Tuesday 2 January 2018

A Journey Into Capcom's CPS2 Silicon - Part 2

Welcome to the second post in the Capcom CPS-2 reverse engineering series, if you missed the previous post you can find it here:


Inside the custom chips of CPS2


Capcom's Play System 2, also known as CPS2, was a new arcade platform introduced in 1993 and a firm call on bootlegging. Featuring similar but improved specs to its predecessor CPS1, the system introduced a new security architecture that gave Capcom for the first time a piracy-free platform. A fact that remained true for its main commercial lifespan and that even prevented projects like Mame from gaining proper emulation of the system for years.


Chip Makers

Capcom's extensive use of customs in CPS2 spreads over a total 11 QFP type chips, as part of this project each of the chips were decapped and identified as follows:

A board (Base board)

DL-0311: Ricoh A5C series, standard cells. (Also found in CPS1) Datasheet
DL-0921: Ricoh A5C series, standard cells. (Also found in CPS1) Datasheet
DL-1123: Hitachi HG62F series model 22, gate array. Datasheet
DL-1425: AT&T Digital Signal Processor WEDSP16A-M14. (Also found in CPS1.5) Datasheet
DL-1625: VLSI Technology (VTI) VGT300 series model 022, gate array. Datasheet
DL-2227: Hitachi HG62E series model 08, gate array. Datasheet

CPS2 A Board 93646A-3 Custom chips highlighted


B board (Top board)

DL-1525: Motorola H4C series model 057, gate array in combination with a 68000 cpu megacell (CPM68K REV7-89). Datasheet
DL-1727: Fujitsu CG24 series model 692, gate array. *
DL-1827: Fujitsu CG24 series model 692, gate array. *
DL-1927: Fujitsu CG24 series model 512, gate array. *
DL-2027: Fujitsu CG24 series model 512, gate array. *

* No datasheet available for the Fujitsu CG24 series, please share any.

CPS2 B Board 93646B-6 Custom chips highlighted


Gate Array technology

Used in most CPS2 custom chips, a gate array circuit is a prefabricated silicon chip circuit with no defined functionality, in which transistors, standard NAND or NOR logic gates, are placed following a regular pattern and manufactured on a wafer, this half baked wafer is known as master slice.

Common advantages of Gate Arrays designs over Full-Customs according to TU Delft:

Minimization of the fabrication time: Because the chips are prefabricated (the transistors are already on the master image), the silicon foundry only processes the masks related to metal wires. As compared to full custom layout, the number of masks processed by the silicon foundry is often reduced by more than 60%.

Minimization of the design time: The time involved in designing a cell layout is reduced dramatically (as compared to full-custom) because the transistors are pre placed on the image. Typically, it takes only a few minutes to layout a flipflop or a combinatorial gate, and the designer does not need to know much about the process design rules.

Minimization of the chip cost: The layout design starts with a prefabricated master image. This is a semi-manufactured article that can be produced in large quantities. Consequently, it can be cheap.


Gate Array die size and development time compassion versus other chip design technologies


The Fujitsu gate array chips featured in CPS2's B board belong to the CG24 series and use a 0.8 micron CMOS process. Fujitsu uses a block-level placement and routing scheme commonly known as "fishbone".


Markings inside CPS2 Gate Array chip DL-2027


Unwired section of NAND sea-of-gates inside a Fujitsu CG24 chip

Logic inverter (NOT) implemented in Fujitsu's NAND sea-of-gates

Fujitsu's gate array technology is discussed in more detail in 1978 USPTO patent 4,412,237: https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US4412237.pdf


Capcom's deep pockets

Interestingly enough, several of the B board's chips used by Capcom show a very low utilization of resources being the worst offender chip DL-2027. In IC density terms its contents could be classified as mostly empty space. 

Given the expensive nature of the end to end design and fabrication of these devices one must think that perhaps Capcom's market successes enabled the company not to spare in resources.


Highlighted in yellow: total die area utilization inside DL-2027 


The Mysterious CPU


Contrary to popular belief, Capcom's CPS-2 cpu does not reside on the A bottom board of the system, instead the cpu is found on the B board and inside the big 208 pin QFP chip labeled as DL-1525. MAME's own documentation on CPS-2 does not help this belief either as it also states the system cpu is DL-1625, an A board chip.



Capcom DL-1525 dated 1993 week 51 source id JSX02RJ524AU03

DL-1525 hosts inside a massive die measuring around 7x7mm in size featuring a majestic Motorola 68000 megacell core surrounded by a vast 3-layer gate array. This monster IC is based on the Motorola H4C gate array series and uses a gate length of 0.7 microns (700 nanometers). To date it is the smallest feature sized chip I have worked on since I began reverse engineering ICs.


DL-1525 is a Motorola H4C057 class gate array in combination with a 68k cpu core (top right)


Small section of DL-1525 captured at 50x magnification. Three routing metal layers are visible.


Cross-section view of a Motorola H4C gate array describing its composition


DL-1525 Ancestry

A newsletter from Dataquest from May 1988 traces back the origins of Motorola's blending of 68000 cores with gate arrays to the world of laser printers. An extract of such IC industry newsletter reads as follows: 
Motorola is designing gate-array-based interface chips for use in laser printers. The chips will contain a core of the 68000 microprocessor and the dedicated laser printer functions. The LPC-1 will have 5,000 gates and will be fabricated with a 2-micron CMOS technology, while the ALPC-1 will have 16,000 gates and will be the first commercial application of Motorola's HDC series of 1-micron CMOS channelless architecture gate arrays. The LPC-1 is currently available in sample quantities; samples of the ALPC-1 will be available in December, with volume production scheduled for February 1989.

In fact, additional research shows chips with similar source identification marks to Capcom's DL-1525 have been in use in commercial laser printers such as models A258/A259/A260 made by Ricoh. The following parts catalog mentions at least two relevant ICs listed as follows:

 JSC05RR519AU15   208QFP // RICOH IPU BOARD A259 5146 / A260 5146
 JSC05SV519AY17   240QFP // Ricoh main control board A258 5090

Another close brother to DL-1525 is Motorola's own MC68302 "Integrated Multiprotocol Processor" chip. This IC employs a similar gate array and embedding of a 68k cpu core inside. More details about it can be found in the following document and product manual.


MC68302 internals description found in "Image Processing For Future High Energy Physics Detectors"

Other chips from Motorola are known to exist with even closer source id numbers to Capcom's DL-1525, their purpose or end product usage are unknown: 

 JSX02RJ514AU17   208QFP // H4C057-68K 
 JSX02RJ524AU03   208QFP // Capcom CPS2 DL-1525
 JSX05PR511AW26  144QFP
 JSX05PR511AW27  No info
 JSX38PG511AJ03   No info


DL-1525 in the wild

Another interesting finding regarding DL-1525 was the availability of chip stock in Alibaba.com marketplace, during March of 2017 and to test the listing veracity I was able to successfully purchase brand new stock of JSX02RJ524AU03 from a Chinese reseller. At the time of writing of this blog post such stock seems to be still listed on sale online. This chip doesn't seem to be the only Capcom device being sold in the wild, other chip codes are available to purchase online. 

I guess this is of no commercial relevance to Capcom anymore, but overall it doesn't show great asset control practices.


Two NOS units of Capcom's DL-1525 chip sourced from China, chips dated 1998 week 24

This is all for now, I hope you have enjoyed Part 2 of the CPS2 reverse engineering series. On the next post we will explore how and where Capcom hided its CPS2 security implementation. Stay tuned.

Part 3

17 comments:

  1. Oh man, you did it again! Reading your posts is like a dream made true! Hats off and keep up the good work.

    ReplyDelete
    Replies
    1. as if you had understood half of what Eduardo wrote ...

      Delete
  2. Took a while but was well worth the wait. Anxiously waiting for next post. :)

    ReplyDelete
  3. see you in 2019 por part 3

    ReplyDelete
  4. At that geometry, I'm guessing that it must be CMOS? So the 68K megacell would likely be based on the MC68HC000 or HC001?

    ReplyDelete
    Replies
    1. Definitely CMOS, core markings read as follows: CPM68K REV 7-89

      Delete
  5. Great !!!, i consideer really interesting the custom dl 1525,
    are usual in others arcade developments that the main microprocessor is inside a custom with gate array? Do you think campcom makes dl 1525 for hide 68000?

    ReplyDelete
    Replies
    1. DL-1525 is 101% meant to protect the cpu form outsiders, with CPS2 Capcom pushed the bar to stop bootleggers and unauthorized game conversions. Another example of this is Sega's System 16.

      Delete
  6. Great read. Given that the customs are more or less gate arrays and macroblock combos, rather than full hard customs, does that mean the configuration may be readable with a microscope? Having a closer hardware description of the CPS A and CPS B custom chips would be very useful.

    ReplyDelete
    Replies
    1. Regardless of the chip nature (gate array, standard cells, full custom), all chips are definable through inspection given enough time, patience, willingness.

      Before attempting anything like it I recommend looking at Mame's source code for CPS1 & 2, these guys are geniuses and already figured out most of the hardware working.

      Delete
    2. Sure, we have a reasonable high level description of the function of these chips and their registers. My interest is in an accurate recreation, either to supplement one of hundreds of CPS1 A boards with dead CROM address outputs on the A custom, or to allow for an accurate FPGA recreation. Decoding hidden internal state logic through external observation is a complex problem that is difficult to verify.

      Delete
  7. Nice Work, turns out CPS2shock were right afterall in the 68k location and MAMEdev were wrong. You have settled a long standing debate of times gone by.

    ReplyDelete
  8. Really nice work. I greatly enjoyed reading both parts.

    ReplyDelete
  9. Fascinated by all of this.. thanks for taking us on this journey. I am still intrigued by the DL-1625 (VTI) on the a-board, as well as where the 2 other GFX chips disappeared to within the single board CPS-2 black design.
    Do you have any plans to look at the encrypted z80 and 68k modules found on the Sega System 16b at some point? Thanks once again. :) Looking forward to the next part!

    ReplyDelete
  10. Ei Edu, i really love your articles. I'm a computer engineer and retro restorer, but is really hard to find sources about CPS2, so piece by piece we can make dead boards come back to life. Thanks for your great work.

    ReplyDelete
  11. This is a fantastic series and I love reading your work. Now, have you identified which of the chips in the CPS2 is responsible for sprites? I'm asking as a friend's Vampire Savior board has corrupted background graphics and good sprites and I'm thinking it has something to do with the "chip rot" issue that is affecting other Ricoh-manufactured ICs from the late 80's to early 90's (the SNES is also having this issue). I figured the sprite chip that the CPS2 got as an upgrade over the CPS1 wasn't from Ricoh and this overview confirms this. With that said, which of these ICs is responsible for sprites in the CPS2?

    ReplyDelete