Reminder, if you like these repos, fork them so they don’t disappear https://github.com/ArcadeHustle/WatermelonPapriumDump/fork
Big thanks to Fonzie for allowing this to be published.
- written by hostile, with supporting information from the community at large!
Project Little Man
This project details the active efforts to dump the contents of the Watermelon Games Paprium cart.
The Paprium Press Release from 03/16/2017 brought many promises that simply never manifested into reality. At this point many people have recieved their Paprium cart, where as many others have not. Some of those that have carts in hand, happen to have broken, unusable carts. There is no replacement path, there are no support options, you simply have the pleasure of owning a brick. What can you do? Shitpost? Bellyache, and whine? Quit being a “little man”, and take matters into your own hands? “Rule, Be Ruled, or Die”!
The goal of this project is to empower Paprium cart owners to ensure that their investment is protected well into the future. Design flaws in the cartridge manufacturing process make it succeptible to failure. It is literally a ticking timebomb, and it will likely fail eventually.
Additional text relevant to this document can be found below:
Exemptions to Prohibition against Circumvention of Technological Measures Protecting Copyrighted Works
Seventh Triennial Section 1201 Final Rule, Effective October 28, 2018
“Video games in the form of computer programs, where outside server support has been discontinued, to allow individual play and preservation by an eligible library, archive, or museum”
“Video games in the form of computer programs, lawfully acquired as complete games 37”
“For personal, local gameplay; or To allow preservation in a playable format…”
“Computer programs protected by dongles that prevent access due to malfunction or damage and which are obsolete. A dongle shall be considered obsolete if it is no longer manufactured or if a replacement or repair is no longer reasonably available in the commercial marketplace.”
“The final rule allows eligible libraries, archives, and museums to circumvent technological protection measures on certain lawfully acquired computer programs (including video games) to preserve computer programs and computer program-dependent materials.”
“Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies”
Please note that the following text is considered “for purposes of good-faith security research”. This write up will give you all the knowledge, and access you need to backup and preserve your Genesis MegaDrive Paprium cart as supplied by Watermelon Games. It will also serve as an academic tome on the security ramification of Voltage Glitching the STM32F4 MCU, FPGA security through obscurity, physical protection methods, and anti tamper techniques.
President Joe Biden’s latest executive order is a huge win for right to repair because it specifically calls out “unfair anticompetitive restrictions on third-party repair or self-repair of items”, just like the DT128M16VA1LT concept in Paprium imposes on any end user lucky enough to acutally obtain the game. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/07/09/executive-order-on-promoting-competition-in-the-american-economy/
The DT128M16VA1LT is supposedly a “custom” chip made by Daten Semiconductor, that is really just a bunch of commodity parts covered in black epoxy glob top encapsulant. Never mind that it has been proven that “Datenmeister DT128M16VA1LT chipset is fake”, or that the website of the company that “makes” it, was originally registered to Fonzie.
The Datenmeister serves as the central piece of technology driving the Paprium cart. The only problem is, that it does not exist, at all. In reality, it is just handful of common components.
Any Paprium ROM archival efforts would have to revolve around exploiting weaknesses in the “DT128M16VA1LT” components.
DT128M16VA1LT parts related to data storage, and game logic.
The actual technology in the ficticious “DT128M16VA1LT” from the Paprium cart is made up of known ICs that are succeptable to known weaknesses, and potential attacks. Being beneath black goop does not at all make the chips impervious to attack.
It should in practice be trivial to interface with each of the major componets. The major hurdle right now is physical access to each component, or it’s pinout due to the black epoxy.
Intel® MAX 10 FPGAs
Altera 10M02SCU169C8G FPGA (UBGA169)
The Intel FPGA on the Paprium cart “may allow an authenticated user to potentially enable escalation of privilege and information disclosure via physical access”. The vulnerability has been assigned CVE-2020-0574. Dr. Sergei Skorobogatov of the Dept of Computer Science and Technology, University of Cambridge, Cambridge, UK, has been credited with reporting this issue. His papers and persentations on the subject are linked below:
Sergei’s research outlines several weaknesses that can aid in archival of Paprium’s FPGA contents:
“Verify Protect fuse only protects the configuration Flash memory (CFM) but leaves user Flash memory (UFM) fully accessible”
“Encrypted POF Only fuse on its own does not protect JTAG access to the Flash memory”
“Write access to both user Flash and configuration Flash is still possible. This can be used for modification attacks, for example, to extract the encrypted bitstream”
“AES decryption always leaves distinctive power traces clearly distinguishable for different keys and different data. In combination with Flash modification attacks this can be used for encrypted bitstream extraction.”
“Semi-invasive attacks in the form of laser fault injection were found to be capable of bypassing all security protection fuses in MAX 10 devices.”
All of these vulnerabilities can in theory be used to dump the FPGA that is present on the Paprium cartridge.
ST STM32F446ZEJ6 MCU (UFBGA144)
Similar to the Intel FPGA, the STM32F4 inside the Paprium cart is known to be vulnerable to voltage glitching attacks that should aid in archival of Paprium’s data. The attacks have moved from theory, and manual one off demonstrations to now being available in ready made productized form with tools like ChipWhisperer. Various exploitation demonstrations have occured outside common lab constraints, and SDK kit based testing.
Real, actual products have been attacked at this point. The exploitation techniques are reliable:
TheHpman appears to have done some basic reversing of the Paprium cart, but did not fully disclose which chips he worked with. The logic used by the STM32 is explictly mentioned on his Twitter account:
Commerical RE company BreakIC aka Mikatech will dump the STM32 for a fee of $6500 USD, claiming that “The tools needed to read it costs USD2million”. We have reliably used Mikatech in the past for less costly extractions, we originally found them because their marketing claims that they are “World first mcu cloning company”. Worst case scenario, we could in theory pay to have the Paprium STM32 chip dumped via their expensive machine.
Alternatively practicing on STM32F4 dev boards using a standard ChipWhisperer setup should set the stage for dumping the Paprium STM32F4 using standard community accessible tools.
Similarly starting with the standard STM43F4 “UFO” target board is a great way to practice before moving on attempting to attack the Paprium cart.
Spansion GL064N Series Flash (BGA48)
Reading the Spansion flash should be possible with a standard Universal Programmer, and the appropriate adapter. https://www.aliexpress.com/item/32820731419.html
24C64WP EEprom (SO8)
Similarly reading the i2c EEPROM should be possible with standard EEPROM readers, or even an Arduino. It is sitting outside the black epoxy, making it easy to examine.
The standard tool for voltage glitching is the Chip Whisperer, STM32 is a default target in the “level 1” kit, so this seems like a natural fit for anyone wanting to play along:
Before the ChipWisperer came along you often saw FeelTech FY3200S used in academic papers about voltage glitching STM32 MCUs. This device contains a USB API that can be used to script voltage changes. A Python API makes scripting easy.
Cart Specific detail
The Paprium cart is a special unicorn. If you don’t pay attention, you may perhaps miss some notable “features”.
Megawire 4.0 (MW4.0)
Described in the manual as being used to “Connect to PAPRIUM’s NXT network and enable the game’s online services”. It can also be used because “Some game updates may be available for download. Nobody’s perfect…”, or for DLC that “can be purchased with GEMS”.
“Megawire 4.0 is a special connector that has 4 segments to it. There are 2 segments for data transfer & 2 for are for power & ground.” https://warosu.org/vr/thread/7319474
Exposed vias on rear of cart
There is a 9 pin header at the top of the cart labeled “DT”, there is also an 8 pin header just below the STM32 above the cart connector. The functionality is not known for either connector at this time.
These are random related backstory items that make for good reading, or listening.
Failure to deliver
Need for Change!
An amazing Paprium troll, ahead of their time
Fonzie ranting on Twitter calling everyone “little man”, and complaining about PayPal. https://twitter.com/watermelongames/status/1365356392022966278
Youtube Interviews & Documentaries
st1ka: “A ROM dump will always happen, I believe Paprium has already Been dumped, if I’m not mistaken”
Fonzie: “no no no no no no no no no no I don’t think so I don’t think so, I don’t encourage anyone to dump anything”
“What about the customer”
“These guys are lucky we don’t have very strong lawyers”
st1ka: “the fpga is primarily used as a copy protection”
Fonzie: “… what ever is said is just some ideas, it is true it serves in some way as copy protection”
“It has a memory interface”
“the game is going realtime decompression, and this decompression algorithem is inside the one IC”
Fonzie: “I chose component from the market, because I can not make my own IC”.
“I chose the IC from the market that fits the requirements, of course becuase it is not custom”.
Fonzie: “The final state of testing we modified something on the game, but we could not test again”
“We have to trust everybody to not put the cartridge on eBay. the problem is it was very big risk”
“for sure someone with alot of money will try to take the cartridge and dump it”