Reverse Engineering the CIC

jims cool
Posts: 119
Joined: Fri May 11, 2007 12:47 pm
Location: Guelph, Ontario, Canada

Post by jims cool » Wed Jun 06, 2007 3:27 am

...
Last edited by jims cool on Wed Mar 24, 2010 10:44 pm, edited 1 time in total.

jims cool
Posts: 119
Joined: Fri May 11, 2007 12:47 pm
Location: Guelph, Ontario, Canada

Playchoice Security (RP5H01)

Post by jims cool » Wed Jun 06, 2007 4:08 am

RP5H01 is used as a security chip in Playchoice

EDIT: thought I would add some links.. give people an idea of how it works :D
rp5h01.c
rp5h01.h

here is a little PC10 hackey :wink:

Gamehacker's Replacement BIOS
Oliver's Replacement BIOS

enjoy!
Last edited by jims cool on Thu May 29, 2008 3:48 pm, edited 2 times in total.

blargg
Posts: 3715
Joined: Mon Sep 27, 2004 8:33 am
Location: Central Texas, USA

Post by blargg » Wed Jun 06, 2007 8:03 am

RP5H01 is used as a CIC security chip in Playchoice
And going by the data sheet, just a 64-bit PROM (one-time programmable read-only memory). Not an enigma like the CIC at all. :)

teaguecl
Posts: 210
Joined: Thu Oct 21, 2004 4:02 pm
Location: San Diego

Post by teaguecl » Thu Jun 07, 2007 4:58 pm

blargg wrote:
RP5H01 is used as a CIC security chip in Playchoice
And going by the data sheet, just a 64-bit PROM (one-time programmable read-only memory). Not an enigma like the CIC at all. :)
Wow, that would have been much easier to reverse engineer than the rabbit since we already know the hardware specs. All it would have taken is the die photos to extract the binary, and a reverse assembler. Why didn't we think of that before?

gannon
Posts: 162
Joined: Sun Nov 20, 2005 9:38 pm

Post by gannon » Thu Jun 07, 2007 5:08 pm

Always possible the part number is fake, misinformation is always a good tactic :P

blargg
Posts: 3715
Joined: Mon Sep 27, 2004 8:33 am
Location: Central Texas, USA

Post by blargg » Thu Jun 07, 2007 10:19 pm

All it would have taken is the die photos to extract the binary, and a reverse assembler.
If it were a 64-bit PROM, you could just read its contents and burn that to a new PROM. No microscope necessary. :)

jonwil
Posts: 14
Joined: Fri Jun 16, 2006 11:24 pm

Post by jonwil » Fri Jun 08, 2007 1:04 am

Looking at a MAME romset for a Playchoice 10 game, there is a file called security.prm which is labeled as being the RP5H01 data. Exactly what the data contains and is used for is unclear.

jims cool
Posts: 119
Joined: Fri May 11, 2007 12:47 pm
Location: Guelph, Ontario, Canada

Post by jims cool » Sat Jun 09, 2007 7:31 am

...
Last edited by jims cool on Wed Mar 24, 2010 10:45 pm, edited 1 time in total.

blargg
Posts: 3715
Joined: Mon Sep 27, 2004 8:33 am
Location: Central Texas, USA

Post by blargg » Sat Jun 09, 2007 9:11 am

Looks like a new thread in the making, and requests for copyrighted files that might not be appropriate for Nesdev.

jims cool
Posts: 119
Joined: Fri May 11, 2007 12:47 pm
Location: Guelph, Ontario, Canada

Post by jims cool » Sat Jun 09, 2007 10:48 am

Type of Work: Computer File

Registration Number / Date:
TX0003812530 / 1994-09-06

Title: SFC CIC for Nintendo KK : ROM FIX 1991.2.7.

Description: Computer program.

Copyright Claimant:
Nintendo of America, Inc.

Date of Creation: 1991

Date of Publication:
1992-03-01

Authorship on Application:
rev. & additional computer code: Sharp Corporation,
employer for hire.

Previous Registration:
Prev. reg. 1986, TX 1-945-426.

Basis of Claim: New Matter: rev. & additional computer code.

Names: Nintendo of America, Inc.
Sharp Corporation

================================================================================

Type of Work: Computer File

Registration Number / Date:
TX0003812529 / 1994-09-06

Title: SFC CIC for Nintendo KK : ROM FIX 1990.3.23.

Description: Computer program.

Copyright Claimant:
Nintendo of America, Inc.

Date of Creation: 1990

Date of Publication:
1990-11-21

Authorship on Application:
rev. & additional computer code: Sharp Corporation,
employer for hire.

Previous Registration:
Prev. reg. 1986, TX 1-945-426.

Basis of Claim: New Matter: rev. & additional computer code.

Names: Nintendo of America, Inc.
Sharp Corporation

================================================================================

Type of Work: Computer File

Registration Number / Date:
TX0001945426 / 1986-12-01

Title: 10NES software.

Description: printout.

Copyright Claimant:
Nintendo of America, Inc.

Date of Creation: 1985

Date of Publication:
1985-10-01

Authorship on Application:
computer program: Sharp Corporation, employer for hire.

Copyright Note: C.O. correspondence.

Names: Nintendo of America, Inc.
Sharp Corporation

================================================================================

Type of Work: Recorded Document

Document Number: V2182P102

Date of Recordation:
1986-05-30

Entire Copyright Document:
V2182P102 (Single page document)

Date of Execution: 6May86

Title: 10NES; software in R O M of L S I in software security
system of Nintendo entertainment system / By Sharp
Corporation.

Notes: Copyright assignment.

Party 1: Sharp Corporation.

Party 2: Nintendo of America, Inc.

Names: Sharp Corporation.
Nintendo of America, Inc.

================================================================================
Last edited by jims cool on Fri Mar 26, 2010 3:31 am, edited 4 times in total.

Zonomi
Posts: 61
Joined: Wed May 09, 2007 12:45 pm

Post by Zonomi » Thu Jun 14, 2007 4:17 pm

Tengen weren't the only ones to create their own CIC clone.
On SNES, Datel created the Action Replay.
I've opened mine (AR MK3), and tried to find where the CIC was.
Image
The numbers are the cartridge connectors.
"Datel Turbo Replay" seems to be a multi-purpose chip, and the other chip is an EPROM. Has anyone already decapped it, or is willing to do it? Maybe it would be easier to understand the algorithm...

kyuusaku
Posts: 1665
Joined: Mon Sep 27, 2004 2:13 pm

Post by kyuusaku » Thu Jun 14, 2007 6:26 pm

Are you sure the Action Replay doesn't just use the plugin cart's CIC or does it contain both NTSC and PAL defeation?

tepples
Posts: 22052
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)

Post by tepples » Thu Jun 14, 2007 7:44 pm

Game Genie passes the CIC signals through to the Game Pak. I'm guessing that because a lot of unlicensed games do the same, Action Replay is likely to do so as well.

drk421
Posts: 328
Joined: Sun Nov 14, 2004 11:24 am

Post by drk421 » Thu Jun 14, 2007 9:03 pm

I know that the Bung SF7 didn't require a cart in the SNES to play games. Did it have a CIC clone in it?
Same for the SWC DX I have.

kyuusaku
Posts: 1665
Joined: Mon Sep 27, 2004 2:13 pm

Post by kyuusaku » Thu Jun 14, 2007 9:21 pm

Yes, all game copiers apart from the Super Magicom and perhaps early Super UFOs have CIC clones in them.
