gbadev.org forum archive

This is a read-only mirror of the content originally found on forum.gbadev.org (now offline), salvaged from Wayback machine copies. A new forum can be found here.

OffTopic > Hacking A Console

#170503 - the-anonymous-coward - Tue Sep 29, 2009 8:43 pm

Hi. I was reading through the tepples topic and was intrigued by a post stating that the DS dev community would pick up if the DSi was hacked.

(Irrelevant Note: It would be nice if it did; I am not a regular and know little of this stuff; this is a hobby and I don't have much spare time, but I love that the resources are here when I need them; as a kid playing my Gameboy, from Link's Awakening (I was obsessed with this game for ages) to the Final Fantasy remakes for the DS, I always fantasized about writing something for one of Nintendo's handhelds; there is something that feels like magic about making a game (until you are ready to explode from learning all the complicated C++ stuff and then, when you are finally starting to get it, you find you don't really know how to organize your classes or separate them into many files and what not in the most effective manner, etc)).

(Irrelevant Observation: with the way I write "notes" maybe lisp is the language for me :-) )

Anyhoo, I've never really thought about it much, but how is a new system hacked? What are the processes? I assume reverse engineering is the key term here, but I know nothing about it. Just curious.

#170515 - sgeos - Wed Sep 30, 2009 3:00 am

Well, you start with a really smart guy who has too much free time, and... =)

#170570 - ScottLininger - Fri Oct 02, 2009 9:36 pm

I'm pretty ignorant of it, but by watching the chatter when the DS came out, it looks like it's a mix of leaks from industry insiders and people cracking the case to look at the hardware. Since most of the hardware you'll see is off-the-shelf stuff, it becomes possible to trace pins and figure out what's going on under the covers.

There's also a culture of bragging rights... everyone wants to be the first person to figure something out.
_________________
Some of my GBA projects

#170579 - yellowstar - Sat Oct 03, 2009 6:23 pm

The process goes something like this:
1) Reverse engineers buy the console, then open the case.
2) Observe the components, and find the CPU rom mask. (Chip containing the BIOS and bootrom.)
3) Dump the rom mask. If the rom mask could not be found, other vectors are used, usually RAM dumping/sniffing.
4) Disassemble the dump and RE how the binary works, etc. (Reverse engineering code basically means disassembling a binary, then figuring out what it does and how it works. The disassembly is basically what the CPU executes, except in a human-readable form.)
5) Once NAND encryption is reverse engineered, dump the NAND, and decrypt it.
6) Then, RE the software in NAND.
7) While reverse engineering all software, look for bugs which could be exploited to boot homebrew. Also, RE how a storage medium is accessed, in this case SD.
8) Once a hole is found, and storage medium access is reverse engineered, write an exploit for the hole.
9) Then homebrew can be booted on the system, but much more hw has yet to be reverse engineered so it's usable.

Many bugs are bugs that allow arbitrary amounts of data to be copied to the stack/local variables. A common bug is strcpy to the stack, without any checks comparing the size of the string and the destination buffer. An exploit could copy enough data (non-zero data with strcpy) to overwrite the stack up to the return address stored on the stack, which then gets overwritten with the address of homebrew code. If there's enough space for the code in the loaded savedata buffer, the code is usually placed there, and the address would be set to that. That code would then load the rest of the exploit code; if the software didn't load the whole savedata in RAM, then the code would load homebrew from SD/etc.
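The bug class yellowstar describes above, shown next to its bounds-checked form as an added C example (not code from the forum post or from any console's firmware): a constructed save record with a player-name field, a hypothetical `load_name_unchecked` that copies with strcpy, and a hypothetical `load_name_checked` that measures the field with an upper bound and rejects anything that would not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example record: the name field comes straight out of save
 * data on a flash card / SD card, so its contents are attacker-controlled. */
#define NAME_BUF 16

struct profile {
    char name[NAME_BUF];
    int  level;
};

/* The bug described in the post: strcpy copies until the first NUL byte and
 * never looks at the size of `name`, so a save file with a long name field
 * writes past the buffer into whatever follows it on the stack or in the
 * struct. Kept only as the "before" picture; never call it on untrusted data. */
static void load_name_unchecked(struct profile *p, const char *save_name)
{
    strcpy(p->name, save_name);          /* no bound on the copy */
}

/* Length of `s` without reading past `max` bytes, even if the save data
 * carries no terminator at all (written out instead of relying on strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: refuse any name that would not fit together with its NUL,
 * then copy exactly the measured length. Returns 0 on success, -1 if the
 * record is rejected (the caller should treat the save as corrupt). */
static int load_name_checked(struct profile *p, const char *save_name, size_t save_len)
{
    size_t n = bounded_len(save_name, save_len);
    if (n >= NAME_BUF)                    /* need room for the terminator */
        return -1;
    memcpy(p->name, save_name, n);
    p->name[n] = '\0';
    return 0;
}

int main(void)
{
    struct profile p = {0};
    const char good[] = "Link";
    char bad[40];                         /* constructed hostile name: 40 'A's */
    memset(bad, 'A', sizeof bad);
    printf("good: %d\n", load_name_checked(&p, good, sizeof good));   /* 0 */
    printf("bad:  %d\n", load_name_checked(&p, bad, sizeof bad));     /* -1 */
    (void)load_name_unchecked;            /* reference only; never called */
    return 0;
}
```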

#170580 - sonny_jim - Sat Oct 03, 2009 7:48 pm

I found this thread very interesting; it goes on about how they skimmed the surface of a SNES DSP1 chip, doped it with a chemical and then took photos to recreate it bit by bit:
http://www.cherryroms.com/forums/copier-and-hardware-forum/manually-extracting-rom.html?page=2
_________________
Quote:

Would that be the internet driver for the program?

#170582 - the-anonymous-coward - Sun Oct 04, 2009 8:41 am

This is interesting. Thanks for the replies. I think it is a neat culture and somewhat mysterious.