
I was wondering... (newbie questions)


17 replies to this topic

#1 das OFFLINE  

das

    Combat Commando

  • 5 posts
  • Location:New York

Posted Sun Nov 24, 2002 12:15 PM

If atari/hasbro released the encryption info for the Jaguar, then why does the Jaguar CD need a cd bypass cart?

Thanks!

#2 jaysmith2000 OFFLINE  

jaysmith2000

    Stargunner

  • 1,876 posts

Posted Sun Nov 24, 2002 3:13 PM

das said:

If atari/hasbro released the encryption info for the Jaguar, then why does the Jaguar CD need a cd bypass cart?

Thanks!

They actually didn't release the encryption, they only released the "rights" to the Jaguar.

#3 AtariDude OFFLINE  

AtariDude

    River Patroller

  • 4,185 posts
  • Playing Order and Chaos Online on my iPad2
  • Location:Miami, Florida

Posted Sun Nov 24, 2002 4:15 PM

Exactly. They made the Jaguar system "an open system". That means that anyone wanting to make games for it does not need to worry that they are going to have to get a lawyer to prevent a lawsuit.

I think someone has managed to find the encryption key recently since it appears it was lost and none of the former Atari employees knew where it was.

#4 Mitch OFFLINE  

Mitch

    Quadrunner

  • 5,768 posts
  • 7800 Guy
  • Location:Southern California, USA

Posted Sun Nov 24, 2002 5:25 PM

Yes, the encryption for Jag carts was found. The Jag CD encryption is different and hasn't been found yet.

Mitch
http://atari7800.atari.org

#5 Thunderbird OFFLINE  

Thunderbird

    River Patroller

  • 2,501 posts

Posted Sun Nov 24, 2002 7:00 PM

Mitch said:

Yes, the encryption for Jag carts was found. The Jag CD encryption is different and hasn't been found yet.

Mitch
http://atari7800.atari.org

Glenn can answer this in more detail, but the true encryption was never located.

Each cart has an 8K "header" which contains the size of the data on the cart, the start and end addresses and the authorization "key" for the data on that cart.

Each cart has different data, so each one needed to have Atari make a header for it so it would run on a production Jaguar.

What was found was a special header which someone at Atari created. It's basically a fake header which says the cart data is located at some fixed location in the header itself. The authorization code says something like "Okay... here's the data starting at byte 0 and ending at byte 8" and promptly checks that data, approves it, and passes control to the address following the header (standard cart starting address). So.... you put the header on the beginning of ANY cart, and the Jag thinks it is legal and runs it.

This is not the same thing as "finding the encryption", since the new games are not being encoded in any way. This is essentially a "back door".

I believe Glenn has the software used to encode a cartridge, however the code is useless without a private key which I am told was stored in a vault at Atari.

I am also told by word-of-mouth rumor that the key itself is part of a .WAV file of someone making a "Raspberry" sound.

So, this is why we can make carts. We cannot make CDs. You need a bypass for that.

Luckily, we have software like BattleSphere Gold™ which has the bypass included for FREE. So any jag fan worth his salt will have a copy or two of the bypass anyhow...

:-)

#6 LinkoVitch OFFLINE  

LinkoVitch

    Stargunner

  • 1,955 posts
  • Location:Manchester UK

Posted Sun Nov 24, 2002 7:37 PM

Thunderbird said:

I am also told by word-of-mouth rumor that the key itself is part of a .WAV file of someone making a "Raspberry" sound.

I'd guess that would be false, unless the private key was inserted into the WAV file after it was created. Public/Private encryption uses Prime numbers to work; suppose the sample could have been used to generate the random data needed (like some ssh clients use mouse wiggles for random data).

I wonder how long it would take to find the private key by attacking the keyspace? Some sort of SETI-style approach where a client runs on different people's machines, each searching a different part of the key space :)

#7 atarifan49 OFFLINE  

atarifan49

    Dragonstomper

  • 528 posts
  • Location:Lompoc, CA

Posted Mon Nov 25, 2002 9:29 AM

Tbird is right. The private key for the cartridge and private key for the CD have yet to be found.

To get more detail about the header, it basically works like this. The header is 8k in size on cartridge (resides in the $800000 - $801FFF region of memory).

This header is encrypted using RSA encryption using 518-bit keys (512 bits = 64 bytes + 6 bits for added measure). When decrypted, this header is a program that is run by the DSP to do an MD5 message digest of the cartridge (similar to running a checksum). At the end of this message digest is where the final check is done on whether to allow the cartridge to run or not (looking for the $03D0DEAD value). Only the right cartridge code and header pair will produce that final value (hence why every cart has its own header).

It gets more complicated with the CD. Same basic process but instead the last track on the CD contains the RSA encrypted program and hash table of the CD. This one is larger (approximately 153k in size). The CD boot ROM obviously has a header of its own since the CD unit is seen as a cartridge to the Jag. When the CD boot ROM takes control, it spins the CD, verifies that a CD is in the drive, reads the TOC, looks for the last track, and reads the last track. If the track decrypts correctly, then it proceeds to authenticating the CD. It does three random block samplings of the CD checking blocks of data against the hash table. One of those blocks is from the boot track and the other two from other parts of the CD. And as far as I know this is done from the second session on (first session, session 0, is not checked).

The discussion about the WAV file is going way off course. I know I've been mentioning it in the past, about Leonard supposedly blowing a raspberry into a microphone and Atari using that to make a key from. I really don't know how they made the key. They could've done something like that to use it as a "seed value" to generate the actual keys. They could've done a lot of things. All I know is it's a mystery how they generated the keys.


Glenn
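
The header check described in posts #5 and #7, reduced to a toy model as an added example (not code from the thread, from Atari, or from any poster): it shows why a verifier that lets the signed header name the range to be hashed accepts a header that covers only its own bytes, and how binding the range to the whole body closes that. Assumptions: the 64-byte header layout, the HMAC-SHA256 tag standing in for the RSA step, and every name and sample value here are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_SIZE = 64                      # toy size; the thread describes an 8K header
VENDOR_KEY = b"constructed-demo-key"  # HMAC stand-in for the vendor's RSA private key

def sign_header(start, end, covered):
    """Vendor side: authorize image bytes [start, end), whose content is `covered`."""
    fields = struct.pack(">II", start, end)
    digest = hashlib.md5(covered).digest()   # MD5, as in the scheme described
    tag = hmac.new(VENDOR_KEY, fields + digest, hashlib.sha256).digest()
    return fields + digest + tag + bytes(HEADER_SIZE - 56)

def _checked_range(image):
    """Return (start, end) if header and digest verify, else None."""
    if len(image) < HEADER_SIZE:
        return None
    fields, digest, tag = image[:8], image[8:24], image[24:56]
    good = hmac.new(VENDOR_KEY, fields + digest, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    start, end = struct.unpack(">II", fields)
    if not start <= end <= len(image):
        return None
    if not hmac.compare_digest(hashlib.md5(image[start:end]).digest(), digest):
        return None
    return start, end

def verify_trusting_range(image):
    """Weak design: whatever range the signed header names is accepted."""
    return _checked_range(image) is not None

def verify_full_coverage(image):
    """Hardened design: the verified range must be exactly the body."""
    return _checked_range(image) == (HEADER_SIZE, len(image))

# Constructed sample data: one authorized body, one that was never signed.
BODY_A = b"constructed cartridge body A" * 4
BODY_B = b"constructed body B, never authorized" * 4
NORMAL = sign_header(HEADER_SIZE, HEADER_SIZE + len(BODY_A), BODY_A)
SELF_REF = sign_header(0, 8, struct.pack(">II", 0, 8))  # covers only its own fields

if __name__ == "__main__":
    for name, check in (("trusting", verify_trusting_range),
                        ("full coverage", verify_full_coverage)):
        print(name, check(NORMAL + BODY_A), check(NORMAL + BODY_B),
              check(SELF_REF + BODY_B))
```

The general lesson for signed-image formats is that the verifier, not the signed metadata, must decide what the signature covers.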

#8 Thunderbird OFFLINE  

Thunderbird

    River Patroller

  • 2,501 posts

Posted Mon Nov 25, 2002 5:55 PM

Glenn,

The source of the information about the "raspberry" comes from someone other than you. I have known about this for years now. Specifically from research done by Scott LeGrand when he worked for VMLabs and we were trying to crack the encryption for BattleSphere™. Lots of former Atari employees worked there and Scott was able to get in touch with the person who wrote the encryption. He mentioned the raspberry I believe. He ALSO mentioned there was a "Back Door" for the cart encryption. He would not say what it was, but I suspect it was the header you located.

#9 Sauron OFFLINE  

Sauron

    River Patroller

  • 4,223 posts
  • In the land of Mordor.
  • Location:Middle of Nowhere, AZ

Posted Tue Nov 26, 2002 9:59 PM

Thunderbird said:

Luckily, we have software like BattleSphere Gold™ which has the bypass included for FREE. So any jag fan worth his salt will have a copy or two of the bypass anyhow...

:-)

Speaking of which, any news on a new run? :D

#10 Thunderbird OFFLINE  

Thunderbird

    River Patroller

  • 2,501 posts

Posted Tue Nov 26, 2002 10:17 PM

Sauron said:

Thunderbird said:

Luckily, we have software like BattleSphere Gold™ which has the bypass included for FREE. So any jag fan worth his salt will have a copy or two of the bypass anyhow...

:-)

Speaking of which, any news on a new run? :D

Patience. Patience. I have had several (very) pressing matters to attend to and have had to reschedule some things.

#11 atarifan49 OFFLINE  

atarifan49

    Dragonstomper

  • 528 posts
  • Location:Lompoc, CA

Posted Wed Nov 27, 2002 9:13 AM

Thunderbird said:

Glenn,

The source of the information about the "raspberry" comes from someone other than you. I have known about this for years now. Specifically from research done by Scott LeGrand when he worked for VMLabs and we were trying to crack the encryption for BattleSphere™. Lots of former Atari employees worked there and Scott was able to get in touch with the person who wrote the encryption. He mentioned the raspberry I believe. He ALSO mentioned there was a "Back Door" for the cart encryption. He would not say what it was, but I suspect it was the header you located.


TBird,

Thanks for confirming that. I was beginning to doubt the truth behind that story.

Do you think the raspberry sound was probably used as a seed value for generating the keys?

Glenn

#12 Thunderbird OFFLINE  

Thunderbird

    River Patroller

  • 2,501 posts

Posted Wed Nov 27, 2002 4:41 PM

atarifan49 said:

Thunderbird said:

Glenn,

The source of the information about the "raspberry" comes from someone other than you. I have known about this for years now. Specifically from research done by Scott LeGrand when he worked for VMLabs and we were trying to crack the encryption for BattleSphere™. Lots of former Atari employees worked there and Scott was able to get in touch with the person who wrote the encryption. He mentioned the raspberry I believe. He ALSO mentioned there was a "Back Door" for the cart encryption. He would not say what it was, but I suspect it was the header you located.


TBird,

Thanks for confirming that. I was beginning to doubt the truth behind that story.

Do you think the raspberry sound was probably used as a seed value for generating the keys?

Glenn


Did you hear the same story from other sources?

I'm not sure how the sound was made into the key. I just know it was supposed to be where the key originated. A seed value is as good an explanation as any.

#13 Sauron OFFLINE  

Sauron

    River Patroller

  • 4,223 posts
  • In the land of Mordor.
  • Location:Middle of Nowhere, AZ

Posted Wed Nov 27, 2002 9:24 PM

Thunderbird said:

Sauron said:

Thunderbird said:

Luckily, we have software like BattleSphere Gold™ which has the bypass included for FREE. So any jag fan worth his salt will have a copy or two of the bypass anyhow...

:-)

Speaking of which, any news on a new run? :D

Patience. Patience. I have had several (very) pressing matters to attend to and have had to reschedule some things.

That's cool, thanks for the update! :D

#14 Thunderbird OFFLINE  

Thunderbird

    River Patroller

  • 2,501 posts

Posted Thu Nov 28, 2002 7:47 AM

Sauron said:

Thunderbird said:

Sauron said:

Thunderbird said:

Luckily, we have software like BattleSphere Gold™ which has the bypass included for FREE. So any jag fan worth his salt will have a copy or two of the bypass anyhow...

:-)

Speaking of which, any news on a new run? :D

Patience. Patience. I have had several (very) pressing matters to attend to and have had to reschedule some things.

That's cool, thanks for the update! :D

It's been a very hectic month or two here and I appreciate your patience. Things will work out in the end for those who were patient. Trust me.

#15 PeterG OFFLINE  

PeterG

    Moonsweeper

  • 498 posts
  • Location:Germany

Posted Thu Nov 28, 2002 8:25 AM

Hehe, sounds like Battlesphere Platinum is on the way :-)
Or even better more BSG carts and some new games on cd ....yeah that would be cool...
Peter

#16 Thunderbird OFFLINE  

Thunderbird

    River Patroller

  • 2,501 posts

Posted Thu Nov 28, 2002 9:16 AM

Peterghiea said:

Hehe, sounds like Battlesphere Platinum is on the way :-)
Or even better more BSG carts and some new games on cd ....yeah that would be cool...
Peter

Perhaps I should have been more clear. I've had non-gaming matters come up recently and it's been a very trying time. The people on the BSG waiting list should be pleased soon.

#17 Punisher5.0 OFFLINE  

Punisher5.0

    River Patroller

  • 2,235 posts
  • Location:Illinois

Posted Fri Dec 6, 2002 8:42 PM

Thunderbird said:

Peterghiea said:

Hehe, sounds like Battlesphere Platinum is on the way :-)
Or even better more BSG carts and some new games on cd ....yeah that would be cool...
Peter

Perhaps I should have been more clear. I've had non-gaming matters come up recently and it's been a very trying time. The people on the BSG waiting list should be pleased soon.

It's probably too late to get on the list, isn't it?

#18 Thunderbird OFFLINE  

Thunderbird

    River Patroller

  • 2,501 posts

Posted Fri Dec 6, 2002 9:47 PM

Please email your request to get on the list to thunderbird @ sprynet . com and we'll see what we can do when things start moving along. I'm sure some folks on the list are going to back out. It always happens.



