Posted by CG121 (Inactive User, joined Jun 1, 2007)
As I can't post on this forum yet, I'll put this here....
OK, it would appear 2 EMMs are to blame for the corruption of the primary key.
Looking at both EMMs, we can clearly see 2 bytes of key0 are altered by each EMM. The thing is, each EMM changes 2 different bytes.
The first EMM alters bytes 3 and 8 in the primary key.
The second EMM alters bytes 1 and 7 in the primary key...
The primary key is the 8 bytes that follow the 42 05 command in the EMM..
The secondary (unaffected key) is the 8 bytes that follow the 42 85 command...
Also notice, bytes 1 and 7 are valid in the first EMM and bytes 3 and 8 are valid in the second EMM...
So basically, a keyroll now consists of 2 EMMs. Each EMM ensures it doesn't write out the other's bytes..
Meaning, all you need do is ensure $AD = 1E & $B2 = 40 after the first EMM executes and $AB = ED & $B1 = 60 after the second EMM executes...
It's the calcs that use the register ($02) which cause the emu to fail as it can't fully emulate it...
(and they know this)
Either patch the opos emu to modify the register (both $02 and the previously used $07) or patch the ROM code..
Njoy