Slot check security: Difference between revisions
No edit summary |
|||
| Line 7: | Line 7: | ||
==Genuine MVS board checks== | ==Genuine MVS board checks== | ||
*The calendar data | *The calendar data zone in the [[BIOS RAM locations|BIOS RAM]] is cleared, then [[READ_CALENDAR]] is called. If {{BR|BIOS_MONTH}} is greater than 13 (should be 12 ? Is that a bug ?), the check fails. This causes bootleg boards with no [[RTC]] to trigger the security. | ||
*If BIOS_MVS_FLAG | *If {{BR|BIOS_MVS_FLAG}} is zero (BIOS in AES mode), and bit 7 of {{Reg|REG_STATUS_B}} is set (MVS hardware), the check fails. This causes bootleg boards using a copy of the AES BIOS or not handling REG_STATUS_B reads to trigger the security. | ||
Depending on the result of those checks, the value $8B55 (pass) or 9DBD (fail) is written to VRAM at $7FFF. This furthermore verifies that the board has full VRAM. | Depending on the result of those checks, the value $8B55 (pass) or $9DBD (fail) is written to [[VRAM]] at $7FFF. This furthermore verifies that the board has full VRAM. | ||
That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set $10FCEF (fail) or not. | That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set $10FCEF (fail) or not. | ||
A later version of this procedure also times the Z80 reply to command $01. $10FCEE = $FF if Z80 was too slow. | A later version of this procedure also times the Z80 reply to command $01. $10FCEE = $FF if Z80 was too slow. | ||
Todo: Add more details. | |||
==Use by games== | ==Use by games== | ||
Revision as of 15:39, 15 August 2016
Slot checking is a cartridge system security measure put in place by some games produced after 2000 due to the emergence of bootleg MVS boards. It displays a warning screen and locks the game up if some checks fail.
Someone who would want to bypass this check will typically search for the warning text string in the P ROM and references to it in the code. Such text can't be found because the checking routine uses a XORed version of the same text instead, certainly to confuse hackers.
Genuine MVS board checks
- The calendar data zone in the BIOS RAM is cleared, then READ_CALENDAR is called. If
BIOS_MONTH ( $10FDD3) is greater than 13 (should be 12 ? Is that a bug ?), the check fails. This causes bootleg boards with no RTC to trigger the security.
- If
BIOS_MVS_FLAG ( $10FD82) is zero (BIOS in AES mode), and bit 7 of REG_STATUS_B is set (MVS hardware), the check fails. This causes bootleg boards using a copy of the AES BIOS or not handling REG_STATUS_B reads to trigger the security.
Depending on the result of those checks, the value $8B55 (pass) or $9DBD (fail) is written to VRAM at $7FFF. This furthermore verifies that the board has full VRAM.
That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set $10FCEF (fail) or not.
A later version of this procedure also times the Z80 reply to command $01. $10FCEE = $FF if Z80 was too slow.
Todo: Add more details.
Use by games
As seen in MAME's source ([neogeo.c]), a few games are known to do this check:
- Nightmare in the Dark
- The King of Fighters 2000
- Sengoku 3: MVS SLOT CHECK Ver2.30 00/04/25
- Matrimelee
- Metal Slug 5
Sengoku 3: Checks M1 ROM too, displays "M1-ROM ERROR." if Z80 doesn't reply to command 1 in $7FFF iterations loop.