Slot check security



Slot checking is a MVS security measure added in some games produced after 1998 due to the emergence of bootleg MVS boards. It displays a warning screen and locks the game up if some checks fail.

Someone who would want to bypass this check will typically search for the warning text string in the P ROM and references to it in the code. Such text can't be found because the checking routine uses a XORed version of the same text instead, certainly to confuse hackers.

=KOF 98=

If the game figures out it is being run for the first time on the system (thanks to backup RAM data), it forces a watchdog reset. If the system doesn't reset itself after a certain amount of time (due to the eventual absence of the watchdog circuit), the game displays the warning screen and locks up.

=Other games=


 * The calendar data zone in the BIOS RAM is cleared, then READ_CALENDAR is called. If is greater than 13 (should be 12 ? Is that a bug ?), the check fails. This causes bootleg boards with no RTC to trigger the security.
 * If is zero (BIOS in AES mode), and bit 7 of  is set (MVS hardware), the check fails. This causes bootleg boards using a copy of the AES system ROM or those that don't handle REG_STATUS_B reads to trigger the security.

Depending on the result of those checks, the value $8B55 (pass) or $9DBD (fail) is written to VRAM at $7FFF. This furthermore verifies that the board has full VRAM.

That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set the byte at $10FCEF (fail) or not.

A later version of this procedure also times the Z80 reply to command $01. $10FCEE = $FF if Z80 was too slow.

Todo: Add more details.

Use by games
As seen in MAME's source ([neogeo.cpp]), a few games are known to do this check:


 * Nightmare in the Dark
 * The King of Fighters 2000
 * Sengoku 3: MVS SLOT CHECK Ver2.30 00/04/25
 * Matrimelee
 * Metal Slug 5

Sengoku 3: Checks M1 ROM too, displays "M1-ROM ERROR." if Z80 doesn't reply to command 1 in $7FFF iterations loop.