Secrets of the Nintendo CIC Chip - Early Cartridge Anti-Piracy | MVG

  • Published 26 Sep 2024

COMMENTS • 632

  • @toddbot7545 5 years ago +2369

    Yeah but have you seen our genius methods where we force you to login to play 25 year old easily pirated games?

  • @Lord_Nightmare 5 years ago +58

    Ok, having been somewhat involved in the process with reverse engineering the CIC, there's a bunch of parts of this video which need clarification: in 2006, before the Nesdev scene knew what processor the CIC used, the Atari/Tengen rabbit chip was reverse engineered. The instruction set of the rabbit chip is DIFFERENT (and slightly more efficient!) than the instruction set of what we later found out was a Sharp SM590 microcontroller that the NES and SNES CIC chips used. This meant that the code it ran is actually not the same as the original NES code, and lends to the idea explained by people who worked at Atari, that the copy of the 10NES CIC code listing they got from the copyright registrar's office was not actually used during the reverse-engineering, but was done afterward by a legal intern without permission.
    The real SM590 code for the NTSC and one of the PAL NES regions, and for the NTSC SNES CIC was extracted via decapping around 2007. Once we knew the keys for the NTSC and PAL-1 region on the NES, the keys for the other two regions, PAL-2 and Korea, were brute-forced using traces of the 16 data streams. The reason two CICs had to be decapped is the timing of the NTSC CIC code is older and different from the timing of the two PAL and Korea CICs, the latter 3 likely use the same code with a different key on each. The SNES D411 CIC was decapped, and brute force analysis of streams from the SNES PAL CIC showed that the NTSC D411/F411 CIC and PAL D413/F413 CIC keys only differ by 1 bit.
    The N64 CIC is an entirely different can of worms, and much more complicated. There, the N64 has a system management controller in it called the PIF (which has INSIDE THE CHIP a special version of its 'lock' CIC, containing multiple keys, corresponding to different key chips it can use), which uses the values returned by the key chips to decrypt one of the earlier boot-sectors for each game upon power-up. The PIF also contains a small bit of boot code that runs on the MIPS processor in the N64, and sets up the RDRAM and then queries the PIF to see what the CIC returned. Reverse engineering the N64 CIC had a major advantage: a clever member of the N64 community discovered that if you apply a higher-than-normal voltage to one of the SM5K3 pins, it will spit out its internal ROM contents in an undocumented debug mode.
    This made completely reverse engineering the N64 CIC (which has 4 or 5 variants per region, to prevent people swapping ROMs and piggybacking carts between games easily) finally possible. Another interesting thing is the very final version of the cart CIC used on the N64, used on Perfect Dark 2 and Banjo Tooie (and one other game?), actually has another layer of encryption implemented by the CIC 'in between' the blocks of bits in the stream of random data that it normally constantly sends back and forth with the PIF, which allows the console cartridge software to send a 'command' to the CIC and get a response back, which was used for additional DRM with those games specifically.

  • @TheGunmanChannel 5 years ago +100

    I had to snip that pin after accidentally buying an NTSC copy of the original Final Fantasy for my PAL NES.

    • @ajddavid452 5 years ago +15

      yeah and then watch in horror as it tries to render an ntsc game in pal mode

    • @roobeeeee 4 years ago +4

      @ajddavid452 Sounds like nightmare fuel.

  • @MrMario2011 5 years ago +109

    Crazy it took that long, I never looked too much into the chips but I didn't know the same type of setup was used up to the N64!

  • @kennylauderdale_en 5 years ago +137

    This was a fantastic video. I don't have anything insightful to say, just that I like what I see.

    • @SilhSe 3 years ago +1

      Hi Kenny 👋 I know your channel and it has lots of value and great insights, nice to see you here! 🤗

    • @Osai1234 3 years ago +2

      that’s the usual and this is what i like to hear

    • @ForExampleJon 2 years ago +2

      That's how I feel around here. I'm just driving up engagement.

  • @hualni 5 years ago +685

    Nintendo: "We will only allow the best games to be made"
    Then proceeds to allow LJN to make games.

    • @kerokerocola99 5 years ago +79

      LJN was a way for Acclaim to publish more games, similar to Konami with Ultra Games. Most LJN/Acclaim games were made by different devs and companies, so it was a gamble on what would an LJN game be. Hell, Rareware made the Roger Rabbit game they published.

    • @RadikAlice 5 years ago +46

      @kerokerocola99 I actually didn't know LJN was a shell company like Ultra Games, neat

    • @FacchiniBRTV 5 years ago +49

      Thanks to LJN we have AVGN haha

    • @hualni 5 years ago +18

      @FacchiniBRTV Laughin' Jokin' Numbnuts

    • @kenrickeason 5 years ago +4

      James, is that you?

  • @samljer 5 years ago +74

    Copy protection existed earlier too, I was shocked; like Space Invaders (1978) tries to overwrite itself in ROM.
    Copied chips take the write and the game doesn't play.

  • @kaitlyn__L 5 years ago +47

    I knew a lot of this about the NES CIC... had no idea about the SNES and N64 having one! You always include interesting history that I've not come across before, even when I feel I'm familiar with the subject from the title.

  • @ianf123 5 years ago +46

    Note that the claim that Atari required the 10NES code to create the Rabbit chip is disputed. That was Nintendo's claim and was repeated, without any apparent diligence to verify it, by David Sheff in "Game Over". I have heard quite different versions of this from the folks who were working at Atari at the time. I don't think any of us are in a position to judge, but I'd call Nintendo's claims at best poorly substantiated. A relevant point is that amateurs have subsequently decapped the CIC, and didn't experience a lot of trouble optically recovering the ROM contents and reverse engineering the algorithm. I was actually told, by someone involved, that the biggest challenge they faced was identifying the Sharp SM590 because the die, as is common for CPUs like this to prevent reverse engineering, contained no indication as to the manufacturer.

  • @TheTribes44 5 years ago +254

    from the most difficult DRM to crack to being defeated by a paperclip lol

    • @bluephreakr 5 years ago +28

      And before then, tweezers!

    • @animepussy8356 5 years ago +46

      It's a real shame (for Nintendo ;) because it was Nvidia's vulnerable bootrom code that allowed hackers full access. The Switch OS itself is actually extremely secure.

    • @AdamSmithNES 5 years ago +12

      All you need to bypass the lockout chip on an original NES is a screwdriver and something to snip one contact from the board.

    • @TrolleyMC 4 years ago +10

      @bluephreakr long live team twiizers, now known as fail0verflow.

    • @MrBlazinerday 4 years ago +2

      Adam Smith that works for most games but not for all and if done wrong can burn out the system

  • @pyrozmbies9363 5 years ago +210

    it's always a good day when mvg uploads

    • @NextLevelCode 5 years ago +13

      Nice makeup Kim. I see you have been watching the YouTube beauty channels. 😉

    • @userPrehistoricman 5 years ago +4

      I heard you met The Real Donald!

    • @kneehighspy 5 years ago +3

      Kim’s favorite game? Atari’s Missile Command

    • @jakeg7190 4 years ago +1

      Except when his facts are wrong...

  • @daniflores5119 5 years ago +18

    Great recap! Thank you for listing the homebrew comm so many people worked hard to do this. Thank you for shining some light on this. Spent years myself trying to reverse engineer but gave up.

  • @Osai1234 3 years ago +1

    1:19 hi MVG you are the greatest retro man alive thank you for all your amazingly interesting history and variety of consoles to match every video of what you’re talking about, just wanted to take a moment to appreciate that in whole

  • @JRP2234 5 years ago +160

    Personally my favourite game is the blinking screen. I don't know but whenever I play nes I always get blinking screen so I just sit back and enjoy it and then cry in the shower.

    • @holymegadave 5 years ago +4

      But you can see the screen blinking i want a switch but my poverty keeps me away from buying it.

    • @mason0190 5 years ago +15

      blinking screen usually just means dirty contacts, pop open the nes and clean the pins the cartridge connects to with some ISO and a cotton swab and see if it helps

    • @buddyguy4723 5 years ago +6

      have you tried shaking it like a baby?

    • @tuffasgong 5 years ago +7

      Is the crying in the shower from the NES game not playing or from the shame you feel for treating your body like an amusement park while you shower?

    • @JesusJavier-MyAccount 5 years ago +4

      *@tuffasgong*
      Cursed comment,

  • @videogameobsession 5 years ago +1

    The unlicensed NES game publisher American Video Entertainment used to mail out kits back in 1990 which included alligator clips and instructions on how to bridge and bypass the NES10 chip. This came in handy when I wanted to get SuperVision multi-game carts working on the NES. Thanks AVE! :)

  • @reclaimer429fishing 5 years ago +213

    Who ever was playing Ninja Gaiden was a Savage!!

    • @wompastompa3692 5 years ago +42

      MVG played that while editing the rest of the vid, he's just that beastly.

    • @holymegadave 5 years ago +8

      @wompastompa3692 haha i love when people engrose other people for being cool members of this society

    • @argedismun2 5 years ago +3

      Probably tool assisted gameplay

    • @Whelkman 5 years ago +9

      @argedismun2 It is a TAS, specifically the old version from 2006: watch?v=xMxjodJY0xs

    • @fensoxx 5 years ago +2

      Dude I just paused the video because I had to lay down props for that. That player is an ace.

  • @m1s3ry97 5 years ago +76

    Less than a minute to say "Thank you for being persistent with your great uploads!"

  • @MrBloom2037 5 years ago +7

    MVG I still remember when my dad was talking about your Xbox snes emulator & n64 emulator in 2003-4

  • @kevtris 4 years ago +1

    the rabbit chip was totally different from the 10NES chip. It was a purpose-built sort of CPU, vs. the 10NES' general purpose microcontroller. Tengen ended up using all the "extra" pins for debug outputs that let a decent amount of state be read out during operation and this helped to reverse engineer it. I made custom hardware to perform this data dumping as the chip communicated with a lock chip. Interestingly there's a relatively easy way to dump the 10NES' code using the factory test mode but no one figured this out until very recently. Also interesting is ROB's microcontroller is the exact same microcontroller with different code.

  • @beeaaran9949 5 years ago +4

    I don't want to live in a world where there's no MVG Mondays!!, Keep up the magnificent work!!

  • @fawzanfawzi9993 5 years ago +29

    Do you know anything about the supposed "anti-piracy" mechanism found in Pokemon Black and White when you can't gain any EXP?

    • @toddbot7545 5 years ago +1

      I think it's an infrared thing

    • @LemonGingerHoney 5 years ago

      This is an interesting topic.

    • @fawzanfawzi9993 5 years ago +1

      @Kyle Applin thanks dude. This is all I need.

    • @ajddavid452 5 years ago

      PERFECT LOW LEVEL RUN TRICK

  • @NeoReibert 5 years ago +4

    As always a really good video! And as a computer and electrical engineering student especially interesting.
    Hopefully, you make a lot more videos of this kind. There are definitely people interested in this.

  • @LetsPlayKeldeo 5 years ago +358

    Could you make a video on how DS games were cracked? / the different ways DS game makers try to sabotage their games

    • @kaitlyn__L 5 years ago +20

      Makes me think of Chrono Trigger (DS). That was the first ROM I personally had to patch

    • @kgonepostl 5 years ago +5

      @ZippletTech Didn't he already make a video of that?

    • @CanaldoZenny 5 years ago +22

      I know how the Gen 5 Pokemon games AP features work: the original games had an IR sensor built in the carts. When the game starts, it checks the IR sensor after 5 minutes. If it's there, it's legit. If it doesn't detect, the program assumes it's a pirate copy and starts the AP measure. The program disables EXP gain in all battles, and later starts crashing and freezing randomly.
      This was later patched by hackers with patched ROMs and emulators and Flashcard kernels that could run the clean ROMs without these problems. Still, there are emulators and some flashcards that need the patched ROMs (HGSS too) to work.
      Since many of those patches are old, many have been lost on the Internet. It's much easier to find clean ROM nowadays. The guys at GBATemp made a thread for recovering any old patch for DS games because TWLMenu++ needs AP patched ROMs.

    • @CrazyBananas56 5 years ago +6

      @CanaldoZenny that must be why I can't play Pokemon on my bootleg flash cart lol

    • @DeadSpecimen 5 years ago +1

      Yesss

  • @aemerox5773 5 years ago +15

    3:30 Now I know why many modders would prefer to cut out PIN 4 on the 10NES lockout chip.

  • @hegyak 5 years ago +16

    I didn't know the SNES and N64 used the CIC chip. Crazy stuff.

  • @UpcycleElectronics 5 years ago +8

    This is one of your more interesting hardware uploads IMO.
    From a production hardware perspective, it's interesting that they designed the chip to run identical code on both the base and cartridges. Anyone care to share how they would personally implement better security with a set of similar production hardware constraints, (4-bit μC, identical master/slave, etc)?
    -Jake

    • @johnfrancisdoe1563 5 years ago +1

      Upcycle Electronics A slightly larger internal ROM for more patterns, maybe some code to disguise the pattern. Oh and an 8 pin chip to save production cost. Maybe feed some of the actual game ROM lines through the chip and require that game data to contain a certain pattern. Auth failure would feed the CPU unplayable garbage.

  • @michaelc5019 5 years ago +21

    Thank God for our tech junkies that spend their time cracking these systems and thank you MVG for being a part of that community that I know we all take for granted

    • @wing0zero 5 years ago +5

      Yeah too many people take this community as a form of stone!! 😉

    • @madmodder123 5 years ago

      FYI it is "taken for granted" not granite lol

    • @michaelc5019 5 years ago

      The Mad Modder / you're right. Spell check on my iPhone corrected. SwiftKey App so I can have a black keyboard

  • @StanceSantos 5 years ago +1

    The story of Tengen battling Nintendo’s strict policy is one of the most fascinating stories in gaming, it just goes to show that even though they were the new kids Nintendo were willing to be really strict in the US market despite the recent video game crash, there was also a lot of involvement from Namco as at the time they recently purchased the video game division of Atari

  • @Diablokiller999 5 years ago +7

    Seeing your OSSC in the background all the time, maybe you can make a video about how to find the perfect parameters for each console (backporch, etc.)?

  • @starlitalpha7 5 years ago +42

    Listen, on one hand it's good that everdrive doesn't have to sacrifice 64 games for their cart anymore...
    But think for a moment, what else are we going to do with those copies of superman 64?

    • @ajddavid452 5 years ago +2

      do what protonjon did?

  • @RastaJediX 2 years ago +1

    I love these types of videos. Some of my favorite MVG content right here.

  • @Colin_Ames 5 years ago +2

    Very interesting. I really like these videos about the cracking of security measures. I am impressed with the tenacity and ingenuity of the community involved.

  • @andrewut7ya511 4 years ago +1

    I'm not a coder myself but I looove these videos. The history of my favorite systems is so interesting. Thanks for making these videos

  • @farhanyousaf5616 5 years ago +1

    The description has tons of great links, as MVG says, it's really interesting stuff!

  • @Riddle99-v7q 5 years ago +1

    A brand new MVG video and a chocolate bar all to myself. Can an evening get any better!

  • @RisingRevengeance 5 years ago +71

    Most DRM just increase piracy nowadays, but back in the day it worked a bit "better".

    • @pmangano 5 years ago +18

      And they make the game crappier to the consumer because of constant background checks
      *COUGH* denuvo *COUGH*

    • @tadpolegaming4510 5 years ago +6

      @pmangano 🦀🦀🦀🦀 DENUVO IS GONE 🦀🦀🦀🦀

    • @pmangano 5 years ago +6

      @tadpolegaming4510 What do you mean by gone?

    • @Sharpless2 4 years ago +1

      @pmangano it's the crab rave meme. Hence the crabs in the comment...

    • @CancunMimosa 3 years ago

      That’s a fairly false statement. I don’t think I’ve ever read where DRM was proven to increase piracy within a market. Please reference the industry study your comment is referencing.

  • @lwvmobile 5 years ago +3

    I think they also used the CIC chip because the Famicom had rampant piracy issues since it didn't have any lock out chips.
    To be fair though, I think Nintendo were more worried about squeezing every dime they could out of publishers this way more than they were about piracy. Publishers had to sign agreements to have a certain exclusivity to Nintendo, purchase their own cartridges and chips from Nintendo, artificial chip shortages (still employed by Nintendo today) and only publish so many games in a year. The fees could become quite staggering, pushing some companies to only make Sega games at the time.

  • @alxqrz 5 years ago +1

    Never knew anti piracy videos could be entertainment until this channel. Thanks.

  • @xenonrider3049 5 years ago +1

    Great episode. It's always fascinating to see what type of DRM the game consoles and arcade machines used and how they were reverse engineered.

  • @dialga2 5 years ago

    I just found this channel and I'm amazed at how something that satisfies my extremely specific interests of hardware and gaming can exist in such a high quality format!!! This is amazing technical information, presented in a very clean and catchy way. I'm going to binge watch all of these technical breakdown videos.

  • @TioMegamanX 4 years ago +1

    When I was a kid I had serious issues with my NES which kept resetting or glitching out with most games, it always seemed to only accept a few "brands" or publishers which I never understood, this still puzzles me to this day because I thought it just had a faulty 72pin connector but the DRM check behavior described here reminds me of those days, pirated games maybe? not unless the video rental I went to had games which gave me those problems... unless they also got pirated games too.

  • @Joxxum 5 years ago +1

    I love these kinds of videos about console/arcade security

  • @kenrickeason 5 years ago +1

    Damn..... This is neat! I knew about the lock out chip but the deep in details on how it works are the best.. If I had a programming company I would hire you with an offer you will love..

  • @memphisraines5699 5 years ago +1

    Take my sub and thumbs up for delivering great pieces of history and documentaries, Mr. MVG.

  • @RobertNES816 4 years ago +1

    This is some very cool stuff. Who would've thought so much went into those CIC chips!

  • @HeadsetHistorian 5 years ago +1

    Your eyebrows look powerful in this video. I absolutely love your content, thanks for your hard work!

  • @NappyWayz 5 years ago +5

    That explains a lot when my console was resetting. Mostly due to dirty carts.

  • @newolku 5 years ago +2

    Awesome video as always

  • @chrisdelaney926 5 years ago +4

    Fantastic video. Your explanation on the chip was really easy to understand.

  • @j7a1k1e 5 years ago +1

    One solution to the chip modification detection on the carts after people started disabling them would be to attach a switch inline with the reset signal pin. When playing legit games, flip the switch on. When playing unlicensed carts, flip the switch off.

  • @lerxsty 5 years ago +3

    love your videos man, great info on topics that no one else really covers. Do I want to hear some kids top 10 switch games? nah couldnt care less thanks for actually making some interesting gaming content.

  • @nicedreams7192 5 years ago

    While I don't understand half if not most of how any of this is done, this is still by far one of my favorite series on YouTube. You do a good job at making it followable/understandable to the average shmuck like me.

  • @kuzadupa185 2 years ago +1

    The Nintendo NES looked so much like a VCR that if you buy NES used games online, specifically those which originally come from rental stores. The NES games had STICKERS placed on them. Which said "PLEASE REWIND! OR GET FINED!" OR other similar "please rewind" messages!

  • @berenscott8999 5 years ago +1

    20 years, meaning it worked. Protection only needs to work long enough to protect the immediate market. And also think about this, this chip would have been dirt cheap for them to reproduce in large quantities, so you could argue this has been one of the most efficient means of protecting not just one game, but all of them.

  • @Fulthrotle73 5 years ago +2

    Love the Nes back in the day. It was my first console. Still love it today.

  • @williamsquires3070 5 years ago +1

    This isn’t the only console that utilized this technique. I remember going to the landfill to dump our garbage, and saw a dead console motherboard with a cart still in it, so I exchanged my garbage for their garbage, and took it home. Later, I parted it out, and opened the cart, and lo and behold, there was a ROM and a 16-pin DIP IC. There were two (or maybe three) ASICs on the motherboard, along with three 16-pin chips, each with the same part #, but with a different dash extension (-A, -B, and -C): the “extra” IC in the cart had a similar part number, and a -B extension. My guess, is they were some sort of lock-and-key, though I was just guessing.
    Now, knowing Nintendo did it, it’s not such a stretch to imagine someone else did too.

  • @benjaminful1 5 years ago +7

    Finally, something that gets me so entertained that i can forget my insomnia!! Nice videos MVG!!

  • @Whelkman 5 years ago +1

    The universal "blinking reset loop of doom" is the behavior described at 2:55. Even with properly licensed cartridges, the 10NES system was finicky and would easily go out of sync, especially as connectors corroded.

  • @optiquest86 5 years ago +2

    The tale behind the Atari RABBIT chip is an interesting one unto its own for sure!

    • @madmodder123 5 years ago

      tale*

    • @optiquest86 5 years ago

      @madmodder123 Yeah, caught it when I saw the notification of a reply. :P

  • @MrDomBoileau 5 years ago

    Man, I love your channel so much dude.

  • @diarykeeper 5 years ago +5

    20 years.. Dang. Someone did an amazing job.
    Nintendo thanks this guy way too much.
    Hope he got rewarded accordingly.

  • @pleasedontwatchthese9593 5 years ago +3

    Fantastic video on this. You make the best videos on this

  • @KuraIthys 5 years ago +1

    The fascinating thing about the NES and CIC (later consoles have no equivalents) is that the Famicom has no such security, and neither do the top-loader NES systems released late in the system's life.
    (Both the japanese and western top loaders contain no security chip.)
    The existence of these later revisions with no security chip makes disabling the lockout chip all the more obvious as a basic workaround.

  • @aaronperron 5 years ago

    Modern Nostalgia Gamer. The soundtracks to these vids remind me of sick 80's movies like Tron or something

  • @PaulTheFox1988 5 years ago +6

    I dislike DRM fiercely, but I've got to hand it to Nintendo, being able to keep the code for the CIC secret for over 20 years is incredibly impressive, and even then, if it wasn't for Atari it would have taken even longer to figure out.
    Of course it was relatively easy to bypass, but no one was able to actually crack it until long after the console stopped being relevant, which is remarkable.

  • @LesKingBNE 5 years ago +1

    Mate, your videos are interesting and accurate. Love it.

  • @constancies 5 years ago +1

    Really interesting video! I thought of The Gaming Historian’s Tengen video while watching this.

  • @wildzero7777 5 years ago +2

    Great content as always!

  • @leandrormor 5 years ago +1

    thank you so much for the time and research!!!

  • @therealfox 5 years ago +1

    Thanks for making so tech deep videos, I really like that. Hope to see more videos soon. Thanks for teaching us.

  • @root42 5 years ago

    Very interesting. I wouldn’t mind if you made longer bonus videos that go even further into the details. This was still pretty highlevel. A bit of a walkthrough of the CIC firmware would be nice.

  • @MT-fl1eb 4 years ago +1

    Amazing content and presented well thanks!

  • @MegaKirbySuperstar 5 years ago +104

    I watch these videos even tho I know jack shit about programming or cracking piracy or making homebrew, etc. I just like hearing about this kind stuff. *shrugs*

    • @joonasfi 5 years ago +17

      There's nothing wrong in being curious - on the contrary. :) Have a great day mate!

    • @notaripspiderman 5 years ago +2

      I'm the same way.

    • @nightcat7741 4 years ago +1

      same here even if I may be too old for videogames 😂😂

    • @Silver_Adventures 4 years ago +1

      @nightcat7741 you're never too old to play games.

    • @nightcat7741 4 years ago

      @Silver_Adventures THIS! I just said that to my sister in law. Bless the internet for feeding me with tech and game vids.

  • @xnetpc 5 years ago +1

    If you haven't done so already, you could make a whole series based on Commodore 64 copy protection. The lengths I had to go through to copy some disks was insane. Fat Tracks, Half Tracks, nonstandard Bit Rates, Track Synchronization, the list of methods goes on and on. Then there was the more physical approach, code wheels and paragraph books, but dongles were the worst. Not only were they sometimes quite tricky to build, you could fry your system if you made it wrong.

    • @AnOfficialAndrewFloyd 4 years ago

      xnetpc Apparently you never had Fast Hackem.

    • @xnetpc 4 years ago

      A Floyd Renegade/Maverick was my go to “archival” utility, but I had Fast Hackem and bunch of other tools in my arsenal.
      My comment wasn’t about what tool cracked which copy protection. I was suggesting a rundown of all the different methods companies implemented to protect their intellectual property. The Commodore 64 was so popular that it makes sense that so many copy protection schemes were utilized on the platform.

  • @penrar 5 years ago +1

    Loved this. You got any old Amiga games with their unique copy protections? I adored that stuff myself and sure it’d make for a good vid! Thanks as always MVP MVG!

  • @cheater00 5 years ago +3

    Another classic. Thanks bro! Really appreciate it! Instant thumbs up from me!

  • @metalmusic1401 5 years ago +3

    Excellent video mate I've always liked your stuff it's very enjoyable to watch and I'm still stoked that you are Australian! The same as me keep up the great work!

  • @therealjammit 5 years ago +1

    I think Atari left the "code readout" enabled on purpose. They didn't tell anybody how it worked or if it did, but banked on someone out there figuring it out soon enough. Leaves their hands clean.

  • @ner0p 5 years ago +1

    Great video, as always.

  • @malsuk 5 years ago +5

    always excellent videos

  • @taiiat0 5 years ago +2

    Of course, with the internet having so many heads and access to tools and hardware being astronomically higher now, this situation could never happen again.
    Even so, it might have been broken a little bit faster if there was extra incentive to. I'm always reminded of how Denuvo bragged about a game not being broken after a couple months. But it had turned out to just be that nobody in the hacking world had been interested in the game so hadn't tried. But Denuvo bragging about it and effectively insulting those people, gave them a reason to try and it was broken within a week after they bragged.

  • @shinnou1 5 years ago +3

    Can't understand why people thumbs down MVG. This shit is interesting!

  • @thelunaist2014 5 years ago +1

    I wonder how'd this be in comparison to other companies in the console race of late 80 into mid 90, Atari trying to recover with the 7800 and Jaguar. There was the more lenient Sega and other people in the background like Neo Geo, Philips, and TurboGrafx-16. To name a few and not even getting into the portable trend that the Game Boy started.

  • @MikeDest
    @MikeDest 4 years ago +1

    Hiroshi Yamauchi always looked like a movie villain to me.

  • @Iamwolf134
    @Iamwolf134 5 years ago +2

    Took 'em long enough, but for the sake of historical preservation, it was very important that the CIC chip be cracked wide open.

  • @wawazaza1785
    @wawazaza1785 4 years ago +1

    I had a pair of blue basketball shorts that had a Nintendo seal of approval on the tag.

  • @PhirePhlame
    @PhirePhlame 3 years ago +1

    The voltage spike thing was the result of a small-but-critical flaw of the design: the lock chip's only active response is on check failure (resets the system) while passing the test simply results in it doing nothing.
    Perhaps if the lock was _two_ chips, one which tests the cartridge and reports to the other, which would be the one to reset the CPU upon failure or non-communication?

  • @a2pha
    @a2pha 3 years ago

    I am the senior programmer for a local game company. One of the things I put in to determine if the system is authentic was for the user to be able to hold 3 keys down at a time and it would state if the program running (that I wrote) is authentic or not.
    I don't do this initially for bootup as it would greatly slow down the execution each time. But as the keystrokes are known only to my team and myself - there's little chance of someone guessing these keystrokes and thereby learning where to bypass this in the master engine I wrote.
    I realize this is pretty cumbersome today. Methods today involve checking ONLINE to see if someone has actually purchased the game or they check online the program running against a master copy. I'm not that advanced a programmer so I have to resort to offline methods for our software protection and integrity.

  • @razorx2024
    @razorx2024 5 years ago +5

    I was wondering after watching this: if the chips are directly wired to each other, couldn't you just take a CIC chip out of a cartridge and solder it directly to the top of the CIC chip in the console?

  • @tookitogo
    @tookitogo 1 year ago +1

    7:05 Plastic, not ceramic. By the 1970s plastic had displaced ceramic in nearly all DIP chips, as it is substantially cheaper. It’s what we use to this day for most chips. It’s actually plastic (often epoxy) with a high amount of mineral filler, so that it retains a coefficient of expansion similar to the chip inside - otherwise it would shear off the bond wires.

  • @BoomBox02
    @BoomBox02 5 years ago +1

    What's more interesting is how different the video game industry would be today if the deal had gone through when Nintendo approached Atari and wanted Atari to sell the NES in the USA for them.

  • @SCB666
    @SCB666 5 years ago +5

    Fanatically detailed video.

  • @Leeki85
    @Leeki85 5 years ago +1

    I don't think that those chips were meant to stop piracy. Their main goal was to stop unlicensed games from being released on the system - the thing that killed the Atari 2600 and led to the video game crash. Anyone could make Atari 2600 games, and with the initial success many companies flooded the market with expensive but unplayable shovelware.
    As you described, the CIC chip on the NES could be easily bypassed by the user by cutting the reset pin. So piracy was technically possible, but pirates went in a totally different direction.
    In the early '90s NES clones started to appear. I live in Poland and there was no official NES or SNES distribution, but one local company imported an NES clone and sold it under the "Pegasus" brand with pirated games within the console: Mario Bros, Contra, and dozen of other games. It became a huge hit; it was affordable and was promoted on TV. Those consoles had no CIC chip and were Famicom clones that worked in PAL rather than EU NES clones.
    Soon many people started to import such clones from the east and company that started all this created a store chain from money they've earned from stealing Nintendo's intellectual property.
    Anyway I'm looking forward to see how SNES piracy with custom floppy drive worked.

  • @quantumfoam42
    @quantumfoam42 5 years ago +1

    I remembered seeing these chips, but I never knew what they were. It's amazing it took so long to crack them, but Nintendo did have some amazing engineers...

  • @PieLordCollin
    @PieLordCollin 5 years ago +51

    Ooh I'm early.
    Keep up the great videos!

  • @spragzpc1
    @spragzpc1 5 years ago +1

    I feel like I'm taking expensive college classes every time I watch an MVG video. I grow a brain cell & love for each console with every video.

  • @B1tterAndThenSome
    @B1tterAndThenSome 5 years ago +1

    Did some early NES units ship without this security chip? I remember a family friend back in the day had a NES where we could play those 800-in-1 type cartridges you could buy when vacationing in Spain. Those cartridges never worked on my NES, and I know our friend never did any modding to his NES.

  • @spragzpc1
    @spragzpc1 5 years ago +1

    This was very educational. I hope Nintendo sees this video as nothing more than love & education for their hard work & stops the flagging of your Nintendo videos.

  • @isanchez64
    @isanchez64 5 years ago +1

    CIC chip security is probably another huge reason why Nintendo 64 was cartridge based even though CD technology had been around for a while. Would have also made Nintendo 64 more expensive if it was CD based. I'm glad, because loading times are a hassle even nowadays. PS5 with M.2 or faster SSD will hopefully finally solve that. Nintendo is still the best, Switch Homebrew is awesome!

  • @johnmj89schannel47
    @johnmj89schannel47 5 years ago +1

    I've watched a lot of your videos and I had to sub. Your vids are really good, and for someone who has created emulations and shit, when you review videos like this you actually know what you're talking about, instead of someone not knowing anything about reverse engineering. You're more fit for the job to explain it.