David Haywood's Homepage
MAME work and other stuff
January 22, 2015 Haze Categories: General News. 12 Comments on Cup-tied

If you’ve been following recent news / various GIT commits then you might have noticed that we recently connected the dots between the encryption/compression schemes used on Naomi carts and those used on other Sega systems (ST-V, Model 2, Model 3 etc.).

In many cases these were used as a simple protection (especially on Model 2 / 3 and Radiant Silvergun on ST-V): the game just writes some values, reads them back and compares them against a string in the code, which is very easy to bypass. The reality, though, is that there is a chip performing rather complex decompression and decryption operations on the data written in order to get that result, and in some cases it was actually used properly!

It was discovered by ANY and others that many of these boards used a 315-5881 chip. We’d long suspected it could be the same scheme, but had never actually managed to make a firm connection. Software to extract data for analysis from a Naomi board already exists, and it turned out that by transplanting one of the chips from an ST-V cartridge onto a Naomi board we could use the existing extraction code and obtain a key, thus confirming the chips were exactly the same thing, just programmed with different keys.

The encryption implementation, as it turned out, was missing some important details, features that none of the Naomi games really used (multiple encrypted/compressed blocks in a stream with mid-stream headers, non-power of 2 sizes for compressed data etc.). Furthermore our encryption implementation was incomplete, so Andreas needed to further study the data and fill in some gaps. I poked around with the multiple block side of things a little, and eventually we’ve ended up with this:


[Two screenshots: Tecmo World Cup '98]

Previously both these graphics (the Tecmo logo and entire title screen) were displayed as garbage because they’re both compressed and encrypted. I do wonder if there aren’t still some flaws (the Tecmo logo looks rather rough) but it could be right (see next statement), and the title screen definitely looks fine. An interesting fact is that the game also checks a few values in the decompressed Tecmo logo, and if they don’t match the expected return values then the game breaks in various ways, for example the ball / player movement.

If you’re curious, the Tecmo logo is a single compressed stream with one block of compressed data. The title screen is a single stream with 4 blocks of compressed data (one for each quarter of the screen).

Performance still isn’t great here (it’s a high resolution ST-V game, and our video rendering code is slow).

Astra Super Stars also benefited from this. Previously we were handling the HUD layer by loading the HUD data from the Sega Saturn version as a fake ‘ROM’ file in the romset; with the decryption hooked up I was able to remove the fake ROM. The resultant data from the decryption process is identical so there’s no visible change, just the knowledge that we’re no longer depending on data that wasn’t on the PCB. Astra Superstars was a bit of an odd one really: for some reason the chip marked ‘315-5881 317-5040-COM’ was actually used by 3 games (the other 2 being ‘Shin Nihon Pro Wrestling Toukon Retsuden 4 Arcade Edition’ and ‘World Kicks’), meaning we already had a key from the previous work on Naomi.

Note, while this will help a number of ST-V games once we get the correct keys it WILL NOT help Decathlete because Decathlete uses an entirely different chip.

My next plan is to hook this up to Model 2 / Model 3 in MAME. It won’t really improve the MAME driver, but if we can extract / brute force an encryption key for Dirt Devils it should allow the SuperModel devs to fix the 2D layer (see here) if they decide to update the emulator again.

12 Comments


Will this enable VS2’99 to work? Last time I checked in MAME it didn’t boot and in Supermodel it hangs out when the first match is about to begin.

Thanks for the hard work!

vs299 is protected with this (and we have a key) however I don’t know if the protection is the source of the issues you mention.

I plan on hooking what I can to model 3 fairly soon.

Congrats. I was following Andreas’s posts over at the dev forum regarding this topic. A very impressive amount of effort went into this, and took brains far in excess of mine. Hopefully this helps further refinement of the Model 2 / 3 emulation. By far my favorite system(s).

Amazing work Haze.
It seems there are quite consistently similar problems across many Model 2/3 hardware games where layers and geometry appear screwed up to varying degrees but the game otherwise runs stably. Is this actually a bad decryption issue and if so, won’t your discovery help these too?
Did Sega use the same encryption strategy as far back as Model 1? Even WingWar has similar issues so at least superficially looks like it may be the same root cause.

no, the model 2/3 games don’t really make extensive use of it, usually just dumb checks, using a proper implementation feels good tho.

the issue with model 2 is a combination of CPU bugs, incomplete video emulation, bad interrupt handling, and problems with stalling CPUs when FIFOs are empty etc. (for Model 2 the games protected with this are Dynamite Cop, Zero Gunner and Pilot Kids) Dead or Alive is earlier and looks like something a bit different to me.

interestingly the way Pilot Kids fails is meant to be a sign of protection fail – but we return the same protection data ElSemi does, so it’s probably a CPU bug.

You should consider that ElSemi’s Model 2 emulator runs with basically the same protection hacks as MAME and runs most games perfectly. Model 3 has at least one game (Dirt Devils) with significant use of the chip, which is why Super Model can’t run that one properly.

Model 1 has nothing designed as protection as such, just internal maths programs which differ between games (so end up protecting the games simply through the hardware choice) I think some of the polygon fighting probably happens on real hardware there, it was early 3d, so anything was impressive.

2015 get some shine hope.

> Will this enable VS2’99 to work? Last time I checked in MAME it didn’t boot a

I just checked, and yes, it allows VS2 99 to work, without the protection emulation it hangs at kickoff, with it hooked up it allows you to kick off.

Haze, send that code to Bart, I want to play those last vs2 versions on supermodel 3, even a small svn update is enough for me.

Thanks for your priceless work, David. Football fans are very happy today.

Great work! Is the version of MAME with this fix for Tecmo World Cup 98 released? After years of waiting, I’ll be able to play this at home, my preferred game of STV along Steep Slope Sliders.

Keep up the good work!

0.158 with these fixes in will likely be released on Wednesday

However, you might want to wait until we’ve optimized the ST-V driver a bit, while the title screen etc. has been fixed the gameplay performance hasn’t really changed since the current release.

Thank you for the answer, Haze.

Looking forward to seeing this fully working, I love bizarre football games like this and Libero Grande.
