bobbydilley

A few times over the past few years I've dabbled in looking at what it would take to emulate the Namco System 246 on the PCSX2 emulator. Through random posts on various forums I've also gotten a few messages asking if I ever got anywhere with it, so I thought this would be a good place to write everything down and see if anyone has any ideas. I definitely don't have the skills to do it myself, but thought I'd start a conversation about it if only for someone more skilled to help explain to others why it cannot be done.

The PCSX2 emulator (a PlayStation 2 emulator) is capable of booting the BIOS from the Namco System 246. It crashes if you try to boot the BIOS from the Namco System 256. You can find the BIOS if you google 'namco system 246 bios mame'. Take the file from within the .zip file and place it in the 'bioses' folder in your PCSX2 installation and then you'll be able to load from it.

Here is an example video of someone playing with it:
View: https://www.youtube.com/watch?v=k9mZFZ16H1E


After the BIOS boots, it tries to load a program from the 'dongle' which is a magicgate memory card. Images of the dongles can be found here: https://www.arcade-projects.com/threads/sys2x6-usb-dongle-rollup-pack.6743/

The bios loads from the memory card in slot one, so make sure you insert it there in the emulator.

As a side note: In the bios it refers to files with the medium they are on, a colon and then the file name. For example `rom0:TESTMODE` refers to a TESTMODE binary in the bios (the test mode binary just displays colour bars), `mc0:boot.bin` refers to a file called boot.bin on a memory card in the first slot.

The program the bios will try to load is `mc0:boot.bin`. This is boot.bin on the memory card in slot one. When it cannot load this file it'll display a series of different error messages depending on why:

  • Dongle Driver Load Fail - I made it display this by changing `mc0:boot.bin` to `cdrom0:boot.bin`, you can guess what this means.
  • Dongle Card Does Not Exist or Is Not Right - It will display this if there is no memory card inserted, or one that is 'corrupted'.
  • Boot File Not Exit - It'll display this with a blank memory card inserted.
  • Boot File Is Not Right - It'll display this when an arcade dongle dump is inserted. It'll also display this if you change `mc0:boot.bin` to something that it has on the ROM, e.g. `rom0:TESTMODE`, as it can access it but it's not 'right' (whatever right means).

So my question is, what about `boot.bin` in the arcade dongle dump is not right? What makes a file 'right'?

I am aware that there is some sort of magicgate protection applied to these memory cards, but I am unaware at what level this is applied or how it works. The memory card dump can be displayed, and so the entire thing isn't encrypted. This contains some files that are clearly ELFs (TK4GAME for example), and others that I'm unsure what format they are (boot.bin, TK4LOAD).

```
$ python mymc.py tekken4-tef3verc.bin ls
rwx--d----+----      30 2001-09-05 05:36:54 .
-wx--d----+--H-       0 2001-06-02 07:36:43 ..
rwx-f--8--+----   46224 2001-06-02 07:36:46 boot.bin
rwx-f--8--+----   86561 2001-06-02 07:36:47 ACLOAD
rwx-f--8--+----      50 2001-06-02 07:36:47 title.txt
rwx-f--8--+----       4 2001-09-05 05:35:59 PS2AC02
rwx-f--8--+----      16 2001-08-09 05:55:11 PS2AC01
rwx-f--8--+----      22 2001-09-05 05:36:00 PS2AC03
rwx-f--8--+---- 2029568 2001-09-05 05:36:20 TK4DATA
rwx-f--8--+----   73520 2001-09-05 05:36:22 TK4LOAD
rwx-f--8--+---- 1235329 2001-09-05 05:36:31 TK4GAME
rwx-f--8--+----  126002 2001-09-05 05:36:33 FPGA
rwx-f--8--+----   32644 2001-09-05 05:36:34 JVFIRM
rwx-f--8--+----   44589 2001-09-05 05:36:36 PADMAN
rwx-f--8--+----   25317 2001-09-05 05:36:37 LIBSD
rwx-f--8--+----    9081 2001-09-05 05:36:38 SDRDRV
rwx-f--8--+----    6429 2001-09-05 05:36:39 ACCORE
rwx-f--8--+----    2477 2001-09-05 05:36:40 ACFPGALD
rwx-f--8--+----    2005 2001-09-05 05:36:41 ACJVLD
rwx-f--8--+----    1625 2001-09-05 05:36:42 ACJV
rwx-f--8--+----    4885 2001-09-05 05:36:43 ACRAM
rwx-f--8--+----    1249 2001-09-05 05:36:44 ACSRAM
rwx-f--8--+----    2073 2001-09-05 05:36:45 ACMEM
rwx-f--8--+----    5861 2001-09-05 05:36:46 ACMEME
rwx-f--8--+----    2681 2001-09-05 05:36:47 ACTIMER
rwx-f--8--+----   11309 2001-09-05 05:36:48 ACATA
rwx-f--8--+----   34649 2001-09-05 05:36:49 ACCDVD
rwx-f--8--+----   80009 2001-09-05 05:36:51 IOPRP21A
rwx-f--8--+----   83725 2001-09-05 05:36:53 MCMANAC
rwx-f--8--+----    2849 2001-09-05 05:36:54 RWCFGAC
```

The python source code for mymc.py which can list these files is here: http://www.csclub.uwaterloo.ca:11068/mymc/index.html

When extracting boot.bin and looking at it, there is a lot of what looks like possibly encrypted/compressed data with some words that are broken up.

https://wiki.pcbotaku.com/wiki/Category:Sys246

The link above claims that:
  • only boot.bin is affected by magic gate on system246, it loads another file within the FS which is a lamely xored ELF file, and that one is the game boot
I'm interested to see how this would work, and what the 'other' file is that is lamely xored. Could we maybe jump past boot.bin, and just load the right file directly?

I've heard that the boot.bin files have a unique 32 bytes that tie them into the magicgate encryption chip on the dongle?

I'd like to understand exactly how the magicgate chip is able to decrypt a single file, and also why the encryption algorithm leaves pretty much plain text at the end of boot.bin.

--

It's worth noting that even if this gets solved, there are still some other problems: https://github.com/mamedev/mame/blob/master/src/mame/drivers/namcops2.cpp#L171

  • The RAM32 PCB that it loads CDROM data into needs to be sorted. This looks like it's probably just some memories, so shouldn't be too hard to add into the emulator.
  • The 'Namco MOTHER PCB' would need to be emulated, and this is a large board that would likely require some real skill to do.
  • HLE JVS emulation will need to be done (but this should be fairly easy, as it's well known about)

Any advice / comments / questions would be really appreciated on this!
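An added example, not part of the original post or of mymc: a triage script for files extracted from a dump, separating plain ELFs, ELFs hidden behind a short repeating XOR key, and high-entropy data that looks encrypted or compressed. It assumes 'lamely xored' means a repeating key of at most four bytes over the whole file, which the thread does not confirm; all function names and sample data are constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

ELF_MAGIC = b"\x7fELF"

def shannon_entropy(data):
    """Bits per byte; values near 8.0 point to encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def xor_repeat(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def is_ps2_elf_header(head):
    """32-bit little-endian ELF, version 1, e_machine == 8 (EM_MIPS)."""
    return (len(head) >= 20 and head[:4] == ELF_MAGIC
            and head[4:7] == b"\x01\x01\x01" and head[18:20] == b"\x08\x00")

def classify(data, max_key_len=4):
    """Return (label, key). Assumption: the XOR key repeats and is short."""
    if is_ps2_elf_header(data[:20]):
        return ("elf", b"")
    for klen in range(1, max_key_len + 1):
        # Known plaintext: every ELF starts with the magic, so key = cipher ^ magic.
        key = bytes(c ^ p for c, p in zip(data[:klen], ELF_MAGIC))
        if len(key) == klen and is_ps2_elf_header(xor_repeat(data[:20], key)):
            return ("xor-elf", key)  # later header fields confirm the guess
    return ("opaque" if shannon_entropy(data) > 7.0 else "unknown", b"")

# Constructed samples (not taken from any dongle dump).
def sample_elf():
    ident = ELF_MAGIC + b"\x01\x01\x01" + bytes(9)
    return ident + struct.pack("<HH", 2, 8) + b"constructed payload " * 8

def sample_opaque(size=4096):
    out, block = b"", b"constructed seed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]

if __name__ == "__main__":
    masked = xor_repeat(sample_elf(), b"\x5a\xa5")  # constructed 2-byte key
    for name, data in [("plain", sample_elf()), ("masked", masked), ("blob", sample_opaque())]:
        print(name, classify(data), round(shannon_entropy(data), 2))
```

A file that comes back as "opaque" fits the description of boot.bin above: no ELF header under any short XOR key and near-random byte statistics.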

Franco23444

Also, don’t the I/O boards need to be emulated in order for the games to boot properly as well? For example, Tekken 4 will not boot unless some JVS board or the Namco I/O board is recognized. I’m not 100% sure if this could also be an issue. Ridge Racer V Arcade Battle also has extra boards needed to play the game as well.
 

bobbydilley

# Update 1

The boot.bin file is a magicgate-encrypted ELF with a non-standard keyset.

You can tell this because
The keys for the PS2 magicgate were apparently extracted from the PS2's emulator on the PS3 written by Sony.

Unfortunately these keys are far far too large to do any sort of brute force attack on.
 

bobbydilley

# Update 2

Full boot process is fairly well known now (This is for Tekken):
  • BIOS Loads
  • BIOS loads `mc0:boot.bin` which is decrypted through magicgate
  • boot.bin loads TC4LOAD with argument `DANGLE` (and probably does some other setup stuff)
  • TC4LOAD decompresses and loads `mc0:TC4GAME`
  • TC4GAME then does various things
You can seemingly skip boot.bin by just loading the TC4LOAD elf through PCSX2 with the argument DANGLE. PCSX2 seems to get stuck at loading `mc0:ACCORE` which seems to stand for Arcade Core, and returns a -6 fd error apparently meaning 'No such device or address': https://github.com/ps2dev/ps2sdk/bl...c32d3496eeab5f7f81/common/include/errno.h#L29.

brizzo

> The keys for the PS2 magicgate were apparently extracted from the PS2's emulator on the PS3 written by Sony.
>
> Unfortunately these keys are far far too large to do any sort of brute force attack on.

This is my understanding as the blocker to emulating 246, that the private keys are almost unobtanium at this point in time.
 

l_oliveira


Hydreigon

Short answer: Needs TLCS-900 CPU emulation to progress further.

Long answer: Any 2X6 hardware uses a TLCS-900 based CPU for inputs, JVS and media access (IDE). These Magicgate encrypted "dongles" store the TLCS-900 program which is required to boot the game (without it, the pcb would sit at a blank screen and the disc drive won't do anything). Simulating the TLCS-900 would really cause more harm than good imo. It would be a matter of:
  • How the main CPU communicates with the sub TLCS-900
  • Which ram chip would be used for uploading the TLCS-900 program
If that isn't enough, there is also a TLCS-870 CPU used in 246B and later systems that controls additional peripherals (ethernet is all I can think of). This CPU contains an internal rom that is yet to be dumped. Best way to source this is from a scrap pcb and send this in for decapping.
 

Franco23444

Sure, emulation won’t happen right now, but with this new information, emulation might be achieved in less than 10 years? Maybe? I don’t know how emulators work.
 

bobbydilley

The Neo Geo Pocket uses the Toshiba TLCS900, and there are various open source emulators for that: https://github.com/alekmaul/race/blob/master/emu/tlcs900h.cpp

Would the above not suffice?

I think as well the system needs to be able to address more ram, but other than that these are the only differences?

I can't see that there is now anything stopping a competent software engineer from doing this emulator, other than studying this TLCS900 board and working out what is connected to what?

--

Edit: Ah looks like there is much more to it than just the Toshiba chip lol

https://wiki.arcadeotaku.com/images/b/b8/System246_MOTHER_PCB.jpg