10 Days of Hacking, Day 1: The NES

January 14, 2014


We all know how much the NES revolutionized the market and even saved it from the crash caused by all the shovelware titles on the Atari 2600. What most of us don’t know is that it was also the first console to be hacked, if we rely on the modern meaning of console hacking: bypassing the security imposed on games to prevent unauthorized copies from being played.

Although playing backups of your own games was not the main goal at the time, playing pirated and other unauthorized content was the main goal achieved by these hacks. Back then there was no real way for you to buy a blank cartridge, connect it to your PC and “burn” a downloaded or backed-up copy of a game, and homebrew was not even an idea anyone had conceived at the time. So why was the NES hacked then? You couldn’t back up your games and you couldn’t download homebrew, so what was the point? Well, there are three different points here, and to cover them I need to explain one major thing: the actual security mechanism of the NES and what it was meant to do.

BOOTLEGS

Piracy has been around for ages, and not even the NES could escape it. Although back then piracy was not as mainstream as today, and we couldn’t really download and “burn” games, we could find very cheap bootleg cartridges that included collections of games, sometimes offering 100-in-1 collections or something along those lines, for a much cheaper price than official cartridges, which only offered 1 or 2 games each. Although most of the games in these megapacks were the same games listed multiple times with slight variations created through hacking, it was still a much cheaper investment than original ones.

NINTENDO AND THIRD PARTY SOFTWARE

Due to the countless third party shovelware titles that plagued the 2600 and led to the industry crash (we’ll see this in more detail when I write the 8 Days of Gaming feature), Nintendo was very strict with third party companies, often using what we may consider today to be draconian measures to ensure a minimum quality in the titles released. Some of these restrictions included limiting the number of games a third party company could produce annually to three, but the most important of all was the inclusion of a special lockout chip called the 10NES.

10NES Lockout Chip

The 10NES Lockout Chip was formed of two parts: the lock, which goes into the system, and the corresponding key, which goes on the cartridge. The 10NES’ function was simple: keep restarting the system indefinitely until a cartridge with its corresponding 10NES key was inserted into the system. The 10NES chip was used by Nintendo to prevent the release and distribution of unlicensed third party games, pirated games and imported games. Yes, the restriction also applied to games from other regions.

The 10NES came with a problem though: even if the game is legit, if there is not a strong connection between the system and the cartridge, it will not detect it, and will block the game. This is normally what we expect from cartridges: if it doesn’t connect well, it doesn’t work.
The problem here was that the NES itself was a greatly flawed machine when it comes to design choices. The first thing we notice when we compare the NES to pretty much every other cartridge-based console, including the ones that came before it, is that it was not a top-loading device. It was instead created to simulate the zero-insertion method of VCRs, one of Nintendo’s design choices to make the NES look more like a generic entertainment device than a console.
The difference is that, while with VCRs the tape was safely inserted into place by machinery, on the NES you had to do the actual insertion yourself, pressing down on the cartridge to have it lock into place.

This was a problem because it led to the pins inside the system bending over time, causing the games to have a hard time connecting to the system, and thus having the 10NES lockout chip refuse to boot your copy of the game.
This also led to the theory that blowing into your cartridges was good because it removed dust and debris, ensuring a solid connection. The truth is that the air you blow into the cartridge is heavily moist, and moisture is a good conductor of electricity, so you basically allowed the cartridge to connect better to the system. That came at a price, though, as this moisture also leads to corrosion, which ultimately damages your cartridges beyond repair.

So let’s recap: the 10NES chip prevented small-time third party developers (who we would today call indie devs) from creating games for the system, and it was a major contributor to all the broken games that you had in your childhood. On top of that, there were people selling illegal all-in-one cartridges that contained a lot more games than a single official cartridge would get you, for a much lower price. So it’s reasonable to assume that people wanted to circumvent this protection, but how did they do it?

CIRCUMVENTING THE 10NES

Early third party games, as well as the well known Game Genie, used a very peculiar method: they had a slot on them where you had to insert an original game. The cartridge simply replaced the original game’s data with its own, while the 10NES key from the original game was bridged onto the system. Pretty clever, but we can’t forget that these were 1980s electronics; they weren’t so advanced.

You can of course guess why that method was not that effective: you still had the 10NES active, and the problem with bent connector pins still existed. Other companies developed a different method that knocked out the 10NES itself: they used voltage spikes, basically frying the 10NES to be able to circumvent it.
This is obviously not a good idea. We don’t want a cartridge that temporarily fries a component of our console, and we still have the problem of our legit cartridges not being recognized by the 10NES.

So comes the best hack one can do to the 10NES: disable it internally.
Pin 4 of the 10NES is a +5V pin; when it is cut away from the motherboard, the 10NES chip becomes fully disabled.
This hack not only allowed you to easily play unlicensed games and bootlegs, but also allowed you to play your legit games again without the 10NES interfering. You could also play import games.
This hack is more in line with modern hacking methods and could be considered the first actual console hack.


There is of course a legal way to play your legit games and imports without the 10NES and bent pins getting in your way, and that is by buying the NES 2, a remodeled version of the NES that did not include the 10NES lockout chip and had a top loading design like every other console ever, so I’d grab that one if I were you.

CONCLUSION

While electronics were much simpler back then, it doesn’t take much to go out and find hacks that old that resemble the ones we have today. One can only wish that hacks did not ultimately result in piracy.
Stay tuned for more!
