The text contained within this *nearly lost* French post is also worth making sure an archive sticks around for:
https://web.archive.org/web/2010120...érale-=/=-La-Sécurité-des-GDRoms-Naomi-=.html
You'll see the link at the bottom of:
http://wiki.pcbotaku.com/wiki/NAOMI_security_PIC
The detail is a bit vague as to how one goes from a Saleae dump to "The following is the output from a program I wrote to decode the traffic between the PIC and the Naomi. The encryption algorithm is pretty well documented in the mame source."
The French text above has all the deep details.
"- Right away, one thing stands out on the orange curve: a very fast signal (faster than the others, anyway), very much like a clock signal.
- Actually the orange signal (taken from RB3) is a clock generated by the Dimm Board, and it is what synchronizes the data sent on the other pins (green curve "RB0", violet "RB1" and blue "RB2").
- So we can say that RB3 = CLK (Clock)
- RB2 = Data1 (Data line No. 1)
- RB1 = Data2 (Data line No. 2)
- RB0 = Data3 (Data line No. 3)
- Very nice, we have 3 data lines! In fact it's quite difficult to reassemble an 8-bit word (1 byte) from an odd number of lines (3 * 3 = 9 bits, or else 3 * 2 = 6 bits!). In other words, it's not in the bag yet!!!
- = Decryption of the Data: = -
- As we saw above, we have 3 data lines, which is rather awkward for reassembling an 8-bit word!
- Suffice it to say that Sega didn't go for anything fancy: they used a parity scheme (like an RS232 link), so we have 8 data bits and 1 parity bit!!!! That's the trick!! So we have 9 bits (3 * 3) = 8 bits (1 byte) + 1 parity bit!!!!!
- I'll point out the reading direction: start with the least significant bit, end with the most significant bit, then the parity bit!!!
- For this byte, we have 0b01111011 in binary, and the final parity bit: 0b1
- You'll tell me: Hooray!! We decoded a byte!!
- Yeah, hooray, 1 byte decoded, bearing in mind that the frame has 8 bytes and therefore 8 parity bits, if you followed!!!
- OK, we have a frame of 8 bytes, cool!!! But what do we do now!!!
- = Decryption of the frame: = -
- If we take the frame from above again, here is what we have:
- in hexadecimal: 0x7B 0x7F 0x85 0x87 0x55 0x69 0x64 0x91. Here is our frame, and when we try to get something out of it, well, we get nothing at all!!!!! The reason is very simple: the Dimm Board sends frames, fine, so far we can follow, but Sega didn't go easy on us: this frame is encrypted!
- Well, it's encrypted, so how do we decrypt it??
- Nothing simpler, lol!!
- So, to recap: when the Dimm Board communicates with the dongle, the Dimm Board encodes the frame with a 16-byte key!! Of course you'll say, "But what's the key?"
- So to answer that question, I'll say right away that I will not give out this key, because it's a touchy subject in the arcade scene! Do a Google search and you'll see there's no information about this famous Naomi encryption key!!
- So, I'll carry on, lol! The Dimm Board sends the dongle this encoded frame. Once the dongle has received the frame, it does its little operation to decrypt it. Here is the decryption algorithm for the frame with the 16-byte key.
- Take the case of the very first byte: 0x7B
- Take the 16-byte key. Our frame is 8 bytes, and 2 * 8 = 16, so there's already a relationship.
- So we split the 16-byte key in two, which gives us two halves of 8 bytes.
- In fact, just do the following: take the first byte of the frame and XOR (exclusive OR) it with the first byte of the second half of the key. Then take the result and add the corresponding byte of the first half of the key to it!
- After this little bit of mixing we get 0x62, and if we look at the ASCII table, we get the letter "b"!!! Yes, you read that right, it's a readable character!!!!
- Let's continue applying our scheme to the second byte: 0x7F
- We XOR with the second byte of the second half, then add the second byte of the first half, and we get 0x73, and presto, it's the letter "s"!!
- In the end, when we apply this to the complete frame, we obtain the following character string: "bsec_ver". Finally, a string a human being can understand!!!!
..."
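As an added worked example (not code from the original post, the French write-up, or MAME), the following Python walks through both halves of the quoted procedure: rebuilding bytes from the three data lines clocked by RB3 (9 bits per byte, LSB first, parity last), then applying the per-byte XOR-with-second-half, add-first-half step. The pin roles, bit order, the frame `0x7B 0x7F 0x85 0x87 0x55 0x69 0x64 0x91` and the plaintext `bsec_ver` come from the quoted text. Everything else is an assumption: which of Data1/Data2/Data3 carries which bit within a clock period, odd parity (inferred only from the post's single example, 0x7B with parity bit 1, which is what odd parity gives), and `DEMO_KEY`, which was constructed by solving the post's equation backwards so that the quoted frame yields `bsec_ver`; it is not the real Naomi key, which the post deliberately withholds. The capture is built in code to stand in for a Saleae export.

```python
"""Added example (not from the original post or MAME): decode the 3-line
PIC <-> DIMM Board traffic described above, then apply the XOR-then-add
decryption step.  Line-to-bit assignment, parity polarity and the key are
assumptions / constructed values, marked where they appear."""

# The encrypted frame quoted in the post and the plaintext it decodes to.
FRAME = bytes([0x7B, 0x7F, 0x85, 0x87, 0x55, 0x69, 0x64, 0x91])
PLAINTEXT = b"bsec_ver"

# DEMO key, constructed for this example by solving the post's equation
# backwards from FRAME and PLAINTEXT.  NOT the real Naomi key; any 16 bytes
# work the same way with this algorithm.
DEMO_KEY = bytes([0xF8, 0x16, 0xAF, 0xA0, 0x5C, 0x67, 0x52, 0x59,   # first half
                  0x11, 0x22, 0x33, 0x44, 0x56, 0x66, 0x77, 0x88])  # second half


def parity_bit(value, odd=True):
    """Parity bit for one data byte.  The post's only example (0x7B with
    parity 1) matches odd parity, so odd is the default; the post itself
    does not say which polarity is used."""
    ones = bin(value & 0xFF).count("1")
    return (ones + (1 if odd else 0)) % 2


def serialize_byte(value, odd=True):
    """Split one byte into 3 clock periods x 3 data lines (9 bits): LSB first,
    MSB eighth, parity ninth, as the post describes.  ASSUMPTION: within a
    clock period the bits sit on Data1, Data2, Data3 in that order."""
    bits = [(value >> i) & 1 for i in range(8)] + [parity_bit(value, odd)]
    return [tuple(bits[3 * k:3 * k + 3]) for k in range(3)]


def build_capture(frame, odd=True):
    """Constructed logic-analyzer samples (CLK, Data1, Data2, Data3), i.e.
    (RB3, RB2, RB1, RB0).  Data is set up while CLK is low and read on the
    rising edge.  Stands in for a real Saleae export."""
    samples = []
    for byte in frame:
        for d1, d2, d3 in serialize_byte(byte, odd):
            samples.append((0, d1, d2, d3))  # set-up phase
            samples.append((1, d1, d2, d3))  # rising edge
    samples.append((0, 0, 0, 0))             # bus idle
    return samples


def decode_capture(samples, odd=True):
    """Rebuild bytes from the three data lines: sample on each CLK rising
    edge, gather 9 bits, check parity, emit the byte."""
    out, bits, prev_clk = [], [], 0
    for clk, d1, d2, d3 in samples:
        if prev_clk == 0 and clk == 1:
            bits.extend((d1, d2, d3))
            if len(bits) == 9:
                value = sum(b << i for i, b in enumerate(bits[:8]))
                if bits[8] != parity_bit(value, odd):
                    raise ValueError("parity error on byte 0x%02X" % value)
                out.append(value)
                bits = []
        prev_clk = clk
    if bits:
        raise ValueError("truncated capture: %d stray bits" % len(bits))
    return bytes(out)


def decrypt_frame(frame, key):
    """The post's algorithm: byte i XOR key[8+i] (second half), then add
    key[i] (first half), modulo 256."""
    if len(key) != 16 or len(frame) != 8:
        raise ValueError("need a 16-byte key and an 8-byte frame")
    first, second = key[:8], key[8:]
    return bytes(((c ^ second[i]) + first[i]) & 0xFF for i, c in enumerate(frame))


def encrypt_frame(plain, key):
    """Inverse of decrypt_frame (the Dimm Board side): subtract the
    first-half byte, then XOR with the second-half byte."""
    if len(key) != 16 or len(plain) != 8:
        raise ValueError("need a 16-byte key and an 8-byte frame")
    first, second = key[:8], key[8:]
    return bytes(((p - first[i]) & 0xFF) ^ second[i] for i, p in enumerate(plain))


if __name__ == "__main__":
    recovered = decode_capture(build_capture(FRAME))
    print("decoded frame:", recovered.hex(" "))
    print("decrypted    :", decrypt_frame(recovered, DEMO_KEY))
```

`decode_capture` refuses a byte whose ninth bit disagrees with the expected parity, which is the first thing to check when a real capture decodes to garbage: a wrong line-to-bit assumption or the wrong polarity shows up there before any key is involved.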