In September of 1996, after numerous delays, the Nintendo 64 was launched in North America to critical acclaim. The Super Nintendo, towards the end of its life, was starting to feel a little dated. With games like Killer Instinct coming to the arcades, the Super Nintendo version was impressive, but its lack of 3D was starting to show. The Nintendo 64 was the system that brought 3D into the household. It came stock with impressive hardware, all thanks to the Reality Coprocessor chip, something that you would normally spend hundreds of dollars on for a 3D effects card on your PC. But somehow, it was all squeezed into a small motherboard, and for only 199 US dollars. Nintendo invested heavily in the hardware, even with the decision to stick with cartridges. While initially proving unpopular, especially compared to the Sony PlayStation and Sega Saturn, it ended up being the right move for Nintendo at the time. But what about security? The Super Nintendo was one of the most pirated game consoles going around. You could easily buy a disk copier like an MGD2 or a Super WildCard, connect it up and play games from floppy disks, or you could even rent and borrow games from your local Blockbuster and dump them to disk. The Super NES used a CIC lockout chip, just like the original NES. Every licensed game cartridge would contain this chip, and there would be an identical one on the console. Both CIC chips would communicate with each other in step to validate that the game being played was not a bootleg. The concept goes back to the early 80s. The same CIC lockout paradigm was used on the NES. However, the chip could be circumvented simply by disabling the circuit.
On the NES, developers did not only rely on the CIC to protect their games; they added additional protection checks around SRAM and other measures. But in the end, while these measures were a minor deterrent, expert crackers knew how to defeat all of the different anti-piracy measures, and games were uploaded to FTP sites worldwide. Nintendo knew that they had a fight on their hands with the Nintendo 64. The Super NES was widely pirated as a console: with a simple disk copier that connected into the cartridge port, you were able to rip your games pretty easily. So with the Nintendo 64, Nintendo decided to use a more sophisticated approach, but they didn't really deviate too far from the approach on the Super Nintendo and the NES before it, and continued to stick with the CIC security lockout chip on the Nintendo 64. The Nintendo 64 carried over the CIC chip from the NES and Super NES, and you're probably wondering: "Why would they have done this, considering it's easy to circumvent the protection?" Nintendo knew that CIC chips were easy to bypass, so they came up with a more sophisticated method for the Nintendo 64. Each game cartridge still uses a custom CIC chip, but this time around, on the console motherboard, there is no matching chip. Rather, the CIC from the cartridge communicates with a chip known as the "Peripheral InterFace bus", or "PIF". The PIF has a few uses: it contains the IPL, or Initial Program Loader, or boot code. In other words, when the Nintendo 64 is turned on, the boot code from the PIF is executed first. The PIF also handles inputs from peripherals such as the controllers, but its main use is security, where it manages region protection and anti-tampering. This time around, the CIC and the PIF do not communicate in step, so there's no easy way to just disable the circuit. If you attempt to do that, the game will simply not boot.
In fact, when game copiers and backup devices were released for the Nintendo 64, they all relied on the use of an original cartridge for its CIC chip to interface with the PIF. There was no easy method of booting anything on the N64 without a CIC. Even as late as 2014, with the arrival of Everdrive 64 cartridges, the Everdrive 64 would require a donor CIC chip that was taken from an original game to work correctly. Just like with the NES and Super NES CIC chips, on the Nintendo 64 at the time there was no known way to crack the protection. But more on that later. To add further complexity, there were multiple CIC chips, with a total of 5 different variants across both PAL and NTSC. The CIC-6102 is considered the standard chip for the majority of games, but not all. This meant that if you owned a backup device and used a donor cartridge with a 6102, but wanted to play Star Fox 64, which used a 6101, it simply would not work. Like any computer program or game console, the Nintendo 64 has an address location in memory where the boot process starts. This is known as the "Entry Point", or "Boot Vector". And it's located on the N64 at this hexadecimal location. To add further complexity, two variations of the CIC chip would also relocate this Entry Point as an additional security measure. Just like in the days of the Super Nintendo, the CIC lockout chip wasn't always enough protection for some developers. And in the case of Rare, they added additional protection to games like Donkey Kong Country 2 and 3, as well as Killer Instinct, with some additional checks around SRAM. On the Nintendo 64, things were quite similar. Although a backup device required an original cartridge with a CIC chip in place in order for that chip to communicate with the PIF chip, companies like Rare decided to add some additional checks in some of their games to stop pirates from ripping their games, spreading them around and leaking them onto the Internet.
Just like on the Super NES, second-party developer Rare began to incorporate additional security checks in order to make life difficult for pirates. Rare knew that adding a donor CIC on a backup device would work around pretty much any issue. So additional checks were added into the code. Donkey Kong 64 was one such game. It used a 6105 CIC chip in North America, which was only used by a handful of other games. We mentioned earlier that any backup device would require a donor CIC chip, such as the 6102, which was the most popular and commonly used. However, the game would still boot and play if it detected a 6102, but at random points during the game, it would erase all save data. Jet Force Gemini was another title that used this stealth approach. It also contained a 6105. And if it detected a different variant of CIC chip, during the game all of the weapons were disabled and you could not run at full speed. But even with this, the security on the Nintendo 64 stood firm for years, with only a very small handful of unauthorized, or bootleg, cartridges ever released. So this is my early Everdrive 64 cartridge, and this one has the 6102 CIC chip. And as you can see, when I play Jet Force Gemini, the anti-piracy is triggering here. You can see that it's running slow, and I cannot shoot with my character. Although there were ways to bypass security on the Nintendo 64, for over 20 years the CIC chip stood firm and was not yet defeated. Now, you could argue that, well, it was easy enough just to bypass it, from the earliest Dr. V64s all the way up to the earliest, or the first, revisions of the Everdrive cartridges, simply by providing a donor CIC chip, and that will certainly get you around the security mechanism. But what was not yet really understood was what the program code was doing inside the CIC chip.
And that was all the way up to the early 2010s, when some smart security researchers decided to take a look at the internal workings of the CIC chip on the Nintendo 64 by utilizing sophisticated decapping techniques. As with most security systems, hackers were curious and wanted to learn the secrets of the CIC chip on the Nintendo 64. The code itself was not accessible. And if you attempted to capture the data between the chip and the PIF, it would just send back and forth a random stream of bytes. On the NES, a lucky break was discovered when a debug line was located on the clone Tengen RABBIT chip, which exposed the inner workings of that chip. But on the Nintendo 64, there is no easy way of dumping the chip other than a process known as "decapping". Still, this did not deter people. Emulation also played a huge part. The popular emulator Project64 contained these challenge-response data calls returned from the CIC. This enabled games like Banjo-Tooie and Jet Force Gemini to bypass their anti-piracy. From this data alone, hackers were able to reverse-engineer the algorithm for the 6105 chip, which meant that emulators could now boot these ROMs and make them playable. In 2015, security researchers Mike Ryan, John McMaster and Marshallh worked together to expose the inner workings of the CIC and PIF chips. The method was to decap both chips and understand their inner workings. It was revealed that both chips contain Sharp SM5 4-bit microprocessors, and from here, they were able to learn the challenge-response flow between the two chips. At a high level, it works something like this: when the Nintendo 64 is powered on, and assuming that there is a working cartridge in place, the PIF sends a random set of values to the CIC, the CIC then sends a response back, and the sequence continues back and forth until the power on the N64 is turned off. This means that a swap trick approach won't work. A valid CIC must always exist and interface with the PIF.
The PIF contains a small area of RAM that contains code. This code is used to determine the checksum and region from the CIC. This information is sent back to the PIF, and if it doesn't match what's expected, then the game is locked out. If it all matches up, then the PIF sends data back to the CIC and lets it know that all is good, and the main game then boots up, but as mentioned earlier, the communication between the PIF and the CIC never stops. Once the chips were decapped, the program code was able to be extracted. With this information, an SM5 emulator was developed on a PC. And with some trial and error over time, the team was able to reproduce the algorithm for the 6105. There were also some interesting things discovered. The checksum that is generated by the CIC at boot time is encoded by the PIF with a key that is random, based on delay. It was also discovered that the encryption key used to decode the seed data from the CIC is always 0xB5. And with all this discovery and breakthrough, the ultimate goal was to open-source these findings, and that's exactly what happened. The UltraCIC clone chip was developed, which replicates the CIC copy protection and can be burned onto a PIC16F1613 microcontroller. These cloned chips meant that SD-based cartridges like the Everdrive 64 would no longer require the use of original CIC chips that were removed from other games. The UltraCIC is now a standard with all Everdrive cartridges and aftermarket homebrew cartridges. And with the current version III model, they are able to detect the region of the game and automatically switch to that region. In the past, the region needed to be set on the board itself. So in conclusion, did Nintendo really stop piracy on the Nintendo 64? In many ways, no, they didn't. Recall that the earliest emulator, UltraHLE, was released in 1999. Since that time, Nintendo 64 emulation has always been improving. There were also backup copiers.
They weren't cheap, however, and required you to use an original game. And hopefully, you would have one with the CIC that was compatible with the majority of games. On the other hand, Nintendo all but stamped out the unlicensed bootlegs of their games with this hardware. And it wasn't until over 20 years later that the chip was cloned and made available to the public. Whichever way you believe to be true, it's an amazing feat that Nintendo stuck with the same security method and the same Sharp 4-bit CPU CIC chips for three generations of their console, something that we will most likely never see happen again. So, there you have it, guys, that is the anti-piracy system on the Nintendo 64, not really a huge deviation from the Super Nintendo. But the PIF chip inside the system was just a little more sophisticated overall, and it really stopped the flow of unlicensed bootlegs when the Nintendo 64 was being sold on the shelves in the late 90s. Now, in this day and age, it's very easy to buy, you know, reproduction cartridges, ROM hacks, all sorts of stuff like that, which I think is a really cool thing. But back in those days, Nintendo certainly did not want any unauthorized resellers selling ROM hacks, or bootlegs, back in the stores. And the CIC chip really stood firm for the duration of the life cycle of the N64, and that is a really good thing to see. It lasted for over 20 years, until, you know, the decapping methods came along in the early-to-mid 2010s. And finally, we learnt the secrets of the CIC chip and were able to essentially just, you know, clone the chip and then use that in things like the Everdrive cartridge and any aftermarket bootlegs and ROM hacks and things that are being sought by, you know, third-party resellers. So guys, let me know what you thought about this video in the comments below. If you liked it, you know what to do: leave me a thumbs up.
And as always, don't forget to like and subscribe, and I'll catch you, guys, in the next video. Bye for now. [Subtitles by: Sashabox Entertainment]
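An added example, not code from the video or from any of the projects it mentions: the bookkeeping a ROM loader (emulator or SD cartridge) has to do before boot for two points made above, namely working out which CIC variant a game expects from a checksum of its IPL3 boot code, and applying the entry-point relocation for the two variants that move the boot vector. The CRC-to-variant table, seed bytes, byte-order magic values and the +0x100000/+0x200000 shifts are the publicly documented values used by N64 emulators, not figures from the video; the sample header is constructed.

```python
import struct
import zlib

# IPL3 CRC32 -> (CIC variant, boot seed byte). Publicly documented emulator values, not from the video.
CIC_BY_IPL3_CRC = {
    0x6170A4A1: ("6101", 0x3F),   # e.g. Star Fox 64 (NTSC)
    0x90BB6CB5: ("6102", 0x3F),   # the "standard" chip most games use
    0x0B050EE0: ("6103", 0x78),
    0x98BC2C86: ("6105", 0x91),   # Donkey Kong 64, Jet Force Gemini
    0xACC8580A: ("6106", 0x85),
}
# The two variants that relocate the entry point, and by how much.
ENTRY_SHIFT = {"6103": 0x100000, "6106": 0x200000}
Z64_MAGIC = b"\x80\x37\x12\x40"   # big-endian image, the byte order the console sees

def to_big_endian(rom: bytes) -> bytes:
    """Normalise .v64 (16-bit byteswapped) and .n64 (32-bit little-endian) dumps to .z64 order."""
    if rom[:4] == Z64_MAGIC:
        return bytes(rom)
    if rom[:4] == b"\x37\x80\x40\x12":   # .v64: swap each byte pair
        return b"".join(rom[i + 1:i + 2] + rom[i:i + 1] for i in range(0, len(rom), 2))
    if rom[:4] == b"\x40\x12\x37\x80":   # .n64: reverse each 32-bit word
        return b"".join(rom[i:i + 4][::-1] for i in range(0, len(rom), 4))
    raise ValueError("not an N64 ROM image: magic %r" % bytes(rom[:4]))

def detect_cic(rom: bytes) -> str:
    """Name the CIC a big-endian ROM expects from its IPL3 checksum, or 'unknown'."""
    crc = zlib.crc32(rom[0x40:0x1000]) & 0xFFFFFFFF
    return CIC_BY_IPL3_CRC.get(crc, ("unknown", None))[0]

def entry_point(header_entry: int, cic: str) -> int:
    """Real boot vector: the header value, shifted for the two relocating variants."""
    return (header_entry + ENTRY_SHIFT.get(cic, 0)) & 0xFFFFFFFF

def boot_info(rom: bytes) -> dict:
    """Fields a loader needs before handing control to IPL3 (country byte gives the region)."""
    rom = to_big_endian(rom)
    if len(rom) < 0x1000:
        raise ValueError("image too short to contain IPL3")
    header_entry = struct.unpack(">I", rom[0x08:0x0C])[0]
    cic = detect_cic(rom)
    return {"country": chr(rom[0x3E]), "cic": cic,
            "header_entry": header_entry, "entry_point": entry_point(header_entry, cic)}

def sample_rom() -> bytes:
    """Constructed 4 KiB .v64-ordered header (entry 0x80000400, country 'E', zeroed IPL3): no real CIC matches."""
    hdr = bytearray(0x1000)
    hdr[0:4], hdr[0x08:0x0C], hdr[0x3E] = Z64_MAGIC, struct.pack(">I", 0x80000400), ord("E")
    return b"".join(hdr[i + 1:i + 2] + hdr[i:i + 1] for i in range(0, len(hdr), 2))
```

A loader that takes the header entry point at face value for a 6103 or 6106 game jumps 1 or 2 MiB short of the real boot vector, which is the practical effect of the relocation the video mentions.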
Been loving MVG's historical focus lately. Even when the technical specifics go over my head he has such a clean presentation and he's so passionate about it. Also he got me started on my emulation addiction.
I love MVG's videos. He's good at explaining the technicalities in an understandable way, and the video topics are so engaging.
I love technical writeup videos like this. Especially MVG's videos which have popped up for me the past year. They're always interesting!
Can also recommend Retro Game Mechanics Explained which has just been a plethora of entertaining brain food the past years.