Unlimited Plays on a Dinosaur King Machine

dannywrayuk

Hey there 👋

I recently purchased a Dinosaur King Machine. I loved this game when I was a kid and it used to be a highlight of my family holidays. So when I saw one for sale I couldn’t resist. However, when I bought it I was already aware that there is a management chip inside that causes a few issues.

For those that don't already know, SEGA have put a limitation on the number of times you can play the machine by using an RFID chip that contains a counter. Once this counter hits 0, you need to replace it before you can play the game again. Traditionally this would have been given to you with the purchase of new dinosaur cards from SEGA.
Nowadays, I don’t think you can even buy the chips from Sega directly anymore, so they have to be purchased on the aftermarket. I also don’t want to spend money on these and, inevitably, they will likely become harder and harder to come by.

It doesn’t seem like there is a solution to this problem. There are lots of threads of people asking about cloning the chips, but no answers. Rumours of “development chips” that last forever, and some suggestions that there could be a software patched version of the game, but I haven’t found anything concrete.

Before I even bought the machine I liked the sound of this challenge, and fancied my chances at solving it.
I’m happy to report that after a bit of research I’ve found a method to read, clone and create new ‘chips’ and allow us to use the machines indefinitely for free, no chips required. In this post I'm going to document the journey of how I got there and how you can do this yourself!

Background

Online it seems like the most commonly cited approach to solving the chip issue involves ‘cloning’ a chip. The idea is that while a chip has credits remaining, a duplicate could be made. Then once the original chip has expired, it can be replaced with the duplicate that still has credits. Unfortunately, an issue with this approach can be found in the maintenance manual for the machine. When a chip is used the machine stores the serial number of the chip along with the number of credits remaining. If the number of credits increases then the machine flags this as an Illegal chip and won’t turn on. This is the approach that I started to research.

This post is interesting. But as far as I can see the chips use a proprietary format that doesn’t exist anymore, so I doubt a modern reader will work.
Reading the chip with a modern reader is unlikely to work, but you know what can read the chip? The machine! In fact, there are two “Picochet” readers in every machine that work using this proprietary standard. If we could utilise the Picochet reader we could potentially read a chip.

The Machine and the Picochet

Below is a screenshot from the maintenance manual. It shows how the machine communicates with the Picochet. And it’s good news! The board in the middle uses RS232, a super common serial standard. Here’s the plan, we stick a device in-between the machine and the Picochet and send all serial activity happening on the bus over to a computer for analysis.

Screenshot 2023-09-08 at 21.42.26.png

At this point I wasn’t 100% sure if this would actually be helpful. For all I knew the serial data could be encrypted, rendering the output basically useless. Even so, I bought an Arduino Mega clone for about £20 on Amazon and gave it a go.

The first problem I encountered was a pretty basic one, the manual for the machine or the Picochet don’t tell us what any of the 5 wires do. I guessed that Red and black would be power and ground, which is pretty standard. It turns out that I was completely wrong. To figure this out I had to write a program for the Arduino that would plot the activity on the wires like an oscilloscope. Doing so revealed the following:
  • Red: +5v
  • Green: ground
  • Black: Machine TX, Picochet RX
  • Yellow: Machine RX, Picochet TX
  • White: Nothing
This was my set up. I would turn on the machine in service mode, run the maintenance chip test and see what was happening.

Screenshot 2023-09-08 at 22.40.24.png

Cue the second problem. Serial data can be transmitted at multiple frequencies (baud) and in multiple formats. I knew none of these. It was at this point I started researching the Picochet a little more. All I had was the manual and it was pretty useless. After quite a bit of digging, I was able to find this on the Japanese manufacturer’s website!

rfid_img14.gif
Source, Source

Lots of useful information on there, but nothing about the serial data format. This next stage was probably one of the longest parts of the entire process.

First I tried all of the standard bauds, none of them gave an output that seemed very meaningful. I figured that it must be a non-standard baud so I wrote a simple Arduino program to measure the shortest time between signals. After running this a few times I was consistently getting ~52ms. This corresponds to a baud of 19200 and had me a little surprised given I’d already tried that rate. So finally I went through all the possible data formats allowed by the Arduino’s serial port and the only one that gave a sensible output was SERIAL_8E1.

But weirdly the machine was still not reading the chip.
It was as if the Arduino between the machine and the reader was causing an interference. Eventually it dawned on me that the communication between the computer and the Arduino had to be faster than the communication between the machine and the Picochet, otherwise the responses wouldn’t be fast enough. After fixing that, it finally worked. I checked the serial output on my computer and I had about 90 bytes of communication between the machine and the Picochet. This was quite a big milestone, the machine was no longer directly connected to a chip.

The data that I extracted can be seen here. The machine on the left, and the Picochet response on the right.

Emulating the Picochet

One of the responses from the Picochet was quite long and contained a lot of zeros. Upon closer inspection, the data was 128 bytes long, which is exactly the same size as the chip. After reformatting the data into rows of 4 bytes this is what I had.

By adding up the counter values (E2 + FF + FF) and converting to decimal, we get 736! This is exactly how many plays I have left on the chip! It also means that the data on the serial bus is not encrypted! From this point on I knew exactly what to do. I would play a game on the machine while recording all the activity, including the message the machine sends to decrease the value of the chip. Then I would write an ‘emulator’ for my Arduino that would mimic the responses that the Picochet sends to the machine.

This took a few days. All the program is doing is listening for the machine to send a request, then it would send over a copy of the response that we extracted from the Picochet earlier, just with any chip data being replaced with whatever we want. The machine has no way to tell the difference between the Picochet and the Arduino. To begin, I just had the Arduino respond with the exact same content that I had extracted from the chip.

The machine would display “Read Success” without being connected to the Picochet. Obviously the very next thing I tried was increasing the number of credits back up to the original 800. Unsurprisingly, the manual is right, and I got an illegal chip error. However, since I had complete control of the chip, I could modify the serial number. I changed it and it worked! The machine read this as a brand new chip. I now had a fake chip with the full 800 credits.

Screenshot 2023-09-08 at 22.49.35.png
(Sorry for the bad quality this happened at 2am or something)

Since then, I’ve added some extra logic into the program that waits for the chip to reach zero, then resets the count back to 800 and picks a new serial number. After some experimentation, I've found that changing Serial0 or Serial1 will cause the machine to think that it is a different chip.

By automatically changing the serial numbers, this program is able to represent so many chips. At 64 bits it’s something stupid like 2^64, and then 800 plays for each of those chips. Crazy stuff, good luck using all those anytime soon ;)

Doing it yourself

If you would like unlimited plays on your own machine, here’s what you need to do. (These instructions might change, see the GitHub repo for the latest updates.)

Step 1. Get an Arduino.
These are quite cheap. I’m currently recommending the Mega, as that’s what I have. It might be possible to get this working using the software serial on another board.

Step 2. Load it with the program I’ve written.
https://github.com/dannywrayuk/dinosaur-king-chip-emulator
There are plenty of tutorials on how to do this on YouTube. It’s quite easy.

Step 3. Run the setupEEPROM command.
Use the serial monitor to send the 'setupEEPROM' command; this should initialise it.

Step 4. Wire up the Arduino to the machine.
I’d recommend opening up the Picochet and inserting some wires into the ends of the connector.
Screenshot 2023-09-08 at 22.47.26.png
375017633_230791736244696_4993474947714884588_n.jpg
Red: Vin. Green: GND. Yellow: 18 (TX1). Black: 19 (RX1). White isn’t required.

Step 5. Turn on your machine and enjoy never needing a management chip again! 🎉

I'm happy to answer any questions if anything is unclear, I'm probably going to post more information about this on my website so be sure to check there soon dannywray.co.uk :)
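
The counter check that the post attributes to the maintenance manual, modelled as an added example (not code from the post, its GitHub repo or the machine's firmware): the check is keyed on a serial number that nothing authenticates, so a serial the machine has never seen passes as a new chip. `AuthenticatedCheck`, `issue_tag`, the issuer key and the 8-byte tag are assumptions that sketch one way a design could bind serials to the issuer; the real chip layout is not modelled and all values are constructed.

```python
import hashlib
import hmac

class SerialOnlyCheck:
    """The check as the post describes it: remember the credits last seen
    for each serial and flag the chip if that number ever goes up."""

    def __init__(self):
        self.last_seen = {}  # serial (bytes) -> credits remaining

    def accept(self, serial: bytes, credits: int) -> bool:
        last = self.last_seen.get(serial)
        if last is not None and credits > last:
            return False  # "illegal chip": the counter went up
        self.last_seen[serial] = credits
        return True

def issue_tag(issuer_key: bytes, serial: bytes) -> bytes:
    """Hypothetical: tag the issuer would write to the chip at manufacture."""
    return hmac.new(issuer_key, serial, hashlib.sha256).digest()[:8]

class AuthenticatedCheck(SerialOnlyCheck):
    """Assumed hardening: a serial counts only if it carries a valid tag."""

    def __init__(self, issuer_key: bytes):
        super().__init__()
        self.issuer_key = issuer_key

    def accept(self, serial: bytes, credits: int, tag: bytes = b"") -> bool:
        expected = issue_tag(self.issuer_key, serial)
        if not hmac.compare_digest(expected, tag):
            return False  # serial was not issued by the key holder
        return super().accept(serial, credits)

def demo():
    key = b"constructed-demo-key"              # constructed value
    chip = bytes.fromhex("00112233445566aa")   # constructed 64-bit serial
    fresh = bytes.fromhex("00112233445566ab")  # serial the machine never saw
    weak, strong = SerialOnlyCheck(), AuthenticatedCheck(key)
    tag = issue_tag(key, chip)
    return {
        "weak_first_read": weak.accept(chip, 736),
        "weak_counter_raised": weak.accept(chip, 800),
        "weak_unseen_serial": weak.accept(fresh, 800),
        "strong_first_read": strong.accept(chip, 736, tag),
        "strong_counter_raised": strong.accept(chip, 800, tag),
        "strong_unseen_serial": strong.accept(fresh, 800, tag),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

A symmetric key stored in every cabinet can itself be extracted, so a signature verified with a public key is the stronger form of the same idea. Neither variant stops a copied chip being presented to a second machine that has no record of that serial.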
 