CIC-NUS

Revision as of 21:45, 29 March 2022 by Rasky

CIC

Disclaimer: All of the CIC actions described below have been done successfully as part of a university project. Some of the details are missing; whether this was to avoid encouraging piracy, because they were simply not required for the core of the paper, or because they were lost in translation (the authors live in Germany) is unknown.

[Image: CIC decap pins labeled]
CIC/IPL variants

| Variant | Used in | Real Entrypoint | Comment |
|---|---|---|---|
| 5101 | Aleck 64 titles | u32@0x08 - 0x100000 | |
| 6101 | Starfox 64 | 0x80000480 | Entrypoint is hard-coded to 0x80000480 whatever the ROM header says. |
| 7102 | Lylat Wars | 0x80000480 | Identical to 6102 except that it hard-codes the entrypoint to 0x80000480 whatever the ROM header says. |
| 6102 / 7101 | Most titles | u32@0x08 | Identical IPL between NTSC (6102) and PAL (7101) |
| 6103 / 7103 | Banjo-Kazooie, Diddy Kong Racing, ... | u32@0x08 - 0x100000 | Identical IPL between NTSC (6103) and PAL (7103) |
| 6105 / 7105 | Banjo-Tooie, Perfect Dark, ... | u32@0x08 | Identical IPL between NTSC (6105) and PAL (7105); more complex protection scheme which involves the RSP |
| 6106 / 7106 | F-Zero X, Yoshi's Story, ... | u32@0x08 - 0x200000 | Identical IPL between NTSC (6106) and PAL (7106); IPL3_part2 is ciphered; no junk byte at the end (should have been called 6104, but "4" is the "unlucky" number, so it was renamed to 6106) |
| 5167 | 64DD ROM conversion | u32@0x08 if u16@0x16 != 0; u32@0x101c if u16@0x16 == 0 | |
| 8303 | 64DD IPL Retail (J) | u32@0x08 | Longer game checksum (6 x u32) |
| 8401 | 64DD IPL Dev (J) | | |
| 8501 | ? 64DD IPL Retail (U) | | |
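The entrypoint rules in the table above, turned into a small header parser so the address IPL3 actually jumps to can be checked against a ROM image. This is an added example, not code from the page or from any of the projects it links; it assumes the ROM is in native big-endian (.z64) byte order, which the table does not state, and the ROM helper builds a constructed image with only the relevant fields filled.

```python
import struct

# Header offsets from the CIC/IPL variants table. Byte order is assumed to be
# big-endian (.z64); the table does not say which order it describes.
ENTRY_OFF = 0x08
DD_FLAG_OFF = 0x16          # u16 tested by the 5167 IPL
DD_ALT_ENTRY_OFF = 0x101C   # alternate entrypoint used by 5167 when the flag is 0


def u32(rom, off):
    return struct.unpack_from(">I", rom, off)[0]


def u16(rom, off):
    return struct.unpack_from(">H", rom, off)[0]


def real_entrypoint(rom, cic):
    """Return the address the given IPL3 variant jumps to for this ROM image.

    `cic` is the variant name as a string, e.g. "6102" or "7103".
    Variants whose entrypoint the table leaves blank raise ValueError.
    """
    header_entry = u32(rom, ENTRY_OFF)
    if cic in ("6101", "7102"):
        # Hard-coded regardless of what the ROM header says.
        return 0x80000480
    if cic in ("6102", "7101", "6105", "7105", "8303"):
        return header_entry
    if cic in ("5101", "6103", "7103"):
        return (header_entry - 0x100000) & 0xFFFFFFFF
    if cic in ("6106", "7106"):
        return (header_entry - 0x200000) & 0xFFFFFFFF
    if cic == "5167":
        # 64DD conversion: header entrypoint only when u16@0x16 is nonzero.
        if u16(rom, DD_FLAG_OFF) != 0:
            return header_entry
        return u32(rom, DD_ALT_ENTRY_OFF)
    raise ValueError(f"no entrypoint rule for CIC {cic}")


def make_rom(header_entry, dd_flag=0, dd_alt_entry=0):
    """Constructed sample ROM image: only the fields read above are populated."""
    rom = bytearray(0x1020)
    struct.pack_into(">I", rom, ENTRY_OFF, header_entry)
    struct.pack_into(">H", rom, DD_FLAG_OFF, dd_flag)
    struct.pack_into(">I", rom, DD_ALT_ENTRY_OFF, dd_alt_entry)
    return bytes(rom)
```

A mismatch between the header value and the address a 6103 or 6106 boot actually lands at is a common cause of a black screen when moving a homebrew binary between IPL3 variants, which is what this check catches.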
CIC Pinout (16 Pin DIP Package)

| N64 Function | SM5 Function | Pin | Pin | SM5 Function | N64 Function |
|---|---|---|---|---|---|
| VDD | VDD | 1 | 16 | VDD | VDD |
| | P5:0 | 2 | 15 | P2:0 | D_OUT |
| | P5:1 | 3 | 14 | P2:1 | D_IN |
| | P5:2 | 4 | 13 | P2:2 | GND |
| | P5:3 | 5 | 12 | P2:3 | |
| GND | TS:0 | 6 | 11 | CLK | CLK |
| GND | TS:1 | 7 | 10 | TIO | |
| GND | GND | 8 | 9 | Reset | !RESET |

The test modes of the CIC are available on most (all?) retail cartridges.

To Enable Test Mode(s)

Pulling TS:0 and/or TS:1 high before power-on places the SM5 controller in one of three test modes (which pin states select which test mode is unknown). It is also unclear whether you can switch between test modes while the unit is powered on.

The fourth state is standard usage with TS:0 and TS:1 tied to ground.

It's unknown how slowly you can clock the CIC.

In Test Mode

Which test mode provides it is still unclear, but the following functionality is available.

Arbitrary Code Execution

Instructions are entered one nibble at a time on the Port 5 pins. Most instructions are one byte long, so each is entered as two nibbles, toggling the clock line after each nibble.

Halt Instruction

The Halt instruction is encoded as 0x77, which is convenient because both nibbles are the same, so it doesn't matter which nibble you send first. It also has the benefit of causing a clearly visible external change: the TIO line defaults to outputting the clock signal, but after the Halt instruction executes it stops doing so.

Stop Instruction

The Stop instruction is encoded as 0x76. Because its two nibbles differ, it can be used to determine whether the high or low nibble must be input first. Like Halt, it stops the TIO clock upon execution, so there is a clear external indication of success.

Output Data

Port 2 of the CIC can be used to output either the AREG register or the Program Counter (PC). It is unclear at this time whether the choice is made by selecting a different test mode or by modifying internal configuration registers.

NOTE: On power-up Port 2 is configured as an input; an internal configuration register must be modified to make it an output.

Load Constant into Accumulator LDX

The LDX instruction can be used to load the AREG with a known value, which can then be checked on Port 2.

Dumping the CIC code

This process is quite confusing, so it may take some experimentation to work out the exact steps and details. The original document tries to explain it, but it feels like some details are missing.

Jump instructions are 2 bytes long: the first nibble is the opcode and the following 12 bits are the destination address.

Being in test mode seems to have a side effect on this instruction. If only the Jump opcode nibble followed by a zero nibble is input, the second byte is loaded from the ROM; that byte is an instruction, but it is treated as data (the address). The Jump is then executed and the PC can be viewed on Port 2, as well

PIF

[Image: PIF decapped with pins numbered]

The PIF handles many of the console's core functions. While the PIF chip is clearly a custom part, it appears to be heavily based on the SM5K (4/5/6) series; the instruction set and features match closely.

PIF Pinout (28 Pin SOP Package)

| N64 Function | SM5 Function | Pin | Pin | SM5 Function | N64 Function | Direction |
|---|---|---|---|---|---|---|
| PIF Clock | | 1 | 28 | VDD | VDD | Power |
| RC Cold | | 2 | 27 | | Reset Button | Input |
| CIC D Out | | 3 | 26 | | N/C (No Connect) | |
| RC Rand | | 4 | 25 | | INT 2 VR4300 CPU | Output |
| CIC D In | | 5 | 24 | | EEPROM Data | I/O |
| /Cold | | 6 | 23 | | EEPROM Data | I/O |
| NMI VR4300 CPU | | 7 | 22 | | Player 4 Controller | I/O |
| Power Good | | 8 | 21 | | Player 4 Enable | Output |
| PIF CLK Input from RSP | | 9 | 20 | | Player 3 Controller | I/O |
| Input Test 0 ?? | | 10 | 19 | | Player 3 Enable | Output |
| PIF ADR from RSP | | 11 | 18 | | Player 2 Controller | I/O |
| Input Test 1 ?? | | 12 | 17 | | Player 2 Enable | Output |
| PIF DATA from RSP | | 13 | 16 | | Player 1 Controller | I/O |
| Power GND | GND | 14 | 15 | | Player 1 Enable | Output |

References

  • https://sites.google.com/site/consoleprotocols/home/techinfo/lowlevel/pif12
  • https://code.google.com/archive/p/mupen64plus/wikis/SoftResetNotes.wiki
  • https://github.com/jago85/UltraCIC_C/blob/master/cic_c.c
  • https://github.com/hcs64/pif_rom_dumper