
Namco System 246/256 - Crypto, Replay attack?

Discussion in 'Arcade and Supergun' started by telmnstr, Jul 12, 2017.

  1. telmnstr (Newly Registered, Dec 5, 2013)

    Hello everyone,

    I recently got a System 256, and a few 246s from a friend to check out and repair. It has upped my curiosity in the platform.

    After doing quite a bit of research at various times, from what I get (correct me if I'm wrong) the PS2 platform had crypto keys compromised which opened the door to vendors building save game backup widgets and the like. The 246/256 uses a PS2 MagicGate memory card that uses a different crypto key that has never been recovered, thus still remains fairly untouchable.

    Dongles can be migrated to different games by transferring the backend rom in the dongle to a donor dongle, but you have to copy a few bytes from original rom to new rom, a binding of the rom to the MagicGate IC in the dongle.

    So two thoughts. How was the original PS2 crypto key compromised -- does anyone know how it was discovered? I am curious how to work on it since that might open the door?

    Second, does anyone know if a simple replay of the dongle conversation on startup to the 246/256 would work? Replay a captured communications session to a MagicGate dongle back to the machine to get its boot filesystem from the encrypted dongle that way?
  2. sp193 (Well Known Member, Mar 29, 2012)

    I only know that it was related to the compromise in the PS3's cryptography. There is a PS2 emulator in the PS3, which allowed some MagicGate-protected games like FFXI to be played. So since the emulator was decrypted and so on, perhaps the keys from it were extracted. It was sometime around late 2011, when we had the PS3MCA package. It allowed us to bind the FMCB KELFs to the memory card, using the PS3 memory card adaptor and a PC.

    You don't need to know the keys to actually do any binding or decryption of the protected content. You can use the MECHACON's services to bind the KELF or to decrypt it, but the actual algorithm and its necessary keys are just within that black box. There are, however, no known facilities to encrypt new content (i.e. make a new KELF) by the MECHACON.

    FMCB v1.8b and earlier used the principle of copying the console's DVD player, replacing part of its unprotected region and then signing the file for the target memory card with the MECHACON.
    According to the SECRMAN of the PS2, the ID of the memory card is used in the binding or decryption process. But the actual process is done within the MECHACON, so sniffing the communication between the card and host won't help.
    Last edited: Jul 12, 2017
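The argument in the reply above (a black box holds the keys, the wrapped content is bound to the memory card's ID, and the host only ever sees ciphertext) can be made concrete with a toy model. The following is an added example, not code from the thread and not the real MagicGate/MECHACON or SECRMAN algorithm: the `BlackBox` class, the HMAC-based key wrapping, the `build_kelf`/`boot` helpers and all IDs, secrets and payloads are constructed stand-ins chosen only to show why a sniffed card/host transcript, replayed against a card with a different ID or fed to a box with a different secret, does not yield the protected content.

```python
"""Toy model of ID-bound key wrapping inside a black box.

Hypothetical construction for illustration only; it is NOT the
MagicGate/MECHACON scheme. Uses only the Python standard library.
"""
import hashlib
import hmac

TAG_LEN = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy stream cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC so a wrong key fails cleanly instead of yielding garbage."""
    ct = _xor(plaintext, _keystream(key, len(plaintext)))
    return ct + _tag(key, ct)


def open_(key: bytes, blob: bytes):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, ct)):
        return None
    return _xor(ct, _keystream(key, len(ct)))


class BlackBox:
    """Stand-in for a MECHACON-like chip: the device secret never leaves it."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret

    def _kek(self, card_id: bytes) -> bytes:
        # Key-encryption key derived from the secret AND the card ID.
        return hmac.new(self._secret, b"bind:" + card_id, hashlib.sha256).digest()

    def bind(self, content_key: bytes, card_id: bytes) -> bytes:
        return seal(self._kek(card_id), content_key)

    def unbind(self, wrapped: bytes, card_id: bytes):
        return open_(self._kek(card_id), wrapped)


def build_kelf(box: BlackBox, card_id: bytes, content_key: bytes, payload: bytes):
    """Host-visible artefact: (wrapped content key, sealed payload)."""
    return box.bind(content_key, card_id), seal(content_key, payload)


def boot(box: BlackBox, card_id: bytes, kelf):
    """What the host does at startup: ask the box to unbind, then decrypt."""
    wrapped, sealed = kelf
    content_key = box.unbind(wrapped, card_id)
    if content_key is None:
        return None
    return open_(content_key, sealed)


def demo() -> dict:
    box = BlackBox(b"constructed-device-secret")       # constructed
    card_a = b"CARD-ID-0001"                           # constructed
    card_b = b"CARD-ID-0002"                           # constructed
    content_key = hashlib.sha256(b"constructed content key").digest()
    payload = b"boot filesystem image (constructed)"

    kelf = build_kelf(box, card_a, content_key, payload)
    # Everything a sniffer on the card/host link could capture:
    transcript = {"card_id": card_a, "kelf": kelf}
    sniffed_bytes = transcript["card_id"] + b"".join(transcript["kelf"])

    return {
        "genuine": boot(box, transcript["card_id"], transcript["kelf"]),
        # Replaying the captured KELF with a different card inserted:
        "replay_on_other_card": boot(box, card_b, transcript["kelf"]),
        # An outsider with the transcript but not the box's secret:
        "outsider_guess": boot(BlackBox(b"wrong-secret"), card_a, transcript["kelf"]),
        # The content key itself is never on the wire:
        "key_in_transcript": content_key in sniffed_bytes,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Only the genuine combination of box secret and card ID recovers the payload; the captured transcript contains the card ID and wrapped data but no key material, which is the point sp193 makes about sniffing. The same model also shows the other limitation in the reply: since only the box can compute the card-bound key, nothing outside it can produce a freshly wrapped key for new content.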
