Re: [ANNOUNCE] glibc heap protection patch

[Troed Sångberg <troed () sangberg se>]

On Thu, 04 Dec 2003 12:10:05 +0100, Stefan Esser <se () nopiracy de> wrote:

> Just an example: The gamecube was hacked by an information leak exploit. 
> A crc feature the Phantasy Star Online game allows to request checksums 
> of arbitrary memory positions (and sizes).
> So it was possible for the smart guy who did it, to create a complete 
> memory dump from
> remote. In that case your magic values are worthless...

Which hack? The PSO-upload hack on the Gamecube is vastly different from 
tmbinc's truly embarrassing (for Nintendo) hack on the so-called crypto.

In short: All communication between the serial chip holding the BIOS and 
the Gamecube's flipper-chip is two-way. Naturally, if a chip is only 
interested in receiving data it will shift out garbage. What tmbinc found 
out was that when the encrypted data was shifted to the Flipper (for 
decryption) the _decrypted data_ was shifted back.

Since the encryption was nothing more than a XOR-seed from a PNRG it was 
trivial to XOR the encrypted BIOS image with the decrypted data and get 
access to the whole XOR-key (starting seed always the same) and thus it's 
trivial to produce BIOS replacements.

I agree that this is an information leak, but PSO has very little to do 
with it. I do not consider the PSO-upload hack to be a hack of the 
Gamecube, but tmbinc's retrieval of the BIOS encryption "key" certainly is.

We're straying off topic. Further off-topic discussions in mail.

regards,
Troed