leonardoliveira & Idc's clean decrypted roms

[idc]

Leonard and I were chatting about this yesterday when he made the discovery that a the CPU on a dead cart still tries to boot. He discussed with me a few promising ideas on how to proceed, but then I went to bed. This morning I awoke to an e-mail with the awesome news. I was confident, but I didn't expect it to happen so quickly! Nice one Leo!

[Rossyra]

[darksoft]

Wow. Great work!

[YZRider926]

Very nice work. Looking forward to some more updates.

[pubjoe]

Incredible!

[MrSandman]

that is so fantastic !

DisplayCollapse view

What is going on?

What CD has been inserted?

Was the cart dead?

Did the cart match the CD / game?

Is this behaviour different from what is usual?

[IDCHAPPY]

I won't ask how your doing it, but excellent , makes me feel happier about having CPS3 gear

[leonardoliveira]

I won't ask how your doing it, but excellent , makes me feel happier about having CPS3 gear

I'll only say one thing:

Doing CPS2 stuff is like 1000 times more work. >.>

[Collin]

That is mind-blowingly good news! Congratulations!

I did soil my trousers in the happiest of ways just now.

[leonardoliveira]

If anyone is wondering how this CPS3 revival stuff works, it has to do with that "unknown" chunk of code at address 0x7FF00 every game has and that doesn't seem to decrypt with the game keys.

There are four kinds of DL-3229 chip. That is the purpose of the "A", "B", "C" or "D" sticker on the top of the chip.

The custom SH2 chip is set up to jump to 0x7FF00 (or that stuff is not code but the data which is copied to the security SRAM inside the chip) when it has blanked keys on the SRAM memory. It's a SECURE device so the catch is that each of these four chips use a SET ON STONE key to decrypt a boot loader (which will be at 0x7FF00) and the encrypted bootloader I have works only for ONE of these four chips. Also, it SET the encryption keys only for Street Fighter 3 2nd Impact so that's the only thing I am able to revive (for now).

While it's pretty limited for the time. WE NOW KNOW WHERE TO LOOK for a solution ...

[SuperPang]

Oh well that clears that up then

[YZRider926]

If anyone is wondering how this CPS3 revival stuff works, it has to do with that "unknown" chunk of code at address 0x7FF00 every game has and that doesn't seem to decrypt with the game keys.

There are four kinds of DL-3229 chip. That is the purpose of the "A", "B", "C" or "D" sticker on the top of the chip.

The custom SH2 chip is set up to jump to 0x7FF00 when it has blanked keys on the SRAM memory. It's a SECURE device so the catch is that each of these four chips use a SET ON STONE key to decrypt a boot loader (which will be at 0x7FF00) and the encrypted bootloader I have works only for ONE of these four chips. Also, it SET the encryption keys for Street Fighter 3 2nd Impact so that's the only thing I am able to revive (for now).

While it's pretty limited for the time. WE NOW KNOW WHERE TO LOOK for a solution ...

Well you got to start somewhere. So would you need to get different versions of the carts as well as different games for testing and such?

[leonardoliveira]

Well you got to start somewhere. So would you need to get different versions of the carts as well as different games for testing and such?

Pretty much, yes.

Right now I'm on the IRC with xorloser (yes the guy what knows lots of crypto stuff) working some tests out.

Also, there's a possibility that chunk is not code, but data for the decryption SRAM so I edited my post accordingly.

[Devil Soundwave]

Holy smokes. Nice work sir!

[Collin]

Awesome! What has to be done to revive 2I carts?

[leonardoliveira]

Awesome! What has to be done to revive 2I carts?

We've narrowed the stuff at 7FF00 seems to be the security keys indeed. They're uploaded to the SRAM inside the chip on POR (Power On Reset)

Still working out their "real size".

[Collin]

So in layman's terms, what is physically done to fix the cart? Is it a question of reprogramming an EPROMS, or installing jumper wires, or what?

[leonardoliveira]

So in layman's terms, what is physically done to fix the cart? Is it a question of reprogramming an EPROMS, or installing jumper wires, or what?

Supposed facts:

The flash chip /CE and /OE signals (Chip Enable and Output Enable) are controlled by the CPS3 mainboard, not by the custom SH2 CPU itself. So address decoding is done by the mainboard and that AMD MACH111 PLD device.

There's /BYTE signal from the flash chip connected to the PCI slot edge connector which means that CAPCOM probably uses a 8-bit programmer to write the flash, with the cartridge already assembled...

Flash /OE and /CE have pullups installed, which implies that the hardware used to revive the CPU keys not necessarily has to support flashing. It would work even with the pins being left alone.
That allows for interacting with the SH2 CPU without touching the flash.

Apparently the custom SH2 is hard wired to use the CS0 region in 16 bits (bootrom region) since pins MD3 and MD4 (on normal SH7604 SH2 these pins are used to select 8bit, 16bit or 32bit bootrom bus width) are used to control the secure backup mode during power off. Still talking about generic SH2 on a CPS3, I do suspect that some high address lines might be inverted (internally, on both the custom SH2 and CPS3 chipset) to prevent the generic SH2 from working... In addition to MD3/MD4 pins.

For now I believe that at CAPCOM something on this like is done to revive a cart:

1- They open the cart, take notice of the sticker glued at the SH2 chip.
2- Replace the battery
3- Assemble the cart
4- Plug it on the programmer


Now, I think each game has 4 sets of data for 7FF00, one for each of the 4 chips. When the battery is removed, the chip goes to what I called "empty mode". In empty mode it will copy whatever is at 7FF00 to it's internal memory and only after that it will try to boot.

I suppose the reprogram hardware will have a chunk of 16bit RAM mapped at 7FF00 at SH2 address space and the programmer will upload the correct value (which we currently suspect to be eight bytes) at the said location. When the SH2 chip is released from reset it will load that eight bytes as key (they seem to be encrypted somehow though) and the device is set-up.



No wires are installed. This method should be plug and play. The operator just need to know which kind of chip the CPU in the cart is because apparently the keys are encoded in a different manner for each of these chips.

Edit:
After playing around with this I decided to test something vile:

1- Take the working battery less cartridge
2- Install a battery
3- Play it for a while
4- Take it out from the CPS3 system
5- Play around the edge connector with a screwdriver
6- Put it back

And it was stuck at that screen where you see garbage that is on the video memory, which means the CPS3 is stuck and the cartridge did suicide.
I called that "mode" as "stuck mode" lol. xorloser did mention that the CPU could had wakened from sleep through a pulse on one of it's interrupt pins, causing it to crash.
Removing the battery brings it to life instantly as the valid key for re-programming is permanently sitting at 0x7FF00.

[Collin]

Very cool! A lot of that was over my head, but I think I got the basics. Are you able to turn other 2I carts into battery-free?

*edit* I realized that I hadn't asked one question that I meant to, which is what was done physically to make the cart play without a battery.

[leonardoliveira]

Very cool! A lot of that was over my head, but I think I got the basics. Are you able to turn other 2I carts into battery-free?

*edit* I realized that I hadn't asked one question that I meant to, which is what was done physically to make the cart play without a battery.

I flashed the eight bytes which cause it to set the encryption KEY for SF3-2 at 0x7FF00

Btw it was xorloser who figured out it was data, not code.