Cracking the Case of Capcom’s CPS2 Security

We love a good deep-dive on a specialized piece of technology, the more obscure the better. You’re getting a sneak peek into a world that, by rights, you were never meant to know even existed. A handful of people developed the system, and as far as they knew, nobody would ever come through to analyze and investigate it to find out how it all went together. But they didn’t anticipate the tenacity of a curious hacker with time on their hands.

[Eduardo Cruz] has done a phenomenal job of documenting one such system, the anti-piracy mechanisms present in the Capcom CPS2 arcade board. He recently wrote in to tell us he’s posted his third and final entry on the system, this time focusing on figuring out what a mysterious six pin header on the CPS2 board did. Hearing from others that fiddling with this header occasionally caused the CPS2 board to automatically delete the game, he knew it must be something important. Hackaday Protip: If there’s a self-destruct mechanism attached to it, that’s probably the cool part.

He followed the traces from the header connector, identified on the silkscreen as C9, back to a custom Capcom IC labeled DL-1827. After decapping the DL-1827 and putting it under the microscope, [Eduardo] made a pretty surprising discovery: it wasn’t actually doing anything with the signals from the header at all. Once the chip is powered up, it simply acts as a pass-through for those signals, which are redirected to another chip: the DL-1525.

[Eduardo] notes that this deliberate attempt at obfuscating which chips are actually connected to different headers on the board is a classic trick that companies like Capcom would use to try to make it harder to hack into their boards. Once he figured out DL-1525 was what he was really after, he was able to use the information he gleaned from his earlier work to piece together the puzzle.

This particular CPS2 hacking journey only started last March, but [Eduardo] has been investigating the copy protection systems on arcade boards since 2014.

[Thanks to Arduino Enigma for the tip.]

Desuiciding Capcom Arcade Boards

Capcom’s CPS2 – or CP System II – was the early to mid-90s arcade hardware famous for Super Street Fighter II, Alien vs. Predator, and a few of the Marvel and Capcom crossover arcade games. As you would expect, these boards have become collectors items. Unfortunately for future generations, Capcom took some short-sighted security measures to prevent copying the games, and the boards have been failing over the last two decades.

After months of work, [ArcadeHacker] and several other arcade enthusiasts have reverse engineered the security protocol and devised a method of de-suiciding these arcade boards, allowing for the preservation of this hardware and these games. The code that does the trick is up on GitHub.

Last year, [ArcadeHacker] reverse engineered the on-chip security for Capcom’s Kabuki processor, the CPU used in some of Capcom’s earlier arcade boards. It used a similar protection scheme. In the Kabuki hardware, the on-chip ROM was interspersed with a few XOR gates on the processor’s bus. With a security key kept in battery-backed memory, this was enough to keep the code for the game secret, albeit at the cost of preventing historical preservation.

Over the next few weeks, [ArcadeHacker] will post more detailed information about the copy protection scheme of the CPS2 board, but the proof-of-concept works right now. It’s now possible to revive a CPS2 board that has killed itself due to a dead battery, and the hardware is as simple as an Arduino and a few test clips. You can check out a video of the exploit in action below.

Continue reading “Desuiciding Capcom Arcade Boards”