From: Troed Sångberg (troedsangberg.se)
Date: Thu Dec 04 2003 - 11:39:56 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 04 Dec 2003 12:10:05 +0100, Stefan Esser <senopiracy.de> wrote:

> Just an example: The gamecube was hacked by an information leak exploit.
> A crc feature the Phantasy Star Online game allows to request checksums
> of arbitrary memory positions (and sizes).
> So it was possible for the smart guy who did it, to create a complete
> memory dump from
> remote. In that case your magic values are worthless...

Which hack? The PSO-upload hack on the Gamecube is vastly different from
tmbinc's truly embarrassing (for Nintendo) hack on the so-called crypto.

In short: All communication between the serial chip holding the BIOS and
the Gamecube's flipper-chip is two-way. Naturally, if a chip is only
interested in receiving data it will shift out garbage. What tmbinc found
out was that when the encrypted data was shifted to the Flipper (for
decryption) the _decrypted data_ was shifted back.

Since the encryption was nothing more than a XOR-seed from a PNRG it was
trivial to XOR the encrypted BIOS image with the decrypted data and get
access to the whole XOR-key (starting seed always the same) and thus it's
trivial to produce BIOS replacements.

I agree that this is an information leak, but PSO has very little to do
with it. I do not consider the PSO-upload hack to be a hack of the
Gamecube, but tmbinc's retrieval of the BIOS encryption "key" certainly is.

We're straying off topic. Further off-topic discussions in mail.

regards,
Troed

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]