Revealing Capcom’s Custom Silicon Security

Ask any security professional and they’ll tell you, when an attacker has hardware access it’s game over. You would think this easily applies to arcade games too — the very nature of placing the hardware in the wild means you’ve let all your secrets out. Capcom is the exception to this scenario. They developed their arcade boards to die with their secrets through a “suicide” system. All these decades later we’re beginning to get a clear look at the custom silicon that went into Capcom’s coin-op security.

Alas, this is a “part 1” article and like petulant children, we want all of our presents right now! But have patience, [Eduardo Cruz] over at ArcadeHacker is the storyteller you want to listen to on this topic. He is part of the team that figured out how to “de-suicide” the CP2 protections on old arcade games. We learned of that process last September when the guide was put out. [Eduardo] is now going through all the amazing things they learned while figuring out that process.

These machines — which had numerous titles like Super Street Fighter II and Marvel vs. Capcom — used battery-backed ram to store an encryption key. If someone tampered with the system the key would be lost and the code stored within undecipherable thanks to “two four-round Feistel ciphers with a 64-bit key”. The other scenario is that battery’s shelf life simply expires and the code is also lost. This was the real motivation behind the desuicide project.

An overview of the hardware shows that Capcom employed at least 11 types of custom silicon. As the board revisions became more eloquent, the number of chips dropped, but they continued to employ the trick of supplying each with battery power, hiding the actual location of the encryption key, and even the 68000 processor core itself. There is a 6-pin header that also suicides the boards; this has been a head-scratcher for those doing the reverse engineering. We assume it’s for an optional case-switch, a digital way to ensure you void the warranty for looking under the hood.

Thanks for walking us through this hardware [Eduardo], we can’t wait for the next installment in the series!

48 thoughts on “Revealing Capcom’s Custom Silicon Security

          1. Specifically quarters.
            Though here the DRM was mostly to prevent bootleg machines from being built but it probably also made them a lot of money in service calls for things that normally could be repaired by any tech.

        1. So do I have to spend it as soon as I get it, or can I wait until I have enough to buy something more expensive? An until that point, should I store it in a pile of cash on my front lawn? I wouldn’t want to seem greedy by putting it somewhere that would make it more difficult for someone to take it from me. Do you keep yours an a bank? Care to share your bank info with the group?

          1. PS: Donations for “Jerry’s Typing Lesson Fund” are welcome…apparently someone came on to my front lawn and made off with my pile of money.

        1. You can’t buy another from Capcom so it’s not greed. It really is to prevent piracy. Capcom, Taito and others lost millions in quarters to the myriad of Galaxian / Pac-Man / Space Invader clones that were very prevalent in the early days of arcade gaming.

          1. anytime a company doesnt build a product that could last literally forever it is accused of “planned obsolescence” as if the user of the term “planned obsolescence” has the slightest idea what that would require from the company’s perspective. I suppose this is born of the baby boomers generation where every product is thought of as simply as a screwdriver or a toaster and everything is supposed to last forever and be serviceable.

          2. @Padrote How about just using common parts, a high quality PCB that doesn’t catch fire when you try to resolder something and providing test points and a service schematic a la BBC Micro (Or weirdly, the Wink Hub? That puppy was wonderfully well made).

            No-one can expect electronic products to just live forever. But EVERYONE should expect their products to be inherently repairable, if not by an end user (fair cop) then at least by a competent engineer with a basic set of tools and skills.

            Instead, one-way plastic clips, PCB so shoddy it’s almost defeated by central heating and unlabelled or custom ‘black blob’ chips that are not available outside the original factory where a product is assembled.

            … custom optical drives that are firmware coded to each individual logic board, deliberate use of substandard capacitors with a limited lifespan (and see the point about PCB’s), hard sealed internal li-on batteries…

            That last one is the latest fun-time. In order to replace the battery in a recent Apple laptop, you have to replace the mouse, keyboard, half the sensors and 40% OF THE OUTER SHELL. Way to spike the repair costs and force people to buy even-more-expensive new machines, Apple!

        2. They probably did fix boards that went dead when they were still supported as an arcade machine would be much too expensive to be a disposable item.
          But now it’s a big problem for collectors as you can no longer send in a board to be repaired.

  1. Is there code that remains inaccessible due to the security system? If so, can someone provide an estimation of what it would take to brute-force a 64-bit Feistel cypher?

      1. Yah, although similar to DES which is regarded as weak, it has got those pesky extra 8 bits over it. Also it isn’t really suitable for attacks other than brute force, because it’s not like you can run known plaintexts through it. It could be reasonably quick, like a day or two, to discover if it’s a previously known bit identical ROM. However, since the purpose of doing it would be to preserve different ROM variations, localisations and bug fixed or patch levels, then if you’ve got one that’s not been made available for “education and research” on teh interwebz, then it’s full keyspace brute force or nothing….. annnnd I think that’s going to take upwards of a month on a well specced 5 GPU or so Hashcat rig…. so if you’ve got electric heat, this is how you stay warm next winter.

          1. Well yes and no, you’re going to want the larger, spendier FPGAs, and several times as many as GPUs, because they’ll clock a lot slower even if internally more efficient, which means your hardware costs can be much higher, even though you might drop power requirement significantly. So going to have to calculate whether it’s going to be cheaper to run the GPUs longer at higher power cost, or FPGAs shorter at same or less power cost and spend more in hardware and development.

  2. How are the batteries on these units still working at all is my question. Can you even swap them out easily? These are not nuclear batteries or anything, right? Even smoke detectors are only good for a decade or so at the most.

    1. Possible with lithium batteries. I have a lithium battery made clearly before 1990 – there’s “West Germany” written on the package. It still holds its voltage when measured with a multimeter. Also I have an lamp built about 15 years ago, with a light bulb, switch and 3 lithium batteries, when some weeks ago I switched it on for several seconds, it still worked.

      1. I have old batteries that still work too but not if they have had any appreciable current draw. I even have watches from 10 or 15 years ago that still work but what kind of current draw do these have and how large of a battery are they? They are clearly always using up power so they do have a lifespan and many of these machines came out close to 20 years ago now?

        1. The light bulb in that 15 year old lamp was shining at full power when I switched it on. I suspect that small CMOS static RAM takes approximately the same power as a watch, but I didn’t check how much power it actually uses

          1. The light switch is probably a static battery though with zero current use when off? I am not arguing that batteries can hold a charge for 15 years or so but even a very small drain over long enough will exhaust many small button batteries.

    2. if you swap out the batteries the encryption key is lost, which is why i called it greedy above, i have no issue with people protecting their IP, but it should never severely limit the function or long term viability of a product.

        1. Perhaps the Internet should learn how to read before posting a non-sequitur (hey! got the spelling right)?

          Some “cloud” stuff are simply greed, some are just practical and some are a mix of the two. Some isn’t really “cloud” at all.

        1. you might, it should work as long as they haven’t done something sneaky like look for resistance changes, not that one couldn’t design around that too.

          it all runs a risk though.

        2. >Wouldn’t it be possible to power the circuit with another battery in parallel throughout a battery swap?

          With the CPS2 you can remove the battery for a few minutes to swap it for a new one.

          Source: Done it myself a few times + this info has been on the internet for at least a decade.

      1. Looks to me as though Capcom was intending for these games to have a hard End Of Life, beyond which they would no longer give them another “1-UP” (if they ever would ‘recharge’ them by reloading the decryption key). The goal? Forcing all their old games to be scrapped to make room for new games from Capcom.

        What if your laptop or smartphone was completely, totally dead forever if you removed the battery or it got old enough it would no longer hold a charge? Would anyone stand for that? What if vehicles were done this way? Dead or disconnected starting battery = permanently dead car, or at least requiring it to be taken to a dealer to be re-activated, and if the manufacturer decides to no longer provide the service, you can only keep using the car as long as its last battery holds out.

        It’s another variation of that one Nintendo portable game with saves that cannot be erased. What happens when all the save memory is filled? Useless cartridge?

        1. >Looks to me as though Capcom was intending for these games to have a hard End Of Life,

          You’re wrong then. It’s nothing to do with “End of life” and everything to do with bootlegging, dodgy arcade ops etc.
          Capcom was servicing suicided boards (for a fee) long after the CPS2 was current.
          The battery exists to make the decryption keys for the data fragile. So if someone tampers with the board to try to dump the keys to pirate the game or tries to replace the keys so they can burn another game onto the eeproms instead of buying it from Capcom the board gets bricked and they don’t try it again. Remember this was in an age before software could call home to a server to check it’s properly licensed.

        2. While not exactly the same, we now have hardware that is so dependent on software that a lack of updates almost instantly renders it unusable. In this case, that means you cannot trust any sort of data to is that is remotely sensitive. Even though there are hundreds of thousands of people still older Android versions with known vulnerabilities in it, their devices should be considered unserviceable.

    3. Back in the late 80’s the company I was working for used Dallas Semiconductor dip packaged lithium batteries. Several rails (about 25 per rail) expired and I rescued them because…free batteries! I found them in my garage in 2015 while cleaning and about 1/3 of them were still at full voltage, 3.6V. Did not check capacity though.

    4. If you combine a good lithium battery with a well engineered circuit they can last a long time. In 1985 I got a stereo system that uses a lithium coin cell coldered to the board to keep the station memory and a few other things. I never changed the battery and when I dug it out a few weeks ago and measured the battery, it still had just below 3V and all stations were still present.

      I also have a radio controlled clock here which I bought in 2002, it still runs with the original AA (non-alcaline!) battery.

      1. I once got a very old Z80-based access control system (manufactured in 1987) which had one of those all-in-one RTC chips with built-in RAM, crystal and lithium battery. It still works and reports the right date and time.
        I can’t measure battery voltage because it’s not broken out on pins, but I assume it’s still full.

  3. All of the effort Capcom put into DRM was basically wasted. As this effort shows, had there been just a modicum of desire contemporaneously it would have not been tremendously difficult to moot it all.

    1. Well before at least there was the profit angle. That isn’t even there now and people are still endeavoring to overcome this now for amusement and nostalgia than profit.

  4. John Jacobson over at johnsarcade.com replaced a battery on a SF board and recorded the process. He gave himself something like 5 mins before the board would fail (based on a report from a pal) but desoldered and attached a new battery in about 90 seconds. His board works perfect again even though his original battery was something like 20 years old and still held a charge. It wasn’t a difficult job solder wise. There are also updated rom sets you can download to physical roms which have bypassed this old protection feature. Never let a board die folks is the takeaway here.

  5. This has nothing to do with planned obsolescence. Everyone* thinks corporations are evilly planning to make devices self-destruct, when these decisions are motivated by anti-piracy, ease of updates, cost, etc.
    If you’d told Calvin that in 2017 we’d have Occulus games, and MMORPEGs running on our phones, but people would bitch because they can’t play an old cap on arcade, they’d never have believed you.
    Apple laptops aren’t serviceable not to make you buy new ones, but because most people want super light thin ones (meaning glued not screwed), and anyway the processors are too slow to run new software long before the batteries die. I’ve plenty of old iPod touches, the batteries are fine, it’s the software that won’t run.
    17″ MBP is doing fine on the battery, but newer software won’t run because the GPU isn’t good enough.

    * except people who take time to think, or who have ever worked in a big company

    1. And having worked in web and desktop development, when an old platform is finally unsupported it’s such a relief… supporting older HW/SW is always disproportionately expensive.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s