CIC-NUS: Difference between revisions

|!RESET
|}
 
=== Description of operation ===
This section tries to detail how a CIC works. The differences between CICs themselves are actually minimal and mostly related to data (region, security keys) rather than code (functionality).
 
The CIC is powered by a Sharp SM5 core, running a custom firmware that is burnt into the chip and cannot be modified. Most of the CIC firmwares have been dumped via a trick explained below in the section "Hacking the CIC", and the firmwares have been analyzed. This link https://github.com/jago85/UltraCIC_C/blob/master/cic_c.c contains a C implementation very faithful to the original firmware that can be regarded as a pseudo-code reference of the workings of the CIC. Everything described in this section can be cross-referenced against that C source code.
 
==== Physical connection with PIF ====
Each CIC is connected to the PIF via two lines: pin 14 (aka Data CLK) and pin 15 (aka Data I/O). In this simple serial protocol, the PIF acts as the master, and the CIC as the slave. Whenever the PIF firmware is ready to send or receive data, it will pulse the CLK line and then either drive the DATA line (in case the PIF is writing), or read the line status as driven by the CIC (in case of reading). The protocol makes it clear beforehand whether a write or a read should happen. Any time the CIC needs to either read data from the PIF or write data for it, it spins waiting for the edge on the CLK line.
 
==== Boot sequence ====
 
===== 1. ID =====
[[File:ID nibble.png|thumb|ID nibble with value 0101 (yellow = CLK, cyan = DATA)]]
The CIC writes 1 nibble (4 bits) to the PIF called "ID". The bits are as follows (in order of transmission, so what we call here "bit 0" would actually be "bit 3" in a reconstructed 4-bit register).
 
* Bit 0: "type". This is 0 for normal CICs, and 1 if the CIC is part of a 64DD unit.
* Bit 1: "region". This is 0 for NTSC CICs, and 1 for PAL CICs. This value is hardcoded in the firmware, which makes the CIC region-locked.
* Bit 2: always 0
* Bit 3: always 1
 
===== 2. Seeds =====
The CIC writes 6 nibbles which contain one of the boot secrets: the checksum seeds. These are 2 seeds of 1 byte each, called IPL2 seed and IPL3 seed (please refer to the [[PIF-NUS]] page for a description of how these seeds are then used by the PIF). In all known PIF variants, the two seeds happen to be exactly the same byte, even though the protocol would allow for them to differ. A table in the PIF-NUS page lists the seeds for all known CIC variants. In addition to these 2 bytes, a third byte is transmitted first, which is a fixed value (0xB5).
[[File:Seed.png|thumb|Scrambled seed (yellow = CLK, cyan = DATA)]]
For instance, the transmitted sequence for a CIC 6102 which uses 0x3F as seed is <code>B5 3F 3F</code>.
 
Before putting the data on the wire, the 3 bytes are scrambled via a very light obfuscation algorithm to avoid directly leaking the secrets on the wire. The algorithm is very simple: starting from the second byte, each byte is added to the previous (already scrambled) one, and the result is further incremented by 1; the first byte is not changed. All arithmetic is 8-bit, so carries are discarded.
 
For instance, the sequence <code>B5 3F 3F</code> is scrambled as follows:
 
* The second byte <code>3F</code> is added to the first byte <code>B5</code>, producing <code>F4</code>, which is further incremented becoming <code>F5</code>.
* The third byte <code>3F</code> is added to the scrambled second byte <code>F5</code>, producing <code>34</code> (the carry is dropped), which is further incremented becoming <code>35</code>.
 
The resulting scrambled sequence is then <code>B5 F5 35</code>, which is transmitted as 6 nibbles on the wire.
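The boot sequence above (ID nibble, then the scrambled seed bytes) as an added Python example; this is not code from the wiki or from UltraCIC_C. It assumes each byte is clocked out high nibble first, and also shows the inverse step the PIF applies to recover the seeds.

```python
# Added example: CIC-side encoding of the boot-sequence values, plus the
# PIF-side inverse. Assumption: bytes go on the wire high nibble first.

def scramble_seeds(ipl2_seed: int, ipl3_seed: int, prefix: int = 0xB5) -> list[int]:
    """Return the 3 scrambled bytes the CIC puts on the wire.

    Byte 0 (the fixed 0xB5 prefix) is sent unchanged; every following byte
    is added to the *already scrambled* previous byte and incremented by 1,
    modulo 256 (8-bit register arithmetic, carry discarded).
    """
    plain = [prefix, ipl2_seed, ipl3_seed]
    out = [plain[0] & 0xFF]
    for b in plain[1:]:
        out.append((b + out[-1] + 1) & 0xFF)
    return out

def descramble_seeds(wire: list[int]) -> list[int]:
    """PIF-side inverse: recover the plain bytes from the scrambled ones."""
    plain = [wire[0] & 0xFF]
    for prev, cur in zip(wire, wire[1:]):
        plain.append((cur - prev - 1) & 0xFF)
    return plain

def bytes_to_nibbles(data: list[int]) -> list[int]:
    """Split bytes into 4-bit units, high nibble first (assumed wire order)."""
    nibbles = []
    for b in data:
        nibbles += [(b >> 4) & 0xF, b & 0xF]
    return nibbles

def id_nibble(is_64dd: bool, is_pal: bool) -> int:
    """ID nibble as a 4-bit register value; the MSB is the first bit sent:
    type, region, constant 0, constant 1."""
    return (int(is_64dd) << 3) | (int(is_pal) << 2) | 0b01

def boot_stream(is_64dd: bool, is_pal: bool, seed: int) -> list[int]:
    """All 7 nibbles the CIC sends at boot: ID, then the 6 seed nibbles.
    Known CICs use the same byte for both seeds, so one value is passed."""
    return [id_nibble(is_64dd, is_pal)] + bytes_to_nibbles(scramble_seeds(seed, seed))

if __name__ == "__main__":
    wire = scramble_seeds(0x3F, 0x3F)                 # CIC 6102 example from the text
    print(" ".join(f"{b:02X}" for b in wire))         # B5 F5 35
    print([f"{b:02X}" for b in descramble_seeds(wire)])  # ['B5', '3F', '3F']
    print(boot_stream(is_64dd=False, is_pal=True, seed=0x3F))
```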
=== Hacking the CIC ===
This section describes a way that can be used to hack the CIC, that is, take control of it up to the point of dumping its internal ROM. The actions described below have been carried out successfully as part of a university project. Some of the details are missing; whether this was to avoid encouraging piracy, because they were simply not required for the core of the paper, or because they were lost in translation (the authors live in Germany) is unknown.