Speaker:
Transcript:
at a time when people thought video gaming was pretty dead. Some people might say during Covid or 2020, or maybe some other time. If you think video gaming is dead now, what is actually, Way back when? In 1984. So if you don't already know what was actually 1983, the great video game crash, where the video game market went from pretty good to very dead in just a few years.
This happened because, well, the main console at the time was the Atari 2600, and that cable and something there, there was very little quality control for the console. People were just publishing whatever. If you were a third party, you didn't need any, like, Atari approval, even publish or whatever. Even the first party games weren't that good.
If you know the rumor or. I guess that's confirmed now. E.T. the game for the Atari 2600, among others. It sold so poorly that they buried a bunch of copies of them in the Nevada desert in a landfill. This was originally thought to be like a pop culture rumor or something, but no, it's actually true.
And they did this because these games were so terrible. I'm sorry if anyone's favorite games is from this era, but, they weren't good because, you know, for the market. So a small indie company, which you might, not have heard of, called, Nintendo came around with their console, and their plan to, keep all the games good on their console was to enforce, you know, strict quality controls.
Keep the keys to the kingdom and, no third parties which were unsupervised or unapproved. So, only games that they explicitly allowed. And the way they did this was with the integrated circuit on, in the console publisher. So, the way this works is that, it was just a pretty simple security through security thing.
So there was a matching pair of chips on the console and the cartridge. It's just a pseudo random number generator where the console will send a state to the cartridge, and then an expected value back from the cartridge.
The 10NES lockout chip, integrated circuit, a random, pseudo random number generator.
No actual encryption because it was 1985, and they didn't have that on consumer hardware. And it was purely just obscurity through security, through obscurity. This would later be circumvented. Because, well, it would take quite a while, would take around ten years. So it was a success in that regard because, no one, no third parties were able to make games for the console.
The people who did want to make games for the console, it was very economically infeasible because you would have to, either steal the chip off of, like, a legitimate cartridge and put it in some fake games, or shock the chip, with, like, ten hertz of, like, some voltage, and it would stop it from resetting the console.
Nintendo would try and stop this by adding some resistors. Just made the thing heat up. It was pretty bad. But ultimately as a success, this also was defeated illegally, by Atari. So, something that they did is they went through the U.S. Patent Office and they told them, hey, we need to see the design for this because we're investigating some copyright issue.
And they weren't, they were just they just wanted the schematic for it. So they went to the copyright, the patent office, and they're like, okay. And they just made their own, the Tengen Rabbit. And then they got sued. Actually, twice, there were two lawsuits. They won one of them because, it was lawful for them to reverse engineer the chip, which is why, nowadays.
Yeah, I went to the patent office. They're like, hey, we're investigating some copyright infringement. We need the design for this. They use that design to just make their own, which is the Tengen Rabbit.
That would later be decapped and reverse engineered by hobbyists. But the lawsuit that came out of that, that was only found they only lost it because they pretty much just directly ripped the microcode and design from the patent office. But they were legally allowed to reverse engineer it, which set the precedent that, hey, people are allowed to reverse engineer stuff, and it's legal.
And that's cool. So that's why we get to do that today. Yeah. It's not, for the applications on their consoles. It pretty much it's the same thing. Although at this point, third parties were it was pretty unfeasible for them to develop for consoles randomly. So it was mainly just used for stopping piracy. There are also other miscellaneous anti-piracy checks.
This is kind of a tangent, but they're pretty interesting. For example, one would be to like, say, a console would have like one megabyte of memory. It would try and write to say an address like ten megabytes in. And if it fails, which it would on a real console. And it's legit. If it succeeds, then it means it's on a copier, and then it will just kind of stop the game, and there's a bunch of cool instances of that.
Anyway, brief intermission. So encryption. As I said earlier, the NES, no encryption. It was 1985. And encryption was just a military thing. So there wasn't really any consumer usages of it yet. But in the late 90s, it was legalized by Congress. You know, people wanted to use it for signing and encryption. And this really, companies use it pretty heavily to, you know, lock down their products.
But, you know, there would still be weaknesses. One of the first major consoles that would use this for code signing, at least, was the original Xbox, which came out in 2001. It was basically just consumer hardware. I mean, if you build your own PC back then, I mean Pentium three ran on Windows. The kernel was based on Windows 2000, and it had, a very close to consumer Nvidia GPU.
And it was in it did use code signing. So, Microsoft would have their key back at their headquarters somewhere and then our kernel would check is it signed by Microsoft. And if it is then it would run, otherwise it wouldn't. If anyone uses Mac OS, you know, SciPy, it just only let sign stuff run, which is a huge headache if you're kind of trying to do other stuff.
Notably, it can't sign its own. It can't do its own signing. So things are dynamically generated. So like, say, files, shaders and stuff, weren't able to be verified like this, which people would exploit later. So, one of the first hacks targeting the Xbox was by Andrew Huang. And what he did was he released, he, just copied the kernel by using, like, bus sniffing because the CPU would read it from, storage, and then he could just read it while it was being transferred over.
And then he posted this, image on his website, and then he got a very, nice call from Microsoft's lawyers. But at this point, it was too late. It was out in the wild. People could, do what they wanted with it. And eventually people just patched out all of the signature checks. And whatnot. There were other attacks for the console as well.
There were some hardware based attacks. I know Chad is, he was talking about, like, the Xbox mod chips that he had, like the executor. And there were also software based hacks as well. Savegame buffer overflows, where you would just take the hard drive out, put in a custom save file. You would load it in a game and it would load that data, and then it would, overflow the buffer and then you would have access.
So at this point on like the CPU, everything was in the same space. There wasn't any like, like hypervisor or kernel like access. It's just you get control and you kind of just get everything. But yeah. Buffer overflows. Right. A cybersecurity, meetup. So I won't go too much into detail, but these really just are the bread and butter of really doing any kind of exploits.
And they're so applicable across a huge range of consoles, like just throughout time, you know, like the PlayStation two, there was, like the Tony Hawk's Pro Skater, which is an interesting one because it let you load in a save file, and then you could start up like the network play server from there, and then connect other consoles running that game to there and then hack them as well.
The Wii, I remember I did a LetterBomb when I was in like middle school, you just, it's so easy. You just load, like, a file onto an SD card. And there's some other various ones, but, yeah, buffer overflow is just. You read data past where a program expects you to.
And then, now you have your data in memory, and then you can, potentially, you know, jump to where you want to, and if there's a return value getting overwritten or overwrite any other values. So the next console, the Xbox 360, this would be a little bit more secure. There's a hypervisor, so if you don't know, it would be.
But that is basically separates like the low level access to the console from where your games run, which is like your less privileged access. So if you gain control of, you know, a game running in that program, you would still have to break out of the hypervisor to be able to do anything else on the console.
It wasn't quite based on consumer hardware, which would which is going to be a trend you'll see in consoles. So it just makes it generally a bit harder to debug and, reverse engineer because everything will be on one chip. And yeah, less stuff to work with. It was still based on Windows 2000. So, exploits that applied there would, work on the console, which one was used?
And then there was just some other dedicated security tech. They, they're taking Microsoft after seeing how quickly the Xbox, the original Xbox was hacked. They were really taking this seriously. There's eFuses. So, an eFuse is a piece of memory where it's like a you can burn it once and you can't undo it, so it prevented you from downgrading your software because it would just read, hey, is the eFuse blown? If it is, it will refuse.
The flash was encrypted, unlike the previous console and, in her console, the components would have their own keys. So you. It was harder to swap things around, and whatnot.
One of the more interesting attacks for the Xbox 360 was called the kamikaze attack, which you can see there. The guy it's, he's drilling into, like a chip on his disk drive. So the way the Xbox 360 would work is that it would check if a disk was signed before loading the game that was on it, but the signing check was done by the disk drive, which the processor would just implicitly trust.
So if you could reflash the drive to just have it, always report back that, hey, this disk is legit. Just load the game on here, and then the, the kernel would just go ahead and do that. So a people data say, reflash it where it was patched and would always say like, yes, this is signed. Microsoft saw this was like, obviously this is no good.
So they enabled write protection on the chip. And like you can see like the white like stuff around here. They epoxied the chip so that you couldn't turn it off. But to disable this write protection, what people would do is they would take, like, a drill and just drill very carefully into a very specific spot on the controller.
To sever the line, keeping the, the write protection on, and then once they got this, they could just reflash it and then say whatever part of the games they want. Other attacks for the console, King Kong, King Kong, there was just a buffer overrun in this game. So you would overrun a buffer in the savegame.
And then from there, there was an exploit to break out of the hypervisor, and then you could just patch the console from there on. Let's see. Yeah. So this is a newish console. I don't really know why you would do this one, but it doesn't really have any games. But what's interesting about the PlayStation four, in addition to having zero games, is that it was based, very heavily on free and open source software.
The kernel's based on FreeBSD. There's a lot of OSS libraries in there which they use because, you know, someone who they don't have to pay for it, you know? But the downside is that any security vulnerabilities that are in those you get in your console, it would it would run on a system on a chip.
So make reverse engineering like even harder. And I mean, it made the console run faster. And as a side effect, it would, you know, make reverse engineering harder because it's very far from consumer hardware. Tooling is very specialized and consistent or like and dedicated for the hardware. And in addition, in this era, consoles would pretty much just be always online.
So, companies, once they got any wind of really anything happening, they would just release like a hot patch. And then all your work that you do is undone. And there were actual like, modern anti, like, hacking features. So if you're familiar with like, ASLR and like stack cookies and whatnot, they had those here.
This was actually like a modern ish architecture. And, you know, no more executing stuff out of memory and whatnot. But this would but because it was based on free and open source software, you know, the vulnerabilities that come with it. You know, WebKit, you know, amazing library. Awesome. Yeah. It's what they used to, implement their browser on the console.
But there was a problem with this. Where with a custom JavaScript, or when it would try and run, like, a specialized JavaScript attack, it would, and then, you would have. I think I believe it was a buffer overrun, actually, in WebKit that you would exploit by visiting like a custom site. And then from there you would use, vulnerability in, FreeBSD.
There are two that were used by that I read in dlclose to escape from, hypervisor jail. And at this point you can patch the system and then have unsigned code run. This is an example of like a demo website that you would go to on your console. And then you can just execute arbitrary actions from there.
At root level, they would pretty quickly patch the so because always online and whatnot. But I mean, it, it would show that it was vulnerable. And, you know, for an open source software, I mean, it's good if it comes with their vulnerabilities as well. And this would also WebKit would also be used on the Nintendo Switch.
I believe there was an exploit for that console as well. So here's something a bit more modern. And by modern I mean it's still 2013. But, the, there was a talk about this where the X1 actually released was like literally two weeks ago. It's a lot of very interesting stuff. And like, a lot of low level hardware hacking.
If you're interested in that, you should go watch that guy's talk. This is the SparkNotes version. But this thing is. But the Xbox One, much harder to hack than the 360, so there's no POST codes, which, if you don't know, POST code is just, like a, like data. Your any computer a computer emits when it's starting on to, like, communicate some state.
CPU timing attacks are harder because you can't reset or slow down the clock. There's no more obvious hardware debugging pins. For example, on the 360, there were the JTAG pins, which while they were disabled, you could still get something on them with some attacks, noisy timing attacks as well. During the boot process, they inserted around 35 randomized stalls.
So normally for a timing attack, you would power on the console and then just time out, say like, you know, 100 and whatever microseconds and then say like, do like a power attack and push up the power. And then I would try and get like, your desired, effect. No more of that because, there are so many randomized stalls, and actually half of the instructions during the boot process or the very early boot process are these randomized stalls, and in the bootloader, they're, it's very heavily tested and very fault tolerant.
So there's no just like there's no really good way to insert software faults. So you'd have to you only have to result on or rely on hardware attacks. So in the boot process of this console, there's a platform security processor, which is just like an ARM Cortex CPU. And that starts running at boot stages. They're not really important what they do, but they're stage zero, one and two in each, like the next one.
Stages one and two and each subsequent stage are all patchable by Microsoft just over the air. So any attack that would target them could just pretty quickly be patched out. So, attacking the first stage, SP zero would be, kind of gold, I guess, because, it's unpatchable. It's non writeable and it's just you have an Xbox and it's, it's like that.
But yeah, huge credit to Marcus Patterson. This is. Yeah. So, yeah, what he used to attack the Xbox One were power attacks. So what you can do is on the, SoC, you can just, get the power rail. Or you can identify the power rail for, like, a specific, like, component that you want.
And then at a specific time, you can just drop the power to zero. It's called a crowbar attack. Because it's like you're just throwing a crowbar over the two leads and then dropping the power, just for a very quick moment. And then what this does is you get the CPU into some kind of weird state, maybe it fails a write, or skips some instructions or reads memory wrong.
But, when you're doing this at an exact time, you can cause some behavior that you would want. Say, if you're skipping some initialization or skipping some checks, and using this, he was able to re-enable POST codes and do other stuff. So the second part of this attack, yeah. So I guess if you're familiar with page tables on a computer, they can be assigned permissions where, like this page is executable, this one is readable and readable.
The general rule is that, you never have a page table be readable and executable, because then you just write to it and then you execute from it. The platform security processor, would implement this by giving specific instruction spaces their own kind of jail, where they'd only have permissions to execute actions relating to that one. For example, like eFuse sensing, like reading data from like other sections of memory all get their own specialized jail because they're risky.
And, if they did get hacked, then you can't really break out of them. These jails are managed by the, Memory Protection Unit, which is basically just, enforces read, write and execute permissions for each section. And this setup happens early on in the boot process. But what you can do is, if you disrupt the power at the right moment, it prevents this thing from initializing. So then, at any point in the boot process, you can just simply, execute and write or write memory from anywhere.
And the way this timing works is that even though there are these randomized stalls or the console, what he did was he read like the power, usage from these eFuse reads. So during the boot process, it'll, it'll read data from the eFuses to determine like entitlements and permissions and configuration and whatnot.
And by reading this you determine like a good offset time from that to insert like a power attack and disrupt the MPU starting. So with the MPU disabled, you can, what's the boot process? It uses memcpy to load in some data. You can pretty much just reflash the ROM at this point or the NAND flash at this point.
When it loads that you can do some buffer overflow and then you can, execute, eruption or just your own, instructions that you planted beforehand. And Xbox One attack, which is really just the. Yeah, that's the latest development in console hacks and, yeah, that's about it, I guess. So, yeah. If any questions comments?
Yeah. Actually, for, power as I do and, you know, I hear. Right? Yeah. So how did that happen that you thought you found that, well, the thing about power attacks is, because you're right, the CPU is obviously very fast and having the exact time. It's very hard. It's non-deterministic. So you're you send the power attack like, the most accurate time you can, and then it will disrupt as long as you have the timing.
Right. It will disrupt it, like, maybe like one in, like, you know, 50 times. It is random, but you can just keep resetting the console until you get it. So the thing with these is that right. Sorry. Like, yeah, it pretty much. Yeah. You just insert the timing attack at a time that you're pretty sure is right.
And then you just keep resetting the console if it doesn't work. And then once you get it and you continue.
And there's a chance you could use something like an Arduino to basically attach that to heat. How do you configure the running time into which, you know, whether a certain is high, time is high, the internal power to renewables or is that is that fairly common? Is it is it really used to brute force the power?
Oh, well, I mean, the way these are done is, through like microcontrollers. I think in the talk he talks about using like a Teensy, like a Raspberry Pi to do all the timing attacks. By, like, manually, you would be like, no way. Because you kind of have to brute force the timings in the first place.
Like, say you have a anchor and then you'll go like, you know, some offset from that, some other offset and just keep going and keep resetting until you find, behavior that you, want to exploit. Yeah. So it seems like some of these exploits can be rectified by using, different PCB like so using the traditional pins for a it's a small process if you use ballpoint pen.
So the instead of the axes either side I go across for using the, Well, as well and new hardware, I mean, that's hardware manufacturers are generally trying using like SoCs. So everything's just inside of one chip system on a chip, which makes it a lot harder. But, I feel like at some point, I guess it is probably not impossible, but it's very hard and costly to have a circuit board with absolutely zero exposed leads.
Because as long as there's something exposed people. I mean, even with the with the Xbox 360 hack, people are willing to, you know, literally drill into their, hardware. But, I mean, that would make it harder, but. Yeah. Sorry. Yeah, that was the topic. We used to do the kind of the attack, like on the, like, side of the of repair place.
Oh. It's awesome. Yeah, but the, the the things you talk about, like, I go for, the original, like very to an audience, like a jack. Yeah. Right. A brand that would actually do like how are you going to for the connector. It's like it didn't have that. There was no good Jack. Yeah. Let's look at the game.
Yeah.
So if I recall correctly what it does is when the console reads the data off of the ROM like a certain address, it will just intercept that. And if it's the certain address, it will just insert its own patched bytes. Yes. Yeah. There is, it was like.
Harder to change to make sure that the cartridge that passed through. So there's a few things. Yeah.
Yeah. Why do you have to something I think they just, they spent I don't know, I, they spent all their money and design on those, like, weird PS3 era ads where it's like, super like trippy and kind of weird and I think they blew all their budget on marketing, I guess, and they forgot to develop games.
So I game on PC anyways. Yeah. The, the history was like a loss leader and so like, if it was, they were like losing money on it, but they make money like more games. Yeah. And I think it was like they started, like making clusters. Three. That is actually a reason why it took quite a bit longer compared to the, like, Xbox 360 hack, because they had OtherOS, which allows you to boot, like Linux on the machine and then enabled you to do that.
So, basically people who wanted to run Linux on their PlayStation, they already could, which stemmed the tide of it being hacked. And it's actually a similar story for the Xbox One because, they had like the developer mode. So you could just load in like CPU apps and stuff, which really did stem the tide of people trying to hack the console, which, yeah.
I think if I recall, I think most consoles are actually like hardware wise, they are loss leaders and then they make the money on, you know, people buying $60 games. But I don't I don't know how that business strategy would work if they didn't put any games on the PlayStation, though. Just selling at a loss for no reason.