Cubase Audio Dongle Clone

Somewhere to chat about MIDI music creation, sequencers and related hardware

Moderators: Mug UK, lotek_style, Moderator Team

User avatar
matt
Captain Atari
Captain Atari
Posts: 311
Joined: Tue Jan 04, 2005 5:11 pm
Location: Cornwall, UK
Contact:

Re: Cubase Audio Dongle Clone

Postby matt » Sun Feb 07, 2016 1:45 am

I have a dongle I'm willing to donate. But it's in storage so I won't get to it for a couple of months.
Atari 1040STE 4MB, TOS 2.06 patched, C-LAB Notator SL 3.21, Cubeat 2, EIZO FlexScan L565 17", Supera Color HD video converter

User avatar
exxos
Hardware Guru
Hardware Guru
Posts: 4933
Joined: Fri Mar 28, 2003 8:36 pm
Location: England
Contact:

Re: Cubase Audio Dongle Clone

Postby exxos » Sun Feb 07, 2016 11:37 am

I'm sure I saw a floppy the other day saying "cubase cracked" ?!
4MB STFM 1.44 FD- VELOCE+ 020 STE - Falcon 030 CT60 - Atari 2600 - Atari 7800 - Gigafile - SD Floppy Emulator - PeST - various clutter

http://www.exxoshost.co.uk/atari/ All my hardware guides - mods - games - STOS
http://www.exxoshost.co.uk/atari/last/storenew/ - All my hardware mods for sale - Please help support by making a purchase.
http://ataristeven.exxoshost.co.uk/Steem.htm Latest Steem Emulator

Dal
Administrator
Administrator
Posts: 4079
Joined: Tue Jan 18, 2011 12:31 am
Location: Cheltenham, UK
Contact:

Re: Cubase Audio Dongle Clone

Postby Dal » Sun Feb 07, 2016 11:49 am

I think most Cubase users would prefer to use an un-cracked version for stability reasons. The whole premise of this thread was to look into whether the hardware dongle could somehow be 100% replicated or preserved.
TT030: 4MB/16MB + Crazy Dots, Mega"SST" 12, MegaSTE, STE: Desktopper case, IDE interface, UltraSatan (8GB + 512Mb) + HXC floppy emulator. Plus some STE's/STFM's

dbsys
Captain Atari
Captain Atari
Posts: 280
Joined: Fri Aug 31, 2012 6:11 am
Location: Germany

Re: Cubase Audio Dongle Clone

Postby dbsys » Thu Feb 11, 2016 8:49 am

Dal wrote:I think most Cubase users would prefer to use an un-cracked version for stability reasons. The whole premise of this thread was to look into whether the hardware dongle could somehow be 100% replicated or preserved.


Well said, Dal. I agree.

User avatar
edingacic
Atari maniac
Atari maniac
Posts: 76
Joined: Mon Sep 07, 2015 5:16 pm
Location: Austria
Contact:

Re: Cubase Audio Dongle Clone

Postby edingacic » Sun Jul 31, 2016 1:03 pm

so what is the status now can we clone it?

User avatar
AmigoMexicano
Atarian
Atarian
Posts: 6
Joined: Fri Sep 02, 2016 6:41 pm
Location: Mexico City
Contact:

Re: Cubase Audio Dongle Clone

Postby AmigoMexicano » Fri Sep 02, 2016 9:18 pm

I also wanna know the status on this, I hope there are good news!
--
From Mexico City... AmigoMexicano!
Atari 2600 || 5200 || Flashback 2 || Lynx || Lynx II || Jaguar CD || Portfolio || 600XL || 800XL || 65XE || XE Game System || 520 STfm || 1040 STe || Satandisk

Malekko
Atari User
Atari User
Posts: 31
Joined: Sun Oct 30, 2016 6:28 pm

Re: Cubase Audio Dongle Clone

Postby Malekko » Wed Nov 16, 2016 4:48 am

If this project ever gets completed i have an SMT facility in Portland Oregon i can run PCBs and assemble them!

User avatar
edingacic
Atari maniac
Atari maniac
Posts: 76
Joined: Mon Sep 07, 2015 5:16 pm
Location: Austria
Contact:

Re: Cubase Audio Dongle Clone

Postby edingacic » Thu Oct 26, 2017 1:17 am

I think this project might be dead ?

User avatar
crashman
Captain Atari
Captain Atari
Posts: 160
Joined: Sat May 29, 2010 2:23 am
Location: Vilanova i la Geltrú - Barcelona
Contact:

Re: Cubase Audio Dongle Clone

Postby crashman » Fri Oct 27, 2017 6:53 am

Hi,

I've just received a logic analyzer and I'm preparing some cart extender to get the signals from within the cart and the ST.
I know my timings, so it would be long, but I'll try to work on it.
No promises here, not false expectations.I'm just a guy trying to look at it.
I'll post here as soon as I start.

Regards.
260ST, 520ST, 520ST+, 520STFM, 1040STE, 4160STE, STACY 2, MEGA ST2, MEGA ST4, MEGA STE, TT030, FALCON030, FALCON030 with Centurbo 2rB, Firebee
SH204, Megafile 30, Megafile 60, Megafile 44
SM124, SM125, SM146, SC1224, SC1435
Satandisk, Ultrasatan, HxC SD, Hxc SD Slim, NetUSBee, CosmosEX, Gotek HxC, MicroCosmos
2600VCS, LYNX, LYNX II, JAGUAR

User avatar
CodeKiller
Atari User
Atari User
Posts: 30
Joined: Mon Jan 12, 2015 6:48 pm

Re: Cubase Audio Dongle Clone

Postby CodeKiller » Fri Oct 27, 2017 7:52 am

Logic analyzer won't help you as the combination logic designed to take too long to brute-force it.

As i said earlier, a non-invasive method would be the side-channel attack (monitoring the power consumption with arbitrary pattern)
Decapping would be even better but requires more tools and destroys the device under test.

beel1
Retro freak
Retro freak
Posts: 16
Joined: Sat Oct 31, 2015 10:53 pm

Re: Cubase Audio Dongle Clone

Postby beel1 » Fri Oct 27, 2017 11:32 pm

You're right, it won't help to clone the PAL but it might help to mimic its behaviour.
Assuming the schematic is this one:
1. The PAL is clocked by the UDS signal, which toggles even if there is no activity on the cartridge port, inputing address bus data to the PAL
2. The PAL outputs will be enabled only during cartridge port readings (ROM Select 3 signal)

Because of 2., a logic analyzer between the ST and the cartridge won't capture the outputs at every UDS cycles, missing a lot of information to help guessing the PAL configuration (I doubt it would be possible with a PAL that big anyway).
But what I found during my experiments with Synthworks dongle almost 2 years ago is that because of 1., the software has to be very specific to access to the dongle using always the same pattern:
- mask all interrupts
- switch a small dongle access routine code with the data at the begining of the RAM (the interrupt vectors table)
- call the routine at the beginning of the RAM with a parameter giving the number of iterations. There are different routines with different initial data
- at each iteration the cartridge port is read but the value is discarded (only the last one is kept) and the address is increased (or decreased, depending on the routine used). There may be up to 64 iterations.
- switch back the dongle access routine code with the data at the begining of the RAM (restoring the interrupts vectors table)
- unmask the interrupts
- use the last value read from the dongle in the protection routine

So I made a software in Omikron inlining those routines' code that writes the last dongle value to disk for each parameter values, making tables.
Then I was able to mimic the dongle in a modified Steem that includes those tables (and writes to trace.txt all accesses to the cartridge port with the number of CPU cycles between them). By using Synthworks under Steem, I can check the trace to see if there are accesses to the dongle that are not covered by the tables.

My goal wasn't to make a clone of the dongle but to run Synthworks in emulator, but maybe the tables can be embbeded in a MCU or programable logic in a cartridge which behaviour would be the same as the original dongle. This wouldn't be an exact copy of the dongle but could be enough to use the protected software.

havok1919
Atarian
Atarian
Posts: 3
Joined: Wed Jun 05, 2013 6:53 am

Re: Cubase Audio Dongle Clone

Postby havok1919 » Sat Nov 04, 2017 10:52 pm

beel1 wrote:You're right, it won't help to clone the PAL but it might help to mimic its behaviour.
Assuming the schematic is this one:
1. The PAL is clocked by the UDS signal, which toggles even if there is no activity on the cartridge port, inputing address bus data to the PAL
2. The PAL outputs will be enabled only during cartridge port readings (ROM Select 3 signal)


Did you create that wiring diagram based off an actual dongle? I'm curious if the part was actually a 10L8? An 'L' series PAL has no internal registers (hence no internal state) and it purely combinatorial-- they're rather easily brute-forced. If it was a 10R8 that'd have (up to) eight registers (one per output cell). Again though, the 10x8 series was pretty old/early tech and I don't know for sure that it even had the ability to do a 'buried' register (that the internal state couldn't be observed).

Newer parts like the 22V10 or early CPLD's had buried node capabilities though.

Still, all this stuff was done in the late 80's/early 90's and the protection wasn't expecting people to have access to incredibly deep (and fast) logic analyzers and ICE, so I suspect it's all pretty vulnerable to just stimulus/observation of results to come up with an equivalent.

beel1
Retro freak
Retro freak
Posts: 16
Joined: Sat Oct 31, 2015 10:53 pm

Re: Cubase Audio Dongle Clone

Postby beel1 » Sun Nov 05, 2017 8:35 am

havok1919 wrote:Did you create that wiring diagram based off an actual dongle? I'm curious if the part was actually a 10L8?

This is a schematic I found in the forum, not mine: viewtopic.php?p=111369#p111369
The wiring is the same as a dongle I found on the internet: http://www.nightfallcrew.com/19/08/2011 ... -hardware/
(this one: http://www.nightfallcrew.com/wp-content ... G_9830.jpg ) but the chip is a ST's GAL16V8

Unfortunately I cannot open my dongle without totally breaking it...

havok1919
Atarian
Atarian
Posts: 3
Joined: Wed Jun 05, 2013 6:53 am

Re: Cubase Audio Dongle Clone

Postby havok1919 » Sun Nov 05, 2017 9:50 am

Ah, makes sense. Thanks. I'm still just brooding over these dongles. I'm going to have to find/buy some to poke at. As MasterOfGizmo mentioned, it's probably just an LFSR with the data line XOR'ing something in along the way and if the (earlier?) dongles were implemented in 22V10's or 16V8's then there's at most 10 or 8 registers. Along those lines, I don't *think* that you can have a registered macrocell in a 22V10 that's buried (not connected to a pin)-- if that's the case, then the internal state of the registers should be probe-able. (That would seem to be a pretty big vulnerability, so I may be wrong about that, but it might also explain why they'd go to a gate array instead since I can't imagine they were worried about a couple of dollars for the GALs given how much they seemed to spend on everything else...)

Some 22V10 PAL/GALs are also vulnerable to external attack allowing the fuse array to be read, so since the pictures earlier in this thread showed a variety of different manufacturers it's possible that we might get lucky and get a 'weakly' protected GAL used at some point.


Return to “MIDI Software and Hardware”

Who is online

Users browsing this forum: No registered users and 1 guest