
Console Hacking

By Jake Carroll
10:04 Aug 4, 2008
Tags: Console | Hacking
Nintendo DS Homebrew
Many people consider Nintendo’s DS to be the current top dog in the homebrew scene. Through the use of Dynamically Linked Device for libfat (DLDI: http://dldi.drunkencoders.com/index.php?title=Main_Page), it is very easy to gain R/W access to a local filesystem and shared memory in the pocket rocket. Using DLDI, we can easily manipulate anything we put onto a flash cart. Many flash carts exist, such as the M3, R4, ACESuperCard and CycloDS. Some of the more advanced carts, such as the Cyclo series, support automatic DLDI, so you don’t need to load patches or install the DLDI loader in order to use the majority of homebrew applications. The ability to read and write into any memory space also opens up other possibilities, to the point where we can run entirely different operating systems on the NDS. DSLinux is a prime example.

This, of course, is only the tip of the iceberg. We’ve already seen other tools and emulators appear for the device, such as SNemulDS (a SNES emulator for DS) and ScummVM DS. We expect Nintendo 64 emulation capability shortly.

PSP Homebrew
PSP homebrew had a strange start to life. The first exploit for the system wasn’t discovered through buffer overflows or unsigned code execution, but through a game with some slightly lax network security. WipeOut Pure allowed the end user (with a little bit of imagination) to spawn a web browser and then navigate practically anywhere on the PSP’s filesystem. This in itself allowed us to ‘see’ for the first time the UMD format structure, as well as the native bootloader the PSP used, EBOOT. Once the EBOOT binary (EBOOT.bin) was extracted from the WipeOut Pure UMD, it was loaded onto a memory stick, made executable, then run atop some demo code (a simple ‘Hello World’ style application). Because Sony’s PSP v1.0 firmware had no code signing checks, this unsigned code ran without problems. The PSP brew was then available on tap.

As of firmware 1.50, there were two obvious ways to run homebrew. One was through Swaploit and one was through the now infamous KXploit. Swaploit was phased out fairly quickly, as it was unsafe, in favour of the KXploit. None of this went unnoticed, however. On June 25th 2005, Sony released its 2.0x series firmware. As expected, nobody wanted to update their fully customised/hacked/modified PSPs, as the 2.0x firmware implemented code signing. Sony realised people would not want to upgrade for this reason, so they gave them some wonderful incentives: Sony released a full web browser and HTML parser for the PSP. Was it enough to stop the modders? No. What followed was a game of cat and mouse, most of which involved the now beloved TIFF-based image binary exploits used to ‘crash’ the PSP into a vulnerable state in which unsigned code could run.

As time progressed, the 3.0 firmware made an appearance. Again, ways were found to run favourites such as ScummVM and browsers... even abandonware/ROMs from other consoles, one of the best known being Daedalus, the Nintendo 64 emulator for PSP!

More and more effort has been put into porting every possible environment and engine to the PSP. MAME, Neo Geo Pocket, NES, SNES, Sega Saturn, WonderSwan et al. were all cross-ported to the PSP for abandoned/retro gaming pleasure. It hasn’t stopped there, however, with a host of productivity software still being written for the system.

This, however, is where it all gets sad. As of firmware v3.51+, we have no known methods of running homebrew or unsigned code on the PSP without physical persuasion. What, then, is required to run a homebrew app on your shiny new PSP or PSP-Slim with v3.51+ firmware? Pandora’s Battery.

A Pandora’s Battery is a PSP battery that has the first logical byte offset in its EEPROM set to 0xFFFFFFFF. When the PSP initialises with this EEPROM value present on the battery, the service/diagnostic mode of the PSP is entered. In service mode (think of it like safe mode for the NT kernel), driver signing, let alone code signing, isn’t taking place. It doesn’t matter what firmware you are running at this point; you can do what you like. This is as much a physical mod as it is a software mod.

Of course, if you don’t feel like destroying your PSP battery, there is an easier way to put a PSP with v3.51+ firmware into recovery/service mode. Datel provide a pre-modified battery for just such a task.

This article appeared in the July, 2008 issue of Atomic.
