Actions

FD1094

From Sega Retro

Revision as of 17:12, 22 March 2016 by Black Squirrel (talk | contribs) (Text replacement - "==External Links==" to "==External links==")

This teeny-tiny article needs some work. You can help us by expanding it.

The FD1094 (also labeled FD1089; the differences are unknown) is a MC68000 clone manufactured by Hitachi for use in Sega arcade games. The FD1094 is one of the earliest(?) and most infamous examples of a battery being used in a copy protection chip.

In the FD1094, opcodes and opcode data are encrypted individually, and regular opcodes and opcodes in interrupt vectors are also encrypted differently. The encryption is done using battery-backed SRAM stored within the chip — the lowest RAM locations are used for decryption, while the rest store the encryption key. There is no protection from opening the chip; merely removing the battery or letting it die will kill the SRAM contents, rendering the game unbootable.

There are multiple possible encryption modes freely selectable by the game; they are selected with the opcode

cmpi.l #$00xxFFFF,d0

where xx is the encryption state.

In addition, the chip disables the pc-relative addressing modes (d16(pc) and d8(pc,xN.w/.l)). According to the MAME source, the pc-relative modes would make it easier to dump the unencrypted data somehow (TODO).

It is possible for someone who owns a FD1094-based game to replace the battery, and several decrypted versions of games exist. As decryption is determined during program execution, it is difficult to decrypt games without analyzing the code.

List of Boards and Games

TODO

External links