Reverse Engineering the CIC
.
Last edited by kevtris on Sat Mar 06, 2010 12:27 pm, edited 1 time in total.
/* this is a comment */
> kevtris wrote: When I say "connects to pin X of lockout chip" I mean the chip that would be on the cartridge. Not the chip in the system.
You can distinguish them by calling the chip in the console the "lock chip" and the chip in the cart the "key chip".
> kevtris wrote: /force NTSC - pulling this pin low forces the chip into NTSC only (3193 only) mode. The three PAL modes are not usable. Floating (disconnecting) this pin allows the chip to try all 4 regions.
When is this pin read?
> dvdmth wrote: The important thing here is to keep a game utilizing the "lockout functioning" output from thinking there's a lockout error when in reality there is no lockout functionality to begin with.
The CPU should know that it hasn't reset by the time the game's copyright screen disappears.
> tepples wrote:
> > kevtris wrote: When I say "connects to pin X of lockout chip" I mean the chip that would be on the cartridge. Not the chip in the system.
> You can distinguish them by calling the chip in the console the "lock chip" and the chip in the cart the "key chip".
> > kevtris wrote: /force NTSC - pulling this pin low forces the chip into NTSC only (3193 only) mode. The three PAL modes are not usable. Floating (disconnecting) this pin allows the chip to try all 4 regions.
> When is this pin read?
It is read a little while after startup. It is designed to be tied low (to pin 8) or floated at all times, and not dorked with during operation.
/* this is a comment */
I take back my quick comments about the 3195A (pictures of the ROM can be seen at http://neviksti.com/CIC/3195A/ ). It turns out the ROM layout is quite different. It went from the 512 bytes of the 6113 (and SNES D411) to 768 bytes (the bitline decoders went from 1 of 8 to 1 of 12).
Also, there is now a clear pattern in the ROM (unlike before).
The Tengen CIC only used about 256 instructions (12bit each), yes? While the NES CIC has the ROM output 8 bits and has at least 512 of these "instructions". So something seems awfully strange here.
The Tengen chip executed one instruction every 4 clock cycles. Maybe the NES CIC does as well, but there are two 8bit loads involved in this ... maybe first 8 bits is instruction code, and last 8 bits are data. The only time all 8 bits of data should be needed are for jump statements... so maybe we can test this idea.
I finished depackaging the 3193A (from USA) chip tonight, but haven't had time to look at it in the microscope yet. I'm hoping the chip layout will match the 3195A so we can directly compare the ROM data.
What is functionally different between the 3193 and 6113? Can one act as a key/lock and the other only as a key? I'm not sure what to make of the large changes in layout between them as I was not expecting to see that (especially considering they didn't even change the layout when going from 6113 -> SNES D411).
> neviksti wrote: I take back my quick comments about the 3195A (pictures of the ROM can be seen at http://neviksti.com/CIC/3195A/ ). It turns out the ROM layout is quite different. It went from the 512 bytes of the 6113 (and SNES D411) to 768 bytes (the bitline decoders went from 1 of 8 to 1 of 12).
> Also, there is now a clear pattern in the ROM (unlike before).
> The Tengen CIC only used about 256 instructions (12bit each), yes? While the NES CIC has the ROM output 8 bits and has at least 512 of these "instructions". So something seems awfully strange here.
> The Tengen chip executed one instruction every 4 clock cycles. Maybe the NES CIC does as well, but there are two 8bit loads involved in this ... maybe first 8 bits is instruction code, and last 8 bits are data. The only time all 8 bits of data should be needed are for jump statements... so maybe we can test this idea.
> I finished depackaging the 3193A (from USA) chip tonight, but haven't had time to look at it in the microscope yet. I'm hoping the chip layout will match the 3195A so we can directly compare the ROM data.
> What is functionally different between the 3193 and 6113? Can one act as a key/lock and the other only as a key? I'm not sure what to make of the large changes in layout between them as I was not expecting to see that (especially considering they didn't even change the layout when going from 6113 -> SNES D411).
I tested this the other day.
The following combinations work:
3193L 3193K
3193L 6113K
6113L 6113K
This combination DOES NOT WORK:
6113L 3193K
L and K are lock/key resp.
This must be why even the last front loaders made in the 90's had 3193's for the locks, long after all the carts were using 6113's.
/* this is a comment */
Just on a side note, when cutting pin 4, this makes the CIC behave as a key and the reset line is freed. So the 6113 most probably acts like a key-only version of the 3193 (saving costs?). The combination 6113L 6113K most likely works, because the 6113 acts like a defeated CIC.
Now, about the PIC12 version of the CIC, I'd like to have more precision about the /ForceNTSC pin. You mean it's an open collector input? What will happen when it is tied high? The same as if it is floating, the chip will go in all modes, while in Force NTSC mode, it just behaves like a 6113 without asking questions?
Useless, lumbering half-wits don't scare us.
> Bregalad wrote: Just on a side note, when cutting pin 4, this makes the CIC behave as a key and the reset line is freed. So the 6113 most probably acts like a key-only version of the 3193 (saving costs?). The combination 6113L 6113K most likely works, because the 6113 acts like a defeated CIC.
> Now, about the PIC12 version of the CIC, I'd like to have more precision about the /ForceNTSC pin. You mean it's an open collector input? What will happen when it is tied high? The same as if it is floating, the chip will go in all modes, while in Force NTSC mode, it just behaves like a 6113 without asking questions?
It is an input, but it has a pullup built into the chip so it's pulled high internally. The internal resistor is around 100K or so. I measured the pin when it's floating and it is indeed sitting at 5V, even when I loaded it with a few megs it didn't move very far indicating that the pullup is functioning.
You can tie it high if you're feeling like it, it won't hurt anything... but it's not required. I made it do the "force" when pulled low, because it is right next to pin 8, which is ground. So to operate in NTSC only mode, you connect pins 7 and 8 together.
/* this is a comment */