

Subject: Hitachi Encryption
Posted by: finaldave
Posted on: 08/26/04 09:35 AM

Charles has gone a bit quiet on this :-( - I thought he was going to storm all the Hitachi stuff in a day or something ;-)

But it is interesting what he found about the 4xxx type opcodes. Here's a quick example. I don't know if these are the same but they could be. This is Thunderblade Japan (j) and Thunderblade Custom/USA (u).

Notice the 4e75 <==> 0e75, 4eb9 <==> 0eb9 bits, that's what Charles was talking about I think. Should really put a disassembly on this as well for more clarity on what is data.

j   0: ffff ff00 0000 0404 0000 0400 0000 0400
u   0: 3347 f299 8301 abde 0000 0402 0000 0400

j  60: 0000 0400 0000 0400 0000 0d60 0000 0400
u  60: 0000 0400 0000 0400 0000 0d4e 0000 0400
j  70: 0000 0b28 0000 0400 0000 0400 0000 0400
u  70: 0000 0b16 0000 0400 0000 0400 0000 0400

j 6b0: 4e75 13fc 0004 0029 c006 08f8 0001 8112
u 6b4: 0e75 cb5d 8bfa 222c d993 ab3c e6a3 537d
       ^^^^
j 6c0: 4eb9 0001 7d04 4e75 2e7c ffff ff00 13fc
u    : 0eb9 92c8 1aa8 0e75 efea 9687 ce75 52e0
       ^^^^           ^^^^
j 6d0: 0008 0029 c006 08b8 0000 8118 46fc 2100
u    : 33e7 23a7 8c95 8a65 3f23 d12d 06fc fe58
                                     ^^^^



You learn something old everyday...



Subject: Re: Hitachi Encryption
Posted by: smf
Posted on: 09/11/04 03:19 AM

Yeah it is odd that they left in opcodes which could so easily be used to decrypt the ROM contents. The "state" problem is weird; MAME emulates some System 16 games because there were encrypted bootlegs. None of them have anything like this though.

I do wonder if it's a timing/voltage/whatever issue & not related to the encryption at all.

smf





Subject: Re: Hitachi Encryption
Posted by: finaldave
Posted on: 09/11/04 06:03 PM

> Yeah it is odd that they left in opcodes which could so easily be used to
> decrypt the rom contents.
Are there some opcodes which can be used for decryption?


> The "state" problem is weird, mame emulates some
> system16 games because there were encrypted bootlegs. None of them have anything
> like this though.

What is the 'state' problem?


> I do wonder if it's a timing/voltage/whatever issue & not related to the
> encryption at all.


"Tread the well-trodden path well..."



Subject: Re: Hitachi Encryption
Posted by: R. Belmont
Posted on: 09/11/04 11:32 PM

> What is the 'state' problem?

Go read cgfm's page since you clearly haven't lately :)





Subject: Re: Hitachi Encryption
Posted by: smf
Posted on: 09/13/04 11:43 AM

> Are there some opcodes which can used for decryption?

Yes, it's well documented on his site (FWIW I came up with the pea/odd vector method Charles used; he credited me by my first name for some reason).

Unfortunately there seems to be a point where the encryption changes. It could be a one-time thing (i.e. boot code is encrypted one way and the rest is encrypted another) or different parts of the game may be encrypted differently.

After the (from memory):

    move.w #$2700, SR
    cmp.l #$52ffff, d0

the encryption changes. I sent Charles some more things to try but haven't heard back.

smf





Subject: Re: Hitachi Encryption
Posted by: finaldave
Posted on: 09/15/04 08:00 PM

> > What is the 'state' problem?
>
> Go read cgfm's page since you clearly haven't lately :)
>

w00t!
http://cgfm2.emuviews.com/

You're right I missed it all! Excellent!

Charles+MameDev versus FD1094... ROUND ONE FIGHT!
There's a lot to digest!

"Tread the well-trodden path well..."



Subject: cmpi.l #$0091ffff,d0
Posted by: finaldave
Posted on: 09/17/04 07:47 AM

> > > What is the 'state' problem?
> >
> > Go read cgfm's page since you clearly haven't lately :)
> >
>
> w00t!
> http://cgfm2.emuviews.com/

http://cgfm2.emuviews.com/
cmpi.l #$0091ffff,d0
This does look very like a 'switch to key 0x91' doesn't it?

... this may be wishful thinking, but is it at all possible that different boards, if they did a cmpi.l #$0091ffff,d0 instruction would switch to decoding words in the *same* way as this board?

For example, if you could somehow insert a cmpi.l #$0091ffff,d0 into Tetris, would you get the same decryption table method as DDCrew? And then would that mean all FD1094s are the same, just with different keys activated with cmpi.l instructions?


Or is this definitely out of the question...?


"Tread the well-trodden path well..."
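Two of the clues raised in this thread can be checked mechanically over a ROM dump: the first post's observation that fixed-encoding 68000 words (4e75 rts, 4eb9 jsr, 46fc move to SR) show up in the other region's ROM with bit 14 cleared, and the suspicion above that a cmpi.l #$xxxxffff,d0 (preceded, from smf's memory, by move.w #$2700,SR) marks the point where the key or state changes. The script below is an added example written for this page; it is not code from the thread, from Charles MacDonald's page, or from MAME. It scans word streams only: the j/u words are copied from the first post's dump, the extra program stream is constructed for illustration, and whether the FD1094 really keys off cmpi.l is exactly the open question the thread is asking, so the scanner reports candidates, not facts.

```python
# Added example (not from the thread, not Charles's or MAME's code):
# two scans over 68000 ROM words for the clues discussed in this thread.
# Sample words are copied from the first post's dump; the program stream
# further down is constructed for illustration and comes from no real ROM.

# 68000 instruction words with no variable fields; the dump in the first
# post shows these turning up as 0xxx (bit 14 clear) in the second ROM.
M68K_FIXED = {
    0x4E70: "reset", 0x4E71: "nop", 0x4E72: "stop", 0x4E73: "rte",
    0x4E75: "rts", 0x4E76: "trapv", 0x4E77: "rtr",
    0x4EB9: "jsr (xxx).l", 0x4EF9: "jmp (xxx).l",
    0x46FC: "move.w #imm,sr",
}

CMPI_L_DN = 0x0C80   # cmpi.l #imm32,Dn  (low 3 bits = register number)
MOVE_TO_SR = 0x46FC  # move.w #imm16,sr

# 'j' (Japan) and 'u' (USA) rows from the post at offsets $6b0/$6c0/$6d0.
# The post lost the offsets of the last two 'u' rows; they are listed in
# the same order so word indexes line up.
J_DUMP = """
6b0: 4e75 13fc 0004 0029 c006 08f8 0001 8112
6c0: 4eb9 0001 7d04 4e75 2e7c ffff ff00 13fc
6d0: 0008 0029 c006 08b8 0000 8118 46fc 2100
"""
U_DUMP = """
6b4: 0e75 cb5d 8bfa 222c d993 ab3c e6a3 537d
   : 0eb9 92c8 1aa8 0e75 efea 9687 ce75 52e0
   : 33e7 23a7 8c95 8a65 3f23 d12d 06fc fe58
"""


def parse_words(hexdump):
    """Flatten 'offset: w0 w1 ...' lines into a list of 16-bit words."""
    words = []
    for line in hexdump.strip().splitlines():
        _, _, body = line.partition(":")
        words.extend(int(tok, 16) for tok in body.split())
    return words


def bit14_pairs(a, b):
    """Word pairs at the same index that differ only in bit 14 ($4000).

    Returns (index, word_a, word_b, mnemonic). The mnemonic is looked up on
    whichever side has bit 14 set and is '?' for words not in M68K_FIXED.
    """
    hits = []
    for i, (wa, wb) in enumerate(zip(a, b)):
        if wa ^ wb == 0x4000:
            plain = wa if wa & 0x4000 else wb
            hits.append((i, wa, wb, M68K_FIXED.get(plain, "?")))
    return hits


def state_switch_candidates(words, base=0):
    """Find the instructions the thread suspects mark a key/state change.

    Reports cmpi.l #$xxxxffff,Dn (any Dn, immediate low word $ffff) and
    move.w #$2700,sr as (byte_offset, mnemonic, immediate). This walks every
    word position instead of following instruction boundaries, so a data
    word equal to $0c80 or $46fc can be reported too; confirm each hit
    against a disassembly before trusting it.
    """
    hits = []
    for i, w in enumerate(words):
        off = base + 2 * i
        if (w & 0xFFF8) == CMPI_L_DN and i + 2 < len(words) and words[i + 2] == 0xFFFF:
            imm = (words[i + 1] << 16) | words[i + 2]
            hits.append((off, "cmpi.l #imm,d%d" % (w & 7), imm))
        elif w == MOVE_TO_SR and i + 1 < len(words) and words[i + 1] == 0x2700:
            hits.append((off, "move.w #imm,sr", words[i + 1]))
    return hits


def candidate_state(imm):
    """The byte the thread reads as the new key: low byte of the high word."""
    return (imm >> 16) & 0xFF


# Constructed word stream (not from any real ROM): one move.w #$2700,sr,
# one cmpi.l #$0091ffff,d0, and a cmpi.l whose immediate does not end in
# $ffff and so must not be reported.
SAMPLE_PROGRAM = [
    0x46FC, 0x2700,           # move.w #$2700,sr
    0x0C80, 0x0091, 0xFFFF,   # cmpi.l #$0091ffff,d0
    0x4E71,                   # nop
    0x0C80, 0x1234, 0x5678,   # cmpi.l #$12345678,d0 (ordinary compare)
    0x4E75,                   # rts
]

if __name__ == "__main__":
    for i, wa, wb, name in bit14_pairs(parse_words(J_DUMP), parse_words(U_DUMP)):
        print("word %2d: j %04x  u %04x  (%s)" % (i, wa, wb, name))
    for off, mnem, imm in state_switch_candidates(SAMPLE_PROGRAM):
        note = "  candidate state $%02x" % candidate_state(imm) if mnem.startswith("cmpi") else ""
        print("$%04x: %s #$%x%s" % (off, mnem, imm, note))
```

On the posted dump the first scan reports exactly the four pairs the post points at (4e75/0e75 twice, 4eb9/0eb9, 46fc/06fc), which is why the "which words are data" question matters: any two words that happen to differ only in bit 14 will match too, so a disassembly is the only way to tell an opcode from coincidence.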



Subject: Screenshots!
Posted by: finaldave
Posted on: 09/20/04 08:19 AM

> > > > What is the 'state' problem?
> > >
> > > Go read cgfm's page since you clearly haven't lately :)
> > >
> >
> > w00t!
> > http://cgfm2.emuviews.com/
>
> http://cgfm2.emuviews.com/


Now if people understood the significance of those Tetris screenshots it would probably be front-page news on all the emulation sites! ;-)
Though maybe Charles would prefer things to stay quiet for now, the last thing he needs is lots of people nagging to decrypt X Y and Z!

But damn good work nevertheless!



"Tread the well-trodden path well..."



Subject: Re: Screenshots!
Posted by: smf
Posted on: 09/21/04 02:54 AM

> the last thing he needs is lots of people nagging to decrypt X Y and Z!

I suspect that this has already happened.

The progress is great, being able to decrypt an entire game is amazing. But I'll save my celebrations until the data is reduced down to an algorithm.

smf





Subject: Re: Screenshots!
Posted by: finaldave
Posted on: 09/22/04 11:09 AM

> > the last thing he needs is lots of people nagging to decrypt X Y and Z!
>
> I suspect that this has already happened.
>
> The progress is great, being able to decrypt an entire game is amazing. But I'll
> save my celebrations until the data is reduced down to an algorithm.

Agreed, it's far too tempting to just jump straight to decryption...

For example we still don't have an algorithm for CPS2 do we!



"Tread the well-trodden path well..."



Subject: Re: Screenshots!
Posted by: R. Belmont
Posted on: 09/28/04 01:50 PM

> For example we still don't have an algorithm for CPS2 do we!

Nope, and Raz is still holding us hostage on a few games we might otherwise support as a result.




Subject: Re: Screenshots!
Posted by: Barry Rodewald
Posted on: 09/28/04 06:59 PM

> Nope, and Raz is still holding us hostage on a few games we might otherwise
> support as a result.

Can you give a few examples? Only one I'm aware of is Progear, which still lacks a complete dump.

- Barry Rodewald
http://galemu.emuunlim.com/




Subject: Re: Screenshots!
Posted by: smf
Posted on: 09/30/04 01:44 AM

> Can you give a few examples? Only one I'm aware of is Progear, which still
> lacks a complete dump.

_We_ don't have a complete dump.

smf




