Slot check security: Difference between revisions
(Fixed link to MAME source code) |
|||
(One intermediate revision by one other user not shown) | |||
Line 1: | Line 1: | ||
[[File:S3warning.png|frame|Warning screen as shown by [[Sengoku 3]] when booting on MVS hardware with BIOS_MVS_FLAG set to 0 (AES mode).]] | [[File:S3warning.png|frame|Warning screen as shown by [[Sengoku 3]] when booting on MVS hardware with BIOS_MVS_FLAG set to 0 (AES mode).]] | ||
Slot checking is a | Slot checking is a MVS security measure added in some games produced after 1998 due to the emergence of [[bootleg MVS boards]]. It displays a warning screen and locks the game up if some checks fail. | ||
Someone who would want to bypass this check will typically search for the warning text string in the [[P ROM]] and references to it in the code. Such text can't be found because the checking routine uses a XORed version of the same text instead, certainly to confuse hackers. | Someone who would want to bypass this check will typically search for the warning text string in the [[P ROM]] and references to it in the code. Such text can't be found because the checking routine uses a XORed version of the same text instead, certainly to confuse hackers. | ||
== | =KOF 98= | ||
If the game figures out it is being run for the first time on the system (thanks to [[backup RAM]] data), it forces a [[watchdog]] reset. If the system doesn't reset itself after a certain amount of time (due to the eventual absence of the watchdog circuit), the game displays the warning screen and locks up. | |||
=Other games= | |||
*The calendar data zone in the [[BIOS RAM locations|BIOS RAM]] is cleared, then [[READ_CALENDAR]] is called. If {{BR|BIOS_MONTH}} is greater than 13 (should be 12 ? Is that a bug ?), the check fails. This causes bootleg boards with no [[RTC]] to trigger the security. | *The calendar data zone in the [[BIOS RAM locations|BIOS RAM]] is cleared, then [[READ_CALENDAR]] is called. If {{BR|BIOS_MONTH}} is greater than 13 (should be 12 ? Is that a bug ?), the check fails. This causes bootleg boards with no [[RTC]] to trigger the security. | ||
*If {{BR|BIOS_MVS_FLAG}} is zero (BIOS in AES mode), and bit 7 of {{Reg|REG_STATUS_B}} is set (MVS hardware), the check fails. This causes bootleg boards using a copy of the AES | *If {{BR|BIOS_MVS_FLAG}} is zero (BIOS in AES mode), and bit 7 of {{Reg|REG_STATUS_B}} is set (MVS hardware), the check fails. This causes bootleg boards using a copy of the AES system ROM or those that don't handle REG_STATUS_B reads to trigger the security. | ||
Depending on the result of those checks, the value $8B55 (pass) or $9DBD (fail) is written to [[VRAM]] at $7FFF. This furthermore verifies that the board has full VRAM. | Depending on the result of those checks, the value $8B55 (pass) or $9DBD (fail) is written to [[VRAM]] at $7FFF. This furthermore verifies that the board has full VRAM. | ||
That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set $10FCEF (fail) or not. | That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set the byte at $10FCEF (fail) or not. | ||
A later version of this procedure also times the Z80 reply to command $01. $10FCEE = $FF if Z80 was too slow. | A later version of this procedure also times the Z80 reply to command $01. $10FCEE = $FF if Z80 was too slow. | ||
Line 20: | Line 24: | ||
==Use by games== | ==Use by games== | ||
As seen in MAME's source ([[ | As seen in MAME's source ([[https://github.com/mamedev/mame/blob/master/src/mame/drivers/neogeo.cpp neogeo.cpp]]), a few games are known to do this check: | ||
*[[Nightmare in the Dark]] | *[[Nightmare in the Dark]] |
Latest revision as of 22:40, 23 June 2017
Slot checking is a MVS security measure added in some games produced after 1998 due to the emergence of bootleg MVS boards. It displays a warning screen and locks the game up if some checks fail.
Someone who would want to bypass this check will typically search for the warning text string in the P ROM and references to it in the code. Such text can't be found because the checking routine uses a XORed version of the same text instead, certainly to confuse hackers.
KOF 98
If the game figures out it is being run for the first time on the system (thanks to backup RAM data), it forces a watchdog reset. If the system doesn't reset itself after a certain amount of time (due to the eventual absence of the watchdog circuit), the game displays the warning screen and locks up.
Other games
- The calendar data zone in the BIOS RAM is cleared, then READ_CALENDAR is called. If
BIOS_MONTH ( $10FDD3) is greater than 13 (should be 12 ? Is that a bug ?), the check fails. This causes bootleg boards with no RTC to trigger the security.
- If
BIOS_MVS_FLAG ( $10FD82) is zero (BIOS in AES mode), and bit 7 of REG_STATUS_B is set (MVS hardware), the check fails. This causes bootleg boards using a copy of the AES system ROM or those that don't handle REG_STATUS_B reads to trigger the security.
Depending on the result of those checks, the value $8B55 (pass) or $9DBD (fail) is written to VRAM at $7FFF. This furthermore verifies that the board has full VRAM.
That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set the byte at $10FCEF (fail) or not.
A later version of this procedure also times the Z80 reply to command $01. $10FCEE = $FF if Z80 was too slow.
Todo: Add more details.
Use by games
As seen in MAME's source ([neogeo.cpp]), a few games are known to do this check:
- Nightmare in the Dark
- The King of Fighters 2000
- Sengoku 3: MVS SLOT CHECK Ver2.30 00/04/25
- Matrimelee
- Metal Slug 5
Sengoku 3: Checks M1 ROM too, displays "M1-ROM ERROR." if Z80 doesn't reply to command 1 in $7FFF iterations loop.