CPS-2 internals, Reversing Super Street Fighter 2 Turbo,
and Retro-Arcade Cabinet Hacking :)
NoConName 2014
Pau Oliva Fora - <[email protected]>
@pof
Agenda
Basic elements
Controllers: buttons, sticks, microswitches
Cabinets: jamma
CPS2
History
Encryption
Phoenix edition boards
Super Street Fighter II Turbo
Versions, netplay, etc.
Debugging the game, writing cheats, lua
How not to suck at ST
BASIC ELEMENTS
Joysticks
Top (balltop & battop)
top handle
Brands
Happ, Seimitsu LS-32, Sanwa JLF
Buttons
Sanwa OBSF-24 Seimitsu PS-14-DN Happ Horizontal, Happ Competition, Sanwa OBSN-30
Buttons
Sanwa OBSF-30
Switches
Cherry microswitches, Sanwa small switches, Seimitsu small switches, Seimitsu large switches, Sanwa long switches
PCB
PS360+
PCB
Joystick
JAMMA
OUTPUT: Monitor, Mono Audio, Coin Counters
INPUT: 2 joysticks with 3 buttons each, 2 start buttons, 2 coin triggers from the coin mech, 1 test switch, 1 service switch
Power (12V, 5V, -5V, Ground)
JAMMA: Japan Amusement Machinery Manufacturers Association
Cabinet 101
Super Turbo Cabinet
AstroCity
SuperGun
Mak Strike
CAPCOM PLAY SYSTEM 2
CPS2
CPS2 A & B boards
UD-CPS2
http://forums.shoryuken.com/discussion/146685/ud-cps2-fully-consolized-capcom-play-system-2/p1
CPS2 - Regions
Green: Japan
Blue: North America & Europe
Orange: South America
Grey: Asia
Pink: Brazil
Yellow: All (Rent version)
Black: All in one unit
Green & Blue boards are totally interchangeable.
Grey & Orange boards require 'A' board of matching color
Yellow 'B' boards are rent version and were made to fit 'A' boards as required.
CPS-2 Specs
Primary CPU: Motorola 68000 @ 16 MHz
Sound CPU: Z80 @ 8 MHz
Sound Chips: Q-Sound @ 4 MHz
Display:
Resolution: Raster, 384x224 @ 59.6294 Hz
Color Depth: 12 bit RGB with a 4 bit brightness value (4096 colors)
2048 On-screen colors (128 global palettes with 16 colors each)
CPS-2 History
CPS-1 games were easy to copy, and bootlegs (unauthorized game copies) appeared
(02/1991) Street Fighter II: The World Warrior
CPS-2 == CPS-1 with a faster processor and encrypted game ROMs
(09/1993) Super Street Fighter II: The New Challengers
(02/1994) Super Street Fighter II Turbo
(12/2003) Hyper Street Fighter II: The Anniversary Edition
CPS-2 Suicide battery
The CPS-2 has a battery-backed memory (SRAM) containing the decryption keys needed for the games to run
When the battery dies, the games will no longer work --> blue screen
3.6V Lithium battery Size: 1/2 AA
(Elfa part #69-282-12)
CPS-2 Encryption
In January 2001, the CPS-2 Shock group (Charles MacDonald, Ange Albertini and Razoola) obtained unencrypted program data by hacking into the hardware
They distributed XOR difference tables (8GiB) to produce unencrypted data from the original ROM images --> Emulation possible
In January 2007, the encryption method was fully reverse-engineered by Andreas Naive and Nicola Salmoria (MAME author).
http://andreasnaive.blogspot.com.es/2006_12_01_archive.html
http://andreasnaive.blogspot.com.es/2007_01_01_archive.html
The encryption only affects opcodes, not data.
The encryption consists of two 4-round Feistel networks with a 64-bit key and involves both the 16-bit opcode and the low 16 bits of the address.
The algorithm was thereafter implemented in this state for all known CPS-2 games in MAME.
For more info read the MAME source:
mame/machine/cps2crpt.c
http://www.mamedev.org/source/src/mame/machine/cps2crpt.c.html
mame/drivers/cps2.c
http://www.mamedev.org/source/src/mame/drivers/cps2.c.html
CPS2 Memory Map
0x000000 - 0x3FFFFF Main Program
0x400000 - 0x40000A Encryption (the battery memory)
0x618000 - 0x619FFF Shared RAM for the Z80
(tells what sfx or music to play)
0x660000 - 0x663FFF Network Memory
0x900000 - Start of Graphic memory (can change with each game)
Super Turbo:
0x900000 - 0x903FFF Palette
0x904000 - 0x907FFF 16x16
0x908000 - 0x90BFFF 32x32
0x90C000 - 0x90FFFF 8x8
0x910000 - 0x913FFF 16x16, mainly HUD and character names on the select screen
0xFF0000 - 0xFFFFFF Main Memory
Revive Dead B-Boards
Decrypt all encrypted data so that you end up with a fully decrypted ROM image.
Patch the program code so that all read and writes to the 0x400000-0x40000A memory region are changed to 0xFFFFF0-0xFFFFFA (bottom of the normal WORK RAM)
Patch all routines not to clear this region during any memory clearing activities
Patch every part of the game that uses this region of WORK RAM (to store variables and such) to use a different region.
Phoenixed boards
Project to bring dead CPS-2 game boards back to
A power on splash screen
Ability to change region (stored to EEPROM)
A basic Jukebox to listen to game music
68000 exception handling (helps to find errors)
Freeplay option added to regions that missed it
Removal of time locks for certain code activations
Stronger test mode EEPROM memory checks
To phoenix a board:
Purchase the phoenixed EPROMs/data from Razoola
Reprogram the appropriate program EPROMs with the Phoenix ROM data
Desolder/Remove the Battery (bottom right corner of the board)
Short the 2 leads of the electrolytic capacitor next to where the + terminal was together for several seconds. This will drain the juice left in the circuit and allow the phoenix code to operate properly.
Boot up the title. A phoenix logo should appear; at this point, pressing the test button will let you change the region
decrypted ROMs
Decrypted CPS2 images by L_Oliveira, MottZilla and idc/Team Avalaunch:
http://cps2.avalaunch.net/
Alternative to Phoenix Edition ROMs
They revive dead boards, but are "clean" because they don't have all the extra features that Razoola put in (region change, jukebox, etc.)
STREET FIGHTER
Which is the best version?
Super Street Fighter II X: Grand Master Challenge (Jap. CPS-2)
Running on CPS-2, not emulated!!
NO input LAG
Super Street Fighter II Turbo (North American version)
Dreamcast port
SSF2T HDR (HD Remix)* on PS3 & XBOX360
Netplay
GGPO
Windows only
Adobe Air
Supercade
Windows Only
.NET
HDR
Xbox / PS3
GGPO.py
http://poliva.github.io/ggpo/
Protocol reverse engineered from the original (windows) GGPO client
Support for Linux & MacOS X
Vulnerabilities found in GGPO server
Start a match without the peer accepting
Start a match even when peer is away
pyQTggpo
GUI client
Windows, Linux & OSX
Ground work (protocol) based on ggpo.py
https://github.com/doctorguile/pyqtggpo
GGPO Server
- Official GGPO server was down for ~1week
- Not actively maintained by its author anymore :(
- Announcing GGPO-NG:
http://www.ggpo-ng.com
Source code available on github:
https://github.com/poliva/ggposrv
FEATURES:
- UDP hole punching (no port forwarding)
- Record & playback games
Debugging ST
mame ssf2xj -debug
Ctrl+M to open memory window
Address 0xFF844E
Offset for P2 base is 0x400
Scripting:
mame-rr lua
memory.readbyte(), memory.readword(),
memory.writebyte(), memory.writeword()
gui.text(), emu.frameadvance()
Lua Scripting
Cheats
RAM cheats usually change the data the game has in RAM (i.e. change the value at a fixed memory address)
or force the game engine to take a different path
Cheats
<cheat desc="Infinite Time">
<script state="run">
<action>maincpu.pb@FF8DCE=99</action>
</script>
</cheat>
1. maincpu: the tag of the CPU whose memory you want to poke; in 99% of cases maincpu is the tag you will need
2. p: the memory space that needs to be poked, there are 7 possibilities:
   p = program write (most RAM cheats need this)
   m = region write (most ROM cheats use this)
   r = RAM write (use this for ROM cheats if m doesn't work, or for RAM cheats if p doesn't work)
   o = opcode write (use this for ROM cheats if m and r don't work - often used for encrypted memory)
   d = data write (don't think I've ever used this)
   i = i/o write (don't think I've ever used this)
   3 = SPACE3 write (I've definitely never used this)
3. b: the memory size of what's being poked, there are four possibilities:
   b (byte)
   w (word = 2 bytes)
   d (doubleword = 4 bytes)
   q (quadword = 8 bytes)
<cheat desc="Invincibility P1">
<script state="run">
<action>maincpu.pb@FF860D=01</action>
</script>
</cheat>
More examples: https://github.com/poliva/ssf2xj
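An added example (not code from the talk or from MAME) that parses the cheat action syntax explained above, applies a poke to a simulated 68000 work RAM covering 0xFF0000-0xFFFFFF, and derives a hypothetical P2 variant using the 0x400 P1/P2 offset from the debugging slides (assuming the address lies inside the per-player block). MAME cheat numbers are hexadecimal, which is why '99' pokes 0x99.

```python
import re
import xml.etree.ElementTree as ET

SPACES = {"p": "program", "m": "region", "r": "ram", "o": "opcode",
          "d": "data", "i": "io", "3": "space3"}        # the 7 space letters
SIZES = {"b": 1, "w": 2, "d": 4, "q": 8}                 # byte/word/dword/qword
ACTION_RE = re.compile(r"^(?P<tag>\w+)\.(?P<space>[pmrodi3])(?P<size>[bwdq])"
                       r"@(?P<addr>[0-9A-Fa-f]+)=(?P<value>[0-9A-Fa-f]+)$")
RAM_BASE, RAM_SIZE = 0xFF0000, 0x10000   # CPS-2 main memory, per the memory map
P2_OFFSET = 0x400                        # P2 block sits 0x400 above P1

# The Infinite Time cheat from the slides, used here as sample input.
CHEAT_XML = """<cheat desc="Infinite Time">
<script state="run"><action>maincpu.pb@FF8DCE=99</action></script>
</cheat>"""

def parse_action(action):
    """Split one action. MAME numbers are hex, so '99' pokes 0x99 (displayed
    as 99 by a BCD timer), and the value must fit the chosen size."""
    m = ACTION_RE.match(action.strip())
    if not m:
        raise ValueError("malformed cheat action: %r" % action)
    size, value = SIZES[m["size"]], int(m["value"], 16)
    if value >= 1 << (8 * size):
        raise ValueError("value does not fit in %d byte(s)" % size)
    return {"tag": m["tag"], "space": SPACES[m["space"]], "size": size,
            "addr": int(m["addr"], 16), "value": value}

def apply_action(mem, action):
    """Poke `mem`, a bytearray mirroring work RAM. The 68000 is big-endian,
    so multi-byte pokes land most significant byte first."""
    a = parse_action(action)
    off = a["addr"] - RAM_BASE
    if not 0 <= off <= RAM_SIZE - a["size"]:
        raise ValueError("0x%06X is outside work RAM" % a["addr"])
    mem[off:off + a["size"]] = a["value"].to_bytes(a["size"], "big")
    return a

def actions_from_cheat_xml(xml_text):
    """Return (desc, [action strings]) from a <cheat> element."""
    root = ET.fromstring(xml_text)
    return root.get("desc"), [act.text.strip() for act in root.iter("action")]

def p2_variant(action):
    """Hypothetical P2 version of a P1 poke: assumes the address lies in the
    per-player block, so the fixed 0x400 P1->P2 offset applies."""
    a, m = parse_action(action), ACTION_RE.match(action.strip())
    return "%s.%s%s@%06X=%s" % (a["tag"], m["space"], m["size"],
                                a["addr"] + P2_OFFSET, m["value"])
```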
How to find the right addresses to poke?
Run cheatinit, play until the value you are after changes, then search for all bytes that have decreased by one since we did the cheatinit command (cheatnext decrease,1)
Watchpoints:
wpset 0xFF87DC,1,r,1,{printf "P1 Read @ %X=%X with PC=%X", wpaddr, pb@FF87DC, PC; go}
Patching m68k for dummies
NOP = 0x4e71
BEQ = 0x67XXYYYYZZZZ where XXYYYYZZZZ indicates how far we will jump forward if the previous comparison instruction (usually a TST) was found to be equal.
BNE = 0x66XXYYYYZZZZ where XXYYYYZZZZ indicates how far we will jump forward if the previous comparison instruction (usually a TST) was not equal.
So if we need to invert the logic we can change the BEQ for BNE by swapping a 67 for a 66 on the first byte of the opcode.
If we want to always force a certain code path we can just NOP the branch instruction.
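An added example (not from the talk) of the two patches described above on a decrypted program image: BEQ/BNE inversion by flipping 0x67/0x66, and NOPing a branch one 16-bit word at a time so that a branch with a 16- or 32-bit displacement does not leave stray words behind. The sample bytes are constructed, not real ST code; offsets equal 68k addresses because the CPS-2 main program maps at 0x000000, and the output is expressed as MAME ROM-cheat actions using the 'm' region-write space.

```python
NOP = 0x4E71            # 68000 no-op, as on the slide
BEQ, BNE = 0x67, 0x66   # first byte of the Bcc opcode word (0x60-0x6F family)

def branch_length(code, off):
    """Byte length of the Bcc at `off`. The low opcode byte is an 8-bit
    displacement; 0x00 means a 16-bit displacement word follows and 0xFF a
    32-bit long word (68020+), i.e. the 0x67XXYYYYZZZZ form on the slide."""
    if not 0x60 <= code[off] <= 0x6F:
        raise ValueError("no branch instruction at 0x%06X" % off)
    return {0x00: 4, 0xFF: 6}.get(code[off + 1], 2)

def invert_branch(code, off):
    """Swap BEQ <-> BNE (0x67 <-> 0x66) in place; the displacement is untouched,
    so the target stays the same and only the condition flips."""
    if code[off] not in (BEQ, BNE):
        raise ValueError("not a BEQ/BNE at 0x%06X" % off)
    code[off] = BNE if code[off] == BEQ else BEQ
    return [(off, code[off:off + 2].hex())]

def nop_branch(code, off):
    """Overwrite the whole branch with NOPs, one per 16-bit word, so a 4- or
    6-byte branch does not leave its displacement words behind to execute."""
    words = range(off, off + branch_length(code, off), 2)
    for i in words:
        code[i:i + 2] = NOP.to_bytes(2, "big")
    return [(i, "4e71") for i in words]

def as_cheat_actions(patches, tag="maincpu"):
    """Express patched words as MAME ROM cheats: 'm' = region write, 'w' = word."""
    return ["%s.mw@%06X=%s" % (tag, off, word.upper()) for off, word in patches]

# Constructed sample, not real ST code: TST.W D0 ; BEQ.S +4 ; BEQ.W +0x100 ; NOP
SAMPLE = bytearray.fromhex("4A40 6704 6700 0100 4E71")

if __name__ == "__main__":
    code = bytearray(SAMPLE)
    print(as_cheat_actions(invert_branch(code, 2) + nop_branch(code, 4)))
```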
Training mode
Infinite time
Health/energy recharge
Disable K.O. slowdown
Dizzy OK
Dummy actions (useful to train combos):
Neutral
Block: everything or only ground attacks
http://pof.eslack.org/2014/04/22/ssf2t-the-quest-for-the-perfect-training-mode/
Want MOAR?
ST-Revival (US):
http://strevival.com
Gamespot Versus (JP):
https://www.youtube.com/user/supersf2turbo/videos
Tournament of Legends & Xmania:
Evo 2012:
http://youtu.be/HJ0SR6Y9GHM
Evo 2014:
http://www.strevival.com/tol2/
http://youtu.be/2c93mDy0HFU
Want MOAR?
Shoryuken wiki:
http://wiki.shoryuken.com/Super_Street_Fighter_2_Turbo
Shoryuken forum:
http://forums.shoryuken.com/categories/super-street-fighter-ii-turbo
The 48 killing arts of yoga:
http://www.youtube.com/watch?v=x4cgh6eRmCE
Questions?
Bibliography
http://www.slagcoin.com/joystick.html
http://www.youtube.com/watch?v=-zIhPV0F_B4
http://en.wikipedia.org/wiki/CP_System_II
http://cps2shock.emu-france.info/
http://forums.shoryuken.com/discussion/169077/hacking-the-st-rom/p1
http://www.mamecheat.co.uk/forums/viewtopic.php?p=13271#p13271