Reverse Engineering the CIC

Discuss hardware-related topics, such as development cartridges, CopyNES, PowerPak, EPROMs, or whatever.

Moderator: Moderators

User avatar
kevtris
Posts: 504
Joined: Sat Oct 29, 2005 2:09 am
Location: Indianapolis
Contact:

Post by kevtris »

.
Last edited by kevtris on Sat Mar 06, 2010 12:27 pm, edited 1 time in total.
/* this is a comment */
tepples
Posts: 22708
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Post by tepples »

kevtris wrote:When I say "connects to pin X of lockout chip" I mean the chip that would be on the cartridge. Not the chip in the system.
You can distinguish them by calling the chip in the console the "lock chip" and the chip in the cart the "key chip".
kevtris wrote:/force NTSC - pulling this pin low forces the chip into NTSC only (3193 only) mode. The three PAL modes are not usable. Floating (disconnecting) this pin allows the chip to try all 4 regions.
When is this pin read?
dvdmth wrote:The important thing here is to keep a game utilizing the "lockout functioning" output from thinking there's a lockout error when in reality there is no lockout functionality to begin with.
The CPU should know that it hasn't reset by the time the game's copyright screen disappears.
User avatar
kevtris
Posts: 504
Joined: Sat Oct 29, 2005 2:09 am
Location: Indianapolis
Contact:

Post by kevtris »

tepples wrote:
kevtris wrote:When I say "connects to pin X of lockout chip" I mean the chip that would be on the cartridge. Not the chip in the system.
You can distinguish them by calling the chip in the console the "lock chip" and the chip in the cart the "key chip".
kevtris wrote:/force NTSC - pulling this pin low forces the chip into NTSC only (3193 only) mode. The three PAL modes are not usable. Floating (disconnecting) this pin allows the chip to try all 4 regions.
When is this pin read?
It is read a little while after startup. It is designed to be tied low (to pin 8) or floated at all times, and not dorked with during operation.
/* this is a comment */
tepples
Posts: 22708
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)
Contact:

Post by tepples »

Aww man, I was wishing it could tie in with CPU-based 50/60 detection.
User avatar
Bregalad
Posts: 8056
Joined: Fri Nov 12, 2004 2:49 pm
Location: Divonne-les-bains, France

Post by Bregalad »

It is a very cool thing you eventually DID it !!!
Congratulations !
Useless, lumbering half-wits don't scare us.
neviksti
Posts: 203
Joined: Thu Jun 22, 2006 11:39 pm

Post by neviksti »

I take back my quick comments about the 3195A (pictures of the ROM can be seen at http://neviksti.com/CIC/3195A/ ). It turns out the ROM layout is quite different. It went from the 512 bytes of the 6113 (and SNES D411) to 768 bytes (the bitline decoders went from 1 of 8 to 1 of 12).

Also, there is now a clear pattern in the ROM (unlike before).

The Tengen CIC only used about 256 instructions (12bit each), yes? While the NES CIC has the ROM output 8 bits and has at least 512 of these "instructions". So something seems awefully strange here.

The Tengen chip executed one instruction every 4 clock cycles. Maybe the NES CIC does as well, but there are two 8bit loads involved in this ... maybe first 8 bits is instruction code, and last 8 bits are data. The only time all 8 bits of data should be needed are for jump statements... so maybe we can test this idea.

I finished depackaging the 3193A (from USA) chip tonight, but haven't had time to look at it in the microscope yet. I'm hoping the chip layout will match the 3195A so we can directly compare the ROM data.


What is functionally different between the 3193 and 6113? Can one act as a key/lock and the other only as a key? I'm not sure what to make of the large changes in layout between them as I was not expecting to see that (especially considering they didn't even change the layout when going from 6113 -> SNES D411).
User avatar
kevtris
Posts: 504
Joined: Sat Oct 29, 2005 2:09 am
Location: Indianapolis
Contact:

Post by kevtris »

neviksti wrote:I take back my quick comments about the 3195A (pictures of the ROM can be seen at http://neviksti.com/CIC/3195A/ ). It turns out the ROM layout is quite different. It went from the 512 bytes of the 6113 (and SNES D411) to 768 bytes (the bitline decoders went from 1 of 8 to 1 of 12).

Also, there is now a clear pattern in the ROM (unlike before).

The Tengen CIC only used about 256 instructions (12bit each), yes? While the NES CIC has the ROM output 8 bits and has at least 512 of these "instructions". So something seems awefully strange here.

The Tengen chip executed one instruction every 4 clock cycles. Maybe the NES CIC does as well, but there are two 8bit loads involved in this ... maybe first 8 bits is instruction code, and last 8 bits are data. The only time all 8 bits of data should be needed are for jump statements... so maybe we can test this idea.

I finished depackaging the 3193A (from USA) chip tonight, but haven't had time to look at it in the microscope yet. I'm hoping the chip layout will match the 3195A so we can directly compare the ROM data.


What is functionally different between the 3193 and 6113? Can one act as a key/lock and the other only as a key? I'm not sure what to make of the large changes in layout between them as I was not expecting to see that (especially considering they didn't even change the layout when going from 6113 -> SNES D411).
I tested this the other day.

the following combinations work:

3193L 3193K
3193L 6113K
6113L 6113K

this combination DOES NOT WORK:

6113L 3193K

L and K are lock/key resp.

This must be why even the last front loaders made in the 90's had 3193's for the locks, long after all the carts were using 6113's.
/* this is a comment */
User avatar
Bregalad
Posts: 8056
Joined: Fri Nov 12, 2004 2:49 pm
Location: Divonne-les-bains, France

Post by Bregalad »

Just on a side note, when cutting pin 4, this makes the CIC behave as a key and the reset line is freed. So the 6113 most probably act like a key only version of the 3193 (saving costs ?). The combination 6113L 6113K most likely works, beacuse the 6113 acts like a defeated CIC.

Now, about the PIC12 version of the CIC, I'd like to have more prection about the /ForceNTSC pin. You mean it's an open collector input ? What will happen when it is tied high ? The same as if it is floating, the chip will go in all modes, while in Force NTSC mode, is just behave like a 6113 without asking questions ?
Useless, lumbering half-wits don't scare us.
User avatar
loopy
Posts: 405
Joined: Sun Sep 19, 2004 10:52 pm
Location: UT

Post by loopy »

Last edited by loopy on Wed Aug 20, 2008 11:18 am, edited 1 time in total.
User avatar
kevtris
Posts: 504
Joined: Sat Oct 29, 2005 2:09 am
Location: Indianapolis
Contact:

Post by kevtris »

Bregalad wrote:Just on a side note, when cutting pin 4, this makes the CIC behave as a key and the reset line is freed. So the 6113 most probably act like a key only version of the 3193 (saving costs ?). The combination 6113L 6113K most likely works, beacuse the 6113 acts like a defeated CIC.


Now, about the PIC12 version of the CIC, I'd like to have more prection about the /ForceNTSC pin. You mean it's an open collector input ? What will happen when it is tied high ? The same as if it is floating, the chip will go in all modes, while in Force NTSC mode, is just behave like a 6113 without asking questions ?
It is an input, but it has a pullup built into the chip so it's pulled high internally. The internal resistor is around 100K or so. I measured the pin when it's floating and it is indeed sitting at 5V, even when I loaded it with a few megs it didn't move very far indicating that the pullup is functioning.

You can tie it high if you're feeling like it, it won't hurt anything... but it's not required. I made it do the "force' when pulled low, because it is right next to pin 8, which is ground. So to operate in NTSC only mode, you connect pins 7 and 8 together.
/* this is a comment */
User avatar
AWal
Posts: 132
Joined: Wed Oct 06, 2004 8:00 am
Location: Northern New York
Contact:

Post by AWal »

kevtris wrote:...must be why even the last front loaders made in the 90's had 3193's for the locks, long after all the carts were using 6113's.
Probably saved costs in manufacturing, without changing it too much (like licensee's cared at $9/cart)

Just a hunch...
rbudrick
Posts: 284
Joined: Wed Sep 21, 2005 3:20 pm

Post by rbudrick »

Image

A pic of some SNES CICs Tomy posted in another forum.

-Rob
User avatar
Bregalad
Posts: 8056
Joined: Fri Nov 12, 2004 2:49 pm
Location: Divonne-les-bains, France

Post by Bregalad »

I doubt the '74LS110', '74LS112', '74F9110 and '74HC11' are CICs.
Useless, lumbering half-wits don't scare us.
User avatar
kyuusaku
Posts: 1665
Joined: Mon Sep 27, 2004 2:13 pm

Post by kyuusaku »

They aren't, they just labeled them that to throw off Nintendo/competitors. Apparently Tomy has some early SFC pirate carts with 555 circuits to unlock the CIC too but hasn't shared them yet :)
Zonomi
Posts: 69
Joined: Wed May 09, 2007 12:45 pm

Post by Zonomi »

Hi all.
Sorry for reviving the thread, but I'd like to know if there was any progress in CIC hacking, like trying to adapt it to SNES.
Post Reply