Museum of the Game® & International Arcade Museum® Forums

TLDR; At the bottom of the post are the ROMs to revive a suicided Johnny Nero and Special Forces Elite Training board. I'm posting a bunch of other technical info for anyone interested.


There's been discussion over the years about the "suicide battery" on Johnny Nero and Special Forces... some where it simply dies, killing the board - and others where the user has an unrelated problem, thinks swapping the battery might help (despite a pin soldered in place that blocks the battery from being removed and the large text that instructs them to only replace with the board powered on), which kills it.

This has intrigued me for a while, but I had never come across one of these boards, so I was only able to make some assumptions based on a little bit of information available, and an incomplete MAME driver. But just recently @Crzmx sent me two boards to check out, though it turns out only one had a dead battery, and neither of them were actually dead.

I started digging into the technical details and confirmed that the battery was connected to the Xilinx FPGA (I didn't remove the heatsink, but based on the IC package and bitstream size, likely a Virtex-II Pro XC2VP7 in a FF672 package). These can have a key loaded to battery backed memory to allow a 3DES encrypted bitstream to be used. Therefore when the battery dies, the key, and the ability to load those encrypted bitstreams, dies with it. These FPGAs are pretty old, and there's a known vulnerability to extract the key by doing a power analysis (https://eprint.iacr.org/2011/390/), but this requires a board with a working key, and a specialized hardware and software setup to crack. It's also possible that just a single key was used (essentially DES instead of 3DES), in which case the bitstream could likely be brute-force cracked. But again the technical details to do so would require a bit of effort to get to the point to attempt that.

But the good news is that as I mentioned above, one board had a dead battery, but wasn't dead! After dumping the boot ROM, I looked at the file and found what I suspected was the FPGA bitstream at offset 0x70000. Given that it had a large amount of 0x00 bytes, I was fairly certain that the bitstream was NOT encrypted, and therefore not susceptible to a dead battery. An encrypted bitstream will appear to be mostly random data. Looking at the same 0x70000 offset in the Special Forces boot file, I saw the expected blob of random looking data (encrypted FPGA bitstream).

This unencrypted Johnny Nero ROM is labeled D170.05523. From a bit of searching, I found where people have had a suicided Johnny Nero, and the pictures posted looked to have a boot ROM labeled D170.04. So simply replacing their D170.04 boot ROM (and possibly other versions) with the D170.05523 boot ROM should revive a Johnny Nero. This is a 27C801 (or equivalent) EPROM. This ROM was already dumped in MAME, though typo'd to D710.05523 (and actually, the D170.04 with encrypted FPGA isn't dumped, so if anyone can dump that ROM for completeness, please do!). And anyone already running D170.05523 should be immune to any problems caused by the dead battery.
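
The zero-byte observation in the post can be turned into a quick check on a boot ROM dump. This is an added example, not part of the original post: it measures the fraction of 0x00 bytes and the byte entropy of a window starting at offset 0x70000. The window size, both thresholds and the two sample images are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BITSTREAM_OFFSET = 0x70000  # offset given in the post
WINDOW = 0x10000            # assumption: bytes sampled, not the true bitstream length

def region_stats(image, offset=BITSTREAM_OFFSET, length=WINDOW):
    """Return (fraction of 0x00 bytes, Shannon entropy in bits/byte) for a slice."""
    region = image[offset:offset + length]
    if not region:
        raise ValueError("dump too short to contain the requested region")
    counts = Counter(region)
    total = len(region)
    entropy = -sum(n / total * math.log2(n / total) for n in counts.values())
    return counts.get(0, 0) / total, entropy

def looks_encrypted(image, offset=BITSTREAM_OFFSET, length=WINDOW):
    """Heuristic only; both thresholds are assumptions, not vendor figures."""
    zero_fraction, entropy = region_stats(image, offset, length)
    return entropy > 7.9 and zero_fraction < 0.02

def _pseudo_random(n):
    """Deterministic random-looking bytes standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])

# Constructed sample images (not real ROM contents): 0xFF filler up to the
# offset, then either a sparse, zero-heavy region or a random-looking one.
_FILLER = b"\xff" * BITSTREAM_OFFSET
PLAIN_IMAGE = _FILLER + bytes(i % 251 if i % 16 == 0 else 0 for i in range(WINDOW))
ENCRYPTED_IMAGE = _FILLER + _pseudo_random(WINDOW)

if __name__ == "__main__":
    for name, image in (("plain", PLAIN_IMAGE), ("encrypted", ENCRYPTED_IMAGE)):
        zeros, entropy = region_stats(image)
        print(f"{name}: zeros={zeros:.3f} entropy={entropy:.3f} "
              f"encrypted={looks_encrypted(image)}")
```

To check a real dump, read the EPROM image as bytes and pass it to `looks_encrypted`; a result of `False` matches the zero-heavy pattern the post describes for the unencrypted ROM.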