CIC-NUS: Difference between revisions
no edit summary
(Patched incorrect CIC pinout, and added unverified notice.) |
No edit summary |
||
Line 1:
The CIC-NUS (usually called "CIC") is a protection chip that is present on all N64 cartridges and implements the required security measures to allow the game to boot on an unmodified console.
Once the cartridge is inserted into the slot, the CIC is electrically connected to the [[PIF-NUS]], the peripheral and protection chip within the N64 itself, via two lines (roughly, clock and data), and communicates with it. The PIF is in charge of securing the boot sequence and is able to halt the CPU if the protection fails, preventing the game from booting. Since the PIF can be regarded as the "master" of the communication between the CIC and itself, the whole boot sequence is documented in the [[PIF-NUS]] page in the wiki. Please refer to it for more details about how the secure boot works.
==== CIC ====▼
'''Disclaimer: All of the CIC actions described below have been done successfully as part of a University project. Some of the details are missing whether it was to avoid encouraging piracy, simply not required for the core of the paper or lost in the language translation (authors live in Germany) is unknown.'''▼
The 64DD (which plugs to the bottom of the console) comes with its own CIC. The N64DD games on the magnetic disk support do not have a CIC themselves, so the secure boot is completed by the 64DD firmware, which then loads the games from the disk and boot it.
[[File:CIC decap pinslabeled.png|alt=CIC decap pins labeled|thumb|'''CIC decap pins labeled''']]▼
=== Variants ===
There are different models of CIC, which normally differentiates themselves for small details in the firmware and different "secret keys" used to secure the boot. As explained in the PIF-NUS page, each variant of the CIC comes in pair with a different boot software (called IPL3), which is part of the secure boot, and is embedded in the cartridge itself (in a special area of the ROM: offset 0x40 - 0x1000). A mismatch of IPL3 with CIC would be detected by the previous secure boot stage (IPL2) which is hardwired in the console itself because of a failed checksum.
The following table lists all known CIC variants, with some overview of the main differences between them.
{| class="wikitable"
|+CIC/
!Variant
!Used in
!
!Comment
|-▼
|6102 / 7101▼
|Most titles (~ 88% of commercial games)
|u32@0x08▼
|▼
* Identical IPL between NTSC (6102) and PAL (7101)▼
|-
|5101
Line 27 ⟶ 38:
|
* Identical to 6102 except that it hardcode entrypoint to 0x80000480 whatever the ROM header says.
▲|-
▲|6102 / 7101
▲|u32@0x08
▲|
▲* Identical IPL between NTSC (6102) and PAL (7101)
|-
|6103 / 7103
Line 41 ⟶ 46:
|-
|6105 / 7105
|Banjo-Tooie, Perfect Dark, Zelda OOT, Zelda MM, ...
|u32@0x08
|
* Identical IPL between NTSC (6105) and PAL (7105)
* More complex protection scheme which involves the RSP at boot, plus a special challenge/response security protocol that is invoked by the CPU during gameplay.
|-
|6106 / 7106
Line 52 ⟶ 57:
|
* Identical IPL between NTSC (6106) and PAL (7106)
*
* No junk byte at the end
*
|-
|5167
Line 61 ⟶ 66:
u32@0x101c if u16@0x16 == 0
|
* This is an "imaginary" CIC that does not exist in physical shape. It was used as part of the home-brew effort to convert 64DD games from the disk format to the cartridge format, to facilitate playing pirated versions on emulators and flashcarts.
|-
|8303
Line 78 ⟶ 84:
|
|}
[1] IPL3 is in charge for loading the game into RDRAM and jumping to its entrypoint. Normally, for instance in the case of the IPL3 code for the vastly popular CIC 6102, the entrypoint is stored in the ROM header at a fixed offset and is thus readily available. Some IPL3s somehow "mangle" the entrypoint, possibly in an effort to obfuscate it. This table reports where the entrypoint is.
=== UltraCIC ===
The name "UltraCIC" normally refers to a physical chip that can acts as a CIC clone. There have been a few projects sharing this name, based on several different MCUs. Normally, the project can be found on GitHub as open source, complete with the full source code. These clones are normally found in "reproduction cartridges" (aka physical cartridges that can be bough and programmed to eg. distribute physical copies of a homebrew game) to allow the cartridge to boot correctly on a real N64.
UltraCICs are normally "universal", that is, they can act as any CIC variant. To switch variant, it is necessary to either flash a modified firmware, or send a custom command typically through a different bus available to the MCU (eg: SIPO).
Programmable flashcarts such as Everdrive 64 or 64drive also features some sort of "UltraCIC" to allow games to boot. Sometimes the CIC emulation functionality is provided by the main FPGA, while in other cases it is a real separate chip.
These are a few links to explore:
* https://github.com/jago85/UltraCIC_C
* https://github.com/perkinsb1024/UltraCIC-II
* https://github.com/ManCloud/UltraCIC-III
▲[[File:CIC decap pinslabeled.png|alt=CIC decap pins labeled|thumb|'''CIC decap pins labeled''']]
{| class="wikitable"
|+CIC Pinout (16 Pin DIP Package)
Line 152 ⟶ 176:
|!RESET
|}
=== Hacking the CIC ===
▲
The main entry point is to use the "test mode", a feature of the SM5 core that is available on known CIC variants.
===== To Enable Test Mode(s) =====
| |||