2010-07-06

Luca Elia WIP - IGS011/IGS012 Protection (2010-07-04)

I've improved igs011.c by emulating the protection in the IGS011 and IGS012 chips. No new games are working because of this, but the result is a more faithful emulation and understanding of how their hardware really works.

Initially I used ROM patches to completely bypass the protection checks, in order to concentrate on the rest of the hardware. So now I could remove around 150 of those patches (if you notice new bugs, as always, please report on MAME Testers).

These games are protected in several ways, to prevent bootlegging of the hardware or running new games on old hardware:

Encryption - A per-game scrambling of the address lines plus an address-based XOR that affects the program ROMs and, in some games, the graphics ROMs too. This was already taken care of (mostly by other people, except for one game).
IGS011 - This is the graphics chip, but it has some built-in protection as well. The addresses where the protection is mapped change per game, but it turns out there's a register controlling the range to use. So in theory it's a dynamic thing, even though in practice the games set it once and for all at boot time, and thus use a fixed range. The protection involves an internal value that can be incremented or decremented by writing to the above address range. It can also be transformed through boolean functions, and the result goes to a second value, which can then (or later) be written back to the main protection value. The main value is read back through a further boolean function, and that result is checked for correctness throughout the game code.

IGS011? - A second protection is present in nearly all games. It's almost identical to the above IGS011 protection, with these differences: it uses a fixed address range (i.e. it can't change at run time, even though it changes per game); it has no second value (the boolean functions affect the main protection value directly); and the functions to transform and read the protection value are different for each game and revision (unfortunately).

IGS012 - This has no other purpose than protection, and it works similarly to the IGS011 protection. An internal value can be incremented or decremented, and its bits can be transformed through boolean functions using a second value as a buffer. A further boolean function of the protection value is then checked from time to time. The chip is mapped in memory at a fixed address range, but with mirroring. In addition, it's possible to toggle the mapping between two address ranges. It turns out that many games where these protection checks were patched out never actually run those checks, as the IGS012 chip is missing from their boards. For instance, Dragon World versions 1, 3 and 4 are not protected while version 2 is, but they all contain the checks.

IGS003 - This is the chip used for I/O handling. It contains an 8255 programmable peripheral interface, plus a simple protection that returns a fixed string from some additional registers. In some games, however, it also returns a parametric boolean function that I haven't bothered to understand yet. So ROM patches are still in place to bypass these checks in some games (lhb2, vbowl). Note that sometimes the chip is replaced by a plain 8255 (e.g. in lhb) and, indeed, no protection checks are run in those cases.

Note that it is possible to emulate this kind of protection device by inspecting the game code and reproducing what the 68000 CPU does in a few lines of C code in MAME. This is unlike chips that independently perform complex tasks, such as part of the game logic. Those cases usually involve a microcontroller (MCU) with undumpable internal ROM. Those can't be easily reverse engineered (if at all), and that's when decapping is the only viable option.
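The following C model is an added illustration of the IGS011/IGS012-style state machine described above; it is not code from igs011.c or from Luca Elia. It keeps only the structure the text describes: a value that address-triggered writes increment or decrement, a transform into a buffer value, a copy back, and a masked read that the game code compares against a constant. Everything else is an assumption made for the example: the register offsets, the two boolean functions (f_xform, g_read), the existence of a toggle register inside the range, the mirror-mask decoding, and the base addresses. The real functions and offsets differ per game and revision.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of an IGS011/IGS012-style protection block (added illustration, not
 * MAME's igs011.c). One state machine covers both flavours: the IGS011 style
 * has a movable range set once at boot; the IGS012 style sits at a fixed
 * range, mirrored, and can be toggled between two ranges. The register
 * offsets and the two boolean functions below are placeholders chosen for
 * this example; the real ones differ per game and revision. */

enum {
    OFF_INC    = 0x0,  /* write: prot++                          */
    OFF_DEC    = 0x2,  /* write: prot--                          */
    OFF_XFORM  = 0x4,  /* write: prot2 = f(prot)                 */
    OFF_COPY   = 0x6,  /* write: prot  = prot2                   */
    OFF_TOGGLE = 0x8,  /* write: switch to the other range (assumed) */
    OFF_READ   = 0xa,  /* read:  g(prot), the value the ROM checks */
    RANGE_LEN  = 0x10
};

typedef struct {
    uint32_t base[2];     /* candidate ranges (IGS011 flavour uses base[0] only) */
    int      sel;         /* active range index                                  */
    uint32_t mirror_mask; /* address bits ignored by the decoder (mirroring)     */
    uint8_t  prot;        /* main protection value                               */
    uint8_t  prot2;       /* buffer value (the "second value")                   */
} prot_unit_t;

/* Placeholder transform: swap nibbles, flip bit 0. */
static uint8_t f_xform(uint8_t v) { return (uint8_t)(((v << 4) | (v >> 4)) ^ 0x01); }
/* Placeholder read function: the ROM never sees prot itself, only g(prot). */
static uint8_t g_read(uint8_t v)  { return (uint8_t)((v ^ 0x5a) & 0x3f); }

/* The "range register" of the IGS011 flavour: games write it once at boot. */
void prot_set_range(prot_unit_t *u, uint32_t base) { u->base[0] = base; u->sel = 0; }

/* Address decode: strip mirror bits, then test against the active range.
 * Returns 1 and the register offset if the access belongs to this unit. */
static int prot_decode(const prot_unit_t *u, uint32_t addr, uint32_t *off)
{
    uint32_t a = addr & ~u->mirror_mask;
    uint32_t b = u->base[u->sel];
    if (a < b || a >= b + RANGE_LEN) return 0;
    *off = a - b;
    return 1;
}

/* Write side. The data bus value is irrelevant here: the address does the work. */
int prot_write(prot_unit_t *u, uint32_t addr)
{
    uint32_t off;
    if (!prot_decode(u, addr, &off)) return 0;
    switch (off) {
    case OFF_INC:    u->prot++;                   break;
    case OFF_DEC:    u->prot--;                   break;
    case OFF_XFORM:  u->prot2 = f_xform(u->prot); break;
    case OFF_COPY:   u->prot  = u->prot2;         break;
    case OFF_TOGGLE: u->sel  ^= 1;                break;
    default:         break;   /* other offsets in the range: no effect */
    }
    return 1;
}

/* Read side: only OFF_READ is meaningful; other offsets return 0xff in this model. */
int prot_read(const prot_unit_t *u, uint32_t addr, uint8_t *out)
{
    uint32_t off;
    if (!prot_decode(u, addr, &off)) return 0;
    *out = (off == OFF_READ) ? g_read(u->prot) : 0xff;
    return 1;
}

/* What the 68000 code does at a check point: a fixed pattern of writes, then
 * a compare of the read-back against a constant baked into the ROM. Returns 1
 * if the check passes. Pattern here: 5 increments, 2 decrements, transform, copy. */
int game_check(prot_unit_t *u, uint32_t base, uint8_t expected)
{
    int i; uint8_t got = 0;
    for (i = 0; i < 5; i++) prot_write(u, base + OFF_INC);
    for (i = 0; i < 2; i++) prot_write(u, base + OFF_DEC);
    prot_write(u, base + OFF_XFORM);
    prot_write(u, base + OFF_COPY);
    prot_read(u, base + OFF_READ, &got);
    return got == expected;
}

int main(void)
{
    /* IGS011 flavour: range chosen at boot, no mirroring. From prot = 0 the
     * pattern above yields prot = 0x31 and g(0x31) = 0x2b. */
    prot_unit_t igs011 = {{0, 0}, 0, 0, 0, 0};
    prot_set_range(&igs011, 0x838000);
    printf("igs011 check: %s\n", game_check(&igs011, 0x838000, 0x2b) ? "ok" : "FAIL");

    /* IGS012 flavour: two fixed ranges, bits 12-15 mirrored, then a toggle. */
    prot_unit_t igs012 = {{0x800000, 0x900000}, 0, 0x00f000, 0, 0};
    printf("igs012 mirrored check: %s\n", game_check(&igs012, 0x805000, 0x2b) ? "ok" : "FAIL");
    prot_write(&igs012, 0x800000 + OFF_TOGGLE);
    printf("old range decoded after toggle: %d\n", prot_write(&igs012, 0x800000 + OFF_INC));
    return 0;
}
```

Two things the model makes visible that the prose only implies. First, the value the ROM reads depends on the whole history of writes since reset, so running the same check sequence twice yields different results (0x2b, then 0x18 with these placeholder functions); an emulation therefore has to carry the state across checks rather than return a constant. Second, mirroring and the range toggle are purely a decoding matter: the same state machine sits behind whichever addresses currently decode to it, and accesses to the range that is no longer selected fall through as if the chip were not there.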

Thanks to f205v for PCB infos and pictures.




Source: www.lucaelia.com/mame.php
