Monthly Archives: December 2006

AACS “Cracked”, Finally

Several people have pointed me to the news that claims of cracking AACS (the content protection system protecting both Blu-Ray and HD-DVD discs) have been leveled. Here is a doom9 thread on the matter. My first reaction was, “What took so long?” Conceptually, it should have been pretty straightforward to understand the entire system and recover secret keys since technical documents on the matter are quite openly available. I always considered that rather odd since a large part of DRM’s efficacy hinges on obscurity.

Good news, nonetheless, if it’s accurate.

V.Disc Analysis

I finally got around to prying open that V.Flash V.Disc cartridge. All it required was a screwdriver acting as a chisel, a hammer, and a blood sacrifice (technical veterans will recognize that last item as a mainstay of computer repair methodology). I have to give VTech proper credit for the strength of the cartridges. Sega could have learned something from VTech when they manufactured their flimsy, oversized Sega CD and Sega Saturn jewel cases. Anyway, it is confirmed: The V.Disc is a simple CD-ROM.

V.Flash V-Disc, separated from cartridge

The particular title I have, The Amazing Spider-Man: Countdown To Doom, contains around 313 MB of data. The largest directories on the disc are labeled kw01/, kw02/, and kw03/. They contain combinations of files bearing the extensions .mjp, .ptx, and .snd. I strongly suspect that these are Motion JPEG, raw picture, and pure audio files, respectively. Various other directories on the disc also contain .mjp files with ‘cutscene’ in the filenames.

The .mjp files begin with a MIAV signature and draw influence from the AVI format in that media chunks are denoted variously by ‘00dc’, ‘01wb’, and ‘02wb’ FourCCs. The chunk format is FourCC – chunk number within stream – chunk length – payload. The 00dc chunks contain what resemble JPEG chunks. But something seems off about them. My first clue is a FourCC ‘FJFI’. Then it comes into focus: it’s byteswapped JPEG data (the usual signature here is ‘JFIF’). In fact, the first chunk begins with the bytes 0xD8 0xFF 0xE0 0xFF, byteswapped from the standard marker bytes 0xFF 0xD8 0xFF 0xE0. The 01wb and 02wb streams, I would guess, represent 2 separate audio tracks. Perhaps this disc can be played in 2 different languages? Or perhaps there is a director’s commentary track? I think I like my first hypothesis better. I didn’t see anything on the box or cartridge to indicate that the game has more than one language. But it could be that the same media is marketed in a different region with different printed materials. If that were true, it would indicate that the game could query the region of the V.Flash to know which language it should present to the player.
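The chunk layout and byteswapped JPEG data described above, as an added Python sketch that is not code from the original post. The field widths (32-bit little-endian chunk number and length), the assumption that chunks start immediately after the 4-byte signature, and the sample bytes are all constructed for illustration; the length field is bounds-checked because it comes from the file.

```python
import struct

KNOWN_FOURCCS = {b"00dc", b"01wb", b"02wb"}  # FourCCs named in the post

def swap16(buf: bytes) -> bytes:
    """Swap every pair of bytes; an odd trailing byte stays in place."""
    out = bytearray(buf)
    even = len(out) & ~1
    out[0:even:2], out[1:even:2] = out[1:even:2], out[0:even:2]
    return bytes(out)

def parse_chunks(data: bytes, offset: int = 4):
    """Walk FourCC / chunk number / chunk length / payload records.
    Assumed layout: two u32 little-endian fields, chunks start at `offset`."""
    if data[:4] != b"MIAV":
        raise ValueError("missing MIAV signature")
    chunks = []
    while offset < len(data):
        if len(data) - offset < 12:
            raise ValueError(f"truncated chunk header at offset {offset}")
        fourcc = data[offset:offset + 4]
        number, length = struct.unpack_from("<II", data, offset + 4)
        if fourcc not in KNOWN_FOURCCS:
            raise ValueError(f"unknown FourCC {fourcc!r} at offset {offset}")
        start = offset + 12
        if length > len(data) - start:  # never trust the stored length
            raise ValueError(f"chunk at offset {offset} overruns the file")
        chunks.append((fourcc.decode("ascii"), number, data[start:start + length]))
        offset = start + length
    return chunks

def video_frames(data: bytes):
    """Return 00dc payloads with the byteswap undone (normal JPEG byte order)."""
    return [swap16(p) for fourcc, _, p in parse_chunks(data) if fourcc == "00dc"]

def _chunk(fourcc: bytes, number: int, payload: bytes) -> bytes:
    return fourcc + struct.pack("<II", number, len(payload)) + payload

# Constructed sample: one byteswapped JPEG header plus two silent audio chunks.
JPEG_START = bytes([0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10]) + b"JFIF"
SAMPLE = (b"MIAV" + _chunk(b"00dc", 0, swap16(JPEG_START))
          + _chunk(b"01wb", 0, bytes(8)) + _chunk(b"02wb", 0, bytes(8)))

if __name__ == "__main__":
    for fourcc, number, payload in parse_chunks(SAMPLE):
        print(fourcc, number, len(payload), payload[:10].hex())
    print(video_frames(SAMPLE)[0].hex())
```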

I am not sure what format the audio data takes. It could be low-volume, 16-bit, little endian PCM (mono or stereo), it could be 8-bit stereo PCM that’s dominant only on one channel, or it could be some other unusual encoding. The .snd files might provide a little more insight. The .snd files turn out to be straight-up WAV files.

The .ptx files are all 262188 bytes, which is (44 + 2^18) bytes, so I suspect that these files have a 44-byte header followed by 2^18 bytes of raw image data. The first byte in the file is 0x2C = 44, so that’s a good validation sign. I’m trying to decide what the dimensions and color resolution could possibly be. The square root of 2^18 = 2^9 = 512. A 512×512 image would not make sense for a television screen. But that would assume 8-bit palettized data anyway. However, if the data was 15- or 16-bit RGB, then the image might be 512×256 which is plausible. The header encodes the number 480, which is a common image height, but does not divide evenly into 2^18. Plus, there is no sane parameter encoded in the area around 480 to indicate height, so I have to assume that 480 is a coincidence. Hey, Robert and Reynaldo: is that RGB recovery utility ready yet?

For program code, the disc contains a file called 0system/boot.bin. I think Ian Farquhar called it when he speculated that the V.Flash uses an ARM processor. Running ‘strings’ on this binary reveals “MORE v4.0 SDK ARM9T version”. The binary format itself I am unfamiliar with, but it is a chunked FourCC format that contains such FourCCs as ‘BOOT’, ‘REL\0’, and ‘DBG\0’. A clue regarding the toolchain, however: “GNU AS 2.13”. The string “OggSRIFFdV” also shows up.

Update: Here are some samples of the .mjp and .ptx files (the .snd files are just straight PCM WAV files).

Mini Book Review: Who Is Fourier?

This is, hands-down, the most interesting math book I have ever read:

Who Is Fourier?

Over the course of 13 chapters, the book manages to progress from “1 + 1 = 2” (in fact, you can read that particular page through Amazon’s “Look Inside” facility) through fundamentals of calculus differentiation and integration (without ever using the word ‘calculus’, at least, not that I noticed), and eventually teaches the reader how to perform a fast Fourier transform (FFT) by hand on paper. All of this is done using fairly small words, humorous illustrations, and curious storytelling. Since the FFT is so widely used in audio and video compression technology, consider this book if you don’t quite understand how the transform operates. And refer to it again every time your knowledge lapses and you forget how the transform works.

The book is published by an entity known as the Transnational College of Lex. I realized from their Amazon listing that they also have books teaching about DNA and quantum mechanics. If I had interest in either of those areas, I imagine these would be fantastic books for getting started on the subjects.