And now for the more technical post. It's LONG. If you're not interested in the technical details then you should probably stop reading.
I have been toying with this project for years. At first, I had no idea how to approach it. I did a lot of searching, reading and research. Gathering information from all sorts of reference material. Reading that reference material over and over and over. 5% sank in at first. Then maybe 10%. Each reading would provide an incremental understanding but the overall understand eluded me.
I built a substitution and simulation board but I got the simulation board wrong. I revised it but it turns out I didn't need it. I got it figured out yesterday with my first success. At least on the initial part. I had planned to do something else today but I got carried away because I kept making progress. Why stop when you're on a roll?
Here are the boards. The project should be obvious from the boards.
boards_350.jpg
There is the WPC-S daughter board for my CPU board, a prototype board to allow using a larger and faster processor with some diagnostic LEDs and two ZIF socket adapter boards to allow easy insertion and removal of ICs.
The two biggest issues with this project are the handshake and the switch matrix reading. I was fairly sure I got the switch matrix reading side working since I already had a prototype board that illuminated the corresponding LED in an 8x8 LED block based on the switches closed in a matrix fashion. The handshake was what was going to give me grief. I did a lot of reading of the same information over and over again and finally got the algorithm working. I had no way to verify it while away so I had to wait for my return.
I got it working on the bigger, faster processor and ported it to the standard processor. The PIC16F57. That's a very limited processor. Not much computing power. I got the handshake working on this processor.
boards_351.jpg
But the switch matrix reading had issues. Purely timing related. The communication protocol between the game and the security PIC is not a true handshake. There isn't any acknowledgement. It's more a post message, delay and expect a response in a certain amount of time rather than a send message and wait for reply. The reason for this is that the security protocol is grafted onto the switch matrix protocol to keep changes to the WPC CPU board and software simple. It really is post, wait, read response. I had to mess with the switch matrix reading code to get it to work on the PIC16F57.
Then I switched to focus on the bigger processor. I chose to use a PIC18F45K42 which is a (maximally) 64MHz processor with 40 pins. One input only pin and 35 input/output pins. Plenty of pins to do what I need. The extra processor grunt allowed me to actually compute the required data for the handshake rather than use static data. The PIC16F57 is so limited that static data is required. There simply isn't enough grunt to compute the data at startup. The ability to compute the data allows for the game number and the serial number to be specified.
One of the interest things is that if the game software gets the incorrect game number, it will attempt to do an "unlock" with the game number that it (the game software) is expecting. This means that the security code knows what the expected game number is. The problem is that the game software sends that information after the handshake and there's no way for the security code to reset the game processor to "try again".
However, the security code can store the expected game number so on the next startup, it can provide the correct answer. Since it computes the data at startup, it can compute the correct result. That's exactly what the security code now does.
Here's the example.
- Game is 526 and security is 536. This results in "INCORRECT U22" but the security code knows the game is 526 so it writes that for the next start. boards_352.jpg
- On the next start, game is 526 and security is 526. This passes and everything works. boards_353.jpg
- Switch game ROM. Game is 536 and security is 526. This results in "INCORRECT U22". Security knows game is 536 so it writes that. boards_354.jpg
- On the next start, game is 536 and security is 536. This passes and everything works. boards_355.jpg
In essence, it's a "smart" security PIC. It only takes one error to fix itself. I can't think of a way to predict the game number. The software just isn't clairvoyant. It can self correct though.
All of this is fine. It all works. So there are a few paths forward that I invite anybody who has read this far to contribute with suggestions. The self correction code is all I need for my bench. I just want something that works on the bench with whatever game ROM is used. Others may want other things, such as the ability to write your own serial number rather than the generic "999999" or "777777" or similar.
The issue with this is that the serial number has to be stored somewhere. It can be stored on chip but access to this requires special software and hardware to read/write the PIC. It's not a simple "serial" interface. Storing the serial number on external storage (EEPROM) means that the security code must read that EEPROM and the EEPROM must be accessible on the board through some interface. Common interfaces are SPI and I2C but there's no software to access this interface from a PC or Mac. This is my quandary.
So I invite comments:
- Is writing your own serial number important?
- Is having a selectable game number better than being self correcting?
- Does any of this really matter? Who cares about all of this? It's a super niche market with almost no demand.
Sorry for the long technical post. I figured someone might find it interesting. A lot of this information is actually available if your search-fu is good. It's putting it all together that was the biggest challenge for me.
I welcome any comments - public or private. My personal usage preference is self correcting on my bench. That's really all I need. I did it for a challenge more than anything else.
Now back to the regularly scheduled program. If I can find some time then I will clean this up (shrink it down the minimum rather than the big proto board). I also want to find some time to work on the PWM stuff but I still have a long big board queue that needs work. Perhaps in a billion years, the Earth's rotation will have slowed down enough that there will be 40 hours in a day.