Skip to main content

A Short History of Device Lockout Methods in Consumer Electronics, Part 1

Submitted by kmeisthax on Mon, 11/26/2012 - 23:49 in Rants

For the purpose of this article a "Device Lockout Method" will refer to any means a consumer electronics manufacturer uses to prevent unauthorized use of it's hardware. Manufacturers use device lockout to protect and enhance their business models by ensuring that third parties cannot produce compatible add-on hardware or software without a licensing agreement, and ensuring that end users cannot alter the functionality of the hardware beyond what it is specified to do.

Atari Video Computer System (VCS) / Atari 2600

The first successful consumer electronics device with interchangeable cartridges that most people would recognize as a game console. This is also notable for being the first game console with significant third party development. For the purpose of this article "third party development" will include any activity by people other than the manufacturer to create add-ons, games, cartridges, or software for a consumer electronics device. It's important to note that all Atari third-party development was unlicensed. Atari actually sued the first third-party Atari developer, Activision, and lost; this established the legitimacy of Atari third-party development.

More notable is the fact that most Atari third-party development was, quite frankly, complete and total shit. This resulted in a crisis in the confidence of software quality for Atari and more generally all game consoles. While Atari themselves were more than not responsible for the resulting crash in the game console market; it was widely believed at the time and going forward that a rush of inexperienced and unqualified third-party developers was responsible for it.

Mattel Intellivision II

I'm not too familiar with the Intellivision, but it's redesign, the Intellivision II, is notable for being, as far as I can tell, the first attempt to detect and lockout unlicensed third-party developed cartridges. The console was designed around a fairly hefty BIOS ROM, which contained a copyright routine which displayed a big green "COPYRIGHT MATTEL ELECTRONICS" screen. Naturally an unlicensed Intellivision cartridge is going to skip that routine because it's not a Mattel cartridge; the Intellivision 2 BIOS ROM will check if the copyright screen was bypassed (by looking for valid copyright data in the cartridge ROM) and halt the game if that were to happen. Some Intellivision games produced by Mattel before the Intellivision II skipped the Copyright routine anyway and didn't have the proper copyright data in their ROMs, and thus won't run.

This kind of lock-out we'll call Trademark Protection. It's designed to lock out unauthorized third-party developers by requiring that all games display a copyright screen of the manufacturer. The legal status of Trademark Protection based lockouts is dubious, however, most unauthorized third-party cartridges, as well as unauthorized clone/pirate cartridges (which we'll discuss later), will attempt to avoid displaying the trademarks of the manufacturer they didn't license from.

Nintendo Family Computer (ファミコム Famicom) / Nintendo Entertainment System (NES)

The Famicom / NES is notable for being the first game console to actively allow third-party development, but only under an extremely restrictive licensing scheme. Game developers paid large sums of money for expensive development hardware which had to be stored in secure facilities such that development hardware wouldn't fall into the hands of unlicensed developers. This isn't technically a lock-out mechanism, but I did want to mention how much of a pain it is to work with the manufacturer.

Suprisingly enough the Famicom actually lacked any lockout mechanism whatsoever. Nintendo, perhaps because at the time they were mainly a Japanese company with little experience with America's harsh games market at the time, didn't think to use lockout. As such the only real restriction on producing unlicensed cartridges was a lack of documentation, which wouldn't stop people for long.

When Nintendo of America attempted to shop the Famicom for US release, they made a number of changes to the design including larger cartridges, a boxier, VCR-like design, and a new, rewired cartridge bus. This cartridge bus also featured a few new pins allocated to a special chip mysteriously labeled "10NES". This was a 4-bit "CIC" microcontroller present on both the cartridge and the system board wired in such a way that they can communicate with each other. More importantly the CIC microcontroller on the system board is holding the RESET line of the CPU and will toggle it every second if the cartridge CIC doesn't validate or stops validating mid-game. This is a form of hardware-based lockout, and it's designed mainly to ensure that people cannot mass-produce cartridges without Nintendo's permission.

Most people would be familiar with the 10NES lockout because of the NES's notable reliability problems - the cartridge slot would warp over time. This had various side effects, including some hilarious graphical glitches due to the split graphics/data ROM bus. However, if the CIC pins are warped, then games would display a characteristic, tell-tale "blinking" as the system CIC constantly reset the game.

Nintendo's CIC lockout was effective for a while, but the increased popularity of the NES ensured that this wouldn't stay for long. A number of workarounds were created: The simplest was to just wire a second cartridge port on top and plug in a game with a legitimate CIC on the top. This version of CIC lockout had no means to authenticate that the game connected to the CPU was the same as the the game the authenticating CIC was on. It's technically undefeatable, but also cumbersome, and also very dodgy (from the point of view of a game buyer). It was, however, particular effective for unauthorized non-game cartridges - cheat devices such as the Galoob Game Genie (which was proven legal in court) didn't even need to explain that the authentication was even there in the first place.

A second way to defeat the CIC was with a voltage spike, which worked until an NES manufacturing revision that added diodes on the lines that connect to the cartridge bus.

Thirdly, a particularly thorny unlicensed developer named Tengen (ironically founded by the Atari people) just cloned the 10NES entirely by industrial espionage (they went to the Patent Office and grabbed a copy of the 10NES patent). This was the most effective but also left them open to legal attacks. Interestingly enough there was a clean-room disassembly of the chip going on at Tengen, but requesting documents from the Patent Office kind of dirties your clean-room.

Most third-party developers got licensed. Nintendo's third-party developers still stand as an example of why manufacturer lockout is a terribly bad thing for consumers and developers. Nintendo enforced a large host of restrictions on developers - they could only release five games per year, Nintendo controlled production of game cartridges and decided how much your game would sell, and you were banned from developing for competing consoles. This last big sparked an FTC lawsuit which was resolved by... giving everyone $5 coupons towards the purchase of more NES games; and thus the reputation of games consoles being a closed platform was firmly established because the FTC let Nintendo get away with most of it. Yes, Nintendo had to let people develop games for Sega, but they still got to control the whole pipeline otherwise.

Sega Mega Drive / Genesis

The Mega Drive has a strangely similar lockout situtation to the Intellivision. The first revision had no lockout; however, all developers were required to use a Sega provided boot screen routine. Later revisions (before the Model 2 Genesis) had a lockout known as "Trademark Security System" (TMSS). It was accomplished by way two lock-outs in tandem - first, there was a bootrom, which would check for a "SEGA" at a location in the game ROM and refuse to boot if it wasn't there; second, the game would have to write "SEGA" to a particular input port before making any VDP accesses, or the system would lockup. Both were required, and the former would cause a screen to appear saying "PRODUCED BY OR UNDER LICENSE FROM SEGA ENTERPRISES LTD".

Despite having been planned since 1989 Sega was unable to avoid the same problem the Intellivision II had of locking out licensed games. In fact, it locked out more - a grand total of ten or eleven so far are known to be unplayable on Model 2 Mega Drives.

The effectiveness of TMSS ceased when Sega v. Accolade ruled that there was no copyright or trademark infringement resulting from producing unlicensed games that bypass Trademark Protection. So long as your game stated it was unlicensed, it could bypass TMSS all it liked. Accolade settled with Sega out of court and Sega no longer enforced TMSS through legal means.

The Mega Drive also has two region bits: Foriegn/Domestic and NTSC/PAL. These were used by games for a new type of lockout designed to prevent games from being sold outside of an authorized region - if a game sees that it's on the wrong type of Mega Drive, it'll just refuse to run. This is known as regional lockout, and is one of the first lockout systems targeted at end-users. Regional lockout systems exist mainly for the purpose of enforcing the broken corporate organization of large scale media companies on end users. It's even more of a deliberately anti-consumer tactic than third-party development lockout.

Nintendo Game Boy

The Game Boy also uses a similar Trademark Protection type lockout. There's a Nintendo logo in the game cartridge header. The system's bootrom loads the logo from the cartridge, displays it on screen, and then verifies it against it's own copy of the logo. If it doesn't display "Nintendo" the game doesn't run. Unlike previous Trademark Protection lockouts, this one was present in all models and thus did not have the problem of locking out legitimate games.

Like the CIC lockout, most people are more familiar with this when cartridges would show a dirty or nonexistent Nintendo logo and their games wouldn't run.

As both the Mega Drive and Game Boy have similar lockout provisions, they were both rendered ineffective by Sega v. Accolade. The Game Boy most likely used Trademark Protection type lockout due to a lack of cartridge space for a dedicated security circuit.

A strange quirk of the Gameboy and Gameboy Color is that their Trademark Protection enforcement is actually incomplete and it's possible to make custom Gameboy bootrom logos. This is because both models of handheld have faulty enforcement. The Gameboy reads the bootrom twice, so it's possible to provide it your custom logo the first time (when it copies to the screen) and the official Nintendo logo the second (when it actually checks the logo). The Gameboy Color just forgets to check the second half, so there's a lot of unlicensed cartridges out there with Nintendo logo edits ranging from creative to absolutely cheap.

Nintendo Super Famicom / Nintendo Super Entertainment System (SNES)

The SNES on the other hand continued the use of CIC-type hardware lockout. The Super Famicom also gained CIC-type hardware lockout as well. The CIC-lockout also gained an aspect of region locking as the European SNES has a separate CIC program - this was mainly to prevent interoperability between European SNES hardware and Super Famicom hardware, as they used identical cartridge housings. The American SNES used it's own cartridge housing which would not physically fit into a European SNES or a Super Famicom.

Games themselves grew anti-piracy routines during this period in time. Cheap Chinese-manufactured game copier devices were manufactured which would copy a legitimate game ROM onto floppy discs or store it in internal memory. Game developers themselves started designing their own lock-out mechanisms to prevent their games running on nonauthentic hardware. Simple anti-piracy lockout routines would do things like check for SRAM or the wrong size of SRAM, as most game copiers were unaware if a game required battery-backed saves and would simply provide as much as possible. (Some Genesis games also started doing this as well.)

Some more drastic anti-piracy tactics were to simply put extra CPUs on the game cartridge with their own ROMs. This was actually more of a response to the Super Nintendo's rather anemic CPU, although most of the time it also disrupted game copiers.

This article has covered most lockout methods up until 1994. A number of trends have started to emerge which will radically change the target of lock-out from corporations and developers to end-users. Additionally, we'll see new storage media, new lock-out methods, and the expansion of lock-out beyond the realm of game consoles.