Fully decrypted IPL -- Reverse engineering

XAYRGA
Posts: 2
Joined: Fri Jul 15, 2016 12:16 pm

Fully decrypted IPL -- Reverse engineering

Post by XAYRGA » Fri Jul 15, 2016 12:57 pm

Was wondering if anybody knew anything about the gamecube IPL. I've managed to decrypt it and have been pulling it apart.

Here's what I know.

From 0x00-0x100 it has a DOL header which is corrupted (likely ignored, Gekko boots at 0x100)

(Below are the DOL header contents)
0x3 - Text 256
0x7 - Text 0
. . .
--------
0x1F - Data 0
. . .
--------
--------
0x4B - Text-A 2167406592 !!!
0x4F - Text-A 0

. . .
--------
0x67 - Data-A 0
. . .
--------
--------
0x93 - Text-S 2095072
0x97 - Text-S 0
...
--------
0xAF - Data-S 0
.... ... ..
0xDF - BSS Memory at 0 size of 0
0xE3 - Entry point at 2167406592 !!!
!! Cannot dump blocks, DOL header is corrupted.
That's what the DOL header gave me; it points past EOF, so it's corrupted.


I was exploring the file a bit when I found entries that look like gamecube FST, and sure enough it was, however I don't know where this FST starts. The IPL appears to setup the OS, with the main menu just being a rom that directly boots the game in the drive.

Within this filesystem are several files listed, there are gamecube stream format sounds

/stream00.adp.../stream01.adp.../stream02.adp.../stream03.adp.../stream04.adp.../stream05.adp.../stream06.adp.../stream07.adp...
as well as an implementation of BMS (JAudio or whatever the sequenced audio engine is called)

ipl_0.aw
/Banks/.
......Banks/ipl.bnk (Just by manually checking the data surrounding these, it is indeed sequence data)
......Banks/ipl.ws

Other files include a stream file for the opening sequence

/boot_demo_base_cube.1.SH
/boot_demo_cover_cube.base32
/cube_mat1
There are various unused strings within the rom as well, one referencing a completely unreleased Pokemon game!

"Pokemon Stadiummmmmm"
"Gameplay.Pokemon Stadiummmmmm"
"pokemon kingin.2000"
"The new PokeMon Stadium!"
These were likely strings to test the memory card screen, or the "GAME PLAY" screen. Following this looks like texture data.


Right, so I don't know where the filesystem in this rom is, or where to find the start of it. But here's a copy of the decrypted bios.


First, here's the XOR pad for decrypting the bios


http://xayr.ga/rom/ipl_xor.pox (Does not include the first 0x100 bytes; if you're going to use this, remember to seek past!)

aaaand here's the bios.

http://xayr.ga/rom/ipl_decrypted.bin

If you'd like, take a crack at it and see if you can locate the start of the filesystem. From here we should be able to locate the ROM for the IPL screen (main menu). If you'd like to find where its entry is in the FST, you can search for "iplrom.com" in the ipl_decrypted.bin.

If you'd like to run this against, I've made a tool for making keys / decrypting a bios. Here's a small little tool I made called PadXOR. You can test it on another IPL.bin, but I'm not going to promise it will work.

To decrypt a bios you can use this "pxor <bios rom> ipl_xor.pox /o 256 /r"

Source code is included in the archive.

http://xayr.ga/rom/pxor.7z

I'll keep you all updated on my findings.
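The DOL header layout the post walks through (section file offsets, load addresses, sizes, BSS, entry point) and the pad-XOR step, as an added example in Python; this is not the post's pxor tool nor Nintendont code. The reading of "/o 256" as "leave the first 256 bytes alone, XOR the rest with the pad" is an assumption, and the sample header is constructed from the field values quoted in the post. The checker compares only file offsets against the file size; load addresses and the entry point are RAM addresses and are checked against the MEM1 range instead.

```python
import struct
DOL_HEADER_SIZE = 0x100
TEXT_SECTIONS = 7                           # the DOL format has 7 text and 11 data slots
MEM1_LO, MEM1_HI = 0x80000000, 0x817FFFFF   # GameCube main RAM as seen by the CPU

def xor_with_pad(rom: bytes, pad: bytes, skip: int = 0x100) -> bytes:
    """XOR rom[skip:] with pad, copying the first `skip` bytes through unchanged
    (my reading of the post's "pxor ... /o 256"; the meaning of /o is an assumption)."""
    body = rom[skip:]
    if len(pad) < len(body):
        raise ValueError("pad is shorter than the region to decrypt")
    return rom[:skip] + bytes(a ^ b for a, b in zip(body, pad))

def parse_dol_header(hdr: bytes) -> dict:
    """Decode the fixed 0x100-byte DOL header (all fields are big-endian u32)."""
    if len(hdr) < DOL_HEADER_SIZE:
        raise ValueError("DOL header must be at least 0x100 bytes")
    offs = struct.unpack(">18I", hdr[0x00:0x48])    # file offsets of 7 text + 11 data sections
    addrs = struct.unpack(">18I", hdr[0x48:0x90])   # load addresses in RAM
    sizes = struct.unpack(">18I", hdr[0x90:0xD8])   # section sizes in bytes
    bss_addr, bss_size, entry = struct.unpack(">3I", hdr[0xD8:0xE4])
    sections = [{"kind": "text" if i < TEXT_SECTIONS else "data",
                 "offset": o, "address": a, "size": s}
                for i, (o, a, s) in enumerate(zip(offs, addrs, sizes)) if s]  # skip empty slots
    return {"sections": sections, "bss_addr": bss_addr, "bss_size": bss_size, "entry": entry}

def check_dol(hdr: bytes, file_size: int) -> list:
    """Only file offsets are compared against the file size; load addresses and the
    entry point are RAM addresses and are checked against the MEM1 range instead."""
    info = parse_dol_header(hdr)
    problems = []
    for s in info["sections"]:
        if s["offset"] + s["size"] > file_size:
            problems.append(f"{s['kind']} section at 0x{s['offset']:X} runs past EOF")
        if not MEM1_LO <= s["address"] <= MEM1_HI:
            problems.append(f"{s['kind']} load address 0x{s['address']:08X} outside MEM1")
    if not MEM1_LO <= info["entry"] <= MEM1_HI:
        problems.append(f"entry point 0x{info['entry']:08X} outside MEM1")
    return problems

def sample_header() -> bytes:
    """Constructed sample header using the field values quoted in the post:
    text0 at file offset 256, size 2095072, load address and entry 2167406592."""
    hdr = bytearray(DOL_HEADER_SIZE)
    for off, val in ((0x00, 256), (0x48, 2167406592), (0x90, 2095072), (0xE0, 2167406592)):
        struct.pack_into(">I", hdr, off, val)
    return bytes(hdr)

if __name__ == "__main__":
    print(check_dol(sample_header(), 0x200000) or "header consistent with a 2 MiB file")
```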
novenary
Posts: 1754
Joined: Mon Dec 30, 2013 7:50 am

Re: Fully decrypted IPL -- Reverse engineering

Post by novenary » Fri Jul 15, 2016 1:50 pm

XAYRGA wrote: From 0x00-0x100 it has a DOL header which is corrupted (likely ignored, gekko boots at 0x100)
Nope, it's just a copyright string then it's filled up with zeros.
XAYRGA wrote: I was exploring the file a bit when I found entries that look like gamecube FST, and sure enough it was, however I don't know where this FST starts.
Pretty sure it's just a static DOL, you can actually pack it up inside of one if you know what you're doing.
XAYRGA wrote: The IPL appears to setup the OS, with the main menu just being a rom that directly boots the game in the drive.
No fucking way ???
XAYRGA wrote: Within this filesystem are several files listed, there are gamecube stream format sounds
...
Other files include a stream file for the opening sequence
...
There are various unused strings within the rom as well, one referencing at a completely unreleased pokemon game!
Uninteresting data.
XAYRGA wrote: Right, so I don't know where the filesystem in this rom is, or where to find the start of it. But here's a copy of the decrypted bios.
I don't think you're allowed to share copyrighted stuff here.
XAYRGA wrote: First, here's the XOR pad for decrypting the bios
The algorithm to decrypt the IPL is pretty well known at this point, no need for the XOR pad.

Anyway, don't waste your time, there are several disassemblies floating around the web and even an open source implementation effort even though the project is dead.
XAYRGA
Posts: 2
Joined: Fri Jul 15, 2016 12:16 pm

Re: Fully decrypted IPL -- Reverse engineering

Post by XAYRGA » Fri Jul 15, 2016 2:07 pm

Streetwalker wrote:
XAYRGA wrote: From 0x00-0x100 it has a DOL header which is corrupted (likely ignored, gekko boots at 0x100)
Nope, it's just a copyright string then it's filled up with zeros.
Looked a lot like a DOL header, but I could have confused it with that by the fact that DOL headers are 0x100, as well as Gekko booting at 0x100.
Streetwalker wrote:
XAYRGA wrote: I was exploring the file a bit when I found entries that look like gamecube FST, and sure enough it was, however I don't know where this FST starts.
Pretty sure it's just a static DOL, you can actually pack it up inside of one if you know what you're doing.
Unfamiliar with packing it into a DOL, but it would be pretty cool to do so.
Streetwalker wrote:
XAYRGA wrote: The IPL appears to setup the OS, with the main menu just being a rom that directly boots the game in the drive.
No fucking way ???
What's with the sarcasm? Personally I think it's great to know this; I didn't know that the IPL menu was in the format of a game. If this is a 'No fucking way' topic, why isn't it listed publicly and easily located?
Streetwalker wrote:
XAYRGA wrote: Within this filesystem are several files listed, there are gamecube stream format sounds
...
Other files include a stream file for the opening sequence
...
There are various unused strings within the rom as well, one referencing at a completely unreleased pokemon game!
Uninteresting data.
I don't see how it's uninteresting. I think it's pretty neat that they would use a common system as used in games in here to power the main menu, that's the coolest part, actually. It'd be neat to locate the filesystem and rip its contents. "Uninteresting" is no way to approach something.
Streetwalker wrote:
XAYRGA wrote: Right, so I don't know where the filesystem in this rom is, or where to find the start of it. But here's a copy of the decrypted bios.
I don't think you're allowed to share copyrighted stuff here.
If it's a problem, I'll remove it.
Streetwalker wrote:
XAYRGA wrote: First, here's the XOR pad for decrypting the bios
The algorithm to decrypt the IPL is pretty well known at this point, no need for the XOR pad.
It's for mere convenience.
Streetwalker wrote:
XAYRGA wrote: Anyway, don't waste your time, there are several disassemblies floating around the web and even an open source implementation effort even though the project is dead.
I've been unable to locate any disassemblies other than the open source project, I'm more interested in what the FST holds to be honest, or the IPL rom. Care to share a few?
novenary
Posts: 1754
Joined: Mon Dec 30, 2013 7:50 am

Re: Fully decrypted IPL -- Reverse engineering

Post by novenary » Fri Jul 15, 2016 3:32 pm

XAYRGA wrote: I don't see how it's uninteresting. I think it's pretty neat that they would use a common system as used in games in here to power the main menu, that's the coolest part, actually. It'd be neat to locate the filesystem and rip its contents. "Uninteresting" is no way to approach something.
It makes sense really, why would they bother doing the same work twice? The IPL is just a Dolphin SDK application like every commercial game released for the console.
XAYRGA wrote: I've been unable to locate any disassemblies other than the open source project, I'm more interested in what the FST holds to be honest, or the IPL rom. Care to share a few?
http://www.gc-forever.com/wiki/index.php?title=Bootrom
FIX94
Posts: 54
Joined: Fri Aug 05, 2011 1:55 pm

Re: Fully decrypted IPL -- Reverse engineering

Post by FIX94 » Sat Jul 16, 2016 1:27 pm

In case you didn't know, the actual code to decrypt the IPL can be found online; I do use it in Nintendont (Wii homebrew to load GC games) in fact:
https://github.com/FIX94/Nintendont/blo ... urce/ipl.c
With this I can use the IPL on a Wii and Wii U, and it's really nothing special. Basically it's compiled the same way every other GameCube game is, no special trickery; to actually start a game it just uses the game apploader and jumps to the DOL entrypoint, you can do the same with a few lines of code too. Feature-wise it's all just standard GameCube SDK stuff.
Oh yeah, and if you for whatever reason want it easily openable in something like IDA, I wrote a basic tool to convert an ipl.bin into an ipl.dol too; I had to create that tool to do some easy IPL analysis to get it all figured out for Nintendont.
https://www.mediafire.com/?v3axuameoihi5ig
47iscool
Posts: 148
Joined: Thu Mar 07, 2013 8:50 am
Location: Imladris

Re: Fully decrypted IPL -- Reverse engineering

Post by 47iscool » Mon Jul 18, 2016 2:46 am

Speaking of Nintendont, FIX94, would it be possible to add support for homebrew ISOs?
novenary
Posts: 1754
Joined: Mon Dec 30, 2013 7:50 am

Re: Fully decrypted IPL -- Reverse engineering

Post by novenary » Mon Jul 18, 2016 7:08 am

That is something very different. Nintendont and Swiss work by patching Dolphin SDK functions, the work would have to be done from scratch for libogc homebrew. It's more worthwhile to simply port the homebrew to the Wii instead.
emu_kidid
Site Admin
Posts: 4927
Joined: Mon Mar 29, 2010 10:06 am
Location: Australia

Re: Fully decrypted IPL -- Reverse engineering

Post by emu_kidid » Tue Jul 19, 2016 1:12 am

XAYRGA wrote: If it's a problem, i'll remove it.
Please do.
Sierron
Posts: 160
Joined: Mon Apr 18, 2016 11:33 pm
Location: Germany

Re: Fully decrypted IPL -- Reverse engineering

Post by Sierron » Mon Jul 25, 2016 9:33 pm

I would be kinda interested in how I can boot into the Japanese rom.
Is it possible to start the DOL with a different entry point?
Own a couple PAL and JPN cubes. And three BBAs. Homeland and PSO I/II.