iQue reversing info (marshallh notes | mikeryan notes)
Last updated Sun May 06 16:34:00 CST 2018

Background

The iQue is a Nintendo 64 retooled into an ASIC (application-specific integrated circuit) as a foray into the Chinese video game market by iQue Corporation. Officially licensed from Nintendo, it's based on the original MIPS CPU and RCP design files -- and is not an emulator. Users would plug their iQue's data cartridge into one of a number of kiosks around China (called Depots) and purchase tickets/points which were redeemed for games.

Development

Conditions leading up to its release were much different than in most other countries. The Chinese government wanted to retain control over the games released while also preventing simple importation of other countries' goods. This created an opening for whoever could develop an original game system and also pitch it as a tool to improve the education of children growing up. Codenamed "BB Player", the system required many new technologies to make it happen - it's one of the first successful digital content delivery platforms, with DRM that was well-designed enough to completely prevent all piracy for at least a decade in one of the most hostile target markets. The content delivery and protection scheme later served as the basis for the Wii Shop Channel, with which it shares many traits. In fact, BroadOn was later contracted by Nintendo to design the Starlet IO coprocessor in the Wii -- which even preliminary research shows is definitely similar in many ways to the iQue.

Operation

Software can be loaded onto the memory card via two methods.
Depots began to disappear after several years and were hard to find by 2012. However, it was still possible to redeem point cards with iQue@Home and buy games. Finally, the licensing server was shut down in December 2016, making it impossible to load new trials and purchase games. However, fragments of the network like the content server remain online, as the iQue Corporation is still in business as the sole distributor of Nintendo products within the country. Localizations for the iQue Player continued until 2006, with the final game being Animal Crossing. Units were produced from early 2003 onwards, though all units I've disassembled have 2003 datecodes.

There are at least two significant versions of the system software. Early versions could only be provisioned from depots and would not function with iQue@Home, but could be upgraded by the depot. Most units in the wild now seem to be the later revision with full USB support. By having a second unit and hot-swapping the older NAND into a booted newer iQue, one can upgrade the SKSA (firmware) by writing a later SKSA, and gain USB functionality.

Upon powerup, the user is prompted to set up parental restrictions on gameplay. Because a real-time clock is inside, playtime can be restricted to certain hours of the day or to a certain date range, and the settings can be locked behind a passcode. After choosing a game, the iQue shows a warning about spending too much time in front of the TV and encourages users to take frequent breaks.

Technical details

Game localization

To accomplish the mammoth task of painstakingly translating every single piece of text, image, and sound, occurring by the thousands in each game, the iQue team was provided a slightly modernized N64 toolchain as well as the original source code and build tools for each game. BroadOn/Routefree ported the libultra-based N64 SDK to Linux with new wrappers allowing GDB support over USB.
Because they were working from original game source, the iQue localization team could afford to be very thorough in their efforts - Star Fox received a full audio dub, while F-Zero X, Wave Race and Excitebike also received limited dubs. Many references to Nintendo were changed to iQue/Nintendo. Animal Forest has a Chinese Spring Festival instead of its Japanese counterpart. The updated libultra used to rebuild these games has new functions to access the modified hardware of the iQue, chiefly regarding savegames and the real-time clock. However, to preserve compatibility, games still used the original graphics microcodes they were designed around.

Filesystem (dump of Mike's and my files)

A very basic linked-list type log filesystem that is designed around the rough edges of raw unmanaged NAND flash. The NAND has 512 + 16 byte sectors, and they are organized in 16 Kbyte blocks, matching the NAND chip's physical blocksize of 16 Kbytes. If a different NAND is to be used, its blocksize must still be 16 Kbytes, which makes things a bit more difficult. At the start of NAND is a 64 KB encrypted Secure Kernel that is the same on all consoles, followed by tickets and CAM data for the System App, which is the iQue Menu. See below.

Dumping the flash can now be easily done with emoose's iQueDiagExtend hook, which patches the diagnostics program included with the very last release of iQue@Home software, enabling easy NAND dumps. This program also supports reading and writing individual files directly to the NAND, as well as overwriting the SKSA area with a newer version.

Listing of files on my card - there are other files that can be created not shown here.

Possible file extensions:
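As an added example (not code from the original notes or from the iQueDiagExtend/decoder tools mentioned above), here is a small Python parser for the NAND geometry the Filesystem section describes: 512 + 16 byte pages, 32 pages to a 16 KB block, and the 64 KB Secure Kernel occupying the first four blocks. It assumes the dump stores each page's 16 spare bytes directly after its 512 data bytes, and it applies the common small-page NAND bad-block convention (first spare byte of a block's first page not 0xFF); neither detail is stated on the page, and the sample dump is constructed inline.

```python
"""Split a raw iQue-style NAND dump into pages, spare areas and 16 KB blocks.

Added example. Assumptions (not from the notes): each 512-byte page is followed
immediately by its 16 spare bytes in the dump, and a block is bad-marked when
the first spare byte of its first page is not 0xFF (common small-page NAND rule).
"""
from dataclasses import dataclass

PAGE_DATA = 512                              # user data bytes per page (from the notes)
PAGE_SPARE = 16                              # spare/OOB bytes per page (from the notes)
PAGE_RAW = PAGE_DATA + PAGE_SPARE            # 528 bytes per page in the dump (assumed layout)
BLOCK_DATA = 16 * 1024                       # block size the filesystem requires
PAGES_PER_BLOCK = BLOCK_DATA // PAGE_DATA    # 32 pages per block
SK_SIZE = 64 * 1024                          # encrypted Secure Kernel at the start of NAND
SK_BLOCKS = SK_SIZE // BLOCK_DATA            # 4 blocks


@dataclass
class Page:
    index: int
    data: bytes
    spare: bytes


def split_pages(raw):
    """Cut the dump into Page records; rejects dumps that are not whole pages."""
    if len(raw) % PAGE_RAW:
        raise ValueError("dump length is not a multiple of %d bytes" % PAGE_RAW)
    return [Page(i, raw[o:o + PAGE_DATA], raw[o + PAGE_DATA:o + PAGE_RAW])
            for i, o in enumerate(range(0, len(raw), PAGE_RAW))]


def block_pages(pages, n):
    return pages[n * PAGES_PER_BLOCK:(n + 1) * PAGES_PER_BLOCK]


def block_data(pages, n):
    """The 16 KB of user data for block n, spare bytes stripped."""
    return b"".join(p.data for p in block_pages(pages, n))


def is_erased(pages, n):
    """Erased NAND reads as all 0xFF in both data and spare."""
    return all(p.data.count(0xFF) == PAGE_DATA and p.spare.count(0xFF) == PAGE_SPARE
               for p in block_pages(pages, n))


def is_bad_marked(pages, n):
    return block_pages(pages, n)[0].spare[0] != 0xFF


def sk_region(raw):
    """User data of the first four blocks: the encrypted Secure Kernel area."""
    pages = split_pages(raw)
    return b"".join(block_data(pages, n) for n in range(SK_BLOCKS))


def summarize(raw):
    """Per-dump overview: block count, SK blocks, erased blocks, bad-marked blocks."""
    pages = split_pages(raw)
    nblocks = len(pages) // PAGES_PER_BLOCK
    return {
        "blocks": nblocks,
        "sk_blocks": list(range(min(SK_BLOCKS, nblocks))),
        "erased": [n for n in range(nblocks) if is_erased(pages, n)],
        "bad_marked": [n for n in range(nblocks) if is_bad_marked(pages, n)],
    }


def build_sample_dump():
    """Constructed six-block dump: blocks 0-3 carry pattern data standing in for
    the SK, block 4 is erased, block 5 is erased but carries a bad-block mark."""
    out = bytearray()
    for blk in range(6):
        for pg in range(PAGES_PER_BLOCK):
            if blk < SK_BLOCKS:
                data = bytes((blk * PAGES_PER_BLOCK + pg + i) & 0xFF for i in range(PAGE_DATA))
            else:
                data = b"\xff" * PAGE_DATA
            spare = b"\xff" * PAGE_SPARE
            if blk == 5 and pg == 0:
                spare = b"\x00" + b"\xff" * (PAGE_SPARE - 1)
            out += data + spare
    return bytes(out)


if __name__ == "__main__":
    dump = build_sample_dump()
    print(summarize(dump))
    print("SK region bytes:", len(sk_region(dump)))
```

On a real dump, replace build_sample_dump() with the file contents; if the dumper stores spare bytes in a separate region rather than interleaved, adjust split_pages accordingly before trusting the block boundaries.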
Decoding the files

Look at the Wii's titlekey and ticket system; it seems to be very similar here. emoose has written a very extensive NAND image decoder which will parse all the files and pick out useful information.

Non-volatile on-chip memory

On the ASIC, there are a few NVRAM regions that are referred to as "Virage" by the SDK. Virage is a company specializing in IP blocks (intellectual property cores) for integration into a vendor's custom chips, in the same way the iQue integrates a USB IP block from Silicon Portals.
There are a maximum of 26 supported trial games, each incrementing a 16-bit integer up to its limit. Zeroing these resets the trial games to an unplayed state. Because there are two blocks, the SK uses whichever block has the higher counter in it. Preliminary tests show that Virage2 can be written, but so far not successfully. It's possible that the erase circuitry for this area is disabled, which would make it true OTP, where bits can only be programmed from a 1 to a 0 and not the other way. So far, 2 writes seems to be the ceiling before a unit is effectively bricked.

Boot Process (Theorized)
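The two-block counter selection and the one-way OTP programming constraint described under Non-volatile on-chip memory, as an added Python example (not the SK's code and not from the notes). The notes give only the counts, so the block layout here is assumed: a big-endian 32-bit write counter followed by 26 big-endian 16-bit trial counters, with 0xFFFF standing in for "limit reached"; big-endian is assumed from the MIPS target. The otp_write_possible check shows why zeroing the counters is consistent with a 1-to-0-only part while a write that needs any 0-to-1 transition can never land.

```python
"""Select the live Virage2 block, decode its trial counters, and check OTP reachability.

Added example. Assumed layout (not from the notes): 32-bit big-endian write
counter, then 26 big-endian 16-bit trial counters; 0xFFFF = limit reached.
"""
import struct

MAX_TRIALS = 26                      # from the notes
TRIAL_LIMIT = 0xFFFF                 # assumption: a 16-bit counter saturates here
COUNTER = struct.Struct(">I")        # assumption: big-endian write counter
TRIALS = struct.Struct(">" + "H" * MAX_TRIALS)
BLOCK_LEN = COUNTER.size + TRIALS.size   # 56 bytes under these assumptions


def decode_block(img):
    """Return (write_counter, [26 trial counters]) from one block image."""
    if len(img) < BLOCK_LEN:
        raise ValueError("block image too short")
    counter = COUNTER.unpack_from(img, 0)[0]
    trials = list(TRIALS.unpack_from(img, COUNTER.size))
    return counter, trials


def encode_block(counter, trials):
    if len(trials) != MAX_TRIALS:
        raise ValueError("need exactly %d trial counters" % MAX_TRIALS)
    return COUNTER.pack(counter) + TRIALS.pack(*trials)


def select_live_block(block_a, block_b):
    """The rule from the notes: the SK uses the block with the higher counter.

    Returns (index, counter, trials). On a tie block A wins (assumption).
    """
    ca, ta = decode_block(block_a)
    cb, tb = decode_block(block_b)
    return (0, ca, ta) if ca >= cb else (1, cb, tb)


def trial_state(trials):
    """Classify each slot: zero is the unplayed state the notes describe."""
    return ["unplayed" if t == 0 else "exhausted" if t >= TRIAL_LIMIT else "in use"
            for t in trials]


def otp_write_possible(current, desired):
    """True-OTP check: a bit may go 1 -> 0 but never 0 -> 1 when erase is disabled.

    Any byte where `desired` has a 1 bit that `current` has as 0 cannot be
    programmed, so such a write can never succeed.
    """
    if len(current) != len(desired):
        raise ValueError("images differ in length")
    return all(((d & ~c) & 0xFF) == 0 for c, d in zip(current, desired))


def build_sample_blocks():
    """Constructed pair: block A is the stale copy (counter 7), block B is live (counter 9)."""
    a = encode_block(7, [3, 0, TRIAL_LIMIT] + [0] * (MAX_TRIALS - 3))
    b = encode_block(9, [4, 1, TRIAL_LIMIT] + [0] * (MAX_TRIALS - 3))
    return a, b


if __name__ == "__main__":
    a, b = build_sample_blocks()
    idx, counter, trials = select_live_block(a, b)
    print("live block", idx, "counter", counter, trial_state(trials)[:3])
    zeroed = encode_block(counter, [0] * MAX_TRIALS)
    print("zeroing reachable under OTP:", otp_write_possible(b, zeroed))
    print("A -> B reachable under OTP:", otp_write_possible(a, b))
```

The OTP check is the part worth running before any write attempt on a unit: given the two-write ceiling the notes report, a candidate image that fails it would burn one of those attempts for nothing.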
Savegame Support

Originally, the N64 had several means of storing save data in cartridges: EEPROM, SRAM, and FLASH. The buffer seems to generally be located in high RDRAM at 0x807C0000. As a result, all current iQue game dumps will never save properly on regular N64 hardware without patching.

PC-side software

The client software consists of:
Main web client

The main program is a wrapper between the DLL which contains all the resources and an ActiveX Internet Explorer control showing HTML and JavaScript from the resource DLL. You can load it up into a resource editor and witness the sloppy JavaScript if you really want.

Screenshot: listing of the games on the card. It's almost completely full. Zelda and Dr. Mario are full versions; the rest are time-limited trials. The non-game is a game instruction manual.

Screenshot: enjoy being creeped out while you choose from Club iQue login, card management, and store listing options.

Screenshot: the first game listing page.

Besides being total garbage, it gives random scripting errors occasionally. You can also run some sort of diagnostics from it as well.

Driver DLL

Pretty much a one-line edit and recompile from the BulkUSB DDK sample (as you can see). The connecting chip in the iQue hardware is manufactured by Silicon Portals.

Hardware

Custom NEC ASIC. Everything possible was consolidated into it. The CPU, RCP, PIF, etc. are all in there, along with everything that is new. The R4300i is now clocked at 1.5x the speed it originally was, yielding a clock speed of 140.625 MHz.
RAM

It's wired to a Samsung 16 Mbyte DDR memory chip. This seems to compare admirably to the Rambus RDRAM in the original -- various choppy scenes and lag in the original games are simply gone. This is not simply a result of recompiling the games, either. As far as bandwidth, this would provide effectively 1536 Mbytes/sec, roughly 3x that of a regular N64 at 500 MB/sec. Since RAM bandwidth is by far the chief reason for slowdown on N64, the iQue would be an ideal platform for running brutally slow titles like Perfect Dark.

NAND

The 64 MB (512 Mbit) NAND chip is used as the cartridge ROM for each game. An additional hardware layer was developed to allow this NAND to transparently emulate the cartridge PI bus, decrypting AES on the fly. Audio ADPCM streaming is done from it like the original, with the game/CPU executing from RDRAM. When you yank the cartridge while a game's running, audio fails but the game runs until it needs something crucial from ROM.

Clock Generation

Custom ICS420BG clock synthesis chip. There is one 14.318 MHz quartz crystal (besides the watch crystal for the RTC). I figured out the PLL ratio as 57/17 to generate 48 MHz. 96 MHz is also generated. 192 MHz is generated for clocking the DDR memory controller inside the ASIC, which in turn drives the DDR differentially. A different clock may be substituted here; as with the original N64, clocks that are too far out of range will cause VI display corruption even though actual data integrity is preserved.

Power

The included power brick is a typical low-cost DC supply comprising just a transformer, rectifier and smoothing caps. However, the transformer is only wired for 220 V, so users in North America or Japan will need to find an alternate power brick. Output is 5 VDC, 2 A, center tip positive. Empirical testing shows that better A/V output is produced around 6 volts (most transformer-based supplies produce a somewhat higher voltage than rated). Operation cuts out around 4.6 volts.
Incoming ~5 V goes through a PTC and some passives to an LT1940 dual switching regulator for 2.5 V (DDR) and 1.5 V (ASIC core). 3.3 V for the rest of the ancillary silicon is generated by a generic SOT-223 LDO. Power usage is around 50% of the original N64, clocking in around 3.5 watts, where the regular N64 by itself runs about 7-8 watts.

Video

Digital RGB signals are broken out onto test points. This includes the 48.68 MHz NTSC pixel clock, just like the regular N64. However, where there is an external NTSC video encoder on the old N64, it seems the composite video generation was integrated into the ASIC.

Sound

MS6610BS audio DAC, pin compatible with the TDA1545. ~1.5 MHz bit clock. Line-level output is amplified by a TDA1308 headphone amplifier and run into the A/V umbilical. Seems to use the same right-aligned quasi-I2S as the original N64, and can be inspected through test points.

Real-time Clock

An STMicro M41T0, 32.768 kHz watch crystal and primary lithium cell provide time of day for enforcing play limitations. One of the stipulations of the Chinese government for the device's release was limiting play time, in order to "prevent dereliction of the youth". This RTC chip only contains the most barebones set of registers for reading and writing the time. As such, it's not possible to store any extra data in here, such as trial limits, nor to set any alarms - only the clock is stored and incremented.

USB Protocol

The Silicon Portals core currently transfers at USB 1.1 Full-Speed - typical transfer rates are under 300-400 kbyte per second. As for the protocol itself (bytes transferred), it's very simple and also quite dumb, but it does the job. Incidentally, the protocol used for shuffling data over the dumb USB pipe is exactly the same as the protocol invented by SGI to perform debugging on the very first Ultra 64 Indy development board almost a decade prior - RDB.
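The 57/17 ratio reported under Clock Generation above can be recovered by a plain brute-force search over integer multiplier/divider pairs. This is an added Python example, not the author's method or anything from the ICS420 datasheet; the divider bound of 32 is an assumption, since the part's real programmable range is not given on the page, and the 48/96/192 MHz multiples are taken from the notes.

```python
"""Recover a PLL multiplier/divider pair from a reference and a target clock.

Added example. It reproduces the 57/17 ratio the notes report for deriving
48 MHz from the 14.318 MHz crystal by exhaustive search. The divider bound is
an assumption, not a documented limit of the ICS420.
"""

REF_MHZ = 14.318          # crystal frequency from the notes
TARGET_MHZ = 48.0         # first synthesized clock from the notes


def find_pll_ratio(ref_mhz, target_mhz, max_div=32):
    """Return (mult, div, out_mhz, error_mhz) with the smallest absolute error.

    For every divider N up to max_div the best integer multiplier is the
    rounded value of target*N/ref; ties keep the smaller divider. Only
    integer-N ratios are considered (no fractional-N synthesis).
    """
    best = None
    for div in range(1, max_div + 1):
        mult = round(target_mhz * div / ref_mhz)
        if mult == 0:
            continue
        out = ref_mhz * mult / div
        err = abs(out - target_mhz)
        if best is None or err < best[3]:
            best = (mult, div, out, err)
    return best


def check_ratio(ref_mhz, mult, div, target_mhz, tolerance_ppm=1000):
    """Verify a claimed ratio lands within a ppm tolerance of the target.

    Returns (ok, ppm_error); the tolerance is an arbitrary sanity bound.
    """
    out = ref_mhz * mult / div
    ppm = abs(out - target_mhz) / target_mhz * 1e6
    return ppm <= tolerance_ppm, ppm


def derived_clocks(base_mhz, multipliers=(1, 2, 4)):
    """The notes list 48, 96 and 192 MHz; these are the integer multiples of the base."""
    return [base_mhz * m for m in multipliers]


if __name__ == "__main__":
    mult, div, out, err = find_pll_ratio(REF_MHZ, TARGET_MHZ)
    print("best ratio %d/%d -> %.4f MHz (error %.1f kHz)" % (mult, div, out, err * 1000))
    print("57/17 within 1000 ppm:", check_ratio(REF_MHZ, 57, 17, TARGET_MHZ))
    print("derived clocks:", derived_clocks(out))
```

The same search is a quick way to sanity-check any substitute crystal before fitting it: run it with the new reference frequency and compare the residual error against the VI corruption threshold the notes warn about.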
Pictures

DDR RAM intercept hardware

Theory of Operation

The plan is to wire an FPGA in parallel with the DDR system memory, clock the RAM slower, and then allow the RAM to be physically disconnected while the iQue is running so that the FPGA can dump the contents of the RAM. It is unknown if any crypto was used on memory, but it's unlikely, as the X360 is the first known console to do so.

First unsuccessful attempt

Back in 2013 I had an idea to create a board that would physically go in the middle between the RAM and the iQue board. The DDR footprint was mirrored to create a top and bottom connection as a passthrough, but ultimately I found it essentially impossible to solder everything in place.