    CPS2 Decryption News w/ Charles MacDonald

    Alpha
    By Alpha,

    After close to 4 months, Charles MacDonald, the author of SMS Plus, Genesis Plus, TGEmu, Sega System 24, and more, has posted an update to his website!

     

    I've been doing some research on the CPS-2 hardware in the last few months, starting as soon as the System 32 work was put on hold. I'll give a basic overview of the encryption, however I should point out I'm just elaborating on the findings that Razoola originally made, which are at CPS-2 Shock. As you can imagine the results of his prior experiments have been absolutely essential to this project.

     

    The CPS-2 hardware uses a custom 68000 CPU running at 16MHz, though the effective speed is lower due to video DMA. Out of the 16MB address range, the lower 4MB is allocated for ROMs storing program code and data. The first 1MB of this area is where decryption is enabled, though the exact boundary under the 4MB point may change from game to game.

     

    In addition to the address range check, there is a timer that expires after a certain amount of time has passed. When this happens, decryption is turned off and the 68K will execute code exactly as it is read from memory. A sequence of one or more specific instructions, changing on a per-game basis, will reset the timer and enable encryption again. The timer can be restarted after any duration from when it has expired.

     

    The decryption logic uses bits A16 through A1 of the 68K address bus, meaning the encryption wraps every 128K. For each encrypted word at a given address there is exactly one unique output; in contrast to the FD1094 there are no disabled opcodes or 'blanked' data that resolve to the same decrypted value. Data read from the supervisor or user code space is decrypted (e.g. opcodes and operands) and data from the supervisor or user data space is not.

     

    The size of a complete set of decrypted data for one game is quite large, totalling 8GB - it takes forever to dump. There are no duplicate tables within a game's table set or between sets for different games, though I've only examined tables dumped from the two 'B' boards I have.

     

    I've discussed analysis of the table data with a few other people and so far the encryption seems to be pretty tough to solve. As a result, I think progress will depend on additional help. If you have skill in this type of thing (strong mathematics background and familiarity with encryption) and would like to lend a hand, then please get in contact with me.

     

    Working with the CPS-2 hardware has been challenging due to the large amount of custom parts involved. I designed a communications board with a USB adapter, DTACK generator, and interface to the CPS-2 video and peripheral bus, as well as several adapters to replace the 16V8 GALs with more capable 22V10 GALs that have their own shared I/O bus.

    »» http://cgfm2.emuviews.com/

    »» Help him out!
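
The gating conditions and table dimensions described in the quoted update, as an added model that is not code from Charles MacDonald or the original post. Assumptions: `toy_decrypt` is a placeholder bijection (the page does not give the real CPS-2 function), the 1MB limit is fixed although the post says the boundary varies per game, and the timer is reduced to a flag.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 68000 function-code values (FC2..FC0) for the four address spaces. */
enum { FC_USER_DATA = 1, FC_USER_PROG = 2, FC_SUPER_DATA = 5, FC_SUPER_PROG = 6 };

/* Assumption: fixed 1MB limit; the post says the boundary varies per game. */
#define DECRYPT_LIMIT 0x100000u

/* Only A16..A1 reach the decryption logic, so addresses 128K apart collide. */
static uint16_t addr_bits(uint32_t addr) { return (uint16_t)((addr >> 1) & 0xFFFFu); }

/* Entry number of (address, encrypted word) in a dumped table set. */
uint32_t table_index(uint32_t addr, uint16_t cipher) {
    return ((uint32_t)addr_bits(addr) << 16) | cipher;
}

/* 2^16 address values x 2^16 input words x 2 bytes per decrypted word. */
uint64_t table_set_bytes(void) { return (UINT64_C(1) << 32) * 2; }

/* PLACEHOLDER bijection (XOR with address bits, rotate). Not the CPS-2 cipher. */
uint16_t toy_decrypt(uint32_t addr, uint16_t cipher) {
    uint16_t x = (uint16_t)(cipher ^ addr_bits(addr));
    return (uint16_t)((x << 3) | (x >> 13));
}

/* What the CPU sees: decrypted only for code-space reads in range, timer live. */
uint16_t bus_read(uint32_t addr, int fc, bool timer_expired, uint16_t raw) {
    bool code_space = (fc == FC_USER_PROG || fc == FC_SUPER_PROG);
    if (!code_space || addr >= DECRYPT_LIMIT || timer_expired) return raw;
    return toy_decrypt(addr, raw);
}

/* Permutation check for one address: 65536 distinct outputs means one-to-one. */
uint32_t distinct_outputs(uint32_t addr) {
    static uint8_t seen[65536 / 8];
    uint32_t n = 0;
    memset(seen, 0, sizeof seen);
    for (uint32_t c = 0; c < 65536; c++) {
        uint16_t p = toy_decrypt(addr, (uint16_t)c);
        if (!(seen[p >> 3] & (1u << (p & 7)))) { seen[p >> 3] |= (uint8_t)(1u << (p & 7)); n++; }
    }
    return n;
}

int main(void) {
    printf("table set: %llu bytes, distinct at 0x400: %u\n",
           (unsigned long long)table_set_bytes(), (unsigned)distinct_outputs(0x400));
    return 0;
}
```

The same `distinct_outputs` loop, pointed at a dumped table instead of `toy_decrypt`, is the check behind the "exactly one unique output" observation.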


    Minor updates

    Robert
    By Robert,

    1. GameEx 5.12 released. Changes:

    2nd October 2005  - GameEx 5.12

     

        * Map files working again (broken in 5.10)

        * Updated support files

    >> http://tomspeirs.com/gameex

     

     

    2. JEmu WIP:

    Oct. 2, 2005 - A minor update has been done, but an enhancement which had much demand: Controls are now configurable!
    >> http://www.gagaplay.com/jemu2/index.html

     

     

    3. MAMEinfo: PCBinfos 0.100u3 DIFF-Update
    >> http://www.mameworld.net/mameinfo

     

     

    4. Thundermame release: MAME32JPƒx-I686 VER.0.68_X'(2005.10.3)
    >> http://www.geocities.co.jp/SiliconValley-Sunnyvale/8595

     

     

    5. R.Belmont WIP:

    Down the mountain

    Guru dumped Alpine Racer 2 on Super System 22 hardware. Haven’t tried very hard to make it work in MAME yet, but here’s a few samples from M1. I think Namco’s sound team was listening to a lot of hair metal when they made this game.

     

    UPDATE: Got it going in MAME as well. Looks pretty good.

    >> http://rbelmont.mameworld.info

    WinUAE 1.1 released!

    Robert
    By Robert,
    WinUAE 1.1 (02.10.2005)

    =======================

     

    Major bugs introduced in 1.0 fixed:

     

    - Picasso96 graphics corruption after ALT-TAB

    - Zipped Amiga Forever Kickstart ROM image decryption problem

    - JIT FPU ACOS bug (incorrect result if argument was negative)

     

    Older bugs fixed:

     

    - More stable on the fly configuration loading

    - In windowed mode Amiga window height was sometimes slightly

      larger than requested size

    - "the desktop is too small for the specified window size"-check

      was not completely correct

    - AHI recording mode memory leak

    - Some Amiga monitor drivers work now properly (for example Euro36)

    - Incorrect paths if WinUAE was run from networked drive

    - Some custom chipset emulation bugs (Obliterator intro, Elfmania

      scoreboard, Warp and others)

    - Directory filesystem directory modification date bug if comment

      or protection flags were modified

    - Improved directory filesystem compatibility

    - Rare disk emulation bug introduced in 0.9.90

    - Action Replay statefile restore bug introduced in 0.9.90

    - OCS/ECS color translation to native colors fixed. (this was bug

      since the beginning of UAE..) Colors are now slightly brighter.

      No effect on AGA-mode colors.

     

    New features:

     

    - Configurable Catweasel joystick support, MK4 mouse support added

      (NOTE: Right and middle mouse button may not work with all mice,

      requires Catweasel driver/firmware update)

    - MMKeyboard support added

    - Transparent "drive led status bar"

    - SPTI (Windows 2K/XP) SCSI emulation includes non-CDROM SCSI devices

    - Improved uaescsi.device SCSI interface selection

    - Custom emulation updates (Death Trap, Loons Docs, Spanish Rose by

      Creed, Filled Perspective by Zero Defects, Himalaya by Avalanche..)

    - Improved default path setting, Amiga Forever 2005 paths supported

    - More missing keycodes added to input-panel

    - Copper debugger: tracing, single step and breakpoint

    - Disk swapper: right button doubleclick in "Disk image"-column:

      removes disk in disk swapper panel. right button singleclick in

      "Drive"-column: remove disk in drive

    - New-style ROM config entries

    - Compressed hardfiles supported (limitations: max 100MB, all written

      data will be lost after reset or exit, hardfile file name extension

      must be either hdz, zip, rar or 7z)

    - Hardfile drag&drop to harddisk-panel

     

    and more..

    >> Get it HERE


    BSNES v0.012 released!

    Robert
    By Robert,
    10/02/2005 - bsnes v0.012 released

          The main features of this release are sound support and improved NMI / IRQ timing.

     

        Changelog:

    * Added S-DSP emulation

    * Added sound output support via DirectSound -- no sound buffering though, so sound is muted by default

    * Added option to record raw sound output to WAV files

    * Added multiple color adjustment filters to the video output

    * Added mode3/4 direct color support

    * Added mode7 direct color and mosaic support

    * Greatly improved mode7 rendering algorithm thanks to anomie

    * Fixed mode7 screen repetition and EXTBG effects

    * Greatly increased accuracy of NMI and IRQ timing, and emulated many newly discovered hardware quirks involving the two

    * A few speed improvements courtesy of Nach for profiling the code for me.

    >> Get it HERE

