3 May 2023
In the previous article we talked about the protections Nintendo built into its NES “export” console; today let's see how the add-on FDS peripheral behaves!
The Famicom Disk System (product code FMC-001) was released by Nintendo in February 1986 as an add-on for the Famicom (the Japanese version of the NES, for those who don't remember) and allowed games to be read from floppy disks as well as from cartridges. In the adjacent image you can see it sitting below the Famicom with its expansion cartridge (black) inserted.
Here below it is in the "integrated" version (Famicom+FDS) called Twin Famicom and produced by Sharp.
This peripheral actually had a precursor, the Nintendo Data Recorder, created in 1984 for the Japanese market, but it lacked protections.
It was used to store programs written for the BASIC application or to save levels created for a handful of titles that supported it (Castle Excellent, Excitebike, Mach Rider and Wrecking Crew).
The purpose of the FDS, on the other hand, besides the possibility of saving progress (one of the very first titles released was in fact The Legend of Zelda!), was to increase the space available for producing and distributing games, which at the time was still limited by low-capacity ROM cartridges! Included with the drive was an expansion cartridge containing RAM chips and an ASIC chip with a DRAM controller, IRQ hardware, sound generation hardware, a serial interface to the drive, and a parallel port.
To officially obtain games on disk you had to go to a "kiosk" styled much like today's vending machines, as you can see alongside.
If you already had a disk (empty or already written) it could be reused for 500 yen; if you also wanted a blank disk you had to add another 2000.
The protections of the FDS
FORMAT
The hardware of the machine has a 2.8″ x 3″ floppy drive and 64Kb of storage space per side, therefore 128Kb total; the storage format on disk is that of QuickDisks (the same format as MSX) but using a 3″x4″ plastic case instead of the standard 3″x3″. Because the case was not "standard", copying was already complicated: a way had to be found to use more "common" disks such as "normal" QuickDisks.
Furthermore, the word "NINTENDO" on the back of the floppy was engraved, and the drive did not accept disks that lacked this engraving.
But the hackers didn't give up so easily: starting with a standard QuickDisk, which you can see here on the right…
…kits were produced to adapt this disk to the FDS format. They consisted of cutting off the "flaps" of the standard disk, applying a rear "extension" and attaching a piece to "simulate" both the correct length and the presence of the engraved NINTENDO logo (in particular, the physical check took place on the letters I and N of the inscription):
SOFTWARE CHECKS
There are several checks performed by the console:
– the system searches for the 14-byte string “*NINTENDO-HVC*” at disk offset 0x01 and returns an error if it can't find it;
– 224 bytes at the $2800-$28DF address of the PPU must coincide with those of the BIOS stored at the address $ED37;
– the first file of a disc is called KYODAKU- (meaning “approved”) and must be present otherwise an error will appear;
– some developers could implement checks on hidden files that the BIOS did not read but that the game itself "searched" for, returning an error if they were not found.
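The signature, first-file and hidden-file points above can be checked on a disk-side dump when validating an image for preservation. The following Python is an added example, not code from the original article or from the BIOS; it assumes a raw side image with gaps and CRCs stripped, a 56-byte info block, a 2-byte file-count block and 16-byte file headers (block codes 0x01 to 0x04), and the names `inspect_side` and `build_side` are hypothetical.

```python
import struct

SIGNATURE = b"*NINTENDO-HVC*"   # 14-byte string the article says is looked for at offset 0x01
FIRST_FILE = b"KYODAKU-"        # first-file name given in the article
INFO_LEN = 56                   # assumed size of the disk info block (block code 0x01)
FILE_HDR = struct.Struct("<BBB8sHHB")  # assumed: code 0x03, number, id, name, load addr, size, type

def inspect_side(side: bytes) -> dict:
    """Check the two BIOS-visible markers and list files beyond the declared total."""
    report = {"signature_ok": side[1:15] == SIGNATURE, "first_file_ok": False,
              "declared": 0, "found": 0, "hidden": [], "errors": []}
    if len(side) < INFO_LEN + 2 or side[0] != 0x01 or side[INFO_LEN] != 0x02:
        report["errors"].append("info or file-count block missing or truncated")
        return report
    report["declared"] = side[INFO_LEN + 1]
    off = INFO_LEN + 2
    # Walk header/data block pairs until something that is not a file header appears.
    while off + FILE_HDR.size < len(side) and side[off] == 0x03:
        _, _, _, name, _, size, _ = FILE_HDR.unpack_from(side, off)
        data_at = off + FILE_HDR.size
        if side[data_at] != 0x04 or data_at + 1 + size > len(side):
            report["errors"].append(f"file {report['found']}: data block missing or truncated")
            break
        if report["found"] == 0:
            report["first_file_ok"] = name == FIRST_FILE
        if report["found"] >= report["declared"]:
            report["hidden"].append(name.decode("ascii", "replace"))
        report["found"] += 1
        off = data_at + 1 + size
    return report

def build_side(names, declared, signature=SIGNATURE) -> bytes:
    """Constructed sample: a minimal side image, not a dump of any real disk."""
    side = bytes([0x01]) + signature + bytes(INFO_LEN - 15) + bytes([0x02, declared])
    for i, name in enumerate(names):
        payload = b"\x00" * 4
        side += FILE_HDR.pack(0x03, i, i, name, 0x2800, len(payload), 0) + b"\x04" + payload
    return side + bytes(32)  # trailing zero padding, as at the end of a side

if __name__ == "__main__":
    good = build_side([FIRST_FILE, b"MAIN    ", b"CHECK   "], declared=2)
    print(inspect_side(good))
```

A non-empty `hidden` list means a file-by-file copy limited to the declared count would leave data behind, which is why such a copy can fail a game's own checks.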
These checks could be defeated by obtaining a 1:1 copy of the original floppy but… how to do that, since some factory drive controllers were built with dedicated logic that does not allow this function? The answer came quickly: using a hardmod on the FDS that allowed complete reading/writing by bypassing the board's own controller (it is called the "FDS write mod") and using dedicated software to perform the dump:
Boiled down to the essentials: there are basically 2 versions of the controller, the FDP3206P and the FD7201P; on the 3206P, if the “write a file” command is sent, the system works, but if the “write the whole disk” command is sent (with which all sectors and any hidden files can be copied) the system disables writing by the head, which silently goes on “not writing”: when the write is verified the system obviously reports an error because nothing has been written (“Error 26: Could not write to disk card”). The mod bypasses this factory-imposed “limit”. In 2021 a wire-free mod (called “V4”) was released, with a single chip that is placed on top of the original FDP3206 and soldered to it at 8 pins:
HARDWARE CHECKS
Subsequently Nintendo introduced an additional level of control which still prevents writing (even if the controller is an FD720P!) starting from some hardware revisions of the power boards; this system component can have 5 possible revisions, each identifiable by a specific string printed on the PCB, which you can see circled in red in the photo.
The string is FMD-PWER-0X, where X can be a number between 1 and 5; revision 1 has no protection, revision 2 sometimes has it and sometimes does not, revision 3 is probably without protection, while 4 and 5 definitely implement protection.
Revision 02 with protection (in the photo) is easily identified because it has an additional board that must be removed (and the connector must be soldered) to turn it back into an unprotected rev. 02:
Revs. 04 and 05 instead have the additional part integrated into the PCB, so getting the better of it requires cutting traces, removing some components and adding jumpers.
Rev.04
Remove/desolder the JP14 component: this totally disables the protection; however, a jumper must be created between points A and B of the board to restore the write function.
Rev.05
Remove/disconnect the jumpers highlighted in the left image (the topmost one is hidden between the 2 black plastic components) – the corresponding points on the other side of the PCB are highlighted in red with the label “Desolder and remove”; then the 2 small traces indicated by the 2 small “red dashes” in the right image must be cut, and finally 2 wires must be connected where indicated by the blue lines to restore the write function.
As for the Twin Famicom, some have a power board without the chips that implement the protection, so they do not need to be modified (only the version of the floppy drive chip needs to be checked), while on other models, where the power board has 2 chips, 2 wires must be connected together:
You can see how to do it in this video (at around minute 14).
COPIERS
There is also dedicated hardware that works using 2 FDS units connected together, such as the Dubbing Boy II:
or the Famicom Disk Backup Unit:
these too come with their own copy software (as in the image alongside), with which one FDS can be used to read and another to write the data to a destination disk.
There is also a piece of software (Copy Master, NTSC version) that works without having to perform these mods, but it still cannot produce a perfect copy because it is unable to write *NINTENDO-HVC* or any hidden files; since it does not copy perfectly 1:1, it could produce non-working copies.
You can therefore see the evergreen cat-and-mouse chase between physical (proprietary hardware with specific shapes) and digital (checks) protection mechanisms on one side and the corresponding systems to overcome them on the other! This is how the foundations were laid for that magical world that has held, and still holds, court among modification enthusiasts all over the world! Do we want to call them hackers? Shall we call them devs? Whatever name you choose, one thing is certain: as long as there is protection, you will always find someone willing to try and overcome it!