Presentation on Hacking the MegaTouch Force 2011 to bypass security key

brzezicki


So a few months ago, on some random thread, I promised that at some time in the future a presentation on how to hack the Megatouch Force 2011 would be done.

That time is NOW; from what I understand the date is now official!

So I'm posting the announcement on a few threads where I think it might be relevant and of interest.

Info is: January 10th 2017 @ Jailbreak Brewing Company in Laurel, MD.

Talk is at 6PM. Bar opens at 4PM.

Here is the totally non-official teaser trailer.

https://youtu.be/TaEf-5JqTBA

https://youtu.be/AgYUt71BFqk

The purpose of this talk is to show how the system was bypassed to enable the key to be removed. The actual keys are battery-backed and WILL fail eventually. Since Merit is out of business and the Force 2011 is no longer supported, this was done to stop the system from being useless once the key battery dies.
 
That's some good news Brian, as I have a Force 2005 that keeps coming up with the invalid security key message. Hopefully someone posts this presentation on YouTube, as I'm in New Orleans and won't be able to make it to Maryland.
 
Don't get your hopes up. The methods are not one size fits all. The functions from 2005-2011 vary. Also, since the main binaries are obfuscated, they need to be decrypted. While the obfuscation is the same, the locations are different. Only 2009-2011 have the same location.

That's just the first hurdle.
 
There is a stupid easy way to de-obfuscate the main binary with literally zero work; you don't even need to use a debugger or a disassembler, or even know how to program, to do that part. I'll discuss that in my talk. I'm guessing they realized how easy it was, which maybe is the reason no de-obfuscation is necessary in Ion? (I've only seen Ion 2010.) But it looks like they did not bother to obfuscate in that version.

That said, once you get the binary, you then have to do some work. I was thinking of seeing if I could make a symbolic-style analyzer/automated patcher for the different versions, but I don't think I'll ever do that as it does not really hold my interest too much.
 
Yes, there are easier ways, like grabbing dstart from /tmp just before it gets deleted while it's being loaded into memory.

And 2009.5 (Ion) to 2014 are not obfuscated.
 
That's awesome! I've been looking to upgrade my 2007 for some time now, and literally no one has the keys, or will sell one at a reasonable price. Looking forward to the release and documentation.
 
I'm definitely interested. Mike, the Ion 2014 key you fixed for me stopped working again... so I'm looking for a solution to get my Ion working again (right now I just boot it with my other good key, then return the key to the other machine).
 
My methods were probably wrong. I was able to patch 2010.5 for the Force platform.

I found that if you just bypassed the check it unlocked everything; from there I just patched the available games to always true. Took a bit, but I finally got it figured out.

Wish I could be there. I reversed the algorithm for encoding the binary, though. They used a really odd key for that too... odd company.
 
Just a reminder for anyone in the Baltimore area that's interested.

My talk on hacking the Megatouch Force 2011 is next Tuesday, Jan 10th, at Jailbreak Brewing in Laurel, MD.

Jailbreak doors open at 5PM, talk starts at 6PM. I believe there will be a food truck there, probably cheesesteaks, though don't hold me to that as I didn't make the food truck arrangements.
 
Getting close, good luck! Will there be an ISO available for this?
 
Thx. Hope to see you there.

I won't be distributing a hacked ISO. However, at 7pm http://megatouch.arcade-cabinets.com will be unlocked, and I do have the factory install ISOs up there. I also have written up a very, very brief summary of the ideas in the presentation and the commands so you can type-hack it. When typing the commands it's best to cut and paste the commands from the website. All but two steps are 100% cut-and-pasteable. I'm not comfortable with the legality of providing pre-hacked images; I'm pretty sure I'd open myself up to lawsuits if I did that. I'm not sure why Merit/AMI would care, as they no longer support this product and you cannot even run the code without a real Megatouch system due to the I/O board which is required. But I don't want to take any chances either... providing my research is clearly legal, so I won't extend beyond that into grey area.
 
Hey everyone, I just wanted to let you know that due to last-minute legal issues the company sponsoring my talk has cancelled the talk portion.

The bar will still be open and there'll be free drinks and food, but there will be no talk at this time. We are hoping to work out the issues and reschedule the talk for a later date.

My apologies for the inconvenience.
-brian
 
I've been lurking on this thread, even though I wouldn't have been able to attend the talk. :)

Out of curiosity, was the legal issue that came up caused by your topic, or was it something else?
 
Long story... there are always copyright concerns, but we thought we had that ironed out and solid and good to go.

But I got a strange call on Tuesday. It didn't really concern me, but for due diligence I wanted to get a final "we are all clear legally".

When I went to get a last double check that everything was solid, I found out the ball got dropped and we did not officially get a legal review, even though we were told to go ahead and schedule the event. And in 8 hours there was not enough time to get a lawyer to sign off. So the sponsor and I decided the only sane thing would be to postpone.

Anyway, I will personally be speaking with 2 lawyers (1 normal and 1 IP lawyer) Monday to make sure that I am 100% covered and legal via the DMCA.

Then after that I probably will reach out to AMI myself to see if I can talk to someone anyway, just to be as upfront as possible.

Ideally I'd love it if they were on board and maybe I could get permission to distribute a modified version of their ISO for those loyal customers. (Keeping in mind you still need Megatouch hardware to run the games.) I'm not holding my breath for that, but who knows; I mean, if they signed off on it, it costs them nothing and it helps support their customers, which is always a good thing.

Once all that is done I will reschedule.

On that note, if anyone has a contact at AMI I can talk to directly, I'd love that info.

I would like to work with them to help fix the "key of death" issue while ensuring their rights and concerns are addressed.
 
I think it would have been better to describe your event something like "Megatouch Repair Seminar" focussing on "non-booting symptoms". That would probably have been more acceptable.

Same goes if you post a YouTube video of the event. Lots of times YouTube will pull a video if the term "hack" is in the title.
 
Well, I don't really want to hide what I am doing from anyone... I'm upfront about that.

I know that doing the reversing is legal under the DMCA, and I'm ALMOST positive that talking specifically about it (i.e. the patch details) and providing patches that users must apply themselves is legal.

That said, the actual event sponsor, who was kind enough to rent out the brewery and pay for food and drinks, and I just wanted to be sure a valid legal review was done first. We were both under the impression it was, and from what I understand a certain review apparently was done, just not the copyright/IP type review I needed to have validated. As much as I believe we were good to go, I don't ever take chances with legal issues; I need to know a competent lawyer has looked at it.

That said, we still enjoyed the food, drinks and company with those who came out anyway, and we plan on rescheduling. I also put up http://megatouch.arcade-cabinets.com today with the system manuals and an explanation of what the purpose of the site is; however, I have not provided the patch information yet. I am also going to try to reach out to AMI. I would like to see if I can get them to agree to let me distribute a modified install ISO of the Megatouch software to make it easy for owners to install rather than patch by hand.

I am hoping they would be amenable to that. I am hoping, if they have any concerns, it's that I don't plan on releasing hacks to allow the games to be played on non-Megatouch systems like generic Linux installs (or, say, iPads). I have no intention of patching things to allow it to run on anything but original Megatouch hardware. I just want people to be able to use their systems without fear of failure (and ideally allow valid owners to upgrade to the latest software if possible, though that's just a wish).

At the event someone already told me their story of their Ion 2014 key dying, so key death is already starting to happen.
 
Another thing I'd love to do is get an alternate Megatouch network going so high scores and tournaments etc. could be run. That probably will never happen, but it would be awesome.

I also should have the Ion 2014 patches super soon; I just need to actually get my Centronics cable in (ordered on eBay already) so I can easily install the patch and verify. I extracted the game binary already from the ISO and reversed the key encryption on 2014; everything looks good to patch and test on the actual running hardware.
 
Given the fact that AMI hasn't bothered to sue Zynga or any of the 100s of other companies that have blatantly ripped off Megatouch games for profit, one would think that they would be OK with allowing people who actually have the hardware to back it up and get the most out of it.
 
Lol, good point. I am hoping they'd be willing to talk and be willing to work something mutually beneficial out. I mean, in the end it helps take care of their past (and maybe future) customers. I know they don't care about the bar touchscreen game business, but still some operators probably are still jukebox customers, and allowing me to provide this helps those customers maximize their return on investment and costs AMI nothing. Any sane business person would see this as a win-win for everyone, though I find sanity and common sense are not at all common, so I will hope for the best and prepare to be disappointed.
 