Date: 2024-08-23

Key Takeaways

Analyzing firmware dumps can reveal vulnerabilities in consoles

Input and protocol fuzzing can lead to significant exploits

Voltage glitching disrupts devices to gain unauthorized access

Consoles like the Nintendo Switch have been blown open fairly early in their lifecycle, while others like the PlayStation 4 took their time but eventually were, too. However, how are these console exploits actually discovered? Given that consoles tend to be pretty locked down, the methods attackers use to gain elevated access to the software running on them can be quite complicated, and they differ from console to console.

Software reverse engineering

Analyzing firmware

A typical starting point for a would-be attacker is to analyze a firmware dump from a console to understand how the software on it works. In the case of the Nintendo Switch, the Switch's operating system, Horizon, is a successor to the 3DS operating system, also called Horizon. This gave hackers a leg-up in working with the Switch, because its operating system, according to prominent hackers plutoo and yellows8, was very similar in many ways to that of the Nintendo 3DS.

As for how developers managed to analyze the firmware in the first place, there are a few ways that they may be able to do so. Sometimes, companies will straight up publish it for download, so that you can install it yourself. Other times, those companies may be required to publish or even open source parts of it under a license agreement. This is also the case with the Nintendo Switch, as it uses various components from other open-source projects.

There are a ton of other ways that someone may be able to dump the firmware too, including using a JTAG interface, UART, firmware recovery features, network capturing, and so much more. Once you have a copy of the firmware, it can teach hackers how the system works under the hood and can reveal critical vulnerabilities. This happened with the Nintendo 3DS, where a mechanism for unbricking consoles was discovered by disassembling the boot ROM after the handheld had been hacked, and this mechanism's signature check was flawed.

Input and protocol fuzzing

The PlayStation 3 and the Nintendo Wii are great examples of this

Input fuzzing is a technique used to discover vulnerabilities in software by providing it with invalid, unexpected, or random data as input. The idea behind fuzzing is to explore how the software handles inputs that are outside the norm, meaning inputs that a typical user might not provide. When it comes to console hacking, input fuzzing is used to test how the console’s software, including games and system-level processes, handles various types of data. This could include corrupted game files, unusual button combinations, unexpected network packets, or incorrect data in saved game files.

As an example, if a console’s game loader is designed to process game saves from a memory card or internal storage, a hacker might create a specially crafted game save with unexpected data structures or excessive data lengths. When the console attempts to load this game save, it could encounter an error, potentially leading to a crash or an unintended behavior, such as executing unintended code. This type of vulnerability, usually a buffer overflow, could then be exploited to execute custom code on the console.

A pretty well-known example of input fuzzing leading to a significant exploit is the Twilight Hack on the Nintendo Wii. In this case, hackers discovered that by modifying a save file for the game The Legend of Zelda: Twilight Princess, they could cause the game to execute arbitrary code. This was achieved by creating a malformed save file with a long name for Epona, Link's horse, that, when loaded by the game, caused a buffer overflow, allowing the hackers to run custom code and ultimately gain control over the system.
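The length checks that stop the malformed-save class of bug described above, with a small mutation fuzzer exercising them, as an added example that is not part of the original article. The "SAVE" layout, the 16-byte name field, and the functions `parse_save` and `fuzz_parse_save` are constructed for illustration and do not reflect any real console or game format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NAME_CAP 16  /* capacity of the in-memory name field */
/* Constructed save layout: "SAVE" | name_len (1 byte) | name bytes */
typedef struct { char horse_name[NAME_CAP + 1]; } save_t;

/* Returns 0 on success, -1 on malformed input. The overflow class described
 * above appears when name_len bytes are copied without the two checks. */
int parse_save(const uint8_t *buf, size_t len, save_t *out) {
    if (len < 5 || memcmp(buf, "SAVE", 4) != 0) return -1;
    size_t name_len = buf[4];
    if (name_len > NAME_CAP) return -1;  /* longer than the destination */
    if (name_len > len - 5) return -1;   /* longer than the file itself */
    memcpy(out->horse_name, buf + 5, name_len);
    out->horse_name[name_len] = '\0';
    return 0;
}

/* Small xorshift PRNG so every run is reproducible from its seed. */
static uint32_t next_rand(uint32_t *s) {
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

/* Mutation fuzzer: corrupt a valid seed save, parse it, check invariants.
 * Returns the number of violations; 0 means the parser held for all inputs. */
int fuzz_parse_save(uint32_t seed, int iterations) {
    static const uint8_t valid[] = {'S','A','V','E',5,'E','p','o','n','a'};
    int violations = 0;
    for (int i = 0; i < iterations; i++) {
        uint8_t in[64];
        struct { save_t s; uint8_t canary[8]; } g;  /* canary sits after name */
        memset(in, 'A', sizeof in);
        memcpy(in, valid, sizeof valid);
        memset(g.canary, 0xC5, sizeof g.canary);
        size_t len = 5 + next_rand(&seed) % 60;   /* file size 5..64 */
        in[4] = (uint8_t)next_rand(&seed);        /* random length field */
        size_t pos = next_rand(&seed) % len;      /* plus one random bit flip */
        in[pos] ^= (uint8_t)(1u << (next_rand(&seed) % 8));
        int rc = parse_save(in, len, &g.s);
        if (rc == 0 && strlen(g.s.horse_name) > NAME_CAP) violations++;
        for (size_t k = 0; k < sizeof g.canary; k++)
            if (g.canary[k] != 0xC5) { violations++; break; }
    }
    return violations;
}

int main(void) { printf("violations: %d\n", fuzz_parse_save(1u, 100000)); return 0; }
```

Building this with AddressSanitizer (`-fsanitize=address`) turns any out-of-bounds write the canary would miss into an immediate failure.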

As for protocol fuzzing, it's a similar concept but refers to attacking the communication protocols a console uses instead. With the PlayStation 3, by fuzzing controller communication protocols, hackers discovered vulnerabilities that allowed them to gain unauthorized access to the console’s operating system, leading to the ability to run unsigned code and eventually the development of custom firmware.

Voltage glitching

Processors don't like when you drop their voltage too much

Voltage glitching is a technique often used to exploit vulnerabilities in devices by disrupting the power supply or clock signal to the processor. The idea behind voltage glitching is to create a temporary fault in the device’s processing, causing it to skip or alter instructions in its execution, which can sometimes bypass security mechanisms or cause it to behave in weird ways.

If you want to see an example of voltage glitching in action, LiveOverflow has a demonstration of this kind of attack to break out of an infinite loop on an Arduino board, where he shows how temporarily dipping the power going to the Arduino CPU causes it to break out of the loop as the processor miscalculates what instruction it's meant to jump to next.

In a console, this can lead to all kinds of unpredictable behaviour, including leaking important keys or other information that help to protect its security. While voltage glitching is not something that is typically reproducible in order to get the same results every time, it's yet another tool that can be used to try and gain unauthorized access to a console.

Using known bugs

WebKit is the bane of any developer's existence

When an exploit is discovered in WebKit, chances are that the exploit has ramifications for consoles, too. It's a pretty common renderer, used by Safari (just as Chrome and Firefox each have their own renderer), but the 3DS, PlayStation 4, Wii U, and more devices use it as well. An exploit published for the PlayStation 4 just a few months ago (PSFree) utilizes a WebKit exploit to give the user access to everything that the web browser has. While that's not often much (as the web browsers on consoles don't tend to have a lot of access), it gives more attack surface to a hacker trying to gain more access to the machine, allowing them to attack from a more internal starting point.

On top of that, a console or its predecessor being hacked in the past can be helpful in the future. With the PlayStation 3 and the OtherOS vulnerabilities, hackers could use the information gained to poke around the system, and while Sony eventually removed that feature, it meant that researchers on older systems could still keep poking and prodding. Likewise, with the 3DS, insights gained from the original 3DS helped hackers find ways to break open the New 3DS.

These are some of the ways hackers break into consoles

There are many, many more

These are some of the most common ways that hackers begin trying to break into consoles, but there are many, many more ways they can try, too. Consoles are still just computers at the end of the day, just locked down to try and prevent someone from doing something they shouldn't. With that said, new exploits are always being found in software and in hardware, and it's no wonder that pretty much every console falls eventually.

If you want to learn more about console hacking, I highly recommend checking out the likes of the Chaos Communication Congress, an annual hacking show where developers will often give talks on topics like these. There are many talks that have been given in the past from the likes of Nintendo 3DS hackers, Nintendo Wii hackers, and PlayStation hackers. You can learn a lot, and it's a deeply fascinating topic that really opens your eyes to just how delicate computers can be!