
  #1  
Old 13th July 2011, 12:45 PM
XScale
Junior Member
 
Join Date: Jul 2011
Posts: 1
N64 PIF/CIC-NUS-6105 Algorithm Finally Reversed


Recently, LaC challenged us to find a small and concise algorithm that would
emulate the behavior of PIF/CIC-NUS-6105 challenge/response (C/R) protection
scheme. This would allow the replacement of 'pif2.dat' file of Project 64, that
contains all the 268 C/R pairs used by 'Jet Force Gemini' and 'Banjo Tooie',
with a concise algorithm. After many hours of careful, exhaustive and detailed
analysis of 'pif2.dat' C/R pairs, I'm pleased to announce that I've
finally found a very concise algorithmic representation of the C/R process,
which emulates the desired behavior of the PIF/CIC-NUS-6105. This is the
actual C source of the algorithm:

Code:
void n64_cic_nus_6105(char chl[], char rsp[], int len)
{
    /* Two 16-entry key tables; the active one can change after every nibble. */
    static char lut0[0x10] = {
        0x4, 0x7, 0xA, 0x7, 0xE, 0x5, 0xE, 0x1,
        0xC, 0xF, 0x8, 0xF, 0x6, 0x3, 0x6, 0x9
    };
    static char lut1[0x10] = {
        0x4, 0x1, 0xA, 0x7, 0xE, 0x5, 0xE, 0x1,
        0xC, 0x9, 0x8, 0x5, 0x6, 0x3, 0xC, 0x9
    };
    char key, *lut;
    int i, sgn, mag, mod;

    /* Start with key 0xB on lut0; chl[] and rsp[] hold one 4-bit nibble per byte. */
    for (key = 0xB, lut = lut0, i = 0; i < len; i++) {
        rsp[i] = (key + 5 * chl[i]) & 0xF;           /* response nibble */
        key = lut[rsp[i]];                           /* next key from the active table */
        sgn = (rsp[i] >> 3) & 0x1;                   /* top bit of the response nibble */
        mag = ((sgn == 1) ? ~rsp[i] : rsp[i]) & 0x7; /* low 3 bits, inverted when sgn is set */
        mod = (mag % 3 == 1) ? sgn : 1 - sgn;
        /* While lut1 is active, 0x1/0x9 force lut1 and 0xB/0xE force lut0 next. */
        if (lut == lut1 && (rsp[i] == 0x1 || rsp[i] == 0x9))
            mod = 1;
        if (lut == lut1 && (rsp[i] == 0xB || rsp[i] == 0xE))
            mod = 0;
        lut = (mod == 1) ? lut1 : lut0;              /* table for the next nibble */
    }
}
The complete software package is available on-line at: http://goo.gl/Ub9FG

You should read the 'README' file as it contains a complete explanation of the
whole package, the purpose of each file, and the explanation of the four typos
that were found in the 'pif2.dat' file during the research process. These
'pif2.dat' challenge/response pairs were the only resource I've used during
this project. There was no kind of physical access to N64 hardware.

I truly hope this contribution helps the N64 community keep the magical
spirit of this console alive for a long time.

Finally, this project would have never been possible without the contributions
of the following individuals and organizations:

- Oman: For being at the right place at the right time and being brave
enough to pay a personal price so we could understand in a much deeper
way how this magical console really works. We owe you so much.

- Jovis: For all the positive energy and impressive hacking spirit that you
shared with the N64 community. You were absolutely instrumental in
several key events that shaped the N64 community in the last 14 years.
Even if you're not physically with us anymore, your heritage, your
knowledge and your attitude will never be forgotten.

'The candle that burns twice as bright burns half as long.'

- LaC: For the endless contributions that you've given to the N64 community
since the early days, when N64 was the next big thing. I've always
admired the deep knowledge that you've gathered about the most little
hardware details. Recently, you challenged us to find a small and
concise algorithm that would emulate the behavior of CIC-NUS-6105
challenge/response protection scheme and here is the final result.
LaC, Oman and Jovis were definitely the dream team of N64 reversing in
the late 90's. Without your contributions, we would be much poorer.

- marshall: For keeping the N64 scene alive during the last decade, when
most people lost interest and moved along to different projects. You
are the force that has been keeping us all together in the later
years. When almost nobody cared about N64 anymore, you were always
there, spreading the word, developing in the console, and lately,
making impressive advances on the hardware side. I wish the best
success to your new 64drive project.

- hcs: For your contributions to the better understanding of the inner
workings of the Reality Co-Processor (RCP). Your skills have impressed
me for a long time now. And without your precious help by sharing your
knowledge, I would have never understood the immense importance of
Oman, Jovis and LaC's achievements. Thank you!

- Azimer & Tooie: For sharing with the N64 community your findings about the
challenge/response pair used in 'Jet Force Gemini' and the 267
challenge/response pairs used in 'Banjo Tooie', all stored in the
'pif2.dat' file of Project 64. They were instrumental to the final
success of this endeavor.

- Silicon Graphics, Inc. (SGI): For creating MIPS R4000, MIPS R4300 and
Reality Co-Processor (RCP). You were the ultimate dream creator during
the late 80's and early 90's. A very special word of gratitude goes to
the two teams that during those years created RCP and MIPS R4300. They
were technological breakthroughs back then.

On a personal note, I would like to show my deepest gratitude to _Bijou_,
for being always a source of endless hope and inspiration.
-= X-Scale =- (#n64dev@EFnet)

Last edited by XScale; 25th August 2012 at 12:04 AM. Reason: Software package dead URL http://goo.gl/wNRPY updated to http://goo.gl/Ub9FG
  #2  
Old 13th July 2011, 01:21 PM
ExtremeDude2
Alpha Tester
Project Supporter
Senior Member
 
Join Date: Apr 2010
Location: USA
Posts: 3,109

Umm...cool?
Sounds interesting
__________________
Quote:
Originally Posted by dsx!
are you american or something
  #3  
Old 13th July 2011, 01:37 PM
squall_leonhart
Alpha Tester
Project Supporter
Senior Member
 
Join Date: Mar 2007
Location: Sydney, Australia
Posts: 2,918

this isn't getting my sammich made.
__________________

CPU:Intel Xeon x5690 @ 4.2Ghz, Mainboard:Asus Rampage III Extreme, Memory:48GB Corsair Vengeance LP 1600
Video:EVGA Geforce GTX 1080 Founders Edition, NVidia Geforce GTX 1060 Founders Edition
Monitor:ROG PG279Q, BenQ BL2211, Sound:Creative XFI Titanium Fatal1ty Pro
SDD:Crucial MX300 275, Crucial MX300 525, Crucial MX300 1000
HDD:500GB Spinpoint F3, 1TB WD Black, 2TB WD Red, 1TB WD Black
Case:NZXT Phantom 820, PSU:Seasonic X-850, OS:Windows 7 SP1
  #4  
Old 13th July 2011, 09:13 PM
HatCat
Alpha Tester
Project Supporter
Senior Member
 
Join Date: Feb 2007
Location: In my hat.
Posts: 16,236

For some reason, Tooie knew about the algorithm but chose to use a static list of these "challenge and response" pairs instead. I don't remember reading what reason, but I imagine it was to save calculation time by having predefined data as a resource.

Thanks for sharing this algorithm, by the way. No doubt that zilmar was aware of it, but I might be able to instantiate it.


What happened to Dextrose?

Quote:
Originally Posted by XScale
Recently, LaC challenged us to find a small and concise algorithm that would
emulate the behaviour of PIF/CIC-NUS-6105 challenge/response (C/R) protection
scheme.
And I thought LaC left the emulation scene or at least N64.
  #5  
Old 3rd June 2013, 08:50 AM
oman_
Junior Member
 
Join Date: Jun 2013
Posts: 1
Wow

Holy crap! Some things never die huh...
Thanks for the kind words. "Right place at the right time" is right.
  #6  
Old 3rd June 2013, 12:32 PM
ExtremeDude2
Alpha Tester
Project Supporter
Senior Member
 
Join Date: Apr 2010
Location: USA
Posts: 3,109

Bot ?
  #7  
Old 3rd June 2013, 03:46 PM
HatCat
Alpha Tester
Project Supporter
Senior Member
 
Join Date: Feb 2007
Location: In my hat.
Posts: 16,236

Looking over this thread now, months later, I can't help but realize a few ways to rewrite a small part of that code.

Code:
...
        sgn = (rsp[i] >> 3) & 0x1;
        mag = ((sgn == 1) ? ~rsp[i] : rsp[i]) & 0x7;
        mod = (mag % 3 == 1) ? sgn : 1 - sgn;
        if (lut == lut1 && (rsp[i] == 0x1 || rsp[i] == 0x9))
            mod = 1;
        if (lut == lut1 && (rsp[i] == 0xB || rsp[i] == 0xE))
            mod = 0;
        lut = (mod == 1) ? lut1 : lut0;
I'm finding it would be more static and branch less if it did this (my changes):
Code:
...
        sgn = (rsp[i] >> 3) & 0x1;
        mag = (rsp[i] ^ -sgn) & 0x7;
/*
 * note:  sgn can only be a 0 or a 1,
 * so 1 - sgn can only be either a 1 or a 0, varying inversely with domain 0:1
 */
        mod = sgn ^ (mag % 3 != 1);
        if (lut != lut1) goto SKIP_CLAMP;
        mod |= ((rsp[i] == 0x1) | (rsp[i] == 0x9)); // (rsp[i] & 07) == 01
        mod &= !((rsp[i] == 0xB) | (rsp[i] == 0xE)); 
SKIP_CLAMP:
        lut = (mod == 0) ? lut0 : lut1;
Maybe somebody could post those rewrites to the EmuTalk thread since my fat ass is still banned there.

But to me the actual skill applied to hack out the algorithm is still unthinkable.

I am not much of a reverse-engineer person, just an artistic person.
Pretty insistent however about my code there being more direct.

Quote:
Originally Posted by ExtremeDude2
Bot ?
Unlikely...
  #8  
Old 3rd June 2013, 04:00 PM
HatCat
Alpha Tester
Project Supporter
Senior Member
 
Join Date: Feb 2007
Location: In my hat.
Posts: 16,236

Actually I was sort of self-conflicted about how to write that last line.

Code:
        lut = (mod == 0) ? lut0 : lut1;
It really doesn't matter.
50% chance says the MOD bit will be set; 50% chance says it won't.

In the absence of preference I would tend to write it like this:
Code:
        lut = mod ? lut1 : lut0;
But NOT the original way that was posted in the OP of this thread:
Code:
        lut = (mod == 1) ? lut1 : lut0;
Because then, you don't know that CMP to 1 is at least as slow as bit-pattern testing or JNZ/JZ. Comparison to zero tends to be faster than to any other immediate value, or you're assuming that the compiler knows that 1 and 0 are the only possible ints for mod and will optimize that for you as (mod != 0).
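An added example, not code from the thread, the OP's package or Project64: it puts the OP's next-table logic (mod_ref) beside HatCat's rewrite from posts #7 and #8 (mod_fast), runs both through one shared C/R loop, and exhaustively checks that the two selectors agree. The mod_ref, mod_fast, cic6105 and selector_mismatches names and the packed-nibble calling convention are mine; the tables and arithmetic are exactly those posted above.

```c
/* Added example, not code from the thread: the OP's next-table logic (mod_ref)
 * beside HatCat's rewrite (mod_fast), one shared C/R loop, and an exhaustive
 * check that the two agree. Tables are the OP's; nibbles are 4 bits each. */
static const unsigned char LUT0[16] = { 0x4, 0x7, 0xA, 0x7, 0xE, 0x5, 0xE, 0x1,
                                        0xC, 0xF, 0x8, 0xF, 0x6, 0x3, 0x6, 0x9 };
static const unsigned char LUT1[16] = { 0x4, 0x1, 0xA, 0x7, 0xE, 0x5, 0xE, 0x1,
                                        0xC, 0x9, 0x8, 0x5, 0x6, 0x3, 0xC, 0x9 };
/* OP's form: r = response nibble just produced, on1 = 1 while lut1 is active. */
int mod_ref(int r, int on1) {
    int sgn = (r >> 3) & 1;
    int mag = ((sgn == 1) ? ~r : r) & 7;
    int mod = (mag % 3 == 1) ? sgn : 1 - sgn;
    if (on1 && (r == 0x1 || r == 0x9)) mod = 1;
    if (on1 && (r == 0xB || r == 0xE)) mod = 0;
    return mod;
}
/* HatCat's form: -sgn as XOR mask, the select as XOR, clamps as OR / AND-NOT. */
int mod_fast(int r, int on1) {
    int sgn = (r >> 3) & 1;
    int mag = (r ^ -sgn) & 7;
    int mod = sgn ^ (mag % 3 != 1);
    if (on1) {
        mod |= (r == 0x1) | (r == 0x9);
        mod &= !((r == 0xB) | (r == 0xE));
    }
    return mod;
}
/* The OP's C/R loop (key 0xB, lut0 first) parameterised on the selector. The
 * challenge is packed as hex digits, first nibble highest, len <= 8; the
 * response comes back packed the same way. */
unsigned cic6105(unsigned chl, int len, int (*sel)(int, int)) {
    const unsigned char *lut = LUT0;
    unsigned key = 0xB, out = 0;
    for (int i = 0; i < len; i++) {
        unsigned c = (chl >> (4 * (len - 1 - i))) & 0xF;  /* chl[i] */
        unsigned r = (key + 5 * c) & 0xF;                  /* rsp[i] */
        key = lut[r];
        lut = sel(r, lut == LUT1) ? LUT1 : LUT0;
        out = (out << 4) | r;
    }
    return out;
}
/* The selector only ever sees a (nibble, active-table) pair, so these 32 cases
 * cover every state the loop can reach; returns how many of them disagree. */
int selector_mismatches(void) {
    int bad = 0;
    for (int r = 0; r < 16; r++)
        for (int on1 = 0; on1 < 2; on1++) bad += mod_ref(r, on1) != mod_fast(r, on1);
    return bad;
}
```

Because the loop's only per-nibble decision is which table comes next, checking the 32 (nibble, table) cases is a complete equivalence proof for the rewrite, rather than a sample of challenges.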
  #9  
Old 4th June 2013, 02:03 AM
mudlord_
Alpha Tester
Project Supporter
Senior Member
 
Join Date: Dec 2012
Posts: 381

Quote:
Originally Posted by ExtremeDude2
Bot ?
Oman is not a bot. He is a saviour to N64 emulation.
  #10  
Old 6th June 2013, 11:20 AM
et500
Project Supporter
Senior Member
 
Join Date: Sep 2008
Posts: 113

I wish we knew more about CIC-NUS-7105 to cover the European side of things.

Last edited by et500; 6th June 2013 at 03:11 PM.
 

Tags
cic 6105, n64, nintendo 64, pif, sgi ultra 64
