Sega Naomi Security Pic Dumper
As I said before, here is the toy.
This tool can be used to get the DES key from SEGA arcade GD-ROM systems to decrypt GD-ROM games.
Wow! Thanks for sharing!
Took a look at the MAME source real quick, and it seems the decryption routines to use dumped keys are already in there :-)
I guess this is based on the reversing of the Triforce (tmbinc's blog)? Do you know if anyone has looked at the GD-ROM code for the Naomi 1 too? Would be interesting to know if there was any "scrambling" code in there, and if SEGA had a MIL-CD backdoor in their arcade systems as well (as in the Dreamcast)..
ConsoleFun: which code are you talking about? I cannot find it :(
Naomi games are stored in the same way, btw. I don't think there is a backdoor like on dreamcast, but one can never be sure. There is some "development mode" which might help here? (I think that one is activated if the PIC responds with a zero key. Not sure anymore, need to look at the disassembly again). Building a PIC with a zero key wouldn't be that complicated (some people can do that today :).
How could the machine decrypt the game without knowing the key for this game?
I don't think this is going to work...
I assume tmbinc meant that development mode meant the game didn't need to be encrypted.
Originally Posted by Serantes
I don't know the exact details (anyone?), but yes. Either the encryption would be disabled or it would be a static key. The interesting part would be if the thing accepts a CDROM in this case, or in whatever way the "development" worked.
By the way, the newer ("type 3") devices contain a nice new secret: They split out all the network/vxworks stuff into a MIPS CPU on a separate board. The GDROM-functionality and the PIC security now happens in the "RX850"-part - whatever that is. My closest guess: RX850 is a small RTOS from NEC for their V850 CPUs, and the actual software running the GDROM-stack. The actual firmware isn't stored in a separate flash rom (there just isn't one left...), but uploaded from the SEGABOOT (the triforce-logo and testmenu thing which runs on the gamecube). My guess is that it's the firmware.asic file, a ~96k block-encrypted (DES?) file. I wasn't yet able to decrypt that mysterious data blob, but I'm pretty sure that it turns out to be the gdrom-stack / pic security. The SEGA part must then also contain the CPU - again, there is no other device left. Strange thing, isn't it?
As an interesting side note, the "netfirm" (the software running on the network board) has an open port, which you can use for a variety of things, like:
- dumping the DIMM memory,
- read/write the *gamecube* memory (with help from SEGABOOT, so it's just part of the DI protocol spoken),
- read/write nvram, netfirm flash, set security keycode.
I still don't have a working GDROM drive, that currently makes me unable to test more things. But the host (=gamecube) peek/poke function is actually already very interesting, you could use it to run code on the gamecube. The gamecube in turn can upload stuff to the DIMM board. SD-game-loader, anyone? (probably better not ;).
Also it seems like the thing has provisions for replacing the GDROM media with something else. There is an IDE-styled connector inside. Is that the rumored harddisk support? "strings SEGABOOT" also shows something about "NAND"... This is new in the type-3 media boards. That makes it even more interesting to hack the RX850 part - whatever it is, exactly.
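The "mysterious data blob" in the post above (firmware.asic, described as roughly 96k and block-encrypted, possibly DES) suggests a first analysis step that costs nothing and needs no key: measure the byte entropy of the file and look for repeated 8-byte blocks. A block cipher in ECB mode maps identical plaintext blocks (zero padding, repeated tables) to identical ciphertext blocks, so a high-entropy file with many repeated 8-byte blocks is a strong hint for ECB, while a chained mode shows no repeats at all. The Python below is an added example, not code from this thread, from MAME, or from SEGA. It works on a constructed firmware-like image, and because no DES library is assumed it substitutes a constructed keyed-digest block function for DES; that stand-in reproduces the one property the check relies on (same input block, same output block), while the entropy and repeat statistics are the real technique.

```python
import hashlib
import math
from collections import Counter, defaultdict

BLOCK = 8  # DES block size in bytes; firmware.asic is described as block-encrypted


def _toy_block(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for a block cipher (NOT DES): a keyed digest truncated
    to one block. Deterministic per (key, block), which is all ECB detection needs."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def toy_ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal blocks stay equal."""
    assert len(plaintext) % BLOCK == 0, "input must be block-aligned"
    return b"".join(_toy_block(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def toy_cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """CBC with a zero IV: each block is XORed with the previous ciphertext block
    first, so repeated plaintext blocks no longer produce repeated ciphertext."""
    assert len(plaintext) % BLOCK == 0, "input must be block-aligned"
    prev = bytes(BLOCK)
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = _toy_block(key, mixed)
        out += prev
    return bytes(out)


def constructed_firmware_image() -> bytes:
    """Constructed sample input (not real SEGA data): 1024 bytes of 'code' drawn
    from a deterministic stream limited to 64 symbols, then 512 bytes of zero
    padding, the way images are often padded out to a block boundary."""
    code = bytearray()
    counter = 0
    while len(code) < 1024:
        digest = hashlib.sha256(b"constructed-code-%d" % counter).digest()
        code += bytes(b & 0x3F for b in digest)
        counter += 1
    return bytes(code[:1024]) + b"\x00" * 512


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8). Ciphertext sits near 8, code well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repeated_block_offsets(data: bytes, block: int = BLOCK) -> dict:
    """Map each block value that occurs more than once to the offsets where it
    appears. For ECB ciphertext this usually points straight at padding regions."""
    seen = defaultdict(list)
    for off in range(0, len(data) - len(data) % block, block):
        seen[data[off:off + block]].append(off)
    return {blk: offs for blk, offs in seen.items() if len(offs) > 1}


def repeated_block_ratio(data: bytes, block: int = BLOCK) -> float:
    """Fraction of blocks that are duplicates of an earlier block (0.0 = none)."""
    total = len(data) // block
    if total == 0:
        return 0.0
    distinct = len({data[o:o + block] for o in range(0, total * block, block)})
    return 1.0 - distinct / total


def classify_blob(data: bytes, block: int = BLOCK) -> str:
    """Triage an unknown blob before any decryption attempt. Thresholds are
    heuristics chosen for this example, not universal constants."""
    if shannon_entropy(data) < 6.0:
        return "low-entropy: plaintext or compressible"
    if repeated_block_ratio(data, block) > 0.05:
        return "high-entropy with repeated blocks: likely ECB"
    return "high-entropy, no repeated blocks"


if __name__ == "__main__":
    image = constructed_firmware_image()
    key = b"constructed-key"  # placeholder, not a real PIC key
    for label, blob in (("plain", image),
                        ("ecb", toy_ecb_encrypt(key, image)),
                        ("cbc", toy_cbc_encrypt(key, image))):
        print(f"{label:5s} entropy={shannon_entropy(blob):.2f} "
              f"repeats={repeated_block_ratio(blob):.3f} -> {classify_blob(blob)}")
```

Run against a real file, the useful signal is not the verdict alone but where the repeated blocks sit: if `repeated_block_offsets` clusters at the end of the image, the repeats are almost certainly encrypted padding, which also tells you the plaintext length and block alignment without touching a key.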