Understanding neo geo copy protection

Jiggle

Timid Neo Newbie
Joined
Jan 5, 2022
Posts
6
Hi,

I’ve been doing some reading and research about the neo geo MVS copy protection schemes. I am hoping someone could double check my summary below to see if I am correct, and also answer a few questions that I have (or point me to where I can find this info).

Essentially, MVS systems have three forms of copy protection: scrambling, encryption and other ASIC-based functionality. Not all games use all of them, and some use none. Scrambling refers to shuffling the data and address lines which go to the various mask ROMs in the cartridge, as well as storing the various ROM chunks in unusual ways. Encryption is exactly that; using some form of cipher to hide the content of the mask ROM. The extra ASIC functionality is varied, but it involves some sort of communication with a special chip in the cartridge. A decrypted ROM on a cartridge may not work without these special ASICs

Some questions I have:
1. Are the data reads descrambled by the time they reach the cartridge edge connector? Or are the scrambled addresses embedded in the 68k code too?
2. Similarly, are the data reads decrypted by the time they reach the edge connector (ie by some ASIC)? Or is there some 68k magic?
3. Is the ASIC protection for different cartridges documented anywhere?
4. Is there a list of “correct” encrypted and decrypted ROM checksums or hashes somewhere online?
5. When people speak about decrypted *and* patched ROMs, are the patches just to remove the checks for the ASICs in the cartridge?

Thanks in advance for any pointers!
 

SignOfZeta

Genam's Azami Sharpener
15 Year Member
Joined
Sep 18, 2003
Posts
1,519
Historically, yes. But short of curiosity is this useful info for anyone? The ROMs are all out there and have been for ages. The copyright protection used in-period didn’t work even then so someone making a new game would need something better (epoxy). I don’t known exactly why pirates would care either but it seemed most realistic. Maybe he’s an emulator author?
 

Jiggle

Timid Neo Newbie
Joined
Jan 5, 2022
Posts
6
Hi again,

I am indeed interested in trying to make a flash cart, but also trying to understand the architecture of the neo geo better. It is purely out of curiosity (and maybe a little nostalgia for the system…); if I wanted to buy one there are plenty that exist already for way less effort.
 

HMG

H = Heinously, M = Massive, G = Gonad,
10 Year Member
Joined
Apr 3, 2011
Posts
5,041
Some questions I have:
1. Are the data reads descrambled by the time they reach the cartridge edge connector? Or are the scrambled addresses embedded in the 68k code too?
2. Similarly, are the data reads decrypted by the time they reach the edge connector (ie by some ASIC)? Or is there some 68k magic?
3. Is the ASIC protection for different cartridges documented anywhere?
4. Is there a list of “correct” encrypted and decrypted ROM checksums or hashes somewhere online?
5. When people speak about decrypted *and* patched ROMs, are the patches just to remove the checks for the ASICs in the cartridge?

Thanks in advance for any pointers!

1. Yes, the data is unscrambled “by the time it reaches the cartridge connector”. Putting data in different areas of the 68k address range is more of a superficial protection measure, it all ends up looking same to the 68k, all said and done.

2. Yes, data is also decrypted before it hits the 68k, if a decryption chip is involved. The 68k, even if it was fast enough to decrypt a program ROM by itself, wouldn’t have much time left over to run the actual game code. Besides, did you know SNK would also encrypt C ROM (Graphics) chips? The 68k has no way of directly accessing the graphics system, how would it decrypt anything there?

3. I don’t really understand what you mean by ”ASIC” protection, as if it’s different from decryption. Unless you are thinking of Indie game releases by NG:Dev.Team? I’m not familiar with how their cartridges work or how they’re copy protected.

4. Dunno, check with the MAME guys.

5. There‘s only decrypted roms for the Neo Geo. Where are these patched roms you’re finding? Again, for SNK releases, “ASIC” and encryption are most likely the same thing, going by your descriptions.


Perhaps I can better categorize your copy protection ideas using official SNK cartridge boards.

The closest example of ”data scrambling“ I can think of is the CHA-42G board. https://wiki.neogeodev.org/index.php?title=CHA42G

Maybe this “ASIC” protection you’re thinking of is the PROG-G2 board? It uses the PRO-CT0 graphics multiplexer chip as a security chip instead. Only 3 games ever used it, those being Fatal Fury 2, Super Sidekicks 2 and Viewpoint. https://wiki.neogeodev.org/index.php?title=PROG-G2

Otherwise, 99% of SNK’s copy protection was just encryption. Boards with encryption include the program boards PROGEOP, PROGLBA, PROGBK2 and 3 and their derivatives and for character boards, pretty much just CHAFIO which had two different NEO-CMC chips produced which weren’t compatible. There’s a whole page of these boards here you can read:

 

SignOfZeta

Genam's Azami Sharpener
15 Year Member
Joined
Sep 18, 2003
Posts
1,519
I think there may have been some patched ROMs like 20 years ago, patched to work with emulators though. In other words…bad ROMs by todays definition. I may have dreamed that though…
 

Jiggle

Timid Neo Newbie
Joined
Jan 5, 2022
Posts
6
Thanks for the replies. I didn’t think to look at the MAME source code for documentation, but there is tons of info there! I also was looking for the wrong keywords on the neo geo wiki, the correct search phrase is “slot check security”: https://wiki.neogeodev.org/index.php?title=Slot_check_security

There are indeed patched/hacked ROMs floating around to defeat these protected games (for example, emulating metal slug 5 was an issue for a while due to the protection). That isn’t an issue nowadays as the protection has been reverse engineered.

ASIC stands for Application Specific Integrated Circuit aka custom chips. From looking further at this info it seems that the main protection done in hardware is this chip: https://wiki.neogeodev.org/index.php?title=NEO-CMC which is indeed on the cartridge (as you mentioned), and it is responsible for the deinterleaving of the obfuscated ROM layout, as well as decryption using the weird XOR tables thing outlined in MAME.
 
Last edited:

Jag-Master

"Hey, are we done here?..., Cause I'm losing my bu
15 Year Member
Joined
May 7, 2008
Posts
959
Wishing you luck on your bootlegs :-J
 
Top