JP5502181B2 - Download security system - Google Patents

Description

  The present invention relates to a download security system, and more particularly to a download security system that writes only intended download data into a predetermined storage area. The present invention also relates to an information processing apparatus, a server, a memory controller, and a security method used in a download security system.

An example of a technique for downloading data from a server to an IC card of a mobile terminal is disclosed in Patent Document 1, for example. Specifically, in the technique of Patent Document 1, the IC card has a file structure protected by an access key for each file, and read and write when reading and rewriting the contents of the file by accessing the IC card. -Writable keys are managed only by the host server. The addition / change of the contents written on the IC card can be performed only by a write command from the host server after online connection with the host server through the portable terminal, that is, a read sent in addition to the command. The key is collated on the IC card side, and the file can be accessed only when the collation matches.
JP 2002-281181 A

  However, in the technique of Patent Document 1, it is only attempted to control writing to a file on an IC card from a server by a write command with an access key added to the file. Since there was no idea of making a transition, there was a risk of writing invalid data.

Therefore, one of the main objects of the present invention is to provide a novel download security system, and an information processing apparatus, server, memory controller and security method used therefor.

  Another object of the present invention is to provide a download security system capable of preventing unintended data from being written, and an information processing apparatus, server, memory controller and security method used therefor.

In order to solve the above problems, the present invention employs the following configuration as an example . Note that reference numerals in parentheses, supplementary explanations, and the like indicate correspondence with embodiments to be described later in order to help understanding of the present invention, and do not limit the present invention.

An example of the present invention is an information processing system including a server and a storage unit, and an information processing apparatus that downloads data from the server and writes the data in the storage unit,
The server that sends the first transition command for transitioning the information processing apparatus to a writable writable mode storage unit encrypting means for encrypting the first transition command is encrypted information processing apparatus Qian A transition command transmission means and a data transmission means for transmitting data to the information processing device, wherein the first transition command includes an address of a storage means designated for writing the data;
The information processing apparatus decrypts the encrypted first transition command transmitted from the server, and the information processing apparatus transitions to the writable mode in response to the first transition command decrypted by the decryption means. In this case , the download security system further includes a write enabling unit that enables data to be written only to a designated address in the storage unit, and a writing unit that writes the writable data to the designated address.

In one example of the present invention, the download security system (100) includes a server (102) and an information processing device (10). The information processing apparatus, Ru storage means (64) is provided for storing data downloaded from the server. Servers may include, for example, generated by the generation means (S29), encryption means for encrypting the first transition command for transitioning the information processing apparatus to a writable writable mode storing means (S31), The encrypted first transition command is transmitted to the information processing apparatus by the transition command transmitting means (S33, S323) . The server also includes data transmission means (S67, S341), and transmits data for download to the information processing apparatus. The decryption means (S37) of the information processing apparatus decrypts the received encrypted first transition command, and the write enable means (S45, S237) in the storage means according to the decrypted first transition command . Transitions to a mode in which only the specified address can be written. Also includes writing included means (S83, S 267), the writable mode, and writes the data transmitted from the server to the designated address of the memory means.

According to one example of the present invention, it is possible to transition in the book included possible modes in response to a first transition command from the server, then the first transition command storage means data from the server in the writable mode Can be written only to the address specified by . That is, since mode transition is required for data writing, stepwise security can be applied and the security level can be increased. In addition, since the first transition command can be encrypted and transmitted, the degree of security against mode transition can be increased.

An example of the present invention, there is provided a down load security system, write enable means enables writing a predetermined range from the specified address.

In an example of the present invention , the mode can be changed to a writable mode by the first transition command, and a certain range can be written from a specified address.

An example of the present invention, there is provided a down load the security system, the server stores the second key for the first key, and the first key and different data encryption for the first transition command encryption. The encryption means encrypts the first transition command using the first key, and the data transmission means transmits the encrypted data using the second key. The storage means stores the first key and the second key. The decrypting means decrypts the encrypted first transition command using the first key. The writing means decrypts the data using the second key in the writable mode and writes the data to the storage means.

In an example of the present invention, a first key for encryption of the first transition command and a second key for encryption of data to be downloaded unlike the first key are stored in the server and the storage means. That is, the server and the control means have a common key (first key) for the first transition command and a common key (second key) for data to be downloaded. The first transition command encrypted and transmitted with the first key by the server is decrypted with the first key by the control means, and the control means transits to a writable mode by the first transition command. The download data encrypted and transmitted by the server with the second key is decrypted by the control means with the second key and written in the storage means in the writable mode.

According to an example of the present invention, separate security can be applied to mode transition and download data, and the degree of security can be further increased.

An example of the present invention, there is provided a down load the security system, the server further stores a third key message digest for authentication data. The data transmission means encrypts the data to which the authentication symbol generated using the third key is added using the second key, and transmits the encrypted data. The storage means further stores a third key. In the writable mode, the control means decrypts the encrypted data using the second key. When the decrypted data is authenticated using the third key, the writing means writes the data.

In an example of the present invention, a third key for message digest authentication of data to be downloaded is stored in the server and storage means. The server encrypts the data to which the authentication symbol (MIC) generated using the third key is added with the second key and transmits the encrypted data. The control means decrypts the encrypted data with the second key in the writable mode. When the decrypted data is authenticated using the third key, the data is written into the storage means.

According to an example of the present invention, message digest authentication can be performed on data to be downloaded.

An example of the present invention, there is provided a down load security system, third key is obtained by replacing a part of the second key.

In an example of the present invention, the third key for message digest authentication is a key obtained by partial replacement of the second key for encryption of data to be downloaded. Therefore, if the same part is shared by the second key and the third key, the size of the area for storing the key can be suppressed, and the cost can be reduced.

An example of the present invention is a download security system, and the information processing apparatus further includes a normal encryption unit that encrypts a command for accessing the storage unit in an ordinary mode using an algorithm different from the encryption unit. .
An example of the present invention is a download system, and the information processing apparatus further includes a normal encryption unit that encrypts a command for accessing the storage unit with an algorithm different from the encryption unit in the application execution mode. .

In an example of the present invention, the normal encryption unit can encrypt a command for accessing the storage unit in the normal mode or the application execution mode according to an algorithm with a relatively light processing load.

An example of the present invention, there is provided a down load the security system, the information processing apparatus further includes a writing issuing means for issuing a write command for instructing writing to the control means. The control means writes data to the storage means in response to the write command in the writable mode.

In an example of the present invention , the information processing apparatus further includes write issuing means (S73, S143), and issues a write command to the control means. The control means writes data in response to a write command in a writable mode.

According to an example of the present invention, data downloaded from a server can be written in a storage unit in accordance with a write instruction from an information processing apparatus. Since data transmission and writing are processed separately, data disappearance can be made difficult to occur.

An example of the present invention, there is provided a down load security system, storage means stores the identification information of the storage means. The information processing apparatus includes identification information transmitting means for transmitting the identification information stored in the storage means to the server. The server stores a plurality of first keys for encryption of the first transition command associated with a plurality of pieces of identification information. The encryption unit encrypts the first transition command using the first key corresponding to the identification information of the storage unit.

In one example of the present invention , the storage means stores identification information of the storage means. This identification information is transmitted to the server by the identification information transmitting means (S5, S105). On the other hand, the server stores a plurality of first keys associated with a plurality of identification information. That is, the first key for encryption of the first transition command is prepared for each storage unit and stored in the storage unit and the server. The first transition command is encrypted by the encryption means using the first key corresponding to the received identification information.

According to an example of the present invention, the first transition command can be encrypted by the first key for each storage unit, and the control unit can be shifted to a writable mode by the first transition command. The degree can be increased.

An example of the present invention, there is provided a down load security system, storage means stores identification information of the application program stored in the storage means. The information processing apparatus includes identification information transmitting means for transmitting the identification information stored in the storage means to the server. The server stores a plurality of first keys for encryption of the first transition command associated with a plurality of pieces of identification information. The encryption means encrypts the first transition command using the first key corresponding to the received identification information of the application program.

In an example of the present invention , the storage unit stores identification information of an application program stored in the storage unit. This identification information is transmitted to the server by the identification information transmitting means (S105). On the other hand, the server stores a plurality of first keys associated with a plurality of identification information. That is, the first key for encryption of the first transition command is prepared for each application (game) and stored in the storage means and the server. The first transition command is encrypted by the encryption means using the first key corresponding to the received identification information.

According to an example of the present invention, the first transition command can be encrypted by the first key for each application, and the control unit can be shifted to a writable mode by the first transition command. Can be increased.

An example of the present invention, there is provided a down load security system, storage means comprises a first region and a second region. The control means performs writing by the writing means in the writable mode that has transitioned according to the first transition command only to the first area, and performs writing different from the writing by the writing means in the second area. .

In one example of the present invention , the storage means has a first area (204) and a second area (206). The control means performs writing by the writing means only on the first area. That is, the control means writes the download data to the first area in the writable mode that is changed according to the first transition command. On the other hand, the control means performs writing different from writing to the first area in the second area.

According to an example of the present invention, it is possible to perform security-enhanced writing only by changing to a writable mode according to the first transition command in a predetermined area of the storage unit, and to other areas. In other words, other writing that does not provide security by mode transition can be performed. Therefore, appropriate writing can be performed using different write areas depending on the purpose of writing.

An example of the present invention, there is provided a down load security system, storage means stores boundary data of the first and second regions.

In an example of the present invention , the storage unit stores boundary data of the first area and the second area. The control means can grasp and access each of the first area and the second area by referring to the boundary data of the first area and the boundary data of the second area, respectively.

An example of the present invention, there is provided a down load security system, storage means and control means are provided in the storage medium mounted on the information processing apparatus.

In one example of the present invention , the storage means and the control means are provided in a storage medium (28) that can be attached to the information processing apparatus. Therefore, stepwise security can be applied to the writing of download data to the storage means provided in the storage medium.

An example of the present invention is a memory controller that controls writing to storage means for storing downloaded data in a download security system including a server and an information processing apparatus that downloads data from the server. The memory controller can write to the storage means according to the first transition command decrypted by the decryption means for decrypting the encrypted first transition command transmitted from the server to the information processing apparatus. Transition means for transitioning to a different mode, and writing means for writing the data transmitted from the server to the storage means in the writable mode.

In one example of the present invention, the memory controller (62) is used in the download security system (100) and controls writing to the storage means (64) that stores data downloaded from the server (102). Specifically, the memory controller includes transition means (S43, S235), and stores in the storage means according to the first transition command transmitted from the server to the information processing device (10) and decrypted by the decryption means. Transition to writable mode. By changing to this writable mode, writing to the storage means becomes possible. The memory controller further includes writing means (S83, S267), and writes the data downloaded from the server to the storage means in the writable mode.

An example of the present invention is a server used in a download security system that includes an information processing apparatus that downloads data, a storage unit that stores data, and a control unit that controls writing to the storage unit. The server that sends the first transition command for transitioning the information processing apparatus to a writable writable mode storage unit encrypting means for encrypting the first transition command is encrypted information processing apparatus Qian Transfer command transmitting means and data transmitting means for transmitting data to the information processing apparatus are provided.

In one example of the present invention, the server (102) is used in the download security system (100) and provides data to be downloaded to the information processing apparatus (10). The system further includes storage means (64 ) for storing downloaded data. The server includes, for example, an encryption unit (S31) that encrypts a first transition command for transitioning the information processing device generated by the generation unit (S29) to a writable mode in which the storage unit can be written. The first transition command is transmitted to the information processing apparatus by the transition command transmitting means (S33, S323) . With this first transition command , the information processing apparatus transitions to a writable mode. The server further includes data transmission means (S67, S341), and transmits data to the information processing apparatus. Data is given from the information processing apparatus to the control means, and is written into the storage means by the control means in a writable mode.

An example of the present invention is an information processing apparatus used in a download security system including a server, storage means for writing data downloaded from the server, and control means for controlling writing of the storage means. When the information processing apparatus receives from the server an encrypted first transition command for causing the control means to transition to a mode writable to the storage means, the information processing apparatus decrypts the first transition command and gives it to the control means A provision means, a data provision means for giving the data to the control means when data is received from the server, and a write issuing means for issuing a data write command to the control means.

In an example of the present invention, the information processing apparatus (10) is used in the download security system (100) to download data from the server (102). The system includes storage means (64) for writing downloaded data and control means (62) for controlling writing. The information processing apparatus includes transition command providing means (S35, S125), and when receiving an encrypted first transition command for causing the control means to transition to a writable mode from the server, the information processing apparatus receives the first transition command. Decrypt and give to control means. In response to the first transition command, the control means transits to a writable mode. The information processing apparatus further includes data providing means (S69, S141). When data is received from the server, the information processing apparatus gives the data to the control means. Further, the information processing apparatus further includes write issuing means (S73, S143), and issues a data write command to the control means. In response to this write command, the control means writes the received data to the storage means.

An example of the present invention is a security method in a download security system including a server, an information processing apparatus for downloading data from the server, and a storage unit for storing the data. The security method includes: an encryption step for encrypting a first transition command for causing the server to transition the information processing apparatus to a writable mode in which the information processing apparatus can be written to the storage unit; steps, the server is decoding step, decoding for decoding a first transition command encrypted contains the address of the specified memory means to write the step of transmitting the data to the information processing apparatus, data When the information processing apparatus transitions to the writable mode in response to one transition command, the method includes a step of allowing data to be written only to a designated address, and a step of writing the data that has become writable to a designated address.

In one example of the present invention, the security method is performed when the download security system (100) writes data downloaded from the server (102) to the information processing device (10) into the storage means (64) by the control means (62). It is a security method. In this method, the server encrypts a first transition command for causing the control unit to transition to a writable mode in the encryption step, and transmits the first transition command encrypted in the transmission step to the information processing apparatus. (S33, S323). The first transition command is decoded, in response to a first transition command decoded, a transition in the book included possible modes (S43, S235). In addition, the server transmits data for download to the information processing apparatus (S67, S341). In the writing step, in the writable mode, the data given from the information processing apparatus is written in the storage means (S83, S267).

According to an example of the present invention, in order to write the data to be downloaded to the storage means, the control means is shifted to a writable mode by a transition command from the server, so that stepwise security can be applied, The degree of security can be increased. Therefore, safety against illegal writing can be ensured and unintended data can be prevented from being written.

  The above object, other objects, features and advantages of the present invention will become more apparent from the following detailed description of embodiments with reference to the drawings.

FIG. 1 is an illustrative view showing one embodiment of a security system of the present invention. FIG. 2 is an illustrative view showing the game apparatus shown in FIG. FIG. 3 is a block diagram showing an example of the electrical configuration of the game apparatus shown in FIG. FIG. 4 is an illustrative view showing one example of a memory map of the flash memory shown in FIG. FIG. 5 is an illustrative view showing an outline of mode transition of the memory controller shown in FIG. FIG. 6 is an illustrative view showing a change in the memory map of the flash memory when transitioning to the download mode. FIG. 7 is an illustrative view showing a change in the memory map of the flash memory when transitioning to the backup mode. FIG. 8 is an illustrative view showing one example of a memory map of the information area shown in FIG. FIG. 9 is an illustrative view showing one example of a memory map of the internal RAM of the memory controller. FIG. 10 is an illustrative view showing a change in the memory map of the key storage area shown in FIG. FIG. 11 is an illustrative view showing one example of a database of the server shown in FIG. FIG. 12 is an illustrative view showing one example of a memory map of the RAM of the server. FIG. 13 is an illustrative view showing one example of a memory map of the RAM of the game device at the time of download processing. FIG. 14 is an illustrative view showing one example of a memory map of the RAM of the game device at the time of backup processing. FIG. 15 is an illustrative view showing one example of data with parity written in the backup area. FIG. 16 is a flowchart showing a part of an example of the operation of the system during the download process. FIG. 17 is a flowchart showing part of the continuation of FIG. FIG. 18 is a flowchart showing a part of the continuation of FIG. FIG. 19 is a flowchart showing the continuation of FIG. FIG. 20 is a flowchart showing a part of an example of the operation of the game device during the download process. FIG. 21 is a flowchart showing part of the continuation of FIG. FIG. 22 is a flowchart showing the continuation of FIG. FIG. 23 is a flowchart showing a part of an example of the operation of the memory controller during the download process. FIG. 24 is a flowchart showing part of the continuation of FIG. FIG. 25 is a flowchart showing part of the continuation of FIG. FIG. 26 is a flowchart showing the continuation of FIG. FIG. 27 is a flowchart showing a part of an example of the operation of the server during download processing. FIG. 28 is a flowchart showing part of the continuation of FIG. FIG. 29 is a flowchart showing the continuation of FIG. FIG. 30 is a flowchart showing an example of the operation of the game device during backup writing. FIG. 31 is a flowchart showing an example of the operation of the game apparatus during backup reading. FIG. 32 is a flowchart showing a part of an example of the operation of the memory controller in the backup mode. FIG. 33 is a flowchart showing the continuation of FIG.

  Referring to FIG. 1, a security system (hereinafter simply referred to as “system”) 100 according to an embodiment of the present invention includes an information processing apparatus 10 and a server 102. The information processing apparatus 10 downloads data from the server 102 and saves the data in a predetermined storage area. The system 100 of this embodiment is a download security system, and is intended to prevent a predetermined storage area for writing downloaded data from being used by unauthorized download. The information processing apparatus 10 also functions as a write area security system for backup data and prevents unauthorized use of a predetermined storage area for writing backup data. Note that the system 100 may function as a write area security system for backup data.

  The information processing apparatus 10 is realized in the form of a portable game device in this embodiment, but in other embodiments, other information such as a portable information terminal, a mobile phone, a personal computer, or a stationary game device is used. It may be a computer in the form. The server 102 is a computer, and includes a CPU, a RAM, a ROM, an HDD, a communication device, and the like (not shown).

  The information processing apparatus, that is, the game apparatus 10 can be connected to the server 102 via the access point 104 and the network 106. The network 106 is, for example, a wide area network (WAN), the Internet, etc., or may be a local area network (LAN). When the game apparatus 10 downloads data from the server 102, the game apparatus 10 is connected to the access point 104 by wireless (or wired), and communicates with the server 102 on the network 106 via the access point 104. Note that the game apparatus 10 acquires the IP addresses of the access point 104 and the server 102 by user input or list selection.

  Referring to FIG. 2, game device 10 includes a first liquid crystal display (LCD) 12 and a second LCD 14. The LCD 12 and the LCD 14 are accommodated in the housing 16 so as to be in a predetermined arrangement position. In this embodiment, the housing 16 includes an upper housing 16a and a lower housing 16b. The LCD 12 is stored in the upper housing 16a, and the LCD 14 is stored in the lower housing 16b. Therefore, the LCD 12 and the LCD 14 are arranged close to each other so as to be arranged vertically (up and down).

In this embodiment, an LCD is used as the display. However, instead of the LCD, an EL (Electronic Electronic) is used.
A Luminescence) display or a plasma display may be used.

  As can be seen from FIG. 2, the upper housing 16a has a planar shape slightly larger than the planar shape of the LCD 12, and an opening is formed so as to expose the display surface of the LCD 12 from one main surface. On the other hand, the planar shape and size of the lower housing 16b are also selected to be the same as the upper housing 16a, and an opening is formed so as to expose the display surface of the LCD 14 at a substantially central portion in the horizontal direction. A power switch 18 is provided on the right side surface of the lower housing 16b.

  In addition, sound release holes 20a and 20b for speakers 36a and 36b (see FIG. 3) are formed in the upper housing 16a on the left and right sides of the LCD 12.

  In the upper housing 16a and the lower housing 16b, a lower side (lower end) of the upper housing 16a and a part of an upper side (upper end) of the lower housing 16b are rotatably connected. Therefore, for example, when the game is not played, if the upper housing 16a is rotated and folded so that the display surface of the LCD 12 and the display surface of the LCD 14 face each other, the display surface of the LCD 12 and the display surface of the LCD 14 are displayed. Damage such as scratches can be prevented. However, the upper housing 16a and the lower housing 16b may be formed as a housing 16 in which they are integrally (fixed) provided without being rotatably connected.

  A microphone hole 20c for a microphone (not shown) is formed in the center of the connecting portion between the upper housing 16a and the lower housing 16b. It is possible to perform game processing based on sound signals taken from a microphone, sound or breath signals.

  The lower housing 16b is provided with operation switches 22 (22a, 22b, 22c, 22d, 22e, 22L and 22R). The operation switch 22 includes a direction switch (cross switch) 22a, a start switch 22b, a select switch 22c, an operation switch (A button) 22d, an operation switch (B button) 22e, an operation switch (X button) 22f, and an operation switch (Y Button) 22g, an operation switch (L button) 22L, and an operation switch (R button) 22R.

  The switch 22 a is one main surface of the lower housing 16 b and is disposed on the left side of the LCD 14. The other switches 22b-22g are disposed on the right side of the LCD 14 on one main surface of the lower housing 16b. Further, the operation switches 22L and 22R are respectively arranged at the left and right corners of the upper end surface of the lower housing 16b. Note that the operation switches 22L and 22R are provided on the back surface of the lower housing 16b, and are hidden behind the connecting portion in a front view as shown in FIG.

  The direction indicating switch 22a functions as a digital joystick and operates one of the four pressing portions to indicate the traveling direction (moving direction) of the player object (or player character) that can be operated by the user or the player. It is used to indicate the direction of cursor movement. Moreover, a specific role can be assigned to each pressing part, and the assigned role can be instructed (designated) by operating one of the four pressing parts.

  The start switch 22b includes a push button, and is used to start (resume) a game, pause (pause), and the like. The select switch 22c is formed of a push button and is used for selecting a game mode.

  The action switch 22d, that is, the A button is configured by a push button, and can cause an action other than a direction instruction, that is, an arbitrary action such as hitting (punching), throwing, grabbing (obtaining), riding, jumping, etc. it can. For example, in an action game, it is possible to instruct to jump, punch, move a weapon, and the like. In the role playing game (RPG) and the simulation RPG, it is possible to instruct acquisition of items, selection and determination of weapons and commands, and the like. The operation switch 22e, that is, the B button is constituted by a push button, and is used for changing the game mode selected by the select switch 22c, canceling the action determined by the A button 22d, or the like.

  The operation switch 22f, that is, the X button, and the operation switch 22g, that is, the Y button are configured by push buttons, and are used for auxiliary operations when the game cannot be progressed with only the A button 22d and the B button 22e. However, the X button 22f and the Y button 22g can be used for the same operation as the A button 22d and the B button 22e. Of course, the X button 22f and the Y button 22g are not necessarily used in the game play.

  The operation switch 22L (left push button) and the operation switch 22R (right push button) are configured by push buttons, and the left push button (L button) 22L and the right push button (R button) 22R are an A button 22d and a B button. It can be used for the same operation as 22e, and can be used for an auxiliary operation of the A button 22d and the B button 22e. Further, the L button 22L and the R button 22R can change the roles assigned to the direction switch 22a, the A button 22d, the B button 22e, the X button 22f, and the Y button 22g to other roles.

  A touch panel 24 is attached to the upper surface of the LCD 14. As the touch panel 24, for example, any of a resistive film type, an optical type (infrared type), and a capacitive coupling type can be used. The touch panel 24 is operated by pressing, stroking, or touching the upper surface of the touch panel 24 with a stick 26 or a pen (stylus pen) or a finger (hereinafter, these may be referred to as “stick 26 etc.”). When (touch input) is performed, the coordinates of the operation position of the stick 26 and the like are detected, and coordinate data corresponding to the detected coordinates is output.

  In this embodiment, the resolution of the display surface of the LCD 14 (the LCD 12 is the same or substantially the same) is 256 dots × 192 dots. Although the detection accuracy of the touch panel 24 is also 256 dots × 192 dots corresponding to the display screen, the detection accuracy of the touch panel 24 may be lower or higher than the resolution of the display screen.

  Different game screens can be displayed on the LCD 12 and the LCD 14. For example, in a racing game, a screen from the viewpoint of the driver's seat can be displayed on one LCD, and the entire race (course) screen can be displayed on the other LCD. In RPG, a character such as a map or a player object can be displayed on one LCD, and an item owned by the player object can be displayed on the other LCD. Further, a game screen including a player object or a non-player object is displayed on one LCD, and another game screen including information on the player object or the non-player object or an operation for operating the player object is displayed on the other LCD. A screen can be displayed. Furthermore, by using the two LCDs 12 and 14 together as one screen, it is possible to display a huge monster (enemy object) that the player object must defeat.

  Therefore, when the player operates the touch panel 24 with the stick 26 or the like, the player designates (operates) images such as player objects, enemy objects, item objects, and operation objects displayed on the screen of the LCD 14, and selects (inputs) commands. ). Also, the direction of the virtual camera (viewpoint) provided in the virtual game space (three-dimensional game space) (the direction of the line of sight) is changed, and the direction of scrolling (gradual movement display) of the game screen (map) is indicated. You can also.

  Depending on the type of game, other input instructions can be given by using the touch panel 24. For example, characters, numbers, symbols, and the like can be input by handwriting on the touch panel 24 on the LCD 14.

  As described above, the game apparatus 10 includes the LCD 12 and the LCD 14 serving as a display unit for two screens, and the touch panel 24 is provided on the upper surface of either one (in this embodiment, the LCD 14). 14) and two operation units (22, 24).

  In this embodiment, the first LCD 12 and the second LCD 14 are arranged side by side in the vertical direction, but the arrangement of the two LCDs can be changed as appropriate. In another embodiment, the first LCD 12 and the second LCD 14 may be arranged side by side in the horizontal direction.

  In this embodiment, two LCDs are provided, but the number of LCDs as display means can be changed as appropriate. In another embodiment, a vertically long LCD may be provided so that the display area is divided into upper and lower parts and two game screens are displayed in the respective display areas. An LCD may be provided so that the display area is divided into left and right, and two game screens are displayed in the respective display areas.

  Further, the stick 26 can be housed in a housing portion (not shown) provided in the lower housing 16b, for example, and taken out as necessary. However, when the stick 26 is not provided, it is not necessary to provide the storage portion.

  Furthermore, the game apparatus 10 includes a memory card (or cartridge) 28. The memory card 28 is a storage medium that can be attached to the game apparatus 10, and an insertion portion 30 (in FIG. 2) provided on the upper end surface of the lower housing 16b. (Shown by dotted line). A connector 32 (see FIG. 3) for joining to the connector 60 provided at the distal end in the insertion direction of the memory card 28 is provided at the back of the insertion unit 30, so that the memory card 28 is connected to the insertion unit 30. When inserted, the connectors are joined together, and the CPU 34 (see FIG. 3) of the game apparatus 10 can access the memory card 28.

  Although not shown in FIG. 1, for example, in the lower housing 16b, a battery storage box is provided on the back surface thereof, and a volume switch and an earphone jack are provided on the lower end surface (bottom surface). Surface) is provided with an external expansion connector or the like.

  FIG. 3 is a block diagram showing an electrical configuration of the game apparatus 10. Referring to FIG. 3, game device 10 includes an electronic circuit board 38 on which circuit components such as CPU 34 described above are mounted. The CPU 34 is connected to the above-described connector 32 via the bus 40, and also includes a RAM 42, a first graphic processing unit (GPU) 44, a second GPU 46, an input / output interface circuit (hereinafter referred to as “I / F circuit”). 48), connected to the LCD controller 50 and the wireless communication unit 58.

  As described above, the memory card 28 is detachably connected to the connector 32. The memory card 28 includes a memory controller 62 and a flash memory 64, and the memory controller 62 is connected to the flash memory 64 and the connector 60 via a bus. Therefore, as described above, the CPU 34 can access the flash memory 64 via the memory controller 62.

  The memory controller 62 is a control device that controls writing and reading of the flash memory 64. The memory controller 66 has a RAM 66 as an internal memory.

  The flash memory 64 is a game program for a game to be executed on the game apparatus 10, image data (character or object image, background image, item image, icon (button) image, message image, etc.), and sound necessary for the game. (Music) data (sound data) and the like are stored in advance. Further, as will be described later, the flash memory 64 is provided with an area for storing downloaded data and an area for storing backup data such as mid-game data and game result data. In this embodiment, a NAND flash memory is applied as the flash memory 64. In other embodiments, other non-volatile memories may be applied.

  The RAM 42 of the game apparatus 10 is used as a buffer memory or a working memory. That is, the CPU 34 loads the game program, image data, sound data, and the like stored in the memory card 28 into the RAM 42 and executes the loaded game program. Further, the CPU 34 executes the game process while storing in the RAM 42 data (game data and flag data) that is temporarily generated in accordance with the progress of the game.

  Note that the game program, image data, sound data, and the like are read from the memory card 28 all at once or partially and sequentially and stored in the RAM 42.

  However, the game apparatus 10 may execute an application other than the game. In this case, the flash memory 64 of the memory card 28 may store necessary data such as a program and image data for the application. Further, sound (music) data may be stored as necessary.

  Each of the GPU 44 and the GPU 46 forms part of a drawing unit, and is composed of, for example, a single chip ASIC, receives a graphics command (drawing command) from the CPU 34, and generates image data according to the graphics command. However, the CPU 34 gives each of the GPU 44 and the GPU 46 an image generation program (included in the game program) necessary for generating image data in addition to the graphics command.

  The GPU 44 is connected to a first video RAM (hereinafter referred to as “VRAM”) 52, and the GPU 46 is connected to a second VRAM 54. Data (image data: data such as polygons and textures) necessary for the GPU 44 and the GPU 46 to execute the drawing command is obtained by the GPU 44 and the GPU 46 accessing the first VRAM 52 and the second VRAM 54, respectively.

  Note that the CPU 34 writes image data necessary for drawing into the first VRAM 52 and the second VRAM 54 via the GPU 44 and the GPU 46. The GPU 44 accesses the VRAM 52 to create image data for drawing, and stores the image data in the drawing buffer of the VRAM 52. The GPU 46 accesses the VRAM 54 to create image data for drawing, and stores the image data in the drawing buffer of the VRAM 54. A frame buffer or a line buffer may be employed as the drawing buffer.

  The VRAM 52 and VRAM 54 are connected to the LCD controller 50. The LCD controller 50 includes a register 56. The register 56 is composed of, for example, 1 bit, and stores a value (data value) of “0” or “1” according to an instruction from the CPU 34. When the data value of the register 56 is “0”, the LCD controller 50 outputs the image data created by the GPU 44 to the LCD 12, and outputs the image data created by the GPU 46 to the LCD 14. When the data value of the register 56 is “1”, the LCD controller 50 outputs the image data created by the GPU 44 to the LCD 14 and the image data created by the GPU 46 to the LCD 12.

  The LCD controller 50 reads image data directly from the VRAM 52 and VRAM 54, and reads image data from the VRAM 52 and VRAM 54 via the GPU 44 and GPU 46.

  The VRAM 52 and the VRAM 54 may be provided in the RAM 42, or the drawing buffer and the Z buffer may be provided in the RAM 42.

  The operation switch 22, the touch panel 24, and the speakers 36a and 36b are connected to the I / F circuit 48. Here, the operation switch 22 is the above-described switches 22a, 22b, 22c, 22d, 22e, 22g, 22L and 22R. When the operation switch 22 is operated, a corresponding operation signal (operation data) is I / F. This is input to the CPU 34 via the circuit 48. In addition, coordinate data from the touch panel 24 is input to the CPU 34 via the I / F circuit 48. Further, the CPU 34 reads out sound data necessary for the game, such as game music (BGM), sound effects or sound of the game character (pseudo-sound), from the RAM 42, and outputs the sound from the speakers 36 a and 36 b via the I / F circuit 48. Is output.

  The wireless communication unit 58 is a communication means for transmitting and receiving data wirelessly with other game apparatuses 10 and communication devices. Note that the weak radio wave transmitted and received by the game apparatus 10 is set to an intensity that is not restricted by the Radio Law. When the CPU 34 gives game data or data such as a command to the wireless communication unit 58, the wireless communication unit 58 modulates data to the other party into a wireless signal and transmits it from the antenna. The wireless communication unit 58 receives a radio signal from the other party with the same antenna, demodulates it into data, and gives the data to the CPU 34. Using the wireless communication unit 58, the game apparatus 10 can execute a communication game while communicating data with other game apparatuses 10. In addition, as described above, the game apparatus 10 can be connected to the access point 104 and the network 106 via the wireless communication unit 58, and can download programs and data from the server 102 on the network 106, It is possible to communicate with other game apparatuses 10 through the network.

  In this system 10, a predetermined area for writing data downloaded from the server 102 is provided in the flash memory 64 of the memory card 28. In addition, a predetermined area for writing backup data generated during the execution of the game (application) is provided in the flash memory 64. FIG. 4 shows an example of a memory map of the flash memory 64. The flash memory 64 is provided with an information area 200, a game area 202, a download area 204, a backup area 206, and the like. FIG. 4 shows a part of the memory map, and other areas can be provided.

  The download area 204 is an area for writing data downloaded from the server 102, and the backup area 206 is an area for writing backup data. In the information area 200, header information and predetermined data of the flash memory 64 are stored in advance as shown in FIG. The game area 202 stores game programs and data in advance. The game program includes, for example, a game processing program, a download processing program, a backup processing program, and the like.

  The operation of the memory controller 62 is controlled according to the mode so that stepwise security can be applied to the write area provided in the flash memory 64. In each mode, the executable operation of the memory controller 62 is limited, and the mode needs to be switched in order to execute a necessary operation. An outline of mode transition of the memory controller 62 is shown in FIG. In this embodiment, the memory controller 62 has a game mode, a DL (Download) secure mode, a download mode, a backup mode, and the like. The memory controller 62 shifts its mode in accordance with various transition commands given from the outside (the CPU 34 as the host or the server 102 on the network 106). The CPU 34 issues a transition command by executing an application program stored in the memory card 28 (or a program stored in the game apparatus 10).

  The game mode is a normal mode. For example, when the power of the game apparatus 10 is turned on, the memory controller 62 is powered by the game apparatus 10 and the memory controller 62 is activated. When activated, the memory controller 62 is placed in this game mode, and is basically in this game mode even during game execution (more specifically, when there is no need to write data to the flash memory). Since it is necessary to read the program and data from the flash memory 64 as necessary during the execution of the game, it is desirable that reading from the flash memory 64 can be performed at high speed in this game mode. Therefore, in this game mode, the command given to the memory controller 62 does not have to be encrypted. However, even when the command is encrypted, it is sufficient if the security to the extent that it is encrypted with an algorithm with a light processing burden is applied. Good. In the game mode, even if the host (CPU 34) issues a data write command to the flash memory 64, the memory controller 62 does not accept the command and therefore cannot write data to the flash memory 64.

  In order to download data from the server 102 according to the player's selection or program during game execution, the flash memory 64 is provided with a download area 204 for writing the downloaded data. When downloading, it is necessary to increase the security level in order to protect the flash memory 64 from unauthorized access. Therefore, the memory controller 62 is shifted from a game mode in which access to the flash memory 64 is easy to a mode with a high security level.

  Also, instead of sudden transition from the game mode to the download mode in which the download data can be written, in this embodiment, another mode, ie, DL, is provided so that two levels of security can be applied at the time of download. Secure mode is interposed.

  Specifically, when a gCHG_DL_MODE command is given to the memory controller 62 in the game mode, the memory controller 62 transitions from the game mode to the DL secure mode. The gCHG_DL_MODE command is a transition command for making a transition from the game mode to the DL secure mode, and is issued by the CPU 34 of the game apparatus 10.

  The DL secure mode is a mode provided to increase the security level at the time of downloading. In this DL secure mode, the command given to the memory controller 62 is encrypted. Specifically, an encrypted dsCHG_MODE command is given to the memory controller 62. The dsCHG_MODE command is a transition command for transitioning from the DL secure mode to the download mode. The transition command to the download mode is not issued from the CPU 34 of the game apparatus 10 but is encrypted by the server 102 and transmitted from the server 102. Note that the CPU 34 of the game apparatus 10 cannot generate the dsCHG_MODE command. This is because the dsCHG_MODE command is to be given to the memory controller 62 in an encrypted state, and the CPU 34 of the game apparatus 10 does not have key data for the encryption. The memory controller 62 decrypts the command received in the DL secure mode, and transitions to the download mode if the command is a dsCHG_MODE command. For encryption of the transition command, the server 102 and the memory card 28 store a common key.

  In this way, security can be applied to the transition from the DL secure mode to the download mode. In addition, a transition command to the DL secure mode is issued from the host CPU 34, and a transition command to the download mode is issued from the server 102. That is, the transition to the download mode is performed by the cooperation of the CPU 34 and the server 102. This makes it possible to further increase the security level.

  In the download mode, data downloaded from the server is written to the download area 204. The downloaded data is transmitted after being encrypted by the server, and the received data is decrypted by the memory controller 62. Thus, security can be applied to the data to be downloaded. In addition, since the encryption key in the DL secure mode and the encryption key in the download mode are changed, there are two levels of security, and it is possible to apply different security to the transition command and data.

  The download data is encrypted by the server as described above, and the CPU 34 transfers the encrypted data to the memory controller 62 when receiving the encrypted data. In order to write this data, the CPU 34 issues a write command (dWR_PAGE command). In response to the write command, the memory controller 62 executes a process for writing data, such as data decoding. If the received data is authenticated as valid data, the memory controller 62 writes the data in the download area 204. Writing to the download area 204 is possible only in the download mode. The memory controller 62 accepts a write command issued by the CPU 34 only in the download mode, and therefore cannot write to the download area 204 in other modes.

  After writing predetermined data, the memory controller 62 shifts to the game mode in response to the dlCHG_MODE command. The dlCHG_MODE command is a transition command for making a transition from the download mode to the game mode, and is issued from the CPU 34.

  In such a mode transition in the case of download, the accessibility state of the flash memory 64 is changed. FIG. 6 shows a change in the memory map of the flash memory 64 when transitioning to the download mode. First, in the game mode, the game area 202 and the download area 204 can only be read. Then, when the mode transits to the DL secure mode in response to the gCHG_DL_MODE command, the entire area is made in a state where reading and writing are impossible. The encrypted dsCHG_MODE command is processed in such a state that access to the entire area of the flash memory 64 is disabled. When the transition to the download mode is made in response to the dsCHG_MODE command, the download area 202 is made accessible. In addition, in this embodiment, only the block specified by the dsCHG_MODE command in the download area 202 is made accessible. As described above, according to the mode transition, the readable / writable state is changed for each area of the flash memory 64, that is, the memory map is changed for each mode, so that the degree of security is increased. be able to.

  On the other hand, during the game execution, the CPU 34 generates game backup data. A backup area 206 for writing the backup data is provided in the flash memory 64. Although the writing to the backup area 206 itself is local in nature, there is a possibility that program data obtained illegally from the network 106 may be written to the backup area 206, for example. In order to prevent unauthorized use of the backup area 206, the security level of the backup area 206 is increased.

  As shown in FIG. 5, in order to write to or read from the backup area 206, the memory controller 62 transitions from the game mode to the backup mode in response to the gCHG_BK_MODE command. The gCHG_BK_MODE command is a transition command for making a transition from the game mode to the backup mode, and is issued to the memory controller 62 by the CPU 34 as the host. Further, in response to the bCHG_MODE command, the memory controller 62 transitions to the game mode. The bCHG_MODE command is a transition command for making a transition from the backup mode to the game mode, and is issued to the memory controller 62 by the CPU 34 as the host.

  In the backup mode, when data is written, the write data is converted into a predetermined format by the CPU 34, and the data in the predetermined format is written into the backup area 206 by the memory controller 62. On the other hand, when reading data, the memory controller 62 determines whether or not the read data is in a predetermined format. When it is determined that the data has a predetermined format, the data is output to the CPU 34.

  However, if it is determined that the data is not in a predetermined format, the data is regarded as data that has been illegally written in the backup area, and the memory controller 62 transitions to the illegal mode. When the transition to the illegal mode is made, the data is not output, and therefore, unauthorized use of the backup area can be prevented.

  In this embodiment, when it is determined that the written data is not in a predetermined format, the memory controller 62 does not output any data. In other embodiments, the memory controller 62 Predetermined data indicating that the data is illegal may be output to the CPU 34 so that the CPU 34 can recognize that the data is illegal. Also in this case, since the written data is not normally output, the backup area 206 can be protected from unauthorized use.

  Even in such a mode transition in the case of backup, the access permission / inhibition state of the flash memory 64 is changed. FIG. 7 shows a change in the memory map of the flash memory 64 when transitioning to the backup mode. In the game mode, the game area 202 is in a state where only reading is possible, and the backup area 206 is in a state where reading and writing are impossible. Then, in response to the gCHG_BK_MODE command, only the backup area 206 is made accessible when transitioning to the backup mode. In addition, in this embodiment, only the block specified by the gCHG_BK_MODE command in the backup area 206 is made accessible. As in the case of downloading, the read / write state is changed for each area of the flash memory 64 according to the mode transition, that is, the memory map is changed for each mode. The degree can be increased.

  In this embodiment, it is possible to write to the backup area 206 only after the transition to the backup mode. This is to prevent data written once at the time of factory shipment from being overwritten by mistake. However, as a modification, the backup area 206 of the flash memory 64 may be writable even in the game mode.

  FIG. 8 shows an example of a memory map of the information area 200 of the flash memory 64. FIG. 8 is a part of the information area 200, and other necessary data such as the start address of the game area 202 is also stored.

  The storage area 210 stores the start address of the download area 204 in advance, and the storage area 212 stores the start address of the backup area 206 in advance. In addition, the sizes or end addresses of the download area 204 and the backup area 206 may be stored. As the header information, data that can distinguish each of the download area 204 and the backup area 206 from other areas, that is, boundary data of each area may be stored. The memory controller 62 can grasp and access each area by referring to the boundary data of each area.

  In the storage area 214, the encrypted key 1 is stored in advance. The key 1 is a DL secure mode key (encryption key), that is, a key used in the DL secure mode. With this key 1, the dsCHG_MODE command encrypted by the server 102 is decrypted.

  Since the encrypted key is stored in the flash memory 64, even if the flash memory 64 is extracted from the memory card 28 and the data is read illegally, the contents of the key cannot be read. Can be.

  In the storage area 216, the encrypted key 2 is stored in advance. Key 2 is a key for download mode (encryption key), that is, a key used in download mode. With this key 2, the download data encrypted by the server 102 is decrypted.

  In the storage area 218, the encrypted key 3 is stored in advance. The key 3 is a key (encryption key) for message digest authentication of download data, that is, a key for calculating a message integrity code (MIC) as an authentication symbol of download data. . However, in this embodiment, a configuration in which a part of the key 3 is the same as a part of the key 2 is adopted. That is, the key 3 is a key obtained by replacing a part of the key 2 (a part excluding the same part). In the storage area 218, only the remaining portion of the key 3 as described above (the portion excluding the same portion as the key 2) is encrypted and stored. When the complete key 3 is required for the MIC calculation, the key 3 in the storage area 218 and the same part of the key 2 are used.

  In the storage area 220, a unique ID indicating identification information of the memory card 28 (flash memory 64) is stored. The storage area 222 stores a game ID indicating identification information of a game or application in the memory card 28. The game ID may be a game title or type.

  In this embodiment, a key specific to the memory card 28 is stored in the flash memory 64. That is, keys 1, 2, and 3 corresponding to the unique ID are stored. In another embodiment, keys unique to the game title, that is, keys 1, 2 and 3 corresponding to the game ID may be stored.

  FIG. 9 shows an example of a memory map of the internal RAM 66 of the memory controller 62. FIG. 9 is a part of the memory map of the internal RAM 66.

  The storage area 300 stores the current mode. From this mode data, the memory controller 62 can grasp the current mode. When the command is received, the memory controller 62 may determine, for example, whether or not the command is specified to be issued in the current mode before the execution of the command. This makes it possible to determine a command that has been issued normally.

  The storage area 302 is a key storage area. The key corresponding to the current mode is stored. As described above, in this embodiment, since each key is encrypted and stored in the information area 200 of the flash memory 64, the memory controller 62 reads and decrypts the key in the work area of the internal RAM 66, and The decrypted key is stored in the storage area 302. Each key may be expanded in this storage area 302 when transitioning to each mode in accordance with each transition command.

  Specifically, as shown in FIG. 10, in the DL secure mode, the key storage area 302 has the decrypted key 1 and the decrypted key 3 (in this embodiment, strictly speaking, the key 3 Part) is memorized. The key 1 is a key for the DL secure mode, but in this embodiment, the key 1 is used to encrypt predetermined data (random number and unique ID or game ID) even in the game mode. Therefore, the key 1 has already been stored in the storage area 302 since the game mode. The key 3 remains resident until the power is turned off. Since a part of the key 3 is smaller than the part shared with the key 2, it is developed in advance. When the game mode is changed to the DL secure mode, the key 1 is read again from the flash memory 64, decrypted, and then expanded in the storage area 302. This is a re-development to make sure that the data on the internal RAM 66 is rewritten due to some accident.

  When transitioning to the download mode, key 1 is replaced with key 2. That is, the key 1 is erased from the storage area 302, the key 2 is read from the flash memory 64 into the work area and decrypted, and the decrypted key is stored in the storage area 302. The key 3 is stored as it is. As described above, the key 2 is used for encrypting download data in the download mode, while the key 3 is used for calculating the MIC of the download data. As in this embodiment, by sharing a part between the key 2 and the key 3, the size of the area to be secured for the key storage area 302 can be suppressed, and as a result, the capacity of the internal RAM 66 is suppressed. Thus, the cost can be reduced.

  In another embodiment, the complete key 3 may be stored in advance, and the key 3 may be expanded in the key storage area 302.

  Returning to FIG. 9, random numbers are stored in the storage area 304. The random number is a pseudo-random number and is generated when a predetermined process is executed by the memory controller 62. The storage area 306 stores a flag indicating write protection. When this write protection is on, writing to the download area 204 of the flash memory 64 is prohibited.

  FIG. 11 shows an example of data stored in the database of the server 102. The database is stored in the HDD or ROM of the server 102.

  Download data is stored in the database. The download data is data to be stored in the download area 204 of the memory card 28. For example, for each game title, that is, a download file associated with the game ID may be prepared.

  In addition, key data is stored in the database. In this embodiment, since a unique key is prepared for each memory card 28 as described above, key 1, key 2 and key 3 are stored in association with the unique ID. As with the memory card 28, since the key 3 is partially shared with the key 2, only the remaining part may be stored, or the complete key 3 may be stored. Good.

  In another embodiment, a key for each game title may be prepared, that is, keys 1, 2, and 3 may be stored in association with the game ID.

  FIG. 12 shows an example of a memory map of the RAM of the server 102. Note that this memory map shows a part, and other necessary programs and data are also stored.

  The storage area 400 is a program storage area, and stores a program for executing download processing of the server 102. The program is read from a ROM or HDD.

  A storage area 402 is a data storage area, and stores data read from a ROM or HDD, data generated by a CPU, data received from the game apparatus 10, and the like.

  The storage area 404 stores the first received unique ID, and the storage area 406 stores the game ID. Specifically, when the download process is started, a unique ID and a game ID are first transmitted from the game apparatus 10, so that the unique ID and the game ID are stored in the storage areas 404 and 406.

  The storage area 408 stores a key read from the database. In this embodiment, keys 1, 2 and 3 corresponding to the unique ID are stored.

  The storage area 410 stores a random number and a unique ID. Specifically, after the first unique ID is transmitted from the game apparatus 10, data obtained by encrypting the random number and the unique ID with the key 1 is transmitted from the game apparatus 10, so that the received data is obtained by decrypting with the key 1. The random number and the unique ID are stored in the storage area 410.

  A block address is stored in the storage area 412. Specifically, since the block address for writing is transmitted from the game apparatus 10 after the random number and the unique ID, the block address is stored in the storage area 412. In this embodiment, the server 102 transmits a transition command designating a block address to the memory controller 62 via the game apparatus 10 and instructs a block address for writing a file to be downloaded.

  A write file is stored in the storage area 414. Specifically, a download data file read from the database is stored. When download data is prepared for each game title, data corresponding to the game ID is stored. Data corresponding to the unique ID, that is, data for each memory card 28 may be read, or predetermined data may be read regardless of the game ID or the unique ID. A predetermined amount of data is sequentially extracted from the write file and transmitted to the game apparatus 10.

  FIG. 13 shows an example of a memory map of the RAM 42 of the game apparatus 10 when executing the download process. FIG. 13 shows a part of the memory map, and other necessary data is stored.

  The storage area 500 is a program storage area, and a program for executing processing of the game apparatus 10 is read from the memory card 28 and stored. The program includes a game processing program, a download processing program, and the like.

  A storage area 502 is a data storage area in which data acquired from the memory card 28, data generated by the CPU 34, data received from the server 102, and the like are stored.

  A storage area 504 stores a game ID. For example, when the power is turned on, the game ID is read and output from the storage area 222 of the information area 200 of the flash memory 64 by the memory controller 62, and is given to the CPU 34 via the connector 60, the connector 32, and the like. This game ID is transmitted together when the unique ID is transmitted to the server 102 for the first time.

  A storage area 506 stores a block address to which downloaded data is written. In the game apparatus 10, a free area in the download area 204 is secured, and a block address to be written is determined from the free area. This block address is transmitted to the server 102.

  A storage area 508 stores the amount of file data downloaded from the server 102. Since the file data amount of the file to be downloaded is transmitted from the server 102, the received file data amount is stored in the storage area 508. Based on this data file amount, the CPU 34 can determine whether or not all of the write files have been written.

  FIG. 14 shows an example of a memory map of the RAM 42 of the game apparatus 10 during the backup process. FIG. 14 also shows only a part of the memory map as in FIG.

  A storage area 500 is a program storage area in which a game processing program, a backup processing program, and the like read from the memory card 28 are stored.

  In the storage area 504 of the data storage area 502, the game ID read from the memory card 28 is stored as in the download process of FIG.

  Data to be written is stored in the storage area 510. That is, the backup data generated by the CPU 34 during execution of the game (application) is stored.

  Data with parity is stored in the storage area 512. Data to be written is converted into a predetermined format by the CPU 34 and written in the backup area 206. In this embodiment, a parity bit is added to the backup data. This data with parity is written to the backup area 206.

  FIG. 15 shows an example of data with parity. FIG. 15 shows a configuration example of page data (512 bytes) in the backup area 206. In this embodiment, the configuration of each byte data is “7-bit data” + “7-bit data parity (1 bit). ) ”. That is, for data to be written, data with parity is generated by adding one parity bit for every 7 bits. For example, if there is an even number of “1” in the bit string of bits 0-6, “1” is written in bit 7, while if there is an odd number of “1” in the bit string, “0” Is written.

  The storage area 514 stores a block address to be written. The CPU 34 of the game apparatus 10 secures a free area in the backup area 206, determines a block address for writing data with parity, and stores it in the storage area 514. This block address to be written is specified in the transition command for transitioning to the backup mode.

  The storage area 516 stores a block address to be read. The CPU 34 confirms the storage location of the data to be read from the backup area 206, determines the block address to be read, and stores it in the storage area 516. This block address to be read is specified in a transition command for transitioning to the backup mode.

  Data read from the backup area 206 of the memory card 28 is stored in the storage area 518. Whether the data to be read from the backup area 206 is data with parity is checked by the memory controller 62 when reading. If the data is read from the backup area 206, the data is the data that has been written to the backup area 206 in a regular manner. Therefore, the CPU 34 removes the parity from the read data and converts it to the original data. Can be used. On the other hand, if it is determined that the data in the backup area 206 is illegally written as a result of the parity check, the memory controller 62 shifts to the illegal mode and does not output the data. Therefore, the backup data reading process is not completed and normal operation is not performed.

  The overall operation of the system 10 during the download process will be briefly described with reference to FIGS. Note that the operations of the game apparatus 10, the memory controller 62, and the server 102 during the download process will be described later with reference to individual flowcharts.

  The download process is started when the memory controller 62 of the memory card 28 is in the game mode. Referring to FIG. 16, when the download process is started, first, CPU 34 of game device 10 issues a gRD_UID command to memory card 28 in step S1. This gRD_UID command is a command for reading a unique ID from the memory card 28. In response to this, the memory controller 62 reads the unique ID from the flash memory 64 and outputs it to the game apparatus 10 in step S3. The CPU 34 transfers the received unique ID to the server 102 in step S5, and the CPU of the server 102 stores the received unique ID in the RAM. In this way, the unique ID of the memory card 28 is transmitted to the server 102. This unique ID is compared with a unique ID received later for authentication of the memory card 28.

  Subsequently, the CPU 34 of the game apparatus 10 issues a gRD_IF command to the memory card 28 in step S9. This gRD_IF command is a command for reading the random number and unique ID of the memory card 28. In response to this, the memory controller 62 outputs the generated random number and the unique ID read from the flash memory 64 to the game apparatus 10 in step S11. However, the random number and the unique ID are encrypted with the key 1 developed in the internal RAM 66. In step S <b> 13, the CPU 34 transfers the received data to the server 102. The CPU of the server 102 decrypts the received data with the key 1 in step S15. The key 1 used is the key 1 corresponding to the unique ID. In step S17, the CPU of the server 102 determines whether or not the unique ID decrypted in step S15 matches the unique ID first received in step S7. If “NO” in the step S17, that is, if the unique ID is different from the first received unique ID, the memory card 28 is not recognized as a legitimate card, and the CPU of the server 102 in step S19. The download writing process is terminated.

  On the other hand, if “YES” in the step S17, that is, if the server 102 determines that the memory card 28 is a legitimate card, the CPU 34 of the game apparatus 10 in the download area 204 in the step S21. Determine the block address where the data to be downloaded is written. The CPU 34 issues a gCHG_DL_MODE command to the memory card 28 in step S23. This gCHG_DL_MODE command is a transition command for making a transition from the game mode to the DL secure mode. In response to this, the memory controller 62 transitions to the DL secure mode in step S25.

  In step S <b> 27, the CPU 34 of the game apparatus 10 transmits the block address determined in step S <b> 21 to the server 102. In response to this, the CPU of the server 102 generates a dsCHG_MODE command in step S29. This dsCHG_MODE command is a transition command for making a transition from the DL secure mode to the download mode. This transition command is generated using the random number and unique ID acquired in step S15 and the block address received in step S29. The random number and the unique ID are used for authentication in the memory controller 62, and the block address to which the download data is written is specified by the block address.

  Subsequently, in step S31 of FIG. 17, the CPU of the server 102 encrypts the generated dsCHG_MODE command with the key 1. Then, in step S <b> 33, the CPU of the server 102 transmits the encrypted dsCHG_MODE command to the game apparatus 10. CPU 34 of game device 10 transfers the received data to memory card 28 in step S35. The memory controller 62 receives the data, and decrypts the received data with the key 1 in step S37. Therefore, a random number and a unique ID can be acquired from the dsCHG_MODE command, and a designated block address can also be acquired.

  In step S39, the memory controller 62 determines whether or not the unique ID and random number acquired from the command match the random number and unique ID in the memory card 28. If “NO” in the step S39, that is, if the received command is not a valid command, the memory controller 62 shifts to the illegal mode in a step S41. This prevents the download process from proceeding and prevents unauthorized downloads.

  On the other hand, if “YES” in the step S39, that is, if the received command is a valid command, the memory controller 62 shifts to the download mode in the step S43, and only the designated block can be accessed in the step S45. To do. As a result, writing to the block designated by the transition command to the download mode becomes possible. At this time, the key 2 for download mode is decrypted and expanded in the internal RAM 66.

  In step S <b> 47, the CPU 34 of the game apparatus 10 issues a dlRD_IF command to the memory card 28. The dlRD_IF command is a command for reading a random number and a unique ID. In response to this command, the memory controller 62 encrypts the random number and the unique ID with the key 2 and outputs them to the game apparatus 10 in step S49. The CPU 34 of the game apparatus 10 receives this data and transfers the received data to the server 102 in step S51. In response to this, the CPU of the server 102 receives the data and decrypts the data using the key 2 in step S53. As a result, the server 102 acquires a random number and a unique ID from the memory card 28. This random number and unique ID are used as an initial value when calculating the MIC of data to be downloaded thereafter, and also as an initial value for encrypting data transmitted from the server 102.

  Furthermore, the CPU 34 of the game apparatus 10 issues a dlPRT_OFF command to the memory card 28 in step S55 of FIG. The dlPRT_OFF command is a command for releasing write protection. In response to this command, the memory controller 62 turns off write protection, thereby enabling writing to a designated block in the download area 204.

  Subsequently, in step S59, the CPU of the server 102 prepares data to be downloaded, that is, a write file. In step S61, the CPU of the server 102 extracts data of a predetermined size (2 Kbytes in this embodiment) from the write file. The writing file is transmitted from the server 102 to the game apparatus 10 (memory card 28) for each predetermined size.

  In step S63, the CPU of the server 102 calculates a MIC having a predetermined size (8 bytes in this embodiment) from the 2 KB data using the key 3. Note that the random number and the unique ID acquired in step S53 are used as initial values for MIC calculation. Further, in step S65, the CPU of the server 102 generates data obtained by adding 8 bytes of MIC to 2 KB data, and encrypts the generated data with the key 2. Note that the random number and the unique ID acquired in step S53 are used as initial values for this encryption. In step S <b> 67, the CPU of the server 102 transmits the encrypted data to the game apparatus 10.

  In response to this, in step S69, the CPU 34 of the game apparatus 10 transmits a page address to be written together with the received data to the memory card 28. In response, in step S71, the memory controller 62 receives data.

  Subsequently, in step S <b> 73, the CPU 34 of the game apparatus 10 issues a dWR_PAGE command to the memory card 28. The dWR_PAGE command is a command for writing the data transmitted to the memory card 28 in the download area 204. In response to this command, in step S75, the memory controller 62 decrypts the data received in step S71 with the key 2. As a result, data obtained by adding 8 bytes of MIC to 2 Kbytes of data can be acquired.

  Further, in step S77, the memory controller 62 calculates an 8-byte MIC with the key 3 for the acquired 2 KB data. When calculating the MIC, the random number and unique ID transmitted in step S49 are used as initial values.

  In step S79, the memory controller 62 determines whether or not the calculated MIC matches the MIC acquired by decoding. If “NO” in the step S79, that is, if valid download data is not received, the memory controller 62 does not perform writing in a step S81. As a result, illegal data is not written in the download area 204.

  On the other hand, if “YES” in the step S79, that is, if valid data is received, the memory controller 62 writes the received 2 Kbyte data in the designated block of the download area 204 in a step S83.

  Subsequently, in step S85, the CPU 34 of the game apparatus 10 determines whether the writing of the file has been completed or the writing of one block has been completed. In the download mode of this embodiment, data can be written without a transition command from the server 102 as long as it is within a certain range of designated block addresses (one block in this embodiment). Therefore, until the writing of one block is completed or until the writing of the file of less than one block is completed, the CPU of the server 102 transmits the encrypted data, and the memory controller 62 decrypts and writes the data. Repeat. That is, if “NO” in the step S85, the process returns to the step S61 in FIG. 18 to repeat the process. Thus, by eliminating the need for a transition command from the server 102 in writing within a certain range, there is an advantage that the load on the server 102 can be reduced and the processing on the game apparatus 10 side can be shortened.

  On the other hand, when it is necessary to write a file of one block or more, the download mode is temporarily ended and the game mode is entered. Then, a transition command is transmitted from the server 102 again, the mode of the memory controller 62 is changed to the download mode, and data is downloaded.

  That is, if “YES” in the step S85, the CPU 34 of the game apparatus 10 issues a dlCHG_MODE command to the memory card 28 in a step S87. This dlCHG_MODE command is a transition command for making a transition from the download mode to the game mode. In response to this, the memory controller 62 shifts to the game mode in step S89.

  Further, the CPU 34 of the game apparatus 10 determines whether or not the writing of the file is completed in step S91. If “NO” in the step S91, that is, if unwritten data remains in the write file, the process returns to the step S9 in FIG. 16 to repeat the process from the game mode. On the other hand, if “YES” in the step S91, that is, if all the data of the write file is written, the download process is ended.

  Next, individual operations of the game apparatus 10, the memory controller 62, and the server 102 in the download process will be described.

  20 to 22 show an example of the operation of the game apparatus 10 in the download process. When the download process is started, the CPU 34 issues a gRD_UID command to the memory card 28 in step S101 of FIG. The gRD_UID command is a command for reading a unique ID. Further, since the gRD_UID command is issued when the memory controller 62 is in the game mode, the gRD_UID command may be encrypted and output to the memory card 28 with an algorithm with a relatively light processing load (for example, scramble).

  When a command or data is transmitted from the game apparatus 10 to the memory card 28, the CPU 34 gives the command or data to the connector 32. Therefore, the command or data is given to the memory controller 62 via the connector 60. It is done.

  Next, in step S103, the CPU 34 determines whether or not a unique ID has been received from the memory card 28. In response to the gRD_UID command, the memory controller 62 returns a unique ID, and thus waits for reception of data from the memory controller 62 via the connector 32.

  If “YES” in the step S103, that is, if a unique ID is received from the memory controller 62, the CPU 34 transmits the unique ID and the game ID to the server 102 in a step S105. Specifically, the received unique ID is stored in the data storage area 502 of the RAM 42, the game ID stored in the storage area 504 is read, and data including the unique ID and the game ID is transmitted.

  When transmitting data from the game apparatus 10 to the server 102, the CPU 34 gives the data to the wireless communication unit 58. Therefore, the data is transmitted from the wireless communication unit 58 via the access point 104 and the network 106. It is given to the server 102.

  Subsequently, the CPU 34 issues a gRD_IF command to the memory card 28 in step S107. The gRD_IF command is a command for reading a random number and a unique ID. The gRD_IF command may also be transmitted after being encrypted with an algorithm with a relatively light processing load such as scramble. In step S <b> 109, the CPU 34 determines whether data (encrypted random number and unique ID) has been received from the memory card 28. In response to the gRD_IF command, the memory controller 62 returns the data, so that the reception of the data is awaited.

  If “YES” in the step S109, that is, if data is received from the memory controller 62, the CPU 34 transmits the received data (encrypted random number and unique ID) to the server 102 in a step S111. To do.

  Subsequently, in steps S113 and S115, it is determined whether or not the result of whether or not the memory card 28 is a valid card is received from the server 102 via the wireless communication unit 58. In response to the transmission of data in step S111, the server 102 returns the result of authentication of the memory card 28, so that the reception of the data from the server 102 is waited. Specifically, in step S113, the CPU 34 determines whether or not the memory card 28 has been received from the server 102 as a regular card. If “NO” in the step S113, the CPU 34 determines whether or not the memory card 28 is received in a step S115 that the memory card 28 is not a regular card. If “NO” in the step S115, the process returns to the step S113.

  If “YES” in the step S115, that is, if it is considered that an unauthorized memory card 28 is mounted, the download process is ended. Therefore, illegal downloading to the memory card 28 can be avoided.

  On the other hand, if “YES” in the step S113, that is, if the regular memory card 28 is mounted, the CPU 34 secures a free area in the download area 204 and determines a block address to be written in a step S117. . Information such as which area is used in the storage area of the flash memory 64 or which area is an empty area is stored as header information in the information area 200, for example. The management data of the flash memory 64 is generated based on the above, and a free area is secured based on the management data and the block address to be written is determined. The determined block address is stored in the storage area 506. When step S117 ends, the process proceeds to step S119 in FIG.

  In step S119 of FIG. 21, the CPU 34 issues a gCHG_DL_MODE command to the memory card 28. This gCHG_DL_MODE command is a transition command for making a transition to the DL secure mode. Note that this gCHG_DL_MODE command may be transmitted after being encrypted according to a relatively light processing algorithm such as scramble. Subsequently, in step S <b> 121, the CPU 34 transmits the block address determined in step S <b> 117 to the server 102.

  In step S <b> 123, the CPU 34 determines whether data (encrypted dsCHG_MODE command) is received from the server 102. In response to the transmission in step S121, the server 102 returns data, and waits for reception of the data.

  If “YES” in the step S123, that is, if the above data is received, the CPU 34 transmits the received data (encrypted dsCHG_MODE command) to the memory card 28 in a step S125. As a result, the memory controller 62 shifts to the download mode.

  Further, in step S127, the CPU 34 issues a dlRD_IF command to the memory card 28. The dlRD_IF command is a command for reading a random number and a unique ID. In step S129, the CPU 34 determines whether data (encrypted random number and unique ID) has been received from the memory card 28 or not. In response to the dlRD_IF command, the memory controller 62 returns the encrypted random number and the unique ID, and waits for reception of the data.

  If “YES” in the step S129, that is, if the above data is received, the CPU 34 transmits the received data (encrypted random number and unique ID) to the server 102 in a step S131.

  Subsequently, in step S133, the CPU 34 issues a dlPRT_OFF command to the memory card 28. This dlPRT_OFF command is a command for canceling the write protection. When step S133 ends, the process proceeds to step S135 in FIG.

  In step S135 of FIG. 22, the CPU 34 determines whether data relating to the file data amount has been received from the server 102. In response to the data transmission in step S131, the server 102 prepares data to be downloaded (write file) and first transmits the file data amount. In step S135, the server 102 waits for reception of the file data amount. If “YES” in the step S135, the CPU 34 stores the file data amount received in the step S137 in the storage area 508.

  Subsequently, in step S <b> 139, the CPU 34 determines whether data (encrypted 2 KByte + 8 Byte data) has been received from the server 102. Note that after transmitting the amount of file data, the server 102 transmits data from the write file by a predetermined size. Specifically, since the server 102 encrypts and transmits data obtained by adding 8 bytes of MIC to 2 KB data, in this step S139, the server 102 waits for reception of the data.

  If “YES” in the step S139, that is, if the data is received, the CPU 34 transmits a page address to be written together with the received data to the memory card 28 in a step S141. Since data of a predetermined size is transmitted from the server 102, the CPU 34 determines a page address for writing the data every time data is received based on the management data, block address, etc. of the flash memory 64. can do. In subsequent step S <b> 143, the CPU 34 issues a dWR_PAGE command to the memory card 28. This dWR_PAGE command is an instruction to write the data transmitted in step S141 to a specified page address.

  In step S145, the CPU 34 determines whether the writing of the file is completed or the writing of one block is completed. Since data is transmitted from the server 102 for each predetermined size as described above, the CPU 34 can calculate the amount of data written (the amount of data transmitted to the memory card 28). Therefore, the CPU 34 can determine whether the written data amount has reached the file data amount or has reached one block. If “NO” in the step S145, the process returns to the step S139, and the data writing is repeated until the file writing is completed or one block writing is completed.

  On the other hand, if “YES” in the step S145, the CPU 34 issues a dlCHG_MODE command to the memory card 28 in a step S147. This dlCHG_MODE command is a transition command for making a transition from the download mode to the game mode. In step S149, the CPU 34 determines whether the writing of the file is completed. If “NO” in the step S149, that is, if writing of one block has been completed but not all of the writing file has been written, the process returns to the step S107 in FIG. 20 to write the remaining data. The process from step S107 in the game mode is performed again. On the other hand, if “YES” in the step S 149, the download process is ended.

  23 to 26 show an example of the operation of the memory controller 62 in the download process. Since the download process is started in the game mode as described above, in FIG. 23, the process from when the power is turned on until the memory controller 62 is placed in the game mode is described as steps S201 to S205. .

  When the process is started, the memory controller 62 sets the mode to the game mode in step S201 in FIG. Data indicating the game mode is stored in the mode storage area 300 of the internal RAM 66.

  Next, in step S203, the memory controller 62 makes the download area 204 and the game area 202 readable only. For example, the memory controller 62 generates data indicating the state of access to each area of the flash memory 64 in the internal RAM 66. In the data, data indicating that the download area 204 and the game area 202 can only be read is set.

  Subsequently, in step S205, the memory controller 62 reads the key 1 and key 3 from the information area 200 of the flash memory 64 into the work area of the internal RAM 66 and decrypts them, and expands the key 1 and key 3 in the key storage area 302. .

  The subsequent processing from step S207 corresponds to the download processing of the memory controller 62. The memory controller 62 determines whether or not the gRD_UID command has been received via the connector 60 in step S207. If “YES” in the step S207, that is, if a command for reading the unique ID is received, the memory controller 62 reads the unique ID from the storage area 220 of the information area 200 in the step S209, and The ID is output to the connector 60. When the gRD_UID command is encrypted and transmitted by scramble or the like, the received data is decrypted to determine whether or not the data is a gRD_UID command. Data output from the memory controller 62 to the connector 60 is given to the CPU 34 via the connector 32 or the like.

  If step S209 ends or if “NO” in the step S207, the memory controller 62 determines whether or not the gRD_IF command is received in a step S211. When the gRD_IF command is encrypted by scrambling or the like, the received data is decrypted to determine whether or not the data is a gRD_IF command. If “NO” in the step S211, the process returns to the step S207.

  On the other hand, if “YES” in the step S211, that is, if a command for reading a random number and a unique ID is received, the memory controller 62 encrypts the random number and the unique ID with the key 1 in a step S213. The memory controller 62 generates a random number in the storage area 304, and the memory controller 62 reads the unique ID from the storage area 220 of the information area 200 to the work area. Also, the key 1 used for encryption has already been expanded in the storage area 302. In subsequent step S215, the memory controller 62 outputs the encrypted random number and unique ID.

  Subsequently, in step S217, the memory controller 62 determines whether a gCHG_DL_MODE command has been received. Since this gCHG_DL_MODE command is issued from the CPU 34 when the server 102 determines that the memory card 28 is a legitimate card, it waits for reception of the command in step S217. When the gCHG_DL_MODE command is encrypted by scrambling or the like, the received data is decrypted to determine whether the data is a gCHG_DL_MODE command.

  If “YES” in the step S217, that is, if a transition command for transition to the DL secure mode is received, the memory controller 62 transitions from the game mode to the DL secure mode in a step S219. The mode storage area 300 stores data indicating the DL secure mode.

  Subsequently, in step S <b> 221 of FIG. 24, the memory controller 62 reads and decodes the key 1 from the storage area 214 of the information area 200 and expands it in the storage area 302 of the internal RAM 66. Note that the key 1 has already been expanded in the key storage area 302, but the key 1 is expanded again in the process of step S221 in order to avoid data replacement due to an accident.

  In step S224, the memory controller 62 makes the entire area of the flash memory 64 inaccessible. For example, the memory controller 62 sets data indicating that access is not possible for all areas in the data indicating the status of access to each area of the flash memory 64.

  In step S225, the memory controller 62 determines whether data (encrypted dsCHG_MODE command) has been received. After the transition to the DL secure mode, the encrypted dsCHG_MODE command is transmitted from the server 102, so that reception of the data is awaited in this step S225.

  If “YES” in the step S225, that is, if data (encrypted dsCHG_MODE command) is received, the memory controller 62 decrypts the received data with the key 1 in a step S227. Since the dsCHG_MODE command is encrypted in the server 102 using the key 1 corresponding to the unique ID of the memory card 28, the dsCHG_MODE command is decrypted using the key 1 in the storage area 302.

  Subsequently, in step S229, the memory controller 62 acquires a block address, a unique ID, and a random number from the dsCHG_MODE command. In the dsCHG_MODE command, the block address to which the downloaded data is written is specified, and the random number and the unique ID output in step S215 are embedded.

  In step S231, the memory controller 62 determines that the acquired unique ID and random number are the unique ID and random number in the memory card 28, that is, the unique ID stored in the internal RAM 66 and the random number stored in the storage area 304. To determine whether or not.

  If “NO” in the step S231, that is, if the transition command to the download mode is not a valid command, the memory controller 62 transitions to the illegal mode in a step S233. The mode storage area 300 stores data indicating the illegal mode. When the transition to the illegal mode is made, the memory controller 62 does not perform the download process, so that unauthorized writing can be prevented.

  On the other hand, if “YES” in the step S231, that is, if the transition command to the download mode is a valid command, the memory controller 62 transitions from the DL secure mode to the download mode in a step S235. The mode storage area 300 stores data indicating the download mode.

  In step S237, the memory controller 62 makes only the block designated by the dsCHG_MODE command accessible. For example, the memory controller 62 changes the memory map of the download area to only the designated block in the data indicating the access status to each area of the flash memory 64, and indicates that only the download area is accessible. Set the data.

  Further, in step S239, the memory controller 62 reads and decodes the key 2 from the storage area 216 of the information area 200, and expands it in the storage area 302 of the internal RAM 66 instead of the key 1. Note that the key 1 is deleted from the key storage area 302 before the key 2 is expanded.

  Subsequently, in step S241 in FIG. 25, the memory controller 62 determines whether a dlRD_IF command has been received. Since this dlRD_IF command is issued by the CPU 34 after transfer of the encrypted dsCHG_MODE command, reception of the dlRD_IF command is awaited in step S241.

  If “YES” in the step S241, that is, if a command for reading a random number and a unique ID is received, the memory controller 62 encrypts the random number and the unique ID with the key 2 in a step S243. The memory controller 62 generates a random number in the storage area 304 and reads the unique ID from the storage area 220 of the information area 200. Then, the random number and the unique ID are encrypted with the key 2 developed in the storage area 302. In step S245, the memory controller 62 outputs the encrypted random number and unique ID.

  Subsequently, in step S247, the memory controller 62 determines whether or not a dlPRT_OFF command has been received. Since the CPU 34 issues the dlPRT_OFF command after transferring the encrypted random number and unique ID output in step S245 to the server 102, the CPU 34 waits for reception of the command in step S247.

  If “YES” in the step S247, that is, if a command for canceling the write protection is received, the memory controller 62 turns off the write protection for the download area 204 of the flash memory 64 in a step S249. Specifically, the memory controller 62 turns off a flag indicating write protection stored in the storage area 306 of the internal RAM 66.

  Subsequently, in step S251, the memory controller 62 determines whether data (encrypted data of 2 KB + 8 bytes) has been received. This data is download data transmitted from the server 102. In addition, a page address to be written by the CPU 34 of the game apparatus 10 is added to the received data.

  If “YES” in the step S251, the memory controller 62 stores the received data and page address in the work area of the internal RAM 66 in a step S253. On the other hand, if “NO” in the step S251, the process proceeds to a step S269 in FIG.

  In step S255, the memory controller 62 determines whether a dWR_PAGE command has been received. Since the dWR_PAGE command is issued by the CPU 34 of the game apparatus 10 after the download data is transferred, the dWR_PAGE command waits for reception of the dWR_PAGE command in step S255.

  If “YES” in the step S255, that is, if a write command is received, the process proceeds to a step S257 in FIG. In step S257, the memory controller 62 determines whether or not the write protection of the storage area 306 is off.

  If “YES” in the step S257, that is, if writing of the downloaded data is permitted, the memory controller 62 uses the key 2 to receive the received data (encrypted 2 KByte + 8 Byte data) in the step S259. Decrypt. The received data is encrypted in the server 102 with the key 2 corresponding to the unique ID of the memory card 28. By this decryption, it is possible to acquire 2 Kbytes of download data and 8 bytes of MIC.

  Subsequently, in step S <b> 261, the memory controller 62 calculates an 8-byte MIC with the key 3 for the decrypted 2 KB data. In this MIC calculation, the unique ID and random number stored in the internal RAM 66 are used as initial values. The calculation key 3 includes a part (shared part) of the key 2 stored in the storage area 302 and the key 3.

  In step S263, the memory controller 62 determines whether or not the calculated MIC matches the decrypted MIC. If “NO” in the step S263, that is, if the downloaded data is recognized as invalid data, the process proceeds to a step S265. In step S265, the memory controller 62 does not execute writing. Therefore, it is possible to prevent illegal data from being written in the download area 204. When step S265 ends, this download process ends.

  On the other hand, if “YES” in the step S263, that is, if the downloaded data is regular data, the memory controller 62 writes the decrypted 2 KByte data in the designated page in a step S267.

  Subsequently, in step S269, the memory controller 62 determines whether a dlCHG_MODE command has been received. This dlCHG_MODE command is issued by the CPU 34 when the writing of the file is completed or when the writing of one block is completed. If “NO” in the step S269, the process returns to the step S251 in FIG. Therefore, the writing of the downloaded data of a predetermined size (2 KB) to the download area 204 is repeated until the writing of the file is finished or the writing of one block is finished.

  On the other hand, if “YES” in the step S269, that is, if a transition command for transition to the game mode is received, the memory controller 62 transitions from the download mode to the game mode in a step S271. The mode storage area 300 stores data indicating the game mode. Further, in step S273, the memory controller 62 makes the download area 204 and the game area 202 in a read-only state in the same manner as in step S203. Since the memory map of the download area is changed to the designated block, the download area 204 is restored based on the boundary data (start address) of each area defined in the information area 200, and the download area 204 is changed to the download area 204. On the other hand, data indicating a state in which only reading is possible is set.

  Further, in step S275, the memory controller 62 decrypts the key 1 read from the storage area 214 of the information area 200, and expands the key 1 in the key storage area 302 of the internal RAM 66 instead of the key 2. When step S275 ends, the process returns to step S207. If writing of the file to be downloaded has not been completed, the download process is executed again from the game mode, and the remaining data is written.

  27 to 29 show an example of the operation of the server 102 in the download process. When the download process is started, the CPU of the server 102 determines whether or not a unique ID and a game ID are received in step S301. In the download process, first, the unique ID and the game ID of the memory card 28 are transmitted from the game apparatus 10 via the network 106, and the reception is awaited in this step S301.

  If “YES” in the step S301, the CPU of the server 102 stores the received unique ID and game ID in the storage area 404 and the storage area 406 of the RAM in a step S303.

  Subsequently, in step S305, the CPU of the server 102 determines whether data (encrypted random number and unique ID) has been received. For the authentication of the memory card 28, the data is transmitted from the game apparatus 10 after the transmission of the first unique ID, so that the reception is awaited in this step S305.

  If “YES” in the step S305, the CPU of the server 102 decrypts the received data (encrypted random number and unique ID) with the key 1 corresponding to the unique ID in a step S307. Specifically, since the received data is encrypted with the key 1 by the memory controller 62 of the memory card 28, the CPU uses the keys 1, 2, and 3 corresponding to the unique ID received first in the storage area 404. The data is read from the database and stored in the storage area 408. Then, the received data is decrypted with the key 1. Thereby, a random number and a unique ID can be acquired, and the acquired random number and unique ID are stored in the storage area 410.

  In step S 309, the CPU of the server 102 determines whether the decrypted unique ID stored in the storage area 410 matches the initial unique ID stored in the storage area 404.

  If “YES” in the step S309, that is, if the memory card 28 is recognized as a regular card, the CPU of the server 102 transmits data indicating that the memory card 28 is a regular card in step S311 to the network. It is transmitted to the game apparatus 10 via 106. When step S311 is completed, the process proceeds to step S315 in FIG.

  On the other hand, if “NO” in the step S309, that is, if the memory card 28 is not recognized as a regular card, the CPU of the server 102 confirms that the memory card 28 is not a regular card in a step S313. The data shown is transmitted to the game apparatus 10. Then, this download process is terminated.

  In step S315 of FIG. 28, the CPU of the server 102 determines whether or not a block address has been received in step S315. Since the block address is transmitted from the game apparatus 10 in response to the transmission in step S311, the reception is awaited in step S315.

  If “YES” in the step S315, the CPU of the server 102 stores the block address received in the step S317 in the storage area 412. Subsequently, in step S319, the CPU of the server 102 generates a dsCHG_MODE command using the block address, the unique ID, and the random number. This dsCHG_MODE command is a transition command for shifting to the download mode. In the dsCHG_MODE command, a block address is specified, and in the download mode, writing to the specified block address is enabled. The dsCHG_MODE command includes the random number and the unique ID stored in the storage area 410.

  In step S321, the CPU of the server 102 encrypts the generated dsCHG_MODE command using the key 1 corresponding to the unique ID. Then, in step S323, the CPU of the server 102 transmits the encrypted dsCHG_MODE command to the game apparatus 10.

  Subsequently, in step S325, the CPU of the server 102 determines whether data (encrypted random number and unique ID) has been received from the game apparatus 10. When the memory controller 62 transitions to the download mode, the random number and the unique ID are encrypted with the key 2 and transmitted to the server 102, so that the reception is awaited in step S325.

  If “YES” in the step S325, that is, if the data (encrypted random number and unique ID) is received, the CPU of the server 102, in step S327, receives the received data (encrypted random number and The unique ID) is decrypted with the key 2 corresponding to the unique ID. The random number and the unique ID acquired in this way are stored in the storage area 410. When step S327 ends, the process proceeds to step S329 in FIG.

  In step S329 in FIG. 29, the CPU of the server 102 prepares a write file. Specifically, predetermined data is read from the download data stored in the database and stored in the storage area 414 of the RAM. The write file may be, for example, a file corresponding to a unique ID, a file corresponding to a game ID, or a predetermined file that does not depend on a unique ID or a game ID. In step S <b> 331, the CPU of the server 102 transmits the file data amount of the write file to the game apparatus 10.

  Subsequently, in step S333, the CPU of the server 102 takes out data of a predetermined size (2 KB in this embodiment) from the write file. The write file data is transmitted separately for each predetermined size.

  In step S335, the CPU of the server 102 calculates an 8-byte MIC for the 2 KB data using the key 3 corresponding to the unique ID. A random number and a unique ID stored in the storage area 410 are used as initial values for MIC calculation. In the subsequent step S337, the CPU of the server 102 adds an 8-byte MIC to the 2 KB data. In step S339, the CPU of the server 102 encrypts the data of 2 KB + 8 bytes with the key 2 corresponding to the unique ID. Note that the unique ID and random number in the storage area 410 are used as initial values for encryption. In step S <b> 341, the CPU of the server 102 transmits the encrypted 2 Kbyte + 8 bytes data to the game apparatus 10.

  In subsequent step S343, the CPU of the server 102 determines whether the transmission of the file is completed or the transmission of one block is completed. Whether the file transmission has been completed or not can be determined based on the data amount of the write file and the accumulated data transmission amount. If “NO” in the step S343, that is, if the transmission of one block is not completed or the transmission of the file is not completed, the process returns to the step S333 to transmit data of a predetermined size. Repeat the process for.

  On the other hand, if “YES” in the step S343, the CPU of the server 102 determines whether or not the file transmission is ended in a step S345. If “NO” in the step S345, that is, if transmission of data in units of one block has been completed but transmission of all data in the write file has not been completed, the process returns to the step S305 in FIG. By repeating the download process when the memory controller 62 is in the game mode, the file is written to the next block. On the other hand, if “YES” in the step S345, the writing of the file is finished, and thus the download process is finished.

  The operation of the backup process of the game apparatus 10 as the security system for the backup area 206 will be described with reference to the flowcharts of FIGS.

  FIG. 30 shows an example of the operation of the game apparatus 10 in the backup writing process. When the writing process to the backup area 206 is started, the CPU 34 prepares data to be written in the RAM 42 in step S401. The data to be written is backup data generated by the CPU 34 in the game process, and is stored in the storage area 510.

  Next, in step S403, the CPU 34 adds parity to the data to be written. As shown in FIG. 15, in this embodiment, data with parity is generated such that each byte data has a format of “7-bit data” + “parity bit (1 bit)”. That is, the first 7 bits of each byte are the generated backup data, and the parity of the first 7 bits is added to the last bit. The generated data with parity is stored in the storage area 512.

  Subsequently, in step S405, the CPU 34 confirms a free area in the backup area 206 and determines a block address to be written. Information such as which area is used in the storage area of the flash memory 64 or which area is an empty area is stored as header information in the information area 200, for example. The management data of the flash memory 64 is generated based on the above, and a free area in the backup area 206 is secured based on the management data, and the block address to be written is determined. The determined block address is stored in the storage area 514.

  In step S407, the CPU 34 issues a gCHG_BK_MODE command to the memory card 28. This gCHG_BK_MODE command is a transition command for making a transition to the backup mode. In this transition command, the block address to be written is specified. The memory controller 62 shifts to the backup mode in response to this transition command, and only the designated block in the backup area 206 can be accessed.

  In subsequent step S409, the CPU 34 issues a write command for writing data with parity to the memory card 28. This write command includes data with parity to be written. For example, data of a predetermined size is attached to the write command so that the data is written by a predetermined size as in the case of writing to the download area 204 described above. In response to this write command, the memory controller 62 writes the data to the designated block in the backup area 206.

  In step S411, the CPU 34 determines whether all of the prepared data has been written or one block of data has been written. Whether the prepared data (data with parity) has been written or not can be determined based on the data amount of the data with parity stored in the storage area 512 and the accumulated data transmission amount by the write command. If “NO” in the step S411, the process returns to the step S409 to repeat the writing by the write command.

  On the other hand, if “YES” in the step S411, the CPU 34 issues a bCHG_MODE command to the memory card 28 in a step S413. This bCHG_MODE command is a transition command for transitioning from the backup mode to the game mode. In response to this transition command, the memory controller 62 transitions to the game mode.

  In step S415, the CPU 34 determines whether all the prepared data (data with parity) has been written. If “NO” in the step S45, that is, if one block of data has been written but data with parity that has not been written remains, the process returns to the step S405 to transfer to the next block. Execute processing for writing. On the other hand, if “YES” in the step S415, the backup writing process is ended.

  FIG. 31 shows an example of the operation of the game apparatus 10 in the backup read process. When the reading process from the backup area 206 is started, the CPU 34 confirms the storage location of the backup data to be read in step S501. Note that the backup data to be read is selected according to a user operation or a program. Information regarding the storage location of each backup data is included in the header information of the flash memory 64, for example.

  Next, in step S503, the CPU 34 determines a block address to be read. The block address to be read is determined from the storage location of the backup data to be read and stored in the storage area 516.

  Subsequently, in step S505, the CPU 34 issues a gCHG_BK_MODE command to the memory card 28. This gCHG_BK_MODE command is a transition command for transitioning to the backup mode. In this transition command, the block address to be read determined in step S503 is designated. In response to this transition command, the memory controller 62 transitions to the backup mode, and only the designated block can be accessed.

  In step S507, the CPU 34 designates a page address to be read and issues a read command to the memory card 28. This read command is a command for instructing reading of data. For example, it is possible to instruct reading of data of a specified page. In response to this read command, the memory controller 62 reads the data of the specified page from the backup area 206. If the read data is valid data, the data is output to the CPU 34.

  In step S509, the CPU 34 determines whether data is received from the memory card 28 or not. As described above, if the read data is valid, the data is output. In step S509, reception is awaited. If it is determined that the data read by the memory controller 62 is not valid, the data is not output after the transition to the illegal mode, so that the backup read processing does not operate normally.

  If “YES” in the step S509, the CPU 34 stores the received data, that is, the read data in the storage area 518 of the RAM 42 in a step S511. In step S513, the CPU 34 determines whether all the data to be read has been read or whether one block has been read. Whether all the data to be read has been read can be determined based on the data amount of the read data and the accumulation of the read data amount by the read command. If “NO” in the step S513, the process returns to the step S507, and the reading process by the read command is repeated.

  On the other hand, if “YES” in the step S513, the CPU 34 issues a bCHG_MODE command to the memory card 28 in a step S515. This bCHG_MODE command is a transition command for transitioning to the game mode. In response to this transition command, the memory controller 62 transitions to the game mode.

  In step S517, the CPU 34 determines whether all data to be read has been read. If “NO” in the step S517, that is, if reading of one block is completed but data to be read remains, the process returns to the step S503 to execute a process for reading the next block. . On the other hand, if “YES” in the step S517, the backup reading process is ended.

  32 and 33 show an example of the operation of the memory controller 62 in the backup process. In step S601 in FIG. 32, the memory controller 62 determines whether or not a gCHG_BK_MODE command has been received. This gCHG_BK_MODE command is a transition command to the backup mode. If “NO” in the step S601, the backup process is ended.

  On the other hand, if “YES” in the step S601, the memory controller 62 transits from the game mode to the backup mode in a step S603. Data indicating the backup mode is stored in the mode storage area 300 of the internal RAM 66. In subsequent step S605, the memory controller 62 makes only the block designated by the gCHG_BK_MODE command in the backup area 206 accessible. For example, the memory controller 62 stores data indicating the state of access to each area of the flash memory 64 in the internal RAM 66, changes the memory map of the backup area 206 to only the designated block in the data, and Only the area is set with data indicating that it can be accessed.

  Then, the memory controller 62 executes processing according to the command received in the backup mode. That is, in step S607, the memory controller 62 determines whether a write command has been received. If “YES” in the step S607, the memory controller 62 writes the data received together with the write command in the block of the backup area 206 designated by the transition command in a step S609.

  In step S611, the memory controller 62 determines whether or not the bCHG_MODE command has been received if step S609 is ended or if “NO” in the step S607. If “YES” in the step S611, that is, if a transition command to the game mode is received, the memory controller 62 transitions from the backup mode to the game mode in a step S613. The mode storage area 300 stores data indicating the game mode. Subsequently, in step S615, the memory controller 62 makes the backup area 206 inaccessible. For example, in the data indicating the access status to each area of the flash memory 64, the memory map of the backup area is restored and data indicating that the backup area 206 is inaccessible is set. When step S615 ends, the backup process ends.

  On the other hand, if “NO” in the step S611, the memory controller 62 determines whether or not a read command is received in a step S617 in FIG. If “YES” in the step S617, the memory controller 62 determines whether or not the page specified by the read command is in an accessible block in a step S619. The accessible block is a block in the backup area 206 specified by the transition command to the backup mode. By this determination, it is possible to perform a parity check only on data for which appropriate read designation has been performed, and it is possible to eliminate an illegal read command.

  If “YES” in the step S619, the memory controller 62 checks the parity of the page designated by the read command in a step S621. Specifically, the memory controller 62 reads the designated page data into the work area of the internal RAM 66, calculates the first 7 bits of parity of each byte, and compares the calculation result with the last bit of each byte.

  In step S623, the memory controller 62 determines whether the parity check result is correct. If “YES” in the step S623, that is, if the calculated parity bit and the final bit are equal for all bytes, the memory controller 62 outputs the data of the designated page to the CPU 34 in a step S625. .

  On the other hand, if “NO” in the step S623, that is, if even one byte in which the calculated parity bit and the final bit are not equal is detected, it is recognized that the data to be read is illegal. Therefore, the memory controller 62 transitions to the illegal mode in step S627. The mode storage area 300 stores data indicating the illegal mode. When transitioning to the illegal mode, the memory controller 62 does not output the read data. Therefore, illegal data can be prevented from being read and used.

  If “NO” in the step S617, if “NO” in the step S619, or if the step S625 is ended, the process returns to the step S607 in FIG.

  In the above-described embodiment, the download area 204 is provided in the flash memory 64 of the memory card 28 that can be attached to the game apparatus 10. In other embodiments, the flash memory 64 is provided in the housing 16 of the game apparatus 10. And the download area 204 may be provided in the flash memory 64. In that case, the memory controller 62 is also provided in the housing 16. Similarly, the backup area 206 may be provided in the flash memory 64 in the housing 16 of the game apparatus 10. When the flash memory 64 is built in the housing 16 of the game apparatus 10, the unique ID may be identification information of the game apparatus 10.

  In each of the above-described embodiments, the keys 1, 2 and 3 corresponding to the unique ID of the memory card 28 are prepared and stored in the flash memory 64 and the server 12 in advance in order to use encryption for each memory card 28. I did it. However, in another embodiment, encryption for each game title (game program) or application type (application program) may be used, in which case the key 1 corresponding to the game ID (application ID), 2 and 3 are prepared and stored in the flash memory 64 and the server 12 in advance. Then, at the time of encryption and decryption, a key corresponding to the game ID is used.

  Further, in each of the above-described embodiments, the flash memory 64 is provided with two write areas, the download area 204 and the backup area 206, and the stepwise security by mode transition and write data encryption for one of the download areas 204. The other backup area 206 is protected by the write data format. However, in other embodiments, only one of the write areas may be provided in the flash memory 64.

  Although the present invention has been described and illustrated in detail, it is clear that it has been used merely as an illustration and example and should not be construed as limiting, and the spirit and scope of the present invention are attached Limited only by the wording of the claims.

DESCRIPTION OF SYMBOLS 10 ... Information processing apparatus 62 ... Memory controller 64 ... Flash memory 100 ... Download security system 102 ... Server 106 ... Network

Claims (17)

An information processing system including a server and a storage unit, and an information processing apparatus that downloads data from the server and writes the data to the storage unit,
The server
Encryption means for encrypting a first transition command for making the information processing apparatus transition to a writable mode in which the storage means can be written ;
Includes data transmission means for transmitting transition command transmitting unit that sends the first transition command encrypted to the information processing apparatus, and the data to the information processing apparatus,
The first transition command includes an address of the storage means designated for writing the data,
The information processing apparatus includes:
Decryption means for decrypting the encrypted first transition command transmitted from the server;
When the information processing apparatus transitions to the writable mode in response to the first transition command decrypted by the decryption means, the data can be written so that only the designated address in the storage means can be written. And a download security system further comprising: writing means, and writing means for writing the writable data to the designated address. The write enable means, said to from the specified address in the writable certain range, downloading security system of claim 1, wherein. The server stores a first key for encryption of the first transition command and a second key for encryption of the data different from the first key;
The encryption means encrypts the first transition command using the first key,
The data transmission means transmits the data encrypted using the second key;
The storage means stores the first key and the second key;
It said decoding means, the first transition command, which is the encrypted decrypted by using the first key,
3. The download security system according to claim 1, wherein the writing unit decrypts the data using the second key in the writable mode and writes the data into the storage unit. 4. The server further stores a third key for message digest authentication of the data;
The data transmission means encrypts the data with the authentication symbol generated using the third key added using the second key, and transmits the encrypted data.
The storage means further stores the third key,
The writing means decrypts the encrypted data using the second key in the writable mode, and writes the data when the decrypted data is authenticated using the third key. The download security system according to claim 3 . The download security system according to claim 4 , wherein the third key is a key obtained by replacing a part of the second key. The information processing apparatus in the normal mode, a command for accessing said storage means, further comprising a normal encryption means for encrypting a different algorithm from the encryption means, to any one of claims 1 to 5 The download security system described. The information processing apparatus causes the application execution mode, a command for accessing said storage means, further comprising a normal encryption means for encrypting a different algorithm from the encryption means, any one of claims 1 to 5 Download security system described in. The information processing apparatus further includes a write issuing unit that issues a write command for instructing the writing unit to write,
The download security system according to any one of claims 1 to 7 , wherein the writing unit writes the data into the storage unit in response to the write command in the writable mode. The storage means stores identification information of the storage means,
The information processing apparatus includes identification information transmitting means for transmitting the identification information stored in the storage means to the server,
The server stores a plurality of first keys for encryption of the first transition command associated with a plurality of the identification information,
Said encryption means, the first using a key, the first transition command to encrypt, downloading security system of claim 1, wherein corresponding to the identification information of the storage means. The storage means stores identification information of an application program stored in the storage means,
The information processing apparatus includes identification information transmitting means for transmitting the identification information stored in the storage means to the server,
The server stores a plurality of first keys for encryption of the first transition command associated with a plurality of the identification information,
It said encryption means uses the first key corresponding to the identification information of the application program received, the first transition command to encrypt, downloading security system of claim 1, wherein. The storage means has a first area and a second area,
The writing means performs writing by the writing means in the writable mode that has transitioned according to the first transition command only to the first area, and writing by the writing means to the second area. The download security system according to any one of claims 1 to 10 , wherein writing different from that is performed. The download security system according to claim 11 , wherein the storage unit stores boundary data of the first area and the second area. It said storage means and said writing means, provided in the storage medium mounted on the information processing apparatus, downloads a security system according to any one of claims 1 to 12. In a download security system including a server and an information processing device that downloads data from the server, a memory controller that controls writing to storage means for storing the downloaded data,
The sent from the server to the information processing apparatus, decoding means for decoding the first transition command encrypted including an address of said storage means designated for writing the data,
Transition means for transitioning to a writable mode writable in the storage means in response to the first transition command decoded by the decoding means;
Write enable means for enabling writing of the data only to the specified address when transitioning to the writable mode in response to the first transition command, and the data that has become writable A memory controller comprising writing means for writing to an address. A server connectable to an information processing device including a storage means for storing downloaded data;
Encryption means for encrypting a first transition command for making the information processing apparatus transition to a writable mode in which the storage means can be written ;
A data transmission means for transmitting transition command transmitting unit that sends the first transition command encrypted to the information processing apparatus, and the data to the information processing apparatus,
The server, wherein the first transition command includes an address of the storage means to which the data is written in the information processing apparatus that has transitioned to the writable mode. An information processing apparatus used in a download security system including a server, storage means for writing data downloaded from the server, and control means for controlling writing of the storage means,
When the encrypted first transition command for transitioning the control means to a writable mode writable to the storage means is received from the server, the first transition command is decrypted and given to the control means Command providing means,
A data providing means for giving the data to the control means when the data is received from the server; and a write issuing means for issuing a write command for the data to the control means,
The first transition command includes an address of the storage means designated for writing the data,
Write enabling means for enabling writing of the data only to the designated address when the information processing apparatus transitions to the writable mode in response to the first transition command, and the data that has become writable An information processing apparatus including writing means for writing the address to the designated address. A security method in an information processing system including a server and a storage unit, and an information processing apparatus that downloads data from the server and writes the data in the storage unit,
An encryption step of encrypting a first transition command for causing the server to transition the information processing apparatus to a writable mode in which the storage means can be written ;
Transmitting an encrypted first transition command to the information processing apparatus;
The server transmitting the data to the information processing apparatus;
Decoding step for decoding a first transition command encrypted contains the address of the the said storage means designated for writing the data,
When the information processing apparatus transitions to the writable mode in response to the decrypted first transition command, the step of allowing the data to be written only to the designated address, and the writable A security method comprising writing data to the designated address.

Images