(Topic ID: 127117)

Now cracked: Stern's SPIKE package tool


By misentropy

5 years ago



Topic Stats

  • 95 posts
  • 37 Pinsiders participating
  • Latest reply 2 years ago by shimoda
  • Topic is favorited by 19 Pinsiders

Topic Gallery

There have been 3 images uploaded to this topic.

Spike2.png
Spike1.png
RGB565test.jpg

There are 95 posts in this topic. You are on page 2 of 2.
#51 5 years ago

Nothing wrong with guessing. I'm just pointing out that it doesn't seem like he tested it in the way he thinks he did, because the result seems odd, so it may be too early to discount that possibility.

#52 5 years ago

I can give you a colour image, but even just looking at the raw data it's obvious that there's more to it than just straight pixel data. For example, if you look at WWE_SHATTERLOGO_FPS20.spv, you'd expect to see a lot of repeated data as the background is mostly black, but the bytes in the file just look like random data. Also, looking at adjacent frames on some of the animations, you'd expect them to be very similar byte patterns (as regions of the image haven't changed at all), which isn't the case.

#53 5 years ago

Have you been able to put together two color images from back to back frames yet, or just random frames?

With this weekend being memorial day, maybe I'll get a chance to poke around too.

#54 5 years ago
Quoted from Wolfmarsh:

Have you gotten any kind of usable frame data yet where you can actually make out an object?

The only file I've managed to 'decode' would be the blank one, which obviously just comes out as a 320x240 black rectangle.

#55 5 years ago

Where can I get some of the spv files? (Apologies if you linked them earlier)

#56 5 years ago
Quoted from ecurtz:

These frames are 320x240? Are they for the little LCD screen? If so they might be RGB 565 data.

I tried decoding as RGB 565 and get a colored static. I'm going to try 555 and some other schemes next.

RGB565test.jpg

#57 5 years ago

I tried a bunch of single bits and never got anything approaching an image, so I'm convinced by the not a raw format argument at this point.

#58 5 years ago

This is cool stuff, I'm excited to see where this goes.

Quoted from Wolfmarsh:

With this weekend being memorial day, maybe I'll get a chance to poke around too.

My wife will NOT love this idea, but I can think of no better way to spend my weekend than with a few Double IPAs, some RE tools and a hex editor.

-Wes

#59 5 years ago

It's going to have to be some kind of simple 'encryption', as there isn't a whole lot of CPU time left over for the decryption to occur. This is why I started looking more closely at the extra bits to see if I couldn't figure it out.

I'm getting to the point where it's probably going to be easier to just disasm the game file and work it out from there.

#60 5 years ago
Quoted from RobT:

Agreed!
I would not own either TWD or Mustang if it wasn't for pinball browser. True story.

And I would not have bought my favorite Stern to date in Metallica Prem if not for the pin browser!

#61 5 years ago
Quoted from Sonny_Jim:

I'm getting to the point where it's probably going to be easier to just disasm the game file and work it out from there.

That was going to be my next step this weekend.

I've tried pulling it out as 5-6-5, 1-5-5-5, 5-5-5-1, and some others. The pixel data doesn't make sense.

Is there any kind of hardware based video processing on the spike board? Like an H.264 decoder or something?

#62 5 years ago

There are 8 "standard" RGB schemes that fit in 2 bytes, I've only tested 3 or 4 of them.

http://linuxtv.org/downloads/v4l-dvb-apis/packed-rgb.html

I'll be testing all 8 and posting my results in a day or so.

#63 5 years ago
Quoted from Sonny_Jim:

You'd think that, wouldn't you? But this is what you get when you try decoding the data as an RGB stream:
http://i.imgur.com/rzYaEGG.png

Look, a sailboat!

#64 5 years ago
Quoted from judremy:

Look, a sailboat!

Do we need to put on our 3-D Glasses now?

#65 5 years ago

Here's another anomaly;

Byte 8 of the extra bytes is always the same as byte 48 of the 1st frame data (minus the header).

So taking WWELOGO_FPS.spv as the example, at offset 0x4B (inside the first frame data) you'll find 18, looking at the extra bytes at 0x2581C you'll see:
0F 29 25 10 E7 E3 11 18

This is true for all the files I've tested so far. So to reiterate;

byte 4 of the extra frame data is the same as the 4th byte of the frame
byte 8 of the extra frame data is the same as the 48th byte of the frame

This is interesting as I have hunch that it's some kind of simple XOR and the data in that frame should be black at least for the first few rows, judging by the videos on youtube.
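The posts above lean on two tells that raw pixel data should show and these files do not (a mostly-black frame should be full of repeated bytes, and adjacent frames should be near-identical), on a handful of 16-bit packings to try, and on a file layout that can be read off the quoted offsets (0x2581C is 28 + 320*240*2, and 0x4B is 28 + 47, i.e. a 28-byte header, 153600 pixel bytes per frame, then the "extra bytes"). The Python below is an added example, not code from the thread or from Pinball Browser: it walks a file under that inferred layout (the layout and the 8-byte trailer length are assumptions for this example, not a documented format), decodes a frame in the candidate packings, measures the two tells, and checks the trailer-byte coincidence described in the post. The input it runs on is a constructed two-frame sample, once as plain RGB565 and once XORed with a pseudo-random stream standing in for whatever scrambling the real files use.

```python
import math
import random
import struct

# Layout inferred from the offsets quoted above (0x2581C = 28 + 320*240*2 and
# 0x4B = 28 + 47): an assumption for this example, not a documented format.
WIDTH, HEIGHT = 320, 240
HEADER_LEN = 28
PIXEL_BYTES = WIDTH * HEIGHT * 2
TRAILER_LEN = 8                      # the "extra bytes" after each frame (assumed)
RECORD_LEN = PIXEL_BYTES + TRAILER_LEN


def split_frames(data: bytes):
    """Return (header, [(pixel_bytes, trailer_bytes), ...]) under the assumed layout."""
    header, body = data[:HEADER_LEN], data[HEADER_LEN:]
    if len(body) % RECORD_LEN:
        raise ValueError("file length does not fit the assumed frame layout")
    frames = [(body[o:o + PIXEL_BYTES], body[o + PIXEL_BYTES:o + RECORD_LEN])
              for o in range(0, len(body), RECORD_LEN)]
    return header, frames


# Two-byte packings tried in the thread, each expanded to 8-bit (r, g, b).
PACKINGS = {
    "rgb565":   lambda w: (((w >> 11) & 0x1F) << 3, ((w >> 5) & 0x3F) << 2, (w & 0x1F) << 3),
    "xrgb1555": lambda w: (((w >> 10) & 0x1F) << 3, ((w >> 5) & 0x1F) << 3, (w & 0x1F) << 3),
    "rgbx5551": lambda w: (((w >> 11) & 0x1F) << 3, ((w >> 6) & 0x1F) << 3, ((w >> 1) & 0x1F) << 3),
}


def decode(pixels: bytes, packing="rgb565", little_endian=True):
    """Decode one frame to rows of (r, g, b); byte order is a second unknown worth trying."""
    words = struct.unpack(("<" if little_endian else ">") + f"{WIDTH * HEIGHT}H", pixels)
    to_rgb = PACKINGS[packing]
    return [[to_rgb(words[y * WIDTH + x]) for x in range(WIDTH)] for y in range(HEIGHT)]


def byte_entropy(buf: bytes) -> float:
    """Shannon entropy in bits/byte: raw video sits far below 8, cipher output near 8."""
    n = len(buf)
    counts = [buf.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identical_byte_ratio(a: bytes, b: bytes) -> float:
    """Fraction of byte positions that match between two adjacent frames."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


def trailer_coincidence(pixels: bytes, trailer: bytes) -> bool:
    """The pattern reported for WWELOGO_FPS.spv: trailer byte 4 == frame byte 4
    and trailer byte 8 == frame byte 48 (both 1-based)."""
    return trailer[3] == pixels[3] and trailer[7] == pixels[47]


def analyze(data: bytes) -> dict:
    _, frames = split_frames(data)
    return {
        "entropy": [round(byte_entropy(px), 2) for px, _ in frames],
        "adjacent_similarity": [round(identical_byte_ratio(frames[i][0], frames[i + 1][0]), 4)
                                for i in range(len(frames) - 1)],
        "trailer_coincidence": [trailer_coincidence(px, tr) for px, tr in frames],
    }


# --- constructed sample input (not a real .spv) -------------------------------
def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def constructed_frame(x0: int) -> bytes:
    """Black 320x240 RGB565 frame with a 40x20 red box whose left edge is at x0."""
    px = bytearray(PIXEL_BYTES)
    red = struct.pack("<H", 0xF800)
    for y in range(100, 120):
        for x in range(x0, x0 + 40):
            px[(y * WIDTH + x) * 2:(y * WIDTH + x) * 2 + 2] = red
    return bytes(px)


def build_sample(scrambled: bool, seed: int = 1) -> bytes:
    """Two frames of a moving box; with scrambled=True each frame is XORed with a
    different pseudo-random stream, standing in for an unknown stream cipher."""
    rng = random.Random(seed)
    out = bytearray(b"SPV" + bytes(HEADER_LEN - 3))        # dummy header
    for x0 in (0, 4):
        px = constructed_frame(x0)
        if scrambled:
            px = bytes(a ^ b for a, b in zip(px, rand_bytes(rng, PIXEL_BYTES)))
        out += px + rand_bytes(rng, TRAILER_LEN)
    return bytes(out)


if __name__ == "__main__":
    print("raw:      ", analyze(build_sample(scrambled=False)))
    print("scrambled:", analyze(build_sample(scrambled=True)))
```

On the raw sample the entropy is a fraction of a bit per byte and over 99% of bytes are identical between the two frames; on the scrambled sample the entropy is close to 8 and the match rate drops to roughly 1/256, which is the "looks like random data" observation made numeric. To run it on a real file, read the file and call analyze on its bytes; if split_frames rejects the length, the assumed header or trailer size is wrong.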

#66 5 years ago
Quoted from Sonny_Jim:

This is interesting as I have hunch that it's some kind of simple XOR and the data in that frame should be black at least for the first few rows, judging by the videos on youtube.

Does anyone have a WrestleMania LE that can take a good video of the WWE Logo on the LCD screen?

I need some kind of reference to see what the video looks like so I can at least try to figure out if there are any hints I can go after, like two pixels that are the same color next to each other. I have yet to find something like that. I'm wanting to see the video so I can at least see the corners and maybe get lucky that there's black pixels in a corner or something.

Bonus points if you take a video in slow mo mode on your phone so I can see the individual frames in the LCD video better.

#67 5 years ago
Quoted from Wolfmarsh:

Does anyone have a WrestleMania LE that can take a good video of the WWE Logo on the LCD screen?
I need some kind of reference to see what the video looks like so I can at least try to figure out if there are any hints I can go after, like two pixels that are the same color next to each other. I have yet to find something like that. I'm wanting to see the video so I can at least see the corners and maybe get lucky that there's black pixels in a corner or something.
Bonus points if you take a video in slow mo mode on your phone so I can see the individual frames in the LCD video better.

Would the Pin Browser app help any?

#68 5 years ago
Quoted from Coyote:

Would the Pin Browser app help any?

No, it doesn't currently support Spike games, which WWE is.

#69 5 years ago
Quoted from Aurich:

No, it doesn't currently support Spike games, which WWE is.

Ah okay, sorry.

#70 5 years ago
Quoted from Coyote:

Would the Pin Browser app help any?

Like Aurich said, this is new territory. The SPV video file is what Sonny_Jim, myself, and others are messing with.

When we figure out the format, that knowledge could be used to add the functionality to pinball browser to convert videos to SPV files, letting you replace them on the games.

#71 5 years ago

Start the video at 26 seconds... apparently I am not nerdy enough to know how to do that.

I am glad somebody works on this stuff... it's way beyond my understanding.

#72 5 years ago
Quoted from Aurich:

No, it doesn't currently support Spike games, which WWE is.

Work in progress
Spike1.png
Spike2.png

#73 5 years ago
Quoted from oga83:

Work in progress
Spike1.png
Spike2.png

That didn't take long.

#74 5 years ago
Quoted from oga83:

Work in progress
Spike1.png
Spike2.png

Hey oga, did you find anything that might help with the SPV files?

I'm going to step through the game code assembly this weekend but was hoping for a quick win with it. I've tested all of the eight RGB 2-byte schemes I can think of, but it's possible they came up with their own.

#75 5 years ago

Hmm, I hope I'm wrong, but it looks like they are using RC4 with a hardware based key

If I had access to the hardware, it would be fairly trivial to extract the key. Another possibility is cracking the key based on the fact that RC4 is fairly weak and I know that the output of some of the frames is going to be black (ie known plaintext).

I guess part of the licensing agreement specified that the supplied videos had to be protected by DRM or something.

http://i.imgur.com/Z9bI3rg.png
http://i.imgur.com/NeAjJnr.png

EDIT: Although it might be that the key is autogenerated based on the CPU serial and MAC address?
http://i.imgur.com/fHI3oFh.png

#76 5 years ago
Quoted from Wolfmarsh:

Hey oga, did you find anything that might help with the SPV files?

Not yet, I've been focused on dmd frames and sounds until now.
I've just seen that the video tables are in the code, and that the code is written in the same style as the one used for DMD animations in the SAM firmware. The code also makes intensive use of AES encryption with information stored in EEPROM.

#77 5 years ago
Quoted from Wolfmarsh:

Hey oga, did you find anything that might help with the SPV files?

I've also spent some time writing some code that reads/writes the files from the .spk (I did not run the spk command and did not want to patch it because I need PB to read/write in it automatically).

#78 5 years ago

I wouldn't say it "makes intensive use" of AES encryption. It only reads the AES key twice, once during the bus init and once when setting up a video for the video player.

#79 5 years ago

Need access to the machine to read the key.
With OFB, if we know the beginning of a frame for sure, we can reverse the key.

#80 5 years ago

Who the hell downvoted your post lol?

Quoted from oga83:

With OFB, if we know the beginning of a frame for sure, we can reverse the key.

Should be pretty easy, a lot of the videos have rows of black at the top of the frames.

BTW there's also k_spv_initialization_vector:

05 94 A5 38 40 EB 8C 65 CC A9 FE 65 94 79 85 DF
AF E7 A6 55 E8 2C CA 87 66 71 BB 9E 9D 06 4D 86
3B 36 0B 2D 90 1D C8 86 CE 45 83 8F C3 9F DD 4E
34 36 09 E7 4F B7 99 F0 84 47 D7 7B 5B 00 60 52
00 00 00 00 00 00 00 00 00 00 00 00

Oh and super lols:

void sys_random_init(void)
{
rand_seed = 69696969;
}

#81 5 years ago
Quoted from Sonny_Jim:

Who the hell downvoted your post lol?

Pinballerchef. Don't know what I did wrong. First time I've been downvoted

#82 5 years ago

Also, FWIW I'm almost positive the last 8 bytes per frame are a SHA1 checksum based on an HMAC key that's been truncated to 8 bytes, so that clears that up for me.

#83 5 years ago
Quoted from oga83:

Pinballerchef. Don't know what I did wrong. First time I've been downvoted

I just tested (with an upvote though): all it takes is a misclick (no confirmation asked or something), so I wouldn't worry about it

#84 5 years ago
Quoted from Sonny_Jim:

Oh and super lols:
void sys_random_init(void)
{
rand_seed = 69696969;
}

Spike is NSA-tainted

#85 5 years ago

Can anyone post a WWE video starting or ending with black frames?

[EDIT]

Quoted from Sonny_Jim:

Also, FWIW I'm almost positive the last 8 bytes per frame are a SHA1 checksum based on an HMAC key that's been truncated to 8 bytes, so that clears that up for me.

The video frames are RC4-encrypted and SHA1-signed.
The RC4 key is modified for each frame (to remove a well-known RC4 weakness).
The RC4 initial key is stored in EEPROM.
Brute force on the RC4, even with well-known video frames, is not realistic.
Which means that the content of an EEPROM is needed to display the original videos.

Anyway, what would be the point of displaying these videos on a PC?

More interesting: there is a workaround to replace the existing videos, without knowing the keys...

#86 5 years ago

Am I reading this right, or does the RC4 key form part of the AES key?
memcpy(rc4_key_addr, &aes_out + offset, keylen);

Lol, that's 128bits of a 192bit key found then.

Quoted from oga83:

Can anyone post a WWE video starting or ending with black frames?

If you look on Youtube, there's a few videos of it being played. I think TAG_TEAM and WWE_LOGO both have a few rows of black pixels for most of the frames.
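Posts #82, #85 and #86 above describe the per-frame protection as RC4 with a key that is modified for every frame, an HMAC-SHA1 tag truncated to 8 bytes, and rows of black pixels that serve as known plaintext. The Python below is an added illustration, not Stern's code or Pinball Browser's: it models that construction with stand-in keys (the real RC4 key and the AES material it is taken from sit in EEPROM), an assumed HMAC-over-frame-index key derivation (the thread only says the key is "modified for each frame", not how), and a tag computed over the ciphertext (also an assumption), then shows what the known plaintext actually buys an attacker: the keystream for the known region, which carries over to other frames only when the keystream is reused. That reuse is the well-known RC4 weakness the per-frame key change closes; known plaintext never yields the key itself, which is why the posts conclude the EEPROM contents are needed. The frames are constructed 320x8-pixel RGB565 stand-ins so the example runs in a fraction of a second.

```python
import hashlib
import hmac

ROW_BYTES = 320 * 2          # one RGB565 row of the 320-wide LCD
KNOWN_BLACK_ROWS = 4         # rows assumed black, i.e. known plaintext 0x0000


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA). Included only to reproduce the attack; RC4 is broken."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def frame_key(base_key: bytes, index: int, per_frame: bool) -> bytes:
    """Assumed per-frame derivation (HMAC over the frame index); the thread does not
    say how Stern modifies the key, so this is this example's choice, not theirs."""
    if not per_frame:
        return base_key
    return hmac.new(base_key, index.to_bytes(4, "little"), hashlib.sha1).digest()[:16]


def seal_frame(base_key, mac_key, index, pixels, per_frame=True) -> bytes:
    """RC4-encrypt one frame and append an HMAC-SHA1 tag truncated to 8 bytes."""
    ct = xor(pixels, rc4_keystream(frame_key(base_key, index, per_frame), len(pixels)))
    return ct + hmac.new(mac_key, ct, hashlib.sha1).digest()[:8]


def open_frame(base_key, mac_key, index, record, per_frame=True) -> bytes:
    """Verify the truncated tag in constant time, then decrypt."""
    ct, tag = record[:-8], record[-8:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha1).digest()[:8]):
        raise ValueError("frame tag mismatch")
    return xor(ct, rc4_keystream(frame_key(base_key, index, per_frame), len(ct)))


def keystream_from_black_rows(record: bytes) -> bytes:
    """Known-plaintext step: black rows are 0x00 bytes, so ciphertext == keystream there."""
    return record[:ROW_BYTES * KNOWN_BLACK_ROWS]


def constructed_frame(fill_word: int, rows: int = 8) -> bytes:
    """Constructed frame: KNOWN_BLACK_ROWS black rows, then rows of one RGB565 colour."""
    return (b"\x00" * (ROW_BYTES * KNOWN_BLACK_ROWS)
            + fill_word.to_bytes(2, "little") * (320 * (rows - KNOWN_BLACK_ROWS)))


def keystream_reuse_demo(per_frame: bool) -> dict:
    """Does keystream learned from frame 0's black rows carry over to frame 1?"""
    base_key = bytes(range(16))          # stand-in; the real key sits in EEPROM
    mac_key = b"hmac-key-stand-in"
    f0, f1 = constructed_frame(0xF800), constructed_frame(0x07E0)   # red rows, green rows
    r0 = seal_frame(base_key, mac_key, 0, f0, per_frame)
    r1 = seal_frame(base_key, mac_key, 1, f1, per_frame)
    ks = keystream_from_black_rows(r0)
    n = len(ks)
    return {
        # frame 0's keystream strips frame 1's black rows only if the keystream repeats
        "prefix_decrypts_next_frame": xor(r1[:n], ks) == b"\x00" * n,
        # with a repeated keystream, ct0 XOR ct1 leaks pt0 XOR pt1 where nothing is known
        "ct_xor_leaks_pt_xor": xor(r0[n:n + ROW_BYTES], r1[n:n + ROW_BYTES])
                               == xor(f0[n:n + ROW_BYTES], f1[n:n + ROW_BYTES]),
    }


if __name__ == "__main__":
    print("fixed key:    ", keystream_reuse_demo(per_frame=False))
    print("per-frame key:", keystream_reuse_demo(per_frame=True))
```

With a fixed key both checks come back True: the black rows of any frame hand over the shared keystream, and XORing two ciphertexts cancels it even in regions where neither plaintext is known. With the per-frame key both come back False, and the attacker is left with a 128-bit key search, which is the "not realistic" conclusion above. The 8-byte tag is what stops a file with spliced-in frames from being accepted as genuine; it is why the replacement route discussed next avoids the encrypted path rather than forging frames under it.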

#87 5 years ago
Quoted from oga83:

More interesting : there is a workaround to replace the existing videos, without knowing the keys...

Ohhhh, do share. Are you subbing in pixel data in the file and somehow modifying the header bits to indicate that it's not encrypted using that key? Are you just bypassing the key check by using a modified game binary?

#88 5 years ago
Quoted from Wolfmarsh:

Are you just bypassing the key check by using a modified game binary?

That's what my money is on, but without even modifying the binary. Remember what I said to you about the BLANK_FRAME.spv? Whether that would screw video_player_get_vblanks_per_frame is another thing though.

#89 5 years ago
Quoted from Wolfmarsh:

Are you subbing in pixel data in the file and somehow modifying the header bits to indicate that it's not encrypted using that key? Are you just bypassing the key check by using a modified game binary?

The code can process spv without encryption. No need to modify the binary.

#90 5 years ago
Quoted from oga83:

The code can process spv without encryption. No need to modify the binary.

Did you uncover what RGB byte format they use?

#91 5 years ago
Quoted from oga83:

The code can process spv without encryption. No need to modify the binary.

Are you sure? Because it looks to me that it'll only play single frame files unless the binary is modified.

1 week later
#92 5 years ago
Quoted from Sonny_Jim:

Are you sure? Because it looks to me that it'll only play single frame files unless the binary is modified.

Yes, no need to modify the code, it can work without encryption.
See this post (and the previous ones):
https://pinside.com/pinball/forum/topic/acdc-display-and-modify-dot-matrix-images/page/35#post-2500445

#93 5 years ago
Quoted from oga83:

Yes, no need to modify the code, it can work without encryption.
See this post (and the previous ones):
https://pinside.com/pinball/forum/topic/acdc-display-and-modify-dot-matrix-images/page/35#post-2500445

Sweet! Well done guys.

#94 5 years ago
Quoted from Wolfmarsh:

Did you uncover what RGB byte format they use?

Yes, rgb565

2 years later
#95 2 years ago

I'm aware this is an old thread but I was wondering how to read dmd animations and images from the SPK file. By this I mean, how are locations in the file determined (using a hex editor) and how are they 'coded' or how they could be reconstructed (locations of pixel values, intensity, etc.). I know OGA has obviously got this figured out as the functionality to read these is in PB but I wanted to find a way to extract them manually or through means I can interpret them.
