
bar top video game cabinets. Actually, just out of curiosity, I want to know how many of you know what that is. Awesome, awesome. I guess you probably wouldn't be here otherwise. Favorite game: Erotic Photo Hunt, everyone? Yeah, okay, good.

So just a little background about me. I'm an offensive security consultant by day. I work as a contractor now; my favorite things to work on there are probably net pen and physical penetration tests. My last job was with Accuvant Labs, but now I'm indie, so if you want to hire me, let me know. In my spare time I love to hack hardware; I find it very fun and rewarding to learn about how these things work under the hood. Last year I did a presentation at Black Hat about the BLEKey, which is a device that my co-creator and I created to interface Bluetooth Low Energy with Wiegand, which is the access control protocol used to let people into most commercial buildings and office spaces nowadays. Basically, with that device you can use your cell phone to open doors and get the data needed to clone cards. I mention that because that's also a technology from the Apollo moon landing era, and these Megatouch bar top units are not that old. I will switch out my mic one second. Okay, can you hear me? Okay, great.

But they are from around 1997. I found that I really like hacking on this kind of stuff because it's a lot simpler than the technology today, less complex. The core concepts are the same, so it's pretty easy to understand and then apply to technologies that are in use today. So this is what my desk looks like most of the time, and I feature this photo because the Saleae logic probe there, which is this guy, obviously, it's right there, and the Bus Pirate are used prominently in this work.

So one night I was at the bar with a friend playing some Photo Hunt, and the machine had to be rebooted, and I saw this screen, which I was really excited about. Everyone knows that's Linux, right? Right away. So at the time those units were still widely in bars and I couldn't afford one, but fast forward a couple of years, to a couple of months ago, and I'm trolling Kijiji, and the rest is history. I have two of them in my basement now. The one I got running was a DOS-based one, but functionally it's very similar; they just at one point decided to use Linux, because they realized that DOS was probably going to go the way of the dodo.

So I found the best way for me to get engaged with the project, if you're getting into hardware hacking (is anyone new to it, or never done it? Cool), is to find something like this that you know and love, and you'll care about it when you play with it; it's more rewarding. So for those that haven't seen it, this is a typical screen of the video game once it boots up. You can choose your game, and there's probably a hundred different games or so on the device.

So as I said, I'm into cheesy games. I once had a cat-themed birthday party. I grew up in the 80s, and my first PC was a Commodore 64, my first game system a Sega Master System, and my favorite game of all time is Galaga. So I'm a bit fascinated with the 8-bit stuff; not that that's what this is, but anything that's generally obsolete gives me a little bit of nostalgia. So I didn't really think this would be a good talk when I started, because I was like, this is just something I'm interested in. But then I got going along and, realizing what I was doing, I thought, hey, this would be kind of cool to describe to someone that really wants to get into hardware hacking, because it's, as I said, really accessible stuff that can help you understand the basics.

So I'm going to go over today basic poking and prodding of the Megatouch hardware, in which we'll find the custom ISA I/O card that they designed, or had designed for them. And then there's a hardware key inside each Megatouch: when a new version of the software came out, they would send it out with this hardware key, and you needed that to make the software run. So that's going to be part of what we're talking about, of course, because I wanted to copy those keys, essentially, because the systems are no longer supported, but I'll get into that later. From there, for those keys, we go into protocol sniffing with the logic analyzer that I showed you, and then looking at the stream of bytes from the protocol and reversing that to find the password that we need to copy the keys. And then we do some development of custom Python code for interfacing with the Bus Pirate that I mentioned, which is a universal serial device; what kind of universal? It's kind of like a Swiss Army knife, for dumping the keys and potentially then writing them to new keys if we wanted to do that.

And this all seemed appropriate because this is Vegas, kind of the land of cheesy games. So I was doing some research for this and I came up with this quote: "an arcade-like game cabinet for sad, lonely men who don't have iPhones." And this guy goes on to say the good news is Megatouch went out of business in January; the bad news is that doesn't mean they cease to exist. So this guy's a comedian; I think he's tongue-in-cheek with this stuff. But I looked him up: he was born in 2005. He spent two years in the bars without an iPhone, which means he was drunk, because those are the first two years you spend really drunk in bars, and the rest of the time... so he doesn't understand what the novelty of this was. And I certainly do, because I was way too scared to approach women in bars, so I hid behind these screens playing these stupid games. Anyway, he goes on again and says the machines offer a bizarre mix of smartphone game rip-offs, which I don't understand, because these were created way before smartphones, and bizarrely outdated, laggy interfaces. Which, great, of course they are, because they're from '97.

So about two years ago Merit's bar top business ceased production, putting these cabinets firmly in the class of antiquated video games. And I looked it up; it's called abandonware. They just kind of said, hey, we're not supporting it anymore, do what you will, but you're on your own. So that's what really piqued my interest here. I should clarify: what I'm doing here is an effort to preserve these games, not to skirt copyright law. There's a provision that was actually added to the DMCA a little while ago, you probably heard of it, for online games that required a license server to run, and they made a provision for preservationists to allow circumventing those measures. I think this is kind of in the same vein; at least I hope there's no one in here that thinks otherwise.

So when I first got the game, of course I went right into the... there's a little button on the inside of the unit that allows you to go into the menu, because I've never seen that before, and there were some pretty funky, funny features in there, but that's not what we're looking at today; I just thought I'd show you that. Here's the inside of the unit. It turns out it's just a big 150-pound computer, maybe more; I didn't actually weigh it, but I carried it up the stairs from where I bought it and I almost killed myself. As you can see, it's pretty thick, heavy-gauge metal. Most of the space is taken up by the old CRT, so be careful if you try to probe around these things: high voltage in those old CRTs. But the rest of it is a run-of-the-mill Pentium, along with the proprietary ISA card that I mentioned that handles the I/O, and there's some funky connectors and stuff like this Centronics connector, I believe that's what it's called, that was used for updates, to plug into a CD-ROM easier. And the iMac came out a year after this, which makes this thing look pretty funny if you think about that.

So, smoking is bad. I learned this was in a bar for like 10 years and it stank really badly, so I had to give it a good cleaning. I had some acetone lying around from when I thought I was going to etch PCBs on my own, and it came in handy for cleaning the crap from the contacts, from the edge connectors and stuff on this unit.

So this is really the centerpiece of the only custom hardware in the whole Megatouch unit, and it's pretty simple, actually. How did I figure out this was the I/O card? Well, first the internet told me, because I googled it, but then I also took a closer look myself at the components on the board to see what they were. So this guy right here is a PC Card connector, and I wasn't sure what it was at the time, but you can very clearly see the Cirrus Logic badge on it, and the etching on the chip. So pretty simple: just google, and there we go, we have the data sheet. It's usually the first hit when you're googling things like that; if not, maybe go on to the second line. These parts are very commonly used; they're not going to invent their own parts, so chances are it's on the internet already, and pretty easy to understand given its age. So next I found a Sound Blaster on board by doing the same thing, and next to it a little amplifier, because the speaker was built in, so they didn't want to have an external amp, so they put an amp on board as well. Cool, we're getting through this board pretty quickly.

I was confused by this one at first, because I didn't know where all this was going. I thought maybe it was an expansion, but this is actually just an ISA bus debug from the old Pentium days, and I found out about that by turning the board right over, and you can see all the traces go to the PCB edge connector, which is just common sense from there. The board looks like it was probably used in all of their machines; these guys do more than just bar top gaming. There's so many unpopulated headers and whatnot on this board that could have been used for all kinds of things.

Okay, and this is the iButton key, the focus of most of this research, and what was required, as I said, to make each version of the software work. So the keys are somewhat broken already. I should mention that one of my kind of heroes, Joe Grand, did a talk on them at, I believe it was, DEF CON or Black Hat a long time ago, and Joe found a password-guessing, a dictionary attack, against these things. Because when you supply... I should mention, actually, first: they have encrypted information on them, and when you supply them with a password they're supposed to spit out the encrypted information. If the password's not correct, they send out random data. The thing is, the data is not random; it's calculated with a mathematical equation, so you can know the output based on the input. So you can basically tell if it's the wrong password or not using one guess. But I wasn't really interested in doing that, because there's like a trillion possible combinations; the only feasible attack against that is kind of a dictionary attack, and if it's not a dictionary word, you're out of luck. So let's move on.

What else can we do with it? Well, we look up the data sheet again, and we see that it uses the 1-Wire protocol. So they have a secure ROM for their key, but a completely clear-text protocol communicating with the ROM. I'm not quite sure why they used the secure ROM, but they did. So, cool, it stores 1,152 bits of data in three separate storage areas; they're called subkeys. The secure memory cannot be deciphered without the matching 64-bit password; passwords can be different for each area. There's also a 512-bit scratchpad, which is stored in the clear on this ROM and accessible without any key, and the IDs of each of the subkeys (they can give them names) are also accessible. So we need a lot of that information when we're doing the duplication, so I figured I'd mention it. There's only two contacts to hook up one of these guys, and I'll pull it out right now because I have it here, bottom of my bag.
Sorry about that. So it's pretty simple; you've probably seen these things before. They're used for other purposes as well, but yeah, two contacts, parasitically powered, which means that there's ground, and power and data on the same line. So when we boot up, we see some information about the key. The Megatouch I bought had intermittent problems reading the key even after I cleaned it with the acetone. It boots; sometimes it says the key is fine, and other times it just goes in a continual loop, which is one of the reasons why I wanted to do this work, because we need to preserve these things. Whether that's arguable, I think we need to preserve these things.

So the lifespan of this iButton, or DS1991, was reported to be over 10 years. So right now this one's 20 years old and it's still working, which is pretty cool. But if we want these things to remain around, working, we probably either need to hack the software, which is kind of complex and messy because there's so many versions, or just come up with a way to circumvent this key. So as you see, there's even still a market on eBay for these things; lots of them end up being about 30 bucks Canadian shipped. And hopefully the aim that I wanted to do here was build a repository of them, so if you legitimately have one of these things and your machine is broken, you can just go and download it and write it to a new iButton and you're good to go.

So this is how I started with sniffing this bus, and right here, here's the iButton. I just jammed a jumper cable in between both contacts, and then I used... is anyone familiar with logic analyzers? Cool, okay. So I use Saleae, which is a really cool little device, 100 bucks, and it'll decipher all kinds of protocols. What it does is it will plot voltage over time in ones and zeros, because it's not analog, so it doesn't have a curve, but as you can see up there, that's what we have. And if you tell it this line is I2C or SPI or 1-Wire, it will try to decipher based on the data that it's got on that line. So I want to show you actually the logic capture now. So this is the... oh, and I need to turn this off. All right, awesome. So this is what it looks like, and I believe it's the long pulses, where it's a high signal, that's a one, as it turns out to be. There's eight bits here, and each one of these turns out to be a one, and the short pulses here, the mostly lows, are zero. So then you have like five ones and two zeros there that make up the hex over there, and I'm cut off, but anyway, as you can see we have a ton of data from that I read when I turned on the device here. It's not super useful in this format, but we've properly decoded it now and we can save it and do whatever. Cool thing is we can export it to Excel, which is what I did next. So let me get back to... if you have any questions, feel free to jump in while I'm doing this here, please. Cool.

Okay, so on the other side that was cut off, what you didn't see, there's also a display of commands, because there are built-in commands in the language that are standard, so it'll say, oh, this is a Read ROM command, which it knows. But the proprietary commands of the 1991 we had to figure out ourselves, so again we have to go back to the data sheet. And that's what a lot of this hardware hacking stuff is, I found: it's just pretty common sense. Go to the internet, read the data sheet a lot, read that issue again because it's confusing, and so on, and repeat.
So here's the memory map. I said it has three regions in the DS1991. Obviously there's a password, ID, and unsecured data; they call that the scratch. This data sheet is actually quite easy to read; it's a pleasure. Most of them kind of suck, and for the more modern technologies they're really difficult to understand. I'm not an engineer, so I have to lean on my friends who are. This is a walk in the park by comparison. So what now? We have a visual representation, we know we want to dump those areas, we have the data. Now let's get familiar with the command set, because we need to know that in order to decipher the data. So they've provided a really detailed flowchart for how to use this thing, and let's look at the first example Megatouch does in the command capture that I took. If you were paying close attention when I showed you the logic dump, you saw that the first real command that was sent to the iButton from the machine was hex 33, which is up there, 33h; that's what that means. There's a master and a slave: the Megatouch acts as the master, this little guy acts as the slave. So the master sends the Read ROM command, the DS1991 sends the family code back and then six bytes for the serial number, and then it sends a CRC.

Okay, so I wanted to go through the Excel, first of all to make sure that things were sane, that I got a good data capture, and that I understood this properly, and it turns out I actually did. So here on the left you see the data sheet; on the right you can see my Excel that I was just marking up. So we've got a TX, transmit from the master, and then we've got the RX. So we know the serial number, we know that the family code is correct, and they probably do this on the Megatouch side because they want to make sure that things are sane on the bus, and they want to see that you're using a ROM with the correct serial number.

So what's next? We know the columns are captured correctly. Well, we have to get familiar with more of the commands, and commands are pretty easy to understand, actually. So if you wanted to read the scratchpad, you send 69 in hex, and then you send the start address: so if you want to start at the beginning of the scratchpad you send zero; if you want to start one bit in, you send zero one. Right? Pretty cool. And then the one's complement of that guy, which is the opposite binary of the zeros and ones. Okay, so at this point we know roughly what the command structure is, so I wanted to show you the 1-Wire, the actual analysis. Excuse me, I've got to switch back again to my spreadsheet.
Awesome. Okay, so we've got a bunch of... this is the whole dump of the communications. So we've got a bunch of random reset conditions at the beginning, because you're just powering on, and then sure enough we see the Read ROM; it reads the family, and then it goes and reads the scratchpad. So it's checking the iButton to make sure that the data on the scratchpad is as expected. So we can see the address here, the one's complement, the read, and then it just sends back a bunch of zeros because there's nothing on this scratchpad. So, okay, great, go down. All right, now here's where it gets more interesting: they're starting to read the encrypted memory now, and we've deciphered it, because now we know the Read Subkey command is 66. They start with the first subkey, do the one's complement, and then the slave, the iButton, sends back the subkey's ID, which is actually the software version, and then we get the password in the clear. Pretty cool. So that's the password right there that we need to read the whole thing; we just sniffed it right off the bus. And then obviously now we have key data, which is there. And then it goes on; it reads the second one, and surprise, surprise, they reused the same password, and the second ID is the date published, '99. And then it goes and it reads the third one, and again we use the same password, and we have some clear-text data that was on this boot-up screen: Canadian version 2. So we're in Canada. All right, so now that we understand the protocol and we have the actual password, we can do some fun things.
Awesome. So I have all this information and I'm like, where do I go next? I obviously can't do this with Excel every time, and you can't send this out to the world and make it easy for people with Excel. So I have a ton of tools around my house: got an Arduino, got a Bus Pirate. What do I use? So, the Bus Pirate. I googled it, "bus pirate ibutton," and of course the first image that comes up, someone's already done this for me. Awesome. So it's really easy to wire up; here it is on my breadboard, and it's only two wires. So the Bus Pirate, getting into it a little bit more: it's a Swiss Army knife for talking to things via serial protocols, and you'll find in any hardware hacking you do, you're going to use this a lot. Everything speaks... most chips probably speak SPI, which is Serial Peripheral Interface, or I2C nowadays, but 1-Wire is used for temperature sensors and stuff like that as well. On their website they call it an open source hacker multi-tool that talks to electronic stuff. You can do a lot of cool things with it: if you're into CPLDs, complex logic, you can program those; you can shift data out to a shift register and light up a bunch of LEDs, or whatever you want to do.
So here's a movie. I actually didn't want to do live demos and tempt the demo gods, so this is just a movie of the Bus Pirate in action, reading the scratchpad and then writing to the scratchpad, because I wanted to make sure, okay, does communication actually work in the real world now that I have all these passwords and stuff. So it's first in disconnected mode, that's what Hi-Z means, then you switch the mode over to 1-Wire, and so it's ready, and it's got a bunch of sub-commands in the 1-Wire mode. So we want to give power to the iButton, so we tell it, give it five volts, and all these commands are documented as well; you can check them out on the website. Pull-up resistors, because this device is parasitically powered and we only want to use two cables to hook it up. And we turn the power on, and we look at the saved shortcut commands in the Bus Pirate, and one of them happens to be search for a ROM. So I issue the search-for-a-ROM command, and sure enough it finds it on the bus. Cool. And after that we want to read the scratchpad. So if you notice in the Excel, you always have to reset the bus before reading, so that curly brace resets the bus. Then we tell it there's only one device on the bus, so "I'm talking to you": that's that Skip ROM command. Then we give the actual hex 69, start address, one's complement, and then read back 64 bytes. So I had another iButton in there that I wrote DEADBEEF to, so that's cool, it's working. And then just to prove that it's working, we can write some more data to the scratchpad, so I'll write a little bit more here: just change the command to 96, and we change the start address that we want to write to, to the end of the DEADBEEF, and then we put in the data, which is BADF00D.
Everything looks okay, but we go recheck, and sure enough it's written properly. All right, we're making real progress now, and, well, in my mind anyway, I'm really excited by this time because everything's working. I'm able to communicate with these iButtons, I know the password. Cool. So the next step is to make it even easier: we put the Bus Pirate into bitbang mode, and then we can write a Python script, and instead of doing all of this by typing in commands we can make it reproducible. Use pySerial, and there's all these commands here: you want to do a search macro, you send these bytes; you want to send data, you send these bytes preceded by the number of bytes of data you want to send, and so on and so forth. So it makes it a lot easier.

All right, so I also wrote a Python script to dump the key, and this is the key; it's megadump, and this will actually automatically dump the key. This password is stored in the script now, so you don't have to actually type it in, but there's an option to add your own password. It turns out that the passwords are different for each version of the actual Megatouch, so that presents a complication that we'll talk about later. But we have all the correct data here, and if you looked at the spreadsheet, you know that CAN version 2 is in there, and this is not random data that it's sending back to us. So we've essentially owned their iButton at this point.

So, future. At this point, as I said, it's thoroughly owned. We can make copies of them; we can back them up, so the bits required to run these games don't go away forever. And I prefer this method, the hardware method, rather than editing or hacking the software, so you skip the test, because, like I said, there's so many versions of the software out there that it would get messy after a while. But there is one problem, and that is, apparently, the Megatouch units check the iButton serial number to make sure that it's in the right range, and then it won't work if it's not in the right range, because Merit, the company, bought like, I don't know, a million iButtons at once for themselves, and they said if it's not within this range... You could probably patch that in software too, but again, getting messy. So I didn't bother implementing the write function, because once I talked to people and learned about this, I'm like, well, it's not really worth it to write this. But it would be pretty simple to just implement those extra commands in there, and when I say simple, I mean there's only probably three bytes of commands that it would take to rewrite this to the actual iButton. Also, these things are out of production now; that poses another problem. So it would be easier, probably, to just emulate them, because 1-Wire is a really well known protocol, and as you saw, there's only a few bytes in a command, so you just have to teach whatever you're using to emulate it those few commands, respond to reset. Any library that's available will have the 1-Wire protocol stuff in there already, like presence condition and all of that, so you just have to emulate the actual extra proprietary stuff that's in there. So Arduino actually has a 1-Wire slave library. So what I thought was, all right, we'll get a Teensy LC, 10 bucks, or maybe an Adafruit HUZZAH, which is based on the 8266 little micro, that's a two-dollar wireless micro, and you can maybe even upload buttons wirelessly; that would be pretty cool. Or just by USB, even; that would still be okay. And then you're good to go; you can upload new keys. Maybe you could put in a web monitor for the 1-Wire bus to debug, in case in later versions of the software they changed how things worked, and I know they did; when they got to the 2005 versions they used a different iButton completely, so that would take a little bit more time to implement. But also you could easily add to this a sniffer function, where if you just flick a switch on the board, hook it up in between the probes like I did, it would just copy the current key. Then you can take the key out, switch it back into the other mode, and it's got its personality there; that's what it's going to emulate: clone mode, so to speak.

So I didn't get to this point yet, because all this other stuff took up a lot of my time, and I also have a real job, and my wife would be mad if I didn't get paid. So I'm moving there, but all of the software you saw is on my GitHub already, so you can take a look at what I did. I am going to do this, because I've actually had a few aficionados reach out to me and say this is cool stuff; my Megatouches were broken; I always thought that, you know, they said that there's no way to copy these things, they're encrypted.
And it's like, okay, well, let's fix that. So I did do a little bit of work on the software side too, because of course when you're doing this hardware stuff it's really hard to work in isolation, because these things interact really closely, so sometimes you need to answer questions about what the heck's going on. And for that my buddy Jer here helped me out a little bit on the software side. I'm not so hot with IDA, so I got him to load it up and take a look at stuff. But what I did do, I can use grep, that's for sure, and I looked for the key inside of all of the Megatouch files, and there were like 2,000 references to the key in clear text on the hard drive. So that's pretty cool. I was like, why are they putting the key in there? And the actual payload, the encrypted stuff, was in the DLLs as well. So we found this: that function there calls fudge security. So it's Linux-based, but there are games... so there's two versions: there's DOS, and that's the one we were playing with, and then they moved over to Linux, '99, maybe 2000, at some point. So we were looking at the DOS stuff, because that's the box I had, and the hardware is kind of flaky and I didn't want to screw around with trying to update it, and it all takes a lot of time. So yeah, we found this, and we realized, I think they didn't want to go back and do a key read, or they didn't know what key it was, so they stored the key for when they're storing, I think, high scores on this guy, and so they just fake security then. So in this particular version you could pretty easily circumvent the copy protection by just reading the key out of the files, but that's changed in later versions; they don't fudge security in every file, I don't think. But that was kind of funny, and I want to do some more research into the software side, as I said, but I just haven't got there yet.

So that's all I have for today on hacking the Megatouch. I want to thank all of you for your attention and for coming. The stuff is on GitHub; my GitHub is there, but it's under heavy construction. If you have any questions, file a ticket or whatever and we'll chat about it. I'll put the iButton cloning stuff up there too when I'm done. Happy hacking, everyone.

Does anyone have any questions? All right, thanks very much.
Thanks for the talk. With your own device that you'd bought, did you have a look at any sort of hardware bypasses for the coin mechanism, so you don't have to constantly drop in coins on your own machine?

I didn't play around with any; I think it was broke, actually. So yeah, I was really hoping they had a bill collector on it, so I could take a look at the bill collectors too and how that thing worked, but I haven't got there yet.

Yep, but at least the later firmware have a setting for free play in the menu, so no hacking required.

Yeah, so you know them pretty well, eh? Yeah, nice. Anything else? All right, thanks again, everyone. It was a blast.
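The decoding the talk does by hand in a spreadsheet (Read ROM, then read scratchpad, then Read Subkey with the password going past in the clear), written out as an added Python example. This is not the speaker's code, not the megadump script on their GitHub, and not anything from the Megatouch software. It walks a capture of master/slave bytes, recognises the DS1991 framing the talk describes (command byte, start address, one's complement of the address, then payload), checks the 1-Wire CRC on the ROM, and pulls the subkey ID and password out of each Read Subkey exchange; it also handles the Skip ROM and write-scratchpad commands from the Bus Pirate session, and flags a bad address complement or a ROM whose CRC does not check, which is what you want to see first when the reader in a flaky unit is the thing under suspicion. The command bytes are from the talk and the DS1991 data sheet. The capture produced by sample_capture() is constructed, the password and subkey IDs in it are made up, the ROM in it is the worked example from Maxim's 1-Wire CRC application note, and the "top two address bits select the subkey" rule is an assumption about the address byte layout.

```python
"""
Decoder for a sniffed DS1991 iButton 1-Wire exchange, framed the way the talk
describes: reset, ROM command, then <command> <address> <one's complement> and
the payload. Added example, not the speaker's code or the Megatouch software;
command bytes are from the talk and the DS1991 data sheet, sample_capture() is made up.
"""
from __future__ import annotations
from dataclasses import dataclass, field

READ_ROM, SKIP_ROM = 0x33, 0xCC                                    # standard 1-Wire ROM commands
READ_SCRATCHPAD, WRITE_SCRATCHPAD, READ_SUBKEY = 0x69, 0x96, 0x66  # DS1991 function commands
FUNCTION_NAMES = {READ_SCRATCHPAD: "READ_SCRATCHPAD", WRITE_SCRATCHPAD: "WRITE_SCRATCHPAD", READ_SUBKEY: "READ_SUBKEY"}


def crc8_dallas(data: bytes) -> int:
    """Dallas/Maxim 1-Wire CRC-8 (x^8 + x^5 + x^4 + 1, LSB first), the CRC on the ROM."""
    crc = 0
    for b in data:
        for _ in range(8):
            mix = (crc ^ b) & 1
            crc >>= 1
            if mix:
                crc ^= 0x8C
            b >>= 1
    return crc


@dataclass
class Frame:
    command: str
    address: int | None = None
    rom: bytes = b""
    subkey: int | None = None
    subkey_id: bytes = b""
    password: bytes = b""  # the master sends it in the clear; this is what the sniff recovers
    data: bytes = b""
    notes: list[str] = field(default_factory=list)


def decode_capture(events: list[tuple]) -> list[Frame]:
    """events: ('RESET',), ('TX', byte) master -> iButton, ('RX', byte) iButton -> master."""
    frames: list[Frame] = []
    i = 0

    def take(direction: str | None, count: int | None = None) -> bytes:
        # Consume consecutive bytes in one direction (any if None) up to the next reset, at most `count`.
        nonlocal i
        out = bytearray()
        while (i < len(events) and events[i][0] != "RESET"
               and (direction is None or events[i][0] == direction)
               and (count is None or len(out) < count)):
            out.append(events[i][1])
            i += 1
        return bytes(out)

    while i < len(events):
        if events[i][0] != "TX":             # resets, and slave bytes with no command before them
            i += 1
            continue
        cmd = take("TX", 1)[0]
        if cmd == READ_ROM:
            rom = take("RX", 8)              # family code, 6-byte serial number, CRC
            f = Frame("READ_ROM", rom=rom)
            f.notes.append("crc ok" if len(rom) == 8 and crc8_dallas(rom[:7]) == rom[7] else "crc mismatch")
        elif cmd == SKIP_ROM:
            f = Frame("SKIP_ROM")
        elif cmd in FUNCTION_NAMES:
            f = Frame(FUNCTION_NAMES[cmd])
            addr = take("TX", 2)
            if len(addr) != 2 or addr[1] != addr[0] ^ 0xFF:
                f.notes.append("address/complement mismatch; rest of transaction skipped")
                take(None)
            else:
                f.address = addr[0]
                if cmd == READ_SUBKEY:
                    f.subkey = f.address >> 6  # assumption: top two address bits select the subkey
                    f.subkey_id = take("RX", 8)        # 64-bit subkey ID
                    f.password = take("TX", 8)         # 64-bit password, master -> iButton
                    f.data = take("RX")                # secure data follows
                else:
                    f.data = take("RX" if cmd == READ_SCRATCHPAD else "TX")
        else:
            f = Frame(f"UNKNOWN_{cmd:02X}", notes=["not a ROM or DS1991 command; transaction skipped"])
            take(None)
        frames.append(f)
    return frames


def sniffed_passwords(frames: list[Frame]) -> dict[int, bytes]:
    """Subkey number -> password, read straight off the bus; no guessing involved."""
    return {f.subkey: f.password for f in frames if f.command == "READ_SUBKEY" and f.password}


def sample_capture() -> list[tuple]:
    """Constructed capture in the order the talk describes: Read ROM, read scratchpad, Read Subkey x2."""
    rom = bytes.fromhex("021CB801000000A2")  # Maxim's worked CRC-8 example; 0x02 is the DS1991 family code
    password = b"EXAMPLE!"                   # made up; the real one is version specific
    ev = [("RESET",), ("TX", READ_ROM)] + [("RX", b) for b in rom]
    ev += [("RESET",), ("TX", SKIP_ROM), ("TX", READ_SCRATCHPAD), ("TX", 0x00), ("TX", 0xFF)]
    ev += [("RX", 0x00)] * 8                 # empty scratchpad, as in the talk
    for subkey, ident in ((0, b"VER 1.0 "), (1, b"1999-01 ")):   # IDs are made up
        addr = subkey << 6
        ev += [("RESET",), ("TX", SKIP_ROM), ("TX", READ_SUBKEY), ("TX", addr), ("TX", addr ^ 0xFF)]
        ev += [("RX", b) for b in ident] + [("TX", b) for b in password]
        ev += [("RX", (subkey * 48 + k) & 0xFF) for k in range(48)]   # 48 bytes of secure data
    return ev
```

Feed decode_capture() the TX/RX columns exported from the analyzer and sniffed_passwords() gives the per-subkey passwords without any of the dictionary guessing the talk mentions; the same walk works for a Bus Pirate session, since the Skip ROM, 0x69 and 0x96 commands are framed identically.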