trunk/src/mame/drivers/lindbergh.c
| r243360 | r243361 | |
| 31 | 31 | The security seems to work in multiple steps. The information here |
| 32 | 32 | is a combination of our research and things found on the internet. |
| 33 | 33 | |
| 34 | | - At boot, the bios unlocks the CF card through an IDE 0x82 command |
| 35 | | with a currently unknown key. There is also a hardware heartbeat |
| 36 | | signal on the IDE bus to avoid hotswapping. |
| 34 | - At boot, the bios unlocks the CF card through an IDE command. There |
| 35 | is also a hardware heartbeat signal on the IDE bus to avoid |
| 36 | hotswapping, and making it hard to dump the card outside of a Lindberg |
| 37 | motherboard. |
| 37 | 38 | |
| 38 | 39 | - The system boots on the CF which holds a customized Montavista linux. |
| 39 | 40 | |
| 40 | | - The CF system can either install the game (from the DVD) or start it (on the HD) |
| 41 | - The CF system can either install the game (from the DVD) or start it |
| 42 | (on the HD) through the "/usr/sbin/segaboot" executable in the second |
| 43 | partition. |
| 41 | 44 | |
| 42 | | - The DVD is decrypted (probably on-the-fly with aesloop) using a |
| 43 | | fixed system key (all the dvd images start identically). |
| 45 | - The DVD includes an ISO-9660 filesystem at a (game-dependant) |
| 46 | offset. It has a handful of files, all encrypted. Of specific |
| 47 | interest and the su[0-3].dat files which are system updates, and the |
| 48 | frontend file which handles the setup of all the other files for the |
| 49 | game. |
| 44 | 50 | |
| 45 | 51 | - The PIC includes an AES-CBC engine and has as data an IV, a key, |
| 46 | 52 | some game-specific identification information, and two pre and |
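Review bot: The new DVD bullet (new lines 45-49) has a grammar slip that makes it hard to read: "Of specific interest and the su[0-3].dat files" should be "Of specific interest are the su[0-3].dat files". In the same hunk, "Lindberg motherboard" (new line 36) is missing the final "h", and "game-dependant" (new line 45) should be "game-dependent". The rewritten CF bullet also drops the 0x82 opcode that the old text gave; if that number is still believed correct, keep it, since it is the only concrete detail about the unlock command.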
| r243360 | r243361 | |
| 49 | 55 | decrypt very large amounts of data through it though, the bandwidth |
| 50 | 56 | would be way too low. |
| 51 | 57 | |
| 52 | | - The HD is probably unlocked by the CF and bootstrap code is |
| 53 | | decrypted through the PIC. That code in turn loop-decrypts/mounts all the |
| 54 | | data needed from the partition (probably /usr, /X11R6 and /home). |
| 58 | - The CF decrypts the dvd/hd files with a custom crypto system which |
| 59 | is keyed by the result of decrypting 16 times 0x00, 16 times 0x01, |
| 60 | ..., 16 times 0x0b through the PIC, giving a 176 bytes secondary key. |
| 61 | segaboot (in the second partition) and lxdecrypt_hard (in the first |
| 62 | partition's initrd) take care of that. |
| 55 | 63 | |
| 56 | | Currently, we do not have access to the CF image, making it impossible |
| 57 | | to do a complete boot/install. |
| 64 | - The HD is unlocked by the CF with lxunlock.hdb in the first |
| 65 | partition's initrd. The method varies depending on the HD model. |
| 66 | That code is also capable of unlocking the CF (but don't forget |
| 67 | the hardware hearbeat there). |
| 58 | 68 | |
| 59 | 69 | |
| 60 | 70 | Lindbergh Game List |
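Review bot: The key-size arithmetic at new lines 59-60 does not add up. Sixteen-byte blocks of 0x00 through 0x0b are 12 blocks, which is 192 bytes, while the comment says the result is 176 bytes (11 blocks, 0x00 through 0x0a). One of the two figures is off by one block; please check against segaboot and lxdecrypt_hard and correct whichever is wrong. Also, "hearbeat" at new line 67 should be "heartbeat", and "a 176 bytes secondary key" reads better as "a 176-byte secondary key".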
| r243360 | r243361 | |
| 386 | 396 | ROM_LOAD("fpr-24370b.ic6", 0x000000, 0x400000, CRC(c3b021a4) SHA1(1b6938a50fe0e4ae813864649eb103838c399ac0)) \ |
| 387 | 397 | \ |
| 388 | 398 | ROM_REGION32_LE(0x10000, ":pci:01.0:00.0", 0) /* Geforce bios extension (custom for the card) */ \ |
| 389 | | ROM_LOAD("vid_bios.u504", 0x00000, 0x10000, CRC(f78d14d7) SHA1(f129787e487984edd23bf344f2e9500c85052275)) |
| 399 | ROM_LOAD("vid_bios.u504", 0x00000, 0x10000, CRC(f78d14d7) SHA1(f129787e487984edd23bf344f2e9500c85052275)) \ |
| 400 | DISK_REGION("cf") \ |
| 401 | DISK_IMAGE_READONLY("mda-c0004a_revb_lindyellow_v2.4.20_mvl31a_boot_2.01", 0, SHA1(e13da5f827df852e742b594729ee3f933b387410)) |
| 402 | |
| 403 | |
| 390 | 404 | ROM_START(lindbios) |
| 391 | 405 | LINDBERGH_BIOS |
| 392 | 406 | ROM_END |
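Review bot: The DISK_REGION("cf") and DISK_IMAGE_READONLY lines at new lines 400-401 carry no comment, unlike the Geforce line just above them; a short one saying this is the CF boot card described in the header comment would help. Since they sit inside the shared LINDBERGH_BIOS macro, every set that uses the macro now gets this one image, whose name includes "revb" and "lindyellow"; if other CF revisions or board variants exist, say in a comment that this is the only one dumped so far, or move the disk region out of the common macro.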