iQue Player Code Execution achieved!

dark_samus3 · Apr 29, 2018

Today we were able to successfully execute code on the iQue player! This is the first publically known code execution.

Technical details: we were able to implement a known attack on the encryption scheme used with the iQue (AES-CBC) to inject custom data into the game data stored on the iQue NAND. This data is unchecked (but encrypted with keys we don't know) once it has been converted to ".rec" format. We also took advantage of a save file; they're unchecked and mapped to a certain region of RAM, so it's basically free space for us.

The CBC attack: AES-CBC uses the previous encrypted block and XORs it against the next block, after it has been decrypted, to produce the final plaintext decryption. XOR is deterministically modifiable, if you know the plaintext (which we do, thankfully

). This attack does sacrifice a block of data (which will decrypt to random garbage) but it gains us control over arbitrary sections of code in the next block, and ultimately doesn't matter; we were able to sacrifice an unused section to control exactly the code we wanted. (see here for AES-CBC decryption procedure: image)

very first successful result:

In action:

Shoutouts: Marshallh, Normmatt, and Riley/ROL

Jayro · Apr 29, 2018

VERY exciting stuff, good job! (I'm guessing a ROM loader is out of the question?)

Searinox · Apr 29, 2018

Woohoo! Homebrew on a new console. Or close to that? So this is what a padding oracle attack?

Jhynjhiruu · Apr 29, 2018

Searinox said:
Woohoo! Homebrew on a new console. Or close to that? So this is what a padding oracle attack?

Jayro said:
VERY exciting stuff, good job! (I'm guessing a ROM loader is out of the question?)

Still quite a long way off from proper homebrew, or a ROM loader. But we're working on it, as quickly as we can!

EdTheNerd · Apr 29, 2018

Woo! I've been eyeing iQue's for years. Time to import one.

Kevinpuerta · Apr 29, 2018

EdTheNerd said:
Woo! I've been eyeing iQue's for years. Time to import one.

Less than 5 mins later. You actually bought one lol

EdTheNerd · Apr 29, 2018

Kevinpuerta said:
Less than 5 mins later. You actually bought one lol

It was overdue

asper · Apr 29, 2018

Tested and working ! Thanks to Jynji for all the support

DarthDub · Apr 29, 2018

Brb buying an iQue.

KiiWii · Apr 29, 2018

Amazing, I definitely need to invest....

zoogie · Apr 30, 2018

Very interesting direction to take console hacking! I didn't even know about this until yesterday.
These aren't to badly priced online either, thinking about snagging one.

(SUXXORS is credited too? Isn't that a warez group? Not complaining, just a little bit of an unusual greet

)

dark_samus3 · Apr 30, 2018

zoogie said:
Very interesting direction to take console hacking! I didn't even know about this until yesterday.
These aren't to badly priced online either, thinking about snagging one.

(SUXXORS is credited too? Isn't that a warez group? Not complaining, just a little bit of an unusual greet )

It wouldn't have been possible without them; the AES-CBC attack we used required knowing the plaintext of a game, so they indirectly helped us ¯\_(ツ)_/¯

Psi-hate · Apr 30, 2018

Congrats! I've always wanted to import an iQue to get my OoT Romhacks working if there'd be a ROM loader, and it looks like that's now something I can feasibly hope for! Great job, I'm beyond excited to see what you guys manage to pull off.

MockyLock · Apr 30, 2018

I'm very intrested by this iQue scene revival.
Congratulations !

Nintendrew · Apr 30, 2018

Great work, guys. Really hoping we'll eventually see a homebrew replacement for the defunct iQue download service to inject the retail roms back onto iQue hardware (whether by rom loader or other means). Thanks for the update!

Jhynjhiruu · Apr 30, 2018

Nintendrew said:
Great work, guys. Really hoping we'll eventually see a homebrew replacement for the defunct iQue download service to inject the retail roms back onto iQue hardware (whether by rom loader or other means). Thanks for the update!

Well, for that, we would have to figure out how to sign tickets... or get psychic paper working. Something more akin to USB Loader GX is more likely, short-term.

leon315 · Apr 30, 2018

i vener heard of that iQue thing, what is it?? and what you can do with it??

Jhynjhiruu · Apr 30, 2018

leon315 said:
i vener heard of that iQue thing, what is it?? and what you can do with it??

Check the Wikipedia page for 'iQue Player'

leon315 · Apr 30, 2018

Jhynjhiruu said:
Check the Wikipedia page for 'iQue Player'

wow interesting indeed! then what has tc done so far?? did he manage to crack it?

Jhynjhiruu · Apr 30, 2018

leon315 said:
wow interesting indeed! then what has tc done so far?? did he manage to crack it?

tc?

iQue Player Code Execution achieved!

Well-Known Member

MediCat USB Dev

Dances with Dragons

Well-Known Member

Member

Well-Known Member

Member

Well-Known Member

Amateur Hacker

Editorial Team

playing around in the end of life

Well-Known Member

GBATemp's Official Psi-Hater

Well-Known Member

New Member

Well-Known Member

POWERLIFTER

Well-Known Member

POWERLIFTER

Well-Known Member

Similar threads