Slide 1

Slide 1 text

No content

Slide 2

No content

Slide 3

No content

Slide 4

...but I don't think that bullet points & memes are the best way to talk about arcade games

Slide 5

not everyone understands hardware

Slide 6

not everyone understands software

Slide 7

but everyone understands that it's a game!

Slide 8

that's the cool part of emulation: it brings games to everyone! (games that might otherwise be lost forever)

Slide 9

This talk is about arcade games, the games where you put money in to play. That money went into the operator's pocket, with no share for the arcade manufacturer. To be successful, they had to be awesome. "Dedicated" (hardware, controls...) is the key to their success.

Slide 10

some arcade hardware had its graphics cut into tiles: the CPU can't draw directly, it just gives a list of tiles, then a dedicated chip draws the complete screen. Smoother animation, but the CPU can't draw anything else.

Slide 11

some arcade hardware was a powered-up console, but there were many more arcade platforms.

Slide 12

Let's go back in time: This is Night Driver (Atari 1976)...

Slide 13

It's based on the first racing game, Nürburgring (1975), made of 30 PCBs.

Slide 14

Berzerk was one of the first games with digitized speech. It cost 1000 USD per word to digitize (and it contained 16 words!)...

Slide 15

...they also made a German version! Same price per word? ;)

Slide 16

Battlezone, the first FPS, in 1980...

Slide 17

...was initially designed as a military trainer.

Slide 18

I, Robot (1984), a 3D action game with filled polygons...

Slide 19

... is considered to be 'too advanced for its time'.

Slide 20

Dragon's Lair, an 'interactive' cartoon from 1983, at a time when HDs were 10 Mb and graphics had 16 colors.

Slide 21

...used the very recent LaserDisc technology (from 1981). But LD drives wore out quickly because of the frequent scene skipping.

Slide 22

Outrun (Sega 1986), awesome racing game!

Slide 23

...uses 2 main CPUs at 10 MHz (an Amiga 500 runs at 7 MHz). The 2nd CPU's only task is to display the roads (they're drawn at 30 FPS *only*, the rest of the game at 60).

Slide 24

Hard Drivin' (1989), a 3D simulation way before modern GPUs existed...

Slide 25

...used 3 PCBs. They made a triple-screen version of the sequel: 6 PCBs, 4 CPUs, 9 DSPs!!!! It has been emulated since last month (November 14)!

Slide 26

Sometimes, it was the arcade cabinet that was awesome. Hang gliding, bike, car... ass poking ?!?

Slide 27

Sega's R360 rotates the player on all axes, even upside down!

Slide 28

Sometimes, the screen was the awesome part: half sphere, 3x screen...

Slide 29

...and with awesome games came awesome piracy!

Slide 30

the first bootleg in MAME is from 1977!

Slide 31

As long as a game was good enough and its hardware not too extreme, bootlegs would be made. A few of them were 'creative'.

Slide 32

Space Invaders (text) <> Darth Vader (gfx)
Metal Slug 3 <> Metal Slug 6 (!!)

Slide 33

They went further, taking a good game and hacking its gfx & sound to create a 'new' game.

Slide 34

or sometimes they just ripped off graphics, to make a (crappy) game, like a shooter with StarCraft's GFX :(

Slide 35

With awesome piracy came awesome protections. Once again, dedicated stuff, sometimes tightly integrated with the game internals.

Slide 36

In Bee Storm, if the protected CPU is missing, the game works, but the enemies don't shoot anymore.

Slide 37

In Hang-On, if the 2nd CPU (sometimes encrypted) is missing, then the roads are straight.

Slide 38

in S.P.Y., collisions are handled by a custom chip: without it, you can't hurt and cannot be hurt.

Slide 39

So, in general, the only way to emulate them correctly is to decap the protection chip and read its internal ROM. Bubble Bobble was only correctly preserved in 2005!

Slide 40

to store protected data, they went further: they stored it in battery-backed RAM. The battery dies, the game dies. The manual doesn't even mention it! And the warranty is void if you open the game's case!

Slide 41

some manufacturers used 'commercial' protection chips, but most were custom.

Slide 42

so you're not supposed to open the game, yet all games will eventually die once all batteries are empty. Hacking these games is the only way to preserve them.

Slide 43

it also enables the IP to be re-used commercially later.

Slide 44

modern practices also brought DLC rip-offs :(

Slide 45

Arcade games had to be awesome. They often used dedicated parts. They were heavily pirated. They were heavily protected. So protected that it makes them vulnerable (to time)! Hacking is the only way to preserve them.

Slide 46

Let's look at the Capcom Play System, known as CPS1.

Slide 47

known mostly for Street Fighter II

Slide 48

and many other good games

Slide 49

the complete list...

Slide 50

including the least known, only emulated in June 2014. It's SF2-based, but it's a mole-hitting game!!

Slide 51

CPS1 was increasingly protected, yet it was completely hacked. SF2 bootlegs were common.

Slide 52

a Final Fight bootleg, adding extra characters to control.

Slide 53

an original CPS1… (3 PCBs)

Slide 54

and a CPS1 bootleg (nothing in common)

Slide 55

the latest CPS1 generation had a custom chip + suicide battery...

Slide 56

...but it was defeated nonetheless: weak encryption plus encrypted data (whose contents were easy to guess) made a known-plaintext attack easy.

Slide 57

CPS1 was great. It was protected. It was completely hacked.

Slide 58

Capcom released its evolution, the CPS2

Slide 59

it started with this...

Slide 60

from Super SF2 (1993) to Hyper SF2 (2003) (how original !)

Slide 61

CPS2 was awesome...

Slide 62

...really awesome!

Slide 63

...plenty of great games...

Slide 64

the real successor to the CPS1, and the last successful hardware from Capcom.

Slide 65

here is the complete list of bootlegs, hacks, swaps... (absolutely NOTHING)

Slide 66

they were so desperate that they couldn't hack that...

Slide 67

that they hacked a console version into an arcade game (with a typo)

Slide 68

A CPS2 is a sandwich of 2 PCBs (sometimes only 1, sometimes 3)

Slide 69

the game PCB contains code+data+protection

Slide 70

what's in green is in the clear, what's in red is encrypted. Code and data live together in the same ROMs: code is encrypted, data isn't.

Slide 71

decryption happens on the fly, during the memory fetch, depending on the kind of access: a standard data read? returned as is. A fetch for execution? decrypted.

Slide 72

patch an opcode (with the encryption unknown) → black screen. Game over. Retry?

Slide 73

CPS2 was really awesome. it was well protected. it was absolutely unscathed for 6 years.

Slide 74

Capcom had a major competitor.

Slide 75

the Neo-Geo is known for many games...

Slide 76

an exceptional success and longevity !

Slide 77

a success in arcade AND as an expensive console

Slide 78

Capcom created something that made the NeoGeo look small and cheap. It was a commercial failure...

Slide 79

as a last effort, they backported a recent CPS2 game. the first decrypted CPS2 port !!!

Slide 80

but nothing happened. the dragon was still alive.

Slide 81

To defeat a dragon, you need adventurers: Razoola, Charles MacDonald, Andreas Naive, Nicola Salmoria, David Haywood, and many others. (I worked with Razoola, and helped him on the PC side.)

Slide 82

In November 1999, Razoola re-enabled SFZ’s internal debugger (first working CPS2 patch !) → not blind anymore !

Slide 83

In spring 2000, he found that some specific memory ranges were not using encryption! Why? No reason - just a big facepalm! → shellcode execution for a split second.

Slide 84

when reading relative to the program counter (PC-relative addressing), the memory fetches are actually decrypted! Sega prevented that, but Capcom failed to. → first CPS2 decryption, word by word
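The fetch-path behaviour from slides 71, 72 and 84, as an added Python model (not Capcom's hardware and not MAME code): decryption is gated on the kind of access rather than on the address, so a PC-relative read that is routed down the "code fetch" path hands back the plaintext. The XOR stand-in cipher, the key, the addresses and the words are all constructed.

```python
"""Toy model of a CPS2-style bus: encrypted code and clear data share the ROM,
and the bus decrypts depending on the *type* of access. The XOR cipher is a
constructed stand-in for the real algorithm; nothing here is a real key."""

KEY = 0x5A3C  # constructed toy key, not a real CPS2 key


def decrypt_word(word):
    """Stand-in for the per-word decryption applied on the bus."""
    return word ^ KEY


class Cps2Bus:
    def __init__(self, rom):
        self.rom = rom  # dict: address -> 16-bit word exactly as stored in ROM

    def fetch_opcode(self, addr):
        # Instruction fetch: decrypted on the fly (slide 71).
        return decrypt_word(self.rom[addr])

    def read_data(self, addr):
        # Absolute-address data read: returned as stored. Clear data reads
        # fine; encrypted code read this way is just ciphertext.
        return self.rom[addr]

    def read_pc_relative(self, pc, offset):
        # The flaw from slide 84: a PC-relative read is treated like a code
        # fetch, so the program can read its own code in the clear.
        return decrypt_word(self.rom[pc + offset])


CODE_PLAIN = [0x4E71, 0x7001, 0x4E75]  # constructed 68000-style words
DATA_CLEAR = [0x0102, 0x0304]          # constructed table data


def build_rom():
    rom = {}
    for i, w in enumerate(CODE_PLAIN):
        rom[0x0000 + 2 * i] = w ^ KEY  # code region stored encrypted
    for i, w in enumerate(DATA_CLEAR):
        rom[0x1000 + 2 * i] = w        # data region stored in the clear
    return rom


def dump_code_via_pc_relative(bus, base, count):
    """The 'word by word' dump: a routine at `base` reads itself PC-relative."""
    return [bus.read_pc_relative(base, 2 * i) for i in range(count)]


def patch_opcode_naively(bus, addr, plain_word):
    """Slide 72: writing a plaintext opcode into ROM without knowing the
    encryption means the fetch path *decrypts* it into garbage."""
    bus.rom[addr] = plain_word
    return bus.fetch_opcode(addr)
```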

Slide 85

So, in summer 2000, I visited Raz, hoping we'd break the algo. But no success...

Slide 86

in the meantime, we worked on other stuff (it's good to keep the faith, and your brain fresh !)

Slide 87

in December 2000, Raz noticed that Capcom leaked the key to keep decryption alive. → automated dump is now possible !

Slide 88

We dumped by connecting the CPS2 to the joystick port of the PC. Ugly, clumsy, slow, but it worked!

Slide 89

Jan 2001: first CPS2 emulation

Slide 90

the news didn't get it right, as usual...

Slide 91

but now emulation was a reality. Each game had to be sent to Raz in working state.

Slide 92

game over for CPS2 ? not fully. encryption still unknown, no possible restoration yet.

Slide 93

in the meantime, more side projects, to keep the faith ;)

Slide 94

recent NeoGeo games also featured better protection

Slide 95

but with 'joystick dumping', that was defeated quickly :p (decryption done by Nicola Salmoria)

Slide 96

what about dead CPS2 boards ?

Slide 97

if you put back decrypted code on a dead CPS2, it still doesn't work.

Slide 98

Razoola was donated a working PCB to sacrifice, then found out why.

Slide 99

video and sound registers had a different address on dead games. patching these addresses makes them work again !

Slide 100

workflow: decrypt code, merge with data, patch addresses...

Slide 101

Razoola made a universal test ROM, and 'no more battery' Phoenix versions.

Slide 102

this also made bootlegs possible. no more battery... from MegaMan to Gigaman :(

Slide 103

and also some cool all-in-one: play all games with just one board.

Slide 104

PC (1999) vs. CPS2 (1994): these 2 games look different...

Slide 105

however, the IP was the same. Some nice lawyer wrote us a letter... You see who your friends really are, in these cases ;)

Slide 106

So now even the most obscure CPS2 games were preserved, but the encryption was still unknown, and it would have taken us 200 years to dump all possible values for one game...

Slide 107

so we needed someone else to continue...

Slide 108

if you can't defeat the enemy, bring your friends. In 2005, Charles MacDonald started to work on the CPS2.

Slide 109

Charles MacDonald is an awesome hacker, with special weapons. Here, his PAL blackboxer. He took the CPS2 PALs, determined their internal configuration by blackboxing them, and replaced them with GALs. He now had control over the memory mapping!

Slide 110

then he designed his own dedicated device...

Slide 111

to dump a CPS2 directly via its expansion port, to USB!!! He could dump the 8 Gb set in 17h. He did that for several games, but that wasn't enough to understand the algorithm...

Slide 112

so someone else needed to continue to break the algo...

Slide 113

that's where Nicola Salmoria and Andreas Naive helped. They're awesome at working out encryption algorithms. The algo was Feistel-based, and the key was 64 bits.

Slide 114

so, from one European game's decrypted dump, the key could be determined, which could then decrypt the rare Japanese version of the same game.
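The Feistel-plus-key-recovery idea from slides 113 and 114, as an added Python example (not the real CPS2 algorithm from MAME's cps2crpt.c, which uses a 64-bit key): a constructed 16-bit toy Feistel cipher, whose key is recovered from one version's known plaintext/ciphertext pairs and then reused to decrypt the other version's encrypted dump. Every constant, the key schedule and both "dumps" are constructed for the example.

```python
"""Constructed toy Feistel cipher (16-bit block, 16-bit key, 4 rounds) and a
known-plaintext key recovery. Stand-in for the Feistel-based CPS2 scheme
described in the talk; none of the constants are Capcom's."""

def round_keys(key):
    hi, lo = (key >> 8) & 0xFF, key & 0xFF
    return [hi, lo, hi ^ 0xA5, lo ^ 0x5A]  # constructed key schedule


def f(half, rk):
    """Round function on one 8-bit half: XOR the round key, rotate, affine mix."""
    x = (half ^ rk) & 0xFF
    x = ((x << 3) | (x >> 5)) & 0xFF
    return (x * 0x1D + 0x4B) & 0xFF


def feistel(word, rks):
    left, right = word >> 8, word & 0xFF
    for rk in rks:
        left, right = right, left ^ f(right, rk)
    # Undo the final swap so decryption is the same network with reversed keys.
    return (right << 8) | left


def encrypt_word(word, key):
    return feistel(word, round_keys(key))


def decrypt_word(word, key):
    return feistel(word, list(reversed(round_keys(key))))


def recover_key(pairs):
    """Return every 16-bit key consistent with the known (plain, cipher) pairs."""
    return [k for k in range(1 << 16)
            if all(encrypt_word(p, k) == c for p, c in pairs)]


def decrypt_dump(words, key):
    return [decrypt_word(w, key) for w in words]


# Constructed sample: the same key protects both regional versions.
TRUE_KEY = 0xC3A7
EURO_PLAIN = [0x4E71, 0x7001, 0x4E75, 0x6000]   # "decrypted European dump"
JAPAN_PLAIN = [0x4E71, 0x7002, 0x4E75, 0x6100]  # what we hope to recover
EURO_ENC = [encrypt_word(w, TRUE_KEY) for w in EURO_PLAIN]
JAPAN_ENC = [encrypt_word(w, TRUE_KEY) for w in JAPAN_PLAIN]

if __name__ == "__main__":
    keys = recover_key(list(zip(EURO_PLAIN, EURO_ENC)))
    print("consistent keys:", [hex(k) for k in keys])
    print("Japanese dump decrypted:", [hex(w) for w in decrypt_dump(JAPAN_ENC, keys[0])])
```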

Slide 115

Higenekodo even designed a patch to improve the controls of that game :D dedication FTW !

Slide 116

Last, Dave Haywood designed an attack to determine the key just from the ENCRYPTED dump of the game. So even the rarest CPS2 game was preserved !

Slide 117

Conclusion

Slide 118

Capcom's mistakes

Slide 119

many people contributed, in various ways

Slide 120

and overall, an awesome victory !

Slide 121

the original hardware to resurrect CPS2s appeared only a few years ago...

Slide 122

CPS2's protection is seen as related to Sega Naomi's

Slide 123

Andreas Naive later defeated the CPS3 encryption. Then, recently, Darksoft resurrected them and made an all-in-one CPS3 CD!

Slide 124

Razoola also went deeper in Neo-Geo enhancing, with his Universal Bios.

Slide 125

this is the Bubble Memory system. it’s very fragile.

Slide 126

to work, it needs to warm up to a certain temperature. To me, this big countdown says: 'all these games are going to disappear if no one hacks or contributes to them'

Slide 127

Links:
Razoola's CPS2Shock: http://www.cps2shock.com (archived: http://web.archive.org/web/*/http://cps2shock.retrogames.com)
Charles MacDonald's Home Page: http://cgfm2.emuviews.com/old2005.php
Nicola Salmoria's MAME Ramblings: http://mamelife.blogspot.com/2006/01/8gb-2-is-still-4gb.html
Andreas Naive's Notas de Andy: http://andreasnaive.blogspot.com/2006_12_01_archive.html
MAME's CPS2 encryption source: http://mamedev.org/source/src/mame/machine/cps2crpt.c.html
DarkSoft's Breaking CPS3: http://64darksoft.blogspot.com

Slide 128

yes, this is a CPS2 timeline :p

Slide 129

some bonus ?

Slide 130

SFA3 has a time lock: if you let it run long enough, some special modes are unlocked. the title background tells how many modes are unlocked.

Slide 131

extra characters, extra playing modes

Slide 132

Hidden in the operator menu: Razoola found the crazy cheat codes in the disassembly that turn on these extras without waiting weeks.

Slide 133

Charles MacDonald also worked on Sega hardware and created his own device for it...

Slide 134

Dumping from a Sega System 24's FD1094 to USB

Slide 135

to preserve games from System 16, 24 & System X

Slide 136

Last Survivor, a System X game from 1989, was thought to be lost forever. Someone still had one in working condition: it was preserved, 20 years later!

Slide 137

it's a split-screen multiplayer FPS

Slide 138

modern tools show how fighting game engines actually work. Damage areas change from one version to the other.

Slide 139

there are bugs in the official releases !

Slide 140

attack behind you, or be hit for no reason...

Slide 141

tool-assisted speedruns abuse games via standard controls.

Slide 142

No content