Copy protection: Difference between revisions
(How it works) |
(Added notes) |
||
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
The NeoGeo [[CDZ]]'s [[system ROM]] has | The NeoGeo [[CDZ]]'s [[system ROM]] has CD-ROM copy protection features. Not all games use them. | ||
= | ==Notes== | ||
*Copies the whole CPY.TXT sector to $126000 (routine at $C0D358), BIB.TXT to $126800, ABS.TXT to $127000. | |||
*All the normal file contents are removed ("Copyright by SNK corp..."). | |||
*Routine at $C0D230: Adds everything up except the very first word ($126002~$127000) byte per byte in a word and compares it to that first word (checksum). | |||
*Checks for NEO-GEO,0 string at $126002. | |||
*Checks bit 0 of $12600A. 1=Protection type=1, do region check with $12600B. Special case if the console's mode is 5: always trips the check ! | |||
*Clears 2048 bytes at $125800. | |||
*Checks bit 1 of $12600A. 1=Protection type=2, and... | |||
**Routine at $C0D392: Loads sector from track XX+3 in $125800, then it's up to the game to do checks on the data ? | |||
*Checks bit 2 of $12600A. 1=Put $FF in $10F792 (in-game protection flag ?). | |||
*JSR to code at $12600C. Test D0, if non-zero, trip check. | |||
=Methods= | |||
One of the copy detection methods relies on the fact that most computer CD drives/burners will automatically correct disc errors thanks to the available EDC and ECC fields in CD-ROM sectors. | |||
In some games, SNK intentionally inserted data with errors and the '''correct''' checksum value in the [[TXT_file|CPY.TXT]], BIB.TXT and ABS.TXT files. If the system ROM detects the presence of such data, it computes its checksum and compares it against the given one. If they match, it means the errors were corrected (probably by a burner) and the system stops loading the game. | |||
The console's own error correction system is certainly disabled when loading the .TXT files. | |||
For example in [[Art of Fighting 3 - The Path of the Warrior]], the following data is appended to CPY.TXT: | For example in [[Art of Fighting 3 - The Path of the Warrior]], the following data is appended to CPY.TXT: | ||
A header: | A fixed-format header: | ||
<pre> | <pre> | ||
Line 17: | Line 30: | ||
</pre> | </pre> | ||
And valid {{Chipname|68k}} code: | * 0F BA: Checksum of the error-corrected data | ||
* 4E 45 4F 2D 47 45 4F 00: "NEO-GEO", 0 | |||
* 03: Enabled checks (bit 0~2) | |||
* 02: Region/zone flag (EURO) | |||
And valid {{Chipname|68k}} code, which does another kind of region check: | |||
<pre> | <pre> | ||
Line 34: | Line 52: | ||
</pre> | </pre> | ||
Todo: What are the $10F782 and $10F77E variables ? RTS with D0=1 means fail. | |||
=Patching= | |||
The patching tutorial commonly found online tells to replace the first two occurences of the letter "g" with "f" after the "NEO-GEO" string in CPY.TXT. | |||
This causes the computed checksum to be wrong (pass first check) and turns the BEQ instructions into BNE (pass second check). | |||
=Emulation= | |||
[[MAME|MESS]] bypasses the protections by changing only one "g" to "f". See Read_LBA_To_Buffer() in megacdcd.c. | |||
=Game list= | =Game list= | ||
Since the NeoGeo CDZ came out in 1996, it is unclear if pre-1996 games had new masters made to use the protection or if SNK planned to use it since the beginning (makes no sense ?). | Since the NeoGeo CDZ came out in 1996, it is unclear if pre-1996 games had new masters made to use the protection or if SNK planned to use it since the beginning (makes no sense ?). | ||
Todo: How does the in-game protection work ? | |||
{|class="wikitable" | {|class="wikitable" | ||
!Title||CDZ protection||In-game | !Title||CDZ protection||In-game protection | ||
|- | |- | ||
|[[Art of Fighting 3 - The Path of the Warrior]]||Yes||Yes | |[[Art of Fighting 3 - The Path of the Warrior]]||Yes||Yes | ||
Line 120: | Line 139: | ||
(List from [http://strider.mjjprod.free.fr/blog/index.php?post/2009/01/03/Les-protections-sur-Neo-Geo-CD]) | (List from [http://strider.mjjprod.free.fr/blog/index.php?post/2009/01/03/Les-protections-sur-Neo-Geo-CD]) | ||
[[Category:CD systems]] | [[Category:CD systems]] |
Latest revision as of 21:50, 7 October 2017
The NeoGeo CDZ's system ROM has CD-ROM copy protection features. Not all games use them.
Notes
- Copies the whole CPY.TXT sector to $126000 (routine at $C0D358), BIB.TXT to $126800, ABS.TXT to $127000.
- All the normal file contents are removed ("Copyright by SNK corp...").
- Routine at $C0D230: Adds everything up except the very first word ($126002~$127000) byte per byte in a word and compares it to that first word (checksum).
- Checks for NEO-GEO,0 string at $126002.
- Checks bit 0 of $12600A. 1=Protection type=1, do region check with $12600B. Special case if the console's mode is 5: always trips the check !
- Clears 2048 bytes at $125800.
- Checks bit 1 of $12600A. 1=Protection type=2, and...
- Routine at $C0D392: Loads sector from track XX+3 in $125800, then it's up to the game to do checks on the data ?
- Checks bit 2 of $12600A. 1=Put $FF in $10F792 (in-game protection flag ?).
- JSR to code at $12600C. Test D0, if non-zero, trip check.
Methods
One of the copy detection methods relies on the fact that most computer CD drives/burners will automatically correct disc errors thanks to the available EDC and ECC fields in CD-ROM sectors.
In some games, SNK intentionally inserted data with errors and the correct checksum value in the CPY.TXT, BIB.TXT and ABS.TXT files. If the system ROM detects the presence of such data, it computes its checksum and compares it against the given one. If they match, it means the errors were corrected (probably by a burner) and the system stops loading the game.
The console's own error correction system is certainly disabled when loading the .TXT files.
For example in Art of Fighting 3 - The Path of the Warrior, the following data is appended to CPY.TXT:
A fixed-format header:
0F BA 4E 45 4F 2D 47 45 4F 00 03 02 ...
- 0F BA: Checksum of the error-corrected data
- 4E 45 4F 2D 47 45 4F 00: "NEO-GEO", 0
- 03: Enabled checks (bit 0~2)
- 02: Region/zone flag (EURO)
And valid 68k code, which does another kind of region check:
clr.l d0 clr.l d1 tst.l $10F782 beq $12601C bset #0,d1 tst.l $10F77E beq $126028 bset #1,d1 cmp.b $12600A,d1 beq $126030 addq.l #1,d0 rts
Todo: What are the $10F782 and $10F77E variables ? RTS with D0=1 means fail.
Patching
The patching tutorial commonly found online tells to replace the first two occurences of the letter "g" with "f" after the "NEO-GEO" string in CPY.TXT.
This causes the computed checksum to be wrong (pass first check) and turns the BEQ instructions into BNE (pass second check).
Emulation
MESS bypasses the protections by changing only one "g" to "f". See Read_LBA_To_Buffer() in megacdcd.c.
Game list
Since the NeoGeo CDZ came out in 1996, it is unclear if pre-1996 games had new masters made to use the protection or if SNK planned to use it since the beginning (makes no sense ?).
Todo: How does the in-game protection work ?
(List from [1])