
A SHORT HISTORY OF VIDEO GAME CONSOLE HACKING FRED D. DAVID R.



Presentation transcript:

1 A SHORT HISTORY OF VIDEO GAME CONSOLE HACKING FRED D. DAVID R.

2 REASONS TO MOD A VIDEO GAME CONSOLE
- Backup original disks for preservation or to reduce disk drive failure
- Allow region-free play (play Japanese or PAL games on a USA game system)
- Run unsigned code (all of the below):
  - Homebrew and PC ports: Quake I, II, III, Xmugen, community-built apps and games
  - Emulate older systems such as Atari, Commodore 64, SNES, NES, GB, GBA, Genesis, Neo-Geo, MAME arcade, TurboGrafx-16, PlayStation, DOSBox, and more
  - Game modifications (Soul Calibur Reloaded, Halo Custom Edition, DOA, GTA mods, cheats)
  - Convert to HTPC (Xbox Media Player, Xbox Media Center aka XBMC or Kodi)
  - Use as a Linux PC: Yellow Dog (PS3), GentooX (Xbox)
  - Convert to development kit
  - Piracy (unfortunate side effect of running unsigned code)

3 TYPES OF MODS
- Hardmods
  - Modchips, DVD pass-through devices, DVD firmware flash, or motherboard firmware (TSOP or NAND) flash
  - Requires soldering most of the time
  - Dangers: hardware damage from poor soldering skills, or bricking a system by flashing the wrong file or key
- Softmods
  - Software exploits, mostly using an existing exploit in a specific video game (Lumines, 007, MechAssault, etc.)
  - No soldering required
  - Dangers: deleting the wrong file or using the wrong exploit (NTSC vs NTSC-J) can brick your system
- Flash carts
  - Retail-sized game carts with Mini/MicroSD slots for GBA, DS, DSi, and 3DS
  - Able to load emulators, homebrew, and a collection of games on one cart

4 CONSOLE MODIFICATION TIMELINE

5 PLAYSTATION 1
- GameShark or Action Replay
  - Plugged into the original PS1's parallel port. Later PS1 models had this parallel port removed
  - Originally used for codes and cheats, but could be made to launch backups and imports without soldering in a modchip

6 PLAYSTATION 1
- Old Crow modchip
  - 4-6 wire PIC chip compatible with all versions of the PS1
  - Allowed the PS1 to play imports and backups

7 PLAYSTATION 2
- Modchips: DMS, Matrix Infinity, Modbo
- HDLoader and USBXtreme: software that allows the PS2 to launch game ISOs from an internal IDE HDD or USB. HDLoader originally booted from CD only. OpenPS2Loader is similar to these programs but also allows loading ISOs from SMB network shares.
- FreeMCBoot: standard memory card modified to allow unsigned code on the PS2. No modchip required.
  - Save and launch OpenPS2Loader, HDLoader, USBXtreme, programs and emulators from a PS2 memory card or USB stick

8 PLAYSTATION 2: MATRIX INFINITY SLIM PS2

9

10

11 PLAYSTATION 2: MATRIX INFINITY FAT PS2

12 PLAYSTATION 2: FAT PS2 WITH IDE HARD DRIVE
- Originally used for caching retail games for faster loading, but eventually allowed full game launching without a disc through third-party programs like HDLoader and HD Advance
- 48-bit LBA with a limit of 144TB, but safer not to exceed 750GB to avoid data corruption

13 PLAYSTATION 2: HDCOMBO BAY FOR SLIM PS2

14 PLAYSTATION 2: HDLOADER AND OPENPS2LOADER

15 PLAYSTATION 2: MEMOR32 VS FREEMCBOOT
- Team Memento released the overpriced Memor32 memory card (no modchip required). Memor32 allowed booting of a custom OS, homebrew, backup loaders, and emulators.
- It was short-lived, as it was quickly reverse engineered and released for free, and could be installed on any vanilla Sony PS2 memory card.

16 PLAYSTATION PORTABLE (PSP)
- TIFF exploit: buffer overrun allowing unsigned code on v1.50 stock PSP firmware. Executed by browsing photos on the memory stick or starting a slideshow. Gone after reboot.
- UMD game exploits: buffer overflow allowing unsigned code on v2.50/v2.60 stock PSP firmware. GTA Liberty City Stories or Lumines were typically used. Gone after reboot.
- Custom firmware (CFW): modified firmware that allowed homebrew and integrated CSO/ISO loading. This was flashed to the PSP, replacing the stock firmware. Persistent after reboot.
- Undiluted Platinum modchip: allowed PSPs to run custom firmware alongside the stock PSP firmware. Mostly used for "unbricking" PSPs with corrupted firmware.
- Pandora Battery: modified battery used in conjunction with software on the memory stick that allowed the PSP to boot into a reverse-engineered factory service mode, allowing installation of custom firmware and unbricking of corrupted firmware.

17 PLAYSTATION PORTABLE: PANDORA BATTERY

18 PLAYSTATION 3
- 11/2006: PS3 is released
- 1/2010: GeoHot hacks the PS3, gains access to the Hypervisor (after booting Linux with the help of the PS3's "OtherOS" feature) and is able to dump its NAND. The PS3 has a hardware Hypervisor whose code is located in the main CPU and one of its seven Cell processors.
- 3/2010: Sony removes "OtherOS" from the PS3
- 8/2010: PS Jailbreak team announces the "PS Jailbreak" dongle for $130. Allows unsigned code on the PS3 using a USB exploit.
- 8/2010: PS Jailbreak is reverse engineered and PSGroove (clone) is released, a free open source version of PS Jailbreak using the Teensy++ USB development board or AT90USBKEY.
- 9/2010: Sony releases firmware update 3.42, disabling the use of PS Jailbreak and all clones.
- 10/2010: fail0verflow group (known for the Wii Homebrew Channel) obtains the PS3 private cryptography keys.
- 11/2010: PS Jailbreak team releases the "PS Downgrade" USB stick, allowing firmware downgrade. This worked by using a USB factory service mode in combination with a service app which was leaked.
- 12/2010: Sony blocks downgrades with v3.55 firmware
- 1/2011: First PS3 custom firmware released

19 GAMECUBE
- SD Media Launcher: Gamecube memory card with a built-in SD slot
  - Allows launching of homebrew and ISOs from an SD card of up to 4GB
- QOOB modchip
  - Direct boot of game discs (no disc swapping required)
  - 16Mbit flash memory for app storage (GCOS, apps, and emulators)
  - BIOS selection/control
- Custom Gamecube case:
  - Standard Gamecube discs were 1.5GB 8cm (3.1 inch) discs
  - A custom case would be installed to accept 12cm (4.75 inch) discs, which were more widely available

20 GAMECUBE: SD MEDIA LAUNCHER

21 GAMECUBE: QOOB MODCHIP

22

23

24 NINTENDO WII
- 729MHz PowerPC Broadway CPU
- 243MHz ATI Hollywood GPU (based on the Gamecube "Flipper" GPU, just 50% faster)
- Contains an NEC ARM256 core named "Starlet" which controls I/O functions, wireless, USB, and the optical disc drive. It also handles security and encryption functions and has hardware implementations of AES and SHA-1.

25 NINTENDO WII: HARDMODS
- DVD drive modchips: WiiKey (direct solder), WiiFree (PIC chip), DriveKey solderless (DVD pass-through)
- Drive emulation devices:
  - FlatMii (load Wii/GC ISOs from a PC via USB)
  - WODE Jukebox (load Wii/GC ISOs from an HDD via USB)

26 NINTENDO WII: BOOT PROCESS
- ARM ("Starlet" processor, located inside the ATI Hollywood GPU)
  - boot0: a mask ROM (1.5K) which loads boot1 and verifies its SHA1 hash against the one stored in OTP. If there is a mismatch, the system will halt.
  - boot1: lives in the first block of NAND; loads one of two copies of boot2 from blocks 1-7 of NAND and verifies it using RSA / SHA1.
  - boot2: a stripped-down version of IOS. It reads the NAND filesystem, verifies HMAC signatures, then loads the System Menu's IOS.
  - IOS: sees that it is being booted thanks to the writes of boot2 and bootstraps the PPC to start the System Menu.
- PPC (IBM Broadway PowerPC CPU)
  - The System Menu is the first visible user interface, since it is the first code running on the PowerPC. It has higher access privileges than games (e.g. it can read and write every savegame).

27 NINTENDO WII: WIIKEY MODCHIP

28 NINTENDO WII: DVD DRIVE EPOXY
- Eventually Wii DVD drive PCBs started to show up with epoxy on them (likely meant to discourage modchip installation). It was easily removed with a mini heat gun and an X-Acto knife.

29 NINTENDO WII: WIIFREE MODCHIP
- Low-cost 12F629 PIC chip. Load the WiiFree hex onto it yourself with a PIC programmer:

30 NINTENDO WII: DRIVEKEY MODCHIP
- DVD pass-through modchip. No soldering required.

31 NINTENDO WII: FLATMII MODCHIP
- Allows the Wii to load ISOs directly from a PC via USB

32 NINTENDO WII: WODE JUKEBOX
- DVD drive emulator that allows you to load Wii/GC ISOs from an HDD attached via USB.

33 NINTENDO WII: SOFTMODS
- Made hardmods obsolete. Wii softmods were capable of much more, such as homebrew software, emulation, and loading games from a USB hard drive, all without having to open the Wii and install a modchip.
- Tweezer attack: involved using a pair of tweezers to bridge areas of memory, allowing access to limited sections of the Wii. This led to the discovery of the undocumented "Starlet" processor (located in the GPU) and the Wii public key.
- Twilight Hack (up to v4.0): released by "Team Twiizers". Took advantage of a save game bug in The Legend of Zelda: Twilight Princess. You would place the modified game save on an SD card, transfer it to your Wii and load the save, but instead the Wii would launch into the Homebrew Channel installer. Watch 25C3: Wii Fail for more info.
- Bannerbomb (up to v4.2): loads the exploit via the channels section in the SD card management screen. Disabled by Nintendo via the system menu 4.3 update.
- Letterbomb (v4.3+): loads the exploit via the Wii Message Board, which crashes the Wii to initiate the softmod.
- BootMii: hacked version of boot2 that allows low-level access to the Wii. Boots before IOS and the System Menu. Always a good idea to install along with a softmod, since it allows you to backup/restore your NAND and fix your Wii in case you accidentally brick it.

34 NINTENDO WII: HOMEBREW SOFTWARE

35 FLASH CARTS FOR NINTENDO HANDHELDS
- Game cartridges that hold up to 8Mbit of memory or contain mini or microSD slots for external memory
- Used to store and launch homebrew apps, music, ebooks, and games
- R4, DSTWO, M3 for GBA, DS, DSi, DSXL, 3DS, and 3DSXL

36 XBOX (ORIGINAL)
- Released November 15th, 2001. Based on DirectX technology, hence the name Xbox.
- 733MHz Pentium III x86 CPU, ATI GPU (rebranded to nVidia)
- nForce motherboard chipset
- 64MB of RAM (upgradable to 128MB)
- LPC port used during the manufacturing process to perform tests, diagnostics and burn-in for the Xbox motherboard. Perfect for modchip installation (thanks Microsoft!)
- 1MB TSOP flash in v1.0/v1.1 Xbox motherboards. Contains the 256K stock BIOS duplicated 4 times.
- 256K TSOP flash in v1.4 Xbox motherboards
- Use of the PC x86 architecture made it easy to port PC apps like emulators and games like Quake over to a modified Xbox

37 XBOX: LAYOUT

38

39 XBOX: INSIDE

40 XBOX: HARD DRIVE
- Stock 10GB HDD is ATA locked or "married" to the motherboard. Cannot be used in another Xbox unless unlocked.
- Stock hard drive has a C:\ partition for dashboard and system files and an E:\ partition for game saves (E:\TDATA and E:\UDATA)
- File system accessible via FTP after modification
- Upgrading the hard drive to store movies, games, and emulators was one of the main reasons to modify the Xbox.
- Up to 750GB IDE was supported. 1TB+ was possible through a SATA adapter and modification of the hard drive tray.
- A non-standard F:\ partition was created for large hard drives and could also be split off into a G:\ partition

41 XBOX: BOOT PROCESS
- Secret Boot ROM (first bootloader): located in the MCPX Southbridge chip
- Flash Boot Loader: responsible for verifying digital signatures on all portions of the FLASH ROM
- 2BL (second bootloader): decoded from flash into RAM by the first bootloader. Its responsibility is to decrypt and decompress the kernel image
- Xbox Kernel: contains hardware initialization code and the low-level hardware-access functions used by Xbox applications. Launches the Xbox Dashboard
- Xbox Dashboard: C:\xboxdash.xbe

42 XBOX: ANDREW "BUNNIE" HUANG
- Godfather of game console hacking
- PhD at MIT who sniffed the HyperTransport bus of the Xbox motherboard and was able to dump the Secret ROM and RC4 key. The rest is history.
- Bunnie's adventures in hacking the Xbox
- Hacking the Xbox eBook, released for free in honor of Aaron Swartz
- 17 mistakes Microsoft made with the Xbox security system
- 22C3: Xbox Hacking

43 XBOX: BIOS
- Stock Microsoft BIOS, Xecuter BIOS, Cromwell Linux BIOS
- Initialized from the onboard TSOP or from a modchip connected to the LPC port

44 XBOX: BIOS TOOL
- EVTool BIOS/kernel configuration tool

45 XBOX: TSOP FLASHING
- Replaces the stock MS BIOS with a custom BIOS image (Xecuter or Cromwell)
- Requires only two points on the motherboard to be bridged (no modchip required)
- Relies on save game exploits (007 Agent Under Fire, MechAssault, or Splinter Cell), where a modified save is first copied to the Xbox via memory card.
- The save game is launched, but instead of loading a game, a minimal version of Linux is launched. Possible because all games run in kernel mode, not user mode.
- You can now telnet to the Xbox and run flash commands to read and write flash memory
- Only possible with Xbox motherboard revisions v1.0-v1.4 (2001-2004)
- Microsoft converts the TSOP to ROM and moves it into the video scaler chip in Xbox v1.6 (2005)

46 XBOX: TSOP FLASHING

47

48

49 XBOX: SPLIT TSOP
- Custom 1MB BIOS flashed to the TSOP that was half stock BIOS (512K) and half Xecuter BIOS (512K)
- Used to switch between BIOSes in order to avoid Live detection (which Microsoft was eventually able to detect)
- An SPST switch was installed, wired to points on the motherboard, that would force loading the TSOP "low" or "high", thus switching between the two images
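Slides 3, 36 and 49 together describe the two 1MB TSOP layouts (a 256K stock BIOS mirrored four times, or a 512K stock half plus a 512K Xecuter half) and warn that flashing the wrong file bricks the console. The check below is an added example, not code from the presentation or any flashing tool: it splits a dump into 256K banks, reports which banks are byte-identical, and refuses anything that is not exactly 1MB. Function names, the classification strings and the sample images are all constructed for illustration; the sample banks are hash-generated filler, not real BIOS data.

```python
"""Sanity-check a 1MB original Xbox TSOP image before flashing (added example)."""
import hashlib

BANK_SIZE = 256 * 1024      # 256K: the size of one stock Xbox BIOS image
TSOP_SIZE = 1024 * 1024     # 1MB TSOP on v1.0/v1.1 motherboards


def bank_layout(image: bytes, bank_size: int = BANK_SIZE) -> list:
    """Map each bank to the index of the first bank with identical bytes.

    [0, 0, 0, 0] means one image mirrored four times; [0, 0, 2, 2] means two
    distinct 512K halves, each holding a 256K image mirrored twice.
    """
    if len(image) % bank_size:
        raise ValueError(f"image length {len(image)} is not a multiple of {bank_size}")
    banks = [image[i:i + bank_size] for i in range(0, len(image), bank_size)]
    layout = []
    for i, bank in enumerate(banks):
        # the search always terminates at i itself, so next() never raises
        layout.append(next(j for j in range(i + 1) if banks[j] == bank))
    return layout


def classify_tsop(image: bytes) -> str:
    """Describe what a 1MB TSOP dump looks like, or flag it as unsafe to flash."""
    if len(image) != TSOP_SIZE:
        return f"unexpected size {len(image)} bytes (expected {TSOP_SIZE}); do not flash"
    layout = bank_layout(image)
    if layout == [0, 0, 0, 0]:
        return "stock-style: one 256K BIOS mirrored 4 times"
    if layout == [0, 0, 2, 2]:
        return "split TSOP: 512K low half and 512K high half, each a mirrored 256K image"
    if layout == [0, 1, 2, 3]:
        return "four distinct 256K banks"
    return f"irregular bank layout {layout}; verify before flashing"


def bank_digests(image: bytes) -> list:
    """SHA-1 of each distinct bank, for comparison against a known-good image."""
    layout = bank_layout(image)
    return [hashlib.sha1(image[i * BANK_SIZE:(i + 1) * BANK_SIZE]).hexdigest()
            for i in sorted(set(layout))]


def make_bank(seed: int) -> bytes:
    """Constructed filler standing in for a 256K BIOS image (not a real BIOS)."""
    return hashlib.sha256(seed.to_bytes(4, "little")).digest() * (BANK_SIZE // 32)


# Constructed sample dumps: a stock-style image, a split image and a short dump.
STOCK_IMAGE = make_bank(1) * 4
SPLIT_IMAGE = make_bank(1) * 2 + make_bank(2) * 2
TRUNCATED_IMAGE = make_bank(1) * 3   # 768K: a dump that stopped early

if __name__ == "__main__":
    for name, img in [("stock", STOCK_IMAGE), ("split", SPLIT_IMAGE),
                      ("truncated", TRUNCATED_IMAGE)]:
        print(f"{name}: {classify_tsop(img)}")
        if len(img) == TSOP_SIZE:
            print("  distinct bank SHA-1s:", bank_digests(img))
```

Comparing the distinct bank digests against the hashes of the image you intended to flash is the step that catches the "wrong file" mistake the Types of Mods slide warns about; the layout check alone only tells you the image is structurally plausible.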

50 XBOX: LPC PORT V1.0/1.1
- Xbox test port where modchips can be installed
- Pin header, wire, or pogo-pin install
- Pin header install was preferred since it was reliable and made it easier to upgrade your modchip

51 XBOX: LPC PORT V1.6 (LPC REBUILD)
- Microsoft moves test points away from the LPC port to thwart modchips
- Port easily remapped by wiring them to the new vias on the motherboard

52 XBOX: MODCHIPS
- Installed onto the LPC port of the Xbox motherboard
- Soldered: Xecuter 2, Xecuter 3, Xenium
- Solderless: Xodus Matrix pogo-pin modchip

53 XBOX MODCHIPS: XECUTER 2
- Xecuter 2: 1MB modchip by Team Xecuter (shipped with the legal Cromwell BIOS)
- Ability to turn off the modchip to avoid Xbox Live banning (eventually detected by Microsoft)
- Came with a mini PCB with 3 switches: on/off for Xbox Live, write protect, and bank select 512K/512K so you can have up to 2 custom BIOSes on the chip

54 XBOX MODCHIPS: XECUTER 3
- Xecuter 3: 2MB modchip by Team Xecuter (shipped with the legal Cromwell BIOS)
- 2MB allowed for 8x256K banks, 4x512K banks, or 2x1MB banks. The DIP switch controlling the bank config was mounted at the front of the Xbox
- X3 BIOS:
  - HTTP server that allows you to flash the chip from a web browser on your computer
  - FTP server that allows you to transfer files to the Xbox hard drive without having an OS
  - Built-in capability to format hard drives without having to use special software
  - Control of the Xbox logo color, banner, and 3D boot-up animation

55 XBOX MODCHIPS: XECUTER 3

56

57 XBOX MODCHIPS: XECUTER 3 CP
- Xecuter 3 Control Panel by Team Xecuter. Complete front panel replacement integrating BIOS selection, an LCD status display, and built-in USB ports.

58 XBOX MODCHIPS: GENOS RECOVERY CHIP
- 29-wire recovery modchip used to restore corrupted or incorrectly flashed TSOPs

59 XBOX: SOFTMOD
- No need to open your Xbox or solder anything
- Utilizes the same save game exploits found in 007, MechAssault, and Splinter Cell that are used for TSOP flashing.
- Instead of loading Linux, you're booted into a custom dashboard called ULaunchX that is reworked into a softmod installer wizard.
- Softmods are possible because the font loader that the Microsoft dashboard utilizes had no checksum and had an existing exploit.
- This exploit allowed the system to launch a kernel patcher. The patcher edits the kernel loaded into RAM and directs it to look for a different dashboard rather than the stock xboxdash.xbe dashboard.

60 XBOX: XBOX MEDIA CENTER
- Turns the Xbox into an HTPC
- Can also serve as the main dashboard for a modified Xbox
- Originally called Xbox Media Player, then renamed to XBMC
- XBMC is now called Kodi and can be installed on Windows, Linux, Mac OS X, Android, iOS, Fire TV, Fire Stick, Chromebox, and many other devices.
- Contains a built-in Python interpreter that allows users to develop add-ons. Most commonly used to scrape websites for links to streaming videos
- The Xbox fork continues development as XBMC4Xbox

61 XBOX: XBOX MEDIA CENTER

62 XBOX: EMULATION
- Capable of emulating Atari, Coleco, Commodore 64, MAME arcade, Neo Geo, Sega Master System, Genesis, Game Boy, GBA, NES, SNES, N64, PlayStation and more.

63 XBOX: QUASICADE 2 / X-ARCADE STICK
- Quasicade 2: pre-built arcade system
- X-Arcade stick: plug-and-play arcade stick for PS2, Xbox, 360, and Gamecube/Wii systems
- Able to switch between multiple consoles and even a PC
- Perfect companion for modified Xboxes

64 XBOX: PORTS
- PC games ported to the Xbox: Quake 1-3, Descent, Doom, Hexen, MUGEN, StepMania and more.

65 XBOX: LINUX
- GentooX Linux for Xbox
- Utilizes the legal Cromwell BIOS

66 XBOX 360
- 3.2 GHz Xenon CPU (PowerPC-based triple-core 64-bit processor)
- 500MHz ATI Xenos GPU
- 512MB of 700MHz GDDR3 RAM
- DVD drive "married" to the motherboard via a special drive key, so you can't just swap out drives without extracting the key first
- Removable 2.5" SATA HDD. Able to use your own aftermarket hard drives with the HDDHACKR tool.

67 XBOX 360: BOOT PROCESS
- 1BL (1st bootloader): located inside the Xenon CPU. Loads and decrypts "CB" into RAM
- CB: starts up a VM which initializes the PCI bridge, serial port, and memory. Also disables the JTAG test port. Generates RROD if memory init fails. Loads and decrypts CD into RAM
- CD: loads and decrypts CE into RAM, which contains the compressed base kernel. If a patch exists, CD will load the CF bootloader for that patch
- CF: loads CG into memory, which applies the CF patch to the base kernel and jumps back to CD. CD jumps to the Hypervisor.
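The Wii (slide 26), original Xbox (slide 41) and Xbox 360 (slide 67) boot chains all follow the same shape: an immutable first stage (mask ROM or on-die 1BL) verifies the next stage before running it, and each stage verifies the one after. The model below is an added example, not code from the presentation or from any console's firmware; it uses the Wii slide's stage names and checks: boot0 compares SHA1(boot1) against a value fused into OTP, boot1 accepts whichever of the two boot2 copies verifies, and boot2 checks an HMAC over the NAND filesystem entry it loads. Because the Python standard library has no RSA, boot1's RSA/SHA1 signature check is stood in for by HMAC-SHA1 keyed with a constructed "root key" that plays the role of the public key; that substitution, the keys, the image contents and every function name are assumptions made for this illustration.

```python
"""Toy model of a hash-anchored boot chain (added example, Wii stage names)."""
import hashlib
import hmac
from dataclasses import dataclass

ROOT_KEY = b"constructed-root-key"        # stands in for the RSA public key held by boot1
NAND_HMAC_KEY = b"constructed-nand-key"   # key boot2 uses over NAND filesystem entries


class BootHalt(Exception):
    """A stage refused to hand off; the real hardware simply stops here."""


@dataclass
class Nand:
    boot1: bytes
    boot2_copies: list   # [(image, signature), ...]: blocks 1-7 hold two copies
    files: dict          # NAND filesystem: name -> (content, hmac tag)


def sign_boot2(image: bytes) -> bytes:
    """Stand-in for the RSA/SHA1 signature over boot2 (HMAC-SHA1 with the root key)."""
    return hmac.new(ROOT_KEY, image, hashlib.sha1).digest()


def tag_file(content: bytes) -> bytes:
    """HMAC-SHA1 over a NAND filesystem entry, as boot2 checks it."""
    return hmac.new(NAND_HMAC_KEY, content, hashlib.sha1).digest()


def boot0(otp_boot1_hash: bytes, nand: Nand) -> None:
    """Mask ROM: SHA1(boot1) must equal the hash fused into OTP, otherwise halt."""
    if not hmac.compare_digest(hashlib.sha1(nand.boot1).digest(), otp_boot1_hash):
        raise BootHalt("boot0: boot1 hash does not match OTP")


def boot1(nand: Nand) -> int:
    """Accept the first boot2 copy whose signature verifies; return its index."""
    for idx, (image, sig) in enumerate(nand.boot2_copies):
        if hmac.compare_digest(sign_boot2(image), sig):
            return idx
    raise BootHalt("boot1: no boot2 copy carries a valid signature")


def boot2(nand: Nand, name: str) -> bytes:
    """Verify the HMAC on a NAND file (here the System Menu's IOS) before loading it."""
    content, tag = nand.files[name]
    if not hmac.compare_digest(tag_file(content), tag):
        raise BootHalt(f"boot2: HMAC mismatch on {name}")
    return content


def boot_chain(otp_boot1_hash: bytes, nand: Nand) -> list:
    """Run boot0 -> boot1 -> boot2 -> IOS and return the trace up to any halt."""
    trace = []
    try:
        boot0(otp_boot1_hash, nand)
        trace.append("boot0 ok")
        idx = boot1(nand)
        trace.append(f"boot1 ok (boot2 copy {idx})")
        boot2(nand, "ios")
        trace.append("boot2 ok")
        trace.append("ios -> system menu")
    except BootHalt as halt:
        trace.append(f"HALT {halt}")
    return trace


def build_nand() -> tuple:
    """Constructed, self-consistent flash contents plus the matching OTP hash."""
    b1 = b"boot1 image (constructed)"
    b2 = b"boot2 image (constructed)"
    ios = b"IOS image (constructed)"
    nand = Nand(boot1=b1,
                boot2_copies=[(b2, sign_boot2(b2)), (b2, sign_boot2(b2))],
                files={"ios": (ios, tag_file(ios))})
    return hashlib.sha1(b1).digest(), nand


def tampered(which: str) -> tuple:
    """OTP hash and NAND where one stage was modified without a matching signature."""
    otp, nand = build_nand()
    if which == "boot1":
        nand.boot1 = b"patched boot1"
    elif which == "boot2-primary":
        nand.boot2_copies[0] = (b"patched boot2", nand.boot2_copies[0][1])
    elif which == "boot2-both":
        nand.boot2_copies = [(b"patched boot2", sig) for _, sig in nand.boot2_copies]
    elif which == "ios":
        nand.files["ios"] = (b"patched IOS", nand.files["ios"][1])
    return otp, nand


if __name__ == "__main__":
    print("clean:", boot_chain(*build_nand()))
    for case in ("boot1", "boot2-primary", "boot2-both", "ios"):
        print(f"{case}:", boot_chain(*tampered(case)))
```

Two properties of the chain are worth noticing when reading the trace. Modifying boot1 halts in boot0 because the OTP hash cannot be rewritten, while corrupting one boot2 copy is survivable because boot1 falls back to the second copy; and every stage below boot1 is trusted only as far as the signing key is, which is why slide 33's BootMii, a replaced boot2, gets control of everything that follows it.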

68 XBOX 360: DRIVE MODS
XBOX 360 Drive:
  Had to be completed via DOS using specific SATA controller cards.
  Required the above and the "Mode B" wire trick on the power wire, which was later replaced by the Unlock CD.
  Used an application called Jungle Flasher in Windows. Newer drive revisions required trace cutting, and some had to be used with a probe to send a signal that would allow read and write access to the drive's flash chip.
XBOX 360 Slim Drive:
  The drive's SPI was unlocked, which enabled read and write access.
  Required the "Kamikaze" hack, which involved drilling into the drive's flash chip to cut an internal trace and disable the write protection.
  The latest revisions require a reset glitch hack to obtain the DVD key and build the drive's firmware from scratch.

69 XBOX 360: KAMIKAZE HACK https://youtu.be/1gCYXb54oig

70 XBOX 360: XK3Y
DVD drive emulator: a pass-through PCB that sits between the DVD drive and the motherboard. Allows you to play ISOs off a USB HDD. Can be switched off in order to operate in normal disc mode. Unlike other mods, this is Live safe to this day.
Video example | xk3y site

71 XBOX 360: JTAG HACK
KingKong hack: A fatal bug in the Hypervisor's syscall handler, introduced in the 4532 kernel update. Allows jumping into any 32-bit address in hypervisor space.
SMC exploit: A faster version of the KK exploit (as in, it boots faster) that allows the running of unsigned code. The SMC exploit is limited to consoles running kernels prior to the summer 09 update (7371). There are several patched CBs which prevent the exploit. The boot is faster, almost indistinguishable from the original boot time. The only hardware required to apply the patch is 2 diodes and a NAND reader to read the NAND and patch it with the exploit.

72 XBOX 360: RESET GLITCH HACK
Works by sending a tiny reset pulse to the processor. While the processor is slowed down, the pulse does not reset it but instead changes the way the code runs; it seems very efficient at making the bootloaders' memcmp (memory compare) functions always return "no differences". memcmp is often used to check the next bootloader's SHA hash against a stored one, allowing it to run if they are the same. So we can put a bootloader that would fail the hash check in NAND, glitch the previous one, and that bootloader will run, allowing almost any code to run.
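Added illustration (not Xbox 360 code, and not from the presenters): a simplified model of the chained hash check from the boot-process slide, showing why a single memcmp()-style comparison whose success value is zero is fragile against a fault that forces the result to "no differences", and how secure-boot code is commonly hardened against it. The 8-byte digests and stage names are constructed stand-ins for the real SHA hashes; the sentinel values are arbitrary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DIGEST_LEN 8                     /* constructed stand-in for a SHA digest length */
#define VERIFY_OK   0x5A3CC35AU          /* success is a specific non-zero constant */
#define VERIFY_FAIL 0xA5C33CA5U

/* Constructed sample digests: BAD differs from GOOD in its last byte only. */
static const uint8_t GOOD[DIGEST_LEN] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88};
static const uint8_t BAD[DIGEST_LEN]  = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x89};

/* Naive check, as the slide describes: one memcmp() whose 0 result is the
 * success path, so a fault that forces a 0 return passes any image. */
int verify_naive(const uint8_t *expected, const uint8_t *actual) {
    return memcmp(expected, actual, DIGEST_LEN) == 0;
}

/* Hardened check: OR every byte difference (no early exit), do it twice with
 * independent accumulators in opposite directions, re-test the result, and
 * return a distinct success sentinel rather than zero. A single corrupted
 * instruction or return value is far less likely to land on "success". */
uint32_t verify_hardened(const uint8_t *expected, const uint8_t *actual) {
    volatile uint32_t diff1 = 0, diff2 = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++) diff1 |= expected[i] ^ actual[i];
    for (size_t i = DIGEST_LEN; i-- > 0;)  diff2 |= expected[i] ^ actual[i];
    if (diff1 != 0 || diff2 != 0) return VERIFY_FAIL;
    if ((diff1 | diff2) != 0)      return VERIFY_FAIL;   /* redundant re-check */
    return VERIFY_OK;
}

/* The caller must test for the exact sentinel, never for "not FAIL". */
int next_stage_allowed(uint32_t verdict) { return verdict == VERIFY_OK; }

/* Hypothetical stage record: the digest stored by the previous loader and the
 * digest computed over the image actually found in NAND. */
typedef struct { const char *name; uint8_t stored[DIGEST_LEN]; uint8_t computed[DIGEST_LEN]; } stage_t;

stage_t make_stage(const char *name, const uint8_t *stored, const uint8_t *computed) {
    stage_t s; s.name = name;
    memcpy(s.stored, stored, DIGEST_LEN); memcpy(s.computed, computed, DIGEST_LEN);
    return s;
}

/* Walk the chain the way the boot-process slide describes: each loader verifies
 * the next and refuses to hand over control on mismatch. Returns how many
 * stages were allowed to run before the chain stopped. */
size_t boot_chain(const stage_t *stages, size_t n) {
    size_t booted = 0;
    for (size_t i = 0; i < n; i++) {
        if (!next_stage_allowed(verify_hardened(stages[i].stored, stages[i].computed))) break;
        booted++;
    }
    return booted;
}
```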

73 MOD USES IN GAME CONSOLE REPAIR
360 drive flash know-how required in order to replace defective drives
Chip installation or JTAG/RGH required to restore bad NAND on the motherboard or to recover a lost DVD key for drive replacement
Chip installation required in order to replace the original Xbox hard drive or to restore corrupted OS files
Mod required in order to enable Wii NAND backup and restore

74 HOW DID PREVIOUS MODS CHANGE THE WAY TODAY'S CONSOLES FUNCTION?

| Previous Consoles | Previous Mods | Today's Consoles | Common Features |
|---|---|---|---|
| PS1, PS2, PS3, PSP | Emulators, Media Center, Theming, Play Backups, Return Linux OS, Install games to HDD, Dev Kits | PS4 | Individual emulated games, Media Center, Theming, Install games to HDD |
| XBOX, XBOX 360 | Emulators, Media Center, Theming, Play Backups, Install Linux, Replace DVD/HDDs and other repairs, Install new OS, Install games to HDD, Development Kits | XBOX One | Individual emulated games, Media Center, Backup games to HDD, HDDs are now replaceable, Development apps are downloadable |
| GC, DS, Wii | Play imports, Emulators, Backups, Media Center, Install Linux, Install games to Memory Card, Repairs | Wii U | Media Center, Backups playable from HDD/MC, Individual emulated games |
| iOS 2.0 or before | Install any other non-default application, Unlock SIM, Send/Receive MMS, Development, Installer / Cydia | New Gen iOS Devices | MMS, App Store, ADT, SIM Unlockable, Most apps in the App Store started in "Installer / Cydia" |

75 DIGITAL MILLENNIUM COPYRIGHT ACT
The DMCA is extremely complex; for instance, the DMCA makes it unlawful to bypass "effective technical protection measures" without clearly specifying what that means.
DMCA exemptions relevant to reverse engineering:
  Circumventions conducted in the course of legitimate encryption research
  Circumvention for purposes of computer security testing
  Circumvention of a technical protection system when necessary to achieve interoperability among computer programs

76 DIGITAL MILLENNIUM COPYRIGHT ACT
U.S. Declares iPhone Jailbreaking Legal in 2010
Regulators agreed that "the activity of an iPhone owner who modifies his or her iPhone's firmware/operating system in order to make it interoperable with an application that Apple has not approved, but that the iPhone owner wishes to run on the iPhone, fits comfortably within the four corners of fair use."
DMCA is rarely enforced criminally: Prosecutors Dismiss Xbox-Modding Case Mid-Trial
Because this case was dismissed, the application of the DMCA to game console mods remains unclear.

77 QUESTIONS?

78 Thanks for having us. – Fred and David
