CIC-NUS: Difference between revisions

Line 5:
The 64DD (which plugs into the bottom of the console) comes with its own CIC. N64DD games on the magnetic disk medium do not have a CIC of their own, so the secure boot is completed by the 64DD firmware, which then loads the game from the disk and boots it.
 
=== Variants ===
There are different models of CIC, which normally differ from one another in small details of the firmware and in the different "secret keys" used to secure the boot. As explained in the PIF-NUS page, each variant of the CIC is paired with a different boot software (called IPL3), which is part of the secure boot and is embedded in the cartridge itself (in a special area of the ROM: offset 0x40 - 0x1000). A mismatch between IPL3 and CIC is detected, as a failed checksum, by the previous secure boot stage (IPL2), which is hardwired in the console itself.
 
Line 100:
 
 
 
=== Pinout ===
[[File:CIC decap pinslabeled.png|alt=CIC decap pins labeled|thumb|'''CIC decap pins labeled''']]
{| class="wikitable"
Line 177 ⟶ 178:
|}
 
=== Description of operation ===
This section tries to detail how a CIC works. The differences between CICs themselves are actually minimal and mostly related to data (region, security keys) rather than code (functionality).
 
The CIC is powered by a Sharp SM5 core, running a custom firmware that is burnt into the chip and cannot be modified. Most of the CIC firmwares have been dumped via a trick explained below in the section "Hacking the CIC", and the firmwares have been analyzed. This link https://github.com/jago85/UltraCIC_C/blob/master/cic_c.c contains a C implementation very faithful to the original firmware, which can be regarded as a pseudo-code reference for the workings of the CIC. Everything described in this section can be cross-referenced against that C source code.
 
==== '''Physical connection with PIF''' ====
Each CIC is connected to the PIF via two lines: pin 14 (aka Data CLK) and pin 15 (aka Data I/O). In this simple serial protocol, the PIF acts as the master and the CIC as the slave. Whenever the PIF firmware is ready to send or receive data, it pulses the CLK line and then either drives the DATA line (when the PIF is writing) or reads the line status as driven by the CIC (when the PIF is reading). The protocol makes it clear beforehand whether a write or a read should happen. Any time the CIC needs to either read data from the PIF or write data to it, it spins waiting for the edge on the CLK line.
 
==== Boot sequence ====
 
===== 1. ID =====
[[File:ID nibble.png|thumb|ID nibble with value 0101 (yellow = CLK, cyan = DATA)]]
The CIC writes 1 nibble (4 bits) to the PIF, called "ID". The bits are as follows (in order of transmission, so what we call here "bit 0" would actually be "bit 3" in a reconstructed 4-bit register).
Line 196 ⟶ 197:
* Bit 3: always 1
 
===== 2. Seeds =====
The CIC writes 6 nibbles which contain one of the boot secrets: the checksum seeds. These are two seeds of 1 byte each, called the IPL2 seed and the IPL3 seed (please refer to the [[PIF-NUS]] page for a description of how these seeds are then used by the PIF). In all known PIF variants, the two seeds happen to be exactly the same byte, even though the protocol would allow them to differ. A table in the PIF-NUS page lists the seeds for all known CIC variants. In addition to these 2 bytes, a third byte is transmitted first, which is a fixed value (0xB5).
[[File:Seed.png|thumb|Scrambled seed (yellow = CLK, cyan = DATA)]]
Line 210 ⟶ 211:
The resulting scrambled sequence is then <code>B5 F5 35</code>, which is transmitted as 6 nibbles on the wire.
 
===== 3. Random entropy =====
The CIC now waits for the Data CLK line to go low. While the pin stays high, the CIC keeps incrementing an internal memory location.
 
On the other side of the line, the PIF is now executing a part of the boot process in sync with the CPU, and at some point it also uses a hardware time-based random number generator (it waits for a capacitor to charge in an RC circuit connected to one of its pins). Once this is done, the PIF pulls the DCLK line low. The amount of time this takes is subject to some entropy (mostly because of the time-based RNG), so the CIC increments the memory location a number of times that changes across boots, which in turn produces something akin to a random number.
 
===== 4. Checksum =====
[[File:Checksum.png|thumb|A checksum transmitted to PIF (yellow: CLK, cyan: DATA)]]
The CIC writes 16 nibbles which contain the other boot secret: the IPL2 checksum. This is a 6-byte checksum that is used by the PIF to verify that the IPL3 found in the cartridge is the correct one for this CIC. The exact process (which also involves the CPU at its IPL2 stage) is detailed in the [[PIF-NUS]] page.
Line 225 ⟶ 226:
After the checksum has been transmitted, the boot sequence is finished, and the CIC enters its main operation loop.
 
==== Main loop ====
During the main loop, the CIC waits until the PIF transmits a 2-bit command. After a command is received, the CIC executes it, which might involve receiving additional bits from the PIF and/or transmitting bits to it. After a command is processed, the CIC starts waiting for the next command.
 
Line 232 ⟶ 233:
The following paragraphs detail the 4 different commands that can be sent by the PIF.
 
===== 1. Command "Compare" (bits: 00) =====
 
===== 2. Command "Die" (bits: 01) =====
When the CIC receives this command, it enters an infinite loop in which it does nothing, thus stopping any further communication with the PIF until powered off.
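As an added illustration (not code from this page and not the UltraCIC project's code), the following Python model walks both sides of the link described above: the PIF as clock master that pulses CLK and either drives or samples DATA, and the CIC as a slave that answers bit by bit through the four boot steps (the ID nibble, 0xB5 followed by the two seeds, the entropy counter bumped while DCLK stays high, the 16-nibble checksum block) and then the 2-bit command loop in which "Die" silences it for good. The seed scrambling step is left out (seeds go out as plain nibbles), the seed 0x3F, the checksum nibbles and the RC-timer delay are constructed values, and the reset opcode is modelled as 11 on the assumption that it is the remaining 2-bit value.

```python
"""PIF <-> CIC serial link, boot sequence and command loop, modelled as two
cooperating objects.  Added illustration for this page, not the CIC firmware
and not the UltraCIC C code.  Constructed: seed 0x3F, a placeholder
16-nibble checksum block, the PIF's RC-timer delay.  Seed scrambling is NOT
modelled (seeds go out as plain nibbles); RESET is assumed to be opcode 11."""

FIXED_PREFIX = 0xB5                                   # byte sent before the two seeds
CMD_COMPARE, CMD_DIE, CMD_CHALLENGE, CMD_RESET = 0b00, 0b01, 0b10, 0b11


class Cic:
    """Slave side.  run() is a generator: every yield is a request to the clock
    master (the PIF); the value sent back is what the CIC sees after the edge."""

    def __init__(self, id_nibble, seed, checksum_nibbles):
        assert id_nibble & 1, "ID: bit sent last (register bit 0) must be 1"
        assert len(checksum_nibbles) == 16, "checksum block is 16 nibbles"
        self.id_nibble, self.seed = id_nibble & 0xF, seed & 0xFF
        self.checksum_nibbles = list(checksum_nibbles)
        self.entropy = 0          # bumped while DCLK stays high (width not given on the page)
        self.commands = []        # commands accepted by the main loop
        self.halted = False

    def _write_nibble(self, n):
        for shift in (3, 2, 1, 0):                    # MSB first on the wire
            yield ("bit_out", (n >> shift) & 1)

    def run(self):
        yield from self._write_nibble(self.id_nibble)             # 1. ID
        for b in (FIXED_PREFIX, self.seed, self.seed):            # 2. seeds, 6 nibbles
            yield from self._write_nibble(b >> 4)
            yield from self._write_nibble(b & 0xF)
        while (yield ("poll_clk",)):                              # 3. entropy
            self.entropy += 1
        for n in self.checksum_nibbles:                           # 4. checksum, 16 nibbles
            yield from self._write_nibble(n)
        while True:                                               # main loop
            cmd = 0
            for _ in range(2):                                    # 2-bit command, MSB first
                cmd = (cmd << 1) | (yield ("bit_in",))
            if cmd == CMD_DIE:
                self.halted = True                                # silent until power off
                return
            self.commands.append(cmd)   # compare/challenge/reset bodies are outside this section


class Pif:
    """Master side: owns CLK, drives DATA on writes and samples it on reads."""

    def __init__(self, cic, rc_delay_ticks):
        self._gen = cic.run()
        self._rc_delay = rc_delay_ticks               # polls until the RC timer fires
        self._pending = next(self._gen)               # CIC's first request
        self.nibbles = []                             # everything received, wire order

    def _step(self, value=None):
        try:
            self._pending = self._gen.send(value)
        except StopIteration:
            self._pending = None                      # CIC no longer answers (died)

    def boot(self):
        """Drive steps 1-4; returns the 1 + 6 + 16 nibbles received."""
        bits, ticks = [], 0
        while self._pending is not None and self._pending[0] != "bit_in":
            if self._pending[0] == "bit_out":         # pulse CLK, sample DATA driven by CIC
                bits.append(self._pending[1])
                if len(bits) == 4:
                    self.nibbles.append(bits[0] << 3 | bits[1] << 2 | bits[2] << 1 | bits[3])
                    bits = []
                self._step()
            else:                                     # "poll_clk": DCLK high until timer fires
                ticks += 1
                self._step(ticks <= self._rc_delay)
        return self.nibbles

    def send_command(self, cmd):
        """Clock a 2-bit command in, MSB first.  Returns False once the CIC is dead."""
        for bit in ((cmd >> 1) & 1, cmd & 1):
            if self._pending is None or self._pending[0] != "bit_in":
                return False
            self._step(bit)
        return True


def decode_boot(nibbles):
    """Split the boot stream into (ID nibble, seed bytes, checksum nibbles)."""
    assert len(nibbles) == 1 + 6 + 16, "unexpected boot stream length"
    seeds = bytes(nibbles[i] << 4 | nibbles[i + 1] for i in range(1, 7, 2))
    return nibbles[0], seeds, nibbles[7:]


if __name__ == "__main__":
    cic = Cic(id_nibble=0b0101, seed=0x3F, checksum_nibbles=list(range(16)))
    pif = Pif(cic, rc_delay_ticks=37)
    ident, seeds, chk = decode_boot(pif.boot())
    print(f"ID={ident:04b} seeds={seeds.hex()} entropy={cic.entropy}")
    pif.send_command(CMD_COMPARE)
    pif.send_command(CMD_DIE)
    print("CIC answers after DIE:", pif.send_command(CMD_RESET))  # False
```

The generator protocol mirrors the real division of labour: the CIC never advances on its own, only when the PIF pulses CLK (one `send` per edge), and the entropy counter ends up equal to the number of polls the PIF answered with "still high", which is exactly why a variable RC delay on the PIF side turns into a boot-dependent number inside the CIC.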
 
===== 3. Command "Challenge" (bits: 10) =====
 
===== 4. Command "Reset" (bits: 10) =====
 
 