Easier access to games
MONEY and PROFIT!
Copy protection
Easier game development/support
Being the first on the scoreboard
Piracy
Homebrew – “run software not authorized by $$$VENDOR$$$”
Game preservation
Because we can(?)
Why do we want to hack game consoles?
What is an arcade?
A unique game console running only one game on unique HW
Why hack arcades?
Mostly preservation
1. No security
2. Extra “security” hardware
3. Encryption, suicide chips, obfuscation
History of arcade game security
Generic board
Most famous game: Street Fighter 2
Continuous development (incl. security)
...thoroughly hacked.
Capcom Play System 1 (1988 - 1995)
To address bootlegs: CPS-2
Encrypted code and clear-text data
Completely unhacked for 6 years!
Capcom Play System 2 (1993 - 2003)
1995: Street Fighter Zero
November 1999: First CPS-2 patch (Razoola)
Spring 2000: First shellcode execution and memory dump (Razoola)
December 2000: Automated dump (Razoola)
Capcom Play System 2 (1993 - 2003)
January 2001: First CPS-2 emulation (Razoola)
2005: With custom hardware, control over memory mappings achieved (Charles MacDonald)
Capcom Play System 2 (1993 - 2003)
2007: Encryption algorithm reversed (Nicola Salmoria and Andreas Naive)
Sometime later: Determine the key from only an encrypted game
2016: Full reverse engineering of the CPS-2’s security programming
All in only 13 years!
Capcom Play System 2 (1993 - 2003)
1994 - 2 generic CPUs, 1 CPU for sound, 1 CPU for the CD subsystem, video acceleration
Games came on CDs - now the CD drives are failing
Dr Abrasive - he wanted to write software for the Sega Saturn
Was unhacked for 20+ years
CD controller firmware dumped
Video CD port for an external add-on card
Push "CD data" through this expansion port
Saturn CD discs are not read-protected
Hacking Sega Saturn
Watermark printed on the CD
This watermark cannot be burned via a regular CD writer
Trick to defeat the protection
Step 1: Insert original CD, PS1 reads watermark
Step 2: Remove original CD
Step 3: Insert copied CD
Step 4: PROFIT!
Playstation 1
Ugly modchip hacks . . .
Swap Magic . . .
But the Free McBoot memory card is the thing
Tricks the system into thinking this is an official update, executes code directly from the memory card
Multi-session discs: first session video, second session game data
OPL …
Playstation 2
State of the art in 2012
Things are getting harder
Darknet Diaries: XBOX Underground part 1-2
2003: Bunnie: Spy on a specific bus line to extract the SECRET KEY from the Xbox
2006: Rowdy: Grab XBOX 360 DEV devices from a recycling factory
You can access Partnernet, where all the beta releases are
Darknet Diaries: XBOX Underground part 1-2
1. Find random leaked database
2. Find Epic employee in the dump
3. Access Epic employee’s Gmail – Admin060606
4. Access Epic’s network via VPN
5. Access Epic’s Unreal Developer Network database
6. Crack hashes
7. Access to other networks like Activision, Microsoft, Steam, Zombie Networks, etc
8. Zombie Networks had access to the US military (a simulator for the Apache)
2015 – PS4 FW 1.76 hacked
This means mostly games from 2014
As is common nowadays, there is no way to downgrade the FW version – old consoles have increased value
As of today, if you have FW 6.72 (or earlier), released on July 17, you can jailbreak your PS4
Console hacking – PS4
You have to chain 2 exploits together
One to achieve code execution
One to escalate privileges to kernel-mode code execution
Fire30 – WebKit exploit, works up to 6.72, CVE-2018-4386, type confusion
TheFlow – kernel exploit, works up to 7.02, use-after-free in the IPv6 module
How to exploit PS4 FW 6.72 (July 2019)?
Pirate games
Play old PS2 and PS3 games on PS4
Custom ROM
Debug usermode / kernel
Decrypt and modify game saves . . .
Cheat in LOCAL games – like Cheat Engine
Bug bounty! Ranges from $100 for a low-end threat on PSN, up to $50,000 for a critical vulnerability.
What to do with jailbroken PS4?
Disadvantages
No more online games
Losing warranty
No more new games
No more Playstation Network
What NOT to do with jailbroken PS4?
Usermode exploit only . . .
Microsoft Edge Browser (CVE-2016-7200 and CVE-2016-7241)
No homebrew, no jailbreak, only scams like “XBOX One JTAG jailbreak”
Run signed code only
Apps and games are in sandboxes
Virtualization – app VM and game VM
But you can still use game glitches for fun
Console hacking – present XBOX One
The generation of people who broke the PS1-2, Xbox, etc. were all hired by M$ to create the security (including HW) for the Xbox One.
Let that sink in: Microsoft created a gaming console based on Windows 10 which is still unhacked. The PS4 is based on FreeBSD, and multiple hacks were discovered.
Console hacking – present XBOX One
Fusée Gelée, ShofEL2 or CVE-2018-6242
Tethered, non-persistent exploit!
This means you won’t break your console forever!
Bootrom exploit in the NVIDIA Tegra Recovery Mode
You have to push a non-existent home button on the controller to get into Recovery Mode
USB module stack overflow
Similar to checkra1n on iOS
Can’t software-patch it, as it is in ROM
Console hacking – present Nintendo Switch
Backwards compatibility with the DS
A lot of exploits throughout its lifecycle
Gateway
For-profit piracy flash cart
Lots of nasty tricks
Kids, don’t be like Gateway!
Nintendo 3DS
PowerPC main CPU + ARMv9 security chip
GameCube backwards compatibility
Special boot process
Encryption on everything
Nintendo Wii - security
Similar to the X360 DVD FW hacks
Unsigned code still can’t run
Nintendo Wii - WiiKey
GameCube mode -> first reboot into Wii
GC mode memory layout
Sup3r 31337 h4ck
Nintendo Wii – Team Twiizers
Two bugs:
1. Partial signature check
2. strncmp() on a bytestream
Twilight Hack
Homebrew achieved
Nintendo Wii – full homebrew
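The second Wii bug above, strncmp() used on a hash, is shown here as an added C example (not code from the presentation or from Nintendo): strncmp() stops at the first 0x00 byte, so two digests that both begin with 0x00 compare "equal" after a single byte, while memcmp() over the full digest does not. The digests are constructed sample values, not real hashes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SHA-1 digest length; the Wii signature check compared hashes of this size. */
#define DIGEST_LEN 20

/* Vulnerable check: strncmp() treats the two digests as C strings, so it stops
 * at the first 0x00 byte. If both digests begin with 0x00, it reports a match
 * after looking at only that one byte and ignores the remaining 19. */
int digest_matches_strncmp(const uint8_t *expected, const uint8_t *actual)
{
    return strncmp((const char *)expected, (const char *)actual, DIGEST_LEN) == 0;
}

/* Hardened check: memcmp() compares every one of the DIGEST_LEN bytes,
 * whether or not any of them is 0x00. */
int digest_matches_memcmp(const uint8_t *expected, const uint8_t *actual)
{
    return memcmp(expected, actual, DIGEST_LEN) == 0;
}

/* Constructed sample digests (not real hashes of anything): both start with a
 * 0x00 byte and differ in every byte after it. */
const uint8_t EXPECTED_DIGEST[DIGEST_LEN] = {
    0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22, 0x33,
    0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xab, 0xcd, 0xef, 0x01
};
const uint8_t FORGED_DIGEST[DIGEST_LEN] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
    0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x12, 0x13, 0x14
};
/* A digest whose first byte is non-zero: both checks reject it. */
const uint8_t OTHER_DIGEST[DIGEST_LEN] = {
    0x7f, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22, 0x33,
    0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xab, 0xcd, 0xef, 0x01
};

int main(void)
{
    printf("strncmp accepts forged digest: %d\n",
           digest_matches_strncmp(EXPECTED_DIGEST, FORGED_DIGEST)); /* 1 */
    printf("memcmp  accepts forged digest: %d\n",
           digest_matches_memcmp(EXPECTED_DIGEST, FORGED_DIGEST));  /* 0 */
    return 0;
}
```

memcmp() fixes the early-stop defect but is not timing-safe; a signature verifier should compare digests with a constant-time routine.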
Exploits and jailbreaks will stay with us
If you want to get into this scene
Remove your console from the Internet now
Block the update process (custom DNS server)
And wait for a jailbreak
What about the future?
Stage 4 – Further increasing speed (3840 bytes/second)
Stage 5 – Transfer data in blocks with headers
Stage 6 – Twitch Chat Interface
In summary
Questions?
Join Hackersuli on Facebook
Join Hackersuli on Meetup
Join Hackersuli on Twitch
Join Hackersuli on YouTube
Join Hackersuli on Slideshare