
Hacking Reimaged Retro Computers - David Lodge

BSides Leeds29:1997 viewsPublished 2020-07Watch on YouTube ↗

Hi, I'm Dave. I'm going to do a talk about hacking retro games machines. So what do I mean by retro games machines? Who amongst us, many of us, when we were younger, had lots of different computers like the BBC Micro, the Commodore 64, the ZX Spectrum, even the humble old Oric, and some of you a wee bit older than that may have had consoles, different console machines like these. Of course I didn't; my parents had no idea about computers and we had something called a Sharp MZ-700, which was absolutely useless, no games at all. So 20 or 30 years after these machines, because of the prevalence of emulators, everybody decided to go full on: wasn't the

Spectrum good? Let's have a way to replay these games on the Spectrum, the C64. So people did, and the machines are being brought out, and it's reminders, basically, of how emulation works. So I mean, I must admit at some points I spent literally days playing Laser Squad on an emulator, so I'm probably in that geeky section. So, oh yeah, this is an interesting tweet that came out a couple of days ago, which means the Xbox 360 is officially retro, which is quite scary. So what am I going to talk about? So these are some of the machines that have come out: there's the ZX Spectrum Vega at the top, the Mini C64, a PlayStation Classic. So I'm just

going to talk basically about an investigation of how these work, what sort of things you can do with them, and basically just a little story about how I went about exploiting them. Why is it important? It's not, really. There are going to be no game-breaking security vulnerabilities here; they're not internet-connected. I did this just because it was fun to see where I could get, and where I could stop, and what sort of interesting things there were in these sort of things. So I'm going to start off with the ZX Vega, which is where all this came from. So I was talking with a mate of mine and we just wondered how they would be

implemented. So the first rule of reverse engineering is: think how you would do it yourself. So the theory we used is it'd be some form of embedded Linux running an emulator. I'm not going to get into the politics behind this, because there are lots of politics behind it; if anybody's actually read anything about the Vega, the Vega Plus, I'm not going to get into that, because everybody's wrong as far as I'm concerned. So I'm going to have a quick demonstration here. Here's a video that I recorded through an HDMI to RCA feed, so it's a bit flaky on some of the images. I'm just going to demonstrate sort of what the

Vega looks like. So they did a good job making it look a bit Spectrum-like. Oh, sorry, sorry, no, I'm sorry, there should not be music on that. When I recorded it I ended up with my actual music playing in the background, so there are bits where I sped up the video and the music speeds up and slows down. I should have muted it, I do apologise. Imagine a chiptune in the background that sounds like it's playing off the ZX Spectrum. It would really have helped if I'd actually put that on the screen. Right, there, you can tell this is the

first time I've put videos in my talk, so this is something I've not tried before. Right, let's just play that. So they've sort of matched it: you've got a twee little Spectrum-like chiptune in the background. I'm currently pressing this using a pair of tweezers, which is because I've taken it apart. So if you go through you can load up the game, select your controls, and here's 1994, the first in the list, and here I am pathetically trying to play it, not that it changes much really. So let's just reset that. One of the other features it's got is you can load custom games from an SD card, so here I am just loading from the

SD card, and here's a little bit of code I made in advance, and I'm just going to load this up. That took bloody hours. Right, I could only get into memory five frames from the actual GIF that I stole, so I'm sorry, that was a gratuitous joke. So anyway, how do we investigate these? We can look at these different areas: we can look at the firmware, we can look at the hardware, we can look at the software around it. So normally, before I even buy one of these, I'd probably start off by looking at the firmware. Right, we're going into reverse engineering here; I hope you like hex dumps, because I love hex dumps. So

the first thing you can see from this, this is a hex dump of the header: we can see a copyright statement with a version number and what looks to be a date of release, and if we look a bit further in we can see a magic number which says Vega, we can see that's the date in binary format, so obviously it can do a magic check, a version number check, and basically the size of the header, and we go "oh yeah", and that's basically the rough structure in a C-like fashion. So go a bit further down, we have what's called the Ness Men header; so this is based on the i.MX233, and that's

directly from the datasheet. It doesn't tell us anything; it's basically what it uses when it boots the system from SPI. Also we've got the STMP header, which is specific to the i.MX233, and there's a tool around called sbtool which allows you to dump it. The important thing to see from that one is here: the default key is not valid, it's an encrypted boot image, it's encrypted, bugger. I can't actually read the damn thing by default; I have to go a bit further into it. So let's have a quick look at the hardware. Here is the whole board, where our main components are: we have a CPU, which is an

i.MX233, which is a very complicated device, and it's cheap, but it does audio, it does graphics, it is basically a whole computer on a chip; a bit of external RAM, and SPI flash, which works as long-term storage. On the back we have three lots of headers. So the first thing you obviously try to do is read the SPI flash. So here's an attempt at me trying to read it. I wrote some scripts to read SPI flash ROM, because it would not read with the normal technique; so this is me just dumping the SPI RDID, which is the read identifier, and that's my chip reader trying to read the data. I

had to sort of mangle it because it's not quite right, and we dumped it: it's exactly the same as we saw earlier, and it won't read, so it's encrypted. OK, so the next thing we've got to do is try and map these out. So I don't know whether you've tried mapping out test points before; to do some of these you use a multimeter; it goes on to basic: you can use the continuity test and you see where pins go. We know roughly where the ground pins are and just map those out onto the actual chip, and we can map those out for all the various points. I don't know how well you can see that. Yeah, and also we've got a 5 volt one, which

interestingly only goes to the top header. So let's have a look at J4, sorry, junction 4, test pad 4, I'm not sure whether the J stands for jumper or junction. So in there we have ground, which we already knew about; then, beeping around, we have UART transmit and UART receive; that's a UART header. That's something I'm going to come back to later because it's going to be really useful. General rule of thumb: always look for UARTs; it's generally an easy way in. J3, we can map again ground out, we can map out a pin called DEBUG, which is an SJTAG

header, which I'll go into later, and basically a voltage reference just so that it can work out what to do. So, overall, oh yeah, final one, we already mapped out this; now there might be some similarity if anybody's done any hardware looking: that header is very, yeah, in fact it's very similar to a USB micro-B connector, so presumably it's a second USB port that's being used and they've just not soldered it. So we can, sorry, my words have gone, we can again do a continuity test, map those out, and we can see USB data plus, USB data minus; it's a USB header. Yeah, so here we are, this is how everything's mapped

out. So we have all our test pads known roughly; I don't know what the top two ones on the USB header are, and the one is deliberately meant to be floating; I think it's an OTG pin to say whether it's a host or an actual peripheral. So that's looking at the UART: this is what you get on the UART. That is not what I was expecting, to be honest; it must be a little sort of internal joke with the developer, but it's actually quite useful because, even though I got no shell from it, error messages were dumped to that screen, which I used later. So that's a look at the USB:

I didn't have a micro USB header and I could have ordered one from Farnell, but I'm lazy, so I just soldered on my own. That's sort of the high quality I used. Unfortunately that USB was not active, so I couldn't do anything, but it was a secondary way of powering it. So the next one to go for was SJTAG. SJTAG is a weird, weird system. If you've not seen it, JTAG is basically a way of talking directly to the CPU, and you can do various different things: read the memory, potentially read flash. There's a cut-down version called SWD; this is SJTAG, which runs over one line and has got a lot of custom things in. So the only

board I could find that would read SJTAG is this Olimex one here, this red thing, but fortunately it worked quite well. So this is what my desk looked like while testing this; I'm ignoring the food and the drinks in the background behind the monitor. But essentially I've halted the whole thing there, and I was trying to read everything, running off four USB hubs like these to turn things on and off as I needed to. So you can connect to it with a program called OpenOCD; it's a JTAG connecting program which will just talk JTAG, and it will pass anything down and do all the hard work for me. So I can tell it to

halt the device and I can read the registers, and it might not seem anything, but the PC register, R15, on the bottom, that's something that's roughly in the right area of memory, so I know it's really something. So that 0x4000... address is RAM in the memory map; I don't know what to call "dirty", but maybe it should wash. So we can start dumping stuff from here. This is on-chip SRAM, which is static RAM that is stored in the chip itself, and I can read information from here. What I can also see are these, what I've highlighted in red, are basically showing this is ARM code: E is the condition code for "always execute", so I

know that's 32-bit ARM code, and that's a familiar string, which is starting to get really irritating now, seeing that everywhere. Going a bit further, we have on-chip ROM at the top, which is basically the bootloader. I found an interesting little string in there, the last sentence: "no pickings were harmed during testing". Really? So somebody at SigmaTel found themselves really funny. So I can dump the on-chip ROM and now we've got, sorry, that's, yeah, my notes are wrong here, so I can dump the RAM, and once I've dumped the RAM I can load it into a disassembler, Ghidra, to actually try and disassemble it and read it. I can see

that it's roughly right, it looks OK. So I've got full access to RAM. The problem is I can't access flash, because it's not memory mapped; you can look on the memory map on the left side, it's not mapped in. There's a whole set of ways of doing this through registers; I could potentially map it out, go full weight on it and actually try and decrypt everything, but I took the lazy way. I made sure the emulation was running, then I dumped RAM, so in theory the emulator and the ROM must be running, otherwise things go a bit pear-shaped. As I said, it's actually true, just to see whether it was running. So here's a hex

dump of the 48K Spectrum ROM and here's a hex dump of memory; so as you can see the bytes match up. This is basically the whole ROM; the whole ROM is in there, definitely. So my second goal was to see what emulator it is. Now, I couldn't work out what this was; there's no artefact in there to give you a hint. When we sort of look at these other things there would be artefacts, strings, because we're lazy; we'd grep for those. I could not find anything to do this. So, any time, look at the software. So the first thing is try a few Linux breakout tricks, so try inserting commands and so on; so again, nothing. The

other thing this suggests, it's not really Linux, to me; it's written around the device and they've got some sort of mapping of all file names. So we need to go a wee bit more in depth. Can we actually find information within the emulator itself, like a debug mode or anything like this, or any way to fingerprint the emulator? So let's go back in time. Here is a die shot of a Z80 CPU; this is the physical silicon that it is based on. There's one important bit here which I'm going to concentrate on: these are the registers that are within the Z80, and this is the physical bit of silicon that is those registers. So again, back in history, the Z80

has many registers; it's got a whole load of different registers: A, F, B, C, D, E, H, L, which you can use as 16-bit. Don't ask why it goes from F to H, I have no idea who made that decision. So there's accumulator, flags, and then the rest are general purpose; there's a set of clone registers they can swap between, and we have the index registers that we can use to do lookup tables, the program counter, and a stack register. And there's something interesting in here. So the Z80 emulators have existed since like 1990, but in about the mid-2000s, I think it was

2003, there was some evidence from working on the die, and it found out there's a hidden register called WZ. So the WZ register is, as the name, the Z80 is an 8-bit machine; if you try and do a jump, you need to load that jump address into somewhere temporarily; that's what the WZ register is useful for. But what we can know is, if that WZ register is implemented in the emulator, then we can date the emulator and roughly work out when it was written. So here is a bit of code which will attempt to read bits of the WZ register. So there's a bit of a quirk in the Z80:

the flags register will have bits three and five, which are unallocated, populated with bits 11 and 13 of the WZ register. So what I'm doing here is I'm priming WZ by doing the LD BC, and then I'm trying to read bits of it back from (HL) into the flags register, which I'm pushing onto the stack, and doing all sorts of weird and wonderful things. So that's the code; it's written in Spectrum BASIC. Again, that's the first Z80 I've written in like 25 years, far too long. And here it is running on ZX Spectrum Net, which doesn't render the WZ register; that's on a real Spectrum; that's also what you'd

also get. Here it is running on Fuse, which didn't, at the time, implement WZ. So what I'm seeing is, if we run it on the Vega, we're going to get something similar. Now, that's crappy code, that was just lazily written out; there's a load of test suites for this, one of which is raxoft's z80test, which tests what we call MEMPTR, which is another name for WZ. So running this on a real Spectrum you'd get a list of tests and they will all pass; running it on the Vega I get all fails. So these are consistent with WZ not having been implemented. What does that mean? Does it run Fuse? Don't know; it might use

the same Z80 core. That's exactly what happens on JSSpeccy, that's right, JS Spectrum, which is a Spectrum version written in JavaScript; that's what happens on Fuse. So yeah, about 90% certain, maybe. So unfortunately that's as far as I got on the Vega. I can potentially edit the RAM, but I've got better things to do. So, before we spend far too much effort on something that's not really important, let's go on to the Mini C64. So this has sold a lot better than the ZX Vega, because it went to the US market as well; it's done by the same guys, just in a different company name, because politics.

So again let's go into the firmware, and we can see, oh look, another hex dump. The first thing that jumps out to anybody who's done reverse engineering is that ELF; so that's the header for a Linux executable there, and also the 28 tells us it's ARM; so all useful information. We can see a pointer to that and a potential size of file, and of course a header which I didn't see at first, but of course: A, C64, "AC64". I literally hit myself when I saw that. So we've got again something that's roughly the size of the file; don't know why it repeats it twice, because I'm trying to guess all this. I've got something else that looks like

pointers to other chunks of data, and that big chunk, there's 16 bytes of data which I have no idea what it is, but it looks very much like a SHA-256 hash, so I'm assuming that it is, and therefore there's some form of signing or checking. So anyway, let's throw that into a disassembler, and we're cheating when reverse engineering: look at the strings. So we found this gcry_cipher_setiv, which is a function call within libgcrypt, which gave a bit of a hint, so I could actually look through for the different things, follow through and map out various different function definitions, and we can see here it's

encrypting the data, and we can see that it sets a key and sets an IV, so it's obviously decrypting it, and that's a bit of code that sort of works out the key. I sort of looked at that; this is the Ghidra decompiler, it's not brilliant but it sort of works, ish, and I can't be bothered with all that maths, so I'll do it the easy way. There is an easy way of doing this: we can just run the executable. Of course I don't have an ARM development system; you probably do; I'm feeling too lazy. But there's a lovely little tool called QEMU. So QEMU is a multi-emulator of various different

things; it's free and open source, and the nice thing about it is you can run a command in QEMU user mode: it starts with its own little sandbox, runs the command and then drops you out, and it looks like it's a normal command. So this is roughly, then: the cipher is where we know the key is; we have a start address, which is the address within memory, and we see these two parameters, which are length and IV, so we store those in registers R2 and R3. So I've another video here; I do apologise, I have typing errors in this and I'm not very good at typing when I'm being recorded. So I'm just going to run

QEMU here; you just realise how small that is up there. So I'm going to run it with a gdb session and actually do a debug on it, single-step through, so it doesn't just run it. And now I'm just going to run my executable; then in the window I'm just going to run gdb, connect back to it on port 9000. So it's now paused; I'm going to put a breakpoint in at that, remember that address; run the program; right, now I'm just going to dump both of the registers. By the way, this was about my tenth effort to record this. And there we have, we have basically the key and the IV that are used to decrypt

the content. Now, it's silly; I could use that to decrypt it, but at this point I did what I should have done before: look on the internet, so you can see whether anybody else has done anything like this. Yeah, nobody had actually looked at the firmware; people have looked at the hardware, and there was an easier route in. So here's the board, and there's a header down there which is a four-pin header, which unfortunately I didn't take a photo of before I soldered some headers on, so that's just some headers I've soldered on, and those are headers for UART. So, oh yeah, and there are two buttons here, which are reset and FEL, which is, so it's

got an Allwinner chip in the centre, and those are set to go into FEL, which basically accesses a bootloader. So if we go onto UART, oh look, we have a Linux shell, and it's Allwinner's version of Linux, basically; it's all set up to run Linux, but we don't know the password; we've no idea what the creds are. So can we get a bit further in? If you notice there's "hit any key to stop autoboot", so let's do that, and we're now into the base of the bootloader, and we have the boot command there, and we can go in there and we can basically, by putting ramfs on

the end of it, we can boot using a RAM disk. So it just boots into a RAM disk; there's no password on it, so we've got a root shell here. It's not really the full operating system; it's not mounted, it's just a RAM disk. What we can now do is mount the actual operating system properly, and we can see the root password there. I don't know what that password is; I've tried cracking it; I gave up after two days of searching, just nothing's coming out. So there is a lazy way of doing this: you can just change it with that little one-liner in sed there. I changed the password to that password because I'm not very

creative and I forget difficult passwords. So I just did a bit of sed, just changed the password for me, and now I've got full access. At this point it was, yeah, around the time it was suggested I should put a BBC Micro emulator on here just for fun, but yeah, it's one of those that's actually quite difficult to do, the cross-compiling chains, and get everything working. So that's sort of it. That's a URL to my blog; there are some articles about this which relate some of the work on it in a bit more detail, and some random stuff, but I'm not very good at blogging, so it's like 2018, I think, was the last one I uploaded. Any

questions? Yeah, that came out just before Christmas and I couldn't get hold of one. I've seen a few videos where there have been teardowns of it; the board is similar but not the same, so I wouldn't say that it's probably going to be the same; they might have fixed it. Yeah, I don't know. Yeah, they're all rubbish ones. I mean, there's a UART console hack for the PlayStation Classic which I just wanted to do but didn't actually have time to. There's also a hidden escape menu from the emulator: if you plug in a USB keyboard you can actually, on pressing escape, you can actually get the

console, but only certain USB keyboards work, and not mine, and I'm not paying 90 quid to buy a keyboard just to test one thing out. Is there any common denominator between all the boards? No, there isn't; it's just, you see what's there. Yeah, so the Vega one is pretty much a reference design for the i.MX233; the Allwinner one is pretty much a tablet board, basically; the PlayStation Classic is a tablet running Android. So there's a load of them, and the level of this is because people are rushing to get them out for Christmas, to get the retro craze which is currently in everything. They just

put these things out; they do sort of the minimum things and try it out. Yeah, basically. So there's not really anything; everybody's doing it the wrong way; it's so easy to buy a single-board computer, put Linux on with an emulator, then you can just do it however you want, or whatever you design. Yes, but it would require me to copy it over to my Pi; it may have worked, it may not have done, because it depends on exactly what libs were linked and more, of course. And I just like that QEMU technique; I think it is brilliant. So I just

wanted to show that as a demonstration, like I said, the technique itself, because you can run that with any of the CPUs you want, so there's MIPS, SH, PowerPC, there's even like PA-RISC and stuff; it's wonderful. How much faffing around did I have to do to get it together? Yeah, what I missed there is the story of getting QEMU to work, and that includes a six-month gap as I was angry, threw the board away and then found it and thought I probably ought to retry this, because has anybody ever actually hooked up a JTAG header and had it work? That's not ideal. Sure, I do this professionally, and yeah, it's still, no, it's like past

time; it's like "JTAG, tested, I discussed that", but no, it doesn't. Why does this work? Right, yes. Yeah, or you can't halt it, that's it, so it's erased everything; so you can't actually debug the CPU unless you halt the CPU, so you can't get loads of things like registers and dump memory, but sometimes you can get into the JTAG successfully but you can't halt. See, if, oh, just time to wrap up, it says from downstairs.
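The WZ (MEMPTR) probe the talk describes, modelled here as an added Python example rather than the speaker's Spectrum BASIC or machine code: a deliberately tiny Z80 model with just the three instructions the probe needs, plus a `track_wz=False` mode that is an assumed model of an older emulator core which never tracks WZ. The prime addresses, memory layout and helper names are my choices, not anything from the talk.

```python
"""Model of the Z80 WZ (MEMPTR) emulator fingerprint.

On real silicon LD rp,(nn) leaves WZ = nn + 1, and BIT n,(HL) copies
bits 13 and 11 of WZ into the undocumented flag bits F5 and F3. A core
that never tracks WZ fills those bits some other way, so the same machine
code yields different flags and the core can be dated. The `track_wz=False`
path is an ASSUMED model of such a core (F5/F3 taken from the operand byte,
as BIT n,r does); real cores differ in detail, which is why two primes are used.
"""
from dataclasses import dataclass, field

FC, FPV, F3, FH, F5, FZ, FS = 0x01, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


@dataclass
class Z80:
    mem: bytearray = field(default_factory=lambda: bytearray(0x10000))
    a: int = 0
    f: int = 0
    bc: int = 0
    hl: int = 0
    sp: int = 0xFF00
    wz: int = 0            # the hidden register, a.k.a. MEMPTR
    track_wz: bool = True  # False: model of a core that ignores WZ

    def ld_bc_mem(self, nn):
        """LD BC,(nn) (ED 4B): loads BC and, on silicon, sets WZ = nn + 1."""
        lo = self.mem[nn & 0xFFFF]
        hi = self.mem[(nn + 1) & 0xFFFF]
        self.bc = (hi << 8) | lo
        if self.track_wz:
            self.wz = (nn + 1) & 0xFFFF

    def bit_n_hl(self, n):
        """BIT n,(HL) (CB 46 + 8n): documented flags plus the F5/F3 quirk."""
        v = self.mem[self.hl]
        tested = v & (1 << n)
        f = (self.f & FC) | FH            # carry kept, H always set, N reset
        if not tested:
            f |= FZ | FPV                 # PV mirrors Z for BIT
        if n == 7 and tested:
            f |= FS
        src = (self.wz >> 8) if self.track_wz else v
        self.f = f | (src & (F5 | F3))    # WZ bits 13/11 -> F bits 5/3

    def push_af(self):
        """PUSH AF: A goes to SP-1, F to SP-2, then SP -= 2."""
        self.mem[(self.sp - 1) & 0xFFFF] = self.a
        self.mem[(self.sp - 2) & 0xFFFF] = self.f
        self.sp = (self.sp - 2) & 0xFFFF


def wz_probe(cpu, prime):
    """Run prime / BIT 0,(HL) / PUSH AF and return F & 0x28 read off the stack.

    `prime` is the nn in LD BC,(nn). HL points at a zero byte so a core that
    sources F5/F3 from the operand (or from H, 0x40) yields 0 either way.
    """
    cpu.hl = 0x4000
    cpu.mem[cpu.hl] = 0
    cpu.ld_bc_mem(prime)
    cpu.bit_n_hl(0)
    cpu.push_af()
    return cpu.mem[cpu.sp] & (F5 | F3)


def expected_pattern(prime):
    """What silicon produces: high byte of (prime + 1), masked to F5|F3."""
    return (((prime + 1) & 0xFFFF) >> 8) & (F5 | F3)


def implements_memptr(cpu_factory):
    """Two primes, one setting both bits (WZ = 0x2800) and one clearing them
    (WZ wraps to 0x0000), so a core that merely forces the bits on or off
    cannot pass by accident."""
    return all(wz_probe(cpu_factory(), p) == expected_pattern(p)
               for p in (0x27FF, 0xFFFF))
```

The same sequence is what the talk's probe and raxoft's z80test MEMPTR checks exercise on the real machine; here it just shows which flag bits carry the signal and why a single prime value is not enough to classify a core.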