I recently noticed the above relationship between posts-per-year and family size.
This is Paul Matti, born 2012-03-05 (07:01am). He turned one today, and his sister also thinks that he is awesome.
Vulnerabilities are like good ideas - you’re rarely the first one dealing with it. Some vulnerabilities are almost classic, so I’ll proudly present: 7 old but surprisingly useful bugs that might also affect YOUR device.
(With “you” either being the designer or attacker.)
Just to be clear: none of these exploits are rocket science. This is kind of the “low tech” hacking approach - no fancy oscilloscopes required, no DPA involved, no FIB to rent.
Some hackers say Sony wants to deter customers from modifying the PlayStation3. Is that true? No, there’s a real misnomer there, we embrace independent game development; if you call that hacking, then we embrace that. We give people tools that let them create new experiences. What I don’t think we are in support of is someone trying to hack our device to pirate software and possibly collapse the platform.
As described in this post on ASSEMblergames.com and in this post, there is still a secret left that needs to be lifted for the newer “Type 3” triforces.
As a short summary, the new type triforce is probably a cost reduction of the old hardware. As part of this cost reduction, handling of the GDROM and security PIC, which was previously implemented in an SH-4 CPU, was “removed”. The network stuff was now handled separately on a MIPS cpu, but several strings that are proven to exist do not exist anymore in the flash rom, at least not as plaintext.
Remember 10years ago? I do!
Recently mist came up with an update of his 2005 slide summarizing the effects of a number of hacks that started benign and ended up, well, not so benign. While I this kind of meta-discussions are not really my métier, an interesting discussion was started in the comments.
I don’t want to re-start this discussion. The major points have been made, from both sides. One of my points, though, that is an important foundation for this discussion, is my belief that most hacks, regardless of being benign or not, have not been made by a commercial party.
The WhatsInside post from January was not an incidental post. It is actually snapshot of a much longer forensic investigation to find the ground truth behind some of the technology behind Tektronix’ scope accessories.
Pun aside - In October 2009, I’ve got a new scope, a Tektronix DPO4034. It’s a scope in the $8k range, so while not exactly low-cost, you don’t need a mortgage on your home to buy it.
I mean - it was a really cool thing, until it failed. The low price tag most certainly wasn’t the reason for the ultimate failure of this gadget, it was me, mis-operating. Raw force is usually a solution - this time, it wasn’t.
I’m cheap. Most of my switches aren’t manageable. I know that they are cheap now. My switches are still cheaper.
On the other hand, I recently required a device on a separate network. Having just one NIC on my linux machine, I naturally wanted to use VLANs for that; all it needs is a switch in VLAN mode, where each of the ports (except for one, the “master” port) is on a separate VLAN.
On Tuesday, Microsoft has released an Xbox 360 software update that overwrites the first stage bootloader of the system. Although there have been numerous software updates for Microsoft’s gaming console in the past, this is the first one to overwrite the vital boot block. Any failure while updating this will break the Xbox 360 beyond repair. Statistics from other systems have shown that about one in a thousand bootloader updates goes wrong, and unless Microsoft has a novel solution to this problem, this puts tens of thousands of Xboxes at risk.
07: ffff000000000f00 08: 000f000000000f00 09: 00ffff0ffff00ff0 10: 000f000f0f0f0f0f 11: 0000ff0f0f0f0ff0
I’m sitting on this for a while now, and it didn’t change a lot. That means it’s either 100% finished or completely useless. It’s a python script which talks to the NetDIMM board on a Triforce/Naomi/Chihiro, and implements the “Satellite” protocol for uploading and running games. I dunno if it really works.
Here it is:triforcetools.py
Introduction Abstract In this series of articles, I will talk about the design, implementation and fall of an optical media authentication used on a popular, but past, gaming console. I will show that it’s possible to reverse engineer such stuff without access to expensive equipment or insider information.While I will not talk about practical implementation of attacks against the discussed scheme, I will show that this has been done, and I will analyze how this has been done.
[I’ve started writing this a few days after the last post. I was still waiting for some things to develop, but I’m a bit out reach at the moment, so this might take some time. So this post isn’t as finished as I hoped it it would be. But these “news” already started to smell funny.]
In the first 3 parts I explained how I could modify the Gamecube board inside the Triforce to dump the plain game images.
Step 1: $40k overpriced LA (could be replaced easily with a $150 FPGA board), some wires
Step 2: 20 lines of python code
Difference between those? Just some simple XOR and ADD.
Ok, now a better step-for-step description what’s this all about.
As you might have seen, GDROM-games for the Naomi/Triforce/Chihiro come with a security chip, which has to be plugged into the “DIMM Board”. The “DIMM board” is, as previously explained, in charge for loading and decrypting the GDROM data.
I’ve spent some time on understanding the exact protocol spoken to the baseboard. Thanks to dolphin, I could run the software (for example, media board bios) and log all EXI/SI transfers. More details later, but I could replay them on the Triforce, thus grabbing the right responses, and emulating them properly in dolphin.
There is still a lot left to do, of course. :) The media board emulation is more than incomplete (it only emulates reads, so far), and there is no JVS IO yet.
I almost forgot to write about the successful execution of Task 3:
I basically patched the SegaLoader (i.e. the Media Board payload) to break after initializing the GD-ROM, i.e. after reading the GD-ROM into Dimm-Board’s memory. Then I just repeated the steps I did for dumping the Media Board (after the Media Board is switched into “Dimm Board”-mode, the same read commands will read the data from the DIMM Board instead of the onboard flash).
The Media Board contains an FPGA which interfaces to the DI bus, i.e. replaces the DVD-ROM. However, A quick test shows that the original DVD commands don’t work. Here the modchip’ed triforce comes handy again: The qoob bios leaves the original bootrom (i.e. the triforce IPL) at 0x81300000. I could then upload my own test tool via network, patch the IPL (for example I’ve redirected OSReport to the screen and to the USBGecko), and let it run.
I’ve already described that the heart of the beast is a basically unmodified retail Gamecube board. Rumors tell it has 48MB of (MEM1-)RAM, but based on the memory chip quantity and description, I cannot confirm that - they exactly match a retail Gamecube. As a side note, games seem to be 512MB max. I won’t give any further comment about the possible implications of these facts ;).
However what is modified versus a retail Gamecube board is that a different IPL is installed.
What is “The Beast”? Other than what you find on wikipedia, the Triforce can be described as a tweaked Gamecube.
The heart is a standard, retail Gamecube board, allegedly with twice the amount of MEM1, and a custom IPL. Instead of the DVD drive, the Triforce has a Sega-developed “media board” which interfaces to a “DIMM board”. The “DIMM board” is an embedded computer running VxWorks. It has a large amount of buffer RAM (my unit has 512MB), and interfaces to a NAOMI GD-ROM.
EDIT: This post was - seriously - posted before I’ve read “<Ch0p> the owner of datel electronics just made a $1000 donation to wiibrew“. However, I still believe my objections are valid. Anyway, Datel, thank you (a LOT) for supporting wiibrew.
Thank you, Datel, for all your precious hacker tools. You call them “videogame enhancement products”, which is probably as what most people see them, but I call them “hacker tools”, and that’s a compliment.
After bushing had shown the first homebrew exploit, a lot of stuff has happened in the Wii-world. The exploit was based on a hole in the disc hashing&verification, but the original finder (segher) decided that he doesn’t want the bug to be published. While this caused some controversy, the reason behind this was that the hole could be patched very easily in a future firmware version, as no original function relies on it.
The 24c3 is over now, and we really had a lot of fun. We brought 6 of our Xboxes, which allowed us to grab attention from quite a lot of people in the hackcenter :).
bushing showed a nice Wii hack we had been developing in the last few weeks (though I mostly did watch the show). Ben has been burning like 50 DVDs or so, which all did different things from doing nothing at all to immediately freezing the system, but like 30 min before our lecture, he made it working!