A9VG电玩部落 Forum


Latest 3.3 update contents intel -- foreign hacker analysis [updated progressively with the latest analysis results]

OP | Posted 2008-6-17 13:32 · Beijing
Breaking news (har har har)! Check back for updates.

Several pieces of Nintendo system software have been updated:

====== Titles Changed ======

SystemMenu
Title ID: 00000001-00000002
Version: 0x 161
Size: 23511040
Contents: 9 (of which 6 are shared)

IOS30
Title ID: 00000001-0000001e
Version: 0x a10
Size: 1933312
Contents: 15 (of which 14 are shared)

IOS31
Title ID: 00000001-0000001f
Version: 0x a10
Size: 1933312
Contents: 15 (of which 14 are shared)

bc
Title ID: 00000001-00000100
Version: 0x 4
Size: 98304
Contents: 2 (of which 0 are shared)

mios
Title ID: 00000001-00000101
Version: 0x 8
Size: 262144
Contents: 2 (of which 0 are shared)

Channel 'HACA'
Title ID: 00010002-48414341
Version: 0x 5
Size: 8290304
Contents: 7 (of which 3 are shared)

I’m currently disassembling these to see what has changed. Please do not pester me about this or ask what our response will be; this isn’t exactly easy or quick. Comments will be enabled once I’ve completed my analysis.

Update 1: IOS30 and IOS31 have been changed — specifically, the kernel. The old timestamps read:

$IOSVersion: FFS: 06/08/07 18:10:10 64M $
$IOSVersion: ES: 07/10/07 18:11:26 64M $
$IOSVersion: IOSP: 06/25/07 14:17:16 64M $
The new timestamps read:

$IOSVersion: FFS: 06/08/07 18:10:10 64M $
$IOSVersion: ES: 07/10/07 18:11:26 64M $
$IOSVersion: IOSP: 04/03/08 19:37:33 64M $
It’s interesting that Nintendo bothered to update the IOSP timestamp, because the only change I see in IOSP is that the version reported changed (there’s a variable that stores the value "040308"). They’re trying to be clever; the actual bug fix was in ES, where the encryption code lives.

The strncmp signing bug has been fixed in IOS30, which is what the system menu uses. (The new signature-checking code is identical to that in IOS37.) This probably means that it will no longer boot Trucha-signed discs, but I have not yet tried it. Early reports on IRC indicate that the Homebrew Channel still works; this is consistent with my understanding that the system menu does not verify the content of already-installed content.

I don’t know why IOS31 was patched.


Update 2: Okay, now this is just silly. Two functions have been added to the system menu. Guess what they do:

ipl::utility::ESMisc::DeleteSavedata( (unsigned long long, EGG::Heap *))
ipl::utility::ESMisc::VerifySavedataZD( (unsigned long long, EGG::Heap *))
WADCheckSavedataZD
We Are Not Impressed.


Update 3: They wrote a special-purpose function to try to check for the exact exploit we used — specifically, if a savegame is for Zelda, it checks the length of 6 strings inside the savefile (two of which are the player name and horse name). It repeats this check for all 3 saveslots, and then another three times for all 3 backup slots.

No, we do not have a response to this yet; we will probably take a few days to formulate one. I predicted Nintendo would *not* do this; I’m disappointed. This was the first bug we found, in the first game we tried. We’ll find others, and they’ll have to try to catch up to each.

I’ll open up comments, but please only post if you have something constructive to say.



Update 4: It’s interesting to look at the timestamps here. The System Menu has a build marker of "systemmenu.rvl.0803060727" – yes, that’s March 6, 2008, 07:27. This update to the menu only accomplished one thing, as far as I can tell — the blocking of the TP hack. (I guess we can count the IOS30 patch together with it.) They spent 3 months testing it — this isn’t actually that surprising, when you consider the potential financial damage if they roll an update out that bricks Wiis.

Congrats to tmbinc and tehpola for finding a combination of two bugs in the code that Nintendo added that — when combined — allow us to fool their check into ignoring the TP hack. More info will be forthcoming — I still wouldn’t rush to update my system, anyway.

This still leaves the issue of how to deal with IOS30; there are several different ways to deal with this — some of which have already been released by people — and we’ll need to take some time to decide on the best one to use and test it thoroughly. There’s no urgency here, no need to rush into something.
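As an added illustration of the "strncmp signing bug" the post mentions (example code written for this thread, not code from the quoted blog or from any Wii firmware; the function names are assumptions and the digests are constructed, not real hashes): a C string comparison stops at the first 0x00 byte, so it cannot be trusted to compare raw hash bytes, and the fix is a full-length byte comparison.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20 /* a SHA-1 digest is 20 raw bytes, not a NUL-terminated string */

/* Vulnerable pattern: a binary digest handed to a string function. strncmp
 * stops at the first 0x00 byte, so two digests sharing a leading 0x00 byte
 * compare "equal" whatever the other 19 bytes hold. (Assumed function name.) */
static bool digest_equal_strncmp(const uint8_t *expected, const uint8_t *actual)
{
    return strncmp((const char *)expected, (const char *)actual, SHA1_LEN) == 0;
}

/* Fixed pattern: memcmp checks all 20 bytes and treats 0x00 as ordinary data. */
static bool digest_equal_memcmp(const uint8_t *expected, const uint8_t *actual)
{
    return memcmp(expected, actual, SHA1_LEN) == 0;
}

/* Hardened pattern: same answer as memcmp, but the loop always runs over all
 * 20 bytes, so timing does not reveal where the first differing byte is. */
static bool digest_equal_ct(const uint8_t *expected, const uint8_t *actual)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < SHA1_LEN; i++)
        diff |= expected[i] ^ actual[i];
    return diff == 0;
}

/* Constructed digests, not real hashes of anything: A and B share only the
 * leading 0x00 byte; C equals A except for its last byte. */
static const uint8_t DIGEST_A[SHA1_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x04 };
static const uint8_t DIGEST_B[SHA1_LEN] = {
    0x00, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde,
    0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe };
static const uint8_t DIGEST_C[SHA1_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x05 };

int main(void)
{
    printf("A vs B  strncmp=%d memcmp=%d ct=%d\n", digest_equal_strncmp(DIGEST_A, DIGEST_B),
           digest_equal_memcmp(DIGEST_A, DIGEST_B), digest_equal_ct(DIGEST_A, DIGEST_B));
    return 0;
}
```

The same mistake applies to any binary value (keys, MACs, nonces) passed to strcmp/strncmp/strlen-style functions; the defensive check in review is simply "is this buffer a string?"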

Posted 2008-6-17 13:43 · Shanghai
Oracle bone script...........................................

Posted 2008-6-17 13:46 · Shanghai
Ancient script...........................................

Posted 2008-6-17 13:50 · Jiangsu
Alien script.............................................

Posted 2008-6-17 14:07 · Beijing
Script from another dimension.............................................

Posted 2008-6-17 14:16 · Guangdong
Writing of an unknown civilization......

Posted 2008-6-17 14:24 · Shanghai
Standard Martian script…………

Posted 2008-6-17 14:36 · Unknown location
IOS31 has been patched, analysis not finished..
The only change in IOSP is the reported version...
The bug in ES has been fixed....
IOS30 strncmp signing bug fixed

This probably means Trucha-signed discs can no longer be booted, but I haven't tried yet. Earlier IRC reports say the Homebrew Channel is OK; this matches my understanding that the system menu does not verify already-installed content....

And so on~

Posted 2008-6-17 15:51 · Zhejiang
It's English, haha. Turns out the folks above are just like me and can't read the alien script either..

Posted 2008-6-17 16:49 · Shanghai
Floors 1 to 6~ all muted for 6 days!!!!!!!!!!!