If you subscribe to my YouTube account, or are in a channel that I am also in, you have probably been linked to my Homebrew PoC videos. If you haven’t, here they are:
First code run (PoC Ver.1):
KING BG display (PoC Ver.2):
Hello World (PoC Ver.3):
This fantastic work could not have been possible without many people, especially Arikado and Ryphecha, who have given me both the motivation and means to accomplish this goal.
I am pleased to announce that liberis is now live on my Git repositories page (available at http://git.daifukkat.su/?p=liberis.git) and contains the source for my Hello World demonstration (the earlier demonstrations are technically available through the Git repository history, but are not present in the current tree because they were intermediate steps). liberis currently does work, though many subsystems are untested. Obviously enough subsystems work for my Hello World demonstration to run, and I feel that it is time to show this to the world.
I have also updated pcfxtools.git with a tool that creates a set of .bin and .cue from a .bin generated by a proper objcopy command. This tool is called pcfx-cdlink, and the information required to run it is available in the repository. It currently uses a large portion of data (0x7F0 bytes) ripped from a commercial game, however, and therefore may not be legal in your jurisdiction. I aim to eventually reverse engineer what this data is (it won’t boot the CD if it’s all 0s), but for now this shall do.
hulib is a small tool that extracts HuLIB format archives (generated by the official PC-FX SDK), much as ar x does on a regular GCC archive. This is useful for getting object files out of the SDK for reverse engineering, though these object files are also, unfortunately, in a custom format (see huobj).
huobj currently takes a HuOBJ object file (as generated by the official PC-FX SDK) and spits out all the contents of the segments into separate files in a specified directory. This tool will eventually take the original object file and convert it directly into a compatible ELF object suitable for GCC. Until then, this tool tends to work decently for reverse engineering.
The other day I purchased a NEC PC-FX off of eBay, along with a few games. You probably don’t know what the PC-FX is, so here’s a brief overview, courtesy of Wackypedia:
The PC-FX (ピーシー エフエックス Pī Shī Efu Ekkusu) is a video game console released in Japan on December 23, 1994 by NEC Corporation. It is the 32-bit successor to NEC’s PC Engine (known in the US as the TurboGrafx-16).
The PC-FX uses CD-ROMs as its storage medium, following on from the expansion released for its predecessor, which originally used HuCards. The game controller resembles that of the Sega Genesis in shape, only with more buttons and it is virtually identical to a DUO-RX controller except for the fact that the rapid fire switches have been changed into mode A/B switches.
The PC-FX’s computer-like design was unusual for consoles at the time. It stands upright like a tower computer while other contemporary consoles lay flat. Another interesting feature is its three expansion ports, as expansion ports are relatively underused in consoles and therefore their inclusion increased the price without offering a great deal to the end user. However it was one of the first consoles to feature an optional mouse which made strategy games like Farland Story FX and Power Dolls FX more accessible to play on TV.
Unlike nearly any other console (except for the 3DO), the PC-FX was also available as an internal PC card for NEC PC-98 and AT/IBM PC compatibles. This PC card came with two CDs of software to help the user program games for the PC-FX. However, compatibility issues prevented games developed with this software from actually running on the console.
Anyways, I bought this console not really for the games (the PC-FX was notable for having crappy games, mostly consisting of dating sims), but for the hardware specifications, which made me drool. A NEC V810 at 21.5 MHz, a 300KB/s CD-ROM drive, 3 MB RAM, 16 million colors, 4 Video Display Processors (2 of which are the VDP used in the PC-Engine), a 3D video chip (only on PC-FXGA), 30fps full screen FMV display (thanks to the RAINBOW chip), 5 channels of PSG sound (very similar to the one in the PC-Engine), 2 channels of 32kHz ADPCM with stereo (2 channels with stereo panning), RedBook Audio, and a 6-button control pad. Sounds fun, doesn’t it?
In my quest for code, I looked up the development environment used for the PC-FX, and found that everyone used patched versions of GCC 2.95 with Binutils 2.10 (YUCK!), so I set about compiling this toolchain. Unfortunately, it seems that the developers of GCC 2.x suck, and there were several issues that caused it to not build on a modern GCC (4.4 for me), including a typo that I would have presumed to cause more damage than it probably did. I have made patches that fix these issues, and they will be uploaded shortly.
Also, in my quest for code, I decided that I don’t want to utilize closed-source libraries (specifically the ones provided by GMAKER, which are probably under restrictive licenses), and as such I am writing my own set of libraries to interact with the PC-FX hardware. The name of this new library is liberis, which contains a few references. eris is the (very very kind) person hosting my website, and is also one of the main characters of Asobi Ni Iku Yo!, a decent anime (not sure if I’d recommend it to others), who goes to a department store with the other main character, who points out a PC-FX in a display window. The library will be released to the public once I see it fit (I will not release any software without the library being with it, so don’t fear that I might hoard it forever).
I will put all the links relevant to PC-FX development on a page to help any newcomers join in the fun. The patches, as well as hardware documentation links, will be up there shortly.
I don’t know who made this bootleg, nor how they could make such horrible renditions of decent music, but whoever they are should be strapped down into a very uncomfortable wooden chair, and forced to listen to nothing but this music for hours on end.
Today while I was at school, Galaxy|, a good friend of mine (sent me this jesusmachine that I’m currently using, among many other things), sent me a few titles he had managed to rip out of the Nintendo 3DS SOAP. Great work getting the SOAP to spit out 3DS titles, and thanks for getting us a little closer to some hax.
Anyways, he pointed out that the .TMD files were different from the Wii’s, so I decided I should take a look. They are similar, but they do have differences. First off, the boot content is no longer specified. One of the biggest changes is in the contents. The content data has been stripped to almost nothing; it’s just the Content ID and some 32 byte hash (algorithm still needs to be found). Also, the version field has been upgraded from 0 to 1.
Another big change is the addition of 3 mysterious u32s (possibly 2 u32s and a u16), which are almost the same among all 3DS TMD files. There is also a hash, likely using the same algorithm as the contents.
Galaxy| has provided his SOAP information to Team Twiizers, and hopefully something useful will come of it.
UPDATE: The 3 unknown 32bit values have been figured out. The first is the boot content (so they just moved it instead of removing it), the second is the banner content, and the third is the banner size.
UPDATE2: The new signature types have been determined to be RSA with SHA-256 hashes, rather than the old RSA with SHA-1 hashes.
I just got these messages from a friend of mine. All information that could be used to identify him have been removed from this log to protect him. I commend him for his skill and perseverance in the face of adversity.
<friend> I was tapped on the shoulder and pulled out of the middle of it by my sysadmin boss. (I still haven’t finished the midterm)
<friend> A third of our network (called the “lisa network”) had been compromised and was DDOSing servers in Iran run by a pro-democracy group.
<friend> Said group was retaliating and DDOSing our servers back.
<friend> My job was to first stop Lisa from attacking them and then to stop them from attacking us. Afterward, I should figure out how Lisa was penetrated and how she should be fixed.
<friend> I got into the server room and basically just let out a loud “FFFFFFFFFFFFFUUUUUUUUUUUUU”
<friend> I had no idea what to do. I was the only one there and the other sysadmins wouldn’t be there for several hours. Furthermore the state department investigators and “specialists” would be down several hours after that.
<friend> I sat down in front of the main server for lisa and hooked up a monitor and keyboard to log into it directly. However I could not. The keyboard would not input anything. Lisa had no PS2 ports so and the several USB keyboards would not work.
<friend> Is it really possible they could have disabled USB keyboard access? (I’m still not sure tbh)
<friend> Next I tried logging into Lisa remotely which I could do. Furthermore I still had sudo access (miraculously) so it was time to kick some terrorist ass.
<friend> I ran ps and killed the processes which were sending endless amounts of pings. Then I went through the iptables on all of our networks and blocked the servers which were attacking us.
<friend> Having finally put an end to the “cyber war” (God, I hate the word cyber. Makes me think of webcam sex) I had to figure out how Lisa was broken into.
<friend> Lisa is as secure a network as you get. We have restricted shell access for all users.
<friend> We have fail2ban setup to ban anyone who mistypes their password twice for 10 hours.
<friend> This led me to believe that it must have been an inside job. Now the other sysadmins arrived along with my boss.
<friend> I shared my idea with them and they laughed at me. They told me not to say shit like that and it would be dangerous to do so.
<friend> The other sysadmins played on Lisa with me. We discovered that all the logs had been wiped from Lisa. We discovered that someone had installed all the packages which needed to be installed (there were >30 that needed to be updated/installed on the other networks).
<friend> I was still stuck on the idea that it was an inside job. They still didn’t believe me.
<friend> At this point I did something truly genius. I got a list of all files edited in the last 24 hours and who they were edited by.
<friend> I discovered our hacker created a new user “adm” which wiped the logs. It was impossible to tell who last edited the sudoers file though as it just read “root”.
<friend> By this time the state department investigators arrived and we began filling out reports. I was still being laughed at for thinking it was an inside job and still being warned not to say anything.
<friend> I cd’d through /var/log/ opening and reading every file I could. I found /var/log/kernel which revealed kernel segmentation faults occurring shortly before the DDOS attacks began.
<friend> I then found /var/log/syslog which showed me something even more interesting.
<friend> A professor logged in and out of the server about 30 times in rapid succession.
<friend> This professor then sent an email.
<friend> The mail server program crashed.
<friend> Packages began downloading.
<friend> The packages were installed.
<friend> The professor logged in and out about 30 times again.
<friend> The professor sent an e-mail again.
<friend> The mail server program crashed again.
<friend> A kernel segmentation fault occurred at the same time as the one in /var/log/kernel .
<friend> Root logged in.
<friend> Root and the professor logged out at the same time.
<friend> Then adm logged in.
<friend> This I presume is when the attacks began.
<friend> Reading the bash history of the professor gave me the nail in the coffin for him.
<friend> I shared all this with the people from the state department. An investigation began to find the professor.
<friend> The professors friends say he is currently visiting Turkey and has been there for several days now.
<friend> So yes, god mother fucking damnit, I was right. It was an inside job. And I was laughed at. And I figured it out all on my own.
<friend> Later I browsed our exploit sites but could find no mention of the exploits he used. I can only assume that the kernel bugs have been patched though and it was our fault for not keeping Lisa up to date. Crashing the mail server program still worries me though.
<friend> In case of back doors (he did update these packages for us :/) we’ll be reinstalling Lisa and returning relevant information to it from our backup server.
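As an added illustration of the log review the friend describes above (one account logging in and out ~30 times in quick succession, the mail daemon crashing, then a root login and a new “adm” account), here is a small Python checker run over constructed syslog-style lines. It is not code from the friend or from this blog; the host name, user names, addresses and PIDs are all invented.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style lines modelled on the sequence described above.
# Host, users, addresses and PIDs are invented; none of this is from the real system.
SAMPLE_LOG = []
for i in range(30):  # one account logging in and out 30 times inside a minute
    SAMPLE_LOG.append(f"Mar  3 02:10:{i:02d} lisa sshd[4100]: Accepted password for prof from 10.0.5.23 port 50122 ssh2")
    SAMPLE_LOG.append(f"Mar  3 02:10:{i:02d} lisa sshd[4100]: pam_unix(sshd:session): session closed for user prof")
SAMPLE_LOG += [
    "Mar  3 02:11:05 lisa postfix/smtpd[4200]: connect from unknown[10.0.5.23]",
    "Mar  3 02:11:06 lisa postfix/master[4001]: warning: process /usr/lib/postfix/smtpd pid 4200 killed by signal 11",
    "Mar  3 02:11:30 lisa sshd[4300]: Accepted password for root from 10.0.5.23 port 50140 ssh2",
    "Mar  3 02:12:01 lisa useradd[4310]: new user: name=adm, UID=1005, GID=1005, home=/home/adm, shell=/bin/bash",
    "Mar  3 02:12:20 lisa sshd[4320]: Accepted password for adm from 10.0.5.23 port 50150 ssh2",
]

# "<Mon dd hh:mm:ss> <host> <program>[pid]: <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
LOGIN_RE = re.compile(r"Accepted \w+ for (\S+) from ")

def parse_line(line):
    """Split one syslog line into (timestamp, host, program, message); None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Classic syslog carries no year; strptime fills in 1900, which is fine for ordering within a day.
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3), m.group(4)

def login_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """{user: most logins seen inside any `window`} for users that reach `threshold`."""
    times_by_user = {}
    for ts, _host, prog, msg in events:
        m = LOGIN_RE.match(msg)
        if prog == "sshd" and m:
            times_by_user.setdefault(m.group(1), []).append(ts)
    flagged = {}
    for user, times in times_by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted login times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

def new_accounts(events):
    """Usernames created by useradd; an account nobody expects (like 'adm' above) is a red flag."""
    return [re.search(r"name=([^,]+)", msg).group(1)
            for _ts, _host, prog, msg in events if prog == "useradd" and "new user:" in msg]

def root_logins_after_crash(events, window=timedelta(minutes=5)):
    """Times of root logins that follow a daemon dying by signal within `window`."""
    crashes = [ts for ts, _h, _p, msg in events if "killed by signal" in msg or "segfault" in msg]
    return [ts.strftime("%H:%M:%S") for ts, _h, prog, msg in events
            if prog == "sshd" and msg.startswith("Accepted") and " for root " in msg
            and any(timedelta(0) <= ts - c <= window for c in crashes)]

def analyse(lines):
    """Run all three checks over raw log lines and return the findings by name."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return {"bursts": login_bursts(events), "new_accounts": new_accounts(events),
            "root_after_crash": root_logins_after_crash(events)}

if __name__ == "__main__":
    for finding, value in analyse(SAMPLE_LOG).items():
        print(f"{finding}: {value}")
```

On a real host the same checks would be fed /var/log/auth.log or journalctl output rather than the constructed list, and the thresholds tuned to normal traffic.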
A few days ago, out of boredom, I asked for a random driver to work on in MESS on #messdev (EFnet), and I was quickly responded to with hp9k.c. hp9k.c is a skeleton driver for the HP 98x6 series of computers from Hewlett Packard, based upon the Motorola 68000 (my favorite processor). The driver was completely bare upon the start of my work (hence skeleton driver), but so far I have been able to expand it to the point where the screen actually works (not properly yet, but I’m getting there).
It turns out that the BIOS ROM is actually located at 0x000000, which prevents the vectors from being overwritten (however, most of the vectors point to addresses in RAM, thus you can change most vectors from software).
I know that this “exploit” has been decried in several other places, but I’ll talk about it anyways.
Here’s the original post on PSGroove.com (I DON’T RECOMMEND THAT SITE, BY THE WAY)
CPU Exploit – one step closer to METLDR this is a release of the hidden Cell Exploit found a while ago and one of the step taken to the metldr exploit im going to release the because i feel people should have the right to do as they wish and the information should be free to the public
i know by releasing this exploit ill probably be taken to court or sued but **** sony they can go to hell all i care for what they’re doing to us hackers ill fight until the last min i got of my life if i have to for the right of the people
for this exploit your going need a leaked service pdf (not posted on PSGroove.com files can be found at source link below)
time to explain this now listen up
i know you all remember the exploit with ram and so on back in 3.15 well your going look for the ‘CELL RESET LINE’ and that going be where the exploit is you know how the small 60ms or ns i dont remember thing sent to ps3 for the read and write of the ram ?
well use line send that and connect it to the cell reset line. ( FIND IT IN DOC ) and ground on outside of case and the example of what can be done with this is a cold reset which still has access to the memory from gameos – dont let this die out people im taking a big risk by giving you all this information
There are so many things wrong with this post. Let’s go in order from least technical to most:
He can’t even tell the difference between milliseconds and nanoseconds? Obviously not qualified for an actual hack. By the way, there is no need for timing on this. You can hold the line as long as you want and it still works.
Probably be taken to court for exposing an “exploit” that does nothing? Fat chance. You just want to make it sound like you’re more “1337″.
What kind of a name is “DarkHacker”. That’s the sort of cheesy name I’d expect out of CSI or Numb3rs or something, not a legitimate hacker.
Cell reset line can only be found in a sekrit SDK doc? Bull-fucking-shit. Go get the Cell datasheet and you can easily find it.
One more step closer to METLDR? Ahahahaha, I can’t even begin to say how wrong that is. Just look below.
Hidden Cell exploit? My ass. This isn’t hidden at all. It’s hardly even an exploit; all it says is that the CPU doesn’t clear RAM upon reset (which, although it is a security risk, means nothing if your own code isn’t running at boot).
Hopefully you’re all aware now that this “exploit” is complete bullshit, and you should completely disregard it.
Also, to all the people who have commented on this story on “news sites” that posted it: you’re fucking morons. Either learn what you’re talking about or don’t orgasm over it because it’ll “ALLOW MY BACKUPZ FROM THE INTERBUTTZ HURPADERPA“.
Since right now I’m just wasting time in my horribly basic computers class, I figure I could/should write up what I’ve been up to for the past year (wow, it’s really been almost a year since my last update D:).
Raiden II Project
Back around May last year, austere and I initiated the Raiden II Project, a project dedicated to bringing Raiden II emulation to MAME. A great deal of time was put into this project, which led to a few developments being made, and myself becoming the proud owner of a Raiden II PCB.
Unfortunately, our drive didn’t last. We went months without any real work being done about a month after our initial push. However, I became interested in the IGS PGM arcade system, and started playing around with it. This would pay off a bit later. I made a patch to add reading of NeoGeo tiles to MAME, which helped very few people (Was NFG the only person that it helped? haha).
Back in December, a skeleton driver for Cave PGM, a slightly modified PGM board, was added to MAME. austere and I quickly noticed many flaws in the driver, so we set about to work on this. We enlisted the help of nimitz for our project, as we knew him to be trustworthy and helpful. Within a few days, I had converted Haze’s buggy ASIC27a simulation code to real ARM code (see ASick72 on http://git.daifukkat.su/) and added in the proper ARM emulation to the board description. During this time, austere and nimitz (and a little bit of myself) had begun working on improving the audio emulation; by far one of the worst parts of the emulation.
At first we had believed the old ICS2115 core to be salvageable. We had fixed many issues with the core within just a few days. However, we soon realized it was a lost cause and would need to be completely scrapped. After doing much research into the ICS2115 chip, I discovered that ICS, the company that developed the ICS2115, had also manufactured the Gravis GF-1 (used in the Gravis UltraSound), and it seemed worth a look to see if ICS had decided to borrow from Gravis for their own chip. This search was not fruitless: the chips were almost identical and shared many, many similarities. I began work on a completely new core, which resulted in proper playback, although with dismal sound quality. In the meantime, austere had started writing a new core using the new C++ interface, also based upon the GF-1.
In the end, austere’s core was far superior to my own, mostly due to my own inactivity. austere’s core resulted in almost 100% accuracy (there are indeed still a few very minor issues left), and thus was submitted to MAMEdev for inclusion in MAME 0.141. There was a small crashing bug for Virtua Bowling resulting from austere’s core, but I quickly fixed it upon notification.
I believe I did mention mini-broadway at least once before, but I don’t think I ever really went in-depth about it. mini-broadway is an SDK for the Nintendo Wii which creates software runnable under BootMii (boot2 or IOS, doesn’t matter). It’s been my pet project for almost as long as Raiden II Project, and been at least as fun. It was built off of the basic ppcskel released not too long after the release of BootMii. My first order of business was to break out all of the functions into a separate library (now known as libbroadway) so that they could be reused instead of being monolithically included into every application.
After this, I started working on a library for disk accesses (NANDFS and SD card), which was fairly quick to develop. I called this new library libdiskmii. At that point there was still no libc, so it used non-standard functions. After that bit of work, I went back to fixing the IRQ handlers, imported from the ppcskel work done by lewurm and theStack for their hextwelve project, which were not working due to the exception handler being incorrect.
Once I had fixed IRQs, I started working on functionality for the various parts of Wii hardware that were not supported in ppcskel (AI, DI, DSP, an interface to EXI, MI, etc.). While I was doing that, I decided that I needed to start documenting, so I began to tag up the existing headers with doxygen (really great tool, by the way), which worked really well.
After that I was mostly doing cleanup work, making things more efficient, making the interfaces similar across all subsystems, etc. Eventually I got fed up with having no libc, so I added Newlib to the toolchain builder, and created a new library called libnewintf. This new library acts as the supporting tools for Newlib (expands upon all the crap) and also handles file I/O stuff. Thanks to this, I was able to create an equivalent of devoptabs (of devkitpro infamy) for stdio access to files and stdout/err. I set video and usbgecko output to stdout and usbgecko output to stderr.
After this I started working on lower-level interfacing again. I modified MINI more and added a slaving interface, which allows the PowerPC to slave the ARM and run your own code along-side MINI. After this, I took a long hiatus in which no work was done. I believe this was around the same time as the PGM work began with the Raiden II Project.
After the hiatus (which ended about 3 or 4 days ago), I began work upon a preemptive threading interface for the PowerPC. This has been quite rewarding, leading to me learning about the low-level implementation of locks and threading for PowerPC machines. I am still working on mini-broadway as we speak, even!
Alright, this is going to be a big section (even bigger than the others, haha) because I’ve got a ton of things to talk about here. I guess I should try to do somewhat chronological order.
Zerstören is a MML toolkit for the internal PC speaker. It compiles and plays back MML files using either a physical PC speaker (only available on Linux) or an emulated PC speaker. I made a few songs with Zerstören and put them in a separate repository (pcspkrmus). Quite a fun tool, uses arpeggios for 2 channel output.
SPARK was a small project between TheLemonMan and I to rip apart Dead or Alive Paradise (horrible game, by the way) and steal all the datafiles. We pretty much succeeded, and we can unarchive all the files.
OpenMem was an aside of mine to write a virtual memory manager. Quite a fun project, and useful enough.
No, not crediar’s twitter This was the first public tool for mini-broadway that wasn’t just an example. It’s a simple ELF loader for BootMii with reload support.
I know I’ve mentioned Jouhou before, but I finally added a real polygon renderer written by myself with the assistance of austere. Runs pretty well
Over my period of no blog posts, a friend of mine introduced me to a doujin shmup called ring^-27. I greatly enjoyed this game, and set to rip out the music files. The format was quite simple, and so I wrote an archive extractor for it and called it ring^-3^3 (hurr math).
After we had finished our work on the ICS2115, I felt more in the mood for sample-based synthesis, so I decided to create my own synthesizer using samples. The end result was BSampler, a simple synth with envelopes written in C++ and licensed under the MIT License.
I was bored one day and asked the folks in #HACKERCHANNEL what I should code/reverse engineer. TheLemonMan pointed me at some noob on GBAFail who wanted a tool for the .gtd format. Seeing as none existed, I looked at it a bit and determined it was a very simple palette-based image format and wrote a tool that extracted it to PNG.
sooparse is a parser for a C subset called SOO (Simple Object Orientation for C). I designed the language and the parser is quite simple. It uses both vtables and regular functions for a combination of speed and versatility. I used this tool for CR2010 and my upcoming STG.
toolchaingen takes a simple script’s input and transforms it into a bash shell script that can be used to build a toolchain. It was based upon the original buildit.sh by segher.
PSPRoad is currently an old-skool 2D road effect demonstration for the Sony PSP. It is planned to eventually become a full game, but this won’t happen until I figure out how I should properly handle hills…
This tool is currently just an extractor for the archive files used in the soul calibur games (.olk and .pkg files), and a converter from CriWare ADX files to WAV. Not much interesting here…
Unfinished STG #4
Yet another STG! This one has more emphasis on having a well thought-out design and being as close to a commercial STG as possible. Design has been stalled due to a lack of competent artist.
And now I’m out of stuff to talk about. Hopefully I’ll update more now that it’s so easy to do so! I hope you enjoyed this post, as it took days to write.
As you can see I’ve got a shiny new domain name, and I’ve finally trashed the ugly old text blog for WordPress. If you want to see the old entries, they’re still available at http://daifukkat.su/oldblog.txt. Hopefully WordPress will motivate me to update this a bit more, haha. I’ll probably write up what I’ve been up to over the next few days.