Best Console for Re-implementing Exploit?

Thread starter: 0xcalico (3 replies, 1,697 views)

0xcalico (New Member, joined Feb 10, 2021, United States):
New here and not really sure where to post, figured this would probably be a safe bet.

I am a security engineer and just getting into exploit development. I have participated in quite a few CTFs and challenge sites (exploit.education, pwnables, crackme, etc.) but am just now venturing into the wild. I am fascinated by the console hacking/homebrew scene, and thus I feel a good learning opportunity for me would be to "reimplement" an exploit that is popular on the forum.

For the developers/hackers here, what is a good console to get started on? I was thinking the 3ds max, as there is a good DEFCON talk about the browser vuln and exploit, as well as other public information that points to known vulnerabilities, like 3dbrew. Also, when I inevitably fuck it up, I won't have spent as much as I would on a Switch. That being said, it seems the Switch bootrom bug in itself may be more "user friendly", and there are some good resources out there discussing it.

I'm curious as to what those in the scene would recommend.
 
I don't know how many here are likely to be able to comment on such things meaningfully, though there are a few.

I figure you have three main "ins", as it were, including what you mention:

1) You do one of the fun internal coding type exploits (arbitrary execution in some circles) wherein you write a little assembly program by means of your inventory and the like, and force a jump there.

2) You do a new hack with a non-standard game. For years there were just a few games for the original Xbox you could use to launch a softmod, though all were super popular. A while back there was a little fad for finding more. The same goes for the GameCube (where you can do things like write the memory card with a homebrewed Wii and go from there).
https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310

3) You follow along with what has been done before.
What you care to do as far as hardware is probably going to be the determining factor. If you want to keep it all software recoverable that is one thing; however, if you are willing to solder to dump NAND, or solder up a simple microcontroller/FPGA dev kit, then you get a lot more options available to you. Even simply installing a mod chip in some cases grants you more than you might have had as far as being able to pull things back, depending upon how you screw it up (something like the original Xbox might see you able to use any hard drive and boot off a DVD, where a basic softmod is a harder bet, though you could just as easily keep the original hard drive and operate from a replacement).
Generally newer devices have more options (power off the PS1 and pull the memory card and all is good; power off a 360 after you burn a bunch of efuses and... potentially far more fun to be had pulling it back, but the 360 also has USB, hard drives, DVD...) but also more security, so there is that too -- buffer overflows will get you most places up to but not including the PS3/360; harder when you have encrypted memory, no-execute sections and constant signing checks. It does also mean you get to more practically break out the big boy coding methods -- you can do ROP on an original Gameboy I guess, but you would mostly be doing it for style points.
At the same time, being current space year means you have some nice oscilloscopes, FPGA dev kits and even humble microcontrollers that would have been the stuff of high-end business and nation states not so many years ago. Side channel methods have also knocked out a few things that had eluded many as well: https://kemenaran.winosx.com/posts/gameboy-color-boot-rom-dumped/

Links
https://nostarch.com/xboxfree
http://wiibrew.org/wiki/Signing_bug
https://debugmo.de/2008/03/thank-you-datel/
https://hackmii.com/2010/01/the-stm-release-exploit/

+ I assume you have seen most of the DEF CON, C3, Black Hat, DerbyCon... talks out there (including the "ultimate ? talk" series).
https://xboxdevwiki.net/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System
https://techfeatured.com/1751/expert-witness-games-console-forensics + other game console forensics talks.
A bit old and a bit basic, but might have something to look at:
https://gbatemp.net/threads/some-hacking-concepts-and-links.287721/
https://web.archive.org/web/20120119171132/http://www.reinerziegler.de/

Some might also suggest you write a basic emulator for a given system. Do that and a serious appreciation of assembly and hardware layout and design tends to follow. It does not have to be a fancy modern console or have feature parity with http://fceux.com/web/help/LuaScripting.html, but probably make it a real device rather than CHIP-8 or y86.
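An added example of the fetch-decode-execute loop that emulator suggestion is about (my code, not FAST6191's or anyone else's on this thread): a small subset of the 6502, the CPU in the NES, written in C. The opcode subset, the constructed countdown-loop program that sums 5+4+3+2+1 into zero page $10, the bounds-checked loader and the step budget are all my assumptions for the example, not anything described in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a tiny subset of the 6502 (the NES CPU). Only the opcodes
   the constructed demo program below needs are implemented; anything else halts. */
typedef struct {
    uint8_t  a, x;        /* accumulator and X index register */
    uint16_t pc;          /* program counter */
    uint8_t  carry, zero; /* the only status flags this subset tracks */
    int      halted;      /* set by BRK or by an unimplemented opcode */
    uint8_t  mem[65536];  /* flat 64 KiB space; a uint16_t index can never run past it */
} cpu_t;

static uint8_t fetch8(cpu_t *c) { return c->mem[c->pc++]; }
static uint16_t fetch16(cpu_t *c) {            /* little-endian 16-bit operand */
    uint16_t lo = fetch8(c), hi = fetch8(c);
    return (uint16_t)(lo | (hi << 8));
}
static void set_z(cpu_t *c, uint8_t v) { c->zero = (v == 0); }
static void adc(cpu_t *c, uint8_t v) {          /* A = A + v + carry, carry out on overflow */
    uint16_t r = (uint16_t)c->a + v + c->carry;
    c->carry = r > 0xFF;
    c->a = (uint8_t)r;
    set_z(c, c->a);
}

/* Execute one instruction; returns 0 once the CPU has halted. */
int cpu_step(cpu_t *c) {
    if (c->halted) return 0;
    uint8_t op = fetch8(c);
    switch (op) {
    case 0x00: c->halted = 1; break;                              /* BRK      */
    case 0x18: c->carry = 0; break;                               /* CLC      */
    case 0xA9: c->a = fetch8(c); set_z(c, c->a); break;           /* LDA #imm */
    case 0xA5: c->a = c->mem[fetch8(c)]; set_z(c, c->a); break;   /* LDA zp   */
    case 0x85: c->mem[fetch8(c)] = c->a; break;                   /* STA zp   */
    case 0xA2: c->x = fetch8(c); set_z(c, c->x); break;           /* LDX #imm */
    case 0x86: c->mem[fetch8(c)] = c->x; break;                   /* STX zp   */
    case 0xCA: c->x--; set_z(c, c->x); break;                     /* DEX      */
    case 0x69: adc(c, fetch8(c)); break;                          /* ADC #imm */
    case 0x65: adc(c, c->mem[fetch8(c)]); break;                  /* ADC zp   */
    case 0xD0: {                                                  /* BNE rel  */
        int8_t off = (int8_t)fetch8(c);
        if (!c->zero) c->pc = (uint16_t)(c->pc + off);
        break;
    }
    case 0x4C: c->pc = fetch16(c); break;                         /* JMP abs  */
    default:   c->halted = 1; break;          /* unimplemented: stop rather than guess */
    }
    return !c->halted;
}

/* Copy a program into memory; refuses anything that would run past the end
   of the address space instead of trusting the caller's length. Returns 1 on success. */
int cpu_load(cpu_t *c, uint16_t addr, const uint8_t *prog, size_t len) {
    if (len > sizeof c->mem - addr) return 0;
    memcpy(&c->mem[addr], prog, len);
    c->pc = addr;
    return 1;
}

/* Run until halt or until the step budget is spent, so a program stuck in a
   loop cannot hang the host. Returns the number of instructions executed. */
int cpu_run(cpu_t *c, int max_steps) {
    int n = 0;
    while (n < max_steps && cpu_step(c)) n++;
    return n;
}

/* Constructed demo program (not from the thread): sum 5+4+3+2+1 into $10. */
static const uint8_t demo_program[] = {
    0xA9, 0x00,   /* 0600  LDA #$00              */
    0x85, 0x10,   /* 0602  STA $10   ; sum = 0   */
    0xA2, 0x05,   /* 0604  LDX #$05  ; counter   */
    0x86, 0x11,   /* 0606  STX $11   ; loop:     */
    0x18,         /* 0608  CLC                   */
    0xA5, 0x10,   /* 0609  LDA $10               */
    0x65, 0x11,   /* 060B  ADC $11   ; sum += X  */
    0x85, 0x10,   /* 060D  STA $10               */
    0xCA,         /* 060F  DEX                   */
    0xD0, 0xF4,   /* 0610  BNE loop  ; -12 bytes */
    0x00,         /* 0612  BRK                   */
};

/* Load and run the demo at $0600; returns the value left in $10 (expected 15)
   and, if steps is non-NULL, the number of instructions executed. */
uint8_t run_demo(int *steps) {
    static cpu_t cpu;            /* 64 KiB of state, so keep it off the stack */
    memset(&cpu, 0, sizeof cpu);
    if (!cpu_load(&cpu, 0x0600, demo_program, sizeof demo_program)) return 0;
    int n = cpu_run(&cpu, 10000);
    if (steps) *steps = n;
    return cpu.mem[0x10];
}

int main(void) {
    int n = 0;
    uint8_t sum = run_demo(&n);
    printf("sum at $10 = %u after %d instructions\n", sum, n);
    return sum == 15 ? 0 : 1;
}
```

Two habits in here carry over directly to the hardware side of the thread: the loader checks its length against the address space rather than trusting the caller, and the run loop has a step budget, so a mistake in the guest program is a wrong answer rather than a hung host. Adding the remaining opcodes, a stack and the N/V flags is the natural next step.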
 
@FAST6191

Wow, thank you so much for such an in-depth response. That is far more helpful information than I ever anticipated. I have seen almost all the related DEF CON, C3 etc. talks, which is one of the main things that piqued my interest when looking for things to go after outside of just the "challenge" scene. I also picked up the first couple of chapters of "Hacking The Xbox" after reading "The Hardware Hacker", at which point I found my way here.

I think your advice about the emulator is smart and not something I had considered all that seriously before. Writing a basic NES or GB emulator would probably give me a better understanding of the hardware (a bit outdated, but useful nonetheless). It would also help me brush up on my C/assembly. From there, I could probably tackle some basic buffer overflows in older consoles before going after something that has required more modern techniques to bypass mitigations like ASLR, DEP etc. The "Jailbreaking the 3DS" DEFCON talk had the sexiest exploit chain and it got me excited, but I should probably start on some retro stuff :) Maybe I will overengineer a ROP chain for the GB just for the style points.

--------------------- MERGED ---------------------------

I highly recommend watching a lot of the console security hacking talks on the CCC.
Yifanlu has some really neat write-ups about Vita security on his blog, and everything that FAST summed up is a great start!
I went down the C3 rabbit hole after stacksmashing's talk about the Nintendo Game and Watch at this year's event. So much good information and so many smart people; it amazes me. I appreciate the link to the blog, I will check it out for sure!
 
