The Bandai Pippin has finally been cracked.
They say a picture is worth a thousand words. So I put together a fun proof-of-concept demo, and made a video to summarize these last few months.
For an in-depth technical explanation of what’s happening here, here’s some further reading:
- Exploring the Pippin ROM(s), in which I do my best to briefly explain what the Pippin is and why I set out to crack it
- Exploring the Pippin ROM(s), part 2, in which I discover that the Pippin’s boot process loads an ‘rvpr’ resource of ID 0 during the Start Manager’s phase of locating a bootable volume from the Pippin’s internal CD-ROM drive
- Exploring the Pippin ROM(s), part 3, in which I skim ‘rvpr’ 0, question its multitude of seemingly similar subroutines, and show how it patches itself in place before jumping to
- Exploring the Pippin ROM(s), part 6: Back in the ‘rvpr’, in which I do a surface dive of ‘rvpr’ 0’s
mainloop, all the while deriving the overall structure, purpose, and usage of the PippinAuthenticationFile
- Exploring the Pippin ROM(s), part 7: A lot to digest, in which I deep dive into the guts of ‘rvpr’ 0’s
mainloop, completely reverse-engineering the format of the PippinAuthenticationFile and the Pippin’s public/private RSA keys