CPS-2 Encryption Scheme Broken

Acheon writes: "The CPS-2 arcade board from Capcom uses some hard encryption scheme that has been a very hot issue in emulation for years. Yet finally the code was broken. Final Burn, a quite recent arcade emulator, showed concrete results by running previously unsupported games such as Street Fighter Zero using decrypted ROM images. The CPS-2 Shock Team, who managed to reverse engineer the process from scratch, really outdid themselves, and it is a very uncommon achievement." Thanks to Jamie for also pointing out more info.
  • Surely a file that can be XORed with an encrypted ROM to yield an unencrypted ROM is the intellectual property of capcom.
  • You are missing the point of emulation, according to the people that produce emulators.

    With emulation going more mainstream every day, there are a lot of people around today that treat and use emulation as another form of warez. But the people writing the emulators, and the old-skool fans have two driving interests in this. Most important is the technical challenge involved. And in the background, there is the idea of preserving 'video game heritage'.

    CPS2shock are acting completely within these aims in doing what they have done, and not going any further. They have no interest in playing the latest titles, and they don't have anything but respect for Capcom. This isn't an 'us and them' issue, unlike most encryption stories. This is more about responsibility and technical excellence.
  • It's not just figuring out the key. It's figuring out the encryption algorithm as well. Besides, until now there was no known way to even get the plaintext ROM.

    Go and actually read their website, and you'll realize how stupid you sound...

  • the CPS2 has been in the mame source for a while now, but disabled. So part of it is probably already emulated. It was just that there was no way of dumping the decrypted roms until now.
  • Now that we have the <sarcasm>lovely</sarcasm> DMCA hanging over our heads, are such reverse-engineering activities deemed illegal? Can Capcom turn around and sue FinalBurn's ass to oblivion?
  • He says in the FAQ that he'll release any info he finds to the MAME team.

  • And the decision has nothing to do with the fact that they'd be in court in a heartbeat under the terms of the DMCA if Capcom wanted to? While I do think it was a responsible decision, I also think that there was some enlightened self-interest at work as well (even if the team denies it).

    And to the team, congratulations, a great achievement.

    .technomancer

  • You are in error.

    Any method that allows you access to encrypted data is a break.

    Any process that allows you access to all possible encrypted data of a given crypto system (such as CPS2) is a break of the Encryption system.

    Herein lies the fallacy of media encryption. Eventually the decrypted data must be made available to the machine, and that makes it available to any hacker of the machine. Even if CSS was not broken, DVD rips would still be possible for this very reason (just hack the code of a DVD player to dump the screen frames to an AVI file).

    You have to understand, that a break consists of any method that allows you to get the decrypted data in less time than it would take to do a brute-force attack.

    Go study a good crypto book, like Applied Cryptography by Bruce Schneier, before you think to argue with the above.

  • By your logic, archeologists and museums are the biggest thieves of this world.

    What you fail to recognize is that the words "crime", "thief" and "property" are all arbitrary. We don't all put the same meaning into them, nor should we. So your intolerance to other interpretations than your own makes you blind as a bat in a hat!

    - Steeltoe

    An argumentative mind can't hold any wisdom, so wise men leave them alone.
  • Word for Word means that it's not a strong algorithm (i.e, not chaining the blocks). Yes, it should be relatively easy to break it knowing the plaintext and ciphertext.
  • It's probably _very_ easy, this is from their W.I.P:

    "One interesting point so far is the fact one value ($235B) is the same encrypted as it is nonencrypted."

  • Since they're stored in an SRAM chip, should they be able to just read them out?

    It's tamper-proof. Whenever the battery voltage changes, the SRAM holding the keys clears itself. This has come to be known as "Capcom Suicide."


    Like Tetris? Like drugs? Ever try combining them? [pineight.com]
  • Of course, the battery voltage doesn't change much while the system is in operation.
    Like Tetris? Like drugs? Ever try combining them? [pineight.com]
  • This isn't strictly true. The game is not gone, but the volatile RAM of the decryption chip is. Capcom is capable of restoring such a "dead" board by replacing the battery and uploading the code into the chip again. I've heard that this costs 75-90 USD or so.
  • cps2shock isn't distributing any roms and there is a valid need to decrypt CPS2 games because once the battery on the board dies the game is gone for good.
  • The obvious reasons are
    1) US export controls on crypto.
    2) Key management difficulties make using super tough crypto far less relevant. If people really try hard enough they can get the key for these systems, so why bother using really tough crypto. It's just to make things a bit harder.

    Coz I doubt you'll see arcade operators sticking in their personal smartcards into their arcade machines and entering their pass sequences. (If machines get pirated, they can then trace them to the arcade operator).
  • Sorry to burst your bubble...

    I hate that phrase. You're not sorry at all. If you really felt bad about it, you probably wouldn't do it.

    Yes, I'm glad you made the post. It was nicely informative. But you're still not sorry.
  • It's not your place to decide when and where it's ok to give away someone else's intellectual property.

    It really doesn't matter if it's an hour old or a million years old, you don't own it...

    I'm not trying to make everyone stop downloading ROMs but at least I am realistic enough to say "I am fully aware I do not own this and I am going to download it anyhow" rather than deluding myself with weak-ass "justifications".

    If you steal things, then you are a thief. At least recognize that and then resume your thievery. Don't say "I am not *really* a thief, I am more of a 'borrower' of items no longer in use since I only take older things".

  • If they had any concern whatsoever about Capcom's intellectual property, they wouldn't have tried to circumvent the protection scheme in the first place.
    You know what? It's just as illegal to distribute an old rom that you don't own than it is for a new one. Did someone at Capcom call up the cps2shock guys and say "Hey listen, we are having a hard time deciding which of our older CPS2 titles should be released to the public for free, can you make the decision for us?" Yeah I thought not.

    It's not that I have a problem with arcade emu because I don't. But I also don't lie to myself when I download a ROM I don't own by saying "Oh it's ok, this is an older game."

    The one thing I noticed about a lot of people in the emu scene is how they look on "warez kiddies" with disdain and yet in most cases that's exactly what these people are. They run sites the same way, they trade other people's property the same way.

    The cps2shock team is trying to cover their ass and hoping they don't get swarmed by Capcom lawyers.

    Let's call a spade a spade here.

  • It's tamper-proof. Whenever the battery voltage changes, the SRAM holding the keys clears itself. This has come to be known as "Capcom Suicide."

    Seems to make sense. Now I'm curious as to how it can be read by the cps2 board. The SRAM must be read sometime, by the hardware itself. How does that get past the countermeasure?
  • that was SFZ for the Capcom changer system, not the CPS2 system.
  • First of all, using PGP is not a smart idea. How would you do it? If you encrypt the entire ROM with PGP, then at runtime you would have to decrypt the entire ROM. At that point you just apply +5V and ground and read out the entire contents of the ram buffer, and CPS2 would have been broken only days after it came out.

    Let's say that we made it more difficult, let's only encrypt/decrypt portions of ROMs at a time. If you do this you have to force the programmers to know what part of the ROM they were going to use at what time, or otherwise face some massive slowdowns as it decrypted it in real time upon access. If we made it so each instruction was encrypted at a time, then PGP would have been a massive failure. Thinking about how PGP works ... generate a random symmetric key, encrypt the data, then apply the asymmetric encryption for key exchange. Far too much work to do on a per-instruction basis. Remember this was 1993, we were still using 20MHz 386SX's then. Technology could not have kept up with decrypting per instruction.

    Besides, if you used PGP in 1993, you probably still wouldn't have had a RTU in a commercial application, and you certainly wouldn't have had the right to export out of the US.

    From what I've read about CPS2, it's quite a smart system. No matter what system you use, PGP or CPS2's encryption, you have to store the keys somewhere. Without a cryptographic smart card, it has to be placed in RAM or ROM somewhere. So Capcom put it in some extremely volatile RAM, making any sort of tampering very difficult to do, much like disabling a bomb. Once the board detected tampering, then it would lose the keys and render the board brain dead.

    Next they made it so the encryption worked in real time. It didn't have to be extremely strong, but it had to be fast. They relied on the keys being protected by the suicide circuit.

    From what I understand, CPS2Shock first started watching the instructions as they were being loaded on the data bus. They never could have got all the data off the ROMs in this manner, unless every code branch was executed. But they learned what the CPU sees ... and they were able to inject their own code into the running system. From that point they were able to develop a brute force system to look at memory, and later they refined their technique to eliminate certain possibilities.

    So CPS2Shock rocked the world by releasing the first translation table that made the encrypted ROMS useable. Next up, if they break the encryption, then they could simply attack the ROMS instead of having to use this process of finding the final value vs the value stored on the ROM.

    It's sort of a security by obscurity, but I think that, holding up for 8 years as well as it did, the CPS2 protection is still quite a formidable opponent. It may be even more difficult to break than the DVD code, since the keys for that hack were simply copied out of the code from a poorly implemented DVD player.

    With CPS2, you don't have easy access to the keys, and the team broke the code through analysis, brute force, and key elimination. Next up they're going after the encryption itself since they now know both the decrypted info and the encrypted info.

  • that once it's decrypted in RAM, then it's just a matter of dumping the RAM buffers to get the unencrypted rom.
  • I am not an electrical engineer or an expert at electronics, however I am familiar with some arcade machines, being well entrenched in the emulation scene. The ROM images of the recent games out there are only a few meg, I doubt you'd see any images of more than 100 megs, even with recent games, and old games were a lot less, many not even reaching 1 meg. So why not encrypt the data using PGP or another strong encryption scheme, and then at boot, where some of the games run through a long boot sequence anyway, decode the information and store it in RAM? Not sure if the game's main processor would be able to decode it fast enough, but a dedicated CPU and circuit should.

    Just my $.02
  • Actually, there's a hack here [retrogames.com] to change the battery and keep the contents of the board.

    Although, gotta say, I'd rather do it with a PSU and bigger same-voltage battery. Keep it alive for a bit longer.

    Ben^3
  • FinalBurn's maker had nothing to do with the decryption of the ROMs, he just has a Cps2 emulator; it's the Cps2hack that has to worry, but Capcom is not dumb, and they are already screwing people with this copy-protection scheme, which renders 5 year old boards useless, so they won't complain. Plus, to safeguard themselves, the people releasing these games are only releasing old ones.
  • I believe the fine folks at www.project-0.com also deserve some recognition for successfully bypassing the encryption of King of Fighters 2000 (which is contained on a neo geo pocket cartridge within the KOF 2000 cartridge). long live snk!
  • The battery swap technique isn't fool-proof, and it's not a permanent solution either. If in fact unencrypted ROMs do solve the problem of suicide boards, a lot of collectors will be happy. The only way to revive a board before was to send it back to Capcom, and they wouldn't even touch one that has already been opened. Boards older than 5 years old are the only ones really at risk of committing suicide, so 97 seems like a reasonable year to me.
  • by Anonymous Coward
    Actually the CPS2 encryption scheme has not been cracked. Instead a method has been found to dump the ROMs unencrypted (without actually knowing the keys). All work to actually crack the encryption has ceased. Don't you guys actually read any of the linked articles?
  • Please don't use terms like 'intellectual property' as if they were really property. It's absurd. The whole notion is absurd. The framers of the constitution didn't think of copyright as any sort of property. In fact, the founding fathers (if you're from America, that is) said that property is an innate right, but copyright is something that the public _can_ give to someone if it deems it in the public interest. Most of the things in the constitution are deemed moral imperatives. Copyright, however, is said to be something that can be granted or taken away as the people see fit.

    If you don't think it's right, that's fine. But PLEASE don't confuse property rights with "intellectual property". Don't call it "pirating" or "stealing", because those words bring out extra connotations beyond what is actually being done. Call it "unauthorized copying", because that is what is going on. No one's property is being stolen by any stretch of the imagination.
  • Why shouldn't it be hard now? Was this a "security through obscurity" thing that is no longer obscure?

    I don't understand why they wouldn't have used well known algorithms that are believed to be strong. I'm pretty sure that I was using PGP with RSA and IDEA in 1993.
  • One factor is performance. The method you propose is definitely not fast enough for games, and even less so back in 1993...
  • If you steal things, then you are a thief. At least recognize that and then resume your thievery. Don't say "I am not *really* a thief, I am more of a 'borrower' of items no longer in use since I only take older things".
    I recognize that downloading ROMs is illegal, and in that sense, if I do it, I am committing a crime. (Incidentally, it's been years since I downloaded a ROM, so this is more of a bit of advocacy than my own current experience.) But look at what you say -- "If you steal things". What thing have I stolen through the act of downloading? It's been said a million times before, but this is not the same as taking another's physical property. When you do that, they are deprived of something. When you download an old ROM, what is the copyright holder deprived of? The ROM? No. The money they could have made from the sale of the ROM? No -- they're not selling it!

    So, yes, I recognize that it's a crime, but at the same time, I feel completely morally justified. There are plenty of immoral laws out there. If you sell me a beer on Sunday, then you're a criminal (in my state, at least). Does that mean it's morally wrong?

  • So they didn't pick the lock, they just removed the hinges on the door?
  • In order to cover their asses, CPS2shock say:

    CPS2shock will no longer release any information that can be used to break CPS-2 encryption until such times as Capcom no longer release new titles on the system

    Well, okay, let's say 3 months from now some guys in Uzbekistan come up with a dumping method just like CPS2shock, only they release ALL information on how to do it. What keeps Capcom from screaming, "hey, you leaked the information! Bastards! Lawsuit! Lawsuit!". On the other hand, if the CPS2shock people DID leak the information (carefully as to not leave traces), what keeps them from saying they didn't?

    Heck, that's what PGP, public terminals and temporary web-mail accounts are for.

  • Why shouldn't it be hard now? Was this a "security through obscurity" thing that is no longer obscure?

    Kind of. The problem with solving the encryption algorithm originally was that there were no known variables. No one knew what the encryption system was (still don't), what the encryption keys are (still don't), or what the unencrypted data was. Sort of like doing a jigsaw puzzle with square pieces and no picture on it.

    Now that they have the unencrypted data, they at least have the picture on the puzzle, so they can check to see if the methods they try out are close to working or not. Combining that with what they've been able to gather about the encryption scheme anyway, someone should be able to crack it much more easily now.

    ps: I'm a bit confused as to why they don't know the encryptions keys. Since they're stored in an SRAM chip, should they be able to just read them out?
  • Their "encryption scheme" is a combination of algorithms and hardware. If someone finds a way to decrypt the ROMs, whether through mathematics, brute force, or exploits of the hardware, the encryption scheme has been "cracked."

    This is not the same as saying that the algorithm was found to contain a fundamental flaw or that the key storage was compromised, but the effect is the same.

  • by Anonymous Coward on Sunday January 07, 2001 @05:38AM (#525248)
    check out Wiretap [spies.com] for a boat load of arcade game hacking resources.
  • by johnathan ( 44958 ) on Sunday January 07, 2001 @09:46AM (#525249) Homepage
    It's just as illegal to distribute an old rom that you don't own than it is for a new one. Did someone at Capcom call up the cps2shock guys and say "Hey listen, we are having a hard time deciding which of our older CPS2 titles should be released to the public for free, can you make the decision for us?" Yeah I thought not.

    It's not that I have a problem with arcade emu because I don't. But I also don't lie to myself when I download a ROM I don't own by saying "Oh it's ok, this is an older game."

    Sure, it is still illegal to distribute an older ROM. But this is entirely a different question than whether it is moral to do so. If I download a ROM for which the copyright owner has no further marketing plans, I don't think I'm lying to myself if I say that it's OK. It may be illegal, but the copyright holder is not injured in any way. In fact, the copyright holder is probably better off for having their game remain in the public consciousness, since it will create new fans of the game (in case they do decide later to rerelease it) and of the company. And if it is rereleased, then the moral thing to do would be to buy it or stop using it.

  • by IanCarlson ( 16476 ) on Sunday January 07, 2001 @04:54AM (#525250) Homepage
    Now that encryption has been broken on these Capcom ROMS, will MAME begin to support these games that we've been robbed of stealing for so long?

    [ Ack! Robbed of stealing. Figure that logic out. ]
  • by milkme123 ( 302350 ) on Sunday January 07, 2001 @05:19AM (#525251)
    A big thank-you to the cps2shock team for promoting responsible emulation. Capcom has been *extremely* fair with the emulation community (going so far as to distribute legal cps-1 roms with the HotRod joystick), and it would be a shame for their hand to be forced. So emulation nuts will get to play earlier cps-2 titles, and Capcom will still be able to sell machines like Street Fighter Alpha 3.
  • by Big Jason ( 1556 ) on Sunday January 07, 2001 @05:37AM (#525252)
    From http://cps2shock.retrogames.com/, in case it gets /.'ed.

    Now that CPS2shock has reached its goal in making it possible to play CPS-2 games in emulators we've taken a few days to think about the future of CPS2shock.

    The Future Intent of CPS2shock

    CPS2shock will no longer release any information that can be used to break CPS-2 encryption until such times as Capcom no longer release new titles on the system.

    CPS2shock will work on dumping older CPS-2 games and releasing them for your enjoyment to play in emulators.
    ____________________________________

    This decision is based on the following;
    CPS-2 games are still in production.
    Emulation is at a point now where it can have a direct influence on future plans of the game manufacturers. Knowing the encryption method COULD kill CPS-2 & any future planned game releases. Need I say more.
    To help stop bootlegging of new CPS-2 releases.
    Due to the fact that CPS-1 and CPS-2 hardware is so similar knowing how the encryption system works would leave new CPS-2 games wide open to bootlegging.
    To control the release of games.
    CPS2shock does not want to see newer games emulated until they are well past their sell by date. CPS2shock will not allow CPS-2 emulation to go down the same road as NeoGeo did if we have anything to do with it.
    ____________________________________

    If you still can't see the logic behind our decision when I make you aware of the following.
    We had the logic, knowledge and intelligence to find a way to allow emulation of CPS-2 games. The same logic, knowledge and intelligence was used to reach this decision.
    If you still don't like it there is nothing stopping you from breaking the encryption yourself, just don't expect us to help you. Instead of bitching about it use that energy to start you on your way.

    If you don't understand what all this means don't worry CPS2shock will be dumping more CPS-2 games so you can play them in your favourite emulators.
  • by Gridle ( 17502 ) on Sunday January 07, 2001 @06:22AM (#525253)
    Sorry to burst your bubble and smash the integrity of this news piece, but the encryption algorithm has not been broken, nor are any of the actual encryption keys known.

    CPS2Shock team however managed to do something that nobody has done before - extract unencrypted data from the board using 68k code on the hardware itself. This will help figuring out the actual algorithm, but as of yet, the encryption has not been broken. The current files are only useful for playing Street Fighter Zero on emulators, and the painful process to extract this unencrypted data will have to be re-done on EVERY game if nobody can reverse-engineer the actual algorithm.

    CPS-2 encryption sounds simple, but it has been used for 8 years now (since 1993 and Super Street Fighter 2, the first CPS-2 system game) and no bootlegs have been made of the games. It doesn't have to mean that it's an overly complicated algorithm, but so far nobody has had any unencrypted data to work against. What makes this scheme devious is that it only encrypts 68k code, not data, so the 0xFFFF and 0x0000 fills don't get encrypted (0xFF and 0x00 fills were crucial in breaking the Kabuki algorithm, used in CPS-1 games' Qsound program roms). Without the unencrypted 68k code, it was impossible to figure out what the encrypted values are related to. It is known that it works on word values (change any bit in the first word and only its encrypted / unencrypted values change, none of the others') and that the address of the value in question is probably used as one of the coefficients in the algorithm.

    The files that CPS2Shock released are XOR tables. When used against the original encrypted program ROM file they will produce a ROM file with unencrypted code, but data intact (since it was never encrypted anyway). Go ahead and see if you can actually break the encryption, it shouldn't be that hard now.

    (Encrypted) CPS2 ROMs [tlt3.com], get the encrypted Street Fighter Zero program ROM from here and XOR table from CPS2Shock [retrogames.com].
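The post above describes the released files as XOR tables: applied against the original encrypted program ROM they yield unencrypted 68k code while leaving the never-encrypted data words untouched. The script below is an added example, not code from the thread or from CPS2Shock, showing the whole workflow in Python: deriving such a table from a known-plaintext dump (the table is simply `encrypted ^ decrypted`, so no knowledge of the cipher or key is required), applying it to recover the plaintext, confirming the data region of the table is all zero, and listing code words whose table entry is zero, i.e. words that encrypt to themselves like the `$235B` value mentioned earlier in the thread. The real CPS-2 algorithm is unknown, so `toy_encrypt_rom` is a constructed stand-in (an address-dependent per-word mask over the code region only), and the sample ROM layout, key and constants are likewise constructed.

```python
"""Added example, not from the Slashdot thread or the CPS2Shock project: what an
XOR table is, how one is derived from a known-plaintext dump, and how applying it
recovers a usable program ROM while leaving never-encrypted data untouched.
The cipher below is a constructed stand-in; the real CPS-2 algorithm is unknown."""
import struct

WORD = struct.Struct(">H")   # 68000 program ROMs hold big-endian 16-bit words
CODE_END = 128               # constructed layout: 64 words of code, then data
TOY_KEY = 0xD7               # constructed key for the stand-in cipher


def toy_encrypt_rom(plain: bytes, code_end: int = CODE_END, key: int = TOY_KEY) -> bytes:
    """Constructed stand-in: each word in [0, code_end) is masked independently,
    the mask depending on the word's address; data past code_end is copied as-is."""
    out = bytearray(plain)
    for addr in range(0, code_end, 2):
        (w,) = WORD.unpack_from(plain, addr)
        mask = (key ^ ((addr >> 1) * 0x2B)) & 0xFFFF
        WORD.pack_into(out, addr, w ^ mask)
    return bytes(out)


def derive_xor_table(encrypted: bytes, decrypted: bytes) -> bytes:
    """Known-plaintext step: table[i] = encrypted[i] ^ decrypted[i].
    Needs only the two images, not the cipher or the key."""
    if len(encrypted) != len(decrypted):
        raise ValueError("images must be the same size")
    return bytes(e ^ d for e, d in zip(encrypted, decrypted))


def apply_xor_table(encrypted: bytes, table: bytes) -> bytes:
    """Recover the plaintext from the original encrypted dump and the table."""
    if len(encrypted) != len(table):
        raise ValueError("table does not match ROM size")
    return bytes(e ^ t for e, t in zip(encrypted, table))


def unchanged_words(table: bytes, code_end: int) -> list:
    """Addresses of code words whose table entry is zero: words that encrypt to
    themselves (the thread's '$235B' observation is one such fixed point)."""
    return [addr for addr in range(0, code_end, 2)
            if WORD.unpack_from(table, addr)[0] == 0]


def data_region_is_zero(table: bytes, code_end: int) -> bool:
    """Data was never encrypted, so the table must be all zero past the code."""
    return not any(table[code_end:])


def build_sample_rom() -> bytes:
    """Constructed sample image: 64 pseudo-random code words followed by the
    0xFFFF and 0x0000 fills typical of ROM data areas."""
    code = bytearray()
    x = 0x1F2E
    for _ in range(CODE_END // 2):
        x = (x * 0x5DEE + 0x0B) & 0xFFFF   # constructed LCG, only to fill words
        code += WORD.pack(x)
    return bytes(code) + b"\xff" * 32 + b"\x00" * 32


def demo() -> dict:
    """Run the full workflow on the constructed sample and report the results."""
    plain = build_sample_rom()
    encrypted = toy_encrypt_rom(plain)
    table = derive_xor_table(encrypted, plain)
    recovered = apply_xor_table(encrypted, table)
    return {
        "recovered_ok": recovered == plain,
        "fixed_points": unchanged_words(table, CODE_END),
        "data_untouched": data_region_is_zero(table, CODE_END),
        "table_size": len(table),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties of this approach match the caveats in the post: the table is tied to one specific ROM image, so a fresh unencrypted dump is needed for every title, and the zero entries in the data region (plus any fixed points in the code region) are exactly the kind of structure an analyst would feed into attempts to recover the actual algorithm.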
