Wednesday 30 May 2018

A Journey Into Capcom's CPS2 Silicon - Part 3

Welcome to the third and last post in the Capcom CPS-2 reverse engineering series. If you missed any of the previous posts, you can find them here:


Hunting Capcom's Secrets

For many years, finding how and where Capcom hid away its security implementation had been a pending critical task for the arcade community. CPS2 systems running out of battery were rendered useless, forcing collectors worldwide to perform board conversions or let go of their favorite games.


Typical CPS2 3.6 volts battery made by Hitachi Maxell Ltd in Japan

The battery featured in CPS2 systems is found on the top B board, and it powers a grid that reaches all of the B board custom chips while the board is at rest. During normal operation the battery drain stops and regular voltage is supplied.

Thanks to Capcom's friendly implementation, battery replacement is a relatively safe operation, as one is able to swap the battery without fearing instant game death. A capacitor found next to the battery is able to keep things running for a good few minutes until a fresh replacement is soldered in.


Battery voltage measured before distribution to one of the CPS2 custom chips

This grid, and the fact that Capcom pushes battery power to all custom chips on the board, is a deliberate smoke-and-mirrors exercise in an attempt to deter any curious parties by multiplying the number of possible target chips.

Earlier security implementations by Capcom, such as Kabuki or CPS1, lack this grid scheme and just feature a direct correspondence between the battery and the security chip using it.


Pulling the string

A clue as to where CPS2 systems hid their security came with the introduction of B board revision 5 (93646B-5): from this revision on, a little JST NH 6-pin connector was added carrying a number of known and unknown PCB signals.

Prior to board revision 5 these signals have been found to exist at one of the large base connectors, more specifically base connector CN2.


CN9 as found in CPS2 B board revisions 5 and up


CN2 base connector on a CPS2 B board revision 4

Why would Capcom move these signals to a simpler and more readily accessible connector? If you think in terms of producing, distributing and maintaining tens of thousands of game boards, the move speaks loudly of operational and logistics convenience. Ever more scalable, simpler and less expensive processes are a top-of-mind item for past and present organizations worldwide.

Still, a relevant question remained over time: what was behind connector CN9? No game or board feature was known to make any use of it; even worse, any adventurous individuals messing around would quickly find out that playing with this connector ended up mysteriously killing the game. This was a clear indication that the connector was somehow related to the security implementation of the CPS2 system.


Behind CN9

A quick analysis of CN9 revealed the following findings:


Looking at the list above, pins 1, 5 & 6 carry well known signals involved in the most basic life elements of a game PCB: VCC & GND (power) and /Reset. Without these it is materially impossible for a game to operate, so they are very relevant signals.

The remaining pins 2, 3 & 4 don't seem to be driven, as no signal is present during operation; they are most likely inputs, their purpose being unknown. Following the traces for these pins, we quickly find them leading to the adjacent custom chip DL-1827, and nowhere else.

Eureka? Time to find out what's behind this IC.

CN9 pins 2, 3, & 4 interface with DL-1827 pins 131, 132 and 69


Inside Capcom's DL-1827

Microscope inspection of DL-1827 revealed a made-to-order gate array chip manufactured by Fujitsu, more specifically a CG24 series gate array model 692 built on a 0.8 micron CMOS process. More information on these chips and gate array technology is available in the previous post of the series.


Manufacturer marks inside Capcom DL-1827 

Further inspection of the chip logic revealed a shocking finding: DL-1827 is a mere middleman making no use of these signals. In essence the chip verifies that the board is powered up and drives a passthrough for connector CN9 signals #2, #3 & #4, among several others. The target of the signals entering and exiting DL-1827 is revealed to be the adjacent chip DL-1525.


DL-1827 acts as a passthrough of CN9 signals onto chip DL-1525

The chart below summarizes how the CN9 signals travel until reaching their destination at chip DL-1525. The analysis discovered that Capcom intentionally used chip DL-1827 to hide away the real security target in CPS2 systems.


CN9 signal journey summary


Inside Capcom's DL-1525

As discussed in the previous post, DL-1525 hosts a massive die measuring around 7x7 mm, featuring a majestic Motorola 68000 megacell core surrounded by a vast 3-layer gate array. Inside this sea of gates, one area in particular hosts a large section of memory registers used to store some configuration settings and the game encryption keys.

A total of 158 bits (1 bit per memory register) are chained together in a serial train to compose the memory block used as part of the settings found in CPS2 security.


DL-1525 Motorola H4C057 class gate array, memory dedicated array area highlighted.

A closer look at the area shows the structures identified as memory registers.

Group of gate array memory registers highlighted in purple and green.

Below, verification of these structures in the simulator reveals the memory registers to be D-type flip-flops. Top right of the image: 20x gate array area capture of a flip-flop memory register. Top left and bottom images: logic simulation for verification purposes.

CPS2 DL-1525 gate array D type flip flop overview and simulation

Example of how one of the CN9 signals enters the DL-1525 chip: bottom left, in yellow, CN9 #3 enters DL-1525 through pin 9 and is driven through a buffer for signal amplification. After that the signal goes straight into the enable input of the first memory register, and from there on to the rest of the registers as a chain.


Overview of CN9 #3 signal entering DL-1525 through pin 9



Structure of the memory

The 158 bits used in CPS2 security configurations are structured in 4 distinct blocks. One of them is dedicated to configuration settings, while the other three contain specific encryption information such as the pair of encryption keys.

From the outside, configurations are stored in the chip via a serial protocol in bit-reverse order, while the system inside accesses the information in full parallel mode (all bits at once).

Example CPS2 internal configuration for the game sfz2alh

As displayed above, a number of bits in the first block are of unknown purpose; from here I'd like to invite any brave readers to venture into finding their exact use and functionality.
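To make the mechanism concrete, here is an added Python model (not Capcom's design nor code from this post) of the flip-flop chain described above: 158 registers loaded serially in bit-reverse order and read in parallel, plus what a stray pulse on the chain or a dead battery does to the stored image. The sample image, the method names and the single chained enable pulse are assumptions; the post does not state the exact role of each CN9 signal.

```python
# Added model, not Capcom's design nor code from the blog: the DL-1525
# configuration memory as the post describes it, 158 D-type flip-flops
# chained into a serial train, loaded one bit per enable/clock pulse in
# bit-reverse order and read by the rest of the chip in parallel.
CONFIG_BITS = 158


class DL1525ConfigMemory:
    """Serial-in / parallel-out flip-flop chain holding the security config."""

    def __init__(self) -> None:
        self.regs = [0] * CONFIG_BITS  # unpowered state: every flip-flop reads 0

    def shift_in(self, bit: int) -> None:
        # One pulse on the chained enable line: the new bit enters register 0
        # and every other register takes the value of its predecessor.
        self.regs = [bit & 1] + self.regs[:-1]

    def program(self, image: str) -> None:
        # `image` is the parallel view the chip sees (register 0 first). Each
        # pulse pushes the chain along, so the serial protocol must deliver the
        # last register's bit first, i.e. send the image in bit-reverse order.
        if len(image) != CONFIG_BITS or set(image) - {"0", "1"}:
            raise ValueError("expected a %d-character bit string" % CONFIG_BITS)
        for b in reversed(image):
            self.shift_in(int(b))

    def read_parallel(self) -> str:
        return "".join(str(b) for b in self.regs)  # internal access: all bits at once

    def battery_loss(self) -> None:
        self.regs = [0] * CONFIG_BITS  # no battery, no VCC: keys and settings gone


# Constructed sample image (a bit pattern, not any real game's configuration).
SAMPLE_IMAGE = ("1011001110001111" * 10)[:CONFIG_BITS]


def program_and_verify(image: str) -> bool:
    """Bit-reversed serial load must reproduce `image` on the parallel side."""
    mem = DL1525ConfigMemory()
    mem.program(image)
    return mem.read_parallel() == image


def stray_pulse_corrupts(image: str) -> bool:
    """A single unintended pulse on the chain shifts every bit: config lost."""
    mem = DL1525ConfigMemory()
    mem.program(image)
    mem.shift_in(0)
    return mem.read_parallel() != image
```

The last function is why poking at CN9 on a live board "mysteriously" kills the game: one extra pulse shifts all 158 registers and the parallel image no longer matches what was written.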

All information regarding how to write CPS2 security configurations can be found here.


Closing words

Working on unraveling the mysteries behind the CPS2 security implementation has been an amazing challenge and journey for me. I'd like to thank every person that has participated, helped or backed the project in any way, especially those deeply involved: Artemio Urbina, Ian Court and Digshadow.

The arcade legacy still has a great number of preservation challenges waiting to be addressed that will keep us entertained for a while. I look forward to sharing new and exciting projects with you in the near future.

Eduardo.

12 comments:

  1. Brilliant article. Love your work! I have a question. The cap keeping the board alive is the black cap found at CCI? What if that capacitor dries out? Is it safe to replace this cap with a fresh one?

  2. Absolutely fascinating series! Thank you for the amazing posts.

  3. Great writeup. Thanks, Eduardo.

  4. Thank you so much for doing this, Eduardo.
    What an incredible reverse engineering effort.
    I found this absolutely fascinating and inspirational. It will also help the community keep their CPS2 boards alive in their original states. :) Cheers.

    -Dave

  5. I admire the skill and dedication of yourself and your collaborators. Thanks for sharing your findings!

  6. Very impressive and fascinating work Eduardo! Thanks for sharing and figuring out that long-lasting mystery!

  7. Some of those unknown bits are probably related to the change in GFX port offsets at 0x400000 known to happen when a board suicides. Others could be related to the CPS1 leftovers that exist in CPS2 hardware (which CPS2 games do not really use, like the multiplier port).

  8. Thanks for this information Eduardo. I'm absolutely about arcade hardware and definitively you really did a good job here.

  9. Maybe the unknown bits are the serial number you see on the boot screen?

  11. Can it be shared as to which pins of CN9 correspond to the DL-1525, other than pin 9, as mentioned? I have a faulty CPS2 black which has not been revived via infini/key and want to be sure the signal is transferring.
    This is such fantastic work and it's blown me away with how complicated these really are.
