Japanese Feature Phone Preservation
Japanese feature phones is a category of mobile devices that were released (almost) exclusively in Japan between approximately 1999-2015. These phones contained many features that took over a decade to reach the rest of the world: game streaming, live TV, digital wallets, virtual characters to replace you on video calls, and more. The phones offered platform-exclusive games from many beloved franchises such as Final Fantasy, Pokemon, Kingdom Hearts, Professor Layton, and Megami Tensei. Mobile devices in Japan were developed by a variety of companies, each with their own proprietary hardware and software. Because of the diversity of phone models, the restrictive copyright protections, a separate set of proprietary internet protocols, and more, these phones and their games have been extremely challenging to preserve.
Brute Force Live Stream: Cracking the Cryptomeria Cipher
General Summary
The microSD cards in Japanese feature phones hide copyright protected data using a Cryptomeria Cipher, also known as a C2. Cracking the C2 requires three things: s-box, device keys, and a game-specific bind ID. Having the s-box and device keys allows us to find the bind ID. The s-box was discovered last year, but hackers are still searching for phone specific device keys. These device keys can be used across multiple game dumps, so it's not necessary to find each device's set of device keys for decryption to work.
Update: THE DEVICE KEY HAS BEEN FOUND THROUGH BRUTE FORCE. But there is still much more to do!
With that in tow, we'll now get to the games: finding the game-specific bind ID using the device key and s-box (which has already been acquired). It depends on how long that will take, but the device key will make things exponentially easier than if we didn't have it. Next is to combine the three to decrypt the game files... and nobody knows what will happen next.
One of the main goals of this brute force effort is to access a specific SD card that contains Rockman DASH: Great Adventure on Five Islands!
- Video footage of Rockman DASH: Great Adventure on Five Islands!
- Cracking Rockman DASH: Great Adventure on Five Islands! Livestream
- Source code for MKB Bruteforce
Hardcore Summary
An MKB on SD cards generally contains two records (except some mostly irrelevant header records): Calculate Media Key and Conditionally Calculate Media Key.
- A row which corresponds to our device key is looked up in Calculate Media Key record.
- We decrypt this row with our device key, and get another key.
- In the Conditionally Calculate Media Key record, there's an encrypted block with a specific (constant) value which we attempt to decrypt with the key from the previous step.
- If this value matches what we expected, we look up a row in the Conditionally Calculate Media Key record (same row number as in step 1) and decrypt it with the key we got in step 2, then decrypt it again with the device key - that's our key; else we are done and the key is what we got in step 2.
We've made an assumption that the condition in step 4 is always true. Which isn't extremely unreasonable - values in the Conditionally Calculate Media Key record don't seem like what you would expect according to specification (if I've interpreted it correctly, invalid values would be identical to what is in the Calculate Media Key record; and they aren't). So as long as the assumption holds true, it'll eventually succeed.
For more technical information, please look at the following official PDFs:
- Content Protection for Recordable Media Specification: Introduction and Common Cryptographic Elements (PDF)
- Content Protection for Recordable Media Specification: SD Memory Card Book - Common Part (PDF)
- Content Protection for Recordable Media Specification: SD Memory Card Book - SD-Binding Part (PDF)
Mobile Device Data Extraction Projects
NEC
NEC devices enter a testing mode when plugged into a PC using a debug cable (a FOMA cable with pins 8, 9, and 10 bridged together). This cable also works with Panasonic phones. Information on creating a debug cable can be found here.
Firmware Dumped Phone Models
- N901iS
Panasonic
For Panasonic phones, the debug cable triggers Panasonic IPL mode. This cable also works with NEC phones.
Some Panasonic phones have also had their firmware extracted by unsoldering the eMMC and analyzing it with a chip programmer.
Firmware Dumped Phone Models
- 301P (eMMC)
- 401PM (eMMC)
- P901iS (Debug Cable)
- P-01F (eMMC)
- P-01H (eMMC)
Some phones have had their system data dumped but not their user data
System Only Firmware Dumps
- P851i
- P903i
LG
LG DoCoMo mobile phones had their firmware dumped at least 10 years ago, though most of these files have been lost. The firmware dumping process has not been replicated since, but should be possible to figure out with some research.
Firmware Dumped Phone Models
Motorola
The Motorola M702iG and M702iS are based upon the Motorola Razr that was released internationally. Due to the availability of information about these phones, their firmware has successfully been accessed through USB. It's possible to browse the entire file system on these phones using a RMCDA General Program, M702iS/M702iG USB Drivers, and P2K Commander.
Firmware Dumped Phone Models
- M702iG
- M702iS
Sharp
Sharp mobile phones have not yet been dumped, but there have been specific efforts towards breaking open the Sharp SH-10C, detailed below.
Sharp SH-10C
The Sharp SH-10C is a DoCoMo phone released in 2011. Attempts have been made to read the NAND chip on this phone, in part because its schematics were made public by the FCC. Currently, there are no chip programmers that support its NAND chip (Toshiba TY00D0021211KC) by default, and attempts at using a chip programmer have not reached past the bootloader. For more information, we recommend reading the report below.
- Report on Extraction of Data from DoCoMo Sharp SH-10C Mobile Phone by Kraze
- Sharp SH-10C on the Legacy Portable Computer Wiki
Archive Re-release Restoration Projects
This section will describe efforts to restore original DoJa game files.DoJa is a proprietary Java runtime developed by NTT Docomo to run specifically on feature phones. Games consist of two files: the .jam file (java manager file), which provides technical information to the phone about the application's install requirements, and the .jar file, which is the game itself. DoJa games use a scratchpad, which is saved as a .sp file.
Appli Archives for PlayStation Mobile
The Appli Archives are a series of feature phone re-releases. The PlayStation Mobile games contain DoJa files for each game, likely from original source. Game files and assets are drawn from a localhost server that runs within the PlayStation Mobile application. Because of use of localhost, these games cannot run directly in the DoJa SDK. However, some files have been made to run by hosting files on a localhost server on PC.
PlayStation Mobile game packages use PSSE encryption, which requires a game's original license key in order to perform decryption. Because of this, many of the Appli Archive files have not been decrypted, and their DoJa games have remained inaccessible.
Visit the Japanese Feature Phones wiki for the full list of games in this collection.
Mobile Game Deployer (MGD) and iαppli Publisher Games
Mobile Game Deployer/iαppli Publisher was a software that could easily convert i-mode applis into Android, iOS, and Windows Phone programs. A number of prominent feature phone game publishers used this tool to bring their games to the smartphone generation.
The game Flyhight Cloudia was successfully extracted from an Android APK in a fully playable version.
So far, other games have not been converted due to the difficultly in finding original application files for early smartphone games. Not only are these games approximately 10 years old, but they were often distributed in provider-specific mobile game portals, rather than common application stores such as Google Play and the App Store.
G-mode Archives
The G-mode Archives are a collection of Japanese feature phone re-releases for Nintendo Switch and Windows (Steam) published by G-mode. These games were developed in Unity, and so far no DoJa files have been discovered inside of them.
Emulating Network Protocol?
At this point, no one knows how to emulate the proprietary network protocols that were used by these mobile devices to download games. This means that no one has successfully added new applications or side-loaded applications to a Japanese feature phone. Even though a wifi enabled phone can access a website containing a game download, the wifi Full Browser does not offer the ability to download the game files. Only the proprietary browser (such as i-mode) has the capacity to download and install games.
Notable Japanese Feature Phone Games
Some notable titles from recognizable game series include:
- Before Crisis -Final Fantasy VII- and Dirge of Cerberus Lost Episode -Final Fantasy VII-: Games in the Final Fantasy VII metaverse that greatly expand upon its lore
- Professor Layton and the Mansion of the Deathly Mirror: A unique Professor Layton title released exclusively for Japanese mobile phones
- Kingdom Hearts coded: A story that covers events proceeding the finale of Kingdom Hearts II
- Persona Mobile Online: An entire Persona online MMORPG for cellphones
- Ni no Kuni: Hotroit Stories: A prologue to the Ni no Kuni series that takes place before Ni no Kuni: Dominion of the Dark Djinn
- Pokémate: The first Pokémon mobile game
- Nakayoshi Chao!: A Chao virtual pet game for phones
Resources
- Japan's Game Preservation Crisis by Did You Know Gaming
- Japanese Feature Phone Game Preservation: Uncovering a Forgotten Era of Gaming on HitSave.org
- Japanese Feature Phones Wiki (made by HM member Ellen!)
- Feature Phone Preservation Resources by Ellen
- Japanese Feature Phone PC Downloads posted on Archive.org