So close, but yet a bit off. After figuring out a few ambiguities and struggling a bit with the hardware, this is what I have:

0 - 0- bsec_ver - decrypted: 62 73 65 63 5f 76 65 72 encrypted: 7b 7f 85 87 55 69 64 91
1 - 0- =VER0001 - decrypted: 3d 56 45 52 30 30 30 31 encrypted: c0 5c 65 58 ac ab b9 ce
2 - 0- bsec_ver - decrypted: 62 73 65 63 5f 76 65 72 encrypted: 7b 7f 85 87 55 69 64 91
3 - 0- =VER0001 - decrypted: 3d 56 45 52 30 30 30 31 encrypted: c0 5c 65 58 ac ab b9 ce
4 - 0- # ???K?? - decrypted: 23 09 e8 b8 a2 4b b7 9c encrypted: ba 85 0a 2e 3a 66 36 23
5 - 0- ?h-??~ - decrypted: ed 02 68 01 2d 86 c1 7e encrypted: f0 90 8a a5 c7 19 c8 85

Either the public info is obfuscated, or I'm missing something here. Possibly hardware issues, but I kind of doubt it since I'm getting consistent results, and the parity byte is always correct. The "=VER0001" should be "8VER0001", and the # command is supposed to redefine just two bytes, which should leave parts of message 5 in cleartext. Another strange thing is that the first 7 messages are identical between 2 PICs, so the redefining of the session key doesn't seem to be random at all, if that is indeed what it does. All insights (public or not) welcome.

BTW, you don't need a fancy-pants LA to get these signals; the logic tool of the PICkit 2 (and a sniffer "PIC") is sufficient.
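The following is an added analysis helper, not code from the poster or from the PIC dumper mentioned in this thread. It takes the six plaintext/ciphertext pairs quoted in the post above (the only data it uses) and runs the cheap consistency checks one would want before guessing at the transform: whether a repeated plaintext always yields the same ciphertext, whether one fixed XOR or additive keystream would explain every message, whether a position-independent byte substitution could, and which bits separate the expected '8' from the observed '='. Function names and the choice of checks are mine.

```python
# Added example, not the original poster's code. Plain Python 3, no dependencies.
# The only input is the sniffer dump copied from the post above.

# Message index -> (decrypted, encrypted), copied from the dump (hex bytes zero-padded).
CAPTURES = {
    0: ("62 73 65 63 5f 76 65 72", "7b 7f 85 87 55 69 64 91"),
    1: ("3d 56 45 52 30 30 30 31", "c0 5c 65 58 ac ab b9 ce"),
    2: ("62 73 65 63 5f 76 65 72", "7b 7f 85 87 55 69 64 91"),
    3: ("3d 56 45 52 30 30 30 31", "c0 5c 65 58 ac ab b9 ce"),
    4: ("23 09 e8 b8 a2 4b b7 9c", "ba 85 0a 2e 3a 66 36 23"),
    5: ("ed 02 68 01 2d 86 c1 7e", "f0 90 8a a5 c7 19 c8 85"),
}

XOR = lambda a, b: a ^ b            # ciphertext = plaintext XOR keystream?
SUB = lambda a, b: (a - b) & 0xFF   # ciphertext = plaintext + keystream (mod 256)?


def pairs():
    """Return [(index, plaintext_bytes, ciphertext_bytes), ...] in message order."""
    return [(i, bytes.fromhex(p), bytes.fromhex(c)) for i, (p, c) in sorted(CAPTURES.items())]


def ascii_view(data):
    """Render bytes the way the dump does: printable ASCII as-is, everything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def is_deterministic():
    """True if every repeated plaintext produced exactly the same ciphertext.
    A transform that really re-keyed per message would make this False."""
    seen = {}
    for _, p, c in pairs():
        seen.setdefault(p, set()).add(c)
    return all(len(cts) == 1 for cts in seen.values())


def keystreams(op):
    """Per-message stream k[j] = op(ct[j], pt[j]) for the chosen combining operation."""
    return {i: bytes(op(c[j], p[j]) for j in range(len(p))) for i, p, c in pairs()}


def fixed_keystream(op):
    """True if one keystream would explain every captured message under `op`,
    i.e. a stream cipher whose state was never advanced between messages."""
    streams = list(keystreams(op).values())
    return all(s == streams[0] for s in streams)


def substitution_conflicts():
    """Plaintext byte values that map to more than one ciphertext byte anywhere in the
    capture. A non-empty list rules out a single position-independent S-box."""
    table = {}
    for _, p, c in pairs():
        for pb, cb in zip(p, c):
            table.setdefault(pb, set()).add(cb)
    return sorted(pb for pb, cbs in table.items() if len(cbs) > 1)


def bit_diff(expected, observed):
    """Bit positions (0 = LSB) in which two byte values differ, e.g. '8' vs '='."""
    return [bit for bit in range(8) if (expected ^ observed) >> bit & 1]


if __name__ == "__main__":
    for i, p, c in pairs():
        print(f"{i}: {ascii_view(p)!r:12} xor={keystreams(XOR)[i].hex()} sub={keystreams(SUB)[i].hex()}")
    print("deterministic:", is_deterministic())
    print("fixed XOR keystream:", fixed_keystream(XOR))
    print("fixed additive keystream:", fixed_keystream(SUB))
    print("S-box conflicts:", [hex(b) for b in substitution_conflicts()])
    print("'8' vs '=' differ in bits:", bit_diff(ord("8"), ord("=")))
```

On this capture the script reports that the transform is deterministic (messages 0/2 and 1/3 encrypt identically), that no single XOR or additive keystream fits all six messages, and that the same plaintext byte (0x65 in "bsec_ver", 0x30 in "=VER0001") lands on different ciphertext bytes at different positions, so neither a static substitution table nor an un-advanced stream cipher explains the data on its own. The '8'/'=' discrepancy is bits 0 and 2 of the first byte.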
If you search the forum, you will see the diagrams and code for the PIC dumper that a friend of mine developed and I made public some months ago.