Saturday 8 December 2018

Sega System 16 / 18 / 24 / X Security Programming Guide

Dear all, after some lengthy testing we are happy to release full details on the security programing of the Hitachi FD1089 / FD1094 cpus used in Sega's System 16 / 18 / 24 / X motherboards.


This guide is the result of several years of work by a small group of arcade enthusiasts to unravel the secrets of the security implementation found in one of the most loved and popular arcade game platforms. Thanks to this work it is now possible to fully preserve most Sega 16 bit systems enabled with security as fully working unmodified originals.

Unlike previous projects this time we recommend the usage of a dedicated pcb to interface with the chips due to the high pin count involved in the programming.

Additional details of the inner workings of Sega's FD security modules will be published over time in this blog. Work on the earlier MC 8 bit modules used in some System 1 / 2 boards and sound of Sega 16 is still in progress and will be published when completed. 

Thanks to everyone who has helped make this a reality including all kind donors and testers.

Sega Hitachi FD1089 / FD1094 Security Programming Guide

This document will guide you through the basics of preparing your setup and testing the a clean desuicide method on any known Sega 16 / 18 / 24 / X board revisions using Hitachi FD1089 or FD1094 modules. You can find a pdf copy of this guide and code on the following link: https://github.com/ArcadeHacker/ArcadeHacker_Sega_Hitachi


What's needed


Arduino programmer hardware





  • Soldering iron and solder

Sofrware



Assembling and preparing your Arduino programmer


This step is pretty straight forward, solder all the pin headers to your programmer pcb as well as the IC 64pin socket. The fully assembled pcb looks like this:


After the pcb shield is ready just sandwich it together with your Arduino Mega 2650.



Download and install software for your OS from https://www.arduino.cc/en/Main/Software
Select the right arduino board type before connecting your arduino to your computer. Tools -> Board -> Mega 2560.



Connect the Arduino to your computer by plugin the USB cable and choose the correct serial port in Tools -> Port. 

Open the ArcadeHacker Sega FD1094 or FD1089 .ino file in the Arduino environment. Compile and Upload the sketch to the Arduino unit.

Open the Arduino IDE serial monitor found in Tools -> Serial Monitor. Configure the two settings found in the lower right part of the serial monitor window as follows: Carriage Return and 115200 bauds. 



Close and open the serial monitor, you should now see the following text on screen. If this is the case you have successfully setup and configured your Arduino programmer. 



Programming security keys


Look inside the Arduino FD1089 or FD1094 code for the game you intend to program the encryption keys into the FD chip and uncomment the desired line of code. Only one game can be uncommented at any time, don't forget to comment the default blank game setting at the beginning of the list.



If the above was done correctly you should now compile and upload the program to your Arduino without problems. Once the upload process is finished open the serial monitor found in Tools. The program prompt should display the game you have configured. 



For this example we have selected "eswat" a System 16 game using the Hitachi FD1094 security module "317-0160". FD1094 security modules can be repurposed for any game and it is not required that a label in the cpu module matches the intended game security key to be programmed. This will not be the case with FD1089 modules as two different encryption schemes exist (FD1089A & FD1089B): A variants of the chip are only compatible with games roms for other A variants, and B variants for B games only.



Having inserted the module in the socket we can proceed to program the security keys by typing w and pressing enter. Make sure you replace the module battery if necessary before attempting a key load, a new battery will last at least 20-30 years so don't expect to have to repeat this often. Once the process finishes you can disconnect the Arduino module from your computer and remove the cpu module.



If you would like to verify that the contents of the cpu match the intended configuration loaded in your programmer you can perform a verification by typing v and pressing enter. This verification compares a 1 bit parity per byte calculated internally by the security module against the encryption configuration in your Arduino. 

WARNING: This verification procedure is 100% safe in FD1094 modules. Unfortunately this is not the case with FD1089 modules as the verification will delete the data inside your module, please do not attempt verification with any valuable FD1089 modules especially if currently undumped or not preserved in Mame. 


Final words


This is all there is to preserving your Sega FD1089 / FD1094 modules as working units, we hope this milestone will help you and the rest of the arcade community preserve your loved games as originals and stop the general discarding of Sega Hitachi modules. 

As mentioned in the opening of this post, a number of follow up articles in this blog will reveal the inner workings and curiosities of these artfully crafted security modules. 

Happy preservation. 

24 comments:

  1. Whoooo!.... Epic!... :)
    Congrats!

    ReplyDelete
  2. Awesome! Thank you so much! (/^▽^)/

    ReplyDelete
  3. Awesome job eduardo and all others contributing for this happening

    ReplyDelete
  4. Incredible stuff, as usual will be waiting eagerly for the technical details.

    ReplyDelete
  5. Unbelievably information, Eduardo Cruz! Thanks so much!

    ReplyDelete
  6. just say congratulation nothing more...

    ReplyDelete
  7. Good one. May this help improving graphics emulation in CrackDown?

    ReplyDelete
  8. Looks like my decryption program won't be needed anymore ... That's a good thing ;)
    Good work Eduardo !

    ReplyDelete
    Replies
    1. Well everything has been decrypted but I think there will still be people not wanting to use a battery (when you have a huge collection of PCBs it's just not realistic to replace dozens/hundreds of batteries every 5 or 10 years to play it safe).

      Delete
    2. These last quite a long time 20-30 years

      Delete
  9. Awesome work. Thanks a million!

    ReplyDelete
  10. Hi Eduardo, impressive work as always.
    I have few questions for you:
    1) Can a FD1094 module replace any FD1089 module (A or B)?
    2) Is a battery necessary to inject keys if the module is powered through its power pins? Are the keys held as long as module is powered (I'thinking of programming the module in situ by isolating its buses from the motherboard).
    3) Does a module act as a standard 68k CPU if programmed with default keys (0x00 or whatever the default value is)?

    ReplyDelete
    Replies
    1. 1) FD1094 modules cannot directly replace FD1089 A/B modules, not unless with a complete remake of the encrypted roms. 2) You should be able to do this, the battery is only switched when VCC is lost, otherwise VCC is used. 3) I haven't tested this but you may be able to use the modules as standard 68k by filling the internal memory with byte value 0x40, this value is used internally to shut off the encryption scheme.

      Delete
    2. Hi !
      I ordered and received a batch of 5 PCBs (the minimum count). Since I only need one, I can send one to people interested, you only pay the postage. You may email me at djvinc -at- gmail -dot- com !

      Delete
  11. Thanks a lot Eduardo for this valuable information.

    ReplyDelete
  12. Edouardo, I love you ;-)
    I just make revive my cotton board !
    Thanks for this AWESOME job !

    ReplyDelete
  13. Will the further posts describing how this actually works ever be posted?

    ReplyDelete
  14. Hey Eduardo, what's the best way to get in touch with you? Is there a forum or discord server or something you frequent? I can program FD1094 modules no worries, but I'm having trouble with FD1089B modules. Programming seems to not write the correct contents, and verification's coming back with parity "1" for every address regardless of what was written. I was hoping you could help me troubleshoot. Programming did something as previously there was a damaged, but partially working, security key. The content was changed by the programming attempt but not to what was supposed to be written. Any help would be appreciated.

    ReplyDelete
  15. Test a different FD1089 module in case that one is damaged.

    ReplyDelete
  16. Wonderful work…
    Do you know if a compatible Arduino Mega 2560 Rev3 would be good?

    ReplyDelete
  17. Eduardo, consigo contato com você? Sou do Brasil também e preciso de um auxílio na minha golden axe

    ReplyDelete