Question: How does one start with console hacking?

Discussion in 'Switch - Hacking & Homebrew' started by Tybus, Mar 10, 2017.

  1. Tybus (OP)
    Hello guys!

    I've been a spectator on the hacking scene for a long time (I think my first experience was with the Nintendo Wii).

    Back with the 3DS I tried to be more active and made a homebrew game (it's ugly code, but still some progress: https://github.com/Tybus/3Dfrogr if you want to check it out)... But still nothing that made me feel like really doing anything (that's why it didn't take me long to leave the developing community).

    But right now it's like a new chance to start again. I bought my Nintendo Switch, played with it for a while... and of course I don't think I could be the first one to hack it (because of my lack of experience, and because of all the amazing hackers making their effort atm). But maybe I could go back to an older console and try to hack it.

    Here you can find a bit of my background:

    Electrical Engineering student (computers and networks emphasis) (currently in my last year)
    Knowledge of computer organization and design
    Knowledge of programming (C, C++, Java, Python, Tcl, maybe some others that I'm missing, MIPS assembly, Motorola S12 assembly)
    Knowledge of hardware design (both structural and logical design) (I even know Verilog) -> In fact, I even work at a semiconductor company (working on layout, but still)

    I feel like I have the capabilities to learn some reverse engineering (I know I still have a lot to learn, but I really don't know how).

    If someone could really help me out and teach me how I can start, that'd be lovely.
     
  2. FAST6191
    Most of the old consoles are already hacked. That said, a lot of things made for them were made with the chips of the day, and a lot of the designs carried through (prior to the Everdrive, the designs for flash carts still resembled ones from the time).
    If you wanted to remake them with all the nice chips we have today (I don't want to say an Arduino could beat an FPGA from 1992, but I would not be surprised if it could) then that might be nice.

    If you want to make a nice pinout of all the controllers and some open source libraries that would be nice.

    A lot of the video-out mods that do RGB do odd things like R2R ladders as a poor man's DAC (see the N64 RGB mods); make a design using a real DAC that is likely to be manufactured for the next 12 years or so and it will be appreciated, rather than trying to find close pairs in high-tolerance resistors. Going a bit further, if you wanted to make screen-capture devices for the handhelds then many would enjoy that.

    On the Switch and co., while I can sit here and tell people about debug/bed-of-nails pads for control inputs, I have done very little. If you take the time to wire up your scope or function generator to one and make it do something cool (we have seen whole game screens decoded in real time on consumer hardware and then used to make robot players) then fantastic. Equally, while the dock has a nice HDMI out, if you wanted to make a screen capture for the tablet then you might make some friends, as side-by-side shots of things would be interesting.

    For something like a MacBook I have a nice schematic I can look at to find that I need to replace this resistor/inductor/trace. For consoles you have a few things (see something like fuses on the DS, or the Megadrive/Genesis audio capacitors), but for the most part we fire the parts cannon or get a donor board. This is getting harder as the years go on, and things become retro and cool/expensive as a result. If you want to buy a bunch of broken ones, or do obvious modes of failure (someone wires up a power adapter wrong and of course there is no diode protection in most things) and accelerated failure.

    Most modern hacking does seem to need heavy OS stuff. That said, someone who knows their way around a high-frequency scope probe is a rare person.

    Some of those aren't hacking per se, but they will allow you to flex your reverse-engineering and failure-analysis muscles, not to mention do some things that are going to be very much welcomed by the community.
     
  3. Tybus (OP)
    Thanks for your reply... I get what you are saying, but as you say, replicating a modchip for older consoles won't help me at all with newer ones, because hacking nowadays seems to be heavy OS stuff. I would also like to learn how to find vulns in software; for example, I could try to replicate the Twilight Princess hack, but how do I start in that direction? Is Wiibrew the info to get started with?

    Btw, the video capture device sounded like a very interesting project.
     
  4. starfox5194
    I'm more of a hobbyist coder and had similar questions to yours. I have never tried my hand at hacking, but I've picked up some things in my research. I would recommend two things.

    First: learn assembly and how "the stack" works. There are lots of YouTube videos.

    Second and more importantly: get the source code for the Twilight Princess hack or the Smash Bros. Brawl hack. I think they are both overflow exploits that could be better understood by learning about "the stack".

    After that, start basic. Make sure you can compile the Twilight Princess hack from source. Read all the code comments. Maybe you can optimize a step? Try reducing the code for the hack down to the bare necessities. I would try all of this using the Dolphin emulator to avoid the frustration of potentially killing a Wii.
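
    The stack-overflow pattern starfox5194 points at, as an added illustration that is not code from the Twilight Princess hack, the Brawl hack or any other project: a save record carries its own length byte, the loader trusts that byte when copying a player name into a 16-byte local buffer, and whatever is past byte 16 lands on the next thing on the stack. The record layout, the simulated stack layout and the value 0x80001234 are assumptions made up for this example; the frame is modelled as a byte array so the overwrite can be inspected instead of crashing the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: the save-file overflow pattern. Record layout (made up for
 * this example): one length byte, then that many bytes of player name. */
#define NAME_CAP   16        /* size of the local name buffer */
#define RET_OFFSET NAME_CAP  /* the "saved return address" sits right after it */
#define STACK_SIZE 256       /* simulated stack, enough for any 255-byte name */

/* A simulated stack frame: mem[0..15] is the name buffer, mem[16..23] stands in
 * for the saved return address, the rest plays the caller's frames. Modelling
 * it as one byte array keeps the demo inside defined behaviour. */
struct sim_stack {
    uint8_t mem[STACK_SIZE];
};

static void stack_init(struct sim_stack *s, uint64_t ret) {
    memset(s->mem, 0, sizeof s->mem);
    memcpy(s->mem + RET_OFFSET, &ret, sizeof ret);
}

uint64_t stack_return(const struct sim_stack *s) {
    uint64_t r;
    memcpy(&r, s->mem + RET_OFFSET, sizeof r);
    return r;
}

/* Vulnerable loader: copies as many bytes as the record says into a 16-byte
 * buffer. Bytes 16..23 of an oversized name overwrite the return slot. */
int load_name_unchecked(struct sim_stack *s, const uint8_t *rec, size_t rec_len) {
    if (rec_len < 1) return -1;
    size_t n = rec[0];
    if (rec_len < 1 + n) return -1;   /* only checks the record is complete... */
    memcpy(s->mem, rec + 1, n);       /* BUG: ...never that n <= NAME_CAP */
    return 0;
}

/* Hardened loader: the bound comes from the buffer, not from the file, and a
 * terminator always fits. */
int load_name_checked(struct sim_stack *s, const uint8_t *rec, size_t rec_len) {
    if (rec_len < 1) return -1;
    size_t n = rec[0];
    if (rec_len < 1 + n) return -1;
    if (n >= NAME_CAP) return -2;     /* reject rather than truncate silently */
    memcpy(s->mem, rec + 1, n);
    s->mem[n] = '\0';
    return 0;
}

/* Builds a constructed hostile record: 16 filler bytes, then the 8 bytes that
 * will land on the return slot. Returns the record length, 0 on error. */
size_t build_evil_record(uint8_t *out, size_t out_cap, uint64_t target) {
    size_t n = NAME_CAP + sizeof target;   /* 24-byte "name" */
    if (out_cap < 1 + n) return 0;
    out[0] = (uint8_t)n;
    memset(out + 1, 'A', NAME_CAP);
    memcpy(out + 1 + NAME_CAP, &target, sizeof target);
    return 1 + n;
}

/* Feeds the hostile record to one loader; returns the return-slot value
 * afterwards and stores the loader's return code in *rc. */
uint64_t run_loader(int checked, uint64_t target, int *rc) {
    struct sim_stack s;
    uint8_t rec[64];
    size_t len = build_evil_record(rec, sizeof rec, target);
    stack_init(&s, 0xdeadbeefull);         /* the legitimate return address */
    *rc = checked ? load_name_checked(&s, rec, len)
                  : load_name_unchecked(&s, rec, len);
    return stack_return(&s);
}

int main(void) {
    int rc;
    uint64_t ret = run_loader(0, 0x80001234ull, &rc);
    printf("unchecked: rc=%d, return slot=0x%llx\n", rc, (unsigned long long)ret);
    ret = run_loader(1, 0x80001234ull, &rc);
    printf("checked:   rc=%d, return slot=0x%llx\n", rc, (unsigned long long)ret);
    return 0;
}
```

    Build it with any C compiler: the unchecked loader reports the return slot as 0x80001234, the checked loader refuses the record and leaves 0xdeadbeef in place. The search on a real target is the same shape: find a fixed-size local that receives data whose length is read from the file, then work out what sits past it.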
     
  5. FAST6191
    Hackmii (the same people responsible at some level for wiibrew) had a source release and discussion of the various ways the hacks worked. https://hackmii.com/2010/01/the-stm-release-exploit/ is one such thing. The Wii is not a great option though, for while it is OS based... there is a reason not every game supports voice chat, why there are but a handful of game updates and they are all launched from the menu, why most things involve a reset to get back to the menu, and so forth.

    Find the C3 presentations on the PS3, the 3DS and also more general current PC stuff (return-oriented programming is a good one); there was an old one on the 360, but that notably ignored the thing that led to various later hacks.
    I also like things like https://vvvv.org/blog/17-mistakes-microsoft-made-in-the-xbox-security-system, which was a fascinating read.

    Follow through enough of those and you start to learn the things to look for. You want to get the OS code to analyse; most of the time it will be encrypted, but maybe not in RAM, so build a RAM dumper; maybe it is encrypted in RAM, so force a key (amusingly the 360 had a randomness checker), find a key, find a side channel... or maybe find that it is based on an already written OS, but now you have a hypervisor to get past.
    Equally, when you are watching those, especially the PS3 and 3DS ones, watch when the people hand off to others. A lot of things are like that these days. Or, if you prefer, in your electronics stuff: how often do you want to use some kind of radio/antenna, only to remember that radio is its own world unto itself, so you take the reference design/suggested design, say thank you to the people that know how to make all that, and use that rather than making your own?
    Don't let me discourage you though. For this sort of thing running into and getting over your own walls is how a lot of it gets done.
     
  6. Tybus (OP)
    Okay. Thanks for your help. I think I'll have a look at the sources of the Twilight hack. Are there any other sources I could review for that matter?
     
  7. ChaosRipple
    Well, first you need to attach some wires to your console, extract the internal NAND data, and then use IDA Pro to reverse engineer the code. Also, knowing how general operating systems work would be a requirement. Then, after you know exactly how the operating system on the console works, you come up with a flaw and write code to execute it. Not only does reverse engineering take a lot of time (especially if it's something like an operating system), it also takes a lot of thought and creativity to discover something no one else has, at least publicly.

    Edit:
    Also, the concept of memory is important too.
     
    Last edited by ChaosRipple, Mar 13, 2017
  8. FAST6191
    What if the NAND is encrypted (most is these days, and even when not it is probably signed)? What if IDA does not have the instruction set for the console in question (memory addresses are one thing and you can ignore that to an extent; also, there are other reverse-engineering tools out there)? While NAND might be nice, do you want to go there before figuring out the boot chain?
     
  9. ChaosRipple
    Yes, you're right on that part. The idea is that you follow the console as closely as you can, from when you push the power button. If the NAND is encrypted, it will be decrypted somehow, and then you'd need to find out where and how it's decrypted. There's going to be a lot of reverse engineering, hardware or software, the former of which will cost you at least one console. I mentioned the concept of memory: not just the addresses, but how software would organize memory, etc.
     
    Last edited by ChaosRipple, Mar 13, 2017
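
    A check that belongs at the "what if the NAND is encrypted" step FAST6191 raises, the "find out where it's decrypted" step ChaosRipple describes, and the RAM-dumper step from post 5, as an added example that is none of the posters' code: a sliding-window byte-entropy map of a dump. Erased flash (0x00/0xFF fill) measures near 0 bits per byte, code, tables and strings usually stay well below 7, and ciphertext or compressed data sits near 8. The map tells you which regions to hand to a disassembler, which to trace back to a decryptor, and, for a RAM dump, whether a decrypted image is actually present. The dump below is constructed inside the code from an erased block, a fake plaintext block and a PRNG block standing in for ciphertext; the 4096-byte window and the 0.5 and 7.0 thresholds are assumptions chosen for this example, not constants from any tool.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: per-window entropy map of a firmware / NAND / RAM dump. */
#define WINDOW 4096

/* log2 without libm (so this builds with a plain `cc file.c`): integer part
 * by halving/doubling, fractional part by repeated squaring. */
static double log2_nolibm(double x) {
    int e = 0;
    while (x >= 2.0) { x /= 2.0; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    double frac = 0.0, bit = 0.5;
    for (int i = 0; i < 40; i++) {   /* 40 fractional bits is plenty here */
        x *= x;
        if (x >= 2.0) { x /= 2.0; frac += bit; }
        bit /= 2.0;
    }
    return e + frac;
}

/* Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0). */
double byte_entropy(const uint8_t *p, size_t len) {
    size_t hist[256] = {0};
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) hist[p[i]]++;
    double h = 0.0;
    for (int b = 0; b < 256; b++) {
        if (!hist[b]) continue;
        double pr = (double)hist[b] / (double)len;
        h -= pr * log2_nolibm(pr);
    }
    return h;
}

enum region_kind { REGION_EMPTY = 0, REGION_PLAIN = 1, REGION_HIGH = 2 };

/* Thresholds are assumptions for this example; tune them per target. */
enum region_kind classify_window(const uint8_t *p, size_t len) {
    double h = byte_entropy(p, len);
    if (h < 0.5) return REGION_EMPTY;  /* erased flash, zero padding */
    if (h < 7.0) return REGION_PLAIN;  /* code, tables, strings: disassemble this */
    return REGION_HIGH;                /* encrypted/compressed: find the decryptor */
}

/* Labels each WINDOW-byte slice of dump; returns the number of windows written. */
size_t scan_dump(const uint8_t *dump, size_t len, enum region_kind *out, size_t out_cap) {
    size_t n = 0;
    for (size_t off = 0; off < len && n < out_cap; off += WINDOW, n++) {
        size_t chunk = (len - off < WINDOW) ? len - off : WINDOW;
        out[n] = classify_window(dump + off, chunk);
    }
    return n;
}

/* ---- constructed sample dump (not a real image) ------------------------- */
static uint64_t prng_state = 0x9E3779B97F4A7C15ull;
static uint8_t prng_byte(void) {          /* xorshift64 stands in for ciphertext */
    prng_state ^= prng_state << 13;
    prng_state ^= prng_state >> 7;
    prng_state ^= prng_state << 17;
    return (uint8_t)(prng_state >> 56);
}

/* Window 0: erased flash. Window 1: plaintext-like (a log string with a
 * counter mixed in). Window 2: ciphertext-like. Returns bytes written. */
size_t build_sample_dump(uint8_t *buf, size_t cap) {
    static const char msg[] = "bootrom: verify stage2 sig\n";
    const size_t m = sizeof msg - 1;
    if (cap < 3 * WINDOW) return 0;
    memset(buf, 0xFF, WINDOW);
    for (size_t i = 0; i < WINDOW; i++)
        buf[WINDOW + i] = (i % 32 < m) ? (uint8_t)msg[i % 32] : (uint8_t)(i / 32);
    for (size_t i = 0; i < WINDOW; i++)
        buf[2 * WINDOW + i] = prng_byte();
    return 3 * WINDOW;
}

/* Builds the sample and classifies it; returns the window count (3). */
size_t demo_labels(enum region_kind *out, size_t out_cap) {
    static uint8_t dump[3 * WINDOW];
    size_t len = build_sample_dump(dump, sizeof dump);
    return scan_dump(dump, len, out, out_cap);
}

int main(void) {
    enum region_kind labels[8];
    static const char *name[] = { "empty", "plain", "high-entropy" };
    size_t n = demo_labels(labels, 8);
    for (size_t i = 0; i < n; i++)
        printf("window %zu @ 0x%05zx: %s\n", i, i * WINDOW, name[labels[i]]);
    return 0;
}
```

    On a real dump, read the file into a buffer and call scan_dump on it; a region that flips from high-entropy in NAND to plain in a RAM dump is the one the boot chain decrypts, and the code that runs just before the flip is where to look for the key handling.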