archive: Console hacking at the 23C3 in Berlin.
Posted on Sunday, December 31 @ 21:35:04 CET by julian
I attended the 23C3 here in Berlin over the last few days and had a super time. While themed around "Who can you trust?", the 23C3 was more a hackers' mecca than an ethically pointed security conference: a festival celebrating media and technology reclamation, where the right to repurpose and dissect technology is considered inseparable from the right to learn from it. The 23C3 leaves no proverbial stone unturned, positing phones, routers, RFID tags, even languages, bodies and minds, as welcome fodder.
4500 people converged upon the Berliner Congress Center, which doesn't shut at all over the course of the 4 days. Walking around the brimming hacker lounges you barely come across a single laptop without a UNIX terminal in focus. Talks and workshops run into the night and parties follow on for the duration of the festival.
On day two I attended the one-hour console hacking lecture by legendary console hacker Felix Domke. He gave an entertaining presentation to about 1000 hackers on the current state of getting homebrew code - your own games - running on the Xbox 360, the Wii and the PS3. Read on for the low-down.
The Xbox 360: Redmond Way or No Way
Unlike its predecessor, the Xbox 360 is considered very secure: all code on it runs under a hypervisor, a privileged layer that sits below the operating system and only lets code execute if it carries Microsoft's signature. Unless your code has the official stamp from MS, you're out of luck. The 360 is the holy grail of console hacking right now.
The Xbox 360 is a juicy machine, a 3.2GHz PowerPC (think G5) with 3 cores, but so far the best you'll do is signing up for XNA Game Studio Express if you want to run your own games on the console you rent (sorry, bought) from Microsoft. MS provides everything you need to get a game up and running on the 360 in just a few hours, assuming you're a game programmer in the first place of course.
Sadly, alongside the roughly $100-a-year price ticket, XNA Express games must be written in C# against Microsoft's managed framework, and you can't run any native or third-party code on the device. You don't have access to the network card, nor to the DVD drive, so you're out of luck if you want to make multiplayer games or a media player for your own burnt DVD movies. Also worth mentioning is that you'll have to use MS's distribution channels if you want to share your games with others; if your game is not considered tasteful or appropriate, or worth distributing by MS at all, they are legally able to pull it from the channel entirely. Michael, Felix's co-presenter, questioned whether this is really anything near 'homebrew' at all.
There are currently no known hacks of the Xbox 360, though later on in the festival an anonymous hacker with his face completely concealed gave an unofficial 5-minute presentation featuring an Xbox 360 booting up to a screen that had both a penguin and an OS X logo next to the words "Coming soon". It's been suggested that he probably looks like this at home:
We'll see what we can find out later about that...
The Wii: Knock twice to enter.
It turns out the Wii is an interesting target for running homebrew code, but it's not all roses. The Wii has what the speakers consider two 'backdoors', both using an undocumented serial debug port built into the bottom of the Wii's DVD drive.
'Backdoor 1' involves a simple timing attack to find the password that unlocks the DVD drive's debug interface (which, out of interest, was "MATSHITA DVD-GAME"), and then running code in RAM that tells the drive to disable authentication altogether. Once done you can put in Action Replay, a commercial GameCube cheat disc that doubles as a loader for homebrew or copied GC games, and it works just as it does on the GC: all very well if you're one of those people into pirating games, but not if you actually want to create games to run on your Wii. To automate the process a bunch of modchips came out after this hack was discovered. The crowd burst into laughter when Felix told how the backdoor had been 'fixed' by Nintendo: by changing the password to lower case. A timing attack recovers the password one byte at a time whatever it happens to be, so the new password falls to exactly the same attack.
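As an added illustration that is not part of this write-up or of Felix's talk, the C program below simulates the kind of byte-by-byte password check that a timing attack exploits. Everything about the drive here is constructed: the check counts compare iterations in place of the response time an attacker would actually measure on the serial port, the password string is simply the one the talk reported, and the real drive protocol is not modelled. The program also shows the constant-time comparison that would have closed the hole, which changing the case of the password did not.

```c
#include <stdio.h>
#include <string.h>

/* Constructed secret for this simulation: the string the talk reported
 * as the drive's debug-port password. The real drive protocol is not
 * modelled here. */
static const char SECRET[] = "MATSHITA DVD-GAME";

#define MAX_PW 64

/* A password check returns 1 on match and reports its 'cost', the number
 * of compare iterations it ran. In a real attack that is the response
 * time measured on the serial port; counting iterations keeps the
 * simulation deterministic. */
typedef int (*check_fn)(const char *guess, unsigned *cost);

/* Leaky check: compares byte by byte and gives up at the first mismatch,
 * so the cost reveals how many leading bytes of the guess were right. */
int check_early_exit(const char *guess, unsigned *cost)
{
    size_t n = strlen(SECRET);
    unsigned c = 0;
    for (size_t i = 0; i < n; i++) {
        c++;
        if (guess[i] != SECRET[i]) {   /* the NUL of a short guess stops here too */
            *cost = c;
            return 0;
        }
    }
    *cost = c;
    return guess[n] == '\0';
}

/* Hardened check: always walks the whole secret and ORs the differences
 * together, so the cost is the same for every guess. */
int check_constant_time(const char *guess, unsigned *cost)
{
    size_t n = strlen(SECRET);
    size_t glen = strlen(guess);
    unsigned char diff = (glen != n);
    unsigned c = 0;
    for (size_t i = 0; i < n; i++) {
        c++;
        unsigned char g = (i < glen) ? (unsigned char)guess[i] : 0;
        diff |= g ^ (unsigned char)SECRET[i];
    }
    *cost = c;
    return diff == 0;
}

/* Byte-at-a-time recovery. At position i every wrong byte fails after
 * i+1 iterations; the right byte gets the check past position i, so its
 * cost is higher (or the check succeeds outright on the last byte).
 * Writes the recovered password to 'out' (MAX_PW + 2 bytes) and returns
 * its length, or -1 when the check leaks nothing usable. */
int recover_password(check_fn check, char *out)
{
    char guess[MAX_PW + 2];
    memset(guess, 0, sizeof guess);
    for (size_t i = 0; i < MAX_PW; i++) {
        int found = 0;
        for (int b = 0x20; b <= 0x7e; b++) {      /* printable ASCII */
            unsigned cost = 0;
            guess[i] = (char)b;
            guess[i + 1] = '\0';
            if (check(guess, &cost)) {            /* exact match: done */
                memcpy(out, guess, i + 2);
                return (int)(i + 1);
            }
            if (cost > i + 1) {                   /* got past byte i */
                found = 1;
                break;
            }
        }
        if (!found)
            return -1;
    }
    return -1;
}

/* Returns 1 if the attack recovers SECRET from the leaky check. */
int attack_beats_early_exit(void)
{
    char out[MAX_PW + 2];
    return recover_password(check_early_exit, out) == (int)strlen(SECRET)
        && strcmp(out, SECRET) == 0;
}

/* Returns 1 if the same attack gets nowhere against the hardened check. */
int attack_fails_constant_time(void)
{
    char out[MAX_PW + 2];
    return recover_password(check_constant_time, out) == -1;
}

int main(void)
{
    char out[MAX_PW + 2];
    int len = recover_password(check_early_exit, out);
    printf("early-exit check: recovered %d bytes: \"%s\"\n", len, len > 0 ? out : "");
    printf("constant-time check: recover_password returned %d\n",
           recover_password(check_constant_time, out));
    return 0;
}
```

Against the early-exit check the loop needs at most 95 tries per byte, so the whole 17-byte password is recovered in well under two thousand probes; against the constant-time check every candidate costs the same and the attacker learns nothing beyond pass or fail. Swapping upper case for lower case changes none of this, which is why the audience laughed.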
The second backdoor uses the same serial port on the bottom of the drive to issue commands, but this time you read and write the drive's RAM directly, so there is no need to tell the drive it's authenticated in order to run custom code. This frees up the drive completely, allowing you to run GC homebrew games, GC copies and also Wii copies. Sadly, however, it doesn't let you run homebrew Wii code, i.e. code using the full hardware, because all Wii games are encrypted and actually exchange keys between the disc and the DVD drive itself. Nintendo also apparently 'fixed' this backdoor after it was discovered by taking away the serial port and... moving it somewhere else. Interestingly enough, Chad tells me that Japan has a very small consumer device hacking scene, and so it's possible Nintendo are just completely naive about the lengths European hackers will go to to get what they want out of their machines. That said, as Felix points out, these hacker entry points are conspicuous to say the least. Maybe Nintendo have something in mind for homebrew content in the future?
The Wii has 88 MB of RAM and a core CPU clocking in at 729MHz, making it essentially twice as powerful as the GameCube in both the GPU and the CPU. Compared with desktop hardware it is a little more powerful than a G3, although the graphics memory is apparently some of the fastest in existence.
Felix parted the dark clouds with an important (if a little obvious in retrospect) conclusion: it is the innovative interface itself that attracts people to buy the thing in the first place. Given that the Wii remote can be purchased separately anyway for around EUR30.00, it makes more sense for the game developer to simply buy the Wii remote and develop applications for it on their PC. The Wii remote is a Bluetooth in-air pointer device with accelerometers that provide tilt and movement data, plus an infrared camera that tracks the LEDs of the sensor bar to give an absolute position on the screen. Fixed positions can be determined on a screen surface using a simple application like this one, so you can use it as a control interface for your own games. Get busy!
The PS3: Linux, with strings attached.
The PS3 is a beast. It's a 64-bit PowerPC "Cell" at 3.2 GHz with 7 SPU cores (Synergistic Processing Units) that no-one really knows what to do with. It has two separate memory pools, system and graphics. It outputs HDTV and plays Blu-ray movies and, given the current cost of standalone Blu-ray players out there, at EUR600.00 the PS3 is the cheapest.
As has been mentioned here in the past, the PS3 officially supports Linux, which is easily installed after buying the console itself. While this makes it easy to run homebrew code, it's not without its limitations: no access to the GPU or graphics memory, so you won't be able to make 3D content for the PS3 and expect it to run at any worthwhile speed; all 3D rendering will be done in software, not on the graphics chip. You don't have full access to the hard disk under Linux, only the partition designated for the "other OS", as Sony call it. Furthermore you only have access to the main RAM, not the graphics memory, meaning only half the total memory is exposed to you under Linux.
So, the PS3 is 'open', but not as much fun as it could be. Let's hope Sony lightens up a little and provides a homebrew development context that can compete with XNA.
FYI, here's a comparison chart Felix offered between the Wii and the PS3.
More pictures of the 23c3 here
Watch the video of his talk here.
p34c3 + h4x0r1ng 2007!