Famicom Network System (aka Famicom Modem) Investigations

lidnariq
Posts: 10068
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Re: Famicom Network System (aka Famicom Modem) Investigations

Post by lidnariq » Sat Jan 09, 2021 1:37 pm

Yeah, that.

The only reference I've found is this one about BT telephone lines: https://www.britishtelephones.com/howtele.htm

Ben Boldt
Posts: 699
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Post by Ben Boldt » Sat Jan 09, 2021 2:06 pm

Thanks for the info and the link. I am a little nervous about it still but I will see what I can come up with.

Edit:
I wonder if I can use a VoIP adapter? This is probably going to generate a North America style dial tone but maybe that's OK?? I am looking into it.

Ben Boldt
Posts: 699
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Post by Ben Boldt » Sat Jan 09, 2021 7:00 pm

Looking more at the byte counts of the first 2 columns of connection data:
byte counts.png
The byte count of the top one is 0x13, and the bottom one is 0x20. Assuming that it is a 16-bit little-endian byte count, shown are selections of this size. The top one is for some reason 2 extra bytes and the bottom one 1 extra byte. This coincides with the number of % symbols in each, suggesting that % may be a delimiter or escape sequence token.

"B1", at the beginning of the selection in each, happens to be a Modem AT command, as seen here:

https://michaelgellis.tripod.com/modem.html

In that case the command would be "Select Bell 212A (1200 bps)". Coincidentally, this is a 1200 baud modem if I am not mistaken.

Ben Boldt
Posts: 699
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Post by Ben Boldt » Mon Jan 11, 2021 8:05 pm

I improved my register capture gizmo tonight. Before, it was totally asynchronous, so at any time the address bus was changing, there was a chance I would get triggers. To fix that, I put my output through an additional 74LS74 D-flip-flop, which will pass address matches through only on the rising edge of M2. I found that I needed an additional delay on M2 rising edge in order for /ROMSEL to fully propagate through my existing logic. To do this, I used a circuit similar to krzysiobal's "Fixing Chinese SMB2J" RAM /CE circuit:

M2 --+--|<|---+---+-- 74LS74 Clock Input
     |        |   |
     +--7.5k--+  56p
                  |
                 GND

This gives a delay of ~100nsec and prevents trips when executing code at $CxD0 when set to trigger $4xD0. It seems to work very well with these modifications. When I wanted to trigger only on writes, I was able to set my scope with logic trigger with this signal and CPU R/W both low to trigger, and that worked really well.

-----

I am finding very different messages being sent when PiT Motorboat Race makes and breaks connections:
PiT Motorboat Race wrote:
Option Right, Right, 1111111111
Connect:
69 0A 00 00 04 14 1D 28 80 00 30 26 21 00 00
Disconnect:
64 01 00 02 A9 31

Option Right, Left, 2222, 1111111111
Connect:
69 0A 00 00 04 14 1D 28 80 00 30 26 21 00 00
Disconnect:
64 01 00 02 A9 32

Option Left, Right, 1111111111
Connect:
69 0A 00 00 04 14 1D 28 80 00 30 26 21 00 00
Disconnect:
64 01 00 02 A9 30

Option Left, Left, 2222, 1111111111
Connect:
69 0A 00 00 04 14 1D 28 80 00 30 26 21 00 00
Disconnect:
64 01 00 02 A9 30

These don't translate well into ASCII, unlike Super Mario Club. I have to say, I am surprised how very different the message is and not yet sure what to make of it.

Ben Boldt
Posts: 699
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Post by Ben Boldt » Tue Jan 12, 2021 8:31 pm

Here are more connect/disconnect sequences:
Heart no Benrikun Mini wrote:
Connect:
00 13 00 42 31 20 36 33 57 30 36 30 33 31 33 35 38 35 35 24 67 25 37 31
ASCII: "...B1 63W0603135855$g%71"

Disconnect:
65 02 00 02 00 20
ASCII: "e.... "

This one blows away the theory about the byte counts not including %'s. This one's byte count is 2 larger than the number of bytes sent, and there is only 1 percent. I double-checked the "$" and also retriggered the scope again to make sure.

I was going to try finding JRA-PAT's sequences but I forgot to bring my microwire EEPROM and the game won't boot up past an error screen without that.

Ben Boldt
Posts: 699
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Post by Ben Boldt » Wed Jan 13, 2021 5:37 pm

JRA-PAT rev 05 wrote:
Connect:
00 0F 00 88 30 42 30 20 36 34 32 35 36 34 36 36 36 24
ASCII: "...ˆ0B0 642564666$"

Disconnect:
01 01 00 01 30 42
ASCII: "....0B"

I find that this part of the connect message comes directly from the microwire EEPROM data:
0 642564666

This is either range 0x13-1C or 0x23-2C of the EEPROM, with that space added after the first digit. I tried modifying each line in the EEPROM data to see which one it is and JRA-PAT detects that as a corrupted EEPROM. Modifying just 1 digit the same in both lines still detects corrupted EEPROM, so maybe there is a checksum or range check, etc. In that mode, I get a configuration screen:
jra_config.jpg
I entered values:
11111111
2222
3333
44
55
6666666666

When I connect this way:
JRA-PAT rev 05 wrote:
Connect:
00 0F 00 42 36 20 36 36 36 36 36 36 36 36 36 24 67 25
ASCII: "...B6 666666666$g%"

Disconnect:
01 01 00 01 30 42
ASCII: "....0B"

JRA-PAT is also adding that space after the first digit again like it did compared to the original microwire EEPROM data.

The Japanese text of the 6's translates as "Registration Center Number". The EEPROM does not get written back to when attempting this. Maybe it has to have a successful connection before writing it.
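
The byte-count guess from the posts above (a 16-bit little-endian count following one leading byte) checked against the connect captures quoted in this thread, as an added example that is not part of any post. Treating byte 0 as a separate leading byte, and all function names, are assumptions.

```python
# Added example: tests the thread's framing guess against its own captures.
# Assumed layout (a hypothesis, not a documented format):
#   byte 0 = leading byte of unknown meaning, bytes 1-2 = 16-bit little-endian
#   byte count, remaining bytes = payload.

# Connect captures copied from the posts above.
CAPTURES = {
    "Heart no Benrikun Mini":
        "00 13 00 42 31 20 36 33 57 30 36 30 33 31 33 35 38 35 35 24 67 25 37 31",
    "JRA-PAT rev 05 (original EEPROM)":
        "00 0F 00 88 30 42 30 20 36 34 32 35 36 34 36 36 36 24",
    "JRA-PAT rev 05 (config screen values)":
        "00 0F 00 42 36 20 36 36 36 36 36 36 36 36 36 24 67 25",
}


def parse_capture(hex_text):
    """Split one capture into the assumed header fields and payload."""
    raw = bytes.fromhex(hex_text)
    if len(raw) < 3:
        raise ValueError("capture is shorter than the assumed 3-byte header")
    payload = raw[3:]
    declared = int.from_bytes(raw[1:3], "little")
    return {
        "lead": raw[0],
        "declared": declared,
        "actual": len(payload),
        "extra": len(payload) - declared,   # payload bytes beyond the count
        "percent": payload.count(b"%"),     # occurrences of 0x25
        # Non-printable bytes are shown as '.'.
        "ascii": "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in payload),
    }


def percent_theory_holds(parsed):
    """True when the extra bytes equal the number of '%' characters."""
    return parsed["extra"] == parsed["percent"]


def summarize(captures=CAPTURES):
    """Return {name: (declared, actual, percent, theory_holds)}."""
    out = {}
    for name, hex_text in captures.items():
        p = parse_capture(hex_text)
        out[name] = (p["declared"], p["actual"], p["percent"], percent_theory_holds(p))
    return out


if __name__ == "__main__":
    for name, row in summarize().items():
        print(f"{name}: declared={row[0]} actual={row[1]} %={row[2]} theory={row[3]}")
```

Under this framing only the capture with no % character has a payload length equal to its declared count; the other two disagree with the "one extra byte per %" idea in different directions.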

lidnariq
Posts: 10068
Joined: Sun Apr 13, 2008 11:12 am
Location: Seattle

Post by lidnariq » Wed Jan 13, 2021 5:44 pm

Apparently I've accidentally learned enough kanji/hanzi to recognize what you entered as 3333 44 55 as marking Year Month Day. ... apparently they used birthdate as an extra authentication factor? feels bad in a modern security context.

Ben Boldt
Posts: 699
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Post by Ben Boldt » Wed Jan 13, 2021 10:12 pm

That's pretty funny. Back then that probably literally WAS secure to do things like that and trust your 8-bit Nintendo to your bank account and gambling addictions. Those were the days.

I have been thinking more about how I saw constant activity when looking at the control signals going to the RF5A18's RAM. I like to think that there is a processor running in there, that would be pretty cool. I want to snoop the address and data bus connected to that RAM chip and record some stuff. It may well be that pins 15,16,17 are in fact A13, A14, A15 potentially revealing a full 16-bit address bus. I would be pretty intrigued to see it accessing internal ROM data (i.e. RAM /CE high with data on the bus...) As it is, the only external thing connected to that separate address and data bus is U6: 8kbyte SRAM chip. Thank goodness they didn't use a DRAM like the FDS. It will also be interesting to see if the messages being sent over through $40D0,1,2,3 (i.e. the stuff I have been sharing lately) are being written into the RAM, and if so at what addresses. That will probably be next week due to a snow storm coming here tomorrow.

Fiskbit
Posts: 238
Joined: Sat Nov 18, 2017 9:15 pm

Post by Fiskbit » Thu Jan 14, 2021 1:04 am

According to this article, the modem did have some reasonable security functionality (public key encryption), but it went unused.

Also included in that article is a block diagram of the modem. I don't know how accurate it is, but it does show LSI-1 (the RF5A18?) having a CPU in it. I've attached a copy of the diagram for preservation purposes.
Attachments
fig_2.jpg

Ben Boldt
Posts: 699
Joined: Tue Mar 22, 2016 8:27 pm
Location: Minnesota, USA

Post by Ben Boldt » Thu Jan 14, 2021 11:27 am

Wow, that is really great info. LSI-1 is the RF5A18, sure enough with internal CPU. Interesting to see LSI-2 (RF5C66) containing "Disk Drive Interface". There have been a few things found very similar to FDS. Though I don't see the RAM or ROM necessary for FDS unless it is lurking somewhere inside the 5C66, or intended to be in a card. I have wondered if one of the expansion pins is an input that "enables" FDS mode somehow. Lots of unknowns there but neat to think about.

There are quite a few logic pins tied directly low or high on the 5A18. It will be neat to see if one of them can turn the address bus as input and make the internal ROM dumpable. Hopefully it is a 6502 CPU or at least something common. I have not yet gotten this chip fully hooked up for bench test. If it is a 6502 and uses any indirect pointer like LDA ($0000),Y, I can probably build something to fudge that RAM $00,01 to grab from anywhere in memory and get a dump byte-by-byte that way. But I am getting WAY ahead of myself. I need to start with just looking at what is on the address and data bus of the RAM and go from there.
