New Life Games Tech Forums

**Reel Slots** Gaming Machines => IGT S2000 and Vision Games. => Topic started by: mikec200 on August 02, 2012, 12:16:11 PM



Title: S2000 Bench setup for research
Post by: mikec200 on August 02, 2012, 12:16:11 PM
Hello all. New to NLG, and I'm going to be doing something with an S2000 that probably is not done much. I have a need to set up an operable S2000 with the minimal hardware on basically a board so I can have full access to all the electronics during operation. I'm a computer security professional who will be investigating both the software and hardware design of the S2000 in the hopes of uncovering some unique vulnerability vectors, particularly in the random number generation and gaming algorithms in the device. My goal is to find something of interest to turn into a paper to submit for one of several computer security conferences. I realize this is probably a very difficult task, but one I'm well suited for with my computer engineering background, and with so little research on the topic I'm willing to bet for as good as IGT has been at making the machines secure, there are still vulnerabilities, bugs, etc, that could potentially be uncovered. I was originally looking at the S+ platform because of the readily available information I could find on both the operation and theory and the slower processor which would make it easier to watch with my current logic analyzer and other tools. However I've decided the S2000 would be a much more relevant platform to modern day machines. If anyone has any insight or advice into an open bench top setup I would greatly appreciate it. Also I'm looking for as much documentation on the S2000 as I can find as well as any other info which might be helpful. I'd greatly appreciate any info members here wish to share which may be of value in the effort. I've begun to acquire many of the obvious components I'll need, cpu board, displays, power supply, harness, reels, etc, but don't necessarily have all of the documentation to get me up to slot tech speed, or have any idea yet what might be possible to omit, or potentially replace with other hardware, i.e. the door optics replaced with just a toggle switch, etc.
If anyone is an experienced slot tech and is willing to chat, I'd love to speak with you.

I'm looking forward to being a member here and getting to learn a lot and hopefully give back some as well. Also hoping that this project might be a fun endeavor not just for me but some of the die hard slot techies around here.

Thanks.

Mike


Title: Re: S2000 Bench setup for research
Post by: TZtech on August 02, 2012, 02:25:03 PM
Hi There and welcome to NLG

Interesting project - Please keep us posted
There are a lot of sub assemblies on the S2000 - I think Your best bet would be to get a standard S2000 machine - to get it a bit more compact remove the entire top box (You can disconnect the amp and speakers as this won't affect your testing - Don't know if You still need ticket printer) Move the reels to the top of the machine (You may need to extend reel wiring harness and then tilt the entire processor assembly and cut out the top of the reel shelf to gain access)

Alternatively if You are lucky you may be able to source a 960 test rig that allows you access to the processor etc (There is a current thread with such a tester for the S+/Pe+ platforms - http://newlifegames.net/nlg/index.php?topic=19601.msg160982;topicseen#new)

Bear in mind that the S2000 (i960 platform) although widely found is pretty much obsolete - IGT now concentrates mostly on the AVP platform.

Ian


Title: Re: S2000 Bench setup for research
Post by: cowboygames on August 02, 2012, 02:39:45 PM
Why would a guy even need the machine case? Other than bypassing the door optics, which is easy and much discussed on here, all other sensors are switches that can be jumpered out and everything else in the machine could be set up on a bench and plugged in for game play and monitoring. Even the MPU can easily be plugged in with all trays and housings removed. I've thought about doing this many times, but eventually decided it wasn't worth sacrificing a game for something I wanted more for personal interest vs personal need.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 02, 2012, 04:04:34 PM
TZtech and cowboygames

I'll be sure to provide updates as they come. I decided on the S2000 because it still was widely deployed versus the S plus, so as long as it's in widespread use it's relevant to vulnerability research. Kind of like Windows XP, it's basically obsolete, but still in widespread use which makes it an attractive place to explore. I figured that I'm going to end up with both a complete functional machine which I'm sourcing here in the next week, and the bench top device as the complete machine will make for good reference. Compact isn't as much of a concern as the access to the bits and pieces while in operation, and I've seen the S+ tester you're talking about. That probably would be ideal if there was an S2000 equivalent but still kind of hampers access to the CPU board from what I have seen. Cowboygames, if I could follow up with you once I have some more of the bits and pieces in hand starting next week, would you be interested in providing me some general assistance, i.e. answering some questions, maybe a phone call or two, seeing as you have at least thought this out a bit? Obviously I don't care one bit about the case in the bench top setup so it's good to hear my thinking isn't way off on making this a reality.

Thanks.

Mike


Title: Re: S2000 Bench setup for research
Post by: cowboygames on August 02, 2012, 04:43:11 PM
I'd be glad to help. Honestly though, until about the 20th of the month I'm gonna be pretty tied up with vacation and the first few days of work so phone help will be out till then. Any questions here on the site, no problem and maybe some better as I am sure there are others who will be interested in following the progress and sharing opinions/information on this topic. It also provides a reference source later on for others who might want to attempt a similar project. I would first recommend reading the topics that cover optics bypass and jumping out the belly door/cash box door switches. Beyond those, the whole game can be set up to run pieced out on a bench.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 02, 2012, 05:00:28 PM
Cowboygames,

No worries, I won't have parts for the bench top for at least another week and the following week work will have me tied up so I'm practically on your same timeline. I maybe will have a complete machine this weekend (which I'm going to leave intact other than some simple mods to make use easier), so I should also be able to gather a ton of info from that as well. I'll try and keep the questions here for now anyway as you said so folks can follow the progress and chime in if they have questions, ideas and suggestions. I already came across the thread on the door optics bypass but I'll look for the other switch jumper ones as well. Trying to gather and learn as much as I can the next week or so to hit ground running when the bits and pieces start to come in.

Thanks.

Mike


Title: Re: S2000 Bench setup for research
Post by: cowboygames on August 02, 2012, 05:06:56 PM
Sounds good, oughta be fun.


Title: Re: S2000 Bench setup for research
Post by: Foster on August 02, 2012, 08:04:53 PM
Even if there are software vulnerabilities, it is highly improbable that a non-employee of a casino could exploit it.
And every game is under the careful eye of Casino Security, so any obvious physical attack is going to draw their attention to it.
Even strong static discharges to the machine have been done by IGT; the machine did not malfunction and was still playable.
Also someone is going to know every error the machine has within 1 sec of the event because SAS host polls every 40-200ms.
I am not saying that the S2000 does not have any weaknesses but with cameras on them that will stop 99.99999% of any chance of someone exploiting it.
If someone came up with an exploit and could get it into a machine without someone knowing right away, a gaming agent is going to find it the next time that machine is audited.
They pull the chips and run 2 or 3 checks: compare it to a legit binary of the chip, CRC, and another type of test, something like an MD5 but it is called something else. If any one of those tests fails they will investigate it.
Speaking of the CRC, there is one most EPROM programming software does, but IGT has its own that they use.
The Game chips that store the main OS are 8 bit wide but the OS is 16 bit wide, which makes it harder to look at the OS without interleaving the 2 chips.
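
The chip audit described in the post above (binary compare, CRC, and a hash over an OS image split across two 8-bit chips), sketched as an added example; it is not part of the original thread and not IGT's or any regulator's tooling. CRC-32 and SHA-256 stand in for the unnamed checks, the even/odd byte order between the two chips is an assumption, and the sample image is constructed.

```python
import hashlib
import zlib


def interleave(even_chip: bytes, odd_chip: bytes) -> bytes:
    """Merge two 8-bit-wide chip dumps into one 16-bit-wide image.

    Assumption: even_chip holds image bytes 0, 2, 4, ... and odd_chip holds
    bytes 1, 3, 5, ...; the real pairing depends on the board.
    """
    if len(even_chip) != len(odd_chip):
        raise ValueError("chip dumps differ in size; cannot interleave")
    image = bytearray(len(even_chip) * 2)
    image[0::2] = even_chip
    image[1::2] = odd_chip
    return bytes(image)


def make_reference(image: bytes) -> dict:
    """Build the record an auditor would keep for an approved image."""
    return {
        "image": image,
        "crc32": zlib.crc32(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def audit_chip_pair(even_chip: bytes, odd_chip: bytes, reference: dict) -> list:
    """Run the three checks; return the names of those that failed."""
    image = interleave(even_chip, odd_chip)
    failed = []
    if image != reference["image"]:
        failed.append("binary-compare")
    if zlib.crc32(image) != reference["crc32"]:
        failed.append("crc32")
    if hashlib.sha256(image).hexdigest() != reference["sha256"]:
        failed.append("sha256")
    return failed


def locate_first_difference(even_chip: bytes, odd_chip: bytes, ref_image: bytes):
    """Map the first differing image byte back to (chip, offset on that chip)."""
    image = interleave(even_chip, odd_chip)
    for offset, (got, want) in enumerate(zip(image, ref_image)):
        if got != want:
            return ("even" if offset % 2 == 0 else "odd", offset // 2)
    return None


# Constructed sample data: a 64-byte stand-in for an approved OS image,
# split the way it would sit on the two chips.
REFERENCE = make_reference(bytes((i * 7 + 3) & 0xFF for i in range(64)))
GOOD_EVEN = REFERENCE["image"][0::2]
GOOD_ODD = REFERENCE["image"][1::2]

# Constructed "modified chip": one bit changed at offset 5 of the odd chip.
_tampered = bytearray(GOOD_ODD)
_tampered[5] ^= 0x01
TAMPERED_ODD = bytes(_tampered)


if __name__ == "__main__":
    print("approved pair :", audit_chip_pair(GOOD_EVEN, GOOD_ODD, REFERENCE))
    print("modified pair :", audit_chip_pair(GOOD_EVEN, TAMPERED_ODD, REFERENCE))
    print("first diff at :",
          locate_first_difference(GOOD_EVEN, TAMPERED_ODD, REFERENCE["image"]))
    # Swapping the two chips also fails the audit, which is why the byte
    # order has to be known before any checksum is meaningful.
    print("swapped chips :", audit_chip_pair(GOOD_ODD, GOOD_EVEN, REFERENCE))
```
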


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 02, 2012, 09:42:30 PM
Foster,

I'm not really looking at the physical vulnerability aspects because casinos are such a heavily surveilled area, and are nowhere sophisticated enough for the audience I would want to present to. What I'm looking at would in practice require no more access than any player would have. What I want to explore is weaknesses in the game algorithm and random number generation which are often areas that are vulnerable in computer systems. My end goal would be to be able to predict the random number generation sequence and use something like a smart phone with a custom application to help improve odds. This is a very general explanation of where I'm looking to go, but not far from work that has been done in encryption systems used in computers where what is seemingly impossible to crack codes are breakable with some clever thinking and knowing how the system works.

Mike


Title: Re: S2000 Bench setup for research
Post by: Foster on August 02, 2012, 10:25:48 PM
Even if you could figure out how the RNG works and if it is predictable it most likely would not do anyone any good.

The S2000 RNG is probably generating numbers the whole time the machine is on, after it finishes its boot and I suspect the seed number also changes over time.
A new number is generated every millisecond or faster, since the main CPU clock is 16MHz.
The only time that I suspect that the RNG routine is on hold would be during a hard error, while it is playing the current game, etc.

The S2000 grabs the latest number on the random number stack to determine the outcome once a bet is placed.
 
I can guarantee that the programmers have made it harder to predict the next number due to what Ron Harris did in Atlantic City involving a Keno game.
He had legal access to the source code to the software for that system because he was a NGC agent that analyzed computer code in any gaming machine or the like.

The only information an average player could input into an app is the physical stop for each reel if they can determine it by looking at the reel symbols.
Which does not translate into virtual stops.

There are 64+ virtual stops per reel depending on the theme; the average is 72.
Here is what I found for virtual stops for the following: Five Times Pay 90, Ten Times Pay 120, Twelve Times Pay 128; Triple Dollar with Mystery Reel Action I counted 256 virtual stops.
The higher the value of the symbol the lower the number of stops assigned to it. Usually the top award is assigned one virtual stop; there are exceptions to this.
Since blanks are symbols and on a single line game they are 50% of the symbols they usually make up 45% or more of the virtual stops.
The S2000 translates the virtual stops into physical stops; the virtual stops can only be seen when doing a game history which is limited to the last 10 games played and the average player in a casino had not be trying to use a key to access that information.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 02, 2012, 11:11:40 PM
Foster - I hear what you're saying and yes I believe IGT has done its damnedest to protect that RNG from prediction. However in my industry cryptographic algorithms of many more orders of complexity have been broken when thought unbreakable, random number generation thought to be good enough has been proven to be woefully inadequate, etc. When you have closed systems like this that get little scrutiny, often times there is a false sense of security and a few but notable occurrences of interesting events, often with inside access, such as Ron Harris. When more eyes begin to be placed on it and interest is drawn to the topic, often times a lot of fascinating things begin to be found. I've learned time and time again in my industry, if one human created it, another or group of others can find a way to break it. Also 16MHz is nothing compared to computational resources it's very easy to bring to bear in the IT industry. We have graphics cards with 3000+ cpu cores running at 100s of MHz to 1GHz speeds and you can write custom software with mathematical computation algorithms to run on them, not just process graphics data. That is potentially 3 teraflops of computation, which levels the playing field significantly if I reduce the possibilities to check. Combine that with precomputation of outputs to do look ups and it's possible to treat this like an encryption problem and brute force your way into learning the RNG sequence. Also aside from when a player presses a button, I'm not seeing a whole lot of good sources of entropy to provide good seeds to the RNG, so even without cracking open a machine, just based on the research I've been able to do thus far, there are already possibilities to consider and ways to radically up the computational ante to overcome something that might not be easily known.
The virtual reel doesn't pose that much of an issue especially when you can get the layout from a PAR sheet, so it only creates more possible outcomes to check which you just throw computational power at. I'm not doing this to ultimately create some sort of system for me to exploit at a casino, as if I'm successful and present the research, I doubt I'd be let near a machine in any casino from that point on. The whole point of this project is for me to look at a system that isn't widely reviewed and possibly leverage tools that would not normally be used against this system to see what is possible, not pull a Ron Harris.


But please keep up the questions because it's helping me to really think this out in detail and get thoughts and opinions from folks who know these systems.

Mike


Title: Re: S2000 Bench setup for research
Post by: CommTech on August 03, 2012, 12:09:25 AM
Hi Mikec200,
Welcome to NLG!
While I agree that the RNGs inside these machines are not truly random, and may not have high entropy seeding, the problem is that the player has no accurate feedback of where the RNG sequence is at any given moment.
As Foster said, the RNGs are constantly running at a very high speed. Forget the fact that the player has no real feedback as to what pattern of numbers generated coincides with what reel and what reel stop ... Even if it was possible to predict some kind of pattern from the RNG, there would be no possible way for the player to react fast enough to press the "spin" button at exactly the correct moment to stop the RNG on a winning number sequence.
Even what Ron Harris did with the RNGs at Atlantic City, with his inside access to the source code of the Keno program, it was a KENO program that gave Ron actual numbers to work with ... and even with those numbers, combined with a computer program he only had a very small chance (I think it was like 3 percent) that he could predict the next round of 8 numbers, by the previous set that was revealed.
Unlike KENO, slots have no revealing numbers to base any computations on.
You say that these machines have not been closely scrutinized; this could not be further from the truth. Slot machine manufacturers such as IGT go to extreme lengths to ensure their machines are hack proof.
Unlike many computer networks, where you can monitor the communications between nodes, and possibly use Man in the Middle attacks on a weak system, the end user on a slot machine has no access to the data streams within the machine.

Just my 2 cents.

Joe 


Title: Re: S2000 Bench setup for research
Post by: Foster on August 03, 2012, 12:32:16 AM
All I know is any system is vulnerable.
The thing is the information still useful since it changes thousands of times a second anyways.
Yeah, you might be able to guess every number the machine is going to generate but you can't predict which one it uses because it is grabbed at the bet (within a few milliseconds anyways) and that point in time that the bet is placed is determined by a human, except on my machine when I turn on my autoplay device, when max bet light comes on then the max bet is placed on mine.
And I can tell you that the cycle times vary a few milliseconds each game, another variable to throw off predictability.

Let me give you an example, back in 2009 or was it 2010.
I had Haywire Deluxe in my S2000 (using a SB100177). I hit the top award 2 times (progressive) but each 23-26 hours apart, both at 3-5am.

I had the theme in the machine within the last 18 months, put it on auto play; do you think it would hit it again? Nope, not even one time.
Yes I have hit other top awards:
Tabasco, Double Diamond, Triple Dollar MRA - the Triple Dollar might as well been a Wide Area Progressive with 256 virtual stops per reel.

Each play is an independent outcome.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 03, 2012, 12:52:21 AM
Commtech - I fully appreciate how much IGT has scrutinized the system, but it's done with tunnel vision as insiders. Microsoft for instance has a huge internal security team for their software, I know I used to work in it, and they still are handed vulnerabilities by researchers everyday with no access to code and far less resources. Part of what attracts me is I'm willing to bet there are some trade offs that were made because of the amount of physical security intrinsic to the environment the machines operate in. I'm optimistic because outside of the slot industry there is little interest in the devices, but computer security research would have many techniques which we use daily that would apply here. I'm not suggesting I'll even be successful in my endeavor, but there are some bright points that show promise, and in my circles it's more about what you can learn from the challenge anyway, and if I and a colleague who has agreed to help can find something presentable, it's all the more fulfilling.

Most folks probably feel this is a waste of time, but I'll guarantee they don't understand just how breakable what has been considered traditionally unbreakable can be. I've watched it time and time again in nearly 2 decades in IT and it all starts with someone that has the gall to challenge what most believe is incapable of being challenged.

As I've said before please keep  the thoughts, questions, insights, etc. coming, I'm learning more and more with each reply I'm receiving.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 04, 2012, 03:54:56 PM
Just an update on where I am on this. Parts are starting to trickle in, I currently have the power supply, power distribution, door I/O and cabinet I/O cards in. On the way are a complete wiring harness, motherboard, CPU board (minus proms though), multimedia lite board with simm, VFD display assembly, speakers and sound amp, Win/Paid Credit display, reels, coin in/out meters, button set (multi-denom), WBA-12-SS bill validator, and PSA-66-001N ticket printer. I was supposed to also pickup a complete 5 times pay S2000 machine with player tracking hardware today, but the seller couldn't have it ready in time, so I probably won't have that until some time next week. I know there are some switches I'll need as well, i.e. reset and possibly a w2g switch, but also a substitute for the cherry switch which I can also do the door optics on. If I'm missing anything besides the proms or the switches I've mentioned or you have any suggestions for stuff I should also acquire please let me know.

I've also managed to compile a ton of documentation from wiring diagrams to various manuals, but I have yet to come across a maintenance manual. If anyone can point me in the right direction on that, I'd appreciate it.



Title: Re: S2000 Bench setup for research
Post by: reho33 on August 04, 2012, 05:19:55 PM
stayoutadabunker had an S+ test rig (which I think he still uses) for the bench. It is an S+ mounted on wood with no cabinet. Maybe he will chime in here and make a comment or two?


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 04, 2012, 06:13:06 PM
Thanks for that info.  Looking forward to him chiming in.


Title: Re: S2000 Bench setup for research
Post by: Foster on August 04, 2012, 09:54:50 PM
If you look on eBay use IGT S2000 as the search and sort by price lowest to highest with shipping you will come across many parts you might need.

In a machine in a casino the cherry switch turns on a light that is mounted behind the BV and maybe to an alarm or door monitor system in a casino setting.
You can use the switch as an easy way to bypass the optics. I did in my machine.

Trying to add a W2G jackpot to credits switch would be easy if you have the wires for it. Otherwise you are going to have to add wire into the cabinet I/O harness for one side of the switch and ground of course for the other.
In a regular main harness you will only have 4 spade connectors:
2 used for the handle switch and 2 used for the Jackpot Reset switch. In fact you will have some connectors you won't be using in a test setup because you won't be installing the fluorescent lights normally.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 04, 2012, 11:08:31 PM
Thanks Foster.  Most of the parts I've received or I'm waiting on actually are from eBay.  I almost always look there first for anything.  I'm figuring I'm going to have a lot of left over spaghetti in the main harness I'll never use in the complete internal harness I have coming.  But I won't hack it up as I'll end up probably turning this into a functioning machine when I'm done.  Actually because of the rarity I would love to try and acquire WOF pieces over the next year for that purpose and it would probably take at least that long to find the key elements specific to that game.

I'm figuring I can sub any old switch in my config for the cherry at least on the door optic bypass use.  It's my understanding that cherry switch is normally open for the light contacts and normally closed for the contacts used in the door bypass, so I'm thinking a plain double pole switch will do the job, and a couple momentary switches for the reset and w2g.  Anything else you suggest I must jumper out or possibly need a switch for to get the test rig to work on the bench?   Also I don't have a stock power switch so if you have a suggestion there I would be very interested.


Title: Re: S2000 Bench setup for research
Post by: Foster on August 04, 2012, 11:34:10 PM
If you have received a complete machine harness you should have received the power switch.
It is a Double Pole Single Throw switch.



Title: Re: S2000 Bench setup for research
Post by: CommTech on August 05, 2012, 02:24:22 AM
> Commtech - I fully appreciate how much IGT has scrutinized the system, but it's done with tunnel vision as insiders. Microsoft for instance has a huge internal security team for their software, I know I used to work in it, and they still are handed vulnerabilities by researchers everyday with no access to code and far less resources. Part of what attracts me is I'm willing to bet there are some trade offs that were made because of the amount of physical security intrinsic to the environment the machines operate in. I'm optimistic because outside of the slot industry there is little interest in the devices, but computer security research would have many techniques which we use daily that would apply here. I'm not suggesting I'll even be successful in my endeavor, but there are some bright points that show promise, and in my circles it's more about what you can learn from the challenge anyway, and if I and a colleague who has agreed to help can find something presentable, it's all the more fulfilling.
>
> Most folks probably feel this is a waste of time, but I'll guarantee they don't understand just how breakable what has been considered traditionally unbreakable can be. I've watched it time and time again in nearly 2 decades in IT and it all starts with someone that has the gall to challenge what most believe is incapable of being challenged.
>
> As I've said before please keep the thoughts, questions, insights, etc. coming, I'm learning more and more with each reply I'm receiving.

I completely understand what you are saying about computer security.  I have learned so much over the past few years on this subject by listening to Steve Gibson of GRC's "Security Now" Podcast series.
It will be interesting to see what you find.



Title: Re: S2000 Bench setup for research
Post by: IFFV68 on August 06, 2012, 03:16:15 AM
Very interesting thoughts & Ideas.
I hope no one ends up in the slammer for Hacking.
I would think I.G.T. may want to visit someone?
All of this wanting to know & advertising it is a Red Flag to ??
Just my $.02.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 06, 2012, 06:10:26 PM
Foster - harness is a complete harness but anything that was plugged into it was removed to be sold as a separate component.  Figured I could refer to wiring diagrams and some questions here to find a suitable substitute.  With your info and the wiring diagram I think I now have it squared away.

Thanks.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 06, 2012, 07:00:19 PM
> Very interesting thoughts & Ideas.
> I hope no one ends up in the slammer for Hacking.
> I would think I.G.T. may want to visit someone?
> All of this wanting to know & advertising it is a Red Flag to ??
> Just my $.02.

IFFV68,

Thanks for the interest. My intent here is not for illegal purposes, it's about research and opening a dialogue on the topic of vulnerability research in gaming machines, and I would hope that if anything does come of this IGT will be interested in discussing those findings, much like how vulnerability disclosure is handled in the IT arena. If I was looking to do this to find a way to beat the casinos, I definitely would not be publicly talking about it here or anywhere else. The term "hacking" has a bad connotation to it because so often times it is used to refer to the nefarious side of being curious about the operation of a device. In this case you could call this investigation "hacking" in its purest form (but I won't use that term) because it seeks to understand the operation of the machine, but then the same can be said about a lot of the mods, and other topics discussed here. I frown on the use of term because it gives a very negative connotation to very positive and meaningful research and desire for knowledge. The intent of the term originally was meant to refer to being curious about the operation of a device and examining how it functions in exactly this manner, but has grown to be better associated with the illegal side of computer intrusion primarily, hence why this work is being performed as computer system vulnerability research and will be handled along with any finding as such. In addition should anything come out of this research, part of the disclosure process will be to work with IGT in a responsible manner to provide an opportunity for them to address any such findings. Besides if IGT has done their due diligence in the design of the machines and software then they should feel very good about the security of their machines and have little to come ask questions about and should welcome such scrutiny.
Bringing such attention would be a sure tip off there is something they don't want explored, which would cause a lot more folks to be interested, and go much further underground about the work.

Hopefully this should quell any issues with the work that is to be done once the bench top research machine is actually operational.


Title: Re: S2000 Bench setup for research
Post by: stayouttadabunker on August 07, 2012, 01:24:38 AM
> ...In addition should anything come out of this research, part of the disclosure process will be to work with IGT in a responsible manner to provide an opportunity for them to address any such findings....



This means NLG members will not see the results of your research.

Why?
Because IGT won't allow any of your findings to be published without their consent.

Furthermore, there's no way in hell that IGT will let a bunch of home slot owners be part of the "disclosure process".

Good luck with your project.

Please correct me if I am misunderstanding anything?


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 07, 2012, 11:41:44 AM
Stayouttadabunker,

I think you're going to find IGT has more limitations to prevent the disclosure of research than you think. Much of what would be done in the analysis would fall under fair use of a product by the end user as well. About the only case where IGT would have a foot hold to stop publication would be if they employed a "protection measure" which needs to be circumvented in order to gain access to code which could be covered under DMCA. Unless they protect the data on the proms say by encrypting the code, there isn't likely a protection measure to be circumvented here. From what I have read here, the proms are easily readable, so this does not appear to be the case. Also just because a company is given an opportunity to address any issues found during a remediation period prior to publishing ("responsible disclosure") doesn't mean the issue and the research around it will never get disclosed or the generalities around it can be discussed without providing specifics. We battle this over in the IT side all of the time, and there isn't an awful lot the manufacturer can do about preventing the information from being released as long as nothing illegal was done in obtaining it, where they may have an opportunity in court to seek an injunction.

One could argue some of the discussions here on NLG could be things IGT would have a problem with, but I haven't seen anything in the threads where IGT or any of the other makers of devices discussed here have had an issue with this site and its content.


Title: Re: S2000 Bench setup for research
Post by: crgadyk on August 07, 2012, 01:03:44 PM
If you're all about open disclosure and information gathering... maybe you should fill out your profile so that people can learn about you. Just in case you do find something ground breaking and after talking to IGT, you all of a sudden come up "missing". We'll at least have something to tell the authorities.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 07, 2012, 02:10:21 PM
Crgadyk,

Wow, I should take that personally but I won't, as I suspected I was going to stir the pot a bit with this discussion.

Basically the only difference between my profile and yours is gender, age and location and you have a few pictures of machines you own, which I can't provide as I have none yet. Not sure how age and location really matter that much here, and gender should be obvious from my user name, but if you really need more info on me here goes. I'm male, 30 something, IT industry consultant in Metro Atlanta. I have a background from an education standpoint in computer engineering, and my professional background is in IT covering application development, computer security (network and application), back office infrastructure and systems, and network routing and switching, which I practice thru my own company. My research is purely from a personal interest stand point along with that of some IT industry colleagues that specialize in areas that would be of help in this effort. Anything else you want to know I'm happy to share within the confines of what doesn't get into excessive information sharing that violates my privacy. I also don't want or intend for this effort to be an advertisement for my company at this site which is why I haven't shared any details on it. If you need to get a hold of me my email address is posted in my profile, and if it's not visible please let me know, as I'm figuring the "hide email address from public" option does not prevent registered members from seeing it, if not, I'll gladly change it. Unless anyone here feels I need all this in my profile let me know, otherwise I'll stick with the basics others have opted for.



Also I would think just the public discussion about what I'm looking into and what I'm sharing should indicate my willingness to be open, as some folks have already suggested I probably shouldn't discuss this project.  And I have plenty of folks who know me and are aware of my research in the event I go missing as you suggest, so that is not a concern I have.





Title: Re: S2000 Bench setup for research
Post by: crgadyk on August 07, 2012, 03:47:46 PM
It was actually a joke since there are always stories of people who try to go up against IGT and lose miserably. But either way, thanks for the information.


Title: Re: S2000 Bench setup for research
Post by: reho33 on August 07, 2012, 04:10:33 PM
Personally I don't believe that anything would happen. IGT would have to go after the MAME crowd, etc. So I support the OP in his efforts. If he did find a code flaw and didn't report his findings to IGT, I believe that would be irresponsible as you would have a "moral obligation" to at least let them know. If IGT didn't take action after that, well, shame on them. See what happened with the iPhone, after a group "jailbroke" it to work with any carrier, AT&T had to allow others to use it.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 07, 2012, 04:13:56 PM
It was actually a joke since there are always stories of people who try to go up against IGT and lose miserably. But either way, thanks for the information.

If it was meant jokingly, then I can appreciate a good joke.  If you have any background on such stories I'd love to hear it.  Can't hurt knowing where folks have treaded before and what the outcome is, but I'd be willing to bet in those cases it wasn't pure research at the heart of the matter, likely more of a personal gain issue, and not done under fair use.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 07, 2012, 04:20:53 PM
Personally I don't believe that anything would happen. IGT would have to go after the MAME crowd, etc. So I support the OP in his efforts. If he did find a code flaw and didn't report his findings to IGT, I believe that would be irresponsible as you would have a "moral obligation" to at least let them know. If IGT didn't take action after that, well, shame on them. See what happened with the iPhone, after a group "jailbroke" it to work with any carrier, AT&T had to allow others to use it.

Reho33 - great post, couldn't agree more.  The whole point in vulnerability research is to improve security not undermine it, which is why there is an implicit obligation to inform the affected party.  Their response is their choice but most end up coming around to correcting the issue, not fighting to keep it quiet when everyone works together.


Title: Re: S2000 Bench setup for research
Post by: reho33 on August 07, 2012, 06:40:06 PM
And you know what the great thing is? We, regular people here on this forum, figured out a whole lot of "non sanctioned" add ons and solutions for the S+, S2000, and I game platforms. We figured it out for FREE for ourselves, for furthering the hobby and for the love of it. IGT with all their paid guns and engineering talent couldn't figure out how to make stand alone TITO? Just goes to show you that sometimes free development IS better! Maybe they should pay US for all the cool things that we have developed. (Think deep fried Twinkies). Some on here disagree saying that you only have the right to use the product as it is and not to play with it. If I choose to deep fry my Twinkies does Hostess have the right to sue me saying that Twinkies were never meant to be "deep fried" and that by doing so I have violated their fair use agreement? I think not. So please tell me where I am wrong in supporting the OP in his quest to find "vulnerabilities" in IGT's source code for their games?


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 07, 2012, 06:53:55 PM
And you know what the great thing is? We, regular people here on this forum, figured out a whole lot of "non sanctioned" add ons and solutions for the S+, S2000, and I game platforms. We figured it out for FREE for ourselves, for furthering the hobby and for the love of it. IGT with all their paid guns and engineering talent couldn't figure out how to make stand alone TITO? Just goes to show you that sometimes free development IS better! Maybe they should pay US for all the cool things that we have developed. (Think deep fried Twinkies). Some on here disagree saying that you only have the right to use the product as it is and not to play with it. If I choose to deep fry my Twinkies does Hostess have the right to sue me saying that Twinkies were never meant to be "deep fried" and that by doing so I have violated their fair use agreement? I think not. So please tell me where I am wrong in supporting the OP in his quest to find "vulnerabilities" in IGT's source code for their games?

Again couldn't agree more.  Love the Twinkies fair use comparison by the way!


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 09, 2012, 06:56:01 PM
Update:

Most parts are in and I've been working thru figuring out the jumble of wires I received for a harness, and making great headway with the field supplement schematics and diagrams. It would be much easier with a complete machine for reference, but then I miss out on all the schematic reading fun (I need to get well acquainted with it anyway).  Reel harness was missing by accident, but is on its way, along with eproms for the S2000 mpu board (I still need to get key and clear eproms as well).   Pictures to follow after I pick up some switches and begin to lay this thing out a bit in an organized manner.

Question on the door harness and VFD.  The door harness I got has the small black molex connector on it for the 7 segment display, so I'm assuming the harness came out of a slant top or one of the uprights where the VFD and 7 segment are all lined up.   My VFD connects with the small little flat 5 pin connector and the 2 pin power connector back to the I/O motherboard with harness I have, and I have 2 options on 7 segment displays, one (PN# 25321300 rev A) which has the old large white molex connection (homemade adapter or wiring hack up needed to use) and I have one (PN# 75128401  rev A) with the black connector that also has the small white connector which appears to go to the VFD from what I have seen in some of the photos here.  Here is the question.  Can I use the VFD connected direct to the I/O motherboard (jumper 2 a netplex jumper as I recall going to VFD driver PN#75117700 rev D), and the 7 segment with the black Molex connector and skip connecting the VFD via the 7 segment display board?  Or do I just need to suck it up and rewire that connection and put a large white molex on it and use the other older display that lacks a VFD connection. I am aware the pin outs are different thanks to some great threads on the molex adapters from the white to black connections, so at least I have the pin outs between the 2 connectors straight if I need to adapt/makeshift connect it.   I know the machine the harness came out of used the I/O board for the VFD connection based on it being part of the harness assembly and that harness relating to the schematics, just not sure how things are going to react with a 7 segment that has the VFD pass thru and no VFD attached. Any insight is appreciated.

It's a bit of a frankenslot from a parts perspective, then again the whole bench set up is anyway, but the prices were hard to pass up on some of the items so if I need to ditch a few and add a piece or two to get what I have functional it's not a huge issue. It is what it is.

Also if anyone has PAR sheets they can share on SB100059 and SB100064 I would much appreciate it.  I'm going to use these in conjunction with SG000362 and VS011GX1 and VFD0007.  If there is anything I need to know about those combinations I'm all ears.


Title: Re: S2000 Bench setup for research
Post by: Foster on August 09, 2012, 10:01:50 PM
The VFD and 7 Segment display are never connected to each other.
The very small white connector you see on the 7 segment display is for the multi-denom LED box and touch pad.

The white connectors on the motherboard are Molex Mini-Fit Jr (most of the white connectors that look like them in the S2000 are also Mini-Fit Jr).
The ones with an arrow shape on them are also Molex but are called something else (door optics, bell).
The black connector on your 7 segment and harness is a Molex Micro-Fit 3.0.
The ones that go to the BV are Molex SL 0.100 connectors (they look similar to the audio connection on the back of internal CD/DVD drives; yes, they latch into the matching connector).

Cabinet and Door I/O are connected to the motherboard by SENET. You need to make sure you plug them into the right SENET port on the motherboard (yes, they are labeled).
The Door SENET plugs into the top of the door I/O, a 12 or 14 pin connector.
Door I/O also passes the SENET bus to the display.
You will have a spare SENET port on the motherboard.
Cabinet I/O is responsible for the physical meters, bell, handle, hopper, candle.
If you do not have the meters you will need to do the bypass in the meter connector - a 10 pin SL connector: cut the black wire and the wire next to the black one, strip both and twist them together, or connect the meters. If you do not you will get a meter disconnected error.

Netplex handles all the following
VFD
Printer
Bill acceptor
Spectrum II
V
When you plug in the netplex, the only one that has to be in a particular netplex port on the motherboard is the 12 pin connector - it has the extra wires that go to the BV door switch. You must either install a switch that you can turn off and on or jumper the 2 wires (they will be green wires with small female connectors on them).


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 09, 2012, 10:50:15 PM
Foster,

Thanks for clearing up the VFD versus touchpad, looking at those photos again I now see what I missed.  So the question is then can I still use that touchpad enabled display without a touch pad connected?

On the rest of the connectors I did manage to figure out proper placement of all of the Senet connections and that Door I/O is connected by that additional cable back to the I/O Motherboard Door Senet connector, but that is still good info for anyone reading this thread regardless, as it took me a while going thru the wiring diagrams and schematics to figure that out.  I do have meters but knowing how to bypass could come in handy if space becomes a premium.  Good to know on the netplex that the ports used by anything but the BV are totally generic.  The schematic I have been referring to had J2 connecting to the VFD (although not specifically marked for the VFD just traced in associated diagrams), J14 marked as the printer netplex, and J10 as the BV netplex.  I have both a PSA-66-001N printer and WBA-12-SS BV so I'll be hooking those up for sure, but again as space becomes a premium I may want to remove or bypass out as needed.

I know I need to bypass the door encoders, and now also the BV door switch,  I'll want a jackpot reset switch, but are door drop and card cage switches needed or necessary to bypass?

Once this is all setup and running if there is any specific logic timing anyone has needed for a particular component or in figuring out how to interface something to mimic a component, I should be able to help with that using an 8 channel logic analyzer.



Title: Re: S2000 Bench setup for research
Post by: Foster on August 10, 2012, 12:02:30 AM
In the S2000 the card cage is usually bypassed by default, you have to remove a resistor or such to enable it, just leave it as is.
It is to detect when someone removes the MPU to gain access to it.
I have not come across a S2000 that has it enabled as of yet.

There should be a jumper installed for the drop door in the main harness.
Do not confuse it with the belly door jumper in the door harness.

you can use the 6-6-3 7 segment display without the touch pad. the 6 6 3 is the number of digits for winner paid 6, credits 6, and credits played 3 there is also a 5 5 2 that does not have the touch pad port on it, when you change the machine from 5 5 2 to 6 6 3 in the key config menu, yes you will have to do so or you will get an error.
you do not need the touch pad but you will be limited to 1 denom, unless you get a touchpad, with a 6 6 3, even though the newer button harness has the wiring for the denom switch on the deck
to use the denom button on the deck you have to use a 5 5 2 display





Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 10, 2012, 12:36:45 AM
So that is what the card cage is.  I was thinking it had to do with the casino cage, maybe payout related.  Belly door jumper I found with the factory bypass, that's NJ specific as I recall reading, so I was expecting to see that setup for me.  Drop door I think I need to do something about as it is just a couple of slide on connectors that need to be hooked to something, but I need to double check that.

Thanks for confirming the touch pad isn't needed.  I knew about needing to change the 552 vs 663 in the setup, but didn't know how to tell which display was which other than maybe counting 7 segments but the touch pad connector makes it easy. That is a good piece of info that the denom switch won't work with a 663, which I'm sure would have driven me crazy at some point.

Thanks again for the info.


Title: Re: S2000 Bench setup for research
Post by: Foster on August 10, 2012, 01:43:23 AM
The drop door is a long wire with a 2 pin connector just like the belly door.
none of the wires for the drop door are orange.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 13, 2012, 12:24:59 PM
Another update:  I managed to get most of the parts assembled on to a board this weekend and verify what I could is working, i.e. power supply, VFD display, MPU board at least powers and errors without eproms.  I have the final pieces showing up today and should know if the system is functional.  Thanks to several members for their assistance, including Foster.  Pictures to follow tonight most likely.  I was also able to acquire a complete and operational 5 Times Pay S2000 machine this weekend as well, but was able to figure out most of the wiring without needing it for reference. I'm expecting however that it will come in very handy for troubleshooting. I would just throw the MPU in from the complete machine, but would rather not take any chances at the moment. Having never seen the inside of one of these machines other than during a reset for hand pay at a casino, I can say you can learn a lot about a machine using no other reference other than the S2000 Field Service Supplement, provided you have an electronics background. However this site and its members are and have been an incredible resource nonetheless.



Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 14, 2012, 11:35:45 PM
Good news to report.  Post office was a day late with my parts, can't complain though as it gave me an opportunity to play with the complete machine.  Got proms in and reels connected tonight and the bench top is alive after a main battery swap to a cr2032 and holder.  I need to redo the initial accounting setup as I screwed up the coin denom somehow and I think something is up with the bill validator as I haven't heard it do a thing, but everything else that is expected to happen is.  Need to figure out some reel mounting and play button mounting yet as well.  I tried taking some pictures with my camera phone but they look like crap as it doesn't want to focus right in the basement light so I'll need to grab my old digital camera which is going to need a charge first.  Should have more to report and some photos finally tomorrow. Still in need of par sheets for the two stepper bases noted above which will help with making some makeshift reel strips.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 15, 2012, 03:36:06 PM
It's working fully with the exception of a faulty bench BV and no permanent mounting yet of reels or buttons.  Confirmed by swapping BV from my complete 5X Pays machine.  Anyone have any idea why a BV will not cycle on power up, yet works in test modes using the dip switches?  One thing I did note is the faulty BV is a WBA 12 SS transport with a WBA 11 head, but I understand that should work.  Will try WBA 12 head from 5X Pays in faulty transport later and see if it makes a difference.

Still on the hunt for PAR sheets for  SB100059 and SB100064 if someone can help out.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on August 15, 2012, 08:23:07 PM
BV update - leaning toward software on the unit is incorrect for IGT, there is no info as to what version of software is on it.  Oh well was only $15 bucks complete.  I can still get credits on the machine using the BV from the complete machine.


Title: Re: S2000 Bench setup for research
Post by: CVslots on September 18, 2012, 01:56:13 PM
Wonder how this project is going?


Title: Re: S2000 Bench setup for research
Post by: mikec200 on September 18, 2012, 02:54:08 PM
CVSlots,

It's going, a deluge of work and some personal stuff has slowed it a bit more than I'd like, but such is life.  I got my BV issue solved, so the bench unit is fully operational.  Still need to get reels and buttons more properly mounted, but it's a secondary need at the moment.  Also interesting to have a complete and working machine to just put some extended no cost play on. I've observed some interesting things in the first 15 minutes from power on, so really interested to dig deep, it's likely no more than coincidence, but does seem to back up why they don't get put into use right away when first installed in a casino.   Still looking for par sheets on the SB100059 and SB100064, and if you know of any leads on that it's appreciated. Started looking at software but there are some challenges there it's going to take some time to work through to really get down to doing the research I want to do.  Also want to look at communications to the BV and see if a BV emulator can be cooked up for the S2000.  That would have some value to folks here I'm sure.

I'll continue to post as things progress and I'm obviously monitoring the board and checking in from time to time so please feel free to check in with me.


Title: Re: S2000 Bench setup for research
Post by: Mirage_Chaser on September 18, 2012, 04:46:22 PM
CVSlots,

I've observed some interesting things in the first 15 minutes from power on, so really interested to dig deep, it's likely no more than coincidence, but does seem to back up why they don't get put into use right away when first installed in a casino.

I don't know about that. I have worked in the industry for years and when a machine goes on the floor, brand new or used, they go on right after setup (or clear and setup). With the exception maybe of a bill and a paytable test. Volatility can be high up to 1 million games but it evens out over time so there is no reason for a game to not go live from 0 meters. Besides accounting/audit have a cow when every .01 is not accounted for, they usually insist on a full clear before a machine goes live.


Title: Re: S2000 Bench setup for research
Post by: mikec200 on September 18, 2012, 10:20:10 PM
Mirage_chaser,

I've read some interesting discussion here about burn in time prior to allowed use by the public on casino floors for new banks of machines.  Interesting to hear it is not universally done.  Individually it might be less of a concern as well, just seems there might be something to letting the RNG run a bit prior to actual gaming.


Title: Re: S2000 Bench setup for research
Post by: Mirage_Chaser on September 19, 2012, 12:18:01 PM
I would be surprised if it is widely done at all.

It seems like an amateur move.

Look at it this way, all slot machines have a target % and they will reach that % regardless of how the machine pays in the first few days of going live. You are basically saying that machines are not put on the floor right away because they may pay out at an unusually high rate- but even if that were true (which it may or may not be because high volatility does not equal high payout) any knowledgeable slot director or manager would be glad to have that on the floor to bring interest to the games. More winners means more players. And if you can get a game to have big interest the moment it goes on the floor then that equals more play which in turn means higher win/day.


Title: Re: S2000 Bench setup for research
Post by: CVslots on September 19, 2012, 01:11:58 PM
CVSlots,

I've observed some interesting things in the first 15 minutes from power on, so really interested to dig deep, it's likely no more than coincidence, but does seem to back up why they don't get put into use right away when first installed in a casino.

Like higher payouts in the first 30 or so games? If so, so have we, and many other members here have experienced the same. It also seems to occur when machine comes out of attract mode, whether in a casino or a home setting. BUT! These are in no way rock solid hypotheses, only pure speculation....and more than likely PURE coincidence.
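
Added example, not part of the thread and not from any poster: a way to put numbers on "volatility evens out over time" and on whether a good run in the first 30 games is distinguishable from chance. The paytable is constructed for illustration (it is not from any PAR sheet), and the function names are hypothetical.

```python
import math
from statistics import NormalDist

# Constructed paytable: payout per 1-credit bet -> probability.
# Illustrative only; not taken from any PAR sheet or real game.
PAYTABLE = {2: 0.10, 5: 0.04, 20: 0.01, 100: 0.002, 1000: 0.00015}
PAYTABLE[0] = 1.0 - sum(PAYTABLE.values())   # losing spins


def rtp_and_sigma(paytable):
    """Long-run payback (mean payout per credit) and per-game std deviation."""
    mean = sum(pay * p for pay, p in paytable.items())
    var = sum(pay * pay * p for pay, p in paytable.items()) - mean ** 2
    return mean, math.sqrt(var)


def payback_std_error(paytable, games):
    """Std deviation of the observed payback fraction after `games` plays."""
    _, sigma = rtp_and_sigma(paytable)
    return sigma / math.sqrt(games)


def prob_session_ahead(paytable, games):
    """Exact P(total payout > total wagered) for an honest, unbiased game.

    Dynamic programming over the running total. Payouts are non-negative
    integers, so every total above `games` can share one absorbing bucket.
    """
    cap = games + 1
    dist = [0.0] * (cap + 1)
    dist[0] = 1.0
    for _ in range(games):
        nxt = [0.0] * (cap + 1)
        for total, p_total in enumerate(dist):
            if p_total == 0.0:
                continue
            for pay, p_pay in paytable.items():
                nxt[min(total + pay, cap)] += p_total * p_pay
        dist = nxt
    return dist[cap]


def sessions_needed(paytable, games, rtp_shift, alpha=0.05, power=0.80):
    """Independent cold-start sessions needed for a one-sided z-test to detect
    an early-game payback increase of `rtp_shift` (normal approximation)."""
    se = payback_std_error(paytable, games)
    z = NormalDist().inv_cdf(1 - alpha) + NormalDist().inv_cdf(power)
    return math.ceil((z * se / rtp_shift) ** 2)


if __name__ == "__main__":
    rtp, sigma = rtp_and_sigma(PAYTABLE)
    print(f"RTP {rtp:.2%}, per-game sigma {sigma:.2f} credits")
    for n in (30, 10_000, 1_000_000):
        print(f"{n:>9} games: payback std error {payback_std_error(PAYTABLE, n):.2%}")
    print(f"P(ahead after 30 games) = {prob_session_ahead(PAYTABLE, 30):.1%}")
    print("cold starts to detect +10 points over 30 games:",
          sessions_needed(PAYTABLE, 30, 0.10))
```

With this paytable a meaningful share of honest 30-game sessions finish ahead, so a handful of power-on observations cannot separate an RNG seeding effect from ordinary variance; the last function estimates how many logged cold starts a real test would need.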


Title: Re: S2000 Bench setup for research
Post by: mikec200 on September 19, 2012, 08:31:18 PM
Cvslots,

Yes, exactly what I'm talking about, particularly near top line payout.  Really curious about that and random number generator seeding affecting that from cold start.