Hacking the 3DO... Some notes.

Mobius

Post by Mobius » Mon Apr 06, 2009 5:20 am

As I mentioned in the fansubbing thread, I've started to tinker with the 3DO's "encryption" to understand it a little better. (But really, the data isn't encrypted, it's just digitally signed.) I'm going to use this thread as a place to keep some notes as I experiment. Hopefully others will find this useful, or if you do any tinkering yourself, please share your knowledge.

Starting with my post from last night:
Mobius wrote: This thread has gotten me thinking and tinkering again. I looked up the basics of digital signatures, and from what I gather, it works like this:

1. A hash function is run to get a hash of the source data
2. The results of the hash are encrypted
3. The encrypted hash is bundled with the data and delivered
4. The encrypted hash is decrypted at the destination
5. The hash function is run on the delivered data
6. If the calculated hash matches the decrypted hash, the signature is verified

So assuming this is the scheme the 3DO uses, there are a couple of ways to approach running homebrew. We could learn the encryption key so that we can create our own signatures, or we can create data that matches an existing signature. Depending on the complexity of the hashing algorithm, creating data to match an existing signature could be fairly straightforward.

Does anyone have more information about what changes to an ISO break a game and what changes don't? As Gir Draxa and 3DOkid have talked about, modifying data files and keeping them the same size doesn't break the game. I just did a test and verified that modifying the main executable (LaunchMe) and keeping it the same size doesn't break it, either.

Does adding a file break it? How about deleting a file? Or changing a file name? Do all files have to remain the same size, or just certain ones? Can you extract and rebuild the ISO and have it work, or do you have to directly edit the original?

I could do some more experiments to answer these questions, but if anyone knows off the top of their head, it would save me some trouble. :)

More notes in the following posts...
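As an added example (not code from the thread or from any 3DO tool), here is a toy model of the six-step scheme quoted above, used to replay the hex-edit experiments reported in the posts that follow: each signature is textbook RSA (no padding) over a SHA-256 digest of one file, and only files in an assumed SIGNED list carry one. The file names, their contents, the signed-file list and the demo key built from two Mersenne primes are all assumptions made for the demo, not the 3DO's real format or key.

```python
import hashlib

# Demo key (an assumption): two Mersenne primes stand in for the secret primes
# so the run is deterministic. Real keys use large random primes.
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, Python 3.8+

def H(data):
    """Step 1: hash the data; the digest is an integer far smaller than N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data):
    """Step 2: 'encrypt' the hash with the private key (textbook RSA, no padding)."""
    return pow(H(data), D, N)

def verify(data, sig):
    """Steps 4-6: recover the hash with the public key and compare."""
    return pow(sig, E, N) == H(data)

# Constructed disc. Only files in SIGNED carry a signature, mirroring the
# finding that BannerScreen and rom_tags are covered but LaunchMe and
# AppStartup are not.
SIGNED = ("BannerScreen", "rom_tags")
DISC = {"BannerScreen": b"GAME GURU BANNER", "rom_tags": b"sector table",
        "LaunchMe": b"Select a program", "AppStartup": b"startup script"}

def disc_boots(disc, sigs):
    """Console-side check: every signed file must still verify."""
    return all(verify(disc[f], sigs[f]) for f in SIGNED)

def run_experiments():
    """Same-length edits, as in the hex-edit tests; returns {test: boots?}."""
    sigs = {f: sign(DISC[f]) for f in SIGNED}
    results = {"unmodified": disc_boots(DISC, sigs)}
    for f in DISC:
        edited = dict(DISC, **{f: b"X" + DISC[f][1:]})
        results[f + " edited"] = disc_boots(edited, sigs)
    # A file carried over together with its own valid signature still passes:
    # each signature covers one file, nothing binds the file to this disc.
    banner = b"BOGUS TITLE BANNER"
    swapped = dict(DISC, BannerScreen=banner), dict(sigs, BannerScreen=sign(banner))
    results["BannerScreen swapped with its signature"] = disc_boots(*swapped)
    return results

if __name__ == "__main__":
    for test, boots in run_experiments().items():
        print(f"{test}: {'works' if boots else 'does not work'}")
```

The last case is the design caveat behind the reused Game Guru banner: per-file signatures detect edits to a covered file, but not substitution of a whole file that already carries a valid signature.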

Mobius

Post by Mobius » Mon Apr 06, 2009 5:56 am

Some tests I've done so far... I've primarily worked off of the Homebrew Pack #1 with Freedo, using either a standard FZ-1 or hacked bios.

1.) Hex edited the ISO to modify the contents of the LaunchMe file. Changed all instances of "Select a program" to "Modify a program". Kept all file lengths the same, just modified the contents.

Status:
FZ-1 bios: Works.
Hacked bios: Works.

2.) Used OperaFS[De]Compiler to decompile then recompile an ISO.

Status:
FZ-1 bios: Doesn't work.
Hacked bios: Works.

Recompiling the ISO with OperaFS[De]Compiler does not recreate the same file structure with all the same avatars as the original. Instead, it creates the ISO with only one copy of each file. This seems to break the digital signature. This MAY work with ISOs that do not use avatars, but I'm not aware of any releases that don't use them, so I don't know how to test this currently.

3.) Hex edited the ISO to modify the contents of the BannerScreen file. I tried replacing it wholesale with the "Bogus Title" banner screen and also simply changing a few bytes. The results were the same both ways.

Status:
FZ-1 bios: Doesn't work.
Hacked bios: Works.

So it seems that the hashing algorithm pays special attention to the BannerScreen but not the LaunchMe. Any change to the BannerScreen breaks the digital signature, but that's not the case with LaunchMe.

As a side note, this is probably why all of Mnemonic's releases have the Game Guru banner screen. He's not actually using the Game Guru code anywhere, he just has a proper digital signature for that file and is reusing it.

4.) Some observations regarding the "signatures" file:
  • The file is called signatures (plural), and has a varying amount of data depending on the release. So there must be several different signatures per game, each signature corresponding to a different hash. But what information gets hashed?
  • I compared the signatures from five releases: Crash N Burn, Game Guru, Icebreaker II (Mnemonic release), Homebrew Pack #1 (Mnemonic release), UFO (unsigned release)
  • The signatures file is always 335871 bytes. Unused space is padded out with "U".
  • The signatures files for Game Guru and Homebrew Pack #1 start off identically:

    00000000000000000000000000000000B05AD4B1FBD4FE4C6AF36D2A6A9931A061619C9AEB4C4D2D781C28A9A88DD67B

    Is this the signature for the BannerScreen file, which is also identical between the two releases? Icebreaker II starts off similarly, but not quite the same:

    00000000000000000000000000000000B01AD4B1FBD49E4C1AF36D2A4A9991A061619C9AEB4C4D2D781C28A9A88DD67B

    Maybe this isn't the signature for the BannerScreen, since the BannerScreen is identical across all three releases. I would expect the signature to be the same, as well. Maybe there is another file that's identical for Game Guru and Homebrew Pack and slightly different for Icebreaker II? I'll have to look into stuff like the AppStartup, rom_tags, disc label, etc.
  • The following string of bytes shows up repeatedly in all of the signature files:

    FE5B2229C782BD04E680DE55CC238725

    Because of this, the 0 padding at the start of the signature files, and the length of the identical signatures in GG and HBP, I think a single signature is probably 16 bytes, but may be 32.
To Do:
  • Search signature files of the releases that use the Game Guru banner screen for other strings that are identical. Strings repeated across the files may be the signature for the BannerScreen.
  • Further explore which changes break the digital signature and which don't. What files can I modify without breaking the signature, and which can be changed?

BryWI

Post by BryWI » Mon Apr 06, 2009 8:27 am

interesting. good luck with your findings. we're cheering you on! heh.

3DO Experience

Post by 3DO Experience » Tue Apr 07, 2009 2:22 am

Um ok, I should mention I've been working on a stupid way to force "unencrypted" protos to run. I've only had one that actually worked in any way, a partial boot and then crash. What I need is the exact build that was used to make one of the OlderGames releases. It most likely won't work but it could give us a good chunk of data towards reaching our objective.

"Wait. You don't have a bag of charcoal in your gaming room???"

Mobius

Post by Mobius » Tue Apr 07, 2009 3:21 am

3DO Experience wrote: Um ok, I should mention I've been working on a stupid way to force "unencrypted" protos to run. I've only had one that actually worked in any way, a partial boot and then crash. What I need is the exact build that was used to make one of the OlderGames releases. It most likely won't work but it could give us a good chunk of data towards reaching our objective.

Interesting, what have you been trying?

3DO Experience

Post by 3DO Experience » Wed Apr 08, 2009 4:15 am

A really stupid brute force way... I'm too embarrassed to mention here. Knowing now that there is a hash, my method will never work. However, if I could get an exact build that was used to make one of the OlderGames releases I could produce some data that might help our cause.

3DOKid

Post by 3DOKid » Wed Apr 08, 2009 7:01 am

Ban Request. Withholding information that would (humour) benefit the community.

3DO Experience

Post by 3DO Experience » Wed Apr 08, 2009 5:32 pm

I'm not withholding (looks at WindowsKiller), I'm waiting until I have some good data.

Mobius

Post by Mobius » Thu Apr 09, 2009 12:52 am

5.) Hex edited the ISO to modify data from the AppStartup file.

Status:
FZ-1 Bios: Works
Hacked Bios: Works

6.) Hex edited the ISO to modify data from the rom_tags file.

Status:
FZ-1 Bios: Doesn't work
Hacked Bios: Works

7.) More about the signatures file:
  • The following signature string shows up in all three signature files (Game Guru, Homebrew, Icebreaker II) at line three:

    61 61 9C 9A EB 4C 4D 2D 78 1C 28 A9 A8 8D D6 7B
  • Strings of zeros show up in all three files at lines 1 and 15:

    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • The following strings show up repeatedly across all three files, generally in large blocks towards the end of the signatures, before some 0 and 55 padding:

    FE 5B 22 29 C7 82 BD 04 E6 80 DE 55 CC 23 87 25
Some observations:
  • AppStartup is not hashed, but rom_tags is
  • I believe I've found the proper signature for the Game Guru boot screen.
Questions:
  • Is the disc label hashed? (It's probably not, but worth a look.)
  • Is the BannerScreen signature always the third line of the signatures file?
To Dos:
  • Try to find the BannerScreen signature in another, official game.
  • If I can find it, then replace the BannerScreen with the Game Guru BannerScreen and the signature with the suspected Game Guru BannerScreen signature to see if it boots. This could confirm the identified string is actually the Game Guru BootScreen signature.

Scarlettkitten

Post by Scarlettkitten » Thu Apr 09, 2009 1:15 am

Great thread folks, keep up the good work 8)

Mobius

Post by Mobius » Thu Apr 09, 2009 11:41 pm

8.) Hex edited the ISO to modify data from Disc label.

Status:
FZ-1 Bios: Crashes FreeDO
Hacked Bios: Crashes FreeDO

As expected, this didn't accomplish much. :) I was surprised it flat out crashed FreeDO, but I guess it makes sense. There may be an expected format that I broke.

3DO Experience

Post by 3DO Experience » Sat Apr 11, 2009 12:49 am

I'm PMing you the moronic way I tried to do this.

WindowsKiller

Post by WindowsKiller » Sun Apr 12, 2009 12:27 pm

8.) Hex edited the ISO to modify data from Disc label.
The Disc label always points to sector 0 (first sector) and contains, among other things, the size of the disc in sectors. That info, however, isn't really used and you don't have to care about it.

rom_tags tells the system which files to load when booting (always on the 2nd sector on a proper Opera disc); those files are all digitally signed. They include BannerScreen, boot_code, os_code, misc_code. Note that the rom_tags file doesn't hold any filenames. It only refers to sectors and how many bytes to read.

3DOKid

Post by 3DOKid » Sun Apr 12, 2009 1:53 pm

Now, if we can only figure out the hashing algorithm used...

I wonder if they used a proprietary one or something common like MD5?

WindowsKiller

Post by WindowsKiller » Sun Apr 12, 2009 2:00 pm

RSA, of course. The algorithm is no secret. But that won't help you much without knowing the private key if you want to do proper encryption without hacking.

3DOKid

Post by 3DOKid » Sun Apr 12, 2009 2:09 pm

WindowsKiller wrote: RSA, of course. The algorithm is no secret. But that won't help you much without knowing the private key if you want to do proper encryption without hacking.

That weird sound just now was the penny finally dropping. doh.

Mobius

Post by Mobius » Mon Apr 13, 2009 6:44 am

WindowsKiller wrote:
8.) Hex edited the ISO to modify data from Disc label.
The Disc label always points to sector 0 (first sector) and contains, among other things, the size of the disc in sectors. That info, however, isn't really used and you don't have to care about it.

rom_tags tells the system which files to load when booting (always on the 2nd sector on a proper Opera disc); those files are all digitally signed. They include BannerScreen, boot_code, os_code, misc_code. Note that the rom_tags file doesn't hold any filenames. It only refers to sectors and how many bytes to read.

Ahh, interesting, this explains some of the things I've been seeing. Thanks for the info!

3DOKid

Post by 3DOKid » Mon Apr 13, 2009 8:41 am

It also explains why the Oldergames stuff has the GameGuru boot screen.

3DOKid

Post by 3DOKid » Mon Apr 13, 2009 8:43 am

Who will have the private key? Couldn't we just ask for it? The Atari Jaguar crowd have theirs.

3DO Experience

Post by 3DO Experience » Wed Mar 03, 2010 12:25 am

N:9848629834960601161765696679721159386472195710802975774894097161799508454663972383623145204190992555825654001836919677277509412015512909914412280235809649
P:92148915259187652735546324658820788400295573942653196481790449977806032404181
Q:106877327934456063902508171996636457205791109741669452896794832726122641936429
D:1293424431840119233399718499814761414763663098446392305026374327045918630228589915421353480949734793978038214646649008563728161865424388240308738298816913
E:10001

N:9300599932705551463599466527377771225341583519175853550791859282008578500399528445758115451929935900334192412333960106705831250250018072975160929028951191
P:102106380843014298455267940231597303383797415119238106578205549799648313818033
Q:91087352777736422185650838559165253112994476944665706613483581549384947517127
D:3507397765183296525975568232054284081271911083455623853820296964384119163790981747009862925376317583489353369459236855907689701499704961726960510915919713
E:10001
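An added check, not from the thread, for validating a posted parameter set before anyone builds on it: it parses the N/P/Q/D/E lines exactly as written above, tests that N = P*Q, that E is invertible, that E*D is 1 modulo lcm(P-1, Q-1), and does a sign/verify round trip. Because the post writes E as 10001 without saying whether that is decimal or hex, both readings are tried (0x10001 is the common 65537); that the values below are transcribed exactly from the post is an assumption.

```python
from math import gcd

def check_rsa_params(n, p, q, d, e):
    """Return the list of consistency failures for an RSA parameter set;
    an empty list means the set is internally consistent."""
    failures = []
    if p * q != n:
        failures.append("N != P*Q")
    if gcd(e, (p - 1) * (q - 1)) != 1:
        failures.append("E not coprime to (P-1)(Q-1)")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(P-1, Q-1)
    if (e * d) % lam != 1:
        failures.append("E*D != 1 mod lcm(P-1, Q-1)")
    m = 1234567890123456789 % n        # arbitrary test message
    if pow(pow(m, d, n), e, n) != m:   # textbook sign, then verify
        failures.append("sign/verify round trip failed")
    return failures

def parse_posted_key(text):
    """Parse 'N:...', 'P:...' lines exactly as they appear in the post."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def interpret_exponent(text):
    """E is posted as 10001; report the failures for the decimal reading
    and for the hex reading (0x10001 = 65537), so the right one is obvious."""
    k = parse_posted_key(text)
    n, p, q, d = (int(k[x]) for x in "NPQD")
    return {base: check_rsa_params(n, p, q, d, int(k["E"], radix))
            for base, radix in (("decimal", 10), ("hex", 16))}

# Both parameter sets copied from the post above (transcription assumed exact).
KEY_1 = """N:9848629834960601161765696679721159386472195710802975774894097161799508454663972383623145204190992555825654001836919677277509412015512909914412280235809649
P:92148915259187652735546324658820788400295573942653196481790449977806032404181
Q:106877327934456063902508171996636457205791109741669452896794832726122641936429
D:1293424431840119233399718499814761414763663098446392305026374327045918630228589915421353480949734793978038214646649008563728161865424388240308738298816913
E:10001"""
KEY_2 = """N:9300599932705551463599466527377771225341583519175853550791859282008578500399528445758115451929935900334192412333960106705831250250018072975160929028951191
P:102106380843014298455267940231597303383797415119238106578205549799648313818033
Q:91087352777736422185650838559165253112994476944665706613483581549384947517127
D:3507397765183296525975568232054284081271911083455623853820296964384119163790981747009862925376317583489353369459236855907689701499704961726960510915919713
E:10001"""

if __name__ == "__main__":
    for name, key in (("key 1", KEY_1), ("key 2", KEY_2)):
        print(name, interpret_exponent(key))
```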

3DOKid

Post by 3DOKid » Wed Mar 03, 2010 5:14 pm

How do we use this?

Does this mean we can hack games, by unCDROM, modify the contents, then resign them and play them on standard 3DO?

So, how do we resign?

3DÖ

Post by 3DÖ » Thu Mar 04, 2010 12:43 am

If this will let me play Blue Forest Story on my PAL 3DO then I will open up the chamPAgne :)

And of course, running homebrew will be fun too, and the possibility of a Policenauts English patch :p
