• Home
• About Us
• Services
• > Bespoke Engineering
• > Reverse Engineering
• Blog
• Contact Us

Blog: Stories from recent history...

A Japanese based multinational made a CD based console once

 

Even today, plenty of disinformation still abounds regarding the WIZ code. A 22.050Khz wobble that was used to identify legitimate CD's. Maybe one day we'll put them to rest... :)

 

Then later, they made another DVD based one

 

Note the pit-art watermark on the upper portion of the pressed disc...

 

...which was supposed to be impossible to replicate onto a recordable disc.

 

Then later still, they made another BD based one

 

They tried harder to protect it that time, but they still got schooled...

 

If you use COTS components, it doesn't matter what you do, you're doomed to fail.

 

They initially used an obfuscated ATAPI interface...

 

Then they progressed to an obfuscated SATA interface...

 

Against an opponent with the resources and talent, all of your defenses are ultimately useless.

 

The first ODD chipset was spun out of a Toshiba/Sony fab

 

Rolling your own custom silicon is damn expensive, isn't it?

 

...albeit, it is still ultimately futile.

 

No matter what tricks you try...

 

 

...or the measures your fab recommends as being 'secure'...

 

You'll fail. Points here for the laughs, though. :)

 

GAME OVER: Contents decrypted and SuperMario beats BlackCell.

 

They hedged their bets by using another fab for a second chipset

 

Never be reliant on a fab with no real skill in securing silicon; it's a recipe for disaster

 

Attempting to rely on a SoC being huge is not a viable defense strategy.

 

An interesting aside: The SW2 bootstrap (on the left) was actually just a COTS NEC MCU.

 

We extract, back-cut, laser grind and can re-wirebond transplanted dies from SoCs/MCMs...

 

Which we then probe, extract and decrypt. Lesson: You can hide no secrets in hardware.

 

Renesas R8J series, we know it well, we'd previously RE'd the entire series.

 

The R8J32810...

 

...was exactly the same as the R8J32820. Two versions, but the exact same die internally, I sure hope that SCE didn't pay that invoice for a new spin. :)

 

GAME OVER: Contents decrypted and SuperMario wins again. Unless you know exactly what you're doing, expect to get your ass handed to you.

 

Other things that may be of interest, depending on who you are...

 

Extraction of flash KGD's and re-transplantation from SoCs/MCMs. Contact us if you have a target you need assistance with.

 

Some of our previous work on the Renesas BD writer chipsets

 

R8J32710 series SoC, decapsulated for live-probe work.

 

MTK: Security and crypto LOL's since they started 'borrowing' IP in 1997...

 

No comment.

 

If you need our assistance with a target, contacting us is free.