N64 PIF/CIC-NUS-6105 Algorithm Finally Reversed

happyhacking · Sep 5, 2011

CAN THIS BE THE ANSWER FOR JET FORCE GEMINI AND BANJO TOOIE SUPPORT ON EVERDRIVE 64 ??

N64 PIF/CIC-NUS-6105 Algorithm Finally Reversed

Recently, LaC challanged us to find a small and concise algorithm that would
emulate the behaviour of PIF/CIC-NUS-6105 challenge/response (C/R) protection
scheme. This would allow the replacement of 'pif2.dat' file of Project 64, that
contains all the 268 C/R pairs used by 'Jet Force Gemini' and 'Banjo Tooie',
with a concise algorithm. After many hours of careful, exhaustive and detailed
analysis of 'pif2.dat' C/R pairs, I'm pleased to announce that I've
finally found a very concise algorithmic representation of the C/R process,
which emulates the desired behaviour of the PIF/CIC-NUS-6105. This is the
actual C source of the algorithm:

Code:
void n64_cic_nus_6105(char chl[], char rsp[], int len)
{
static char lut0[0x10] = {
0x4, 0x7, 0xA, 0x7, 0xE, 0x5, 0xE, 0x1,
0xC, 0xF, 0x8, 0xF, 0x6, 0x3, 0x6, 0x9
};
static char lut1[0x10] = {
0x4, 0x1, 0xA, 0x7, 0xE, 0x5, 0xE, 0x1,
0xC, 0x9, 0x8, 0x5, 0x6, 0x3, 0xC, 0x9
};
char key, *lut;
int i, sgn, mag, mod;

for (key = 0xB, lut = lut0, i = 0; i < len; i++) {
rsp = (key + 5 * chl) & 0xF;
key = lut[rsp];
sgn = (rsp >> 3) & 0x1;
mag = ((sgn == 1) ? ~rsp : rsp) & 0x7;
mod = (mag % 3 == 1) ? sgn : 1 - sgn;
if (lut == lut1 && (rsp == 0x1 || rsp == 0x9))
mod = 1;
if (lut == lut1 && (rsp == 0xB || rsp == 0xE))
mod = 0;
lut = (mod == 1) ? lut1 : lut0;
}
}
The complete software package is available online at: http://goo.gl/wNRPY

You should read the 'README' file as it contains a complete explanation of the
whole package, the purpose of each file, and the explanation of the four typos
that where found in the 'pif2.dat' file during the research process. These
'pif2.dat' challenge/response pairs were the only resource I've used during
this project. There was no kind of physical access to N64 hardware.

I truly hope this contribution helps the N64 community keeping the magical
spirit of this console alive for a long time.

Finally, this project would have never been possible without the contribuitions
of the following individuals and organizations:

- Oman: For being at the right place at the right time and being brave
enough to pay a personal price so we could understand in a much deeper
way how this magical console really works. We owe you so much.

- Jovis: For all the positive energy and impressive hacking spirit that you
shared with the N64 community. You were absolutely instrumental in
several key events that shaped the N64 community in the last 14 years.
Even if you're not physically with us anymore, your heritage, your
knowledge and your attitude will never be forgotten.

'The candle that burns twice as bright burns half as long.'

- LaC: For the endless contributions that you've given to the N64 community
since the early days, when N64 was the next big thing. I've always
admired the deep knowledge that you've gathered about the most little
hardware details. Recently, you challanged us to find a small and
concise algorithm that would emulate the behaviour of CIC-NUS-6105
challenge/response protection scheme and here is the final result.
LaC, Oman and Jovis were definitly the dream team of N64 reversing in
the late 90's. Without your contributions, we would be much poorer.

- marshall: For keeping the N64 scene alive during the last decade, when
most people lost interest and moved along to different projects. You
are the force that has been keeping us all together in the later
years. When almost nobody cared about N64 anymore, you were always
there, spreading the word, developing in the console, and lately,
making impressive advances on the hardware side. I wish the best
success to your new 64drive project.

- hcs: For your contributions to the better understanding of the inner
workings of the Reality Co-Processor (RCP). Your skills have impressed
me for a long time now. And without your precious help by sharing your
kownledge, I would have never understood the immense importance of
Oman, Jovis and LaC achievements. Thank you !

- Azimer & Tooie: For sharing with the N64 community your findings about the
challenge/response pair used in 'Jet Force Gemini' and the 267
challenge/response pairs used in 'Banjo Tooie', all stored in the
'pif2.dat' file of Project 64. They were instrumental to the final
success of this endeavour.

- Silicon Graphics, Inc. (SGI): For creating MIPS R4000, MIPS R4300 and
Reality Co-Processor (RCP). You were the ultimate dream creator during
the late 80's and early 90's. A very special word of gratitude goes to
the two teams that during those years created RCP and MIPS R4300. They
were technological breakthroughs back then.

On a personal note, I would like to show my deepest gratitude to _Bijou_,
for being always a source of endless hope and inspiration.
-= X-Scale =- (#n64dev@EFnet)
Click to expand...

sanni · Sep 6, 2011

Jet Force Gemini is already supported.

Delirious17 · Sep 6, 2011

Banjo Tooie! Banjo Tooie!

derekb · Sep 6, 2011

this was found awhile ago

alexh · Sep 8, 2011

The answer is no. Search the forum and you'll find a discussion I started with KRIKzz about this.

Turns out this is only half of the encryption/authentication procedure.

happyhacking · Sep 8, 2011

No hope then

Then there is no hope, well i will pick up a banjo tooie at ebay r8 now...

alexh said: ↑

The answer is no. Search the forum and you'll find a discussion I started with KRIKzz about this.

Turns out this is only half of the encryption/authentication procedure.
Click to expand...

N64 PIF/CIC-NUS-6105 Algorithm Finally Reversed

happyhacking Member

sanni Intrepid Member

Delirious17 Rising Member

derekb Well Known Member

alexh Member

happyhacking Member

Share This Page

N64 PIF/CIC-NUS-6105 Algorithm Finally Reversed

happyhacking Member

sanni Intrepid Member

Delirious17 Rising Member

derekb Well Known Member

alexh Member

happyhacking Member

Share This Page

Useful Searches