Hi guys, new here. So I've been probing and digging for info on the 2X6 systems. I've probed deep into the forum and have read previous posts on the work that has been put into dumping game and Security Dongle back-ups, and have been impressed by all the hard work put into this system and keeping a fantastic database. From what I have read and found:
- The BIOS has been dumped and loaded into a PS2 emulator but currently cannot emulate 2X6 games due to the encryption method held on the memory cards.
- Security Dongle creation is possible using a physical method with an existing dongle (converting from one game to another).
- PC-assisted PS2 memory card dumpers are not compatible with 2X6 security dongles and it is not possible to use them to access or dump encrypted keys.
This is as much as I'm aware of. What I would like to know is if it is possible, or if there is a method, for essentially jailbreaking the actual unit for homebrew in a similar sense to the PlayStation 2. I am aware both systems run the same board with vastly differing BIOS. I own both the 246 and 256 and love the systems immensely, though my curiosity with tinkering with things usually gets the better of me. I am not asking for the sake of piracy, nor do I condone it, though the system itself is intriguing and I'd like to play with it.
TL;DR: Is there an exploit tool (online or otherwise) capable of allowing the system to run homebrew software? I know I can back up my owned discs; that's not what I'm after, my owned copies are safe. I know this can be a touchy subject amongst some people with the taboo of cracking 'current production systems'. I'm curious if you would consider this an out-of-service system and if it's OK to look into now, as I can't recall the last time I saw one out making $$. Anywho, I'll leave it at that and am looking forward to seeing what's in the works for the system. It's a system I hold dear and want to see preserved in all its glory.
PS: I am well aware of the Multi Security Dongle project, though I'm currently out of the loop on its progress. Keep up the great work.
I do not know if the System 246 folks have made any headway in the MagicGate stuff, but here's my 2 cents. To get normal homebrew software to work on the system 246 is not going to be an easy thing, since it is more like a TOOL than a CEX PlayStation 2. The system 246 may have a newer default IOP kernel than the CEX PlayStation 2. It's not really a BIOS (it handles bootup and offers kernels that can be replaced, as on the PS2), so that is a good thing... Thankfully, only one IOP module is downright incompatible, and it is possible to replace it. I participated in a short experiment in 2013 with @l_oliveira and his friend(s); I remember that I rebooted the IOP with an IOPRP image that contained the old FILEIO and IOMAN modules from a PlayStation 2. I think the system 246's IOPBTCONF file also had the loading of CDVDMAN and CDVDFSV commented out, so my IOPRP image also included a new IOPBTCONF file that loaded these modules (which were already designed to work with the drive-less system 246!). Some homebrew software also uses board-specific files. This will require the software to be reworked to not use the board-specific files. The dongle uses the update system, which you can use to boot software. However, as far as I understand, the System 246 is still considered secure because the PlayStation 3 leaks did not reveal the keys for this system. Interestingly, the ROM was made to support a backdoor in (some?) dongles. There are two versions of MCMAN: MCMAN and MCMANO. One of them would work with the dongle, while the other was for regular PS2 memory cards. The one for accessing the dongle is always loaded by default (hence you can only boot from dongles). At least some dongles will check for and replace the unprotected binary (and IOPRP image) on the dongle with similarly-named files from a PS2 memory card that is inserted in the other slot (!). Hence you can replace the START.bin file on such a dongle with anything you want...
Some information here may be outdated or inaccurate, since I don't actually touch the system 246. It was a small side project that a friend asked for help with.
Hey, glad to see another 2x6 fan here. Discussion of hacking the system is totally fine. The only one not so much is "How can I clone this more expensive game onto the cheap Gundam dongle" =P I'm a big 2x6 fan myself. Another user here and I were responsible for building out the current known software list referenced by a few sites. We were pretty disappointed with how fragmented the information out there is. I do hope one day someone can hack/patch the system so early 246 games can be made 256 compatible (it has to do with some of the disc drive commands), as well as maybe hack Ridge Racer 5 to not require the Force Feedback test to successfully boot.
Interesting. I don't think I've seen any games out there that use this setup. The only game that uses a 2nd card is Soul Calibur 2, and that was for data storage. The only known upgradable games were late Taiko no Tatsujin games that would dump updated content via USB onto the HDD.
I've seen/got 2 interesting photos on that front, though I don't know enough about chipsets and hardware to confirm legitimacy. Also, at the same time I have agreed to the 'don't tell' agreement so... whoops? (It's not even a secret that it exists though, so I don't know.) Oh hell yeah man, absolutely love the system even when it's being uncooperative. Not going to lie, it's tempting and would be nice, as I'm still trying to track down Soul Calibur 3. Proving tough to find, though I haven't opened all channels; still a freshy to the system (picked up a 246 2-3 years ago and a 256 last year). I've usually tried before I've bought (Pandora board/multiboards etc.), or had a multiboard to build and test a cabinet under repair, as they're light and easy to work with. There's quite a number of games I'm looking to purchase because of piracy... I like legit hardware, and if I see an interesting game I've never heard of that I enjoy, I go looking for it. (Rage of Dragons) for Neo Geo being one. I own Chou DragonBall Z and would get a cheap Gundam dongle converted as a security measure. I keep my stuff safe, I'm anal about it, but sometimes life happens and things get broken or lost. Image link (currently on mobile): https://ibb.co/cq90vn So RR5 needs a response back from a wheel in order to boot? I can see that being a bit of a hurdle on the emulation side of things. As for the disc drive, Tekken 4 will forever be unhappy
SC3 isn't very difficult to find. Just have to give it I get the paranoia, but DBZ isn't a rare/expensive game in the first place. Not to mention the cards are fairly resilient, so they're not just going to up and fail overnight (I've got a *k ton of them). I also hate the idea, as one might otherwise destroy a less common game without knowing it. I actually have multiple copies of Tekken 4, and that's because I have a collection of different revisions of the game. Yet since most just see it as simply Tekken 4, they were all balls cheap. I've also come up with less common revisions of some other games due to this as well. On boot, RR5 will use the force feedback motor to turn the wheel. It then checks the wheel analog pot to see how much it turned. If it is within the expected tolerance it passes; if not, it fails. I have a side-burner project where I tried to convert a Logitech PS2 wheel to play the game. It actually kind of worked a few times, but since my electrical skills at the time were not great, I did not properly step down the voltage from the drive PCB and caused my wheel's analog pot to break (and make a horrible noise that freaked my wife out, lol). I haven't had much time to revisit the project (probably should). All early 246 games up till about Soul Calibur 2 suffer from this issue. It's not purely a hw drive issue, but something within the IDE controller in the 256 is just not compatible. So the load will fail even with a compatible drive from a 246. =(
I've been looking for 2 years now. If you have a spare or know of anyone selling, I'm more than keen if my wallet permits. Oh I know, I just haven't seen another copy besides the one I own. I'm more concerned about user error; things get lost. I'm still new to this system and often don't join forums and pick the usual channels (eBay/local sales. It's a habit I need to break). Also, I agree fully, which is why I'm waiting eagerly for the multicard project. Which reminds me, I should track down a secondary Neo Geo MVS board. Current one has 'calendar error' and needs the battery replaced. (I have never soldered in my life.) Oh for sure! Everything's worth a second shot. If you get it going I'd be highly interested to see it. Hardware dies, and if someone is able to find a suitable counterpart, it's a step to preserving these old games and keeping them playable; what's a game worth if it can't be played, besides a memory. On a side note, been restoring this (Chinese/Korean?) candy cab. Got 2 of them for $270 AUD, was a steal! They were originally set up as a back-to-back Taito Type X2 system running on a pass-through. I'd like to put the 246 in it and keep the 256 in my New Astro City. Need to sort out power though; as you're aware, the 246 is a greedy power hog. Easy fix, just need to stop being lazy and get it done. Not much left to go on it. Locks, coin mech, front door, and then screw everything down and she's done! Image link: https://ibb.co/hXjQvn
It's been done. To RR5 and some other games that required a special board. RR5 also has hacks to partially fix the shitty brightness, widescreen, and controls remapping for digital input lol. The problem is that the Gundam exploit disc does not dump files, because of a MECHACON restriction which prevents hotswapping the dongles. It's used for replacing the boot file with a homebrew, then to do blatant piracy (i.e. reinjecting files from donor dumps to the modified Gundam dongle).
Heh, I wasn't even aware of a Gundam exploit. I own one of the Gundams (hell if I remember which one) and play it a fair bit. I was speaking more of having a secondary DBZ backup card in case I were to misplace mine. It's unlikely I will, though I like to be safe. In any case, like Subbie brought up, I would much prefer using a writable dongle (in dev) than 'destroying/converting' one from one game to another. I don't endorse piracy, but I do support backing up of owned media for preservation purposes. It's a very thin blade to walk on. As I stated before, I go looking for legitimate copies of games I've enjoyed that I've found on multiboards. It's a very fine line, but if there was an exploit that allowed for operation without specific security measures I'd use it if it means getting a longer life out of my games, BUT at the same time it is a genuine worry that it can be used for flat-out piracy. I had a hell of a time exploiting the original PSP. It had some awesome homebrew apps created for it and is still an underrated system, though I went through using UMDump and backed up all my physical games to memory sticks. I'm a heavy collector and have a fair wall of physical discs. I'm just worried about things getting scratched or broken, and want to preserve old games. Hell, I'd like my kids to have a crack at my old games when they get older, and if I can preserve them, I sure as hell will.
Sorry, I did not notice that my sentence got cut off. They do pop up from time to time; I see eBay had one in November. Just have to keep a lookout. Sadly I don't have one to sell on, as I got rid of my copy a while back. I enjoy Soul Calibur, but my main plays on 2x6 are Gundam Next, Tekken 5.1 and the Taiko Drum series. =) Oh, the game is super common on Yahoo Auctions and you can just use a proxy like Buyee to purchase/ship it to you. Ah, good to know. I will have to bug you in the future about this. I've still got all the software for this game (and the force PCB). Do you know if anybody has been able to get Dragua running?
Ah craaaaaap, must've just missed SC3. I own SC2 but I really want to give 3 a crack on arcade. I am aware SC2 is the better game, but I need Tira back in my life. Excited for the new installment coming this year. Tekken 5.1 is also high on my list. I'll eventually track down a 367(?) for Tekken 6, but that's a whole different monster on its own. Annnnnyway. I guess I'll wait. I have experience in using tools made by others, but I have no coding knowledge. My knowledge lies in 3D game art (minimal). As for general gaming, I prefer to keep physical carts/discs. Very rarely buy digital games (besides Steam). I know it's the direction the future is moving, but I like stuff on shelves.
https://ibb.co/nR3SrS
It's probably a secret backdoor that was left behind from development days. It should be considered a major security loophole, merely hidden under a veil of obscurity. No better than hiding the key to the door under the doormat... We found it because the dongle had its NAND chip desoldered and dumped.
I've no idea, sorry. Dev dongles do that (self-update on startup with files in the PS2 MC on slot 2, without security measures). The only security dongle I know to self-update is KN00002, and I reuse its boot program as the base loader in my sys2x6 dongle (for chain-loading ELFs), since I cannot desolder NANDs. Some (but not all) game dongle boot files seem to update from mc1 too. Never studied that, but it looks secured, with references to "securitycode" in error messages. Those boot files apparently look for:
- mc1:xxxCOPY (child program which updates files? This is the thing that'd have to be investigated)
- mc1:xxxLOAD (probably the "updated" second-stage loader, which unpacks and runs xxxGAME)
- mc1:xxxGAME (probably the "updated" main ELF of the game, usually packed)
The two major security loopholes IMO are:
1.) All the dongle KELFs were authored with... just guess it? The PS2 DVD Player v1.00J DISK kbit+kc.
2.) Some games load and execute IOP executables from non-secured devices (CD/DVD/HDD) [thanks Crapcom].
About 1.):
- Lets us re-marry the boot files to the dongles, as long as we know the original boot file signature of the target dongle. In other words, twin-signing.
- Content table and data block encryption/decryption keys were discovered with a very simple bruteforce attack. We can decrypt and unpack boot files, and reuse their KELF containers.
About 2.):
- With a homemade file copier (including a twin-signer) executed in the IOP, we can replace files in the dongle. As said in my other post, the target dongle must be the one the system has booted with. One dongle auth per power cycle, nasty MECHACON.
Reverse encryption? It is possible to record the data between the dongle and the PS2; for example, put in game X, record the data sent and received from the dongle, then put the data on a chart: every time data A is sent, data B is answered, so you may end up with a very simple data sheet (question - response). Would this result in something, if possible?
We already have copies of the software modules (MCMAN, SECRMAN etc.), but the actual MagicGate cryptography is implemented in the hardware. There may be tools out there that allow us to build signed files for the PS2 (given FMCB), because the PS3's PS2 emulator had the code and keys for that, but the system 246 uses different keys for this purpose. There is also one more problem, other than building a new file that the system 246 will accept: only dongles can be booted from, which were deliberately made to have a slightly different authentication mechanism from PS2 memory cards: one step in its SECRMAN is missing and the context/device number supplied to the MagicGate engine is different (it's 0xF, instead of the usual for memory cards). So you also need compatible hardware. Maybe a mod to the system 246's boot ROM could be easier LOL. I'm curious though: does anyone know if the system 246's ROM is flashable? I've got this impression that the system 246 can have a few ROM versions and the ROM version has to match the game's SDK... like on a TOOL.
Interested in this subject and have been watching myself. So the MagicGate hardware from the arcade platform (2x6) uses a different crypto key from the home PS2 consoles, correct? Once the key was discovered for the home consoles, that opened the door for the USB-connected PS2 memory card tools for backup/restore of save games. How was the PS2 home system key recovered or discovered? Any thoughts on how to go about recovering/discovering this key for the arcade hardware? That seems to be the magic gate.... Also, would replay of the serial communications between host and "dongle" work, or are there challenge/responses that change from session to session? A dongle emulator?