leonardoliveira & Idc's clean decrypted roms

MrSandman
Posts: 356
Joined: October 9th, 2010, 9:00 pm
Location: Germany
eBay: bigpileofshame
Initials: NOR

Re: leonardoliveira & Idc's clean decrypted roms

Post by MrSandman »

leonardoliveira wrote:If anyone is wondering how this CPS3 revival stuff works, it has to do with that "unknown" chunk of code at address 0x7FF00 every game has and that doesn't seem to decrypt with the game keys....
leonardoliveira wrote: Supposed facts:...
Thanks for the explanation.

But I am a bit confused about the bootloader bit: the bootloader is part of every game CD, it is decrypted by a set-in-stone key (where is that stored?), which differs according to the 4 different security chips and carries the (4 different) security keys for the game?

There are encrypted bootloaders for each of the four security chips and each game, that will re-write the security key for the game to the cart?
"Hans, I've just noticed something."
Wurstkopp
Mister Dick Statue
Posts: 742
Joined: March 26th, 2009, 6:50 pm
Location: Hamburg, Germany
eBay: nachmittagsprogramm
Initials: NIK

Re: leonardoliveira & Idc's clean decrypted roms

Post by Wurstkopp »

Forgive me, I still didn't get it :palm:: does it really mean you are now able to desuicide any working CPS3 game? :wtf:
Collin
Banned
Posts: 20
Joined: June 3rd, 2012, 7:12 pm

Re: leonardoliveira & Idc's clean decrypted roms

Post by Collin »

Very nice! Will you be willing to reflash carts for other people in the same way eventually? I have a Second Impact setup on the way, and would be happy to do any testing I'm capable of, and pay you for your time and work to reflash.
samsho
Please Continue...
Posts: 6
Joined: April 14th, 2011, 7:09 am

Re: leonardoliveira & Idc's clean decrypted roms

Post by samsho »

What will I need to achieve this when all is said and done?
I have a good programmer, but do I need an adapter for an AMD MACH111?

Are you going to be releasing everything on how and what to program? Maybe a step by step guide to the "leonardoliveira process"?
If so, I would make a donation if you setup a donation page somewhere.

Thanks again!!!
idc
Ralf Little impersonator
Posts: 1311
Joined: October 16th, 2008, 9:17 pm
Location: Tamworth, Staffordshire
eBay: iancourt
Initials: IAN

Re: leonardoliveira & Idc's clean decrypted roms

Post by idc »

As I see it, a battery free "zombie cart" fix would require a modified BIOS, therefore the flash ROM would need to be de-soldered, reprogrammed and re-soldered, so we're talking some fine SMT work there, which might not be for everyone.

However, a new battery with a security key re-flash should theoretically be a plug and play job.

We'll see how things progress as to which "services" will be offered and which information will be released for free. Everyone involved in the project would need to come to an agreement.

Suffice to say, this isn't some massive money-making scheme, but if we have to invest in hardware or carts for testing, it might be nice to come out at the end of it without being out of pocket. ;)
Rossyra
Supermod
Posts: 7910
Joined: February 12th, 2009, 1:24 am
Location: UK

Re: leonardoliveira & Idc's clean decrypted roms

Post by Rossyra »

Would donate to the project...
cools
Armed Police Buttrider
Posts: 13625
Joined: August 17th, 2008, 4:49 pm
Location: Wales, United Kingdom
eBay: hordarian
Initials: CLS

Re: leonardoliveira & Idc's clean decrypted roms

Post by cools »

idc wrote:As I see it, a battery free "zombie cart" fix would require a modified BIOS, therefore the flash ROM would need to be de-soldered, reprogrammed and re-soldered, so we're talking some fine SMT work there, which might not be for everyone.
Piggyback board no good?
leonardoliveira
Posts: 692
Joined: August 30th, 2012, 5:53 am
Location: Brazil
Initials: leo

Re: leonardoliveira & Idc's clean decrypted roms

Post by leonardoliveira »

Rossyra wrote:Would donate to the project...
I really could use dead cartridges of the types I don't have yet.
The two I have are of the exact same type and both work the same way with the same keys at 0x7FF00.

Now, for the confused people:

We figured out that there's no boot loader. The bootloader is the BIOS on the flash.

What the chip seeks is a set number of bytes at 0x7FF00 to reprogram its encryption engine.
Collin
Banned
Posts: 20
Joined: June 3rd, 2012, 7:12 pm

Re: leonardoliveira & Idc's clean decrypted roms

Post by Collin »

IDC, great to see you over here, buddy! Thanks for the info. I meant to say in my initial post, I'm happy to donate, or to pay a premium for an early suicide-free cart!

Leonardo, what carts do you need? I've got a couple dead ones coming to me. Am happy to help in whatever little way I can, and/or to donate money to help you and everyone involved recoup expenses.
Rossyra
Supermod
Posts: 7910
Joined: February 12th, 2009, 1:24 am
Location: UK

Re: leonardoliveira & Idc's clean decrypted roms

Post by Rossyra »

I meant cold hard cash ;)

If I had dead carts idc would already have 'em :whoopsie:
IDCHAPPY
c***3
Posts: 2609
Joined: May 3rd, 2010, 7:25 pm
Location: Edinburgh
eBay: Arcadedreams2013
Initials: IDC

Re: leonardoliveira & Idc's clean decrypted roms

Post by IDCHAPPY »

Rossyra wrote:Would donate to the project...
This for sure man, i'd donate :)
MrSandman
Posts: 356
Joined: October 9th, 2010, 9:00 pm
Location: Germany
eBay: bigpileofshame
Initials: NOR

Re: leonardoliveira & Idc's clean decrypted roms

Post by MrSandman »

leonardoliveira wrote:
Rossyra wrote:Would donate to the project...
I really could use dead cartridges of the types I don't have yet.
I have a dead Warzard cart if you'd need, but I can't see any stickers on it to tell which of the 4 chips it is.
"Hans, I've just noticed something."
YZRider926
Please Continue...
Posts: 23
Joined: October 19th, 2009, 6:48 pm
Location: VA, USA

Re: leonardoliveira & Idc's clean decrypted roms

Post by YZRider926 »

I have a dead 3rd strike cart. Would need to take the cover off and see what the number or letter on it is. I'm also in the states so not sure if that will be a pain with shipping and all.
leonardoliveira
Posts: 692
Joined: August 30th, 2012, 5:53 am
Location: Brazil
Initials: leo

Re: leonardoliveira & Idc's clean decrypted roms

Post by leonardoliveira »

Well, while I am not on this for money, I would indeed welcome hardware to aid on this project.

Mostly I need carts (at least one of each kind) for "butchering" and "testing".

I surely have some ideas on how to build a device to reprogram the keys without opening the carts, but flashing the exact same 8-byte sequence CAPCOM feeds the SH2 chip to set the key into the flash ROM inside the cart (0x7FF00) and removing the battery will cause it to restore itself every time it's powered on.

Effectively making it battery free.

So anyone who is willing to send me some hardware (for now, dead carts different than the "D" ones I have here is all I need) can PM me. (some did already, thanks)
samsho
Please Continue...
Posts: 6
Joined: April 14th, 2011, 7:09 am

Re: leonardoliveira & Idc's clean decrypted roms

Post by samsho »

idc wrote:so we're talking some fine SMT work there, which might not be for everyone.
I can solder/desolder 29f016 flash chips. Those AMD MACH111 on the CPS3 carts look much easier if that is the chip that needs to be reworked.

I am hoping the code gets put out there for anyone to do on their own if they have the skills.
Right now people are charging $150 a pop to reflash a cart which is robbery.
DandySephy
Please Continue...
Posts: 1475
Joined: October 7th, 2008, 4:54 am
Location: Canterbury, UK
Initials: SEP

Re: leonardoliveira & Idc's clean decrypted roms

Post by DandySephy »

samsho wrote: Right now people are charging $150 a pop to reflash a cart which is robbery.
Unfortunately the knowledge being public or semi public can often mean there are more people doing the same thing. A certain american guy selling Naomi stuff springs to mind...
leonardoliveira
Posts: 692
Joined: August 30th, 2012, 5:53 am
Location: Brazil
Initials: leo

Re: leonardoliveira & Idc's clean decrypted roms

Post by leonardoliveira »

samsho wrote:
idc wrote:so we're talking some fine SMT work there, which might not be for everyone.
I can solder/desolder 29f016 flash chips. Those AMD MACH111 on the CPS3 carts look much easier if that is the chip that needs to be reworked.

I am hoping the code gets put out there for anyone to do on their own if they have the skills.
Right now people are charging $150 a pop to reflash a cart which is robbery.

MACH111 is there as glue logic, it has nothing to do with the security.

The SH2 CPU needs to see a specific sequence of 8 bytes at a certain address (0x7FF00) when it has no keys programmed before it can operate.
If you take a dead cart now and remove the battery, it will start to do this key reset process every time it's powered on. But for the boot to happen, the number fed to it must correctly match the data on the flash (BIOS) and the kind of chip it is, as there's some sort of obfuscation on the chip for these "keys". Each type of chip will need a different number stream to play, for example, SF3 Third Strike.
leonardoliveira
Posts: 692
Joined: August 30th, 2012, 5:53 am
Location: Brazil
Initials: leo

Re: leonardoliveira & Idc's clean decrypted roms

Post by leonardoliveira »

Dandy_Sephy wrote:
samsho wrote: Right now people are charging $150 a pop to reflash a cart which is robbery.
Unfortunately the knowledge being public or semi public can often mean there are more people doing the same thing. A certain american guy selling Naomi stuff springs to mind...

Well I discovered this by pure luck, accident. Who knows if someone else did the same thing as me years ago and instead decided to get rich from it ? :lol:
YZRider926
Please Continue...
Posts: 23
Joined: October 19th, 2009, 6:48 pm
Location: VA, USA

Re: leonardoliveira & Idc's clean decrypted roms

Post by YZRider926 »

leonardoliveira wrote: The SH2 CPU needs to see a specific sequence of 8 bytes at a certain address (0x7FF00) when it has no keys programmed before it can operate.
If you take a dead cart now and remove the battery, it will start to do this key reset process every time it's powered on. But for the boot to happen, the number fed to it must correctly match the data on the flash (BIOS) and the kind of chip it is, as there's some sort of obfuscation on the chip for these "keys". Each type of chip will need a different number stream to play, for example, SF3 Third Strike.
So could you essentially reflash any cart to any game once all the keys are discovered?
DandySephy
Please Continue...
Posts: 1475
Joined: October 7th, 2008, 4:54 am
Location: Canterbury, UK
Initials: SEP

Re: leonardoliveira & Idc's clean decrypted roms

Post by DandySephy »

leonardoliveira wrote: Well I discovered this by pure luck, accident. Who knows if someone else did the same thing as me years ago and instead decided to get rich from it ? :lol:
Well it wouldn't be a surprise. Of course some people can't or won't do things like this by themselves even if the knowledge is there so having people able to do it is good. They certainly couldn't charge a lot if it's common knowledge.