Friday, October 14, 2011

frequency modifier

As I said in previous posts, the custom SH2 is fed with a 6.25 MHz clock, which is then multiplied internally by a factor of 4.

According to the SH2 specifications, this is done by writing a certain value (2 in this case) to the frequency control register at address H'FFFFFE90. The write must be executed from code running in the cache memory (the H'C0000000 area). Until this is done, the CPU runs at 6.25 MHz, which means the flash ROM is being read at a lower pace until we force the CPU to run faster.
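The sequence described above, written out as an added example in SH-2 assembly (GNU as syntax). This is illustration only, not code from this post or from the cartridge BIOS. It assumes the cache has already been configured so that the data array at H'C0000000 is usable as RAM, it uses the value 2 quoted above for the register write, and the settle count is a placeholder, not a measured figure.

```asm
! Added illustration (not the cartridge's BIOS code): set the SH7604 clock
! multiplier while executing from the cache data array, as described above.
! Assumptions: GNU as syntax for SH-2; the cache is already configured so the
! data array at H'C0000000 can be used as RAM; the value 2 written to FRQCR
! is the one quoted in the post; the settle count is a placeholder.

        .section .text
        .align 2
set_pll_from_cache:
        mov.l   p_src, r1          ! source: pll_set routine in flash ROM
        mov.l   p_dst, r2          ! destination: cache data array, H'C0000000
        mov.l   p_len, r3          ! 16-bit words to copy (code + literal pool)
copy_loop:
        mov.w   @r1+, r0
        mov.w   r0, @r2
        add     #2, r2
        dt      r3                 ! r3 = r3 - 1, T = (r3 == 0)
        bf      copy_loop
        mov.l   p_dst, r2
        jsr     @r2                ! run pll_set from the cache data array
        nop                        ! delay slot
        rts                        ! back here, now at 25 MHz
        nop                        ! delay slot

        .align 2
p_src:  .long   pll_set
p_dst:  .long   0xC0000000
p_len:  .long   (pll_set_end - pll_set) / 2

! pll_set is position independent: its only memory references are PC-relative
! literal loads, and the literal pool is copied along with the code, so the
! offsets are the same at H'C0000000 as in ROM.
        .align 2
pll_set:
        mov.l   p_frqcr, r1        ! FRQCR, H'FFFFFE90 (16-bit register)
        mov     #2, r0
        mov.w   r0, @r1            ! select the x4 multiplier (value from the post)
        mov.l   p_wait, r3
pll_wait:                          ! spin here, touching no external memory,
        dt      r3                 ! while the PLL settles
        bf      pll_wait
        rts
        nop                        ! delay slot
        .align 2
p_frqcr: .long  0xFFFFFE90
p_wait:  .long  1000               ! placeholder settle count, not a measured value
pll_set_end:
```

The point of the copy-and-jump is that no instruction fetch or data access hits the external bus between the register write and the end of the spin loop; everything the routine needs (code and literals) is already inside the chip.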

Still waiting for the signal analyzer...

knowing the cartridge better

I made a couple of corrections to my previous post. Apparently none of the chips on the CPU board (except the SH2) has any tricky protection-related function; they seem to be used to generate signals for the SH2, which is constantly powered.

The pinout seems to be identical to that of the SH2 (SH7604), so at this moment I can only think of two ways of reprogramming the keys inside.

* One option is that the SH2 can still run code, but with a different, unknown, factory-set key. In that case replacing the BIOS allows the manufacturer to execute code that can reset the keys. I can confirm/refute this option when I get the new signal analyzer.
* Another option would be a combination of signals to activate a "programming mode", e.g. put the two keys on the data bus and activate some control pins.

It also intrigues me that replacing the custom SH2 with a standard SH2 doesn't work. Was the BIOS properly decrypted? Do the control signals on the SH2 work in the same way?

Monday, October 10, 2011

Moving forward

I finally received a good bunch of flash memories and 2 adaptors for them, so I can run as many tests as I want.

If you have a look at the pictures below, you'll notice that the cartridge is prepared from the factory to work with 2 types of flash ROM: the 29F400 (at position U2 of the cartridge) and the 28F400 (at U5). The one at U2 has a pin pitch similar to the SH2's, which is a nightmare to solder without the proper equipment; the other one on the back side (U5) has a much nicer pinout, which allows me to connect an EPROM to it and test many BIOSes. See pictures below of the front and back side of the cartridge. Notice that the tiny sub-PCB on the back side is just fixed with tape.

I have ordered a digital analyzer so I can check for myself whether there is real traffic going on between the CPU and the EPROM. If nothing happens, that would be bad news, as it would mean that the CPU is somehow blocked. However, if it can be unblocked by Capcom, it must be reading something; I just need to find out where.

I sent several re-encrypted BIOSes to some people interested in trying them; they were re-encoded with combinations of keys set to FFFF and 0s. None of them apparently worked, but as I said before, instead of taking blind shots I'd rather check first whether there is real traffic going on.

In one of the many tests that I did, I tried to run the system with working and non-working cartridges. Once I forgot to insert any cartridge and I got the same picture as with a dead cartridge?!? See picture below.

In the meantime I have made a small schematic of the cartridge; see the picture at the end. Several interesting conclusions can be drawn:

I have found a QFP144 pinout of the SH2 that provides helpful information about the structure of the system (actually it's an SH7604, more info here:

The pinout of the custom SH2 doesn't match the pinout of the QFP-144 SH2, therefore replacing it with a standard SH2 won't work at all. Even if replacing the SH2 was the solution, this.
Replacing the SH2 is something that I don't like much, as replacing SMDs is not something everyone can do, so I'd like something easier, like removing the U2 flash and soldering a new one at U5.

Another interesting thing is that there is a quartz crystal feeding the custom SH2, which is constantly powered. I still don't know why this frequency is being used instead of the 25 MHz at which it is supposed to run. The crystal frequency is 25 MHz/4 (6.25 MHz); the SH2 can be configured to run at a multiple (x4) of this frequency.

Bottom line: the custom SH2 is more custom than I expected, as the pinout is proving. However, if there is real traffic between the SH2 and the EPROM, it would just be a question of trying several keys.
If there is no traffic, I'll have to use the signal analyzer and try to find out the real pinout of the whole thing... and that's going to take some time. Let's hope the Chinese post is fast.