...but I don't think that bullet points & memes
are the best way to talk about arcade games
Slide 5
Slide 5 text
not everyone understands hardware
Slide 6
Slide 6 text
not everyone understands software
Slide 7
Slide 7 text
but everyone understands that it's a game!
Slide 8
Slide 8 text
that's the cool part of emulation:
it brings games to everyone !
(games that might be lost forever)
Slide 9
Slide 9 text
This talk is about arcade games,
the games where you put money to play.
That money would go in the operator's pocket,
no share to the arcade manufacturer.
To be successful, they had to be awesome.
"Dedicated" (hardware, controls...) is the key to their success.
Slide 10
Slide 10 text
on some arcade hardware, graphics were cut into tiles:
the CPU can't draw directly; it just gives a list
of tiles, then a dedicated chip draws the complete screen.
Smoother animation, but it can't draw anything else.
Slide 11
Slide 11 text
some arcade hardware was a powered-up console,
but there were many more kinds of arcade hardware.
Slide 12
Slide 12 text
Let's go back in time:
This is Night Driver (Atari 1976)...
Slide 13
Slide 13 text
It's based on the first racing game,
Nürburgring (1975) made of 30 PCBs.
Slide 14
Slide 14 text
Berzerk was one of the first games with digitized speech.
It cost 1000 USD / word to be digitized
(it contained 16 words!)...
Slide 15
Slide 15 text
...they also made a German version!
same price per word ? ;)
Slide 16
Slide 16 text
Battlezone, the first FPS, in 1980...
Slide 17
Slide 17 text
...was initially designed as a military trainer.
Slide 18
Slide 18 text
I, Robot (1984), a 3D action game with filled polygons
Slide 19
Slide 19 text
... is considered to be 'too advanced for its time'.
Slide 20
Slide 20 text
Dragon's Lair, an 'interactive' cartoon in 1983,
at a time when HDs were 10 Mb and graphics were in 16 colors.
Slide 21
Slide 21 text
...was using the very recent Laser Disc technology (from 1981).
But LD drives were quickly worn out, because of frequent scene skipping.
Slide 22
Slide 22 text
Outrun (Sega 1986), awesome racing game!
Slide 23
Slide 23 text
...uses 2 main CPUs at 10 MHz (an Amiga 500 runs at 7 MHz)
the 2nd CPU's only task is to display the roads.
(they're drawn at 30 FPS *only*, the rest of the game at 60)
Slide 24
Slide 24 text
Hard Drivin' (1989), a 3D simulation way before modern GPUs existed...
Slide 25
Slide 25 text
...used 3 PCBs.
They made a triple screen version of the sequel:
6 PCBs, 4 CPUs, 9 DSPs !!!!
It has been emulated since last month (November 14)!
Slide 26
Slide 26 text
Sometimes, it was the arcade cabinet that was awesome.
Hang gliding, bike, car... ass poking ?!?
Slide 27
Slide 27 text
Sega's R360 rotates the player on all axes, even upside down!
Slide 28
Slide 28 text
Sometimes, the screen was the awesome part: half sphere, 3x screen...
Slide 29
Slide 29 text
...and with awesome games came awesome piracy!
Slide 30
Slide 30 text
the first bootleg in MAME is from 1977!
Slide 31
Slide 31 text
As long as a game was good enough and its hardware not too extreme,
bootlegs would be made. A few of them were 'creative'.
Slide 32
Slide 32 text
Space Invaders (text) <> Darth Vader (gfx)
Metal Slug 3 <> Metal Slug 6 (!!)
Slide 33
Slide 33 text
They went further and were taking a good game,
then hacking gfx & sound to create a 'new' game
Slide 34
Slide 34 text
or sometimes they just ripped off graphics,
to make a (crappy) game,
like a shooter with StarCraft's GFX :(
Slide 35
Slide 35 text
With awesome piracy came awesome protections.
once again, dedicated stuff, sometimes
tightly integrated with the game internals
Slide 36
Slide 36 text
In Bee Storm, if the protected CPU is missing,
the game works, but the enemies don't shoot anymore.
Slide 37
Slide 37 text
In Hang-on, if the 2nd CPU (sometimes encrypted)
is missing, then roads are straight.
Slide 38
Slide 38 text
in S.P.Y., collisions are handled by a custom chip:
without it, you can't hurt and cannot be hurt.
Slide 39
Slide 39 text
So, in general, the only solution to correctly emulate
them is to decap the protection chip and read the internal ROM.
Bubble Bobble was only correctly preserved in 2005 !
Slide 40
Slide 40 text
to store protected data, they went further:
store data on battery-powered RAM.
the battery dies, the game dies.
the manual doesn't even mention it!
the warranty is void if you open the game's case!
Slide 41
Slide 41 text
some manufacturers were using 'commercial' protection chips,
but most were custom.
Slide 42
Slide 42 text
so you're not supposed to open the game,
yet all games will eventually die once all batteries are empty.
Hacking these games is the only way to preserve them.
Slide 43
Slide 43 text
it also enables the IP to be re-used commercially later.
Slide 44
Slide 44 text
modern practices also brought DLC rip-offs :(
Slide 45
Slide 45 text
Arcade games had to be awesome. They were often using dedicated parts.
they were heavily pirated. they were heavily protected.
So protected that it makes them vulnerable (to time)!
Hacking is the only way to preserve them.
Slide 46
Slide 46 text
Let's look at the Capcom Play System, known as CPS1.
Slide 47
Slide 47 text
known mostly for Street Fighter II
Slide 48
Slide 48 text
and many other good games
Slide 49
Slide 49 text
the complete list...
Slide 50
Slide 50 text
including the least known,
only emulated in June 2014.
It's SF2-based, but it's a mole
hitting game !!
Slide 51
Slide 51 text
CPS1 was increasingly protected:
Yet it was completely hacked.
SF2 bootlegs were common.
Slide 52
Slide 52 text
a final fight bootleg, adding extra characters to control.
Slide 53
Slide 53 text
an original CPS1… (3 PCBs)
Slide 54
Slide 54 text
and a CPS1 bootleg (nothing in common)
Slide 55
Slide 55 text
the latest CPS1 generation had custom chip + suicide battery...
Slide 56
Slide 56 text
...but it was defeated nonetheless:
weak encryption + encrypted data made a known-plaintext attack easy.
Slide 57
Slide 57 text
CPS1 was great.
It was protected.
It was completely hacked.
Slide 58
Slide 58 text
Capcom released its evolution, the CPS2
Slide 59
Slide 59 text
it started with this...
Slide 60
Slide 60 text
from Super SF2 (1993)
to Hyper SF2 (2003)
(how original !)
Slide 61
Slide 61 text
CPS2 was awesome...
Slide 62
Slide 62 text
...really awesome!
Slide 63
Slide 63 text
...plenty of great games...
Slide 64
Slide 64 text
the real successor to the CPS1
the last successful hardware from Capcom.
Slide 65
Slide 65 text
here is the complete list of bootlegs, hacks, swaps...
(absolutely NOTHING)
Slide 66
Slide 66 text
they were so desperate that they couldn't hack that...
Slide 67
Slide 67 text
that they hacked a console version into an arcade game (with typo)
Slide 68
Slide 68 text
A CPS2 is a sandwich of 2 PCBs
(sometimes only 1, sometimes 3)
Slide 69
Slide 69 text
the game PCB contains code+data+protection
Slide 70
Slide 70 text
what's in green is in clear,
in red is encrypted.
Code and Data are together.
Code is encrypted, data isn't.
Slide 71
Slide 71 text
decryption is made on the fly,
during memory fetch.
read standard memory? as is.
read for execution? decrypt.
Slide 72
Slide 72 text
patch an opcode (unknown encryption)
→ black screen. game over. retry ?
Slide 73
Slide 73 text
CPS2 was really awesome.
it was well protected.
it was absolutely unscathed for 6 years.
Slide 74
Slide 74 text
Capcom had a major competitor.
Slide 75
Slide 75 text
the Neo-Geo is known
for many games...
Slide 76
Slide 76 text
an exceptional success and longevity !
Slide 77
Slide 77 text
a success in arcade AND as an expensive console
Slide 78
Slide 78 text
Capcom created something
that made the NeoGeo look small and cheap.
It was a commercial failure...
Slide 79
Slide 79 text
as a last effort, they backported a recent CPS2 game.
the first decrypted CPS2 port !!!
Slide 80
Slide 80 text
but nothing happened. the dragon was still alive.
Slide 81
Slide 81 text
to defeat a dragon, you need adventurers:
Razoola, Charles MacDonald, Andreas Naive, Nicola Salmoria, David Haywood, and many others.
(I worked with Razoola, and helped him on the PC side)
Slide 82
Slide 82 text
In November 1999, Razoola re-enabled SFZ’s internal debugger (first working CPS2 patch !)
→ not blind anymore !
Slide 83
Slide 83 text
in spring 2000, he found that some specific memory ranges were not using encryption!
why ? no reason - just a big facepalm !
→ shellcode execution for a split second.
Slide 84
Slide 84 text
when reading relative to the program counter (PC),
memory fetches are actually decrypted!
Sega prevented that, but Capcom failed.
→ first CPS2 decryption, word by word
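A toy model of the fetch-path behaviour from slides 70-71 and the PC-relative leak above, added here as an example; it is not code from the talk or from MAME. The key, cipher, addresses and words are constructed, and StrictBus is only an illustrative contrast, not Sega's actual mechanism.

```python
# Toy model of slides 70-71 and 84: decryption happens during fetch, and the
# decryptor decides from the bus function code (program vs data space), not
# from whether the word is headed for the instruction decoder. Key, cipher,
# addresses and words are constructed; they are not the real CPS2 ones.

TOY_KEY = 0xC0DE  # constructed toy key (the real one is 64 bits)


def toy_xform(addr: int, word: int) -> int:
    """Address-dependent toy word cipher; an involution, so it encrypts and decrypts."""
    return word ^ ((TOY_KEY * (addr | 1) + (addr >> 1)) & 0xFFFF)


def build_rom(plain: dict[int, int]) -> dict[int, int]:
    """Encrypt a plaintext image (word address -> word) the way it would sit in ROM."""
    return {a: toy_xform(a, w) for a, w in plain.items()}


class Cps2Bus:
    """Fetch-path model keyed off the 68000 function code."""

    def __init__(self, rom: dict[int, int]):
        self.rom = rom

    def fetch_opcode(self, addr: int) -> int:
        return toy_xform(addr, self.rom[addr])   # program space: decrypted

    def read_data(self, addr: int) -> int:
        return self.rom[addr]                    # data space: stored word as is

    def read_pc_relative(self, addr: int) -> int:
        # A (d16,PC) operand read is tagged program space by the 68000, so the
        # decryptor hands the plaintext word to ordinary running code.
        return toy_xform(addr, self.rom[addr])


class StrictBus(Cps2Bus):
    """Illustrative contrast (not Sega's actual mechanism): only true opcode
    fetches are decrypted; PC-relative operand reads return the stored word."""

    def read_pc_relative(self, addr: int) -> int:
        return self.rom[addr]


def observed_via_pc_relative(bus: Cps2Bus, addrs) -> dict[int, int]:
    """Every word code on the board can learn by reading these addresses PC-relative."""
    return {a: bus.read_pc_relative(a) for a in addrs}


# Constructed plaintext image: a couple of 68000-looking words plus filler.
PLAIN = {0x1000: 0x4E71, 0x1002: 0x4EF9, 0x1004: 0x1234, 0x1006: 0xBEEF}
```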
Slide 85
Slide 85 text
so, in Summer 2000, I visited Raz, hoping we'd break the algo.
but no success...
Slide 86
Slide 86 text
in the meantime, we worked on other stuff
(it's good to keep the faith, and your brain fresh !)
Slide 87
Slide 87 text
in December 2000, Raz noticed that Capcom
leaked the key to keep decryption alive.
→ automated dump is now possible !
Slide 88
Slide 88 text
we dumped by connecting the CPS2 to the joystick port of the PC.
ugly, clumsy, slow, but worked !
Slide 89
Slide 89 text
Jan 2001: first cps2 emulation
Slide 90
Slide 90 text
the news didn't get it right, as usual...
Slide 91
Slide 91 text
but now emulation was a reality.
each game needed to be sent to
Raz in a working state.
Slide 92
Slide 92 text
game over for CPS2 ?
not fully. encryption still unknown, no possible restoration yet.
Slide 93
Slide 93 text
in the meantime, more side projects, to keep the faith ;)
Slide 94
Slide 94 text
recent NeoGeo games also featured better protection
Slide 95
Slide 95 text
but with 'joystick dumping', that was defeated quickly :p
(decryption done by Nicola Salmoria)
Slide 96
Slide 96 text
what about dead CPS2 boards ?
Slide 97
Slide 97 text
if you put back decrypted code on a dead CPS2,
it still doesn't work.
Slide 98
Slide 98 text
Razoola was given a working PCB to sacrifice,
and then found out why.
Slide 99
Slide 99 text
video and sound registers had a different address on dead games.
patching these addresses makes them work again !
Slide 100
Slide 100 text
workflow: decrypt code, merge with data, patch addresses...
Slide 101
Slide 101 text
Razoola made a universal test ROM,
and 'no more battery' Phoenix versions.
Slide 102
Slide 102 text
this also made bootlegs possible.
no more battery...
from MegaMan to Gigaman :(
Slide 103
Slide 103 text
and also some cool all-in-one:
play all games with just one board.
Slide 104
Slide 104 text
PC, 1999
CPS2, 1994
these 2 games look different...
Slide 105
Slide 105 text
however, the IP was the same.
Some nice lawyer wrote us a letter...
You see who your friends really are,
in these cases ;)
Slide 106
Slide 106 text
so now even the most obscure CPS2 games were preserved,
but the encryption was still unknown.
and it would take us 200 years to dump all possible values for one game...
Slide 107
Slide 107 text
so we needed someone else to continue...
Slide 108
Slide 108 text
if you can't defeat the enemy, bring your friends.
In 2005, Charles MacDonald started to work on the CPS2.
Slide 109
Slide 109 text
Charles MacDonald is an awesome hacker, with special weapons.
Here, his PAL black-boxer.
So he took the CPS2 PALs, determined their internal configuration
by black-boxing them, and replaced them with GALs.
He now had control over memory mapping!
Slide 110
Slide 110 text
then he designed his own dedicated device...
Slide 111
Slide 111 text
to dump CPS2 directly via its expansion port, to USB !!!
He could dump the 8 Gb set in 17h.
He did that for several games, but that wasn't enough to understand the algorithm...
Slide 112
Slide 112 text
so someone else needed to continue to break the algo...
Slide 113
Slide 113 text
that's where Nicola Salmoria and Andreas Naive helped.
they're awesome at determining encryption algorithms.
the algo was Feistel-based, and the key was 64 bits.
Slide 114
Slide 114 text
so, from one European decrypted dump of a game,
the key could be determined,
which could then decrypt the rare Japanese version of the game.
Slide 115
Slide 115 text
Higenekodo even designed a patch to improve the controls of that game :D
dedication FTW !
Slide 116
Slide 116 text
Last, Dave Haywood designed an attack to determine
the key just from the ENCRYPTED dump of the game.
So even the rarest CPS2 game was preserved !
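A toy Feistel model of the key-recovery story in slides 113-116, added as an example (not code from the talk or from MAME's cps2crpt.c): a decrypted dump supplies known plaintext, the key is searched for, and the same key then decrypts a second dump that was never available decrypted. The S-box, the 16-bit key size, the address mixing and both dumps are constructed; the real cipher is a far larger Feistel network.

```python
# Toy Feistel model of slides 113-116. Key size is 16 bits so a full search
# finishes in seconds; the real CPS2 key is 64 bits and the network far larger.
# S-box, key schedule and both dumps are constructed for illustration.

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def round_fn(r: int, k: int) -> int:
    """Round function on one 8-bit half: xor subkey, nibble S-box, rotate left 3."""
    x = r ^ k
    y = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
    return ((y << 3) | (y >> 5)) & 0xFF

def subkeys(key: int, addr: int) -> list[int]:
    """Four 8-bit subkeys from the 16-bit key, mixed with the word address so the
    same plaintext word encrypts differently at different addresses."""
    nib = [(key >> (4 * i)) & 0xF for i in range(4)]
    return [((nib[i] << 4) | nib[(i + 1) % 4]) ^ ((addr >> (4 * i)) & 0xFF)
            for i in range(4)]

def feistel(word: int, ks: list[int]) -> int:
    l, r = word >> 8, word & 0xFF
    for k in ks:
        l, r = r, l ^ round_fn(r, k)
    return (r << 8) | l  # undo the last swap so decryption is the same network

def encrypt_word(key: int, addr: int, word: int) -> int:
    return feistel(word, subkeys(key, addr))

def decrypt_word(key: int, addr: int, word: int) -> int:
    return feistel(word, subkeys(key, addr)[::-1])

def recover_key(known_plain: dict[int, int], encrypted: dict[int, int]) -> list[int]:
    """Known-plaintext search: every key under which all known words decrypt correctly."""
    return [k for k in range(1 << 16)
            if all(decrypt_word(k, a, encrypted[a]) == p for a, p in known_plain.items())]

def decrypt_dump(key: int, encrypted: dict[int, int]) -> dict[int, int]:
    return {a: decrypt_word(key, a, w) for a, w in encrypted.items()}

# Constructed dumps: one key, two regional builds that differ in a single word.
TRUE_KEY = 0x5A3C  # what the analyst does not know in advance
EURO_PLAIN = {0x0: 0x4E71, 0x2: 0x4EF9, 0x4: 0x0000, 0x6: 0x1000}
JAPAN_PLAIN = {0x0: 0x4E71, 0x2: 0x4EF9, 0x4: 0x0000, 0x6: 0x2000}
EURO_ENC = {a: encrypt_word(TRUE_KEY, a, w) for a, w in EURO_PLAIN.items()}
JAPAN_ENC = {a: encrypt_word(TRUE_KEY, a, w) for a, w in JAPAN_PLAIN.items()}
```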
Slide 117
Slide 117 text
Conclusion
Slide 118
Slide 118 text
Capcom's mistakes
Slide 119
Slide 119 text
many people contributed, in various ways
Slide 120
Slide 120 text
and overall, an awesome victory !
Slide 121
Slide 121 text
the original hardware to resurrect CPS2s appeared only a few years ago...
Slide 122
Slide 122 text
CPS2's protection is seen as related to Sega Naomi's
Slide 123
Slide 123 text
Andreas Naive later defeated CPS3 encryption
Then recently, Darksoft resurrected them and
made an all-in-one CPS3 CD !
Slide 124
Slide 124 text
Razoola also went deeper into Neo-Geo enhancement,
with his Universal BIOS.
Slide 125
Slide 125 text
this is the Bubble Memory system.
it’s very fragile.
Slide 126
Slide 126 text
to work, it needs to warm up to a certain temperature.
to me, this big countdown says:
'all these games are going to disappear if no one hacks or contributes to them'
Slide 127
Slide 127 text
Razoola’s CPS2Shock
http://www.cps2shock.com
http://web.archive.org/web/*/http://cps2shock.retrogames.com
Charles MacDonald's Home Page
http://cgfm2.emuviews.com/old2005.php
Nicola Salmoria's MAME Ramblings
http://mamelife.blogspot.com/2006/01/8gb-2-is-still-4gb.html
Andreas Naive’s Notas de Andy
http://andreasnaive.blogspot.com/2006_12_01_archive.html
Mame’s CPS2 encryption source
http://mamedev.org/source/src/mame/machine/cps2crpt.c.html
DarkSoft’s Breaking CPS3
http://64darksoft.blogspot.com
(links)
Slide 128
Slide 128 text
yes, this is a CPS2 timeline :p
Slide 129
Slide 129 text
some bonus ?
Slide 130
Slide 130 text
SFA3 has a time lock: if you let it run long enough,
some special modes are unlocked.
the title background tells how many modes are unlocked.
Slide 131
Slide 131 text
extra characters, extra playing modes
Slide 132
Slide 132 text
Razoola found in the disassembly the crazy cheat codes,
hidden in the operator menu, to turn on these
extras without waiting weeks.
Slide 133
Slide 133 text
Charles MacDonald also worked on Sega hardware and created his own device for it...
Slide 134
Slide 134 text
Dumping from a Sega System24’s FD1094 to USB
Slide 135
Slide 135 text
to preserve games from
System 16, 24 & System X
Slide 136
Slide 136 text
Last Survivor, a System X game from 1989,
was thought to be lost forever.
Someone still had one in working condition:
it was preserved, 20 years later !
Slide 137
Slide 137 text
it's a split-screen multiplayer FPS
Slide 138
Slide 138 text
modern tools show how fighting game engines actually work.
damage areas change from one version to the other.
Slide 139
Slide 139 text
there are bugs in the official releases !
Slide 140
Slide 140 text
attack behind you, or be hit for no reason...
Slide 141
Slide 141 text
tool-assisted speedruns abuse games
via standard controls.