Hi!
Does anyone know if the CPS2 encryption is unique for each and every (game) ROM on a B cart? For obvious reasons it would of course not be possible to switch ROMs between different games, but could I for example switch ROMs between two Mars Matrix carts?
Thanks,
Jon
CPS2 encryption unique for each ROM?
Re: CPS2 encryption unique for each ROM?
AFAIK, the key is per-game and per-region (e.g. Mars Matrix USA has a different key than Mars Matrix Japan, but one Mars Matrix USA board will have the same key as another Mars Matrix USA board). That only applies to 68K ROMs, though.
Re: CPS2 encryption unique for each ROM?
Thanks for your answer 
68K ROMs? What games fall under this category?
Also, it would be safe to remove the ROMs, right? As far as I know the key is not in them, but on an onboard chip somewhere, meaning no battery power will not harm them...

Re: CPS2 encryption unique for each ROM?
NeoBahamut wrote: 68K ROMs? What games fall under this category?
All of them. Some of the ROMs on each game board contain program code for the 68000 CPU; that's what I meant by "68K ROMs".
NeoBahamut wrote: Also, it would be safe to remove the ROMs, right? As far as I know the key is not in them, but on an onboard chip somewhere, meaning no battery power will not harm them...
I haven't specifically heard of results from removing ROMs, but as far as I know your understanding is correct. The actual decryption key is stored inside some SRAM behind a PLD. There's a page on CPS2Shock pointing out the components involved. If removing the ROMs did cause some kind of damage, it seems like it would have been mentioned in connection with the effort to dump the games. More to the point, I doubt that those ROMs get a backup supply in the first place, which you could pretty easily test with a voltmeter.
Re: CPS2 encryption unique for each ROM?
a little off topic, but: what about CPS3. is it possible to re-encrypt a game to match a security cart of a different (and more common) game? then burn it to a cd? or how about make a security cart that performs no operation and will allow an un-encrypted cd to load?
Re: CPS2 encryption unique for each ROM?
antron wrote: a little off topic, but: what about CPS3. is it possible to re-encrypt a game to match a security cart of a different (and more common) game? then burn it to a cd? or how about make a security cart that performs no operation and will allow an un-encrypted cd to load?
It's an interesting problem, so I looked into it a little bit. There are multiple checks that happen in the flashing process. I've found these via MAME, which AFAIK is running "real" (genuine but pre-decrypted/pre-loaded) BIOS code but not emulating the security cart processor:
1) The data is hashed somehow; just changing one bit of a file on the CD will make the process error out at the end. So far I've been unable to determine whether this is connected to the specific security cart in use.
2) There are at least two separate checks before starting the flashing process to determine whether the inserted CD is "valid" (one aspect of which is that it matches the security cart). One of these is merely checking the volume name, which is easily patched. I haven't yet found any of the other checks, but it errors out later with the same "Invalid CD-ROM" error message if a different CD is inserted with the correct volume name.
From what's mentioned in the MAME driver comments it seems like making a replacement security cart should be possible in principle, but I haven't seen any detailed information on the boot process. MAME decrypts the per-game BIOS from the security cart and loads it into the main CPU address space, but that decryption involves a per-game key that is apparently stored in the security cartridge. This presumably means that either the decryption key is sent to the main CPU somehow (e.g. via communication carried out by an internal ROM bootloader), or the security cart somehow decrypts/re-encrypts the BIOS program with a standard key and copies that version onto the mainboard.