Revealing Capcom’s Custom Silicon Security

Ask any security professional and they’ll tell you, when an attacker has hardware access it’s game over. You would think this easily applies to arcade games too — the very nature of placing the hardware in the wild means you’ve let all your secrets out. Capcom is the exception to this scenario. They developed their arcade boards to die with their secrets through a “suicide” system. All these decades later we’re beginning to get a clear look at the custom silicon that went into Capcom’s coin-op security.

Alas, this is a “part 1” article and like petulant children, we want all of our presents right now! But have patience, [Eduardo Cruz] over at ArcadeHacker is the storyteller you want to listen to on this topic. He is part of the team that figured out how to “de-suicide” the CP2 protections on old arcade games. We learned of that process last September when the guide was put out. [Eduardo] is now going through all the amazing things they learned while figuring out that process.

These machines — which had numerous titles like Super Street Fighter II and Marvel vs. Capcom — used battery-backed RAM to store an encryption key. If someone tampered with the system the key would be lost and the code stored within would be undecipherable thanks to “two four-round Feistel ciphers with a 64-bit key”. The other scenario is that the battery’s shelf life simply expires and the code is also lost. This was the real motivation behind the de-suicide project.

An overview of the hardware shows that Capcom employed at least 11 types of custom silicon. As the board revisions became more eloquent, the number of chips dropped, but they continued to employ the trick of supplying each with battery power, hiding the actual location of the encryption key, and even the 68000 processor core itself. There is a 6-pin header that also suicides the boards; this has been a head-scratcher for those doing the reverse engineering. We assume it’s for an optional case-switch, a digital way to ensure you void the warranty for looking under the hood.

Thanks for walking us through this hardware [Eduardo], we can’t wait for the next installment in the series!

Friday Hack Chat: Audio Amplifier Design

Join [Jørgen Kragh Jakobsen], Analog/digital Design Engineer at Merus-Audio, for this week’s Hack Chat.

Every week, we find a few interesting people making the things that make the things that make all the things, sit them down in front of a computer, and get them to spill the beans on how modern manufacturing and technology actually happens. This is the Hack Chat, and it’s happening this Friday, March 31, at noon PDT (20:00 UTC).

Jørgen’s company has developed a line of multi-level Class D amplifiers that focus on power reduction to save battery life in mobile applications without losing audio quality.

There are a lot of tricks to bring down power consumption: some rely on core transistor-switching technologies, while others are based on input level, where modulation type and frequency are dynamically changed to fit everything from background audio level to party mode.

Here’s How To Take Part:

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging.

Log into Hackaday.io, visit that page, and look for the ‘Join this Project’ Button. Once you’re part of the project, the button will change to ‘Team Messaging’, which takes you directly to the Hack Chat.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

Upcoming Hack Chats

We’ve got a lot on the table when it comes to our Hack Chats. On April 7th, our host will be [Samy Kamkar], hacker extraordinaire, to talk reverse engineering.

Safe Cracking is [Nate’s] Latest R&D Project

We love taking on new and awesome builds, but finding that second part (the “awesome”) of each project is usually the challenge. Looks like [Nathan Seidle] is making awesome the focus of the R&D push he’s driving at Sparkfun. They just put up this safe cracking project which includes a little gamification.

The origin story of the safe itself is excellent. [Nate’s] wife picked it up on Craig’s List cheap since the previous owner had forgotten the combination. We’ve seen enough reddit/imgur threads to not care at all what’s inside of it, but we’re all about cracking the code.

The SparkX (the new rapid prototyping endeavor at Sparkfun) approach was to design an Arduino safe cracking shield. It has a motor driver for spinning the dial and can drive a servo that pulls the lever to open the door. There is a piezo buzzer to indicate success, and the board has a display header labeled but not in use, presumably to show the combination currently under test. We say “presumably” because they’re not publishing all the details until after it’s cracked, a process that will be live streamed starting Wednesday. This will keep us guessing on the use of that INA169 current sensor that plugs into the safecracking shield. There is what appears to be a reflectance sensor above the dial to keep precise track of the spinning dial.

Electrically this is what we’d expect, but mechanically we’re in love with the build. The dial and lever both have 3D printed adapters to interface with the rest of the system. The overall framework is built out of aluminum channel which is affixed to the safe with rare earth magnets — a very slick application of this gear.

The gamification of the project has to do with a pair of $100 giveaways they’re doing for the closest guess on how long it’ll take to crack (we hope it’s a fairly fast cracker) and what the actual combination may be. For now, we want to hear from you on two things. First, what is the role of that current sensor in the circuit? Second, is there a good trick for optimizing a brute force approach like this? We’ve seen mechanical peculiarities of Master locks exploited for fast cracking. But for this, we’re more interested in hearing any mathematical tricks to test likely combinations first. Sound off in the comments below.

[Joe Grand’s] Toothbrush Plays Music That Doesn’t Suck

It’s not too exciting that [Joe Grand] has a toothbrush that plays music inside your head. That’s actually a trick that the manufacturer pulled off. It’s that [Joe] gave his toothbrush an SD card slot for music that doesn’t suck.

The victim donor hardware for this project is a toothbrush meant for kids called Tooth Tunes. They’ve been around for years, but unless you’re a kid (or a parent of one) you’ve never heard of them. That’s because they generally play the saccharine sounds of Hannah Montana and the Jonas Brothers which make adults choose cavities over dental health. However, we’re inclined to brush the enamel right off of our teeth if we can listen to The Amp Hour, Embedded FM, or the Spark Gap while doing so. Yes, we’re advocating for a bone-conducting, podcasting toothbrush.

[Joe’s] hack starts by cracking open the neck of the brush to cut the wires going to a transducer behind the brushes (his first attempt is ugly but the final process is clean and minimal). This allows him to pull out the guts from the sealed battery compartment in the handle. In true [Grand] fashion he rolled a replacement PCB that fits in the original footprint, adding an SD card and replacing the original microcontroller with an ATtiny85. He goes the extra mile of making this hack a polished work by also designing in an On/Off controller (MAX16054) which delivers the tiny standby current needed to prevent the batteries from going flat in the medicine cabinet.

Check out his video showcasing the hack below. You don’t get an audio demo because you have to press the thing against the bones in your skull to hear it. The OEM meant for this to press against your teeth, but now we want to play with them for our own hacks. Baseball cap headphones via bone conduction? Maybe.

Update: [Joe] wrote in to tell us he published a demonstration of the audio. It uses a metal box as a sounding chamber in place of the bones in our head.


We’re Hiring

Hackaday has been expanding into all kinds of new areas. We find ourselves stretched a bit thin and it’s time to ask for help. Want to lend a hand while making some extra dough to plow back into your projects? These are work-from-home (or wherever you like) positions and we’re looking for awesome, motivated people to help guide Hackaday forward!

Contributors are hired as private contractors and paid for each post. You should have the technical expertise to understand the projects you write about, and a passion for the wide range of topics we feature. If you’re interested, please email our jobs line, and include:

  • Details about your background (education, employment, etc.) that make you a valuable addition to the team
  • Links to your blog/project posts/etc. which have been published on the Internet
  • One example post written in the voice of Hackaday. Include a banner image, at least 150 words, the link to the project, and any in-links to related and relevant Hackaday features

What are you waiting for? Ladies and Gentlemen, start your applications!

The Think Tank at the Chicago Unconference

On Saturday the Hackaday community turned out in force to try something new. The first Hackaday Unconference was held in three places at the same time, and I was in Chicago and was amazed at the turnout and variety of presentations. The image above sums up the concept quite well: everyone shows up ready to give an eight-minute talk, but as a whole, no one knows what to expect. Well, we should have known to expect awesome and that’s what we got.

As usual, people are excellent… to one another and in adapting to the fluid nature of the day. Pumping Station: One, a renowned Hackerspace in the Avondale neighborhood near downtown Chicago, opened their doors for us. Not knowing how many people to expect we set up two presentation rooms with a third on deck just in case it was needed.

We just barely squeezed everyone in one room for the first track but ended up splitting into two for part of the day. Here you can see that second room filling up. Even so we still had a handful of presentations that didn’t get a chance to shine — we simply must do this again so they can have the chance and because I had such a great time!


Your VR Doesn’t Stink (Yet)

What does it smell like when the wheels heat up on that Formula 1 car you drive at night and on the weekends? You have no idea because the Virtual Reality experience that lets you do so doesn’t come with a nasal component. Yet.

Shown here is an olfactory device that works with Oculus Rift and other head-mounted displays. The proof of concept is the work of [Kazuki Hashimoto], [Yosuke Maruno], and [Takamichi Nakamoto] and was shown off at last year’s IEEE VR conference. It lets the wearer smell the oranges when approaching a tree in a virtual environment. In other words, it makes your immersive experience smelly.

As it stands this is a pretty cool little device which atomizes odor droplets while a tiny fan wafts them to the wearer’s nose. There is a paper which presumably has more detail but it’s behind a paywall so for now check out the brief demo video below. Traditionally an issue with scent systems is the substance stuck in the lines, which this prototype overcomes with direct application from the reservoir. Yet to be solved is the availability of numerous different scents.

This build came to our attention via an UploadVR article that does a good job of covering some of the scent-based experiments over the years. They see some of the same hurdles we do: odors linger and there is a limited palette that can be produced. We assume the massive revenue of the gaming industry is going to drive research in this field, but we won’t be lining up to smell gunpowder and dead bodies (or rotting zombies) anytime soon.

The more noble effort is in VR applications like taking the elderly and immobile back for another tour of places they’ll never again be able to visit in their lives. Adding the sense of smell, which has the power to unlock so many memories, makes that use case so much more powerful. We think that’s something everyone can be hopeful about!
