Cracking the Case of Capcom’s CPS2 Security

We love a good deep-dive on a specialized piece of technology, the more obscure the better. You’re getting a sneak peek into a world that, by rights, you were never meant to know even existed. A handful of people developed the system, and as far as they knew, nobody would ever come through to analyze and investigate it to find out how it all went together. But they didn’t anticipate the tenacity of a curious hacker with time on their hands.

[Eduardo Cruz] has done a phenomenal job of documenting one such system, the anti-piracy mechanisms present in the Capcom CPS2 arcade board. He recently wrote in to tell us he’s posted his third and final entry on the system, this time focusing on figuring out what a mysterious six-pin header on the CPS2 board did. Hearing from others that fiddling with this header occasionally caused the CPS2 board to automatically delete the game, he knew it must be something important. Hackaday Protip: If there’s a self-destruct mechanism attached to it, that’s probably the cool part.

He followed the traces from the header connector, identified on the silkscreen as C9, back to a custom Capcom IC labeled DL-1827. After decapping the DL-1827 and putting it under the microscope, [Eduardo] made a pretty surprising discovery: it wasn’t actually doing anything with the signals from the header at all. Once the chip is powered up, it simply acts as a pass-through for those signals, which are redirected to another chip: the DL-1525.

[Eduardo] notes that this deliberate attempt at obfuscating which chips are actually connected to different headers on the board is a classic trick that companies like Capcom would use to try to make it harder to hack into their boards. Once he figured out DL-1525 was what he was really after, he was able to use the information he gleaned from his earlier work to piece together the puzzle.

This particular CPS2 hacking journey only started last March, but [Eduardo] has been investigating the copy protection systems on arcade boards since 2014.

[Thanks to Arduino Enigma for the tip.]

17 thoughts on “Cracking the Case of Capcom’s CPS2 Security”

  1. Why don’t they go to Capcom to get the info?

    If the hacking is being done as part of game preservation society then Capcom should be happy to allow it.

    Unless Capcom or whoever bought out Capcom intends to or is still using that security method on their latest titles.

    Just in the same way that are dusting off old phishing methods like the 900 number dialer, Capcom or its new owner may intend to bring back the same protection.

    1. Sometimes companies are forthcoming with the info, and sometimes they aren’t. If there are any intellectual property rights at stake and any unknowns (such as questions about who holds rights), companies tend to get very tight-lipped. Also, like others have said, sometimes information gets lost.

        1. CD Projekt Red? Tell Tale? Obsidian?
          Guess it depends on how you define “good”, and I fully admit even the above “off the top of my head” list is embarrassingly tiny, but there are still some good studios and dev houses out there.

  2. Oh I can think of a lot of reasons:
    – They just aren’t bothered to reply to someone asking for what basically is abandonware
    – Capcom doesn’t want to spend time and money to dig it out of the archives, if it’s in the archives at all
    – Patents, need I say more?
    – Licensing, maybe the protection was outsourced, disclosing it may lead to a legal battle
    – The information is lost, archives, files, degradation of media, hardware/software that contains the info doesn’t work anymore etc get lost over time.

    1. Once the game is no longer supported, Capcom has no reason to keep any documents relating to it. Any documents they do have are likely in a dusty file cabinet or on backup tapes that would take serious effort to restore.

        1. Really, really, really, incredibly unlikely 20-odd years later. Modern hardware almost certainly has nothing in common with it. CPS2, as far as I remember, is Motorola 68000 series with a tile mapping / sprite engine. Modern arcade games, such as they even make any more, are often modified console hardware, which is cheaper.

      1. There must be some almost-pensioned guy over at Capcom, of whom nobody knows anymore what he’s doing there, but who’s still on the payroll, who resides in a lab that has all the supplies that anyone could wish for, and who knows where to find all the stuff that he ever worked on in the past. I’m sure of it.

        1. Yeah but he’s Japanese, and they have weird things about company loyalty. It’s like life or death to them, vs the begrudgement and mistrust more enlightened peoples feel towards their companies.

        2. I did get a guy at Moog-Animatics to dig up all the info on an old Animatics servo controller, as used in a Light Machines PLM 2000 benchtop CNC bed mill. He was with Animatics before Moog bought the company. They’d kept old backup hard drives from before. One of these days I may explore some of the functionality Light Machines (and later, Intelitek) never used. The controller has some internal program storage for running G-Code without an external control computer. Set it up right and one need only poke a button to repeatedly run the code.

    2. You are over-thinking it. Most legal departments take a reasonable position on risk mitigation:

      void request_info (details)
      {
          if (revenue opportunity)
              return boilerplate();
          else
              return "no";
      }

      The return type is not a mistake….

  3. What a fascinating read! I had read his first post on trying to figure out that long-lasting security measure and was wondering when he would manage. He even shared a way to reconfigure/de-suicide CPS2 board using an Arduino. So many boards will be able to be saved/repaired now that this is available. Truly in the spirit of Hack-A-Day!
