A Hypothetical "Exploit" for a non-existent Game Console...?

TheToaster (OP)
So, I'm looking to get further into exploitation of software/hardware. I'm not exactly the best with code, but I've done a few projects with C/C++, and barely touched assembly language. So my question is this:

Let's assume that there is a hypothetical game console that was just released. You are a hacker who wants to eventually get unsigned code running on this thing in a few months. So, you go to the store and buy the console. You come home, and you rip it apart to see all of the internal components. You figure out the type of CPU, RAM, and other important information. Now, you need to find software information like if the memory where the bootloader exists can be read. So now what do you do? You would need a way to extract the binary that is executed, right? You would need a way to dump that information. How would you go about doing that and being able to disassemble that "file" and view it on your computer? Would it require some sort of hardware modification?

I'm just trying to get a grasp on these concepts to understand how this all works.
 

pustal
Yes, but that may give you little to your ends; it is a binary file, and shouldn't have weak encryption. The XOne has had its NAND dumped since 2013 and progress has been little.
Another way around is to try using known (or unknown to the public, if you have any) vulnerabilities in software components it uses to try and dig into it. For example, say a vulnerability is discovered in Java, and that console uses Java: between its disclosure and the console's correction you have a timeframe, or a firmware version, you can use to start digging into it.
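An added example, not code from this thread or any of its posters: a first pass over a dumped image to judge which regions look like plain code or padding and which look compressed or encrypted, which is the point above about a NAND dump giving you little if it is well encrypted. The sample image is constructed inline and the entropy thresholds are a rule of thumb, not a standard.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 1024  # bytes per analysis window

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify_windows(image: bytes, block_size: int = BLOCK_SIZE):
    """Return (offset, entropy, label) per window. Thresholds are a rule of thumb (assumption):
    < 4.0 bits/byte reads as padding or sparse tables, > 7.2 as compressed or encrypted."""
    rows = []
    for off in range(0, len(image), block_size):
        h = shannon_entropy(image[off:off + block_size])
        if h < 4.0:
            label = "low (padding/tables)"
        elif h > 7.2:
            label = "high (compressed or encrypted)"
        else:
            label = "medium (code/data)"
        rows.append((off, h, label))
    return rows

def printable_strings(image: bytes, min_len: int = 6):
    """ASCII runs of at least min_len chars, the classic first look at an unknown dump."""
    found, run = [], bytearray()
    for b in image + b"\x00":  # trailing NUL sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found

# Constructed stand-in for a bootloader/NAND dump (no real console image): ASCII banner padded
# with NULs, an erased 0xFF flash run, a 40-symbol pattern (sparse code), then seeded
# pseudo-random bytes standing in for an encrypted region.
_rng = random.Random(2015)
SAMPLE_IMAGE = (
    b"BOOTLOADER v1.0 (c) Hypothetical Console Co.".ljust(BLOCK_SIZE, b"\x00")
    + b"\xff" * BLOCK_SIZE
    + (bytes(range(40)) * 25).ljust(BLOCK_SIZE, b"\x00")
    + bytes(_rng.getrandbits(8) for _ in range(BLOCK_SIZE))
)

for off, h, label in classify_windows(SAMPLE_IMAGE):
    print(f"0x{off:06x}  {h:5.2f} bits/byte  {label}")
```

A real dump with nothing but "high" windows and no readable strings is the case pustal describes; a "medium" region with strings is where disassembly becomes worthwhile.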
 

TheToaster (OP)
Ok, but let's say that there is a software vulnerability on that console, like in Java as you mentioned. How would you go about exploiting that particular vulnerability? Obviously you would need to get your code running on that system in order to exploit that vulnerability, right? How would you do that?
 

pustal
I believe that is mostly left to luck, depending on what it uses, in order for it to be usable by you. I know there are tools, for example, used to make RAM injections, such as this one, that I'm sure can be of use.
 

daxtsu
Let me start with a disclaimer: I'm not an exploit writer. However, I do stash away links that I've found interesting over the years, ranging from learning assembly to practicing exploitation:

These first two links are good for learning what to look for:
https://cturt.github.io/DS-exploit-finding.html (CTurt wrote a page on exploiting original DS FIFA games)

https://www.nostarch.com/xboxfree (A book by Bunnie illustrating some stuff on how he reversed the original Xbox)

Knowing assembly for your target is more or less going to be mandatory, since you'll have to read the code they made:
https://skilldrick.github.io/easy6502/ (6502 is kind of like Latin, not exactly popular anymore, but it's probably the simplest assembly language you can learn)

https://www.coranac.com/tonc/text/asm.htm (ARM is used everywhere aside from x86 computers, so it doesn't hurt to have some knowledge)

Keeping your skills sharp helps too:
https://microcorruption.com/ (An online game that gives you a virtual microcontroller that you have to exploit in different configurations, it starts off relatively simple if you know some assembly, but it quickly turns hard)

https://picoctf.com/ (Another series of online games aimed at high school kids, but it holds a special place in my heart)
 

DinohScene
Basically, to successfully be the first in exploiting, you need logic analyzers to understand how the hardware works, then you'd need to make RAM dumps to understand how the systems work, after that you can poke around in the software to see if there's some interesting code.

It's a lot of work for one person, hence most hackers work together.
Building knowledge from each other.
 
