SNES Lockout Chip Mods/Queries

Started by Link83, December 31, 2008, 04:33:34 AM

Previous topic - Next topic

Link83

Hi all,
Recently I have been intrigued by the lockout chips used in the SNES and have a few questions I would love answered. As far as I know, there were three revisions of the lockout chip used in each region, which have the foillowing codes:-
NTSC     PAL
F411      F413              Launch/First revision consoles
F411A    F413A            Mid produced consoles
F411B    F413B            Later/last produced consoles

I have read that the F411B/F413B lockout chip used in later SNES consoles cannot be disabled like the earlier lockout chips - but is this confirmed? Has anybody actually tested the common lockout disable method (Method 1 below) doesnt work on the F411B/F413B chips? Or is it just a rumour?

My next query is regarding the best method for disabling the SNES lockout chip - I have read so many methods for doing this that I am totally bewildered!

Having read this document by Mark Knibbs:-
http://home.freeuk.com/markk/Consoles/SNES_Lockout.txt
I understand that the lockout chip simply holds the CPU and PPU chips in a state of 'reset' until its given the 'key' by the security chip in the cartridge, then it releases the chips from the 'reset' state.

The first mod suggest by Mark Knibbs seems to be the one most commonly used and is shown in the link below - I will call this Method 1:-
http://www.mmmonkey.co.uk/console/nintendo/snes-switches-2.htm
However some games are still incompatible with this mod (Such as Super Mario RPG, unless you mod the game)

Mark Knibbs also mentions two other possible mod methods:-
Method 2"The first involves connecting the lockout chip's input to its own output. Thus it may always think that its counterpart chip is present."
Method 3
"The second involves simply disconnecting the chip's clock input."
But I have no idea if these work - has anybody tested either of these and had any success?

Method 4
silver_surfers mod(?)
http://cgcc.ca/forum/viewtopic.php?t=4473&start=0&postdays=0&postorder=asc&highlight=&sid=a9598226d093caa42046fceea302453b
and
http://www.mmmonkey.co.uk/console/nintendo/snes-alt-region.htm
I am guessing this mod connects the two 'reset' points together, allowing the SNES to boot without the lockout chip at all - and that by removing the lockout chip it no longer 'challenges' the cartridge for the security chip/key at all? In theory this could be the best method? silver_surfer seemed to have had great success with it, but didnt seem to know about or use the 50/60hz mod.

Method 5
The last method (which I am guessing is the most successful) is to remove the security chip from a SNES game (from the same region as the console) and connect it directly to the lockout chip itself. Then cut the traces/lift the pins from the cartridge port that correspond to the lockout chip.
However this mod requires butchering a game, and is quite complex for a beginner, so I would prefer any of the previous methods to this.

So what is the overal consensus? I am leaning towards Method 4 being the best, but its not easily reversible if im wrong.  :(

...Or is there another option I have not covered? If it helps at all here are some links to the SNES lockout chip patent sheets where the idea for the Method 1 mod came from:-
http://www.google.com/patents?id=81EWAAAAEBAJ&dq=4,799,635
http://www.google.com/patents?id=h8kpAAAAEBAJ&dq=5,070,479
The pdf diagrams at the bottom of the links are quite interesting  ;)

Perhaps we could come up with a new improved method!  ;D

Tiido Priimägi

I have F413A in my PAL SNES, and its disabled in the "standard" manner, and it works fine.

How does tha Mario RPG cart work actually ?

I did an alternative lockout removal by just cutting the reset output from the chip, and wired the CPU side end to reset switch through an inverter (you can use one part of the logic chip on the lockout chip clock generator in NTSC machines) or make the switch use other power line, and single pull up resistor.
Mida sa loed ? Nagunii aru ei saa ;)

l_oliveira

If you have access to failed SNES/SFC consoles, the F411/3 chip in them can be used as both key and lock.
Actually games such as "Super Mario World 2: Yoshi's Island" do use a F411 chip of the same kind that the one inside the console.
Remove one from a dead console and wire up as key chip then save yourself the hassle of ruining an perfectly fine cartridge.

Link83

#3
Thanks for the replies and sorry for letting this thread die, I kept meaning to come back to it but just never got round to it...

Anyway, recently I have been looking into the SNES lockout chip some more and have been wondering why certain games (Super Mario RPG, Kirby's Fun Pak, Street Fighter 2 Alpha, etc) wont work with the lockout chip disabled.

I read that the reason these few games dont work is because the security chip in the cartridge is able to detect the 'deadlock' status with the lockout chip disabled (as a key), and since 'silver_surfers' mod (lockout chip totally removed) supposedly works with these games, it suggests to me that I could just disable the lockout chip in the usual way and then lift the F411/F413 CIC data in and CIC data out legs off the board (Pins 1 & 2?):-
http://www.dforce3000.de/snes/cic_pinout_d4s.txt
Shouldnt this then prevent the deadlock status as the cart CIC wouldnt be able to detect the error?

The only question I have is - if I lift these legs can I just leave them floating or should I connect them to something? Also would it be even necessary to lift the 'data in' pin, or could I just lift 'data out'?

Hope that all makes sense, and thanks in advance  :)

Tiido Priimägi

I'd like to get one of those trouble games, but I'm not particulary fond of any...

I guess there is a reset line on the cartslot ? Perhaps the CIC in the cart is connected to it ? If so, cutting that line will make things work... Or if you don't want to mess with the cart, you'd have to cut it in the console... I don't think any of the special chip games make use of that signal, not sure...
Mida sa loed ? Nagunii aru ei saa ;)

Hojo_Norem

I can't be certain but I guess that the reset output of the cart's lockout chip could be connected to the cart's mapper somehow.  If the cart can't validate the console then the lockout inside the cart could disable access to the rom (or do something nasty like tie the battery ram #WE and #CE low and continuously corrupt the save ram.)

The lockout for the NES was designed with this cind of feature but it was never used in any carts.  As the SNES lockout is very similar to the NES one its a surprise that Nintendo didn't use this function in their carts sooner than later.
l
Formerly 'butter_pat_head'

Link83

#6
Thanks for the replies :)

One of the things I realised whilst doing abit more research (although this may have been obvious to some people) is that all the games that are incompatible with the lockout chip disabled use a SNES 'enhancement chip' of some kind, such as the SA1 (Super Mario RPG) or S-DD1 (Street Fighter Alpha 2)

Now you may be wondering whats so special about these two enhancement chips compared to the Super FX or DSP chips, Well the CIC security chip in these games has actually been combined with the extra processor chip! Its not a separate security chip anymore as it is in most other games. So now this CIC security chip actually has control over something - it can disable this extra processor so the game wont run :( Hence why these particular games have problems when the consoles lockout chip is disabled.

------------------------------------------------------------------------------------------------------------------------------------------

One interesting thing I found out about the SA1 and S-DD1 chips that seems to be relatively unknown is that the CIC/security chip thats inside the processor can actually be 'switched' to be either NTSC or PAL! No other Nintendo CIC security chip that I know off can be configured in this way.

On the SA1 chip if Pin 127 is connected to Ground the internal CIC will be NTSC and if its connected to VCC it will be PAL. See these pictures of the rear of a carts PCB for comparison (The key difference is circled in red):-
SA1 NTSC (GND)-------------------------------------SA1 PAL (VCC)

(Game is Kirby Super Star/Kirby's Fun Pak)

On the S-DD1 chip if Pin 82 is connected to Ground the internal CIC will be NTSC and if its connected to VCC it will be PAL. See these pictures of the rear of a carts PCB for comparison (The key difference is circled in red):-
S-DD1 NTSC (GND)-----------------------------------S-DD1 PAL (VCC)

(Game is Street Fighter Alpha 2)

All pictures taken from SNES Central:-
http://www.snescentral.com/

If you are interested in modding these games for your region all you need to do is lift the particular leg on the chip and then connect it to whichever point you need for your region. You must have a working/enabled console lockout chip though  :-\

------------------------------------------------------------------------------------------------------------------------------------------

Although configuring each game to work on NTSC or PAL consoles is one solution, its not really what I am aiming for as it still requires the consoles lockout chip to be fully working :-[

However, after abit of research I am pretty confident I have a solution that should work (Although I havent tested it yet!) Basically theres four main signals that go from the SNES console to the carts CIC. Three of them come from the consoles CIC, they are:-
CIC Data In
CIC Data Out
CIC Reset Signal

and the last one is a separate Clock signal.

Now after reading a few old threads and your replies im pretty confident that if I remove either the Clock signal, the Reset signal, or both, that this will allow these games to work...

I have just bought an SA1 game for testing and when it arrives I will experiment with removing different signals and let you know how I get on - wish me luck!  ;D

<EDIT> Fixed broken picture links

phreak97

I'm pretty keen to have a look at the lines that go between the cartridge and the cic, I remember i had a quick look be yeah, snes death stopped me from doing any more.. I've got a new console set up for testing now, so staying away from silver's mod i should be able to find something...

simonbelmont2

#8
I've search about "Silver mod" and I found that was used on SNES MODEL II (don't know if Super Nintendo Jr. or Super Famicom Jr.). If someone tried Method 2 and Method 3 or know how to do please inform me.

By the way here are the patent sheets where the idea for the Method 1 mod came from (direct links):

- U.S. patent 4,799,635: http://www.google.com/patents?id=81EWAAAAEBAJ&pg=PA2&dq=4799635&source=gbs_selected_pages&cad=1_1#PPA1,M1

- U.S. patent 5,070,479: http://www.google.com/patents?id=h8kpAAAAEBAJ&pg=PA2&dq=5070479&source=gbs_selected_pages&cad=1_1#PPA1,M1

simonbelmont2

#9
I've made some research about snes games with special chips and I found this sites:
http://wiki.pocketheaven.com/SNES_games_with_special_chips (list with little description)
and this
http://www.raregame.ru/file/c1/SNES_Games_with_Chips.doc (list with good description)
http://www.raregame.ru/file/50/SNES_Carts_List.txt (list without description)
Here you will find a list with some games that use special chips (SA-1 for example)

simonbelmont2

#10
About the lockout chip, I have one question: if I don't disable the lockout chip (lockout chip is enabled) and change to 60 Hz it will damage the console (it's about a pal game on a pal console modded)? An friend of mine tried this and he said the console was working :o
If you do this it's realy working?

phreak97

the refresh rate and the lockout chip (cic) are completely seperate parts of the console, you can have either of them switched either way at any time, you cant damage the console by doing that. the only way you would damage the console is if you wired it up incorrectly.

simonbelmont2

Then the pal games with special chip will work on the modded pal console when the frequency is 60 and the lockout chip is disabled.
So the problem is for ntsc console with pal games with special chip and pal console with ntsc games with special chip?

phreak97

yep, thats right:)
but it just doesnt work, it wont actually damage anything.

simonbelmont2

#14
I think the best idea is to create a mod that simulate "lockout chip enabled". When the lockout chip is disabled actually will be "enabled".
I think if this mode can be done :-\

phreak97

that's what my mod does, but I dont have any of the games that dont normally run so i cant really test it.

taxititan

Hi Ive just gotten a region lockout switch & also have a 60hz switch.
Mega man x3 pal uses the speedcheck pal protection every time you try to enter a door in the game when playing in 60hz.
So the lockout switch wont help any.
neither a converter will let me play mmx3 pal cart in 60hz.

Is there any action replay code I can use as bypass this??
I have a action replay mk3.

phreak97

As far as I know you'll just have to play in 50Hz. Chances are it will run too fast in 60Hz anyway..
I dont think I have any games which perform that check, otherwise I'd look into it for you.

taxititan

Mega man x3 pal cart 50hz 60hz speed check issue Solved!

It works with action replay mk3 in 60hz!
I just start the game when the action replay MK3 cart switch is on the middle setting, and I choose europe in the meny, then start the game.
A great thing is that I dont have to insert an another cart into the other cart slot, on the action replay MK3 device.

Wow this game "ROX" un-emulated in 60hz with RGB!


And another thing Im sure of.
This game is not pal optimized,so 60hz mode gives both correct speed and aspect ratio ;)
Just compare with any emulator.

l_oliveira

Why not hack the cart ROM and make it into a full NTSC Megaman X3 game, then ?
;)

taxititan

There is also flash cart available from tototek.
But I dont wanna mess with my original mmx3 cartrige since I got it boxed, & its the most expensive pal game.

AlmostOriginal

#21
Hello
I recently disabled my snes lockout chip it works great but I don't own any NTSC/JAP games to test it out.
Does any one know which NTSC/JAP/PAL games that don't work? Does the snes work the same as a nes whit a disabled lockout chip?

???

Did anybody bought the Ultra16 Snes?

Shadow_Zero

Has there been any more insight in this? Or should I just go with the "lift pin 4 of the lockout chip and solder a switch to it" method?

AlmostOriginal

I have made some research on this and if you lift the pin you get a regionfree system. But some games won´t work:

- Games with SA1 chips wont no longer work since there is no CIC inside the system to communicate with the CIC inside the cart. (PAL system there is no diffrents because there is the wrong CIC to communicate with.)
- Games like Super mario world & Donkey kong country wont work either. Not because of the CIC but because it also locked due to 50/60 Hz setting on the system. (PAL cart on NTSC system)

If you want to switch between "Region lock" and "Region free" you do like Shadow_Zero said: "Lift pin 4 of the lockout chip and solder a switch to it". (Guides should be available online)

snesicom

Hi all,

Sorry to dig up an old thread, but didn't want to start a new one when it was directly related to the above. That and I have been discussing this thread with Link83.

I have Street Fighter Zero 2 Super Famicom cart, but have a PAL SNES .

I bought this cartridge thinking it would work like my other Jap carts i.e. with a Universal Adapter/Action Replay etc. That, and a PAL version of this cartridge was triple the price at the time, and couldn't really justify spending that on a game I would rarely play. I'm not really a collector - the majority of my stuff is just from my childhood, and I've just added like 5 games to my collection which I didn't have growing up. Didn't really want to buy extra NTSC consoles etc.

Unfortunately the game didn't boot, which I now know was due to the S-DD1 chip.

I wasn't overly fussed, as it wasn't the best port anyway, and I own it on my arcade machine anyway. I guess I more so wanted it as I had all the other Street Fighter games on SNES from when I was growing up, and wanted to complete the collection.

I came across this thread so I thought, what the hell, I'll give the workaround a shot. That is, lift pin 82 on the S-DD1 chip, and give it + voltage

I've attached a pic to this thread which is an example of what I performed (photo shows a star ocean cart instead - but I used the same voltage location).

I put the game into the console directly - it booted now! It gave a warning that it was not intended for PAL, but still proceeded to do the CAPCOM and Zero 2 intro screen, and let me play the game itself.

However - once you play just one complete fight, and win, and your 'taunt' screen comes up, instead of going to the next fight - it goes back to the PAL warning screen, and restarts the entire cartridge - as though you literally pressed the reset button on the SNES.

Funnily enough, if you download the Japanese ROM online, load it in ZSNES emulator, and tick the option 'force PAL' in the ROM selection screen, and then load the ROM, the symptoms are identical to real life hardware!

Any ideas? or is this just an extra second layer of region security?

Cheers


snesicom

#25
Hi all,

I'm Anthony, from down under Australia. Further to above, I thought I'd add more info

I'm generally not a tinkerer when it comes to games, but I've joined this forum seeking some insight.

I recently purchased Street Fighter Zero 2, Super Famicom cart, for use with my PAL SNES. Assuming it would work like a Street Fighter 2 Turbo Super Famicom cart I bought as a kid in the 90's, using a Universal Adapter, I tried it out - no good, just jail bars on the screen.

Tried my Pro Action Replay with a PAL game piggy-backed - same issue.

After some research, I found it was due to the S-DD1 security chips in these carts (like Star Ocean), which forbid devices like these adapters from blocking its ability to talk to the security chip inside the SNES to verify region.

I found some information online, showing one way around this, was to open the cart, lift pin 82 on the S-DD1 chip, removing it from ground, and giving it 5v. I performed this modification to force it to PAL, and as such, communicate with the SNES directly (with no adapter), thus allowing its region security procedure to run.

This worked. The game booted up directly slotted into the PAL SNES, however with a warning 'This game pack was not designed for use with your Super Nintendo Entertainment System (PAL)'.

The game continues to boot, and performs its normal game introduction.
I proceeded to play the game, and it played well. That was, until I won my first fight, and the finish 'taunt' screen comes up with Ken on the screen and his one liner...
After that screen, instead of going to the next fight, the 'PAL' warning message comes up again, and reboots the entire game.

Although I bypassed the hardware security in this cart, it appears Capcom has a coded security check to check for region / 60hz perhaps. It teases you and lets you play a bit before rebooting. I found other games around, like Demons Crest on Youtube, does the same thing after playing one level, when using it in a PAL system.

After looking online, I found a good way to see if it was my hardware fix at fault, or a code thing. I downloaded the Japanese Zero 2 ROM, and tested it on ZSNES emulator, with the option 'force PAL' - Identical symptoms! Reboots after one fight and same PAL warnings.

Now you're thinking 'why bother with PAL' and 'ugly borders' and 'slower frames' etc.

You're right, PAL is inferior to the purist, I agree.

But, I have my childhood SNES, and my entire collection is all PAL (so I'm not starting again), except 2 carts, and I'm not really looking to increase my collection any further in future, other than a couple of extra carts here and there. I just wanted Zero 2, because I had all other Street Fighter carts on SNES and just wanted to complete the collection.

A few things I wanted to clear up, and I might be unreasonable so I apologise

- I don't want to hard-modify my console with a new CIC, or a switch for 50/60Hz. Not for the sake for just one Zero 2 cart not working, and not when all my other games work perfect. Seems drastic. I know it'd be beneficial to have an NTSC option if I were to get an Everdrive cart for example, but I know that won't be a path I'd be going down, and I dont forsee any further NTSC titles at this point.

- If I cant get this cart working, I'm not spending 3-4 times the amount on a PAL version of Alpha 2. I'll probably just give up on the idea and just keep the cart for the sake of having all Street Fighter SNES games in my collection. I have Zero 2 on my arcade machine, so I'm not really in it for the fast 60Hz speed or perfection, so if it were to run in PAL i'd be happy to throw it in and play it every now and then on the SNES.

- I dont want to buy a Super Famicom console just for the one cart to work.

- Why bother you ask - it's a challenge I guess, to see if there IS a way to get it working as is in PAL mode, via modification to the cart, or means of action replay.

Now that's out of the way, I'll tell you what I have done to try and troubleshoot.

1. Now that the cart was hard modified to PAL, I thought I'd try the Action Replay route again. With no piggy back PAL cart on the back, Zero 2 boots as normal, however still complaining about 'not designed for PAL'. The action replay does not trick the 50/60hz check.
With a PAL piggy back cart inserted on the rear, the game does not boot, it goes back to a jail-bar screen (as it did prior to modification), assumably due to the security chip being blocked I'd suppose. Universal adapter with piggy back - jail bars. The cart will now only function if directly connected to SNES, or with Action Replay with no piggy back cart, but of course with a PAL warning/reboot after one fight.

2. I found an Action Replay code online for 'Alpha 2', whereby you can select what 'level' fight you want to start at. I entered it in choosing level 2 or 3 from memory as the code, then started the game.
I chose my character at the character select screen, and then it showed 'next fight', and sure enough it started me on 'fight 3' with two other fighters crossed off my list as though I had fought and beat them already (despite only just booting the game) LOL. It left me fight, and I won, and then came the finish taunt one liner with Kens face, followed by 'not designed for PAL', and game rebooted. So basically, the security isn't set to JUST check after one fight, but its set to check after any fight it seems.

3. Upon research online, I found a tool called UCON64. I used it on the Japanese ROM I downloaded of Zero 2, using the switch -f , which removes region check on the rom. It edited the ROM file, and made a new .sfc rom file export.
I used the new rom in ZSNES, with 'force PAL' - issue resolved. No more PAL warning screen, despite being in 'force PAL'
Unfortunately though, not resolved in real life on my actual SNES, as this was fixed by editing a ROM file on a PC.
I then performed a command in UCON64 to check the original ROM file VS the newly modified file (I also performed this check in a normal HEX editor comparing tool) - both gave me this same information:

1 difference between the two files:

Original ROM
0000271c f0

Fixed ROM
0000271c 80

This is where I got stuck. I don't know what I can do with this data.

I guess I was hoping for a solution which is cart based, not console e.g:

1. I thought that there might be a way to use the above data from the fixed rom, to make a Pro Action Replay code (remembering the cart boots with Pro Action Replay, as though it were a PAL cart, provided no piggy back cart is connected). I was wondering if a Pro Action Replay code could be made from this, as a way to bypass the 50/60Hz check.

I can see there's action replay codes to bypass SRAM check here for Donkey Kong Country 2, I have to imagine there's a way for Action replay to bypass the region check:

http://board.zsnes.com/phpBB3/viewtopic.php?f=9&t=10645

Does someone have the ability to read the data from the game to work out how to obtain such Action Replay codes?!

If the above code doesn't help make an Action Replay code - is there any other way to bypass 50/60Hz check without modifying the console?

2. There is a bypass for the S-DD1 hardware chip via forcing it to PAL via pin 82 to + voltage. Are there any further mods which can be done to the one cartridge, to overlook the 60Hz 'PAL' concern?

3. I imagine there'd be a way to re-write the 'fixed' ROM file to the current rom chip in the Zero 2 cart, or replacing it with another chip. Problem is, the costs involved in getting a replacement chip and writing hardware, would just write off the cart, and may as well just get a PAL cart (which I dont want to bother spending money on).

I guess if either of the two above options are possible, please let me know.

Thanks heaps!


----

EDIT: Update 20/10/16.

Here is a post I made in another forum, after being provided an update with Pro Action Replay Codes:





Hi all,

Thank you for your detailed and prompt responses!

I received responses on here, as well as ROMHacking forum, as I was trying to get maximum exposure on such a select problem.

'Revenant' from here provided a code C0271C80 - Thanks!

and, on the other forum, I was provided a code 7E1DC700 by user 'rainponcho' - Thanks!

I tested both codes individually on PC, on ZSNES, with 'force PAL'. These were the results:

1. Code C0271C80 - bypassed the boot warning of 'This Game Pack was not designed for your SNES (PAL)'. I played a couple of fights, and after each fight, the next fight came up! It works 100%

2. Code 7E1DC700 - bypassed the boot warning of 'This Game Pack was not designed for your SNES (PAL)'. I played one fight, and directly after the taunt screen following the fight, the 'This Game Pack was not designed for your SNES (PAL)' warning came up, and the game rebooted. Strange that it was able to bypass the initial warning screen though?! It's as though it fixed half the problem.

Unfortunately, in real life (not emulation), I only own a Pro Action Replay 1. I did test code C0271C80 on it - and it did not work at all.
I imagine this to be due Revenant's comment, that only Pro Action Replay 2 or 3 will work with this code due to working with ROM, not just RAM (if i understood that correctly).

I have not had a chance to test 7E1DC700 code in real life on Pro Action Replay 1 - I'll try tonight - though I imagine if it does in fact beat the initial 'PAL' Hz check screen, that it will demonstrate the same issue that the emulation shows - that the protection kicks in after the first fight is completed. It's as though code 7E1DC700 is part of the equation. Perhaps a second code is needed for the additional checks the game performs?! Not sure. Chances are my Action Replay 1 might not even be capable full stop with either code provided.

So I guess this leaves me with a question. ZSNES allows you to enter multiple codes from different cheat devices. It says 'enter a Game Genie, Pro action replay code etc etc.'. So when you enter in C0271C80 , how do we know which cheat device the ZSNES is emulating?! Is it, it's own cheat engine? Does the code depict which device it needs to use? How do we know this code isn't in fact just working by emulating one certain device. Is there a way to find out what exact device or BIOS zsnes is using to make this code work?

Basically, I want to make certain that a Pro Action Replay 2 will in fact 100% work with code C0271C80, before I spend the money on one. My aim would be to buy an Action Replay 2 (easily available locally), and sell my Action Replay 1 to offset the cost (they seem to sell easy locally which is good). I just dont want to buy an Action Replay 2, to find out, I have to sell it, and chase down a rarer Action Replay 3 from overseas instead.

Any info would be greatly appreciated and thanks for everyone's efforts so far!!

Anthony.

snesicom

Thank you for all the help put in, this is now working 100% with no console modification.

Ive put some photos up. I really need to get a CRT :)

Basically, once the S-DD1 chip is modified for PAL on the Zero 2 cart (pin 82 lifted, and wired to 5v), you then connect the game to an Action Replay 2 with version 2 BIOS firmware, and enter code C0271C80, in order to bypass the secondary 'this game pack is not designed for PAL' security message.

Once I entered in the code, pressed enter to start game, I flicked the action replays' switch to the top position in order to activate codes, then pressed Reset on the SNES console, and off it went.

Thanks again!