
Namco System 246/256 - Crypto, Replay attack?

Discussion in 'Arcade and Supergun' started by telmnstr, Jul 12, 2017.

  1. telmnstr

    telmnstr Newly Registered

    Joined:
    Dec 5, 2013
    Messages:
    3
    Likes Received:
    0
    Hello everyone,

    I recently got a System 256, and a few 246's from a friend to check out and repair. It has upped my curiosity in the platform.

    After doing quite a bit of research at various times, from what I get (correct me if I'm wrong) the PS2 platform had crypto keys compromised which opened the door to vendors building save game backup widgets and the like. The 246/256 uses a PS2 MagicGate memory card that uses a different crypto key that has never been recovered, thus still remains fairly untouchable.

    Dongles can be migrated to different games by transferring the backend rom in the dongle to a donor dongle, but you have to copy a few bytes from original rom to new rom, a binding of the rom to the MagicGate IC in the dongle.

    So two thoughts. How was the original PS2 crypto key compromised -- does anyone know how it was discovered? I am curious how to work on it since that might open the door?

    Second, does anyone know if a simple replay of the dongle conversation on startup to the 246/256 would work? Replay a captured communications session to a MagicGate dongle back to the machine to get it its boot filesystem from the encrypted dongle that way?
     
  2. sp193

    sp193 Well Known Member

    Joined:
    Mar 29, 2012
    Messages:
    1,682
    Likes Received:
    371
    I only know that it was related to the compromise in the PS3's cryptography. There is a PS2 emulator in the PS3, which allowed some MagicGate-protected games like FFXI to be played. So since the emulator was decrypted and so on, perhaps the keys from it were extracted. It was sometime around late 2011, when we had the PS3MCA package. It allowed us to bind the FMCB KELFs to the memory card, using the PS3 memory card adaptor and a PC.

    You don't need to know the keys to actually do any binding or decryption of the protected content. You can use the MECHACON's services to bind the KELF or to decrypt it, but the actual algorithm and its necessary keys are just within that black box. There are, however, no known facilities to encrypt new content (i.e. make a new KELF) by the MECHACON.

    FMCB v1.8b and earlier used the principle of copying the console's DVD player, replacing part of its unprotected region and then signing the file for the target memory card with the MECHACON.
    According to the SECRMAN of the PS2, the ID of the memory card is used in the binding or decryption process. But the actual process is done within the MECHACON, so sniffing the communication between the card and host won't help.
     
    Last edited: Jul 12, 2017
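The two points made in the post above (a nonce-based challenge/response cannot be replayed from a sniffed transcript, and a response is bound to the card ID) are easy to see in a toy model. The block below is an added illustration written for this page, not the MagicGate protocol, not code from the thread's participants, and not anything extracted from the MECHACON or SECRMAN: the master key, the key-derivation step, the message layout and the HMAC-SHA256 choice are all assumptions picked only to make the mechanism concrete. It also shows the one situation in which a replay would work, namely a host that reuses a fixed challenge.

```python
"""Toy challenge/response card authentication (added illustration).

NOT the MagicGate algorithm. Models only the two properties discussed in
the thread: (1) a host that issues a fresh random challenge every boot
cannot be satisfied by replaying a captured session, and (2) the response
is bound to the card ID, so a different card's secret gives a wrong answer.
"""
import hashlib
import hmac
import secrets

# Hypothetical master secret held inside the "black box" on both sides.
MASTER_KEY = b"assumed-master-key-for-illustration-only"


def card_key(card_id: bytes) -> bytes:
    """Per-card key derived from the master key and the card ID (assumption:
    this stands in for whatever binds content to a particular card)."""
    return hmac.new(MASTER_KEY, b"card-key:" + card_id, hashlib.sha256).digest()


class Card:
    """The card/dongle side: holds its per-card secret and answers challenges."""

    def __init__(self, card_id: bytes):
        self.card_id = card_id
        self._key = card_key(card_id)

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()


class Host:
    """The console side: issues a challenge and checks the answer using the
    same secret material it holds in its own black box."""

    def __init__(self, fresh_nonces: bool = True):
        # fresh_nonces=False models a badly designed host that always sends
        # the same challenge; this is the only case where replay works.
        self.fresh_nonces = fresh_nonces
        self._fixed_challenge = b"\x00" * 16

    def challenge(self) -> bytes:
        return secrets.token_bytes(16) if self.fresh_nonces else self._fixed_challenge

    def verify(self, card_id: bytes, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(card_key(card_id), card_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class ReplayAttacker:
    """Has nothing but a sniffed list of (challenge, response) pairs."""

    def __init__(self, transcript):
        self.table = dict(transcript)

    def respond(self, challenge: bytes) -> bytes:
        # Can only answer a challenge it has already seen on the wire.
        return self.table.get(challenge, b"\x00" * 32)


def run_session(host: Host, responder, card_id: bytes):
    """One authentication exchange. Returns (challenge, response, accepted)."""
    chal = host.challenge()
    resp = responder(chal)
    return chal, resp, host.verify(card_id, chal, resp)


def replay_demo(fresh_nonces: bool):
    """Sniff one genuine session, then replay it. Returns (genuine_ok, replay_ok)."""
    card = Card(b"CARD-ID-0001")  # constructed sample card ID
    host = Host(fresh_nonces)
    chal, resp, genuine_ok = run_session(host, card.respond, card.card_id)
    attacker = ReplayAttacker([(chal, resp)])
    _, _, replay_ok = run_session(host, attacker.respond, card.card_id)
    return genuine_ok, replay_ok


def cross_card_demo() -> bool:
    """A genuine card B answering while the host expects card A's ID: the
    card-ID binding makes the response wrong even though B knows the scheme."""
    card_b = Card(b"CARD-ID-0002")
    host = Host()
    _, _, accepted = run_session(host, card_b.respond, b"CARD-ID-0001")
    return accepted


if __name__ == "__main__":
    print("fresh nonces (genuine, replay):", replay_demo(True))
    print("fixed challenge (genuine, replay):", replay_demo(False))
    print("card B answering as card A accepted:", cross_card_demo())
```

With fresh 128-bit challenges the attacker's lookup table never matches, so the replayed response is rejected; with a fixed challenge the very same transcript is accepted. That is the test worth running against any real target before bothering to capture traffic: if the challenge bytes differ between two boots, a transcript replay is not going to work.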
  3. Jackalus

    Jackalus Robust Member

    Joined:
    Jan 22, 2011
    Messages:
    237
    Likes Received:
    23
    You can read the memory card content by simply hooking a reader to the 2nd chip in the memory card PCB. (Not magic gate)

    Read all data out and rewrite as you wish. Reprogram them for other games and most likely even run homebrew.
     
  4. sp193

    sp193 Well Known Member

    Joined:
    Mar 29, 2012
    Messages:
    1,682
    Likes Received:
    371
    I wrote my reply above because you mentioned the crypto keys, which reminded me of the PS3 stuff. But access to memory card content doesn't strictly depend on those (since you mentioned something related to saves) because we have the real hardware, although the PS3 leaks allowed the PS3MCA package to come about (which allowed card authentication on a PC). I'm not very sure what you're referring to by "save backup widgets" though.

    The system 246 supports regular PlayStation 2 memory cards (with rom0:MCMANO), as well as its dongles (with rom0:MCMAN).
    The dongle MCMAN module uses a special mode for dongle authentication (0xF) when working with the MECHACON, which prevents PlayStation 2 memory cards from being used in place of a dongle.

    Like @Jackalus wrote, the contents on the memory cards (regular PS2 cards and dongles) are not encrypted in any way. So if you cannot/do not want to deal with unusual MagicGate card authentication, going straight for the flash chip is a valid move.

    Some dongles have a backdoor, which will allow you to replace the program on the dongle with another program on a regular memory card that is in slot 2.
     
    Last edited: Jul 21, 2017 at 12:49 PM