
question for nozzer

michael1

Inactive User
Joined
Jul 28, 2005
Messages
530
Likes
3
#1
nozzer m8 have u any idea why toxic, when it makes the bin file for u, it also includes the rom 10 bin in the file? as it does not use it?


thanks

michael1

ps the 24kb one rom 10 bin?
 

nozzer

VIP Member
Joined
Jan 25, 2005
Messages
6,662
Likes
72
#2
It's a historical thing!

One of the previous keyroll methods used random parts of the Rom code as DES keys which were then used to decrypt parts of the keyroll.
 

nozzer

VIP Member
Joined
Jan 25, 2005
Messages
6,662
Likes
72
#3
After a little dig through past posts here is an example of the previous keyroll.

Code:
21 40 53 A0 CA 00 00 4D 00 4B 5A 01 42 63 81 DF 37 2B EF FC 93 77 90 DE 2D 4D 6B E0 11 F0 50 E6 86 16 46 55 5D 16 F1 C0 96 FB F9 91 78 A4 2E 00 03 81 42 65 49 CF F2 9C 13 58 2B 93 4B A6 13 1F FD D6 32 DA FD B0 95 AB E2 04 6F DE C9 DE A5 1B 2A 0B 8B CB 59 05 41
This decodes to

Code:
DISASSEMBLY OF CODE:
------------------------------
0081: CD 7A B7     jsr GET2PARMSTORC1   ; Put 2 bytes in RC1H:L
0084: .dw 5E 94                         ; New value of RC1
0086: CD 7A 30     jsr MOVERC1TORC2     ; RC2<-RC1
0089: A6 04        lda #$04             ; Load in A
008B: CD 92 4F     jsr COMPUTESIG       ; Compute signature of A packets (RC1H:L->Data, RC2H:L->VerifyKey)
008E: AE AB        ldx #$AB             ; Load in X
0090: AD 0E        bsr $A0              ; Go to subroutine
0092: AE B5        ldx #$B5             ; Load in X
0094: AD 0A        bsr $A0              ; Go to subroutine
0096: CD 79 15     jsr MV2_182_TO_F8XA  ; Moves 182:182 to F8:F9 & to X:A
0099: A6 17        lda #$17             ; Load in A
009B: AE 26        ldx #$26             ; Load in X
009D: CC 6B 0F     jmp EMMBYTESLEFT     ; Continue processing EMM commands
 
00A0: CD 7A 21     jsr XTORC1           ; RC1H:L<-00:X
00A3: CC 79 04     jmp ENCRYPTBLOK      ; Encrypt data in [RC1H:L], key in $F0..$F8
 
 BYTES DUMP:
---------------------
00A6: 83 5B 01 42 05 72 5E D9 
00AE: F1 02 3B 71 64 42 85 07 
00B6: 0F 7C BA 4E CA 8F 36
This effectively computes the signature of a chunk of Rom10 code starting at Rom address $5E94 and then uses this signature as the DES encrypt key to change the data in the bytes dump to the real key0/key1 used for video decrypt!

So, for this type of keyroll the whole ROM10 ROM code has to be available for reference!
 

english

Inactive User
Joined
Mar 14, 2006
Messages
5,571
Likes
99
#4
but could you say that with a Rowntree's fruit pastille in your mouth? :D
 

michael1

Inactive User
Joined
Jul 28, 2005
Messages
530
Likes
3
#6
thanks nozzer for your answer, it must have been the method they were using before the bitflop. i was just wondering ....lol.