N64 PIF/CIC-NUS-6105 Algorithm Finally Reversed
Recently, LaC challanged us to find a small and concise algorithm that would emulate the behaviour of PIF/CIC-NUS-6105 challenge/response (C/R) protection scheme. This would allow the replacement of 'pif2.dat' file of Project 64, that contains all the 268 C/R pairs used by 'Jet Force Gemini' and 'Banjo Tooie', with a concise algorithm. After many hours of careful, exhaustive and detailed analysis of 'pif2.dat' C/R pairs, I'm pleased to announce that I've finally found a very concise algorithmic representation of the C/R process, which emulates the desired behaviour of the PIF/CIC-NUS-6105. This is the actual C source of the algorithm:
void n64_cic_nus_6105(char chl[], char rsp[], int len)
{
static char lut0[0x10] = {
0x4, 0x7, 0xA, 0x7, 0xE, 0x5, 0xE, 0x1,
0xC, 0xF, 0x8, 0xF, 0x6, 0x3, 0x6, 0x9
};
static char lut1[0x10] = {
0x4, 0x1, 0xA, 0x7, 0xE, 0x5, 0xE, 0x1,
0xC, 0x9, 0x8, 0x5, 0x6, 0x3, 0xC, 0x9
};
char key, *lut;
int i, sgn, mag, mod;
for (key = 0xB, lut = lut0, i = 0; i < len; i++) {
rsp[i] = (key + 5 * chl[i]) & 0xF;
key = lut[rsp[i]];
sgn = (rsp[i] >> 3) & 0x1;
mag = ((sgn == 1) ? ~rsp[i] : rsp[i]) & 0x7;
mod = (mag % 3 == 1) ? sgn : 1 - sgn;
if (lut == lut1 && (rsp[i] == 0x1 || rsp[i] == 0x9))
mod = 1;
if (lut == lut1 && (rsp[i] == 0xB || rsp[i] == 0xE))
mod = 0;
lut = (mod == 1) ? lut1 : lut0;
}
}
The complete software package is available online at: http://goo.gl/wNRPY
You should read the 'README' file as it contains a complete explanation of the whole package, the purpose of each file, and the explanation of the four typos that where found in the 'pif2.dat' file during the research process. These 'pif2.dat' challenge/response pairs were the only resource I've used during this project. There was no kind of physical access to N64 hardware.
I truly hope this contribution helps the N64 community keeping the magical spirit of this console alive for a long time.
Finally, this project would have never been possible without the contribuitions of the following individuals and organizations:
- Oman: For being at the right place at the right time and being brave enough to pay a personal price so we could understand in a much deeper way how this magical console really works. We owe you so much.
- Jovis: For all the positive energy and impressive hacking spirit that you shared with the N64 community. You were absolutely instrumental in several key events that shaped the N64 community in the last 14 years. Even if you're not physically with us anymore, your heritage, your knowledge and your attitude will never be forgotten.
'The candle that burns twice as bright burns half as long.'
- LaC: For the endless contributions that you've given to the N64 community since the early days, when N64 was the next big thing. I've always admired the deep knowledge that you've gathered about the most little hardware details. Recently, you challanged us to find a small and concise algorithm that would emulate the behaviour of CIC-NUS-6105 challenge/response protection scheme and here is the final result. LaC, Oman and Jovis were definitly the dream team of N64 reversing in the late 90's. Without your contributions, we would be much poorer.
- marshall: For keeping the N64 scene alive during the last decade, when most people lost interest and moved along to different projects. You are the force that has been keeping us all together in the later years. When almost nobody cared about N64 anymore, you were always there, spreading the word, developing in the console, and lately, making impressive advances on the hardware side. I wish the best success to your new 64drive project.
- hcs: For your contributions to the better understanding of the inner workings of the Reality Co-Processor (RCP). Your skills have impressed me for a long time now. And without your precious help by sharing your kownledge, I would have never understood the immense importance of Oman, Jovis and LaC achievements. Thank you !
- Azimer & Tooie: For sharing with the N64 community your findings about the challenge/response pair used in 'Jet Force Gemini' and the 267 challenge/response pairs used in 'Banjo Tooie', all stored in the 'pif2.dat' file of Project 64. They were instrumental to the final success of this endeavour.
- Silicon Graphics, Inc. (SGI): For creating MIPS R4000, MIPS R4300 and Reality Co-Processor (RCP). You were the ultimate dream creator during the late 80's and early 90's. A very special word of gratitude goes to the two teams that during those years created RCP and MIPS R4300. They were technological breakthroughs back then.
On a personal note, I would like to show my deepest gratitude to _Bijou_, for being always a source of endless hope and inspiration.
-= X-Scale =- (#n64dev@EFnet)
source: http:/www.emutalk.net/threads/53217-N64-PIF-CIC-NUS-6105-Algorithm-Finally-Reversed
