Hey guys! So I've read that the iQue Player (an N64 built into a controller and region-locked to China) is uncrackable and that no progress was ever made in bypassing the piracy protection or creating a flash cart; however, with the assistance of the Wayback Machine I found something that might beg to differ. I was researching Game Boy/GBC clone carts and how they are made when I stumbled upon this page: http://reinerziegler.de/ique/ique.htm This page states that a flash programmer does, or at least at one point did, exist for this console, however the link was long dead!!! Wayback Machine to the rescue!!!: https://web.archive.org/web/2006022...azynation.org:80/N64/IQUE/ique.htm#Programmer They also include a download of a program for dumping/flashing the carts with their programmer. So if this does work and these guys succeeded in being able to dump/flash a mock-up Fugue card, and since the iQue ROMs were recently dumped online (albeit still encrypted), I was curious whether there's any chance this programmer and flash cart could be recreated nowadays. The attached file is just a backup of the program that can be downloaded from the second link, plus the two web pages, just in case.
It was never a problem reading the flash chip - it's a standard Samsung part. The problem is that the flash content is encrypted and each iQue has a different key - hence although you can back up and restore the flash, it still can't be used on anything except the console it was originally used with.
So why haven't we been able to change this when we essentially have full control of a PS3, which is miles more ridiculous in security than this? Is it the lack of interest perhaps?
Very probably - this is a unit that was only ever sold in China and runs N64 software, so there is little incentive to crack it. I did have a look at the iQue quite a while ago, and the most notable thing to me was that it seems to have better performance (less slowdown) than the real N64. I suspect this is because the original N64 used Rambus memory (fast transfer rates, but terrible latency) and the iQue is using GDDR memory (equally good transfer rates and much lower latency). Internally, it's basically all one chip except for the RAM - the only obvious point of attack I can see would be to build a sniffer for the RAM and see if you can capture some of the internal code. Although it's easy to dump the flash, it doesn't help that much - it has a log-structured filesystem on it that looks a bit like XFS but isn't. The game images are encrypted and they are different between each console - I suspect they are probably decrypted from the distribution format and re-encrypted using the device private key when installed (since that would give you faster startup). The only obvious point of attack would seem to be sniffing the bus between the ASIC and the GDDR - but this is not going to be exactly trivial to do. It's also possible that the RAM is encrypted, in which case it wouldn't help anyway.
Anyone know anybody from China who could get their hands on an actual kiosk unit? Because I mean theoretically it should have a debug/service mode like any other sort of kiosk with money involved (ATMs, drink machines, etc.). Getting one of those and figuring out what makes it tick might help with figuring out how the encryption/decryption works.
One thing I've always wondered about the iQue is how they were able to produce the graphics chip. The N64's GPU was co-developed by Nintendo and SGI. When the iQue came out (which was 2003, I think), this was after Nintendo and SGI had ended their partnership (or whatever you would call it), I think. SGI still existed, but they had nothing to do with Nintendo. So how was Nintendo able to produce the iQue's GPU? My guess is that either their original agreement allowed Nintendo to do that without SGI's involvement, or they had to make a new agreement to produce the GPU for the iQue. I haven't heard anything to suggest that the latter ever happened, so that seems unlikely. Maybe SGI just didn't care because it was a China-only product.
They were never that common, and I suspect when the customer service places for the iQue were shut down they were all shipped back. Judging from the certs on the memory card, it's designed around public-key crypto anyway, so I'm not sure the kiosk would have any useful secret data in it. They were also able to update the consoles to allow home download on your own PC without any hardware changes, so this also suggests that all the encryption stuff is done inside the unit safe from prying eyes like ours. Normally in a deal like that, the company the parts were made for has the right to produce derivative products from them, which the iQue player certainly qualifies as. I certainly don't think Nintendo would have approved it if they didn't have the necessary rights. Having said that, I can't see SGI caring very much at that point anyway because the design data for pretty much the complete N64 (basically, everything except the CIC and PIF) had already leaked.
I think trimesh has done a good job covering most of this. I really think the lack of interest is what stops people from hacking this system fully. I think it can be done, and a good attack vector would be iQue @ Home, as it's PC software that is able to upload new games to the device via USB (note that not all firmware supports this; on some older units the USB port is not active, and I had to get my unit sent back to Beijing to get the firmware updated). I'm also not sure if iQue @ Home is even functional anymore (I think the servers were shut down a while back). From what I know, there were only so many units at retail stores (mostly in the toy section), and when the system aged these units were transferred to service/repair centers who later destroyed the units or sent them back to iQue HQ after a few years. When I tried to get my unit serviced in the mid 2000s, the repair center had already had their system destroyed, and to get the FW upgraded my unit had to be shipped back to Beijing to be serviced by iQue themselves. So if there are any kiosks still around, they are most likely with iQue itself. iQue stuff is so niche that other than TaoBao it's really hard to come across accessories or game manuals for the system. I'm sad I didn't try to pick up the game manuals when I could. I had someone in China get me some, but after he moved back to the USA he proceeded to lose them. =(
'llo here. It's interesting to see some news in the iQue scene. It seems that some other people are in the same mood: https://gbatemp.net/threads/ique-player-hacking-possibility-with-ique_diag-exe.466906/page-10
I see a user there, Kevinpuerta (hi if you refresh this thread), bought one because of one of my old posts. =P I still actually have mine in my closet. =)
Hey, yeah, I bought one when I was looking at an older thread from a couple of years ago on here about iQues. Saw your post mentioning you could find them on TaoBao, and I managed to snag 2, 2 SWIMs, and 1 SWIM controller. Thanks, at the time I was going to pay $100+ for one on eBay.
Nice haul. Yeah, TaoBao is one of the few remaining places to pick up iQue stuff for a reasonable price, but it's getting harder; the last time I looked there wasn't as much stuff anymore. Also, the issue with the eBay units is that if they aren't listed as having all the games pre-purchased, they are most likely units with the stock firmware that doesn't support iQue @ Home (since support was added via a FW update).