Slot check security: Difference between revisions

From NeoGeo Development Wiki
m (KOF98 watchdog test)
Line 1: Line 1:
[[File:S3warning.png|frame|Warning screen as shown by [[Sengoku 3]] when booting on MVS hardware with BIOS_MVS_FLAG set to 0 (AES mode).]]
[[File:S3warning.png|frame|Warning screen as shown by [[Sengoku 3]] when booting on MVS hardware with BIOS_MVS_FLAG set to 0 (AES mode).]]


Slot checking is a cartridge system security measure put in place by some games produced after 2000 due to the emergence of [[bootleg MVS boards]]. It displays a warning screen and locks the game up if some checks fail.
Slot checking is a MVS security measure added in some games produced after 1998 due to the emergence of [[bootleg MVS boards]]. It displays a warning screen and locks the game up if some checks fail.


Someone who would want to bypass this check will typically search for the warning text string in the [[P ROM]] and references to it in the code. Such text can't be found because the checking routine uses a XORed version of the same text instead, certainly to confuse hackers.
Someone who would want to bypass this check will typically search for the warning text string in the [[P ROM]] and references to it in the code. Such text can't be found because the checking routine uses a XORed version of the same text instead, certainly to confuse hackers.


==Genuine MVS board checks==
=KOF 98=
 
If the game figures out it is being run for the first time on the system (thanks to [[backup RAM]] data), it forces a [[watchdog]] reset. If the system doesn't reset itself after a certain amount of time (due to the eventual absence of the watchdog circuit), the game displays the warning screen and locks up.
 
=Other games=


*The calendar data zone in the [[BIOS RAM locations|BIOS RAM]] is cleared, then [[READ_CALENDAR]] is called. If {{BR|BIOS_MONTH}} is greater than 13 (should be 12 ? Is that a bug ?), the check fails. This causes bootleg boards with no [[RTC]] to trigger the security.
*The calendar data zone in the [[BIOS RAM locations|BIOS RAM]] is cleared, then [[READ_CALENDAR]] is called. If {{BR|BIOS_MONTH}} is greater than 13 (should be 12 ? Is that a bug ?), the check fails. This causes bootleg boards with no [[RTC]] to trigger the security.
*If {{BR|BIOS_MVS_FLAG}} is zero (BIOS in AES mode), and bit 7 of {{Reg|REG_STATUS_B}} is set (MVS hardware), the check fails. This causes bootleg boards using a copy of the AES BIOS or not handling REG_STATUS_B reads to trigger the security.
*If {{BR|BIOS_MVS_FLAG}} is zero (BIOS in AES mode), and bit 7 of {{Reg|REG_STATUS_B}} is set (MVS hardware), the check fails. This causes bootleg boards using a copy of the AES system ROM or those that don't handle REG_STATUS_B reads to trigger the security.


Depending on the result of those checks, the value $8B55 (pass) or $9DBD (fail) is written to [[VRAM]] at $7FFF. This furthermore verifies that the board has full VRAM.
Depending on the result of those checks, the value $8B55 (pass) or $9DBD (fail) is written to [[VRAM]] at $7FFF. This furthermore verifies that the board has full VRAM.


That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set $10FCEF (fail) or not.
That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set the byte at $10FCEF (fail) or not.


A later version of this procedure also times the Z80 reply to command $01. $10FCEE = $FF if Z80 was too slow.
A later version of this procedure also times the Z80 reply to command $01. $10FCEE = $FF if Z80 was too slow.
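Review bot: the added headings `=KOF 98=` and `=Other games=` use single equals signs, which is level-1 markup at the same level as the page title, while the heading they replace, `==Genuine MVS board checks==`, was level 2; `==KOF 98==` and `==Other games==` would keep them as sections of the page. The new KOF 98 paragraph says the game waits "a certain amount of time" for the watchdog reset without stating the duration, and the bullet kept from the old revision still carries the open question "(should be 12 ? Is that a bug ?)", which belongs on the talk page or should be resolved in the text.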

Revision as of 05:55, 16 October 2016

Warning screen as shown by Sengoku 3 when booting on MVS hardware with BIOS_MVS_FLAG set to 0 (AES mode).

Slot checking is an MVS security measure added in some games produced after 1998 due to the emergence of bootleg MVS boards. It displays a warning screen and locks the game up if some checks fail.

Someone trying to bypass this check will typically search the P ROM for the warning text string and for references to it in the code. The text can't be found that way because the checking routine uses an XORed version of the same text instead, certainly to confuse hackers.

KOF 98

If the game determines that it is being run for the first time on the system (based on backup RAM data), it forces a watchdog reset. If the system doesn't reset itself after a certain amount of time (because the watchdog circuit may be absent), the game displays the warning screen and locks up.

Other games

  • The calendar data zone in the BIOS RAM is cleared, then READ_CALENDAR is called. If BIOS_MONTH ($10FDD3) is greater than 13 (should be 12? Is that a bug?), the check fails. This causes bootleg boards with no RTC to trigger the security.

  • If BIOS_MVS_FLAG ($10FD82) is zero (BIOS in AES mode), and bit 7 of REG_STATUS_B is set (MVS hardware), the check fails. This causes bootleg boards using a copy of the AES system ROM or those that don't handle REG_STATUS_B reads to trigger the security.

Depending on the result of those checks, the value $8B55 (pass) or $9DBD (fail) is written to VRAM at $7FFF. This also verifies that the board has full VRAM.

That VRAM value is then read back and added to $74AB (the sum is $10000 if the checks passed) to decide whether the byte at $10FCEF (fail) is set.

A later version of this procedure also times the Z80 reply to command $01. $10FCEE is set to $FF if the Z80 was too slow.
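The checks described above, modelled in C as an added example (not code from the games or from this wiki). The struct fields, the 0xFFFF value read from a missing VRAM word, and the sample boards are assumptions made for illustration; the model goes slightly beyond the text by showing how a board without the VRAM word at $7FFF fails the readback.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants taken from the page. */
#define SENTINEL_ADDR 0x7FFFu
#define VAL_PASS      0x8B55u
#define VAL_FAIL      0x9DBDu
#define ADD_CONST     0x74ABu

/* Constructed board model; field names belong to this example only. */
struct board {
    uint8_t  bios_month;    /* BIOS_MONTH after READ_CALENDAR */
    uint8_t  bios_mvs_flag; /* 0 = system ROM runs in AES mode */
    uint8_t  reg_status_b;  /* bit 7 set = MVS hardware */
    uint32_t vram_words;    /* number of VRAM words fitted */
    uint16_t sentinel;      /* storage behind VRAM word $7FFF */
};

static void vram_write(struct board *b, uint16_t v) {
    if (SENTINEL_ADDR < b->vram_words) b->sentinel = v; /* lost if not fitted */
}

static uint16_t vram_read(const struct board *b) {
    /* 0xFFFF for a missing word is an assumption of this model. */
    return SENTINEL_ADDR < b->vram_words ? b->sentinel : 0xFFFFu;
}

/* Returns 1 when the fail byte at $10FCEF would be set, 0 otherwise. */
int slot_check(struct board *b) {
    int failed = b->bios_month > 13;  /* threshold as documented */
    if (b->bios_mvs_flag == 0 && (b->reg_status_b & 0x80)) failed = 1;
    vram_write(b, failed ? VAL_FAIL : VAL_PASS);
    /* $8B55 + $74AB = $10000: only the pass value wraps to 0 in 16 bits. */
    uint16_t sum = (uint16_t)(vram_read(b) + ADD_CONST);
    return sum != 0;
}

int main(void) {
    /* Constructed sample boards, not measurements of real hardware. */
    struct board genuine   = { 6,    1, 0x80, 0x8000, 0 };
    struct board aes_bios  = { 6,    0, 0x80, 0x8000, 0 };
    struct board no_rtc    = { 0xFF, 1, 0x80, 0x8000, 0 };
    struct board half_vram = { 6,    1, 0x80, 0x4000, 0 };
    printf("genuine=%d aes_bios=%d no_rtc=%d half_vram=%d\n",
           slot_check(&genuine), slot_check(&aes_bios),
           slot_check(&no_rtc), slot_check(&half_vram));
    return 0;
}
```
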

Todo: Add more details.

Use by games

As seen in MAME's source ([neogeo.c]), a few games are known to do this check:

Sengoku 3: Checks the M1 ROM too; displays "M1-ROM ERROR." if the Z80 doesn't reply to command 1 within a loop of $7FFF iterations.