Tuesday, 16 June 2015

Capcom CPS1 - Part 3

Welcome to the third and last post in the Capcom CPS-1 reverse engineering series, if you missed any of the previous readings you can find them here:


Security inside

As explored during the previous two articles, with the introduction of CPS-1 Capcom developed a couple of graphic custom chips known as CPS-A and CPS-B. These chips unified many graphic functions and allowed Capcom to push its game capabilities further while reducing system design complexity.

One specific mission of custom CPS-B was security, a characteristic that prevented operators from reusing CPS-1 hardware by simply burning new roms, this was accomplished by featuring a unique internal chip configuration in almost every new game title.

While early CPS-B chips are truly unique items, with their internal configuration set at the silicon level, the final CPS-B revision known as B-21 was capable of holding any factory configuration by using internal memory backed by an external battery. This helped Capcom simplify its operation by not having to manufacture new CPS-B chips with every new release.

At production one specific configuration was defined by Capcom for the accompanying game title, and losing power supplied by the external battery means you lose your game, a typical problem faced by today's game collector in preserving working original games.





27 comments:

  1. Very cool! Thanks for your hard work!

    ReplyDelete
  2. Great new :-) Thanks Eduardo.
    A dream come true ^^

    ReplyDelete
  3. Incredible work! and you make it look like so simple.

    I see that this post is mainly video based, is this the new trend?

    It would be nice a link to the Pic with the pinout.
    In min.15:25 where you can see the programmable logic, looks like the obfuscating bars are also there. Did you also have to process that area. Can you elaborate more on how you defeated that and which challenges did you face?

    Once again Congratulations!

    ReplyDelete
    Replies
    1. Yes, guard bars were everywhere, so the entire chip had to be delayered. It's a chemical process, you can find some more information over here: http://siliconpr0n.org/wiki/doku.php?id=delayer:start

      Delete
  4. When we will be able to buy this?

    ReplyDelete
    Replies
    1. Anytime, just email whenever you are ready. Thanks for your support.

      Delete
  5. Why the video rather than writing it up? Video compression makes the diagrams fuzzy, you can't easily skip over the repetitive parts, it's not searchable or usable for reference. It's also very light on detail. There didn't seem to be any mention of where the de-suicide data comes from. Has it been somehow extracted from working boards? Has it been reconstructed some other way? If it isn't extracted from working boards, how do you know you have the right values for buts which you don't know the purpose of? Overall I found the video very disappointing.

    ReplyDelete
    Replies
    1. When I have the chance I will post a pdf presentation as I did with Kabuki, I hope that helps.

      Regarding the data, it's all hard work ie: puzzle solving. Spotting the right values comes from trial and error as well as in game verification. Rom code reviews are also performed to spot and understand which memory addresses are exactly being used by each game.

      Delete
  6. Now that this has been reverse engineered, do you think recreating these chips in a FPGA or similar would be viable? These chips are frequently dying these days, which I see as at least a big problem as losing the decryption data... I have a few c-boards which are dead due to the PPU :/

    Come to think of it, I wonder if some of the faulty B21 PPUs are simply due to the registers dropping bits here & there. On the c-boards with no battery, do the B21s still have data in the 144 registers (or is it all just blank)? Is there an easy way of reading the data FROM the registers? Would be great if I could revive one of my Hyper Fighting c-boards (missing sprite layers) simply by reprogramming the B21...

    ReplyDelete
    Replies
    1. I see it possible for someone to reproduce B21 parts as FPGAs, although the work involved would quite a lot.

      When a B21 loses i's battery all registers should go to zero. You can't read them from outside, only write.

      Delete
    2. Ok, so presumably battery-less B21 c-boards (SF2HF etc) must just not use any of the data in those registers then?

      Delete
    3. Exactly, not on those memory registers but instead they default to a hardwired internal logic. B21 can operate with those default settings or any settings configured at will.

      Delete
  7. What an amazing job you have finally done !!

    I have few questions / remarks about your video.

    First of all, you said to put SETUP high on startup, should it be kept high all programmation time?

    About the data transfert, could you tell me if address are encoded as LSB firt or MSB first ?

    Same question about transferring data, should I send first bit first of the 144 one's first ?

    Few remarks now,

    It looks that there is a little confusion between some of your slides, bit 10 is used for title ctrl 1 at 35:35 and also for unknown output at 37:27

    I'm also surprised about tile/starfield control.
    I can't imagine that it is only encoded in 3 bits.
    I don't know if you know how it works, but it's not like the other fields in mame.
    The value are for masking another ones, not adress shifting.
    For example, to activate layer 1, you have to "oring" all bits at the adress of the layercontrol with the first mask value.

    On a BT1 PPU, to activate layer 1, you have to do *0x800168 |= 0x20
    And when I look to all the possible value, it should use 5 bits instead of 3.
    May the remaining 2 bits be somewhere else in the 144 bits ?

    Thanks a lot again for your time !

    Bye

    ReplyDelete
    Replies
    1. Hi Alex, thank you for the feedback and support, keep it coming. Below you will find my answers:

      Setup signals: Correct signal must be maintained through the entire programming process.

      Data transferring: Starting with bit 144 all the way down to bit 1. It's a serial pattern, eg: 144 clock 143 clock 142 clock ... and so on.

      Tile/Start field controls: Yesterday I added a comment in the video explaining how those work and why they are 3 bits only. You will find the note in the video around minute 34:45

      Tile_ctrl1: You are totally right, thanks for pointing this out! I have just added another note to the video with a correction, see 34:00

      Regards. Eduardo

      Delete
  8. Hello there, Eduardo!

    As an arcade collector myself, I am in complete awe of your work. Well done.
    Coming from a software / ICT background myself, it amazes me the way they approached and designed this.

    I've also been an keen researcher of the CPS-2 platform, and I can see alot of similarities in the security protocols between the CPS-2 system and the Kabuki as well as the CPS-B-21 chips.
    It seems there is something in the CPS2 custom chips that have the following functions:
    1/ Programmable area that controls which parts of the memory maps are involved in the decryption process.
    2/ A 'watchdog' opcode that the ASIC needs to see every X amount of seconds or the game freezes / resets.
    3/ Programmable area that holds decryption keys and which areas of memory control some system functions.
    (when the battery loses power the area of addressable memory changes! eg: whatever_function: alive=0x8000c000, dead=0x8000f000)

    Those conclusions I made are just based on reading the MAME source as well as CPS2Shock's incredible work over the years.

    Would you consider embarking on another journey to uncover the secrets of the CPS-2?
    I would be fascinated to know how it works and if we can de-suicide and reprogram the security on dead B boards! I have 2 myself.
    The steps involved in the secret 'door-knocking' and 'secret-key' and the evential serial data upload into internal battery backed RAM space I bet are similar and I would LOVE to know how it works!

    I can't get enough of this stuff!
    Thanks and once again, incredible work!

    Regards, Dave.

    ReplyDelete
  9. Any chance you make a tutorial on hoe to build this programmer?

    ReplyDelete
    Replies
    1. Definitely, I will post something soon.

      Delete
  10. Hi Eduardo !

    I'm a french arcade collector.
    Your work is very impressive. So fast and efficient !
    I follow your cps2 tutorial and bought a Genuino Uno.
    Thanks to you, my Marvel vs Capcom single black work again now :-)

    But I have a problem with ArcadeHacker-CPS1 and ArcadeHacker_Kabuki-Master.
    When I want to verify/compile, it's not working, I have this message:
    collect2.exe: error: ld returned 5 exit status

    exit status 1
    Error compiling for board Arduino/Genuino Uno.

    Have you any idea for help me ?
    Or I need another Arduino/Genuino like the MEGA version ?

    Another question. I saw the Marvel vs Capcom single black version in the ArcadeHacker_CPS2, but I don't see others CPS2 single black boards in the list (Gigawing, Street fighter zero 3, Hyper street fighter 2, Mars Matrix and Dimahoo). Have you the possibility to add them too ?

    Thanks for all ;-)

    ReplyDelete
  11. Do you know which specific games are subject to this "suicide" on CPS I?

    ReplyDelete
    Replies
    1. Look at the list on the link below, all of the games with an * at the end run a security enabled B21 chip. https://github.com/Robbbert/hbmame/blob/master/src/mame/video/cps1.cpp

      Delete
  12. Is it possible to replace just the B21? Mine is destroyed corrosion has taken 6 of the legs completely.41,42,79,80,81,82.

    ReplyDelete
  13. Your work on this is amazing. I have a cps 1 game(sf2 ce) that has no battery on the c board. But it has been corroded and the b21 chip has lost 6 of its legs . Are there any b21's left in the world to replace it ,and if not would it be possible to program an fpga to replace it? just wondering if its possible to fix this or do i just need to buy a new PCB.

    ReplyDelete
    Replies
    1. You may want to look for faulty boards and find a replacement for your game.

      Delete
  14. This is the coolest thing I've ever seen! Do CPS-B-21 chips that don't have the battery circuit that many games run on have a "default state"? If no data is programmed into the ppu then the registers / priorities are just set at defaults with no offsets or anything being changed?

    Ideally, I think it would be best just to reprogram each game to run on a default state cps-b-21 since this is the most common variation of the ppu. Hopefully someone will one day make a more powerful and easy to use cps debugger to simplify this process.

    ReplyDelete
    Replies
    1. That's correct, there's a default config when the device is configured to run without battery.

      Delete
  15. It's very amazing
    Can Japanese version cps1 board also be available?

    ReplyDelete