Difference between revisions of "FD1094"

From Sega Retro

 
(9 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{sub-stub}}
+
{{cleanup}}
The '''FD1094''' (also labeled '''FD1089'''; the differences are unknown) is a [[MC68000]] clone manufactured by [[Hitachi]] for use in [[Sega]] arcade games. The FD1094 is one of the earliest(?) and most infamous examples of a battery being used in a copy protection chip.
+
{{ICBob
 +
| image=FD1094.jpg
 +
| title=
 +
| designer=
 +
| date=
 +
}}
 +
The '''FD1094''' (also labeled '''FD1089'''; the differences are unknown) is a [[MC68000]] clone manufactured by [[Hitachi]] for use in [[Sega]] [[arcade]] games. The FD1094 is one of the earliest(?) and most infamous examples of a battery being used in a copy protection chip.
  
 
In the FD1094, opcodes and opcode data are encrypted individually, and regular opcodes and opcodes in interrupt vectors are also encrypted differently. The encryption is done using battery-backed SRAM stored within the chip — the lowest RAM locations are used for decryption, while the rest store the encryption key. There is no protection from opening the chip; merely removing the battery or letting it die will kill the SRAM contents, rendering the game unbootable.
 
In the FD1094, opcodes and opcode data are encrypted individually, and regular opcodes and opcodes in interrupt vectors are also encrypted differently. The encryption is done using battery-backed SRAM stored within the chip — the lowest RAM locations are used for decryption, while the rest store the encryption key. There is no protection from opening the chip; merely removing the battery or letting it die will kill the SRAM contents, rendering the game unbootable.
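Review bot: the {{ICBob}} infobox added at the top of the article sets only image=; title=, designer= and date= are all added empty. Fill in the values that are known or drop the unused parameters so the box does not render blank rows. The lead paragraph is re-added with the unresolved "earliest(?)" still in place, which the new {{cleanup}} tag flags but does not fix.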
Line 7: Line 13:
 
  cmpi.l #$00xxFFFF,d0
 
  cmpi.l #$00xxFFFF,d0
 
where xx is the encryption state.
 
where xx is the encryption state.
 +
 +
In addition, the chip disables the pc-relative addressing modes (d16(pc) and d8(pc,xN.w/.l)). According to the MAME source, the pc-relative modes would make it easier to dump the unencrypted data somehow (TODO).
  
 
It is possible for someone who owns a FD1094-based game to replace the battery, and several decrypted versions of games exist. As decryption is determined during program execution, it is difficult to decrypt games without analyzing the code.
 
It is possible for someone who owns a FD1094-based game to replace the battery, and several decrypted versions of games exist. As decryption is determined during program execution, it is difficult to decrypt games without analyzing the code.
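Review bot: the added pc-relative paragraph attributes its rationale to "the MAME source" but ends in "somehow (TODO)", so it asserts a reason it cannot yet explain and gives the reader nothing to check. Link or quote the specific comment in the MAME file, or cut the sentence back to the plain fact that d16(pc) and d8(pc,xN.w/.l) are disabled until the reason is written up.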
Line 13: Line 21:
 
:''TODO''
 
:''TODO''
  
==External Links==
+
==External links==
*[http://mamedev.org/source/src/mame/machine/fd1094.c.html MAME FD1094 decryption source]
+
*[https://github.com/mamedev/mame/blob/master/src/mame/machine/fd1094.cpp MAME FD1094 decryption source]
 
*[http://cgfm2.emuviews.com/fdconv.php Charles MacDonald's FD1094 information page]
 
*[http://cgfm2.emuviews.com/fdconv.php Charles MacDonald's FD1094 information page]
*[http://www.arcadecollecting.com/dead/dead.html Information (and partial list) from The Dead Battery Society (scroll down past Capcom)]
+
*[http://www.arcadecollecting.com/dead/dead.html Information (and partial game list) from The Dead Battery Society (scroll down past Capcom)]
 +
 
 +
==References==
 +
<references />
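Review bot: the replacement MAME link points at blob/master, which follows the branch and will change or break if fd1094.cpp is moved or rewritten; a commit-pinned permalink would keep the citation stable. The same hunk adds a ==References== section with <references />, but no <ref> tag appears in the visible lines, so the section will render empty unless a citation is added in the body.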

Latest revision as of 12:31, 19 October 2017


The FD1094 (also labeled FD1089; the differences are unknown) is an MC68000 clone manufactured by Hitachi for use in Sega arcade games. The FD1094 is one of the earliest(?) and most infamous examples of a battery being used in a copy protection chip.

In the FD1094, opcodes and opcode data are encrypted individually, and regular opcodes and opcodes in interrupt vectors are also encrypted differently. The encryption is done using battery-backed SRAM stored within the chip — the lowest RAM locations are used for decryption, while the rest store the encryption key. There is no protection from opening the chip; merely removing the battery or letting it die will kill the SRAM contents, rendering the game unbootable.

There are multiple possible encryption modes freely selectable by the game; they are selected with the opcode

cmpi.l #$00xxFFFF,d0

where xx is the encryption state.
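As an added example (not code from this article or from MAME): the state-change instruction above assembles to the opcode word $0C80 followed by the immediate words $00xx and $FFFF, so a program image can be scanned for it to list every state the game selects. The function name, struct and sample bytes are constructed for illustration, and the scan assumes the image has already been decrypted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One hit: byte offset of the opcode word and the xx state byte. */
struct state_change { size_t offset; uint8_t state; };

/* Constructed sample (not from any game): decrypted big-endian 68000 words. */
static const uint8_t sample_image[] = {
    0x4E, 0x71,                         /* nop */
    0x0C, 0x80, 0x00, 0x12, 0xFF, 0xFF, /* cmpi.l #$0012FFFF,d0  (match) */
    0x4E, 0x71,                         /* nop */
    0x0C, 0x80, 0x00, 0x34, 0x00, 0x00, /* cmpi.l #$00340000,d0  (low word not FFFF) */
    0x0C, 0x81, 0x00, 0x56, 0xFF, 0xFF, /* cmpi.l #$0056FFFF,d1  (wrong register) */
    0x0C, 0x80, 0x01, 0x00, 0xFF, 0xFF, /* cmpi.l #$0100FFFF,d0  (top byte not 00) */
    0x0C, 0x80, 0x00, 0xFF, 0xFF, 0xFF, /* cmpi.l #$00FFFFFF,d0  (match) */
    0x4E, 0x75                          /* rts */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Scan for cmpi.l #$00xxFFFF,d0: opcode word 0x0C80 (CMPI, long, EA = d0),
 * then immediate words 0x00xx and 0xFFFF. Only even offsets are checked
 * because 68000 instructions are word aligned. This is a linear pattern
 * match, so data holding the same words also matches.
 * Returns the total number of hits; at most max are stored in out.
 */
size_t find_state_changes(const uint8_t *img, size_t len,
                          struct state_change *out, size_t max)
{
    size_t found = 0;
    for (size_t off = 0; off + 6 <= len; off += 2) {
        uint16_t hi = be16(img + off + 2);
        if (be16(img + off) != 0x0C80 || (hi & 0xFF00) != 0 ||
            be16(img + off + 4) != 0xFFFF)
            continue;
        if (found < max)
            out[found] = (struct state_change){ off, (uint8_t)hi };
        found++;
    }
    return found;
}

int main(void)
{
    struct state_change hits[8];
    size_t n = find_state_changes(sample_image, sizeof sample_image, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("offset 0x%04zx: state $%02X\n", hits[i].offset, hits[i].state);
    return 0;
}
```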

In addition, the chip disables the pc-relative addressing modes (d16(pc) and d8(pc,xN.w/.l)). According to the MAME source, the pc-relative modes would make it easier to dump the unencrypted data somehow (TODO).

It is possible for someone who owns an FD1094-based game to replace the battery, and several decrypted versions of games exist. As decryption is determined during program execution, it is difficult to decrypt games without analyzing the code.

List of Boards and Games

TODO

External links

References