Scooter83 Posted May 27, 2017
Does anyone know what chip the system's encryption is located on and how to bypass it? Is it a quick chip removal or do I bend out one of the pins on a chip? Any help please. Thanks
DrVenkman Posted May 27, 2017
See this: Atari 7800 Encryption
Andromeda Stardust Posted May 27, 2017
> See this: Atari 7800 Encryption

Interesting read. So probing of the 7800 BIOS was not enough to get the keys necessary to generate playable ROMs, and even if you emulated the BIOS in emulators, you still can't produce a working homebrew ROM. Someone allegedly dumped the authentication program from an old Atari computer IIRC, and that enabled the homebrew community to self-sign games for playback on the console. Is there no way homebrew could possibly exist on an unmodded 7800 or the keys cracked anyway, had this "dumped" key not been discovered on one of Atari's old computers???
DrVenkman Posted May 27, 2017
> Interesting read. So probing of the 7800 BIOS was not enough to get the keys necessary to generate playable ROMs, and even if you emulated the BIOS in emulators, you still can't produce a working homebrew ROM. Someone allegedly dumped the authentication program from an old Atari computer IIRC, and that enabled the homebrew community to self-sign games for playback on the console. Is there no way homebrew could possibly exist on an unmodded 7800 or the keys cracked anyway, had this "dumped" key not been discovered on one of Atari's old computers???

There are a ton of resources here, too, but you'll have to dig into 33 year old technical docs: Atari Museum 7800 Technical Documentation

Of course, in lieu of that, perhaps Tep392 or Trebor will chime in with more layman-friendly explanations.
Andromeda Stardust Posted May 27, 2017
> There are a ton of resources here, too, but you'll have to dig into 33 year old technical docs: Atari Museum 7800 Technical Documentation
>
> Of course, in lieu of that, perhaps Tep392 or Trebor will chime in with more layman-friendly explanations.

Let's just say that I am thankful the 7800's authentication algorithm did get cracked/discovered, or we would not be enjoying all the wonderful homebrews that have been produced for the system, at least not on real unmodified hardware.
SIO2 Posted May 27, 2017
IIRC a unit that was modified by Atari to bypass the encryption check showed up on auction a while ago. At any rate, if it is possible to bypass in emulation it should be possible to mod a console to bypass. What I don't understand is why would you want to mod a console this way since it is possible to sign homebrews to run on unmodified consoles?
-^CrossBow^- Posted May 27, 2017
> IIRC a unit that was modified by Atari to bypass the encryption check showed up on auction a while ago. At any rate, if it is possible to bypass in emulation it should be possible to mod a console to bypass. What I don't understand is why would you want to mod a console this way since it is possible to sign homebrews to run on unmodified consoles?

Homebrews would and could still have existed even if the algo hadn't been found. After all, I believe the European BIOS had already been cracked with NTSC support and that BIOS doesn't do the encryption check, so all 7800 games work regardless. My point being, that had the algo not been found we would all just have to install a BIOS chip mod. This really isn't anything different from other later generation consoles that still have to use mod chips to get around security checks from the mid 90s and up.
Trebor Posted May 27, 2017
> Homebrews would and could still have existed even if the algo hadn't been found. After all, I believe the European BIOS had already been cracked with NTSC support and that BIOS doesn't do the encryption check, so all 7800 games work regardless. My point being, that had the algo not been found we would all just have to install a BIOS chip mod. This really isn't anything different from other later generation consoles that still have to use mod chips to get around security checks from the mid 90s and up.

When looking over the Best Electronics website for the 7800, the "Atari 7800 US Consoles OS Upgrade Kit CB102669 $17.95" is such an upgrade for NTSC consoles. It comes with:

- 8 page Installation Instructions with 9 color photos
- New 7800 OS chip
- Jumper wire
- New 7800 28 pin OS I.C. Socket
- New Interface I.C.
- A new set of shorter 7800 Case screws.

The added bonus is Asteroids is built-in. If no cart is inserted (or a cart cannot be read from being too dirty/corrupt/etc.), Asteroids runs automatically.

> IIRC a unit that was modified by Atari to bypass the encryption check showed up on auction a while ago. At any rate, if it is possible to bypass in emulation it should be possible to mod a console to bypass. What I don't understand is why would you want to mod a console this way since it is possible to sign homebrews to run on unmodified consoles?

Besides the added bonus of having Asteroids built-in, there is a no-wait start up. For the curious, PAL compatibility/carts can also be tried and tested.
CPUWIZ Posted May 27, 2017
Even if the encryption keys were not found, it is dead easy to crack the BIOS. I posted a speed BIOS somewhere in this forum; it doesn't give a rats about encryption. I even cut it down to the point where only 7800 games will start, instantly! No silly logo and decryption time spent booting.
Trebor Posted May 27, 2017
> Even if the encryption keys were not found, it is dead easy to crack the BIOS. I posted a speed BIOS somewhere in this forum; it doesn't give a rats about encryption. I even cut it down to the point where only 7800 games will start, instantly! No silly logo and decryption time spent booting.

CPUWIZ's Speed Bios
-^CrossBow^- Posted May 27, 2017
As I was trying to illustrate: while wonderful that the encryption algo was found and the program to encrypt the games with it was also found, it wouldn't have prevented homebrew from being developed and played on the systems, whether it required replacing the BIOS chip, or even possibly finding out ways to code the games to fool it and not require the signing on them to pass the encryption check. A way would have been found... (chaos theory..).
RevEng Posted May 28, 2017
> A way would have been found... (chaos theory..).

There are a ton of commercial games for which the BIOS only checks the signature on the last 4k of ROM. It would be trivial to create a homebrew frankenrom that incorporates the last 4k from one of these games. One nice choice: Midnight Mutants starts up at $ff00, does a bog-standard RAM init, and then jumps directly to $4000. Easy and clean.
Andromeda Stardust Posted May 28, 2017
> IIRC a unit that was modified by Atari to bypass the encryption check showed up on auction a while ago. At any rate, if it is possible to bypass in emulation it should be possible to mod a console to bypass. What I don't understand is why would you want to mod a console this way since it is possible to sign homebrews to run on unmodified consoles?

Is this the same "Euro mod" BIOS that Best released? The Euro Mod used an NTSC tweaked BIOS with Asteroids built in, that skips the rainbow loader and allows unsigned NTSC as well as some PAL games to load. I don't personally care for it, as the "rainbow" BIOS screen is rather nostalgic, doesn't last long enough to be obnoxious, and BIOS hacks aren't needed to load homebrew games. There are also a few "dual region" homebrews and I have no idea if the "Euro Mod" BIOS might cause the game to boot into the PAL mode on an NTSC machine, potentially causing glitches. When I ordered my console from Best, I specifically requested the original unmodified "rainbow" BIOS be present on the system.
Andromeda Stardust Posted May 28, 2017
> There are a ton of commercial games for which the BIOS only checks the signature on the last 4k of ROM. It would be trivial to create a homebrew frankenrom that incorporates the last 4k from one of these games. One nice choice: Midnight Mutants starts up at $ff00, does a bog-standard RAM init, and then jumps directly to $4000. Easy and clean.

Yes, but that's 4kb of extra garbage that cannot be used for game program, plus there may be copyright issues with copied code. Also, would this hack work for larger bankswitched boards?
CPUWIZ Posted May 28, 2017
Yes.
RevEng Posted May 28, 2017
> Yes, but that's 4kb of extra garbage that cannot be used for game program, plus there may be copyright issues with copied code.

Of course there would be copyright issues, and of course 4k is wasted. It's not as ideal as the current way, but "a way would have been found" was what I was replying to. The wasted 4k could also be mitigated; banking away the last 16k of a ROM would be a possibility, given what I've seen CPUWIZ boards do in the past.
Shawn Posted May 28, 2017
> Is this the same "Euro mod" BIOS that Best released? The Euro Mod used an NTSC tweaked BIOS with Asteroids built in, that skips the rainbow loader and allows unsigned NTSC as well as some PAL games to load. I don't personally care for it, as the "rainbow" BIOS screen is rather nostalgic, doesn't last long enough to be obnoxious, and BIOS hacks aren't needed to load homebrew games. There are also a few "dual region" homebrews and I have no idea if the "Euro Mod" BIOS might cause the game to boot into the PAL mode on an NTSC machine, potentially causing glitches. When I ordered my console from Best, I specifically requested the original unmodified "rainbow" BIOS be present on the system.

The BIOS doesn't choose NTSC or PAL; the hardware does.
TomSon Posted June 10, 2017
> It's not as ideal as the current way, but "a way would have been found" was what I was replying to.

Just reading this I remembered a conversation with someone about attacking the encryption of early European TV cards. Similar to the NES lockout chip. Or the Xbox 360: you take over by hammering the bus or certain lines.

For the 7800 it would be almost gentle: when the cart is mapped in for the checks it is in 7800 mode and starts something that'll decide what is plugged in. So if and only if your cartridge is accessed for the first time, pull the data bus to zero for a defined time: the CPU ends up using the external cartridge's BRK vector. (Not what I've implemented in the Tiara since a uProc can do a more intelligent attack)
RevEng Posted June 10, 2017
> Just reading this I remembered a conversation with someone about attacking the encryption of early European TV cards. Similar to the NES lockout chip. Or the Xbox 360: you take over by hammering the bus or certain lines.

I like to follow exploits, and the countermeasures put in place to defeat them. I remember thinking that the countermeasures (like hypervisors) seemed to be winning... and then rowhammer came out.

> For the 7800 it would be almost gentle: when the cart is mapped in for the checks it is in 7800 mode and starts something that'll decide what is plugged in. So if and only if your cartridge is accessed for the first time, pull the data bus to zero for a defined time: the CPU ends up using the external cartridge's BRK vector.

This is lovely in its simplicity.
CPUWIZ Posted June 10, 2017
IRQ is an input to the CPU (I am using it), I don't see how that would work.

EDIT: I guess this could be a behavior of the 6502.
RevEng Posted June 10, 2017
> IRQ is an input to the CPU (I am using it), I don't see how that would work.

He means override the bus (like bus stuffing) shortly after the cart gets swapped in. Instead of executing the BIOS signature check, the 6502 executes a BRK (opcode 0). At that point you stop the override. Since the cart is mapped in, the cart's BRK vector is read and executed.
CPUWIZ Posted June 10, 2017
Yeah, I realized that after I posted, hence the edit. I wonder if this works on all flavors of the chip, especially with the same timing.
Andromeda Stardust Posted June 11, 2017
> For the 7800 it would be almost gentle: when the cart is mapped in for the checks it is in 7800 mode and starts something that'll decide what is plugged in. So if and only if your cartridge is accessed for the first time, pull the data bus to zero for a defined time: the CPU ends up using the external cartridge's BRK vector. (Not what I've implemented in the Tiara since a uProc can do a more intelligent attack)

So just override the data bus with zeros? This sounds eerily similar to the NES "Zap" circuit which unlicensed games (except Tengen, who 1:1 copied the NES10) used to take the lockout chip offline by feeding it -5v on one of its pins. Nintendo later blocked unlicensed game exploits in late revision toasters by adding a reverse biased diode and shunt resistor to the lockout circuit. Atari could have done likewise to block said exploit with the 7800, had it been discovered by unlicensed developers, by adding series resistances to the cart bus. This would also have prevented "bus stuffing" demos from running as well.
phoenixdownita Posted June 12, 2017
You guys all certainly know all this, but I leave this link for the few of us that didn't know the details on the diff between BRK/IRQ/NMI/RESET: http://www.pagetable.com/?p=410
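To make the BRK-vector mechanism from the last few replies concrete, here is an added toy 6502 model (not code from this thread, from any 7800 BIOS, or from the Tiara) showing why a data bus that reads 0x00 during the first fetches after the cartridge is mapped in ends up dispatching through whatever sits at $FFFE. The memory image, the "check" loop at $F000 and the cartridge entry at $4000 are constructed for the demonstration; the lesson for a verifier designer is that a check whose code and interrupt vectors share a bus with the thing being checked has no trusted root.

```c
#include <stdint.h>
#include <string.h>

/* 6502 vectors: NMI $FFFA, RESET $FFFC, IRQ and BRK share $FFFE. */
#define VEC_RESET 0xFFFC
#define VEC_IRQ   0xFFFE

typedef struct {
    uint8_t  mem[0x10000];
    uint16_t pc;
    uint8_t  sp, p;
    int      zero_reads;  /* constructed: reads left that see a bus held at 0x00 */
} cpu_t;

static uint8_t rd(cpu_t *c, uint16_t a) {
    if (c->zero_reads > 0) { c->zero_reads--; return 0x00; }
    return c->mem[a];
}
static uint16_t rd16(cpu_t *c, uint16_t a) { return rd(c, a) | (uint16_t)(rd(c, a + 1) << 8); }
static void push(cpu_t *c, uint8_t v) { c->mem[0x0100 | c->sp] = v; c->sp--; }

/* One instruction. Only BRK and JMP abs are modelled; anything else acts as a NOP. */
static void step(cpu_t *c) {
    uint8_t op = rd(c, c->pc++);
    if (op == 0x00) {                   /* BRK: the opcode a bus held low decodes to */
        rd(c, c->pc++);                 /* BRK consumes a padding byte */
        push(c, (uint8_t)(c->pc >> 8)); push(c, (uint8_t)c->pc);
        push(c, c->p | 0x30);           /* B flag set on the pushed status */
        c->p |= 0x04;                   /* I flag: further IRQs masked */
        c->pc = rd16(c, VEC_IRQ);       /* vector comes from whatever is mapped at $FFFE */
    } else if (op == 0x4C) {            /* JMP absolute */
        c->pc = rd16(c, c->pc);
    }
}

/* Constructed image: a stand-in "BIOS check" loops at $F000; the cartridge's
 * IRQ/BRK vector points at its own entry, a loop at $4000. Returns PC after n steps. */
uint16_t boot(int stuffed_reads, int steps) {
    cpu_t c; memset(&c, 0, sizeof c);
    c.mem[0xF000] = 0x4C; c.mem[0xF001] = 0x00; c.mem[0xF002] = 0xF0;  /* JMP $F000 */
    c.mem[0x4000] = 0x4C; c.mem[0x4001] = 0x00; c.mem[0x4002] = 0x40;  /* JMP $4000 */
    c.mem[VEC_RESET] = 0x00; c.mem[VEC_RESET + 1] = 0xF0;
    c.mem[VEC_IRQ]   = 0x00; c.mem[VEC_IRQ + 1]   = 0x40;
    c.sp = 0xFD; c.p = 0x24;
    c.pc = rd16(&c, VEC_RESET);
    c.zero_reads = stuffed_reads;   /* bus held low only for the first fetches after reset */
    for (int i = 0; i < steps; i++) step(&c);
    return c.pc;
}
```

With `boot(0, 5)` the CPU never leaves the $F000 check loop; with the bus held low for the first two reads, `boot(2, 5)` lands at $4000, which is exactly what Andromeda's series-resistor remark is about: the countermeasure has to live on the bus, not in the BIOS code.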