Tuesday, 13 September 2016

Capcom CPS2 Security Programming Guide

Dear all, after a few months of testing we are extremely happy to release the new clean desuicide / security programing method for Capcom's CPS2 hardware.



This guide is the result of almost two years of work by an small group of arcade enthusiasts to unravel the secrets of the security implementation found in one of the largest and most popular arcade platform systems. Thanks for this work it is now possible to fully preserve any CPS2 systems as original hardware.

Over the coming weeks additional details about the CPS2 hardware internals will be released providing unseen insights into how Capcom implemented security.

Thanks to everyone who has helped test and validate this release throughout the summer, special thanks to Bill DeLeo, Jeremy Walski, Leonard Oliveira and rtw.


Capcom CPS2 Security Programming Guide

This document will guide you through the basics of preparing your setup and testing the new clean desuicide method on any of the known CPS2 board revisions. You can find a pdf copy of this guide and code on the following link: https://github.com/ArcadeHacker/ArcadeHacker_CPS2



What's needed
Arduino programmer hardware












  • Power supply capable of 5 volts @ 1.5 amps or more, eg: arcade or ATX PC power supply.




  • Soldering iron and solder


CPS2 motherboard tools and supplies








Software






Assembling and preparing your Arduino programmer
  1. Solder the 7 pin strip to the top right most socket of the LCD Keypad Shield


  1. Assemble the Arduino Uno and LCD Keypad Shield together


  1. Download and install software for your OS from https://www.arduino.cc/en/Main/Software
  2. Connect your arduino to your PC via USB
  3. Open the ArcadeHacker_CPS2.ino file in the Arduino environment.
  4. Compile and Upload the sketch to the Arduino, next boot sequence should display what's shown below. If you can't see anything you may want to double check the screen contrast setting.




  1. Locate digital pins 2, 3, 11, 12 (top right) and GND (top left icsp connector) on your LCD Keypad Shield. Label them if possible.




  1. Connect the dupont cables to the pinout as shown above. Label them if possible.




Assembling the CPS2 target power cable
Attach two female dupont ends to the female molex power plug.





Identifying your CPS2 B board type
There are several revisions of PCB. These are the relevant ones:


93646B-3:
93646B-3-FRONT.jpg

93646B-4:
19xx_pcb_1.jpg


93646B-5:



93646B-6 and 93646B-7:
93646B-6-FRONT.jpg



97691A-3 (Black case, single board):



Pinout for board revisions 93646B-3 and 93646B-4
CN2 interface pins:


DATA Arduino #2 → CN2 A32
SETUP1 Arduino #3 → CN2 A30
CLOCK Arduino #11 → CN2 A31
SETUP2 Arduino #12 → CN2 A29


CN7 power pins:


+5V Power supply → CN7 A25
GND Power supply & Arduino GND → CN7 A23
GND Power supply & Arduino GND → CN7 B23



Pinout for board revisions 93646B-5
CN9 interface pins:


DATA Arduino #2 → CN9 #2
SETUP1 Arduino #3 → CN9 #3
CLOCK Arduino #11 → CN9 #4
SETUP2 Arduino #12 → CN9 #5


CN7 power pins:


+5V Power supply → CN7 A25
GND Power supply & Arduino GND → CN7 A23
GND Power supply & Arduino GND → CN7 B23



Pinout for board revision 93646B-6, 93646B-7 and 97691A-3
CN9 pins:

+5V ---------------- → CN9 #1
DATA Arduino # 2 → CN9 #2
SETUP1 Arduino # 3 → CN9 #3
CLOCK Arduino # 11 → CN9 #4
SETUP2 Arduino # 12 → CN9 #5
GND Arduino GND → CN9 #6




Preparing your CPS2 B board
  1. Open the CPS2 B Board plastic case using the Torx Security T20 screwdriver head (the photo below does not apply to revision 97961A-3 "all in one black")



  1. Identify your PCB revision and check the battery voltage




  1. If needed replace the battery with a fresh spare, fit a battery holder when possible





Desuiciding revisions 93646B-3 and 93646B-4
  1. Connect your hooking cables to the corresponding outputs of the arduino programmer (2, 3, 11, 12 & GND)




  1. Connect all pins to CN2 following the order described below.
                                                                                                                                                                
DATA Arduino # 2 → CN2 A32
SETUP1 Arduino # 3 → CN2 A30
CLOCK Arduino # 11 → CN2 A31
SETUP2 Arduino # 12 → CN2 A29


GROUND Arduino # GND → CN2 C32




  1. Connect power cables to CN7 A23 & B23 (GND) and A25 (+5)


cps2img.png


  1. Connect the molex connector to the power supply (power supply off!)



  1. Make sure the CPS2 A board and B board are disconnected from each other




  1. Turn on the power supply connected to your CPS2 B board, then power up your Arduino programmer (plug the USB cable to a USB power source, eg: your computer)




  1. Follow the on-screen instructions and program the game configuration you wish to upload. Use the up/down/right/left buttons to advance through the game options.
  2. Once programmed, disconnect power to the Arduino programmer followed by switching off the main power supply to your CPS2 B board
  3. Disconnect all arduino and power supply wires connected to the PCB
  4. Assemble the CPS2 A and B boards together and test for results. If unsuccessful take your time to review your setup before attempting a new keyload.


Desuiciding revisions 93646B-5, 93646B-6, 93646B-7, 97691A-3
  1. Connect the ic clips to the corresponding outputs of the arduino programmer (2, 3, 11, 12 & GND)




  1. Connect all grabbers to CN9 following this order. You can also use a JST NH 6pin connector, pins are part number SHF-001T-0.8BS or SHF-002T-0.8BS depending on your wire gauge.


DATA Arduino # 2 → CN9 #2
SETUP1 Arduino # 3 → CN9 #3
CLOCK Arduino # 11 → CN9 #4
SETUP2 Arduino # 12 → CN9 #5
GND Arduino GND → CN9 #6


capcom.png


  1. [Revisions 93646B-6, 93646B-7, 97691A-3 only] Attach the power cable as shown below. GND connects to the existing arduino grabber.




  1. [Revision 93646B-5 only] Connect power cables to CN7 A23, B23 (GND) and A25 (+5)




  1. Connect the molex connector to the power supply (power supply off!)




  1. Make sure the CPS2 A board and B board are disconnected from each other





  1. Turn on the power supply connected to your CPS2 B board, then power up your Arduino programmer (plug the USB cable to a USB power source, eg: your computer)





  1. Follow the on-screen instructions and program the game configuration you wish to upload. Use the up/down/right/left buttons to advance through the game options.
  2. Once programmed, disconnect power to the Arduino programmer followed by switching off the main power supply
  3. Disconnect all arduino and power supply wires connected to the PCB
  4. Assemble the CPS2 A and B boards together and test for results. If unsuccessful take your time to review your setup before attempting a new keyload.


Hands-on video tutorial by Artemio

https://www.youtube.com/watch?v=ulIi9B74HMs


47 comments:

  1. Thanks for making this happen Ed

    ReplyDelete
  2. Awesome work guys! Thanks for all the effort and time you put to make this happen :)

    ReplyDelete
  3. Amazing stuff and awesome work to everyone involved! Thanks for the incredibly detailed write up too!

    ReplyDelete
  4. Thanks for this. I'd screw it up myself but my cousin will get it done. Fantastic work.

    ReplyDelete
  5. This is awesome! Thank you very much for sharing this with everybody. I am a big fan of the D&D games, now my Tower of Doom is safe if someday the battery is fully drained. From now on, do you have a new objective in mind?

    ReplyDelete
  6. This is fantastic! Thnx for sharing! Sharing is caring and that is the true arcade spirit IMHO };-P
    <3 Elgen };-P
    (ElgensRepairs)

    ReplyDelete
  7. Thank you very much for your awesome work! This is what arcade gaming should be about, preserving it on all levels!
    It begins with preserving the ROMs themself, goes over to sharing findings and finally keeping all the hardware alive as close to the original state as you can get.
    Arcade games are no mass ware like Super Nintendos or Playstations, so people need to see how important this work realy is!!
    Thank you again!!

    ReplyDelete
  8. Can we program different games to different motherboards?

    Example... xmen vs street fighter ... change to Super Street Fighter 2 turbo?

    ReplyDelete
  9. Are you planning to publish the details of how to go from the keys in the MAME source to the keys in the Arduino code? (e.g. if a game with a different encryption key is cracked open in the future?)

    ReplyDelete
    Replies
    1. He is preparing an post with the technicalities. I am very anxiously waiting for it myself.

      As for adding new keys, the code is very easy to read and understand. Adding new keys should not be an issue, at all.

      Delete
    2. He should keep those details to himself and not give away his work to the likes of the lazy and incompetent Mame devs, whom for years have practiced bad coding procedures like depending on global_alloc_clear, which bit them in the ass with Mame 176 with the ui menu appearing off the screen http://mametesters.org/view.php?id=6335. Funny I was the first to actually complain about it on the mameworld forums long before any lazy official Mametester noticed it.

      Like I said, he should keep his secrets to himself and let the Mame devs figure it out on their own, or at least charge them a fee for the info.

      Delete
    3. @Anonymous: Some of the guys with whom we collaborate *are* also MAME devs. We're on good terms, and intend to keep it that way.

      Delete
  10. Muchas gracias por este arduo trabajo para preservar la historia de los videojuegos.

    ReplyDelete
  11. This is truly amazing

    Great work!

    ReplyDelete
  12. Eduardo.....It's just fantastic ^^
    Thanks, a dream come true :)
    Cps1 and now Cps2 you're a good killer ^^
    Respect man :) i'm your fan lol ;-)

    ReplyDelete
  13. wow! i can fix my all battery dead ROM, thank you very much! :)

    ReplyDelete
  14. This is some absolutely INCREDIBLE work and THANK YOU for doing this! :)
    As an owner of a couple of grey Asia region CPS2 boards, I will now be able to revive my dead games.

    I am especially fascinated as to how this works inside the actual chips.
    Do you plan on putting together another technical presentation like the one with the CPS1 desuicide project?
    I did some guesswork on how I thought the CPS2 logic worked in one of your previous blog entries and am eager to see how wrong I was. :) I am eager to learn about the differences in the engineering techniques were between CPS1 and CPS2 (and CPS3's SH2 custom cpu?). I was betting it was the same guy(s) @ capcom's product technology division!

    You sir, are an inspiration and I thank you again for keeping my mind open and active.

    Muchas gracias!

    ReplyDelete
  15. This works for CPS 1.5 / DASH - The Punisher?

    ReplyDelete
  16. Amazing work! Thank you for releasing this!

    ReplyDelete
  17. Wow nice!

    Does it work with Black board CPS2? (I own a Hyper Street Fighter II)

    Thanks :)

    ReplyDelete
    Replies
    1. Yes, it works with black all-in-one CPS2 boards. :)

      Delete
  18. Sooo...your telling me this will make a cps2 board "rise from your grave"...(altered beast style)

    ReplyDelete
  19. Hi Eduardo !

    I'm a french arcade collector.
    Your work is very impressive. So fast and efficient !
    I follow your cps2 tutorial and bought a Genuino Uno.
    Thanks to you, my Marvel vs Capcom single black work again now :-)

    Ian Court said that's working for black all-in-one CPS2 boards.
    I found Marvel vs Capcom in the list (mvscjsing), and I confirm that's working great !
    But I don't found the 5 others titles in the list (Gigawing, Street fighter zero 3, Hyper street fighter 2, Mars Matrix and Dimahoo)
    It's not working for these single black board for the moment, or we can use the same code as japanese B board ?


    Moreover, I have a problem with ArcadeHacker-CPS1 and ArcadeHacker_Kabuki-Master.
    When I want to verify/compile, it's not working, I have this message:
    collect2.exe: error: ld returned 5 exit status

    exit status 1
    Error compiling for board Arduino/Genuino Uno.

    Here's come a pic of this message:
    http://hpics.li/871ff0e

    Have you any idea for help me ?
    Or I need another Arduino/Genuino like the MEGA version ?

    Thanks for all ;-)

    ReplyDelete
    Replies
    1. For your other all in one boards, just use the keys for the regular B-board type, selecting the appropriate region (Japanese for most, if not all black boards I believe). Please confirm if it works or not! :)

      We'll have to get back to you regarding your issues with Kabuki and CPS1.

      Delete
    2. I'll not confirm that's working with my others black board, because they still working and I change the battery few years ago.
      I just have a dead MvC for test, so I can confirm with this game.

      If someone have a dead black board game, I can try and leave a feedback as soon as possible...

      Thanks in advance for the 2 others tuto (I have a dead block block in a box XD)

      Delete
  20. Hi Eduardo !

    I'm a french arcade collector.
    Your work is very impressive. So fast and efficient !
    I follow your cps2 tutorial and bought a Genuino Uno.
    Thanks to you, my Marvel vs Capcom single black work again now :-)

    Ian Court said that's working for black all-in-one CPS2 boards.
    I found Marvel vs Capcom in the list (mvscjsing), and I confirm that's working great !
    But I don't found the 5 others titles in the list (Gigawing, Street fighter zero 3, Hyper street fighter 2, Mars Matrix and Dimahoo)
    It's not working for these single black board for the moment, or we can use the same code as japanese B board ?


    Moreover, I have a problem with ArcadeHacker-CPS1 and ArcadeHacker_Kabuki-Master.
    When I want to verify/compile, it's not working, I have this message:
    collect2.exe: error: ld returned 5 exit status

    exit status 1
    Error compiling for board Arduino/Genuino Uno.

    Here's come a pic of this message:
    http://hpics.li/871ff0e

    Have you any idea for help me ?
    Or I need another Arduino/Genuino like the MEGA version ?

    Thanks for all ;-)

    ReplyDelete
  21. This is really amazing, thank you for this. I am putting the parts together currently, to resurrect my Street Fighter Alpha board which just suicided while changing the battery. Finding a good source for a JST NH 6 connector has been extremely challenging. Digging through my spare connectors drawer, I found the below connector which attaches perfectly to CN9 and CN7. It can probably be purchased at a local electronics store (like Fry's) or online easily.
    http://s56.photobucket.com/user/noaffinity/library/Good%20Connector%20for%20CPS-2%20Desuicide
    Where is the best place to post results of my effort, once I get everything together and follow these instructions?

    ReplyDelete
    Replies
    1. Thanks for sharing your tips, please keep the coming.

      Delete
  22. Disregard my post from late last night. I have re-checked my setup this morning, and followed the instructions implicitly, and now have a working SF Alpha board! Thank you so much for this amazing contribution! FYI, to others that will be doing this, be sure to strictly follow the instructions of powering the board first, then powering the arduino; and when done programming, de-energize the arduino first, then de-energize the board.

    ReplyDelete
  23. I have a 93646B-4 board I am looking to revive. It looks like the CN7 A25 and B25 +5V pins are connected. Can anyone verify this as well?

    ReplyDelete
  24. Amazing work! You guys really have your names set in stone for such an achievement in arcade preservation. One question though: is the key the same between different revisions of the same game?

    ReplyDelete
    Replies
    1. Hi there, in cps2 capcom used different keys for game regions.

      Delete
  25. Thanks for an answer. But my question was about different revisions of the same region release. Like Street Fighter Zero 2 revision 960430 and Street Fighter Zero 2 revision 960227.

    ReplyDelete
    Replies
    1. IIRC same keys across revisions. Regards.

      Delete
  26. I just checked out your site. I like Arcade games and I'm still learning tricks of programming when it comes to hacking. Could you provide some info on hacking pinball flash games in IE, Firefox or Chrome?

    ReplyDelete
  27. Another board de-phoenix'ed and returned to native suicide battery operation. This time, Street Fighter Zero 2 Alpha. Re-programmed the roms with SFZ2ALJ set from MAME, as well as SFZ2ALJ encryption key.

    https://youtu.be/jzlMikTSzGc

    ReplyDelete
  28. Another board resurrected, for a fellow collector. Alien vs. Predator USA blue board. :)

    ReplyDelete
  29. Sorry, but orange 93646B-4 with MVC Brazil is not working.

    93646B-7 with MVC Hispanic is ok.

    Thanks for your work guys.



    ReplyDelete
    Replies
    1. Hi Raph, happy to go over with you on the orange box issue, let me know if you would like to do so.

      Delete
    2. Olá, Eduardo, how are you?

      Mr. Artermio tried help me in his youtube channel (https://www.youtube.com/watch?v=YSiPd8z4fes&lc=z12ojrdbwoafulwf2220upaoaky1zh2y104) but i always the same results. I do the process but the -4 board is still dead.

      Others -6 and -7 are all good, only the -4 orange is a problem.

      I remade the cables and nothing.

      I'll wait till a new method comes.

      Thanks man.

      Delete
    3. Never experimented with the orange type boards. If you are willing to send it over to me I would definitely put time in to understand why it doesnt work. Let me know if you like the idea. Regards.

      Delete
  30. De-suicided a MVC blue US board (93646B-4) for a fellow collector.

    ReplyDelete