Security code: Difference between revisions

From NeoGeo Development Wiki
Jump to navigation Jump to search
m (Add syntaxhighlight tag)
mNo edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Pointed to at $182 (in the [[68k_program_header]]).
Pointed from $182 (in the [[68k program header]]). This pointer '''must''' be even !


The [[BIOSes|BIOS]] compares this code byte per byte with its internal copy (which is located at $C146CA for SP-E, and $C146A2 for SP-E v2) as part of the cartridge detection routine.
The [[System ROM]] compares this code word per word with its internal copy (which is located at $C146CA for SP-E, and $C146A2 for SP-E v2) as part of the cartridge detection routine.


There is some jumps to the security code inside the BIOS but it seems to never be called (at least in SP-E v2).
There is some jumps to the security code inside the system ROM but it seems to never be called (at least in SP-E v2).


From the official SNK doc :
From the official SNK doc :


<syntaxhighlight>
<syntaxhighlight>
dc.w 07600H, 04A6DH, 00A14H, 06600H
dc.w 0x7600, 0x4A6D, 0x0A14, 0x6600
dc.w 0003CH, 0206DH, 00A04H, 03E2DH
dc.w 0x003C, 0x206D, 0x0A04, 0x3E2D
dc.w 00A08H, 013C0H, 00030H, 00001H
dc.w 0x0A08, 0x13C0, 0x0030, 0x0001
dc.w 03210H, 00C01H, 000FFH, 0671AH
dc.w 0x3210, 0x0C01, 0x00FF, 0x671A
dc.w 03028H, 00002H, 0D02DH, 00ACEH
dc.w 0x3028, 0x0002, 0xB02D, 0x0ACE
dc.w 06610H, 03028H, 00004H, 0B02DH
dc.w 0x6610, 0x3028, 0x0004, 0xB02D
dc.w 00ACFH, 00606H, 0B22DH, 00AD0H
dc.w 0x0ACF, 0x0606, 0xB22D, 0x0AD0
dc.w 06708H, 05088H, 051CFH, 0FFD4H
dc.w 0x6708, 0x5088, 0x51CF, 0xFFD4
dc.w 03607H, 04E75H, 0206DH, 00A04H
dc.w 0x3607, 0x4E75, 0x206D, 0x0A04
dc.w 03E2DH, 00A08H, 03210H, 0E049H
dc.w 0x3E2D, 0x0A08, 0x3210, 0xE049
dc.w 00C01H, 000FFH, 0671AH, 03010H
dc.w 0x0C01, 0x00FF, 0x671A, 0x3010
dc.w 0B02DH, 00ACEH, 06612H, 03028H
dc.w 0xB02D, 0x0ACE, 0x6612, 0x3028
dc.w 00002H, 0E048H, 0B02DH, 00ACFH
dc.w 0x0002, 0xE048, 0xB02D, 0x0ACF
dc.w 06606H, 0B22DH, 00AD0H, 06708H
dc.w 0x6606, 0xB22D, 0x0AD0, 0x6708
dc.w 05888H, 051CFH, 0FFD8H, 03607H
dc.w 0x5888, 0x51CF, 0xFFD8, 0x3607
dc.w 04E75H
dc.w 0x4E75
</syntaxhighlight>
</syntaxhighlight>



Latest revision as of 10:20, 31 March 2018

Pointed from $182 (in the 68k program header). This pointer must be even !

The System ROM compares this code word per word with its internal copy (which is located at $C146CA for SP-E, and $C146A2 for SP-E v2) as part of the cartridge detection routine.

There is some jumps to the security code inside the system ROM but it seems to never be called (at least in SP-E v2).

From the official SNK doc :

dc.w	0x7600, 0x4A6D, 0x0A14, 0x6600
dc.w	0x003C, 0x206D, 0x0A04, 0x3E2D
dc.w	0x0A08, 0x13C0, 0x0030, 0x0001
dc.w	0x3210, 0x0C01, 0x00FF, 0x671A
dc.w	0x3028, 0x0002, 0xB02D, 0x0ACE
dc.w	0x6610, 0x3028, 0x0004, 0xB02D
dc.w	0x0ACF, 0x0606, 0xB22D, 0x0AD0
dc.w	0x6708, 0x5088, 0x51CF, 0xFFD4
dc.w	0x3607, 0x4E75, 0x206D, 0x0A04
dc.w	0x3E2D, 0x0A08, 0x3210, 0xE049
dc.w	0x0C01, 0x00FF, 0x671A, 0x3010
dc.w	0xB02D, 0x0ACE, 0x6612, 0x3028
dc.w	0x0002, 0xE048, 0xB02D, 0x0ACF
dc.w	0x6606, 0xB22D, 0x0AD0, 0x6708
dc.w	0x5888, 0x51CF, 0xFFD8, 0x3607
dc.w	0x4E75

From KOF96 (CD):

	moveq	#0,d3
	tst	2580(a5)		;$10FD14.w
	bne	LAB_20F3		;
	movea.l	2564(a5),a0		;$10FD04.l
	move	2568(a5),d7		;$10FD08.w
LAB_20F0:
	move.b	d0,EXT_03E5		;watchdog
	move	(a0),d1
	cmpi.b	#$FF,d1
	beq.s	LAB_20F1		;skip
	move	2(a0),d0
	cmp.b	2766(a5),d0		;$10FDCE.b
	bne.s	LAB_20F1		;skip
	move	4(a0),d0
	cmp.b	2767(a5),d0		;$10FDCF.b
	bne.s	LAB_20F1		;skip
	cmp.b	2768(a5),d1		;$10FDD0.b
	beq.s	LAB_20F2
LAB_20F1:
	addq.l	#8,a0
	dbf	d7,LAB_20F0
	move	d7,d3
LAB_20F2:
	rts

LAB_20F3:
	movea.l	2564(a5),a0		;$10FD04.l
	move	2568(a5),d7		;$10FD08.w
LAB_20F4:
	move	(a0),d1
	lsr	#8,d1
	cmpi.b	#$FF,d1
	beq.s	LAB_20F5		;skip
	move	(a0),d0
	cmp.b	2766(a5),d0		;$10FDCE.b
	bne.s	LAB_20F5		;skip
	move	2(a0),d0
	lsr	#8,d0
	cmp.b	2767(a5),d0		;$10FDCF.b
	bne.s	LAB_20F5		;skip
	cmp.b	2768(a5),d1		;$10FDD0.b
	beq.s	LAB_20F6
LAB_20F5:
	addq.l	#4,a0
	dbf	d7,LAB_20F4
	move	d7,d3
LAB_20F6:
	rts

From sp-s2.sp1 :

Security:
                moveq   #0, d3
                tst.w   0xA14(a5)
                bne.w   loc_C146E6
                movea.l 0xA04(a5), a0
                move.w  0xA08(a5), d7

loc_C146B4:
                move.b  d0, (0x300001).l
                move.w  (a0), d1
                cmpi.b  #0xFF, d1
                beq.s   loc_C146DC
                move.w  2(a0), d0
                cmp.b   0xACE(a5), d0
                bne.s   loc_C146DC
                move.w  4(a0), d0
                cmp.b   0xACF(a5), d0
                bne.s   loc_C146DC
                cmp.b   0xAD0(a5), d1
                beq.s   locret_C146E4

loc_C146DC:
                addq.l  #8, a0
                dbf     d7, loc_C146B4
                move.w  d7, d3

locret_C146E4:
                rts

loc_C146E6:
                movea.l 0xA04(a5), a0
                move.w  0xA08(a5), d7

loc_C146EE:
                move.w  (a0), d1
                lsr.w   #8, d1
                cmpi.b  #0xFF, d1
                beq.s   loc_C14712
                move.w  (a0), d0
                cmp.b   0xACE(a5), d0
                bne.s   loc_C14712
                move.w  2(a0), d0
                lsr.w   #8, d0
                cmp.b   0xACF(a5), d0
                bne.s   loc_C14712
                cmp.b   0xAD0(a5), d1
                beq.s   locret_C1471A

loc_C14712:
                addq.l  #4, a0
                dbf     d7, loc_C146EE
                move.w  d7, d3

locret_C1471A:
                rts