Slot check security: Difference between revisions

From NeoGeo Development Wiki
Jump to navigation Jump to search
No edit summary
Line 7: Line 7:
==Genuine MVS board checks==
==Genuine MVS board checks==


*The calendar data location in the [[BIOS RAM locations|BIOS RAM]] is cleared, then BIOSF_READ_CALENDAR is called. If BIOS_MONTH($10FDD3) is greater than 13 (should be 12 ?), the check fails. This causes bootleg boards with no RTC to set the month to $FF and trigger the security.
*The calendar data zone in the [[BIOS RAM locations|BIOS RAM]] is cleared, then [[READ_CALENDAR]] is called. If {{BR|BIOS_MONTH}} is greater than 13 (should be 12 ? Is that a bug ?), the check fails. This causes bootleg boards with no [[RTC]] to trigger the security.
*If BIOS_MVS_FLAG($10FD82) is zero (BIOS in AES mode), and bit 7 of {{Reg|REG_STATUS_B}} is set (MVS hardware), the check fails. This causes bootleg boards using a copy of the AES BIOS or not handling hardware REG_STATUS_B read to trigger the security.
*If {{BR|BIOS_MVS_FLAG}} is zero (BIOS in AES mode), and bit 7 of {{Reg|REG_STATUS_B}} is set (MVS hardware), the check fails. This causes bootleg boards using a copy of the AES BIOS or not handling REG_STATUS_B reads to trigger the security.


Depending on the result of those checks, the value $8B55 (pass) or 9DBD (fail) is written to VRAM at $7FFF. This furthermore verifies that the board has full VRAM.
Depending on the result of those checks, the value $8B55 (pass) or $9DBD (fail) is written to [[VRAM]] at $7FFF. This furthermore verifies that the board has full VRAM.


That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set $10FCEF (fail) or not.
That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set $10FCEF (fail) or not.


A later version of this procedure also times the Z80 reply to command $01. $10FCEE = $FF if Z80 was too slow. This
A later version of this procedure also times the Z80 reply to command $01. $10FCEE = $FF if Z80 was too slow.
 
Todo: Add more details.


==Use by games==
==Use by games==

Revision as of 15:39, 15 August 2016

Warning screen as shown by Sengoku 3 when booting on MVS hardware with BIOS_MVS_FLAG set to 0 (AES mode).

Slot checking is a cartridge system security measure put in place by some games produced after 2000 due to the emergence of bootleg MVS boards. It displays a warning screen and locks the game up if some checks fail.

Someone who would want to bypass this check will typically search for the warning text string in the P ROM and references to it in the code. Such text can't be found because the checking routine uses a XORed version of the same text instead, certainly to confuse hackers.

Genuine MVS board checks

BIOS_MONTH ( $10FDD3) is greater than 13 (should be 12 ? Is that a bug ?), the check fails. This causes bootleg boards with no RTC to trigger the security.

  • If

BIOS_MVS_FLAG ( $10FD82) is zero (BIOS in AES mode), and bit 7 of REG_STATUS_B is set (MVS hardware), the check fails. This causes bootleg boards using a copy of the AES BIOS or not handling REG_STATUS_B reads to trigger the security.

Depending on the result of those checks, the value $8B55 (pass) or $9DBD (fail) is written to VRAM at $7FFF. This furthermore verifies that the board has full VRAM.

That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set $10FCEF (fail) or not.

A later version of this procedure also times the Z80 reply to command $01. $10FCEE = $FF if Z80 was too slow.

Todo: Add more details.

Use by games

As seen in MAME's source ([neogeo.c]), a few games are known to do this check:

Sengoku 3: Checks M1 ROM too, displays "M1-ROM ERROR." if Z80 doesn't reply to command 1 in $7FFF iterations loop.