I recently noticed the above relationship between posts-per-year and family size. This is Paul Matti, born 2012-03-05 (07:01am). He turned one today, and his sister also thinks that he is awesome.
Vulnerabilities are like good ideas - you’re rarely the first one dealing with it. Some vulnerabilities are almost classic, so I’ll proudly present: 7 old but surprisingly useful bugs that might also affect YOUR device.
(With “you” either being the designer or attacker.) Just to be clear: none of these exploits are rocket science. This is kind of the “low tech” hacking approach - no fancy oscilloscopes required, no DPA involved, no FIB to rent.
From nyt:
No, you fucking don’t. Instead, you call them pirates and sue them:
Obviously, the people in this class are the people who downloaded, or claim they downloaded the Linux operating system onto their other OS. It is beyond dispute now that there in is an ongoing effort to hack the PS3. In fact, most recently, there was an effort to hack around for update 3.21.
And these people, as members of the class, are engaged in activity that is not only prohibited under Sony’s agreements, but is illegal.
As described in this post on ASSEMblergames.com and in this post, there is still a secret left that needs to be lifted for the newer “Type 3” triforces.
As a short summary, the new type triforce is probably a cost reduction of the old hardware. As part of this cost reduction, handling of the GDROM and security PIC, which was previously implemented in an SH-4 CPU, was “removed”. The network stuff is now handled separately on a MIPS CPU, but several strings that are proven to exist do not exist anymore in the flash ROM, at least not as plaintext.
Remember 10 years ago? I do!
Recently mist came up with an update of his 2005 slide summarizing the effects of a number of hacks that started benign and ended up, well, not so benign. While I think this kind of meta-discussion is not really my métier, an interesting discussion was started in the comments.
I don’t want to re-start this discussion. The major points have been made, from both sides. One of my points, though, that is an important foundation for this discussion, is my belief that most hacks, regardless of being benign or not, have not been made by a commercial party.
The WhatsInside post from January was not an incidental post. It is actually a snapshot of a much longer forensic investigation to find the ground truth behind some of the technology behind Tektronix' scope accessories.
Pun aside: in October 2009, I got a new scope, a Tektronix DPO4034. It’s a scope in the $8k range, so while not exactly low-cost, you don’t need a mortgage on your home to buy it. The raw specs are nice, but not awesome - 2.
I mean - it was a really cool thing, until it failed. The low price tag most certainly wasn’t the reason for the ultimate failure of this gadget, it was me, mis-operating. Raw force is usually a solution - this time, it wasn’t.
I’m cheap. Most of my switches aren’t manageable. I know that they are cheap now. My switches are still cheaper.
On the other hand, I recently required a device on a separate network. Having just one NIC on my linux machine, I naturally wanted to use VLANs for that; all it needs is a switch in VLAN mode, where each of the ports (except for one, the “master” port) is on a separate VLAN.
07: ffff000000000f00 08: 000f000000000f00 09: 00ffff0ffff00ff0 10: 000f000f0f0f0f0f 11: 0000ff0f0f0f0ff0
I’m sitting on this for a while now, and it didn’t change a lot. That means it’s either 100% finished or completely useless. It’s a python script which talks to the NetDIMM board on a Triforce/Naomi/Chihiro, and implements the “Satellite” protocol for uploading and running games. I dunno if it really works. Have fun! Here it is: triforcetools.
Each data frame has a size of 2064 bytes; 16 bytes more than the payload. The first 4 bytes of each data frame is called ID, and contains, next to some flags, the Physical Sector Number (PSN). Each data frame, and, as we see later, all other frames, have an associated, hopefully unique, PSN. Several ranges of PSNs are reserved for special data (more about that… yes, later), but let’s just say that the data frame containing the first user sector has the PSN 0x30000, the second one 0x30001 etc.
[I’ve started writing this a few days after the last post. I was still waiting for some things to develop, but I’m a bit out of reach at the moment, so this might take some time. So this post isn’t as finished as I hoped it would be. But these “news” already started to smell funny.]
In the first 3 parts I explained how I could modify the Gamecube board inside the Triforce to dump the plain game images.
Step 1: $40k overpriced LA (could be replaced easily with a $150 FPGA board), some wires
Step 2: 20 lines of python code
Difference between those? Just some simple XOR and ADD.
Ok, now a better step-by-step description of what this is all about.
As you might have seen, GDROM-games for the Naomi/Triforce/Chihiro come with a security chip, which has to be plugged into the “DIMM Board”. The “DIMM board” is, as previously explained, in charge of loading and decrypting the GDROM data.
I’ve spent some time on understanding the exact protocol spoken to the baseboard. Thanks to dolphin, I could run the software (for example, media board bios) and log all EXI/SI transfers. More details later, but I could replay them on the Triforce, thus grabbing the right responses, and emulating them properly in dolphin.
There is still a lot left to do, of course. :) The media board emulation is more than incomplete (it only emulates reads, so far), and there is no JVS IO yet.
I almost forgot to write about the successful execution of Task 3:
I basically patched the SegaLoader (i.e. the Media Board payload) to break after initializing the GD-ROM, i.e. after reading the GD-ROM into Dimm-Board’s memory. Then I just repeated the steps I did for dumping the Media Board (after the Media Board is switched into “Dimm Board”-mode, the same read commands will read the data from the DIMM Board instead of the onboard flash).
The Media Board contains an FPGA which interfaces to the DI bus, i.e. replaces the DVD-ROM. However, a quick test shows that the original DVD commands don’t work. Here the modchip’ed triforce comes in handy again: the qoob bios leaves the original bootrom (i.e. the triforce IPL) at 0x81300000. I could then upload my own test tool via network, patch the IPL (for example I’ve redirected OSReport to the screen and to the USBGecko), and let it run.
I’ve already described that the heart of the beast is a basically unmodified retail Gamecube board. Rumors tell it has 48MB of (MEM1-)RAM, but based on the memory chip quantity and description, I cannot confirm that - they exactly match a retail Gamecube. As a side note, games seem to be 512MB max. I won’t give any further comment about the possible implications of these facts ;).
However, what is modified versus a retail Gamecube board is that a different IPL is installed.
What is “The Beast”? Other than what you find on wikipedia, the Triforce can be described as a tweaked Gamecube.
The heart is a standard, retail Gamecube board, allegedly with twice the amount of MEM1, and a custom IPL. Instead of the DVD drive, the Triforce has a Sega-developed “media board” which interfaces to a “DIMM board”. The “DIMM board” is an embedded computer running VxWorks. It has a large amount of buffer RAM (my unit has 512MB), and interfaces to a NAOMI GD-ROM.
EDIT: This post was - seriously - posted before I’ve read “<Ch0p> the owner of datel electronics just made a $1000 donation to wiibrew". However, I still believe my objections are valid. Anyway, Datel, thank you (a LOT) for supporting wiibrew. Thank you, Datel, for all your precious hacker tools. You call them “videogame enhancement products”, which is probably how most people see them, but I call them “hacker tools”, and that’s a compliment.
After bushing had shown the first homebrew exploit, a lot of stuff has happened in the Wii-world. The exploit was based on a hole in the disc hashing & verification, but the original finder (segher) decided that he doesn’t want the bug to be published. While this caused some controversy, the reason behind this was that the hole could be patched very easily in a future firmware version, as no original function relies on it.
The 24c3 is over now, and we really had a lot of fun. We brought 6 of our Xboxes, which allowed us to grab attention from quite a lot of people in the hackcenter :).
bushing showed a nice Wii hack we had been developing in the last few weeks (though I mostly did watch the show). Ben has been burning like 50 DVDs or so, which all did different things from doing nothing at all to immediately freezing the system, but like 30 min before our lecture, he made it work!