Various MAMEWIPs

Haze:

Magical Cat Linescroll

I’ve added the missing linescroll to the Magical Cat Adventure driver; it’s actually used in most levels for various little effects. Thanks to kold666 for the report at Mametesters.

R. Belmont: (Now this is cool!) ;-)

The Stern speech synthesis is working (at least preliminarily) and has been submitted. Who says we never improve old games?

On the “new” but non-MAME front, M1 and Audio Overload both work well on the PS3. It’s kinda funny playing a PSF2 on the PS3 =)

Nicola Salmoria:

CPS2 Getting Closer

The correlations between the 96-bit keys of the two Feistel networks were crucial in getting the s-boxes with 4 or 5 inputs “in sync”–that is, making them identical to the real ones apart from a fixed XOR or permutation applied to the whole box.

Eventually, I ended up with a layout which I’m 99.9% sure is equivalent to the real one. We cannot know the exact contents of the real s-boxes without getting them from the actual hardware, but the current ones should be mathematically equivalent.
The result is here: http://xoomer.alice.it/nicola.salmoria/cps2crptv2.zip.

The most notable news is that the key is now reduced to 64 bits, and the one we are currently using should be identical to the one used by the hardware, apart from a fixed permutation of the bits.
Finding the real permutation would be nice, but obviously that’s not something we can determine from the algorithm, since the order of the bits of the key is completely irrelevant.

What is interesting to note is that the keys used by some games don’t seem to be random. If they were random one would expect there to be around 32 0s and 32 1s, but sometimes this isn’t the case. E.g.

pzloop2: 3332206a0077f829
mshj: 01c0c951370f4c80
dstlka: 04048b4e2a498879
ringdest: 0405541367806575
cybotsj: 0404821534388354

Of these, the last three literally scream “I’m not a random number!”. Guessing the right bit order to make something appear, of course, is another matter.
Some of the watchdog values contain birth dates, e.g. cmpi.l #$19660419,D1, so I expect the same thing might be happening here.
Also, it makes sense for the pzloop2 one to be more regular than the others because it’s a third-party game.

On the key extraction front, things are going reasonably well. The brute force attack described in the previous article is working decently on most games, however for some of them the available data isn’t enough. I’ll have a more precise list once I’ve finished going through all the games. After that, we’ll need to devise a better attack if we want to get the missing keys.

The discovery that the key is only 64 bits might help to construct a better attack, though at the moment I don’t have many ideas. The fact that the algorithm is divided in two parts, with the output of the first one affecting the key on the second part, complicates things.
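Added example (not part of Nicola's post or of MAME): a quick randomness check on the five keys quoted above. It counts the 1 bits in each key, a statistic that survives any fixed permutation of the key bits, and computes the exact two-sided binomial probability of a uniformly random 64-bit key deviating that far from 32. The function names and the all-decimal-digits check are assumptions made for this illustration; the latter does depend on the bit order shown in the post.

```python
from math import comb

# Keys exactly as listed in the post (64-bit, hex, in the post's bit order).
KEYS = {
    "pzloop2": "3332206a0077f829",
    "mshj": "01c0c951370f4c80",
    "dstlka": "04048b4e2a498879",
    "ringdest": "0405541367806575",
    "cybotsj": "0404821534388354",
}
NBITS = 64


def popcount(hex_key):
    """Number of 1 bits; unchanged by any fixed permutation of the key bits."""
    return bin(int(hex_key, 16)).count("1")


def two_sided_p(ones, n=NBITS):
    """P(|X - n/2| >= |ones - n/2|) for X ~ Binomial(n, 1/2), computed exactly."""
    dev = abs(2 * ones - n)
    hits = sum(comb(n, k) for k in range(n + 1) if abs(2 * k - n) >= dev)
    return hits / 2 ** n


def all_decimal_digits(hex_key):
    """True if every nibble is 0-9, i.e. the key reads like packed BCD.
    Unlike popcount, this depends on the bit order being the right one."""
    return hex_key.isdigit()


def report():
    """Map game name -> (ones, two-sided p-value, all-decimal flag)."""
    rows = {}
    for name, key in KEYS.items():
        ones = popcount(key)
        rows[name] = (ones, two_sided_p(ones), all_decimal_digits(key))
    return rows


# Chance that 16 uniformly random nibbles are all decimal digits.
P_ALL_DECIMAL = (10 / 16) ** 16

if __name__ == "__main__":
    for name, (ones, p, bcd) in report().items():
        print(f"{name:9s} ones={ones:2d}/64  p={p:.4f}  all-decimal={bcd}")
    print(f"P(all 16 nibbles decimal | random key) = {P_ALL_DECIMAL:.6f}")
```
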

Andrew Gardner:

1.12.07
Happy New Year!

So it seems San Francisco’s got itself a cold weekend ahead of it. Good thing I’ve got an Intel P4 to keep the house warm! Seriously though, the weather’s kinda’ miserable right now, so I’m gonna’ take that as an excuse to sit around and spend some quality time with the world’s bestestest emu. It’s, of course, got some stiff competition with the Bears and Chargers games this weekend, but I figure I’ll be able to pull my hands out of the vat of beer and brats long enough to write a few lines of code.

Recently I’ve been busy relative to my normal lackadaisical MAME behavior. Still getting little done, but that’s nothing new. I’ve put Polygonet Commanders on the back burner since SMF may be carrying the driver ahead. I’m not sure though - he expressed interest awhile back and hasn’t mentioned it since. Honestly, it gives me an excuse to take a break from that driver again, so I’m happy.

Awhile back gregf (of MAMEworld fame) pointed me to a King Pin PCB for sale on ebay. I bought it, drove to pick it up, popped out the ROMs, sent ‘em to a dumper here in the US, and gathered the results from the guy. Now I’m attempting to emulate the thing. It’s been fun seeing it go from its discovery to where it is now.

The hardware isn’t particularly complex. Two Z80’s, a TMS9928 for video, and an AY-3-8912 for audio. All stuff that’s well emulated in MAME. The trick is figuring out the oddball early-80’s junk that glues it all together. So I’ve stripped a KingPin PCB, scanned it, and am now tracing it in an image editor. Luckily the leads are only on the surfaces of this board, so it’s relatively simple. I’m halfway done, but then I need to figure what it all means :P.

To that end, I’ve been trying to teach myself how to read schematics. Things are making sense, but there are still a few vital points I’m missing. I’ll get it eventually, but if anyone knows of a good tutorial online about the things, please feel free to share (e-mail is on the left, or I’m “drewcifer” on MAMEworld’s boards).

And yeah, that last link was the other thing I’m messing around with. As per Aaron’s call-to-arms about laserdisc games in MAME, I’ve taken it upon myself to try to get the Astron Belt hardware working. Aaron and a bunch of others are doing great things towards emulating those games in MAME, so stay tuned for some awesome updates in the near future.

Also, I don’t know if you noticed, but things are just as exciting in MAME land as they’ve always been. A certain dumper has been working hard to dump a lot of old crappy boards, a certain founder has been cracking encryption schemes, and the regular devs are cranking out more stuff than I’ve seen in a long time. Congrats to all involved!
