Minor corrections and lots more info for BootGods CIC article!
Not all of the added 12 pins from 60->72 are used for the CIC. Only 4 are connected. 10 pins are used to connect the cart to the (useless) expansion slot at the bottom. But thats 14 pin, not 12! For some reason cart audio expansion was removed for the NES, which took out 2 pins.
The CIC inside the NES is called the lock, and the CIC inside the cart is called the key. Key goes into lock to open it. Lock can reset the NES, but key is just waiting for commands from the lock. When you cut pin 4, you are changing the NES CIC from a lock to a key. Both the NES and cart CICs are now keys, just waiting for commands from the lock that doesn't exist. The reset button on the console also goes through the CIC. When you cut pin 4 the chip is still running, so the reset button will work. When you stun/crash the chip, the reset button will not work!
The NES board revisions (NES-CPU-7, NES-CPU-9, NES-CPU-11) are almost entirely to add protection against the CIC stun attacks. Very few of the stun games will work on a NES-CPU-11, the last front loader revision. Variant collectors must get them all!
Tengen cracked the CIC in two separate ways. The first was reverse engineering it, which would have been completely legal. They likely looked at the outputs and opened up the chip, much like what was done
Unfortunately other Tengen employees also went to the Copyright Office (not Patent Office) and claimed they needed the CIC software for a nonexistent lawsuit. That is what they were sued for and eventually lost. Patent info is always public and free, but the
CIC patent does not have enough info to build a replacement. We do not know if the Rabbit uses information from the stolen copyrighted code or not.