Hey everyone, new to the scene here but I love to tinker and am always looking for fun projects. I recently came across an interesting document (International Secure Systems Lab paper 'ccsfp221-kammerstetter.pdf') about reverse engineering the N64 CIC and decided to give it a shot. I managed to get the ROMs/keys (special area of the RAM address space) dumped for the 610x series of chips and made a clone on an ATtiny25. Now, instead of buying a bunch of PAL games just for the CICs, I thought I would ask if anyone had ever done this for the 710x series chips. I didn't find much information on these chips when searching. I'm guessing the ROM is the same as the 610x series (only 6105 is slightly different and it has more RAM) and just the keys are different.
ROM checksums (1K ROM, unused locations are 00):
610x sha1: 5157631786de44a970155dcc961d6e13f604b66d
6105 sha1: 5754925a33f01032e044d8f27ad624a79925e306
Has anyone ever dumped 710x CICs before and can confirm the ROM / share the keys?
Update: UltraCIC: http://a.pomf.se/fpjhhh.zip
I just read the paper and I'm interested in trying it. I have access to a couple of PAL games but I'm not sure if I'm allowed to dump them (as it probably still involves removing the CIC). If it's possible to inject the opcodes in-circuit I could probably dump them easily. I guess the test pins are not routed to the ROM pins though? I'll ask the owner if he is interested in dumping them. //Edit: The paper is from November 2014 btw, so you are probably the first person to repeat the attack! //Edit2: Check your inbox, jesgdev.
What programmer did you use to dump the CIC? Plus, it seems like if we dump the main PIF chips we could make a region-free N64.
Read the paper if you haven't. He probably used an AVR to write the dumper. You can't just use an existing programmer because the dump happens by using (and exploiting) a hidden test mode in the CIC. And yes, we can create a region-free CIC already (because the paper is based around the PAL CIC, jesgdev completed the thing by dumping the NTSC CIC). Not only that, but we could add CIC emulation to cartridges like the Everdrive so we don't need any donor carts at all. (Meaning we don't really need a region-free PIF. I'm not even sure the PIF has the same exploit, and changing the console is worse than just modding the cartridge imho, especially because one could make a simple pass-thru device with the fake CIC.) We probably also have the "source code" to the 6105 challenge/response system now, which makes it even better, and we can verify the algorithm found earlier.
You cannot make a "region free" CIC. CIC emulation via flashable carts is not going to work. The CIC is in constant communication with the PIF, and if the generated bit samples do not match at any moment the system will lock. You then need a full power cycle (not a soft reset) to restart.

Also, there is more than just the cartridge CIC. Bootloaders, like the ones in the flash carts, are based off a hacked version of the code loaded to PIF RAM during initialization. The part hacked out confirms the bootstrap checksum. The bootstrap is code found in a ROM from 0x40 to 0x1000, run immediately after the PIF initializes hardware. These bootstraps have their own checksums based off the seed byte (which have been reversed) and send the generated value to the PIF for confirmation, written to 0xBFC007F0 and 0xBFC007F4. In a normal boot cycle, if this does not match the expected value the system will not continue to the cartridge checksum. Without knowing how the PIF confirms the bootstrap checksum it's impossible to know how to subvert it. Since this code is loaded by the PIF to PIF RAM at boot it cannot be ignored. Currently it's believed the PIF generates the same bootstrap checksum using a different method, most likely involving the secret number.

Flashable CICs would require flashing before power-on. After power is on and the flash cart initializes, it cannot run the CIC bootstrap CRC tests again. If it did, it would fail because the generated bit code will not match the next iteration the PIF expects. Current flash carts simply pass a different seed value and ignore this test entirely; even when loading a game they are in a constant state of execution to avoid the CIC+PIF lockup.

The only way to completely break the security features of the N64 is through the PIF, something necessary if you ever intend to have a 64DD IPL in any language other than Japanese. Besides security, the PIF serves a wide variety of other functions. Dumping its code will prove invaluable.
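Of the chain described in the post above (CIC/PIF handshake, PIF check of the bootstrap, bootstrap check of the cartridge), only the last step, the cartridge checksum that the bootstrap computes over the game data, is publicly understood. The following is an added example, not code from this thread or from the UltraCIC project: it implements that cartridge checksum the way the open-source n64crc tool does, with the per-bootstrap seeds taken from that tool (assumed correct from there, not stated on this page). It does not model the PIF's verification of the bootstrap, which the post says is not understood, and the ROM image it runs on is a constructed byte pattern, not a real game.

```python
"""Cartridge checksum the N64 bootstrap (IPL3) computes over a ROM image.

Added example for the thread above; not code from the thread or from UltraCIC.
Algorithm and per-bootstrap seeds follow the open-source n64crc tool (assumed).
The PIF-side check of the bootstrap itself is not modelled here.
"""
import struct

HEADER_SIZE = 0x40            # bootstrap occupies 0x40..0x1000 of the image
CHECKSUM_START = 0x1000       # the bootstrap checksums the 1 MiB that follows it
CHECKSUM_LENGTH = 0x100000
CRC_OFFSET = 0x10             # header fields CRC1/CRC2 the bootstrap compares against
MASK = 0xFFFFFFFF

# Seed per bootstrap variant, as in n64crc (assumed). 6101 uses the 6102 seed there.
SEEDS = {
    6101: 0xF8CA4DDC,
    6102: 0xF8CA4DDC,
    6103: 0xA3886759,
    6105: 0xDF26F436,
    6106: 0x1FEA617A,
}

_WORD = struct.Struct(">I")   # ROM words are big-endian (.z64 byte order)


def rol32(x: int, n: int) -> int:
    """Rotate a 32-bit value left by n (0..31) bits."""
    n &= 0x1F
    return ((x << n) | (x >> (32 - n))) & MASK


def ipl3_checksum(rom: bytes, bootcode: int) -> tuple:
    """Return (crc1, crc2) as the given bootstrap variant computes them."""
    seed = SEEDS[bootcode]    # KeyError for a variant with no known seed
    if len(rom) < CHECKSUM_START + CHECKSUM_LENGTH:
        raise ValueError("ROM image must cover the 1 MiB checksum window")
    t1 = t2 = t3 = t4 = t5 = t6 = seed
    for i in range(CHECKSUM_START, CHECKSUM_START + CHECKSUM_LENGTH, 4):
        d = _WORD.unpack_from(rom, i)[0]
        if (t6 + d) & MASK < t6:          # carry out of the 32-bit add
            t4 = (t4 + 1) & MASK
        t6 = (t6 + d) & MASK
        t3 ^= d
        r = rol32(d, d & 0x1F)
        t5 = (t5 + r) & MASK
        if t2 > d:
            t2 ^= r
        else:
            t2 ^= t6 ^ d
        if bootcode == 6105:
            # the 6105 bootstrap also folds in a 256-byte window of its own code
            b = _WORD.unpack_from(rom, HEADER_SIZE + 0x0710 + (i & 0xFF))[0]
            t1 = (t1 + (b ^ d)) & MASK
        else:
            t1 = (t1 + (t5 ^ d)) & MASK
    if bootcode == 6103:
        return ((t6 ^ t4) + t3) & MASK, ((t5 ^ t2) + t1) & MASK
    if bootcode == 6106:
        return ((t6 * t4) + t3) & MASK, ((t5 * t2) + t1) & MASK
    return t6 ^ t4 ^ t3, t5 ^ t2 ^ t1


def header_checksum(rom: bytes) -> tuple:
    """CRC1/CRC2 as stored in the ROM header at 0x10 and 0x14."""
    return struct.unpack_from(">II", rom, CRC_OFFSET)


def verify(rom: bytes, bootcode: int) -> bool:
    """True if the stored header fields match what the bootstrap will compute."""
    return header_checksum(rom) == ipl3_checksum(rom, bootcode)


def fix_header(rom: bytes, bootcode: int) -> bytes:
    """Return a copy of the image with the header CRC fields recomputed."""
    crc1, crc2 = ipl3_checksum(rom, bootcode)
    out = bytearray(rom)
    struct.pack_into(">II", out, CRC_OFFSET, crc1, crc2)
    return bytes(out)


if __name__ == "__main__":
    # Constructed stand-in image: a repeating byte pattern, not a real game.
    image = bytes(range(256)) * ((CHECKSUM_START + CHECKSUM_LENGTH) // 256)
    print("stored:   %08X %08X" % header_checksum(image))
    print("computed: %08X %08X" % ipl3_checksum(image, 6102))
    print("verifies after fix:", verify(fix_header(image, 6102), 6102))
```

The point for the discussion above: because the header fields only have to match what the bootstrap computes, and the bootstrap's seed comes from whichever CIC the cart claims to carry, a cart builder can always make this step pass; it is the PIF's confirmation of the bootstrap, and the continuous CIC/PIF bit-stream exchange, that a clone actually has to get right.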
The NES and SNES multi-region CICs change their own algorithm if the system did not start successfully: the CIC just changes and saves the algorithm type to internal flash and will try another region next time. So, at the next power cycle, the CIC starts up in another region mode. Probably the same method can be used for the N64 CIC.
There are 12 unique CICs that have been found, plus one more that should turn up in the hands of a collector. Reset won't work; you need a full power off/on to reset the PIF, and doing that a dozen times is hardly ideal, plus you're supposing that other issues (such as a dirty connector) don't cause the cart to fail booting. This is all supposing nobody creates their own unique CIC+bootstrap, of course. At any rate that doesn't result in a "region free" CIC at all. It's basically the same as having a series of CICs on a switch. Using a bootloader to circumvent region or altering the PIF are the only ways to control region. Except for the *105's security feature, a hacked PIF would remove the need for a CIC in the first place. Seeds can be generated from the bootstrap by comparison to its checksum.
Even if it's not switching through every CIC, it would still be useful. Homebrew and flashcarts mainly use CIC6102/CIC7101, so it would be enough if it could switch between them. In case you want to build a repro cartridge, you should know which two CICs your game could use, too.
I removed them from the carts and hooked them up to an FPGA. The best you could do here is clock in which CIC you want at power-up. There is enough time before the CIC starts communicating with the console that external logic could supply a value to the AVR to choose which CIC to emulate.
Looks like jesgdev and KRIKzz have been working together and have succeeded in making a multi-region CIC clone for the N64!: https://twitter.com/krikzz/status/566205204157460480 https://www.youtube.com/watch?v=IW-C1gp7Xaw Great work everyone! ...any chance the files might be released/open-sourced when you're finished testing? Would love to make a clone CIC for my EverDrive 64.
Yes, although I don't have any place to host it. Let me know if you are interested. The code I will share configures the CIC at compile time (you pick which CIC, then compile). What you see in the video is KRIKzz's own modification to work with that pushbutton, something you would have to do as well if you want a feature like that (it is quite easy). On the note of testing, I haven't tested every mode and I'm not 100% sure which ones KRIKzz has tested. I do know that at least 6102, 6105, and 7101 have been tested. The others vary only by static keys, so they should be fine assuming the keys are correct.
Many congratulations to jesgdev and KRIKzz for their hard work and determination in pulling off this amazing feat. Well done guys!
Did this code ever make it out into the wild? I was considering the possibility of replacing a dead CIC chip in this thread and thought to myself how great it would be if we could burn our own replacement chips.
Awesome! I hoped that it was possible but you DID IT! Can't wait for the release! (if there is one) Thanks!