Secrets of the Nintendo CIC Chip - Early Cartridge Anti-Piracy | MVG

Yeah but have you seen our genius methods where we force you to login to play 25 year old easily pirated games?

I had to snip that pin after accidentally buying an NTSC copy of the original Final Fantasy for my PAL NES.

Ok, having been somewhat involved in the process with reverse engineering the CIC, there's a bunch of parts of this video which need clarification: in 2006, before the Nesdev scene knew what processor the CIC used, the Atari/Tengen rabbit chip was reverse engineered. The instruction set of the rabbit chip is DIFFERENT (and slightly more efficient!) than the instruction set of what we later found out was a Sharp SM590 microcontroller that the NES and SNES CIC chips used. This meant that the code it ran is actually not the same as the original NES code, and lends to the idea explained by people who worked at atari, that the copy of the 10NES cic code listing they got from the copyright registrar's office was not actually used during the reverse-engineering, but was done afterward by a legal intern without permission.
The real SM590 code for the NTSC and one of the PAL NES regions, and for the NTSC SNES cic was extracted via decapping around 2007. Once we knew the keys for the NTSC and PAL-1 region on the NES, the keys for the other two regions, PAL-2 and Korea, were brute-forced using traces of the 16 data streams. The reason two CICs had to be decapped is the timing of the NTSC CIC code is older and different from the timing of the two PAL and Korea CICs, the latter 3 likely use the same code with a different key on each. The SNES D411 CIC was decapped, and brute force analysis of streams from the SNES PAL CIC showed that the NTSC D411/F411 CIC and PAL D413/F413 CIC keys only differ by 1 bit.
The N64 CIC is an entirely different can of worms, and much more complicated. There, the N64 has a system management controller in it called the PIF (which has INSIDE THE CHIP a special version of its 'lock' CIC, containing multiple keys, corresponding to different key chips it can use) uses the values returned by the key chips to decrypt one of the earlier boot-sectors for each game upon power-up. The PIF also contains a small bit of boot code that runs on the MIPS processor in the N64, and sets up the RDRAM and then queries the PIF to see what the CIC returned. Reverse engineering the N64 CIC had a major advantage: a clever member of the n64 community discovered that if you apply a higher-than-normal voltage to one of the SM5K3 pins, it will spit out its internal ROM contents in an undocumented debug mode.
This made finally completely reverse engineering the N64 CIC (which has 4 or 5 variants per region, to prevent people swapping ROMs and piggybacking carts between games easily) finally possible. Another interesting thing is the very final version of the cart CIC used on the n64, used on perfect dark 2 and banjo tooie (and one other game?), actually has another layer of encryption implemented by the CIC 'in between' the blocks of bits in the stream of random data that it normally constantly sends back and forth with the PIF, which allows the console cartridge software to send a 'command' to the CIC and get a response back, which was used for additional DRM with those games specifically.

Crazy it took that long, I never looked too much into the chips but I didn't know the same type of setup was used up to the N64!

Nintendo: "We will only allow the best games to be made"
Then proceeds to allow LJN to make games.

This was a fantastic video. I don't have anything insightful to say, just that I like what I see.

Copy protection existed earlier too i was shocked like space invaders 1978 tries to overwrite itself in ROM.
copied chips take the write and the game doesnt play.

I knew a lot of this about the NES CIC... had no idea about the SNES and N64 having one! You always include interesting history that I've not come across before, even when I feel I'm familiar with the subject from the title.

Note that the claim that Atari required the 10NES code to create the Rabbit chip is disputed. That was Nintendo's claim and was repeated, without any apparent diligence to verify it, by David Sheff in "Game Over". I have heard quite different versions of this from the folks who were working at Atari at the time. I don't think any of us are in a position to judge, but I'd call Nintendo's claims at best poorly substantiated. A relevant point is that amateurs have subsequently decapped the CIC, and didn't experience a lot of trouble optically recovering the ROM contents and reverse engineering the algorithm. I was actually told, by someone involved, that the biggest challenge they faced was identifying the Sharp SM590 because the die, as is common for CPUs like this to prevent reverse engineering, contained no indication at to the manufacturer.

from the most difficult DRM to crack to being defeated by a paperclip lol

Great recap! Thank you for listing the homebrew comm so many people worked hard to do this. Thank you for shining some light on this. Spent years myself trying to reverse engineer but gave up.

it's always a good day when mvg uploads

Love these videos. Like a trip down memory lane. Very informative. Thanks. Keep it up!

As always a really good video! And as a computer and electrical engineering student especially interesting.
Hopefully, you make a lot more videos of this kind. There are definitely people interested in this.

I just found this channel and I'm amazed at how something that satisfies my extremely specific interests of hardware and gaming can exist in such a high quality format!!! This is amazing technical information, presented in a very clean and catchy way. I'm going to binge watch all of these technical breakdown videos.

Very interesting. I really like these videos about the cracking of security measures. I am impressed with the tenacity and ingenuity of the community involved.

1:19 hi MVG you are the greatest retro man alive thank you for all your amazingly interesting history and variety of consoles to match every video of what you’re talking about, just wanted to take a moment to appreciate that in whole

Personally my favourite game is the blinking screen. I don't know but when ever I play nes I always get blinking screen so I just sit back and enjoy it and then cry in the shower.

I love these types of videos. Some of my favorite MVG content right here.

The unlicensed NES game publisher American Video Entertainment used to mail out kits back in 1990 which included alligator clips and instructions on how to bridge and bypass the NES10 chip. This came in handy when I wanted to get SuperVision multi-game carts working on the NES. Thanks AVE! :)

Take my sub and thumbs up for delivering great pieces of history and documentaries, Mr. MVG.

MVG I still remember when my dad was talking about your Xbox snes emulator & n64 emulator in 2003-4

Less than a minute to say "Thank you for being persistent with your great uploads!"

Great episode. It's always fascinating to see what type of DRM the game consoles and arcade machines used and how they were reverse engineered.

The description has tons of great links, as MVG says, its really interesting stuff!

Really interesting video! I thought of The Gaming Historian’s Tengen video while watching this.

Fantastic video. Your Explainationon the chip was really easy to understand.

Another fantastic look at retrogaming from a technical angle. I love this channel! 👍

What another fantastic video once again!!! Massive kudos here to you

I did see some video's about this subject only find your video's really fun to watch...
MVG Haves Upload.. grab myself some thee ... relax.... and enjoy the show !!
I love these video's MVG Keep them coming !!

Thanks for makeing so tech deep videos, i really like that. Hope to see more videos soon. Thanks for teaching us.

Damn..... This is neat! I knew about the lock out chip but the deep in details on how it works are the best.. If I had a programing company I would hire you with an offer you will love..

Very interesting. I wouldn’t mind if you made longer bonus videos that go even further into the details. This was still pretty highlevel. A bit of a walkthrough of the CIC firmware would be nice.

Fantastic video on this. You make the best videos on this

Who ever was playing Ninja Gaiden was a Savage!!

Man, I love your channel so much dude.

I don't want to live in a world where there's no MVG Mondays!!, Keep up the magnificent work!!

Great content as always!

Awesome video as always

Modern Nostalgia Gamer. The soundtracks to these vids remind me of sick 80's movies like Tron or something

I didn't know the SNES and N64 used the CIC chip. Crazy stuff.

3:30 Now I know why many modders would prefer to cut out PIN 4 on the 10NES lockout chip.

I love these kinds of videos about console/arcade security

love your videos man, great info on topics that no one else really covers. Do I want to hear some kids top 10 switch games? nah couldnt care less thanks for actually making some interesting gaming content.

Another classic. Thanks bro! Really appreciate it! Instant thumbs up from me!

A new MVG video is perfect to watch while eating breakfast on a Monday morning.

Do you know anything about the supposed "anti-piracy" mechanism found in Pokemon Black and White when you can't gain any EXP?

Amazing content and presented well thanks!

great video, thanks for you hard work and research.

Your eyebrows look powerful in this video. I absolutely love your content, thanks for your hard work!

This is some very cool stuff. Who would've thought so much went into those CIC chips!

Excellent video mate I've always liked your stuff it's very enjoyable to watch and I'm still stoked that you are Australian! The same as me keep up the great work!

Could you make a Video on how DS games where cracked ? / the different ways how DS game makers try to sabotage there games

Mate, your videos are interesting and accurate. Love it.

Im not a coder myself but i looove these videos. The history of my favorite systems is so interesting. Thanks for makong these videos

Loved this. You got any old Amiga games with their unique copy protections? I adored that stuff myself and sure it’d make for a good vid! Thanks as always MVP MVG!

always excellent videos

Thank God for our tech junkies that spend their time cracking these systems and thank you MVG for being apart of that community that I know we all take for granted

That's awesome ! I can't wait to see your video on vm protect.

Yet again another awesome drm video i love this series...
Where did you get that snk shirt ?

Seeing your OSSC in the background all the time, maybe you can make a video about how to find the perfect parameters for each console (backporch, etc.)?

Great video, as always.

A brand new MVG video and a chocolate bar all to myself. Can an evening get any better!

Thanks for another excellent, informative video!

This is one of your more interesting hardware uploads IMO.
From a production hardware perspective, it's interesting that they designed the chip to run identical code on both the base and cartridges. Anyone care to share how they would personally implement better security with a set of similar production hardware constraints, (4-bit μC, identical master/slave, etc)?
-Jake

Interesting content didnt expect this from you

The story of tengen battling nintendo’s Strict policy is one of the most fascinating stories in gaming, it just goes to show that even though they were the new kids Nintendo were willing to be really strict in the US market despite the recent video game crash, there was also a lot of involvement from Namco as at the time they recently purchased the video game division of Atari

the rabbit chip was totally different from the 10NES chip. It was a purpose-built sort of CPU, vs. the 10NES' general purpose microcontroller. Tengen ended up using all the "extra" pins for debug outputs that let a decent amount of state to be read out during operation and this helped to reverse engineer it. I made custom hardware to perform this data dumping as the chip communicated with a lock chip. Interestingly there's a relatively easy way to dump the 10NES' code using the factory test mode but no one figured this out until very recently. Also interesting is ROB's microcontroller is the exact same microcontroller with different code.

I love your vidéo MVG ! very informative, thank you.

Finally, something that gets me so entertained that i can forget my insomnia!! Nice videos MVG!!

While i don't understand half if not most of how any of this is done, this is still by far one of my favorite series on UA-cam. You do a good job at making it followable/understandable to the average shmuck like me.

I love your videos. I was watching one where you showed us how to mod the lights on gamecube ports. Do you have another channel dedicated just to following mod steps? I think that would be rad

Listen, on one hand it's good that everdrive doesn't have to sacrifice 64 games for their cart anymore...
But think for a moment, what else are we going to do with those copies of superman 64?

Most DRM just increase piracy nowadays, but back in the day it worked a bit "better".

Excellent video!

Awesome video 👍🏼

thank you so much for the time and research!!!

one the best UA-cam Channels Keep up the good work.

I think they also used the CIC chip because the Famicom had rampant piracy issues since it didn't have any lock out chips.
To be fair though, I think Nintendo were more worried about squeezing every dime they could out of publishers this way more than they were about piracy. Publishers can to sign agreements to have a certain exclusivity to Nintendo, purchase their own cartridges and chips from Nintendo, artificial chip shortages (still employed by Nintendo today) and only publish so many games in a year. The fees could come quite staggering, pushing some companies to only make Sega games at the time.

Never new anti piracy videos could be entertainment until this channel. Thanks.

LOVE this content!

Dude I love your music selection for your videos. Do you post your soundtrack anywhere?

hell yeah! such a good start in the week!

Ooh I'm early.
Keep up the great videos!

this was an A plus video man. subbed

I dislike DRM fiercely, but I've got to hand it to Nintendo, being able to keep the code for the CIC secret for over 20 years is incredibly impressive, and even then, if it wasn't for Atari it would have taken even longer to figure out.
Of course it was relatively easy to bypass, but no one was able to actually crack it until long after the console stopped being relevant, which is remarkable.

Love your work~

Love all your vids

Fanatically detailed video.

That explains a lot when my console was resetting. Mostly due to dirty carts.

always enjoy that intro!

Love the Nes back in the day. It was my first console. Still love it today.

Wow, you make my breakfast interesting :) with these uploads. Thx for sharing your knowledge, cheers from Chile 👍😉👍.

thumb-up before actually watching 😍 one of my favourite youtube channels :D

Amazing. Thank you! 🌟

When I was a kid I had serious issues with my NES which kept resetting or glitching out with most games, it always seemed to only accept a few "brands" or publishers which I never understood, this still puzzles me to this day because I thought it just had a faulty 72pin connector but the DRM check behavior described here reminds me of those days, pirated games maybe? not unless the video rental I went to had games which gave me those problems... unless they also got pirated games too.

Nice, really interesting info

I tried looking into this some years ago only to find many posts in the relevant nesdev thread nuked. I always wondered if kev wiped the record of his efforts for legal reasons, a new project, new information, or what... But it kinda sucks that some of that process could've been lost to history! Thanks for the informative video.

One solution to the chip modification detection on the carts after people started disabling them would be to attach a switch inline with the reset signal pin. When playing legit games, flip the switch on. When playing unlicensed carts, flip the switch off.

Also, DANG you're good at Ninja Gaiden!