Here are some of the ways hackers break into consoles and discover new exploits

Key findings

  • Analyzing firmware dumps can reveal vulnerabilities in consoles
  • Input and protocol fuzzing can lead to significant exploits
  • Voltage glitching disrupts a device's processor and can provide unauthorized access



Consoles like the Nintendo Switch were cracked relatively early in their life cycle, while others like the PlayStation 4 took their time but were eventually cracked. But how are these console exploits actually discovered? Since consoles are usually pretty locked down, the method attackers use to gain advanced access to the software running on them can be quite complicated and differ from console to console.


Software reverse engineering

Analyzing the firmware



A typical starting point for a potential attacker is to analyze a firmware dump of a console to find out how its software works. In the case of the Nintendo Switch, its operating system, Horizon, is the successor to the 3DS operating system, which is also called Horizon. This gave hackers an advantage when working with the Switch, as the Switch's operating system was very similar to the Nintendo 3DS in many ways, according to well-known hackers plutoo and yellows8.

As for how developers managed to analyze the firmware in the first place, there are several possibilities. Sometimes companies make it available for download directly so that you can install it yourself. In other cases, these companies may be required to release parts of it under a licensing agreement or even make it open source. This is also the case with the Nintendo Switch, as it uses various components from other open source projects.


There are a ton of other ways someone could copy the firmware, including using a JTAG interface, UART, firmware recovery capabilities, network capture, and more. Once they have a copy of the firmware, hackers can use it to learn how the system works under the hood and uncover critical vulnerabilities. This happened with the Nintendo 3DS: after the handheld had been hacked, disassembling the boot ROM revealed a mechanism for unbricking consoles, and the signature verification of this mechanism was flawed.

Input and protocol fuzzing

The PlayStation 3 and the Nintendo Wii are great examples of this



Input fuzzing is a technique used to discover vulnerabilities in software by providing it with invalid, unexpected, or random data as input. The idea behind fuzzing is to examine how the software handles inputs that are outside the norm – inputs that a typical user might not make. In console hacking, input fuzzing is used to test how the console's software, including games and system-level processes, handles different types of data. This can include anything from corrupted game files, unusual key combinations, unexpected network packets, to incorrect data in saved game files.


For example, if a console's game loader is designed to handle game saves from a memory card or internal storage, a hacker could create a specially crafted game save with unexpected data structures or excessive data lengths. When the console attempts to load that game save, an error could occur, potentially leading to a crash or unintended behavior, such as the execution of unintended code. This type of vulnerability, usually a buffer overflow, could then be exploited to execute custom code on the console.

A fairly well-known example of input fuzzing leading to a significant exploit is the Twilight Hack on the Nintendo Wii. In this case, hackers discovered that by modifying a save file for the game The Legend of Zelda: Twilight Princess, they were able to trick the game into executing arbitrary code. This was accomplished by creating a malformed save file with a long name for Epona, Link's horse, which, when loaded by the game, caused a buffer overflow, allowing the hackers to execute custom code and ultimately gain control of the system.
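To make the save-file example concrete, here is an added example (not code from the article or from any game) of the kind of loader bug described above and the length checks that prevent it, together with a minimal fuzzer that feeds the loader every possible claimed name length. The save layout, field size and function names are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed save layout for this example (hypothetical, not any real
 * game's format): byte 0 = length of the horse's name, bytes 1.. = name,
 * followed by 4 bytes of rupee count. */
#define NAME_FIELD 8            /* fixed-size destination field */

typedef struct {
    char name[NAME_FIELD];
    uint32_t rupees;            /* neighbouring field an overflow would clobber */
} save_t;

/* The shape of the bug the text describes, for contrast only (never called):
 *   memcpy(out->name, buf + 1, buf[0]);   // trusts the length stored in the file
 * A name longer than NAME_FIELD - 1 runs past name[] into rupees and beyond. */

/* Hardened loader: every length read from the file is checked against both
 * the destination field and the bytes actually present. Returns 0 on success. */
int load_save(const uint8_t *buf, size_t len, save_t *out) {
    memset(out, 0, sizeof *out);
    if (len < 1) return -1;
    size_t name_len = buf[0];
    if (name_len > NAME_FIELD - 1) return -2;      /* would not fit with the NUL */
    if (1 + name_len + 4 > len) return -3;          /* file shorter than it claims */
    memcpy(out->name, buf + 1, name_len);
    out->name[name_len] = '\0';
    memcpy(&out->rupees, buf + 1 + name_len, 4);
    return 0;
}

/* Builds a save whose header claims `claimed` name bytes but carries `actual`. */
size_t make_save(uint8_t *dst, size_t cap, size_t claimed, size_t actual) {
    if (cap < 1 + actual + 4) return 0;
    dst[0] = (uint8_t)claimed;
    memset(dst + 1, 'A', actual);
    memset(dst + 1 + actual, 0x7f, 4);   /* rupee bytes */
    return 1 + actual + 4;
}

/* Loads one constructed save and returns the loader's verdict. */
int try_case(size_t claimed, size_t actual) {
    uint8_t buf[1 + 255 + 4];
    save_t s;
    return load_save(buf, make_save(buf, sizeof buf, claimed, actual), &s);
}

/* Minimal fuzzer: try every claimed length 0..255 and count how many the
 * loader accepts. With a 7-character field, only lengths 0..7 may pass. */
int fuzz_accepted(void) {
    int accepted = 0;
    for (size_t n = 0; n <= 255; n++)
        if (try_case(n, n) == 0) accepted++;
    return accepted;
}
```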



Protocol fuzzing is a similar concept, but it involves attacking the communication protocols that a console uses. On the PlayStation 3, hackers fuzzed the controller communication protocols to discover vulnerabilities that allowed them to gain unauthorized access to the console's operating system, allowing them to execute unsigned code and eventually develop custom firmware.

Voltage disturbances

Processors don’t like it when their voltage drops too much



Voltage glitching is a technique commonly used to exploit vulnerabilities in devices by briefly interrupting the power supply or the processor's clock signal. The idea behind glitching is to cause a temporary error in the device's processing, causing instructions to be skipped or modified during execution, which can sometimes bypass security mechanisms or cause strange behavior.

If you want to see an example of voltage glitching in action, LiveOverflow provides a demonstration of this type of attack to break out of an infinite loop on an Arduino board. It shows how a momentary drop in power to the Arduino CPU causes it to break out of the loop because the processor miscalculates which instruction to jump to next.


In a console, this can lead to all sorts of unpredictable behavior, including leaking important keys or other information that helps protect the console. While power glitches are not reliably reproducible, so they won't produce the same results every time, they are another means by which someone can attempt to gain unauthorized access to a console.
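The "skipped instruction" effect described above can be modelled without any hardware. This is an added example (not from the article or from LiveOverflow's demo): a boot routine is a list of steps, a glitch is one step that never executes, and the code counts which single skips let an image with a failed signature check boot. The step names and the two routines are constructed for this illustration.

```c
#include <stddef.h>

/* Constructed fault model (hypothetical): a voltage dip makes the CPU skip
 * exactly one step, as in the loop-escape demo described in the text. */
enum { LOAD_VERDICT, CHECK_VERDICT, BOOT };

/* Runs `prog`; returns 1 if BOOT is reached, 0 if a check halted the CPU.
 * `skip` is the index of the step the glitch removes, or -1 for no glitch. */
static int run(const int *prog, size_t n, int signature_ok, int skip) {
    int verdict = 0;                      /* register the checks inspect */
    for (size_t pc = 0; pc < n; pc++) {
        if ((int)pc == skip) continue;    /* glitched: this step never executes */
        switch (prog[pc]) {
        case LOAD_VERDICT:  verdict = signature_ok; break;
        case CHECK_VERDICT: if (!verdict) return 0; break;   /* halt on failure */
        case BOOT:          return 1;
        }
    }
    return 0;
}

/* Counts the single-skip positions that boot an image whose signature failed. */
int count_bypasses(const int *prog, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (run(prog, n, 0, (int)i)) hits++;
    return hits;
}

/* Single check: one skipped instruction is enough to boot anything. */
static const int single_check[] = { LOAD_VERDICT, CHECK_VERDICT, BOOT };

/* Redundant check: a second, independent check means one skip is not enough.
 * Two well-timed glitches still would, which is why real countermeasures also
 * add random delays and detect glitches in hardware. */
static const int double_check[] = { LOAD_VERDICT, CHECK_VERDICT, CHECK_VERDICT, BOOT };

int bypasses_single(void) { return count_bypasses(single_check, 3); }
int bypasses_double(void) { return count_bypasses(double_check, 4); }
int boots_when_valid(void) { return run(single_check, 3, 1, -1); }
int halts_when_invalid(void) { return run(single_check, 3, 0, -1) == 0; }
```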

Using known bugs

WebKit is the bane of every developer



When an exploit is discovered in WebKit, there's a chance that exploit could impact consoles as well. It's a fairly common rendering engine used by Safari (just as Chrome and Firefox have their own engines, Safari has one too), but the 3DS, PlayStation 4, Wii U, and other devices also use it. An exploit released just a few months ago for the PlayStation 4 (PSFree) uses a WebKit exploit to give the user access to everything the web browser has. While that's often not much (since the web browsers on consoles don't have much access), it gives a hacker trying to gain more access to the machine more surface area to attack, allowing them to attack from a more internal starting point.


Additionally, it can be helpful if a console or its predecessor has been hacked in the past. With the PlayStation 3 and OtherOS security flaws, hackers were able to use the information they gained to dig through the system. Although Sony eventually removed this feature, researchers were still able to poke around on older systems. Likewise, the knowledge they gained from the original 3DS helped hackers find ways to crack the new 3DS.


These are some of the ways hackers break into consoles

There are many, many more



These are some of the most common ways hackers try to break into consoles, but there are many, many more ways they can try. At the end of the day, consoles are still just computers, locked down only to prevent someone from doing something they shouldn't. Despite this, new exploits are being found all the time in software and hardware, and it's no wonder that pretty much every console gets cracked at some point.

If you want to learn more about console hacking, I highly recommend checking out events like the Chaos Communication Congress, an annual hacker conference where developers often give talks on such topics. In the past, many talks have been given by Nintendo 3DS, Nintendo Wii and PlayStation hackers. You can learn a lot, and it's an extremely fascinating subject that really opens your eyes to how delicate computers can be!

