Hello everybody, after some eons the MAME repository was finally cloned and the CAT702 module is still there in the latest version. To my great amazement, it is very nice, clean code and well commented, a rarity in Open Source or, actually, in most software projects. I've always wondered what the big deal is with those arcade games, why they are so difficult to reproduce in the first place, and now I know: the game companies, led by Sony, didn't spare any effort or money on copy protection; those things were brutal.
Anyway, from a technical point of view it is a very interesting beast, and now it explains why we had such a hard time three decades ago. Here is the description and "modus operandi" from the code module:
/*
CAT702 ZN security chip
A serial magic latch.
It's a DIP20 chip with a sticker of the form XXnn, where XX is the
company and nn a number:
AC = Acclaim
AT = Atlus
CP = Capcom
ET = Raizing
KN = Konami
MG = Tecmo
TT = Taito
TW = Atari
There usually are 2 of them, one on the cpu board and one on the rom
board. The cpu board one is usually numbered 01.
Pinout:      GND -11  10- GND
               ? -12   9- +5V
             +5V -13   8- Data in
        Data out- 14   7- Clock
             +5V -15   6- Select
               ? -16   5- Select
             +5V -17   4- +5V
             +5V -18   3- +5V
             +5V -19   2- +5V
             +5V -20   1- ?
The chip works with the '?' lines left unconnected.
The communication protocol is serial, and in practice the standard
psx controller communication protocol minus the ack. Drive both
select to ground to start a communication, send bits and get the
results on the raising clock. Put both select back to +5V when
finished. The bios seems to use two communication clock speeds,
~300KHz (standard psx) and ~2MHz. Driving it with lower clocks
works reasonably, at least at 1KHz.
The data is divided in bytes but there is no signal for end-of-byte.
In all of the following the data will be considered coming and going
lower-bit first.
Internally the chip has a 8-bit state, initialized at communication
start to 0xfc. The structure is simple:
                +---------+         bit number        +--------+
Clock   ------->|   bit   |-----+-------------------->|  bit   |---------> Data out
                | counter |     |                     | select |
                +---------+     v      +-------+ out  |        |
                    |        +-----+   | 8bit  |=====>|        |
Data in ------------|------->| TF1 |<=>| state |      +--------+
                    |        +-----+   |       |
                    |                  |       |
                    | start  +-----+   |       |
                    +------->| TF2 |<=>|       |
                             +-----+   +-------+
The chip starts by transforming the state with TF2. Then, for each
input bit from 0 to 7:
  - the nth bit from the state is sent to the output
  - the state is transformed by TF1 if the input bit is 0
TF2 is a fixed linear substitution box (* = and, + = xor):
o = ff*s0 + fe*s1 + fc*s2 + f8*s3 + f0*s4 + e0*s5 + c0*s6 + 7f*s7
TF1 is a chip-dependent set of 8 linear sboxes, one per bit number.
In practice, only the sbox for bit 0 is defined for the chip, the 7
other are derived from it. Defining the byte transformation Shift
as:
    Shift(i7..i0) = i6..i0, i7^i6
and noting the sboxes as:
    Sbox(n, i7..i0) =    Xor    ( c[n, bit]*i[bit])
                      0<=bit<=7
then
    c[n, bit=0..6] = Shift(c[n-1, (bit-1)&7])
    c[n, 7]        = Shift(c[n-1, 6])^c[n, 0]
                   = Shift(c[n-1, 6])^Shift(c[n-1, 7])
*/
Now I really wish to have one to play with.
Regarding the OrCAD versions, there was an academic edition without a dongle and some strongly restricted versions with a dongle, to be given to the "international partners" for low-cost schematic capture and digitization of paper schematics.
I'm curious now what is actually in those archive.org archives, most likely the academic version.
Cheers,
DC1MC
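The state machine from the quoted comment, written out as an added example (not part of the original post and not MAME's code). The names `cat702_byte`, `next_sbox`, `apply_sbox` and `DEMO_KEY` are hypothetical, the key table is constructed, and the code assumes TF2 is applied at the start of every byte; clock and select signalling is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed bit-0 sbox for the demo; each real chip has its own table. */
static const uint8_t DEMO_KEY[8] = {0x3a,0xc5,0x71,0x0e,0x9d,0x62,0xb8,0x47};
/* TF2 coefficients from the comment: ff*s0 + fe*s1 + ... + 7f*s7. */
static const uint8_t TF2[8] = {0xff,0xfe,0xfc,0xf8,0xf0,0xe0,0xc0,0x7f};

/* Shift(i7..i0) = i6..i0, i7^i6 */
static uint8_t shift(uint8_t x) {
    return (uint8_t)((x << 1) | (((x >> 7) ^ (x >> 6)) & 1));
}

/* Linear sbox: XOR together the coefficients picked by the set state bits. */
static uint8_t apply_sbox(const uint8_t c[8], uint8_t s) {
    uint8_t r = 0;
    for (int b = 0; b < 8; b++)
        if (s & (1u << b)) r ^= c[b];
    return r;
}

/* Derive the TF1 sbox for bit number n from the sbox for bit n-1. */
static void next_sbox(const uint8_t prev[8], uint8_t out[8]) {
    for (int b = 0; b < 7; b++)
        out[b] = shift(prev[(b - 1) & 7]);
    out[7] = (uint8_t)(shift(prev[6]) ^ out[0]);
}

/* Exchange one byte, low bit first; *state carries over between bytes. */
uint8_t cat702_byte(const uint8_t key[8], uint8_t *state, uint8_t in) {
    uint8_t sbox[8], tmp[8], out = 0;
    memcpy(sbox, key, 8);
    *state = apply_sbox(TF2, *state);   /* assumption: TF2 at each byte start */
    for (int n = 0; n < 8; n++) {
        out |= (uint8_t)(((*state >> n) & 1) << n);  /* nth state bit goes out */
        if (!((in >> n) & 1))                        /* TF1 only on a 0 input bit */
            *state = apply_sbox(sbox, *state);
        next_sbox(sbox, tmp);
        memcpy(sbox, tmp, 8);
    }
    return out;
}

int main(void) {
    uint8_t state = 0xfc;                        /* loaded at communication start */
    const uint8_t in[3] = {0xff, 0xfe, 0x00};    /* constructed input bytes */
    for (int i = 0; i < 3; i++)
        printf("in %02x -> out %02x\n", in[i], cat702_byte(DEMO_KEY, &state, in[i]));
    return 0;
}
```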