It's too bad that the cracking scene seems so vain, though. This article presented three groups:
* One which wants to sell 'jailbreak' kits to enable piracy, while keeping the details to themselves.
* One which had planned a related disclosure window amongst the broader community for two days from now, and seems to feel somewhat vocally that this release is very similar to their work.
* One which seems like they might have flaunted that window a bit for the credit.
It's amazing and inspiring what these people manage to accomplish, but it'd be nice to see less stepping on fingers - imagine what might happen if these groups really cooperated! I guess it's a very reputation-driven scene, but still...
This has always been the case with homebrew/jailbreak scenes, from the PSP to the PS3/PS4, to iOS, etc.
There will always be squabbles among the different people and groups involved with finding exploits or developing jailbreak/"hack" "kits".
Following from that, there will also always be people who want to jailbreak only to pirate games and there will also be groups who want to disclose the exploits properly, or use them purely for research and non-piracy fun purposes.
Someone developed an exploit, packaged it in a USB stick, called it the PSJailbreak, planning to sell it as a piracy-oriented tool. They sent out a few review copies to prove it worked.
One of the reviewers obtained a USB trace of the exploit in action, passing it along to a few members of the homebrew scene. The homebrew scene recreated this exploit with an open source implementation (but with the ability to pirate games superficially patched out), beating the original PSJailbreak to market.
The homebrew scene then set upon developing an open source homebrew devkit.
Many manufacturers released their own clone devices of the exploit; the timeframe suggests that they were also working from copies of the PSJailbreak.
It was the homebrew scene who later decimated the PS3 chain of trust, to develop installable modded firmware.
To say nothing of internecine squabbles between partisans of various home computers. C64 r00lz and Spectrum dr00lz (or vice versa). About the only platform that everyone can agree on is that the PC suxx0rz.
I remember that in part of modding the Wii, one of the tools asked if you were going to use the tool to play backups. I took it literally; my plan was to rip my game disks and run them from a USB drive. I answered "yes"...and the tool spit up a message against piracy, and set a flag somewhere in the NAND of the Wii.
I don't remember exactly how I fixed it...I think there was some undocumented way to clear the flag that you could only find by reading the tool's source. It was a good reminder of how much stupid, blind trust I tend to put into random tools from the internet.
This doesn't sound like it itself "exploits" anything, just deflates Nintendo's attempted scheme to exploit their customers by booby trapping their hardware.
If you rigged your car to destruct 30 minutes after it went out of cell service, sold it to an unsuspecting buyer, and then laughed when they got stuck in the desert, you'd be rightfully thrown in jail. But yet these companies keep attempting to pull the same shit with impunity.
I actually kind of liked the Gameboy approach. You needed to include a byte-for-byte image of the trademarked Nintendo logo in order for the boot ROM to run your cartridge. So there were no technical hurdles to running your code in it, but it just made it legally dangerous to distribute.
Holy shit. Is that why when you plugged in a cartridge a little weirdly, the Nintendo logo would look all weird and the game wouldn't boot? It was a simultaneous legal protection and a hardware protection? That was fucking genius!
The reason for the logo looking weird is that it did load the logo from the cartridge, and if the pins aren't reading perfectly, the data comes out wrong.
One of the first pieces of code in the startup code embedded in the GB's CPU reads the logo data, doubles it vertically and horizontally, and writes it out to the graphics tile memory. It scrolls down the screen, even if it's corrupted. Then it compares the logo with one built into the CPU and puts itself into an infinite loop if they mismatch.
So, yep. It's a combined data consistency check, and an attempt to use trademark to prevent unauthorized software.
IANAL, but the two things seem related, why is GP being down voted?
From just a reading of the wiki pages, without much law knowledge, it does seem like Sega would win today? What am I getting wrong?
HN's algorithm to turn a URL into a clickable link can have trouble with links that end in punctuation, and your link fell victim. Here's an attempt to make it work:
That seems to deal with anti-circumvention provisions and not copyright provision and not with infringing on trademark/copyright as the GGGGP (white-flame) seems to be pointing to.
Chamberlain is cited as a rebuttal to the DMCA argument; the DMCA has nothing to do with trademarks, and therefore I took its citation to be in reference to its anti-circumvention clauses. For the trademark argument, see Sega v. Accolade's decision.
Interestingly, this could be circumvented - the boot rom does the logo scroll using data from cart, THEN, in a separate loop checks it vs local copy. If you can make the cart read different data at each stage, you are golden!
IIRC Argonaut/Jez San had a POC of this using a very simple hardware bodge, intended as a potential way of publishing Eclipse (what became X) without a Nintendo licence.
Fortunately - Nintendo were interested in the 3D rendering, and that started the SuperFX/Starfox/ARC journey.
> it just made it legally dangerous to distribute.
Internet and countries that don't enforce copyright exist, you know? You can even get HDCP strippers on eBay, pretty easily too. Never had any issue finding ISOs and ROMs online, even for the Switch before this hack.
If only the legal side was a good enough security...
If you want a portable device that you can use to run your own software, then go get a tablet that runs the Tegra X1; you will get the exact same thing.
In the sense of "that's how the Game Boy behaves", it's not hard to find a dump of the startup firmware (and it's just 256 bytes).
At offset 0x21 (33), it loads the offset for the bitmap data in the cartridge into one register, and the address for tile data RAM into another. Offsets 0x27-0x32 are a loop that calls out to functions at offsets 0x95-0xa7 and 0x96-0xa7 to double up the bits and scale the image to 2x its original size. After the code to scroll the logo, it plays the iconic double-ping sound.
At offset 0xE0, it loads offsets for the firmware copy of the logo and the cartridge copy of the logo. 0xe6-0xef iterate through the logo. If at any point the 2 copies don't match, there's a jump at offset 0xe9. Here's the relevant part of the loop:
LD A, (DE) ;Load a byte from the cartridge copy
INC DE ;Increment the pointer to the next byte
CP (HL) ;Compare A with the byte at (HL)
JR NZ, -2 ;If not equal, lock up by jumping back to this location
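The two-stage check walked through above (the scroll that copies the cart's logo into tile RAM, then the compare loop at 0xE0-0xEF against the CPU's copy) and the weakness raised a few comments earlier (the cartridge is read separately for each stage) can be modelled in a few dozen lines of C. This is an added example, not the boot ROM and not anyone's project code: the logo bytes, the `cart_read` bus model and the `run_checks` helper are constructed stand-ins. It puts the original double-read check beside a single-snapshot variant that verifies exactly the bytes it rendered.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define LOGO_LEN  48u
#define LOGO_ADDR 0x0104u   /* cartridge header address of the logo bitmap */

/* Constructed stand-in for the 48-byte logo held in the boot ROM; the real
 * bitmap is Nintendo's trademark and is deliberately not reproduced here. */
static const uint8_t *boot_rom_logo(void) {
    static uint8_t logo[LOGO_LEN];
    for (unsigned i = 0; i < LOGO_LEN; i++) logo[i] = (uint8_t)(i * 37u + 11u);
    return logo;
}

/* The cartridge bus as the boot ROM sees it: one byte per read. */
typedef uint8_t (*cart_read_fn)(void *cart, uint16_t addr);

/* The original two-stage check: stage 1 (the scroll) copies the logo from
 * the cart into tile RAM; stage 2 (the compare loop) reads the cart AGAIN
 * and compares each byte with the boot ROM copy, locking up on mismatch. */
static bool boot_check_two_reads(cart_read_fn rd, void *cart, uint8_t *tile_ram) {
    const uint8_t *ref = boot_rom_logo();
    for (unsigned i = 0; i < LOGO_LEN; i++)
        tile_ram[i] = rd(cart, (uint16_t)(LOGO_ADDR + i));   /* what is shown */
    for (unsigned i = 0; i < LOGO_LEN; i++)
        if (rd(cart, (uint16_t)(LOGO_ADDR + i)) != ref[i])   /* what is checked */
            return false;                                     /* the JR NZ,-2 lock-up */
    return true;
}

/* Hardened variant: read once, then display and verify that same snapshot,
 * so the check covers exactly the bytes that were rendered. */
static bool boot_check_single_read(cart_read_fn rd, void *cart, uint8_t *tile_ram) {
    uint8_t snap[LOGO_LEN];
    for (unsigned i = 0; i < LOGO_LEN; i++) snap[i] = rd(cart, (uint16_t)(LOGO_ADDR + i));
    memcpy(tile_ram, snap, LOGO_LEN);
    return memcmp(snap, boot_rom_logo(), LOGO_LEN) == 0;
}

/* Test double: a cartridge that answers the first read of each byte from
 * `shown` and every later read from `verified`. Equal images model an
 * ordinary cart; a flaky pin is modelled by corrupting a byte in both. */
struct cart { uint8_t shown[LOGO_LEN], verified[LOGO_LEN]; unsigned hits[LOGO_LEN]; };

static uint8_t cart_read(void *c, uint16_t addr) {
    struct cart *ct = c;
    unsigned i = (unsigned)(addr - LOGO_ADDR);
    return ct->hits[i]++ == 0 ? ct->shown[i] : ct->verified[i];
}

static void cart_init(struct cart *c, const uint8_t *shown, const uint8_t *verified) {
    memcpy(c->shown, shown, LOGO_LEN);
    memcpy(c->verified, verified, LOGO_LEN);
    memset(c->hits, 0, sizeof c->hits);
}

/* Runs both checks on one cartridge: bit 0 set if the two-read check
 * accepted it, bit 1 set if the single-read check accepted it. */
static int run_checks(const uint8_t *shown, const uint8_t *verified) {
    struct cart c;
    uint8_t tile_ram[LOGO_LEN];
    int verdict = 0;
    cart_init(&c, shown, verified);
    if (boot_check_two_reads(cart_read, &c, tile_ram)) verdict |= 1;
    cart_init(&c, shown, verified);
    if (boot_check_single_read(cart_read, &c, tile_ram)) verdict |= 2;
    return verdict;
}
```

A mis-seated cartridge (the corrupted-byte case) fails both checks, which is the "logo looks weird and the game won't boot" behaviour described above; only the single-read variant ties what was verified to what was displayed.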
> 14. A hand-held electronic game machine in accordance with claim 9, wherein said processing means includes detecting means responsive to a connected external memory for detecting whether said connected external memory is an authorized or unauthorized memory.
> 15. A hand-held electronic game machine in accordance with claim 14 wherein the processing means includes further means responsive to said detecting means for preventing an unauthorized external memory from being used for executing a game program.
There's some good commentary on the legal situation, and its relation to Sega's similar legal theories (as regarded the Genesis/MegaDrive) on TVTropes (although it's a bit short):
Sounds kind of like a Tesla, now that you mention a car like that. They already will call and threaten you if you own a Tesla and mess around with it under the hood.
It ought to be the law that anything I can do is fair game. If I fuck up something it shouldn't be under warranty, but only for the issues the tinkering causes. If I can connect to a port in the car I've paid for, and read something, it's not industrial espionage. That is just Tesla being lazy and trying to get security-by-obscurity, instead of a proper secure implementation.
That article is clickbait. Tesla contacted the owner out of fear that his car had been hacked (i.e. by someone else). That the owner stop was merely a "recommendation," warranty invalidation was the only threat they made, and "industrial espionage" was the owner's characterization of Tesla's concern, not an allegation it made against the owner. Lots of people have gone on to hack their Teslas without consequence in the years that followed.
There was another episode where Jason Hughes was denied firmware updates after rooting his car. Elon responded that no punitive action was intended and that he views white hat hacking as a gift, and they seemed to resolve it pretty quickly.
It will be interesting to see how Tesla responds to these cases when FSD is available.
> This evening I got a call from service center :crying:
They told me Tesla USA engineers saw an attempt at hacking on my car...
I explained it was me because I tried to connect to the diagnosis port to get some useful data (speed, power, etc...). They told me it can be related to industrial espionage and advised me to stop the investigation, to not void the warranty....
Don't know if they really saw something in the log, because I just sniffed the network. Or maybe they saw the port scanning with nmap? Or maybe they just read this topic? :eek:
It’s half and half. This scheme defeats Nintendo’s attempt to control what console owners do with their own hardware, it’s true. But it also allows console owners to be exploited by malicious hardware (say, a cheap charger).
How about an open hardware industry that would employ millions of people? Not to mention the questionable premise that we should have enough work to employ almost everyone. I mean, we're mostly programmers in here. Our primary task is to destroy jobs. Shouldn't free time be a good thing?
People seem to not understand this was a tongue in cheek reference to the NES and the recovery from the 1983 crash...
That being said, I don’t have major qualms about closed hardware. It creates the incentives that have allowed for massive investment in what is now cutting edge technology, and over time it is trickling down to more open hardware.
The number of proprietary technologies in a modern high-end GPU is staggering. Maybe one could say in an alternate timeline open hardware could have beaten companies creating GPUs with proprietary IPs, but it didn’t really happen. So I’ll take 1080tis with binary blobs over the open alternative.
1/3rd of the units sold? Or 1/3rd of the types of consoles? I know several consoles of the era also had DRM, so I'd be curious which ones you're referring to and the time period if referring to 1/3rd sold.
And if Denuvo actually helps sales is not an easy question to answer since no publisher has come out and said it (that I've seen).
The premise seems sound enough, sales follow an “inverse hockey stick”, so design DRM meant to delay cracking instead of stop it and you can get more time with maximum interest and sales, with no easy piracy options.
A few times it’s fallen in hours, and pirates started to write it off, but just recently Far Cry 5's implementation lasted weeks, which seems to be what they’re going for (some versions even lasted months on end).
One could argue no pirates would buy instead of wait, and one could argue all pirates would buy instead of wait, but both would be wrong and the truth is somewhere in the middle. Publishers have evaluated that question and apparently the answer is something they like enough to keep shaving margins for.
If I remember right, DOOM and the latest Tomb Raider used Denuvo and they weren't cracked until a few weeks after release, but they did not report sales above the norm.
Are those digital sales? Usually I see numbers quoted as tracking physical sales, which don’t tell the whole story.
And I still feel only publishers would be able to tell what the "norm" is. They have better insight into what their "norm" is in terms of returns for development and marketing based on game type, release date, and tons of other factors that can't be correlated casually.
>1/3rd of the units sold? Or 1/3rd of the types of consoles? I know several consoles of the era also had DRM, so I'd be curious which ones you're referring to and the time period if referring to 1/3rd sold.
The Famicom did not have the DRM, and accounts for about a third of the total Nintendo sales. That market did not suffer because of the presence of piracy.
As for Denuvo, why would publishers hide data showing it works? And the base capitalism answer doesn't work; continuing to use aggressive DRM gives them information and a power over users that may not directly show a profit.
The rest of your arguments ignore the sales piracy brings because more people talking about it, an effective advertising, and the people who use piracy as a true demo.
Great news for people who want to use their purchased hardware for things Nintendo won't allow... i.e. watching movies on the great screen, using generic HDMI adapters, playing games they already purchased for older console versions, or backing up savegames.
Also great news for people who want to use their hardware for things that are actively against Nintendo's interests, like playing pirated games.
All around, it seems like a story of us: 1, them: 0.
This. I decided against buying a Switch because I discovered that it prevents owners from backing up save files.
I still don't plan to buy a Switch until Nintendo supports backing up save files officially like they do with cross-region compatibility. Having to lose 100s of hours of progress for what amounts to an arbitrary reason from a Nintendo bigwig is not something I am willing to stomach.
Not sure about the carts and saves, but you can at least push patches and downloaded games to SD cards and back them up. They'll only work for your console as far as I'm aware, but that's fine with me for doing a backup.
In the FAQ, Temkin says she has previously notified Nvidia and vendors like Nintendo about the existence of this exploit, providing what she considers an "adequate window [for Nvidia] to communicate with [its] downstream customers and to accomplish as much remediation as is possible for an unpatchable bootROM bug."
Why would you even want to do that...? Money? Fame? As I've heard it said memorably, "would you tell someone who takes you hostage and locks you up, that the lock is actually trivial to open?" This is just further evidence of a fact I've noticed for a long time: a lot of security researchers are pro-DRM, pro-corporatocracy authoritarians, and their vision of "more secure" is a dystopian nightmare.
I still remember the good old days, when the hacking/cracking scene was entirely composed of people doing it for the freedom, with no do-gooding snitches to worry about...
10 years ago, if you shared a way to bypass a DRM scheme in the right places, it would live on for a long time. Now, it's more likely that some bastard is going to report it and get it patched in days to weeks.
The exploit concerns most Tegra chips currently on the market, not just the Nintendo Switch. Those are used in, for example, cars. I believe that was part of the reason.
Not to mention, it's not patchable without a hardware revision, so sharing it privately before sharing it publicly, while strongly hinting that it's not patchable without a hardware revision (which has been done), has the same effect in practice for those wanting to escape Nintendo's jail, while letting those who use the Tegra in security-sensitive environments prepare adequately.
This exploit has nothing specifically to do with DRM, and compromises the entire root of trust chain on devices impacted (including devices which aren't locked down).
Given that the DRM is precisely about stopping owners from controlling their devices fully, I'd say it's pretty relevant to this exploit being able to bypass that.
>I still remember the good old days, when the hacking/cracking scene was entirely composed of people doing it for the freedom, with no do-gooding snitches to worry about...
>10 years ago, if you shared a way to bypass a DRM scheme in the right places, it would live on for a long time. Now, it's more likely that some bastard is going to report it and get it patched in days to weeks.
From the article it looks like someone else was trying to sell it so she put it in the open for free.
>The release also seems to be partially a response to Team Xecuter, a separate team that is planning to sell a modchip exploit that can allow for similar code execution on the Switch. Temkin writes that she's opposed to Xecuter's explicit endorsement of piracy and efforts "to profit from keeping information to a few people."
If she truly wanted to make it free, why secretly tell Nintendo and nVidia first?
It's a cat-and-mouse game, and this mouse wants to tell the cat how to catch the other mice. In the old scene, you'd be branded a traitor for doing that.
"Why disclose this at all? Why not hold onto this in order to increase the number of affected Switch consoles?
Unfortunately, this bug affects a significant number of Tegra devices beyond the Switch, and beyond even the X1 included in the Switch. I can tell you, it wasn't fun to find a bug with such a broad impact; it significantly complicated the ethics involved.
In the end, given the potential for a lot of bad to be done by any parties who independently discover these vulnerabilities, I thought it best to disclose this immediately and under terms that ensured that the vulnerability reached the public quickly."
At the end of the day Tegra is used in a lot of places. Even cars.
If there's a risk that someone could conduct a crime through a firmware hack then that presents an ethical dilemma.
10 years ago there were few portables that you could run your own code on. Now there are things like the GPD Win.
All this homebrew stuff is a bit of fun and games at the end of the day. Calling someone a traitor because they decided to responsibly disclose a vulnerability is just childish.
Even cars. If there's a risk that someone could conduct a crime through a firmware hack then that presents an ethical dilemma.
If it was a remote exploit, I'd certainly agree about the ethical dilemma, but everything I've read suggests that this requires physical access.
As for being used in cars... don't get me started on what manufacturers are doing these days to stop repairs and modifications... just search "John Deere tractor hacking" to get a taste of what I mean (some articles and good discussion here on HN too.)
Calling someone a traitor because they decided to responsibly disclose a vulnerability is just childish.
It shows they cannot be trusted, and that they support the actions of companies who want to lock out users from the devices they own.
Sure. But at the end of the day Nintendo aren't some bad actor company that's forcing people to spend thousands in repair fees.
They make video games.
------
Trusted by whom? Essentially it's a group of internet hackers that are doing it for internet fame. Or in the case of others to make money off selling any hardware tools required.
"actions of companies who want to lock out users from the devices they own."
This doesn't really matter. When someone buys a Nintendo Switch they are aware that you can only use software from an official channel from the manufacturer.
It's not a sneaky action by them nobody is forced to use a Switch and its primary functionality is consuming entertainment products.
It's not like a router or tv set top box that you are forced to use.
Open hardware (in the sense of OS/software) is cheap and available today. If you don't want to be locked out of doing what you want to a device, then don't buy a locked down device.
I mean, it's unpatchable in current systems, and the vendor would have it figured out quickly anyway. There's no reason not to go through responsible disclosure.
For Nintendo to fix this they need to replace the IC.
They'd need to recall all the sold switches and replace the IC. And they need to specify a new IC for all future production, with some cost implication for new drawings and getting rid of stock.
Because the plan wasn't to make it free until she saw that someone else was planning to profit from it. I doubt she wanted it free; she wanted to spite the other group.
This has reasonable parallels to the PSP "Pandora's Battery" exploit, which put the device into DFU mode using a battery that emulated the factory service mode jig, and then exploited an issue in the trust chain verification in the first-stage (mask-ROM) bootloader. Similarly fixable with hardware only, which came soon after the exploit.
This bootloader bug is much sillier (IMO) than Sony's, though. Sony's was a series of crypto mistakes in the trust chain verification: it decrypted blocks in place and there was an issue in the checksum code that left it vulnerable to a timing attack, so a very, very small valid-but-colliding block had to be constructed and the rest of the bootloader was then freely-injectable. This nVidia/Nintendo mistake is an even sillier basic protocol issue.
I think the main lesson here is not to put complex protocol code in your immutable first-stage mask ROM, and if you do, to limit the surface area as much as possible, ensure memory safety, and audit the hell out of it.
I believe this has been known for a while, even though it's just now been "made public" as far as the press is concerned. In the meantime, disassembly of OS updates for the Switch imply that they're adding support for a newer version of the Tegra processor, which many speculate to be a silent hardware upgrade on new systems to boost security, not for a new model with speed upgrades.
I wonder if this exploit would be workable on older Tegra systems, like for example a Tegra 3 in the digital cockpit on the Audi S3/R8/TT [1] or the K1 they are selling now [2] - it would be really great to be able to modify and customize those systems.
> By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code.
> Nintendo may still be able to detect "hacked" systems when they sign on to Nintendo's servers. The company could then ban those systems from using the Switch's online functions.
So at least one positive then. Nintendo will be forced to improve their online services.
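The bug class in the quoted paragraph (a host-supplied control-request length trusted as the DMA transfer length) is easiest to see as a vulnerable handler next to its bounded form. This is an added model, not Tegra's bootROM code: the `struct ep0_mem` arena, the buffer sizes and the `ep0_*` names are constructed, and the guard region stands in for whatever sits after the real buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the control-transfer path in the quote above; this is
 * not Tegra's bootROM code and the buffer sizes are made up. */
struct usb_setup {            /* the 8-byte SETUP packet the host sends */
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;         /* host-chosen: anything up to 65535 */
};

#define DMA_BUF_SIZE 256u
#define GUARD_SIZE   64u
#define GUARD_BYTE   0xA5u

/* The DMA buffer with, directly after it, memory that must stay intact (the
 * quote's "protected application stack"). One arena keeps the overflow
 * observable without undefined behaviour in this model. */
struct ep0_mem { uint8_t arena[DMA_BUF_SIZE + GUARD_SIZE]; };

static void ep0_mem_init(struct ep0_mem *m) {
    memset(m->arena, 0, DMA_BUF_SIZE);
    memset(m->arena + DMA_BUF_SIZE, GUARD_BYTE, GUARD_SIZE);
}

/* Stand-in for the DMA engine: copies exactly the programmed length and has
 * no idea how large the destination buffer is. */
static void dma_transfer(struct ep0_mem *m, const uint8_t *src, size_t len) {
    if (len > sizeof m->arena) len = sizeof m->arena;   /* keeps the model in-bounds */
    memcpy(m->arena, src, len);
}

/* Vulnerable pattern: the host's wLength is used as the transfer length. */
static void ep0_handle_unchecked(struct ep0_mem *m, const struct usb_setup *s,
                                 const uint8_t *data) {
    dma_transfer(m, data, s->wLength);
}

/* Hardened pattern: the transfer can never exceed the buffer; an oversize
 * request is refused (a real handler would STALL endpoint 0). */
static bool ep0_handle_checked(struct ep0_mem *m, const struct usb_setup *s,
                               const uint8_t *data) {
    if (s->wLength > DMA_BUF_SIZE) return false;
    dma_transfer(m, data, s->wLength);
    return true;
}

/* True while the memory after the DMA buffer is untouched. */
static bool guard_intact(const struct ep0_mem *m) {
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (m->arena[DMA_BUF_SIZE + i] != GUARD_BYTE) return false;
    return true;
}

/* Feeds one constructed request of `len` bytes to both handlers.
 * Returns bit 0 if the unchecked handler left the guard intact, bit 1 if the
 * checked handler accepted the request, bit 2 if it left the guard intact. */
static int compare_handlers(uint16_t len) {
    static uint8_t payload[DMA_BUF_SIZE + GUARD_SIZE];
    struct usb_setup s = { 0x40, 0x01, 0, 0, len };   /* vendor, host-to-device */
    struct ep0_mem m;
    int r = 0;
    memset(payload, 0x41, sizeof payload);
    ep0_mem_init(&m);
    ep0_handle_unchecked(&m, &s, payload);
    if (guard_intact(&m)) r |= 1;
    ep0_mem_init(&m);
    if (ep0_handle_checked(&m, &s, payload)) r |= 2;
    if (guard_intact(&m)) r |= 4;
    return r;
}
```

A request that fits the buffer passes both handlers unchanged; one larger than the buffer clobbers the guard region under the unchecked handler and is simply refused by the bounded one, which is the whole of the fix a mutable bootloader could have shipped.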
Switch security is a joke and it's really bad for the players; it means that people can hack online games fairly easily. FYI Microsoft > Sony > Nintendo in terms of console security.
Edit: For people who down vote me do you work in security field or just down vote w/o knowledge?
People might be down voting you because "Microsoft > Sony > Nintendo" comes off as grandstanding. As someone in the "security field", you must be aware that poor communication can tarnish otherwise correct information.