{{short description|Method of using software to modify the intended behavior of hardware}}
{{More citations needed|date=March 2008}}
{{use dmy dates|date=January 2023}}
A '''softmod''' (short for '''software modification''') is a method of using software to modify the intended behavior of hardware, such as video cards or video game consoles, in a way that overcomes restrictions imposed by the firmware or installs custom firmware.<ref name="PSP Forensics">{{cite book|title=Information Security and Digital Forensics: First International Conference, ISDF 2009|year=2010|publisher=Springer Berlin Heidelberg|isbn=978-3-642-11530-1|pages=50–56 |url=https://books.google.com/books?id=g5YC6-sPS5gC&dq=Forensic+Investigation+of+the+Soft-Modded+PlayStation+Portable+%28PSP%29&pg=PA50|author=Qin Zhou|authorlink=Forensic Investigation of the Soft-Modded Playstation Portable (PSP)|author2=Nigel Poole |editor=Dasun Weerasinghe|accessdate=14 July 2010}}</ref>
==Function==
Many softmods are several exploits chained together. The first requirement is executing arbitrary code in user space, known as a userland exploit. Web browsers are a very common vector for this, because WebKit is open source and its vulnerabilities are therefore widely known. The second requirement is privilege escalation into the kernel, known as a kernel exploit, which unlocks the protected parts of the system. Depending on the security architecture, further privilege escalation may be required, such as defeating a hypervisor.
Other examples of softmods are unofficial firmware carrying a valid signature, such as custom firmware on the PlayStation 3, which became possible once the console's master key was released, or gaining control of a process very early in the boot chain, such as the Fusée Gelée bootROM vulnerability on the Nintendo Switch. The latter allowed arbitrary code execution and control over every process started after it.
Softmods may be permanent (e.g. custom firmware) or temporary (e.g. a homebrew enabler that persists only until reboot). Softmods are especially popular on video game consoles, where they usually enable a homebrew environment that allows execution of unsigned code. Compared to installing a modchip, a softmod is usually preferred (if available) because it does not require opening the device and soldering, which could damage the hardware. However, attempting a softmod can still damage the device, especially if instructions are not followed correctly, potentially bricking it.
Softmods may be used to install an alternative operating system (e.g. a Linux distribution) on a device, as well as to reinstate functionality that was removed from the official firmware, such as "OtherOS" on the PlayStation 3.
Softmods void the warranty because they tamper with device function; as a result, vendors will not honour an existing warranty policy if the device is sent in for repair.
==Legality==
Because it is commonly used to circumvent copy protection, softmodding is seen as a tool that enables piracy, although the act of softmodding in itself may not be illegal.
In January 2011, security researcher George Hotz (Geohot) and members of the hacking group ''fail0verflow'' were sued by Sony over the PlayStation 3 jailbreak.<ref>{{Cite news|url=https://www.engadget.com/2011/01/12/sony-follows-up-officially-sues-geohot-and-fail0verflow-over-ps/|title=Sony follows up, officially sues Geohot and fail0verflow over PS3 jailbreak|website=Engadget|date=12 January 2011|access-date=12 September 2024}}</ref> Sony and Geohot later settled the case out of court, with Geohot agreeing not to reverse engineer any Sony product in the future.<ref>{{cite web |url=http://www.joystiq.com/2011/04/11/sony-and-playstation-3-jailbreaker-george-hotz-settle-out-of-cou/|title=Sony and PlayStation 3 jailbreaker George Hotz settle out of court}}</ref>
In Japan, softmods were outlawed as part of legislation passed in 2018 that made savegame editing and console modding illegal.<ref>{{Cite news|url=https://www.gamespot.com/articles/japan-makes-it-illegal-to-mod-consoles/1100-6464178/|title=Japan Makes It Illegal To Mod Consoles|website=GameSpot|date=10 January 2019|access-date=1 September 2024}}</ref>
==Softmods for video game consoles==
===PlayStation/PSOne===
The original PlayStation can be softmodded with the TonyHax exploit.<ref>{{cite web |last1=Del Sol Vives |first1=Marcos |title=TonyHax |url=https://orca.pet/tonyhax/ |website=Orca.pet |access-date=12 March 2023}}</ref> The exploit is compatible with all North American and European consoles except the launch model (SCPH-100x), but not with Japanese consoles. It also works on early PlayStation 2 models (SCPH-3900x or older), although only for booting PS1 discs. TonyHax can be booted either through a gamesave exploit (usually one of the ''Tony Hawk's Pro Skater'' games, hence the name, although several other games are also supported) or, except on the PS2, directly from a specially flashed memory card. The exploit allows the console to boot homebrew, foreign-region games, and CD-R backup copies. Some PlayStation models are partially incompatible (slow load times, skipping audio and video) with phthalocyanine CD-Rs and work better with discs using the older standard dye. TonyHax is not a permanent exploit: the drive is re-locked when the console is powered off or rebooted, so the exploit has to be reloaded every time a CD-R or foreign game is booted.
An older method was to boot an original legitimate disc with the lid-close sense button held down, quickly swap the disc for a CD-R copy or foreign disc, remove that disc and reinsert the original, and then swap in the CD-R or foreign disc again. This had to be carefully timed, and if done incorrectly could damage the drive or the disc(s).
===PlayStation 2===
The PlayStation 2 has various methods of achieving a softmod.
Disc swapping was used early on to bypass the PlayStation 2's copy protection: by taking advantage of certain trigger discs, such as ''007: Agent Under Fire'' or Swap Magic, homebrew could be loaded. This was done by inserting the trigger disc, blocking the lid-open sensor, and then hot-swapping in a homebrew disc. Although difficult to execute correctly, the method was widely used to softmod because it worked on every model.
One of the earliest softmods developed, the Independence Exploit, allows the PlayStation 2 to run homebrew by exploiting a buffer overflow in the BIOS code responsible for loading original PlayStation games. This method only works on models V10 and lower, excluding the PlayStation 2 slim, and still requires a disc to be burned.<ref>{{cite web|url=http://forums.afterdawn.com/thread_view.cfm/109289|title=How to make your own Memory Card Exploit using the Independence Installer|accessdate=April 24, 2013}}</ref>
FreeMcBoot is an exploit that works on all models except the SCPH-9000x series with BIOS v2.30 and up.<ref>{{cite web|title=PS2 Softmod Install Tutorial|url=http://freemcboot.info/ps2%20ohje/indexe.html|url-status=live|archive-url=https://web.archive.org/web/20130321045221/http://freemcboot.info/ps2%20ohje/indexe.html|archive-date=March 21, 2013|accessdate=April 24, 2013}}</ref> It requires no trigger disc and is able to load ELFs directly from the memory card.
Fortuna, Funtuna, and Opentuna are another form of memory card exploit. Unlike FreeMcBoot, they work on the SCPH-9000x models, and they are compatible with third-party memory cards that do not support MagicGate.
FreeHDBoot is an exploit for PS2 models with the hard drive peripheral.
FreeDVDBoot is an exploit discovered in 2020 that requires burning a disc image loaded with a payload onto a DVD-R. It is compatible with a range of PlayStation 2 models and works by exploiting a buffer overflow in the PS2's DVD video player.<ref>{{Cite web|last=Orland|first=Kyle|date=2020-06-29|title=New hack runs homebrew code from DVD-R on unmodified PlayStation 2|url=https://arstechnica.com/gaming/2020/06/new-hack-runs-homebrew-code-from-dvd-r-on-unmodified-playstation-2/|access-date=2020-12-29|website=Ars Technica|language=en-us}}</ref>
MechaPwn<ref>{{cite web |title=MechaPwn |url=https://github.com/MechaResearch/MechaPwn |website=GitHub |access-date=12 March 2023}}</ref> is an exploit that permanently unlocks the DVD drive of the slim PS2 (and some later revisions of the fat PS2), allowing PS1 and PS2 discs from any region to be booted. PS1 CD-R copies can be booted directly from the PS2's built-in menu; PS2 CD-R/DVD-R copies require additional software to bypass the PlayStation 2 logo check.
In August 2024, a savegame exploit affecting multiple consoles and generations, called ''TonyHawksProStrcpy'',<ref name="TonyHawksProStrcpy">{{cite web|title=grimdoomer/TonyHawksProStrcpy|website=GitHub|url=https://github.com/grimdoomer/TonyHawksProStrcpy|accessdate=3 September 2024}}</ref> was released. It is present in multiple ''Tony Hawk's'' titles for the PlayStation 2 and can be used to execute unsigned code.
===PlayStation 3===
The PlayStation 3 has two methods of achieving a softmod. All models of PS3 can be softmodded.
Consoles whose factory-installed (minimum) firmware is version 3.55 or lower can install CFW (custom firmware), which is unofficial firmware. This includes all fat models, slim 20xx and 21xx models, and 25xx models (the latter only if the console was manufactured before December 2010, date code 0D or earlier). These guidelines assume the console has not been serviced by Sony, as Sony may update the factory-installed firmware. Slim 30xx and all super slim models cannot currently install CFW.
Installing CFW became possible after the PS3's master key was leaked.<ref>{{Cite news|url=https://www.bbc.co.uk/news/technology-20067289|title=PlayStation 'master key' leaked online|website=BBC News|date=24 October 2012|access-date=29 August 2024}}</ref> Sony changed the key with firmware 3.56. If a vulnerable console has official firmware above 3.55 installed, the flash can be patched via a WebKit exploit, which enables a CFW install. Should the patching process be interrupted (e.g. by power loss), it can brick the console.
CFW grants complete control over the console, with access to LV0 (bootloader), LV1 (hypervisor), and LV2 (kernel/GameOS). This allows running homebrew, loading game backups, bypassing region checks, entering Factory Service Mode, changing fan and RSX (GPU) speeds, overclocking the RSX, accessing the root keys, and running PS2 ISOs on models without hardware backwards compatibility (via software emulation). Some CFW implementations reinstate features Sony removed, such as "OtherOS".
The most supported PS3 CFW is ''Evilnat Cobra''.<ref>{{cite web|title=Evilnat/Cobra-PS3|website=GitHub|url=https://github.com/Evilnat/Cobra-PS3|accessdate=12 September 2024}}</ref>
The other softmod is ''PS3HEN''<ref>{{cite web|title=PS3Xploit/PS3HEN|website=GitHub|url=https://github.com/PS3Xploit/PS3HEN|accessdate=12 September 2024}}</ref> (HEN). HEN is supported on all PS3 models. To use HEN, HFW (hybrid firmware), another kind of unofficial firmware, must be installed. During the HEN setup process, a WebKit exploit is used to install a signed file through the PS3 web browser, which sets up HEN on the PS3's storage. This adds a shortcut that enables HEN by leveraging additional exploits to gain LV2 kernel/GameOS access. HEN is therefore a tethered softmod: it has to be activated every time the console is powered on. It shares the core CFW features of running homebrew, loading game backups, bypassing region checks, changing fan speeds, and playing installed PS2 Classics PKGs. The unofficial PS2 backwards compatibility is more limited, as users can only run PS2 Classics encrypted PKGs rather than ISOs.
With HEN, the hypervisor remains active and periodically checks whether the code being executed is unsigned; there is a small chance this causes the console to become unresponsive or shut down, making HEN less stable than CFW.
===PlayStation 4===
The PlayStation 4 has several ways to achieve a softmod. Most rely on WebKit vulnerabilities in the PS4 web browser combined with a kernel exploit. All models of PS4 can be softmodded. They are all tethered exploits, meaning they have to be performed every time the console is powered on, although some exploits can be persisted using rest mode.
Softmodding a PS4 allows users to run homebrew, load game backups, bypass region checks, and change fan and CPU/GPU speeds. Some payloads can boot the PS4 into a Linux distribution, although this is not permanent and the console reverts to Orbis OS on reboot.
Notable firmware revisions that can be softmodded are 1.76,<ref>{{Cite news|url=https://thehackernews.com/2015/12/sony-ps4-playstation-jailbreak.html|title=Hacker Confirms PlayStation 4 Jailbreak! Exploit Could Open Doors for Pirated Games|website=The Hacker News|date=14 December 2015|access-date=29 August 2024}}</ref> 4.05,<ref>{{Cite news|url=https://thehackernews.com/2017/12/ps4-jailbreak-kernel-exploit.html|title=Kernel Exploit for Sony PS4 Firmware 4.05 Released, Jailbreak Coming Soon|website=The Hacker News|date=27 December 2017|access-date=29 August 2024}}</ref><ref>{{cite web|title=Cryptogenic/PS4-4.05-Kernel-Exploit|website=GitHub|url=https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit|accessdate=29 August 2024}}</ref> 4.74, 5.05/5.07,<ref>{{cite web|title=Cryptogenic/PS4-5.05-Kernel-Exploit|website=GitHub|url=https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit|accessdate=29 August 2024}}</ref> 6.72,<ref name="ps4jb-6.72">{{cite web|title=sleirsgoevy/ps4jb|website=GitHub|url=https://github.com/sleirsgoevy/ps4jb|accessdate=29 August 2024}}</ref> 7.02,<ref>{{cite web|title=sleirsgoevy/PS4-webkit-exploit-7.02|website=GitHub|url=https://github.com/sleirsgoevy/PS4-webkit-exploit-7.02|accessdate=29 August 2024}}</ref> 7.55,<ref>{{cite web|title=sleirsgoevy/ps4jb2 at 75x|website=GitHub|url=https://github.com/sleirsgoevy/ps4jb2/tree/75x|accessdate=29 August 2024}}</ref> 9.00,<ref name="ps4jb-9.00">{{cite web|title=ChendoChap/pOOBs4|website=GitHub|url=https://github.com/ChendoChap/pOOBs4|accessdate=29 August 2024}}</ref> and 11.00,<ref name="ps4jb-11.00">{{cite web|title=TheOfficialFloW/PPPwn|website=GitHub|url=https://github.com/TheOfficialFloW/PPPwn|accessdate=29 August 2024}}</ref> with 5.05/5.07 being the most stable and 9.00 the next most stable. The 9.00 exploit requires inserting a specially crafted (exFAT-formatted) USB storage device into the console, and the 11.00 exploit requires connecting to a malicious PPPoE server over the Ethernet port.
===PlayStation 5===
The PlayStation 5 has several ways to achieve a softmod. They rely on a userland exploit, which can be WebKit vulnerabilities in the PS5 web browser, a specially crafted Blu-ray disc (via BD-J), or a savegame exploit, combined with a kernel (and optionally hypervisor) exploit. They are all tethered exploits, meaning they have to be performed every time the console is powered on, although some exploits can be persisted using rest mode.
Softmodding a PS5 allows running homebrew, loading game backups, modifying the PS4 backwards-compatibility blacklist, installing and running PS4 "FPKGs" (including PS4 homebrew and PS1/PS2/PS4 game backups), changing fan speeds, and spoofing the firmware version (which allows installing games that require an update patch and can also block updates). However, firmware spoofing will not allow games above the console's true firmware revision to load without the required update patch. The PS5 is also capable of playing patched PS4 titles above the PS4 frame rate cap of 60 FPS, at higher frame rates such as 120 FPS.
On the PS4, a userland and kernel exploit was enough to accomplish what is generally regarded as a true jailbreak by patching the kernel. The PS5, however, has added security measures, mainly a hypervisor (HV) and eXecute Only Memory (XOM), which do not allow kernel patching; as a result, not all kernel exploits on the PS5 can be leveraged, and reverse engineering is much more difficult. Despite this, several HENs (Homebrew ENablers) have been made that operate within the constraints of the HV and XOM and defeat enough security to enable a homebrew environment. After the first public HV exploit, HENs were adjusted to operate with the HV compromised (including XOM deactivated), providing better stability and functionality than HENs that do not leverage an HV exploit, since kernel patching is then possible.
Firmware up to 2.50<ref name="ps5jb-hv-2.50">{{cite web|title=PS5Dev/Byepervisor|website=GitHub|url=https://github.com/PS5Dev/Byepervisor|accessdate=26 October 2024}}</ref> is vulnerable to a userland, kernel, and hypervisor exploit chain. Firmware up to 7.61<ref name="ps5jb-7.61">{{cite web|title=PS5Dev/PS5-UMTX-Jailbreak|website=GitHub|url=https://github.com/PS5Dev/PS5-UMTX-Jailbreak|accessdate=22 September 2024}}</ref><ref>{{cite web|title=Cryptogenic/PS5-IPV6-Kernel-Exploit|website=GitHub|url=https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit|accessdate=29 August 2024}}</ref><ref>{{cite web|title=john-tornblom/bdj-sdk|website=GitHub|url=https://github.com/john-tornblom/bdj-sdk|accessdate=29 August 2024}}</ref> is vulnerable to a userland and kernel exploit chain.
The IPv6 kernel exploit on the PS4 that led to the 6.72 jailbreak<ref name="ps4jb-6.72"/> was patched a few months prior to the release of the PS5, but the bug was reintroduced on the PS5 with firmware 3.00 and affected firmware up to 4.51. The exFAT filesystem kernel exploit that led to the 9.00 jailbreak<ref name="ps4jb-9.00"/> also affected PS5 firmware up to 4.03; however, due to additional protections on the PS5 it cannot be used to softmod the PS5. The PPPoE kernel exploit that led to the PS4 11.00 jailbreak<ref name="ps4jb-11.00"/> also affected PS5 firmware up to 8.20, and is likewise not known to softmod the PS5.
In June 2023, a payload called ''libhijacker''<ref>{{cite web|title=astrelsky/libhijacker|website=GitHub|url=https://github.com/astrelsky/libhijacker|accessdate=24 June 2023}}</ref> was disclosed, becoming a reliable method of running homebrew that partially circumvents the HV. It works by hijacking an existing system process to create a new, separate process, effectively acting as a background ELF loader. This is notable over previous ELF loaders such as the WebKit or Blu-ray methods, whose loaders were terminated when the corresponding process stopped. Another advantage is that the new process is not confined to the fixed maximum resource allocation of the WebKit or BD-J processes.
In July 2023, security researcher ''Flat_z'' disclosed<ref>{{cite web|title=Aleksei Kulaev on Twitter: finally... hello, PS5 PSP :)|website=Twitter|url=https://twitter.com/flat_z/status/1684554194366107650|accessdate=30 July 2023}}</ref> that he had read access to the PS5's Platform Secure Processor (PSP), one of the most protected parts of the system, which holds crucial decryption keys. He also confirmed he had successfully exploited the HV via a savegame exploit chain. ''Flat_z'' said he does not intend to disclose the findings publicly, but is using the exploits to further reverse engineer the PS5 now that he can decrypt more of the system.
In November 2023, scene developer ''LightningMods'' disclosed<ref>{{cite web|title=LM on Twitter: First ever PS5 Game Back up to be played, PPSA03527|website=Twitter|url=https://twitter.com/LightningMods_/status/1721713975929209075|accessdate=7 November 2023}}</ref> that he had managed to load and play a retail PS5 game backup.
In December 2023, ''LightningMods'' updated his ''Itemzflow''<ref>{{cite web|title=LightningMods/Itemzflow|website=GitHub|url=https://github.com/LightningMods/Itemzflow|accessdate=12 September 2024}}</ref> homebrew to support loading PS5 game backups.
In September 2024, a kernel exploit was disclosed for FreeBSD 11, which the PS5 software is based on. It can be leveraged on the PS5 and affects all firmware versions up to 7.61.<ref name="ps5jb-7.61"/> The bug is not present in FreeBSD 9, so the PS4 is unaffected.
In October 2024, security researcher ''SpecterDev'' disclosed<ref name="ps5jb-hv-2.50"/> two exploit chains that compromise the hypervisor, affecting all firmware versions up to 2.50.
===PlayStation Portable===
Much like the Xbox, it is possible to softmod almost any PSP. Using various exploits (such as the TIFF image exploit or specially crafted savegames for certain games) or an early, unprotected firmware, the user can run a modified version of the PSP's updater that installs custom firmware. This firmware allows booting ISOs as well as running unauthorized (homebrew) code. A popular way of running homebrew code to softmod the PSP is the Infinity method.
===PlayStation Vita===
The PlayStation Vita can also be softmodded; the best-known methods are the HENkaku web exploit, h-encore, and h-encore².
===Xbox===
The Xbox can be softmodded with a font exploit installed through exploits in the savegame code of ''MechAssault'', ''Splinter Cell'', ''Tony Hawk's Pro Skater 4'', and ''007: Agent Under Fire''. Using the ''Splinter Cell'' or ''Tony Hawk's Pro Skater 4'' disc is generally recommended, as any version of those games will run the exploit, whereas specific production runs of ''MechAssault'' and ''Agent Under Fire'' are needed. Originally, via a piece of software called "MechInstaller" created by members of the Xbox-Linux team, an additional option could be added to the Xbox Dashboard for booting Linux.
The font hack works by exploiting a buffer overflow in the Xbox font loader, which is part of the dashboard. Since the Xbox requires the clock to be valid, and the dashboard itself is where the clock is set, there is a problem if the real-time clock (RTC) backup capacitor discharges: the Xbox detects that the clock is not set and therefore forces the dashboard to load, and the dashboard then reboots because of the buffer overflow exploit. Upon restarting, the Xbox again detects that the clock is invalid and the process repeats. This problem became known as the "clockloop".<ref>{{cite web|title=The Official Clock Loop Thread|url=http://forums.xbox-scene.com/index.php?/topic/200248-the-official-clock-loop-thread/|accessdate=26 April 2016}}</ref>
In August 2024, a savegame exploit affecting multiple consoles and generations, called ''TonyHawksProStrcpy'',<ref name="TonyHawksProStrcpy"/> was released. It is present in multiple ''Tony Hawk's'' titles for the Xbox and can be used to execute unsigned code.
===Xbox 360===
Shortly after the release of the Xbox 360, ways were found to modify the firmware of the console's DVD drive. This allows the system to play games from "backup" (non-original) discs. It requires opening the console, but no additional hardware such as a modchip is permanently installed. Microsoft responded by introducing a console banning system: if the data stream from the DVD drive showed signs of unauthorized use, Microsoft would permanently ban the console from the Xbox Live service. The ban never expires and can only be remedied by purchasing another console. Other measures, such as new hardware revisions to prevent modifications and checking or updating the drive firmware during dashboard updates, were taken as well.
In August 2024, a savegame exploit affecting multiple consoles and generations, called ''TonyHawksProStrcpy'',<ref name="TonyHawksProStrcpy"/> was released. It is present in a ''Tony Hawk's'' title for the Xbox 360 and can be used to execute unsigned code. If used on a console with dashboard version 2.0.4548.0 or lower, a known hypervisor exploit can also be chained to gain full control over the console. However, this is a very old update dating back to November 2006 and not readily available to most users, usually requiring a downgrade, which is not a simple process.
===Xbox One===
The Xbox One went through most of its lifecycle without having its security compromised. In June 2024, however, a userland exploit was disclosed for a Universal Windows Platform (UWP) app called Game Script, which had a bug allowing arbitrary code execution. Microsoft removed the app from the store a few days after disclosure, effectively patching the vulnerability for those who had not already downloaded it.
A couple of weeks later, the same developer released a follow-up that achieves kernel access while in Retail mode, roughly equivalent in functionality to putting the console in Developer mode. Due to the Xbox One's security architecture, the console's security remains mostly intact, and further mitigations must be defeated before this becomes a HEN (homebrew enabler).
A payload exists that starts a file server on the console reachable over the network, which can be used, for example, to browse the console's filesystem and create directories.
===Xbox Series X and Series S===
The Xbox Series X and Series S are vulnerable to the same exploits as the Xbox One, and similarly have security measures that leave the console's security mostly intact, so further mitigations must be defeated before this becomes a HEN (homebrew enabler).
===GameCube===
In August 2024, a savegame exploit affecting multiple consoles and generations, called ''TonyHawksProStrcpy'',<ref name="TonyHawksProStrcpy"/> was released. It is present in multiple ''Tony Hawk's'' titles for the GameCube and can be used to execute unsigned code.
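The savegame exploits named in the PlayStation 2, Xbox, Xbox 360 and GameCube sections above share one bug pattern, which the ''TonyHawksProStrcpy'' name spells out: a fixed-size buffer in the game's save loader is filled from attacker-controlled file data by an unbounded <code>strcpy()</code>-style copy, so an over-long field overwrites whatever follows the buffer in memory. The C program below is an added illustration written for this article, not code from any of those projects or games; the save layout, the field names and the two sample name fields are constructed for the demonstration. It shows a vulnerable loader letting a 20-byte name spill into the flags word that follows the 16-byte name field, and a hardened loader that rejects the same input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical save layout (not any real game's): a fixed-size player name
 * followed immediately by a 32-bit flags word. On a real console the memory
 * after the name buffer is typically a saved return address on the stack. */
#define NAME_FIELD_SIZE 16

struct save_record {
    char     player_name[NAME_FIELD_SIZE];
    uint32_t unlock_flags;           /* lives directly after the name in memory */
};

/* Constructed save-file name fields (not captured from a real save). */
static const unsigned char BENIGN_NAME[] = "TONY";
/* 16 filler bytes fill player_name exactly; the four 'A's land on unlock_flags. */
static const unsigned char CRAFTED_NAME[] = "XXXXXXXXXXXXXXXXAAAA";
_Static_assert(sizeof CRAFTED_NAME == NAME_FIELD_SIZE + 4 + 1,
               "crafted name is 20 bytes plus NUL");

/* Vulnerable loader: copies until the NUL byte with no length check, exactly
 * what strcpy(rec->player_name, field) does. It is written as a byte loop over
 * the record's representation so the spill into unlock_flags is well-defined C
 * for this demonstration; the bound on sizeof *rec only stands in for "until
 * the stack frame runs out" and is not a security check. */
static void load_name_unchecked(struct save_record *rec, const unsigned char *field)
{
    unsigned char *base = (unsigned char *)rec;
    size_t off = offsetof(struct save_record, player_name);
    for (size_t i = 0; field[i] != '\0' && off + i < sizeof *rec; i++)
        base[off + i] = field[i];
}

/* Hardened loader: the name must be NUL-terminated within the bytes actually
 * present in the file (avail) and must fit the field with its terminator.
 * Returns 0 on success, -1 if the record is rejected; rec is untouched on -1. */
static int load_name_checked(struct save_record *rec, const unsigned char *field, size_t avail)
{
    const unsigned char *nul = memchr(field, '\0', avail);
    if (nul == NULL)
        return -1;                   /* unterminated field: reject */
    size_t len = (size_t)(nul - field);
    if (len >= NAME_FIELD_SIZE)
        return -1;                   /* would not fit with its NUL: reject */
    memcpy(rec->player_name, field, len);
    rec->player_name[len] = '\0';
    return 0;
}

/* Flags word after the vulnerable loader consumed the crafted save: 0x41414141,
 * i.e. the four 'A' bytes the attacker placed past the end of the name field. */
uint32_t demo_vulnerable_flags(void)
{
    struct save_record rec = { "", 0 };
    load_name_unchecked(&rec, CRAFTED_NAME);
    return rec.unlock_flags;
}

/* Hardened loader's verdict on a field of the given length; *flags_out receives
 * the flags word afterwards so callers can confirm it was not disturbed. */
int demo_hardened_verdict(const unsigned char *field, size_t avail, uint32_t *flags_out)
{
    struct save_record rec = { "", 0 };
    int rc = load_name_checked(&rec, field, avail);
    *flags_out = rec.unlock_flags;
    return rc;
}

int main(void)
{
    uint32_t flags;
    printf("vulnerable loader, crafted save: unlock_flags = 0x%08x\n",
           (unsigned)demo_vulnerable_flags());
    printf("hardened loader, crafted save:   rc = %d\n",
           demo_hardened_verdict(CRAFTED_NAME, sizeof CRAFTED_NAME, &flags));
    printf("hardened loader, benign save:    rc = %d\n",
           demo_hardened_verdict(BENIGN_NAME, sizeof BENIGN_NAME, &flags));
    return 0;
}
```

On a real console the word that gets clobbered is a saved return address, so the crafted save also carries the code that address is redirected to; the hardened version closes the bug by bounding the copy on the size of the destination rather than the source, and by refusing an unterminated field instead of letting the scan run past the end of the file buffer.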
===Wii===
The first known softmod for the Wii is the Twilight Hack,<ref>{{cite web|title=lewurm/savezelda|website=GitHub|url=https://github.com/lewurm/savezelda|accessdate=12 September 2024}}</ref> a savegame exploit for the Wii version of ''The Legend of Zelda: Twilight Princess''. This allowed users to run homebrew {{Not a typo|.dol}}/.elf files.
The Twilight Hack was superseded by Bannerbomb, which allowed executing unsigned code without relying on an exploit within a game. Bannerbomb used a malformed channel banner to load a loader program into the Wii Menu in memory; as the Wii Menu crashed, an unsigned executable was run.
Bannerbomb was superseded by Letterbomb,<ref>{{cite web|title=fail0verflow/letterbomb|website=GitHub|url=https://github.com/fail0verflow/letterbomb|accessdate=12 September 2024}}</ref> which used a glitch in the Wii Message Board to crash the Wii Menu.
FlashHax<ref>{{cite web|title=Fullmetal5/FlashHax|website=GitHub|url=https://github.com/Fullmetal5/FlashHax|accessdate=12 September 2024}}</ref> superseded Letterbomb; it used an exploit in the Internet Channel's Flash player to run unsigned code, and therefore required the Internet Channel to be installed.
str2hax<ref>{{cite web|title=Fullmetal5/str2hax|website=GitHub|url=https://github.com/Fullmetal5/str2hax|accessdate=12 September 2024}}</ref> superseded FlashHax and simplified the process further. str2hax uses a custom DNS server to redirect the Wii's end-user license agreement page to a modified page that executes unsigned code, without the need for the Internet Channel.
BlueBomb<ref>{{cite web|title=Fullmetal5/bluebomb|website=GitHub|url=https://github.com/Fullmetal5/bluebomb|accessdate=12 September 2024}}</ref> was released later and leverages a Bluetooth exploit; it is used in particular to softmod the Wii Mini, which cannot use the Internet Channel as an entry point.
These exploits typically allowed installing the Homebrew Channel, an unofficial Wii channel that acts as a gateway to run unofficial Wii applications.
A large homebrew community emerged for the Wii, leading to developments such as the Homebrew Channel, third-party games, media players, and loaders for Wii and GameCube game backups.
===Wii U===
The Wii U can be softmodded with various exploits. As of February 2024 the easiest way is the DNSpresso exploit, which leverages several bugs in the network stack to achieve kernel access, in combination with a specially crafted SD card. This works on the latest firmware revisions and can in turn be used to install CFW (custom firmware). Currently the most supported CFW is Aroma; other choices are Mocha, Haxchi, and Tiramisu.
Softmodding a Wii U allows users to run homebrew, load game backups, bypass region checks, and change fan and CPU/GPU speeds. Notably, the Wii U is backwards compatible with Wii games (vWii), and softmodding also unlocks backwards compatibility with GameCube games, as on its predecessor, because the hardware required is present on the motherboard. Nintendo did not implement GameCube disc reading on the Wii U, which effectively disabled this compatibility.
USB storage can be used to store games; it is the only way to store and play Wii U games outside the internal memory. Wii and GameCube games can be played if stored on the specially crafted SD card used to softmod the Wii U, or on USB storage.
Previously, a few Virtual Console DS games could be exploited with specially crafted savegames to install a permanent CFW that is active as soon as the console powers on. Since the eShop closure, however, this method is only possible if the game was downloaded before the closure.
===Nintendo DS/DS Lite===
All versions of the Nintendo DS and the Nintendo DS Lite can be softmodded with FlashMe, a patched firmware that is installed using any PassMe-compatible flashcart. During installation two contacts on the mainboard must be shorted with a metallic object so that the chip holding the firmware becomes writable. The custom firmware looks and behaves exactly like the original DS firmware, except that a PassMe or Passcard is no longer needed to boot DS ROMs from Slot-2 flashcarts. The standard version of FlashMe also removes the DS intro screen (including the health warning screen) on boot.<ref> ''FlashMe.''</ref>
===Nintendo DSi/DSi XL===
The Nintendo DSi became easier to softmod with the introduction of an SD card slot. The easiest method is the Memory Pit exploit, released in 2019. When the camera application takes a photo, it creates a file called <code>pit.bin</code> to store metadata; this file is always located at <code>sd:/private/ds/app/484E494A</code> on the SD card.<ref>{{Cite web |title=Nintendo DSi Camera - DSiBrew |url=https://dsibrew.org/Nintendo_DSi_Camera#pit.bin |access-date=2024-11-25 |website=dsibrew.org}}</ref> Replacing it with a specially crafted file triggers a buffer overflow when the camera application parses it, which is used to hijack execution and load a homebrew bootstrap from the SD card.<ref>{{Cite web |title=Memory Pit - DSiBrew |url=https://dsibrew.org/Memory_Pit |access-date=2024-11-25 |website=dsibrew.org}}</ref> Tools such as Unlaunch write directly to the DSi's NAND storage and create a cold-boot setup, i.e. the console launches straight into the custom firmware without going through another app. Custom UI environments have been created, most notably TWiLight Menu++, which uses other programs such as nds-bootstrap to launch homebrew software.
===Nintendo 2DS/3DS===
The Nintendo 3DS (and its Nintendo 2DS sibling) have become some of the most popular console platforms to softmod, as the procedure requires only the 2DS/3DS itself and modifications to its microSD card. All models of 3DS and 2DS can be softmodded, including the 'New' refresh models. Since the closure of the Nintendo eShop for the 2DS/3DS, softmodding has become popular as a way to reinstate features that are now officially defunct.
The most developed and commonly used CFW (custom firmware) is Luma3DS. It provides features such as EmuNAND (NAND redirection), running non-system-menu payloads on boot, and installing homebrew titles to the home menu. A popular homebrew app used for piracy, Freeshop,<ref> ''Freeshop Taken Down By Nintendo''</ref> was shut down by Nintendo with firmware 11.8, which required title key authorization on the eShop download servers, so all NUS downloaders<ref> ''NUS Downloaders''</ref> for the 2DS/3DS stopped working.
===Nintendo Switch===
Early versions of the Nintendo Switch, known as "V1 unpatched" units, are vulnerable to a hardware-entry exploit through the ReCovery Mode (RCM) of the Tegra X1, the system-on-chip the Switch uses.<ref>{{Cite news|url=https://thehackernews.com/2018/04/nintendo-switch-linux-hack.html|title=Nintendo Switches Hacked to Run Linux—Unpatchable Exploit Released|website=The Hacker News|date=24 April 2018|access-date=1 September 2024|archive-date=|archive-url=}}</ref> RCM is entered by holding the Volume Up and Power buttons while the Tegra "home" button line is asserted; that button is not exposed to consumers, as RCM was intended for Nintendo to service consoles, but it was discovered that it can be emulated by shorting pin 10 on the right Joy-Con rail. Once the console is in RCM, a buffer overflow in the Tegra X1 boot ROM's USB recovery stack (Fusée Gelée, CVE-2018-6242), in which an overlong length field in a USB control request is trusted, is used from a connected PC or phone to push and execute unsigned payloads, such as a bootloader for CFW (custom firmware). Because the bug is in the boot ROM it cannot be fixed by a software update; Nintendo fixed it only in later hardware revisions ("patched" units).
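Both Memory Pit (above) and Fusée Gelée belong to the same bug class: a length field that arrives from an untrusted source (a metadata file on an SD card, a USB control request from the host) is used unchecked as the size of a copy into a fixed-size buffer. The following added example is not the boot ROM's or the DSi camera application's code; the record format, the simulated stack frame, and the function names are constructed to show the vulnerable pattern beside its hardened form.

```c
/* Added example, not code from the Tegra boot ROM or the DSi camera app.
 * A 16-bit length from an untrusted record is used as a memcpy size. The
 * "frame" stands in for a stack frame: a 32-byte name buffer followed by the
 * 4-byte saved return address, which is what the overflow overwrites. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX   32
#define FRAME_SIZE (NAME_MAX + 4)    /* name[32] + saved return address */
#define ORIG_RET   0xDEADBEEFu       /* value the caller placed in the frame */

/* Record format (constructed): u16 little-endian length, then that many bytes. */

/* Vulnerable: copies as many bytes as the record claims into a 32-byte slot. */
size_t parse_record_vuln(const uint8_t *rec, size_t reclen, uint8_t frame[FRAME_SIZE])
{
    if (reclen < 2) return 0;
    uint16_t len = (uint16_t)(rec[0] | (rec[1] << 8));
    memcpy(frame, rec + 2, len);       /* no check against NAME_MAX or reclen */
    return len;
}

/* Hardened: the length must fit the destination and the data actually present.
 * Oversized records are rejected outright rather than silently truncated. */
size_t parse_record_safe(const uint8_t *rec, size_t reclen, uint8_t frame[FRAME_SIZE])
{
    if (reclen < 2) return 0;
    uint16_t len = (uint16_t)(rec[0] | (rec[1] << 8));
    if (len > NAME_MAX || (size_t)len > reclen - 2) return 0;
    memcpy(frame, rec + 2, len);
    return len;
}

/* Read back the pretend saved return address at the end of the frame. */
uint32_t saved_return(const uint8_t frame[FRAME_SIZE])
{
    uint32_t v;
    memcpy(&v, frame + NAME_MAX, 4);
    return v;
}

/* Build a record whose payload is n bytes of 'A' (constructed input). */
size_t make_record(uint16_t n, uint8_t *out, size_t cap)
{
    if ((size_t)n + 2 > cap) return 0;
    out[0] = (uint8_t)n; out[1] = (uint8_t)(n >> 8);
    memset(out + 2, 'A', n);
    return (size_t)n + 2;
}

/* Run one parser over a fresh frame and report the saved return address after it.
 * The frame is exactly FRAME_SIZE bytes, so a 36-byte payload stays inside the
 * array for the demonstration while still landing on the return address. */
uint32_t run_parser(size_t (*parse)(const uint8_t *, size_t, uint8_t *), uint16_t n)
{
    uint8_t frame[FRAME_SIZE], rec[256];
    uint32_t orig = ORIG_RET;
    memset(frame, 0, sizeof frame);
    memcpy(frame + NAME_MAX, &orig, 4);
    size_t rl = make_record(n, rec, sizeof rec);
    parse(rec, rl, frame);
    return saved_return(frame);
}

int main(void)
{
    /* 36 bytes is 4 more than the name buffer: the vulnerable parser writes
     * 'AAAA' over the saved return address; the hardened one refuses the record. */
    printf("vulnerable: saved return = 0x%08x\n", run_parser(parse_record_vuln, 36));
    printf("hardened:   saved return = 0x%08x\n", run_parser(parse_record_safe, 36));
    return 0;
}
```

On a real target the attacker-controlled 'AAAA' would instead be the address of the payload that is copied in alongside it, which is how a single trusted length turns into code execution at the privilege level of the parser (the boot ROM in the Switch's case).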
Software-only exploits have also emerged for some firmware revisions, but they are patched once the console is updated.
The softmods allow running homebrew, installing CFW (via the RCM exploit), bypassing region checks, loading game backups, and changing fan and CPU/GPU speeds. With the RCM exploit it is also possible to install an Android distribution as an additional boot option, which lets the device play games from other platforms through services such as Xbox Game Pass; the Joy-Cons are fully functional under Android.
The most supported Nintendo Switch CFW is Atmosphère.<ref>{{cite web|title=Atmosphere-NX/Atmosphere|website=GitHub|url=https://github.com/Atmosphere-NX/Atmosphere|accessdate=1 September 2024}}</ref>
Nintendo's servers check for consoles that connect with a modified bootloader or with an unauthorised copy of a game loaded. A console detected this way is banned, either immediately or later, after telemetry has been sent to Nintendo's servers. The console is not bricked and keeps working offline, but its identifiers are blacklisted so that it can never access a Nintendo server again, losing the eShop, online play and other online features.
In December 2023, a group of hackers unveiled the first flashcart for the Switch, the Mig Switch. The cartridge accepts a microSD card holding game backups, and the user switches between games by removing and re-inserting the cartridge. Whether playing backups from the cartridge risks a ban while online is not yet known. Mig Switch works on all models and firmware versions because it emulates a game card at the hardware level, defeating only cartridge authentication rather than the console's software security.
==Computer DVD drives==
Some DVD drives, such as those made by Lite-On, can be softmodded to ignore DVD region codes, to clear the drive's learned media calibration data, and to enable DVD+R to DVD-ROM book type setting (bitsetting) that persists across reboots. This is distinct from cross-flashing the drive or installing unofficial firmware, and does not modify the drive's firmware.<ref> ''Myce.''</ref>
==References==
{{Reflist}}
Latest revision as of 08:16, 25 November 2024
Method of using software to modify the intended behavior of hardwareThis article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Softmod" – news · newspapers · books · scholar · JSTOR (March 2008) (Learn how and when to remove this message) |
A softmod (short for software modification) is a method of using software to modify the intended behavior of hardware, such as computer hardware, or video game consoles in a way that can overcome restrictions of the firmware, or install custom firmware.
Function
Many softmods are exploits chained together. The first requirement is executing unsigned code, known as userland exploits. Internet Browsers are very common vectors for this, as WebKit is open-source and as a result, vulnerabilities are widely known. The second requirement is privilege escalation, known as kernel exploits, unlocking secure parts of the system. Depending on the security architecture, additional privilege escalation may be required, such as defeating a hypervisor.
Other examples of softmods are maliciously signed firmware, such as custom firmware on the PlayStation 3, which was made possible due to the master key being released, or gaining control of a process that is very early in the boot cycle, such as the Fusée Gelée Boot ROM vulnerability for the Nintendo Switch. This allowed for arbitrary code execution and also gaining control of every process on the system after it.
Softmods may be permanent (e.g. custom firmware) or temporary (e.g. homebrew enabler) that persist until reboot. Softmods are especially popular among video game consoles, in which they usually enable a homebrew environment that allow execution of unsigned code. Compared to installing a modchip, a softmod is usually preferred (if available) due to not requiring having to open up the device and perform soldering, which could damage the device hardware. However, attempting to softmod can still cause damage to the device especially if instructions are not followed correctly, potentially leading to bricking.
Softmods may be used to install an alternative operating system (e.g. a Linux distribution) on a device, as well as reinstate functionality that was removed from the official firmware, such as "OtherOS" on the PlayStation 3.
Softmods void warranty due to tampering with device function and as a result, vendors will not honour any existing warranty policy if sent in for repair.
Legality
Due to commonly being used to circumvent digital rights management, softmodding is seen as a tool to enable piracy, although the act of softmodding in itself may not be illegal.
In January 2011, security researcher Geohot and associates of the hacking group known as fail0verflow were sued by Sony for jailbreaking the PlayStation 3. Sony and Geohot later settled the case out of court, with Geohot agreeing not to reverse engineer any Sony product in the future.
In Japan, softmods were outlawed as part of new legislation in 2018 which made savegame editing and console modding illegal.
Softmods for video game consoles
PlayStation/PSOne
The original PlayStation can be softmodded with the TonyHax exploit. The exploit is compatible with all North American and European consoles except the launch model (SCPH-100x), but is not compatible with Japanese consoles. It is also compatible with early versions of the PlayStation 2 (SCPH-3900x or older), although only for booting PS1 discs. TonyHax can be booted either with a gamesave exploit (usually Tony Hawk's Pro Skater 2, 3, or 4, hence the name, but several other games are also supported), or except on the PS2, directly from a specially-flashed memory card. The exploit allows the console to boot homebrew, foreign-region games, and CD-R copies. Some PlayStation models are partially incompatible (slow load times, skipping audio and video) with phthalocyanine CD-Rs, preferring the older standard cyanine discs. TonyHax is not a permanent exploit; the drive is re-locked when the console is powered off or rebooted, requiring the user to re-load the exploit every time a CD-R or foreign game is booted.
An older method was to boot an original legitimate disc with the lid close sense button held down, quickly swap the disc with a CD-R copy or foreign disc, remove that disc and reinsert the original, and then swap for the CD-R or foreign disc again. This had to be carefully timed, and if done incorrectly could damage the drive or disc(s).
PlayStation 2
The PlayStation 2 has various methods of achieving a softmod.
Disc swapping was used early on to bypass the PlayStation 2 copy protection, by taking advantage of certain trigger discs such as 007: Agent Under Fire or Swap Magic, homebrew could be loaded. This was done by inserting the trigger disc, blocking the lid open sensor then hotswapping with a homebrew disc. Although difficult to execute correctly, the universality of the method was often used in order to softmod.
One of the earliest softmods developed — the Independence Exploit — allows the PlayStation 2 to run homebrew by exploiting a buffer overflow in the BIOS code responsible for loading original PlayStation games. This method, however, only works on models V10 and lower, excluding the PlayStation 2 slim, while still requiring a disc to be burned.
FreeMcBoot is an exploit that works on all models except the SCPH-9000x series with BIOS v2.30 and up. It requires no trigger disc and is able to directly load ELFs from the memory card.
Fortuna, Funtuna, and Opentuna are another form of memory card exploit. Unlike FreeMcBoot, they will work on the SCPH-9000x model, and they are compatible with third-party memory cards that do not support MagicGate.
HD Loader is an exploit for PS2 models with the hard drive peripheral.
FreeDVDBoot is an exploit discovered in 2020 that requires burning a disc image loaded with a payload onto a DVD-R. It is compatible with a range of PlayStation 2 models and works by exploiting a buffer overflow in the PS2's DVD video functionality.
MechaPwn is an exploit that permanently unlocks the DVD drive of the slim PS2 (and some later revisions of the fat PS2), allowing PS1 and PS2 discs from any region to be booted. PS1 CD-R copies can be booted directly from the PS2's built-in menu; PS2 CD-R/DVD-R copies require additional software to bypass the PlayStation 2 logo check.
In August 2024, a savegame exploit affecting multiple consoles and generations called TonyHawksProStrcpy was released, which is present in multiple Tony Hawk's titles for the PlayStation 2. It can be used to execute unsigned code.
PlayStation 3
The PlayStation 3 has a couple of methods to achieve a softmod. All models of PS3 can be softmodded.
Consoles that have factory installed (minimum firmware) version 3.55 or lower can install CFW (custom firmware) which is unofficial firmware. This includes: all fat models, slim 20xx and 21xx models, and 25xx models - the latter only if the console was manufactured before December 2010 (date code 0D or less). These guidelines assume a console has not been taken to Sony to be serviced, as Sony may update the factory installed firmware. Slim 30xx and all super slim models cannot currently install CFW.
Installing CFW was made possible with code signing after the PS3's master key was leaked. Sony changed the key with firmware 3.56. If a vulnerable console has official firmware above 3.55 installed, the flash can be patched via a WebKit exploit which enables a CFW install. Should the patching process be interrupted (e.g. power outage), it can brick the console.
CFW grants complete control over the console, having access to LV0 (bootloader), LV1 (hypervisor), and LV2 (kernel/GameOS). This allows the running of homebrew, load game backups, bypass region checks, enter Factory Service Mode, change fan and RSX (GPU) speeds, overclock the RSX, grant access to root keys, as well as run PS2 ISOs on unsupported backwards compatible models (via software emulation). Some CFW implementations reinstate features Sony removed such as "OtherOS".
The most supported PS3 CFW is Evilnat Cobra.
The other softmod is PS3HEN (HEN). HEN is supported by all PS3 models. In order to use HEN, it is required to install HFW (hybrid firmware), another kind of unofficial firmware. During the HEN setup process, a WebKit exploit is used to install a signed file through the PS3 Web Browser which sets up HEN on the PS3's storage. This adds a shortcut to enable HEN whenever the console is powered on, which leverages additional exploits to grant LV2 kernel/GameOS access. As such, this is a tether softmod, meaning HEN has to be activated every time the console is powered on. This softmod shares core CFW features - running homebrew, load backups of games, bypass region checks, change fan speeds, and play installed PS2 Classics PKGs. The unofficial PS2 backwards compatibility is diminished as users can only run PS2 Classics encrypted PKGs instead of ISOs.
With HEN, the hypervisor is still active and periodically checks if the current code being executed is unsigned; there is a small chance it can lead to the console becoming unresponsive or shutting down, making HEN less stable than CFW.
PlayStation 4
The PlayStation 4 has ways to achieve a softmod. Most rely on WebKit vulnerabilities in the PS4 Web Browser combined with a kernel exploit. All models of PS4 can be softmodded. They are all tether exploits meaning they have to be performed every time the console is powered on, although some exploits may be persisted using rest mode.
Softmodding a PS4 allows users to run homebrew, load game backups, bypass region checks, and change fan and CPU/GPU speeds. Some payloads can boot the PS4 into a Linux distribution, although this is not permanent and the console will revert to Orbis OS on reboot.
Notable firmware revisions that result in a softmod are: 1.76, 4.05, 4.74, 5.05/5.07, 6.72, 7.02, 7.55, 9.00, 11.00, with 5.05/5.07 being the most stable and 9.00 the most stable after that. It is worth noting the 9.00 exploit requires inserting a specially crafted USB flash drive into the console, and the 11.00 exploit to connect to a malicious PPPoE server over the network.
PlayStation 5
The PlayStation 5 has ways to achieve a softmod. They rely on a userland exploit, which can be either WebKit vulnerabilities in the PS5 Web Browser, a specially crafted Blu-ray disc, or a savegame exploit, that is combined with a kernel (and optionally hypervisor) exploit. They are all tether exploits meaning they have to be performed every time the console is powered on, although some exploits may be persisted using rest mode.
Softmodding a PS5 allows running homebrew, load game backups, modify the PS4 backwards compatibility blacklist, install and run PS4 "FPKGs" (including PS4 homebrew and PS1/PS2/PS4 game backups), change fan speeds, and spoof firmware (which allows the install of games that require an update patch, and can also block updates). However, firmware spoofing will not allow games above the console's true firmware revision to load without the required update patch. The PS5 is also capable of playing patched PS4 titles above the PS4 frame rate cap of 60 FPS, such as Bloodborne, at higher frame rates e.g. 120 FPS.
Compared to its predecessor the PS4, a userland and kernel exploit would have been enough to accomplish what is generally regarded as a true jailbreak by patching the kernel, however the PS5 has added security measures in comparison, mainly a hypervisor (HV) and eXecute Only Memory (XOM) which do not allow kernel patching - as a result not all kernel exploits on the PS5 can be leveraged due to these additional measures, and makes reverse engineering much more difficult. Despite this, several HENs (Homebrew ENablers) have been made that operate within the constraints of the HV and XOM to defeat enough security to enable a homebrew environment. After the first public HV exploit, HENs were adjusted to operate with the HV compromised (including the XOM being deactivated), providing better stability and functionality than HENs that don't leverage a HV exploit since kernel patching is now possible.
Firmware up to 2.50 is vulnerable to a userland, kernel, and hypervisor exploit chain. Firmware up to 7.61 is vulnerable to a userland and kernel exploit chain.
The IPv6 kernel exploit on the PS4 that led to the 6.72 jailbreak was patched a few months prior to the release of the PS5, which was reintroduced on the PS5 with 3.00 firmware and affected up to 4.51 firmware. The exFAT filesystem kernel exploit that led to the 9.00 jailbreak also affected PS5 firmware up to 4.03, however due to additional protections on the PS5 it is not possible to use this to softmod the PS5. The PPPoE kernel exploit that led to the PS4 11.00 jailbreak also affected PS5 firmware up to 8.20, and is not known to softmod the PS5.
In June 2023, a payload called libhijacker was disclosed, becoming a reliable method of running homebrew and partially circumvents the HV, which works by creating a new, separate process by interacting with the PS5's Daemon, effectively acting as a background ELF loader. This is notable over previous ELF loaders such as the WebKit or Blu-ray methods since those ELF loaders were terminated when the corresponding process was stopped. Another advantage of this new method is that the newly separate process is not confined to the fixed maximum resource allocation of the WebKit or BD-J processes.
In July 2023, security researcher Flat_z disclosed that they had read access to the PS5's Platform Secure Processor (PSP) which is one of the most protected parts of the system and contains crucial keys for decryption. In addition, they also confirmed they had successfully exploited the HV via a save game exploit chain. Flat_z said he does not intend to disclose his findings publicly, however he is using these exploits to further reverse engineer the PS5 now that he is able to decrypt more parts of the system.
In November 2023, scene developer LightningMods disclosed that they had managed to load and play a retail PS5 game backup.
In December 2023, scene developer LightningMods updated his Itemzflow homebrew to support loading PS5 game backups.
In September 2024, a kernel exploit was disclosed for FreeBSD 11, which the PS5 software is based on. It can be leveraged on the PS5, which affects all firmware versions up to 7.61. The bug is not present in FreeBSD 9 and as such the PS4 is unaffected.
In October 2024, security researcher SpecterDev disclosed two exploit chains that compromise the hypervisor, which affect all firmware versions up to 2.50.
PlayStation Portable
Much like the Xbox, it is possible to softmod almost any PSP. Using various exploits (such as the TIFF exploit or specially crafted savegames from games such as Grand Theft Auto: Liberty City Stories, Lumines, and later GripShift) or original unprotected firmware, the user can run a modified version of the PSPs updater, that will install custom firmware. This newer firmware allows the booting of ISOs, as well as running unauthorized (homebrew) code. A popular way of running homebrew code to softmod the PSP is by using the Infinity method.
PlayStation Vita
This section is empty. You can help by adding to it. (December 2023) |
The PlayStation Vita can also be softmodded, with the most notorious methods being using: HENkaku Web Exploit, h-encore and h-encore².
Xbox
Xbox used to include a font exploit installed through exploits in savegame code for MechAssault, Splinter Cell, 007: Agent Under Fire, and Tony Hawk's Pro Skater 4. Usage of the Splinter Cell or Tony Hawk's Pro Skater 4 disc is generally recommended as any version of the game will run the exploit, whereas certain production runs of Mechassault and Agent Under Fire are needed to use the exploit. Originally, via a piece of software called "MechInstaller" created by members of the Xbox-linux team, an additional option could be added to the Xbox Dashboard for booting Linux.
The font hack works by exploiting a buffer underflow in the Xbox font loader which is part of the dashboard. Unfortunately, since the Xbox requires the clock to be valid, and the dashboard itself is where one sets the clock, there is a problem if the RTC backup capacitor discharges. The Xbox will detect that the clock is not set and therefore force the dashboard to be loaded; the dashboard then reboots due to the buffer overflow exploit. Upon restarting, the Xbox detects the clock is invalid and the process repeats. This problem became known as the "clockloop".
In August 2024, a savegame exploit affecting multiple consoles and generations called TonyHawksProStrcpy was released, which is present in multiple Tony Hawk's titles for the Xbox. It can be used to execute unsigned code.
Xbox 360
Shortly after the release of the Xbox 360, ways were found to modify the firmware of the DVD drive of the console. This allows the system to play games from "backup" (non-original) game discs. This requires opening of the console but no additional hardware such as a modchip is permanently installed into the system. Microsoft responded by introducing console ban system. If the data stream from the DVD drive indicated signs of unauthorized use, Microsoft would permanently ban the console from using Xbox Live service. The ban never expires and can only be fixed by purchasing another console. Other measures, such as introducing new hardware revisions to prevent modifications and checking/updating the drive firmware during dashboard updates, have been made too.
In August 2024, a savegame exploit affecting multiple consoles and generations called TonyHawksProStrcpy was released, which is present in Tony Hawk's American Wasteland for the Xbox 360. It can be used to execute unsigned code. If used on a console with a dashboard version of 2.0.4548.0 or lower, it is possible to also chain a known hypervisor exploit and gain full control over the console. However, this is a very old update dating back to November 2006 and not readily available for most users, usually requiring downgrading which is not a simple process.
Xbox One
The Xbox One went through its lifecycle without having its security compromised. However, in June 2024, a userland exploit was disclosed for a Microsoft Store app called Game Script that had a bug which allowed for arbitrary code execution. Microsoft removed the app from the store a few days after disclosure, effectively patching the vulnerability for those who did not have it downloaded already.
A couple of weeks later, the same developer who published the userland exploit released a follow-up release which achieves kernel access while in Retail mode. This is roughly equivalent in functionality if the console was in Developer mode. Due to the Xbox One's security architecture, the console security is still mostly intact and further mitigations are necessary in order to become a HEN (homebrew enabler).
A payload exists that starts a reverse shell on the console over the network, which for example can be used to browse the console's filesystem and create directories.
Xbox Series X and Series S
The Xbox Series X and Series S are vulnerable to the same exploits for the Xbox One, and similarly have security measures where the console security is still mostly intact and further mitigations are necessary in order to become a HEN (homebrew enabler).
GameCube
In August 2024, a savegame exploit affecting multiple consoles and generations called TonyHawksProStrcpy was released, which is present in multiple Tony Hawk's titles for the GameCube. It can be used to execute unsigned code.
Wii
The first known softmod for the Wii is known as the Twilight hack, a savegame exploit for the Wii version of The Legend of Zelda: Twilight Princess. This allowed users to run unsigned code .dol/.elf files.
The Twilight hack was superseded by the development of Bannerbomb, which allowed for executing unsigned code without relying on an exploit within a game. Bannerbomb worked by using a malformed banner to inject a loader program into the Wii Menu program in memory. As the Wii Menu crashed, an unsigned executable was executed.
Bannerbomb was superseded by Letterbomb, which used a glitch in the Wii Message Board to crash the Wii Menu.
FlashHax superseded Letterbomb, which used an exploit in the Wii's End-user license agreement to run unsigned code, requiring the Internet Channel to be installed.
str2hax superseded FlashHax, which simplified the process even further. str2hax uses a custom DNS server to redirect the Wii's End-user license agreement page to a modified page that executes unsigned code, without the need for the Internet Channel.
BlueBomb was later released that leveraged a Bluetooth exploit, in particular used to softmod the Wii Mini which could not use the Internet Browser as an exploit entry point.
Exploits typically allowed the install of the Homebrew Channel, an unofficial Wii channel which acted as a gateway to run unofficial Wii applications.
A large homebrew community emerged for the Wii, leading to developments such as the Homebrew Channel, third-party games, media players, and the loading of Wii and GameCube game backups.
Wii U
The Wii U can be softmodded with various exploits. As of February 2024 the easiest way to softmod a Wii U is by using the DNSpresso exploit which leverages several bugs in the network stack, and achieves kernel access, in addition to having a specially crafted SD card inserted. This works on the latest firmware revisions. This in turn can be used to install CFW (custom firmware). Currently the most supported CFW is Aroma. Other choices of CFW are Mocha, Haxchi, and Tiramisu.
Softmodding a Wii U allows users to run homebrew, load game backups, bypass region checks, and change fan and CPU/GPU speeds. Notably, the Wii U is backwards compatible with Wii games (vWii), however softmodding also unlocks backwards compatibility with GameCube games like its predecessor, as the hardware required to emulate is present on the motherboard - despite this, Nintendo did not implement GameCube disc reading for the Wii U, effectively disabling this backwards compatibility.
USB storage can be used to store games; this is the only way to store and play Wii U games outside of the internal memory. Wii and GameCube games can be played if stored on the specially crafted SD card used to softmod the Wii U, or if they are stored on USB storage.
Previously, a few Virtual DS games could be exploited with specially crafted savegames to install a permanent CFW which is active as soon as the console powers on. However, after the eShop closure this method is now impossible to do unless the game was downloaded pre closure.
Nintendo DS/DS Lite
All versions of the Nintendo DS as well as the Nintendo DS Lite can be softmodded using FlashMe: an exploit that can be installed using any PassMe compatible flashcart. The exploit consists of shorting two pins with any metallic object to make the NAND containing the firmware writable. The custom firmware looks and acts exactly the same as the original DS firmware except for the fact you will not need a PassMe or Passcard to boot DS roms from Slot-2 flashcarts anymore. The standard version of FlashMe removes the DS intro screen (including the Warning screen) when booting up.
Nintendo DSi/DSi XL
The Nintendo DSi made it easier to softmod the console with the introduction of an SD card slot. The easiest method method was the Memory Pit exploit released in 2019. When the camera application is used to take a photo, it creates a file called pit.bin
to store metadata information. This file is always located at sd:/private/ds/app/484E494A
on the SD card. By modifying this file, a buffer overflow is created, crashing the system. External tools like Unlaunch write directly to the NAND storage of the DSi and creates a cold-boot scenario (i.e. the console can directly launch into the custom firmware without having to use other apps). Custom UI environments have been created, most notably TWiLight Menu++ which facilitates other programs like nds-bootstrap to launch homebrew software.
Nintendo 2DS/3DS
The Nintendo 3DS (and its Nintendo 2DS sibling) have become some of the most popular console platforms to softmod, as the procedure requires only the 2DS/3DS itself, and modifying its microSD card. All models of 3DS and 2DS can be softmodded, including the 'New' refresh models. Since the closure of the Nintendo eShop for the 2DS/3DS, softmodding has become popular in order to reinstate features that are now officially defunct.
The most well developed and commonly used CFW (Custom Firmware) is known as Luma3DS. It contains features such as EmuNAND (NAND redirection), running non-system menu payloads on boot, and installing homebrew titles to the main menu. A popular homebrew app used for piracy, known as Freeshop, was shut down by Nintendo with firmware 11.8 by requiring a title key authorization on the Eshop download servers, thus making all NUS downloaders for the 2DS/3DS to no longer function.
Nintendo Switch
Early Nintendo Switch units, known as "V1 unpatched" consoles, can be forced into the Tegra X1's ReCovery Mode (RCM) by holding Volume Up and Power while asserting the Tegra's home strap signal, which is not normally exposed to consumers; the console then accepts payloads over USB from another device. Tegra refers to the chip the Switch uses, the Nvidia Tegra X1. This was an oversight, as RCM was intended for Nintendo to service consoles rather than for end users. It was discovered that the strap signal could be emulated by shorting pin 10 on the right Joy-Con rail to ground, which puts the console into RCM. Once in this mode, a buffer overflow in the Tegra X1 boot ROM's USB recovery-mode code (the exploit known as fusée gelée) can be used to push a payload over USB and execute unsigned code, such as a CFW (custom firmware) loader. Because the bug is in the boot ROM, it cannot be closed by a software update; it was only fixed in later hardware revisions.
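The Memory Pit file overflow and the RCM USB exploit described above are two instances of one bug class: a parser copies data whose length is taken from the input into a fixed-size buffer without comparing that length with the buffer's capacity. The following C program is an added illustration written for this article, not Memory Pit's pit.bin format or the Tegra boot ROM code; the record layout (2-byte little-endian length followed by payload), the 64-byte buffer, and the addresses are all constructed for the example. It models the stack frame as a flat byte array so the overwrite of the "saved return address" is observable without undefined behaviour, and shows the hardened parser rejecting the same crafted record.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define META_CAP   64          /* capacity of the parser's metadata buffer (constructed) */
#define FRAME_SIZE 128         /* simulated stack frame that holds the buffer */
#define RET_OFF    META_CAP    /* the "saved return address" sits right after the buffer */
#define LEGIT_RET  0x08001234u /* constructed legitimate return address */

/* The frame is modelled as one flat byte array so every write in this demo
 * lands inside defined memory; only the layout mimics a real stack frame. */
typedef struct { uint8_t bytes[FRAME_SIZE]; } frame_t;

static void frame_init(frame_t *f) {
    uint32_t ret = LEGIT_RET;
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + RET_OFF, &ret, sizeof ret);
}

static uint32_t frame_ret(const frame_t *f) {
    uint32_t ret;
    memcpy(&ret, f->bytes + RET_OFF, sizeof ret);
    return ret;
}

/* Constructed record format: u16 little-endian payload length, then payload bytes. */
static int record_len(const uint8_t *rec, size_t rec_len, size_t *out) {
    if (rec_len < 2) return -1;
    *out = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if (*out > rec_len - 2) return -1;  /* declared length exceeds the bytes present */
    return 0;
}

/* Vulnerable: trusts the declared length and never compares it with META_CAP.
 * The clamp to FRAME_SIZE only keeps the demo inside defined memory. */
int parse_record_vulnerable(frame_t *f, const uint8_t *rec, size_t rec_len) {
    size_t len;
    if (record_len(rec, rec_len, &len) != 0) return -1;
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    for (size_t i = 0; i < len; i++) f->bytes[i] = rec[2 + i];
    return 0;
}

/* Hardened: adds the one missing check, declared length against destination capacity. */
int parse_record_hardened(frame_t *f, const uint8_t *rec, size_t rec_len) {
    size_t len;
    if (record_len(rec, rec_len, &len) != 0) return -1;
    if (len > META_CAP) return -2;  /* reject before copying anything */
    memcpy(f->bytes, rec + 2, len);
    return 0;
}

/* Crafted record: META_CAP filler bytes, then 4 bytes that land on the return slot. */
static size_t build_crafted_record(uint8_t *out, size_t out_cap, uint32_t target) {
    size_t payload = META_CAP + sizeof target;
    if (out_cap < payload + 2) return 0;
    out[0] = (uint8_t)(payload & 0xff);
    out[1] = (uint8_t)(payload >> 8);
    memset(out + 2, 'A', META_CAP);
    memcpy(out + 2 + META_CAP, &target, sizeof target);
    return payload + 2;
}

/* Value left in the return slot after the vulnerable parser consumes the crafted record. */
uint32_t vulnerable_parse_return(uint32_t attacker_addr) {
    uint8_t rec[FRAME_SIZE];
    frame_t f;
    size_t n = build_crafted_record(rec, sizeof rec, attacker_addr);
    frame_init(&f);
    parse_record_vulnerable(&f, rec, n);
    return frame_ret(&f);
}

/* Verdict of the hardened parser on the same crafted record (-2 means rejected). */
int hardened_parse_verdict(uint32_t attacker_addr) {
    uint8_t rec[FRAME_SIZE];
    frame_t f;
    size_t n = build_crafted_record(rec, sizeof rec, attacker_addr);
    frame_init(&f);
    return parse_record_hardened(&f, rec, n);
}

/* A benign 16-byte record must still parse and leave the return slot untouched. */
int hardened_benign_ok(void) {
    uint8_t rec[2 + 16] = { 16, 0 };
    frame_t f;
    memset(rec + 2, 'm', 16);
    frame_init(&f);
    return parse_record_hardened(&f, rec, sizeof rec) == 0 && frame_ret(&f) == LEGIT_RET;
}

int main(void) {
    printf("return slot after vulnerable parse: 0x%08" PRIx32 "\n", vulnerable_parse_return(0x02400000u));
    printf("hardened parser verdict: %d\n", hardened_parse_verdict(0x02400000u));
    printf("benign record accepted: %d\n", hardened_benign_ok());
    return 0;
}
```

The only difference between the two parsers is the comparison of the declared length with META_CAP; in the real exploits the attacker-controlled length comes from a file on the SD card or from a USB control request, and the destination is a real stack buffer rather than a simulated frame.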
Some firmware revisions have also had a limited number of software-only exploits emerge, but these are closed in later firmware, so a console that has been updated loses them.
The softmods allow running homebrew, installing CFW via the RCM exploit, bypassing region checks, loading game backups, and changing fan and CPU/GPU speeds. With the RCM exploit it is also possible to install an Android distribution as an additional boot option, which makes the device far more versatile for cross-platform play (such as via Xbox Game Pass), allowing games from other platforms to be played. The Joy-Cons are fully functional under Android, making it a strong competitor for tablet gaming.
The most supported Nintendo Switch CFW is Atmosphère.
Nintendo has put safeguards in place: if a console connects to a Nintendo server with a modified bootloader, or with an unauthorised copy of a game loaded, the console can be banned, either immediately or later, after telemetry data has been sent to Nintendo's servers. Once banned, the console's identity is blacklisted by Nintendo and it will never again be able to access a Nintendo server, losing the eShop, online play and other online features.
In December 2023, a group of hackers unveiled the first flash cartridge for the Switch, the Mig Switch. It accepts a microSD card holding game backups, and the user switches between loaded games by re-inserting the cartridge. Whether backups loaded via the cartridge risk a console ban when the user is online is not currently known. Mig Switch works on all models and firmware versions, partially defeating the console's cartridge security in order to play game backups and also run homebrew.
Computer DVD drives
Some DVD drives, such as those made by Lite-On, can be softmodded to ignore region coding, to clear the drive's learned media calibration data, and to set the book type of DVD+R discs to DVD-ROM persistently across reboots. These changes are made through a utility that edits the drive's EEPROM settings; this is distinct from cross-flashing the drive or installing unofficial firmware, and does not modify the drive's firmware.
References
- Qin Zhou; Nigel Poole (2010). Dasun Weerasinghe (ed.). Information Security and Digital Forensics: First International Conference, ISDF 2009. Springer Berlin Heidelberg. pp. 50–56. ISBN 978-3-642-11530-1. Retrieved 14 July 2010.
- "Sony follows up, officially sues Geohot and fail0verflow over PS3 jailbreak". Engadget. 12 January 2011. Retrieved 12 September 2024.
- "Sony and PlayStation 3 jailbreaker George Hotz settle out of court".
- "Japan Makes It Illegal To Mod Consoles". GameSpot. 10 January 2019. Retrieved 1 September 2024.
- Del Sol Vives, Marcos. "TonyHax". Orca.pet. Retrieved 12 March 2023.
- "How to make your own Memory Card Exploit using the Independence Installer". Retrieved 24 April 2013.
- "PS2 Softmod Install Tutorial". Archived from the original on 21 March 2013. Retrieved 24 April 2013.
- Orland, Kyle (29 June 2020). "New hack runs homebrew code from DVD-R on unmodified PlayStation 2". Ars Technica. Retrieved 29 December 2020.
- "MechaPwn". Github. Retrieved 12 March 2023.
- "grimdoomer/TonyHawksProStrcpy". GitHub. Retrieved 3 September 2024.
- "PlayStation 'master key' leaked online". BBC UK. 24 October 2012. Retrieved 29 August 2024.
- "Evilnat/Cobra-PS3". GitHub. Retrieved 12 September 2024.
- "PS3Xploit/PS3HEN". GitHub. Retrieved 12 September 2024.
- "Hacker Confirms PlayStation 4 Jailbreak! Exploit Could Open Doors for Pirated Games". The Hacker News. 14 December 2015. Retrieved 29 August 2024.
- "Kernel Exploit for Sony PS4 Firmware 4.05 Released, Jailbreak Coming Soon". The Hacker News. 27 December 2017. Retrieved 29 August 2024.
- "Cryptogenic/PS4-4.05-Kernel-Exploit". GitHub. Retrieved 29 August 2024.
- "Cryptogenic/PS4-5.05-Kernel-Exploit". GitHub. Retrieved 29 August 2024.
- "sleirsgoevy/ps4jb". GitHub. Retrieved 29 August 2024.
- "sleirsgoevy/PS4-webkit-exploit-7.02". GitHub. Retrieved 29 August 2024.
- "sleirsgoevy/ps4jb2 at 75x". GitHub. Retrieved 29 August 2024.
- "ChendoChap/pOOBs4". GitHub. Retrieved 29 August 2024.
- "TheOfficialFloW/PPPwn". GitHub. Retrieved 29 August 2024.
- "PS5Dev/Byepervisor". GitHub. Retrieved 26 October 2024.
- "PS5Dev/PS5-UMTX-Jailbreak". GitHub. Retrieved 22 September 2024.
- "Cryptogenic/PS5-IPV6-Kernel-Exploit". GitHub. Retrieved 29 August 2024.
- "john-tornblom/bdj-sdk". GitHub. Retrieved 29 August 2024.
- "astrelsky/libhijacker". GitHub. Retrieved 24 June 2023.
- "Aleksei Kulaev on Twitter: finally... hello, PS5 PSP :)". Twitter. Retrieved 30 July 2023.
- "LM on Twitter: First ever PS5 Game Back up to be played, PPSA03527". Twitter. Retrieved 7 November 2023.
- "LightningMods/Itemzflow". GitHub. Retrieved 12 September 2024.
- "The Official Clock Loop Thread". Retrieved 26 April 2016.
- "lewurm/savezelda". GitHub. Retrieved 12 September 2024.
- "fail0verflow/letterbomb". GitHub. Retrieved 12 September 2024.
- "Fullmetal5/FlashHax". GitHub. Retrieved 12 September 2024.
- "Fullmetal5/str2hax". GitHub. Retrieved 12 September 2024.
- "Fullmetal5/bluebomb". GitHub. Retrieved 12 September 2024.
- "FlashMe". GBAtemp Wiki.
- "Nintendo DSi Camera - DSiBrew". dsibrew.org. Retrieved 25 November 2024.
- "Memory Pit - DSiBrew". dsibrew.org. Retrieved 25 November 2024.
- "Freeshop Taken Down By Nintendo".
- "NUS Downloaders".
- "Nintendo Switches Hacked to Run Linux—Unpatchable Exploit Released". The Hacker News. 24 April 2018. Retrieved 1 September 2024.
- "Atmosphere-NX/Atmosphere". GitHub. Retrieved 1 September 2024.
- "EEPROM Utility". Myce.