SNES How exactly did the SNES/Super Famicom CIC Lockout work?

[PopetherevXXVIII]

The other day I realized the easiest way to play North American games on my Super Famicom was to just undo the top. This led to a talk with a friend of mine (who lives in Pal Land) about how the PAL SNES and NTSC systems handle each other's games...as in they don't Some games just don't boot others display a message saying it's not compatible with this system. On You Tube I saw switch mods that adjust 50hrz and 60herz but also a region switch. Then there's the Honey Bee Converter that requires a Pal game to play an NTSC game.

So was there more than just a physical region lock on the SNES/SFC or were games programmed to interact with a CIC chip in a certain way?

 

[Tyree_Cooper]

I'd like to know too. I'm sure there are pages on the internest that explain it though.

 

[PopetherevXXVIII]

Not much from what I've found.

 

[Trimesh]

On the simplest level, the two chips in the console and the cart just sent strings of pseudo-random data to each other. If the data sent by the other chip didn't match what was expected then the CIC chip in the console asserted the CPU reset line.

In general, the CIC in the cart wasn't connected to anything except the power and signals from the console - which is why those piggyback adapters worked - you could redirect the signals to a CIC in another cart and this would keep the console happy, but the cart didn't care.

There were some exceptions though - the commonest one is that some games checked the video mode that the PPUs were operating in and verified that it matched the expected mode for the cartridge - if it didn't match you got that "not designed for your system" screen. On top of this, there were some carts that did care about the CIC data - such as carts that used the SA-1 or SDD-1 custom chips. These carts didn't have an actual CIC chip, but rather had the CIC function embedded into the custom chip, and would disable access to the ROM if they didn't see the expected data.

 

[Trenton_Net]

On the simplest level, the two chips in the console and the cart just sent strings of pseudo-random data to each other. If the data sent by the other chip didn't match what was expected then the CIC chip in the console asserted the CPU reset line.

In general, the CIC in the cart wasn't connected to anything except the power and signals from the console - which is why those piggyback adapters worked - you could redirect the signals to a CIC in another cart and this would keep the console happy, but the cart didn't care.

There were some exceptions though - the commonest one is that some games checked the video mode that the PPUs were operating in and verified that it matched the expected mode for the cartridge - if it didn't match you got that "not designed for your system" screen. On top of this, there were some carts that did care about the CIC data - such as carts that used the SA-1 or SDD-1 custom chips. These carts didn't have an actual CIC chip, but rather had the CIC function embedded into the custom chip, and would disable access to the ROM if they didn't see the expected data.

How psudo random was the data? Perhaps there was only a finite sequence of key-pairs you needed to worry about? Or was there some way for the system to generate really random numbers so it would be impossible to just remember what key-pair sequence to use?

 

[Trimesh]

How psudo random was the data? Perhaps there was only a finite sequence of key-pairs you needed to worry about? Or was there some way for the system to generate really random numbers so it would be impossible to just remember what key-pair sequence to use?

There are 16 possible sequences, but each one is completely deterministic. The chip in the console mode uses a timing cap that's connected to one of its pins to determine which of the 16 possible sequences are used and this selection is also sent to the chip in the cartridge so it knows what to expect.

Each sequence is exactly the same each time it's used - it's just random looking.

 

[Trenton_Net]

There are 16 possible sequences, but each one is completely deterministic. The chip in the console mode uses a timing cap that's connected to one of its pins to determine which of the 16 possible sequences are used and this selection is also sent to the chip in the cartridge so it knows what to expect.

Each sequence is exactly the same each time it's used - it's just random looking.

Couldn't they just make knockoff chips by interfering with the timing cap to coax out the recording of all 16 sequences? No need to figure out complicated logic? I suppose that's only possible because we know there are only 16 sequences, but I assume if they took large enough sample sizes, they'd also figure out that sequences were being reused?

 

[rama]

But if you're already hacking the CIC timing, requiring hardware, why not use a CIC clone directly?

 

[Trimesh]

Couldn't they just make knockoff chips by interfering with the timing cap to coax out the recording of all 16 sequences? No need to figure out complicated logic? I suppose that's only possible because we know there are only 16 sequences, but I assume if they took large enough sample sizes, they'd also figure out that sequences were being reused?

Because the repetition time of each sequence is extremely long, and given the cost of memory when the SNES was produced storing a long enough section of the sequence to enable a reasonable amount of play time would have been excessively expensive.

The pirates took a more direct approach - they had someone decap and delayer the chip and make physical layout level clones on it. They didn't bother figuring out how it worked because they didn't need to. One amusing thing is that the clone CIC chips tend to have fake camouflage part numbers on them, but they are physically 100% identical to the original Nintendo chips.

 

[Trenton_Net]

Because the repetition time of each sequence is extremely long, and given the cost of memory when the SNES was produced storing a long enough section of the sequence to enable a reasonable amount of play time would have been excessively expensive.

The pirates took a more direct approach - they had someone decap and delayer the chip and make physical layout level clones on it. They didn't bother figuring out how it worked because they didn't need to. One amusing thing is that the clone CIC chips tend to have fake camouflage part numbers on them, but they are physically 100% identical to the original Nintendo chips.

Ah, I though the CIC chip did a small handshake at boot and that was the end of it. I had no idea it was generating random data over the lifetime of the system in order to keep it alive. Interesting stuff!

 

[Trimesh]

Here are some examples of bootleg carts from back in the day, with cloned CICs



The one on the left is a surprisingly good quality bootleg copy of Mario Kart - the board seems to be electrically a 1:1 clone of the SHVC-1K1B board that the real Mario Kart used - the CIC is the chip marked "TEN-E" at the bottom and the chip marked 5458A is a cloned DSP-1.

The board at the top right is a bootleg of Super Street Fighter II - the CIC here is the chip marked "CIVIC 74LS11" - which seems a strange choice since a real 74LS11 (which is a triple 3-input AND gate) is in a 14 pin package and not 16 - it's also using a 16 bit ROM which is why it needs the pair of 'LS257 multiplexers to select which byte to send to the console. Although the board has space for decoupling caps, they haven't been installed.

Both of these are running exact 1:1 copies of the original game ROM.

The final board on the lower right is a good example of a hacked up bootleg - the game is Hudson's J-League Super Soccer '95, but the code has been modified to operate without backup memory - the CIC here is marked "D1 9515" this board also has no decoupling caps and the ROM is a COB type covered with resin (AKA "glob-top").

The clone CICs are exact copies of the originals on a functional level - I've removed them from bootleg boards and installed them into original Nintendo boards and they work exactly like the real ones.

 

[supersega]

Here are some examples of bootleg carts from back in the day, with cloned CICs

View attachment 5749

The one on the left is a surprisingly good quality bootleg copy of Mario Kart - the board seems to be electrically a 1:1 clone of the SHVC-1K1B board that the real Mario Kart used - the CIC is the chip marked "TEN-E" at the bottom and the chip marked 5458A is a cloned DSP-1.

The board at the top right is a bootleg of Super Street Fighter II - the CIC here is the chip marked "CIVIC 74LS11" - which seems a strange choice since a real 74LS11 (which is a triple 3-input AND gate) is in a 14 pin package and not 16 - it's also using a 16 bit ROM which is why it needs the pair of 'LS257 multiplexers to select which byte to send to the console. Although the board has space for decoupling caps, they haven't been installed.

Both of these are running exact 1:1 copies of the original game ROM.

The final board on the lower right is a good example of a hacked up bootleg - the game is Hudson's J-League Super Soccer '95, but the code has been modified to operate without backup memory - the CIC here is marked "D1 9515" this board also has no decoupling caps and the ROM is a COB type covered with resin (AKA "glob-top").

The clone CICs are exact copies of the originals on a functional level - I've removed them from bootleg boards and installed them into original Nintendo boards and they work exactly like the real ones.

One thing I'm a bit confused about is the top right bootleg. How did, supposedly a triple 3-input AND gate and a pair of muxes stump the hackers of even today for so long? Specifically, how did it take them that long to figure out how to make modern chips if that's all that is required? Unless that Civic chip name is just some sort-of cover for a cloned CIC lockout chip...

 

[Trimesh]

One thing I'm a bit confused about is the top right bootleg. How did, supposedly a triple 3-input AND gate and a pair of muxes stump the hackers of even today for so long? Specifically, how did it take them that long to figure out how to make modern chips if that's all that is required? Unless that Civic chip name is just some sort-of cover for a cloned CIC lockout chip...

It's just camouflage - the chip is a precise copy of the Nintendo D411 CIC and as such is obviously in violation of both Nintendo's and Sharp's copyrights - so they marked it as something else. I don't know if there was any plan to the choice of number, although I have also seen bootleg PAL carts (which originally used a D413 CIC) marked as "74LS13" and in both cases the last 3 digits in the marking match the part number of the original CIC, although this may be a complete coincidence.

In both cases, even the most superficial inspection makes it clear that the marked part number is bogus - both the 74LS11 and the 74LS13 are 14-pin chips, but these CIC clones are (like a real CIC) 16 pin.

The two muxes on the street fighter bootleg have nothing to do with the protection - they are just there so that the board can use a 2M word x 16 bit ROM despite the SNES only having an 8 bit data bus.

 

[supersega]

It's just camouflage - the chip is a precise copy of the Nintendo D411 CIC and as such is obviously in violation of both Nintendo's and Sharp's copyrights - so they marked it as something else. I don't know if there was any plan to the choice of number, although I have also seen bootleg PAL carts (which originally used a D413 CIC) marked as "74LS13" and in both cases the last 3 digits in the marking match the part number of the original CIC, although this may be a complete coincidence.

In both cases, even the most superficial inspection makes it clear that the marked part number is bogus - both the 74LS11 and the 74LS13 are 14-pin chips, but these CIC clones are (like a real CIC) 16 pin.

The two muxes on the street fighter bootleg have nothing to do with the protection - they are just there so that the board can use a 2M word x 16 bit ROM despite the SNES only having an 8 bit data bus.

Ahhh, gotcha. I misread what you said, I guess! Wouldn't surprise me if that was on purpose, just for identifying purposes probably. I also guess that a customs inspector wouldn't expect to see that it's only supposed to have 14 pins, if it were looked at.

Makes sense on the muxes too. Are they normally on SNES carts, as in legit ones? I looked around for a while but didn't see any muxes on most of the common boards.

 

[Trimesh]

Makes sense on the muxes too. Are they normally on SNES carts, as in legit ones? I looked around for a while but didn't see any muxes on most of the common boards.

No, I've only ever seen them on bootleg carts - I guess Nintendo were operating in large enough volumes that they could get get high capacity mask ROMs made with an 8-bit interface.

 

[supersega]

No, I've only ever seen them on bootleg carts - I guess Nintendo were operating in large enough volumes that they could get get high capacity mask ROMs made with an 8-bit interface.

Hmm... interesting! It's always cool to see how pirates bypass such things with what they have. Maybe this is just basic electronics but it still is super cool to me.

 

[PocketTim]

MVG does a light but fairly informative video on it.

 

[rama]

That board with no caps. PP5 is so awsome, it doesn't require deglitching! ;p