If, from an early age, one of your favorite pastimes was opening toys to see what they were like inside, then this section might be to your liking!
The writer has a degree in Medicine and Surgery but has always had a passion for electronics and modifications.
I still remember when, armed with a hacksaw, I filed the corners of the Mega Drive cartridge slot to be able to insert cartridges from the Land of the Rising Sun, and shortly after I literally destroyed the now abandoned Master System to try to figure out what the side comb connector was for…
The curiosity for these things has never passed and over time it has become a passion for the functioning of the protection systems implemented in the consoles released on the market while I was still a kid, especially those that I had never managed to have.
These systems, hardware and/or software, have evolved from simple implementations up to complex algorithms managed by dedicated hardware and elaborated by as many gadgets.
THE NES
Let's start with the first console produced by Nintendo, the Nintendo Entertainment System (code HVC-001, where the letters stand for Home Video Computer).
Its protection is called CIC, a chip whose acronym stands for Checking Integrated Circuit.
Here it is highlighted in red:
It is an early form of cartridge protection for consoles. Its purpose was to let Nintendo control globally which games were released for its platform, effectively preventing the launch of "pirated" cartridges and also excluding games from other regions from running.
The NES was produced in 1983, but the CIC was introduced by Nintendo to protect its intellectual property when the company decided to launch the console in foreign markets, therefore starting from 1985, in all probability because of the experience Atari had with its 2600 VCS, whose sales collapsed partly because of low-value titles developed by third parties. This protection system is therefore not found in the Japanese consoles/cartridges, nor in the NES 2 or "top-loading model" (NES-101), produced between 1993 and 1995.
The chip is a ROM, so it cannot be rewritten. It sits inside the console, where it acts as a "lock", paired with a corresponding chip that acts as a "key", present in NES cartridges other than the Japanese ones:
This chip, produced by Sharp, can be identified by the following codes printed on its package:
3193 – 3193A – 3195 – 3195A – 3196 – 3196A – 3197 – 3197A – 6113 – 6113A – 6113B1
with these characteristics (unofficial, but worked out by those who have studied it over the years):
3193 – USA/Canada
6113 – similar to the previous one but with a slightly smaller layout with some differences in initialization.
3194 – unknown, possibly Korean
3195 – PAL B (France, Spain, Germany, Sweden, etc…)
3196 – Asia / HK
3197 – PAL A (Great Britain, Italy and Australia)
3198 – Famicombox lockout chip (found in both cartridges and “Box”)
3199 – Famicombox coin timer (found only in the “Box”)
with different content, therefore, depending on the region in which the console and the games would be sold.
HOW DOES IT WORK
Until 2010 no one had been able to publicly document how it works, until a certain Segher, a member of the then Team Twiizers (currently known as team fail0verflow), personally documented its features.
As we have already said, the system consists of 2 parts:
– a Sharp SM590 4-bit microcontroller (in the console) which checks the inserted cartridge and acts as a “lock”
– a corresponding chip in the cartridge capable of sending a code that acts as a “key” to the chip in the console;
if the key is not valid the system resets itself.
The pinout of the chip is this:
The software that runs on the chip is called 10NES (so the CIC represents the hardware while the 10NES represents the software that runs on the CIC).
The lock pin is PIN4; PIN3, on the other hand, is a "seed" pin and is connected to a capacitor which does not always take the same time to discharge; the CIC records this time and uses it as a pseudo-random generator to decide which of the 16 possible "streams" to use, and communicates the choice to the key chip in the cartridge.
PIN10 of the lock chip (in the console) is connected to PIN7 of the key chip (in the cartridge) and is able to reset the console.
PINs 11 and 12 (RESET_SPEED) are used to decide at what speed to "blink" the reset line (about 0.4s, 0.6s, 0.8s, 1.0s each on/off) and then restart the console.
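The lock/key exchange just described, as an added C model (not from the original article, and not the 10NES code): the LFSR generator, the region ids and the function names are stand-ins made up for the illustration. It shows a matching key passing, a key from another region being rejected, and a key that always plays one stream agreeing with the lock for only 1 of the 16 seeds.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed region ids for this model only (named after the chip codes). */
enum { CIC_3193 = 0, CIC_3195 = 1, CIC_3196 = 2, CIC_3197 = 3 };

typedef struct { uint8_t state; } cic_t;

/* Stand-in generator, NOT the 10NES algorithm: an 8-bit LFSR seeded from
   (region, stream). It only models "same region + same stream = same bits". */
static void cic_init(cic_t *c, uint8_t region, uint8_t stream) {
    c->state = (uint8_t)(0x80u | (region << 4) | (stream & 0x0Fu));
}

static int cic_next_bit(cic_t *c) {
    int out = c->state & 1;
    c->state >>= 1;
    if (out) c->state ^= 0xB8u;
    return out;
}

/* Lock side: derive the stream id from the capacitor discharge time, hand it
   to the key, then compare one bit per round. key_follows_seed = 0 models a
   key that always plays stream 0. Returns 0 if all rounds match, otherwise
   the 1-based round at which the lock would start pulsing the reset line. */
static int lock_check(uint8_t lock_region, uint8_t key_region,
                      unsigned discharge_ticks, int key_follows_seed) {
    uint8_t stream = (uint8_t)(discharge_ticks & 0x0Fu); /* 1 of 16 streams */
    cic_t lock, key;
    cic_init(&lock, lock_region, stream);
    cic_init(&key, key_region, key_follows_seed ? stream : 0);
    for (int round = 1; round <= 64; round++)
        if (cic_next_bit(&lock) != cic_next_bit(&key)) return round;
    return 0;
}

/* How many of the 16 possible seeds a fixed-stream key survives. */
static int boots_passed_by_fixed_key(uint8_t region) {
    int ok = 0;
    for (unsigned t = 0; t < 16; t++)
        ok += (lock_check(region, region, t, 0) == 0);
    return ok;
}

int main(void) {
    printf("same region:   %d\n", lock_check(CIC_3197, CIC_3197, 1234, 1));
    printf("other region:  %d\n", lock_check(CIC_3197, CIC_3193, 1234, 1));
    printf("fixed key ok:  %d/16\n", boots_passed_by_fixed_key(CIC_3197));
    return 0;
}
```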
HOW TO BYPASS IT
Over time, various methods have followed one another to overcome this protection:
1 – many third-party developers chose to send a rapid electrical impulse (called a “voltage spike”) to temporarily disable it and then allow the non-Nintendo-licensed program to run. Nintendo ran for cover against this "technique" by producing a hardware revision of the NES immune to the specific "attack" (in particular those with "NES-CPU-11" written on the PCB)
CURIOUS FACT: it so happened that the older revisions (with "NES-CPU-04" written on the PCB) were substantially unable to support the protection so, if you must buy a used NES, try to find out the hardware revision and look for an "old" one.
2 – some developers (such as HES) instead developed a "dongle" that connected to a genuine cartridge to bypass the check with it:
3 – An Atari-affiliated company called Tengen managed to “abusively” obtain the patent from the United States Patent and Trademark Office, claiming that it needed it to defend itself in a lawsuit; this patent was used to produce a clone chip which was called Rabbit (for the whole legal tussle you can read this interesting article).
4 – A small company called RetroZone produced, after the 10NES patent expired on January 24, 2006, its own chip based on the reverse engineering of the previous Rabbit and called it CIClone:
5 – The chip was subsequently emulated in microcontrollers such as the ATtiny13A (in the photo, the microcontroller pins to connect to the respective pins on the NES cartridge):
6 – Given that in some cases the protection system could not authenticate even official cartridges (for example if the cartridge contacts were not cleaned properly), a hardmod to disable it is to lift or cut PIN4 of the CIC:
or connect PIN4 of the chip to ground (in the photo PIN14); in this way the chip works automatically both as a lock and as a key:
PHYSICAL PROTECTION: THE PINS
To prevent the use of Japanese cartridges in consoles from other regions and vice versa, the Japanese console (Famicom) had smaller cartridges with 60 PINs, while those from other countries had 72 PINs:
consequently it was not physically possible to exchange them between consoles of different regions.
Obviously, adapters for both situations were soon created to overcome this regional "block", including a CIC bypass via a CIClone-style chip or an original Sharp chip taken from an original cartridge:
We are therefore at the dawn of protection technologies but we have seen how ingenuity was not lacking both on the part of manufacturers and on the part of those who did not want to have "restrictions"! ^_^