NES:Disabling CIC Chip: Difference between revisions

From ConsoleMods Wiki
Jump to navigation Jump to search
(wip, too tired to go on)
 
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
As the NES was developed from the Famicom, Nintendo of America got the dubious double award of being the first console corporation to release anti-competitive measures - unlicensed title "blocking" and region locking.
In order to prevent a glut of unlicensed games flooding the game market as with previous consoles, Nintendo implemented a lockout system in the [[NES:NES Mods Wiki|Nintendo Entertainment System]] to prevent both unlicensed and out-of-region games from being played on the console. This lockout system, known as the '''10NES''', consists of two 4-bit Sharp SM590 microcontrollers, one in the NES console and the other inside the game cartridge. The chip inside the NES (the "lock") looks for its counterpart in the cartridge (the "key"), and if the chip is not present, the console will go into a 1 Hz reset loop and prevent the game from booting.


Third parties still came up with more or less ingenious ways of bypassing it, but this is not particularly helpful if playing imports is desired - and, unlike on the SNES and N64, there is (mostly) no advantage in keeping the security chip, so it may be advantageous to remove it - which is exactly what happened at design stage to the NES-101.
Third party game companies devised several ways to bypass the 10NES system, ranging from reverse-engineered copies of the 10NES chip (Tengen) to sending a voltage spike to "knock out" the chip in the NES (Color Dreams/Wisdom Tree). However, the lockout system hampers efforts to play official games from other regions, particularly with PAL-A and PAL-B region games where some titles were released in one region but not the other. It should be noted that the redesigned NES-101 console lacks the 10NES system entirely, presumably to reduce costs.  


==Disadvantages==
Fortunately, it is relatively easy to disable the 10NES chip in the NES and there are several methods of accomplishing this.  
The main disadvantage is in fact with some unlicensed NES games, chiefly those that generate electrical spikes to attempt to [[Xbox_360:RGH|glitch]] the 10NES - some have been reported to overheat without their "load"; of course, this logic can also be taken out of service afterwards.


A couple of first party titles do actually require the CIC-generated "cart reset" signal but, those titles being the Nintendo World Championships series, it is unlikely to ever affect most gamers :P
== Classic method: Two keys and no locks ==
As outlined above, the 10NES system works through two equal chips trading sequences of code, with the console-side chip generating a reset loop if not satisfied. Because the chips are the same, '''pin 4'''  of the chip is pulled either up (connected to 5V) or down (connected to ground) depending on if the chip is to act as the "lock" or "key". By pulling pin 4 of the "lock" to ground, it is possible to disable the lockout process and allow for all games to be played.


Additionally, there's the matter that anti-CIC mods have traditionally been misleadingly promoted as a solution to NES reboot loops: while this result will be achieved, it is not a [[Cartridge Cleaning|panacea for bad connections]] and allowing a game to run in such state may in fact promote save corruption, for those with directly mapped SRAM.
=== Disadvantages ===
One of the main disadvantages of bypassing the lockout chip is that with some unlicensed NES games, chiefly those that generate electrical spikes to attempt to [[Xbox_360:RGH|glitch]] the 10NES, have been reported to overheat without their "load". This voltage spike circuitry can also be bypassed if necessary.


==Classic method: 2 keys and no locks==
A very small number of first party titles require the CIC-generated "cart reset" signal, namely the extremely rare Nintendo World Championships cartridges. Although this issue is unlikely to affect most people, it is still something to consider when performing the lockout bypass.
The 10NES system works through two equal chips trading totally-not-random sequences, with (only) the console-side one generating a reset if not satisfied.


As the chips are the same, '''pin 4''' is pulled either up or down to switch it between respectively console or gamecard duty, therefore it '''can be disconnected from the PCB and shorted to ground'''.
Additionally, there is a misconception that bypassing the 10NES will drastically improve reliability when loading games. While this result can be somewhat achieved, it is not a [[ConsoleMods_Wiki:Cartridge Cleaning|solution for bad connections]] and allowing a game to run in such a state may corrupt save files for games with directly mapped SRAM.


==Complete removal and replacement==
=== Procedure ===
On the other hand, ignoring its protection aspect, the 10NES can be considered a fancy reset generator, which fires (to pin 9) on internal conditions (key mismatch) as well as external ones (reset button - pin 7).
# Disassemble the NES using a Phillips head screwdriver. Remove the top case and then unscrew the RF shielding from the motherboard. Continue with disassembly until the motherboard is free and fully exposed.
# Locate the 10NES chip on the motherboard. It is located near the RF/power box and is labeled either "3193A" for NTSC consoles, "3195A" for PAL-B consoles, "3196A" for Asian/Hong Kong consoles and "3197A" for PAL-A consoles.
# Take a pair of flush cutters and cut pin 4 of the chip at the base of the pin where it is soldered into the motherboard. Carefully pull it up at a 90 degree angle.
# Solder a wire to pin 4 and then cover the exposed pin with heat shrink to prevent possible shorts.
# Solder the other end of the wire to the nearest ground source.
# Reassemble and test. The NES should now be able to accept other region games and unlicensed games without problems, aside from games which will not work with a different region PPU. As a side effect, the NES will no longer go into a reset loop due to an improper connection.


''to be written''
Note that simply cutting off pin 4 will also accomplish the same goal, but this is not completely recommended as it may cause harm to the 10NES chip which is still used for resetting the console.


==Full bypass==
== CIC Bypass ==
''to be written''
Aside from its protection aspect, the 10NES can be considered a fancy reset generator, which fires (to pin 9) on internal conditions (key mismatch) as well as external ones (reset button - pin 7). Due to this reason, simply completely removing the 10NES will not work and will prevent the NES from booting. However, by adding several additional components, it is possible to completely remove the CIC chip and still have the console remain fully functional.
 
=== Procedure ===
[[Image:NESCICBypass.jpg|thumb|right|350px|A completed CIC bypass.]]
 
# Disassemble the NES using a Phillips head screwdriver. Remove the top case and then unscrew the RF shielding from the motherboard. Continue with disassembly until the motherboard is free and fully exposed.
# Locate the 10NES chip on the motherboard. It is located near the RF/power box and is labeled either "3193A" for NTSC consoles, "3195A" for PAL-B consoles, "3196A" for Asian/Hong Kong consoles and "3197A" for PAL-A consoles. This assumes that the lockout chip has not yet been removed.
# Desolder the CIC using a desoldering gun or desoldering braid. Be sure to add additional solder and flux as needed to help the solder joints flow better and prevent damage to the board.
# Solder a 100k ohm resistor between pins 6 (clock input) and 10 (CIC reset) of the CIC chip footprint.
# Desolder the leg of resistor R1 closest to the rear of the board, then solder it into the via to the right of where the resistor leg once was or to ground.
# Solder a small wire between pin 9 of the CIC chip footprint (console reset) and the (now clear) rear through-hole of R1.
# Solder a small wire between pin 7 of the CIC chip footprint (reset) and the frontmost via of crystal X2. Note that X2 can be removed since it supplied the clock signal to the CIC, which by this point will have been removed.
# Reassemble and test.
 
== Links ==
* [https://forums.nesdev.org/viewtopic.php?t=9260 NESdev thread on completely bypassing the 10NES chip]
 
[[Category:NES]]

Latest revision as of 17:16, 26 May 2024

In order to prevent a glut of unlicensed games flooding the game market as with previous consoles, Nintendo implemented a lockout system in the Nintendo Entertainment System to prevent both unlicensed and out-of-region games from being played on the console. This lockout system, known as the 10NES, consists of two 4-bit Sharp SM590 microcontrollers, one in the NES console and the other inside the game cartridge. The chip inside the NES (the "lock") looks for its counterpart in the cartridge (the "key"), and if the chip is not present, the console will go into a 1 Hz reset loop and prevent the game from booting.

Third party game companies devised several ways to bypass the 10NES system, ranging from reverse-engineered copies of the 10NES chip (Tengen) to sending a voltage spike to "knock out" the chip in the NES (Color Dreams/Wisdom Tree). However, the lockout system hampers efforts to play official games from other regions, particularly with PAL-A and PAL-B region games where some titles were released in one region but not the other. It should be noted that the redesigned NES-101 console lacks the 10NES system entirely, presumably to reduce costs.

Fortunately, it is relatively easy to disable the 10NES chip in the NES and there are several methods of accomplishing this.

Classic method: Two keys and no locks

As outlined above, the 10NES system works through two equal chips trading sequences of code, with the console-side chip generating a reset loop if not satisfied. Because the chips are the same, pin 4 of the chip is pulled either up (connected to 5V) or down (connected to ground) depending on if the chip is to act as the "lock" or "key". By pulling pin 4 of the "lock" to ground, it is possible to disable the lockout process and allow for all games to be played.

Disadvantages

One of the main disadvantages of bypassing the lockout chip is that with some unlicensed NES games, chiefly those that generate electrical spikes to attempt to glitch the 10NES, have been reported to overheat without their "load". This voltage spike circuitry can also be bypassed if necessary.

A very small number of first party titles require the CIC-generated "cart reset" signal, namely the extremely rare Nintendo World Championships cartridges. Although this issue is unlikely to affect most people, it is still something to consider when performing the lockout bypass.

Additionally, there is a misconception that bypassing the 10NES will drastically improve reliability when loading games. While this result can be somewhat achieved, it is not a solution for bad connections and allowing a game to run in such a state may corrupt save files for games with directly mapped SRAM.

Procedure

  1. Disassemble the NES using a Phillips head screwdriver. Remove the top case and then unscrew the RF shielding from the motherboard. Continue with disassembly until the motherboard is free and fully exposed.
  2. Locate the 10NES chip on the motherboard. It is located near the RF/power box and is labeled either "3193A" for NTSC consoles, "3195A" for PAL-B consoles, "3196A" for Asian/Hong Kong consoles and "3197A" for PAL-A consoles.
  3. Take a pair of flush cutters and cut pin 4 of the chip at the base of the pin where it is soldered into the motherboard. Carefully pull it up at a 90 degree angle.
  4. Solder a wire to pin 4 and then cover the exposed pin with heat shrink to prevent possible shorts.
  5. Solder the other end of the wire to the nearest ground source.
  6. Reassemble and test. The NES should now be able to accept other region games and unlicensed games without problems, aside from games which will not work with a different region PPU. As a side effect, the NES will no longer go into a reset loop due to an improper connection.

Note that simply cutting off pin 4 will also accomplish the same goal, but this is not completely recommended as it may cause harm to the 10NES chip which is still used for resetting the console.

CIC Bypass

Aside from its protection aspect, the 10NES can be considered a fancy reset generator, which fires (to pin 9) on internal conditions (key mismatch) as well as external ones (reset button - pin 7). Due to this reason, simply completely removing the 10NES will not work and will prevent the NES from booting. However, by adding several additional components, it is possible to completely remove the CIC chip and still have the console remain fully functional.

Procedure

A completed CIC bypass.
  1. Disassemble the NES using a Phillips head screwdriver. Remove the top case and then unscrew the RF shielding from the motherboard. Continue with disassembly until the motherboard is free and fully exposed.
  2. Locate the 10NES chip on the motherboard. It is located near the RF/power box and is labeled either "3193A" for NTSC consoles, "3195A" for PAL-B consoles, "3196A" for Asian/Hong Kong consoles and "3197A" for PAL-A consoles. This assumes that the lockout chip has not yet been removed.
  3. Desolder the CIC using a desoldering gun or desoldering braid. Be sure to add additional solder and flux as needed to help the solder joints flow better and prevent damage to the board.
  4. Solder a 100k ohm resistor between pins 6 (clock input) and 10 (CIC reset) of the CIC chip footprint.
  5. Desolder the leg of resistor R1 closest to the rear of the board, then solder it into the via to the right of where the resistor leg once was or to ground.
  6. Solder a small wire between pin 9 of the CIC chip footprint (console reset) and the (now clear) rear through-hole of R1.
  7. Solder a small wire between pin 7 of the CIC chip footprint (reset) and the frontmost via of crystal X2. Note that X2 can be removed since it supplied the clock signal to the CIC, which by this point will have been removed.
  8. Reassemble and test.

Links