It's too bad that the cracking scene seems so vain, though. This article presented three groups:
* One which wants to sell 'jailbreak' kits to enable piracy, while keeping the details to themselves.
* One which had planned a related disclosure window amongst the broader community for two days from now, and seems to feel somewhat vocally that this release is very similar to their work.
* One which seems like they might have flaunted that window a bit for the credit.
It's amazing and inspiring what these people manage to accomplish, but it'd be nice to see less stepping on fingers - imagine what might happen if these groups really cooperated! I guess it's a very reputation-driven scene, but still...
There will always be squabbles among the different people and groups involved with finding exploits or developing jailbreak/"hack" "kits".
Following from that, there will also always be people who want to jailbreak only to pirate games and there will also be groups who want to disclose the exploits properly, or use them purely for research and non-piracy fun purposes.
Someone developed an exploit, packaged it in a USB stick, called it the PSJailbreak, and planned to sell it as a piracy-oriented tool. They sent out a few review copies to prove it worked.
One of the reviewers obtained a USB trace of the exploit in action, passing it along to a few members of the homebrew scene. The homebrew scene recreated this exploit with an open source implementation (but with the ability to pirate games superficially patched out), beating the original PSJailbreak to market.
The homebrew scene then set upon developing an open source homebrew devkit.
Many manufacturers released their own clone devices of the exploit; the timeframe suggests that they were also working from copies of the PSJailbreak.
It was the homebrew scene who later decimated the PS3 chain of trust, to develop installable modded firmware.
Just check out the amount of name calling and whatnot that's put into those cracktros, which can be traced at least back to the C64.
If you rigged your car to destruct 30 minutes after it went out of cell service, sold it to an unsuspecting buyer, and then laughed when they got stuck in the desert, you'd be rightfully thrown in jail. But yet these companies keep attempting to pull the same shit with impunity.
Also great news for people who want to use their hardware for things that are actively against Nintendo's interests, like playing pirated games.
All around, seems like a story of us: 1, them: 0.
This. I decided against buying a switch because I discovered that it prevents owners from backing up save files.
I still don't plan to buy a Switch until Nintendo supports backing up save files officially like they do with cross-region compatibility. Having to lose hundreds of hours of progress for what amounts to an arbitrary reason from a Nintendo bigwig is not something I am willing to stomach.
I'll be backing up all my carts as soon as possible. Publishers lose code, assets, entire games (or decide to never re-release them).
Why would you even want to do that...? Money? Fame? As I've heard it said memorably, "would you tell someone who takes you hostage and locks you up, that the lock is actually trivial to open?" This is just further evidence of a fact I've noticed for a long time: a lot of security researchers are pro-DRM, pro-corporatocracy authoritarians, and their vision of "more secure" is a dystopian nightmare.
I still remember the good old days, when the hacking/cracking scene was entirely composed of people doing it for the freedom, with no do-gooding snitches to worry about...
10 years ago, if you shared a way to bypass a DRM scheme in the right places, it would live on for a long time. Now, it's more likely that some bastard is going to report it and get it patched in days to weeks.
This bootloader bug is much sillier (IMO) than Sony's, though. Sony's was a series of crypto mistakes in the trust chain verification: it decrypted blocks in place and there was an issue in the checksum code that left it vulnerable to a timing attack, so a very, very small valid-but-colliding block had to be constructed and the rest of the bootloader was then freely-injectable. This nVidia/Nintendo mistake is an even sillier basic protocol issue.
I think the main lesson here is not to put complex protocol code in your immutable first-stage mask ROM, and if you do, to limit the surface area as much as possible, ensure memory safety, and audit the hell out of it.
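The lesson in the comment above, illustrated with an added example that is not the Tegra or Switch code and not from the article: a generic model of a first-stage loader that receives a length-prefixed request from a host. The buffer size, field names and status codes are assumptions for this example; the point is the contrast between a copy that trusts the host-supplied length and one that bounds it first.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration of the mask-ROM lesson: a generic model of a first-stage
 * loader accepting a length-prefixed request from a host. Buffer size, field
 * names and status codes are assumptions; none of this is Tegra or Switch code. */

#define REQ_BUF_SIZE 64u   /* fixed scratch buffer reserved by the loader (assumed) */

typedef struct {
    uint8_t buf[REQ_BUF_SIZE];  /* destination for the request payload */
    size_t  received;           /* bytes actually copied into buf */
} loader_state_t;

typedef enum {
    REQ_OK           =  0,
    REQ_ERR_NULL     = -1,
    REQ_ERR_TOO_LONG = -2,      /* declared length exceeds the buffer */
    REQ_ERR_SHORT    = -3       /* fewer bytes arrived than were declared */
} req_status_t;

/* Defective pattern: the length in the request header is host-controlled and
 * nothing compares it against the size of buf before the copy. This is the
 * "boundary check failure" class; with declared_len > REQ_BUF_SIZE the copy
 * runs off the end of the structure. Kept here only for contrast. */
void handle_request_unchecked(loader_state_t *st, const uint8_t *payload, size_t declared_len)
{
    memcpy(st->buf, payload, declared_len);
    st->received = declared_len;
}

/* Hardened handler: every host-controlled value is checked before memory is
 * touched; the declared length is bounded by the buffer and by what the
 * transport actually delivered. */
req_status_t handle_request_checked(loader_state_t *st, const uint8_t *payload,
                                    size_t declared_len, size_t actual_len)
{
    if (st == NULL || payload == NULL)
        return REQ_ERR_NULL;
    if (declared_len > REQ_BUF_SIZE)
        return REQ_ERR_TOO_LONG;      /* reject; st is left untouched */
    if (actual_len < declared_len)
        return REQ_ERR_SHORT;         /* never read beyond the bytes received */
    memcpy(st->buf, payload, declared_len);
    st->received = declared_len;
    return REQ_OK;
}

/* Constructed host request: 16 bytes of payload with a matching declared length. */
static const uint8_t sample_payload[16] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10
};

/* Returns 1 when an oversize declared length is refused without modifying state. */
int demo_oversize_rejected(void)
{
    loader_state_t st;
    memset(&st, 0, sizeof st);
    req_status_t rc = handle_request_checked(&st, sample_payload, 4096, sizeof sample_payload);
    return rc == REQ_ERR_TOO_LONG && st.received == 0;
}

/* Returns the number of bytes accepted for a well-formed request (16). */
size_t demo_in_bounds_accepted(void)
{
    loader_state_t st;
    memset(&st, 0, sizeof st);
    if (handle_request_checked(&st, sample_payload, sizeof sample_payload, sizeof sample_payload) != REQ_OK)
        return 0;
    return st.received;
}

/* Returns 1 when a truncated transfer (declared 16, received 8) is refused. */
int demo_truncated_rejected(void)
{
    loader_state_t st;
    memset(&st, 0, sizeof st);
    return handle_request_checked(&st, sample_payload, 16, 8) == REQ_ERR_SHORT;
}

int main(void)
{
    printf("oversize rejected: %d\n", demo_oversize_rejected());
    printf("in-bounds accepted: %zu bytes\n", demo_in_bounds_accepted());
    printf("truncated rejected: %d\n", demo_truncated_rejected());
    return 0;
}
```

The two checks in the hardened handler are the whole difference: the declared length is compared against the fixed buffer before any copy, and against the bytes actually received, so a malformed header can neither write past the structure nor read past the transfer. In an immutable ROM this is exactly the kind of check that has to be right the first time, which is the argument for keeping such handlers small.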
Here's a youtube video published March 13th talking about it: https://youtu.be/ZzsbDGDwg1U?t=5m17s
And here's a related reddit discussion on the nintendo switch subreddit: https://www.reddit.com/r/NintendoSwitch/comments/8588c1/50_w....
Not the first system to go down because of a boundary check failure. Though I was hoping for something more spectacular.
[1] https://blogs.nvidia.com/blog/2016/04/25/virtual-cockpit/ [2] http://www.nvidia.com/object/visual-computing-module.html
I think this is amazing news. I'm almost fully convinced to buy a Switch now.
Classic.
So at least one positive then. Nintendo will be forced to improve their online services.
Edit: For people who down vote me do you work in security field or just down vote w/o knowledge?
They lost.
IIRC Argonaut/Jez San had a POC of this using a very simple hardware bodge, intended as a potential way of publishing Eclipse (What became X) without a Nintendo licence.
Fortunately - Nintendo were interested in the 3D rendering, and that started the SuperFX/Starfox/ARC journey.
Internet and countries that don't enforce copyright exist you know? You can even get HDCP strippers on Ebay, pretty easily too. Never had any issue finding ISO and roms online, even for the Switch before this hack.
If only the legal side was a good enough security...
If you want a portable device that you can use to run your own software, then go get a tablet that runs the Tegra X1; you will get the exact same thing.
https://www.slashgear.com/expect-an-irate-call-if-you-try-to...
How much further will they go? Will they remotely disable it? Or perhaps, they'll send it into "Service Needed" mode and cripple it?
Not to mention, it's not patchable without a hardware revision, so sharing it privately before sharing it publicly, while strongly hinting that it's not patchable without a hardware revision (which has been done), has the same effect in practice for those wanting to escape Nintendo's jail, while letting those who use the Tegra in security-sensitive environments prepare adequately.
>10 years ago, if you shared a way to bypass a DRM scheme in the right places, it would live on for a long time. Now, it's more likely that some bastard is going to report it and get it patched in days to weeks.
From the article it looks like someone else was trying to sell it so she put it in the open for free.
>The release also seems to be partially a response to Team Xecuter, a separate team that is planning to sell a modchip exploit that can allow for similar code execution on the Switch. Temkin writes that she's opposed to Xecuter's explicit endorsement of piracy and efforts "to profit from keeping information to a few people."
It's a cat-and-mouse game, and this mouse wants to tell the cat how to catch the other mice. In the old scene, you'd be branded a traitor for doing that.
I don't remember exactly how I fixed it...I think there was some undocumented way to clear the flag that you could only find by reading the tool's source. It was a good reminder of how much stupid, blind trust I tend to put into random tools from the internet.
There was another episode where Jason Hughes was denied firmware updates after rooting his car. Elon responded that no punitive action was intended and that he views white hat hacking as a gift, and they seemed to resolve it pretty quickly.
It will be interesting to see how Tesla responds to these cases when FSD is available.
edit: Here's the original post: https://teslamotorsclub.com/tmc/threads/successful-connectio...
> This evening I got a call from the service center :crying: They told me Tesla USA engineers had seen an attempt at hacking on my car... I explained it was me because I tried to connect to the diagnosis port to get some useful data (speed, power, etc...). They told me it can be related to industrial espionage and advised me to stop the investigation, so as not to void the warranty.... Don't know if they really saw something in the log, because I just sniffed the network. Or maybe they saw the port scanning with nmap? Or maybe they just read this topic? :eek:
That being said, I don’t have major qualms about closed hardware. It creates the incentives that have allowed for massive investment in what is now cutting edge technology, and over time it is trickling down to more open hardware.
The number of proprietary technologies in a modern high-end GPU is staggering. Maybe one could say in an alternate timeline open hardware could have beaten companies creating GPUs with proprietary IPs, but it didn’t really happen. So I’ll take 1080tis with binary blobs over the open alternative.
One of the first pieces of code in the startup code embedded in the GB's CPU reads the logo data, doubles it vertically and horizontally, and writes it out to the graphics tile memory. It scrolls down the screen, even if it's corrupted. Then it compares the logo with one built into the CPU and puts itself into an infinite loop if they mismatch.
So, yep. It's a combined data consistency check, and an attempt to use trademark to prevent unauthorized software.
At offset 0x21 (33), it loads the offset for the bitmap data in the cartridge into one register, and the address for tile data RAM into another. Offsets 0x27-0x32 are a loop that calls out to functions at offsets 0x95-0xa7 and 0x96-0xa7 to double up the bits and scale the image to 2x its original size. After the code to scroll the logo, it plays the iconic double-ping sound.
At offset 0xE0, it loads offsets for the firmware copy of the logo and the cartridge copy of the logo. 0xe6-0xef iterate through the logo. If at any point the 2 copies don't match, there's a jump at offset 0xe9. Here's the relevant part of the loop:
LD A, (DE) ;Load a byte from the cartridge copy
INC DE ;Increment the pointer to the next byte
CP (HL) ;Compare A with the byte at (HL)
JR NZ, -2 ;If not equal, lock up by jumping back to this location
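The boot sequence described in the comments above (bit doubling at 0x95, the scaling loop at 0x27-0x32, and the compare loop at 0xE6-0xEF), as an added model in C. This is not the original boot ROM code or anything from the article; the reference logo bytes are a constructed placeholder pattern rather than the real logo, and the 32 KiB cartridge image is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added C model of the boot ROM behaviour discussed above. The reference logo
 * is a constructed placeholder pattern, not the real logo bytes. */

#define LOGO_LEN  48u       /* bytes compared by the loop at 0xE6-0xEF */
#define HDR_LOGO  0x0104u   /* cartridge header location of the logo copy */
#define CART_SIZE 0x8000u   /* a 32 KiB constructed cartridge image */

static const uint8_t boot_rom_logo[LOGO_LEN] = {   /* constructed placeholder pattern */
    0xF0, 0x0F, 0xA5, 0x5A, 0x3C, 0xC3, 0x99, 0x66,
    0xF0, 0x0F, 0xA5, 0x5A, 0x3C, 0xC3, 0x99, 0x66,
    0xF0, 0x0F, 0xA5, 0x5A, 0x3C, 0xC3, 0x99, 0x66,
    0xF0, 0x0F, 0xA5, 0x5A, 0x3C, 0xC3, 0x99, 0x66,
    0xF0, 0x0F, 0xA5, 0x5A, 0x3C, 0xC3, 0x99, 0x66,
    0xF0, 0x0F, 0xA5, 0x5A, 0x3C, 0xC3, 0x99, 0x66
};

typedef enum { BOOT_CONTINUE = 0, BOOT_LOCKED = 1 } boot_result_t;

/* Mirrors the routine at 0x95: each bit of a nibble is emitted twice, so
 * 4 pixels become 8 (horizontal doubling). */
uint8_t double_bits(uint8_t nibble)
{
    uint8_t out = 0;
    for (int i = 3; i >= 0; i--) {
        uint8_t bit = (uint8_t)((nibble >> i) & 1u);
        out = (uint8_t)((out << 2) | (bit << 1) | bit);
    }
    return out;
}

/* Mirrors the loop at 0x27-0x32: each byte yields two nibbles, and each
 * expanded row is stored twice (vertical doubling). 48 bytes become 192 tile
 * rows (24 tiles of 8 rows) in 1 bit-per-pixel form. */
void expand_logo(const uint8_t *logo, uint8_t *rows /* LOGO_LEN * 4 entries */)
{
    size_t out = 0;
    for (size_t i = 0; i < LOGO_LEN; i++) {
        uint8_t hi = double_bits((uint8_t)(logo[i] >> 4));
        uint8_t lo = double_bits((uint8_t)(logo[i] & 0x0Fu));
        rows[out++] = hi; rows[out++] = hi;
        rows[out++] = lo; rows[out++] = lo;
    }
}

/* Mirrors the loop at 0xE6-0xEF: DE walks the cartridge copy, HL the boot ROM
 * copy, B counts down 48 bytes; the first mismatch takes the lock-up branch. */
boot_result_t verify_logo(const uint8_t *rom, size_t rom_len)
{
    if (rom_len < HDR_LOGO + LOGO_LEN)
        return BOOT_LOCKED;                   /* model: no header to read */
    const uint8_t *de = rom + HDR_LOGO;
    const uint8_t *hl = boot_rom_logo;
    uint8_t b = LOGO_LEN;
    do {
        uint8_t a = *de++;                    /* LD A,(DE) ; INC DE */
        if (a != *hl)                         /* CP (HL) ; JR NZ,-2 */
            return BOOT_LOCKED;
        hl++;                                 /* INC HL */
    } while (--b != 0);                       /* DEC B ; JR NZ,loop */
    return BOOT_CONTINUE;
}

static uint8_t cart[CART_SIZE];

/* Builds the constructed cartridge image; corrupt_index >= 0 flips one bit of
 * the header logo to simulate a bad read or a cartridge without the logo. */
static void make_cart(int corrupt_index)
{
    memset(cart, 0xFF, sizeof cart);          /* unprogrammed ROM fill */
    memcpy(cart + HDR_LOGO, boot_rom_logo, LOGO_LEN);
    if (corrupt_index >= 0)
        cart[HDR_LOGO + (size_t)corrupt_index] ^= 0x01u;
}

boot_result_t demo_matching_cart(void)  { make_cart(-1); return verify_logo(cart, CART_SIZE); }
boot_result_t demo_corrupted_cart(void) { make_cart(17); return verify_logo(cart, CART_SIZE); }

int main(void)
{
    uint8_t rows[LOGO_LEN * 4];
    expand_logo(boot_rom_logo, rows);
    printf("byte 0x%02X expands to rows 0x%02X 0x%02X 0x%02X 0x%02X\n",
           boot_rom_logo[0], rows[0], rows[1], rows[2], rows[3]);
    printf("matching cart: %s\n", demo_matching_cart() == BOOT_CONTINUE ? "boots" : "locked");
    printf("corrupted cart: %s\n", demo_corrupted_cart() == BOOT_CONTINUE ? "boots" : "locked");
    return 0;
}
```

Two things the model makes visible: a single flipped bit anywhere in the 48 bytes is enough to lock the machine, which is the data consistency half of the check, and the comparison is plain byte equality, so any cartridge that carries the same 48 bytes passes. That is why the enforcement rests on the trademark and the patent claims quoted later in the thread rather than on the check itself.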
The patent actually covers this on page 7: https://patentimages.storage.googleapis.com/77/c0/90/d2c7514...
And claims 14+15 seem pertinent:
> 14. A hand-held electronic game machine in accordance with claim 9, wherein said processing means includes detecting means responsive to a connected external memory for detecting whether said connected external memory is an authorized or unauthorized memory.
> 15. A hand-held electronic game machine in accordance with claim 14 wherein the processing means includes further means responsive to said detecting means for preventing an unauthorized external memory from being used for executing a game program.
There's some good commentary on the legal situation, and its relation to Sega's similar legal theories (as regarded the Genesis/MegaDrive) on TVTropes (although it's a bit short):
http://tvtropes.org/pmwiki/pmwiki.php/CopyProtection/Nintend...
DRM (10NES) was a core part of the strategy for the console that brought a recovery from the 1983 video game crash.
And even today publishers value a platform that is able to combat piracy (see: Denuvo and the lengths AAA productions go to delay piracy on PC).
About 1/3rd of the consoles sold didn't contain the DRM, yet the Japanese market still saw similar growth.
Publishers value Denuvo, but is there any proof that it helps sales?
And whether Denuvo actually helps sales is not an easy question to answer, since no publisher has come out and said it (that I’ve seen).
The premise seems sound enough, sales follow an “inverse hockey stick”, so design DRM meant to delay cracking instead of stop it and you can get more time with maximum interest and sales, with no easy piracy options.
A few times it’s fallen in hours, and pirates started to write it off, but just recently Far Cry 5's implementation lasted weeks, which seems to be what they’re going for (some versions even lasted months on end).
One could argue no pirates would buy instead of wait, and one could argue all pirates would buy instead of wait, but both would be wrong and the truth is somewhere in the middle. Publishers have evaluated that question, and apparently the answer is something they like enough to keep shaving margins for.
Unfortunately, this bug affects a significant number of Tegra devices beyond the Switch, and beyond even the X1 included in the Switch. I can tell you, it wasn't fun to find a bug with such a broad impact; it significantly complicated the ethics involved.
In the end, given the potential for a lot of bad to be done by any parties who independently discover these vulnerabilities, I thought it best to disclose this immediately and under terms that ensured that the vulnerability reached the public quickly."
At the end of the day Tegra is used in a lot of places. Even cars. If there's a risk that someone could conduct a crime through a firmware hack, then that presents an ethical dilemma.
10 years ago there were few portables that you could run your own code on. Now there's things like the GPD Win.
All this homebrew stuff is a bit of fun and games at the end of the day. Calling someone a traitor because they decided to responsibly disclose a vulnerability is just childish.
If it was a remote exploit, I'd certainly agree about the ethical dilemma, but everything I've read suggests that this requires physical access.
As for being used in cars... don't get me started on what manufacturers are doing these days to stop repairs and modifications... just search "John Deere tractor hacking" to get a taste of what I mean (some articles and good discussion here on HN too.)
Calling someone a traitor because they decided to responsibly disclose a vulnerability is just childish.
It shows they cannot be trusted, and that they support the actions of companies who want to lock out users from the devices they own.
They make video games.
------
Trusted by whom? Essentially it's a group of internet hackers that are doing it for internet fame. Or in the case of others to make money off selling any hardware tools required.
"actions of companies who want to lock out users from the devices they own."
This doesn't really matter. When someone buys a Nintendo Switch they are aware that you can only use software from an official channel from the manufacturer.
It's not a sneaky action by them; nobody is forced to use a Switch, and its primary functionality is consuming entertainment products.
It's not like a router or tv set top box that you are forced to use.
Open hardware (in the sense of OS/software) is cheap and available today. If you don't want to be locked out of doing what you want to a device, then don't buy a locked down device.
They'd need to recall all the sold switches and replace the IC. And they need to specify a new IC for all future production, with some cost implication for new drawings and getting rid of stock.
[0] https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_A...
See Chamberlain v. Skylink for a post DMCA case on the matter.
https://en.m.wikipedia.org/wiki/Chamberlain_Group,_Inc._v._S....
And I still feel only publishers would be able to tell what the “norm” is. They have better insight into what their “norm” is in terms of returns for development and marketing based on game type, release date, and tons of other factors that can’t be correlated casually
>1/3rd of the units sold? Or 1/3rd of the types of consoles? I know several consoles of the era also had DRM, so I’d be curious which ones you're referring to and the time period if referring to 1/3rd sold.
The Famicom did not have the DRM, and accounts for about a third of the total Nintendo sales. That market did not suffer because of the presence of piracy.
As for Denuvo, why would publishers hide data showing it works? And the base capitalism answer doesn't work; continuing to use aggressive DRM gives them information and a power over users that may not directly show a profit.
The rest of your arguments ignore the sales piracy brings because of more people talking about it, which is effective advertising, and the people who use piracy as a true demo.
https://en.m.wikipedia.org/wiki/Chamberlain_Group,_Inc._v._S...?
That's a mobile link since yours was mobile. Here's the non-mobile version:
https://en.wikipedia.org/wiki/Chamberlain_Group,_Inc._v._Sky...?