Xref: utzoo comp.lsi:1041 sci.crypt:3031 alt.security:703
Path: utzoo!attcan!uunet!ogicse!ucsd!usc!zaphod.mps.ohio-state.edu!mips!hal!mark
From: mark@mips.COM (Mark G. Johnson)
Newsgroups: comp.lsi,sci.crypt,alt.security
Subject: Re: A Truly Secure (tm) ROM access
Message-ID: <39146@mips.mips.COM>
Date: 30 May 90 15:57:05 GMT
References: <39144@mips.mips.COM> <21908@shamash.cdc.com>
Sender: news@mips.COM
Reply-To: mark@mips.COM (Mark G. Johnson)
Followup-To: comp.lsi
Organization: MIPS Computer Systems, Inc.
Lines: 38

In article <21908@shamash.cdc.com> mpe@shamash.cdc.com writes:
>The simplest method to by-pass security shells on any computer (or in
>this case an EPROM) would be to allow the target computer to present
>itself to the EPROM at power-up and receive the necessary validation and
>later access the EPROM from the run-time environment. Some OS kernels will
>even assist the process by copying the slower EPROM into faster SRAMS.

But remember that the EPROM is designed for use in a game cartridge,
whose host machine will apply both ends of the authentication handshake:
    (1) EPROM verifies that host contains secret key;
    (2) host verifies that EPROM contains secret key.

The goal is to prevent folks from copying game cartridges. A game
cartridge must contain one of these Intel EPROM chips so that it can
perform the hardware handshake. If you know what bits to program into
the data-store area of the ROM, that's most of the battle, but you still
need to know how to program the KEY bits so your duplicate EPROM can
perform both halves of the hardware handshake. Otherwise the host will
refuse to talk to you.

If all you want to do is read out the contents of the datastore of the
ROM and you don't give a hoot about the key, just purchase a legitimate
cartridge, remove the plastic housing, clip a logic analyzer onto the
pins of the ROM and record the address/data pairs as they whizz by.

Aside: Pull down your Intel catalog and look for 27916. It isn't there.
I guess the game cartridge market might have evaporated before Intel was
ready to deliver the part. Or, mebbe customers decided they didn't like
Intel's scheme (or, dare I say, Intel's price?). Rumor has it that
Nintendo game cartridges contain ROMS that are somehow abnormal
(encrypted? wacko custom chip design that doesn't correspond to any
commercial part, e.g. 48K by 11bits?), and that this is how they
guarantee they are the only source of [highly lucrative] cartridges.
-- 
 -- Mark Johnson
    MIPS Computer Systems, 930 E. Arques M/S 2-02, Sunnyvale, CA 94086
    (408) 524-8308    mark@mips.com  {or ...!decwrl!mips!mark}
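
An added illustration, not part of the original post and not Intel's actual scheme (the post does not describe it): a model of the two-way handshake, with HMAC-SHA256 assumed as a stand-in keyed function. All class and function names and the key and data values are constructed for the example. It shows what the handshake does and does not protect: a duplicate holding the data store but not the key is refused by the host, while the data store itself is still visible on the bus once a legitimate host has unlocked the part.

```python
import hashlib, hmac, secrets

def respond(key, challenge, role):
    # Keyed answer to a challenge; the role tag stops an answer being reflected back.
    return hmac.new(key, role + challenge, hashlib.sha256).digest()

class KeyedEprom:
    def __init__(self, key, datastore):
        self._key, self._data = key, datastore
        self._challenge, self.unlocked = b"", False

    def challenge_host(self):
        self._challenge = secrets.token_bytes(16)    # fresh on every power-up
        return self._challenge

    def verify_host(self, answer):                   # half (1): EPROM checks the host
        expected = respond(self._key, self._challenge, b"host")
        self.unlocked = hmac.compare_digest(answer, expected)
        return self.unlocked

    def answer_host(self, challenge):                # half (2): EPROM proves itself
        return respond(self._key, challenge, b"eprom")

    def read(self, addr):
        if not self.unlocked:
            raise PermissionError("data store locked")
        return self._data[addr]

class KeylessClone(KeyedEprom):
    # Duplicate with the data store copied but the key bits unknown; accepts any host.
    def verify_host(self, answer):
        self.unlocked = True
        return True

def host_handshake(host_key, rom):
    if not rom.verify_host(respond(host_key, rom.challenge_host(), b"host")):
        return False
    nonce = secrets.token_bytes(16)
    return hmac.compare_digest(rom.answer_host(nonce), respond(host_key, nonce, b"eprom"))

def bus_capture(host_key, rom):
    # Address/data pairs as they appear on the pins once the handshake has succeeded.
    if not host_handshake(host_key, rom):
        return None
    return bytes(rom.read(a) for a in range(len(rom._data)))

KEY = b"constructed-demo-key"                        # constructed sample values
GAME = bytes(range(16))
genuine = KeyedEprom(KEY, GAME)
clone = KeylessClone(b"\x00" * len(KEY), GAME)
```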