How Capcom's clever CPS2 Arcade Game Copy Protection stopped bootleg games | MVG

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments

I'd be pretty upset if I spent a couple grand on an arcade machine knowing that the whole thing would die if the battery died.

👍︎︎ 19 👤︎︎ u/enderandrew42 📅︎︎ May 23 2019 🗫︎ replies
Captions
[Music] since the earliest days of arcade games bootlegs have existed many arcade PCBs or printed circuit boards come with a manual outlining the schematics of the board and the chips this is mainly for arcade technicians to identify if there were any issues with the board's bootleggers would simply replicate as best they could the contents of the motherboard and the chips on the motherboard was simply dumped usually with a cheap EEPROM burner to this day bootlegs of arcade boards are rampant with the market flooded with them now you may ask why anyone would want to bootleg an arcade game well like most markets bootleggers wanted a cut of the profits and would try to sell these boards back to arcade operators and a cheaper price than the cost of an original there were other reasons for bootlegging of course if you have the expertise you could essentially make a copy of the game for yourself and replicate the arcade experience through it loggers would not only just make replicas of games however they went even further by altering game data sprite tile and code they were able to build new games based off the games that they were working with here's a few examples [Music] not only our arcade PCB bootlegs generally frowned upon the PCBs usually have many issues including poor sound graphical glitches and much more they also pose a greater risk of damaging the arcade cabinet if voltages on the boards were not regulated correctly in general most bootlegs are designed from cheaper parts and lots of guesses and corners were cut in order to get the games to run so we can conclude bootlegs are bad and arcade manufacturers wanted to put a stop to them so they started to implement copy protection and ROM encryption this was sometimes in the form of dedicated lockout chips that started to appear in PCBs these chips were custom and they were not easily dumped this meant that when bootleggers attempted to make a copy of the board the game would not run or just contain scrambled graphics other games were more creative on face value that they appeared to run fine but they were crippled in some way in 1985 Sega released hang on in the arcades which contained two motorola 68000 cpus the game contained encrypted row data which was controlled by the second 68000 if this was missing the track would contain no bends at all and completely kill off any incentive to play the game [Music] there are other examples be storm was released for the IGS PGM arcade hardware in 2001 while IGS PGM runs on a motorola 68000 some IGS PGM cartridges contain an arm 7 CPU and custom ASIC without these chips the enemies won't fire any bullets and the game is rendered unplayable but these methods were eventually bypassed and defeated too in some cases arcade games contain the same copy protection across different games so in this instance it's just a matter of using an original board that contained the protection and then burning EEPROM chips with a different game that used the same protection scheme this is what's known as a conversion rather than a bootleg although ROM encryption and different methods for protecting their games became commonplace arcade manufacturers were facing an uphill battle to stop the bootlegging of their games so they came up with new and interesting ways to stop hackers from getting access to game data encryption by itself usually wasn't enough in the mid 80s to store protected data arcade manufacturers started to utilize RAM chips wait a minute did I did I just say Ram chips a RAM chip stands for a random access memory chip when power is lost to this chip it also loses the contents of this data arcade manufacturers would store this data on a battery backup device if a bootleg was attempted the data in the RAM would get wiped and render the bootleg unusable a side-effect of this of course was when the battery would die after a few years of usage the game would stop dead in its tracks and this is the origins of the term suicide battery when we think of a suicide batteries it's easy to pin the blame on Capcom but Sega was actually the first to use them in 1987 they were being implemented in their system 16 arcade games Sega's method was to use a battery to backup the RAM that holds a table for decrypting the program roms to stop bootlegging they encased both the battery and the CPU in a little black epoxy block that plugs right into the CPU socket there were two versions of this as z80 block and a 68,000 block the z80 CPU was usually for the sound so if the battery died there would be no sound the 68000 however is the main CPU and when it's dead the game doesn't work at all in 1988 Capcom released arcade games on the C ps1 arcade hardware these were some of the best games ever developed and ones that frequent retro throwback collections that you see to this day the earlier games had no copy protection but by 1991 with games like king of the Dragons and The Punisher it utilized the suicide battery approach however the battery did not power a ram chip rather it powered a custom chip that displayed graphics for the game so when the battery died the graphics did not display correctly or at all but this method was easy to bypass by modifying a circuit to a battery less state see ps1 games were simple to revive with this method and there was no other protection in place at all and with this many C ps1 bootlegs flooded the market Capcom went back to the drawing board and came up with arcade hardware that would take many many years to defeat [Music] [Music] [Applause] [Music] in 1993 Capcom released the successor to the very popular and widely bootlegged CPS one known as CPS - or Capcom play system - hardware every single board utilized a suicide battery the CPS 2 came standard with very similar hardware to CPS one including the 68000 CPU running at 16 megahertz the seon CPU as a standard z80 at 8 megahertz the same CPS a and B graphics processes found in the CPS 1 were also implemented in CPS 2 and the Capcom custom QC on chip for DSP processing runs at 4 megahertz CPS 2 is capable of up to 900 sprites on screen at one time and ran at 384 by 224 with a 24-bit color palette with the hardware design Capcom was very much aware and learned it's lessons from CPS 1 bootlegging the main CPU was not exposed on the motherboard rather it was encrypted and embedded into the Capcom DL 1525 custom chip but this time rather than just use a simple protection system Capcom encrypted every single CPU instruction with a decrypted table stored in the battery backed up Ram once this battery runs out you guessed it the game is lost and the PCB becomes a paperweight replacing the battery won't help because the RAM is already cleared although widely criticized and heavy-handed this new method meant there were a total of 0 bootlegs or ROM hacks for the entire lifecycle of the hardware that is from 1993 to 2003 Capcom had finally beat the bootleggers so what we have here guys is the Capcom CPS to Marvel vs. Capcom game this is the original CPS 2 arcade board now unfortunately when we powered it up as you saw we've got a green screen on my arcade machine which is a sign that this board is completely dead the problem with the suicide battery-based see ps2 hardware is obvious once it dies it's dead forever this meant that arcade operators either had to be diligent in replacing batteries every few years themselves which in itself is no simple feat or they'd need to send the boards back to Capcom and for a fee Capcom would provide a new battery and restore the contents of the RAM and revive the board while all this was going on hackers were attempting to defeat the cps 2 encryption which was no simple feat if you attempted to even patch a single line of code it would result in a black screen it looked like capcom had won the battle but the war was far from over [Music] Capcom's biggest competition at the time was SNK and their Neo Geo arcade hardware when the Neo Geo home system the AES was released in 1991 capcom responded and developed their own home console known as the CPS charger it contained cut-down CPS hardware meant for the home and was an absolute failure but one of the CPS Charger games that came for the system was Street Fighter zero which was a back port of a/c ps2 game when the game was dumped it was quickly realized that this version of Street Fighter zero was decrypted and this meant that hackers could find important information and clues in the code that may help with the CPS to decryption effort the team known as CPS to shock made an important discovery Street Fighter zero has an internal debugger and it was determined that some memory ranges were not encrypted at all what this meant was a simple dumper program could be inserted into those blocks of code in 2001 the very first dump of the game Street Fighter zero was released to the public but this was not the end of the story this was the unencrypted dump that was extracted from the game the encryption method and the data stored in the backup Ram was still very much unknown and there was still no way to revive dead see ps2 boards that had suicided the unencrypted roms that were added to emulators such as final burn alpha and MAME but they still didn't work on real Hardware if you attempted to put the decrypted code on a Dead Sea ps2 board it would not boot and no one was really sure why but it wasn't long until this question was answered it was determined that when a see ps2 board lose its it's protected Ram and the decryption table is erased the memory address locations for both graphics and sounds are different and when patching them will revive the board this is the basis of what's known as the Phoenix Edition ROM sets a patched a set of C ps2 roms useful for reviving dead see ps2 boards these Phoenix roms also include extra features including a jukebox and the ability to change the region of the game easily phoenix drums were also quite controversial in the scene as the developer roseola who discovered how to revive dead cps two boards would charge a fee for this many argued that it was no different than Capcom charging for their revival service Phoenix edition roms also change some code which was argued that may provide a different gameplay experience but overall Phoenix edition roms was exactly what the arcade scene needed finally all cps two boards could be revived so now we can preserve all cps two games by dumping and patching decrypted sets and using phoenix roms but the cps 2 encryption as of 2001 was still unknown it wasn't until six years later in 2007 when the encryption algorithm was cracked by utilizing advanced mathematical techniques and custom hardware it was determined that the algorithm used was a feistel cipher and a 64-bit key this meant that the now dead cps 2 boards could be revived without resorting to decrypted or Phoenix Edition sets although the encryption method was discovered it was still unclear as to how capcom would revive dead cps 2 motherboards but in April of 2016 Artemio Urbina in court and Eduardo Cruz successfully made this possible they were able to reverse and D suicide any dead capcom cps two motherboard without any hardware modifications in fact methods using simple Arduino devices can now revive NEC ps2 game and even simpler methods are out there today including the Infinity which will permanently revive any dead see ps2 boards ultimately Capcom learned from their failures with protection on the cps one board and from super street fighter 2 in 1993 to hyper street fighter 2 in 2003 and all the way up to 2007 the capcom cps 2 encryption method stood firm as one that could not be defeated and although weaknesses were found in the code and data to ultimately allow for other methods of running these games capcom had successfully stopped the bootleggers in their tracks so there you have it guys that's the story of the capcom cps 2 arcade hardware protection it's an awesome feat that Capcom was able to keep the encryption intact for such a long time before it was finally defeated now the good news is we can revive NEC ps2 arcade bored out there and that means that things like preservation and emulation really is very important in this day and age especially considering that arcade hardware over time slowly starts to fail on you so it's really good to see that we can actually revive these particular boards now before I go guys there are a lot of people I need to give credits to so I'm going to leave every single person that is involved in the CPS 2 decryption and the whole kind of timeline of this in the comments below because this was not a single person or group of people that made these discoveries it was a lot of different people over many different years and I really think it's important to thank everyone that was involved in this whole process well guys that will do it for this video thank you so much for watching if you liked this video you know what to do give me a thumbs up and as always don't forget to Like and subscribe and I'll catch you guys in the next video bye for now [Music]
Info
Channel: Modern Vintage Gamer
Views: 901,076
Rating: undefined out of 5
Keywords: capcom, cps2, arcade, arcade games, copy protection, marvel vs capcom, cps1, sega, system 16, mvg, modern vintage gamer, arcade bootlegs, jamma, roms, emulators, mame, final burn alpha, cps2 phoenix, arcade drm, street fighter 2, rainbow edition street fighter 2, street fighter, classic games, games, retro, final fight, pcb, video game, arcade game
Id: vCtXZM8iG-o
Channel Id: undefined
Length: 14min 30sec (870 seconds)
Published: Mon May 20 2019
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.