Some like to garden in their spare time, while others prefer to smoke cigars or fold complicated origami figurines. Security researcher [grifter] [CTurt] seems to enjoy cracking consoles instead, and had a go at exploiting the Nintendo 64 over an obscure modem interface.
The 1990s were a wild time, where games shipped in cartridges. This format opened up crazy possibilities to add additional hardware to the cartridge itself. Perhaps most famously, Nintendo packed in the SuperFX chip to enable 3D graphics on the Super Nintendo. Later on, the N64 game Morita Shogi 64 shipped with an entire telephone modem in the cartridge itself. The resulting exploit is therefore dubbed “shogihax”.
Armed with a dodgy GameShark and a decompiler, [CTurt] set to work. Through careful parsing of the code, they were able to find a suitable overflow bug in the game when using the modem. Unlike more pedestrian savegame hacks, this not only allowed for the execution of arbitrary code but also the modem interface means that it’s possible to continually stream more data to the console on an ad-hoc basis.
It’s a great hack that takes advantage of a relatively accessible cartridge, rather than relying on more obscure hardware such as the N64DD modem or other rarities. We’ve seen other N64 homebrew hacks before, too. Video after the break.
Thanks to [grifter] for the tip!
Am I Missing something or is the second time Grifter has got credit for Cturts work?
Yup this is the second time (first time is here: https://hackaday.com/2020/06/30/freedvdboot-opens-up-the-playstation-2-like-never-before/#comment-6259526).
Looks like Lewin got them confused somehow. I’ll go fix it.
Seriously epic hack. I’ve written staged bootloaders before, but for well-documented platforms that are designed for custom code. This is phenomenal work, especially considering the limited nature of the debugging tools available and zero ability to develop from an emulator.