Niue Ziel Theory
"Build a new god / To medicate and to ape / Sell us ersatz / Dressed up and real fake" - "Rock Is Dead," Marilyn Manson
Now that we've gone through the basic concepts of dumping as well as a real-life example that makes use of these concepts, I'd like to go one step further and delve into the theory behind the Niue Ziel system that I used to dump a decrypted version of the KOF2K P1 ROM. The Neo-0 P1 was the first time that anything from an encrypted cart had been dumped in decrypted form and released. My experiments with the Niue Ziel and a Garou cart led me to suspect that the logic chips that the P ROMs passed through actually CONTAINED data necessary to form a complete, normal set of P ROMs and added in this data as it processed the P ROMs. It marked an important first step in conquering the NeoGeo encryption scheme.
A few quick facts about encryption:
1. Technically speaking, only the C ROMs were truly encrypted.
2. There was no physical S1 ROM present. Instead, the data for the S1 was generated by decrypting the C ROMs.
3. The P ROMs did not use a real encryption scheme. They were merely banked in a non-standard format. However, sometimes they WERE missing some data. This missing data was added in by the logic chip controlling the banking. Ever wonder why KOF99 and Garou have a .sma file in their sets? Well, that .sma file is the missing data that is only on the logic chip and NOT in the ROM itself.
The Niue Ziel is an offshoot of Apollo 69's edge dumping method. His method failed to produce any data from an encrypted cart since the logic chip on the cart checks to make sure that there is a signal from the MVS before sending out any decrypted data. The signal being checked for on the P ROM board is the clock (24B = 68KCLKB). What my Niue Ziel does is fake out the cart. I have the Niue Ziel connected to both my MVS and my ROM reader. So the MVS supplies the necessary clock signal, while my reader gets the already decrypted data from the edge. The problem was a lack of control, since the way you would normally bank and control an old-style cart does NOT work with the new encrypted carts.
Here's a picture of the Niue Ziel:
The Niue Ziel is composed of 3 parts: the socket adapter, the edge connector socket that the board being dumped plugs into, and the sacrificial board which allows the Niue Ziel to be connected to the MVS.
Here's a picture of the socket adapter:
Here're some pictures of the edge connector:
Here're some pictures of the sacrificial board:
I attached wires from the edge connector to the adapter using the edge out schematics from Apollo69. These schematics are included in the "Goodies" directory. I also soldered wires onto a sacrificial board. As you can see from the pictures above, all connections on the sacrificial board between the stuff on the board and the edge connectors have been severed. This way, I can be sure that there is no interference. The clock wire MUST be attached for encrypted games. Some of the other wires also needed signals from the MVS to set them. Mainly, I was playing around with the wires labelled 23A-33A and 24B-34B when I was trying to figure out a way to rombank.
Tyris was able to figure out a way to successfully read off ALL the P ROMs on a non-protected oldstyle board. I tested this method out on RBFF2 and verified that it works. Here's the method:
1. Cart must be powered by MVS
2. Attach 24B-28B to the MVS
3. Attach 22A-24A, and 27A to the MVS
4. Attach 25A and 26A and 33B to switches
5. Turn on MVS.
6. Set 33B to GND and 25A and 26A to VCC
7. Read, save as p1.rom
8. Set 33B to VCC and 25A and 26A to VCC
9. Temporarily disconnect edge 05A and 06A from the reader
10. Connect edge 28A to MVS
11. Connect edge 06A and 05A to GND
12. Leave it like this for a second to make sure the logic chip picks up the signal
13. Disconnect edge 28A from the MVS
14. Connect edge 28A to GND
15. Disconnect edge 06A and 05A from GND
16. Reconnect edge 06A and 05A to their previous locations on the EPROM reader
17. Set 33B to VCC and 25A and 26A to GND
18. Read, save as p200.rom
19. Repeat steps 8-17, except set 06A to GND and 05A to VCC in step 10
20. Read, save as p201.rom
21. Repeat steps 8-17, except set 06A to VCC and 05A to GND in step 10
22. Read, save as p210.rom
23. Repeat steps 8-17, except set 06A and 05A to VCC in step 10
24. Read, save as p211.rom
Unfortunately, this fails for the newer encrypted boards since the 33B line on those is NOT CONNECTED. I was able to apply this method and get the P1 ROM of KOF2K, but the P2 dumps were never stable / were still severely garbled. However, it serves as a great proof-of-concept since it shows how it would be possible to get the other ROMs. Given enough time, it would have been possible to use trial and error to figure out the proper control signals to get the other ROMs.
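The P2 dumps above were rejected because they were not stable, that is, the same address came back with different values on successive reads. A simple way to tell a good bank read from a garbled one is to read the same region several times and diff the results. The script below is an added example and is not the author's tooling or part of the original article; the byte strings in it are constructed sample reads, not real cart data (the 4E71 pairs are just 68K NOP opcodes used as filler), and the file names only follow the p1.rom / p2xx.rom naming used in the procedure.

```python
"""Check whether repeated edge reads of one ROM region agree.

Added example, not code from the original article. A region that reads
identically every time can be saved (e.g. as p1.rom); offsets that change
between reads point at control lines that are not settled.
"""
from collections import Counter


def compare_reads(reads):
    """Return (unstable_offsets, consensus) for equal-length byte strings.

    unstable_offsets: sorted offsets where at least one read disagrees.
    consensus: bytes built from the most common value at each offset
               (majority vote), handy when most reads already agree.
    """
    if not reads:
        raise ValueError("need at least one read")
    length = len(reads[0])
    if any(len(r) != length for r in reads):
        raise ValueError("all reads must have the same length")
    unstable = []
    consensus = bytearray(length)
    for off in range(length):
        value, votes = Counter(r[off] for r in reads).most_common(1)[0]
        consensus[off] = value
        if votes != len(reads):
            unstable.append(off)
    return unstable, bytes(consensus)


def stability_ratio(reads):
    """Fraction of offsets (0.0 .. 1.0) on which every read agreed."""
    unstable, _ = compare_reads(reads)
    return 1.0 - len(unstable) / len(reads[0])


def looks_blank(data, fill_values=(0x00, 0xFF)):
    """True when the whole region is one fill byte (0x00 or 0xFF), which is
    what a bank looks like when the control lines never selected real data."""
    return (len(data) > 0
            and data[0] in fill_values
            and all(b == data[0] for b in data))


# Constructed sample: three 16-byte reads of the same region; the third read
# disagrees at offsets 9 and 15, so the region would not be accepted as-is.
SAMPLE_READS = [
    bytes.fromhex("4e71 4e71 0000 1234 aa55 0001 0000 ffff"),
    bytes.fromhex("4e71 4e71 0000 1234 aa55 0001 0000 ffff"),
    bytes.fromhex("4e71 4e71 0000 1234 aaff 0001 0000 ff7f"),
]


def report(reads, name="bank"):
    """Return a short dict summarising whether a set of reads is usable."""
    unstable, consensus = compare_reads(reads)
    return {
        "name": name,
        "reads": len(reads),
        "unstable_offsets": unstable,
        "stability": stability_ratio(reads),
        "blank": looks_blank(consensus),
        "stable": not unstable and not looks_blank(consensus),
    }


if __name__ == "__main__":
    # Offsets 9 and 15 are flagged; only accept a bank with no unstable offsets.
    print(report(SAMPLE_READS, name="p200.rom"))
```

In practice you would feed `compare_reads` the contents of several files saved from the same switch settings (for example three successive p200.rom reads) and only keep a bank once `report()` says it is stable and not blank; the consensus bytes are a convenience, not a substitute for a clean read.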
The Niue Ziel method is not the only way to break through the encryption. Two other notable methods were developed by Razoola and Billy Jr. Unfortunately, they have not shared the details of how they did it, so all I can give is a brief summary of the bits of information that they announced while working on it.
The Razoola method: Write a special bios for the MVS. Instead of playing the game, have the bios display the data it is getting on the screen like a hex editor program. By using this bios, it is possible to manipulate the cart and get the parts that you want read displayed on the screen. The only drawback is the output is to the screen and NOT to the ROM reader, but that could probably be overcome with some sort of OCR software. This bios was never given out, so I have no idea about how it worked exactly aside from a few screenshots that Razoola posted while he was working on it. You could probably attempt this method successfully if you knew how to program an MVS bios.
The Billy Jr. method: Build a specialized card that plugs into your PC. Then create specialized software for that card. Build an edge dumping device like the Niue Ziel, except instead of using a real MVS unit, use that card to send the signals. Also use the card to send the control signals. Now bank it to the part of data that you want to read and read it off. Essentially, this is the same as the Niue Ziel except the control scheme is now much easier (done through a special card rather than manually moving wires around). You could probably attempt this method successfully if you knew how to build a special card, write the special software, and figure out what the control codes were. Actually, all I needed to know were the control codes since once I knew which wires did what, I would be able to use the Niue Ziel and get all the data. I offered to give Billy Jr. a brand new, original Metal Slug 3 cart (since he said he wanted donations to buy that for dumping) if he would share the control codes, but he turned down my offer.
Quick recap:
Facts about encryption
Niue Ziel
Banking P ROMs with Niue Ziel
Other methods