A modchip is a small PCB that mounts directly on a larger board, tapping into points on that board to make it do something it wasn’t meant to do. We’ve typically seen modchips used with gaming consoles of yore, bypassing DRM protections in a way that a software hacks couldn’t quite do. As software complexity and therefore attack surface increased on newer consoles, software hacks have taken the stage. However, on more integrated pieces of hardware, we’ll still want to return to the old methods – and that’s what this modchip-based hack of a Starlink terminal brings us.
[Lennert Wouters]’ team has been poking and prodding at the Starlink User Terminal, trying to get root access, and needed to bypass the ARM Trusted Firmware boot-time integrity checks. The terminal’s PCB is satellite-dish-sized, so things like laser fault injection are hard to set up – hence, they went the voltage injection route. Much poking and prodding later, they developed a way to reliably glitch the CPU into verifying a faulty firmware, and got to a root shell – the journey described in a BlackHat talk embedded below. Continue reading “A Modchip To Root Starlink User Terminals Through Voltage Glitching”→
Traditionally, a forum full of technical users trying integrate their own hardware into a game system for the purposes of gaining unfettered access to its entire software library was the kind of thing that would keep engineers at Sony and Nintendo up at night. The development and proliferation of so called “mod chips” were an existential threat to companies that made their money selling video games, and as such, sniffing out these console hackers and keeping their findings from going public for as long as possible was a top priority.
But the Arduboy is no traditional game system. Its games are distributed for free, so a chip that allows users to cram hundreds of them onto the handheld at once isn’t some shady attempt to pull a fast one on the developers, it’s a substantial usability improvement over the stock hardware. So when Arduboy creator Kevin Bates found out about the grassroots effort to expand the system’s internal storage on the official forums, he didn’t try to put a stop to it. Instead, he asked how he could help make it a reality for as many Arduboy owners as possible.
Now, a little less than three years after forum member Mr.Blinky posted his initial concept for hanging an external SPI flash chip on the system’s test pads, the official Arduboy FX Mod-Chip has arrived. Whether you go the DIY route and build your own version or buy the ready-to-go module, one thing is for sure: it’s a must-have upgrade for the Arduboy that will completely change how you use the diminutive handheld.
The original Sony PlayStation came out just in time for CD piracy to really start taking off. Aware of this threat to sales, Sony engineers included a copy protection and region locking mechanism that placated executives and annoyed end-users alike. [MattKC] explores how this copy protection worked, and how you can burn your own modchip at home for just a few dollars.
Sony’s method of copy protection relied on steps taken during the manufacturing process, pressing a special groove into the game media that regular CD burners couldn’t replicate, a topic our own [Drew Littrell] has covered in depth. This groove contained a four letter code that could be read by the console, corresponding to the region in which the game was sold. The console would read this groove on startup, and check that the code in the game matched the code in the console before booting. Modchips circumvent this by injecting a spoof code into the console that matches the local region, regardless of what is read off the disc. This has the effect of both allowing users to run bootleg CD-Rs, homebrew code, as well as games from other regions.
Today, we’re blessed with the Internet and cheap hardware. As [MattKC] demonstrates, it’s no longer necessary to mail-order a chip from a dodgy ad in the back of a games magazine; instead, one can download source code and flash it to a commodity PIC microcontroller for just a few bucks. With the chip soldered in to the relevant points of the PS1’s motherboard, you’re good to go.
Many Hackaday readers might remember the days of buying modchips from somewhat questionable sources. These little devices connect to a gaming system to circumvent security measures, allowing you to run homebrew games (and pirated games, but lets not focus on that). [Guillermo] built an open source hardware Gamecube modchip based on the XenoGC.
The XenoGC was a popular modchip back in the Gamecube days, and its source was released in a forum post. A Wiki page explains how to build a clone of the device based on an ATtiny2313. Most modchips were closed source, but this project lets you look at how they work. You can browse the XenoGC source on Google Code to learn more about the exploit itself. You’ll find the AVR code, which manipulates the DVD drive over a serial interface, in the XenoAT folder.
[Guillermo]’s hardware is available from OSHPark, so you can easily order boards. He’s also hosted the design files on Github. With one in hand, you can start building homebrew for the Gamecube, which can probably be picked up for around $25 nowadays.
It’s been a long time coming, but the video above shows a modchip circumventing the PlayStation 3 security by running a game from a hard drive. The sites Ozmodchips.com which sells the modchip, and psx-scene.com which has confirmed them as working are both unstable right now due to heavy traffic. But here’s what we know. The device is called the PS Jailbreak and can be used to dump PS3 games to the hard drive of a PlayStation3 running the most current firmware (3.41). Dumped games can then be played from the hard drive by selecting them from a menu that the modchip spawns. It’ll cost you though. The current preorder price is $169.99 AUD or $147.47 US dollars with a projected delivery date of August 27th.
Notably, the prosecution did not argue that he infringed copyrights, but merely facilitated copyright infringement by selling modchips that circumvent the Xbox’s ETM. Since the copyright infringement argument was not made, existing law continues to hold sellers of pirated games and owners of modded consoles responsible for infringing the copyrights of game developers, as they are the ones who illegally copy the software. Pirated game sellers’ violation of the law is plain to see, but owners are still held responsible the moment they place the pirated disc into the loading tray and boot it up. The infringement in these cases occurs exactly when any part of the pirated game is loaded onto the console’s RAM, as this is considered another illegal copy.
[Higgs]’s charges hinged on whether the Xbox’s piracy prevention methods were intended to completely prevent pirated games from being played or merely act as a hindrance. The court felt it was the latter, and so they reversed the charges.
[CyberPyrot] and [l0rdnic0] released their spitfire mod on acidmods for XBox 360 controllers. It involves some fine wiring, but a relatively low parts count. The heart of the mod is a PIC16F84A, a crystal for the clock and a few passive parts. It took me a little while to find it, but the code for the pic hiding under the parts list. For a lengthy demo of the mod in action, you can check out this video.