Japanese Feature Phone Preservation

From Hack Manhattan Wiki
Jump to navigation Jump to search

Japanese feature phones is a category of mobile devices that were released (almost) exclusively in Japan between approximately 1999-2015. These phones contained many features that took over a decade to reach the rest of the world: game streaming, live TV, digital wallets, virtual characters to replace you on video calls, and more. The phones offered platform-exclusive games from many beloved franchises such as Final Fantasy, Pokemon, Kingdom Hearts, Professor Layton, and Megami Tensei. Mobile devices in Japan were developed by a variety of companies, each with their own proprietary hardware and software. Because of the diversity of phone models, the restrictive copyright protections, a separate set of proprietary internet protocols, and more, these phones and their games have been extremely challenging to preserve.

Brute Force Live Stream: Cracking the Cryptomeria Cipher

General Summary

Rockman DASH: Great Adventure on 5 Islands! (image source)

The microSD cards in Japanese feature phones hide copyright protected data using a Cryptomeria Cipher, also known as a C2. Cracking the C2 requires three things: s-box, device keys, and a game-specific bind ID. Having the s-box and device keys allows us to find the bind ID. The s-box was discovered last year, but hackers are still searching for phone specific device keys. These device keys can be used across multiple game dumps, so it's not necessary to find each device's set of device keys for decryption to work.

Update: THE DEVICE KEY HAS BEEN FOUND THROUGH BRUTE FORCE. But there is still much more to do!

With that in tow, we'll now get to the games: finding the game-specific bind ID using the device key and s-box (which has already been acquired). It depends on how long that will take, but the device key will make things exponentially easier than if we didn't have it. Next is to combine the three to decrypt the game files... and nobody knows what will happen next.

One of the main goals of this brute force effort is to access a specific SD card that contains Rockman DASH: Great Adventure on Five Islands!

Hardcore Summary

Chart of the 16 MKB types used in SD cards involved in this process. Games are encrypted with MKB 11: SD Binding

An MKB on SD cards generally contains two records (except some mostly irrelevant header records): Calculate Media Key and Conditionally Calculate Media Key.

  1. A row which corresponds to our device key is looked up in Calculate Media Key record.
  2. We decrypt this row with our device key, and get another key.
  3. In the Conditionally Calculate Media Key record, there's an encrypted block with a specific (constant) value which we attempt to decrypt with the key from the previous step.
  4. If this value matches what we expected, we look up a row in the Conditionally Calculate Media Key record (same row number as in step 1) and decrypt it with the key we got in step 2, then decrypt it again with the device key - that's our key; else we are done and the key is what we got in step 2.

We've made an assumption that the condition in step 4 is always true. Which isn't extremely unreasonable - values in the Conditionally Calculate Media Key record don't seem like what you would expect according to specification (if I've interpreted it correctly, invalid values would be identical to what is in the Calculate Media Key record; and they aren't). So as long as the assumption holds true, it'll eventually succeed.

For more technical information, please look at the following official PDFs:

Mobile Device Data Extraction Projects


NEC devices enter a testing mode when plugged into a PC using a debug cable (a FOMA cable with pins 8, 9, and 10 bridged together). This cable also works with Panasonic phones. Information on creating a debug cable can be found here.

Firmware Dumped Phone Models

  • N901iS


For Panasonic phones, the debug cable triggers Panasonic IPL mode. This cable also works with NEC phones.

Some Panasonic phones have also had their firmware extracted by unsoldering the eMMC and analyzing it with a chip programmer.

Firmware Dumped Phone Models

  • 301P (eMMC)
  • 401PM (eMMC)
  • P901iS (Debug Cable)
  • P-01F (eMMC)
  • P-01H (eMMC)

Some phones have had their system data dumped but not their user data

System Only Firmware Dumps

  • P851i
  • P903i


LG DoCoMo mobile phones had their firmware dumped at least 10 years ago, though most of these files have been lost. The firmware dumping process has not been replicated since, but should be possible to figure out with some research.

Firmware Dumped Phone Models

  • L704i (Found Online)
  • L706ie (Found Online)
  • L-03A (Found Online)


The Motorola M702iG and M702iS are based upon the Motorola Razr that was released internationally. Due to the availability of information about these phones, their firmware has successfully been accessed through USB. It's possible to browse the entire file system on these phones using a RMCDA General Program, M702iS/M702iG USB Drivers, and P2K Commander.

Firmware Dumped Phone Models

  • M702iG
  • M702iS


Sharp mobile phones have not yet been dumped, but there have been specific efforts towards breaking open the Sharp SH-10C, detailed below.

Sharp SH-10C

The Sharp SH-10C is a DoCoMo phone released in 2011. Attempts have been made to read the NAND chip on this phone, in part because its schematics were made public by the FCC. Currently, there are no chip programmers that support its NAND chip (Toshiba TY00D0021211KC) by default, and attempts at using a chip programmer have not reached past the bootloader. For more information, we recommend reading the report below.

Archive Re-release Restoration Projects

This section will describe efforts to restore original DoJa game files.DoJa is a proprietary Java runtime developed by NTT Docomo to run specifically on feature phones. Games consist of two files: the .jam file (java manager file), which provides technical information to the phone about the application's install requirements, and the .jar file, which is the game itself. DoJa games use a scratchpad, which is saved as a .sp file.

Appli Archives for PlayStation Mobile

The Appli Archives are a series of feature phone re-releases. The PlayStation Mobile games contain DoJa files for each game, likely from original source. Game files and assets are drawn from a localhost server that runs within the PlayStation Mobile application. Because of use of localhost, these games cannot run directly in the DoJa SDK. However, some files have been made to run by hosting files on a localhost server on PC.

PlayStation Mobile game packages use PSSE encryption, which requires a game's original license key in order to perform decryption. Because of this, many of the Appli Archive files have not been decrypted, and their DoJa games have remained inaccessible.

Visit the Japanese Feature Phones wiki for the full list of games in this collection.

Mobile Game Deployer (MGD) and iαppli Publisher Games

Mobile Game Deployer/iαppli Publisher was a software that could easily convert i-mode applis into Android, iOS, and Windows Phone programs. A number of prominent feature phone game publishers used this tool to bring their games to the smartphone generation.

The game Flyhight Cloudia was successfully extracted from an Android APK in a fully playable version.

So far, other games have not been converted due to the difficultly in finding original application files for early smartphone games. Not only are these games approximately 10 years old, but they were often distributed in provider-specific mobile game portals, rather than common application stores such as Google Play and the App Store.

G-mode Archives

The G-mode Archives are a collection of Japanese feature phone re-releases for Nintendo Switch and Windows (Steam) published by G-mode. These games were developed in Unity, and so far no DoJa files have been discovered inside of them.

Emulating Network Protocol?

At this point, no one knows how to emulate the proprietary network protocols that were used by these mobile devices to download games. This means that no one has successfully added new applications or side-loaded applications to a Japanese feature phone. Even though a wifi enabled phone can access a website containing a game download, the wifi Full Browser does not offer the ability to download the game files. Only the proprietary browser (such as i-mode) has the capacity to download and install games.

Notable Japanese Feature Phone Games

Some notable titles from recognizable game series include: