock, with hardware chip CPS-B address modifications.

I have also done the Three Wonders Euro phoenix set and also the Japanese release, Wonder 3 Jap. This one alone needs 350 modifications in the code.

Btw, the tile layer enable/disable is very simple and very complex, and is based on a word: for instance, a single Move #$12C0, D0 and move D0, $800160 (this value can change from game to game protected by the battery) displays no layers.

The activation is done by using bits: a game like Slam Masters uses bit 2 (0x0004) for layer 0, bit 3 (0x0008) for layer 1 and bit 4 (0x0010) for layer 2.

To display layer 0 it's like 12C0+04=12C4. $12C4 is the word when pushed in the address register $80016a (control video register). For layer 1, $12C8 and layer 2 $12D0. You can there mix the values, like displaying layer 0 and 1 or 1 and 2 or 0,1,2 all together. $12DC displays all the layers at the same time.

What I have discovered is that the CPS-1 games are games coded with a specialized tool to gain some development time, and made of clever and very clean ASM routines, all tied together by a C linker.

I have done Warriors of Fate ETC latest revision, Slam Masters ETC, Three Wonders, King of Dragons ETC (both releases, only the latest has still a missed checksum, I must clear that out), both JAP releases, The Punisher ETC, Captain Commando, etc etc.....

I'm actually fighting with Quiz and Dragons, which also has checksums to defeat, and also Capcom World 2 Jap.

Muscle Bomber Duo ETC and Varth Japan are in the pipe too.
Old 03 January 2013, 15:22   #2
Retroplay
Lemon Curry ?

Join Date: Sep 2004
Location: Denmark
Posts: 2,928
Suicide batteries?

So once the batteries are dead, the games are lost for good without any means to recover them again?
Old 03 January 2013, 15:50   #3
blankstare
Banned

 
Join Date: Apr 2010
Location: United Kingdom
Posts: 14
The battery powers a chip that holds the decryption keys for the game. Without power, the decryption keys are no longer accessible so the game doesn't function.

It is possible to hack the hardware to obtain the decryption keys or to install a new battery circuit.
Old 03 January 2013, 19:53   #4
dlfrsilver
There is no encryption going on, on CPS1 games. Not a single line of it. The fact is that the ppu2 on the C board is able to use custom (understand other than the default ones) hardware address registers.

When the battery dies those parameters are lost. Since the games have been coded with them in mind, when the game code asks to display the graphic layers, the ppu2 is unable to recognize them.

In order to make the game work again, you need to patch all the hardware addresses related to layers enable/disable words, patch the ctrl video register, multiply protection, priority masks, etc etc. There is even a ppu2 (read cps-b-21-10014) hardware check which is by the way not present on all games.

The worse thing is that some of the games are doing XORing on the hardware layers values, so if you patch them, you need to modify the XOR routines which are nothing more than checksum protection.

Knights of the Round has 19 checksums buried inside its code, and Slam Masters has 67 checksums all in all.

Encryption only applies to CPS-2.

And the C board hardware patch is needed to force the ppu2 to use the default registers by sending it 5 volts on pins 45 and 46.

This chip has many uses inside games.

Last edited by dlfrsilver; 03 January 2013 at 20:57.
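
Added example, not part of any post in this thread: the layer-enable word arithmetic from post #1 and the mismatch described in post #4, worked through in C. Only the $12C0 base word and the Slam Masters bits come from the thread; the `FALLBACK_CONSTRUCTED` bit assignment and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Which bit of the control word enables each of layers 0..2. */
typedef struct { uint16_t bit[3]; } layer_map;
/* From the thread: Slam Masters uses bit 2, bit 3 and bit 4. */
static const layer_map SLAM_MASTERS = { { 0x0004, 0x0008, 0x0010 } };
/* CONSTRUCTED fallback bits for illustration; the thread does not give them. */
static const layer_map FALLBACK_CONSTRUCTED = { { 0x0002, 0x0004, 0x0008 } };
#define BASE_WORD 0x12C0u /* word that "displays no layers" (post #1) */

/* Build the control word; bit i of `layers` selects layer i. */
uint16_t encode_layers(const layer_map *m, unsigned layers)
{
    uint16_t w = BASE_WORD;
    for (int i = 0; i < 3; i++)
        if (layers & (1u << i))
            w |= m->bit[i];
    return w;
}

/* Bitmask of layers a chip wired as `m` would show for word `w`. */
unsigned decode_layers(const layer_map *m, uint16_t w)
{
    unsigned layers = 0;
    for (int i = 0; i < 3; i++)
        if (w & m->bit[i])
            layers |= 1u << i;
    return layers;
}

/* Re-express `w` for a chip wired as `to`, keeping all non-layer bits. */
uint16_t remap_word(const layer_map *from, const layer_map *to, uint16_t w)
{
    uint16_t mask = from->bit[0] | from->bit[1] | from->bit[2];
    uint16_t out = (uint16_t)(w & ~mask);
    unsigned layers = decode_layers(from, w);
    for (int i = 0; i < 3; i++)
        if (layers & (1u << i)) out |= to->bit[i];
    return out;
}

int main(void)
{
    uint16_t all = encode_layers(&SLAM_MASTERS, 7); /* layers 0, 1 and 2 */
    printf("%04X: game map shows mask %u, fallback map shows mask %u\n", (unsigned)all,
           decode_layers(&SLAM_MASTERS, all), decode_layers(&FALLBACK_CONSTRUCTED, all));
    return 0;
}
```

The same word decodes to a different set of layers once the bit assignment changes, which is why every layer word in the game code (and every XOR check over those words) has to agree with the chip's current assignment.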
Old 03 January 2013, 21:48   #5
lilalurl
T32
Join Date: Aug 2001
Location: France
Age: 38
Posts: 2,834
Technical details about the suicide battery and the resurrection process for those interested:

http://cps2shock.emu-france.info/suicide.html


Hmmm, this reminds me of the time when decryption tables were made for each CPS-2 game and people were waiting (on the retrogames.com forums) for support to be implemented in Final Burn.
Old 03 January 2013, 22:36   #6
dlfrsilver
CPS-1 protection has nothing in common with CPS-2 and the technical details from cps2shock are useless about CPS-1 suicide battery protection.

To say the least, there is no document readable by anyone on the net explaining the how and who's of the protection. Even the MAME driver for CPS-1 is cryptic.....
Old 03 January 2013, 23:59   #7
lilalurl
Ah, I did not know they were not related. My mistake then.
Old 04 January 2013, 01:08   #8
dlfrsilver
The CPS-2 system uses chunks of encrypted code, while CPS-1 relies on hand-set hardware registers kept alive by a battery inside the PPU2 aka CPS-B-21-10014.
Old 04 January 2013, 01:57   #9
lesta_smsc
Registered User

Join Date: Feb 2012
Location: United Kingdom
Posts: 1,223
I thought these 'ROMS' were already available... or are you tackling something different? Sorry for my ignorance.
Old 04 January 2013, 04:16   #10
dlfrsilver
I have created sets for software revisions unsupported until now. Just visit the arcade suicide website.
Old 05 January 2013, 13:05   #11
lesta_smsc
Cool, will definitely take a look. Have you forwarded on the details to the MAME development team?
Old 06 January 2013, 04:11   #12
dlfrsilver
They are already aware of how it works. However, I have finally found how the mask layer enable works fully on Quiz and Dragons; it was not that hard to find.
Old 06 January 2013, 15:16   #13
lesta_smsc
Great stuff! I'm hoping this fruits into working versions of such (and other games).