
r33393 Saturday 15th November, 2014 at 18:43:22 UTC by Andreas Naive
Use of security PIC's readouts for Naomi-M4 decryption [Andreas Naive]
[src/mame/drivers]naomi.c
[src/mame/machine]naomim4.c naomim4.h

trunk/src/mame/drivers/naomi.c
r241904r241905
26612661 */
26622662
26632663static MACHINE_CONFIG_DERIVED( naomim4, naomi_base )
2664   MCFG_NAOMI_M4_BOARD_ADD("rom_board", ":rom_key", "naomibd_eeprom", ":boardid", WRITE8(dc_state, g1_irq))
2664   MCFG_NAOMI_M4_BOARD_ADD("rom_board", ":pic_readout", "naomibd_eeprom", ":boardid", WRITE8(dc_state, g1_irq))
26652665MACHINE_CONFIG_END
26662666
26672667/*
r241904r241905
55975597   ROM_LOAD( "fpr-24333.ic8", 0x0000000, 0x4000000, CRC(a467b69c) SHA1(66a841b72ef1bb8cbabbfb1d14081b4dff14b1d3) )
55985598   ROM_LOAD( "fpr-24334.ic9", 0x4000000, 0x4000000, CRC(13d2d1dc) SHA1(6a47cfaddf006e6ff46837fac956fbcc20619d79) )
55995599
5600   ROM_REGION( 4, "rom_key", 0 )
5601   ROM_LOAD( "mushik2e-key.bin", 0, 4, CRC(b32a0633) SHA1(984c01e43cf359d8e8a0c6cb1a04c5dc3da47d39) )
5600   // ROM_REGION( 4, "rom_key", 0 )
5601   // ROM_LOAD( "mushik2e-key.bin", 0, 4, CRC(b32a0633) SHA1(984c01e43cf359d8e8a0c6cb1a04c5dc3da47d39) )
5602   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5603   ROM_LOAD( "317-0437-com.ic3", 0, 20, NO_DUMP )
56025604
56035605   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x02))
56045606ROM_END
r241904r241905
56125614   ROM_LOAD( "epr-24357.ic7", 0x0000000, 0x0400000, CRC(a2236d58) SHA1(3746b9d3c0f7ecf6340619bb8bf01f170ac4efb7) ) // EPR mode, overwrite FPR data
56135615   ROM_LOAD( "fpr-24334.ic9", 0x4000000, 0x4000000, CRC(13d2d1dc) SHA1(6a47cfaddf006e6ff46837fac956fbcc20619d79) )
56145616
5615   ROM_REGION( 4, "rom_key", 0 )
5616   ROM_LOAD( "mushik2e-key.bin", 0, 4, CRC(b32a0633) SHA1(984c01e43cf359d8e8a0c6cb1a04c5dc3da47d39) )
5617   // ROM_REGION( 4, "rom_key", 0 )
5618   // ROM_LOAD( "mushik2e-key.bin", 0, 4, CRC(b32a0633) SHA1(984c01e43cf359d8e8a0c6cb1a04c5dc3da47d39) )
5619   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5620   ROM_LOAD( "317-0437-com.ic3", 0, 20, NO_DUMP )
56175621
56185622   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x82))
56195623ROM_END
r241904r241905
56265630   ROM_LOAD( "fpr-24338.ic8", 0x0000000, 0x4000000, CRC(1423c374) SHA1(e6a3f0eaccd13c161d07705bcd00f447f08fc186) )
56275631   ROM_LOAD( "fpr-24339.ic9", 0x4000000, 0x4000000, CRC(11883792) SHA1(1782db04f74394f981f887ab1a95d687eb2c0b35) )
56285632
5629   ROM_REGION( 4, "rom_key", 0 )
5630   ROM_LOAD( "zunou-key.bin", 0, 4, CRC(cbe35afb) SHA1(78877655800aae27661bf720e1c37d6c6f2e3d1c) )
5633   // ROM_REGION( 4, "rom_key", 0 )
5634   // ROM_LOAD( "zunou-key.bin", 0, 4, CRC(cbe35afb) SHA1(78877655800aae27661bf720e1c37d6c6f2e3d1c) )
5635   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5636   ROM_LOAD( "317-0435-jpn.ic3", 0, 20, NO_DUMP )
56315637
56325638   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x02))
56335639ROM_END
r241904r241905
56425648   ROM_LOAD( "fpr-24415.ic10", 0x8000000, 0x4000000, CRC(133c742c) SHA1(89f857a31731dc918afc72b6cb716f5c77cb9d6e) )
56435649   ROM_LOAD( "fpr-24416.ic11", 0xc000000, 0x4000000, CRC(562fb88e) SHA1(172678e3e27cfad7f7e6217c4653a4ba119bfbdf) )
56445650
5645   ROM_REGION( 4, "rom_key", 0 )
5646   ROM_LOAD( "sl2007-key.bin", 0, 4, CRC(d5d1e807) SHA1(8a0cc371729c622bb05c5d26b3e39ec31d29ace1) )
5651   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5652   ROM_LOAD( "317-5129-jpn.ic3", 0, 20, CRC(b6191cea) SHA1(13e14ff013bf2728203641303141c016e82b10a3) )
56475653
56485654   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x04))
56495655ROM_END
r241904r241905
56585664   ROM_LOAD( "fpr-24384.ic10", 0x8000000, 0x4000000, CRC(2e9116c4) SHA1(58903a33c4ce72a1f75aefcab94393fc2e8bd2d9) )
56595665   ROM_LOAD( "fpr-24385.ic11", 0xc000000, 0x4000000, CRC(2b79f45d) SHA1(db97d980bf1590df4b983a4b7786977687238ef5) )
56605666
5661   ROM_REGION( 4, "rom_key", 0 )
5662   ROM_LOAD( "asndynmt-key.bin", 0, 4, CRC(bf5396a9) SHA1(0b27fdc800143fb977cb2f1e937078d7a7006939) )
5667   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5668   ROM_LOAD( "317-0495-com.ic3", 0, 20, CRC(675aca7b) SHA1(5127189e1f960abf9ed3f643158747d9abcaee1c) )
56635669
56645670   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x04))
56655671ROM_END
r241904r241905
56745680   ROM_LOAD( "fpr-24439.ic10", 0x8000000, 0x4000000, CRC(c02040f9) SHA1(27ad2cb45e8a516433917f060ca9798412bb95f7) )
56755681   // IC11 Populated, Empty
56765682
5677   ROM_REGION( 4, "rom_key", 0 )
5678   ROM_LOAD( "illvelo-key.bin", 0, 4, CRC(e164952f) SHA1(6c0dfe567640e1e843a5d7bf858a24c101dfcf95) )
5683   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5684   ROM_LOAD( "317-5131-jpn.ic3", 0, 20, CRC(44ab8ca9) SHA1(c17b10041e70590547ed010dc16a4dd2510fcc80) )
56795685
56805686   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x04))
56815687ROM_END
r241904r241905
56905696   ROM_LOAD( "ic10.bin", 0x8000000, 0x4000000, CRC(76fb945f) SHA1(448be0c3d9a7c3956dd51aca3c4d8d28f8cec227) )
56915697   // IC11 Populated, Empty
56925698
5693   ROM_REGION( 4, "rom_key", 0 )
5694   ROM_LOAD( "mamonoro-key.bin", 0x000000, 0x000004, CRC(264ca27a) SHA1(3b81b9794d86697f8eac7ea6945d992564ad6199) )
5699   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5700   ROM_LOAD( "317-5132-jpn.ic3", 0, 20, CRC(f2089de5) SHA1(12af0681decb22bbfa4b3e01037c3503846f265a) )
56955701
56965702   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x04))
56975703ROM_END
r241904r241905
57085714   ROM_LOAD( "ic12.bin",     0x10000000, 0x4000000, CRC(b8a6bff2) SHA1(befbc2e917b3107f1c4bfb9169623282ff97bfb2) )
57095715   ROM_LOAD( "ic13.bin",     0x14000000, 0x4000000, CRC(4886329f) SHA1(6ccf6fb83cfdbef3f85f6c06e641c38ff434d605) )
57105716
5711   ROM_REGION( 4, "rom_key", 0 )
5712   ROM_LOAD( "mbaa-key.bin", 0x000000, 0x000004, CRC(f4ad909f) SHA1(27ba44592c2642b5862a24f68c755ad4115e6047) )
5717   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5718   ROM_LOAD( "317-5133-jpn.ic3", 0, 20, CRC(3dc7d902) SHA1(bb70e80dff878bca3652088f3333079e0781f482) )
57135719
57145720   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x06))
57155721ROM_END
r241904r241905
57275733   ROM_LOAD( "ic12.bin",     0x10000000, 0x4000000, CRC(b8a6bff2) SHA1(befbc2e917b3107f1c4bfb9169623282ff97bfb2) )
57285734   ROM_LOAD( "ic13.bin",     0x14000000, 0x4000000, CRC(4886329f) SHA1(6ccf6fb83cfdbef3f85f6c06e641c38ff434d605) )
57295735
5730   ROM_REGION( 4, "rom_key", 0 )
5731   ROM_LOAD( "mbaa-key.bin", 0x000000, 0x000004, CRC(f4ad909f) SHA1(27ba44592c2642b5862a24f68c755ad4115e6047) )
5736   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5737   ROM_LOAD( "317-5133-jpn.ic3", 0, 20, CRC(3dc7d902) SHA1(bb70e80dff878bca3652088f3333079e0781f482) )
57325738
57335739   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x86))
57345740ROM_END
r241904r241905
57425748   ROM_LOAD( "ic9.bin", 0x4000000, 0x4000000, CRC(16cf2e7a) SHA1(ff7c6540e4507f84e3128ba03be4826ba504678c) )
57435749   // IC10 and IC11 Populated, Empty
57445750
5745   ROM_REGION( 4, "rom_key", 0 )
5746   ROM_LOAD( "radirgyn-key.bin", 0x000000, 0x000004, CRC(c158cf3b) SHA1(c128646d7fee79fc10bf7bbaa23121f347df77f4) )
5751   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5752   ROM_LOAD( "317-5138-jpn.ic3", 0, 20, CRC(babcc420) SHA1(653cdcfa388426f4ce03c76506046ec6fd070562) )
57475753
57485754   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x04))
57495755ROM_END
r241904r241905
57575763   ROM_LOAD( "ic9.bin",    0x4000000, 0x4000000, CRC(18c994d7) SHA1(159e1425b2fc645133814b0d26d93a90e9849b1a) )
57585764   // IC10 and IC11 Populated, Empty
57595765
5760   ROM_REGION( 4, "rom_key", 0 )
5761   ROM_LOAD( "ausfache-key.bin", 0, 4, CRC(93cdc793) SHA1(f0a0c321a3bdf8ca87cbd840a168a9057c08f16a) )
5766   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5767   ROM_LOAD( "317-5130-jpn.ic3", 0, 20, CRC(3e0c010b) SHA1(b6da97d4ecb228e73fb9a5ada837d0d6699ab0f1) )
57625768
57635769   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x04))
57645770ROM_END
r241904r241905
57775783   ROM_REGION( 0x200000, "ioboard", 0) // touch screen I/O board, program disassembles as little-endian SH-4
57785784   ROM_LOAD( "fpr24351.ic14", 0x000000, 0x200000, CRC(4d1b7b89) SHA1(965b8c6b5a2e7b3f1b1e2eac19c86000c3b66754) )
57795785
5780   ROM_REGION( 4, "rom_key", 0 )
5781   ROM_LOAD( "pokasuka-key.bin", 0, 4, CRC(f00bcd61) SHA1(b8315b851656c2e0b7853979988d1c44eab0886b) )
5786   // ROM_REGION( 4, "rom_key", 0 )
5787   // ROM_LOAD( "pokasuka-key.bin", 0, 4, CRC(f00bcd61) SHA1(b8315b851656c2e0b7853979988d1c44eab0886b) )
5788   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5789   ROM_LOAD( "317-0461-com.ic3", 0, 20, NO_DUMP )
57825790
57835791   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x05))
57845792ROM_END
r241904r241905
57975805   ROM_REGION( 0x200000, "ioboard", 0) // touch screen I/O board, program disassembles as little-endian SH-4
57985806   ROM_LOAD( "fpr24351.ic14", 0x000000, 0x200000, CRC(4d1b7b89) SHA1(965b8c6b5a2e7b3f1b1e2eac19c86000c3b66754) )
57995807
5800   ROM_REGION( 4, "rom_key", 0 )
5801   ROM_LOAD( "pokasuka-key.bin", 0, 4, CRC(f00bcd61) SHA1(b8315b851656c2e0b7853979988d1c44eab0886b) )
5808   // ROM_REGION( 4, "rom_key", 0 )
5809   // ROM_LOAD( "pokasuka-key.bin", 0, 4, CRC(f00bcd61) SHA1(b8315b851656c2e0b7853979988d1c44eab0886b) )
5810   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5811   ROM_LOAD( "317-0461-com.ic3", 0, 20, NO_DUMP )
58025812
58035813   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x05))
58045814ROM_END
r241904r241905
58165826   ROM_LOAD( "fpr-24425.ic10", 0x08000000, 0x4000000, CRC(6223ebac) SHA1(64c0ec61c108acbb557e7d3837f578deba832cb6) )
58175827   ROM_LOAD( "fpr-24426.ic11", 0x0c000000, 0x4000000, CRC(c78b0981) SHA1(f889acf9065566e11ff985a3b6c4824e364d57ae) )
58185828
5819   ROM_REGION( 4, "rom_key", 0 )
5820   ROM_LOAD( "rhytngk-key.bin", 0x000000, 0x000004, CRC(e2560d28) SHA1(46fb9b47a0df3035f92db2b0c63a6e4e0745ad29) )
5829   ROM_REGION( 20, "pic_readout", 0 ) // data obtained using a custom PIC reader
5830   ROM_LOAD( "317-0503-jpn.ic3", 0, 20, CRC(69fc3f47) SHA1(3a887c62e93fa264b307c954eb39a4fca1bdfad6) )
58215831
58225832   ROM_REGION(0x4, "boardid", ROMREGION_ERASEVAL(0x04))
58235833ROM_END
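Review bot: The sets whose `pic_readout` is `NO_DUMP` (`317-0437-com.ic3`, `317-0435-jpn.ic3`, `317-0461-com.ic3`) lose their only working key material, because their `rom_key` lines are commented out and `naomim4` now passes `:pic_readout` to the board. The decryption code will presumably read its subkeys from an unfilled 20-byte region for these sets and produce garbage. They should be flagged as not working until the PICs are read; the GAME entries are outside this view, so confirm whether that is already done. The commented-out lines also need a reason beside them, for example `// old 4-byte M4 key, kept for reference until the PIC is dumped`, so nobody deletes or re-enables them by mistake.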
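--- a/trunk/src/mame/machine/naomim4.c
+++ b/trunk/src/mame/machine/naomim4.c
@@ -16,17 +16,16 @@
 // phase is indeed a nibble-based linear combination.
 // With that block cipher, a stream cipher is constructed by feeding the output result of the 1st round
 // of a certain 16-bits block as a whitening value for the next block. The cart dependent data used by
-// the algorithm is comprised by a 16-bits "key" and a 16-bits IV (initialization vector) --though they
-// will be merged in a only 32-bits number in the code--. The hardware auto-reset the feed value
+// the algorithm is a 32-bits key stored in the PIC16C621A. The hardware auto-reset the feed value
 // to the cart-based IV every 16 blocks (32 bytes); that reset is not address-based, but index-based.
 
 const device_type NAOMI_M4_BOARD = &device_creator<naomi_m4_board>;
 
 const UINT8 naomi_m4_board::k_sboxes[4][16] = {
-   {13,14,1,11,7,9,10,0,15,6,4,5,8,2,12,3},
-   {12,3,14,6,7,15,2,13,1,4,11,0,9,10,8,5},
-   {6,12,0,10,1,5,14,9,7,2,15,13,4,11,3,8},
-   {9,12,8,7,10,4,0,15,1,11,14,2,13,5,6,3}
+   {9,8,2,11,1,14,5,15,12,6,0,3,7,13,10,4},
+   {2,10,0,15,14,1,11,3,7,12,13,8,4,9,5,6},
+   {4,11,3,8,7,2,15,13,1,5,14,9,6,12,0,10},
+   {1,13,8,2,0,5,6,14,4,11,15,10,12,3,7,9}
 };
 
 // from S29GL512N datasheet
@@ -67,8 +66,8 @@
    key = tempkey & 0xffff;
 #else
    const UINT8 *key_data = memregion(key_tag)->base();
-   key = (key_data[2] << 8) | key_data[3];
-   iv = (key_data[0] << 8) | key_data[1];
+   subkey1 = (key_data[17] << 8) | key_data[16];
+   subkey2 = (key_data[19] << 8) | key_data[18];
 #endif
    buffer = auto_alloc_array(machine(), UINT8, BUFFER_SIZE);
    enc_init();
@@ -117,7 +116,7 @@
    encryption = false;
    cfi_mode = false;
    counter = 0;
-   cur_iv = 0;
+   iv = 0;
 }
 
 void naomi_m4_board::board_setup_address(UINT32 address, bool is_dma)
@@ -176,19 +175,24 @@
 void naomi_m4_board::enc_reset()
 {
    buffer_actual_size = 0;
-   cur_iv = iv;
+   iv = 0;
    counter = 0;
 }
 
+UINT16 naomi_m4_board::decrypt_one_round(UINT16 word, UINT16 subkey)
+{
+   return one_round[word ^ subkey] ^ subkey ;
+}
+
 void naomi_m4_board::enc_fill()
 {
    const UINT8 *base = m_region->base() + rom_cur_address;
    while(buffer_actual_size < BUFFER_SIZE) {
       UINT16 enc = base[0] | (base[1] << 8);
-      UINT16 output_whitening = key ^ cur_iv;
-      cur_iv = one_round[enc ^ cur_iv];
-      UINT16 dec = one_round[key ^ cur_iv] ^ output_whitening;
-
+      UINT16 dec = iv;
+      iv = decrypt_one_round(enc ^ iv, subkey1);
+      dec ^= decrypt_one_round(iv, subkey2);
+     
       buffer[buffer_actual_size++] = dec;
       buffer[buffer_actual_size++] = dec >> 8;
 
@@ -198,7 +202,7 @@
       counter++;
       if(counter == 16) {
          counter = 0;
-         cur_iv = iv;
+         iv = 0;
       }
    }
 }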
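Review bot: The new subkey load reads `key_data[16]` through `key_data[19]` without checking that the region named by `key_tag` exists and holds at least 20 bytes. A set that still provides only the old 4-byte `rom_key` region, or no region at all, would be read past its end or through a null pointer. A guard before the reads, such as `if (!memregion(key_tag) || memregion(key_tag)->bytes() < 20) fatalerror("naomi_m4_board: PIC readout region missing or too short\n");`, makes that case fail loudly instead. The enclosing function starts outside the hunk, so confirm nothing earlier already validates the region. Separately, the header comment still says the feed value resets "to the cart-based IV", while `enc_reset()` and `enc_fill()` now reset `iv` to 0, so the comment should be updated to match.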
trunk/src/mame/machine/naomim4.h
r241904r241905
3232   static const UINT8 k_sboxes[4][16];
3333
3434   const char *key_tag;
35   UINT16 key, iv;
35   UINT16 subkey1, subkey2;
3636   UINT16 *one_round;
3737
3838   UINT8 *buffer;
3939   UINT32 rom_cur_address, buffer_actual_size;
40   UINT16 cur_iv;
40   UINT16 iv;
4141   UINT8 counter;
4242   bool encryption;
4343   bool cfi_mode;
r241904r241905
4545   void enc_init();
4646   void enc_reset();
4747   void enc_fill();
48   UINT16 decrypt_one_round(UINT16 word, UINT16 subkey);
4849};
4950
5051extern const device_type NAOMI_M4_BOARD;
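Review bot: Removing the `key` member leaves a stale reference in naomim4.c, where the context line `key = tempkey & 0xffff;` still sits in the `#if` branch above the new subkey load. That branch's condition is outside this view, but if it is ever enabled it will no longer compile; it should set `subkey1`/`subkey2` or be deleted. The meaning of `iv` has also changed from the cart-supplied constant to the running feedback value, which deserves a comment on the declaration, e.g. `UINT16 iv; // running feedback value, reset to 0 every 16 blocks`. A one-line comment on `decrypt_one_round` saying that it looks up `one_round[word ^ subkey]` and XORs the result with `subkey` would help readers of the header.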



