Hacking Systems Weblog

Found that videos from the 25th annual Chaos Computer Congress are making their way to people via Bittorrent feeds - w00t!  It’s great news for those of us who could not afford to fly out there and experience the CCC this year.  (sigh) One day….

As soon as I get some of the vids that really grab my attention, I’ll post a few here for download- just like last year ; ).

Check the Pirate Bay for a good selection of those vids: HERE

Here’s the official 25C3 links:
Events Blog entries
PDF copy of the events (presentations) list
Official page on 25C3 video streaming

We all know that there’s tons of fake “proof” vids posted on YouTube.  So, when you see a video showing something that looks plausable (or too incredible) you can’t just blindly press that “I Believe” button - just because it’s “recorded” via video.

Alrighty… I’ll admit it.  Sometimes I see stuff on YouTube that makes me go - hmmmm… and I wonder if that’s really, ya know, REAL or not.  Well, I had to check out the facts presented in the video titled, “Menorah as Wii Sensor Bar” (YouTube).  It shows someone claiming to show that their Chanukah menorah (Note: Any rabbi worth his/her salt would rule the usage of the chanukiah as a sensor bar as unkosher for the season of Chanukah) acted as a sensor bar for their Wii.  I checked around for other videos and saw others reporting successes, but still thought it might be a prank.  However, my curiosity got the better of me.

I snapped up two small tea candles and set them on top of my TV.  I lit both and backed up with a Wiimote in hand - and guess what… It works - sorta.  It turns out that the “sensor” bar the Wii comes with is not really a sensor.  It sends no data down that little cord - the cord just provides power to the 10 infrared light sources in the bar.  Wheras the Wiimote reads it’s relative position from any given (and strong enough) infrared (IR) source in front of it and transmits it’s coordinates in space directly to the Wii.  The only trick with your chosen IR source is that you need something with a little power to it.  Two (or even one) tea candle will work from a short (roughly 5 feet) distance.  But for better results get a candle that will give you a nice strong flame.  That way, you can back up a bit due to the larger flame / IR source.

Another thing I noticed was that the aim was a little off, but was consistent, when I used candles.  It’s still playable tho - you just need to calibrate your play to take into account any oddball angles your Wiimote reports back to the Wii.

With the recent update of my two modded Classic Xbox systems to the newest versions of XBMC, I’ve noticed a couple of old bugs creeping back into the T3CH distro.

Last month I downloaded the “Atlantis” (XBMC-8.10-FINAL-T3CH-PROPER) installation and tried it out on one of my old modded Xboxen.  Everything seemed to work fine, but then I noticed a problem when I tried playing any video file - everything froze.  The issue seems to be with the codec pack included with this specific distribution and I didn’t have the time to bugger about with replacing them and recompiling the whole package - so I upgraded to “XBMC-SVN_2008-12-07_rev16491-T3CH.”  It fixed the video playback problem, but came with it’s own glitch - the inability to let the user change the locations in the weather application.  While I didn’t exactly discover WHY this bug keeps reappearing every few versions, I did figure out a “quick” work-around:

Caveat: My installation is the typical softmod install where C: holds all the boot items and E: holds all of my applications.  Modify the drive addresses according to your installation.

1. Go to /E/Apps/XBMC/UserData
2. Download “guisettings.xml” to a machine you can edit it with.
3. Use your favorite text editor (I use Notepad++, another good one is NoteTab) and scroll down until you hit the <weather> area.
4. Manually change the three <areacodeX> entries, obey the format provided or your weather locations will not work.
5. To find your Weather.com code use Google:

YOURCITY site:weather.com
Usually you’ll find the right code in the first page of hits, ie: “virginia beach site:weather.com” popped up with over 6,000 hits.  The URL for number three had the code: www.weather.com/weather/tenday/USVA0797

6. Save the edited file and upload back to the same location you snagged it from.
7. The changes should work immediately, but if not check your DNS settings (set it to an OpenDNS server: 208.67.222.222) and try a reboot.

Who knows, I might get off my duff and merge portions of the two previously mentioned distributions and create one good stable one ;P.

Previous entry on XBMC issues and my personal fix: HERE
My “Mod This Old XBOX” PDF: HERE

A couple of days ago a hardware hacker, known as Royginald (old alias “rOyg1nald”), “hacked” a PSP-3000.  The thing is, the hack is not something that you would just run out and try - he performed his modification by removing the CPU from a PSP-3000 and replacing it with the CPU snagged from a PSP-2000.  Note, it also appears that he’s done this trick before. This unorthodox method for modifying a PSP has a disadvantage: the “Brite” screen do not seem to work with the older CPU.  One forum entry I read blamed the screen problem on a lack of support (drivers) in the 5.00 M33 custom firmware we was running.  But wait, I want to know how he got a custom firmware on that “FrankenPSP.”  Sure, he solders the older CPU on there but the F-ROM still had OFW 4.20 already flashed on it.  And to my knowledge 4.20 is not a flipable firmware (unlike OFW 2.01~2.60 - see GTA Liberty Cities hack).

According to his first video, despite the swappage of the CPU, Royginold shows that the Pandora trick still does not work.  Riddle me this, if Pandora is a non-starter then how did he get CFW 5.00 M33 on there…?  Also, since Pandora does not work (despite the older CPU) this leads me to believe that there is something else other than just the IPL (that segment of code mentioned in an earlier post, first characterized and discussed by Dark_AleX) at work here.  Royginald appears to believe that there may be another IC on the motherboard that interferes with the service mode boot that the Pandora causes.  If this pans out, then I might be right in my earlier thoughts concerning a difference in how a regular PSP battery and a modified Pandora Battery work - and that difference being the reason why the new motherboard can tell which is inserted at any given time.  Who knows, I might also be waaaaaay off ; ).  Gotta love the challenge though.  Ah, I just found a link detailing someone else’s ideas about the batteries at SCENERS.ORG.

Despite the lack of video on the “Brite” screen you can still use the component out cable to connect one of these modded PSPs to a TV and sound system - strangely, audio does not sound using the built in speakers after the CPU swap but it works via the component cable.  And thanks to some earlier work (late 2007) by TyRaNiD you can also use RemoteJoy to plug the modded PSP-3000 into a Windows box and pass the video on to your monitor.  Royginald used both methods to verify that his “FrankenPSP” works perfectly well (outside of the audio quirk noted previously).

To see Royginald at work, check the following YouTube videos (chrono order):
#1 - PSP Battery Hardware Modded <– Don’t get excited, the unit is a PSP Slim, not a PSP Brite.  This video was originally shot in October 2007, but it’s still pretty interesting.
#2 - PSP-3000 Hacking
#3 - PSP3K Hacked
#4 - PSP3000 CFW RemoteJoy

I was curious as to why the Pandora battery does not work on the PSP-3000 and PSP-2000s with the TA-88v3 motherboard.  And once again, Dark_AleX was there to provide a piece of the puzzle.  His article, linked HERE, is the only document that actually breaks down the processes that the PSP firmware and hardware go through during the early portion of the system boot.  Here’s the quickie version:

When you turn on a PSP the POST process checks for information in two locations - either on the small amount of memory found on the inserted battery, or on an inserted memory stick (if there is one).  Some of this boot data is ignored by older motherboards, but on the newer motherboards that same previously ignored segment is meaningful, to the CPU.  The trick is, without the correct information in that tiny bit of data the system will enter into an infinite loop and be useless…

The write up is cool and all, but I still am pondering how the new motherboards sense the altered Pandora battery without the system being properly booted.  For a video of what I mean check out FreePlay’s Pandora Battery Video.  Also, the write up does not address when a system is booted without a battery or memory stick inserted (system boots from wall power).  The lack of the data from the memory stick and battery says to me that the required information is either ignored completely (can’t find it, oh well) or is stored at a third location (mobo ROM?)…  Does anyone know if the Pandora Battery alters the signal / power flow on one of the three copper battery contacts?  I have a trusty Fluke multimeter - but don’t have thin enough leads to read from a loaded battery : /.  Wonder if an oscilloscope might be useful at this point - but that would require me to break open my virginial PSP-3000.  Hmmmm…

For those who might be bored enough with life to wonder about all the various custom PSP firmwares, someone was nice enough to post THIS article in Wikipedia (note, it does not include the latest firmwares).

I decided to update my trusty 3.40OE Phat PSP.  The part that I did not realize was that you can’t directly upgrade from 3.40OE to 5.00 M33-3 (sadhat).  I had to whip out my homemade Pandora battery (updated last with 3.71 M33-2) and do it old-skewl.

Then I installed 5.00 M33-3 [Full version available HERE] and added Dark AleX’s 1.50 Kernel Add-On for the PSP Phat.  Sadly, some of the old homebrews that worked perfectly in 3.40OE are not working, despite the 1.50 kernel add-on.  Will see if there is a step that I missed… Don’t think so tho…

I have owned my “Phat” PlayStation 2 since the console came out, so I have no issues with modding it (no reasonable warranty to worry about here).  Yesterday, I was lucky enoughto find a copy of Action Replay MAX for the PS2 (whoohoooo!) at the same place I picked up that PSP-3000 (see earlier entry).  Figured I would attempt the PS2 softmod I have been hearing about recently.  Check out these three YouTube links to see the instructions I will be relying on: YouTube 1, YouTube 2, YouTube 3 - or - Download a higher quality episode of Infinity Exists Full Disclosure # 22 HERE (268M).

Needed Hardware:
- A classic “Phat” PS2 system
- An old PS1 game (I will be using WipeOut XL)
- PS2 memory card (One was included with Action Replay Max)
- A USB thumb drive

Needed Software:
- PS2 Memroy Card Exploit & Codebreaker tools - Local or at MegaUpload (2.6M)
- Lord Bogami’s HDL Dump GUI 2.1 - Local or at McBeth.sksapps.com (781K)
- HDL Server 0.8.5 - Local or at McBeth.sksapps.com (57K)
- IDGet - Local or at Admiral.net (5K)
- Titleman FrontEnd - Local or at Admiral.net (118K)
- PS2Save Builder - Local or at Admiral.net (127K)

[EDIT]
It seems the choice of using WipeOut XL may have been a bad one.  Will see if I can dig up some of my other old PS1 games… from somewhere ; P.  Oh, and joy upon joy, the one list of compatible games seems to have disappeared : /.  Might give up on this one in a day or so.  All I want to do it load images of my games onto the 40G HD I have in my Phat PS2 - my optical drive is getting flakey in it’s old age.

Good Related Links:
PS2-Compatible HDs - http://ps2drives.x-pec.com/?p=list
Using Action Replay MAX - http://ashholt.googlepages.com/ps2softmod

I finally got around to installing the free version of Yellow Dog Linux 6.0 on my PS3.  Looks pretty good.  Some of the issues I had with my display clipping the bottoms off of some of the install screens has been fixed.  And installation may now run without the use of a specially loaded MemoryStick - all you need is now on the YDL disk.  W00t!  No more searching for the “otheros.self” file and other tidbits for n00b installers!!

If you are interested in installing YDL 6.0 on your PS3, check out the following links…

Mirror repository (I used a very zippy Oregon State link):
http://www.terrasoftsolutions.com/support/downloads/

Terra Soft Solutions’ Official Install Guide:
http://www.terrasoftsolutions.com/support/installation/ydl6.0_ps3_guide.pdf

Alright…  I went out and bought a PSP-3000 (aka: PSP Brite) - against my better judgment.  It’s a nice enough system but it seems to have an issue with visible interlacing - which seems to be most noticeable when the system has to rapidly move graphics around (ie: games and movies).  Opinion on the street is mixed whether there will be a fix for the new screen.  Some believe that it can be fixed with a firmware update, others think that it is a hardware issue which will plague the system for all time.  Seems Sony is reporting the annoying flicker as a “feature.”  This really sucks…  Sony really can’t afford to put out a buggy product - especially since the PSP-3000 is it’s third time out with the console.

My opinion of the PSP-3000 is “feh.”  I had hoped against hope that the new version would finally allow me to connect to the internet via WPA2 (and very long passphrase - wardrive me, please), but no (le sigh).  So, if you are looking to pick up a PSP - grab a different model.

The good news is, there are already a slew of (cheaper) PSP-2000 units already out there.  Grabbing an older model will mean that you don’t have to deal with the extra baggage of a year old game (Ratchet & Clank) and (IMO) a crappy UMD movie (National Treasure 2).  Plus, many of the PSP-2000s are still hackable.  The PSP-3000 units appear to have a “new” motherboard which has, so far, dodged successful hacking (no, the Pandora Battery does NOT work).   I don’t believe that the Japanese PSP-3000s with the “TA-090″ motherboard are hackable (see the link below for a picture of one such motherboard), since there have been no reliable accounts of modification of those specific units.  And, sadly, you can’t see the motherboard version without cracking it open : /.

Have to see if anyone wrote any deep technical articles on why the Pandora Battery worked in the first place. I’d like to know if the PSP-3000 looks for a voltage on one of the three contacts, but does not get one on a modified battery…  (/me casting about)

For those who would like to look at some detailed shots of the PSP-3000’s guts - check the link below:
http://pc.watch.impress.co.jp/docs/2008/1016/psp.htm

Dark Alex’s write-up on the problem with the TA-088 v3 motherboard (may relate to the PSP-3000 motherboard):
http://www.qj.net/Dark-AleX-explains-why-PSP-TA-088-v3-cannot-be-hacked-yet/pg/49/aid/124620

[EDIT]
I just tried using Dark Alex’s TA-088 v3 identifier on the PSP-3000 and it does not work-around the Pandora failure.  I was kinda hoping that it might have an effect, but it doesn’t.  For those who are using DA’s program to check their PSP-2000 motherboards and are wondering if their usage of “msinst.exe” worked, check this:

X:\>msinst.exe k k:\ipl390.bin
PSP MS IPL Installer
Load IPL code k:\ipl390.bin
151552 bytes(37 block) readed

Target DRIVE is 8
Check partation Sector
boot status        0×80
start head         0×01
start sec/cyl    0×0012
partation type     0×06
last head          0×3F
last sec/cyl     0xB7E0
abs sector   0×00000810
ttl sector   0×001DB7F0
signature        0xAA55
Check BPB Sector
signature        AA55
Check free reserved sector:OK
Write ABS Sector 0×10 to 0×137
Are You Sure ?[Y]y
Write MS BOOT CODE

The items in bold will have another value if you were not successful.  If everything looks the same, you should be good.

W00t!  While I was participating in the latest Sploitcast episode recording the topic of the latest PSP firmware being hacked came up (thanks Walcy).  Took a couple of minutes to grab the needed files and get the update started.  I chose my Slim as the guinea pig and updated from a hacked 3.95.  I ran a couple of small (older) homebrews and everything appears good to go.  Will post anything odd.

For everything you need, download THIS RAR file (26 megs).

Oh, I’ll be trying the latest PS2 softmod sometime this week.  Details laters ; ).