N64 CIC, looking for 710x series info

Discussion in 'Nintendo Game Development' started by jesgdev, Jan 11, 2015.

  1. jesgdev (Member)
    Hey Everyone,

    New to the scene here but love to tinker and am always looking for fun projects. I recently came across an interesting
    document (International Secure System Lab paper 'ccsfp221-kammerstetter.pdf') about
    reverse engineering the N64 CIC and decided to give it a shot. I managed to get the ROMs/keys (special area of RAM address space)
    dumped for the 610x series of chips and made a clone on an ATTiny25. Now, instead of buying a bunch of PAL games just for the CICs,
    I thought I would ask if anyone had ever done this for the 710x series chips. I didn't find much information on these chips when searching.

    I'm guessing the ROM is the same as the 610x series (only 6105 is slightly different and it has more RAM) and just the keys are different.

    ROM checksums (1K ROM, unused locations are 00):
    610x sha1: 5157631786de44a970155dcc961d6e13f604b66d
    6105 sha1: 5754925a33f01032e044d8f27ad624a79925e306

    Anyone ever dump 710x CICs before and can confirm the rom/share the keys?

    Update:
    UltraCIC: http://a.pomf.se/fpjhhh.zip
     
    Last edited: Sep 26, 2015
  2. LeHaM (Site Soldier)
    I have a bunch of 710x's but have no way of dumping them haha. Is it hard to do?
     
  3. JayFoxRox (Spirited Member)
    I just read the paper and I'm interested in trying it.
    I have access to a couple of PAL games but I'm not sure if I'm allowed to dump them (as it probably still involves removing the CIC).

    If it's possible to inject the opcodes in-circuit I could probably dump them easily. I guess the test pins are not routed to the ROM Pins though?
    I'll ask the owner if he is interested in dumping them.

    //Edit: The paper is from November 2014 btw, so you are probably the first person to repeat the attack!
    //Edit2: Check your inbox jesgdev
     
    Last edited: Jan 31, 2015
  4. bart_simpson (Dauntless Member)
    What programmer did you use to dump the CIC?
    Plus it seems like if we dump the main PIF chips we could make a region-free N64.
     
  5. JayFoxRox (Spirited Member)
    Read the paper if you didn't. He probably used an AVR to write the dumper.
    You can't just use an existing programmer because the dump happens by using (and exploiting) a hidden test mode in the CIC.

    And yes, we can create a region-free CIC already (because the paper is based around the PAL CIC, jesgdev completed the thing by dumping the NTSC CIC).
    Not only that, but we could add CIC emulation to cartridges like the Everdrive so we don't need any donor carts at all. (Meaning we don't really need a region-free PIF. Not even sure if the PIF has the same exploit, and changing the console is worse than just modding the cartridge imho. Especially because one could make a simple pass-thru device with the fake CIC.)

    Probably we also have the "source code" to the 6105 challenge/response system now, which makes it even better, and we can verify the algorithm found earlier.
     
    Last edited: Feb 1, 2015
  6. Zoinkity (Site Supporter 2015)
    You can not make a "region free" CIC.
    CIC emulation via flashable carts is not going to work. The CIC is in constant communication with the PIF, and if the generated bitsamples do not match at any moment the system will lock. You then need to do a full power cycle (not a soft reset) to restart.

    Also, there is more than just the cartridge CIC. Bootloaders, like the ones in the flashdrives, are based off a hacked version of the code loaded to PIFram during initialization. The part hacked out confirms the bootstrap checksum. The bootstrap is code found in a ROM from 0x40 to 0x1000 run immediately after the PIF initializes hardware. These bootstraps have their own checksums based off the seed byte (which have been reversed) and send the generated value to the PIF for confirmation, written to BFC007F0 and BFC007F4. In a normal boot cycle if this does not match the expected value the system will not continue to the cartridge checksum.

    Without knowing how the PIF confirms the bootstrap checksum it's impossible to know how to subvert it. Since this code is loaded by the PIF to PIFram at boot it cannot be ignored. Currently it's believed the PIF generates the same bootstrap checksum using a different method, most likely involving the secret number.

    Flashable CICs would require flashing before power-on. After power is on and the flashcart initializes it cannot run the CIC bootstrap crc tests again. If it were it would fail because the generated bitcode will not match the next iteration the PIF expects. Current flashcarts simply pass a different seed value and ignore this test entirely; even when loading a game they are in a constant state of execution to avoid the CIC+PIF lockup.

    The only way to completely break the security features of the N64 is through the PIF--something necessary if you ever intend to have a 64DD IPL in any language other than Japanese.

    Besides security the PIF serves a wide variety of other functions. Dumping its code will prove invaluable.
     
    Last edited: Feb 1, 2015
  7. KRIKzz (Well Known Member)

    The NES and SNES multiregion CIC changes its own algorithm if the system did not start successfully: the CIC just changes and saves the algorithm type to internal flash and will try to use another region next time. So, at the next power cycle, the CIC starts up in another region mode. Probably the same method can be used for the N64 CIC.
     
    Last edited: Feb 2, 2015
  8. Zoinkity (Site Supporter 2015)
    There are 12 unique CICs that have been found, plus one more that should turn up in the hands of a collector. Reset won't work; you need a full power off/on to reset the PIF, and doing that a dozen times is hardly ideal, plus you're supposing that other issues (such as a dirty connector) don't cause the cart to fail booting. This is all supposing nobody creates their own unique CIC+bootstrap, of course.

    At any rate that doesn't result in a "region free" CIC at all. It's basically the same as having a series of CICs on a switch. Using a bootloader to circumvent region or altering the PIF are the only ways to control region. Except for the *105's security feature, a hacked PIF would remove the need for a CIC in the first place. Seeds can be generated from the bootstrap by comparison to its checksum.
     
  9. Goemon (AG Member since 2005!)
    Is there even an English or other language IPL?
     
  10. saturnu (Spirited Member)
    Even if it's not switching through every CIC, it would still be useful.
    Homebrew and flashcarts are mainly using CIC6102/CIC7101, so it would be enough if it could switch between them.
    In case you want to build a repro cartridge, you should know which two CICs your game could use, too.

     
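Zoinkity's post above places the bootstrap at ROM offsets 0x40 to 0x1000 and describes checksums keyed by the CIC seed, and saturnu's point is that a repro builder needs to know which CICs a given game can boot with. The following is an added example, not code from this thread or from UltraCIC, showing the cartridge-side part of that: identifying the bootstrap variant by CRC32 of the 0x40..0x1000 region, recomputing the checksum the bootstrap takes over the first 1 MiB of game code with the seed of each CIC family, and comparing it with the header at offset 0x10. The seed constants, the bootcode CRC32 table, the checksum algorithm and the 710x-to-610x pairing are taken from the widely published community n64crc tool and are assumptions of this example; it does not implement the PIF-side verification, which the thread says is not understood. It expects a big-endian (.z64) image of at least 0x101000 bytes; the test image it builds for itself is constructed, not a real ROM.

```python
"""Cartridge checksum / CIC-family check for N64 ROM images (added example).

Constants follow the community n64crc tool (assumed, not from the thread).
"""
import struct
import zlib

HEADER_SIZE = 0x40          # bootstrap (IPL3) starts right after the 64-byte header
BOOTCODE_END = 0x1000       # bootstrap occupies 0x40..0x1000
CHECKSUM_START = 0x1000     # the bootstrap checksums the 1 MiB that follows it
CHECKSUM_LENGTH = 0x100000
Z64_MAGIC = b"\x80\x37\x12\x40"   # first word of a big-endian image
MASK32 = 0xFFFFFFFF

# CRC32 of ROM[0x40:0x1000] -> CIC family (assumed from n64crc)
BOOTCODE_CRC32 = {
    0x6170A4A1: "6101", 0x90BB6CB5: "6102", 0x0B050EE0: "6103",
    0x98BC2C86: "6105", 0xACC8580A: "6106",
}
# Seed per family; 6101 shares the 6102 seed (assumed from n64crc)
SEEDS = {"6101": 0xF8CA4DDC, "6102": 0xF8CA4DDC, "6103": 0xA3886759,
         "6105": 0xDF26F436, "6106": 0x1FEA617A}
# PAL part numbers pair with the NTSC bootstrap of the same algorithm (assumed)
PAL_EQUIVALENT = {"7102": "6101", "7101": "6102", "7103": "6103",
                  "7105": "6105", "7106": "6106"}


def _u32(rom, off):
    return struct.unpack_from(">I", rom, off)[0]


def _rol(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32


def _check_image(rom):
    if rom[:4] != Z64_MAGIC:
        raise ValueError("not a big-endian (.z64) image; byte-swap it first")
    if len(rom) < CHECKSUM_START + CHECKSUM_LENGTH:
        raise ValueError("image too short for the 1 MiB checksum window")


def identify_cic(rom):
    """CIC family implied by the bootstrap bytes, or None if the CRC32 is unknown."""
    return BOOTCODE_CRC32.get(zlib.crc32(rom[HEADER_SIZE:BOOTCODE_END]) & MASK32)


def n64_checksum(rom, cic):
    """Recompute the two header checksum words for the given CIC family (610x or 710x)."""
    _check_image(rom)
    cic = PAL_EQUIVALENT.get(cic, cic)
    seed = SEEDS[cic]
    t1 = t2 = t3 = t4 = t5 = t6 = seed
    for i in range(CHECKSUM_START, CHECKSUM_START + CHECKSUM_LENGTH, 4):
        d = _u32(rom, i)
        if ((t6 + d) & MASK32) < t6:      # carry out of the 32-bit add
            t4 = (t4 + 1) & MASK32
        t6 = (t6 + d) & MASK32
        t3 ^= d
        r = _rol(d, d & 0x1F)
        t5 = (t5 + r) & MASK32
        t2 ^= r if t2 > d else (t6 ^ d)
        if cic == "6105":                 # 6105 mixes in a table inside the bootstrap
            t1 = (t1 + (_u32(rom, HEADER_SIZE + 0x0710 + (i & 0xFF)) ^ d)) & MASK32
        else:
            t1 = (t1 + (t5 ^ d)) & MASK32
    if cic == "6103":
        return ((t6 ^ t4) + t3) & MASK32, ((t5 ^ t2) + t1) & MASK32
    if cic == "6106":
        return (t6 * t4 + t3) & MASK32, (t5 * t2 + t1) & MASK32
    return t6 ^ t4 ^ t3, t5 ^ t2 ^ t1


def header_checksum(rom):
    return struct.unpack_from(">II", rom, 0x10)


def verify_checksum(rom, cic=None):
    cic = cic or identify_cic(rom)
    return cic is not None and header_checksum(rom) == n64_checksum(rom, cic)


def fix_checksum(rom, cic=None):
    """Return a copy of the image with the header checksum rewritten for `cic`."""
    cic = cic or identify_cic(rom)
    if cic is None:
        raise ValueError("unknown bootstrap; pass the CIC family explicitly")
    out = bytearray(rom)
    struct.pack_into(">II", out, 0x10, *n64_checksum(rom, cic))
    return bytes(out)


def matching_cics(rom):
    """Every family whose seed reproduces the header; 6101/6102 always pair up."""
    want = header_checksum(rom)
    return [c for c in ("6101", "6102", "6103", "6105", "6106") if n64_checksum(rom, c) == want]


def constructed_rom():
    """Deterministic pseudo-random test image (constructed, not a real game)."""
    body = bytes(((i * 0x9E3779B1) >> 24) & 0xFF for i in range(CHECKSUM_START + CHECKSUM_LENGTH - 4))
    return Z64_MAGIC + body


if __name__ == "__main__":
    img = fix_checksum(constructed_rom(), "7101")   # PAL 7101 == NTSC 6102 algorithm
    print("header:", [hex(w) for w in header_checksum(img)])
    print("verifies as 6102:", verify_checksum(img, "6102"))
    print("families that match:", matching_cics(img))
```

A real image whose bootstrap is known would let `identify_cic` pick the family automatically; the constructed image has no real bootstrap, so the family is passed explicitly. Note that 6101 and 6102 (and their PAL partners 7102 and 7101) are indistinguishable by checksum alone, which is exactly the "two CICs" ambiguity a repro builder has to resolve from the bootstrap bytes instead.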
  11. jesgdev (Member)
    I removed them from the carts and hooked up to an FPGA.

    The best you could do here is clock in which CIC you want at power up. There is enough time before the CIC starts communicating with the console
    that external logic could supply a value to the AVR to choose which CIC to emulate.
     
  12. link83 (Enthusiastic Member)
    Last edited: Feb 15, 2015
  13. jesgdev (Member)
    Yes, although I don't have any place to host it. Let me know if you are interested.

    The code I will share will configure the CIC at compile time (you pick which CIC, then compile). What you see in the video is KRIKzz's own modification to work with that pushbutton, something you would have to do as well if you want a feature like that (it is quite easy). On the note of testing, I haven't tested every mode and I'm not 100% sure which ones KRIKzz has tested. I do know that at least 6102, 6105, and 7101 have been tested. The others vary only by static keys so they should be fine, assuming the keys are correct.
     
  14. cmonkey (Rising Member)
    Many congratulations to jesgdev and KRIKzz for their hard work and determination in pulling off this amazing feat. :) Well done guys!
     
  15. Dakar (Rapidly Rising Member)
    Wow, awesome work guys. I might have somewhere you can host the files if needed ;)
     
  16. Bad_Ad84 (The Tick)
    If you are releasing source, why not just create a GitHub repo? Public ones are free.
     
  17. TriState294 (Site supporter 2016)
    Did this code ever make it out into the wild? I was considering the possibility of replacing a dead CIC chip in this thread and thought to myself how great it would be if we could burn our own replacement chips.
     
  18. root670 (Robust Member)
    Also interested if the code for this will be released at some point.
     
  19. Hayate (Member)
    Awesome! I hoped that it was possible but you DID IT! Can't wait for the release! (if there is one) Thanks!
     
  20. jesgdev (Member)
    Link in first and next post.
     
    Last edited: Mar 30, 2015