
Jaguar CD Encryption Bypass thread!


Sauron


Update:

 

After playing phone tag for a few days, Glenn Bruner and I finally spoke at great length last night and I went over some of the items that may lead to the final release of the encryption components needed by the homebrew community:

 

1. I will scan and release all of the faxes and memos between Richard Miller, Leonard Tramiel and RSA technologies regarding Jag encryption.

 

2. I will release a ZIP image of the C sources that were used to create the encryption.

 

3. I have 3 sets of .key files from various dates from November 1995, these are public.key private.key and publiccd.key which I am hoping will all be valid prime number keys which were used to generate encryption for the Jag.

 

4. I will release ZIPs of Jagcrypt and CdENC, which are the Jag Cartridge and JagCD encryption programs; in the CdENC are utilities for generating the JagTOC files that the weird format of the JagCDs requires.

 

5. Added bonus, I will also release the source code to Club Drive.

 

This will all be posted here on AA and in the new Atari Jaguar section of the Atari Museum website this weekend.

 

I will also make available, for anyone who doesn't have broadband and wants all these programs and code, a CD-ROM for sale for $9.99 with all this code, plus a lot of additional Jag utilities including Rendering and Polygon generation code and the engine and sources for American Hero.

 

 

 

Curt

 

We're not worthy!! 8)


Curt: I will also make available, for anyone who doesn't have broadband and wants all these programs and code, a CD-ROM for sale for $9.99 with all this code, plus a lot of additional Jag utilities including Rendering and Polygon generation code and the engine and sources for American Hero.

 

Hmm these tools sound very interesting good work people... I hope more will come in the near future :D


I'd like a Club Drive with better control and a higher framerate. A network mode of play would be a lot of fun too!

Yay, and to quote Starcat from some talk we had. Throw in some textures and some weapons and you have a cool Jaguar Version of Battlewheels.....

Now THAT would rock

Peter who wants Club Drive Gold badly now :-)


I will start posting this stuff tomorrow morning, I'm transferring it off the ST tonight... oh! These are ST based utilities, so you'll either need an ST or Steem to run them. I don't know if you could run a CD burner through Steem and it would work though....

 

someone else will have to answer that, I'm not much on the emulators, I prefer the real thing! :-D

 

 

 

Curt


I will start posting this stuff tomorrow morning, I'm transferring it off the ST tonight... oh! These are ST based utilities, so you'll either need an ST or Steem to run them. I don't know if you could run an EPROM burner through Steem and it would work though....

 

someone else will have to answer that, I'm not much on the emulators, I prefer the real thing! :-D

 

Curt

 

This is the coolest thing since the TYPEAB cartridge header (which the name TYPEO applies better) was discovered!!!

 

Curt rules!!!!! Thank you Curt!


I will start posting this stuff tomorrow morning, I'm transferring it off the ST tonight... oh! These are ST based utilities, so you'll either need an ST or Steem to run them. I don't know if you could run an EPROM burner through Steem and it would work though....

 

someone else will have to answer that, I'm not much on the emulators, I prefer the real thing! :-D

 

 

 

Curt

 

I look forward to tomorrow. I will certainly be investigating the code / programs you upload. Here's hoping encryption bypasses can be made extinct.

 

Gordon


Okay, here are hopefully the files and keys everyone has been looking for.

 

 

Jagcrypt.zip : Jag Cartridge encryption utilities with keys

 

entest.zip : Various encryption generation and testing utilities, also with keys

 

cdenc.zip : JagCD encryption utilities, patches and TOC utils, plus the latest set of the keys out of all 3 zip files.

 

 

Hope this is it guys, there are some source files and other interesting files there to pick apart, could prove useful...

 

 

Regards,

Curt

jagcrypt.zip

entest.zip

cdenc.zip


What kind of ST - 1040/Mega/MegaSTE/Falcon/TT, or does it matter?

 

1/2/4/8 meg of Ram?

 

 

These files came off of a TT030 HD, so I don't know if it will require the 030 processor and more ram, but I will say this, some of these utilities can take upwards of 10 mins to generate code on a tt030 with lots of memory, so I would recommend a higher end ST or again, if these will work on Steem, then run them in emulation since you can run many things much faster that way, best of luck.

 

 

Curt


Okay, here are hopefully the files and keys everyone has been looking for.

 

 

Jagcrypt.zip : Jag Cartridge encryption utilities with keys

 

entest.zip : Various encryption generation and testing utilities, also with keys

 

cdenc.zip : JagCD encryption utilities, patches and TOC utils, plus the latest set of the keys out of all 3 zip files.

 

 

Hope this is it guys, there are some source files and other interesting files there to pick apart, could prove useful...

 

 

Regards,

Curt

 

 

Curt,

 

Thanks for uploading these files!

 

On my quick and dirty first attempt, I was unable to get the cart encryption to work. :-(

 

In reading the text files that came with the programs, I suspect that the actual "Private.Key" file is not present. The text says that the "Private.Key" included is for testing purposes only and that the "distribution" copy of the key is on a disk that was under control of management. (We sort of knew this already from discussions with former Atari employees).

 

I suppose there could be a chance the distribution keys are included in the archive and I didn't see them in my quick browse, but the ones in the main jagcrypt directory don't seem to generate a working ROM.

 

Of course I could have done something wrong and screwed it up myself as well, so I will go back and try again with some other binaries and see if I can get something working.

 

All hope is not lost, as at least now we have the code that encrypted the Jag ROMS, so even without the private key it might be possible to reverse engineer what the keys are, or find a weakness in the routine to exploit.

 

This information is invaluable, even if the "distribution" keys are still lost.

 

Thanks again, Curt!!!


The text says that the "Private.Key" included is for testing purposes only and that the "distribution" copy of the key is on a disk that was under control of management. (We sort of knew this already from discussions with former Atari employees).

 

 

Yeah, taken from the readme:

 

"The PUBLIC.KEY and PRIVATE.KEY included in this directory are for testing purposes only. The actual Jaguar distribution public key is in the file PUBLICD.KEY; the private key is available only on the magic disk (see Leonard)."

 

 

Magic disk? If Leonard actually kept it on his person at all times, it must have been a very secure protection scheme :) Damn, paranoid Atari

:P


It's nice to see the PC version of the cartridge encryption tool and source code was found! I have a copy of the written procedure that goes with this program. I had been looking for it! Thanks Curt.

 

Now just need to come up with a method to brute force hack the private key without taking the remaining time there exists in the universe to do it! I bet the NSA could do it!

 

Would be nice to have the cartridge encryption private key, but the CD key is the real challenge!

 

Glenn


It's nice to see the PC version of the cartridge encryption tool and source code was found! I have a copy of the written procedure that goes with this program. I had been looking for it! Thanks Curt.

 

Now just need to come up with a method to brute force hack the private key without taking the remaining time there exists in the universe to do it! I bet the NSA could do it!

 

Would be nice to have the cartridge encryption private key, but the CD key is the real challenge!

 

Glenn

 

 

In reading the documentation and source code files, I get the impression that Atari possibly used the same "distribution private key" on that one Magic Disk for both cartridge and CD encryption.

 

It sounds like the same keys were used on both.

 

Glenn, is there any way you can post the documentation that describes the procedures? This might help me find any flaws in what I am doing trying to make this work as it is.


Thinking about it, T-Bird, if you have the time and inclination you could test your cart encrypting process with the keys provided if you replaced the public key in the Jag's boot ROM with the test one.

 

You would at least know then that you have the process right.

 

Also a quick compare of the public key from the jag and the one with the code curt uploaded would also show if the keypair is the valid one for production units.


From my brief look at the keys (in months past, not these), the keys were only around the 512 bit mark, which I believe has been cracked and can be done in a few years.

 

The actual process of cracking the keys is quite simple, it just happens to involve some very big numbers and take time to do.

 

 

I bet that if everyone here that volunteers to help out could run a cracker program and we assign each person a range of key values, that we could crack it in under a year.


I think my stab at it worked out that a lone 1GHz PC would probably do it in around 30 years. So 30 PCs going at it should be a year; I think we could muster more than 30 1GHz systems between us all, so I don't see why not.

 

Just a matter of getting the whole thing setup :)

 

(plus there are some nice tricks, like you only have to search half the keyspace to find it anyway :) )


I don't think the private keys are the same for both CD and Cart as the CDEncrypt program wants to get a file called PRIVATCD.KEY from the A: drive when it runs.

 

We don't appear to have a PRIVATCD.KEY file anywhere in these zip files so it seems that Leonard Tramiel still has the magic floppy.

 

Gordon


I don't think the private keys are the same for both CD and Cart as the CDEncrypt program wants to get a file called PRIVATCD.KEY from the A: drive when it runs.

 

We don't appear to have a PRIVATCD.KEY file anywhere in these zip files so it seems that Leonard Tramiel still has the magic floppy.

 

Gordon

 

Not sure I can agree with you. The public keys appear to be identical, so why would they make the same public key and different private keys?


For the record here are the actual Public keys for the cartridge boot and CD boot and some ROM location info for them.

 

Cartridge Public Key:

 

;public:

dc.b $2F,$C5,$0F,$79,$B7,$96,$1B,$10

dc.b $A2,$EA,$46,$AB,$A1,$F0,$1D,$AF

dc.b $C5,$C7,$94,$C0,$08,$B9,$81,$80

dc.b $5E,$5B,$93,$F5,$03,$02,$41,$FE

dc.b $75,$B7,$1C,$E8,$E7,$22,$79,$A3

dc.b $D5,$BE,$30,$45,$F9,$EA,$35,$D9

dc.b $8A,$0A,$15,$40,$B4,$B4,$E8,$4E

dc.b $A6,$DD,$17,$EE,$42,$33,$10,$0D

dc.b $F9

 

The above key is located at offset $222 in the K series boot ROM and $82C in the M series boot ROM. Starting at these locations are three zero bytes. These three bytes + the 65 bytes listed above are loaded to location $F03000 in GPU RAM with the deRSA code.

 

 

CD Public Key:

 

;public:

dc.b $2C,$80,$1E,$32,$56,$F3,$58,$0F

dc.b $1F,$73,$48,$8A,$32,$20,$3E,$B7

dc.b $E8,$C7,$03,$17,$11,$51,$6F,$8F

dc.b $92,$DC,$64,$C2,$4B,$AE,$E6,$E0

dc.b $C9,$CA,$38,$35,$0E,$07,$03,$EC

dc.b $4E,$3B,$A8,$F3,$1F,$2F,$90,$A6

dc.b $43,$C2,$CD,$A0,$FF,$2D,$5B,$26

dc.b $8E,$4A,$A9,$3B,$4A,$63,$A6,$AA

dc.b $27

 

Same basic thing applies with the above public key for the CD. The three zero bytes plus the above key can be found at offset $31C6 in the CD boot ROM. Loaded into the same area of GPU RAM as the cartridge public key.

 

Here are three facts about the keys:

- the keys are 518 bits (both public and private)

- it takes at least 65 bytes to hold 518 bits

- the two upper bits of the 65 bytes are always zero since they are bits 519 and 520

 

And I believe the lowest bit is always equal to 1.

 

I've attached the above keys in a Zip file that can be downloaded below.

 

 

Cheers,

Glenn

public_key_files.zip

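As an added example (not code from the thread, and not one of Atari's tools): the two key listings from Glenn's post above, parsed out of their `dc.b` form and checked against the properties he states (65 bytes, 518 bits, top two bits zero, low bit set, three leading zero bytes in the buffer loaded to $F03000). It assumes the 65 bytes are a single big-endian integer; the post does not say how the deRSA code interprets the buffer, nor whether these bytes are the RSA modulus alone.

```python
"""Check the Jaguar boot-ROM public-key listings against the stated facts.

Added example; not code from the original thread.  Assumption: the 65 key
bytes form one big-endian integer (the 68000 is big-endian, but the page
does not say how deRSA reads the buffer or what the bytes represent).
"""
import re

# Cartridge boot-ROM public key, copied verbatim from the post above.
CART_PUBLIC_KEY_LISTING = """
;public:
dc.b $2F,$C5,$0F,$79,$B7,$96,$1B,$10
dc.b $A2,$EA,$46,$AB,$A1,$F0,$1D,$AF
dc.b $C5,$C7,$94,$C0,$08,$B9,$81,$80
dc.b $5E,$5B,$93,$F5,$03,$02,$41,$FE
dc.b $75,$B7,$1C,$E8,$E7,$22,$79,$A3
dc.b $D5,$BE,$30,$45,$F9,$EA,$35,$D9
dc.b $8A,$0A,$15,$40,$B4,$B4,$E8,$4E
dc.b $A6,$DD,$17,$EE,$42,$33,$10,$0D
dc.b $F9
"""

# CD boot-ROM public key, copied verbatim from the post above.
CD_PUBLIC_KEY_LISTING = """
;public:
dc.b $2C,$80,$1E,$32,$56,$F3,$58,$0F
dc.b $1F,$73,$48,$8A,$32,$20,$3E,$B7
dc.b $E8,$C7,$03,$17,$11,$51,$6F,$8F
dc.b $92,$DC,$64,$C2,$4B,$AE,$E6,$E0
dc.b $C9,$CA,$38,$35,$0E,$07,$03,$EC
dc.b $4E,$3B,$A8,$F3,$1F,$2F,$90,$A6
dc.b $43,$C2,$CD,$A0,$FF,$2D,$5B,$26
dc.b $8E,$4A,$A9,$3B,$4A,$63,$A6,$AA
dc.b $27
"""

KEY_BITS = 518          # stated in the post
KEY_BYTES = 65          # ceil(518 / 8), also stated in the post
LEADING_ZERO_BYTES = 3  # the post says three zero bytes precede the key in ROM


def parse_dc_b(listing: str) -> bytes:
    """Collect every $XX operand of the dc.b lines, in order, into a byte string."""
    out = bytearray()
    for line in listing.splitlines():
        line = line.split(";", 1)[0].strip()   # drop assembler comments
        if not line.lower().startswith("dc.b"):
            continue
        for tok in re.findall(r"\$([0-9A-Fa-f]{1,2})", line):
            out.append(int(tok, 16))
    return bytes(out)


def key_properties(raw: bytes) -> dict:
    """Return the facts the post states about a 65-byte key, as checkable values."""
    n = int.from_bytes(raw, "big")   # assumption: big-endian integer
    return {
        "byte_len": len(raw),
        "bit_len": n.bit_length(),
        "top_two_bits_zero": (raw[0] & 0xC0) == 0,   # bits 519 and 520 of the buffer
        "odd": (n & 1) == 1,                          # "lowest bit is always equal to 1"
    }


def gpu_ram_image(raw: bytes) -> bytes:
    """The buffer the post says is loaded to $F03000: three zero bytes + the key."""
    return bytes(LEADING_ZERO_BYTES) + raw


def check_key(listing: str) -> dict:
    """Parse one listing and report whether every stated property holds."""
    raw = parse_dc_b(listing)
    props = key_properties(raw)
    props["image_len"] = len(gpu_ram_image(raw))
    props["all_claims_hold"] = (
        props["byte_len"] == KEY_BYTES
        and props["bit_len"] == KEY_BITS
        and props["top_two_bits_zero"]
        and props["odd"]
    )
    return props


if __name__ == "__main__":
    for name, listing in (("cartridge", CART_PUBLIC_KEY_LISTING),
                          ("CD", CD_PUBLIC_KEY_LISTING)):
        print(name, check_key(listing))
```

Both listings come out at exactly 518 bits with an odd low byte, which is consistent with each 65-byte block being an RSA modulus whose top two bits are padding; it does not, by itself, say anything about the private keys or about how the Jaguar's deRSA routine consumes the buffer.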
