Potential D411 SNES CIC lock-out chip crack

jargon
Posted on 09-24-09 11:25 AM


Potential D411 SNES CIC lock-out chip crack:
http://retromachineshop.com/dl/consoledev/

Only reason I am taking the time to crack this is: I was promised lots of free SNES carts.

First off, "./readme.txt":

'"d411crack" freeBASIC SNES CIC lock-out chip rom decoding test program 0x003
'Created September 23rd-24th 2009 by Timothy Robert Keal alias jargon
'Released under the Gnu Public License 2.0
'
'http://retromachineshop.com/
'irc://chat.freenode.net/puzzlum
'
'Please review the Gnu Public License, Thank you.
'The GPL can be located online at http://www.gnu.org/copyleft/gpl.html

File Info:
D411_ROM.txt
This file is a dump of the D411 SNES CIC lock-out chip ROM.
d411crack.exe
This file converts the dump between CIC key/lock.
d411crack.nas
This file is the freeBASIC plain/text source code for "d411crack.exe".
license.txt
This file contains the Gnu Public License 2.0 information.
url.txt
This file contains the URL to the online location where the dump was
obtained.
D411_ROM.raw.txt
This file contains the dump with whitespace and linebreaks omitted.
D411_ROM.raw.txt.txt
This file is the result of passing d411_ROM.raw.txt to d411crack.exe.
D411_ROM.raw.txt.txt.txt
This file is the result of passing d411_ROM.raw.txt.txt to
d411crack.exe. Notice it is identical to the original dump data.
readme.txt
The file containing the documentation you are currently reading.

How to Use:
Drag and drop the plain-text file of the ascii "1"s and "0"s per-bit dump of
the ROM from the "D411" SNES CIC lock-out chip onto the Windows icon of
d411crack.exe. It will then create a new file with the same filename as
the drag-dropped file, except with ".txt" appended to the end of the filename.
If the file to be created already exists, the program will erase and then
overwrite it.

How to compile:
1. Download freeBASIC from: http://sourceforge.net/projects/fbc/
2. Install freeBASIC.
3. Double click d411crack.bas in Windows.
4. In the freeBASIC menu system:
Change the "View" -> "Settings" -> "FreeBASIC" -> "Compiler Command" to:
"<$fbc>" "<$file>" -s gui -mt
5. In the freeBASIC menu system:
Use "Run" -> "Compile"
6. It should now be compiled.

Source Code Documentation:
main program
The main program simply converts the provided ROM.
1. Program loads the ROM from command line input as a massive string variable
of only the "0" and "1" ascii characters.
2. Program converts the characters into a 32bit integer array.
3. Program cycles thru the number of bits in the list and instead returns the
bit at the bswap12-resulting bit address.
4. Program overwrites the result to the input's filename with ".txt" appended
to the filename.
function bswap(value as byte) as byte
This function is a bitwise bswap.
1. Takes a byte as input and returns the value with the order of bits
flipped.
function bswap12(value as integer) as integer
This function is an addressing bswap.
1. This function takes a signed 32bit integer as input.
2. It then cycles thru each of the lesser significant 12 bits of the input.
3. The least significant power bit cycled is 0 while the power of the
greatest significant bit cycled is 11.
4. Each 4bit value of the power in the cycle is adjusted from a 0 to 11
range to a 0 to 15 range.
5. The result value is then 4bit bswapped.
6. The result value is then converted back from a 0 to 15 range to a
0 to 11 range.
7. The result value is then subtracted from 11.
8. The former result is then the value of what power to move the current
power in the loop to.
9. After cycling thru all 12 bits, the result is returned as a signed
32bit integer.
function bswap4(value as byte) as byte
This function works similarly to bswap12 but takes a byte and returns
a byte, and additionally is for 4 bits of input and output.
function bswap8(value as byte) as byte
This function works similarly to bswap12 but takes a byte and returns
a byte, and additionally is for 8 bits of input and output.


Next, "D411_ROM.txt":

1111101111110011000110110011101100010111010110110001010111101110
0000011010110011110101101011101111101100110001001001000010111111

1010100111111100001010010010010100001010010011100010101011111111
1001111000111010000011101100111010001110110011100000101110101110

0010101000111111101010111111101110001011010011101000101110011111
0111111111111011111111110111111100111111100101100111101100111111

1001111001101110110011110110111111001110110111100000011011101111
0101111011111101011111100101110000011110001111100001110010001111

1010011101100101001101111000011010011101100101110000010011100111
1111111011001110111111111100111111001111110011111000111011001110

1111101111111110100110111001111110111010101011101000101011111111
0100111111101101001011100011110001101111110111110000110011101111

0101111111011110000011111011111101111111111011110000111011111111
0011101110111011000110110111111101101011110011110001101111111111

1110111111111111100011111110111110101111100011011000110111111111
0111111101101011001011100011110100111010100110000000100001111111

0000111111111001101001101010101010000100010001011010000000010111
0011111111110111111110110111101101100111111001110010001101101111

1100111111101111111001111111111111111111011001110101011111111111
0010111101011110101111111001111110011110000001111000111011011111

1110110011101111101111011110110010111101101111111010110011111111
1100111011111110111111111111111111111111111111101100111111101111

1100111111111111111111111011111101111111101011111001111111111111
0011111111101110001111111110111000101011100010100010111010101111

0110110111110111110011001101110111001110010111110100010011111111
0100111101111101000011111011110100000111111011110000010101110111

1110111110111111101011101111111011101110111111111010111011111111
0101111101101111001111110010111101111111000111111010111101111111

0101000111001011010110110110011101011011001100111100011101011111
1111111111011111110011111100011111010111110101111100011101011111

1010111111111111100011111000111110001111110011111001111101100111
1010111111111111111110111011100110011101110011011011100110111110

1101100110111111100111111111111101011101011100010001011111101110
1011001011010111011101101111011100010000000000001111111011111111

1110110110011011110101011111011011110111101001011001000011111110
1011101001000101001011111011111110111111101110100000000010111110

0010011111110011111001101101000011000000100001000110101011111011
0111011110111101100101101111111111001010010000101011010111011111

1111111011101001011011111110001101101010111100100110010101101111
1110000111100000111111011111000010110000101000001111111011111110

1111111110001011100011111011110101101110001011100100100111101101
0010011111110001101101101011011010100110101001101111100011111111

1111011110111000101111111111101111101011111011101011000011111011
0000001111011110111110111111111111010011110000110111111001111111

1101011111101111110001111101010001010001011000011100111011111110
0011101110010100101110111111111111111111001110111001000001111111

1110010111001010111111001100011111110110111001001101100111111111
0011001011011101110101101111111011100110001000101001010010111111

1000111001000110111010110111101111111001101010000100001011111111
1011100011111011010111100000001100101100001010000001001111100111

0001101011000000101110101001011100111010010100101010010111111111
0111100011101111011010111110101101111001011010010111111011101111

0111111001110011111110011111100101111000110110000111010101111111
1101111111111101110110101101001011010010110000101101010011111111

0001011110011100011110111111001100000011010000111101110010111111
1010001011011101110011111111101111100110111000001000101110111111

0110111101011011010011001111111010101100001111001100101011111111
1101111101111010011111011011100111111001110110010011110011111111

1110110110110010110000111001001010100000101100011000011010110110
0011111010110001111110111011111010111010011110101111010110111111

0111110101111000100001110101101110000011100001110110001001111001
1111111111111010110111100111010001110100010101000101001111011111

1100100011011111111111101111111110011110100111001111101001110111
1110101111101011110011111101100111011001100010011101110111111110


Now, disclaimer:

This is 100% untested. This is just an intuitive wild guess that I pulled out of my ass. This is the only surefire way to encrypt data without using seeds. (There doesn't seem to be any seeds in the D411 CIC chip.)

This "d411crack.exe" simply only does the raw ROM directly and back.

I have no idea what the bit alignment is (I used zero bit offset per every bit), or what the "addressing bswap" bit-depth is (I used 12bit to fit the entire ROM at once). And I have no idea what direction each bank counts the clock cycles, or whether each clock is 128bit for a full bank or not. (I assume there are thirty-two 128bit clocks, with the ROM giving starting values in each bank.)

I have no idea if the addressing values are cycled by a clock, nor if the addressing values are mutated further somehow. Nor do I have any clue at all how multiple bits per input/output are used. ...I am flying by the seat of my ass, and not a damn person seems to be willing to help me learn how to mod a Super Nintendo in order to sample the D411 SNES CIC lock-out chip input/output/clock traffic myself.

The floor is now open for discussion.


____________________
NIHYFDTTMWTMR
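The readme above describes bswap12 as an "addressing bswap" in eight steps and states that a dump passed through d411crack.exe twice comes back identical. The Python below is an added example, not jargon's program: it models those steps (assuming, as the FreeBASIC source does, that "/" is floating-point division and that assigning the result to a byte rounds to nearest, which Python's round() reproduces), expands the per-bit map into the full 12-bit address table, and checks whether that table is a permutation and whether shuffling a constructed 4096-bit sample twice restores it. The sample ROM and the plain 12-bit reversal used for comparison are constructed here and are not D411 data.

```python
"""Model of the d411crack readme's "addressing bswap" (bswap12): added example,
not the project's code.  Rounding semantics are an assumption (see lead-in)."""


def rev8(value):
    """Reverse the 8 bits of a byte (the readme's bitwise bswap): bit 0 <-> bit 7, ..."""
    return int(f"{value & 0xFF:08b}"[::-1], 2)


def bswap12_bit_map():
    """Destination bit for each source bit 0..11, following the readme's steps:
    scale 0..11 to 0..15, 4-bit reverse via bswap, scale back to 0..11, then
    subtract from 11.  Assumption: FreeBASIC "/" is floating-point and the
    assignment to a byte rounds to nearest, which round() reproduces here."""
    dest = []
    for o in range(12):
        scaled = round(o * 15 / 11)              # 0..11 -> 0..15
        rev4 = (rev8(scaled) >> 4) & 0xF         # 4-bit bit-reversal through bswap
        dest.append(round(11 - rev4 * 11 / 15))  # 0..15 -> 0..11, then 11 - x
    return dest


def address_table(bit_map):
    """Expand a per-bit map into the full addr -> addr' table for 12-bit addresses."""
    table = []
    for addr in range(1 << 12):
        out = 0
        for src, dst in enumerate(bit_map):
            if (addr >> src) & 1:
                out |= 1 << dst
        table.append(out)
    return table


def is_permutation(table):
    """True when every address is produced exactly once, i.e. the shuffle is invertible."""
    return sorted(table) == list(range(len(table)))


def shuffle_rom(bits, table):
    """ret[o] = dat[table[o]], the loop the 0x003 converter uses to rewrite the dump."""
    return [bits[table[o]] for o in range(len(table))]


def round_trips(bits, table):
    """Does applying the shuffle twice reproduce the input, as the readme claims?"""
    return shuffle_rom(shuffle_rom(bits, table), table) == bits


# Constructed 4096-bit stand-in for a ROM dump (not the D411 data).
SAMPLE_ROM = [(i >> 3) & 1 for i in range(4096)]

# A plain 12-bit bit reversal for comparison: bit i -> bit 11-i, which is an involution.
REVERSE12 = list(range(11, -1, -1))

if __name__ == "__main__":
    t = address_table(bswap12_bit_map())
    print("bswap12 bit map:", bswap12_bit_map())
    print("distinct targets:", len(set(t)), "permutation:", is_permutation(t))
    print("readme shuffle round-trips:", round_trips(SAMPLE_ROM, t))
    r = address_table(REVERSE12)
    print("plain reversal permutation:", is_permutation(r),
          "round-trips:", round_trips(SAMPLE_ROM, r))
```

Under the stated rounding assumption, source bits 3 and 6 both land on target bit 10 and source bits 5 and 8 both land on target bit 1, while target bits 3 and 8 are never produced, so only 1024 of the 4096 addresses are reachable. A shuffle built from that map is lossy and cannot round-trip; the plain reversal does. Whatever the chip really does, a useful first check on any proposed address shuffle is exactly this one: confirm it is a bijection before reading anything into the output.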

jargon
Posted on 09-26-09 09:01 AM (rev. 2 of 09-26-09 09:06 AM)


Download at:
http://retromachineshop.com/dl/consoledev/d411crack-fbc004.200909252248.LZMA.7z

"readme.txt":
'"d411crack" freeBASIC SNES CIC lock-out chip rom decoding test program 0x004
'Created September 23rd-25th 2009 by Timothy Robert Keal alias jargon
'Released under the Gnu Public License 2.0
'
'http://retromachineshop.com/
'irc://chat.freenode.net/puzzlum
'
'Please review the Gnu Public License, Thank you.
'The GPL can be located online at http://www.gnu.org/copyleft/gpl.html

File Info:
D411_ROM.txt
This file is a dump of the D411 SNES CIC lock-out chip ROM.
d411crack.exe
This file converts the dump between CIC key/lock.
d411crack.nas
This file is the freeBASIC plain/text source code for "d411crack.exe".
license.txt
This file contains the Gnu Public License 2.0 information.
url.txt
This file contains the URL to the online location where the dump was
obtained.
D411_ROM.raw.txt
This file contains the dump with whitespace and linebreaks omitted.
D411_ROM.raw.dump.txt
This file is the dumped result of passing the d411_ROM.raw.txt 4096bit
ROM's initial starting data to d411crack.exe.
readme.txt
The file containing the documentation you are currently reading.

How to Use:
Drag and drop the plain-text file of the ascii "1"s and "0"s per-bit dump of
the ROM from the "D411" SNES CIC lock-out chip onto the Windows icon of
d411crack.exe. It will then create a new file with the same filename as
the drag-dropped file, except with ".txt" appended to the end of the filename.
If the file to be created already exists, the program will erase and then
overwrite it.

How to compile:
1. Download freeBASIC from: http://sourceforge.net/projects/fbc/
2. Install freeBASIC.
3. Double click d411crack.bas in Windows.
4. In the freeBASIC menu system:
Change the "View" -> "Settings" -> "FreeBASIC" -> "Compiler Command" to:
"<$fbc>" "<$file>" -s gui -mt
5. In the freeBASIC menu system:
Use "Run" -> "Compile"
6. It should now be compiled.

Source Code Documentation:
main program
The main program simply converts the provided ROM.
1. Program loads the WROM from command line input as a massive string variable
of only the "0" and "1" ascii characters.
2. Program converts the characters into a 32bit integer array.
3. Main loop begins.
4. If "Esc" key is hit, program exits.
5. Program cycles thru the number of bits in WROM in 4 overlapping clock
alignment skews.
6. Program renders WROM bits to display.
7. Program echoes the current "Addressing BSWAP" bit in WROM from looped
addresses of all bits in WROM, along with the hexadecimal index of the current
bit in the dump file.
8. Program writes ascii char either "0" or "1" to a file having the filename of
the command line argument filename with ".dump.txt" appended to the
filename.
9. Program "Addressing BSWAP" shuffles the bits in WROM.
10. The loop repeats.
function bswap(value as byte) as byte
This function is a bitwise bswap.
1. Takes a byte as input and returns the value with the order of bits
flipped.
function bswap12(value as integer) as integer
This function is an addressing bswap.
1. This function takes a signed 32bit integer as input.
2. It then cycles thru each of the lesser significant 12 bits of the input.
3. The least significant power bit cycled is 0 while the power of the
greatest significant bit cycled is 11.
4. Each 4bit value of the power in the cycle is adjusted from a 0 to 11
range to a 0 to 15 range.
5. The result value is then 4bit bswapped.
6. The result value is then converted back from a 0 to 15 range to a
0 to 11 range.
7. The result value is then subtracted from 11.
8. The former result is then the value of what power to move the current
power in the loop to.
9. After cycling thru all 12 bits, the result is returned as a signed
32bit integer.
function bswap4(value as byte) as byte
This function works similarly to bswap12 but takes a byte and returns
a byte, and additionally is for 4 bits of input and output.
function bswap8(value as byte) as byte
This function works similarly to bswap12 but takes a byte and returns
a byte, and additionally is for 8 bits of input and output.
sub drawrom(px as integer,py as integer,cols as integer,rows as integer)
This subroutine renders the current WROM contents to the screen. "px" and
"py" are the signed 32bit integer column and row for the upper left of the
render. "cols" and "rows" are the signed 32bit integer of the span
horizontally and vertically of the render.
sub clockstep(first as integer,last as integer,m as integer,c as integer)
This function cycles clock ticks in WROM. "first" and "last" are the signed
32bit integer indices of the first and last bit in WROM to cycle the signed
32bit integer "c" carry values thru; the signed 32bit integer "m" multiples
argument tells the span between bits in the clock. The "first" and "last"
can be either the same bit, or from lower address bit to higher address bit, or
from higher address bit to lower address bit.
sub bankswap(first as integer,last as integer,flag as integer)
This function cycles bits in WROM to be reassigned to and from a pseudo
WROM table. The "first" and "last" can be either the same bit, or from lower
address bit to higher address bit, or from higher address bit to lower
address bit.
Disclaimer:
This is 100% unverified. This is just an intuitive wild guess that I pulled
out of my ass. This is the only surefire way to encrypt data without using
seeds. (There doesn't seem to be any seeds in the D411 CIC chip.) I have no
idea what the bit alignment is (I used zero bit offset per every bit), or what
the "addressing bswap" bit-depth is (I used 12bit to fit the entire ROM at
once). And I have no idea what direction each bank counts the clock cycles,
or whether each clock is 128bit for a full bank or not. (I assume there are
16x64 16bit clocks in all 4 alignment/endian combinations, with the WROM
giving starting values in each bank.) I have no idea if the addressing
values are cycled by a clock, nor if the addressing values are mutated
further somehow. (I had it count every tick cycle through 1bit thru 1 thru
4096 bits, with the current offset dumped from WROM being the "Addressing BSWAP"
of that offset.) Nor do I have any clue at all how multiple bits per
input/output are used. (I used a straight 1bit stream.) ...I am flying by
the seat of my ass, and not a damn person seems to be willing to help me
learn how to mod a Super Nintendo in order to sample the D411 SNES CIC
lock-out chip input/output/clock traffic myself. (Update: icekiller helped
me immensely in order to set up my own D411 dumping rig.)


"D411_ROM.txt" (D411 WROM dump):
1111 1011 1111 0011 0001 1011 0011 1011 0001 0111 0101 1011 0001 0101 1110 1110
0000 0110 1011 0011 1101 0110 1011 1011 1110 1100 1100 0100 1001 0000 1011 1111

1010 1001 1111 1100 0010 1001 0010 0101 0000 1010 0100 1110 0010 1010 1111 1111
1001 1110 0011 1010 0000 1110 1100 1110 1000 1110 1100 1110 0000 1011 1010 1110

0010 1010 0011 1111 1010 1011 1111 1011 1000 1011 0100 1110 1000 1011 1001 1111
0111 1111 1111 1011 1111 1111 0111 1111 0011 1111 1001 0110 0111 1011 0011 1111

1001 1110 0110 1110 1100 1111 0110 1111 1100 1110 1101 1110 0000 0110 1110 1111
0101 1110 1111 1101 0111 1110 0101 1100 0001 1110 0011 1110 0001 1100 1000 1111

1010 0111 0110 0101 0011 0111 1000 0110 1001 1101 1001 0111 0000 0100 1110 0111
1111 1110 1100 1110 1111 1111 1100 1111 1100 1111 1100 1111 1000 1110 1100 1110

1111 1011 1111 1110 1001 1011 1001 1111 1011 1010 1010 1110 1000 1010 1111 1111
0100 1111 1110 1101 0010 1110 0011 1100 0110 1111 1101 1111 0000 1100 1110 1111

0101 1111 1101 1110 0000 1111 1011 1111 0111 1111 1110 1111 0000 1110 1111 1111
0011 1011 1011 1011 0001 1011 0111 1111 0110 1011 1100 1111 0001 1011 1111 1111

1110 1111 1111 1111 1000 1111 1110 1111 1010 1111 1000 1101 1000 1101 1111 1111
0111 1111 0110 1011 0010 1110 0011 1101 0011 1010 1001 1000 0000 1000 0111 1111

0000 1111 1111 1001 1010 0110 1010 1010 1000 0100 0100 0101 1010 0000 0001 0111
0011 1111 1111 0111 1111 1011 0111 1011 0110 0111 1110 0111 0010 0011 0110 1111

1100 1111 1110 1111 1110 0111 1111 1111 1111 1111 0110 0111 0101 0111 1111 1111
0010 1111 0101 1110 1011 1111 1001 1111 1001 1110 0000 0111 1000 1110 1101 1111

1110 1100 1110 1111 1011 1101 1110 1100 1011 1101 1011 1111 1010 1100 1111 1111
1100 1110 1111 1110 1111 1111 1111 1111 1111 1111 1111 1110 1100 1111 1110 1111

1100 1111 1111 1111 1111 1111 1011 1111 0111 1111 1010 1111 1001 1111 1111 1111
0011 1111 1110 1110 0011 1111 1110 1110 0010 1011 1000 1010 0010 1110 1010 1111

0110 1101 1111 0111 1100 1100 1101 1101 1100 1110 0101 1111 0100 0100 1111 1111
0100 1111 0111 1101 0000 1111 1011 1101 0000 0111 1110 1111 0000 0101 0111 0111

1110 1111 1011 1111 1010 1110 1111 1110 1110 1110 1111 1111 1010 1110 1111 1111
0101 1111 0110 1111 0011 1111 0010 1111 0111 1111 0001 1111 1010 1111 0111 1111

0101 0001 1100 1011 0101 1011 0110 0111 0101 1011 0011 0011 1100 0111 0101 1111
1111 1111 1101 1111 1100 1111 1100 0111 1101 0111 1101 0111 1100 0111 0101 1111

1010 1111 1111 1111 1000 1111 1000 1111 1000 1111 1100 1111 1001 1111 0110 0111
1010 1111 1111 1111 1111 1011 1011 1001 1001 1101 1100 1101 1011 1001 1011 1110

1101 1001 1011 1111 1001 1111 1111 1111 0101 1101 0111 0001 0001 0111 1110 1110
1011 0010 1101 0111 0111 0110 1111 0111 0001 0000 0000 0000 1111 1110 1111 1111

1110 1101 1001 1011 1101 0101 1111 0110 1111 0111 1010 0101 1001 0000 1111 1110
1011 1010 0100 0101 0010 1111 1011 1111 1011 1111 1011 1010 0000 0000 1011 1110

0010 0111 1111 0011 1110 0110 1101 0000 1100 0000 1000 0100 0110 1010 1111 1011
0111 0111 1011 1101 1001 0110 1111 1111 1100 1010 0100 0010 1011 0101 1101 1111

1111 1110 1110 1001 0110 1111 1110 0011 0110 1010 1111 0010 0110 0101 0110 1111
1110 0001 1110 0000 1111 1101 1111 0000 1011 0000 1010 0000 1111 1110 1111 1110

1111 1111 1000 1011 1000 1111 1011 1101 0110 1110 0010 1110 0100 1001 1110 1101
0010 0111 1111 0001 1011 0110 1011 0110 1010 0110 1010 0110 1111 1000 1111 1111

1111 0111 1011 1000 1011 1111 1111 1011 1110 1011 1110 1110 1011 0000 1111 1011
0000 0011 1101 1110 1111 1011 1111 1111 1101 0011 1100 0011 0111 1110 0111 1111

1101 0111 1110 1111 1100 0111 1101 0100 0101 0001 0110 0001 1100 1110 1111 1110
0011 1011 1001 0100 1011 1011 1111 1111 1111 1111 0011 1011 1001 0000 0111 1111

1110 0101 1100 1010 1111 1100 1100 0111 1111 0110 1110 0100 1101 1001 1111 1111
0011 0010 1101 1101 1101 0110 1111 1110 1110 0110 0010 0010 1001 0100 1011 1111

1000 1110 0100 0110 1110 1011 0111 1011 1111 1001 1010 1000 0100 0010 1111 1111
1011 1000 1111 1011 0101 1110 0000 0011 0010 1100 0010 1000 0001 0011 1110 0111

0001 1010 1100 0000 1011 1010 1001 0111 0011 1010 0101 0010 1010 0101 1111 1111
0111 1000 1110 1111 0110 1011 1110 1011 0111 1001 0110 1001 0111 1110 1110 1111

0111 1110 0111 0011 1111 1001 1111 1001 0111 1000 1101 1000 0111 0101 0111 1111
1101 1111 1111 1101 1101 1010 1101 0010 1101 0010 1100 0010 1101 0100 1111 1111

0001 0111 1001 1100 0111 1011 1111 0011 0000 0011 0100 0011 1101 1100 1011 1111
1010 0010 1101 1101 1100 1111 1111 1011 1110 0110 1110 0000 1000 1011 1011 1111

0110 1111 0101 1011 0100 1100 1111 1110 1010 1100 0011 1100 1100 1010 1111 1111
1101 1111 0111 1010 0111 1101 1011 1001 1111 1001 1101 1001 0011 1100 1111 1111

1110 1101 1011 0010 1100 0011 1001 0010 1010 0000 1011 0001 1000 0110 1011 0110
0011 1110 1011 0001 1111 1011 1011 1110 1011 1010 0111 1010 1111 0101 1011 1111

0111 1101 0111 1000 1000 0111 0101 1011 1000 0011 1000 0111 0110 0010 0111 1001
1111 1111 1111 1010 1101 1110 0111 0100 0111 0100 0101 0100 0101 0011 1101 1111

1100 1000 1101 1111 1111 1110 1111 1111 1001 1110 1001 1100 1111 1010 0111 0111
1110 1011 1110 1011 1100 1111 1101 1001 1101 1001 1000 1001 1101 1101 1111 1110


"d411crack.bas":
'"d411crack" freeBASIC SNES CIC lock-out chip rom decoding test program 0x004
'Created September 23rd-25th 2009 by Timothy Robert Keal alias jargon
'Released under the Gnu Public License 2.0
'
'http://retromachineshop.com/
'irc://chat.freenode.net/puzzlum
'
'Please review the Gnu Public License, Thank you.
'The GPL can be located online at http://www.gnu.org/copyleft/gpl.html
declare function bswap(value as byte) as byte
declare function bswap8(value as byte) as byte
declare function bswap4(value as byte) as byte
declare function bswap12(value as integer) as integer
declare sub drawrom(px as integer,py as integer,cols as integer,rows as integer)
declare sub clockstep(first as integer,last as integer,m as integer,c as integer)
declare sub bankswap(first as integer,last as integer,flag as integer)
' The dump file comes from the command line (drag-and-drop); keep the default name if none was given.
dim as string cmd=command,buffer=string(0,0),filename="D411_ROM.txt"
if cmd<>"" then filename=cmd
dim as integer mode=0,o=0,ct=0
' dat() is the working ROM (WROM), one bit per element; dat2() is the bankswap scratch table.
redim shared as integer dat(0),dat2(0)
mode=freefile
open filename for input as #mode
if (eof(mode)=0) and (lof(mode)>0) then
buffer=string(lof(mode),0)
get #mode,,buffer
endif
close #mode
' First pass: count the ascii "0"/"1" characters; whitespace and line breaks are skipped.
o=0
ct=0
do
if o>=len(buffer) then
exit do
endif
if mid(buffer,o+1,1)="1" or mid(buffer,o+1,1)="0" then
ct=ct+1
endif
o=o+1
loop
if ct=0 then
print "no bit data found in ";filename
end
endif
redim dat(0 to ct-1),dat2(0 to ct-1)
' Second pass: store each bit at its bit index rather than its character offset,
' so a dump with spaces or line breaks (like D411_ROM.txt) loads correctly too.
dim as integer b=0
o=0
do
if b>=ct or o>=len(buffer) then
exit do
endif
if mid(buffer,o+1,1)="1" or mid(buffer,o+1,1)="0" then
dat(b)=val(mid(buffer,o+1,1))
b=b+1
endif
o=o+1
loop
dim as integer o2=0, addr=0
dim as string ret=string(0,0)
screenres 640,480,32,16,,120
screenset 1,0
o=0
dim as integer x=0,y=0,o3=0,offset=0
dim as string d=string(1,0)
' Start a fresh ".dump.txt" beside the input, then append one ascii bit per tick.
mode=freefile
open filename+".dump.txt" for output as #mode
close #mode
mode=freefile
open filename+".dump.txt" for binary as #mode
do
if inkey=chr(27) then
exit do
endif
' One tick: four overlapping clock skews, forward and backward, per 16-bit bank
' and across the whole 4096-bit WROM with a 16-bit stride.
for o2=0 to &hfff step 16
clockstep o2,o2+15,1,1
next
for o2=0 to &hfff step 16
clockstep 0,&hfff,16,1
next
for o2=&hff0 to 0 step -16
clockstep o2+15,o2,1,1
next
for o2=&hff0 to 0 step -16
clockstep &hfff,0,16,1
next
' "Addressing BSWAP" shuffle of the whole WROM through the scratch table.
bankswap 0,&hfff,0
bankswap 0,&hfff,1
line(0,0)-(639,479),0,bf
drawrom 0,0,64,64
' Output bit for this tick: the WROM bit at the bswap12 of the tick counter.
o3=bswap12(o)
x=o3 and 63
y=fix(o3/64)
line((x shl 2)-1,(y shl 2)-1)-((x+1) shl 2,(y+1) shl 2),rgb(255,0,0),b
line((x shl 2)-2,(y shl 2)-2)-(((x+1) shl 2)+1,((y+1) shl 2)+1),rgb(255,0,0),b
line((x shl 2)-3,(y shl 2)-3)-(((x+1) shl 2)+2,((y+1) shl 2)+2),rgb(255,0,0),b
d=str(dat(o3))
color rgb(255,255,255)
locate 1,34
print d;
locate 3,34
print hex(offset);
put #mode,,d
screensync
screencopy 1,0
o=(o+1) and &hfff
offset=offset+1
loop
close #mode
end
' Leftover from the 0x003 one-shot converter: ret=dat(bswap12(o)) for every o, written to filename+".txt".
'for o2=0 to &hfff
' addr=bswap12(o2)
' ret=ret+str(dat(addr))
' 'o=o+1
' 'if o=64 then ret=ret+chr(13)+chr(10)
' 'if o=128 then
' 'ret=ret+chr(13)+chr(10)+chr(13)+chr(10)
' 'o=0
' 'endif
'next
'mode=freefile
'open filename+".txt" for output as #mode
'close #mode
'mode=freefile
'open filename+".txt" for binary as #mode
'put #mode,,ret
'close #mode
'end
' Bitwise bswap: reverse the order of the 8 bits in a byte.
function bswap(value as byte) as byte
return ((value and &h80) shr 7) _
or ((value and &h40) shr 5) _
or ((value and &h20) shr 3) _
or ((value and &h10) shr 1) _
or ((value and &h8) shl 1) _
or ((value and &h4) shl 3) _
or ((value and &h2) shl 5) _
or ((value and &h1) shl 7)
end function
' Addressing bswap over 8 bit positions: bit o of the input lands at 7-bswap3(o).
' byte is signed, so bswap() returns a negative value whenever bit 7 is set;
' masking the shifted result keeps the shift count in range.
function bswap8(value as byte) as byte
dim as byte ret=0
dim as integer o=0,o2=0
for o=0 to 7
o2=7-((bswap(o) shr 5) and 7)
ret=ret or (((value shr o) and 1) shl o2)
next
return ret
end function
' Same over 4 bit positions: bit o lands at 3-bswap2(o).
function bswap4(value as byte) as byte
dim as byte ret=0
dim as integer o=0,o2=0
for o=0 to 3
o2=3-((bswap(o) shr 6) and 3)
ret=ret or (((value shr o) and 1) shl o2)
next
return ret
end function
' Addressing bswap over the 12 address bits of a 4096-bit ROM: each bit position
' 0..11 is scaled to 0..15, 4-bit reversed, scaled back to 0..11 and subtracted
' from 11. "/" is floating-point division; the results round when stored.
function bswap12(value as integer) as integer
dim as integer ret=0
dim as byte o=0,o2=0
for o=0 to 11
o2=11-(((bswap(o*15/11) shr 4) and &hf)*11/15)
ret=ret or (((value shr o) and 1) shl o2)
next
return ret
end function
' Render the WROM as one 4x4-pixel cell per bit, "cols" cells per row, starting at (px,py).
sub drawrom(px as integer,py as integer,cols as integer,rows as integer)
dim as integer index=0,x=0,y=0,c=0
for index=0 to ubound(dat)
x=index mod cols
y=fix(index/cols)
c=dat(index)*&hff
line(px+(x shl 2),py+(y shl 2))-(px+((x shl 2) or 3),py+((y shl 2) or 3)),rgb(c,c,c),bf
next
end sub
' Ripple a carry "c" through the WROM bits first..last, visiting every |m|-th bit
' in the direction first->last, once per interleaved phase 0..|m|-1. first=last
' just toggles that one bit. The phase offset follows the stepping direction so a
' backward pass over the whole WROM stays inside the array.
sub clockstep(first as integer,last as integer,m as integer,c as integer)
dim as integer s=0,o=0,o2=0
if first<last then
s=1
elseif first>last then
s=-1
else
dat(first)=dat(first) xor c
c=0
return
endif
for o2=0 to abs(m)-1
for o=first to last step s*abs(m)
c=dat(o+s*o2)+c
dat(o+s*o2)=c and 1
c=(c shr 1) and 1
next
next
return
end sub
' flag=0: copy WROM into the scratch table through the bswap12 address map.
' flag=1: copy the scratch table back into WROM.
sub bankswap(first as integer,last as integer,flag as integer)
dim as integer s=0,o=0
if first<last then
s=1
elseif first>last then
s=-1
else
s=1
endif
select case flag
case 0
for o=first to last step s
dat2(o)=dat(bswap12(o))
next
case 1
for o=first to last step s
dat(o)=dat2(o)
next
end select
return
end sub


Sample "d411crack.exe" 0x004 test dump:
0011 0000 0111 1010 0001 0101 1100 1100 1111 1000 0000 0011 0100 1110 0101 1111
0111 1000 0111 1010 1100 1000 1100 1100 0001 0010 0000 0010 0000 1111 0101 1011
1000 0001 1101 1101 0000 1111 1000 1000 0111 0001 0101 0010 0000 0000 0011 1010
1101 1101 1101 1101 1000 1010 1000 1000 0100 0111 0101 0111 0100 1010 0011 1010
1111 1110 0000 1100 0100 0100 0101 0111 1111 1001 0000 0010 0100 1110 0101 1111
0001 1000 0000 1000 0000 0111 0101 0111 0001 0010 0000 0010 0000 1111 0101 1011
0111 1010 0101 0111 0000 0110 0011 0000 0111 0001 0101 0011 0000 0001 0011 1010
0100 0001 0101 0001 0100 0000 0011 0000 0100 0111 0101 0111 0100 1010 0011 1010
0011 0011 0001 0110 1101 0100 1110 1001 1001 1001 1010 0000 1011 1101 0001 0101
0001 0100 0001 0110 1110 1100 1110 1001 1001 0010 1010 0010


The floor is now open for discussion.

Posted by KP9000
What is the difference between this and your other thread?


Posted by NightKev
<+Keal> NightKev it isn't the same program as the other one
<+Keal> The documentation has been updated, additional routines have been added, the algorithm is twacked, the dump is different, etc.
<~NightKev> keal
<~NightKev> 1) rename thread
<~NightKev> 2) edit post
<~NightKev> it's the same program, just a newer version
<+Keal> It is too big to put in the same thread, and it isn't worth replacing the original due to losing the original docs that way.
<+Keal> Otherwise the thread would grow to several hundred kb.
<+Keal> It isn't the same program, it is a different algorithm using a similar function set
<~NightKev> if you were worried about losing the old docs/etc then just new reply
<+Keal> If you are an admin, simply merge the new post as a response to the original thread, since I can't do that.
<~NightKev> the admins can't do that either
<~NightKev> there's no such feature on the board


Okay, apparently you can close this thread; he posted his info in the other one now.


(Merged new thread having two replies with this thread.)

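The clockstep sub documented and listed above "cycles clock ticks" by rippling a carry through a run of WROM bits spaced m apart, and the main loop applies it in four skews per tick. The Python below is an added example, not part of d411crack: it models clockstep (with the phase offset following the stepping direction, so a backward 16-stride pass stays in bounds) and checks what a pass actually does to the bits it visits. The 64-bit sample WROM is constructed for the example and is not D411 data.

```python
"""Model of d411crack's clockstep "clock tick": added example, not the project's
code.  Shows that one pass is a binary increment of the bits it visits."""


def clockstep(dat, first, last, m, c=1):
    """Ripple carry `c` through dat[first..last], every |m|-th bit in the
    direction first -> last, once per interleaved phase 0..|m|-1.  As in the
    FreeBASIC sub the carry is not reset between phases, and first == last
    just toggles that bit.  Returns the carry left over after the last bit."""
    if first == last:
        dat[first] ^= c
        return 0
    s = 1 if first < last else -1
    stride = abs(m)
    for phase in range(stride):
        for o in range(first, last + s, s * stride):
            idx = o + s * phase          # phase offset follows the direction
            c += dat[idx]
            dat[idx] = c & 1
            c = (c >> 1) & 1
    return c


def chain_order(first, last, m):
    """The bit indices a clockstep pass visits, in visiting order (LSB first)."""
    if first == last:
        return [first]
    s = 1 if first < last else -1
    stride = abs(m)
    return [o + s * phase for phase in range(stride)
            for o in range(first, last + s, s * stride)]


def chain_value(dat, order):
    """Read the visited bits as a little-endian integer, bit order[0] being the LSB."""
    return sum(dat[idx] << i for i, idx in enumerate(order))


def bank_value(dat, first, width=16):
    """Read dat[first..first+width) as a little-endian integer (bit `first` is the LSB)."""
    return chain_value(dat, list(range(first, first + width)))


def tick_bank(dat, first):
    """The per-bank skew from the main loop: clockstep first..first+15, stride 1, carry 1."""
    return clockstep(dat, first, first + 15, 1, 1)


# Constructed 64-bit WROM (four 16-bit banks); bank 2 is all ones so its tick carries out.
SAMPLE_WROM = [int(ch) for ch in
               "1011000111110000" "0000111110101011"
               "1111111111111111" "0110100101010101"]

if __name__ == "__main__":
    dat = list(SAMPLE_WROM)
    before = bank_value(dat, 0)
    carry = tick_bank(dat, 0)
    print("bank 0:", before, "->", bank_value(dat, 0), "carry out", carry)
    carry = tick_bank(dat, 32)
    print("bank 2 (all ones) ->", bank_value(dat, 32), "carry out", carry,
          "bank 3 untouched:", bank_value(dat, 48) == bank_value(SAMPLE_WROM, 48))
    order = chain_order(0, 63, 16)
    dat = list(SAMPLE_WROM)
    v = chain_value(dat, order)
    clockstep(dat, 0, 63, 16, 1)
    print("16-stride pass over 64 bits: chain", v, "->", chain_value(dat, order))
```

The check is worth having before building further on the tick: a forward pass over a bank adds 1 to the bank read as a 16-bit little-endian counter, the carry out of the top bit is returned and dropped rather than propagated into the next bank, and the 16-stride pass over the whole WROM is the same increment applied to a counter whose bit order is the interleaved chain (bits 0, 16, 32, 48, then 1, 17, 33, 49, and so on). In other words, every skew is a counter increment under a fixed bit permutation, which is what any decoding attempt on the output would have to account for.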

magno
Posted on 10-28-09 08:50 PM

This is great!! What a job you are doing!!!

Maybe you could find useful information about the Tengen CIC chip (which was used on the NES), which was "reverse engineered" some time ago... ROM content and source code are available on the NesDev forum.

Please, keep us updated about any news.
