Sega Naomi Security Pic Dumper

Discussion in 'Arcade and Supergun' started by Serantes, Jul 24, 2008.

  1. Serantes

    Serantes Peppy Member

    Joined:
    May 1, 2007
    Messages:
    300
    Likes Received:
    2
    Location:
    Valencia - Spain
    Ok,
    as I said before, here is the toy.
    This tool can be used to get the DES key from Sega arcade GD-ROM systems to decrypt GD-ROM games.

    http://www.megaupload.com/?d=QRFSF8VL

    credits :
    Elsemi
    Mrsporty
    tmbinc
    myself :p
     
  2. ConsoleFun

    ConsoleFun Gutsy Member

    Joined:
    Dec 21, 2004
    Messages:
    441
    Likes Received:
    3
    Wow! Thanks for sharing!

    Took a look at the MAME source real quick, and it seems the decryption routines to use dumped keys are already in there :)

    I guess this is based on the reversing of the Triforce (tmbinc's blog)? Do you know if anyone has looked at the GD-ROM code for the Naomi 1 too? Would be interesting to know if there was any "scrambling" code in there, and if SEGA had a MIL-CD backdoor in their arcade systems as well (as in the Dreamcast)..
     
  3. tmbinc

    tmbinc Spirited Member

    Joined:
    Oct 10, 2006
    Messages:
    103
    Likes Received:
    0
    ConsoleFun: which code are you talking about? I cannot find it :(
     
  4. tmbinc

    tmbinc Spirited Member

    Joined:
    Oct 10, 2006
    Messages:
    103
    Likes Received:
    0
    Naomi games are stored in the same way, btw. I don't think there is a backdoor like on dreamcast, but one can never be sure. There is some "development mode" which might help here? (I think that one is activated if the PIC responds with a zero key. Not sure anymore, need to look at the disassembly again). Building a PIC with a zero key wouldn't be that complicated (some people can do that today :).
     
  5. Serantes

    Serantes Peppy Member

    Joined:
    May 1, 2007
    Messages:
    300
    Likes Received:
    2
    Location:
    Valencia - Spain
    How could the machine decrypt the game without knowing the key for this game?
    I don't think this is going to work...
     
  6. smf

    smf mamedev

    Joined:
    Apr 14, 2005
    Messages:
    1,064
    Likes Received:
    2
    I assume tmbinc meant that development mode meant the game didn't need to be encrypted.
     
  7. tmbinc

    tmbinc Spirited Member

    Joined:
    Oct 10, 2006
    Messages:
    103
    Likes Received:
    0
    I don't know the exact details (anyone?), but yes. Either the encryption would be disabled or it would be a static key. The interesting part would be if the thing accepts a CDROM in this case, or in whatever way the "development" worked.

    By the way, the newer ("type 3") devices contain a nice new secret: They split out all the network/vxworks stuff into a MIPS cpu on a separate board. The GDROM-functionality and the PIC security now happens in the "RX850"-part - whatever that is. My closest guess: RX850 is a small RTOS from NEC for their V850 cpus, and the actual software running the GDROM-stack. The actual firmware isn't stored in a separate flash rom (there just isn't one left...), but uploaded from the SEGABOOT (the triforce-logo and testmenu thing which runs on the gamecube). My guess is that it's the firmware.asic file, a ~96k block-encrypted (DES?) file. I wasn't yet able to decrypt that mysterious data blob, but I'm pretty sure that it turns out to be the gdrom-stack / pic security. The SEGA part must then also contain the CPU - again, there is no other device left. Strange thing, isn't it?

    As an interesting side note, the "netfirm" (the software running on the network board) has an open port, which you can use for a variety of things, like:
    - dumping the DIMM memory,
    - read/write the *gamecube* memory (with help from SEGABOOT, so it's just part of the DI protocol spoken),
    - read/write nvram, netfirm flash, set security keycode.

    I still don't have a working GDROM drive, that currently makes me unable to test more things. But the host (=gamecube) peek/poke function is actually already very interesting, you could use it to run code on the gamecube. The gamecube in turn can upload stuff to the DIMM board. SD-game-loader, anyone? (probably better not ;).

    Also it seems like the thing has provisions for replacing the GDROM media with something else. There is an IDE-styled connector inside. Is that the rumored harddisk support? "strings SEGABOOT" also shows something about "NAND"... This is new in the type-3 media boards. That makes it even more interesting to hack the RX850 part - whatever it is, exactly.
     