MAME SVN History

199869 Revisions

r21773 Saturday 9th March, 2013 at 18:39:33 UTC by David Haywood
bit of rearranging of the stvprot.c code with a view to easier dumping out encrypted / non-encrypted streams.

[src/mame/machine]

stvprot.c

trunk/src/mame/machine/stvprot.c
r21772	r21773
102	102	#include "stvprot.h"
103	103	#include "includes/stv.h"
104	104
	105	// these should become member variables!
	106	UINT32 m_abus_protenable;
	107	UINT32 m_abus_prot_addr;
	108	UINT32 m_abus_protkey;
	109
105	110	static UINT32 a_bus[4];
106	111	static UINT32 ctrl_index;
107	112	static UINT32 internal_counter;
108	113	static UINT8 char_offset; //helper to jump the decoding of the NULL chars.
109	114
	115
	116
110	117	/************************
111	118	*
112	119	* Tecmo World Cup '98
r21772	r21773
123	130	with 0x60651f8
124	131	*/
125	132
	133
	134	//MAIN : 12120000 DATA : 0ad20069 Tecmo logo
	135	//MAIN : 12120000 DATA : e332006b title screen
	136	// TODO: encrypted / compressed data.
	137	// Both points to a section that has a string ("TECMO" / "TITLE")
	138
126	139	static UINT32 twcup_prot_data[8] =
127	140	{
128	141	0x23232323, 0x23232323, 0x4c4c4c4c, 0x4c156301
r21772	r21773
132	145	{
133	146	UINT32 ROM = (UINT32 )space.machine().root_device().memregion("abus")->base();
134	147
135		if(a_bus~~[0]~~ & 0x00010000)~~//protection calculation is activated~~
	148	if(m_abus_protenable & 0x00010000)
136	149	{
137	150	if(offset == 3)
138	151	{
139	152	UINT32 res;
140		logerror("A-Bus control protection read at %06x with data = %08x\n",space.device().safe_pc(),a_bus~~[3]~~);
	153	logerror("A-Bus control protection read at %06x with data = %08x\n",space.device().safe_pc(),m_abus_protkey);
141	154	#ifdef MAME_DEBUG
142		popmessage("Prot read at %06x with data = %08x",space.device().safe_pc(),a_bus~~[3]~~);
	155	popmessage("Prot read at %06x with data = %08x",space.device().safe_pc(),m_abus_protkey);
143	156	#endif
144		switch(a_bus~~[3]~~ >> 16)
	157	switch(m_abus_protkey >> 16)
145	158	{
146	159	case 0x1212:
147	160	if(ctrl_index & 2)
r21772	r21773
172	185	}
173	186	}
174	187
175		static WRITE32_HANDLER ( twcup98_prot_w )
176		{
177		COMBINE_DATA(&a_bus[offset]);
178		logerror("A-Bus control protection write at %06x: [%02x] <- %08x\n",space.device().safe_pc(),offset,data);
179	188
180		if(offset == 3)
181		{
182		int a_bus_vector;
183	189
184		a_bus_vector = a_bus[2] >> 16;
185		a_bus_vector\|= (a_bus[2] & 0xffff) << 16;
186		a_bus_vector<<= 1;
187
188		//MAIN : 12120000 DATA : 0ad20069 Tecmo logo
189		//MAIN : 12120000 DATA : e332006b title screen
190
191		/* TODO: encrypted / compressed data.
192		Both points to a section that has a string ("TECMO" / "TITLE") */
193
194		//printf("MAIN : %08x DATA : %08x %08x\n",a_bus[3],a_bus[2],a_bus_vector);
195
196		switch(a_bus[3] >> 16)
197		{
198		case 0x1212:
199		ctrl_index = a_bus_vector;
200		break;
201		}
202
203		}
204		//popmessage("%04x %04x",data,offset/4);
205		}
206
207		void install_twcup98_protection(running_machine &machine)
208		{
209		machine.device("maincpu")->memory().space(AS_PROGRAM).install_legacy_readwrite_handler(0x4fffff0, 0x4ffffff, FUNC(twcup98_prot_r), FUNC(twcup98_prot_w));
210		}
211
212	190	/**************************
213	191	*
214	192	* Steep Slope Sliders
r21772	r21773
219	197	{
220	198	UINT32 ROM = (UINT32 )space.machine().root_device().memregion("abus")->base();
221	199
222		if(a_bus~~[0]~~ & 0x00010000)//protection calculation is activated
	200	if(m_abus_protenable & 0x00010000)//protection calculation is activated
223	201	{
224	202	if(offset == 3)
225	203	{
226	204	UINT32 res;
227	205
228		logerror("A-Bus control protection read at %06x with data = %08x\n",space.device().safe_pc(),a_bus~~[3]~~);
	206	logerror("A-Bus control protection read at %06x with data = %08x\n",space.device().safe_pc(),m_abus_protkey);
229	207	#ifdef MAME_DEBUG
230		popmessage("Prot read at %06x with data = %08x",space.device().safe_pc(),a_bus~~[3]~~);
	208	popmessage("Prot read at %06x with data = %08x",space.device().safe_pc(),m_abus_protkey);
231	209	#endif
232		switch(a_bus[3]>>16)
	210	int read_offset_hack = 0;
	211
	212	/*
	213	MAIN : 2c5b0000 DATA : 000000a6 014c0000
	214	MAIN : 47f10000 DATA : 0f9800a6 014c1f30
	215	MAIN : fcda0000 DATA : 1d4800a6 014c3a90
	216	MAIN : b5e60000 DATA : 29e300a6 014c53c6
	217	MAIN : 392c0000 DATA : 38e900a6 014c71d2
	218	MAIN : 77c30000 DATA : 462500a6 014c8c4a
	219	MAIN : 8a620000 DATA : 555c00a6 014caab8
	220	*/
	221
	222	// I have a feeling rather than the offsets being scrambled they were lazy
	223	// and left unencrypted copies in the ROM... but this still needs verification
	224	switch(m_abus_protkey>>16)
233	225	{
234		case 0x2c5b:
235		case 0x47f1:
236		case 0xfcda:
237		case 0xb5e6:
238		case 0x392c:
239		case 0x77c3:
240		case 0x8a62:
	226	case 0x2c5b: read_offset_hack = 0x60054; break;
	227	case 0x47f1: read_offset_hack = 0x56498; break;
	228	case 0xfcda: read_offset_hack = 0x50b0c; break;
	229	case 0xb5e6: read_offset_hack = 0x4af56; break;
	230	case 0x392c: read_offset_hack = 0x45876; break;
	231	case 0x77c3: read_offset_hack = 0x3fe02; break;
	232	case 0x8a62: read_offset_hack = 0x3a784; break;
	233	}
	234
	235	switch(m_abus_protkey>>16)
	236	{
	237	default:
241	238	if(ctrl_index & 2)
242	239	{
243		res = (ROM[ctrl_index / 4] & 0xffff) << 16;
244		res \|= (ROM[(ctrl_index+4) / 4] & 0xffff0000) >> 16;
	240	res = (ROM[(ctrl_index-read_offset_hack) / 4] & 0xffff) << 16;
	241	res \|= (ROM[((ctrl_index-read_offset_hack)+4) / 4] & 0xffff0000) >> 16;
245	242	}
246	243	else
247	244	{
248		res = ROM[ctrl_index / 4] & 0xffff0000;
249		res \|= ROM[ctrl_index / 4] & 0xffff;
	245	res = ROM[(ctrl_index-read_offset_hack) / 4] & 0xffff0000;
	246	res \|= ROM[(ctrl_index-read_offset_hack) / 4] & 0xffff;
250	247	}
251	248	ctrl_index+=4;
252	249	return res;
r21772	r21773
261	258	}
262	259	}
263	260
264		static WRITE32_HANDLER ( sss_prot_w )
265		{
266		COMBINE_DATA(&a_bus[offset]);
267		logerror("A-Bus control protection write at %06x: [%02x] <- %08x\n",space.device().safe_pc(),offset,data);
268		if(offset == 3)
269		{
270		int a_bus_vector;
271	261
272		a_bus_vector = a_bus[2] >> 16;
273		a_bus_vector\|= (a_bus[2] & 0xffff) << 16;
274		a_bus_vector<<= 1;
275	262
276		/*
277		MAIN : 2c5b0000 DATA : 000000a6 014c0000
278		MAIN : 47f10000 DATA : 0f9800a6 014c1f30
279		MAIN : fcda0000 DATA : 1d4800a6 014c3a90
280		MAIN : b5e60000 DATA : 29e300a6 014c53c6
281		MAIN : 392c0000 DATA : 38e900a6 014c71d2
282		MAIN : 77c30000 DATA : 462500a6 014c8c4a
283		MAIN : 8a620000 DATA : 555c00a6 014caab8
284		*/
285	263
286		// printf("MAIN : %08x DATA : %08x %08x\n",a_bus[3],a_bus[2],a_bus_vector);
287		switch(a_bus[3] >> 16)
288		{
289		/* Note: only the first value is TRUSTED (because it's tested in the code).
290		Others are hand-tuned by checking if there isn't any garbage during display. */
291		case 0x2c5b: ctrl_index = (a_bus_vector-0x60054); break;
292		case 0x47f1: ctrl_index = (a_bus_vector-0x56498); break;
293		case 0xfcda: ctrl_index = (a_bus_vector-0x50b0c); break;
294		case 0xb5e6: ctrl_index = (a_bus_vector-0x4af56); break;
295		case 0x392c: ctrl_index = (a_bus_vector-0x45876); break;
296		case 0x77c3: ctrl_index = (a_bus_vector-0x3fe02); break;
297		case 0x8a62: ctrl_index = (a_bus_vector-0x3a784); break;
298		default:
299		ctrl_index = 0;
300		popmessage("Unknown SSS seed %04x, contact MAMEdev",a_bus[3] >> 16);
301		break;
302		}
303
304		// printf("%08x\n",ctrl_index);
305		}
306		}
307
308		void install_sss_protection(running_machine &machine)
309		{
310		machine.device("maincpu")->memory().space(AS_PROGRAM).install_legacy_readwrite_handler(0x4fffff0, 0x4ffffff, FUNC(sss_prot_r), FUNC(sss_prot_w));
311		}
312
313	264	/*************************************
314	265	*
315	266	* Radiant Silvergun
r21772	r21773
320	271	{
321	272	UINT32 ROM = (UINT32 )space.machine().root_device().memregion("abus")->base();
322	273
323		if(a_bus~~[0]~~ & 0x00010000)//protection calculation is activated
	274	if(m_abus_protenable & 0x00010000)//protection calculation is activated
324	275	{
325	276	if(offset == 3)
326	277	{
327		logerror("A-Bus control protection read at %06x with data = %08x\n",space.device().safe_pc(),a_bus~~[3]~~);
	278	logerror("A-Bus control protection read at %06x with data = %08x\n",space.device().safe_pc(),m_abus_protkey);
328	279	#ifdef MAME_DEBUG
329		popmessage("Prot read at %06x with data = %08x",space.device().safe_pc(),a_bus~~[3]~~);
	280	popmessage("Prot read at %06x with data = %08x",space.device().safe_pc(),m_abus_protkey);
330	281	#endif
331		switch(a_bus~~[3]~~)
	282	switch(m_abus_protkey)
332	283	{
333	284	case 0x77770000: {//rsgun
334	285	UINT32 val =
r21772	r21773
359	310	{
360	311	COMBINE_DATA(&a_bus[offset]);
361	312	logerror("A-Bus control protection write at %06x: [%02x] <- %08x\n",space.device().safe_pc(),offset,data);
362		if(offset == 3)
	313
	314	if (offset == 0)
363	315	{
	316	COMBINE_DATA(&m_abus_protenable);
	317	}
	318	else if(offset == 2)
	319	{
	320	COMBINE_DATA(&m_abus_prot_addr);
	321	}
	322	else if(offset == 3)
	323	{
	324	COMBINE_DATA(&m_abus_protkey);
364	325	// int a_bus_vector;
365	326
366		// a_bus_vector = a_bus[2] >> 16;
367		// a_bus_vector\|= (a_bus[2] & 0xffff) << 16;
	327	// a_bus_vector = m_abus_prot_addr >> 16;
	328	// a_bus_vector\|= (m_abus_prot_addr & 0xffff) << 16;
368	329	// a_bus_vector<<= 1;
369		// printf("MAIN : %08x DATA : %08x %08x\n",a_bus[3],a_bus[2],a_bus_vector);
370		switch(a_bus[3])
	330	// printf("MAIN : %08x DATA : %08x %08x\n",m_abus_protkey,m_abus_prot_addr,a_bus_vector);
	331	switch(m_abus_protkey)
371	332	{
372	333	case 0x77770000: ctrl_index = 0; break;
373	334	}
r21772	r21773
375	336	//popmessage("%04x %04x",data,offset/4);
376	337	}
377	338
378		void install_rsgun_protection(running_machine &machine)
379		{
380		machine.device("maincpu")->memory().space(AS_PROGRAM).install_legacy_readwrite_handler(0x4fffff0, 0x4ffffff, FUNC(rsgun_prot_r), FUNC(rsgun_prot_w));
381		}
382	339
	340
	341
383	342	/*************************
384	343	*
385	344	* Elandoree
r21772	r21773
390	349	{
391	350	UINT32 ROM = (UINT32 )space.machine().root_device().memregion("abus")->base();
392	351
393		if(a_bus~~[0]~~ & 0x00010000)//protection calculation is activated
	352	if(m_abus_protenable & 0x00010000)//protection calculation is activated
394	353	{
395	354	if(offset == 3)
396	355	{
397	356	UINT32 res;
398		logerror("A-Bus control protection read at %06x with data = %08x\n",space.device().safe_pc(),a_bus~~[3]~~);
	357	logerror("A-Bus control protection read at %06x with data = %08x\n",space.device().safe_pc(),m_abus_protkey);
399	358	#ifdef MAME_DEBUG
400		popmessage("Prot read at %06x with data = %08x",space.device().safe_pc(),a_bus~~[3]~~);
	359	popmessage("Prot read at %06x with data = %08x",space.device().safe_pc(),m_abus_protkey);
401	360	#endif
402		switch(a_bus~~[3]~~ >> 16)
	361	switch(m_abus_protkey >> 16)
403	362	{
404	363	default:
405	364	if(ctrl_index & 2)
r21772	r21773
425	384	}
426	385	}
427	386
428		static WRITE32_HANDLER ( elandore_prot_w )
429		{
430		COMBINE_DATA(&a_bus[offset]);
431		logerror("A-Bus control protection write at %06x: [%02x] <- %08x\n",space.device().safe_pc(),offset,data);
432		if(offset == 3)
433		{
434		int a_bus_vector;
435	387
436		a_bus_vector = a_bus[2] >> 16;
437		a_bus_vector\|= (a_bus[2] & 0xffff) << 16;
438		a_bus_vector<<= 1;
439	388
440		//printf("MAIN : %08x DATA : %08x %08x\n",a_bus[3],a_bus[2],a_bus_vector);
441		switch(a_bus[3] >> 16)
442		{
443		default:
444		ctrl_index = a_bus_vector;
445		break;
446		}
447		}
448		//popmessage("%04x %04x",data,offset/4);
449		}
450
451		void install_elandore_protection(running_machine &machine)
452		{
453		machine.device("maincpu")->memory().space(AS_PROGRAM).install_legacy_readwrite_handler(0x4fffff0, 0x4ffffff, FUNC(elandore_prot_r), FUNC(elandore_prot_w));
454		}
455
456	389	/*************************
457	390	*
458	391	* Final Fight Revenge
r21772	r21773
724	657	{
725	658	UINT32 ROM = (UINT32 )space.machine().root_device().memregion("abus")->base();
726	659
727		if(a_bus~~[0]~~ & 0x00010000)//protection calculation is activated
	660	if(m_abus_protenable & 0x00010000)//protection calculation is activated
728	661	{
729	662	if(offset == 3)
730	663	{
731	664	#if 0
732	665	UINT32 res;
733	666	#endif
734		logerror("A-Bus control protection read at %06x with data = %08x\n",space.device().safe_pc(),a_bus[3]);
735		switch(a_bus[3] >> 16)
	667	logerror("A-Bus control protection read at %06x with data = %08x\n",space.device().safe_pc(),m_abus_protkey);
	668	switch(m_abus_protkey >> 16)
736	669	{
737	670	case 0x10da://ffreveng, boot vectors at $6080000,test mode
738	671	case 0x10d7://ffreveng, boot vectors at $6080000,attract mode
r21772	r21773
761	694	}
762	695	}
763	696
764		static WRITE32_HANDLER ( ffreveng_prot_w )
765		{
766		COMBINE_DATA(&a_bus[offset]);
767		logerror("A-Bus control protection write at %06x: [%02x] <- %08x\n",space.device().safe_pc(),offset,data);
768		if(offset == 3)
769		{
770		int a_bus_vector;
771	697
772		a_bus_vector = a_bus[2] >> 16;
773		a_bus_vector\|= (a_bus[2] & 0xffff) << 16;
774		a_bus_vector<<= 1;
775	698
776		printf("MAIN : %08x DATA : %08x %08x\n",a_bus[3],a_bus[2],a_bus_vector);
777		switch(a_bus[3] >> 16)
778		{
779		case 0x10d7: ctrl_index = a_bus_vector; break;
780		case 0x10da: ctrl_index = a_bus_vector; break;
781		default:
782		ctrl_index = 0;
783		}
784		}
785		//popmessage("%04x %04x",data,offset/4);
786		}
787
788		void install_ffreveng_protection(running_machine &machine)
789		{
790		machine.device("maincpu")->memory().space(AS_PROGRAM).install_legacy_readwrite_handler(0x4fffff0, 0x4ffffff, FUNC(ffreveng_prot_r), FUNC(ffreveng_prot_w));
791		}
792
793	699	/************************
794	700	*
795	701	* Astra Super Stars
r21772	r21773
798	704
799	705	static READ32_HANDLER(astrass_prot_r)
800	706	{
801		if ( ~~off~~s~~et == 3 && ctrl~~_index != -1 )
	707	if(m_abus_protenable & 0x00010000)
802	708	{
803		UINT32 data = 0;
804		UINT32 prot_data = (UINT32 )space.machine().root_device().memregion("user2")->base();
	709	if(offset == 3)
	710	{
805	711
806		data = prot_data[ctrl_index++];
	712	/* we're reading from a custom region, NOT the rom address, so we're based at 0, the real data likely exists at this address */
	713	int read_offset_hack = 0x4ec260;
807	714
808		if ( ctrl_index >= space.machine().root_device().memregion("user2")->bytes()/4 )
809		{
810		ctrl_index = -1;
811		}
	715	UINT32 data = 0;
	716	UINT32 prot_data = (UINT32 )space.machine().root_device().memregion("user2")->base();
812	717
813		return data;
	718	data = prot_data[(ctrl_index-read_offset_hack)];
	719	ctrl_index++;
	720
	721	if ( (ctrl_index-read_offset_hack) >= space.machine().root_device().memregion("user2")->bytes()/4 )
	722	{
	723	ctrl_index = -1;
	724	}
	725
	726	return data;
	727	}
	728
814	729	}
815	730	return a_bus[offset];
816	731	}
817	732
818		static WRITE32_HANDLER(astrass_prot_w)
	733
	734
	735	static WRITE32_HANDLER ( common_prot_w )
819	736	{
820		COMBINE_DATA(&a_bus[0 + offset]);
821		if ( offset == 3 )
	737	COMBINE_DATA(&a_bus[offset]);
	738	//printf("A-Bus control protection write at %06x: [%02x] <- %08x\n",space.device().safe_pc(),offset,data);
	739
	740	if (offset == 0)
822	741	{
823		~~ctrl~~_inde~~x = 0~~;
	742	COMBINE_DATA(&m_abus_protenable);
824	743	}
	744	else if(offset == 2)
	745	{
	746	COMBINE_DATA(&m_abus_prot_addr);
	747	}
	748	else if(offset == 3)
	749	{
	750	COMBINE_DATA(&m_abus_protkey);
	751	int a_bus_vector;
	752	a_bus_vector = m_abus_prot_addr >> 16;
	753	a_bus_vector\|= (m_abus_prot_addr & 0xffff) << 16;
	754	a_bus_vector<<= 1;
	755	//printf("MAIN : %08x DATA : %08x %08x\n",m_abus_protkey,m_abus_prot_addr,a_bus_vector);
	756
	757	// if you look at the first transfer in ffreveng this is clearly a ROM address from a table \| MAIN : 10d70000 DATA : 0b780013 002616f0
	758	// (opr21872.7, offset 0x616f0, which happens to be 0x2616f0 in the ROM region "game0")
	759	// the values sent by the CPU are plucked from a table above where the data is, located at 0x60000
	760	// Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
	761	// 00060000 00 00 16 F0 00 00 2F A0 00 00 46 90 00 00 4D 04
	762	// this is the first entry in the table, 0x16f0 is the address, 0x2fa0 is the length.
	763	// the next entry is address 0x4690, length 0x4d04. 0x16f0 + 0x2fa0 == 0x4690 so that entry is located straight after the first one
	764	// the game reads the number of bytes specified in the length via the protection device, writing them to RAM. This suggests there
	765	// is no compression going on, only some form of encryption.
	766
	767	ctrl_index = a_bus_vector;
	768	}
825	769	}
826	770
	771
	772
	773
	774	void install_sss_protection(running_machine &machine)
	775	{
	776	machine.device("maincpu")->memory().space(AS_PROGRAM).install_legacy_readwrite_handler(0x4fffff0, 0x4ffffff, FUNC(sss_prot_r), FUNC(common_prot_w));
	777	}
	778
827	779	void install_astrass_protection(running_machine &machine)
828	780	{
829	781	ctrl_index = -1;
830		machine.device("maincpu")->memory().space(AS_PROGRAM).install_legacy_readwrite_handler(0x4fffff0, 0x4ffffff, FUNC(astrass_prot_r), FUNC(~~astrass~~_prot_w));
	782	machine.device("maincpu")->memory().space(AS_PROGRAM).install_legacy_readwrite_handler(0x4fffff0, 0x4ffffff, FUNC(astrass_prot_r), FUNC(common_prot_w));
831	783	}
832	784
	785	void install_ffreveng_protection(running_machine &machine)
	786	{
	787	machine.device("maincpu")->memory().space(AS_PROGRAM).install_legacy_readwrite_handler(0x4fffff0, 0x4ffffff, FUNC(ffreveng_prot_r), FUNC(common_prot_w));
	788	}
	789
	790	void install_elandore_protection(running_machine &machine)
	791	{
	792	machine.device("maincpu")->memory().space(AS_PROGRAM).install_legacy_readwrite_handler(0x4fffff0, 0x4ffffff, FUNC(elandore_prot_r), FUNC(common_prot_w));
	793	}
	794
	795	void install_rsgun_protection(running_machine &machine)
	796	{
	797	machine.device("maincpu")->memory().space(AS_PROGRAM).install_legacy_readwrite_handler(0x4fffff0, 0x4ffffff, FUNC(rsgun_prot_r), FUNC(rsgun_prot_w));
	798	}
	799
	800	void install_twcup98_protection(running_machine &machine)
	801	{
	802	machine.device("maincpu")->memory().space(AS_PROGRAM).install_legacy_readwrite_handler(0x4fffff0, 0x4ffffff, FUNC(twcup98_prot_r), FUNC(common_prot_w));
	803	}
	804
	805
	806
833	807	void stv_register_protection_savestates(running_machine &machine)
834	808	{
835	809	state_save_register_global_array(machine, a_bus);

199869 Revisions