Revealing Capcom’s Custom Silicon Security

I helped with defeating the CPS-2 encryption scheme.<p>It all comes down to the function code pins on the CPU, which change depending on what kind of data you are fetching (regular data or program instructions) and whether you&#x27;re in supervisor or user mode.<p>FC1, FC0: 01 = data, 10 = program FC2: 0 = user, 1 = system<p>The encryption enable line is tied to FC2 and FC1, so it&#x27;s only active when fetching program instructions in user mode. The reason for this is that the reset vector, which is accessed as supervisor program data, cannot be encrypted, otherwise the initial program counter and stack pointer would be wrong.<p>So, you could take over the interrupt table and run instructions in an ISR, but you still had a problem. If you tried to do MOVE (a0), d0 for example, it would try to read (a0) with the DATA function code, which would not activate decryption.<p>BUT...<p>The m68k manual states: Data items in the instruction stream can be accessed with the program counter relative addressing modes; these accesses classify as program references.<p>So, all you needed to do is use PC-relative addressing within an ISR, which can access the entire memory space if you program it right, and then just stream the whole program ROM out, decrypted, via whatever means you wanted.<p>This worked, but for some reason, the encryption chip would mysteriously shut down after a very short while.<p>This final puzzle piece could have remained a mystery forever, if Capcom hadn&#x27;t inadvertently spilled the beans.<p>In a bid to enter the high end home market, Capcom released a &quot;home&quot; version of their CPS-1 system, along with very slightly modified versions of all their classic CPS-1 games. Their mistake came when they decided to port some CPS-2 games to CPS-1 (the systems were close enough to do it without too much difficulty). If you look at the program code in the CPS-2 converted titles, you&#x27;ll notice a weird MOVE instruction that is sprinkled throughout the code, yet doesn&#x27;t seem to do anything useful.<p>This is the final piece of the puzzle. That specific move instruction is read by the encryption chip, and used as a &quot;keep alive&quot;. If enough time passes without that pattern being on the data bus, the encryption chip shuts down permanently, until you turn off power.<p>So all you needed to do is inject that MOVE instruction while you were reading out the program ROM using PC-relative MOVEs from your custom exception routine.

You know, I hate articles like this. They get you hooked, much like the pilot of a TV series - then say &quot;wait until next week when we find out...etc&quot;.<p>But I don&#x27;t follow individual sites much - rather aggregators like HN. Most likely, when the follow-up does appear, HN won&#x27;t have it posted (unless someone submits it - which is a possibility).<p>I dunno - I understand why this is done from a business perspective (and maybe from a practical perspective - maybe the rest of the write-up hasn&#x27;t been written up yet!) - but I would just rather wait until its all there, then plow thru the whole thing in one shot.<p>As it stands - with this and other articles in the past - I might revisit it, but its doubtful that I&#x27;ll remember.<p>It&#x27;s too bad - I like the topic, and it sounds very interesting.

The original CPS-2 reverse engineering project is also a fascinating read: <a href="http:&#x2F;&#x2F;cps2shock.emu-france.info&#x2F;" rel="nofollow">http:&#x2F;&#x2F;cps2shock.emu-france.info&#x2F;</a>

I worked at a game company that (among other things) made “retro” game collections of Capcom and Atari games for PS2 and Xbox 360. Even they didn’t have the source code for most of the smaller titles; we had to reverse nearly all of them.