6. mxkeychip
mxkeychip is responsible for interfacing between the physical keychip and anything that needs to talk to it (the system services and the game). It does this by means of the mxparallel driver. I have not yet documented the parallel protocol.
Owners wishing to start a system without a legitimate keychip need only replace this binary with a custom binary.
6.1 PCP Service
mxkeychip runs a PCP service on port 40106 (data port 40107).
6.1.1 keychip.version
Return the keychip version, as two bytes. 0104 is the current keychip version, representing 1.4. An optional parameter device can be added to retrieve a specific version. The only allowed value for this however is n2.
6.1.2 keychip.ds.compute
Perform a query-response challenge. The query is the command argument, and the page is passed as a parameter with name page. TODO: Details of how to calculate responses!
6.1.3 keychip.ssd.proof
Perform a query-response challenge. The query is the command argument, and the page is passed as a parameter with name page. TODO: Details of how to calculate responses!
6.1.4 keychip.ssd.hostproof
6.1.5 keychip.status
Get the current keychip status. Responses should be either init to indicate mxkeychip is still performing setup, available to indicate the keychip is ready to use, or error to indicate the keychip is not present or unusable.
6.1.6 keychip.encrypt
6.1.7 keychip.decrypt
6.1.8 keychip.setiv
6.1.9 keychip.appboot.*
Request one of a number of variables from the keychip regarding the authorised game configuration:
Name | Content |
---|---|
formattype | Data format. mxsegaboot will only support version 1. |
platformid | The hardware platform ID. AAL or AAM. ___ is sent if this is unavailable. |
gameid | The four-character game ID. ____ is sent if this is unavailable. |
systemflag | A single byte containing a number of system flags. |
modeltype | 01 = RingEdge, 02 = RingEdge2 |
region | Region bitmask. 1 = Japan, 2 = USA, 4 = Export, 8 = China |
networkaddr | The subnet IP address for this machine |
dvdflag | Is installation from DVD allowed? 00 or 01 |
seed | 16 byte value that is passed to keychip.decrypt to generate the game keyfile. |
6.1.9.1 system flags
Bit | Value |
---|---|
0 (LSB) | Development keychip |
1 | Reserved |
2 | ALL.Net enable |
3 | Net delivery enable |
4 | Binding |
5 | Billing enable |
6 | Rental |
7 (MSB) | Reserved |
6.1.10 keychip.billing.*
As with appboot, billing contains a number of values stored on the keychip; however, some of these are also writable.
Name | Content |
---|---|
keyid | The keychip ID. For example, A72E-0123456. Write-once. |
mainid | The mainboard ID. Write-once. |
playcount | The number of plays that have been performed. This value can be incremented by providing 1. |
playlimit | The number of plays that are allowed until the game must next check in with a billing server. |
nearfull | Get the ‘nearfull’ value stored from the billing server. |
signaturepubkey | Retrieve the public key for the billing server signing service. |
cacertification | Retrieve the authoritative certificate for the billing server, used in place of the system CA chain. |
Danger
keychip.billing.mainid is WRITE-ONCE. Keychips typically do not have this value provisioned, and writing it to a keychip locks that keychip to the mainboard you wrote to it. If an invalid value is written, the keychip is as good as bricked.
Note
nearfull is a 32-bit value. The lower 16 bits contain the number of plays remaining before a game is expected to check in with the billing server. The upper 16 bits contain the accounting mode.
Note
Writing to keychip.billing.playlimit and keychip.billing.nearfull requires a 128-byte signature to be transmitted over a data transfer. This signature is validated against a public key stored on the keychip.
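
The bit-packed values described above (the systemflag byte, the region bitmask and the 32-bit nearfull value) can be decoded as follows. This is an added example, not part of the original documentation or of mxkeychip itself; it assumes each value has already been read as an integer, the function names are hypothetical, and the PCP wire encoding is not covered.

```python
# Added example: decode the bit-packed keychip values documented above.
# Assumes each value is already an integer; function names are hypothetical.

# Bit positions from the "system flags" table (bits 1 and 7 are reserved).
SYSTEM_FLAGS = {
    0: "Development keychip",
    2: "ALL.Net enable",
    3: "Net delivery enable",
    4: "Binding",
    5: "Billing enable",
    6: "Rental",
}
RESERVED_FLAG_BITS = 0b1000_0010

# Region bitmask values from the keychip.appboot.* table.
REGIONS = {1: "Japan", 2: "USA", 4: "Export", 8: "China"}


def decode_systemflag(value: int) -> dict:
    """Split the systemflag byte into named flags plus any reserved bits set."""
    if not 0 <= value <= 0xFF:
        raise ValueError("systemflag is a single byte")
    flags = [name for bit, name in SYSTEM_FLAGS.items() if (value >> bit) & 1]
    return {"flags": flags, "reserved_bits": value & RESERVED_FLAG_BITS}


def decode_region(mask: int) -> dict:
    """Expand the region bitmask and report bits outside the documented four."""
    if mask < 0:
        raise ValueError("region is an unsigned bitmask")
    regions = [name for bit, name in REGIONS.items() if mask & bit]
    return {"regions": regions, "unknown_bits": mask & ~0xF}


def decode_nearfull(value: int) -> dict:
    """Split the 32-bit nearfull value into its two 16-bit halves."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("nearfull is a 32-bit value")
    return {"plays_remaining": value & 0xFFFF, "accounting_mode": value >> 16}


if __name__ == "__main__":
    # Constructed sample values, not captured from real hardware.
    print(decode_systemflag(0x2C))
    print(decode_region(0x05))
    print(decode_nearfull(0x00010064))
```

Reporting reserved or unknown bits separately, rather than dropping them, makes an unexpected value from a keychip visible instead of silently ignored.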