| Cable |
|
retro gamer
|
|
|
|
|
Reged: 08/30/08
|
|
Posts: 131
|
|
Loc: UK
|
|
|
|
Send PM
|
|
|
Naomi Protection broken!
#245857 - 02/06/11 03:28 PM
|
|
|
This is a quote from CaH4e3 (through google translate)...
"Thanks to the tremendous work done Deunan Knute, the remnants of protection NAOMI were broken. Principles of all three types of encryption and decompression, including protected DMA, now known. It is quite possible to renounce the use of patches with decrypted data, including the DMA mode. Virtua Fighter 4 Evolution. Thus, launched earlier does not run games, including Giant Gram 2000 and cartridge version of Virtua Fighter 4 Evolution."
|
|
|
|
Re: Naomi Protection broken!
[Re: Cable]
#245859 - 02/06/11 03:48 PM
|
|
|
Well, it was only a matter of time with the dedication of the people working on it. I'm curious, so I'll probably take a look at the MAME documentation on the platform once it's fully implemented.
|
---
Try checking the MAME manual at http://docs.mamedev.org
|
|
| R. Belmont |
|
Cuckoo for IGAvania
|
|
|
|
|
|
Reged: 09/21/03
|
|
Posts: 9713
|
|
Loc: ECV-197 The Orville
|
|
|
|
Send PM
|
|
|
Re: Naomi Protection broken!
[Re: Cable]
#245861 - 02/06/11 04:01 PM
|
|
|
> This is a quote from CaH4e3 (through google translate)...
>
> "Thanks to the tremendous work done Deunan Knute, the remnants of protection NAOMI
> were broken. Principles of all three types of encryption and decompression, including
> protected DMA, now known. It is quite possible to renounce the use of patches with
> decrypted data, including the DMA mode. Virtua Fighter 4 Evolution. Thus, launched
> earlier does not run games, including Giant Gram 2000 and cartridge version of Virtua
> Fighter 4 Evolution."
To get the sequence right, Olivier Galibert cracked the PIO compression-after-encryption and then DK got the scramble-DMA figured out (which looks to also be a compression scheme. but with a XOR on top for obfuscation). Ya get those two guys and Andreas Naive on the same email thread and something cool's bound to happen ;-)
Edited by R. Belmont (02/06/11 04:07 PM)
|
|
|
|
Re: Naomi Protection broken!
[Re: R. Belmont]
#245868 - 02/06/11 04:53 PM
|
|
|
yeah, thanks to DK, OG, AN, CaH4ez and others we have totally reversed naomi cart protection.
great work guys!
good reason to celebrate 
add: it's good, because if there are some bugs you are sure it is not protection issues, but emulation.
btw, we (Demul team) think some newer naomi carts have some encryption/protection similar to GD-ROMs, but can't approve it on practice, because we don't have real dumps, only hacked/trojaned .bin's.
Edited by MetalliC (02/06/11 05:10 PM)
|
|
|
| CptGuapo |
|
Beat'em-ups Lover
|
|
|
|
|
Reged: 03/18/08
|
|
Posts: 342
|
|
Loc: Off to Never Never Land
|
|
|
|
Send PM
|
|
|
Re: Naomi Protection broken!
[Re: Cable]
#245874 - 02/06/11 05:57 PM
|
|
|
Yahoo! It seems this will be an awesome year for emulation...Thanks for all your impressive efforts, guys! 
|
"Mythology is what grownups believe, folklore is what they tell children and religion is both."
|
|
| R. Belmont |
|
Cuckoo for IGAvania
|
|
|
|
|
|
Reged: 09/21/03
|
|
Posts: 9713
|
|
Loc: ECV-197 The Orville
|
|
|
|
Send PM
|
|
|
Re: Naomi Protection broken!
[Re: MetalliC]
#245876 - 02/06/11 07:15 PM
|
|
|
> btw, we (Demul team) think some newer naomi carts have some encryption/protection
> similar to GD-ROMs, but can't approve it on practice, because we don't have real
> dumps, only hacked/trojaned .bin's.
100% agreed. Unfortunately I don't have any "clean" dumps of those games either.
|
|
|
|
Re: Naomi Protection broken!
[Re: Cable]
#245902 - 02/07/11 12:34 AM
|
|
|
Great to see yet another encryption cracked open by the gurus.
|
|
|
|
Re: Naomi Protection broken!
[Re: R. Belmont]
#245906 - 02/07/11 12:47 AM
|
|
|
Has anyone documented this along the way on their blog(s)?
I love seeing how the solution slowly evolves over time and how they ended up figuring it out.
|
GroovyMAME support forum on BYOAC
|
|
|
Re: Naomi Protection broken!
[Re: krick]
#245908 - 02/07/11 01:02 AM
|
|
|
well, very many peoples was involved in this research.
some things can be founded on Deunan Knute's blog, others on CaH4e3 blog, maybe something on RB's WIP page, dunno if other peoples have blogs.
anyway, then MAME 141u2 comes out - imho comments in sources is a best place to read the story.
Edited by MetalliC (02/07/11 01:04 AM)
|
|
|
|
Re: Naomi Protection broken!
[Re: MetalliC]
#245910 - 02/07/11 01:06 AM
|
|
|
Could someone please explain what this means in practical terms for MAME and NAOMI emulation?....
Does it simply make life alot easier for dumping the games, therefore only of benefit to a few Mame devs or will it have benefits for end users of MAME like myself...
Obviously its not going to make NAOMI games any faster in MAME (or will it?)....
|
|
|
|
Re: Naomi Protection broken!
[Re: Ziggy100]
#245913 - 02/07/11 01:16 AM
|
|
|
> Does it simply make life alot easier for dumping the games
Yes, it does, no needed anymore to trojan protection data from games, make protection patches and other dirty things
> Obviously its not going to make NAOMI games any faster in MAME (or will it?)....
No
|
|
|
|
Re: Naomi Protection broken!
[Re: MetalliC]
#245941 - 02/07/11 05:43 AM
|
|
|
> well, very many peoples was involved in this research.
> some things can be founded on Deunan Knute's blog, others on CaH4e3 blog, maybe
> something on RB's WIP page, dunno if other peoples have blogs.
> anyway, then MAME 141u2 comes out - imho comments in sources is a best place to read
> the story.
And for anyone interested, Andreas Naive's blog is here. Unfortunately it hasn't been updated since 2008 but when he was actively updating it there was some interesting reading.
|
|
|
|
Re: Naomi Protection broken!
[Re: MetalliC]
#245974 - 02/07/11 01:11 PM
|
|
|
> yeah, thanks to DK, OG, AN, CaH4ez and others we have totally reversed naomi cart
> protection.
Really? We know how the address scrambling works? It looks like it's what plaguing crazy taxi, but I may be misreading the code. naomibd.c is not a model of readability...
OG.
|
|
|
|
|
> > yeah, thanks to DK, OG, AN, CaH4ez and others we have totally reversed naomi cart
> > protection.
>
> Really? We know how the address scrambling works? It looks like it's what plaguing
> crazy taxi, but I may be misreading the code. naomibd.c is not a model of
> readability...
>
> OG.
if you mean controls problem, doesn't seems that thing related, taxi works almost fine in demul just now...
|
|
|
|
Re: Naomi Protection broken!
[Re: CaH4e3]
#245980 - 02/07/11 02:49 PM
|
|
|
> > > yeah, thanks to DK, OG, AN, CaH4ez and others we have totally reversed naomi cart
> > > protection.
> >
> > Really? We know how the address scrambling works? It looks like it's what plaguing
> > crazy taxi, but I may be misreading the code. naomibd.c is not a model of
> > readability...
> >
> > OG.
>
> if you mean controls problem, doesn't seems that thing related, taxi works almost
> fine in demul just now...
No, I mean, the "SC" flag (according to your description).
OG.
|
|
|
|
|
> > if you mean controls problem, doesn't seems that thing related, taxi works almost
> > fine in demul just now...
>
> No, I mean, the "SC" flag (according to your description).
>
> OG.
no, no I mean what the problem with crazy taxi in mame? even if that bit ignored, taxi seems works fine here... so i'm not sure if any problem with taxi now scramble-related...
|
|
|
|
Re: Naomi Protection broken!
[Re: CaH4e3]
#245985 - 02/07/11 03:53 PM
|
|
|
> > > if you mean controls problem, doesn't seems that thing related, taxi works almost
> > > fine in demul just now...
> >
> > No, I mean, the "SC" flag (according to your description).
> >
> > OG.
>
> no, no I mean what the problem with crazy taxi in mame? even if that bit ignored,
> taxi seems works fine here... so i'm not sure if any problem with taxi now
> scramble-related...
Last time I tried it it was hitting the:
logerror("Protected DMA not handled for this game (dma_offset %x)\n", get_safe_token(device)->dma_offset);
in naomibd_get_dmaoffset. I should try again though. What do you do in demul when SC is 0 for that game?
OG.
|
|
|
| R. Belmont |
|
Cuckoo for IGAvania
|
|
|
|
|
|
Reged: 09/21/03
|
|
Posts: 9713
|
|
Loc: ECV-197 The Orville
|
|
|
|
Send PM
|
|
|
|
> Last time I tried it it was hitting the:
> logerror("Protected DMA not handled for this game (dma_offset %x)\n",
> get_safe_token(device)->dma_offset);
> in naomibd_get_dmaoffset. I should try again though. What do you do in demul when SC
> is 0 for that game?
Let me translate your question into proper standalone-author-ese ;-)
Cah4e3, does Naomi Crazy Taxi use the M1 protection? It certainly appears to as OG notes, but I seem to recall hearing it does run in Makaron and DEMUL even if you don't emulate it.
|
|
|
|
Re: Naomi Protection broken!
[Re: R. Belmont]
#245988 - 02/07/11 04:26 PM
|
|
|
> > Last time I tried it it was hitting the:
> > logerror("Protected DMA not handled for this game (dma_offset %x)\n",
> > get_safe_token(device)->dma_offset);
> > in naomibd_get_dmaoffset. I should try again though. What do you do in demul when
> SC
> > is 0 for that game?
>
> Let me translate your question into proper standalone-author-ese ;-)
>
> Cah4e3, does Naomi Crazy Taxi use the M1 protection? It certainly appears to as OG
> notes, but I seem to recall hearing it does run in Makaron and DEMUL even if you
> don't emulate it.
Tsk tsk tsk RB, I'm *not* talking about M1, I'm talking about the address scrambling crap.
OG.
|
|
|
| R. Belmont |
|
Cuckoo for IGAvania
|
|
|
|
|
|
Reged: 09/21/03
|
|
Posts: 9713
|
|
Loc: ECV-197 The Orville
|
|
|
|
Send PM
|
|
|
|
> > yeah, thanks to DK, OG, AN, CaH4ez and others we have totally reversed naomi cart
> > protection.
>
> Really? We know how the address scrambling works? It looks like it's what plaguing
> crazy taxi, but I may be misreading the code. naomibd.c is not a model of
> readability...
My understanding is it's not actually an address scramble; that was a misconception caused by the games being sloppy and also including the data in cleartext elsewhere. Apparently what it actually does is covered by Deunan's latest code he mailed us, and hooking that up in naomibd should solve it.
Also I believe Kale mentioned Crazy Taxi dies because of some non-protection reason, but I could be mis-remembering.
|
|
|
| R. Belmont |
|
Cuckoo for IGAvania
|
|
|
|
|
|
Reged: 09/21/03
|
|
Posts: 9713
|
|
Loc: ECV-197 The Orville
|
|
|
|
Send PM
|
|
|
|
> Tsk tsk tsk RB, I'm *not* talking about M1, I'm talking about the address scrambling
> crap.
We're discussing NAOMIBD_FLAG_ADDRESS_SHUFFLE, right?
Look at the games naomibd can support for that (mvsc2 and qmegamis) and compare to the list of games Deunan's M1 code solves. It's not a scramble, it's a misnamed flag ;-)
|
|
|
|
|
> Last time I tried it it was hitting the:
> logerror("Protected DMA not handled for this game (dma_offset %x)\n",
> get_safe_token(device)->dma_offset);
> in naomibd_get_dmaoffset. I should try again though. What do you do in demul when SC
> is 0 for that game?
ignore it. it's not "Actel" type cart and can't be used for "non-actel" games the same way. the same as for derbyox for example. some other games didn't set that bit too for dma...
for "non-actel" carts this bit using for changing roms mapping, some mappings is the same, some diferent (for example 800000 moved to 400000 etc), some (like World Kicks) wanted both different mappings to work...
As Deunan said, there must be some fixed lookup tables for roms mappings or maybe the same fixed one...
|
|
|
|
Re: Naomi Protection broken!
[Re: R. Belmont]
#245992 - 02/07/11 04:54 PM
|
|
|
> > Tsk tsk tsk RB, I'm *not* talking about M1, I'm talking about the address
> scrambling
> > crap.
>
> We're discussing NAOMIBD_FLAG_ADDRESS_SHUFFLE, right?
>
> Look at the games naomibd can support for that (mvsc2 and qmegamis) and compare to
> the list of games Deunan's M1 code solves. It's not a scramble, it's a misnamed flag
> ;-)
scramble it's just an old name given by some reson
|
|
|
|
Re: Naomi Protection broken!
[Re: R. Belmont]
#246062 - 02/08/11 12:45 PM
|
|
|
These newer games have a PIC on the rom board.
I believe this is the same security as used on Sega Auroa, L&B etc. But the PIC isn't decapped, and nobody is interested, because when you dump the carts via D Knute's method the data is decoded already.
|
|
|
| TheGuru |
|
MAMEDev Dumper
|
|
|
|
|
|
Reged: 06/13/04
|
|
Posts: 1226
|
|
Loc: Dumpville
|
|
|
|
Send PM
|
|
|
Re: Naomi Protection broken!
[Re: AndyGeezer]
#246088 - 02/08/11 11:10 PM
|
|
|
> These newer games have a PIC on the rom board.
>
> I believe this is the same security as used on Sega Auroa, L&B etc. But the PIC isn't
> decapped, and nobody is interested, because when you dump the carts via D Knute's
> method the data is decoded already.
nobody is interested? I seriously doubt it. All that means is they want to keep it a secret so they can sell copies of those newer games for the CF module with the data already hacked up. There's a ton of hacked games floating around already. They originated from 2 or 3 people who know each other.....
|
|
|
| R. Belmont |
|
Cuckoo for IGAvania
|
|
|
|
|
|
Reged: 09/21/03
|
|
Posts: 9713
|
|
Loc: ECV-197 The Orville
|
|
|
|
Send PM
|
|
|
Re: Naomi Protection broken!
[Re: AndyGeezer]
#246091 - 02/09/11 01:12 AM
|
|
|
> These newer games have a PIC on the rom board.
>
> I believe this is the same security as used on Sega Auroa, L&B etc. But the PIC isn't
> decapped, and nobody is interested, because when you dump the carts via D Knute's
> method the data is decoded already.
The DEMUL team's interested and so am I 
|
|
|
|
Re: Naomi Protection broken!
[Re: TheGuru]
#246118 - 02/09/11 04:46 PM
|
|
|
I gave DK an Asian Dyanmite cart I don't know if he has looked into it, and yes there is unprotected dumps floating around from the usual sources - I guess you think I am involved, but that was the same guy who does those multi G-Net CF cards.
|
|
|
Index 
Threaded 
Naomi Protection broken!
Reply
[Re: 
