Posted: Fri Jan 22, 2010 1:19 am
by ikari_01
Great!
I will do the same with a pair of D413 when I get around to it.

Posted: Mon Mar 08, 2010 2:42 am
by ikari_01
segher wrote:
> • multiple consecutive ldi instructions.
> AFAICS the latter are used in seed initialization so it might actually help
> to have another ROM dump.

They are used in a few other places. It isn't necessary to really understand
those to create a clone, it is almost trivial to reconstruct the initial state
from a few dumps of the actual data streams.
It seems the latter ldis just override the former as one would expect. A brief inspection of the initial key exchange (before the first scrambling) supports this.
So the seeds for a D411 are:

KEY: b14f4b57fd61e98
LCK: _9a185f11e10dec
with _ being the "stream select" bits from the lock in order 3-0-1-2 as usual.

AFAICS the scrambling algorithm itself is unchanged from the NES CIC (aside from being called three times).

Another change appears to be that, after scrambling, the D411 replaces the lock seed's third nibble with its seventh nibble ([0x13] <= [0x17]).
It also does lots of redundant stuff to P3.0, which changes some details of how the 'temp' nibbles (0x00, 0x10) are generated and interpreted, but the changes cancel each other out.


EDIT: This was wrong. I'm still not sure what exactly it is that P3.0 does, but with the D411, key and lock streams are swapped when [0x17].0 is 1 after the triple scrambling runs.

Here's a quick hack in C that generates a D411's input and output streams. Confirmed for the first 40 or so block transfers sampled with an LA.
http://pastebin.com/aGyMWbKF

Posted: Wed Mar 10, 2010 12:13 pm
by ikari_01
Here are the seeds for the D413 - compare them to the D411. They really put lots of effort into it. :D

key seed: b14f4b57fd61e98
lck seed: _6a185f11e10dec
BTW, are there any SNES CICs other than D411 and D413?

Posted: Wed Mar 10, 2010 12:58 pm
by bunnyboy
Great work! Too bad they don't spell out anything :(

I do not know of other CICs, possibly in the Super Famicombox? Will assume the D413A etc are just process variations.

Additionally it might be interesting to use the instruction set info to disasm the ROB chip once a ROM dump is made. Supposedly it is the same CPU.

---

If anyone knows someone who is awesome at PIC programming, I will offer a significant pile o cash for a Super Ciclone. Please PM/email to not derail the thread.

Posted: Wed Mar 10, 2010 1:05 pm
by Near
I would also be very interested in a C implementation of the lock+key CICs. While they don't help emulation, I would like to include them for the sake of hardware documentation.

Posted: Wed Mar 10, 2010 7:18 pm
by FitzRoy
ikari_01 wrote:
> BTW, are there any SNES CICs other than D411 and D413?

I have personally seen the following:

D411 (NTSC carts)
D411A (NTSC carts)
D411B (NTSC carts)
D413 (PAL carts)
D413A (PAL carts)
D413B (PAL carts)
F411A (NTSC carts with SuperFX, OBC1, maybe others)
F413A (PAL carts with SuperFX, OBC1, maybe others)

Posted: Fri Mar 19, 2010 5:36 pm
by jims cool
i don't like pic micros.. how about an open source AVR?
wouldn't mind doing the time for a universal nes / snes chip

..
edit: removed dumb question

Posted: Sat Mar 20, 2010 2:44 am
by ikari_01
Here's a PIC implementation for the SNES CIC. Key mode only, auto region fallback (requires user reset)

Doing a combined NES/SNES CIC clone is a cool idea, especially since there is no open source NES CIC clone yet.

Posted: Sat Mar 20, 2010 6:37 am
by Jeroen
Awesome a snes ciclone :-D

Posted: Sat Mar 20, 2010 2:02 pm
by jims cool
ikari_01 wrote:
> Here's a PIC implementation for the SNES CIC. Key mode only, auto region fallback (requires user reset)
>
> Doing a combined NES/SNES CIC clone is a cool idea, especially since there is no open source NES CIC clone yet.

nice job! guess i'm starting with the nes cic.. then i'll make it universal
i only have 3193/6113 and D411A/F411B so i can't test everything
3197 apparently burns five extra cycles before initialization and first seed transmission is fifteen bits..

here's the seeds if you want to add them to your chip

3193 - USA/Canada
LOCK: 3952F20F9109997
KEY: x952129F910DF97

3195 - Europe
LOCK: $17BEF0AF5706617
KEY: $x7BD309F6EF2F97

3196 - Asia
LOCK: 06AD70AF6EF666C
KEY: x6ADCF606EF2F97

3197 - UK/Italy/Australia
LOCK: 558937A00E0D66D
KEY: x79AA1E0D019D99

Posted: Sun Mar 21, 2010 3:51 am
by orwannon
ikari_01 wrote:
> Here's a PIC implementation for the SNES CIC. Key mode only, auto region fallback (requires user reset)

Great! :) What type of PIC would I need to try this out?

Posted: Sun Mar 21, 2010 9:47 am
by blargg
If you download the source, you'll see at the beginning: "processor p12f629"

Posted: Sun Mar 21, 2010 10:26 am
by orwannon
blargg wrote:
> If you download the source, you'll see at the beginning: "processor p12f629"

Argh! How could I miss this? Thanks, blargg. :P

Edit: Hmmm ... ikari_01, would this work on a 12C508 as well?

Posted: Sun Mar 21, 2010 2:10 pm
by ikari_01
orwannon wrote:
> Edit: Hmmm ... ikari_01, would this work on a 12C508 as well?

Unfortunately not. Three problems:
  • The 12[C/F]508 has a fixed power on reset delay of 18ms which is too slow.
  • The lock CIC resets the key CIC using an active high reset signal - however the reset pin on the PICs is active low. Therefore the "reset" is simulated using the external interrupt pin of the 12F629, a feature not available on the 508.
  • This is really a matter of convenience, but: The 508 has no EEPROM to store the last valid region, meaning the clone would not be able to permanently adjust to the type of lock (411/413).
So if you have external components like another uC to monitor the clone function and change/store the region, and an inverter for the reset pin, it might work - except in cases where the lock CIC would expect the key CIC to respond before 18ms after power on.
It's probably not worth it :)
If you don't need automatic region switching, you can go for the 12F609 which has no EEPROM but is cheaper and is available in smaller packages (MSOP8).

Posted: Sun Mar 21, 2010 4:59 pm
by Memblers
Nice work, that's pretty cool to see. Please pardon my cynicism, but I hope people will use this for something other than selling lame bootleg carts..