How do People Hack Into Game Consoles?

Breaking into game consoles is no easy game. These ‘hackers’ aren’t just people who excel at using computers: they have mastered the craft of reverse engineering computer software, and in some cases hardware, in order to search for vulnerabilities that were unintentionally created by the original developers of the game console.

When you think of all the game consoles that have been released onto the market, most if not all of them have had their security measures bypassed or circumvented in order to run code or play game backups, neither of which was originally intended to be possible. Many of them have even been reverse engineered to the point where you can play their games on your computer using emulators, which have extended functionality that can even improve the experience of your game.

You might wonder where somebody would even begin to look for vulnerabilities in the console’s code, and this is the hardest part of the process. Using the knowledge they have of the operating system, they will make guesses as to where they might find a ‘point of entry’. The end goal of a hacker is to gain access to the console’s firmware, usually stored on something called the NAND (a type of flash memory like a hard drive). Some things should be quickly explained first, though.

Sometimes there’s a ‘crack’ in the surface of security

Let’s pretend that you are playing games on your 3DS: all of these menus that you’re able to navigate are what’s known as the ‘userland’. This is the software in running memory that the user is allowed to access, as designed by the company that created it. Inside the userland is where a hacker will attempt to make use of a vulnerability in the code by writing an exploit: a piece of code that takes advantage of said vulnerability and carries an attached payload in order to carry out some operation. Depending on what kind of vulnerability this hacker has found, they will be able to do different things with it and access different levels of a system.

In order to decrease the chances of having computer code tampered with, operating system developers implement something called ‘sandboxing’, which isolates certain parts of their software from others while it is in memory, mostly in an attempt to prevent you from accessing the system’s firmware. Think of it as a sandbox in the middle of a playground. Your ability to play games and change system settings would be the same as building sand castles, which can only be done in the sandbox. Once your 3DS reboots, your ‘sandcastles’ will be zeroed out, while the rest of the playground (the firmware) stays in control.

Sandboxing prevents other programs from accessing your device’s sensitive data

Now that you have some understanding of what a sandbox is, you can understand the two types of vulnerabilities that are usually found on consoles: one that is inside the sandbox, and one that is not. A vulnerability found inside a sandbox is useful during the run-time of a system. You’ll be able to run your own programs on the system while it is running, but you will not be able to directly access things like the SD card reader or cartridge slot, since those are not explicitly allowed ‘inside the sandbox’. Plus, once the system is rebooted, the memory holding a running program (such as a sandboxed game) is cleared, so any modified values or added code will be reverted, meaning you will have to run the exploit again in order to continue running your code. In the case of modified system firmware, if the system is upgraded to a stock firmware, you will very likely have to install a new version of the modified firmware. However, when a hacker finds a vulnerability in the software that dictates how to make a sandbox, commonly known as the hypervisor, they are free to access the rest of the kernel, with the ability to change the system firmware and modify any of the system’s code, allowing for the creation of custom firmware.

Finding an iPhone’s ‘JTAG’ to gain access

For a hacker to be able to search for vulnerabilities, physical access to the board inside the console may sometimes be required. They can modify the board so that they can monitor what is happening in the memory of the running system, which is usually protected but can still be tampered with. By abusing the way data is stored in program variables, using what are known as buffer overflows, hackers may also be able to find high-level vulnerabilities which can allow them to extract essential system files. While it is a simple mechanic, it allows execution of custom computer code. After retrieving the files they need, hackers can then analyze their low-level code (such as assembly or hexadecimal) in order to continue their search for faults in the code.
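To make the buffer overflow mechanic concrete, here is an added example (not from the original article) showing an unchecked copy next to a bounds-checked one. The `save_slot` layout, the function names and the 17-byte input are all constructed for illustration; the buffer and the flag behind it live in one array so the out-of-bounds write is well-defined and safe to run.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout: a 16-byte name field followed directly by a
 * one-byte "trusted" flag, modelled inside a single array. */
#define NAME_SIZE   16
#define FLAG_OFFSET NAME_SIZE
#define ARENA_SIZE  32

typedef struct { uint8_t mem[ARENA_SIZE]; } save_slot;

static void slot_init(save_slot *s) { memset(s->mem, 0, ARENA_SIZE); }
static int slot_trusted(const save_slot *s) { return s->mem[FLAG_OFFSET] != 0; }

/* Flawed: trusts the caller-supplied length instead of NAME_SIZE. */
static void set_name_unchecked(save_slot *s, const uint8_t *src, size_t len) {
    if (len > ARENA_SIZE) len = ARENA_SIZE; /* keeps the demo inside the array */
    memcpy(s->mem, src, len);               /* can run past the name field */
}

/* Hardened: rejects input that does not fit, leaving room for the NUL. */
static int set_name_checked(save_slot *s, const uint8_t *src, size_t len) {
    if (len >= NAME_SIZE) return -1;
    memcpy(s->mem, src, len);
    s->mem[len] = 0;
    return 0;
}

/* Feeds the same oversized input to one of the two copies and
 * returns the state of the adjacent flag afterwards. */
static int demo(int use_checked) {
    uint8_t input[NAME_SIZE + 1];
    save_slot s;
    memset(input, 'A', sizeof input);       /* constructed 17-byte input */
    slot_init(&s);
    if (use_checked) (void)set_name_checked(&s, input, sizeof input);
    else set_name_unchecked(&s, input, sizeof input);
    return slot_trusted(&s);
}

int main(void) {
    printf("unchecked copy -> trusted=%d\n", demo(0));
    printf("checked copy   -> trusted=%d\n", demo(1));
    return 0;
}
```

The one extra byte is enough to change a value the input was never meant to touch, which is why length checks belong at every copy into a fixed-size buffer.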

An example of how a hacker may implement a technique known as ‘ROP Chaining’

Breaking into a game console is no easy job, requiring many levels of experience in computer programming and a deep understanding of how computer system software interfaces directly with its hardware. With this knowledge you are only given hints as to where to look when searching for a way in. Given the many techniques that exist to bypass security measures (such as exploiting race conditions, XSS vulnerabilities and ROP chains), there is almost always a way into a console or machine despite their meticulously designed layers of anti-tamper technology.
