(Topic ID: 242384)

Modding JJP software, changing assets and music


By clonetwin26

9 months ago

There are 53 posts in this topic. You are on page 1 of 2.
#1 9 months ago

Hi all,
New here so can't post in JJP sub forum. I have been on a quest to change the background music and assets of a JJP machine. Specifically I want the actual music from Pirates of the Caribbean. I have gotten really close to building a custom image and I am hoping someone here can finish the last step.

You can download the vanilla installer here:

http://marketing.jerseyjackpinball.com/potc/PiratesOfTheCaribbean-v00.97.iso

This can be mounted and it turns out this is a clonezilla image. The image can actually be restored via partclone:

https://serverfault.com/questions/35639/extracting-files-from-clonezilla-images

1. Mount the pirates image from the Jersey Jack website

2. Extract its contents with:
cat /media/ryan/CDROM/home/partimag/potc/sda1.ext4-ptcl-img.gz* | gzip -d -c | partclone.ntfs -r -C --restore_raw_file -s - -o pirates.img

3. Mount the new image and make changes to it:
sudo mount -o loop pirates.img piratesOS/

4. The last step is unknown to recreate the image but the hint I have at the moment is from the original jersey jack image:

cat /Volumes/CDROM/Clonezilla-Live-Version

clonezilla-live-2.4.2-61-amd64

This Clonezilla live iso file was created by this command:

ocs-iso -s --extra-boot-param quiet -y 6.03 -i 2.4.2-61-amd64

If anyone can figure out how to recreate the clonezilla image this whole category of tables can be greatly improved with new assets, music and if someone was very brave new source code.

Best of luck, would be huge if someone can work out the last part.

#2 9 months ago

Isn’t the drive encrypted?

#3 9 months ago

Not sure but you can open and restore the original image with
cat /media/ryan/CDROM/home/partimag/potc/sda1.ext4-ptcl-img.gz* | gzip -d -c | partclone.ntfs -r -C --restore_raw_file -s - -o pirates.img

#4 9 months ago

This has me very intrigued. Going to mess with this later today.

3 months later
#5 5 months ago

This is the first time I'm seeing this. Has anyone figured this out? I'll take a look when I have moment tomorrow. Shouldn't be too hard to pack the iso back up.

#6 5 months ago

Some new videoclips with Jack Sparrow would be nice - looking forward to seeing what the community will accomplish.

#7 5 months ago

The assets have been encrypted with Sentinel License Manager since an update to WOZ a few years back. However, you may be able to generate your own update ZIP file and overwrite encrypted asset files with new unencrypted ones. Last I checked there are no integrity checks when importing update ZIP files.

https://pinside.com/pinball/forum/topic/wizard-of-oz-new-code-coming-soon#post-2718492

#8 5 months ago

Game changer for Wonka if this can be done. Hell even pirates. Fingers crossed.

Well I guess code can't be updated for Wonka so maybe not game changer but would be awesome!

#9 5 months ago

Not possible. Even if you could generate your own update zip you'd have no idea what asset to replace, the format, the audio format, etc.

Quoted from delt31:

Game changer for Wonka if this can be done. Hell even pirates. Fingers crossed.
Well I guess code can't be updated for Wonka so maybe not game changer but would be awesome!

#10 5 months ago
Quoted from luvthatapex2:

Not possible. Even if you could generate your own update zip you'd have no idea what asset to replace, the format, the audio format, etc.

It’s possible with WOZ (I and others have done it). Various videos are stored in FLV format, the audio is stored in uncompressed WAV PCM format at 44100Hz. And I believe images are in PNG format. The file hierarchy should be viewable, the files themselves are just encrypted.

#11 5 months ago

I tried earlier this year but was hit with the encryption. If anyone figures it out I'd be crazy excited. I just need some original music...

#12 5 months ago

How far did you get? How did you mount the volume?

#13 5 months ago

Around 15 years ago there was a lawsuit filed against satellite companies. People were hacking the cards to get free service. The companies started pushing out their code to stop this. A Federal judge ruled that once you buy the product, it is yours and you have the freedom to do as you wish with it and the company has no right to stop you.
I suggest submitting a ticket asking for an image where ONLY the video and audio library files are not encrypted. They could easily leave the OS files encrypted and you wouldn't brick the machine. Explain what you're wanting to accomplish.
I can't see any reason why JJP couldn't do this for "developers".

#14 5 months ago

Last night I downloaded the ISO, mounted it and force extracted the install package. I don't think it's encrypted because I saw file names float through like JackSparrow.wav etc. I think this works the same way as imaging an SD card for installation on a Raspberry Pi.
I only spent like 15 minutes on it last night because it was late, but I'm going to dive in hard tonight and see where I can get.

It might be simpler than that though... the game itself is run off of a regular Motherboard with a Solid State Drive. You might just be able to just go straight to the games drive and find the files. (My machine won't be here until next week so I can't test the theory until then.)

I'll keep everyone posted.

#15 5 months ago
Quoted from javagrind888:

I tried earlier this year but was hit with the encryption. If anyone figures it out I'd be crazy excited. I just need some original music...

If you're just looking for music check this out... amazon.com link »

It is powered by the Aux USB port and hooks right into your speakers, or another 15$ speaker if you like. It's a 6$ board that Marc Chytracek
on the Facebook group "Pinball Enthusiasts" posted about. He rigged it to play sea and ship sounds through play and the theme song when the game boots up.

#16 5 months ago
Quoted from Crash:

It’s possible with WOZ (I and others have done it). Various videos are stored in FLV format, the audio is stored in uncompressed WAV PCM format at 44100Hz. And I believe images are in PNG format. The file hierarchy should be viewable, the files themselves are just encrypted.

I am VERY interested in learning how to do that on WOZ. Is there a tutorial somewhere, or any chance to get the infos on how to do that ?

I don't want to change too many things, all I want is to change the no-lyrics music, sotr typically. I really miss Judy Garland’s voice.

#17 5 months ago
Quoted from Crash:

It’s possible with WOZ (I and others have done it). Various videos are stored in FLV format, the audio is stored in uncompressed WAV PCM format at 44100Hz. And I believe images are in PNG format. The file hierarchy should be viewable, the files themselves are just encrypted.

I can confirm this. This is also true for Hobbit, and I do not believe there are encryption integrity checks.

I’ve totally forgotten how to drop to the CLI on boot up for Pirates

#18 5 months ago

Ok Folks.... it was complicated but I was able to extract out all of the data in the package. It's not encrypted, and easily modded. I'll post my process when I get a chance. Next steps are modding the files and packing the .iso back up to be installed. Modding looks like just swapping out current files with new ones.

Basically you need a linux machine to unpack all the data... and the process is complicated, but not too bad if you're familiar with this sort of thing.

Good news is I cracked it with a raspberry pi - so anyone should be able to do what I did.

I'll write up a doc this weekend and post it once I've completed the process.

JJP_install_complete (resized).png
#19 5 months ago
Quoted from Patrickkrebs:

Ok Folks.... it was complicated but I was able to extract out all of the data in the package. It's not encrypted, and easily modded. I'll post my process when I get a chance. Next steps are modding the files and packing the .iso back up to be installed. Modding looks like just swapping out current files with new ones.
Basically you need a linux machine to unpack all the data... and the process is complicated, but not too bad if you're familiar with this sort of thing.
Good news is I cracked it with a raspberry pi - so anyone should be able to do what I did.
I'll write up a doc this weekend and post it once I've completed the process.[quoted image]

KILLER! we can put some of that pirates soundtrack in the game finally..

#20 5 months ago
Quoted from Rdoyle1978:

KILLER! we can put some of that pirates soundtrack in the game finally..

And like actual voices and sound clips from the movies. I'm gonna Depp-afy the heck out of this thing.

#21 5 months ago
Quoted from adol75:

I am VERY interested in learning how to do that on WOZ. Is there a tutorial somewhere, or any chance to get the infos on how to do that ?
I don't want to change too many things, all I want is to change the no-lyrics music, sotr typically. I really miss Judy Garland’s voice.

There is no official tutorial due to the encryption, but nobody has tried this in the last few years since. Considering Patrickkrebs found JJP has reversed their decision on encryption, I will wait for his guide.

#22 5 months ago

WoZ did recently have a major update. I’ll go see what I can see.

Being able to change the software brings so much value to my machine. I wrote JJP and they said it was to protect licenses. I wrote back that I can mod the hardware and put mustaches on all the licensed characters so the excuse to encrypt comes off as that JJP just encrypts just because because because because of the wonder things he does.

Lastly, not being able to change the software played heavily into NOT buying Willy Wonka. I love working on the machines and putting my hands all over them. Changing the software takes that journey so much further.

I’ll go get the new-ish WoZ updated code. I’ll go see what I can see and will report back this weekend.

#23 5 months ago

This is huge. Awesome

#24 5 months ago

OMG....this is HUGE! I don't know Linux at all, but if you guys are able to mod out the software in this game it will make this game truly great.

#25 5 months ago

subscribed

#26 5 months ago

Ok here is where I got last night

Basically the downloaded .Iso can be mounted then all of the data sits in a spanned .gz archive.

You have to 'sudo apt install partimage' (this requires linux, couldn't find an OSX work around or a PC work around because clonezilla (which made the archive) is basically its own linux based operating system run from a thumbdrive).

You use 'cat sda1.ext4-ptcl-img.gz.a* | gzip -d -c > sda1.img' - to turn the images into a single archive.

Then run...

partclone.extfs -r -s sda1.img -o sda1-restore.img --restore_raw_file

You'll then be able to mount the sda1-restore.img and see all of the files in the file system as they would be on the pinball machine itself. All of the game assets are in a folder called jjpe or pirates (don't have my laptop with me at work right now). There are a TON of .wav .png .flv files.

That's as far as I got.... I tried transferring some of the .wav .flv and .png files over but they would not open on my Mac.

This might be where the "encryption" thing kicks in. (But I doubt it I think there is just a translation error between Linux and OSX I need to work through)

But that's currently where I'm at.
If you have questions let me know and I'd be happy to have more hands and brains on this!

#27 5 months ago
Quoted from Patrickkrebs:

That's as far as I got.... i tried transferring some of the .wav .flv and .png files over but they would not open on my Mac.
This might be where the "encryption" thing kicks in.

Unfortunately that is the Sentinel License Manager encryption. OSX can open PNG files by default. That’s as far as we can go with this. This confirms my last experience with WOZ. A known plaintext attack could work using the file headers, but the first few bytes of multiple PNG files (IE) are different. This probably means a unique private key is used for each file.

https://sentinelldk.gemalto.com/LDKdocs/SPNL/LDK_SLnP_Guide/Distributing/License_Manager/010-License_Manager-intro.htm

We really should petition JJP to open up the assets to add value to peoples’ games who want to do this. The last time I checked, CGC does not encrypt their assets. However, they may do this at the requirement of the license holders. If that’s the case, why not allow unencrypted files to replace the encrypted ones? Hobbyists don’t need to read the original files, just replace them.

On that note, please try this with Dialed In. It’s an original game and should have no real reason to use encryption of the assets.

#28 5 months ago

Damnit, I think that's where I got stuck too. I'll sign any petition on this issue, we don't have to worry about this with cheaper Sterns and we paid quite a bit more for JJ's.

We need real hackers in pinball. XD

#29 5 months ago
Quoted from Crash:

Unfortunately that is the Sentinel License Manager encryption. OSX can open PNG files by default. That’s as far as we can go with this. This confirms my last experience with WOZ. A known plaintext attack could work using the file headers, but the first few bytes of multiple PNG files (IE) are different. This probably means a unique private key is used for each file.
https://sentinelldk.gemalto.com/LDKdocs/SPNL/LDK_SLnP_Guide/Distributing/License_Manager/020-License_Manager_Type.htm
We really should petition JJP to open up the assets to add value to peoples’ games who want to do this. The last time I checked, CGC does not encrypt their assets. However, they may do this at the requirement of the license holders.
On that note, please try this with Dialed In. It’s an original game and should have no real reason to use encryption of the assets.

This is all great information Crash. Thank you. I'm going to keep cracking and updating as I go.

#30 5 months ago

Sure. You can try replacing an encrypted file with a non encrypted one and see if it works. Or, download the latest delta patch ZIP file for the game and replace one of the encrypted files. Last I checked there are no integrity checks on the contents of ZIP files.

#31 5 months ago

No kidding, I'll be checking this thread several times a day to see what you find.

#32 5 months ago

Good work guys. I'm very intrigued by this

#33 5 months ago
Quoted from Crash:

Unfortunately that is the Sentinel License Manager encryption. OSX can open PNG files by default. That’s as far as we can go with this. This confirms my last experience with WOZ. A known plaintext attack could work using the file headers, but the first few bytes of multiple PNG files (IE) are different. This probably means a unique private key is used for each file.
https://sentinelldk.gemalto.com/LDKdocs/SPNL/LDK_SLnP_Guide/Distributing/License_Manager/010-License_Manager-intro.htm
We really should petition JJP to open up the assets to add value to peoples’ games who want to do this. The last time I checked, CGC does not encrypt their assets. However, they may do this at the requirement of the license holders. If that’s the case, why not allow unencrypted files to replace the encrypted ones? Hobbyists don’t need to read the original files, just replace them.
On that note, please try this with Dialed In. It’s an original game and should have no real reason to use encryption of the assets.

Probably a license issue as all of a sudden someone's license is being represented in an inappropriate way. I could see someone putting clips from another certain Pirates series into POTC lol.

#34 5 months ago

Bad news guys.... the encryption thing was correct, none of the .png .flv or .wav files are usable.
I don't know how they're encrypted/decrypted.
Sorry for getting everyone's hopes up.

#35 5 months ago
Quoted from Patrickkrebs:

Bad news guys.... the encryption thing was correct, none of the .png .flv or .wav files are usable.
I don't know how they're encrypted/decrypted.
Sorry for getting everyone's hopes up.

You could also rebuild new versions of the underlying audio and visual playback functions by the operating system and replace assets that way. I am guessing the source code for those are open source. Once these calls are intercepted, you can catalog the signatures of the assets and map them to their replacements to be triggered on playback.

#36 5 months ago

The encryption is protecting the licensed assets. I would suggest trying to replace them instead of modifying them. Also, the machine has to be able to decrypt the licensed assets, which means the key is somewhere. Do JJP machines have a dongle in one of the USB ports? That’s an old school way of protecting a key, and making it more difficult to clone a machine. The encrypted data is passed to the fob for decryption; the key itself is never exposed.

#37 5 months ago
Quoted from andrewket:

The encryption is protecting the licensed assets. I would suggest trying to replace them instead of modifying them. Also, the machine has to be able to decrypt the licensed assets, which means the key is somewhere. Do JJP machines have a dongle in one of the USB ports? That’s an old school way of protecting a key, and making it more difficult to clone a machine. The encrypted data is passed to the fob for decryption; the key itself is never exposed.

Yep, the games have USB keys. Any way to copy the key off of it? I don't know

https://pinside.com/pinball/forum/topic/whats-the-purpose-of-the-jjp-usb-dongle

#38 5 months ago
Quoted from PinballTilt:

Yep, the games have USB keys. Any way to copy the key off of it? I don't know
https://pinside.com/pinball/forum/topic/whats-the-purpose-of-the-jjp-usb-dongle

They’re designed to make it extremely difficult. They have an anti-tamper mechanism that zeroes out the key if you try to open the fob.

One of the techniques requires the use of liquid nitrogen to freeze the fob, giving you enough time to open it and disable the anti-tamper.

The other attack vector is going after the data after it’s been decrypted. If it’s being displayed (images, etc), it’s in RAM.

#39 5 months ago

Ok, interesting stuff. I downloaded the Dialed In 1.71 delta ZIP file and started looking at the files in a hex editor.

files (resized).png

A common approach to an attack is to look for patterns and use a frequency analysis to line up common patterns in the ciphertext with patterns in a known plaintext source, and go from there. I started with a WAV file because they have predictable patterns from the oscillating waves they are reproducing. Fortunately, no compression is used, so these repeating characteristics are easy to look for in the ciphertext. Here is the ASCII section of my hex editor viewing one of the WAV files. See the oscillating pattern in the bytes?

pattern1 (resized).png

When I saw this I thought the encryption was pretty weak, since I could see a clear pattern in the encrypted data. I loaded a couple files in Audacity and can tell you right now the encryption is pretty good, and shows no patterns in the encrypted data. However, something really surprised me. See this?

ramp (resized).png

The file is only partially encrypted! This means plaintext replacement files in theory could be used to mod these games. The encrypted portion of the sound is pure white noise. The unencrypted portion is the word "ramp" at the end of the sentence "Shoot the left ramp!" followed by this string of text:

INFOISFT8...Lavf57.25.100 (libsndfile-1.0.24);Sound Forge Pro 10.0..id3 T...ID3......JTXXX...@...Software.Lavf57.25.100 (libsndfile-1.0.24);Sound Forge Pro 10.0

Neat, the files were mastered in Sound Forge Pro. As for the encryption, now I'm wondering why the file is not fully encrypted. Actually, multiple files are not fully encrypted! Check this out. I imported the encrypted music file and compared it to "Shoot the left ramp." And look, only the same amount of data is encrypted every time!

music (resized).png

So I counted how many bytes of encrypted data we have, which is 131,072 bytes (128KB). This either means the key is 128KB long and only used once (not padded/repeated), or the key is smaller than this and only padded a few times. This leads me to believe that once the security dongle is finished decrypting the 128KB chunk of ciphertext data, it simply reads the rest of the file back to the game program unaltered. The music is the JJP logo intro audio.

Next I will try decoding one of the PNG files past the initial 128KB section of the file and post what I find.

#40 5 months ago

Here is what we found out today....
Disparate facts in no necessary order:

- Dialed In is different from the movie property games.

- Pirates is literally based on WOZ - all of the .sh script code all still even says WOZ in it. The code even gives credit to the WOZ coder from 2015 and cites a new person who changed a couple of directory names as an editor later for the pirates game.

-All of the media files have an encryption method. The encryption/decryption methods and functions are embedded in the binary that is run at game time with flags after boot-up. So if certain checks are passed the boot scripts run "./game -p"

-The file "game" is a binary c compiled executable; being such I'm not proficient enough to decompile or backwards engineer the hex code to be able to see how the media files are manipulated.

-We logic'ed the media files were themselves hex code that had an algorithm run on them and then shifted. <----based on Crash's findings maybe we were wrong.

-The only way any of their .png files were viewable, was if you saved them out as plain text files and viewed them as hexadecimal code. We did not try to view the audio in an audio editor like Crash... but we will certainly try this tomorrow to confirm or deny the existence of the same kind of header he's seeing in Dialed-in.

-Before me and my buddy broke for the night we decided the full files could not be completely encrypted - because the i3 processor with 8 gigs of ram running this thing has no way of decrypting a movie file, let alone an audio file - on the fly during game play. It just didn't make sense.

Crash's data is interesting and refreshing because it proves a method within the capacity of the hardware to actually decode the files on the fly, without having to fully decode the files, it's simply having to identify the right combo of data to truncate - which would be a pretty inexpensive processing function.

Anyway.... if someone is brave enough to create a new audio file that has different audio after this mark in the audio - it looks like theoretically it should work.

Screen Shot 2019-08-30 at 1.56.23 AM (resized).png

#41 5 months ago
Quoted from Patrickkrebs:

- Dialed In is different from the movie property games.

This doesn't surprise me, as JJP would have to go to the extra cost and effort to modify their production lines to use non-encrypted PCs for Dialed In.

Quoted from Patrickkrebs:

-Before me and my buddy broke for the night we decided the full files could not be completely encrypted - because the i3 processor with 8 gigs of ram running this thing has no way of decrypting a movie file, let alone an audio file - on the fly during game play. It just didn't make sense.

The decryption is not happening in software, it is accelerated by the Sentinel HASP HL security dongle. The dongle receives the ciphertext and decrypts it in real time. Can someone with a JJP game see if their dongle is any of the below models?

https://sentinel.gemalto.com/software-monetization/sentinel-hasp-hl/

Quoted from Patrickkrebs:

it's simply having to identify the right combo of data to truncate - which would be a pretty inexpensive processing function

Not even that, really. The amount of ciphertext is always 128KB at the start of the file. I figure the reason for this is to discourage the average Joe from opening the files in an image or media player. Using data carving techniques I should be able to reconstruct any of these files after removing the first 128KB of ciphertext and injecting a good file header.

Quoted from Patrickkrebs:

Anyway.... if someone is brave enough to create a new audio file that has different audio after this mark in the audio - it looks like theoretically it should work.

It should, considering JJP is likely still not using integrity checks on the files. The way to do this would be to take a 44100Hz signed 16-bit stereo WAV file, extract the section you want with a hex editor, and simply paste in the bytes after the 131072 decimal offset. A good source of audio would be ripping a CD to WAV files.

I was thinking about how JJP can resolve the encryption issue. If the amount of data in the file to be encrypted can be adjusted in software, they can simply send out an update. But if this is a hardware limitation of the Sentinel dongles it would require a new encryption solution be implemented for future games and existing games would not be upgradeable. Furthermore, if JJP could release a software fix it would be in the form of a full game ISO since every asset file would need to be re-encrypted.
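
The partial-encryption analysis in #39 and the fixed 128 KB ciphertext figure in #41, reconstructed as an added example (my code, not anything from the thread, from JJP or from Sentinel): it builds a constructed 44100 Hz, 16-bit stereo WAV, stands in for the dongle scheme with a PRNG that overwrites only the first 131072 bytes, then uses a per-block entropy profile to locate where the ciphertext ends and to report how much of the asset is left in the clear. The prefix length, sample rate and bit depth are the thread's figures; the PRNG stand-in, the file length, the 4096-byte block size, the 7.7 bits/byte threshold and all function names are assumptions.

```python
import math
import random
import struct

# Figures quoted in the thread: a 128 KiB ciphertext prefix, 44100 Hz / 16-bit / stereo PCM.
CIPHERTEXT_PREFIX = 131072
SAMPLE_RATE, BITS, CHANNELS = 44100, 16, 2


def build_test_wav(seconds: float = 1.0, amplitude: int = 1000) -> bytes:
    """Constructed sample input: canonical 44-byte RIFF/WAVE header plus a quiet 440 Hz tone."""
    frames = int(SAMPLE_RATE * seconds)
    pcm = bytearray()
    for n in range(frames):
        v = int(amplitude * math.sin(2 * math.pi * 440 * n / SAMPLE_RATE))
        pcm += struct.pack("<hh", v, v)  # left, right
    block_align = CHANNELS * BITS // 8
    header = (b"RIFF" + struct.pack("<I", 36 + len(pcm)) + b"WAVE"
              + b"fmt " + struct.pack("<IHHIIHH", 16, 1, CHANNELS, SAMPLE_RATE,
                                      SAMPLE_RATE * block_align, block_align, BITS)
              + b"data" + struct.pack("<I", len(pcm)))
    return bytes(header + pcm)


def parse_wav_fmt(data: bytes) -> dict:
    """Read the fmt chunk of a plaintext WAV; ValueError if the RIFF header is not there
    (which is exactly what happens once the first 128 KiB has been overwritten)."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("no RIFF/WAVE header (encrypted or carved file?)")
    pos = 12
    while pos + 8 <= len(data):
        cid, size = data[pos:pos + 4], struct.unpack("<I", data[pos + 4:pos + 8])[0]
        if cid == b"fmt ":
            fmt, ch, rate, _, _, bits = struct.unpack("<HHIIHH", data[pos + 8:pos + 24])
            return {"format": fmt, "channels": ch, "rate": rate, "bits": bits}
        pos += 8 + size + (size & 1)  # chunks are word-aligned
    raise ValueError("fmt chunk not found")


def simulate_partial_encryption(plain: bytes, prefix: int = CIPHERTEXT_PREFIX,
                                seed: int = 1) -> bytes:
    """Assumed stand-in for the prefix-only scheme described in the thread: the first `prefix`
    bytes are replaced by deterministic pseudo-random bytes, the remainder is left untouched."""
    rng = random.Random(seed)
    noise = bytes(rng.getrandbits(8) for _ in range(min(prefix, len(plain))))
    return noise + plain[len(noise):]


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, well below that for PCM audio."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_ciphertext_boundary(data: bytes, block: int = 4096, threshold: float = 7.7):
    """Offset where a high-entropy leading run ends. None if the file does not start with one,
    len(data) if every block looks like ciphertext (fully encrypted file)."""
    if len(data) < block or shannon_entropy(data[:block]) < threshold:
        return None
    for off in range(block, len(data), block):
        if shannon_entropy(data[off:off + block]) < threshold:
            return off
    return len(data)


def exposure_report(data: bytes) -> dict:
    """How much of the asset the prefix-only scheme actually protects."""
    boundary = find_ciphertext_boundary(data)
    encrypted = boundary or 0
    fraction = round(1 - encrypted / len(data), 3) if data else 0.0
    return {"size": len(data), "encrypted_bytes": encrypted, "plaintext_fraction": fraction}


if __name__ == "__main__":
    clean = build_test_wav()
    print(parse_wav_fmt(clean))                       # format 1, 2 ch, 44100 Hz, 16 bit
    locked = simulate_partial_encryption(clean)
    print(exposure_report(locked))                    # boundary at 131072, ~74% in the clear
```

Run against a real asset, a boundary that sits at the same offset for every file is the signature of a fixed-length prefix scheme; a result of len(data) means the file is encrypted end to end.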

#42 5 months ago

Hmmm. Ya know, since this is nothing more than a computer with a security dongle why not install whatever flavor of linux with Gnome or KDE or whatever GUI of your choice on a hard drive and then hook the hard drive up to the JJP PC. Download the ISO, mount the image. Make your changes and then create your ISO. Save it off on your thumb drive, hook up the original SSD and then update with your ISO on the thumb drive. Just a thought.

#43 5 months ago

Last year, I changed one file on my WoZ and it bricked the whole thing. I remember seeing a checksum error.

I had cloned my solid state drive in advance. PLEASE be sure to clone your hard drive before doing anything drastic.

In these wonderful modern times of ours, a drive cloner is cheap and so is a solid state drive.

PLEASE get yourself a one touch drive cloner like this one: amazon.com link »

70B48D62-A023-4976-B02A-719FF43F0977 (resized).png
#44 5 months ago
Quoted from AckerApple:

Last year, I changed one file on my WoZ and it bricked the whole thing. I remember seeing a checksum error.
I had cloned my solid state drive in advance. PLEASE be sure to clone your hard drive before doing anything drastic.
In these wonderful modern times of ours, a drive cloner is cheap and so is a solid state drive.
PLEASE get yourself a one touch drive cloner like this one: amazon.com link »[quoted image]

I still think it's sad that JJ would do this to their customers.

#45 5 months ago

I won't be able to reconstruct any PNG or FLV files without the correct file header since I don't know things like dimensions, frame rate, etc. I will upload a WAV file of the recovered intro audio though.

#46 5 months ago
Quoted from javagrind888:

I still think it's sad that JJ would do this to their customers.

I don't think they protected their software with the intention of bricking their clients. They have to protect the assets they invested in and tampering with an encrypted system will block it.

It is not an open platform, they don't want others to use it or for it to become a component for others to use.

#47 5 months ago
Quoted from adol75:

I don't think they protected their software with the intention of bricking their clients. They have to protect the assets they invested in and tampering with an encrypted system will block it.
It is not an open platform, they don't want others to use it or for it to become a component for others to use.

Agreed. It’s completely understandable why they do this. I also doubt they will care if customers modify their machines, as long as it is for personal use and no financial gain.

#48 5 months ago
Quoted from Crash:

I won't be able to reconstruct any PNG or FLV files without the correct file header since I don't know things like dimensions, frame rate, etc. I will upload a WAV file of the recovered intro audio though.

We've been testing different headers for the pngs.

One interesting thing we found is the PNGs look intact except they have their header and footer information stripped out.
There is also code in the boot scripts that assembles the manual, and it does so by adding this information into some PNGs and then by turning the bundle into a PDF.

That's why I'd be interested to see what the files on the physical drive look like.

#49 5 months ago

Here is a picture of the dongle..

20190525_143600 (resized).jpg