Cont. from >>47594699
Last thread we discussed modern consoles. Let's continue.
This is pure tech.
Other embedded hardware is also welcome.
From last thread
There's a dual core ARM11, ARM9 and ARM7. The ARM9 and 7 also include the GBA/DS hardware in them.
3DS mode uses the ARM11 for the OS and apps and the ARM9 for security and I/O. DS(i) mode uses the ARM9 and 7 for games and the ARM11 for some other misc. stuff. Same with GBA, but the ARM9 isn't used.
The system has firmwares for each mode.
PPC does the OS while the ARM does security and some I/O.
FPGAs are convenience tools for these purposes. They're like ASIC but reprogrammable. They can be programmed to do I/O or feed data to something.
>make a thread and a second thread about error handling in Pokemon R&B
>shit gets so interesting other people start making more threads
Didn't think my thread would get such an impact.
Good to know that this fucking board isn't just about cancerous homescreen/desktop/battlestation...etc threads
This will probably die off, unless people start making minor projects 4fun on older hardware.
Like making a GameBoy Color Mod that lets you change the colour of LED lights, like the GBC did with GB games when it booted to the Nintendo Logo.
Holy shit, that work he had to put into just to get that messagebox gone.
Even had to buy another GPS to get it done since the one he owns did not have an exposed JTAG.
Very interesting read.
I heard some guy forked the dolphin project to emulate the Wii U. Is this serious?
I used to play around a lot with gameshark as a teen, finding new cheats by searching the memory was fun, even more fun when I started opening up memory editors in emulators and was able to read which value was which just from looking at them change.
One interesting thing is that the GBA Pokemon games had regular static memory while Fire Red and Leaf Green had some dynamic thing that moved the memory around and made cheats almost impossible. Somebody had to find a code to make the memory stay in place before being able to start working on the addresses.
Can you expand on the part you mentioned about making the memory stay in place? The same happens with computer games and I wonder how people manage to make trainers if the memory is dynamic.
I'm not an expert, all I remember was that they just set the random number generator to a fixed value and that was enough to stop the memory from jumping around.
Of course it also meant that random events weren't really random anymore as long as the code was active
The PS3 has a hypervisor on top of the running OS. The hack for it involves putting code in the USB device descriptor so when the hypervisor tries to read it the code executes on the hypervisor, which basically has access to the entire system.
The best thing, however, is that Sony fucked up on the RNG for their private keys, allowing them to be calculated. You know what happens next. Also affects the PSP.
(I think this is the gist of it. Not sure how accurate this is)
Maybe it had something to do with ASLR?
AFAIK what ASLR does is randomize the address space, and if it used a random number generator that you could change to make it always generate the same number it would render ASLR ineffective?
>Not the browser exploit
Generally we have a new WebKit exploit and a kernel exploit.
The game probably implemented something like that. The term usually refers to the kernel's implementation though.
Yes. I wonder if Metroid II used dynamic memory. Probably not.
I recall reading in one of these threads that the GB actually had virtual memory?
I wonder if the assembler used had structs or if they just used arrays like one fellow suggested.
For how long?
Well yeah. It could only access 64k at a time so it used bank switching.
DMA is Direct Memory Access, which allows hardware like a GPU to access memory without going through the CPU in order to save cycles.
Someone was talking about how controlling the GPU gives you control of the system since it doesn't do any checking on where you write.
ah here we go, found an article explaining the DMA:
>In this lesson, I'll be introducing you to the scourge of hackers everywhere: Direct Memory Access (DMA). Why? I'll explain.
>Normal RAM hacking relies heavily on the fact - whether you realise it or not - that the data you are searching for is static (stays in the same place), at least for the duration of the search (this doesn't include games where addresses are different for each level - though this is a less drastic variation of this).
>Now, to combat hackers, some games store data in dynamic locations - i.e. it is moving constantly, e.g. whenever you open a menu. Such games are the latest in the Megaman Series, and the newly released Pokemon Fire Red and Leaf Green.
>The method is called DMA, as this is the name of the BIOS function which allows the transfer of large amounts of data with a few instructions (it is usually used for inter-device communications, or for sound data).
>This presents a huge problem to us - it can be circumvented by finding points in the game where data is always stored in the same place, for example in Pokemon FR there is a small weakness to their scheme - I can't go into details at the moment, however once the US version is out I will be able to release this information.
>The weakness to this scheme is thus: Somewhere in the RAM, there must be a value that tells the game where the data in question is currently stored (a pointer). We can modify this value so that the data stays in the same place, or (the usually more reliable method) modify the ASM that affects this value to keep it in one place.
That was the flaw with the MMU on the 3DS. Regardless, GPU can only write to a small portion anyway, so they started moving things out of there.
This means DMA is used/abused to provide an ASLR-like function. DMA isn't directly related to this.
No they edit RAM or scan memory or something. There could be many methods.
I hope someone knows what I'm talking about, on a PSP there was some exploit that worked by you loading a picture, does anyone know it and how it works?
Another thing, the custom firmware you could install, how did people manage to dump the original firmware and modify it? I guess they get it because you can download the updates but how did they modify it, does it have any sort of protections?
There was a mistake in the parsing code and it's vuln to a buffer overflow I guess.
I guess the updates had signatures but once you have a kernel exploit it doesn't really matter.
What do you mean about updates having signatures? I'm talking about CFW, how did they modify it to run games or homebrew.
And yeah that's the TIFF exploit I was talking about thanks.
It was a TIFF exploit and the weaponized version was chickHEN (HEN=Homebrew ENabler). The original CFW was more or less OFW modified to give access to dev settings and adding in a few minimal modules to allow custom features.
Sony released the OFW updates as pbp files. After properly dumping them and reverse engineering they started writing code for it. As I recall they either somehow stole a dev kit or reversed the Sony official one so they could write their own CFW. As it stands currently writing code for PSP is as easy as writing it in C https://en.wikibooks.org/wiki/PSP_Programming
The firmware itself is encrypted or something?
If they had to reverse engineer it, they only had to do it to the parts they needed to change and modify it with assembly right?
Additionally you can find source code for CFW here that will give you some clue as to how they did it https://code.google.com/p/procfw/source/checkout
I don't believe so, as I recall Sony was pretty lax with the security of the firmware so it was probably just a packaged version of some compiled installer code. The original "mods" didn't actually add anything to the PSP; they focused on getting it to reinstall the official 1.5 firmware that didn't signature check executable code. After Sony more or less permanently got rid of 1.5 compatibility, that's when CFW became attractive. Which is where the modding scene picked up and started building on top of the already existing firmware.
So they built on top of official firmware, did they have to reverse engineer the OFW and rewrite it?
>compiled installer code
Do you mean the compiled firmware or am I misunderstanding it?
so are they just using the DMA controller to perform hardware accelerated memcpy to random areas of memory in order to obfuscate the memory contents from live debugging?
that seems rather pointless, because pointers that are pointing into the chunk of memory must be stored somewhere that's not being moved around randomly. Once you have a single pointer into a single value in the chunk, it seems to me that you'd be able to deduce relative offsets into other values that are also in that chunk.
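The relocation scheme in the quoted article, and the point made just above that a pointer into the moved chunk gives you every other field by relative offset, modelled as an added C example (not code from the thread or from any game; the struct layout, arena size and LCG are constructed for the illustration):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the relocation scheme quoted above: the game keeps its
 * save block in an arena and copies it to a new spot whenever a menu opens.
 * Struct layout, arena size and RNG are invented for this illustration. */
#define ARENA_BYTES 4096

typedef struct {
    uint32_t money;
    uint16_t party_hp[6];
} SaveBlock;

static uint32_t g_arena[ARENA_BYTES / 4];  /* 4-byte aligned backing store */
static SaveBlock *g_save_ptr;              /* the one cell that never moves */
static uint32_t g_rng = 0x1234;            /* the game's own LCG state */

static uint32_t game_rand(void) {
    g_rng = g_rng * 1103515245u + 12345u;
    return g_rng >> 16;
}

void game_init(void) {
    memset(g_arena, 0, sizeof g_arena);
    g_save_ptr = (SaveBlock *)g_arena;
    g_save_ptr->money = 3000;
    for (int i = 0; i < 6; i++) g_save_ptr->party_hp[i] = (uint16_t)(100 + i);
}
const void *current_save_address(void) { return g_save_ptr; }

/* "Open a menu": pick a new 4-aligned slot, move the block there and zero the
 * old region (as a reused heap would), so a stale address reads garbage. */
void game_open_menu(void) {
    size_t slots = (ARENA_BYTES - sizeof(SaveBlock)) / 4;
    SaveBlock *dst = (SaveBlock *)(g_arena + game_rand() % slots);
    if (dst == g_save_ptr) return;
    SaveBlock tmp = *g_save_ptr;               /* copy out, then release old */
    memset(g_save_ptr, 0, sizeof(SaveBlock));
    *dst = tmp;
    g_save_ptr = dst;
}

/* Cheat A: an absolute address found by a RAM search before the menu opened. */
uint32_t read_money_static(const void *addr_found_by_search) {
    return ((const SaveBlock *)addr_found_by_search)->money;
}

/* Cheat B: read the pointer cell first, then apply the struct offset. Once one
 * field is found this way, its siblings sit at fixed offsets from the same base
 * (party_hp[2] is at base + offsetof(SaveBlock, party_hp) + 2 * 2). */
uint32_t read_money_via_pointer(void) {
    uint32_t v;
    memcpy(&v, (const uint8_t *)g_save_ptr + offsetof(SaveBlock, money), sizeof v);
    return v;
}

/* The other reply's trick: reset the RNG before each move, so the "random"
 * destination is always the same slot and the block stops moving. */
void game_open_menu_pinned_rng(void) {
    g_rng = 0x1234;
    game_open_menu();
}
```

After one menu open the address found by a static search reads zero while the pointer-following read still returns 3000; with the RNG pinned, repeated menu opens leave the block where it is.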
This is all coming from some really old memories I have from being in the PSP scene ages ago, but as I recall, they kept the core firmware, but the PSP uses an init system known as the Initial Program Loader or IPL. The IPL loads a set of files on boot and then uses them for functioning. Being very clever, after downgrading to 1.5 became less beneficial, modders developed their own IPL and then began developing modules that their IPL could launch (ISO loader, plugin support, CPU over/underclocking).
Oh, so they only reverse engineered the core (and rewrote it I suppose?) and then wrote completely new code on top of it.
Thanks dude, since you were on the psp scene can you share some other stuff related to console hacking?
In general, is it safe to assume that most hacking/glitching can be done just by changing the pointers or values of memory addresses?
How do you ensure that the address in memory that you're targeting will be read? Doesn't it change every time it's run? For example, if I have a simple C++ program that prints a pointer to memory for a variable, it would always print different memory addresses every time I run the application.
Well the PSP scene is what I know a fair amount about. I knew a little bit about Wiis, Xbox (original) and PS2s. I can tell you that if you don't own an original modded Xbox you are missing out on one of the best consoles of all time. It's basically just a nice Pentium computer that you can plug into your TV in a nice case.
Since you know about PSP, do you know how the savegame encryption was found? How did people find out how to decrypt and encrypt save games to modify them? There are a lot of secure encryption algorithms; why doesn't the PSP use those, are they too slow?
Why the need to encrypt savegames in the first place, were they already expecting people to use them on buffer overflow exploits?
My guess is that the PSP was always intended to be a portable console and this being a time before cloud services were a thing Sony opted for the best of both worlds. They made an encryption module custom to the PSP so that the saves could only be opened by a PSP, but didn't do any user specific locking so that the saves would be portable to the user. Now most of this post is pure speculation, but I figure the way they did it was simple. They probably just monitored a game and when it dumped to the memory card looked at how it differed from in memory. You can find somewhat useful information on the subject here http://www.qj.net/qjnet/psp/psp-homebrew-savegame-deemer-v111/page-2.html. I'm also assuming they encrypted the savegames to make it hard for a user to copy a save file to their computer and cheat a game. Though why anyone would do this when most of the save game things for PSP had to do with single player is completely up to your imagination. As for the encryption algorithm I'm guessing Sony (as it often does) figured security through obscurity would be fine.
Thanks dude that makes sense.
What about the PS3 >>47641127 if I understand correctly the PS3 would use signing using a private key, and they screwed up the random number generator, so that using the public key people found the private key and could use it to sign anything.
Am I understanding it correctly? If so, could one instead of finding the private key just generate another key pair, use the generated key pair to sign any homebrew and just switch the public key the console used? I'm almost sure I'm making a big confusion.
Sony used a proprietary memory card so you couldn't plug it into a PC, and when you do transfer content, you use the Vita to pull data from Content Manager on the computer. AFAIK you actually can't move data to and from the Vita using the computer. On either the PC or Vita side or both the programs are checked for authenticity.
I know that at least once (but I'm pretty sure it's been done on a few different firmwares) some project(s) got unsigned PSP software to run. To my knowledge, no actual Vita homebrew has been possible yet.
Holy shit I'm an idiot, they weren't key pairs used to sign stuff, they were simply decryption keys for firmware updates.
Anyway, any reason the guys who first got the keys didn't plan to release them?
>Anyway, any reason the guys who first got the keys didn't plan to release them?
Because Sony, http://www.engadget.com/2011/01/12/sony-follows-up-officially-sues-geohot-and-fail0verflow-over-ps/
Don't know what to post, so how about some 3DS savedata stuff?
On top of being stored in an EEPROM chip (or for some games, the main NAND chip itself) inside a cart with encrypted communications protocol, the save is encrypted and has an AES MAC in it. The key used for encryption is
Hit submit before the above is finished.
Cont. from >>47653178
is derived from the CARD ID and the keys inside the system (exact method differs between versions). What it does is take that ID then put it in a keyslot (3DS has multiple keyslots for hardware encryption/security engines), of which there already is another key there (this pair is referred to as keyx and keyy). Then, the hardware keyscrambler runs both through an unknown algorithm to generate the final normal key, which is used to encrypt and generate the AES MAC used for authentication.
The save data is a complete filesystem. Directories and files are written and read by the game after the system mounts it. It also has another partition for redundancy.
Are companies getting more creative with their security?
Newer consoles seem to have less of a modchip scene than the old ones so that could be a sign of the end of an era.
Not that there's much content without online jewing anyway though.
xbox360? free60.org has a wealth of info.
Most of the hacks revolve around smc hacks or glitching the cpu into compliance.
After that you set up shop with hacked firmware and become master race.
The memory is always referred to as relative. The kernel gives you some memory, and all your variables have a static offset. Always. But the offset is random. This can happen on the program level and the function level.
You always need a pointer to the memory so it's doable anyway but is harder
Team Xecuter works full time at modding the Xbox One but they keep their findings secret because they profit from their work by selling mod/glitch chips and NAND dumpers.
FailOverFlow had IOSU access a month after the WiiU came out but they never released their work.
smc hack is permanently installed to literally hack the system every time it turns on, same with rgh.
On JTAG Xboxes you can bypass a resistor to protect your efuses, on RGH you don't need to.
The hacks have virtual efuses which will take the bullet, assuming your real ones are protected.
For non hacked consoles backups are worthless.
If anyone is interested in learning about console hacking I found this:
Maybe when starting a new thread we should have a list of resources, along with maybe videos of interesting glitches?
Here are some more resources:
That website has some other interesting stuff related to console hacking, I hope someone finds these links useful.
I'd take being on a slower board if it meant higher quality posts and not having to do stuff like this to keep the thread from dying because of all the shitpost threads on /g/.
This whole thread wouldn't fit /vr/, all of it is about newer consoles.
The other threads were more about older ones, but still, /g/ is a better place for it.
If it was on another board it wouldn't have /g/ users, and this thread wouldn't be what it is.
/vg/ has this thread, but even though it should be about the same topic, it's a little different, since it's more about people asking for help, piracy and some homebrew discussions.
Maybe moving there could be considered.
Maybe we could be spared the wrath of /g/ mods and anons if we turned this into an "OS/Assembly Hacking/Glitches" thread that included both interesting computer software bugs and console games bugs.
I guess they banned you because they just look at some of the posts at the start of the thread, which were all "go to /vp/ this is clearly about the pokemon anime :@@" or something like that. Mods just didn't know what the thread was about, and assumed it was a Pokémon thread or something
Good thing I could just restart my router :^)
But seriously banning me was completely bullshit they could've at least read some more of the thread, but that's beside the point.
What about moving this thread into /vg/ instead? Not sure if threads die quicker there though.
>The hack for it involves putting code in the USB device descriptor
I had a similar idea for an exploit but I don't have enough technical knowledge to implement it. This makes me sad.
>I can tell you that if you don't own an original modded Xbox you are missing out on one of the best consoles of all time.
This*100,000. I'm an old Xbox scenester, it's the comfiest modded console in existence.
Why is it the comfiest? Mostly because it has (had?) the biggest software scene: The most popular homebrew dashboard is _literally_ the basis for XBMC/Kodi (XBoxMediaCenter), combined with the minimal hassle of hacking and using the hacked console itself. Softmods can be implemented many ways, as simple as a savegame exploit, to hotswapping the hard drive. There are also mod chips that can be installed, AND you can just flash the BIOS by hand. After it's modded homebrew and pirate software is easily executable, as it NATIVELY supports booting software from the internal hard drive, which can be upgraded, up to a terabyte. XBMC, the most popular (and STILL DEVELOPED) dashboard, is an excellent media center for shows, movies, music, and obviously games. You can even soft reset out of running games and software back to the dash. With services like Xlink, you can play games like CoD and Halo:CE/2 online, and any official games run perfectly out of the box (unlike PS2, where you have to manually configure each game if you want to run it without burning it to a DVD, which is not only costly but also has issues which I do not feel like outlining.) The Xbox is the opus of console hacking.
can you actually connect to a xbox one with the manager in the leak?
I think the titles need to be registered in some weird way so I have no idea if you can launch an application from it?
I really appreciate it but I stopped reading around those pages last time I tried a few weeks ago, but I'll start reading it again from the beginning now.
I think a big part of me not understanding some of the book is the fact I'm sometimes reading it and get distracted, and end up not understanding it well, the fact the book isn't in my native language probably doesn't help either.
Guess I just need to read with the tv off from now on.
Every Nintendo game up until not long ago was the only thing running on the hardware; Nintendo would have more experience than anyone writing software that does utterly everything.