20 years, meaning it worked. Protection only needs to work long enough to protect the immediate market. And also think about this, this chip would have been dirt cheap for them to reproduce in large quantities, so you could argue this has been one of the most efficient means of protecting not just one game, but all of them.
Damn..... This is neat! I knew about the lockout chip, but the in-depth details on how it works are the best.. If I had a programming company I would hire you with an offer you will love..
7:05 Plastic, not ceramic. By the 1970s plastic had displaced ceramic in nearly all DIP chips, as it is substantially cheaper. It’s what we use to this day for most chips. It’s actually plastic (often epoxy) with a high amount of mineral filler, so that it retains a coefficient of expansion similar to the chip inside - otherwise it would shear off the bond wires.
This was very educational. I hope Nintendo sees this video as nothing more than love & education for their hard work & stops the flagging of your Nintendo videos.
I think they also used the CIC chip because the Famicom had rampant piracy issues since it didn't have any lockout chips. To be fair though, I think Nintendo were more worried about squeezing every dime they could out of publishers this way than they were about piracy. Publishers had to sign agreements to have a certain exclusivity to Nintendo, purchase their own cartridges and chips from Nintendo, put up with artificial chip shortages (still employed by Nintendo today) and only publish so many games in a year. The fees could become quite staggering, pushing some companies to only make Sega games at the time.
This is one of your more interesting hardware uploads IMO. From a production hardware perspective, it's interesting that they designed the chip to run identical code on both the base and cartridges. Anyone care to share how they would personally implement better security with a set of similar production hardware constraints, (4-bit μC, identical master/slave, etc)? -Jake
Upcycle Electronics A slightly larger internal ROM for more patterns, maybe some code to disguise the pattern. Oh and an 8 pin chip to save production cost. Maybe feed some of the actual game ROM lines through the chip and require that game data to contain a certain pattern. Auth failure would feed the CPU unplayable garbage.
The universal "blinking reset loop of doom" is the behavior described at 2:55. Even with properly licensed cartridges, the 10NES system was finicky and would easily go out of sync, especially as connectors corroded.
The rabbit chip was totally different from the 10NES chip. It was a purpose-built sort of CPU, vs. the 10NES' general purpose microcontroller. Tengen ended up using all the "extra" pins for debug outputs that let a decent amount of state be read out during operation, and this helped to reverse engineer it. I made custom hardware to perform this data dumping as the chip communicated with a lock chip. Interestingly there's a relatively easy way to dump the 10NES' code using the factory test mode, but no one figured this out until very recently. Also interesting is that ROB's microcontroller is the exact same microcontroller with different code.
I have absolutely no idea what most of this technical mumbo jumbo means, but I love these old systems and your videos are very fascinating. One reason I love classic consoles over modern consoles. Stuff like this will keep these consoles alive and kicking for many more years to come, while in 30 years most modern consoles will be bricks after their servers are shut down.
I dislike DRM fiercely, but I've got to hand it to Nintendo, being able to keep the code for the CIC secret for over 20 years is incredibly impressive, and even then, if it wasn't for Atari it would have taken even longer to figure out. Of course it was relatively easy to bypass, but no one was able to actually crack it until long after the console stopped being relevant, which is remarkable.
Love your videos man, great info on topics that no one else really covers. Do I want to hear some kid's top 10 Switch games? Nah, couldn't care less. Thanks for actually making some interesting gaming content.
This isn’t the only console that utilized this technique. I remember going to the landfill to dump our garbage, and saw a dead console motherboard with a cart still in it, so I exchanged my garbage for their garbage, and took it home. Later, I parted it out, and opened the cart, and lo and behold, there was a ROM and a 16-pin DIP IC. There were two (or maybe three) ASICs on the motherboard, along with three 16-pin chips, each with the same part #, but with a different dash extension (-A, -B, and -C): the “extra” IC in the cart had a similar part number, and a -B extension. My guess, is they were some sort of lock-and-key, though I was just guessing. Now, knowing Nintendo did it, it’s not such a stretch to imagine someone else did too.
I think there is a mistake in the video. At 7:51 it is said that there are no branching instructions at all. This is not correct. The Sharp MCU used supports 4 levels of subroutine nesting as well as conditional execution. Feel free to refer to the tables on page 9 of the SM590 datasheet.
The Nintendo NES looked so much like a VCR that if you buy used NES games online, specifically those which originally came from rental stores, the NES games had STICKERS placed on them which said "PLEASE REWIND! OR GET FINED!" or other similar "please rewind" messages!
When I was a kid I had serious issues with my NES, which kept resetting or glitching out with most games. It always seemed to only accept a few "brands" or publishers, which I never understood. This still puzzles me to this day, because I thought it just had a faulty 72-pin connector, but the DRM check behavior described here reminds me of those days. Pirated games maybe? Not unless the video rental I went to had games which gave me those problems... unless they also got pirated games too.
I am the senior programmer for a local game company. One of the things I put in to determine if the system is authentic was for the user to be able to hold 3-keys down at a time and it would state if the program running (that I wrote) is authentic or not. I don't do this initially for bootup as it would greatly slow down the execution each time. But as the keystrokes are known only to my team and myself - there's little chance of someone guessing these keystrokes and thereby learning where to bypass this in the master engine I wrote. I realize this is pretty cumbersome today. Methods today involve checking ONLINE to see if someone has actually purchased the game or they check online the program running against a master copy. I'm - not that advanced a programmer so I have to resort to offline methods for our software protection and integrity.
The voltage spike thing was the result of a small-but-critical flaw of the design: the lock chip's only active response is on check failure (resets the system) while passing the test simply results in it doing nothing. Perhaps if the lock was _two_ chips, one which tests the cartridge and reports to the other, which would be the one to reset the CPU upon failure or non-communication?
Seeing your OSSC in the background all the time, maybe you can make a video about how to find the perfect parameters for each console (backporch, etc.)?
If you haven't done so already, you could make a whole series based on Commodore 64 copy protection. The lengths I had to go through to copy some disks was insane. Fat Tracks, Half Tracks, nonstandard Bit Rates, Track Synchronization, the list of methods goes on and on. Then there was the more physical approach, code wheels and paragraph books, but dongles were the worst. Not only were they sometimes quite tricky to build, you could fry your system if you made it wrong.
A Floyd Renegade/Maverick was my go to “archival” utility, but I had Fast Hackem and bunch of other tools in my arsenal. My comment wasn’t about what tool cracked which copy protection. I was suggesting a rundown of all the different methods companies implemented to protect their intellectual property. The Commodore 64 was so popular that it makes sense that so many copy protection schemes were utilized on the platform.
Only the Nintendo NWCS cart required the lockout chip to run on the NES; if you tried to bypass it via a region converter or by disabling the lockout chip, the game refuses to load its ROM. Later SNES games did heavily make use of this method as well, which is called 50/60Hz detection or, as Nintendo called it, "RMC, region marketing control". Some SNES games may also use the 30nn reading delay check and SRAM detection to assume whether you use a Tslot or copier unit or not.
Makes sense. The Famicom didn't have a lockout chip in the first place, and late revisions of the NES don't either (the top loader). This wouldn't be plausible if it was commonplace for games to check for a missing or altered lockout chip. But the SNES is a different matter, since no revision of it lacks the security chip.
Excellent video mate I've always liked your stuff it's very enjoyable to watch and I'm still stoked that you are Australian! The same as me keep up the great work!
I don't think that those chips were meant to stop piracy. Their main goal was to stop unlicensed games from being released on the system - the thing that killed the Atari 2600 and led to the video game crash. Anyone could make Atari 2600 games, and with initial success many companies flooded the market with expensive but unplayable shovelware. As you described, the CIC chip on the NES could be easily bypassed by the user by cutting the reset pin. So piracy was technically possible, but pirates went in a totally different direction. In the early '90s NES clones started to appear. I live in Poland and there was no official NES or SNES distribution, but one local company imported a NES clone and sold it as the "Pegasus" brand with pirated games within the console: Mario Bros, Contra, and a dozen other games. It became a huge hit, it was affordable and was promoted on TV. Those consoles had no CIC chip and were Famicom clones that worked in PAL rather than EU NES clones. Soon many people started to import such clones from the east, and the company that started all this created a store chain from the money they'd earned from stealing Nintendo's intellectual property. Anyway, I'm looking forward to seeing how SNES piracy with custom floppy drives worked.
Yeah but have you seen our genius methods where we force you to login to play 25 year old easily pirated games?
Intriguing
Oh hi Todd
@@NOCTURNAL351 You should have used it, Reggie
@@FancyGeeks *16 times the detail
Lmao!!
Ok, having been somewhat involved in the process of reverse engineering the CIC, there's a bunch of parts of this video which need clarification: in 2006, before the Nesdev scene knew what processor the CIC used, the Atari/Tengen rabbit chip was reverse engineered. The instruction set of the rabbit chip is DIFFERENT from (and slightly more efficient than!) the instruction set of what we later found out was a Sharp SM590 microcontroller that the NES and SNES CIC chips used. This meant that the code it ran is actually not the same as the original NES code, and lends weight to the idea explained by people who worked at Atari, that the copy of the 10NES CIC code listing they got from the copyright registrar's office was not actually used during the reverse engineering, but was obtained afterward by a legal intern without permission.
The real SM590 code for the NTSC and one of the PAL NES regions, and for the NTSC SNES CIC, was extracted via decapping around 2007. Once we knew the keys for the NTSC and PAL-1 regions on the NES, the keys for the other two regions, PAL-2 and Korea, were brute-forced using traces of the 16 data streams. The reason two CICs had to be decapped is that the timing of the NTSC CIC code is older and different from the timing of the two PAL and Korea CICs; the latter 3 likely use the same code with a different key on each. The SNES D411 CIC was decapped, and brute force analysis of streams from the SNES PAL CIC showed that the NTSC D411/F411 CIC and PAL D413/F413 CIC keys only differ by 1 bit.
The N64 CIC is an entirely different can of worms, and much more complicated. There, the N64 has a system management controller in it called the PIF (which has INSIDE THE CHIP a special version of its 'lock' CIC, containing multiple keys, corresponding to different key chips it can use), which uses the values returned by the key chips to decrypt one of the earlier boot sectors for each game upon power-up. The PIF also contains a small bit of boot code that runs on the MIPS processor in the N64, sets up the RDRAM and then queries the PIF to see what the CIC returned. Reverse engineering the N64 CIC had a major advantage: a clever member of the N64 community discovered that if you apply a higher-than-normal voltage to one of the SM5K3 pins, it will spit out its internal ROM contents in an undocumented debug mode.
This finally made completely reverse engineering the N64 CIC (which has 4 or 5 variants per region, to prevent people swapping ROMs and piggybacking carts between games easily) possible. Another interesting thing is that the very final version of the cart CIC used on the N64, used on Perfect Dark 2 and Banjo Tooie (and one other game?), actually has another layer of encryption implemented by the CIC 'in between' the blocks of bits in the stream of random data that it normally constantly sends back and forth with the PIF, which allows the cartridge software to send a 'command' to the CIC and get a response back, which was used for additional DRM with those games specifically.
nice
This was a fantastic video. I don't have anything insightful to say, just that I like what I see.
Hi Kenny 👋 I know your channel and it has lots of value and great insights, nice to see you here! 🤗
that’s the usual and this is what i like to hear
That's how I feel around here. I'm just driving up engagement.
Nintendo: "We will only allow the best games to be made"
Then proceeds to allow LJN to make games.
LJN was a way for Acclaim to publish more games, similar to Konami with Ultra Games. Most LJN/Acclaim games were made by different devs and companies, so it was a gamble as to what an LJN game would be. Hell, Rareware made the Roger Rabbit game they published.
@@kerokerocola99 I actually didn't know LJN was a shell company like Ultra Games, neat
Thanks to LJN we have AVGN haha
@@FacchiniBRTV Laughin' Jokin' Numbnuts
James, is that you?
I had to snip that pin after accidentally buying an NTSC copy of the original Final Fantasy for my PAL NES.
Yeah, and then watch in horror as it tries to render an NTSC game in PAL mode.
@@ajddavid452 Sounds like nightmare fuel.
it's always a good day when mvg uploads
I heard you met The Real Donald!
Kim’s favorite game? Atari’s Missile Command
Except when his facts are wrong...
Crazy it took that long, I never looked too much into the chips but I didn't know the same type of setup was used up to the N64!
huh I didn't know you watch his videos Mario
Yello, mario.
Note that the claim that Atari required the 10NES code to create the Rabbit chip is disputed. That was Nintendo's claim and was repeated, without any apparent diligence to verify it, by David Sheff in "Game Over". I have heard quite different versions of this from the folks who were working at Atari at the time. I don't think any of us are in a position to judge, but I'd call Nintendo's claims at best poorly substantiated. A relevant point is that amateurs have subsequently decapped the CIC, and didn't experience a lot of trouble optically recovering the ROM contents and reverse engineering the algorithm. I was actually told, by someone involved, that the biggest challenge they faced was identifying the Sharp SM590 because the die, as is common for CPUs like this to prevent reverse engineering, contained no indication as to the manufacturer.
Great recap! Thank you for listing the homebrew comm so many people worked hard to do this. Thank you for shining some light on this. Spent years myself trying to reverse engineer but gave up.
I knew a lot of this about the NES CIC... had no idea about the SNES and N64 having one! You always include interesting history that I've not come across before, even when I feel I'm familiar with the subject from the title.
1:19 Hi MVG, you are the greatest retro man alive. Thank you for all your amazingly interesting history and the variety of consoles to match every video of what you're talking about. Just wanted to take a moment to appreciate that in whole.
Copy protection existed earlier too. I was shocked that Space Invaders (1978) tries to overwrite itself in ROM.
Copied chips take the write and the game doesn't play.
Whoever was playing Ninja Gaiden was a savage!!
MVG played that while editing the rest of the vid, he's just that beastly.
@@wompastompa3692 haha i love when people engrose other people for being cool members of this society
Probably tool assisted gameplay
@@argedismun2 It is a TAS, specifically the old version from 2006: watch?v=xMxjodJY0xs
Dude I just paused the video because I had to lay down props for that. That player is an ace.
Less than a minute to say "Thank you for being persistent with your great uploads!"
I don't want to live in a world where there's no MVG Mondays!!, Keep up the magnificent work!!
Love these videos. Like a trip down memory lane. Very informative. Thanks. Keep it up!
As always a really good video! And as a computer and electrical engineering student especially interesting.
Hopefully, you make a lot more videos of this kind. There are definitely people interested in this.
Thank God for our tech junkies that spend their time cracking these systems, and thank you MVG for being a part of that community that I know we all take for granted.
Yeah too many people take this community as a form of stone!! 😉
FYI it is "taken for granted" not granite lol
The Mad Modder / You're right. Spell check on my iPhone corrected it. SwiftKey app so I can have a black keyboard.
The unlicensed NES game publisher American Video Entertainment used to mail out kits back in 1990 which included alligator clips and instructions on how to bridge and bypass the NES10 chip. This came in handy when I wanted to get SuperVision multi-game carts working on the NES. Thanks AVE! :)
from the most difficult DRM to crack to being defeated by a paperclip lol
And before then, tweezers!
It's a real shame (for Nintendo ;) because it was Nvidia's vulnerable bootrom code that allowed hackers full access. The Switch OS itself is actually extremely secure.
All you need to bypass the lockout chip on an original NES is a screwdriver and something to snip one contact from the board.
@@bluephreakr long live team twiizers, now known as fail0verflow.
Adam Smith That works for most games but not for all, and if done wrong it can burn out the system.
I'm not a coder myself but I looove these videos. The history of my favorite systems is so interesting. Thanks for making these videos.
I love these types of videos. Some of my favorite MVG content right here.
Never knew anti-piracy videos could be entertainment until this channel. Thanks.
3:30 Now I know why many modders would prefer to cut out PIN 4 on the 10NES lockout chip.
Personally my favourite game is the blinking screen. I don't know, but whenever I play NES I always get the blinking screen, so I just sit back and enjoy it and then cry in the shower.
But you can see the screen blinking. I want a Switch but my poverty keeps me away from buying it.
Blinking screen usually just means dirty contacts. Pop open the NES and clean the pins the cartridge connects to with some ISO and a cotton swab and see if it helps.
have you tried shaking it like a baby?
Is the crying in the shower from the NES game not playing or from the shame you feel for treating your body like an amusement park while you shower?
*@tuffasgong*
Cursed comment,
A new MVG video is perfect to watch while eating breakfast on a Monday morning.
I just found this channel and I'm amazed at how something that satisfies my extremely specific interests of hardware and gaming can exist in such a high quality format!!! This is amazing technical information, presented in a very clean and catchy way. I'm going to binge watch all of these technical breakdown videos.
While I don't understand half, if not most, of how any of this is done, this is still by far one of my favorite series on TH-cam. You do a good job at making it followable/understandable to the average shmuck like me.
Could you make a video on how DS games were cracked? / the different ways DS game makers try to sabotage their games
Makes me think of Chrono Trigger (DS). That was the first ROM I personally had to patch
@@ZippletTech Didn't he already make a video of that?
I know how the Gen 5 Pokemon games' AP features work: the original games had an IR sensor built into the carts. When the game starts, it checks the IR sensor after 5 minutes. If it's there, it's legit. If it doesn't detect it, the program assumes it's a pirate copy and starts the AP measure. The program disables EXP gain in all battles, and later starts crashing and freezing randomly.
This was later patched by hackers with patched ROMs and emulators and Flashcard kernels that could run the clean ROMs without these problems. Still, there are emulators and some flashcards that need the patched ROMs (HGSS too) to work.
Since many of those patches are old, many have been lost on the Internet. It's much easier to find clean ROMs nowadays. The guys at GBATemp made a thread for recovering any old patch for DS games because TWLMenu++ needs AP patched ROMs.
@@CanaldoZenny that must be why I can't play Pokemon on my bootleg flash cart lol
Yesss
The description has tons of great links, as MVG says, its really interesting stuff!
I love these kinds of videos about console/arcade security
Great episode. It's always fascinating to see what type of DRM the game consoles and arcade machines used and how they were reverse engineered.
The story of Tengen battling Nintendo's strict policy is one of the most fascinating stories in gaming. It just goes to show that even though they were the new kids, Nintendo were willing to be really strict in the US market despite the recent video game crash. There was also a lot of involvement from Namco, as at the time they had recently purchased the video game division of Atari.
I didn't know the SNES and N64 used the CIC chip. Crazy stuff.
Very interesting. I really like these videos about the cracking of security measures. I am impressed with the tenacity and ingenuity of the community involved.
Finally, something that gets me so entertained that i can forget my insomnia!! Nice videos MVG!!
Awesome video as always
Most DRM just increases piracy nowadays, but back in the day it worked a bit "better".
And they make the game crappier to the consumer because of constant background checks
*COUGH* denuvo *COUGH*
@pmangano 🦀🦀🦀🦀 DENUVO IS GONE 🦀🦀🦀🦀
@tadpolegaming4510 What do you mean by gone?
@pmangano it's the crab rave meme. Hence the crabs in the comment...
That’s a fairly false statement. I don’t think I’ve ever read where DRM was proven to increase piracy within a market. Please reference the industry study your comment is referencing.
MVG I still remember when my dad was talking about your Xbox snes emulator & n64 emulator in 2003-4
A brand new MVG video and a chocolate bar all to myself. Can an evening get any better!
I did see some videos about this subject, only I find your videos really fun to watch...
MVG has an upload... grab myself some tea... relax... and enjoy the show!!
I love these videos MVG, keep them coming!!
Ooh I'm early.
Keep up the great videos!
I watch these videos even tho I know jack shit about programming or cracking piracy or making homebrew, etc. I just like hearing about this kind stuff. *shrugs*
There's nothing wrong in being curious - on the contrary. :) Have a great day mate!
I'm the same way.
same here even if I may be too old for videogames 😂😂
@nightcat7741 you're never too old to play games.
@Silver_Adventures THIS! I just said that to my sister-in-law. Bless the internet for feeding me with tech and game vids.
This is some very cool stuff. Who would've thought so much went into those CIC chips!
Take my sub and thumbs up for delivering great pieces of history and documentaries, Mr. MVG.
Fanatically detailed video.
Great content as always!
One solution to the chip modification detection on the carts after people started disabling them would be to attach a switch inline with the reset signal pin. When playing legit games, flip the switch on. When playing unlicensed carts, flip the switch off.
Another fantastic look at retrogaming from a technical angle. I love this channel! 👍
Listen, on one hand it's good that everdrive doesn't have to sacrifice 64 games for their cart anymore...
But think for a moment, what else are we going to do with those copies of superman 64?
do what protonjon did?
20 years, meaning it worked. Protection only needs to work long enough to protect the immediate market. And also think about this, this chip would have been dirt cheap for them to reproduce in large quantities, so you could argue this has been one of the most efficient means of protecting not just one game, but all of them.
Damn..... This is neat! I knew about the lockout chip, but the in-depth details on how it works are the best. If I had a programming company I would hire you with an offer you would love.
7:05 Plastic, not ceramic. By the 1970s plastic had displaced ceramic in nearly all DIP chips, as it is substantially cheaper. It’s what we use to this day for most chips. It’s actually plastic (often epoxy) with a high amount of mineral filler, so that it retains a coefficient of expansion similar to the chip inside - otherwise it would shear off the bond wires.
Fantastic video on this. You make the best videos on this
This was very educational. I hope Nintendo sees this video as nothing more than love and education for their hard work, and stops the flagging of your Nintendo videos.
Loved the NES back in the day. It was my first console. Still love it today.
Fantastic video. Your explanation of the chip was really easy to understand.
Man, I love your channel so much dude.
Your eyebrows look powerful in this video. I absolutely love your content, thanks for your hard work!
I think they also used the CIC chip because the Famicom had rampant piracy issues since it didn't have any lock out chips.
To be fair though, I think Nintendo were more worried about squeezing every dime they could out of publishers this way than they were about piracy. Publishers had to sign agreements to have a certain exclusivity to Nintendo, purchase their own cartridges and chips from Nintendo, put up with artificial chip shortages (still employed by Nintendo today) and only publish so many games in a year. The fees could become quite staggering, pushing some companies to only make Sega games at the time.
This is one of your more interesting hardware uploads IMO.
From a production hardware perspective, it's interesting that they designed the chip to run identical code on both the base and cartridges. Anyone care to share how they would personally implement better security with a set of similar production hardware constraints, (4-bit μC, identical master/slave, etc)?
-Jake
Upcycle Electronics A slightly larger internal ROM for more patterns, maybe some code to disguise the pattern. Oh and an 8 pin chip to save production cost. Maybe feed some of the actual game ROM lines through the chip and require that game data to contain a certain pattern. Auth failure would feed the CPU unplayable garbage.
Do you know anything about the supposed "anti-piracy" mechanism found in Pokemon Black and White when you can't gain any EXP?
I think it's an infrared thing
This is an interesting topic.
@Kyle Applin thanks dude. This is all I need.
PERFECT LOW LEVEL RUN TRICK
Mate, your videos are interesting and accurate. Love it.
The universal "blinking reset loop of doom" is the behavior described at 2:55. Even with properly licensed cartridges, the 10NES system was finicky and would easily go out of sync, especially as connectors corroded.
The Rabbit chip was totally different from the 10NES chip. It was a purpose-built sort of CPU, vs. the 10NES' general-purpose microcontroller. Tengen ended up using all the "extra" pins for debug outputs that let a decent amount of state be read out during operation, and this helped to reverse engineer it. I made custom hardware to perform this data dumping as the chip communicated with a lock chip. Interestingly, there's a relatively easy way to dump the 10NES' code using the factory test mode, but no one figured this out until very recently. Also interesting is that ROB's microcontroller is the exact same microcontroller with different code.
Modern Nostalgia Gamer. The soundtracks to these vids remind me of sick 80's movies like Tron or something
Amazing content and presented well thanks!
20 years.. Dang. Someone did an amazing job.
Nintendo thanks this guy way too much.
Hope he got rewarded accordingly.
I have absolutely no idea what most of this technical mumbo jumbo means, but I love these old systems and your videos are very fascinating.
One reason I love classic consoles over modern consoles. Stuff like this will keep these consoles alive and kicking for many more years to come, while in 30 years most modern consoles will be bricks after their servers are shut down.
Another classic. Thanks bro! Really appreciate it! Instant thumbs up from me!
always excellent videos
I dislike DRM fiercely, but I've got to hand it to Nintendo, being able to keep the code for the CIC secret for over 20 years is incredibly impressive, and even then, if it wasn't for Atari it would have taken even longer to figure out.
Of course it was relatively easy to bypass, but no one was able to actually crack it until long after the console stopped being relevant, which is remarkable.
Interesting content didnt expect this from you
Can't understand why people thumbs down MVG. This shit is interesting!
love your videos man, great info on topics that no one else really covers. Do I want to hear some kids top 10 switch games? nah couldnt care less thanks for actually making some interesting gaming content.
Great video, as always.
thank you so much for the time and research!!!
This isn’t the only console that utilized this technique. I remember going to the landfill to dump our garbage, and saw a dead console motherboard with a cart still in it, so I exchanged my garbage for their garbage, and took it home. Later, I parted it out, and opened the cart, and lo and behold, there was a ROM and a 16-pin DIP IC. There were two (or maybe three) ASICs on the motherboard, along with three 16-pin chips, each with the same part #, but with a different dash extension (-A, -B, and -C): the “extra” IC in the cart had a similar part number, and a -B extension. My guess, is they were some sort of lock-and-key, though I was just guessing.
Now, knowing Nintendo did it, it’s not such a stretch to imagine someone else did too.
Thanks for making such tech-deep videos, I really like that. Hope to see more videos soon. Thanks for teaching us.
I feel like I'm taking expensive college classes every time I watch an MVG video. I grow a brain cell and love for each console with every video.
I think there is a mistake in the video. At 7:51 it is said that there are no branching instructions at all. This is not correct. The Sharp MCU used supports 4 levels of subroutine nesting as well as conditional execution. Feel free to refer to the tables on page 9 of the SM590 datasheet.
Omfg yes it's about time you explain this
Heck yes finally a good explanation on it.
The Nintendo NES looked so much like a VCR that if you buy used NES games online, specifically those which originally came from rental stores, the games have STICKERS placed on them which say "PLEASE REWIND! OR GET FINED!" or other similar "please rewind" messages!
When I was a kid I had serious issues with my NES, which kept resetting or glitching out with most games. It always seemed to only accept a few "brands" or publishers, which I never understood. This still puzzles me to this day, because I thought it just had a faulty 72-pin connector, but the DRM check behavior described here reminds me of those days. Pirated games maybe? Not unless the video rental I went to had games which gave me those problems... unless they also got pirated games too.
I am the senior programmer for a local game company. One of the things I put in to determine if the system is authentic was for the user to be able to hold 3 keys down at a time, and it would state if the program running (that I wrote) is authentic or not.
I don't do this initially for bootup as it would greatly slow down the execution each time. But as the keystrokes are known only to my team and myself - there's little chance of someone guessing these keystrokes and thereby learning where to bypass this in the master engine I wrote.
I realize this is pretty cumbersome today. Methods today involve checking ONLINE to see if someone has actually purchased the game or they check online the program running against a master copy. I'm - not that advanced a programmer so I have to resort to offline methods for our software protection and integrity.
The voltage spike thing was the result of a small-but-critical flaw of the design: the lock chip's only active response is on check failure (resets the system) while passing the test simply results in it doing nothing.
Perhaps if the lock was _two_ chips, one which tests the cartridge and reports to the other, which would be the one to reset the CPU upon failure or non-communication?
Seeing your OSSC in the background all the time, maybe you can make a video about how to find the perfect parameters for each console (backporch, etc.)?
I wish I knew lol, I need to dial mine in better.
Really interesting video! I thought of The Gaming Historian’s Tengen video while watching this.
great video, thanks for you hard work and research.
The tale behind the Atari RABBIT chip is an interesting one unto its own for sure!
tale*
@madmodder123 Yeah, caught it when I saw the notification of a reply. :P
Took 'em long enough, but for the sake of historical preservation, this was very important that the CIC chip be cracked wide open.
If you haven't done so already, you could make a whole series based on Commodore 64 copy protection. The lengths I had to go through to copy some disks was insane. Fat Tracks, Half Tracks, nonstandard Bit Rates, Track Synchronization, the list of methods goes on and on. Then there was the more physical approach, code wheels and paragraph books, but dongles were the worst. Not only were they sometimes quite tricky to build, you could fry your system if you made it wrong.
xnetpc Apparently you never had Fast Hackem.
A Floyd Renegade/Maverick was my go to “archival” utility, but I had Fast Hackem and bunch of other tools in my arsenal.
My comment wasn’t about what tool cracked which copy protection. I was suggesting a rundown of all the different methods companies implemented to protect their intellectual property. The Commodore 64 was so popular that it makes sense that so many copy protection schemes were utilized on the platform.
Only the Nintendo NWCS cart required the lockout chip to run on the NES; if you tried to bypass it via a region converter or by disabling the lockout chip, the game refuses to load its ROM. Later SNES games heavily made use of this method as well, which is called 50/60Hz detection, or as Nintendo called it, "RMC, region marketing control".
Some SNES games may also use the 30nn reading delay check and SRAM detection to determine whether you use a T-slot or copier unit or not.
Makes sense. The Famicom didn't have a lockout chip in the first place, and late revisions of the NES don't either. (toploader.)
This wouldn't be plausible if it was commonplace for games to check for a missing or altered lockout chip.
But the SNES is a different matter, since no revision of it lacks the security chip.
Excellent video mate I've always liked your stuff it's very enjoyable to watch and I'm still stoked that you are Australian! The same as me keep up the great work!
LOVE this content!
thumb-up before actually watching 😍 one of my favourite youtube channels :D
I don't think that those chips were meant to stop piracy. Their main goal was to stop unlicensed games from being released on the system, the thing that killed the Atari 2600 and led to the video game crash. Anyone could make Atari 2600 games, and with initial success many companies flooded the market with expensive but unplayable shovelware.
As you described, the CIC chip on the NES could be easily bypassed by the user by cutting the reset pin. So piracy was technically possible, but pirates went in a totally different direction.
In the early 90s NES clones started to appear. I live in Poland and there was no official NES or SNES distribution, but one local company imported a NES clone and sold it as the "Pegasus" brand with pirated games built into the console: Mario Bros, Contra, and a dozen other games. It became a huge hit; it was affordable and was promoted on TV. Those consoles had no CIC chip and were Famicom clones that worked in PAL rather than EU NES clones.
Soon many people started to import such clones from the east, and the company that started all this created a store chain from the money they earned from stealing Nintendo's intellectual property.
Anyway, I'm looking forward to seeing how SNES piracy with the custom floppy drive worked.
That's awesome! I can't wait to see your video on VMProtect.
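Several comments above touch the same design point from different angles: the lock chip's only action is to pulse the CPU reset line when the cartridge's stream disagrees with its own, so cutting that pin, putting a switch inline with it, or knocking the lock chip out with a voltage spike defeats the check, and one commenter proposes a two-stage lock where a second chip releases the CPU only on a positive report. The toy model below is an added illustration of that fail-open versus fail-closed distinction; it is not the 10NES/CIC algorithm, not code from the video or any commenter, and the LFSR stream generator, the `LOCK_SEED` value and the function names are placeholders invented here.

```python
"""Toy model of a lock/key check that fails open vs. one that fails closed.

Added illustration only. The real 10NES/CIC code is not modelled; the bit
stream generator below is a made-up placeholder. Only the reset-line logic
is the point.
"""
from typing import List, Optional

LOCK_SEED = 0xACE1  # assumed shared secret; the real chips use their own data


def key_stream(seed: int, n: int) -> List[int]:
    """Placeholder 16-bit Galois LFSR. The only property the model needs is
    that lock and key run the same routine from the same seed and therefore
    emit identical bit streams."""
    state = seed & 0xFFFF
    bits = []
    for _ in range(n):
        bit = state & 1
        bits.append(bit)
        state >>= 1
        if bit:
            state ^= 0xB400
    return bits


def cartridge_stream(seed: Optional[int], n: int) -> List[int]:
    """A licensed cart carries a key chip with the right seed. An unlicensed
    cart either has no chip (the data line just idles low) or has a chip
    with the wrong seed."""
    if seed is None:
        return [0] * n
    return key_stream(seed, n)


def fail_open_boot(cart_bits: List[int], lock_enabled: bool, n: int = 64) -> bool:
    """Model of the design discussed in the thread: the lock's ONLY action is
    to pulse CPU reset when the streams disagree; a passing check does
    nothing. Returns True if the game ends up running."""
    cpu_reset = False
    if lock_enabled:
        expected = key_stream(LOCK_SEED, n)
        for i in range(n):
            if cart_bits[i] != expected[i]:
                cpu_reset = True  # mismatch -> lock asserts reset
                break
    # A disabled lock (pin cut, switch open, chip glitched) never asserts
    # reset, so the CPU runs whatever is in the slot. That is the bypass.
    return not cpu_reset


def fail_closed_boot(cart_bits: List[int], checker_enabled: bool, n: int = 64) -> bool:
    """Two-stage variant proposed in the thread: a supervisor holds the CPU in
    reset until the checker positively reports a full pass. A silent or
    disabled checker is treated exactly like a failed one."""
    pass_reported = False
    if checker_enabled:
        expected = key_stream(LOCK_SEED, n)
        pass_reported = all(cart_bits[i] == expected[i] for i in range(n))
    # Reset is released only on an explicit pass; no report means no boot.
    return pass_reported


if __name__ == "__main__":
    legit = cartridge_stream(LOCK_SEED, 64)
    pirate = cartridge_stream(None, 64)
    print("fail-open, pirate cart, lock cut :", fail_open_boot(pirate, False))
    print("fail-closed, pirate cart, lock cut:", fail_closed_boot(pirate, False))
```

The fail-closed variant does not make the scheme uncrackable: an attacker now has to forge a positive "pass" report, or clone the key chip once its code is known, which is what the rest of this thread is about. What it removes is the cheapest attack, silencing the one chip that could say no.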
hell yeah! such a good start in the week!