Slot check security: Difference between revisions

From NeoGeo Development Wiki
Jump to navigation Jump to search
mNo edit summary
mNo edit summary
Line 5: Line 5:
Someone who would want to bypass this check will typically search for the warning text in the [[P ROM]] and references to it in the code. Such text can't be found because the checking routine uses a NOT'ed version of the same text instead, probably to confuse hackers.
Someone who would want to bypass this check will typically search for the warning text in the [[P ROM]] and references to it in the code. Such text can't be found because the checking routine uses a NOT'ed version of the same text instead, probably to confuse hackers.


The checking code first sets one out of two values in VRAM at the unused address $7FFF depending on two checks:
*The calendar data location in the [[BIOS RAM locations|BIOS RAM]] ($10FDD2 and up) is cleared, then BIOSF_READ_CALENDAR is called. If BIOS_MONTH($10FDD3) is greater than 13, the check fails.
*The calendar data location in the [[BIOS RAM locations|BIOS RAM]] ($10FDD2 and up) is cleared, then BIOSF_READ_CALENDAR is called. If BIOS_MONTH($10FDD3) is greater than 13, the check fails.
*If BIOS_MVS_FLAG($10FD82) is zero (AES mode), and bit 7 of {{Reg|REG_STATUS_B}} is set (MVS hardware), the check fails.
*If BIOS_MVS_FLAG($10FD82) is zero (AES mode), and bit 7 of {{Reg|REG_STATUS_B}} is set (MVS hardware), the check fails.


That VRAM value is then read back and compared to set $10FCEF or not. The last check is done with the [[FIX_CLEAR]] bios call, which sets $10FCEF and makes the game pass the test.
Depending on those check, the value $8B55 (pass) or 9DBD (fail) is written to VRAM at $7FFF.
 
That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set $10FCEF (fail) or not. The last check is done with the [[FIX_CLEAR]] bios call, which sets $10FCEF and makes the game pass the test.
 
$10FCEE = $FF if Z80 failed to reply "1" in time.


==Use by games==
==Use by games==

Revision as of 02:55, 8 October 2013

Warning screen as shown by Sengoku 3 when booting on MVS hardware with BIOS_MVS_FLAG set to 0 (AES mode).

Slot checking is a cartridge system security measure introduced by some games produced after 2000 due to the emergence of bootleg MVS boards, which displays a warning screen and locks the game up if some checks fail.

Someone who would want to bypass this check will typically search for the warning text in the P ROM and references to it in the code. Such text can't be found because the checking routine uses a NOT'ed version of the same text instead, probably to confuse hackers.

  • The calendar data location in the BIOS RAM ($10FDD2 and up) is cleared, then BIOSF_READ_CALENDAR is called. If BIOS_MONTH($10FDD3) is greater than 13, the check fails.
  • If BIOS_MVS_FLAG($10FD82) is zero (AES mode), and bit 7 of REG_STATUS_B is set (MVS hardware), the check fails.

Depending on those check, the value $8B55 (pass) or 9DBD (fail) is written to VRAM at $7FFF.

That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set $10FCEF (fail) or not. The last check is done with the FIX_CLEAR bios call, which sets $10FCEF and makes the game pass the test.

$10FCEE = $FF if Z80 failed to reply "1" in time.

Use by games

As seen in MAME's source ([neogeo.c]), a few games are known to do this check:

Sengoku 3: Checks M1 ROM too, displays "M1-ROM ERROR." if Z80 doesn't reply to command 1 in $7FFF iterations loop.