New CPS-2 algo related discovery.
 
While playing around coding on a dead CPS-2 board I have today I found that the encryption algo is still fully in place even after the CPS-2 board has suicided. That said, on examining values the number do not match those of the expected game. This almost certainly confirms that their is only _one_ algo over all CPS-2 games with the only difference being key data (like Kabuki on CPS-1).
 
I passed some test code onto Charles MacDonald so that he can see the values he gets there on his dead SFA3 board. That should match what I see here and to be honest it looks just a formality. When you consider the watchdog on a suicide board is 0xFFFF,0xFFFF,0xFFFF (MOVE.L #$FFFFFFFF,$FFFF0000 will trigger it) it all starts to make sence.
 
There was a big debate over this going back to when we first broke past the protection. The worry voiced by some DEVs was that all boards would be needed again to get the algo for each game. This new discovery certainly confirms that once the algo is known for one game all the others can be brute forced using the XOR tables as templates.
 
As for figuring out the algo itsself whats needed now is a complete dump of tables (8gig) of the algo executing in this default state. Using this the algo should be easier to understand because any key data used for math should be 0xFFFF. I have quickly dumped a complete table for a couple of addresses and while it still looks a mess there are certinally more patterns compared to a normal game.

CPS-2 Rebirth !!!!
 
Well it's finally happened, suicide CPS-2 boards brought back to life FULLY by simply replacing program ROM's with a revised version. I still have things to iron out but to show its done look at the following AVI.
  CPS2-Rebirth.avi
I have also updated our suicide page with all the info on how to bring dead CPS-2 games back to life without the need to return them to Capcom. I wanted to be sure the fix worked on other dead boards apart from my own before I updated the page with all the info.

More good news on the suicide front, I'm now able to get everything working on all 3 of my dead boards apart from sprites and maybe EEPROM saving. Once I've worked out sprites it should spell the end of CPS-2 suicide.

I've spent the last few weeks looking at CPS-2 suicide and a couple of days ago I took a giant step closer... I have managed to get a dead board almost fully running again with absolutely no hardware modification apart from new program ROM's. Here's what works;

• 68000 - Running decrypted code 100%
• Gfx bg layers - All seem good
• Gfx sprites - Not working
• Sound - 100% working
• Inputs - All tested work so far
• Outputs - All tested work so far
• EEPROM - not tested yet

On the downside out of 3 dead boards I have only 1 achieves this result, the other 2 do show signs of life but no Gfx, Sound or Inputs at this point.
 
Sprites are currently my main concern because the Vram used gets allocated to a different region in the memory map that overwrites data held in the ROM region. Sprite ports also seem to either not to work or have moved to a different address space which I have not yet found. I have not been able to gets sprites to display onscreen.
 
More news as it happens.

Spending time working on The UNIVERSE BIOS.

Not alot has really been happening since the last update but in the last couple of weeks I have been looking at another unemulated system with a couple of other people (not CPS-3). Although the program data is encrypted in most games on the platform I have confirmed a way to dump it noncrypted. Good news indeed though its going to be a while yet before the system is fully emulated.

While I have no Metal Slug 3 cart I spent the last 2 days getting the banking system sussed on the data scrambled 'P' ROM version of Kof2000. It's now fully playable.
 
Mr. K. (Kawaks author) has worked with me very closely on both Garou & Kof2000, he deserves much credit too.

Our Garou work is now completed so one should expect a release very soon. Since NeoGeo 'C' ROM encryption is now known (thanks to Nicola S.) there is simply no point in us spending time on it, instead we'll work on Metal Slug 3 once I have a cart to work with.
 
As some Dev's will be aware there is 256k of data that seems to be missing from the scrambled P1 & P2 ROM's of these newer games. We can confirm this data IS NOT stored on P1 or P2, it is stored on the custom SMS chip. This chip also controls program ROM address / data line scrambling and the new banking system.

Garou is almost completed, all the banking looks to be done and only a few tile errors due to changes in the final released 'C' ROM's remain. It still needs some work and testing so don't expect a release just yet.
 
Once Garou is finished I'm going to spend some time looking at the 'C' ROM encryption, and after move onto CPS-3, or course CPS-2 work will continue also.

I have spent some time looking at NeoGeo 'C' ROM's. Basically all games looked at use the same decryption process for these ROM's (garou, kof99, and mslug3). Once the algo is known for one it can be used on the others to get decrypted gfx.
 
The stored tile format is different from the older NeoGeo games. The old system would have 1 tile stored in 2 'C' ROM's. The new system has 1 tile stored through all 8 'C' ROM's. This means there are either some line swaps through the 'C' ROM's or decrypted 'C' ROM's will not have tile data stored in the old format.

I have been looking at the tiles (graphics) in Garou and have found evidence that proves the missing S ROM data is stored within the C ROM's. I am basically able to display partial 16x16 tiles on the 8x8 layer which means the 8x8 data is coming from the 16x16 storage space.
 
What is interesting is the part of the 16x16 displayed on the 8x8 layer is entirely correct. This means 8x8 and 16x16 tiles are stored in the same format which is not the way it's stored in older games. It also means the stored tile format (encryption aside) is probably different from the normal NeoGeo standard.
 
In simple terms the encrypted KOF99 C ROM's will not contain data (in the same place) as the KOF99 prototype C ROM's once decrypted. Tiles displayed on screen are still the same in both though.

After Team Japump dumped the KOF99 P ROM's (the first people to actually do it off board to my knowledge) it turns out there was never any encryption on these new SNK carts in the first place. It looks more a simple case of line swapping, and of course the new banking system.
 
Garou will need its GFX dumping and decrypted before we can continue with it as tiles are in different locations compared to the prototype version. There is also more than 128k stored on what would be the S ROM.
 
We are now looking into at ways to get nonencrypted graphics off these boards.

We now have good P1 and P2 roms for arcade version of Kof99, but due to a nasty new banking system used on these boards data in the last meg of P2 is scrambled (as stored on ROM). The custom chips take the scrambled data and corrects it depending on the values it receives while running. Its very possible that all the new NeoGeo games use this system, even ones that arn't encrypted.

This is a bit of a draw back but nothing we can't handle.

The MVS hardware arrived today and I wasted no time in getting my trojan running on it (very easy). The data transfer protocol (sending non encrypted dumps to PC) is almost finished to, there were some problems at first but they're history now :) Just waiting on kof99 & garou now.

I'm still waiting for the NeoGeo Hardware to arrive but I've already started coding the custom NeoGeo BIOS needed. I'm using emulaion platforms to test my code, here's where I'm at so far (test mode triggers my code).
 
Main Menu.
 
Memory Viewer.
 
Dump Screen.
 
Verify Screen.
  Not much for me to do now accept to wait for the new hardware to arrive :))

Still no progress with getting any suicide CPS-2 boards running again but I haven't given up just yet.
 
I'm now going to spend a little time writing a trojan so we can dump the NeoGeo MVS encrypted P1 and P2 rom's. Our goal for now is to simply get correct arcade dumps of Kof99 and Garou. Once achieved we'll go on from there. This will not interfere with our releasing CPS-2 XOR's.

I killed my SFZ board the other day (cut out battery) in an attempt to bring it back to life. As yet no success but I'm still very hopeful.
 
What was interesting was the fact that the game DID still work with no battery attached for some time. In fact the board still worked after being LEFT OFF the 'A' board for over an hour. I suspect replacing CPS-2 batteries is allot less risky than people think, a simple cut out old and place in new should be safe enough. I will need to do more experimenting with to be sure it wasn't a one off.

We will now be concentrating on dumping older games and not spending time on breaking the encryption. Please read our statement on 07/01/0001 for more information.

Does anyone out there have a dead SFZ board (suicide) they would like to donate to us? We want to know if using non encrypted ROM's brings boards back to life.
 
I'm going to spend the next week or so tidying up my code and stuff. Then we will be looking into actually breaking encryption scheme. Stay tuned.