The Definitive 'We Really Need to Phoenix CPS3' Thread

TerryMasters

Galford's Armourer
Joined
Apr 18, 2009
Posts
459
It's come to my attention that more and more suicided CPS3 boards have gone up for sale in recent weeks. This concerns me, as I own one myself and fear that something as simple as a broken battery lead (as found on these forums, ironically) could render my purchase and replacement worthless.

We all know these games have been emulated in MAME. My memory is a little shady, but IIRC we did completely crack CPS3 encryption. Again I could be wrong. But if that's true, surely it was the encryption that was more difficult and not the copy protection hardware itself that changed from the CPS2?
 

Dion

Known Scammer, NeoGeoFreak Co-Founder
Joined
Aug 24, 2000
Posts
2,070
There are about three of these threads on these forums already. It's not as easy as you may think to revive these things. Seems there are very few people with any kind of desire on the hardware end or skill on the software end at this time.
 

mainman

CPS2 Person.,
20 Year Member
Joined
Mar 26, 2001
Posts
3,740
Where to start with this. It is proven that the CPS2 hardware can run unencrypted program code. I believe an experiment was done on the CPS3 in which a cart was equipped with a decrypted BIOS and it did not boot, so what worked on CPS2 did not appear to work for CPS3. Now the variable here is all on the assumption that the decrypted BIOS used in the CPS3 experiment was sound, along with little things such as soldering, but since it was done by someone in the loop with the MAME emulation we will have to assume it was a good decryption and the fault was a hardware issue. So it's a software-hardware mod that will be required.

Bottom line is there is a mob of people who can do the hardware work but those on the other end of the table who can provide software help are fewer and don't want to share or work pro bono.
 

jew90

Geese's Thug
Joined
Nov 6, 2010
Posts
273
Are Capcom no longer offering repairs on their boards? Or is it really pricey?
 

mainman

CPS2 Person.,
20 Year Member
Joined
Mar 26, 2001
Posts
3,740
> Are Capcom no longer offering repairs on their boards? Or is it really pricey?

Officially only Capcom Japan reboots JAPANESE carts. The U.S. branch does not offer this service, and the device used to physically do this is locked up or destroyed and the software has been archived/lost or both.

One of the rebooting devices and corresponding software for the Asian non-Japanese market is assumed to have been acquired by a third party who reboots carts to the Asian configuration.
 

smkdan

Galford's Armourer
Joined
Dec 30, 2009
Posts
452
The most practical approach is to make a bios that works with a dead cart for all games. This isn't really difficult since the base hardware is understood well enough and the dev tools are all there already. No one knows how to get a dead cart to run any code at all though, or what additional security measures (beyond encryption) are in place. The easy solutions have already been attempted and they didn't work.

Even though it's been decrypted, emulated, etc., there isn't much known about how the security is actually implemented on a real CPS3, which holds back progress on the software end of things.

I can say by digging through the BIOS a while ago that there are bits of code that would not function the same with the decryption tests that were previously attempted. I get the impression that these (and others like it, wherever they are) need to be dealt with before this has any chance of working.

If I had more personal interest in this I'd be working on it regularly but I'm not as motivated. Maybe if Razoola ever gets the time or whatever, it might be sorted out.
 

TerryMasters

Galford's Armourer
Joined
Apr 18, 2009
Posts
459
Yeah, I understand not a lot of people care enough to make it happen. The emulation community can be a selfish bunch so I don't blame them. I'm just hoping someone comes to the table willing to put that aside for the greater good. With the fragility, and seemingly sheer randomness of events that take these carts out I really feel now is the time to act to try and save these things. I'm not a programmer myself, but I'm absolutely willing to read the material necessary to make an attempt - though I lost the documents I had on assembly programming and the like (34010 and 68000 specifically) which I would love to find again if I could.
 

Kyuusaku

B. Jenet's Firstmate
Joined
Mar 26, 2003
Posts
419
> The emulation community can be a selfish bunch so I don't blame them. I'm just hoping someone comes to the table willing to put that aside for the greater good.

Selfish or they don't have hundreds of hours to work on something for the greater good of a few enthusiasts who out of self-interest and lack of skill make requests of others to protect their own personal property.
 

TerryMasters

Galford's Armourer
Joined
Apr 18, 2009
Posts
459
I meant the people who illegally download games, play them, then complain about something (hair) not being emulated correctly. Thanks for that though.
 

Hewitson

Metal Slug Mechanic
Joined
Mar 6, 2008
Posts
2,198
Is there any reason the technique used in MAME hasn't been used on a real board? I don't know much about it, but surely with hardware modifications this is possible.
 

Kyuusaku

B. Jenet's Firstmate
Joined
Mar 26, 2003
Posts
419
Just because the BIOSes were decrypted doesn't mean the rest of the hardware doesn't need unlocking by a separate algorithm (think Nintendo CICs).
 

Hewitson

Metal Slug Mechanic
Joined
Mar 6, 2008
Posts
2,198
I realise that, but what I'm saying is, wouldn't it be possible to modify a board in order to make it function exactly the same way as the MAME driver?
 

Kyuusaku

B. Jenet's Firstmate
Joined
Mar 26, 2003
Posts
419
Sure, but that might mean replacing huge surface mounts with adapters and subcircuits more expensive than the CPS3 itself. If the ASIC needs reimplementing with programmable logic because the algorithm and protocol can't be broken, is there really a benefit to inaccurate hardware emulation over inaccurate software emulation?
 

jew90

Geese's Thug
Joined
Nov 6, 2010
Posts
273
While we're on the subject of CPSIII stuff.

I seem to recall a few years ago when MAME were trying to get the system emulated after the roms were decrypted they accessed a menu in the Security cart which indicated you could reflash things.

I think MAME accessed this by a wrong pointer in their emulated BIOS, not sure if you can still access it in MAME? It'd be interesting to explore it more though.

Maybe this menu works in conjunction with a different board that Capcom plug the cart into in order to reflash it, or it works on a regular CPS3 system with special CD / unknown commands / plug-in hardware to make it boot, who knows.

Last I heard was that Capcom Japan don't have any new security carts left so they just reflash the old one and send it out.

There are also some early revision PCBs floating around that have what appears to be an RS232 serial IO on the board and a Battery / SRAM under the plastic cover. Again the purpose of this is unknown and it could be a way of talking to the board or it could even be some kind of high-score / multi-link prototype that was unused.

I think we should lurk outside of Capcom Japan and bribe one of their techies with some money for insider information.

If Capcom ASIA are more relaxed with what they re-flash, couldn't we send a trojan horse type cart to be reflashed, one with an attached data-logging IC on all the address lines so we can see what they do to it? And a note saying 'do-not-remove' :lol:
 

Artemio

NEST Puppet
Joined
Feb 27, 2009
Posts
167
I quote myself from this thread at arcadeotaku: http://forum.arcadeotaku.com/viewtopic.php?f=26&t=8576

[...]although I have some technical knowledge, I am nowhere near the capacity of figuring this out myself. However I was looking into this issue because I imagined that maybe the CPS-3 hardware is capable of resurrecting carts if some files are present in a CD, with certain contents. This is pure speculation on my part of course.

What I did was decrypt the BIOS of some dumped carts using the MAME source code, and then proceeded to realign all the bytes in the BIOS to make the strings in the cart readable. I did this because of some information I found that they had found a hidden menu in CPS-3 carts. These are my findings (which of course the MAME team knows already)

Third Strike:
Code:
Apr 09 1999
17:01:36
(#)kernel 1.00e 1998/06/30 
(#)kernel: nothing task control block.
kernel: stack overflow in task.
RAM Over
[ PUSH 1P START TO MENU     ]
  ERROR: 11
  ERROR: 1X
  ERROR: 2X
  ERROR: 3X
  ERROR: 4X
  ERROR: 5X
  ERROR: 60
  http://www.capcom.co.jp/
                CO.,LTD. 1996,97,98
  http://www.capcom.com/
  http://www.capcomasia.com.hk/
 THIS SECURITY CASSETTE IS NOT PRODUCT VERSION
 THIS SECURITY CASSETTE IS NOT PRODUCT VERSION
 SCSI DEVICE IS NOT CONNECTED
    PUSH SHOT1 TO RETURN    
   .BMP
SHO.MCR
 RE.BIN
   READING BITMAP FILE...
  EXECUTING
  FILE NOT FOUND
 SIMM NOT FOUND
 ABORT    
 DONE     
 READING DISK...
               
READING DIRECTORIES...
DRIVE NOT READY                                       
    <DIR> 
   %y-%m-%d %H:%M
 ANALIZE MACRO ...
%d
end
..ERASING         ...
READING            
WRITING
SECURITY CASSETTE UTILITY MENU  Ver 2.00
 1. FLASH MEMORY
 2. DISK & FILES
 3. GAME BOOT
 4. EXIT
SELECT = 1P UP or DOWN
START  = 1P SHOT1
2 . D I S K   &   F I L E S
 VOLUME LABEL:
 PATH:
 ENTRIES
 EXIT = 1P START & SHOT1
 1. DISK DUMP
 2. EJECT MEDIUM
 3. DEVICE INFORMATION
1. EXECUTE AS MACRO
2. WRITE TO FLASH MEMORY
3. CHECKSUM
4. FILE DUMP
5. LOAD AS MS-BITMAP
1. ONBOARD
2. SIMM1
3. SIMM2
4. SIMM3
5. SIMM4
6. SIMM5
7. SIMM6
8. SIMM7
START OFFSET = 00000000
E X E C U T E   M A C R O
 FILENAME     SIMM   OFFSET   RESULT
  CANCEL = 1P START
 D I S K   D U M P
  BLOCK = XXXXXXXX  BLOCK SIZE = XXXXXXXX
 OFFSET    +0   +2   +4   +6  01234567
 DEVELOPER'S SECURITY CASSETTE UTILITY Ver 2.00a
 PROPERTIES             
   GAME: UNKNOWN
     CODE:
 STATUS:
1P START = NEXT MODE
BOARD
SIMM1  
SIMM2  
SIMM3  
SIMM4  
SIMM5  
SIMM6  
SIMM7  
???        
FUJITSU    
Intel/SHARP
HITACHI    
MXIC       
???    
ERASED 
WRITTEN
Now reading the CD-ROM. Please wait...
 ERROR: Unable to rewrite. Please try again.
If problem persists please contact Capcom
or your distributor.
There is not enough memory installed on the PCB.
Turn off power,
and install more memory before restarting.
The CD-ROM Drive is not properly connected.
Please turn the power off
and correct it properly.
Please keep in mind that loading
a new CD-ROM will erase the prior memory
and it will take about    minutes
to rewrite the new game.
Approximately    Min.    Sec.
before completing the procedure.
Now rewriting. Please wait...
 NOTE:
Please do not turn the power off at this time.
Rewrite the game
Cancel
You have inserted
You have inserted an invalid CD-ROM.
a CD-ROM of the updated version of the game.
Press 1P Start button to eject the CD-ROM.
Now loading the game.        
Please insert a valid CD-ROM.
CD-ROM cannot be found.
Now reading data.            
a new CD-ROM.
  Now ejecting the CD-ROM. Please wait...
Now erasing the prior memory.
32M
ERASING... 
RESTORE... 
WRITING... 
CHECKSUM...
           
READING... 
     sec. 

1 . F L A S H   M E M O R Y
 . OPERATION = 
BOARD :
SIMM1   :
SIMM2   :
SIMM3   :
SIMM4   :
SIMM5   :
SIMM6   :
SIMM7   :
 BANK XX   +0   +2   +4   +6   +8   0123456789
 EXIT = 1P START & SHOT1
ERASE ALL                
OVERERASE RESTORE        
WRITE TEST               
QUICK CHECKSUM           
QUICK CHECKSUM 32M ONLY  
QUICK CHECKSUM     (OLD) 
QUICK CHECKSUM 32M (OLD) 
CHECKSUM                 
CHECKSUM 32M ONLY        
PROGRAM SIMM COPY    1->2
DMA SOURCE SIMM COPY 3->4

FUJITSU          
  Intel/SHARP      
  HITACHI          
0123456789abcdef0123456789ABCDEF
CD001
@(#)screen library 0.17a 1998/07/03
cgram: loked
cspr: permission denied.
cspr: invalid cell.
@(#)switch library 0.02a 1998/09/18
0123456789abcdefghijklmnopqrstuvwxyz

Of special interest in that BIOS are the SHO.MCR and RE.BIN file names that the BIOS references. Of course it is unknown how to access this SECURITY CASSETTE UTILITY MENU Ver 2.00, if it is even accessible through our carts. Not to mention the DEVELOPER'S SECURITY CASSETTE UTILITY Ver 2.00a. It seems it can load BMPs and list the directory structure and files with dates from the CD, but there is not much more.

However, I did the same process with other carts.. and they don't have those menus at all. For instance, the first game being Red Earth only has:

Code:
:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
|%b %D %H:%M:%S %Y|%b %D %Y|&H:%M:%S
:Jan:January:Feb:Feburuary:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
%a %c
2:UTC:UTC:0
Day Mon dd hh:mm:ss yyyy
 RAM Over
 RESET ERROR
 RESET OK !!
FORCE REWRITE ALL            
FORCE REWRITE DMA SOURCE ONLY
  WAIT A MOMENT...
64M
32M
128M
PC RESET ERROR. TRY AGAIN
NOW READING...
SCSI HARDWARE ERROR
MEDIUM OR DRIVE NOT READY
REWRITE(1P SHOT1) OR REBOOT(1P SHOT2) ?
REWRITING... (HALT = 1P START)
       0%
 NOT FOUND
ERASING
       
             
	WRITING
VERIFY 
HALTED
     100%
COMPLETE
                                           
BINREAD.MCR
REWRITE MACRO-FILE ORDER
C P - S Y S T E M 
@CAPCOM CO., LTD. 1996 ALL RIGHTS RESERVED.
WELCOME TO CP-SYSTEM
 PCB SETUP
NORMAL REWRITE
ONBOARD D
SIMM1   P
SIMM2   P
SIMM3   D
SIMM4   D
SIMM5   D
SIMM6   D
SIMM7   D
SCSI DEVICE
PROGRAM ID
MEDIUM  ID
UNKNOWN          
FUJITSU          
4Intel/SHARP      
HITACHI          
MXIC             
HDD      
TAPE     
PRINTER  
PROCESSOR
WORM     
CD-ROM   
SCANNER  
MO       
CHANGER  
COMM     
NOT USE   
NEED 128MB
 NEED  32MB

   S Y S T E M   D E B U G G E R
MODE = REGISTERS & DISASSEMBLE
   R0   00000000  R1   00000000  R2   00000000
   R3   00000000  R4   00000000  R5   00000000
   R6   00000000  R7   00000000  R8   00000000
   R9   00000000  R10  00000000  R11  00000000
   R12  00000000  R13  00000000  R14  00000000
   SP   00000000  SR   00000000  GBR  00000000
   MACH 00000000  MACL 00000000  PR   00000000
TC PC   00000000
 Address  Code Nemonic                        
REBOOT = 1P START & 2P START
   MODE = SYSTEM INFORMATION
 BOOT ID:
COUNTRY:
  VERSION:
  ONBOARD:
  SIMM1  :
  SIMM2  :
  SIMM3  :
  SIMM4  :
  SIMM5  :
  SIMM6  :
  SIMM7  :
  GAME ID:
CLRT                    
   NOP                     
   RTS                     
   SETT                    
   DIV0U                   
   SLEEP                   
   CLRMAC                  
   RTE                     
   LDS.L   @m+,MACH        
   LDC.L   @m+,SR          
   LDS     m,MACH          
   LDC     m,SR            
   LDS.L   @m+,MACL        
   LDC.L   @m+,GBR         
   LDS     m,MACL          
   LDC     m,GBR           
   LDS.L   @m+,PR          
   LDC.L   @m+,VBR         
   LDS     m,PR            
   LDC     m,VBR           
   STC     SR,n            
   BSRF    n               
   STS     MACH,n          
   STC     GBR,n           
   STS     MACL,n          
   STC     VBR,n           
   BRAF    n               
   MOVT    n               
   STS     PR,n            
   CMP/PL  n               
   CMP/PZ  n               
   DT      n               
   TAS.B   @n              
   ROTL    n               
   ROTR    n               
   ROTCL   n               
   ROTCR   n               
   SHAL    n               
   SHAR    n               
   SHLL    n               
   SHLR    n               
   SHLL2   n               
   SHLR2   n               
   SHLL8   n               
   SHLR8   n               
   SHLL16  n               
   SHLR16  n               
   JMP     @n              
   JSR     @n              
   STC.L   SR,@-n          
   STC.L   GBR,@-n         
   STC.L   VBR,@-n         
   STS.L   MACH,@-n        
   STS.L   MACL,@-n        
   STS.L   PR,@-n          
   MOV.B   m,@(R0,n)       
   MOV.W   m,@(R0,n)       
   MOV.L   m,@(R0,n)       
   MUL.L   m,Rn            
   MOV.B   @(R0,m),n       
   MOV.W   @(R0,m),n       
   MOV.L   @(R0,m),n       
   MAC.L   @m+,@n+         
   MOV.B   m,@n            
   MOV.W   m,@n            
   MOV.L   m,@n            
   MOV.B   m,@-n           
   MOV.W   m,@-n           
   MOV.L   m,@-n           
   DIV0S   m,n             
   TST     m,n             
   AND     m,n             
   XOR     m,n             
   OR      m,n             
   CMP/STR m,n             
   XTRCT   m,n             
   MULU.W  m,n             
   MULS.W  m,n             
   CMP/EQ  m,n             
   CMP/HS  m,n             
   CMP/GE  m,n             
   DIV1    m,n             
DMULU.L m,n             
CMP/HI  m,n             
SUB     m,n             
SUBC    m,n             
SUBV    m,n             
ADD     m,n             
Q	wDMULS.L m,n             
ADDC    m,n             
|ADDV    m,n             
MAC.W   @m+,@n+         
MOV.B   @m,n            
)d MOV.W   @m,n            
iMOV.L   @m,n            
MOV     m,n             
XN^MOV.B   @m+,n           
MOV.W   @m+,n           
MOV.L   @m+,n           
*NOT     m,n             
SWAP.B  m,n             
SWAP.W  m,n             
lNEGC    m,n             
NEG     m,n             
EXTU.B  m,n             
AEXTU.W  m,n             
EXTS.B  m,n             
EXTS.W  m,n             
MOV.B   @(d,m),R0       
MOV.W   @(d,m),R0       
MOV.B   R0,@(d,n)      
MOV.W   R0,@(d,n)      
BT      d               
BF      d               
>L.BT/S    d               
UROBF/S    d               
NICMOV.B   R0,@(d,GBR)     
uMOV.W   R0,@(d,GBR)     
HARMOV.L   R0,@(d,GBR)     
CITMOV.B   @(d,GBR),R0     
TESMOV.W   @(d,GBR),R0     
   MOV.L   @(d,GBR),R0     
MOVA    @(d,PC),R0      
CMP/EQ  #i,R0           
TRAPA   #i              
TST     #i,R0           
AND     #i,R0           
XOR     #i,R0           
HECOR      #i,R0           
NG.TST.B   #i,@(R0,GBR)    
AND.B   #i,@(R0,GBR)    
 Y XOR.B   #i,@(R0,GBR)    
TIOOR.B    #i,@(R0,GBR)    
   MOV.L   m,@(d,n)        
MOV.L   @(d,m),n        
IMMBRA     d               
XX BSR     d               
  0MOV.W   @(d,PC),n       
RT MOV.L   @(d,PC),n       
 STADD     #i,n            
   MOV     #i,n            
   R0
HR10
CXXXXXXXX
   JAPAN   
_ASIA    
IMMEURO    
1->USA     
OURHISPANIC
OPYBRAZIL  
   OCEANIA 
   NORMAL VERSION        
7CHARACTER CHEK VERSION
APUBLICITY VERSION     
 LOCATION TEST VERSION 
0SHOW VERSION          
ERASING... 
RESTORE... 
WRITING... 
CHECKSUM...
           
READING... 
     sec. 
ANG        
0F L A S H   M E M O R Y   U T I L I T Y
RODOPERATION = 
ONBOARD :
SSIMM1   :
TSIMM2   :
 SIMM3   :
BSIMM4   :
2SIMM5   :
eSIMM6   :
eSIMM7   :
BANK XX   +0   +2   +4   +6   +8   0123456789
 EXIT = 1P START & SHOT1, REBOOT = 1P & 2P START
ERASE ALL                
icOVERERASE RESTORE        
viWRITE TEST               
viQUICK CHECKSUM           
geQUICK CHECKSUM 32M ONLY  
ioCHECKSUM                 
CHECKSUM 32M ONLY        
taPROGRAM SIMM COPY    1->2
hiDMA SOURCE SIMM COPY 3->4
                 
U FUJITSU          
ITIntel/SHARP      
1,HITACHI          
STMXIC             
S C S I   D E V I C E   U T I L I T Y
SCSI ID         = 1
DEVICE TYPE     =
REMOVABLE       =
ISO VERSION     =
ECMA VERSION    =
`ANSI VERSION    =
VENDER ID       =
PRODUCT ID      =
PRODUCT VERSION =
EXIT = 1P START & SHOT1, REBOOT = 1P & 2P START
Direct Access Device    
NsSequential Access Device
Printer Device          
o{Processor Device        
Write-Once Device (WORM)
CD-ROM Device           
Scanner Device          
Optical Device          
1-kMedia Changer Device    
Comminucation Device    
TFilesystem install failed
.Please reset this system
HF I L E   U T I L I T Y
VEXIT = 1P START & SHOT1, REBOOT = 1P & 2P START
HDD      
TTAPE     
ZPRINTER  
PROCESSOR
WORM     
CD-ROM   
SCANNER  
MO       
CHANGER  
COMM

Again another MCR file: BINREAD.MCR, these might be the MACROs referred in the text. It also has a debugger in there. That specific cart also has asm code as strings (!?)

No idea if that track would lead to something. I was looking to something more obvious. The files referenced gave me some hope at first, but in case those were used we would need to know the syntax used and how to access this menu (which don't point to using the files at all). I also tried disassembling the SH2 code in these, but I believe that someone with good knowledge is needed for that task and it might lead nowhere.

Anyway, I decided to share this info.


It must also be noted that there are different revisions of the board. We started documenting them on that thread as well and summarized them on this wiki page:

http://wiki.arcadeotaku.com/w/CPS3_board_models

I had (have) the hope that the earliest ones that have the battery and SRAM under that white piece of plastic (photo below, need to integrate that on the wiki) would be able to help on this. Those boards do have serial communications capabilities, but no more progress has been made on these efforts.

http://smg.photobucket.com/albums/v...arcade/CPS3/?action=view&current=DSC01178.jpg
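
The realignment and string-listing step described in the post above, as an added example that is not part of the original post and is not MAME code. It goes beyond the post by trying every byte order within 32-bit words, since the post does not say which layout the dumps had; the keyword list, the function names and the sample image (built from a few strings quoted above) are assumptions made for illustration, and the input is taken to be already decrypted.

```python
import itertools
import re

# Assumption: words an analyst would expect in a service or flash menu.
KEYWORDS = [b"SECURITY", b"UTILITY", b"CHECKSUM", b"READING",
            b"WRITING", b"REWRITE", b"ERASING"]

# Constructed sample: strings copied from the dumps quoted in the post,
# separated by non-text filler bytes standing in for code and data.
SAMPLE_STRINGS = [
    b"SECURITY CASSETTE UTILITY MENU  Ver 2.00",
    b"READING DIRECTORIES...",
    b"BINREAD.MCR",
    b"REWRITE MACRO-FILE ORDER",
]


def build_sample_image():
    """Return a small fake image in natural byte order, padded to 4 bytes."""
    filler = bytes([0x00, 0x9F, 0xE0, 0x0B])
    image = b"".join(filler * 3 + s + b"\x00" for s in SAMPLE_STRINGS)
    return image + b"\x00" * (-len(image) % 4)


def reorder(data, order):
    """Permute each 32-bit word: output byte i is input byte order[i]."""
    data = data[:len(data) - len(data) % 4]   # ignore a trailing partial word
    out = bytearray(len(data))
    for i, src in enumerate(order):
        out[i::4] = data[src::4]
    return bytes(out)


def score(data):
    """Count how many expected keywords appear intact in the image."""
    return sum(1 for word in KEYWORDS if word in data)


def find_byte_order(scrambled):
    """Try all 24 byte orders and return the one exposing the most keywords."""
    return max(itertools.permutations(range(4)),
               key=lambda order: score(reorder(scrambled, order)))


def extract_strings(data, min_len=6):
    """List runs of printable ASCII at least min_len bytes long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


if __name__ == "__main__":
    # Simulate a dump whose bytes are swapped within each 16-bit half-word.
    scrambled = reorder(build_sample_image(), (1, 0, 3, 2))
    order = find_byte_order(scrambled)
    print("byte order:", order)
    for text in extract_strings(reorder(scrambled, order)):
        print(text)
```

Printable-run counting alone cannot pick the byte order, because a permuted word is still printable; scoring on intact expected words is what separates the candidates.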
 

TerryMasters

Galford's Armourer
Joined
Apr 18, 2009
Posts
459
I had no idea about that earlier version, that's good stuff to know. You're right, it could be the key to all this along with 95682A-1 if anyone finds one (would have to be a Warzard/Red Earth most likely). I don't know if I can help - at worst I have the motive to try - but without those PDF documents I'm a fish out of water.
 

smkdan

Galford's Armourer
Joined
Dec 30, 2009
Posts
452
What would the SRAM onboard help with? The only use for something like that is to hold game settings that wouldn't fit on the EEPROM (also pictured there). Seems that Capcom thought the tiny storage offered by the EEPROM was enough and did away with it in future revisions. There's no reason to store anything related to solving this problem on that chip regardless.
 

Artemio

NEST Puppet
Joined
Feb 27, 2009
Posts
167
> What would the SRAM onboard help with? The only use for something like that is to hold game settings that wouldn't fit on the EEPROM (also pictured there). Seems that Capcom thought the tiny storage offered by the EEPROM was enough and did away with it in future revisions. There's no reason to store anything related to solving this problem on that chip regardless.

My only hope and line of thought, aside from documenting it, is the serial port and the possible implication of that SRAM with it. The only line of investigation after all.
 