
Thread: Sega Naomi Security Pic Dumper

  1. #1 Serantes (Foot Soldier, Valencia - Spain)

    OK, as I said before, here is the toy.
    This tool can be used to get the DES key from Sega arcade GD-ROM systems to decrypt GD-ROM games.

    http://www.megaupload.com/?d=QRFSF8VL

    Credits:
    Elsemi
    Mrsporty
    tmbinc
    myself :P

  2. #2
    Wow! Thanks for sharing!

    Took a look at the MAME source real quick, and it seems the decryption routines to use dumped keys are already in there :-)

    I guess this is based on the reversing of the Triforce (tmbinc's blog)? Do you know if anyone has looked at the GD-ROM code for the Naomi 1 too? Would be interesting to know if there was any "scrambling" code in there, and if SEGA had a MIL-CD backdoor in their arcade systems as well (as in the Dreamcast)..

  3. #3 tmbinc (Foot Soldier)

    ConsoleFun: which code are you talking about? I cannot find it :(

  4. #4 tmbinc (Foot Soldier)

    Naomi games are stored in the same way, btw. I don't think there is a backdoor like on dreamcast, but one can never be sure. There is some "development mode" which might help here? (I think that one is activated if the PIC responds with a zero key. Not sure anymore, need to look at the disassembly again). Building a PIC with a zero key wouldn't be that complicated (some people can do that today :).

  5. #5 Serantes (Foot Soldier, Valencia - Spain)

    How could the machine decrypt the game without knowing the key for this game?
    I don't think this is going to work...

  6. #6 smf (mamedev Combat Soldier, England)

    Quote Originally Posted by Serantes
    How could the machine decrypt the game without knowing the key for this game?
    I don't think this is going to work...
    I assume tmbinc meant that development mode means the game didn't need to be encrypted.

  7. #7 tmbinc (Foot Soldier)

    I don't know the exact details (anyone?), but yes. Either the encryption would be disabled or it would be a static key. The interesting part would be if the thing accepts a CDROM in this case, or in whatever way the "development" worked.

    By the way, the newer ("type 3") devices contain a nice new secret: they split out all the network/VxWorks stuff into a MIPS CPU on a separate board. The GDROM functionality and the PIC security now happen in the "RX850" part - whatever that is. My closest guess: RX850 is a small RTOS from NEC for their V850 CPUs, and the actual software running the GDROM stack. The actual firmware isn't stored in a separate flash ROM (there just isn't one left...), but uploaded from the SEGABOOT (the Triforce-logo and test-menu thing which runs on the GameCube). My guess is that it's the firmware.asic file, a ~96k block-encrypted (DES?) file. I wasn't yet able to decrypt that mysterious data blob, but I'm pretty sure that it turns out to be the GDROM stack / PIC security. The SEGA part must then also contain the CPU - again, there is no other device left. Strange thing, isn't it?

    As an interesting side note, the "netfirm" (the software running on the network board) has an open port, which you can use for various things, like:
    - dumping the DIMM memory,
    - read/write the *GameCube* memory (with help from SEGABOOT, so it's just part of the DI protocol spoken),
    - read/write NVRAM, netfirm flash, set security keycode.

    I still don't have a working GDROM drive, which currently makes me unable to test more things. But the host (=GameCube) peek/poke function is actually already very interesting; you could use it to run code on the GameCube. The GameCube in turn can upload stuff to the DIMM board. SD-game-loader, anyone? (probably better not ;).

    Also it seems like the thing has provisions for replacing the GDROM media with something else. There is an IDE-style connector inside. Is that the rumored hard disk support? "strings SEGABOOT" also shows something about "NAND"... This is new in the type-3 media boards. That makes it even more interesting to hack the RX850 part - whatever it is, exactly.
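The post above guesses that firmware.asic is a ~96k block-encrypted (DES?) blob that nobody has decrypted yet. Before trying keys on such a file, a practitioner would first check whether it leaks the block-aligned repetition that ECB mode cannot hide: identical 8-byte plaintext blocks (vector-table entries, zero padding, repeated strings) become identical 8-byte ciphertext blocks, and an unencrypted header in front shifts that pattern to a non-zero offset. The code below is an added example, not code from this thread or from any of the posters. It uses a keyed SHA-256 mapping as a stand-in for DES (so it runs with the standard library only and is not a real cipher), a constructed sample "firmware", an assumed 10-byte header and an arbitrary key; the names `triage`, `toy_ecb`, `toy_cbc` and `best_alignment` are the example's own.

```python
"""
Block-cipher-mode triage for an unknown blob (e.g. a suspected DES-encrypted
firmware image). Added example: the stand-in block function is NOT DES.
"""
import hashlib
import math
from collections import Counter

BLOCK = 8  # DES block size in bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext/compressed data, lower for code or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def duplicate_block_stats(data: bytes, block: int = BLOCK, offset: int = 0) -> dict:
    """Count repeated block-sized chunks, chunking from `offset`.
    ECB keeps plaintext repetition visible (same plaintext block -> same
    ciphertext block), but only when the chunking matches the cipher's alignment."""
    chunks = [data[i:i + block] for i in range(offset, len(data) - block + 1, block)]
    counts = Counter(chunks)
    return {
        "blocks": len(chunks),
        "unique": len(counts),
        "duplicates": sum(c - 1 for c in counts.values() if c > 1),
    }


def best_alignment(data: bytes, block: int = BLOCK) -> int:
    """Offset (0..block-1) whose chunking shows the most repeated blocks.
    A non-zero result usually means an unencrypted header precedes the ciphertext."""
    return max(range(block), key=lambda off: duplicate_block_stats(data, block, off)["duplicates"])


def _prf(key: bytes, block: bytes) -> bytes:
    # Keyed pseudo-random block function used as a STAND-IN for DES so the
    # example needs only the standard library. It is not invertible and not a
    # cipher; it only reproduces the property this check relies on: the same
    # (key, input block) always gives the same output block.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _pad(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % BLOCK)  # zero-pad to a block multiple


def toy_ecb(key: bytes, data: bytes) -> bytes:
    """ECB mode over the stand-in: each block is transformed independently."""
    data = _pad(data)
    return b"".join(_prf(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def toy_cbc(key: bytes, data: bytes, iv: bytes = b"\x00" * BLOCK) -> bytes:
    """CBC-style chaining over the stand-in: plaintext repetition is hidden."""
    data = _pad(data)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = _prf(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


# Constructed sample "firmware": a repeated 8-byte table entry, a repeated
# text string and a byte ramp, i.e. the kind of redundancy real firmware has.
SAMPLE_PLAINTEXT = (
    b"\x00\x00\x00\x00\xde\xad\xbe\xef" * 40
    + b"RX850 firmware stand-in, constructed sample " * 20
    + bytes(range(256)) * 2
)
SAMPLE_KEY = b"\x01\x23\x45\x67\x89\xab\xcd\xef"  # arbitrary 8-byte key (assumption)
SAMPLE_HEADER = b"ASIC\x00\x00\x01\x00\x00\x00"   # assumed 10-byte unencrypted header


def triage(blob: bytes, block: int = BLOCK) -> dict:
    """Summarise what the blob looks like: entropy, best alignment, duplicate count."""
    off = best_alignment(blob, block)
    stats = duplicate_block_stats(blob, block, off)
    return {"entropy": round(shannon_entropy(blob), 2), "offset": off, **stats}


if __name__ == "__main__":
    ecb_blob = SAMPLE_HEADER + toy_ecb(SAMPLE_KEY, SAMPLE_PLAINTEXT)
    cbc_blob = SAMPLE_HEADER + toy_cbc(SAMPLE_KEY, SAMPLE_PLAINTEXT)
    for name, blob in (("plaintext", SAMPLE_PLAINTEXT), ("ecb", ecb_blob), ("cbc", cbc_blob)):
        print(name, triage(blob))
```

Running it prints one triage line per blob: the ECB blob shows 170 repeated 8-byte chunks once the 2-byte misalignment introduced by the 10-byte header is found (offset 2), while the chained blob shows none at any offset. Against a real file, high entropy plus a non-zero duplicate count at some offset is a strong sign of an 8-byte ECB cipher and tells you where the ciphertext starts; zero duplicates rules nothing out (a chained mode, or a plaintext with no 8-byte repetition). For random data the chance of any accidental 8-byte collision in a 96k file is negligible, so every duplicate is signal.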
