Sunday, January 14, 2007

CPS2 Getting Closer

The correlations between the 96-bit keys of the two Feistel networks were crucial in getting the s-boxes with 4 or 5 inputs "in sync"--that is, making them identical to the real ones apart from a fixed XOR or permutation applied to the whole box.

Eventually, I ended up with a layout which I'm 99.9% sure is equivalent to the real one. We cannot know the exact contents of the real s-boxes without getting them from the actual hardware, but the current ones should be mathematically equivalent.
The result is here: http://xoomer.alice.it/nicola.salmoria/cps2crptv2.zip.

The most notable news is that the key is now reduced to 64 bits, and the one we are currently using should be identical to the one used by the hardware, apart from a fixed permutation of the bits.
Finding the real permutation would be nice, but obviously that's not something we can determine from the algorithm, since the order of the bits of the key is completely irrelevant.

What is interesting to note is that the keys used by some games don't seem to be random. If they were random one would expect there to be around 32 0s and 32 1s, but sometimes this isn't the case. E.g.
pzloop2: 3332206a0077f829
mshj: 01c0c951370f4c80
dstlka: 04048b4e2a498879
ringdest: 0405541367806575
cybotsj: 0404821534388354

Of these, the last three literally scream "I'm not a random number!". Guessing the right bit order to make something appear, of course, is another matter.
Some of the watchdog values contain birth dates, e.g. cmpi.l #$19660419,D1, so I expect the same thing might be happening here.
Also, it makes sense for the pzloop2 one to be more regular than the others because it's a third-party game.
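The "around 32 0s and 32 1s" expectation above can be checked numerically; the following is an added example, not code from the original post or from cps2crptv2.zip. It counts the 1 bits of each listed key (a count that the unknown fixed bit permutation cannot change) and computes the exact two-sided binomial tail; the pooled figure assumes the five keys were chosen independently.

```python
from math import comb

# Keys exactly as listed in the post (64-bit values, hex).
KEYS = {
    "pzloop2":  "3332206a0077f829",
    "mshj":     "01c0c951370f4c80",
    "dstlka":   "04048b4e2a498879",
    "ringdest": "0405541367806575",
    "cybotsj":  "0404821534388354",
}

def ones(hex_key):
    """Hamming weight; invariant under any permutation of the key bits."""
    return bin(int(hex_key, 16)).count("1")

def two_sided_p(k, n=64):
    """Exact P(|X - n/2| >= |k - n/2|) for X ~ Binomial(n, 1/2)."""
    d = abs(2 * k - n)  # twice the distance from the mean, kept integral
    hits = sum(comb(n, i) for i in range(n + 1) if abs(2 * i - n) >= d)
    return hits / 2 ** n

def report(keys=KEYS):
    """Per-key (weight, p-value), plus the pooled weight and p-value."""
    rows = {name: (ones(h), two_sided_p(ones(h))) for name, h in keys.items()}
    total = sum(w for w, _ in rows.values())
    # Pooled test: treats all keys as one string of 64 * len(keys) fair bits
    # (assumption: keys are independent of each other).
    pooled = two_sided_p(total, 64 * len(keys))
    return rows, total, pooled

if __name__ == "__main__":
    rows, total, pooled = report()
    for name, (w, p) in rows.items():
        print(f"{name:9s} ones={w:2d}/64  p={p:.4f}")
    print(f"pooled    ones={total}/{64 * len(KEYS)}  p={pooled:.2e}")
```

A single key with a low count proves little on its own; all five keys falling below 32 is what makes the pooled figure so small.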

On the key extraction front, things are going reasonably well. The brute force attack described in the previous article is working decently on most games; however, for some of them the available data isn't enough. I'll have a more precise list once I've finished going through all the games. After that, we'll need to devise a better attack if we want to get the missing keys.

The discovery that the key is only 64 bits might help to construct a better attack, though at the moment I don't have many ideas. The fact that the algorithm is divided into two parts, with the output of the first one affecting the key on the second part, complicates things.

6 comments:

Ernst said...

Thank you so much Nicola, this is amazing ;)

Btw, here are a few XOR files I made 4-5 years ago for my "private" use:

http://marsupilami60.free.fr/btcax.zip

It makes Battle Circuit (Asia) playable. Please let me know if you are able to extract the key for this game with the files I've provided.

BisonSAS said...

This comment has been removed because it linked to malicious content.

Haze said...

The hacked xors will probably only confuse matters.

They'll have the data encryption from one game, and the code encryption from another, a complete mess. They provide no more useful data than just having the 2 original revisions / xors from which they were made (which using Nicola's method isn't currently enough) and probably only make matters worse as you can no longer see how they were formed.

The hacked xors are pretty stupid, as you can hack the cps2 code as much as you want by just changing the xor data, what you're doing when you're using them is simply using the code from one game region with the data from another. In some cases the data will match, but when you 're-encrypt' it to create the hacked xor all you create is a fake mess.

Paul Priest said...

It's probably worth just trying the same key for msh with ddsom, given they have the same watchdog instruction.
Has any correlation between the watchdog instruction and the key been discounted (as stupid as that would be)?
- Paul P

Nicola Salmoria said...

There is no correlation between the watchdog and the encryption key. I think the encryption device has 128 bits of internal RAM: 64 are for the encryption key, 48 for the watchdog instruction and 16 for the encryption range.

xw0lf said...

Nicola, can we... if no known attack works with the few games that you can't crack because of lack of data, use pure brute force for the 64b key... if we create a dedicated network like seti@home/boinc, can we crack those few games in the next year or less...???

What do you think?