SYS2x6 technical details discussion

doccaz · Aug 19, 2023

So as not to "pollute" other threads with the discussion, I think I'd open this thread to gather all technical discussion on how the SYS2x6 dongle is implemented, how it all works and possible improvements/alternatives.

To start the discussion, I asked what are the differences between the MagicGate dongles from Namco and regular PS2 MagicGate memory cards. According to @DCrosby :

The Encryption key is different on PS2 Memory Cards, vs Namco ones, it has a different hardware profile, you can take the Memory supposedly and move it from a Genuine Namco Key/Dongle and move it to a PS2 card, re-program it, and then move it back to the original cart... but that's a slot of surface mount soldering, and software / know how that I don't have a firm grasp of... if you're interested I suggest you start a new thread that talks more about the nitty gritty of how to do it. But from what I understand you need an original even for the Multi-Cart... you just give it a way to write to the Flash memory via a USB interface chip.

Researching older threads, I found this (very) interesting discussion on how PCSX2 was on the verge of emulating MagicGate completely but decided against it due to legal reasons: https://www.arcade-projects.com/threads/namco-system-246-emulation-on-pcsx2.16482/

Apparently, even all the keys necessary have been dumped through other means (it's on ps2devwiki and archive.org), and there is an "arcade key". Is this the same as the one used for Namco System 246/256 dongles?

doccaz · Aug 19, 2023

I reckon the chip in question has this key pre-programmed in a secure area (possibly protected by e-fuses or similar), thus the need to use a chip coming from an original Namco dongle to decrypt the boot.bin file on the memory card?

doccaz · Aug 19, 2023

Also, does the PS2/System 246/System 256 talk directly to this chip to encrypt/decrypt with additional security checks, or would a complete simulation of the protocol in software be enough to satisfy this, say, via a Pi Pico?

Just curious, haven't studied the architecture on this yet.

DCrosby · Aug 19, 2023

From what I "Understand" and have read, the whole theory of magic gate, as Sony called it, is that with the right "Key" the decryption algorithm unlocks access to the data.
The Key is not universal, I'm not sure how PS2 gives access with it's key to the data. Or how it knows which key is correct, or if all PS2's unsed one key and all 2X6's used another, but I think that'd be sloppy as once you circumvent one key it'd spring open all others.
Something else I learned is that the NAND ram doesn't do really great with data retention, or accuracy, so data has to have a crc/check bit to verify it's genuine, and to circumvent and avoid corrupting the data is written in different places, and has a crc value written to memeory to verify integrity, and if it starts getting back integrity problems it keeps trying to write to new open sectors, the same way a HDD and other media can deem a sector bad, mark it as such, and then move the data while it still can read it elsewhere to preserve integrity.
I'm also a little uncertain that when you write data using a PS2 card, and then move the chip back to a 246 what happens to the encryption / key as it's presumably written with the PS2's key...

doccaz · Aug 19, 2023

DCrosby said:
The Key is not universal, I'm not sure how PS2 gives access with it's key to the data. Or how it knows which key is correct, or if all PS2's unsed one key and all 2X6's used another, but I think that'd be sloppy as once you circumvent one key it'd spring open all others.

Well usually on cryptographic processors that use asymmetric encryption and standard algorithms (e.g. a smart card or a USB token), the private key never leaves the card/chip. Instead every little block is decrypted through the processor itself and returned back to the system, which reassembles the decrypted data. Encryption is done with the public key. But how standard is this implementation by Sony?
I think the private key would be written to a secure area on the chip itself via privileged instruction, even blowing an efuse to avoid being extracted or changed later on.

DCrosby said:
Something else I learned is that the NAND ram doesn't do really great with data retention, or accuracy, so data has to have a crc/check bit to verify it's genuine, and to circumvent and avoid corrupting the data is written in different places, and has a crc value written to memeory to verify integrity, and if it starts getting back integrity problems it keeps trying to write to new open sectors, the same way a HDD and other media can deem a sector bad, mark it as such, and then move the data while it still can read it elsewhere to preserve integrity.
I'm also a little uncertain that when you write data using a PS2 card, and then move the chip back to a 246 what happens to the encryption / key as it's presumably written with the PS2's key...

You mean, like the mechanism used by regular SSDs with spare sectors and wear leveling algorithms? Flash cells have limited write cycles usually.

I guess if it's following the same scheme as I mentioned with crypto processors, there would be a function/syscall on the console to write a binary or block. Give it the raw data, and it'd use the processor to encrypt each block with the internal private key and write the result to the new file on the NAND.

So if you'd move the NAND back from a PS2 card to a Namco card, it would decrypt everything as garbage, as the private key inside the chip would be different, I guess.

doccaz · Aug 19, 2023

What intrigues me is this: https://www.psdevwiki.com/ps2/Talk:Keys

There are 4 keystores, one is named "arcade", with 3 keys and a master key. I'd really like to know if the Namco keys are among these.

Franco23444 · Aug 19, 2023

doccaz said:
What intrigues me is this: https://www.psdevwiki.com/ps2/Talk:Keys

There are 4 keystores, one is named "arcade", with 3 keys and a master key. I'd really like to know if the Namco keys are among these.

I do remember someone who knows more than me on this topic did mention that these Namco keys were among the ones dumped. So yeah, the keys have been dumped a while ago…

Tonybolony · Aug 20, 2023

not sure how the whole thing works , but i found i am able to make my dongles by using Brizzos device, writing a dongle, then using some software that was removed and an adaptor i can write back any dongle i want to , but it has to be on an existing 246 dongle , and the process can be reversed also, there is no soldering or dissecting etc involved at all or PCSX2 , however i do believe some people use PCSX2 to convert the .bins i think

DCrosby · Aug 20, 2023

Yeah I have the USB PS3(PS2) Card Reader, but I didn't think Brizzo's software would work with that, I was under the assumption that you could move the nand from a 246 cart, to a PS2 cart, flash it with the USB PS3(PS2) adapter, and then you had to move the nand back, I also have a copy of the PS3(PS2) adapter card reader software for PC, but again I'm too chicken to mess with surface mount stuff, when I don't understand the whole process. I don't want to risk damaging something if I have no reasonable expectation of success.

If someone wants to lay out, steps on what / how to do this process I may take it on, as I have amassed about 6 Battle Gear 3 Dongles and I have 3-4 PS2 Memory Cards still in original packaging.. I'd be willing to sacrifice 1-2 for the cause. But again I have no clear understanding what hardware / software is needed for this process.

doccaz · Aug 20, 2023

Tonybolony said:
not sure how the whole thing works , but i found i am able to make my dongles by using Brizzos device, writing a dongle, then using some software that was removed and an adaptor i can write back any dongle i want to , but it has to be on an existing 246 dongle , and the process can be reversed also, there is no soldering or dissecting etc involved at all or PCSX2 , however i do believe some people use PCSX2 to convert the .bins i think

Interesting... which adaptor are you using to copy?
I shall be getting a couple of Namco dongles over the next weeks, I could try that.

Franco23444 · Aug 20, 2023

doccaz said:
Interesting... which adaptor are you using to copy?
I shall be getting a couple of Namco dongles over the next weeks, I could try that.

It’s a PS2 to PS3 Memory card adapter, it needs to be the official version as I don’t believe third party versions work at all. These are kinda expensive too get too.

DCrosby · Aug 20, 2023

I had/have purchased one with my Old PS3, as it had backwards compatibility to PS2/PS1 so I wanted to be able to use it with my old save games so I didn't start over.

Tonybolony · Aug 20, 2023

yep thats what i use

djsheep · Aug 20, 2023

From memory @l_oliveira might know something about this?

nem · Aug 20, 2023

https://www.arcade-projects.com/threads/namco-system-246-emulation-on-pcsx2.16482/page-2#post-338563

rtw · Aug 20, 2023

The dongle uses bad block mapping and a file system to get around the bad blocks in a NAND. You can manipulate it using this tool.

http://www.csclub.uwaterloo.ca:11068/mymc/

The boot.bin in each game is tied to the MagicGate.

doccaz · Aug 22, 2023

Franco23444 said:
It’s a PS2 to PS3 Memory card adapter, it needs to be the official version as I don’t believe third party versions work at all. These are kinda expensive too get too.

Managed to snag two of these on Yahoo Auctions Japan for $30, will be here a few weeks, I hope. Any specific software to talk to it?

Franco23444 · Aug 22, 2023

doccaz said:
Managed to snag two of these on Yahoo Auctions Japan for $30, will be here a few weeks, I hope. Any specific software to talk to it?

Yeah, a program is an available and a version of it should be available on GitHub. Instructions on how to use the device and program aren’t available anywhere tho but some kind people can probably guide you through the process.

andymage · Sep 10, 2023

Franco23444 said:
Yeah, a program is an available and a version of it should be available on GitHub. Instructions on how to use the device and program aren’t available anywhere tho but some kind people can probably guide you through the process.

https://github.com/XyLe-GBP/mca-coh-gui
I used this program, but it still failed and prompted an error, but the ps1 memory card read, imported and exported normally.

UnlimitedGregg · Sep 10, 2023

Hello everyone, kind of new here.
Just want to make sure I am understanding this thread correctly.
What your saying is that it SHOULD be possible to remove the nand chip from a 246/256 and install it on a PS2 memory card and read/write using the PS3 memory adapter, then put the nand back onto the 246/256.

A. All of this using custom software that already exists?
B. And this has already been done by some folks on here?
C. Is the memory dump the same as if it had been dumped from Brizzos dongle and therefore existing dumps can be used?

If this is the case I volunteer to be walked through the process a bit and write up a guide from the perspective of someone just entering this arena. Maybe we can turn the nand into a socketed chip for ease of flashing. I know i'm not really personally concerned with flashing any more than a few times.

For context: I own an arcade/Retro Game Store in Pinellas Park FL and have been doing electronics repair my entire life. I am not a master programmer, nor am I an electrical engineer but I keep a fleet of 40 Original cabinets going for public use all with tube monitors preserved and have been fixing what feels like 100's of game consoles a month for 10 years.

Search

Search

SYS2x6 technical details discussion

doccaz

doccaz

doccaz

DCrosby

doccaz

doccaz

Franco23444

Tonybolony

DCrosby

doccaz

Franco23444

DCrosby

Tonybolony

djsheep

Multi Boyz Overlord

nem

rtw

doccaz

Franco23444

andymage

UnlimitedGregg