CPS-3 Encryption Broken and Partially Emulated!

[iq_132]

Hmmmmmmmm….

 

 

System 3

 

Andreas is pretty good at decryption…. now, are we good enough to emulate it? Sounds like a challenge.

 

It’s looking somewhat complex at the moment, but we’ll see.

 

As things stand the only game decrypted is JoJo (but that may change soon) and the game gets stuck at this point, and I’m not quite sure what it’s waiting for.

 

As I said, it’s going to be a challenge, but hopefully an enjoyable one.

 

...due to the encryption it looks like it might require some .. interesting.. modifications to the sh2 core

 

...Basically the SH-2 DMA should bypass the encryption completely by the looks of things, and it sends the Flash commands via DMA so at the moment the wrong commands get sent. (that explains why some of the flash commands were strangely not encrypted in the bios when everything else is)

 

I’ve been talking this through with ElSemi and Dox too.

 

Some more shots:

1

2

 

 

http://haze.mameworld.info/2007/06/09/hmmmmmmmm/

 

Thanks to Emu-France for the news.

[Haldrie]

I have one thing to say about this...it's about time (and I think I speak for everyone when I say that).

[Diso]

I have one thing to say about this...it's about time (and I think I speak for everyone when I say that).

 

agreed. Glad to see they are making some headway with this.

[Lucandrake]

omg omg omg omg

 

I can not wait!!!!! Maybe it'll help boost up 1emu as well!!! This is awesome!!!!

[iq_132]

Drake... what the hell? Davis?

[olaf]

I believe I speak for the rest of the community when I say...

 

F*CK YEAH!

 

It's about time! I think the community as a whole has been very patient -- and it's going to pay off soon -- hopefully.

[Wizard]

Ha now if they can dump the boards without frying them.

[Alpha]

Wow! This is some huge news. Glad to see it finally happening.

[Agozer]

Ha now if they can dump the boards without frying them.

Yeah, I'd like to see that as well. Who knows, maybe they'll soon figure out how to pull it off.

[iq_132]

what will be infinitely more interesting is if the decrypted roms can be burned onto the CD and run 'phoenix' style.

[BlackKnight]

Crazy. This seemed like one of those things that would be forgotten about and never emulated.

[ken_cinder]

I'll stick to my Dreamcast, for the 4 out 6 games on this hardware available on it.

None of which I even like (But that's irrelevant), and are certainly going to be a BIG waste of space on one's hard drive via CPS3 emulation.

 

I'm VERY surprised anyone is even wasting their time emulating CPS3, what with only 6 games (3 of which are Street Fighter games), it has to be the record holding interchangeable platform with the lowest # of titles on it.

 

Even the Hyper Neo-Geo 64 has more titles for it, and that thing BOMBED.

 

Oh though don't get me wrong, kudos to the devs and good luck.

[Wizard]

The only thing no one has tried would be Warzards.

[Ghosty]

I dunno about you guys, but I'm gonna go masturbate to those screenies!

[Alpha]

This is the best explanation of the CPS3 encryption system that I have found. Basically, if the hardware notices any tampering, it'll self destruct or erase the decryption key. Therefore, it can get costly for the hackers if they don't know what they're doing.

 

For any of you who are confused,

 

Cs-3 used a protection scheme so complex it makes AACS look like a joke. Here's the overview:

 

Every time the system is powed on, the game memory (RAM) is filled from a CD-ROM drive. The game is encrypted, so obviously you can't do a CDROM dump, nor can you swap out with a homebrew CDROM unless you know the proprietary encryption algorithm + key

The RAM is decrypted on the fly by a special decoder chip with no spec.

The decryption key for the above hardware decoder chip is stored in volatile RAM with a finicky battery keeping it in memory. If you reset the circuit with the decryption key (NOT the arcade machine itself, but the part with the decoder chip), or there's any error in the decryption process, or heck, if the battery goes dead, the decryption key is obviously no longer stored in said volatile RAM, and you're left with a brick.

Basically, if there's any funny business, BAM, the secondary logic board commits suicide and no more game decrypting for you.

 

The article claims that Andres somebody wrote a program that can read the data right off the CDROM and decrypt it. But Andre's blog (warning: spanish is not my first language) seems to indicate that he may have found a weakness in the algorithm but it's far from a working decrypt/game rom.

http://www.digg.com/gaming_news/CPS3_decry...t_near_you_soon