Monday 20 March 2017

A Journey Into Capcom's CPS2 Silicon - Part 1


Capcom's Play System 2, also known as CPS2, was a new arcade platform introduced in 1993 and the company's answer to bootlegging. Featuring similar but improved specs to its predecessor CPS1, the system introduced a new security architecture that gave Capcom, for the first time, a piracy-free platform. That remained true for its entire commercial lifespan, and later on the same security even prevented projects like MAME from achieving proper emulation of the system for years.

Whereas CPS1's protection philosophy was mainly about providing a mechanism to control game PCB conversions, CPS2 instead brought the focus back to CPU code encryption, just like its old ancestor Kabuki, Capcom's first attempt at security. Using a similar approach to Kabuki, CPS2 employs battery-backed RAM hidden away from user access; once this battery runs out, the information needed to run the game is lost with it, rendering the game unusable for life.


Enclosed in a plastic shell, CPS2 retains CPS1's characteristic 2-layer PCB assembly style, consisting of a base board known as the A board and a game board known as the B board. Some later games added additional boards featuring expanded memory and cross-game communication capabilities. The two most important differences of this new generation system are: 1) the A board no longer carries the system's main CPU, which has moved to the top B board, and 2) the number of custom chips has grown considerably, as seen in the images below.

CPS2 A base board outside of its plastic shell

CPS2 B top board removed from its plastic shell

A later cost-down revision of CPS2 shrank the PCB stack to just one PCB enclosed in a black metal case. Most ROMs were also replaced by a single flash memory module, a technology first introduced in Capcom's CPS3 system in 1996.

"All-in-one" CPS2 cost-down revision removed from its case


Encryption meets conservation

The first attempts to take control of the platform started circa 1999 by the CPS-2 Shock team, with early emulation following soon after in 2001, right at the end of its commercial lifecycle. The platform saw one last commemorative game title release from Capcom in December of 2003, Hyper Street Fighter II: The Anniversary Edition, so technically speaking emulation did happen during its commercial life.

A bug found in Capcom's security implementation allowed unencrypted memory dumping on the fly. This discovery enabled the CPS-2 Shock team to retrieve clear program code dumps, which led to the production of non-encrypted game ROM sets for emulation and to dead-board "phoenixing", a term used by the arcade community for game boards altered to run unencrypted game code.

Thanks to these efforts emulation became possible, and countless dead CPS2 boards were converted to run unencrypted versions of games, thus saving them from the bin.

Capcom's encryption mystery remained a secret for six more years, until in 2007 a team composed of Charles MacDonald, Andreas Naive and Nicola Salmoria (MAME founder) managed to crack the algorithm via custom hardware and mathematical analysis. Their work revealed that CPS2 used two four-round Feistel ciphers with a 64-bit key, and at this point emulation of the original encrypted code became possible.
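To make the structure named above concrete, here is an added example (not code from this blog, and not the recovered CPS2 algorithm) of a generic four-round Feistel network with a 64-bit key, and of two such ciphers chained one after the other. Everything in it is an assumption chosen for illustration: 32-bit blocks split into 16-bit halves, a toy round function built from SHA-256, and a toy subkey schedule. What it does show is the property that makes Feistel ciphers attractive for hardware like CPS2: the same round structure run with the subkeys in reverse order undoes the encryption, so decryption costs no extra logic.

```python
"""Generic Feistel-network illustration (added example, not Capcom's CPS2 cipher).

Assumptions (all illustrative, none taken from the CPS2 hardware):
  - 32-bit block split into two 16-bit halves
  - 64-bit master key, one 64-bit subkey derived per round
  - round function F = first 16 bits of SHA-256(half || subkey)
"""
import hashlib

HALF_BITS = 16
HALF_MASK = (1 << HALF_BITS) - 1


def round_function(half: int, subkey: int) -> int:
    """Toy keyed round function F(R, K): hash the half together with the subkey."""
    data = half.to_bytes(2, "big") + subkey.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def subkeys(key: int, rounds: int) -> list[int]:
    """Toy key schedule: derive one 64-bit subkey per round from the 64-bit key."""
    key_bytes = key.to_bytes(8, "big")
    return [
        int.from_bytes(hashlib.sha256(key_bytes + bytes([i])).digest()[:8], "big")
        for i in range(rounds)
    ]


def _feistel(block: int, round_keys: list[int]) -> int:
    """Run the Feistel rounds L' = R, R' = L xor F(R, K) and emit (R, L) at the end.

    Emitting the halves swapped is what lets the same function decrypt when the
    subkeys are simply supplied in reverse order.
    """
    left, right = (block >> HALF_BITS) & HALF_MASK, block & HALF_MASK
    for k in round_keys:
        left, right = right, left ^ round_function(right, k)
    return (right << HALF_BITS) | left


def feistel_encrypt(block: int, key: int, rounds: int = 4) -> int:
    """Four-round Feistel encryption of a 32-bit block under a 64-bit key."""
    return _feistel(block, subkeys(key, rounds))


def feistel_decrypt(block: int, key: int, rounds: int = 4) -> int:
    """Decryption is the same network with the subkeys in reverse order."""
    return _feistel(block, list(reversed(subkeys(key, rounds))))


def double_feistel_encrypt(block: int, key1: int, key2: int) -> int:
    """Two four-round Feistel ciphers chained, each with its own 64-bit key."""
    return feistel_encrypt(feistel_encrypt(block, key1), key2)


def double_feistel_decrypt(block: int, key1: int, key2: int) -> int:
    """Undo the chain by decrypting with the second cipher first."""
    return feistel_decrypt(feistel_decrypt(block, key2), key1)


if __name__ == "__main__":
    # Constructed sample values; the keys are arbitrary, not anything from a real board.
    k1, k2 = 0x0123456789ABCDEF, 0xFEDCBA9876543210
    for word in (0x00000000, 0x4E714E71, 0xDEADBEEF):
        ct = double_feistel_encrypt(word, k1, k2)
        pt = double_feistel_decrypt(ct, k1, k2)
        print(f"{word:08X} -> {ct:08X} -> {pt:08X}")
        assert pt == word
```

The round trip holds for every block and key because each round only XORs one half with a value computed from the other half, which is itself passed through unchanged; applying the same round again with the same subkey cancels the XOR. That is also why a single-chip implementation can share the round logic between encryption and decryption.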

From then on, the picture for CPS2 hardware owners remained pretty much the same: run out of battery and lose your original game forever. Phoenixing your board was the only way out of the situation, but at least it was an option.


Capcom's Customfest

CPS2's use of custom chips was extensive, featuring as many as 11 custom-made QFP chips, all of them stamped with Capcom logos. For years the maker, exact nature and purpose of many of these chips have also been a mystery, especially the ones located on the top B board, since many of the A board customs are just a continuation of the ones found in CPS1.

Capcom QFP 160 pin custom chip dated Week 47 1993 

The level of custom integration in CPS2 even touched its main CPU. Previously featured in CPS1 as a single Motorola 68000 chip, with the arrival of CPS2 the 68000 CPU faded away somewhere inside one of the new custom chips, and nobody knew exactly which. Another interesting thing about the customs found on the top B board is that they all receive battery power while the board is at rest, an obvious exercise in hiding the security implementation and its possible targets.


The widow maker

Present in CPS2 systems since B board revision 5 (93646B-5), this little JST NH 6-pin connector became over time an item of interest and research for the curious. Its purpose was unknown, but it held a nasty surprise for whoever was brave enough to mess with it: it killed your board.

CPS2 CN9 connector

This connector raised many questions without answers and one clear result: messing with CN9 suicided your board exactly as running out of battery would. Why would Capcom include such a feature? How was it related to the system encryption? Was it of any real use, or could it just be a distraction?

Over the next series of articles we will explore the inner workings of Capcom's CPS2 security implementation. These findings and discoveries are part of the efforts that led to the successful reverse engineering of the system's security programming methods late last year: Capcom CPS2 Security Programming Guide.

Stay tuned for more.

Part 2