Reverse Engineering the CIC

Discuss hardware-related topics, such as development cartridges, CopyNES, PowerPak, EPROMs, or whatever.

Moderator: Moderators

User avatar
infiniteneslives
Posts: 2104
Joined: Mon Apr 04, 2011 11:49 am
Location: WhereverIparkIt, USA
Contact:

Re: Reverse Engineering the CIC

Post by infiniteneslives »

Hard to know what caps you have exactly. Perhaps they are/should be fine, a photo would prob help us help you.
If you're gonna play the Game Boy, you gotta learn to play it right. -Kenny Rogers
Ice Man
Posts: 547
Joined: Fri Jul 04, 2014 2:34 pm

Re: Reverse Engineering the CIC

Post by Ice Man »

I have used an original NES-SLROM board. No custom made baords.
This one, to be exact: http://bootgod.dyndns.org:7777/profile.php?id=14

Desoldered the CIC, programmed the Attiny13A with the correct fuse settings, installed it as follows:
Pin 1 - NC
Pin 2 - CIC Hole 6 (Cart #71)
Pin 3 - NC
Pin 4 - CIC Hole 8 (GND)
Pin 5 - CIC Hole 1 (Cart #35)
Pin 6 - CIC Hole 2 (Cart #34)
Pin 7 - CIC Hole 7 (Cart #70)
Pin 8 - CIC Hole 16 (VCC)

P.S. 2 out of 3 are working, tested in that board as well. So I doubt it is capacitor related but maybe a faulty Attiny13A.
Either way, new Attiny13A are on their way and I will test them once I get them.
User avatar
infiniteneslives
Posts: 2104
Joined: Mon Apr 04, 2011 11:49 am
Location: WhereverIparkIt, USA
Contact:

Re: Reverse Engineering the CIC

Post by infiniteneslives »

At a glance, your wiring is fine (as expected since some chips work). But I have no idea how long your wires are or other things that a photo would help portray. I did have similar issues where some chips worked and some didn't with some of Jim's Cool first attiny13 NES CIC builds. He found the bug and fixed it, never shared with me what the problem was. Not of much help, but perhaps your issue with krikzz implementation is related. First I've heard of it though, and there's quite a few people using his attiny13 NES CIC implementation AFAIK.
If you're gonna play the Game Boy, you gotta learn to play it right. -Kenny Rogers
Ice Man
Posts: 547
Joined: Fri Jul 04, 2014 2:34 pm

Re: Reverse Engineering the CIC

Post by Ice Man »

Found out my problem.

I set the fuse bits first instead of writing it with a GQ-4X resulting in ID FFFF making it useless to progam with a GQ-4X.
However, the TL866 recognized the Attiny13A and its ID. So i thought I could continue with the proper fuse settings.
While programming worked well the AVRCIC never worked in that said cart. Luckily I had another cart with a working AVRCIC. So I switched them out. The SLROM cart now works fine, but the other doesn't, obviously.

So I just programmed one using the TL866 ONLY. Reset the console a few times and hey, both carts work.

I also found out, if you program it with a GQ-4X. Set the fuse bits LAST. First program the HEX file.

Thanks for the help though.
User avatar
infiniteneslives
Posts: 2104
Joined: Mon Apr 04, 2011 11:49 am
Location: WhereverIparkIt, USA
Contact:

Re: Reverse Engineering the CIC

Post by infiniteneslives »

Ahh yeah those tools are pretty terrible for programming microcontrollers. For AVRs, I would highly recommend any devices that allow you to use avrdude, allows you to be much more explicit with what's getting programmed exactly and when.
If you're gonna play the Game Boy, you gotta learn to play it right. -Kenny Rogers
tepples
Posts: 22705
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Re: Reverse Engineering the CIC

Post by tepples »

Inbound link
The description of the recently uploaded video "Secrets of the Nintendo CIC Chip - Early Cartridge Anti-Piracy" by Modern Vintage Gamer links to this topic.
Lord Nightmare
Posts: 131
Joined: Wed Apr 05, 2006 10:12 am
Location: PA, USA
Contact:

Re: Reverse Engineering the CIC

Post by Lord Nightmare »

At long last, the trick to entering the ROM dump/debug mode of the SM590 was figured out earlier today by Sean Riddle:
http://www.seanriddle.com/sm590/
specifically http://www.seanriddle.com/sm590/sm590dump.txt

We now have electronic dumps of:
3193A
6113 non-A (which matched the dump done by neviksti using decap+stain back in 2006ish)
RFC-CPU10 (AKA R.O.B.)

We still need dumps or redumps of:
6113A (is this just a dieshrink of 6113 with the same code?)
3195 PAL-x
3195A PAL-x (dieshrink of 3195?)
3196 PAL-y
3197 (korea)
3198 (famicombox cart CIC)
3199 (famicombox coin timer)

(PAL-x and PAL-y are technically PAL-B and PAL-A but I may have the order backwards so I wanted to note that)

The following are SM595 instead of SM590 but probably dump the same way
F411 (SNES NTSC, 1991 consoles?)
F411A (SNES NTSC, 1992 consoles?)
F411B (SNES NTSC, 1993 and later?)
F413 (SNES PAL)
F413A and B if they existed.

LN
"When life gives you zombies... *CHA-CHIK!* ...you make zombie-ade!"
Patnukem
Posts: 93
Joined: Thu Sep 10, 2020 11:16 pm

Re: Reverse Engineering the CIC

Post by Patnukem »

How can I help with dumps of the Famicombox CIC? I would like to figure this out for my self but happy to share... where do I start?
lidnariq
Posts: 11429
Joined: Sun Apr 13, 2008 11:12 am

Re: Reverse Engineering the CIC

Post by lidnariq »

If you're comfortable with a soldering iron, follow these instructions (also linked above).
Patnukem
Posts: 93
Joined: Thu Sep 10, 2020 11:16 pm

Re: Reverse Engineering the CIC

Post by Patnukem »

Sure thing... I own an arcade so I’m not afraid of the soldering iron. I never have dumped stuff before so I just want to make sure I do it correctly. I’m reading the past post so it’s taking me a bit to get caught up.

The Famicomstation should be here tomorrow. I have to repair it then I’ll start trying to get the 3198 & 3199 dumps for everyone.
Fiskbit
Posts: 890
Joined: Sat Nov 18, 2017 9:15 pm

Re: Reverse Engineering the CIC

Post by Fiskbit »

I've also picked up some CICs recently that I'm hoping to dump, including the two in the FamicomBox. I still need to get a way to actually collect the data. Sounds like you're a bit ahead of me. I think it'll be good to compare dumps to verify they're correct.

I don't think the FamicomStation menu ROM is available, so if you'd be willing, it would be good to have a dump of that, as well. It should differ from the FamicomBox in at least its title graphics.
lidnariq
Posts: 11429
Joined: Sun Apr 13, 2008 11:12 am

Re: Reverse Engineering the CIC

Post by lidnariq »

If you don't already have a favorite microcontroller, the simplest way to get the data off the pins of the SM590 micros into a computer would be to use one of FTDI's parts that allow you to hook up 8 data pins and a "latch this data" pin to the data bus and clock here, and manually switch R20, R21, and ACL. (e.g. FT245R. Lots of other FTDI parts can supposedly be configured to operate in this mode, too, e.g. FT232H)
Patnukem
Posts: 93
Joined: Thu Sep 10, 2020 11:16 pm

Re: Reverse Engineering the CIC

Post by Patnukem »

I think I can manage the soldering bit, I am a little lost on the collection process as it’s not something I’ve done before. I would love to learn how. I see the connection and reading directions but some overly detailed directions (for the interface to record them) for someone who has never done this would help. Sorry I’m new to this and spend most of my time repairing and troubleshooting arcade games and this type of thing rarely comes up.
User avatar
Jeroen
Posts: 1048
Joined: Tue Jul 03, 2007 1:49 pm

Re: Reverse Engineering the CIC

Post by Jeroen »

Lord Nightmare wrote: Thu Sep 12, 2019 5:25 pm At long last, the trick to entering the ROM dump/debug mode of the SM590 was figured out earlier today by Sean Riddle:
http://www.seanriddle.com/sm590/
specifically http://www.seanriddle.com/sm590/sm590dump.txt

We now have electronic dumps of:
3193A
6113 non-A (which matched the dump done by neviksti using decap+stain back in 2006ish)
RFC-CPU10 (AKA R.O.B.)

We still need dumps or redumps of:
6113A (is this just a dieshrink of 6113 with the same code?)
3195 PAL-x
3195A PAL-x (dieshrink of 3195?)
3196 PAL-y
3197 (korea)
3198 (famicombox cart CIC)
3199 (famicombox coin timer)

(PAL-x and PAL-y are technically PAL-B and PAL-A but I may have the order backwards so I wanted to note that)

The following are SM595 instead of SM590 but probably dump the same way
F411 (SNES NTSC, 1991 consoles?)
F411A (SNES NTSC, 1992 consoles?)
F411B (SNES NTSC, 1993 and later?)
F413 (SNES PAL)
F413A and B if they existed.

LN
That's really cool information.
I noticed in the disassembly the mnemonics of the code: http://www.seanriddle.com/sm590/nescic-dis.txt
don't seem to match the mnemonics in the datasheet for the sm590: https://www.datasheets360.com/pdf/2349826358003027286

Is there any info on what mnemonics were used?

edit: found it
https://hackmii.com/2010/01/the-weird-a ... erful-cic/
Last edited by Jeroen on Mon Sep 14, 2020 11:47 am, edited 1 time in total.
lidnariq
Posts: 11429
Joined: Sun Apr 13, 2008 11:12 am

Re: Reverse Engineering the CIC

Post by lidnariq »

Patnukem wrote: Mon Sep 14, 2020 7:19 am I think I can manage the soldering bit, I am a little lost on the collection process as it’s not something I’ve done before.
Well, first things first: do we have a pinout for the 3198 CIC? Tentatively looking at one SSS-UNROM board, it looks like all the pins might actually go to the card edge, which would mean there's no soldering needed at all.

What the next step after that is depends on what you want to do. As I said, you could use a FT245 or FT232H, but there are other options too.
Sorry I’m new to this and spend most of my time repairing and troubleshooting arcade games and this type of thing rarely comes up.
No need to apologize! Seeking to learn a craft is something that should always be commended.
Post Reply