Difference between revisions of "FD1094"

From Sega Retro

("capcom pre-CPS games")
m (Text replacement - "==External Links==" to "==External links==")
(9 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
{{sub-stub}}
 
{{sub-stub}}
The '''FD1094''' (also labeled '''FD1089'''; the differences are unknown) is a [[MC68000]] clone manufactured by [[Hitachi]] for use in [[Sega]] arcade games. The FD1094 is one of the earliest(?) and most infamous examples of a battery being used in a copy protection chip.
+
The '''FD1094''' (also labeled '''FD1089'''; the differences are unknown) is a [[MC68000]] clone manufactured by [[Hitachi]] for use in [[Sega]] [[arcade]] games. The FD1094 is one of the earliest(?) and most infamous examples of a battery being used in a copy protection chip.
  
 
In the FD1094, opcodes and opcode data are encrypted individually, and regular opcodes and opcodes in interrupt vectors are also encrypted differently. The encryption is done using battery-backed SRAM stored within the chip — the lowest RAM locations are used for decryption, while the rest store the encryption key. There is no protection from opening the chip; merely removing the battery or letting it die will kill the SRAM contents, rendering the game unbootable.
 
In the FD1094, opcodes and opcode data are encrypted individually, and regular opcodes and opcodes in interrupt vectors are also encrypted differently. The encryption is done using battery-backed SRAM stored within the chip — the lowest RAM locations are used for decryption, while the rest store the encryption key. There is no protection from opening the chip; merely removing the battery or letting it die will kill the SRAM contents, rendering the game unbootable.
Line 7: Line 7:
 
  cmpi.l #$00xxFFFF,d0
 
  cmpi.l #$00xxFFFF,d0
 
where xx is the encryption state.
 
where xx is the encryption state.
 +
 +
In addition, the chip disables the pc-relative addressing modes (d16(pc) and d8(pc,xN.w/.l)). According to the MAME source, the pc-relative modes would make it easier to dump the unencrypted data somehow (TODO).
  
 
It is possible for someone who owns a FD1094-based game to replace the battery, and several decrypted versions of games exist. As decryption is determined during program execution, it is difficult to decrypt games without analyzing the code.
 
It is possible for someone who owns a FD1094-based game to replace the battery, and several decrypted versions of games exist. As decryption is determined during program execution, it is difficult to decrypt games without analyzing the code.
Line 13: Line 15:
 
:''TODO''
 
:''TODO''
  
==External Links==
+
==External links==
*[http://mamedev.org/source/src/mame/machine/fd1094.c.html MAME FD1094 decryption source]
+
*[https://github.com/mamedev/mame/blob/master/src/mame/machine/fd1094.cpp MAME FD1094 decryption source]
 
*[http://cgfm2.emuviews.com/fdconv.php Charles MacDonald's FD1094 information page]
 
*[http://cgfm2.emuviews.com/fdconv.php Charles MacDonald's FD1094 information page]
 +
*[http://www.arcadecollecting.com/dead/dead.html Information (and partial game list) from The Dead Battery Society (scroll down past Capcom)]
 +
 +
[[Category:Microchips]]

Revision as of 19:12, 22 March 2016


This teeny-tiny article needs some work. You can help us by expanding it.


The FD1094 (also labeled FD1089; the differences are unknown) is a MC68000 clone manufactured by Hitachi for use in Sega arcade games. The FD1094 is one of the earliest(?) and most infamous examples of a battery being used in a copy protection chip.

In the FD1094, opcodes and opcode data are encrypted individually, and regular opcodes and opcodes in interrupt vectors are also encrypted differently. The encryption is done using battery-backed SRAM stored within the chip — the lowest RAM locations are used for decryption, while the rest store the encryption key. There is no protection from opening the chip; merely removing the battery or letting it die will kill the SRAM contents, rendering the game unbootable.

There are multiple possible encryption modes freely selectable by the game; they are selected with the opcode

cmpi.l #$00xxFFFF,d0

where xx is the encryption state.

In addition, the chip disables the pc-relative addressing modes (d16(pc) and d8(pc,xN.w/.l)). According to the MAME source, the pc-relative modes would make it easier to dump the unencrypted data somehow (TODO).

It is possible for someone who owns a FD1094-based game to replace the battery, and several decrypted versions of games exist. As decryption is determined during program execution, it is difficult to decrypt games without analyzing the code.

List of Boards and Games

TODO

External links