Pippin authentication dongle

A Pippin authentication dongle, used by developers.

Pippin authentication (sometimes called “authentification”) uses a RSA cryptosystem in which only CD-ROMs that have been "authenticated" can be run by Pippin consoles.

Developer submission processEdit

Pippin Authentication process

The Pippin Authentication process by Apple Computer.

A software candidate was submitted by the developer to Apple Computer or one of its licensees, such as Bandai or Katz Media for official approval. Once approved, the contents of the CD-ROM were "digested" through a proprietary hashing algorithm to create a unique digital signature in the form of a "PippinAuthenticationFile" to be included on the published disc. The private key that generated it was maintained in a "safe" computer at Apple.[1] The developer paid an "Authentication Handling Charge" (AHC) to Bandai, which was shared with Apple, to cover the cost of authentication processing at the disc "Stamping House". Developers of launch titles were incentivized by having this fee 100% discounted for the first year.[2]

Disc authentication processEdit

Pippin disc loading screen

Failure of Pippin authentication will cause the disc to be ejected.

Standard consumer Pippin Atmark and @WORLD consoles contain a revision 1.0 or 1.2 ROM that authenticates the boot CD-ROM upon startup.[3] A routine stored in 'rvpr' resource 0 is loaded from the Pippin ROM and looks for an invisible "PippinAuthenticationFile" in the root directory of the boot volume of the CD-ROM. Then the first 128KB of the boot volume is read, followed by spot-checks of 128KB chunks from five random locations within the volume. The data from those six locations are hashed with a public key from the Pippin ROM and compared against corresponding portions of the complete digital signature contained in "PippinAuthenticationFile". A failure at any stage would cause the Pippin console to eject the disc before completing the boot process. The first 128KB chunk to be checked also contains the Master Directory Block of the CD-ROM. This step appears to be intended to defeat conventional attempts to modify the disc's contents after it has been authenticated by Apple.[4] This does not prevent backup copies from being made, as an exact duplicate of a disc with a valid "PippinAuthenticationFile" will boot normally under most circumstances.[5][6]

Kinka ROM 1.3

Pippin ROM revision 1.3

This process is skipped if an authentication dongle is attached, and is absent on consoles with a pre-release developer ROM, allowing non-authenticated CD-ROMs to load.[3][7][8] Revision 1.3 ROMs in the Katz Media Player 2000 contain the 'rvpr' resource,[4] but do not perform the authentication check. However, revision 1.3 ROMs do not support booting from drives other than the internal optical drive at SCSI ID #3.[3][9][10]


  1. Technical Notes: Pippin Authentication, version 003, Apple Computer. 1996-05-10.
  2. Pippin Developer Newsletter No. 3-1 (Japanese), Atmark Channel. 1995-10-25. Archived 1998-05-08.
  3. 3.0 3.1 3.2 Exploring the Pippin ROM(s) by Keith Kaisershot, 2018-06-07.
  4. 4.0 4.1 Exploring the Pippin ROM(s), part 6: Back in the ‘rvpr’ by Keith Kaisershot, 2019-02-17.
  5. Les ROMs de la Pippin (French) by Pierre Dandumont, Le Journal du Lapin. 2016-07-02.
  6. Un lecteur CD plus rapide dans la Pippin (avec la ROM 1.3) (French) by Pierre Dandumont, Le Journal du Lapin. 2016-10-22.
  7. Demystifying the Bandai Pippin Developer Dongle, Peter Wong. 2010-04-29.
  8. Dongle Rumor by Kankoba, Maison PiPPiN. Archived 2009-08-05.
  9. Hacking the Pippin by Phil Beesley, Vintage Macintosh. 2007-10-22. Archived 2017-08-17.
  10. Useful Notes / Pippin, TV Tropes. Accessed 2017-04-12.

See alsoEdit

External linksEdit