Wii Upgrade Breaks Twilight Hack


Nintendo’s latest menu upgrade for the Wii, version 3.3, has broken the long-standing Twilight Hack. In the past, you could load a hacked Twilight Princess save game to execute arbitrary code. After the upgrade, the Wii now deletes the hacked save game. The Homebrew Channel seems to have remained intact, so if you’ve already added it and you upgrade, you should be fine. There’s no telling how long it will be before homebrew code is completely locked out, though.

[photo: cibomahto]

Wii Dual NAND Flash Hack


[ChipD] successfully installed two NAND flash chips into his Wii. He can keep the stock firmware on one and then flip a switch if he wants to boot using the other chip with a modified firmware. This hack is fairly straightforward; all it took was someone with steady hands to try it out. The new NAND chip is identical to the original and was salvaged from a flash drive. The chips were soldered as a stack, with every pin joined except the chip enable pin. The chip enable from each chip is attached to a small switch that toggles which chip is active. You could use a TSOP socket to swap the different chips, but it wouldn’t fit inside the Wii case. This little switch could be hidden easily next to the GameCube ports.

Porting CHDK To New Cameras


While researching the CHDK How-To, we came across the team’s instructions for porting the firmware to entirely new cameras. In theory, CHDK should work on any Canon running the DIGIC II or III processor, since most of them run the same VxWorks OS. A dump of the camera’s firmware is required before porting work can begin. On some cameras, the firmware was retrieved using software, but others required a hardware route. Pictured above is a Canon A610 that’s slowly flashing out every bit of its firmware using the built-in LED. A photodiode is hooked up to a sound card, where the entire bitstream is recorded. It takes 1-7 hours to read the entire firmware. Once the sound file has been captured, it’s converted back to the original bytes and can then be decompiled with something like IDA Pro.

How-To: Expand Your Camera With CHDK

As anyone who has lusted over the technical specifications for Canon’s new Digital Rebel XSi knows, the capabilities of the average point and shoot camera are severely limited. Using the CHDK firmware hack, the features of Canon point and shoot cameras can be significantly expanded, allowing for ultra-high speed photography, very long exposures, time lapse photography, and RAW capture. This How-To provides a guide to our experiences using the CHDK firmware, and shows just how easy it is to get more out of a point and shoot than ever thought possible.


Phlashing Denial Of Service Attack, The New Hype


Imagine how surprised we were to discover that by accidentally bricking our router we were executing a brand new attack: Phlashing Denial Of Service (PDOS). This week at EUSecWest, researcher [Rich Smith] will present the theoretical PDOS attack. Instead of taking over control of an embedded system, the attacker turns it into a nonfunctioning brick by flashing it with a broken firmware. Anyone who has flashed a device knows the danger of interrupting the procedure.


Automatic JTAG Pinout Detection

Figuring out the JTAG pinout on a device turns out to be the most time-consuming hardware portion of many hacks. [hunz] started a project called JTAG Finder to automatically detect the JTAG pinouts on arbitrary devices using an 8-bit AVR ATmega16/32L microcontroller. Check out the slides (PDF) from the talk, as they break down how one finds JTAG ports on an arbitrary device, with or without a pinout detection tool. [hunz] is looking for people to pick up the project where he left off.

Once you determine the correct pinout, you will need a JTAG cable: there are two main types, buffered and unbuffered, both of which I have soldered up and tested from these circuit diagrams (image of completed buffered cable here). The software most hardware people use today is the openwince JTAG Tools. To get the JTAG Tools to compile, grab the latest source directly from their CVS repository.

The last time we featured JTAG was with regards to Linksys devices, but the tools listed above can be applied to any device with JTAG.