What's new
By:
Filters

Can change 315-5881 Security Bootleg Board's Key?

waiji

waiji

Student
Joined
Jan 8, 2021
Messages
42
Reaction score
40
Location
South korea
hello.
I have a Virtua Striker 2 bootleg security board and a Dynamite Deka bootleg security board.
These boards used FPGA chips.
So, I am wondering if it is possible to extract the data inside this FPGA chip and modify it so that it can be used to decrypt other games by inserting the 'key' of another game.
Looking at the MAME source, the "29260e96" key was used in 'Fighting Vipers 2', and the "292f2b04" key was used in Spike Out.
Is it possible to edit the 'KEY' of the FPGA chip?
I don't have much knowledge about programming or hardware, so this may be a stupid question, but I'm asking because I'm really curious.
 

Attachments

  • VS2.jpg
    VS2.jpg
    106.1 KB · Views: 58
  • DynamiteDeka.jpg
    DynamiteDeka.jpg
    95.6 KB · Views: 60
ekorz said:
I don’t think you can reprogram those fpga pcbs but http://triplemoonstar.brinkster.net/THESHED/default.asp will sell you patched program rom code for some (all?) games, and then you burn new roms just remove the security board altogether.
Click to expand...
I asked AndyGeezer about purchasing a decryption ROM, and was told that they no longer produce or sell it. If you tell me that FPGA can be modified and used, I am willing to study it. I also recognize that FPGA programming is very difficult. But I hope it's a possibility.
 
What game are you looking to convert?
 
Well I don’t have those but if Andy’s not selling them maybe someone here will pm them to you.

If you’re looking to do work on it, there’s a chance that just loading the game in MAME runs the program code through the decryption, so you could just dump it from mame once it has booted. Otherwise you need to find and patch the security checks. Do you know how to use the debugger? Probably easier than trying to work out the fpga unless hardware is your wheelhouse.
 
ekorz said:
Well I don’t have those but if Andy’s not selling them maybe someone here will pm them to you.

If you’re looking to do work on it, there’s a chance that just loading the game in MAME runs the program code through the decryption, so you could just dump it from mame once it has booted. Otherwise you need to find and patch the security checks. Do you know how to use the debugger? Probably easier than trying to work out the fpga unless hardware is your wheelhouse.
Click to expand...
Thank you for the hint on how to use MAME. I've used the debugger to the point where I can look into the memory, but I need to study more.
 
The driver makes it seem like the security device has its own memory, so there may be reads/writes to it during boot (or other times). In other words, probably not simply decrypted on boot.

void model3_state::model3_5881_mem(address_map &map)
{
model3_mem(map);
map(0xf0180000, 0xf019ffff).mirror(0x0e000000).ram();
map(0xf01a0000, 0xf01a003f).mirror(0x0e000000).m(m_cryptdevice, FUNC(sega_315_5881_crypt_device::iomap_64be));
}

So now you're stuck modifying the program roms (probably the work Andy did at one point). Watching reads/writes to that memory region, and changing things around.

wpset f01a0000,3f,wr

That might get you somewhere to start. I haven't booted these up in mame and don't know RISC at all.
 
ekorz said:
The driver makes it seem like the security device has its own memory, so there may be reads/writes to it during boot (or other times). In other words, probably not simply decrypted on boot.

void model3_state::model3_5881_mem(address_map &map)
{
model3_mem(map);
map(0xf0180000, 0xf019ffff).mirror(0x0e000000).ram();
map(0xf01a0000, 0xf01a003f).mirror(0x0e000000).m(m_cryptdevice, FUNC(sega_315_5881_crypt_device::iomap_64be));
}

So now you're stuck modifying the program roms (probably the work Andy did at one point). Watching reads/writes to that memory region, and changing things around.

wpset f01a0000,3f,wr

That might get you somewhere to start. I haven't booted these up in mame and don't know RISC at all.
Click to expand...
Thank you for your kind reply. I just entered a watchpoint into the debugger. There is a possibility that a decrypted ROM can be created by analyzing the input/output data in the memory of the decryption board. I'll give it a try.
 
You must log in or register to reply here.
Back
Top