Reverse Engineering the CIC

Discuss hardware-related topics, such as development cartridges, CopyNES, PowerPak, EPROMs, or whatever.

Moderators: B00daW, Moderators

tepples
Posts: 21749
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Post by tepples » Wed May 09, 2007 1:15 pm

We understand the Rabbit microcontroller's machine code. But I haven't seen any effort to understand the authentic CIC's machine code.

User avatar
blargg
Posts: 3715
Joined: Mon Sep 27, 2004 8:33 am
Location: Central Texas, USA
Contact:

Post by blargg » Wed May 09, 2007 9:26 pm

I think the attempt is to understand the common algorithm used by both. Once you've duplicated that, who cares how it's implemented in the real thing?

tepples
Posts: 21749
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Post by tepples » Thu May 10, 2007 6:24 am

Because I seem to remember seeing microscopic evidence that the Super NES CIC appears to use the same microcontroller as the NES CIC with a completely different program.

dvdmth
Posts: 354
Joined: Wed Mar 22, 2006 8:00 am

Post by dvdmth » Thu May 10, 2007 8:00 am

blargg wrote:I think the attempt is to understand the common algorithm used by both. Once you've duplicated that, who cares how it's implemented in the real thing?
AFAIK the algorithm was changed from the NES to the SNES. If the algorithm is indeed the same, however, I can reverse-engineer the keys if I am given a log of the communications between the lock and key (as I have for the regional CICs). Has anyone ever logged the SNES CIC's communication?
"Last version was better," says Floyd. "More bugs. Bugs make game fun."

Zonomi
Posts: 59
Joined: Wed May 09, 2007 12:45 pm

Post by Zonomi » Thu May 10, 2007 11:33 am

From what I've read so far, tengen chip's opcodes are fully understood, and its code reversed. But, the opcodes can be different from NES CIC, thus, making a snes version impossible.
The only solution, in this case, would be to restart everything again, but with NES (or SNES) CIC (as they share the same hardware, but not the same data).
And, what makes it harder, is that tengen chip was reversed quickly after a "debug mode" was found, and not using microscope pictures.
Am I right so far?

tepples
Posts: 21749
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Post by tepples » Thu May 10, 2007 7:49 pm

But now that we know the 10NES algorithm (from the Rabbit's debug mode), shouldn't that help us find the NES CIC's instruction encoding, and from there to a way to decode the Super NES CIC instruction?

dvdmth
Posts: 354
Joined: Wed Mar 22, 2006 8:00 am

Post by dvdmth » Thu May 10, 2007 10:13 pm

tepples wrote:But now that we know the 10NES algorithm (from the Rabbit's debug mode), shouldn't that help us find the NES CIC's instruction encoding, and from there to a way to decode the Super NES CIC instruction?
Before we can do that, we need to know how the ROM bits are arranged (we only have the raw dump, as the bits exist physically, but that doesn't tell us how the bits appear to the processor). I think someone was going to make ROM dumps for the international CIC variants - has that ever happened? If such dumps exist, I wouldn't mind doing some comparisons against the 3193 dump, which would help figure out the bit organization.

Even then, it would by no means be an easy task to figure out the instruction set, as we have no info on the real CIC's technical capabilities. Knowing the algorithm definitely helps, though, and it wouldn't surprise me at all if it can eventually be accomplished.
"Last version was better," says Floyd. "More bugs. Bugs make game fun."

User avatar
jims cool
Posts: 119
Joined: Fri May 11, 2007 12:47 pm
Location: Guelph, Ontario, Canada
Contact:

Post by jims cool » Fri May 11, 2007 1:30 pm

hey i have a couple questions i hope someone can help me with :)

1. the clock divider is by 4 right? 4mhz/4 so 1mhz?
and what speed is the input/output data?

2. i see seeds for 3195, 3196 and 3197 what about 3193 3198?
and the "X" can that nibble be anything? is it a mistake in 10NES?

3. does anyone have a copy of the real CIC binary?
i wouldn't mind seeing it :)

thanks...

User avatar
jims cool
Posts: 119
Joined: Fri May 11, 2007 12:47 pm
Location: Guelph, Ontario, Canada
Contact:

Post by jims cool » Fri May 11, 2007 2:02 pm

...
Last edited by jims cool on Wed Mar 24, 2010 10:36 pm, edited 1 time in total.

dvdmth
Posts: 354
Joined: Wed Mar 22, 2006 8:00 am

Post by dvdmth » Fri May 11, 2007 3:30 pm

jims cool wrote:1. the clock divider is by 4 right? 4mhz/4 so 1mhz?
and what speed is the input/output data?

2. i see seeds for 3195, 3196 and 3197 what about 3193 3198?
and the "X" can that nibble be anything? is it a mistake in 10NES?

3. does anyone have a copy of the real CIC binary?
1. The Tengen chip executes 1 instruction every 4 clock cycles, so yes, the instruction execution speed is 1 MHz. It is assumed that the original CIC also works this way, but I don't know if it was ever verified.

As for the I/O, that is controlled by the code. The Tengen ROM was translated to C, so you can check out how it works (including timing) here:

http://thefox.aspekt.fi/Tengen.c

2. The 3193's seed (if I'm reading the Tengen code right - I don't have it in my notes) is as follows:

LOCK: 3952F20F9109997
KEY: x952129F910DF97

The "x" can be any 4-bit value. At the start of execution, the chip inside the NES randomly picks a value and sends it to the chip inside the cartridge. Note that you need to do some math on the transmitted value in order to determine what to use for "x" (see the Tengen source linked above).

The 3198 has not been reverse-engineered. That chip only appears in the Famicombox, and it appears to operate differently from the CIC's used in the NES.

3. The ROM data, as it appears under a microscope, can be seen here:

http://www.nesmuseum.com/10nes/nescicrom.txt

The bits are interleaved, but we don't know how they are arranged.
"Last version was better," says Floyd. "More bugs. Bugs make game fun."

User avatar
jims cool
Posts: 119
Joined: Fri May 11, 2007 12:47 pm
Location: Guelph, Ontario, Canada
Contact:

Post by jims cool » Fri May 11, 2007 4:41 pm

thanks that helps a bunch :D
if the SNES and NES use the same chip with a different code the bits should be in the same order
think I'll look into the NES CIC some more Tengen said they had there chip working before they even had the copyright documents :)
so i wonder if they found out the order of the bits or some how cracked the I/O
I'm thinking they most likely found out the order....

drk421
Posts: 328
Joined: Sun Nov 14, 2004 11:24 am
Contact:

Post by drk421 » Fri May 25, 2007 7:06 pm

I found the patent for the CIC chip:

http://www.google.com/patents?id=81EWAAAAEBAJ

jonwil
Posts: 14
Joined: Fri Jun 16, 2006 11:24 pm

Post by jonwil » Sun May 27, 2007 7:13 am

Just wanted to congratulate all the gurus here who figured out the NES lockout chip.

Anyone know what protection the Playchoice-10 carts used? (I know they used something to prevent operators from copying NES games to PC10 carts)

Also, did the VS Unisystem have anything other than the custom palettes?

dvdmth
Posts: 354
Joined: Wed Mar 22, 2006 8:00 am

Post by dvdmth » Sun May 27, 2007 7:50 am

jonwil wrote:Also, did the VS Unisystem have anything other than the custom palettes?
Some VS Unisystem games used a different PPU that changed registers $2000 and $2001 around. The PPU also returned a specific value in the unused bits of $2002, which games would check in order to verify they were working on the right hardware. Also, I think some games switched around the controller configurations as well, which would've caused confusion if the wrong game was played on the wrong system. I'm not an arcade expert, though, so I may not remember very accurately.
"Last version was better," says Floyd. "More bugs. Bugs make game fun."

jonwil
Posts: 14
Joined: Fri Jun 16, 2006 11:24 pm

Post by jonwil » Sun May 27, 2007 8:06 am

Does anyone know if the CIC chip (or any similar chip) was used for any known Nintendo arcade machine (dedicated, Playchoice 10, VS Unisystem, Nintendo Super System or otherwise)

Post Reply