Message-ID: <oprzn3cupy3rzlee@mail.sangberg.se>
Date: Thu, 04 Dec 2003 18:39:56 +0100
From: Troed Sångberg <troed@...gberg.se>
To: bugtraq@...urityfocus.com
Subject: Re: [ANNOUNCE] glibc heap protection patch


On Thu, 04 Dec 2003 12:10:05 +0100, Stefan Esser <se@...iracy.de> wrote:

> Just an example: The Gamecube was hacked by an information leak exploit. 
> A CRC feature of the Phantasy Star Online game allows one to request 
> checksums of arbitrary memory positions (and sizes).
> So it was possible for the smart guy who did it to create a complete 
> memory dump from remote. In that case your magic values are worthless...

Which hack? The PSO-upload hack on the Gamecube is vastly different from 
tmbinc's truly embarrassing (for Nintendo) hack on the so-called crypto.

In short: All communication between the serial chip holding the BIOS and 
the Gamecube's Flipper chip is two-way. Naturally, if a chip is only 
interested in receiving data it will shift out garbage. What tmbinc found 
out was that when the encrypted data was shifted to the Flipper (for 
decryption) the _decrypted data_ was shifted back.

Since the encryption was nothing more than a XOR-seed from a PRNG it was 
trivial to XOR the encrypted BIOS image with the decrypted data and get 
access to the whole XOR-key (starting seed always the same) and thus it's 
trivial to produce BIOS replacements.

I agree that this is an information leak, but PSO has very little to do 
with it. I do not consider the PSO-upload hack to be a hack of the 
Gamecube, but tmbinc's retrieval of the BIOS encryption "key" certainly is.

We're straying off topic. Further off-topic discussions in mail.

regards,
Troed
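
[Added example, not part of the message above or of any Gamecube code. It models the keystream-recovery step Troed describes: ciphertext XOR leaked plaintext gives the XOR key, and because the seed is fixed the same key encrypts a replacement image. The LCG keystream generator, the seed value, the sample image contents and the function names are all constructed for this demo and are not Nintendo's actual PRNG or format.]

```python
# Added example (not from the original post): known-plaintext recovery of an
# XOR keystream, as in the tmbinc Gamecube BIOS attack described above.
# The keystream generator below is a constructed toy LCG, not Nintendo's PRNG;
# SEED, image contents and sizes are all assumptions for the demo.

SEED = 0x12345678  # constant starting seed, as the post states ("always the same")


def keystream(seed: int, length: int) -> bytes:
    """Toy linear congruential generator producing `length` keystream bytes."""
    out = bytearray()
    state = seed
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plain: bytes, seed: int = SEED) -> bytes:
    """'Encryption' as the post describes it: plaintext XOR PRNG keystream."""
    return xor_bytes(plain, keystream(seed, len(plain)))


def leaky_decrypt(cipher: bytes, seed: int = SEED) -> bytes:
    """Models the Flipper: it decrypts, and shifts the decrypted bytes back out
    on the serial bus, so an observer on the bus sees the plaintext."""
    return xor_bytes(cipher, keystream(seed, len(cipher)))


def recover_keystream(cipher: bytes, leaked_plain: bytes) -> bytes:
    """ciphertext XOR plaintext == keystream, for exactly the length observed."""
    return xor_bytes(cipher, leaked_plain)


def forge_image(new_plain: bytes, recovered: bytes) -> bytes:
    """Encrypt a replacement image with the recovered keystream. Only as many
    bytes as were observed can be forged; a longer image would need the
    generator itself, not just the recovered key bytes."""
    if len(new_plain) > len(recovered):
        raise ValueError("replacement longer than recovered keystream")
    return xor_bytes(new_plain, recovered[: len(new_plain)])


def demo() -> bool:
    """Full attack: observe leak, recover key, forge a replacement image."""
    original = b"ORIGINAL BIOS IMAGE v1.0 ... " * 4   # constructed sample image
    cipher = encrypt(original)                        # what sits in the serial chip
    leaked = leaky_decrypt(cipher)                    # what tmbinc saw on the bus
    ks = recover_keystream(cipher, leaked)
    assert ks == keystream(SEED, len(original))       # the whole XOR key, no PRNG knowledge needed
    replacement = b"PATCHED BIOS: boot homebrew ".ljust(len(original), b"\x00")
    forged = forge_image(replacement, ks)
    # The console decrypts the forged image to our replacement.
    return leaky_decrypt(forged) == replacement


if __name__ == "__main__":
    print("forged image accepted:", demo())
```

The caveat worth keeping in mind: with a fixed seed the recovered bytes are the key for every image, but only up to the length that was observed on the bus; forging anything longer requires identifying the generator, which is why the full-image leak matters.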