Console Hacking

1
Console Hacking

• Andrew Reiter, Sean Kim

2
Why Hack a Gaming Console?

• Run Custom Apps
• Install and run a new OS
• Emulators, Media Players
• Run a server
• Take advantage of specialized graphics cards
• Write custom game code
• Customize your console
• Backup Games
• In case your original is lost or play imports

3
Wii Specs

• Main CPU PowerPC based Broadway
• 729 Mhz
• Graphics CPU ATI Hollywood
• 243 Mhz
• Memory 88 Mb System Total Memory

4
Possibilities of Hacks (Wii)

• Compatible with Gamecube Homebrewed Code (Action
  Replay)
• Cheats patch memory addresses
• Ability to play various other console games or
  any unsigned code from memory cards or network
• Opera
• Integrated Web Browser

5
PS3 Specs

• Main CPU IBM Designed PowerPC Cell Processor
• 3.2 Ghz
• 8 Synergistic Processor Elements (SPE_
• Graphics CPU NVIDIA RSX
• 1.8 TFLOPS Floating Point
• Memory 256 XDR Main RAM 256MB GDDR3 VRAM
• HDD 20-80 GB
• Full HD Support

6
PS3

• No full hacks yet.
• Option to install other OS in XMB
• Fedora, Ubuntu, Gentoo
• Hypervisor limits access to RSX (graphics chip)
  by other OSs.
• Hackers attacking this specific limitation
• Use OS to dump contents of a game (back-up
  copies)
• Sonys firmware upgrades render usage of the dump
  obsolete.

7
Possibilities of Hacks (PS3)

• XrossMediaBar(XMB)
• Main System User Interface
• Integrated Web Browser
• NetFront Browser by Access Co.
• Every browser is vulnerable.
• Shared Memory Space inside SPEs.
• Buffer Overflows..somehow..
• Leaked SDKs by fired employees.

8
XBOX 360

• CPU PowerPC-based, 3 cores _at_ 3.2Ghz
• Memory 512MB GDDR3 RAM
• Graphics 500Mhz custom ATI chip
• Hard Drive Optional 2.5 SATA
• DVD-ROM, USB 2.0, Ethernet

9
XBOX 360

• Security systems not fully understood
• Arbitrary code execution not yet accomplished
• Possible to play copied games

10
XBOX 360

• Playing backups
• Extract unique key from DVD drive firmware,
  inject into hacked firmware
• Re-flash DVD drive with new firmware
• Making backups
• Boot DVD drive with hacked firmware
• Extract Security Sectors from game
• Merge SS into game image and burn

11
XBOX

• CPU 733MHz Pentium III
• Memory 64MB SDRAM
• Graphics 233Mhz custom NVIDIA chip
• Hard Drive 10GB PATA
• DVD-ROM, USB, Ethernet

12
Security Measures

• RC4-encrypted bootloader and kernel
• Hard drive is locked
• Executables must be signed with Microsofts
  2048-bit private key
• Secret Boot ROM
• Media Flags
• High-Speed Busses

13
Hardware Topology
14
Boot Sequence
15
Types of Attacks

• Modchips
• Original chips essentially replace onboard ROM
  chips
• Later versions use LPC debug port
• Can flash onboard TSOP
• Exploits
• Gamesave exploits
• Audio exploit
• Font exploit

16
References

• Huang, Andrew. "Keeping Secrets in Hardware the
  Microsoft XBox Case Study." Massachusetts
  Institute of Technology Artificial Intelligence
  Laboratory. 26 May 2002
• Xbox-Scene. 11 Nov. 2007  
  
• XBDev. 11 Nov. 2007 http//www.xbdev.net/openxdk/i
  ndex.php
• Gamecube Hacking www.ccc.de/congress/2004/fahrpl
  an/files/307-gamecube-hacking-slides.pdf 27 Dec
  2004
• Wiki PS3 http//en.wikipedia.org/wiki/PlayStatio
  n_3
• Wiki Wii http//en.wikipedia.org/wiki/Wii

17
DEMO