Game console - security ic ???

[Noopy]

Hi all,


just out of curiosity I did a teardown of a low-cost game console (15€, "Tchibo Retro-Mini-Spielekonsole").
Most parts were no suprise. Unfortunately I wasn´t able to identify the controller.
But one thing really puzzeld me: It seems that there is a kind of security chip on the board. Why the hell would a 15€-console need a security chip? 


Perhaps some experts can give me a hint:
- What kind of controller works in this console?
- What might the unknown chip do?
- What kind of chip might the unkown chip be?


And now pictures:






The upper SO-8 is a 25Q32 4MB-Flash.
The blob in the middle contains the controller.
The lower SO-8 is the interesting chip. Supply, ground and three "logic lines".




The mystery chip.




Backside of the mystery chip.




So what´s happening here?




After startup the controller fetches 8kB from the flash.
1,3s later the mystery chip is adressed for the first time.
Then there is a lot of data between flash and controller.
Every 95ms (in the menu) or 63ms (in a game) the Controller talks to the mystery chip. Every time only one short "hello".




Clock for the flash is 16MHz. Clock to the mystery chip seems to be 33kHz.
First communication contains "two impulses", all the other communications contain only "one impulse" always at the same location.
Without the chip the game is dead.




Controller-Die




B1056 




The mystery-chip-die.


And here everything on my hompage (in german):
https://www.richis-lab.de/tcm_rg.htm


Any ideas?


Greetings,

Richard

[ebclr]

What about a realtime clock ?

[Prehistoricman]

What about a realtime clock ?

Unlikely IMO. It's being accessed very often for that, and doesn't have its own clock or battery backup. And there's this:

First communication contains "two impulses", all the other communications contain only "one impulse" always at the same location.

Do you still have a working one? It would be interesting to know which of those 3 signals are outputs or inputs.

[T3sl4co1l]

No idea, but I just want to say that was an awful lot more work than I was expecting.

Tim

[Noopy]

Thanks for your replys! 

What about a realtime clock ?

Me neither. No battery, no reason for a unnamed chip and as far as I tested the game no need for a realtime clock.

Do you still have a working one? It would be interesting to know which of those 3 signals are outputs or inputs.

There is still one left.
Hm... What´s the best way to check the data direction...

No idea, but I just want to say that was an awful lot more work than I was expecting.

Just out of curiosity... 

[amyk]

The main IC may be from Sunplus/Generalplus or one of the more obscure high-volume companies that make COB MCUs.

Mystery chip could be an EEPROM for things like saved games/high scores?

[Noopy]

Mystery chip could be an EEPROM for things like saved games/high scores?

Hm... Good idea...
But the communication is extreme slow...
And the die doesn´t look like a memory...

Unfortunately I didn´t really play the games but I think there was nothing like saved games or high score. Veeeery low-cost... 

[SeanB]

Looks like an EEprom, with that load of glue logic, one monster of an on die capacitor and 8 blocks of what could be flash, and with a pretty beefy set of transistors to generate the erase and program voltages. Probably writing game state regularly as it is limited in RAM, storing the scores between game sessions, or put there as a deliberate way to fail the game when the EEPROM wears out, and get the punters to buy a new one with the new games on it.

[Noopy]

Hm, perhaps I´m wrong...
Haven´t seen such an EEPROM. But I haven´t seen so much of them. 

Still the communication is curious slow in my view and why no marking? 

[SeanB]

It is a custom chip, with all that unused area, and all the unused cells of logic in it, but it is definitely programmable, and there is a lot of EEprom there. Might be doing some decryption key for the main chip to prevent cloners from cloning a cheap game, or just doing some housekeeping, but I do not really know. A key for each section of the game is likely, so the manufacturer protects the IP of their game ( probably "borrowed" from a big player in part or entirely) from being similarly appropriated.

[Noopy]

Sounds convincing.

Thanks! 

Where do you see the big capacitor which you descriped earlier? The big plate in the middle? I thought that´s only a screen to shield something, perhaps a secret logic block...
Looks like a face... 

[amyk]

You can dump the flash and see if people recognise the CPU/instruction set. There might be some useful text strings in there too. There are other forums exclusively for discussing game console electronics, possibly someone there might even recognise this unit and/or the CPU in it.

[Noopy]

You can dump the flash and see if people recognise the CPU/instruction set. There might be some useful text strings in there too.

I already tried to dump the flash.

I thought "Hey I have a expensive GALEP-5, that should be no Problem!"



Well no.
The Galep knows 25Q32BV, 25Q32DW and 25Q32V but no 25Q32JV! 

I know it´s no big problem to dump such a flash but I don´t like programming, so I have to look for the easiest way to get the data.

There are other forums exclusively for discussing game console electronics, possibly someone there might even recognise this unit and/or the CPU in it.

Do you have a recommendation for me?

[Bicurico]

My guess is that it is indeed some crypto-chip to protect the games on the flash.

There seems to be an industry in China for low cost development of low cost 8-bit alike games to be legally used in cheap retro-consoles.

You can find those mini arcades in consumer electronics stores: there are two kind: those that cost around 30 Euro offering one single game like Galaga and which effectively use an emulator and original ROM's and those that cost around 20 Euro and offer 200 games, all of which are a piece of crap!

I think that the company/companies that develop these crap games need to protect them, so that they are not just copied. I tried to find some web links, but as usual it is very difficult to find the chinese manufacturer at the origin of any product...

Emulation can only be used if royalties have been paid, otherwise the consumer electronics stores won't be able to sell them - they would be quickly confiscated.

As a funny note: the better retro  arcade consoles can be hacked: while they do come with just one game, the flash contains several, as the board is the same for all models. One can open the case and change something on the PCB (cannnot remember what it was) to play different games.

Regards,
Vitor

[Noopy]

and those that cost around 20 Euro and offer 200 games, all of which are a piece of crap!

It is definitely one of this! 

Thanks for your input! 

[RoGeorge]

The wires from pins 7 and 8 in the photo looks like they are switched between them when connected to the ZIF socket.  7 seems to be going to 8, and 8 to 7.  Is this intentional?

[Noopy]

You are right, it looks like it´s switched but the high-res-photo shows that the connection was right.

Moreover the Galep was able to read the id but wasn´t happy with the numbers... 

[Prehistoricman]

There is still one left.
Hm... What´s the best way to check the data direction...

Desolder the chip and see what lines are still active 

[Noopy]

There is still one left.
Hm... What´s the best way to check the data direction...

Desolder the chip and see what lines are still active 

That´s convincing if the Pins can source and sink.
Otherwise (Lowsider on the one side, Pull-Up on the other side) the measurement would be misleading.
But ok, probably it is a push-pull-output...
I will do that.

[wraper]

Well no.
The Galep knows 25Q32BV, 25Q32DW and 25Q32V but no 25Q32JV! 

Quickly looking into datasheets I see no reason why it 25Q32JV cannot be dumped with 25Q32V selected.

[Noopy]

Well no.
The Galep knows 25Q32BV, 25Q32DW and 25Q32V but no 25Q32JV! 

Quickly looking into datasheets I see no reason why it 25Q32JV cannot be dumped with 25Q32V selected.

The software got an slightly differerent device id than expected for the 25Q32V.
My read is that it would have been no problem to dump the data anyway but the Galep didn´t want to.


I did some measurements at the unmarked chip:
Pin 2 seems to be an output
Pin 3 seems to be an Input
Pin 4 could be anything (without connection there is nothing to see)

[wraper]

My read is that it would have been no problem to dump the data anyway but the Galep didn´t want to.

Isn't there any setting to ignore device ID?

[Noopy]

My read is that it would have been no problem to dump the data anyway but the Galep didn´t want to.

Isn't there any setting to ignore device ID?

Unfortunately not... 

[wraper]

Unfortunately not... 

That's some bullshit software then. Especially just for reading purposes as even if there are significant differences, EPROM or FLASH usually can still be read as other similar device. In my Wellon programmer software device ID check checkbox is not even checked by default. Even when programming, there were cases when newer lower voltage version of FLASH was not supported. I simply selected different IC and lowered voltage in settings.
BTW I suggest ordering cheap ZIF socket from China. Will save you a lot of time wasted on soldering spider legs. https://www.ebay.com/itm/150mil-SOP8-Socket-Adapter-Universal-IC-ZIF-Programmer-Converter-For-PCB/152059011073?hash=item23676c6001:g:KHsAAOSwqbZXFJub They are actually quite good and durable.

[Prehistoricman]

Unfortunately not... 

Hack it if you know how to use Cheat Engine and x86 assembly.