Game Console Protection and Breaking It


Nezer Jacob Zaidenberg
Copyright: © 2020 | Pages: 13
DOI: 10.4018/978-1-5225-9715-5.ch031


This article surveys protection and attacks on various game consoles. Game consoles are a special kind of embedded system that is used primarily for entertainment. Virtually all game consoles include means for digital rights management (DRM) and virtually all have been attacked. The chapter describes the various motivations behind these attacks, the way the console manufacturer acted, and the way the hacking community reacted. This article is based on lectures published by the actual hackers of the machines describing their efforts. The article summarizes the hackers' activities on multiple consoles over the last 20 years and does not focus on a specific bug or exploit.
Chapter Preview


Consoles are a type of embedded system. Consoles offer processing capacities similar to a high-end PC.

However, unlike PCs, console hardware is geared entirely to running video games. At the time of release, consoles offer CPU, RAM, graphics capabilities and hard drive capacity comparable to a gaming PC. Furthermore, most consoles are cheaper than a comparable PC because the manufacturers subsidize them: they sell the game consoles at a loss. Instead of profiting on console sales, the consoles' manufacturers profit when the users buy games.

Tools to attack the copy protection on consoles are as old as consoles themselves. However, the rising popularity of recent consoles has turned the manufacture of modchips and tools to break game console copy protection into a flourishing business. As piracy is illegal, there are no official figures. However, the market size is significant. Console modchips cost roughly 50 USD apiece. Console sales often reach quantities of 40M to 100M units per model or even more in some cases. Most of these consoles are fitted with a modchip at some point. These figures suggest that the modchip industry is a multibillion USD industry.


It is of course illegal to pirate games. However, it is legal (fair use) for the end-user to modify equipment that he (the end-user) owns. Such modification can be, for example, installing modchips or software, provided the goal is not running pirated software but running homebrew code or Linux. It is also legal for the end-user to create backups of CDs that the end-user owns. (Playing a backup CD is identical from a technology standpoint to playing a copied CD.)

Installing modchips creates a loophole because, in the United States and other jurisdictions, thanks to the Digital Millennium Copyright Act (DMCA), it is also illegal to create devices whose sole purpose is to break DRM (such as modchips) even if no piracy is committed. So, in the United States, selling modchips designed to copy games is also illegal. Other countries have different laws and, in some jurisdictions, selling modchips may be legal. This chapter focuses on the technology of attacks and defenses. The complicated international legal aspects of DMCA and game consoles are beyond the scope of this chapter.

Usually, modern console attacks no longer require modchips. However, it is worth noting that in 2011, Sony sued George Hotz (geohot) over DMCA violations regarding published PS3 attacks without using any modchip or hardware modifications.

The case was settled outside court, and Hotz committed not to hack another Sony product.

However, even software-only attacks (i.e., running code that the user has written on an embedded device that the user owns) may result in legal action in the USA.

Key Terms in this Chapter

Digital Rights Management (DRM): A software subsystem designed to allow rightful users to use contents (games, media) they paid for and disallow illegal use of contents the user has not paid for. DRM is mainly designed to limit the end-user, and as such, DRM software is not liked by the users.

Trusted Computing (Trusted Systems): Trusted systems are systems that are supposed to behave in a certain predefined way (for example, verify DRM). Local and remote software can attest that the system is indeed a trusted system before executing code.

Digital Millennium Copyright Act (DMCA): A United States law that defines what constitutes fair use by the end-user and what constitutes piracy or DRM violation. The DMCA criminalizes production of devices whose sole purpose is breaking DRM.

Chain of Trust: Group of computer components that starts at a trust nexus. Through a series of operations, each component in the chain adds functionality and verifies the next component. Thus, if the nexus can indeed be trusted then the final component can be trusted as well.

Homebrew: Software that the end-user codes and/or compiles for his own (and his friends') device. This software is not sanctioned by the device manufacturer, who receives no royalties.

Console: An entertainment system designed to play video games (e.g., Microsoft’s Xbox or Sony’s PlayStation).

Modchip: A hardware device that is soldered on top of an existing product's PCB, replacing some chip. Usually, the modchip is designed to remove or disable the chip that handles copy protection.

Data Execution Prevention (DEP or W^X): A paradigm that dictates that memory pages can have either execute or write permission but not both. Data execution prevention prevents self-modifying code and also attacks on the running code itself (exploiting buffer overflows and similar attacks to force the code to rewrite itself). DEP is a critical feature in almost all modern operating systems.

Hypervisor: Software package and hardware support for running multiple operating systems on the same hardware (e.g., VMware ESXi, Microsoft Hyper-V, etc.).

Boot Loader: A small piece of code that provides minimal functions. The boot loader is executed prior to booting the operating system. The boot loader typically provides minimal hardware drivers, file system support etc. that are required for reading the operating system code.
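
The Chain of Trust entry above, worked through as an added example (not taken from the chapter): each stage embeds the digest of the next stage, and the trust nexus stores only the digest of the first. The stage names, the `<next digest>|<code>` image layout and the use of bare SHA-256 digests in place of signatures are assumptions made for illustration.

```python
import hashlib
import hmac

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def build_chain(codes):
    """Return (root_digest, images). Each image is b"<digest of next image>|<code>"."""
    images, next_digest = [], ""
    for code in reversed(codes):  # back to front: a stage must know its successor's digest
        image = next_digest.encode() + b"|" + code
        images.append(image)
        next_digest = digest(image)
    images.reverse()
    return next_digest, images  # digest of the first image is what the nexus stores

def first_untrusted_stage(root_digest, images):
    """Walk the chain from the nexus; return index of the first stage that fails, or None."""
    expected = root_digest
    for index, image in enumerate(images):
        if not hmac.compare_digest(digest(image), expected):
            return index  # refuse to run this stage and everything after it
        expected = image.split(b"|", 1)[0].decode()  # digest this stage vouches for
    return None

# Constructed sample stages (placeholders, not real console firmware).
ROOT, IMAGES = build_chain([b"boot loader", b"hypervisor", b"game"])

def demo():
    modified_game = IMAGES[:2] + [IMAGES[2] + b" (modified)"]
    # Re-linking the hypervisor to vouch for the modified game only moves the failure up.
    relinked_hv = digest(modified_game[2]).encode() + b"|hypervisor"
    relinked = [IMAGES[0], relinked_hv, modified_game[2]]
    return (first_untrusted_stage(ROOT, IMAGES),
            first_untrusted_stage(ROOT, modified_game),
            first_untrusted_stage(ROOT, relinked))

if __name__ == "__main__":
    print(demo())  # (None, 2, 1)
```

The last check in `demo()` shows why the definition conditions everything on the nexus: a change anywhere in the chain surfaces as a mismatch unless the stored root value itself is replaced.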
