CPS-2 internals, Reversing Super Street Fighter 2 Turbo, and Retro
Transcription
CPS-2 internals, Reversing Super Street Fighter 2 Turbo, and Retro-Arcade Cabinet Hacking :)
NoConName 2014
Pau Oliva Fora - <[email protected]> @pof

Agenda
- Basic elements
  Controllers: buttons, sticks, microswitches
  Cabinets: JAMMA
- CPS2
  History, encryption, Phoenix edition boards
- Super Street Fighter II Turbo
  Versions, netplay, etc.
  Debugging the game, writing cheats, Lua
  How not to suck at ST

BASIC ELEMENTS

Joysticks
- Top: balltop & battop, top handle
- Brands: Happ, Seimitsu LS-32, Sanwa JLF

Buttons
- Sanwa OBSF-24, Seimitsu PS-14-DN, Happ Horizontal, Happ Competition, Sanwa OBSN-30, Sanwa OBSF-30

Switches
- Cherry microswitches, Sanwa small switches, Seimitsu small switches, Seimitsu large switches, Sanwa long switches

PCB
- PS360+ PCB

Joystick

JAMMA
JAMMA: Japan Amusement Machinery Manufacturers Association
- OUTPUT: monitor, mono audio, coin counters
- INPUT: 2 joysticks with 3 buttons each, 2 start buttons, 2 coin triggers from the coin mech, 1 test switch, 1 service switch
- Power: 12V, 5V, -5V, Ground

Cabinet 101
- Super Turbo cabinet, AstroCity
- SuperGun: Mak Strike SuperGun

CAPCOM PLAY SYSTEM 2

CPS2: A & B boards

UD-CPS2
http://forums.shoryuken.com/discussion/146685/ud-cps2-fullyconsolized-capcom-play-system-2/p1

CPS2 - Regions
- Green: Japan
- Blue: North America & Europe
- Orange: South America
- Grey: Asia
- Pink: Brazil
- Yellow: All (rent version)
- Black: All in one unit
Green & Blue boards are totally interchangeable. Grey & Orange boards require an 'A' board of matching color. Yellow 'B' boards are the rent version and were made to fit 'A' boards as required.
CPS-2 Specs
- Primary CPU: Motorola 68000 @ 16 MHz
- Sound CPU: Z80 @ 8 MHz
- Sound chips: Q-Sound @ 4 MHz
- Display: raster, 384x224 @ 59.6294 Hz
- Color depth: 12-bit RGB with a 4-bit brightness value (4096 colors); 2048 on-screen colors (128 global palettes with 16 colors each)

CPS-2 History
- CPS-1 games were easy to copy, and bootlegs (unauthorized game copies) appeared
  (02/1991) Street Fighter II: The World Warrior
- CPS-2 == CPS-1 with a faster processor and encrypted game ROMs
  (09/1993) Super Street Fighter II: The New Challengers
  (02/1994) Super Street Fighter II Turbo
  (12/2003) Hyper Street Fighter II: The Anniversary Edition

CPS-2 Suicide battery
- The CPS-2 has a battery-backed memory (SRAM) containing the decryption keys needed for the games to run
- When the battery dies, the games no longer work --> blue screen
- 3.6V lithium battery, size 1/2 AA (Elfa part #69-282-12)

CPS-2 Encryption
- In January 2001, the CPS-2 Shock group (Charles MacDonald, Ange Albertini and Razoola) obtained unencrypted program data by hacking into the hardware
- They distributed XOR difference tables (8 GiB) to produce unencrypted data from the original ROM images --> emulation possible
- In January 2007, the encryption method was fully reverse-engineered by Andreas Naive and Nicola Salmoria (MAME author):
  http://andreasnaive.blogspot.com.es/2006_12_01_archive.html
  http://andreasnaive.blogspot.com.es/2007_01_01_archive.html
- The encryption only affects opcodes, not data.
- The encryption consists of two 4-round Feistel networks with a 64-bit key and involves both the 16-bit opcode and the low 16 bits of the address.
- The algorithm was thereafter implemented in this form for all known CPS-2 games in MAME.
CPS-2 Encryption
For more info read the MAME source:
- mame/machine/cps2crpt.c: http://www.mamedev.org/source/src/mame/machine/cps2crpt.c.html
- mame/drivers/cps2.c: http://www.mamedev.org/source/src/mame/drivers/cps2.c.html

CPS2 Memory Map
- 0x000000 - 0x3FFFFF  Main program
- 0x400000 - 0x40000A  Encryption (the battery memory)
- 0x618000 - 0x619FFF  Shared RAM for the Z80 (tells it what sfx or music to play)
- 0x660000 - 0x663FFF  Network memory
- 0x900000 -           Start of graphic memory (can change with each game). Super Turbo:
    0x900000 - 0x903FFF  Palette
    0x904000 - 0x907FFF  16x16
    0x908000 - 0x90BFFF  32x32
    0x90C000 - 0x90FFFF  8x8
    0x910000 - 0x913FFF  16x16, mainly the HUD and the character names on the select screen
- 0xFF0000 - 0xFFFFFF  Main memory

Revive Dead B-Boards
- Decrypt all encrypted data so that you end up with a fully decrypted ROM image.
- Patch the program code so that all reads and writes to the 0x400000-0x40000A memory region are changed to 0xFFFFF0-0xFFFFFA (bottom of the normal WORK RAM).
- Patch all routines so that they do not clear this region during any memory clearing activities.
- Patch every part of the game that uses this region of WORK RAM (to store variables and such) to use a different region.

Phoenixed boards
Project to bring back dead CPS-2 game boards:
- A power-on splash screen
- Ability to change region (stored to EEPROM)
- A basic jukebox to listen to game music
- 68000 exception handling (helps to find errors)
- Freeplay option added to regions that missed it
- Removal of time locks for certain code activations
- Stronger test-mode EEPROM memory checks

Phoenixed boards
To phoenix a board:
- Purchase the phoenixed EPROMs/data from Razoola
- Reprogram the appropriate program EPROMs with the Phoenix ROM data
- Desolder/remove the battery (bottom right corner of the board)
- Short the 2 leads of the electrolytic capacitor next to where the + terminal was together for several seconds. This drains the charge left in the circuit and lets the phoenix code operate properly.
- Boot up the title.
- A phoenix logo should appear; at this point, pressing the test button will let you change the region.

Decrypted ROMs
- Decrypted CPS2 images by L_Oliveira, MottZilla and idc/Team Avalaunch: http://cps2.avalaunch.net/
- Alternative to Phoenix Edition ROMs: they revive dead boards, but are "clean" because they don't have all the extra features that Razoola put in (region change, jukebox, etc.)

STREET FIGHTER

Which is the best version?
- Super Street Fighter II X: Grand Master Challenge (Jap. CPS-2): running on CPS-2, not emulated!! NO input lag
- Super Street Fighter II Turbo (North American version)
- Dreamcast port
- SSF2T HDR (HD Remix) on PS3 & XBOX360

Netplay
- GGPO: Windows only, Adobe Air
- GGPO.py
- Supercade: Windows only, .NET
- HDR: Xbox / PS3

GGPO.py
http://poliva.github.io/ggpo/
- Protocol reverse engineered from the original (Windows) GGPO client
- Support for Linux & Mac OS X
- Vulnerabilities found in the GGPO server: start a match without the peer accepting; start a match even when the peer is away

pyQTggpo
- GUI client for Windows, Linux & OSX
- Ground work (protocol) based on ggpo.py
- https://github.com/doctorguile/pyqtggpo

GGPO Server
- Official GGPO server was down for ~1 week
- Not actively maintained by its author anymore :(
- Announcing GGPO-NG: http://www.ggpo-ng.com
- Source code available on github: https://github.com/poliva/ggposrv
FEATURES:
- UDP hole punching (no port forwarding)
- Record & playback games

Debugging ST
- mame ssf2xj -debug
- Ctrl+M to open the memory window
- Address 0xFF844E; the offset for the P2 base is 0x400

Scripting: mame-rr Lua
- memory.readbyte(), memory.readword(), memory.writebyte(), memory.writeword()
- gui.text(), emu.frameadvance()

Cheats
- RAM cheats usually change the data the game has in RAM (i.e. change the value in a fixed memory address)
- ROM cheats force the game engine to take a different path

Cheats
    <cheat desc="Infinite Time">
      <script state="run">
        <action>maincpu.pb@FF8DCE=99</action>
      </script>
    </cheat>
1. maincpu: the tag of the CPU whose memory you want to poke; maincpu is in 99% of cases the tag you will need.
2. p: the memory space that needs to be poked; there are 7 possibilities:
   p = program write (most RAM cheats need this)
   m = region write (most ROM cheats use this)
   r = RAM write (use this for ROM cheats if m doesn't work, or for RAM cheats if p doesn't work)
   o = opcode write (use this for ROM cheats if m and r don't work; often used for encrypted memory)
   d = data write (don't think I've ever used this)
   i = I/O write (don't think I've ever used this)
   3 = SPACE3 write (I've definitely never used this)
3. b: the memory size of what's being poked; there are four possibilities:
   b (byte), w (word = 2 bytes), d (doubleword = 4 bytes), q (quadword = 8 bytes)

Cheats
    <cheat desc="Invincibility P1">
      <script state="run">
        <action>maincpu.pb@FF860D=01</action>
      </script>
    </cheat>
More examples: https://github.com/poliva/ssf2xj

Cheats: how to find the right addresses to poke?
- Search for all bytes that have decreased by one since the cheatinit command was run.

Cheats: watchpoints
    wpset 0xFF87DC,1,r,1,{printf "P1 Read @ %X=%X with PC=%X", wpaddr, pb@FF87DC, PC; go}

Patching m68k for dummies
- NOP = 0x4e71
- BEQ = 0x67XXYYYYZZZZ, where XXYYYYZZZZ indicates how far we jump forward if the previous comparison instruction (usually a TST) found the values equal.
- BNE = 0x66XXYYYYZZZZ, where XXYYYYZZZZ indicates how far we jump forward if the previous comparison instruction (usually a TST) found them not equal.
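A small parser and generator for the cheat action syntax just described, as an added example that is not part of the talk or of MAME; it assumes MAME's default of reading numbers in expressions as hexadecimal, and the word-sized poke used in the checks is constructed:

```python
import re
import xml.etree.ElementTree as ET

# Added example (not from the talk or from MAME): a parser for the MAME cheat
# action syntax explained above, <cpu tag>.<space><size>@<address>=<value>.
# MAME debugger expressions read numbers as hexadecimal by default, which is
# why the Infinite Time cheat writes 99 (BCD 0x99) to the timer byte.
SPACES = {"p": "program", "m": "region", "r": "RAM", "o": "opcode",
          "d": "data", "i": "I/O", "3": "SPACE3"}
SIZES = {"b": 1, "w": 2, "d": 4, "q": 8}
ACTION = re.compile(r"^(?P<tag>[A-Za-z0-9_:]+)\.(?P<space>[pmrodi3])"
                    r"(?P<size>[bwdq])@(?P<addr>[0-9A-Fa-f]+)=(?P<value>[0-9A-Fa-f]+)$")


def parse_action(text):
    """Split one <action> poke into its parts; rejects malformed or oversized pokes."""
    m = ACTION.match(text.strip())
    if not m:
        raise ValueError(f"not a poke action: {text!r}")
    size = SIZES[m["size"]]
    value = int(m["value"], 16)
    if value >= 1 << (8 * size):
        raise ValueError(f"value {m['value']} does not fit in {size} byte(s)")
    return {"tag": m["tag"], "space": SPACES[m["space"]], "size": size,
            "addr": int(m["addr"], 16), "value": value}


def make_cheat(desc, action):
    """Build the <cheat> element for one always-running poke, validating it first."""
    parse_action(action)
    cheat = ET.Element("cheat", desc=desc)
    script = ET.SubElement(cheat, "script", state="run")
    ET.SubElement(script, "action").text = action
    return ET.tostring(cheat, encoding="unicode")


# The two pokes shown on the slides.
INFINITE_TIME = "maincpu.pb@FF8DCE=99"
INVINCIBLE_P1 = "maincpu.pb@FF860D=01"
```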
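The two kinds of ROM patch from the slides above, the 0x400000 to 0xFFFFF0 relocation from the Revive Dead B-Boards steps and the BEQ/BNE flip or NOP-out from this slide, as an added example that is not the talk's or Razoola's code; it assumes the 68000's two-byte (8-bit displacement) and four-byte (16-bit displacement) Bcc encodings and runs on a constructed fragment, not the game ROM:

```python
import struct

# Added example, not from the talk: helpers for the two ROM patches described
# above, the BEQ/BNE flip or NOP-out of a branch and the relocation of
# battery-SRAM accesses (0x400000-0x40000A) to 0xFFFFF0-0xFFFFFA.
# 68000 Bcc encoding assumed here: 0x67/0x66 plus an 8-bit displacement, or
# 0x6700/0x6600 plus a 16-bit displacement word when the 8-bit field is 0
# (the 32-bit form, 8-bit field 0xFF, exists only on the 68020 and later).
NOP = b"\x4e\x71"
BEQ, BNE = 0x67, 0x66
BATTERY_BASE, BATTERY_END = 0x400000, 0x40000A
WORKRAM_BASE = 0xFFFFF0

def branch_length(rom, off):
    """Byte length (2 or 4) of the BEQ/BNE at off; refuses anything else."""
    if rom[off] not in (BEQ, BNE):
        raise ValueError(f"no BEQ/BNE at {off:#x}: {rom[off]:#04x}")
    return 4 if rom[off + 1] == 0 else 2

def invert_branch(rom, off):
    """Swap BEQ <-> BNE in place; the displacement stays, so the target is unchanged."""
    branch_length(rom, off)
    rom[off] = BNE if rom[off] == BEQ else BEQ

def nop_branch(rom, off):
    """Replace the whole branch with NOPs so every later instruction keeps its address."""
    n = branch_length(rom, off)
    rom[off:off + n] = NOP * (n // 2)

def relocate_battery_refs(rom):
    """Rewrite each word-aligned absolute long address in the battery region to WORK RAM.
    Returns the patched offsets; a data word that merely looks like such an address is
    patched as well, so the list must be reviewed against a disassembly."""
    patched = []
    for off in range(0, len(rom) - 3, 2):
        addr = struct.unpack_from(">I", rom, off)[0]
        if BATTERY_BASE <= addr <= BATTERY_END:
            struct.pack_into(">I", rom, off, WORKRAM_BASE + (addr - BATTERY_BASE))
            patched.append(off)
    return patched

# Constructed 68000 fragment (not from the game), big-endian words:
#   4a79 0040 000a  tst.w $40000A   (a read of the battery region)
#   6704            beq.s +4        (skip the two NOPs when the word was zero)
#   4e71 4e71       nop; nop
#   6700 0006       beq.w +6        (16-bit displacement form)
SAMPLE = bytes.fromhex("4a790040000a" "6704" "4e71" "4e71" "67000006")

def patch_sample():
    rom = bytearray(SAMPLE)
    hits = relocate_battery_refs(rom)   # -> [2]: the operand of the tst.w
    invert_branch(rom, 6)               # beq.s becomes bne.s
    nop_branch(rom, 12)                 # beq.w becomes nop; nop
    return hits, rom.hex()
```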
So if we need to invert the logic we can change the BEQ to a BNE by swapping the 67 for a 66 in the first byte of the opcode. If we want to always force a certain code path we can just NOP the branch instruction.

Training mode
- Infinite time
- Health/energy recharge
- Disable K.O. slowdown
- Dizzy OK
- Dummy actions (useful to train combos): neutral; block everything or only ground attacks
- http://pof.eslack.org/2014/04/22/ssf2t-the-quest-for-theperfect-training-mode/

Want MOAR?
- ST-Revival (US): http://strevival.com
- Gamespot Versus (JP): https://www.youtube.com/user/supersf2turbo/videos
- Tournament of Legends & Xmania: Evo 2012: http://youtu.be/HJ0SR6Y9GHM; Evo 2014: http://www.strevival.com/tol2/ http://youtu.be/2c93mDy0HFU
- Shoryuken wiki: http://wiki.shoryuken.com/Super_Street_Fighter_2_Turbo
- Shoryuken forum: http://forums.shoryuken.com/categories/super-streetfighter-ii-turbo
- The 48 killing arts of yoga: http://www.youtube.com/watch?v=x4cgh6eRmCE

Questions?

Bibliography
- http://www.slagcoin.com/joystick.html
- http://www.youtube.com/watch?v=-zIhPV0F_B4
- http://en.wikipedia.org/wiki/CP_System_II
- http://cps2shock.emu-france.info/
- http://forums.shoryuken.com/discussion/169077/hacking-the-st-rom/p1
- http://www.mamecheat.co.uk/forums/viewtopic.php?p=13271#p13271