Decryption on real hardware (Model 2)

Technical discussion for those interested in Supermodel development and Model 3 reverse engineering. Prospective contributors welcome.


Postby TheDeath » Fri Jul 31, 2020 12:59 am

Hello guys,
I was hoping to find an answer here about the decryption of the protected games on Model 2, like Zero Gunner or Pilot Kids.
I'm not lying, I'm more than a convert guy on this hardware. I basically got 5 PCBs of Virtua Striker from an arcade rental, and since then I have been able to convert them into the games I'd like to have and play (Sonic The Fighters, Last Bronx, Virtual On, and so on), but I was obviously stuck on these protected ones.
There is a guy who, thanks to your work (and probably others'), was able to modify the main CPU code, mostly IC15 and IC16 on the boards, in order to have the game boot without the security PCB.
Since this guy is not sharing any information about this, I was hoping to try to figure it out by myself.
Unfortunately I'm not an emulator guy, and I was hoping that someone could teach me how the decryption works so that I can change the hex values in the EEPROMs and finally get the game to boot.
Can you help me somehow?
Thank you very much
TheDeath
 
Posts: 1
Joined: Fri Jul 31, 2020 12:40 am

Re: Decryption on real hardware (Model 2)

Postby Bart » Fri Jul 31, 2020 3:26 pm

Defeating copy protection for deployment to a retail arcade location sounds legally dicey. That said, I don't know anything about Model 2. On Model 3, the games upload encrypted data to a board and then read back decrypted data. You'd have to roll up your sleeves and dig into the emulator to detect where these transfers are taking place and how to patch them. If the decrypted and encrypted data are the same size (no compression), then you could probably figure out where in ROM the data originated from and overwrite it, and then patch out the decryption board transfer. Another approach would be to code up the decryption algorithm in assembly language and insert that in some unused part of the code ROMs and then patch the decryption logic to use that routine instead.

It requires getting down and dirty with machine code. I'm not sure about the Model 2 security system, though.
Bart
Site Admin
 
Posts: 3086
Joined: Thu Sep 01, 2011 2:13 pm
Location: Reno, Nevada

Re: Decryption on real hardware (Model 2)

Postby model3man » Sun Aug 02, 2020 2:11 am

From what I can see, there are 3 games on Model 2 that also use the Sega 315-5881 chipset for decryption. This is also used on Model 3, Naomi, Hikaru, and maybe even some others.

The 315-5881 seems to be a programmable MCU, or ASIC with onboard EEPROM. There are a couple of guys that are able to reflash the keys inside with a different game's keys for conversions. Depending on the system, it may be easier to patch the game CPU ROMs themselves, which seems to be what is happening in your case.

Look at the 315-5881 crypt code in MAME source, find the memory address it's mapped at, then concatenate all the Zero Gunner (or whatever) ROMs into a single contiguous file, load it in IDA with i960, and get to reversing :mrgreen:

There's a reason these guys keep their cards close to their chest on this. It's a good bit of work, and probably worth just paying for if you need it.
model3man
 
Posts: 24
Joined: Mon Jul 13, 2020 4:15 am
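The workflow the two replies above sketch (build one contiguous image from the per-chip dumps so it can be loaded into a disassembler, overwrite the region the game hands to the security board with same-size replacement bytes, then split the result back into per-chip files for reprogramming) as an added Python example. This is not code from the thread, from Supermodel or from MAME. The chip count, the interleave width (two chips supplying 2 bytes each to a 32-bit bus), the byte values and the patch offset are all constructed assumptions; it contains no real ROM data and does not implement the 315-5881.

```python
"""Constructed example: merge per-chip ROM dumps into one image, apply
same-size patches, and split back into per-chip files.

Assumptions (not from the thread): two chips feeding a 32-bit bus, 2 bytes
from each in turn. Sample bytes are made up; nothing here implements the
315-5881 or contains real ROM data.
"""
from typing import Dict, List, Tuple


def interleave(chips: List[bytes], width: int) -> bytes:
    """Merge equal-sized dumps, taking `width` bytes from each chip in turn.
    width == len(chip) degenerates to plain concatenation."""
    if not chips:
        raise ValueError("no chip dumps given")
    size = len(chips[0])
    if any(len(c) != size for c in chips):
        raise ValueError("chip dumps differ in size")
    if size % width:
        raise ValueError("chip size is not a multiple of the interleave width")
    out = bytearray()
    for off in range(0, size, width):
        for chip in chips:
            out += chip[off:off + width]
    return bytes(out)


def deinterleave(image: bytes, nchips: int, width: int) -> List[bytes]:
    """Inverse of interleave(): recover the per-chip files to burn."""
    stride = nchips * width
    if len(image) % stride:
        raise ValueError("image size is not a multiple of nchips * width")
    chips = [bytearray() for _ in range(nchips)]
    for off in range(0, len(image), stride):
        for i in range(nchips):
            chips[i] += image[off + i * width:off + (i + 1) * width]
    return [bytes(c) for c in chips]


def map_to_chip(offset: int, nchips: int, width: int) -> Tuple[int, int]:
    """Translate an offset in the contiguous image to (chip index, offset
    inside that chip), i.e. which EEPROM a patched byte lands in."""
    word, byte = divmod(offset, width)
    return word % nchips, (word // nchips) * width + byte


def apply_patches(image: bytes, patches: Dict[int, bytes]) -> bytes:
    """Apply same-size overwrites; reject out-of-range or overlapping ones.
    Same size matters: a longer replacement would shift every address
    after it and break the rest of the program."""
    spans = sorted((off, off + len(data)) for off, data in patches.items())
    prev_end = 0
    for start, end in spans:
        if start < prev_end:
            raise ValueError(f"patches overlap at 0x{start:x}")
        if end > len(image):
            raise ValueError(f"patch at 0x{start:x} runs past end of image")
        prev_end = end
    buf = bytearray(image)
    for off, data in patches.items():
        buf[off:off + len(data)] = data
    return bytes(buf)


def changed_bytes(old: bytes, new: bytes, nchips: int, width: int):
    """List (chip, chip_offset, old, new) for every byte that differs: the
    reprogramming worklist, and a check that nothing unexpected moved."""
    if len(old) != len(new):
        raise ValueError("image size changed; patches must be same-size")
    out = []
    for i, (a, b) in enumerate(zip(old, new)):
        if a != b:
            chip, coff = map_to_chip(i, nchips, width)
            out.append((chip, coff, a, b))
    return out


# Constructed sample: two 16-byte "chips" with recognisable byte values.
NCHIPS, WIDTH = 2, 2
CHIP_A = bytes(range(0x00, 0x10))
CHIP_B = bytes(range(0x10, 0x20))


def demo():
    image = interleave([CHIP_A, CHIP_B], WIDTH)
    # Pretend image[4:8] is the blob handed to the security board and the
    # stand-in replacement is the same length; 0xAA.. is a placeholder.
    patched = apply_patches(image, {4: b"\xaa\xbb\xcc\xdd"})
    work = changed_bytes(image, patched, NCHIPS, WIDTH)
    new_chips = deinterleave(patched, NCHIPS, WIDTH)
    return image, patched, work, new_chips


if __name__ == "__main__":
    _, _, work, _ = demo()
    for chip, off, old, new in work:
        print(f"chip {chip} offset 0x{off:02x}: {old:02x} -> {new:02x}")
```

The worklist printed by `demo()` is the part that matters on real hardware: it tells you which chip and which offset inside that chip each changed byte lands in, so the right EEPROM gets reprogrammed. The real ROM layout for a given board has to be taken from the MAME driver's load macros; the width used here is only a placeholder.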
