PlayStation Unlocked With New Software Hack

The original PlayStation might be pushing 30 years old now, but that doesn’t mean hackers have given up on chipping away at it. A new exploit released by [Marcos Del Sol Vives] allows users to run copied games on all but the earliest hardware revisions of this classic console, and all you need to trigger it is a copy of Tony Hawk’s Pro Skater 2.

Aptly named tonyhax, this exploit uses a classic buffer overflow found in the “Create Skater” mode in Tony Hawk 2, 3, and 4. When the game sees a custom character saved on the memory card it will automatically load the name field to show it on the screen, but it turns out the developers didn’t think to check the length of the name before loading it. Thanks to this oversight, a long and carefully crafted name can be used to load an executable payload into the console’s memory.
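To show the defect class the post describes, here is an added example (not tonyhax and not the game's own code): a save-name loader in the unchecked form beside a hardened one. The record layout and the two sizes are assumptions for illustration only.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical save-record layout used for illustration only; the sizes are
 * assumptions, not the game's real memory card format. */
#define NAME_FIELD_MAX 16      /* what the on-screen name buffer was sized for */
#define RECORD_NAME_CAP 256    /* how many bytes the card record can physically carry */

struct save_record {
    char name[RECORD_NAME_CAP]; /* NUL-terminated text written by whoever made the save */
};

/* The unchecked pattern the post describes: the record's own length is trusted,
 * so a name longer than the destination overruns it. Shown only to sit next to
 * its fix; it is never called on the oversized record below. */
void load_name_unchecked(char dest[NAME_FIELD_MAX], const struct save_record *rec)
{
    strcpy(dest, rec->name);
}

/* Hardened version: measure the untrusted field first, require a terminator
 * inside the record, and reject anything that will not fit in dest. */
int load_name_checked(char dest[NAME_FIELD_MAX], const struct save_record *rec)
{
    const char *end = memchr(rec->name, '\0', RECORD_NAME_CAP);
    if (end == NULL)
        return -1;                      /* no terminator: malformed record */
    size_t n = (size_t)(end - rec->name);
    if (n >= NAME_FIELD_MAX)
        return -1;                      /* too long for dest plus its NUL */
    memcpy(dest, rec->name, n + 1);
    return 0;
}

int main(void)
{
    char shown[NAME_FIELD_MAX];
    struct save_record rec = {0};
    strcpy(rec.name, "TONY");                /* constructed, well-formed save */
    printf("checked: %d (%s)\n", load_name_checked(shown, &rec), shown);
    memset(rec.name, 'A', RECORD_NAME_CAP);  /* constructed oversized, unterminated */
    printf("checked: %d\n", load_name_checked(shown, &rec));
    return 0;
}
```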

The name contains the memory address of the payload.

That payload could be anything, such as a homebrew game, but in this case [Marcos] went all in and developed a simple tool that unlocks the console’s optical drive so it will play games burned to CD-Rs. Once the tonyhax exploit has been loaded, you simply swap the authentic Tony Hawk disc for whatever burned title you want to play. So far every game tested has worked, even those that span across multiple discs.

[Marcos] is providing not only the save files ready to load on your PlayStation memory card (either through a PC tool, or with the help of a hacked PS2), but also the complete source code for tonyhax. This opens the door to the exploit being used to load other tools, emulators, and indie games, but as the PlayStation homebrew scene is relatively limited when compared to newer consoles, the demand might be limited.

Compared to the traditional physical modifications used to play copied games on the PlayStation, this new software approach is far more accessible. Expect to see memory cards with this exploit preinstalled hit your favorite import site in the very near future.


Get Apple To Track Your Bluetooth Devices For You

Apple’s “Find My” service allows users to track their missing devices by leveraging a worldwide network of location-aware iGadgets. With millions of iPhones and Macs out in the wild listening for the missing device’s Bluetooth advertisements and relaying their findings to the Cupertino Mothership, it’s a highly effective way of tracking hardware so long as it stays in relatively urban areas. Unfortunately, the system is completely proprietary and non-Apple devices aren’t invited to play.

Or at least, that used to be the case. A project recently released by the [Secure Mobile Networking Lab] called OpenHaystack demonstrates how generic devices can utilize Apple’s Find My network by mimicking the appropriate Bluetooth Low Energy (BLE) broadcasts. Currently they have a firmware image for the BBC micro:bit, as well as a Python script for Linux, that will allow you to spin up an impromptu Find My target. But the team has also published all the information required to implement similar functionality on other BLE-capable devices and microcontrollers, so expect the list of supported hardware to grow shortly.

Diagram showing how the Apple Find My system works

Somewhat ironically, while OpenHaystack allows you to track non-Apple devices on the Find My tracking network, you will need a Mac computer to actually see where your device is. The team’s software requires a computer running macOS 11 (Big Sur) to run, and judging by the fact it integrates with Apple Mail to pull the tracking data through a private API, we’re going to assume this isn’t something that can easily be recreated in a platform-agnostic way. Beyond the occasional Hackintosh that might sneak in there, it looks like Tim Cook might have the last laugh after all.

It’s not immediately clear how difficult it will be for Apple to close this loophole, but the talk of utilizing a private API makes us think there might be a built-in time limit on how long this project will be viable. After all, Big Tech doesn’t generally approve of us peons poking around inside their machinations for long. Though even if Apple finds a way to block OpenHaystack, it’s expected the company will be releasing “AirTags” sometime this year which will allow users to track whatever objects they like through the system.

Circuit Impedance Calculations Without Cumbersome Simulations

Using circuit simulating software like SPICE can be a powerful tool for modeling the behavior of a circuit in the real world. On the other hand, it’s not always necessary to have all of the features of SPICE available all the time, and these programs tend to be quite expensive as well. To that end, [Wes Hileman] noticed an opportunity for a specific, quick method for performing impedance calculations using python without bulky, expensive software and came up with a program which he calls fastZ.

The software works on any network of passive components (resistors, capacitors, and inductors) and the user can specify parallel and series connections using special operators. Not only can the program calculate the combined impedance but it can perform frequency analysis at a specified frequency or graph the frequency response over a wide range of frequencies. It’s also running in python which makes it as simple as importing any other python package, and is also easy to implement in any other python program compared to building a simulation and hoping for the best.

If you find yourself regularly drawing Bode plots or trying to cobble together a circuit simulation to work with your python code, this sort of solution is a great way to save a lot of headache. It is possible to get a piece of software like SPICE to work together with other python programs though, often with some pretty interesting results.

Fixing The Only Thing That’s Slow About Grand Theft Auto V

The driving, crime, and general mayhem game Grand Theft Auto V is something of a phenomenon that has lasted for the last seven or more years. Whether following the in-game missions, driving around like a hooligan for fun or performing crazy stunts, the depth of detail in its landscapes and the continual improvements to gameplay that have arrived over the years have assured it a massive following across multiple platforms. The game is not without its problems though, one of which is an unreasonably long loading time for its online version. This annoyed [T0st] to the extent that it was worth the effort of looking under the hood to find out where the problem lay.

It was evident that for PC users the effect varied depending on the hardware present. Furthermore AMD processors seemed worse-hit than Intel ones, and indeed they found an entire core maxed out by a couple of processes during the wait. Some diagnostics and disassembly led the trail to some string processing code which was identified as a JSON parser. This was not simply parsing the JSON but also performing a check for token uniqueness in an extremely inefficient manner, causing the whole process to be extremely slow. Some nifty patching in a DLL containing a much more efficient function with a cache for unique values saved the day, and delivered an impressive 70% speed-up. It’s to be hoped that the game’s developers will take note, and a future GTA V update will deliver a fix.
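As an added illustration (not [T0st]’s patch and not the game’s code), here is the token-uniqueness step in both shapes: the linear scan over everything seen so far that the post describes, and a version backed by a hash-set cache. TABLE_SIZE and the sample tokens are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* The shape of the slow path described above: each token is checked for
 * uniqueness by comparing it against every token already seen, O(n^2). */
size_t count_unique_naive(const char **keys, size_t n)
{
    size_t unique = 0;
    for (size_t i = 0; i < n; i++) {
        int seen = 0;
        for (size_t j = 0; j < i && !seen; j++)
            seen = (strcmp(keys[i], keys[j]) == 0);
        if (!seen) unique++;
    }
    return unique;
}

/* Cached version: remember seen tokens in an open-addressing hash set so each
 * check is expected O(1). TABLE_SIZE is an assumption for this example; it must
 * exceed the number of distinct tokens, and one slot is always kept empty. */
#define TABLE_SIZE 4096

static unsigned long hash_str(const char *s)   /* djb2 string hash */
{
    unsigned long h = 5381;
    for (; *s; s++) h = h * 33 + (unsigned char)*s;
    return h;
}

size_t count_unique_hashed(const char **keys, size_t n)
{
    const char *table[TABLE_SIZE] = {0};
    size_t unique = 0;
    for (size_t i = 0; i < n && unique < TABLE_SIZE - 1; i++) {
        unsigned long slot = hash_str(keys[i]) % TABLE_SIZE;
        while (table[slot] != NULL && strcmp(table[slot], keys[i]) != 0)
            slot = (slot + 1) % TABLE_SIZE;       /* linear probing */
        if (table[slot] == NULL) { table[slot] = keys[i]; unique++; }
    }
    return unique;
}

int main(void)
{   /* Constructed sample: six tokens, four of them distinct. */
    const char *keys[] = {"hash_a", "hash_b", "hash_a", "hash_c", "hash_b", "hash_d"};
    size_t n = sizeof keys / sizeof keys[0];
    printf("naive=%zu hashed=%zu\n", count_unique_naive(keys, n), count_unique_hashed(keys, n));
    return 0;
}
```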

Driving a car from a third-person viewpoint in a game like GTA V is a hoot. In real life though, not so much.

Thanks [Thanatos Erberus] for the tip.

Oddball X86 Instructions

David Letterman made the top ten list famous. [Creel] has a top ten that should appeal to many Hackaday readers: the top 10 craziest x86 assembly language instructions. You have to admit that the percentage of assembly language programmers is decreasing every year, so this isn’t going to have mass appeal, but if you are interested in assembly or CPU architecture, this is a fun way to kill 15 minutes.

Some would say that all x86 instructions are crazy, especially if you are accustomed to reduced instruction set computers. The x86, like other non-RISC processors, has everything but the kitchen sink. Some of these instructions might help you get that last 10 nanoseconds shaved off a time-critical loop.


Software Challenge’s Solution Shows Reverse Engineering In Action

[0xricksanchez] participated in a software reverse-engineering challenge and recently wrote up the solution, and in so doing also documented the process used to discover it. The challenge was called Devil’s Swapper, and consisted of a small binary blob that output a short message when executed. The goal of the challenge? Discover the secret key and the secret message within. [0xricksanchez]’s writeup, originally intended just as a personal record, ended up doing an excellent job of showing how a lot of reverse engineering tools and processes get applied to software in a practical way.

What’s also great about [0xricksanchez]’s writeup is that it uses standard tools and plenty of screenshots to show what is being done, while also explaining why those actions are being chosen and what is being learned. It’s easy to follow the thought process as things progress from gathering information, to chasing leads, and finally leveraging what’s been learned. It’s a fascinating look into the process of applying the reverse engineering mindset to software, and a good demonstration of the tools. Give it a read, and see how far you can follow along before learning something new. Want more? Make sure you have checked out the Hackaday 2020 Remoticon videos on reverse engineering firmware, and doing the same for PCBs.

Ghidra Used To Patch Fahrenheit Into An Air Quality Meter

Even though most of the world population couldn’t tell you what room or body temperature is in Fahrenheit, there are some places on this globe where this unit is still in common use. For people in those areas, it’s therefore a real hassle when, say, a cheap Chinese air quality measurement system only reports in degrees Celsius. Fortunately, [BSilverEagle] managed to patch such a unit to make it display temperature in Fahrenheit.

The reverse engineering begins by finding a way to dump the firmware. It’s nice to hear that [BSilverEagle] used some of the skills demonstrated in [Eric Shlaepfer’s] PCB reverse engineering workshop from Hackaday Remoticon last November to trace out the debug header and the SWD pins of the STM32F103C8 MCU. After that, OpenOCD could be used to dump the firmware image, with no read protection encountered. The firmware was then reverse-engineered using Ghidra, so that [BSilverEagle] could figure out where the temperature was being calculated and where the glyph for the Celsius symbol was stored. From there it was a straightforward rewrite of those two parts of the original firmware to calculate the temperature value in Fahrenheit, change the glyph, and reflash the MCU.

So why buy this thing in the first place if it didn’t spit out units useful for your current locale? Cost. Buying this consumer(ish) device was about the same cost as buying the individual parts, designing and manufacturing the PCB, and writing the firmware for it. The only downside for their use case was the lack of Fahrenheit. Not a problem for those who demand full control of the hardware they own.

Need a boot camp for using Ghidra? Matthew Alt put together a spectacular video series on Reverse Engineering with Ghidra.