GCN Possible GameCube IPL exploit vector?

Sierraffinity

Member
OP
Newcomer
Joined
Sep 18, 2021
Messages
12
Trophies
0
Age
25
XP
125
Country
United States
I'm new to security researching but have always been interested, so I recently dove in to try to reverse-engineer the GameCube's IPL and see if a gameless softmod is possible. Even though I don't have much experience in this, I managed to find something that could be exploitable, though I don't know how.

There's a function at 0x8131BE7C that returns the total size of the icon graphics for a save file. It does this by looping over all the icon formats for the frames, which is stored in the directory entry for a file. It does a bitwise AND with 3 for each icon, then sets a size based on that format's expected length. However, the switch statement only checks for formats 0, 1, and 2, leaving 3 to skip right past it, and leaving the icon size untouched! If done for the first frame of an icon, then it uses an uninitialized value for the size of that frame, which happens to be a pointer that was loaded earlier (0x81466B60). This could lead to a buffer overflow!

Unfortunately, that's as far as I got, as upon returning from this function, the size is checked for sanity in order to ensure the icon read doesn't go outside the bounds of the memory card. But maybe someone smarter than me can use this oversight as an exploit vector for something similar to FreePSXBoot?
 

Shadow#1

Wii, 3DS Softmod & Dumpster Diving Expert
Member
Joined
Nov 21, 2005
Messages
11,698
Trophies
1
XP
7,125
Country
United States
I'm new to security researching but have always been interested, so I recently dove in to try to reverse-engineer the GameCube's IPL and see if a gameless softmod is possible. Even though I don't have much experience in this, I managed to find something that could be exploitable, though I don't know how.

There's a function at 0x8131BE7C that returns the total size of the icon graphics for a save file. It does this by looping over all the icon formats for the frames, which is stored in the directory entry for a file. It does a bitwise AND with 3 for each icon, then sets a size based on that format's expected length. However, the switch statement only checks for formats 0, 1, and 2, leaving 3 to skip right past it, and leaving the icon size untouched! If done for the first frame of an icon, then it uses an uninitialized value for the size of that frame, which happens to be a pointer that was loaded earlier (0x81466B60). This could lead to a buffer overflow!

Unfortunately, that's as far as I got, as upon returning from this function, the size is checked for sanity in order to ensure the icon read doesn't go outside the bounds of the memory card. But maybe someone smarter than me can use this oversight as an exploit vector for something similar to FreePSXBoot?
It is already possible

 
  • Like
Reactions: torrent_get

Sierraffinity

Member
OP
Newcomer
Joined
Sep 18, 2021
Messages
12
Trophies
0
Age
25
XP
125
Country
United States
I'm talking about softmodding here, where you can run homebrew and everything without having to open up the console or solder anything. I know that installing modchips and such is fairly easy but softmodding has always been of interest to me.
 

Sierraffinity

Member
OP
Newcomer
Joined
Sep 18, 2021
Messages
12
Trophies
0
Age
25
XP
125
Country
United States
What I presume they’re hoping for is that you can put a hacked ‘game save’ on the MC and the BIOS/IPL will execute homebrew when it tries to read it in the MC manager.

This has happened with the PS1.
Exactly, this is the kind of exploit I was searching for. Unfortunately, most of the memory card reading code seems to be quite robust and I couldn't figure out a way to exploit it besides that one switch case oversight.
 
D

Deleted member 575334

Guest
Exactly, this is the kind of exploit I was searching for. Unfortunately, most of the memory card reading code seems to be quite robust and I couldn't figure out a way to exploit it besides that one switch case oversight.
Is there any benefit from that now that we have a couple exploits already? Also. The Dude that made the PicoBoot thing was talking about some new solusions
 
Last edited by ,

Sierraffinity

Member
OP
Newcomer
Joined
Sep 18, 2021
Messages
12
Trophies
0
Age
25
XP
125
Country
United States
Is there any benefit from that now that we have a couple exploits already? Also. The Dude that made the PicoBoot thing was talking about and making plans for a solderless version.
I'm just a fan of the idea of softmods in general, where anyone can hack a system without actually physically modifying anything and it's completely easily reversible if you want to sell it on later. Stuff like the GCLoader is neat since it's easily reversible, but there's just something cool about not even having to disassemble the system. Can you point me at the discussion about the solderless version?
 

Shadow#1

Wii, 3DS Softmod & Dumpster Diving Expert
Member
Joined
Nov 21, 2005
Messages
11,698
Trophies
1
XP
7,125
Country
United States
Exactly, this is the kind of exploit I was searching for. Unfortunately, most of the memory card reading code seems to be quite robust and I couldn't figure out a way to exploit it besides that one switch case oversight.
Well switch was not Nintendo's fault its all Nvidia's fault
 

Shadow#1

Wii, 3DS Softmod & Dumpster Diving Expert
Member
Joined
Nov 21, 2005
Messages
11,698
Trophies
1
XP
7,125
Country
United States
I'm talking about softmodding here, where you can run homebrew and everything without having to open up the console or solder anything. I know that installing modchips and such is fairly easy but softmodding has always been of interest to me.
U can always do the softmod method via a exploited save files
 
D

Deleted member 575334

Guest
I'm just a fan of the idea of softmods in general, where anyone can hack a system without actually physically modifying anything and it's completely easily reversible if you want to sell it on later. Stuff like the GCLoader is neat since it's easily reversible, but there's just something cool about not even having to disassemble the system. Can you point me at the discussion about the solderless version?
Look at the Video Shadow#1 Sended you. Tito from Macho Nacho Productions explains that the Creator (a guy from Poland) is working on a special thing. Its in the end of the video.
 

hdx

Active Member
Newcomer
Joined
Jun 9, 2007
Messages
40
Trophies
0
XP
541
Country
Poland
My M.2 SSD adapter has nothing to do with exploits. It's just a storage device. In order to use it you need a way to boot into Swiss. PicoBoot is a perfect match for M.2 Loader and this is the reason why I created PicoBoot in the first place.

I don't have enough knowledge to figure out software exploits myself but I'd love someone to make GC IPL exploit one day. PicoBoot is great and quite easy to install but there are still people who aren't able to install it themselves. A software exploit would be the best method for everyone, even if we have to create a new device connected to memory card slot it'd be still truly plug and play solution.
 
General chit-chat
Help Users
    Psionic Roshambo @ Psionic Roshambo: Lol maybe