Slot check security

From NeoGeo Development Wiki
Revision as of 10:24, 14 August 2015 by Furrtek (talk | contribs)
Jump to navigation Jump to search
Warning screen as shown by Sengoku 3 when booting on MVS hardware with BIOS_MVS_FLAG set to 0 (AES mode).

Slot checking is a cartridge system security measure put in place by some games produced after 2000 due to the emergence of bootleg MVS boards. It displays a warning screen and locks the game up if some checks fail.

Someone who would want to bypass this check will typically search for the warning text string in the P ROM and references to it in the code. Such text can't be found because the checking routine uses a XORed version of the same text instead, certainly to confuse hackers.

Genuine MVS board checks

  • The calendar data location in the BIOS RAM is cleared, then BIOSF_READ_CALENDAR is called. If BIOS_MONTH($10FDD3) is greater than 13 (should be 12 ?), the check fails. This causes bootleg boards with no RTC to set the month to $FF and trigger the security.
  • If BIOS_MVS_FLAG($10FD82) is zero (BIOS in AES mode), and bit 7 of REG_STATUS_B is set (MVS hardware), the check fails. This causes bootleg boards using a copy of the AES BIOS or not handling hardware REG_STATUS_B read to trigger the security.

Depending on the result of those checks, the value $8B55 (pass) or 9DBD (fail) is written to VRAM at $7FFF. This furthermore verifies that the board has full VRAM.

That VRAM value is then read back and added to $74AB (=$10000 if checks passed) to set $10FCEF (fail) or not.

A later version of this procedure also times the Z80 reply to command $01. $10FCEE = $FF if Z80 was too slow. This

Use by games

As seen in MAME's source ([neogeo.c]), a few games are known to do this check:

Sengoku 3: Checks M1 ROM too, displays "M1-ROM ERROR." if Z80 doesn't reply to command 1 in $7FFF iterations loop.

Retrieved from "https://wiki.neogeodev.org/index.php?title=Slot_check_security&oldid=4301"