[HUN] Hackersuli - Console and arcade game hacking – history, present, future

hackersuli 163 views 49 slides Sep 11, 2020

Slide Content

Hackersuli
Console and arcade game hacking – history, present, future
Zoltan (Balazs|Madarassy)

Don't be stupid
Always contact your lawyer before jailbreaking your console
Read about the DMCA

What is a console?

Why even consoles though?
Easier access to games
MONEY and PROFIT!
Copy protection
Easier game development/support

Why do we want to hack game consoles?
Being the first on the scoreboard
Piracy
Homebrew – "run software not authorized by $$$VENDOR$$$"
Game preservation
Because we can(?)

Overview of console hacking trends
Region lock bypasses
Mod chips
Software exploits

Small detour: Arcade games

What is an arcade?
A unique game console running only one game on unique hardware
Why hack arcades?
Mostly preservation

History of arcade game security
1. No security
2. Extra "security" hardware
3. Encryption, suicide chips, obfuscation

Capcom Play System 1 (1988-1995)
Generic board
Most famous game: Street Fighter 2
Continuous development (incl. security)
...thoroughly hacked.

Capcom Play System 2 (1993-2003)
To address bootlegs: CPS-2
Encrypted code and clear-text data
Completely unhacked for 6 years!

Capcom Play System 2 (1993-2003): timeline
1995: Street Fighter Zero
November 1999: First CPS-2 patch (Razoola)
Spring 2000: First shellcode execution and memory dump (Razoola)
December 2000: Automated dump (Razoola)
January 2001: First CPS-2 emulation (Razoola)
2005: Control over memory mappings achieved with custom hardware (Charles MacDonald)
2007: Encryption algorithm reversed (Nicola Salmoria and Andreas Naive)
Sometime later: Determine the key from only an encrypted game
2016: Full reverse engineering of the CPS-2's security programming
All in only 13 years!

Hacking the Sega Saturn
1994: 2 generic CPUs, 1 CPU for sound, 1 CPU for the CD subsystem, video acceleration
Games came on CDs; now the CD drives are failing
Dr Abrasive wanted to write software for the Sega Saturn
Was unhacked for 20+ years
CD controller firmware dumped
Video CD port for an external add-on card
Push "CD data" through this expansion port
Saturn CDs are not read-protected

The not too distant past

PlayStation 1
Watermark printed on the CD
This watermark cannot be burned with a regular CD writer
Trick to defeat the protection (the disc swap):
Step 1: Insert the original CD, the PS1 reads the watermark
Step 2: Remove the original CD
Step 3: Insert the copied CD
Step 4: PROFIT!

PlayStation 2
Ugly modchip hacks...
Swap Magic...
But the Free McBoot memory card is the thing: it tricks the system into thinking it is an official update and executes code directly from the memory card
Multi-session discs: first session video, second session game data
OPL (Open PS2 Loader)...

State of the art in 2012: things are getting harder

Darknet Diaries: XBOX Underground, part 1-2
2002: Bunnie spied on a specific bus line (the HyperTransport bus) to extract the SECRET KEY from the Xbox
2006: Rowdy grabbed XBOX 360 DEV devices from a recycling factory
With a dev kit you can access PartnerNet, where all the beta releases are

Darknet Diaries: XBOX Underground, part 1-2 (cont.)
1. Find a random leaked database
2. Find an Epic employee in the dump
3. Access the Epic employee's Gmail – Admin060606
4. Access Epic's network via VPN
5. Access Epic's Unreal Developer Network database
6. Crack hashes
7. Access other networks like Activision, Microsoft, Steam, Zombie Networks, etc.
8. Zombie Networks had access to the US military's Apache helicopter simulator

Present state of game console hacking

Console hacking – PS4
2015: PS4 FW 1.76 hacked; this means mostly games from 2014
As is common nowadays, there is no way to downgrade the FW version, so old consoles have increased value
As of today, if you have FW 6.72 (or earlier), released in July 2019, you can jailbreak your PS4

How to exploit PS4 FW 6.72 (July 2019)?
You have to chain 2 exploits together:
One to achieve (user-mode) code execution
One for privilege escalation to kernel-mode code execution
Fire30 – WebKit exploit, works up to 6.72, CVE-2018-4386, type confusion
TheFlow – kernel exploit, works up to 7.02, use-after-free in the IPv6 module

What to do with a jailbroken PS4?
Pirate games
Play old PS2 and PS3 games on the PS4
Custom ROM
Debug user mode / kernel
Decrypt and modify game saves...
Cheat in LOCAL games – like Cheat Engine
Bug bounty! Ranges from $100 for a low-end threat on PSN up to $50,000 for a critical vulnerability.

What NOT to do with a jailbroken PS4? Disadvantages:
No more online games
Losing the warranty
No more new games
No more PlayStation Network

Console hacking – present: Xbox One
User-mode exploit only...
Microsoft Edge browser (CVE-2016-7200 and CVE-2016-7241)
No homebrew, no jailbreak, only scams like "XBOX One JTAG jailbreak"
Runs signed code only
Apps and games are in sandboxes
Virtualization – app VM and game VM
But you can still use game glitches for fun

Console hacking – present: Xbox One (cont.)
The generation of people who broke the PS1, PS2, Xbox, etc. were all hired by Microsoft to create the security (including HW) for the Xbox One.
Let that sink in: Microsoft created a gaming console based on Windows 10 which is still unhacked. The PS4 is based on FreeBSD, and multiple hacks were discovered.

Console hacking – present: Nintendo Switch
Fusée Gelée / ShofEL2 (CVE-2018-6242)
Tethered, non-persistent exploit! This means you won't break your console forever
Boot ROM exploit in the NVIDIA Tegra recovery mode (RCM)
To get into recovery mode you have to "press" a Home button that does not exist on the controller (the jig shorts the corresponding Joy-Con rail pin)
USB module stack overflow (the copy length comes from the host and is not checked)
Similar to checkm8/checkra1n on iOS
Can't be patched in software, as it is in ROM
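The "USB module stack overflow" above, as an added example that is not the Tegra boot ROM code and not the exploit itself: a model of the bug class, a USB control-request handler that copies the data stage into a fixed buffer using the host-chosen wLength as the copy length, shown beside a hardened handler that bounds the length. The buffer size, the frame layout (buffer directly below a saved return address), the request values and every function name are assumptions made for illustration.

```c
/* Added example (not NVIDIA's or Nintendo's code): a model of the bug class
 * behind Fusee Gelee. A USB control-request handler copies the request's data
 * stage into a fixed-size buffer using the host-supplied wLength as the copy
 * length. Buffer size, frame layout and function names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CTRL_BUF_SIZE 64                  /* assumed size of the handler's buffer */
#define RETURN_MARKER 0xdeadbeefu         /* stands in for the saved return address */
#define ATTACK_LEN    (CTRL_BUF_SIZE + 4) /* filler plus the 4 bytes that hit it */

/* The real 8-byte USB SETUP packet layout; every field is chosen by the host. */
struct usb_setup_packet {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

/* Model of the handler's stack frame: the data buffer sits directly below the
 * saved return address, so overrunning the buffer corrupts control flow. */
struct handler_frame {
    uint8_t  data[CTRL_BUF_SIZE];
    uint32_t saved_return;
};

/* Vulnerable: wLength may be anything up to 65535 and is never compared with
 * the buffer size before the copy. noinline stops the compiler from seeing the
 * destination's real size, as a ROM routine called with a pointer would not. */
__attribute__((noinline))
int handle_control_vulnerable(uint8_t *buf, const struct usb_setup_packet *sp,
                              const uint8_t *payload)
{
    memcpy(buf, payload, sp->wLength);
    return 0;
}

/* Hardened: stall any request whose declared length exceeds the buffer or the
 * number of bytes that actually arrived on the wire. */
__attribute__((noinline))
int handle_control_hardened(uint8_t *buf, const struct usb_setup_packet *sp,
                            const uint8_t *payload, size_t received)
{
    if (sp->wLength > CTRL_BUF_SIZE || sp->wLength > received)
        return -1;
    memcpy(buf, payload, sp->wLength);
    return 0;
}

/* Constructed malicious request: 64 bytes of filler followed by the 4 bytes
 * that land on saved_return (a real payload would put a code address there). */
static void build_attack(uint8_t payload[ATTACK_LEN], struct usb_setup_packet *sp)
{
    const uint32_t fake_ret = 0x41414141u;
    memset(payload, 'A', CTRL_BUF_SIZE);
    memcpy(payload + CTRL_BUF_SIZE, &fake_ret, sizeof fake_ret);
    sp->bmRequestType = 0x40;             /* vendor request, host to device */
    sp->bRequest = 0x01;
    sp->wValue = 0;
    sp->wIndex = 0;
    sp->wLength = ATTACK_LEN;
}

struct demo_result { int rc; uint32_t saved_return; };

/* Deliver the malicious request to one of the two handlers and report what happened. */
struct demo_result deliver_attack(int hardened)
{
    struct handler_frame fr;
    uint8_t payload[ATTACK_LEN];
    struct usb_setup_packet sp;
    struct demo_result r;

    fr.saved_return = RETURN_MARKER;
    build_attack(payload, &sp);
    r.rc = hardened ? handle_control_hardened(fr.data, &sp, payload, sizeof payload)
                    : handle_control_vulnerable(fr.data, &sp, payload);
    r.saved_return = fr.saved_return;     /* 0x41414141 after the vulnerable handler */
    return r;
}

/* A well-formed 16-byte request must still pass the hardened handler. */
int hardened_accepts_valid_request(void)
{
    struct handler_frame fr;
    uint8_t payload[16] = {0};
    struct usb_setup_packet sp = { 0x40, 0x01, 0, 0, sizeof payload };
    return handle_control_hardened(fr.data, &sp, payload, sizeof payload);
}

int main(void)
{
    struct demo_result v = deliver_attack(0), h = deliver_attack(1);
    printf("vulnerable: rc=%d saved_return=0x%08x\n", v.rc, v.saved_return);
    printf("hardened:   rc=%d saved_return=0x%08x\n", h.rc, h.saved_return);
    return 0;
}
```

The point of the hardened version is that the check is against two limits, not one: the buffer's capacity and the byte count the controller actually received. A handler living in mask ROM cannot get this check added later, which is why the slide says the bug cannot be patched in software and why only later hardware revisions closed it.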

Nintendo 3DS
Backwards compatible with the DS
A lot of exploits throughout its lifecycle
Gateway: a for-profit piracy flash cart
Lots of nasty tricks
Kids, don't be like Gateway!

Nintendo Wii – security
PowerPC main CPU + ARM9 security chip
GameCube backwards compatibility
Special boot process
Encryption on everything

Nintendo Wii – WiiKey
Similar to the Xbox 360 DVD firmware hacks
Unsigned code still can't run

Nintendo Wii – Team Twiizers
GameCube mode -> first reboot into Wii mode
GC mode memory layout
Sup3r 31337 h4ck

Nintendo Wii – full homebrew
Two bugs:
1. Partial signature check
2. strncmp() on a byte stream
Twilight Hack
Homebrew achieved
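The two bugs above in miniature, as an added example that is not Nintendo's IOS code: the signature check compared the digest recovered from the RSA signature with the digest of the signed data using strncmp(), which stops at the first 0x00 byte. With an all-zero signature the recovered digest is all zeros, so the attacker only has to tweak unused padding bytes until the content digest also begins with 0x00 and the check passes after about 256 attempts. The 20-byte toy hash is a stand-in for SHA-1 (not cryptographic), the content layout is constructed, and the function names are assumptions.

```c
/* Added example, not Nintendo's IOS code: the Wii signature bug in miniature.
 * IOS compared the digest recovered from the RSA signature with the digest of
 * the signed data using strncmp(), which stops at the first 0x00 byte. The toy
 * hash (a stand-in for SHA-1), the content layout and all names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DIGEST_LEN  20
#define CONTENT_LEN 32
#define MAX_TRIES   65536

/* Toy 20-byte digest (NOT cryptographic, only a stand-in for SHA-1): five
 * FNV-style lanes. All that matters here is that its first byte is not under
 * the attacker's direct control, so about 1 in 256 inputs starts with 0x00. */
static void toy_digest(const uint8_t *msg, size_t len, uint8_t out[DIGEST_LEN])
{
    uint32_t h[5] = {0x811c9dc5u, 0x01000193u, 0xdeadbeefu, 0x9e3779b9u, 0x7f4a7c15u};
    for (size_t i = 0; i < len; i++) {
        for (int k = 0; k < 5; k++) {
            h[k] ^= msg[i] + (uint32_t)k;
            h[k] *= 0x01000193u;
            h[k] ^= h[(k + 1) % 5] >> 13;
        }
    }
    for (int k = 0; k < 5; k++) {
        out[4 * k]     = (uint8_t)(h[k] >> 24);
        out[4 * k + 1] = (uint8_t)(h[k] >> 16);
        out[4 * k + 2] = (uint8_t)(h[k] >> 8);
        out[4 * k + 3] = (uint8_t)(h[k]);
    }
}

/* Vulnerable check, the way IOS did it: a 0x00 byte in the first digest ends
 * the comparison early, so two digests that merely share a leading 0x00 "match". */
int verify_weak(const uint8_t sig_digest[DIGEST_LEN], const uint8_t data_digest[DIGEST_LEN])
{
    return strncmp((const char *)sig_digest, (const char *)data_digest, DIGEST_LEN) == 0;
}

/* Fixed check: compare all twenty bytes regardless of their value. */
int verify_strict(const uint8_t sig_digest[DIGEST_LEN], const uint8_t data_digest[DIGEST_LEN])
{
    return memcmp(sig_digest, data_digest, DIGEST_LEN) == 0;
}

/* Attacker side: leave the signature all zero (RSA of a zero block recovers a
 * zero digest, modelled here as a constant), then vary two padding bytes the
 * signed data ignores until the content digest also begins with 0x00.
 * Returns the number of attempts, or -1 if the limit is reached. */
int forge_padding(uint8_t *content, size_t len, uint8_t digest_out[DIGEST_LEN])
{
    for (int tries = 0; tries < MAX_TRIES; tries++) {
        content[len - 2] = (uint8_t)(tries >> 8);
        content[len - 1] = (uint8_t)(tries & 0xff);
        toy_digest(content, len, digest_out);
        if (digest_out[0] == 0x00)
            return tries + 1;
    }
    return -1;
}

struct forge_result { int tries; int weak_accepts; int strict_accepts; };

/* Constructed sample: a pretend title header followed by zero padding. */
struct forge_result demo_trucha(void)
{
    static const uint8_t zero_sig_digest[DIGEST_LEN] = {0};  /* all-zero signature */
    uint8_t content[CONTENT_LEN] = "homebrew-title-v1";      /* rest is padding */
    uint8_t digest[DIGEST_LEN];
    struct forge_result r;

    r.tries = forge_padding(content, sizeof content, digest);
    r.weak_accepts = (r.tries > 0) && verify_weak(zero_sig_digest, digest);
    r.strict_accepts = (r.tries > 0) && verify_strict(zero_sig_digest, digest);
    return r;
}

int main(void)
{
    struct forge_result r = demo_trucha();
    printf("forged after %d tries: strncmp check %s, memcmp check %s\n", r.tries,
           r.weak_accepts ? "ACCEPTS" : "rejects", r.strict_accepts ? "ACCEPTS" : "rejects");
    return 0;
}
```

This is the "partial signature check": the comparison silently covers only the bytes before the first 0x00, and with a zero signature that is a single byte. The fix is nothing more than treating the digest as binary data (memcmp over the full length) rather than as a C string; the Twilight Hack then supplied the unsigned code through a separate save-game overflow, which this example does not model.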

What about the future?
Exploits and jailbreaks will stay with us
If you want to get into this scene:
Remove your console from the Internet now
Block the update process (custom DNS server)
And wait for a jailbreak

Bonus: Pokemon plays Twitch

WHAT?!

In summary
Stage 0 – corrupting a save (3-7 bytes/minute)
Stage 1 – writing Z80 assembly (30 bytes/second)
Stage 2 – creating command packets (1 nibble/frame)
Stage 3 – escaping the SGB (60 payload bytes/second)
Stage 4 – further increasing speed (3840 bytes/second)
Stage 5 – transferring data in blocks with headers
Stage 6 – Twitch chat interface

Questions?
Join Hackersuli on Facebook
Join Hackersuli on Meetup
Join Hackersuli on Twitch
Join Hackersuli on YouTube
Join Hackersuli on Slideshare