Today we were able to successfully execute code on the iQue player! This is the first publicly known code execution.
Technical details: we were able to implement a known attack on the encryption scheme used with the iQue (AES-CBC) to inject custom data into the game data stored on the iQue NAND. This data is unchecked (but encrypted with keys we don't know) once it has been converted to ".rec" format. We also took advantage of a save file; they're unchecked and mapped to a certain region of RAM, so it's basically free space for us.
The CBC attack: AES-CBC uses the previous encrypted block and XORs it against the next block, after it has been decrypted, to produce the final plaintext decryption. XOR is deterministically modifiable, if you know the plaintext (which we do, thankfully). This attack does sacrifice a block of data (which will decrypt to random garbage) but it gains us control over arbitrary sections of code in the next block, and ultimately doesn't matter; we were able to sacrifice an unused section to control exactly the code we wanted. (see here for AES-CBC decryption procedure: [image])
very first successful result:
In action:
Shoutouts: Marshallh, Normmatt, and Riley/ROL
Last edited by dark_samus3,
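The CBC property the post relies on, as an added illustration that is not part of the original post and not the poster's code: in CBC decryption each plaintext block is D(C[n]) XOR C[n-1], so anyone who knows the plaintext of block n can XOR a chosen difference into ciphertext block n-1 and steer block n to a value of their choosing, at the cost of block n-1 decrypting to garbage. The property is independent of the block cipher, so this example stands a small Feistel network in for AES (an assumption made here to keep the code dependency-free); the iQue's keys, formats and addresses are not modelled. The second half shows why the fix is authentication rather than a stronger cipher: an encrypt-then-MAC check over the IV and ciphertext rejects the modified data before it is ever decrypted.

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    # Keyed round function for the toy cipher (assumption: stands in for AES's block permutation).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key, block):
    # 8-round Feistel network over 16-byte blocks; any block cipher gives CBC the same malleability.
    l, r = block[:8], block[8:]
    for rnd in range(8):
        l, r = r, xor(l, _round_fn(key, rnd, r))
    return l + r


def toy_block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(8)):
        l, r = xor(r, _round_fn(key, rnd, l)), l
    return l + r


def cbc_encrypt(key, iv, plaintext):
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        c = toy_block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(toy_block_decrypt(key, c), prev))  # P[n] = D(C[n]) XOR C[n-1]
        prev = c
    return b"".join(out)


def flip_block_without_key(ciphertext, block_index, known, desired):
    """Rewrite ciphertext block (block_index-1) so that block_index decrypts to `desired`.

    No key is needed: C'[n-1] = C[n-1] XOR known XOR desired. Block n-1 becomes garbage.
    """
    assert block_index >= 1 and len(known) == len(desired) == BLOCK
    start = (block_index - 1) * BLOCK
    new_prev = xor(ciphertext[start:start + BLOCK], xor(known, desired))
    return ciphertext[:start] + new_prev + ciphertext[start + BLOCK:]


def seal(enc_key, mac_key, iv, plaintext):
    # Encrypt-then-MAC: the tag covers IV and ciphertext, so any flipped bit changes the tag.
    ct = cbc_encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return ct, tag


def open_checked(enc_key, mac_key, iv, ct, tag):
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # reject before decrypting anything
    return cbc_decrypt(enc_key, iv, ct)


def demo():
    # Constructed sample: three 16-byte blocks; block 1 is the one we want to steer.
    enc_key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    plaintext = b"padding block 0!" + b"jump to address1" + b"trailing block 2"
    known, desired = b"jump to address1", b"jump to address9"

    ct, tag = seal(enc_key, mac_key, iv, plaintext)
    tampered = flip_block_without_key(ct, 1, known, desired)
    pt = cbc_decrypt(enc_key, iv, tampered)  # what an unauthenticated decryptor sees
    return {
        "tampered_block0_intact": pt[:16] == plaintext[:16],
        "tampered_block1": pt[16:32],
        "tampered_block2": pt[32:48],
        "mac_accepts_original": open_checked(enc_key, mac_key, iv, ct, tag) == plaintext,
        "mac_accepts_tampered": open_checked(enc_key, mac_key, iv, tampered, tag) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The round-trip of `toy_block_encrypt`/`toy_block_decrypt` is what makes the CBC equations hold; swapping in a real AES implementation changes nothing about the outcome, which is the point: confidentiality-only modes give no integrity, and the unchecked `.rec` data and save file the post describes is exactly the situation where a MAC or an AEAD mode would have stopped the injection.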