
7800 encryption bypass


Scooter83


See this:

Atari 7800 Encryption

Interesting read. So probing of the 7800 BIOS was not enough to get the keys necessary to generate playable ROMs, and even if you emulated the BIOS in emulators, you still can't produce a working homebrew ROM.

Someone allegedly dumped the authentication program from an old Atari computer, IIRC, and that enabled the homebrew community to self-sign games for playback on the console. Is there no way homebrew could possibly exist on an unmodded 7800, or the keys be cracked anyway, had this "dumped" key not been discovered on one of Atari's old computers?

----

> Interesting read. So probing of the 7800 BIOS was not enough to get the keys necessary to generate playable ROMs, and even if you emulated the BIOS in emulators, you still can't produce a working homebrew ROM.
>
> Someone allegedly dumped the authentication program from an old Atari computer, IIRC, and that enabled the homebrew community to self-sign games for playback on the console. Is there no way homebrew could possibly exist on an unmodded 7800, or the keys be cracked anyway, had this "dumped" key not been discovered on one of Atari's old computers?

There are a ton of resources here, too, but you'll have to dig into 33-year-old technical docs:

Atari Museum 7800 Technical Documentation

Of course, in lieu of that, perhaps Tep392 or Trebor will chime in with more layman-friendly explanations.

----

 

> There are a ton of resources here, too, but you'll have to dig into 33-year-old technical docs:
>
> Atari Museum 7800 Technical Documentation
>
> Of course, in lieu of that, perhaps Tep392 or Trebor will chime in with more layman-friendly explanations.

Let's just say that I am thankful the 7800's authentication algorithm did get cracked/discovered, or we would not be enjoying all the wonderful homebrews that have been produced for the system, at least not on real unmodified hardware. ;-)

----

IIRC a unit that was modified by Atari to bypass the encryption check showed up on auction a while ago. At any rate, if it is possible to bypass in emulation it should be possible to mod a console to bypass.

What I don't understand is why would you want to mod a console this way since it is possible to sign homebrews to run on unmodified consoles?

----

> IIRC a unit that was modified by Atari to bypass the encryption check showed up on auction a while ago. At any rate, if it is possible to bypass in emulation it should be possible to mod a console to bypass.
>
> What I don't understand is why would you want to mod a console this way since it is possible to sign homebrews to run on unmodified consoles?

Homebrews would and could still have existed even if the algo hadn't been found. After all, I believe the European BIOS had already been cracked with NTSC support, and that BIOS doesn't do the encryption check, so all 7800 games work regardless. My point being, that had the algo not been found we would all just have to install a BIOS chip mod. This really isn't anything different from other later-generation consoles that still have to use mod chips to get around security checks from the mid-90s and up.

----

> Homebrews would and could still have existed even if the algo hadn't been found. After all, I believe the European BIOS had already been cracked with NTSC support, and that BIOS doesn't do the encryption check, so all 7800 games work regardless. My point being, that had the algo not been found we would all just have to install a BIOS chip mod. This really isn't anything different from other later-generation consoles that still have to use mod chips to get around security checks from the mid-90s and up.

:thumbsup:

When looking over the Best Electronics website for the 7800, the "Atari 7800 US Consoles OS Upgrade Kit CB102669 $17.95" is such an upgrade for NTSC consoles.

It comes with:

- 8 page Installation Instructions with 9 color photos
- New 7800 OS chip
- Jumper wire
- New 7800 28 pin OS I.C. Socket
- New Interface I.C.
- A new set of shorter 7800 case screws.

The added bonus is Asteroids is built-in. If no cart is inserted (or a cart cannot be read from being too dirty/corrupt/etc.), Asteroids runs automatically. :)

> IIRC a unit that was modified by Atari to bypass the encryption check showed up on auction a while ago. At any rate, if it is possible to bypass in emulation it should be possible to mod a console to bypass.
>
> What I don't understand is why would you want to mod a console this way since it is possible to sign homebrews to run on unmodified consoles?

Besides the added bonus of having Asteroids built-in, there is a no-wait start up.

For the curious, PAL compatibility/carts can also be tried and tested. ;)

----

Even if the encryption keys were not found, it is dead easy to crack the BIOS. I posted a speed BIOS somewhere in this forum; it doesn't give a rat's about encryption. I even cut it down to the point where only 7800 games will start, instantly! No silly logo and decryption time spent booting. ;)

----

As I was trying to illustrate: while wonderful that the encryption algo was found and the program to encrypt the games with it was also found, it wouldn't have prevented homebrew from being developed and played on the systems, whether it required replacing the BIOS chip, or even possibly finding out ways to code the games to fool it and not require the signing on them to pass the encryption check. A way would have been found... (chaos theory..).

----

> A way would have been found... (chaos theory..).

There are a ton of commercial games for which the BIOS only checks the signature on the last 4k of ROM. It would be trivial to create a homebrew frankenrom that incorporates the last 4k from one of these games.

One nice choice: Midnight Mutants starts up at $ff00, does a bog-standard RAM init, and then jumps directly to $4000. Easy and clean.

----
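To make the frankenrom idea above concrete, here is an added example; it is not code from the thread or from any of its posters. It splices the last 4K of a donor image onto a homebrew image and checks the two things the trick depends on: that the homebrew leaves $F000-$FFFF untouched, and that the donor's boot stub lives entirely in that last 4K and hands off with a JMP $4000. Assumptions of mine: a plain 48K non-bankswitched image mapped at $4000-$FFFF (file offset = address minus $4000) and a BIOS that only checks the last 4K. The donor bytes are constructed for the demo and are not a dump of Midnight Mutants or any other cartridge.

```python
"""Splice a donor's signed last 4K onto a homebrew image (constructed example, not from the thread).

Assumptions of mine: a plain 48K image mapped at $4000-$FFFF (file offset = address - $4000),
the BIOS only checks the last 4K, the homebrew keeps $F000-$FFFF free, and the donor's boot
stub lives in that last 4K and hands off with JMP $4000. The donor bytes below are made up
for the demo; they are not a dump of Midnight Mutants or any other cartridge.
"""

ROM_BASE, ROM_SIZE = 0x4000, 0xC000      # 48K, $4000-$FFFF
TAIL_SIZE = 0x1000                       # the last 4K the BIOS signs/checks
ENTRY = 0x4000                           # where the donor stub jumps
FILL = 0xFF                              # unused-ROM fill byte

def off(addr):
    """File offset of a 6502 address inside the image."""
    return addr - ROM_BASE

def read_vector(image, addr):
    """Little-endian 16-bit vector at `addr` (6502 convention)."""
    return image[off(addr)] | (image[off(addr) + 1] << 8)

def build_donor_tail():
    """Constructed 4K tail: all vectors -> $FF00, stub wipes zero page, JMP $4000."""
    tail = bytearray([FILL] * TAIL_SIZE)
    stub = bytes([
        0x78,               # SEI
        0xD8,               # CLD
        0xA2, 0xFF,         # LDX #$FF
        0x9A,               # TXS
        0xA9, 0x00,         # LDA #$00
        0xA2, 0x00,         # LDX #$00
        0x95, 0x00,         # STA $00,X     minimal "RAM init": clear zero page
        0xE8,               # INX
        0xD0, 0xFB,         # BNE -5        back to the STA
        0x4C, 0x00, 0x40,   # JMP $4000     hand off to the game body
    ])
    tail[0x0F00:0x0F00 + len(stub)] = stub            # $FF00 - $F000 = $0F00
    tail[0x0FFA:0x1000] = bytes([0x00, 0xFF] * 3)     # NMI, RESET, IRQ/BRK -> $FF00
    return bytes(tail)

def hands_off_to(tail, target=ENTRY):
    """True if the tail contains an absolute JMP to `target` (a heuristic, not a trace)."""
    return bytes([0x4C, target & 0xFF, target >> 8]) in bytes(tail)

def splice(homebrew, donor):
    """Return homebrew with its last 4K replaced by the donor's last 4K, after sanity checks."""
    if len(homebrew) != ROM_SIZE or len(donor) < TAIL_SIZE:
        raise ValueError("unexpected image size")
    if any(b != FILL for b in homebrew[-TAIL_SIZE:]):
        raise ValueError("homebrew uses $F000-$FFFF; those bytes would be lost")
    tail = bytes(donor[-TAIL_SIZE:])
    reset = tail[0xFFC] | (tail[0xFFD] << 8)
    if not 0xF000 <= reset <= 0xFFFF:
        raise ValueError("donor reset vector $%04X is outside the copied 4K" % reset)
    if not hands_off_to(tail):
        raise ValueError("donor tail never jumps to $%04X" % ENTRY)
    return bytes(homebrew[:-TAIL_SIZE]) + tail

def demo():
    """Constructed homebrew (spin loop at $4000) + constructed donor -> spliced image."""
    homebrew = bytearray([FILL] * ROM_SIZE)
    homebrew[off(ENTRY):off(ENTRY) + 3] = bytes([0x4C, 0x00, 0x40])   # JMP $4000
    donor = bytearray([0xAA] * ROM_SIZE)                             # body we never keep
    donor[-TAIL_SIZE:] = build_donor_tail()
    return splice(homebrew, donor)
```

The JMP scan only proves that the donor tail contains a jump to $4000, not that its boot stub reaches that jump without touching bytes below $F000; tracing the real donor's stub in a disassembler or emulator is still needed before trusting the result, and a bankswitched board that maps something else over the top 4K would need the check redone for whichever bank is visible at reset.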

> IIRC a unit that was modified by Atari to bypass the encryption check showed up on auction a while ago. At any rate, if it is possible to bypass in emulation it should be possible to mod a console to bypass.
>
> What I don't understand is why would you want to mod a console this way since it is possible to sign homebrews to run on unmodified consoles?

Is this the same "Euro mod" BIOS that Best released? The Euro Mod used an NTSC-tweaked BIOS with Asteroids built in, that skips the rainbow loader and allows unsigned NTSC as well as some PAL games to load.

I don't personally care for it, as the "rainbow" BIOS screen is rather nostalgic, doesn't last long enough to be obnoxious, and BIOS hacks aren't needed to load homebrew games.

There are also a few "dual region" homebrews and I have no idea if the "Euro Mod" BIOS might cause the game to boot into the PAL mode on an NTSC machine, potentially causing glitches. When I ordered my console from Best, I specifically requested the original unmodified "rainbow" BIOS be present on the system.

----

> There are a ton of commercial games for which the BIOS only checks the signature on the last 4k of ROM. It would be trivial to create a homebrew frankenrom that incorporates the last 4k from one of these games.
>
> One nice choice: Midnight Mutants starts up at $ff00, does a bog-standard RAM init, and then jumps directly to $4000. Easy and clean.

Yes, but that's 4kb of extra garbage that cannot be used for the game program, plus there may be copyright issues with copied code. Also, would this hack work for larger bankswitched boards?

----

> Yes, but that's 4kb of extra garbage that cannot be used for the game program, plus there may be copyright issues with copied code.

Of course there would be copyright issues, and of course 4k is wasted. It's not as ideal as the current way, but "a way would have been found" was what I was replying to.

The wasted 4k could also be mitigated; banking away the last 16k of a ROM would be a possibility, given what I've seen CPUWIZ boards do in the past.

----

> Is this the same "Euro mod" BIOS that Best released? The Euro Mod used an NTSC-tweaked BIOS with Asteroids built in, that skips the rainbow loader and allows unsigned NTSC as well as some PAL games to load.
>
> I don't personally care for it, as the "rainbow" BIOS screen is rather nostalgic, doesn't last long enough to be obnoxious, and BIOS hacks aren't needed to load homebrew games.
>
> There are also a few "dual region" homebrews and I have no idea if the "Euro Mod" BIOS might cause the game to boot into the PAL mode on an NTSC machine, potentially causing glitches. When I ordered my console from Best, I specifically requested the original unmodified "rainbow" BIOS be present on the system.

The BIOS doesn't choose NTSC or PAL; the hardware does.

----

2 weeks later...

> It's not as ideal as the current way, but "a way would have been found" was what I was replying to.

Just reading this I remembered a conversation with someone about attacking the encryption of early European TV cards.

Similar to the NES lockout chip. Or the Xbox 360: you take over by hammering the bus or certain lines.

For the 7800 it would be almost gentle: when the cart is mapped in for the checks it is in 7800 mode and starts something that'll decide what is plugged in. So if and only if your cartridge is accessed for the first time, pull the data bus to zero for a defined time: the CPU ends up using the external cartridge's BRK vector.

(Not what I've implemented in the Tiara since a uProc can do a more intelligent attack.)

----

> Just reading this I remembered a conversation with someone about attacking the encryption of early European TV cards.
>
> Similar to the NES lockout chip. Or the Xbox 360: you take over by hammering the bus or certain lines.

I like to follow exploits, and the countermeasures put in place to defeat them. I remember thinking that the countermeasures (like hypervisors) seemed to be winning... and then rowhammer came out.

> For the 7800 it would be almost gentle: when the cart is mapped in for the checks it is in 7800 mode and starts something that'll decide what is plugged in. So if and only if your cartridge is accessed for the first time, pull the data bus to zero for a defined time: the CPU ends up using the external cartridge's BRK vector.

This is lovely in its simplicity. :thumbsup:
----

IRQ is an input to the CPU (I am using it), I don't see how that would work.

He means override the bus (like bus stuffing) shortly after the cart gets swapped in. Instead of executing the bios signature check, the 6502 executes a BRK (opcode 0). At that point you stop the override. Since the cart is mapped in, the cart's BRK vector is read and executed.

----
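The bus override described in the two posts above (force the bus low on the first cartridge access so the next opcode fetch reads as BRK, then release it so the vector fetch sees the cart) is shown here as a small bus-level model. This is an added example, not the Tiara's code and not anything posted in the thread. Assumptions of mine, not from the thread: the check routine is a constructed stand-in for the BIOS signature check running at $2000 in RAM; the cartridge occupies $4000-$FFFF; the glitcher arms itself on the first cartridge-space read and forces the following `override_len` CPU reads to $00; CPU writes are unaffected. Only the six 6502 opcodes the stand-in needs are modelled, but the BRK sequence (padding byte, three pushes, vector fetch from $FFFE/$FFFF) is the real one.

```python
"""Bus-level model of the "pull the data bus low" trick (constructed, not from the thread).

Assumptions of mine: the check stub runs at $2000 in RAM and stands in for the BIOS
signature check; the cartridge maps $4000-$FFFF; the glitcher arms on the FIRST
cartridge-space read and forces the next `override_len` CPU reads to $00; writes pass.
"""

CART_BASE, STACK = 0x4000, 0x0100
LOCKOUT, ACCEPT, CART_ENTRY = 0x200B, 0x2200, 0xFF80

# Constructed stand-in for the BIOS check: read one cart byte, compare it with an
# expected value, lock out on mismatch, otherwise accept.
CHECK_CODE = bytes([
    0xAD, 0xF8, 0xFF,   # $2000 LDA $FFF8   first read from cartridge space
    0xCD, 0x00, 0x30,   # $2003 CMP $3000   expected value kept in RAM
    0xD0, 0x03,         # $2006 BNE $200B   mismatch -> lockout
    0x4C, 0x00, 0x22,   # $2008 JMP $2200   accept
    0x4C, 0x0B, 0x20,   # $200B JMP $200B   lockout: spin forever
])
OUTCOMES = {LOCKOUT: "lockout", ACCEPT: "accepted",
            CART_ENTRY: "cart-brk-handler",   # the attack worked
            0x0000: "vector-zeroed"}          # window too long: $FFFE/$FFFF read as 0

class Bus:
    def __init__(self, cart, override_len):
        self.ram = bytearray(CART_BASE)                  # $0000-$3FFF
        self.ram[0x2000:0x2000 + len(CHECK_CODE)] = CHECK_CODE
        self.ram[0x3000] = 0x42                          # value the check expects
        self.cart = cart                                 # 48K image, $4000-$FFFF
        self.override_len, self.armed, self.forced_left = override_len, False, 0

    def read(self, addr):
        real = self.cart[addr - CART_BASE] if addr >= CART_BASE else self.ram[addr]
        if self.forced_left:                             # glitcher holding the bus low
            self.forced_left -= 1
            return 0x00
        if addr >= CART_BASE and not self.armed:         # first cart access opens the window
            self.armed, self.forced_left = True, self.override_len
        return real

    def write(self, addr, val):
        if addr < CART_BASE:
            self.ram[addr] = val & 0xFF

class CPU:
    """Just enough 6502: LDA/CMP/JMP absolute, BNE, NOP and the real BRK sequence."""
    def __init__(self, bus, pc):
        self.bus, self.pc, self.sp, self.a, self.p = bus, pc, 0xFF, 0, 0x24

    def fetch(self):
        v = self.bus.read(self.pc)
        self.pc = (self.pc + 1) & 0xFFFF
        return v

    def push(self, v):
        self.bus.write(STACK + self.sp, v)
        self.sp = (self.sp - 1) & 0xFF

    def step(self):
        op = self.fetch()
        if op == 0x00:                                   # BRK
            self.fetch()                                 # padding byte: read and skipped
            self.push(self.pc >> 8)
            self.push(self.pc & 0xFF)
            self.push(self.p | 0x30)                     # pushed P carries the B flag
            self.p |= 0x04                               # I flag: interrupts off
            lo = self.bus.read(0xFFFE)                   # IRQ/BRK vector comes off the bus,
            hi = self.bus.read(0xFFFF)                   # i.e. from whatever is mapped there
            self.pc = lo | (hi << 8)
        elif op == 0xAD:                                 # LDA abs
            self.a = self.bus.read(self.fetch() | (self.fetch() << 8))
        elif op == 0xCD:                                 # CMP abs (Z and C only)
            m = self.bus.read(self.fetch() | (self.fetch() << 8))
            self.p = (self.p & ~0x03) | (self.a == m) << 1 | (self.a >= m)
        elif op == 0xD0:                                 # BNE rel
            rel = self.fetch()
            if not self.p & 0x02:
                self.pc = (self.pc + rel - (0x100 if rel > 0x7F else 0)) & 0xFFFF
        elif op == 0x4C:                                 # JMP abs
            self.pc = self.fetch() | (self.fetch() << 8)
        elif op != 0xEA:                                 # only NOP is left in the model
            raise RuntimeError("unmodelled opcode %02X" % op)

def make_cart():
    """Constructed unsigned cartridge: spin loop at $FF80 and every vector -> $FF80."""
    cart = bytearray([0xFF] * 0xC000)
    cart[0xFFF8 - CART_BASE] = 0x11                      # not the byte the check wants
    cart[CART_ENTRY - CART_BASE:CART_ENTRY - CART_BASE + 3] = bytes([0x4C, 0x80, 0xFF])
    for vec in (0xFFFA, 0xFFFC, 0xFFFE):                 # NMI, RESET, IRQ/BRK
        cart[vec - CART_BASE:vec - CART_BASE + 2] = bytes([CART_ENTRY & 0xFF, CART_ENTRY >> 8])
    return cart

def run(override_len, max_steps=50):
    """Boot the stand-in check with `override_len` forced reads; say where the CPU lands."""
    cpu = CPU(Bus(make_cart(), override_len), 0x2000)
    for _ in range(max_steps):
        if cpu.pc in OUTCOMES:
            return OUTCOMES[cpu.pc]
        at = cpu.pc
        try:
            cpu.step()
        except RuntimeError:
            return "stray-%04X" % at                     # window ended mid-vector fetch
    return "undecided"
```

The point of the model is the "defined time" in the post: with no override the stand-in check reads the cart byte, sees the wrong value and locks out; one or two forced reads turn the opcode fetch after the first cart access into BRK (the padding byte is irrelevant) while leaving the vector fetch intact, so execution lands in the cart's BRK handler; holding the bus low through one vector byte sends the CPU somewhere random, and through both sends it to $0000. A real glitcher has to hit that window with the cart's own chip-select as its only trigger.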

 

> For the 7800 it would be almost gentle: when the cart is mapped in for the checks it is in 7800 mode and starts something that'll decide what is plugged in. So if and only if your cartridge is accessed for the first time, pull the data bus to zero for a defined time: the CPU ends up using the external cartridge's BRK vector.
>
> (Not what I've implemented in the Tiara since a uProc can do a more intelligent attack.)

So just override the data bus with zeros? This sounds eerily similar to the NES "Zap" circuit which unlicensed games (except Tengen, who 1:1 copied the NES10) used to take the lockout chip offline by feeding it -5v on one of its pins. :thumbsup:

Nintendo later blocked unlicensed game exploits in late-revision toasters by adding a reverse-biased diode and shunt resistor to the lockout circuit. Atari could have done likewise to block said exploit with the 7800, had it been discovered by unlicensed developers, by adding series resistances to the cart bus. This would also have prevented "bus stuffing" demos from running as well.
