GCN Possible GameCube IPL exploit vector?

[Sierraffinity]

I'm new to security researching but have always been interested, so I recently dove in to try to reverse-engineer the GameCube's IPL and see if a gameless softmod is possible. Even though I don't have much experience in this, I managed to find something that could be exploitable, though I don't know how.

There's a function at 0x8131BE7C that returns the total size of the icon graphics for a save file. It does this by looping over all the icon formats for the frames, which is stored in the directory entry for a file. It does a bitwise AND with 3 for each icon, then sets a size based on that format's expected length. However, the switch statement only checks for formats 0, 1, and 2, leaving 3 to skip right past it, and leaving the icon size untouched! If done for the first frame of an icon, then it uses an uninitialized value for the size of that frame, which happens to be a pointer that was loaded earlier (0x81466B60). This could lead to a buffer overflow!

Unfortunately, that's as far as I got, as upon returning from this function, the size is checked for sanity in order to ensure the icon read doesn't go outside the bounds of the memory card. But maybe someone smarter than me can use this oversight as an exploit vector for something similar to FreePSXBoot?

 

[Shadow#1]

I'm new to security researching but have always been interested, so I recently dove in to try to reverse-engineer the GameCube's IPL and see if a gameless softmod is possible. Even though I don't have much experience in this, I managed to find something that could be exploitable, though I don't know how.

There's a function at 0x8131BE7C that returns the total size of the icon graphics for a save file. It does this by looping over all the icon formats for the frames, which is stored in the directory entry for a file. It does a bitwise AND with 3 for each icon, then sets a size based on that format's expected length. However, the switch statement only checks for formats 0, 1, and 2, leaving 3 to skip right past it, and leaving the icon size untouched! If done for the first frame of an icon, then it uses an uninitialized value for the size of that frame, which happens to be a pointer that was loaded earlier (0x81466B60). This could lead to a buffer overflow!

Unfortunately, that's as far as I got, as upon returning from this function, the size is checked for sanity in order to ensure the icon read doesn't go outside the bounds of the memory card. But maybe someone smarter than me can use this oversight as an exploit vector for something similar to FreePSXBoot?

It is already possible

 

[Sierraffinity]

I'm talking about softmodding here, where you can run homebrew and everything without having to open up the console or solder anything. I know that installing modchips and such is fairly easy but softmodding has always been of interest to me.

 

[tech3475]

It is already possible

What I presume they’re hoping for is that you can put a hacked ‘game save’ on the MC and the BIOS/IPL will execute homebrew when it tries to read it in the MC manager.

This has happened with the PS1.

 

[Sierraffinity]

What I presume they’re hoping for is that you can put a hacked ‘game save’ on the MC and the BIOS/IPL will execute homebrew when it tries to read it in the MC manager.

This has happened with the PS1.

Exactly, this is the kind of exploit I was searching for. Unfortunately, most of the memory card reading code seems to be quite robust and I couldn't figure out a way to exploit it besides that one switch case oversight.

 

[Deleted member 575334]

Exactly, this is the kind of exploit I was searching for. Unfortunately, most of the memory card reading code seems to be quite robust and I couldn't figure out a way to exploit it besides that one switch case oversight.

Is there any benefit from that now that we have a couple exploits already? Also. The Dude that made the PicoBoot thing was talking about some new solusions

 

[Sierraffinity]

Is there any benefit from that now that we have a couple exploits already? Also. The Dude that made the PicoBoot thing was talking about and making plans for a solderless version.

I'm just a fan of the idea of softmods in general, where anyone can hack a system without actually physically modifying anything and it's completely easily reversible if you want to sell it on later. Stuff like the GCLoader is neat since it's easily reversible, but there's just something cool about not even having to disassemble the system. Can you point me at the discussion about the solderless version?

 

[Shadow#1]

Exactly, this is the kind of exploit I was searching for. Unfortunately, most of the memory card reading code seems to be quite robust and I couldn't figure out a way to exploit it besides that one switch case oversight.

Well switch was not Nintendo's fault its all Nvidia's fault

 

[Shadow#1]

I'm talking about softmodding here, where you can run homebrew and everything without having to open up the console or solder anything. I know that installing modchips and such is fairly easy but softmodding has always been of interest to me.

U can always do the softmod method via a exploited save files

 

[Extrems]

It's potentially exploitable, but it'll require a 64 MiB memory card with 16384-byte sectors or so.

 

[Deleted member 575334]

I'm just a fan of the idea of softmods in general, where anyone can hack a system without actually physically modifying anything and it's completely easily reversible if you want to sell it on later. Stuff like the GCLoader is neat since it's easily reversible, but there's just something cool about not even having to disassemble the system. Can you point me at the discussion about the solderless version?

Look at the Video Shadow#1 Sended you. Tito from Macho Nacho Productions explains that the Creator (a guy from Poland) is working on a special thing. Its in the end of the video.

 

[hdx]

My M.2 SSD adapter has nothing to do with exploits. It's just a storage device. In order to use it you need a way to boot into Swiss. PicoBoot is a perfect match for M.2 Loader and this is the reason why I created PicoBoot in the first place.

I don't have enough knowledge to figure out software exploits myself but I'd love someone to make GC IPL exploit one day. PicoBoot is great and quite easy to install but there are still people who aren't able to install it themselves. A software exploit would be the best method for everyone, even if we have to create a new device connected to memory card slot it'd be still truly plug and play solution.