First LibCrypt CDROM Discovered!


Post by nocash » May 8th, 2024, 11:22 am

Until today, the oldest known LibCrypt'ed CDROM appears to have been MediEvil. But there's another older title...
http://redump.org/disc/45854/ SLED-01340 (EXE date 03 Jun 1998) Net Yaroze Demo Disc (EUR)
http://redump.org/disc/592/ SCES-00311 (EXE date 05 Aug 1998) MediEvil (EUR)
The Yaroze demo disc is clearly reading from the usual LibCrypt sectors, but not exactly as how one might think...

The standard LibCrypt 16bit keys are read using the following sector list:

                 libcrypt_msf_list:   ;standard libcrypt list
                 ;(seek addr at MM:SS:FF-3, and verify addr at MM:SS:FF)
                 ;        MM, SS ,FF-3,FF
800C124C 05020803 db      03h,08h,02h,05h  ;bit15
800C1250 56530903 db      03h,09h,53h,56h  ;bit14
800C1254 10071303 db      03h,13h,07h,10h  ;bit13
800C1258 29261403 db      03h,14h,26h,29h  ;bit12
800C125C 24211503 db      03h,15h,21h,24h  ;bit11
800C1260 49461803 db      03h,18h,46h,49h  ;bit10
800C1264 56532003 db      03h,20h,53h,56h  ;bit9
800C1268 55522103 db      03h,21h,52h,55h  ;bit8
800C126C 17142303 db      03h,23h,14h,17h  ;bit7
800C1270 12092403 db      03h,24h,09h,12h  ;bit6
800C1274 03002503 db      03h,25h,00h,03h  ;bit5
800C1278 28252803 db      03h,28h,25h,28h  ;bit4
800C127C 19163203 db      03h,32h,16h,19h  ;bit3
800C1280 56533303 db      03h,33h,53h,56h  ;bit2
800C1284 51483403 db      03h,34h,48h,51h  ;bit1
800C1288 42393503 db      03h,35h,39h,42h  ;bit0

The Yaroze LibCrypt 16bit key is read using this unusual sector list:

                 libcrypt_msf_list:  ;special net yaroze list
                 ;(seek addr at MM:SS:FF-3, and verify addr at MM:SS:FF)
                 ;        MM, SS ,FF-3,FF
80015D94 05020803 db      03h,08h,02h,05h  ;bit15 (would be usually bit15)
80015D98 04010803 db      03h,08h,01h,04h  ;bit14 (would be usually N/A)
80015D9C 56530903 db      03h,09h,53h,56h  ;bit13 (would be usually bit14)
80015DA0 55520903 db      03h,09h,52h,55h  ;bit12 (would be usually N/A)
80015DA4 10071303 db      03h,13h,07h,10h  ;bit11 (would be usually bit13)
80015DA8 09061303 db      03h,13h,06h,09h  ;bit10 (would be usually N/A)
80015DAC 29261403 db      03h,14h,26h,29h  ;bit9  (would be usually bit12)
80015DB0 28251403 db      03h,14h,25h,28h  ;bit8  (would be usually N/A)
80015DB4 24211503 db      03h,15h,21h,24h  ;bit7  (would be usually bit11)
80015DB8 23201503 db      03h,15h,20h,23h  ;bit6  (would be usually N/A)
80015DBC 49461803 db      03h,18h,46h,49h  ;bit5  (would be usually bit10)
80015DC0 48451803 db      03h,18h,45h,48h  ;bit4  (would be usually N/A)
80015DC4 10071303 db      03h,13h,07h,10h  ;bit3  (would be usually bit13) ;'.
80015DC8 09061303 db      03h,13h,06h,09h  ;bit2  (would be usually N/A)   ; again, same as above
80015DCC 29261403 db      03h,14h,26h,29h  ;bit1  (would be usually bit12) ;
80015DD0 28251403 db      03h,14h,25h,28h  ;bit0  (would be usually N/A)   ;/

The key seems to be then used to decrypt another EXE file on the Yaroze disc. To get the correct key, it wants subchannel errors on all six sectors that "would be usually bit15..bit12", and intact subchannel data on all six other sectors. Four sectors are checked twice, giving a total of 16 bits.

Within the yaroze code the 16bit key is simply AAAAh. Or, in standard LibCrypt notation it would be FC00h (or anything in range FC00h..FFFFh if it should contain further read errors in the "usually bit11..bit0" range).

Alongside, it's storing the 4th letter of the SCEX region code in bit23-16 of the key (but it doesn't actually seem to use those bits for anything, other than displaying them in the "Final key" TTY message).

Running that disc on retail consoles
The Net Yaroze Demo Disc is reportedly working only on Net Yaroze consoles. But I think that's a misconception.
The real problem is that it won't work when burned on CDRs (without taking care of the LibCrypt stuff).

Another problem might be the SCEX region code, if it's the wrong region then it won't work (without modchip).
I don't know which region code is used on the Yaroze Demo disc. The Yaroze console would accept the usual three regions SCEI, SCEA, SCEE, and the special Yaroze-only region code SCEW, in the latter case it would be really not working on any retail consoles (but again, a modchip should fix that problem).

PS.
If there are any further "mysteriously not working" discs from 1998 then it might be worth checking if they do also contain similar LibCrypt sectors.

PPS.
Also posted about the yaroze disc on http://forum.redump.org/post/117282/#p117282 I guess they'll be interested in preserving the changed LibCrypt sectors, but I don't know if they'll get around to rev-engineer which sectors are changed on that disc (theoretically 6 out of 12 sectors, plus possible backup copies).
Does somebody else have the original european net yaroze demo disc, and a good cdrom drive for dumping the whole disc's subchannel data, including uncorrected subchannel errors?
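
Added example, not part of nocash's post or the disc's code: the two sector lists from the post turned into a key calculation, showing that the same six modified sectors give AAAAh under the Yaroze list and FC00h under the standard list, which is useful when checking a subchannel dump against the expected key. It assumes a key bit is 1 when the sector's subchannel data fails verification and 0 when it is intact; the function names are hypothetical.

```python
# Added illustration (not from the disc or the forum post).
# Assumption: key bit = 1 when the sector's subchannel data fails
# verification, 0 when it is intact. Function names are hypothetical.

# Verify addresses MM:SS:FF as printed in the listings, bit15 first.
STANDARD_LIST = [
    "03:08:05", "03:09:56", "03:13:10", "03:14:29",
    "03:15:24", "03:18:49", "03:20:56", "03:21:55",
    "03:23:17", "03:24:12", "03:25:03", "03:28:28",
    "03:32:19", "03:33:56", "03:34:51", "03:35:42",
]
YAROZE_LIST = [
    "03:08:05", "03:08:04", "03:09:56", "03:09:55",
    "03:13:10", "03:13:09", "03:14:29", "03:14:28",
    "03:15:24", "03:15:23", "03:18:49", "03:18:48",
    "03:13:10", "03:13:09", "03:14:29", "03:14:28",  # checked twice
]


def key_from_errors(msf_list, error_sectors):
    """Build the 16-bit key from the set of sectors that have errors."""
    key = 0
    for msf in msf_list:  # first entry ends up in bit15
        key = (key << 1) | (msf in error_sectors)
    return key


def required_states(msf_list, key):
    """Invert the mapping: sector -> 1 (error) or 0 (intact) for a key.

    Raises ValueError when a sector listed twice would need both states,
    i.e. the key cannot be produced by any disc with this list.
    """
    states = {}
    for i, msf in enumerate(msf_list):
        bit = (key >> (15 - i)) & 1
        if states.setdefault(msf, bit) != bit:
            raise ValueError(f"{msf} needs conflicting states for {key:04X}h")
    return states


if __name__ == "__main__":
    states = required_states(YAROZE_LIST, 0xAAAA)
    modified = {msf for msf, bit in states.items() if bit}
    print(len(states), "distinct sectors,", len(modified), "modified")
    print(f"Yaroze list:   {key_from_errors(YAROZE_LIST, modified):04X}h")
    print(f"standard list: {key_from_errors(STANDARD_LIST, modified):04X}h")
```

Because four sectors appear twice in the Yaroze list, `required_states` rejects any key whose repeated bits disagree, which is a quick sanity check on a candidate key before comparing it with a dump.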


Post by gwald » May 9th, 2024, 9:45 pm

I don't have one... but I uploaded the patch @brill made to archive:
https://archive.org/details/net-yaroze- ... sled-01340

It looks like it was both, SCEW and encrypted, this is from his comment in the video:
https://www.youtube.com/watch?v=833ZrPGDXtY
This disc is protected and should run only on NET YAROZE consoles. It is not about the access card, the disc does not check its presence/absence. Instead the game (disc) checks the code returned by the CD-ROM controller (MECHANISM CONTROL aka MECON) and based on this information, if the controller from NET YAROZE, decrypts correctly the code block (2048 bytes) in the beginning of the executable menu file and/or decrypts incorrectly in cases of other consoles.
The fact that the game is run with OPL demo discs, it is an oversight of the developers, because the OPL demo disc runs an unencrypted executable, and the list of games it already separately loads from this disc, if of course in time to do the trick with the swap disc.

In any case, I provided ways to run on retail consoles: as a cheat for an existing original/copy disc; as a patch - to pre-patch the image before burning it to a disc.

P.S.: The cheat code simply injects the correct encryption key and the decryption of the menu executable file is correct in any case, regardless of the console type (retail/dev/netyaroze).
In the other comment he links to 2 pages for more info.


nocash wrote: I don't know which region code is used on the Yaroze Demo disc.
These were pressed PSX CDs so they had to press a region, I guess they were sending them internationally, so maybe that explains why it was SCEW... I don't know if it would have worked on the debug units, I think the press had debug units to try games in development, I'm not sure though.

The disc came with a printed listing of the apps on the disc, it can be seen here:
https://strefapsx.pl/najlepsze-gry-stwo ... et-yaroze/


Post by nocash » May 10th, 2024, 7:11 am

What happened?
From what I've gathered, the Yaroze consoles were sold via mail order, with only 1000 consoles sold in europe, but more were sold in usa and japan.

Apparently Sony did then produce 1000 cdroms with yaroze games, and mailed them to the european Yaroze owners, and people in usa or japan didn't receive such gifts.

Oddly enough, now it seems that that free gift was actually a test-run to see if the european Yaroze owners could break the new LibCrypt protection. Whatever that'd be good for.

Hard to tell if that test was successful. It looks as if everyone just shrugged it off and thought that the disc does probably only work on Yaroze consoles. Which, maybe it led some people into buying a Yaroze console.
gwald wrote: May 9th, 2024, 9:45 pm It looks like it was both, SCEW and encrypted, this is from his comment in the video:
"the game (disc) checks the code returned by the CD-ROM controller (MECHANISM CONTROL aka MECON)"
Well, no. The Yaroze CD controller has that weird feature where it replaces the last letter of the SCEX code by SPACE character. So no matter if the disc or modchip has "SCEI" or "SCEE" or "SCEW", the yaroze would only see "SCE ".
Of course the protection could insist on receiving that SPACE character (or insist on the Yaroze's "for NETNA" string). But it doesn't do such things: The uncracked disc is booting fine in emulators (it does only require the correct libcrypt key to be provided).


Post by gwald » May 10th, 2024, 12:56 pm

nocash wrote: May 10th, 2024, 7:11 am What happened?
From what I've gathered, the Yaroze consoles were sold via mail order, with only 1000 consoles sold in europe, but more were sold in usa and japan.

Apparently Sony did then produce 1000 cdroms with yaroze games, and mailed them to the european Yaroze owners, and people in usa or japan didn't receive such gifts.

SCEE made the disc, not Sony Japan, it's pressed in Austria, it says "Made in Austria." on the disc.
You can see a high res image of it here: https://strefapsx.pl/najlepsze-gry-stwo ... et-yaroze/


SCEE also includes parts of Australasia and Africa and Net Yaroze did go out there, I think SCEE sold and gave away to press and educational institutes, a lot more than just 1k.

Japan started Net Yaroze mid 1996 I think it was well supported in universities there, I'm not sure how much media coverage it got, but I think after a year (mid 1997) it wasn't as popular, I don't know why, but I would guess Sony moved on to PS2 and put everything there towards it... and hey they did get LightWave 3D with RSD plugins included in the price (a great gift!)... something other regions struggled with.


I'm not in the US, but I think the same thing happened, including a few Net Yaroze advocates moved to VM Labs to work on the Nuon: Mike Fulton, Greg LaBrec and Bill Rehbock seen in the SCEA NY B Roll video: https://www.youtube.com/watch?v=YP2ptr0U08w

But SCEA region's TMK didn't have a cover disc on their OPSM until later and I'm not sure how often they covered NY, instead they got PS underground a subscription based PS1 cdrom which had a few Japanese games in a few of them.... so SCEA region really didn't get much Net Yaroze love like the SCEE region and I think still relatively obscure and misunderstood there.


SCEE London was very special, they hung on to it and they promoted it heavily through to the end in mid 2009.
Currently, from what I've read, my theory is this, SCEE often would ask people to upload their games to their site, and they would make a pressed CD with them for events and sent to press, from the NY usenet:
Subject: Re: Yaroze showcase demos
Date: Fri, 01 Aug 1997 13:30:52 +0100
From: Developer Support <[email protected]>
Newsgroups: scee.yaroze.mydemos

Developer Support wrote:
>
> Yaroze demo discs
>
> At SCEE we are making Yaroze demo discs of samples
> from the European Yaroze website. These discs will be shown
> to press, retailers and marketing people to showcase the
> Yaroze and what it can do.
>
> If you fancy showing off your demo or game,
> post it to the website and make a posting to the 'mydemos'
> newsgroup.
>
> Nothing will infringe authors' ownership of programs.
> Everyone will be fully credited.
>
> Post your programs soon so that we can show them at ECTS .....

NOTE: we will be making 2 demo discs over the next month or two.

The first will be for the press, the second will be shown at ECTS
itself throughout the show.

Deadline for the first disc is 12th August,
deadline for the second is 4th September.
I think the Net Yaroze Demo disc was maybe the same discs above, but with more added to it over the year.
But by 1998, Net Yaroze wasn't that interesting anymore in SCEI/SCEA regions and maybe they had a surplus of CDs. So they used them to reward the small NY scene by offering them as a prize in their fame game competition, but I think if you were active in the newsgroup and asked for it via email, they would have posted it for free... and I think they were open to members from other regions... but nobody talked about this disc after getting it.
nocash wrote: May 10th, 2024, 7:11 am Oddly enough, now it seems that that free gift was actually a test-run to see if the european Yaroze owners could break the new LibCrypt protection. Whatever that'd be good for.
Hahaha, that's funny, don't get me wrong, there were a few, very smart people that picked up Net Yaroze, but I think by mid 1998 they did their NY thing, and moved on, leaving programmers that could barely program libGS (I include myself here) :lol:
Interesting theory, but I doubt it.
nocash wrote: May 10th, 2024, 7:11 am Hard to tell if that test was successful. It looks as if everyone just shrugged it off and thought that the disc does probably only work on Yaroze consoles. Which, maybe it led some people into buying a Yaroze console.
The public didn't know about this disc, even active members didn't know about it.
I think it had to be won by submitting a game... then you would get it.
nocash wrote: May 10th, 2024, 7:11 am The uncracked disc is booting fine in emulators (it does only require the correct libcrypt key to be provided).
I see, it booted into the encrypted program and stopped.


Do we know what the SCEX wobble is on this disc?

I'm guessing the test/debug units would just ignore the SCEX region check and boot correctly into the brick menu?
