RNBOsproFormatPacket packet format
 

RNBOsproFormatPacket takes a 0x404 bytes long packet. Does anybody know its format please?

Git

Try find on http://reng.ru/board/ post by MeteO with detail description packet format.

WBR

Thanks FoxB. I looked at all posts by MeteO and couldn't find it. It doesn't help that I don't read Russian. I did find his packet en/decryption routines though, which is very useful.

Do you have a copy of the info or a link to it please?

Git

Ooops..........small bug :)

Try http://wasm.ru/forum/index.php?action=vthread&forum=5&topic=7253 for packet format
and http://reng.ru/board/viewtopic.php?t=1074&start=15 for en/decrypt routines.

WBR

Excellent. Now I stand a chance of understanding this emulator ;)

Git

I wish I know Russian, it seems that the big guys in the scene of dongle killing are russians

Do enyone have some knowledge to embedded SPRO Query math routines?

Generally most of the SPRO emulators use Query/Responce tables, which sometimes is really dificult to produce (for instance SLM 7.2 used by IAR Q/R emulation tables reguire about 1K QWORD for each table, what makes the emulator size huge, and worst this tables are version dependent)

The older RnboPRO keys implements CAT702 ZN security chip. This chip also is used on various games ->

CAT702 ZN security chip

A serial magic latch.

It's a DIP20 chip with a sticker of the form XXnn, where XX is the
company and nn a number:
AC = Acclaim
AT = Atlus
CP = Capcom
ET = Raizing
KN = Konami
MG = Tecmo
TT = Taito
TW = Atari

There usually are 2 of them, one on the cpu board and one on the rom
board. The cpu board one is usually numbered 01.

Pinout: GND -11 10- GND
? -12 9- +5V
+5V -13 8- Data in
Data out- 14 7- Clock
+5V -15 6- Select
? -16 5- Select
+5V -17 4- +5V
+5V -18 3- +5V
+5V -19 2- +5V
+5V -20 1- ?

The chip works with the '?' lines left unconnected.

The communication protocol is serial, and in practice the standard
psx controller communication protocol minus the ack. Drive both
select to ground to start a communication, send bits and get the
results on the raising clock. Put both select back to +5V when
finished. The bios seems to use two communication clock speeds,
~300KHz (standard psx) and ~2MHz. Driving it with lower clocks
works reasonably, at least at 1KHz.

The data is divided in bytes but there is no signal for end-of-byte.
In all of the following the data will be considered coming and going
lower-bit first.

Internally the chip has a 8-bit state, initialized at communication
start to 0xfc. The structure is simple:


+---------+ bit number +--------+
Clock ------->| bit |-----+-------------------->| bit |---------> Data out
| counter | | | select |
+---------+ v +-------+ out | |
| +-----+ | 8bit |=====>| |
Data in ------------|------->| TF1 |<=>| state | +--------+
| +-----+ | |
| | |
| start +-----+ | |
+------->| TF2 |<=>| |
+-----+ +-------+

The chip starts by tranforming the state with TF2. Then, for each
input bit from 0 to 7:
- the nth bit from the state is sent to the output
- the state is transformed by TF1 if the input bit is 0

TF2 is a fixed linear substitution box (* = and, + = xor):
o = ff*s0 + fe*s1 + fc*s2 + f8*s3 + f0*s4 + e0*s5 + c0*s6 + 7f*s7

TF1 is a chip-dependent set of 8 linear sboxes, one per bit number.
In practice, only the sbox for bit 0 is defined for the chip, the 7
other are derived from it. Defining the byte transformation Shift
as:
Shift(i7..i0) = i6..i0, i7^i6

and noting the sboxes as:
Sbox(n, i7..i0) = Xor( c[n, bit]*i[bit])
0<=bit<=7
then
c[n, bit=0..6] = Shift(c[n-1, (bit-1)&7])
c[n, 7] = Shift(c[n-1, 6])^c[n, 0]
= Shift(c[n-1, 6])^Shift(c[n-1, 7])