NES Console To Cartridge Security In Depth

[Segher] has reverse engineered the hardware and command set for the NES CIC chips. These chips make up the security hardware that validates a cartridge to make sure it has been licensed by Nintendo. Only after authentication will the console’s CIC chip stop reseting the hardware at 1 Hz. The was no hardware information available for these chips (go figure) so [Segher] had to do some sleuthing with the tools at hand which include some rom dumps from the chip pairs. He was nice enough to share his findings with us. We’re betting they’re not of much use to you but we found it an interesting read.

[Thank ppcasm]

[Photo credit: Breaking Eggs and Making Omelets]

45 thoughts on “NES Console To Cartridge Security In Depth

  1. first

    and

    what is the point of continuing to work on the nes, there are already like 30 different emulators for every single system and it doesn’t even have that many good games

    why not work on the xbox 360 or wii or something that actually needs work on it

  2. This is some great work; pretty soon hobbyists will be able to make and use their own NES cartridges without having to modify their NES or tear apart an old cartridge to do so.

  3. Yeah, NES is kinda pointless now. We’ve got emulation on so many platforms, etc.

    However;

    The Wii doesn’t need to be worked on, it’s been hacked for how long now?….

    The Xbox 360 has been hacked more recently, and is running homebrew, etc. However someone needs to figure out how to be able to Jtag for systems updated with the Summer update, which blew the e-fuses.

    Ps3 needs serious work.. no hacks at all period.

  4. I like that they used the discharge time of a capacitor as the random number seed. I bet someone could have shorted the cap to make the nes behave predictably so only one “key exchange” would have to be figured out. Was there much of a nes homebrew scene back when nes was big?

  5. Actually it doesn’t look like he HAS reverse engineered it. Just large parts of it.

    I don’t really agree with kirov, the hundreds of NES emulators all kind of suck (so far I haven’t found a *GOOD* one that will run on a sub 1ghz machine, and I’ve been using them since before nesticle — which is ridiculous).

    Aside from that, I don’t know that his efforts are emulation related. I think he’s just having fun, which is totally worthwhile effort IMO.

  6. The actual communication between the two chips (cart + console) had already been reverse engineered awhile ago. They (nesdev) made a clone called the “ciclone” It’s currently being sold at http://www.retrousb.com . (If you wanna know more about the reverse engineering of the protocol look for a thread called something along the lines of “reverse engineering the nes cic” on http://www.nesdev.com (go to the forums.)

  7. @blizzarddemon and doomstalk:

    just because i have a differnet opinion than you i am “trolling” by thinking the NES doesn’t have a lot of good games?

    most everything done on the NES is redone on the SNES / other systems with improvements in almost any aspects, nostolgia aside the NES does not offer too much not way outdone later

    this does not really extend to the snes and beyond as for exmaple chrono trigger was so well done it is fun to play today, but FFI and FFII on the nes seem like a primitive flash game in comparison.

  8. @Mikey

    You’re a retard, accurate NES emulation is impossible on sub-1GHz machines. When you’re emulating a system at cycle-level granularity rather than the hack-and-slash bullshit approach to emulation that most emulators take, it takes a lot of CPU time. Don’t blame us emulator authors because you’re attached to your Precambrian-era computer.

  9. @kirov

    People like you are what’s wrong with emulation and what’s wrong with this site. All you ever want to hear about is hacking the latest and greatest shit anymore, and all you ever want is to play free games, as if the world’s hackers are your personal slaves to entertain you. You have no fucking appreciation for the amount of work that goes into things like this, you just bitch and bitch and bitch about how nobody’s working on giving you your precious free games and hacks. Fuck you, we’ll work on what we fucking well want to.

  10. @Kirov, you write like the author of this hack has some sort of obligation to deliver something useful specifically for you.
    Not only that, but posting “first” like that makes you some sort of special snowflake doesn’t give subsequent commenters much respect for your opinion.

  11. The PS3 has had reversing done on it. A ROM on the CELL die hides all LPAR/Hypervisor data even from the bridge chip during init, basically. The only thing that hasn’t been done is bus sniffing on XDR/SRAM bus because of the electrical characteristics.

    geohotps3.blogspot.com

    Anyone here who thinks that isn’t super-hacker enough take note that in modern reverse engineering what has been done on the PS3 thus far is about as sophisticated as it gets. You can’t manipulate hardware logic on dies, and there is obviously no external OCD map.

    PS3 also appears to use 2048bit DMA AES with a PKI sheme as stated in the implementation docs provided by IBM for vendors.

  12. its a hack.
    Although will there be a shield coming out for the arduino – my girlfriend took my soldering iron off me…

    On a slightly different note:
    @Kirov, Hitler had a difference of opinion, still made him a cunt.

  13. It is said [Segher] used tools to read the Chip sets using ROM DUMPS? How does one DUMP the chip set?

    I was wondering because a certain piece of hardware I have needs to do an PRE-IPL Check to a chip set(Before it boots)and if I can extract that data as its booting it would be very helpful for me its just I don’t know how you would do this?

    Any help will be great!!

  14. The way the CIC chip sets were dumped, is that they wer decapped, metal/SiO2 layer dissolved off, then a staining chemical applied. Finally, whats left, is a rom region on the die, that shows a logical 1 on areas not stained, and a logical 0 on areas that are stained.

    What [Segher] is looking for, is clear die shots of one of these CIC chip sets, that has NOT had ANY of its layers dissolved.

    And yeah, part of the reason for reverse engineering the CIC chip set, as found in nes games, is that the exact same chip set is also used in snes games too, which will soon mean being able to make our own unlicensed snes game cartridges without the need for pulling CIC chips from a donor cart.

  15. (My name is Segher, not [Segher]).

    I did this just for the joy of it. It is a very nice puzzle (in my twisted mind) to take a rectangle of bits and figure out what it does, without even knowing what the chip architecture is (and no, I still haven’t found any docs on it, this CPU is an embedded CPU from about 1978).

    As why I didn’t work on e.g. the Wii instead, well, you obviously don’t know what you are talking about.

    Segher

  16. @Decius

    Direct quote:

    “with the tools at hand which _include some rom dumps_ from the chip pairs”

    The chips (as caitsith2 stated) had been decapped and read in by nevistki. It stated this in the blog post.

    Direct quote:

    “All credits for doing these go to neviksti thanks!”

    With that being said. I think segher did a great job, and I found his findings rather interesting to say the least, even if one does not have anything to do with nes/snes it is _always_ a plus to have the ability to share and gain knowledge from not only projects you do yourself. But also projects that other people tackle, and this case is no different. Segher is an extremely talented person, and agree or not as people might. It is good to see people who are willing to share information, and for free none the less. :)

  17. Oh, I didn’t mean anything by it Segher It’s just thats how they had your name in the article I just wanted to be clear as possible, I don’t usually understand half the stuff that is posted here but it is fun to read.

    I am sorry for offending anyone, I am not as smart as some here.

    Sorry for the waste of comment space.

  18. Great work. Congrats!

    It is so easy to bash other people’s work. The trolls must have done some really impressive stuff if they are bashing this. Why don’t you show us how great your projects are?

  19. There is a type of beauty inherent to knowing a system well, no matter how old it is!

    I remember once clipping pin 4 of the CIC chip then tying it to ground, so that the system would treat any cartridge as having passed verification.

    I did some digging and found the reasoning for that method here: http://nesdev.parodius.com/nlockout.txt

    However, I like your method better!

  20. um but wheres the hack, aside from a pinout and a few tidbits of information they really didn’t do much, nor explained a whole lot either

    in fact when it started to get interesting they said “but we will leave that up to you!”

    dont get me wrong thanks for sharing but “awesome hack”? really?

  21. Great job !!I love to see these old bit cruncher machines dissected …and exposed{blushes} mmm chip pr0n he-he.
    On another note …. wouldn’t taking a peek at the PS3 Cell chip’s Die be a way to find what is going on in the ROM(s)? I’m pretty sure I must be over looking another security feature/doozey like a smudging effect built into the Die manufacturing process or some thing real subtle like other support mpu’s having their own ROM(s)….eh any ways just throwing that in there

    And Segher,
    It is always great to see a different angle on reverse engineering even if the final product has been reproduced elsewhere ….innovation etc is fueled by curiosity and an open mind.

  22. Oh and by the way….. if you are going to make a negative comment about a post please for the love of all that is bit-bashed ….do some research and know what you are talking about, and at least have some respect…this is a public domain you are posting in. THANX :D

  23. I feel bad about bringing Hitler into the discussion (if it can be called that), and apologise to Segher for lowering the tone –

    Either people hate it, but provide some sound backing other than “omg, its so old school, its not like you did ’nuffing with a Wii”

    Also, “yeah but there has been emulators for like ages” is pretty pointless too. We could see the moon through a telescope for quite some time, didn’t stop us from going to the effort of sending someone up there for a better look.

    Some of the surprising outcomes from what some might consider wasted effort can be found here: http://www.spacecoalition.com/products.cfm

    You not seeing the point in someone else’s efforts, does not make what they do pointless, it simply demonstrates your lack of vision or imagination.

  24. “You not seeing the point in someone else’s efforts, does not make what they do pointless, it simply demonstrates your lack of vision or imagination.”

    I couldn’t agree more!

    Isn’t that essentially the definition of hacking to begin with – taking an existing concept and evolving it into something different? Heck, that also pretty much defines the word “invention” also. Just think – this all started when someone picked up a rock or a stick to use for some new idea.

  25. “Why paint a picture, when you can take a photograph?”

    “Why bake a pizza, when you can buy one from a fast food outlet?”

    “Why restore a car, when you can get one brand new?”

    “Why spend time doing something you love and share your experience with the world, when someone already did same thing before you?”

    Why??????????????????

  26. No one had (publicly) reverse engineered the CIC until now. Tengen’s Rabbit clone is what was reverse engineered to make the CIClone. This is the first time ever that the _original_ CIC program has been understood and publicly documented.

Leave a Reply to CaitSith2Cancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.