Slashdot Mirror


CPS-2 Encryption Scheme Broken

Acheon writes: "The CPS-2 arcade board from Capcom uses some hard encryption scheme that has been a very hot issue in emulation for years. Yet finally the code was broken: Final Burn, a quite recent arcade emulator, showed concrete results by running previously unsupported games such as Street Fighter Zero using decrypted ROM images. The CPS-2 Shock Team, who managed to reverse engineer the process from scratch, really outdid themselves, and it is a very uncommon achievement." Thanks to Jamie for also pointing out more info.


  1. Encryption NOT Cracked by Anonymous Coward · · Score: 2

    Actually the CPS2 Encryption scheme has not been cracked. Instead a method has been found to dump the roms unencrypted (without actually knowing the keys). All work to actually crack the encryption has ceased. Don't you guys actually read any of the linked articles?

    1. Re:Encryption NOT Cracked by British · · Score: 2

      So they didn't pick the lock, they just removed the hinges on the door?

  2. Re:oh PLEASE! by johnnyb · · Score: 2

    Please don't use terms like 'intellectual property' as if they were really property. It's absurd. The whole notion is absurd. The framers of the constitution didn't think of copyright as any sort of property. In fact, the founding fathers (if you're from America, that is) said that property is an innate right, but copyright is something that the public _can_ give to someone if it deems it in the public interest. Most of the things in the constitution are deemed moral imperatives. Copyright, however, is said to be something that can be granted or taken away as the people see fit.

    If you don't think it's right, that's fine. But PLEASE don't confuse property rights with "intellectual property". Don't call it "pirating" or "stealing", because those words bring out extra connotations beyond what is actually being done. Call it "unauthorized copying", because that is what is going on. No one's property is being stolen by any stretch of the imagination.

  3. "It shouldn't be hard now." by astrashe · · Score: 2

    Why shouldn't it be hard now? Was this a "security through obscurity" thing that is no longer obscure?

    I don't understand why they wouldn't have used well known algorithms that are believed to be strong. I'm pretty sure that I was using PGP with RSA and IDEA in 1993.

    1. Re:"It shouldn't be hard now." by Shinobi · · Score: 2

      One factor is performance. The method you propose is definitely not fast enough for games, and even less so back in 1993...

    2. Re:"It shouldn't be hard now." by AaronStJ · · Score: 2

      Why shouldn't it be hard now? Was this a "security through obscurity" thing that is no longer obscure?

      Kind of. The problem with solving the encryption algorithm originally was that there were no known variables. No one knew what the encryption system was (still don't), what the encryption keys are (still don't), or what the unencrypted data was. Sort of like doing a jigsaw puzzle with square pieces and no picture on it.

      Now that they have the unencrypted data, they at least have the picture on the puzzle, so they can check to see if the methods they try out are close to working or not. Combining that with what they've been able to gather about the encryption scheme anyway, someone should be able to crack it much more easily now.

      ps: I'm a bit confused as to why they don't know the encryption keys. Since they're stored in an SRAM chip, shouldn't they be able to just read them out?

      --
      Stupid like a fox!
  4. Re:oh PLEASE! by johnathan · · Score: 2

    If you steal things, then you are a thief. At least recognize that and then resume your thievery. Don't say "I am not *really* a thief, I am more of a 'borrower' of items no longer in use since I only take older things".

    I recognize that downloading ROMs is illegal, and in that sense, if I do it, I am committing a crime. (Incidentally, it's been years since I downloaded a ROM, so this is more of a bit of advocacy than my own current experience.) But look at what you say -- "If you steal things". What thing have I stolen through the act of downloading? It's been said a million times before, but this is not the same as taking another's physical property. When you do that, they are deprived of something. When you download an old ROM, what is the copyright holder deprived of? The ROM? No. The money they could have made from the sale of the ROM? No -- they're not selling it!

    So, yes, I recognize that it's a crime, but at the same time, I feel completely morally justified. There are plenty of immoral laws out there. If you sell me a beer on Sunday, then you're a criminal (in my state, at least). Does that mean it's morally wrong?

    --
    You don't need a weatherman to know which way the wind blows.

  5. Re:Responsible Emulation by JCCyC · · Score: 2

    In order to cover their asses, CPS2shock say:

    CPS2shock will no longer release any information that can be used to break CPS-2 encryption until such times as Capcom no longer release new titles on the system

    Well, okay, let's say 3 months from now some guys in Uzbekistan come up with a dumping method just like CPS2shock, only they release ALL information on how to do it. What keeps Capcom from screaming, "hey, you leaked the information! Bastards! Lawsuit! Lawsuit!". On the other hand, if the CPS2shock people DID leak the information (carefully as to not leave traces), what keeps them from saying they didn't?

    Heck, that's what PGP, public terminals and temporary web-mail accounts are for.

  6. Encryption WAS Cracked by fmaxwell · · Score: 2

    Their "encryption scheme" is a combination of algorithms and hardware. If someone finds a way to decrypt the roms, whether through mathematics, brute force, or exploits of the hardware, the encryption scheme has been "cracked."

    This is not the same as saying that the algorithm was found to contain a fundamental flaw or that the key storage was compromised, but the effect is the same.

  7. hacking arcade games by Anonymous Coward · · Score: 3

    check out Wiretap for a boat load of arcade game hacking resources.

  8. Re:oh PLEASE! by johnathan · · Score: 3

    It's just as illegal to distribute an old rom that you don't own as it is for a new one. Did someone at Capcom call up the cps2shock guys and say "Hey listen, we are having a hard time deciding which of our older CPS2 titles should be released to the public for free, can you make the decision for us?" Yeah I thought not.

    It's not that I have a problem with arcade emu because I don't. But I also don't lie to myself when I download a ROM I don't own by saying "Oh it's ok, this is an older game."

    Sure, it is still illegal to distribute an older ROM. But this is entirely a different question than whether it is moral to do so. If I download a ROM for which the copyright owner has no further marketing plans, I don't think I'm lying to myself if I say that it's OK. It may be illegal, but the copyright holder is not injured in any way. In fact, the copyright holder is probably better off for having their game remain in the public consciousness, since it will create new fans of the game (in case they do decide later to rerelease it) and of the company. And if it is rereleased, then the moral thing to do would be to buy it or stop using it.

    --
    You don't need a weatherman to know which way the wind blows.

  9. MAME's Status? by IanCarlson · · Score: 4

    Now that encryption has been broken on these Capcom ROMS, will MAME begin to support these games that we've been robbed of stealing for so long?

    [ Ack! Robbed of stealing. Figure that logic out. ]

  10. Responsible Emulation by milkme123 · · Score: 4

    A big thank-you to the cps2shock team for promoting responsible emulation. Capcom has been *extremely* fair with the emulation community (going so far as to distribute legal cps-1 roms with the HotRod joystick), and it would be a shame for their hand to be forced. So emulation nuts will get to play earlier cps-2 titles, and Capcom will still be able to sell machines like Street Fighter Alpha 3.

  11. Not so fast by Big+Jason · · Score: 5

    From http://cps2shock.retrogames.com/, in case it gets /.'ed.

    Now that CPS2shock has reached its goal in making it possible to play CPS-2 games in emulators we've taken a few days to think about the future of CPS2shock.

    The Future Intent of CPS2shock

    CPS2shock will no longer release any information that can be used to break CPS-2 encryption until such times as Capcom no longer release new titles on the system.

    CPS2shock will work on dumping older CPS-2 games and releasing them for your enjoyment to play in emulators.
    ____________________________________

    This decision is based on the following:

    1. CPS-2 games are still in production.
       Emulation is at a point now where it can have a direct influence on future plans of the game manufacturers. Knowing the encryption method COULD kill CPS-2 & any future planned game releases. Need I say more.
    2. To help stop bootlegging of new CPS-2 releases.
       Due to the fact that CPS-1 and CPS-2 hardware is so similar, knowing how the encryption system works would leave new CPS-2 games wide open to bootlegging.
    3. To control the release of games.
       CPS2shock does not want to see newer games emulated until they are well past their sell-by date. CPS2shock will not allow CPS-2 emulation to go down the same road as NeoGeo did if we have anything to do with it.
    ____________________________________

    If you still can't see the logic behind our decision when I make you aware of the following.
    We had the logic, knowledge and intelligence to find a way to allow emulation of CPS-2 games. The same logic, knowledge and intelligence was used to reach this decision.
    If you still don't like it there is nothing stopping you from breaking the encryption yourself, just don't expect us to help you. Instead of bitching about it use that energy to start you on your way.

    If you don't understand what all this means don't worry CPS2shock will be dumping more CPS-2 games so you can play them in your favourite emulators.

  12. Encryption has not been broken. by Gridle · · Score: 5

    Sorry to burst your bubble and smash the integrity of this news piece, but the encryption algorithm has not been broken, nor are any of the actual encryption keys known.

    The CPS2Shock team, however, managed to do something that nobody has done before: extract unencrypted data from the board using 68k code on the hardware itself. This will help in figuring out the actual algorithm, but as of yet, the encryption has not been broken. The current files are only useful for playing Street Fighter Zero on emulators, and the painful process to extract this unencrypted data will have to be re-done on EVERY game if nobody can reverse-engineer the actual algorithm.

    CPS-2 encryption sounds simple, but it has been used for 8 years now (since 1993 and Super Street Fighter 2, the first CPS-2 system game) and no bootlegs have been made of the games. It doesn't have to mean that it's an overly complicated algorithm, but so far nobody has had any unencrypted data to work against. What makes this scheme devious is that it only encrypts 68k code, not data, so the 0xFFFF and 0x0000 fills don't get encrypted (0xFF and 0x00 fills were crucial in breaking the Kabuki algorithm, used in CPS-1 games' Qsound program roms). Without the unencrypted 68k code, it was impossible to figure out what the encrypted values are related to. It is known that it works on word values (change any bit in the first word and only its encrypted / unencrypted values change, none of the others') and that the address of the value in question is probably used as one of the coefficients in the algorithm.

    The files that CPS2Shock released are XOR tables. When used against the original encrypted program ROM file they will produce a ROM file with unencrypted code, but data intact (since it was never encrypted anyway). Go ahead and see if you can actually break the encryption, it shouldn't be that hard now.

    (Encrypted) CPS2 ROMs, get the encrypted Street Fighter Zero program ROM from here and XOR table from CPS2Shock.
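An added example (my own code, not CPS2Shock's tool nor anything from the posts above) of the XOR-table mechanism Gridle describes: the table is applied to the encrypted program ROM one 16-bit 68k word at a time, it is derived simply as plaintext XOR ciphertext, and its entries are zero wherever the scheme left a word alone, which is how data such as 0xFFFF / 0x0000 fills passes through unchanged. The ROM and table contents below are constructed sample values, not a real dump.

```python
import struct


def _words(image: bytes):
    """Split a ROM image into big-endian 16-bit words (68000 program ROM)."""
    if len(image) % 2:
        raise ValueError("ROM image length must be even (16-bit words)")
    return struct.unpack(f">{len(image) // 2}H", image)


def apply_xor_table(rom: bytes, table: bytes) -> bytes:
    """XOR a ROM image with a same-sized table, word by word.

    encrypted XOR table -> decrypted image; since XOR is its own inverse,
    decrypted XOR table gives the encrypted image back.
    """
    if len(rom) != len(table):
        raise ValueError("ROM and XOR table must be the same size")
    out = [r ^ t for r, t in zip(_words(rom), _words(table))]
    return struct.pack(f">{len(out)}H", *out)


def derive_xor_table(encrypted: bytes, plain: bytes) -> bytes:
    """Build the table from an encrypted image and its dumped plaintext."""
    return apply_xor_table(encrypted, plain)


def untouched_word_offsets(table: bytes) -> list:
    """Byte offsets of words the table leaves unchanged (entry == 0).

    A zero entry only says the encrypted and plain words are identical;
    for the data regions the comment describes that is exactly the case.
    """
    return [2 * i for i, t in enumerate(_words(table)) if t == 0]


# Constructed sample (not a real CPS-2 dump): four code words followed by
# a data fill (two 0xFFFF words, two 0x0000 words) the scheme never touches.
PLAIN_ROM = bytes.fromhex("4e714e7560000004" "ffffffff00000000")
ENCRYPTED_ROM = bytes.fromhex("13a7c0de9e215a5a" "ffffffff00000000")
XOR_TABLE = derive_xor_table(ENCRYPTED_ROM, PLAIN_ROM)

if __name__ == "__main__":
    print("xor table:", XOR_TABLE.hex())
    print("untouched words at byte offsets:", untouched_word_offsets(XOR_TABLE))
    assert apply_xor_table(ENCRYPTED_ROM, XOR_TABLE) == PLAIN_ROM
```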