BugTraq
Re: [ANNOUNCE] glibc heap protection patch Dec 03 2003 10:19PM
xenophi1e (oliver lavery sympatico ca) (1 replies)
Re: [ANNOUNCE] glibc heap protection patch Dec 04 2003 11:10AM
Stefan Esser (se nopiracy de) (1 replies)
Re: [ANNOUNCE] glibc heap protection patch Dec 04 2003 05:39PM
Troed Sångberg (troed sangberg se)
On Thu, 04 Dec 2003 12:10:05 +0100, Stefan Esser <se (at) nopiracy (dot) de [email concealed]> wrote:

> Just an example: the GameCube was hacked by an information-leak exploit.
> A CRC feature of the Phantasy Star Online game allows one to request checksums
> of arbitrary memory positions (and sizes).
> So it was possible for the smart guy who did it to create a complete
> memory dump remotely. In that case your magic values are worthless...

Which hack? The PSO-upload hack on the GameCube is vastly different from
tmbinc's truly embarrassing (for Nintendo) hack on the so-called crypto.

In short: all communication between the serial chip holding the BIOS and
the GameCube's Flipper chip is two-way. Naturally, if a chip is only
interested in receiving data it will shift out garbage. What tmbinc found
out was that when the encrypted data was shifted to the Flipper (for
decryption) the _decrypted data_ was shifted back.

Since the encryption was nothing more than an XOR keystream from a PRNG, it was
trivial to XOR the encrypted BIOS image with the decrypted data and get
access to the whole XOR key (the starting seed is always the same), and thus it is
trivial to produce BIOS replacements.

I agree that this is an information leak, but PSO has very little to do
with it. I do not consider the PSO-upload hack to be a hack of the
Gamecube, but tmbinc's retrieval of the BIOS encryption "key" certainly is.

We're straying off topic. Further off-topic discussions in mail.

regards,
Troed

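As an added illustration, not code from Troed's mail or from any real GameCube component: a toy model of the weakness described above (an image XORed with a keystream from a PRNG that is always seeded with the same constant), showing why a single leaked plaintext/ciphertext pair yields the entire keystream and lets any same-length image be re-wrapped, and the check a defender would add so that such a replacement is rejected: a MAC under a key the bus never carries. The PRNG, the seed, the MAC key and the sample images are constructed assumptions.

```python
import hashlib
import hmac

FIXED_SEED = 0x4D41474E          # assumption: the PRNG is seeded with this constant every boot
MAC_KEY = b"device-secret-key"   # constructed; used only by the mitigation check below


def keystream(length: int, seed: int = FIXED_SEED) -> bytes:
    """Stand-in PRNG (an LCG): a fixed seed means the same keystream every time."""
    state, out = seed, bytearray()
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_image(plain: bytes) -> bytes:
    return xor_bytes(plain, keystream(len(plain)))


decrypt_image = encrypt_image  # XOR is its own inverse under the same keystream


def recover_keystream(cipher: bytes, leaked_plain: bytes) -> bytes:
    """The bus leak hands an observer (ciphertext, plaintext) pairs; XOR gives the keystream."""
    return xor_bytes(cipher, leaked_plain)


def reencrypt_with_keystream(replacement: bytes, ks: bytes) -> bytes:
    """Wrap any image of at most the recovered length so the decryptor accepts it."""
    if len(replacement) > len(ks):
        raise ValueError("not enough recovered keystream")
    return xor_bytes(replacement, ks[: len(replacement)])


def mac_tag(cipher: bytes) -> bytes:
    """Mitigation: authenticate the ciphertext with a key that never crosses the bus."""
    return hmac.new(MAC_KEY, cipher, hashlib.sha256).digest()


def accept_image(cipher: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(cipher), tag)


GENUINE = bytes(range(256)) * 4          # constructed "BIOS" image
REPLACEMENT = b"\x90" * len(GENUINE)     # constructed same-size replacement


def demo() -> dict:
    cipher = encrypt_image(GENUINE)
    ks = recover_keystream(cipher, GENUINE)          # what the leaked plaintext yields
    forged = reencrypt_with_keystream(REPLACEMENT, ks)
    return {
        "keystream_recovered": ks == keystream(len(GENUINE)),
        "forged_decrypts": decrypt_image(forged) == REPLACEMENT,
        "forged_passes_mac": accept_image(forged, mac_tag(cipher)),  # False: MAC catches it
    }
```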