How are video arcade games copy-protected, and why?
by rollingcaker on May 15, 2009
Software you need: MAME

One of the most devious methods - unhackable until MAME - was Atari's "Slapstic" security chip. When the game was run, the game code checked for the security board in various ways. If it wasn't there, the game malfunctioned or refused to run. (This is similar to the hardware "dongle" protection used by some high-end PC software.) Since the security chip came only with purchased games, copies of the ROMs were unusable. This is why games like Marble Madness and Indiana Jones could previously not be emulated, though their ROMs were available.
Another way to protect ROMs was to encrypt them. A custom CPU or special chips on the main board decoded (decrypted) the data as it ran the game. Copying the ROMs was futile unless the encryption system had been "broken". It is difficult to extract the key and decryption algorithm from these chips, but weaknesses in the algorithms or their implementation can be exploited to recover the algorithm and/or the key. Encryption can affect graphics (as in the case of later Neo Geo games and Funky Jet), sound (as in some Seibu games), program code (as in Sega System 16/18, Capcom CPS-2 and -3, or the C-Chip in many Taito games), sprites (as in Raiden II), or a combination of things.
Some systems store the key in battery-backed RAM instead of ROM. This ensures that altering the data or trying to dump the decryption key will disable your board. This is also known as a "suicide battery" - the board would be rendered useless if the battery dies or is disconnected. It is used on a number of boards, for example Capcom's CPS-2 and CPS-3 and Sega's System 16 and System 18 boards.
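A toy model of the battery-backed key storage described above, added here as an illustration and not taken from the original article or from any real board. The XOR cipher, the key and program bytes are all constructed, and `board_boots` is a hypothetical name.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_SIZE 16

/* Battery-backed key RAM: the key exists only while the battery holds it. */
typedef struct { uint8_t key[8]; } key_ram_t;

/* Toy address-dependent XOR cipher (constructed, not any real board's scheme).
   The same operation encrypts at the factory and decrypts on each CPU fetch. */
static uint8_t crypt_byte(const key_ram_t *k, uint32_t addr, uint8_t b) {
    return (uint8_t)(b ^ k->key[addr & 7] ^ (uint8_t)(addr * 0x3Bu));
}

/* Battery death or removal: the RAM contents are gone, modelled as all zeros. */
static void battery_lost(key_ram_t *k) {
    memset(k->key, 0, sizeof k->key);
}

/* Additive checksum of the program as the CPU sees it after decryption. */
static uint8_t decoded_checksum(const key_ram_t *k, const uint8_t *rom) {
    uint8_t sum = 0;
    for (uint32_t a = 0; a < ROM_SIZE; a++)
        sum = (uint8_t)(sum + crypt_byte(k, a, rom[a]));
    return sum;
}

/* Returns 1 if the board still decodes its program correctly, 0 otherwise. */
int board_boots(int kill_battery) {
    static const uint8_t program[ROM_SIZE] = {   /* constructed plaintext */
        0x4E, 0x71, 0x60, 0xFE, 0x12, 0x34, 0x56, 0x78,
        0x9A, 0xBC, 0xDE, 0xF0, 0x01, 0x02, 0x03, 0x04 };
    key_ram_t k = { { 0xA7, 0x1C, 0x5E, 0x93, 0x2B, 0xF0, 0x64, 0xD9 } };
    uint8_t rom[ROM_SIZE], expect = 0;
    for (uint32_t a = 0; a < ROM_SIZE; a++) {
        rom[a] = crypt_byte(&k, a, program[a]);   /* factory encryption */
        expect = (uint8_t)(expect + program[a]);
    }
    if (kill_battery)
        battery_lost(&k);
    return decoded_checksum(&k, rom) == expect;
}

int main(void) {
    printf("battery ok: %d, battery lost: %d\n", board_boots(0), board_boots(1));
    return 0;
}
```

The ROM contents are identical in both runs; only the volatile key differs, which is why a board whose battery has died cannot be revived by re-reading or re-copying its ROMs.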
Yet another method of copy protection is an MCU (microcontroller unit), a custom processor that can have its own internal ROM. This ROM holds either program code or important data for the game, and the MCU only allows the game to access it under certain conditions.
These dedicated protection devices can be used for a multitude of protective tasks. They can perform collision detection between rectangles or other simple math operations (Sega and Konami both did this a lot), they can do DMA transfers (Konami K055550, seen in Violent Storm and Monster Maulers), they can pull sprite data out of work RAM and generate a priority-sorted display list in sprite RAM (many Konami games starting with TMNT 2), set up palette RAM (Konami did this, as did Atari), return executable code that the main CPU runs (Taito liked to do this) - without the device the code is invalid and the CPU crashes - or they can set magic values in RAM that the main game code needs to function (Sega did this a lot, and Run and Gun seems to also).
Dumping this code is often very difficult, or even impossible. However, there are sometimes ways to trick the MCU program into bypassing its security measures and read out the contents. Sometimes, though, the only option for the developer is to guess what the MCU does and simulate it as well as they can.
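An added sketch, not from the original article and not modelled on any real chip, of a protection device that performs rectangle collision for the game. It shows why the copied program alone misbehaves without the device and what behaviour a simulation has to reproduce. The register map, the open-bus value and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical register map (constructed, not a real chip): words 0-3 hold
   rect A as x, y, w, h; words 4-7 hold rect B; word 8 reads back the result. */
enum { REG_RESULT = 8, REG_COUNT = 9 };
#define OPEN_BUS 0xFFFFu   /* assumed value read from an empty socket */

typedef struct { uint16_t reg[REG_COUNT]; int present; } prot_dev_t;

/* Bus write from the main CPU; it goes nowhere if the device is not fitted. */
static void prot_write(prot_dev_t *d, unsigned off, uint16_t v) {
    if (d->present && off < REG_RESULT)
        d->reg[off] = v;
}

/* Bus read: the device runs the overlap test when the result is read. */
static uint16_t prot_read(const prot_dev_t *d, unsigned off) {
    if (!d->present || off != REG_RESULT)
        return OPEN_BUS;
    const uint16_t *a = &d->reg[0], *b = &d->reg[4];
    return (uint16_t)(a[0] < b[0] + b[2] && b[0] < a[0] + a[2] &&
                      a[1] < b[1] + b[3] && b[1] < a[1] + a[3]);
}

/* Game-side routine: no collision code of its own, only bus accesses.
   Returns 1 (hit), 0 (miss) or -1 for an answer the game cannot use. */
static int game_hit_test(prot_dev_t *d, const uint16_t a[4], const uint16_t b[4]) {
    for (unsigned i = 0; i < 4; i++) {
        prot_write(d, i, a[i]);
        prot_write(d, 4 + i, b[i]);
    }
    uint16_t r = prot_read(d, REG_RESULT);
    return r <= 1 ? (int)r : -1;
}

/* Constructed sprites: 'enemy_hit' overlaps the player, 'enemy_miss' does not. */
int run_case(int device_present, int overlap) {
    prot_dev_t dev = { { 0 }, device_present };
    const uint16_t player[4]     = { 10, 10, 16, 16 };
    const uint16_t enemy_hit[4]  = { 20, 20, 16, 16 };
    const uint16_t enemy_miss[4] = { 100, 10, 16, 16 };
    return game_hit_test(&dev, player, overlap ? enemy_hit : enemy_miss);
}

int main(void) {
    printf("%d %d %d\n", run_case(1, 1), run_case(1, 0), run_case(0, 1));
    return 0;
}
```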
Of course, it gets even better if all of these are combined. The Dallas DS5002FP security chip (manufactured by Dallas Semiconductor) combines encryption of the internal ROM with a sort-of suicide battery that destroys the contents of the internal ROM if it is tampered with. It is also completely custom, unlike, for example, the M68705, which has been used in many arcade games (Bubble Bobble, for instance) and about which there is therefore a lot of information available on the Internet. The Dallas security chip prevents a lot of Gaelco games from being emulated, for example. It's not invincible, though, since Markus Kuhn claims to have cracked it, although the process he describes is not easy.



© 2009 Softwarehowtos.com - All Rights Reserved Worldwide.