Security code

From NeoGeo Development Wiki
Jump to: navigation, search

Pointed to at $182 (in the 68k_program_header).

The System ROM compares this code byte per byte with its internal copy (which is located at $C146CA for SP-E, and $C146A2 for SP-E v2) as part of the cartridge detection routine.

There is some jumps to the security code inside the system ROM but it seems to never be called (at least in SP-E v2).

From the official SNK doc :

dc.w	0x7600, 0x4A6D, 0x0A14, 0x6600
dc.w	0x003C, 0x206D, 0x0A04, 0x3E2D
dc.w	0x0A08, 0x13C0, 0x0030, 0x0001
dc.w	0x3210, 0x0C01, 0x00FF, 0x671A
dc.w	0x3028, 0x0002, 0xB02D, 0x0ACE
dc.w	0x6610, 0x3028, 0x0004, 0xB02D
dc.w	0x0ACF, 0x0606, 0xB22D, 0x0AD0
dc.w	0x6708, 0x5088, 0x51CF, 0xFFD4
dc.w	0x3607, 0x4E75, 0x206D, 0x0A04
dc.w	0x3E2D, 0x0A08, 0x3210, 0xE049
dc.w	0x0C01, 0x00FF, 0x671A, 0x3010
dc.w	0xB02D, 0x0ACE, 0x6612, 0x3028
dc.w	0x0002, 0xE048, 0xB02D, 0x0ACF
dc.w	0x6606, 0xB22D, 0x0AD0, 0x6708
dc.w	0x5888, 0x51CF, 0xFFD8, 0x3607
dc.w	0x4E75

From KOF96 (CD):

	moveq	#0,d3
	tst	2580(a5)		;$10FD14.w
	bne	LAB_20F3		;
	movea.l	2564(a5),a0		;$10FD04.l
	move	2568(a5),d7		;$10FD08.w
LAB_20F0:
	move.b	d0,EXT_03E5		;watchdog
	move	(a0),d1
	cmpi.b	#$FF,d1
	beq.s	LAB_20F1		;skip
	move	2(a0),d0
	cmp.b	2766(a5),d0		;$10FDCE.b
	bne.s	LAB_20F1		;skip
	move	4(a0),d0
	cmp.b	2767(a5),d0		;$10FDCF.b
	bne.s	LAB_20F1		;skip
	cmp.b	2768(a5),d1		;$10FDD0.b
	beq.s	LAB_20F2
LAB_20F1:
	addq.l	#8,a0
	dbf	d7,LAB_20F0
	move	d7,d3
LAB_20F2:
	rts

LAB_20F3:
	movea.l	2564(a5),a0		;$10FD04.l
	move	2568(a5),d7		;$10FD08.w
LAB_20F4:
	move	(a0),d1
	lsr	#8,d1
	cmpi.b	#$FF,d1
	beq.s	LAB_20F5		;skip
	move	(a0),d0
	cmp.b	2766(a5),d0		;$10FDCE.b
	bne.s	LAB_20F5		;skip
	move	2(a0),d0
	lsr	#8,d0
	cmp.b	2767(a5),d0		;$10FDCF.b
	bne.s	LAB_20F5		;skip
	cmp.b	2768(a5),d1		;$10FDD0.b
	beq.s	LAB_20F6
LAB_20F5:
	addq.l	#4,a0
	dbf	d7,LAB_20F4
	move	d7,d3
LAB_20F6:
	rts

From sp-s2.sp1 :

Security:
                moveq   #0, d3
                tst.w   0xA14(a5)
                bne.w   loc_C146E6
                movea.l 0xA04(a5), a0
                move.w  0xA08(a5), d7

loc_C146B4:
                move.b  d0, (0x300001).l
                move.w  (a0), d1
                cmpi.b  #0xFF, d1
                beq.s   loc_C146DC
                move.w  2(a0), d0
                cmp.b   0xACE(a5), d0
                bne.s   loc_C146DC
                move.w  4(a0), d0
                cmp.b   0xACF(a5), d0
                bne.s   loc_C146DC
                cmp.b   0xAD0(a5), d1
                beq.s   locret_C146E4

loc_C146DC:
                addq.l  #8, a0
                dbf     d7, loc_C146B4
                move.w  d7, d3

locret_C146E4:
                rts

loc_C146E6:
                movea.l 0xA04(a5), a0
                move.w  0xA08(a5), d7

loc_C146EE:
                move.w  (a0), d1
                lsr.w   #8, d1
                cmpi.b  #0xFF, d1
                beq.s   loc_C14712
                move.w  (a0), d0
                cmp.b   0xACE(a5), d0
                bne.s   loc_C14712
                move.w  2(a0), d0
                lsr.w   #8, d0
                cmp.b   0xACF(a5), d0
                bne.s   loc_C14712
                cmp.b   0xAD0(a5), d1
                beq.s   locret_C1471A

loc_C14712:
                addq.l  #4, a0
                dbf     d7, loc_C146EE
                move.w  d7, d3

locret_C1471A:
                rts