Ironically, criminal damage has its origins in the Frame-Breaking Act of 1812, carrying the death penalty, and designed to stem the rising tide of Luddites. Today companies like Nintendo, Microsoft and Sony are the Luddites.
Because the damage is permanent, to "tangible property", and "without lawful excuse" (and please don't knee-jerk to arguing "they can do what they want because you agreed to it" - you didn't and they can't), I'd think there's a very good case for criminal damage as a distinct action from any computer misuse recourse.
The argument needs to be made, not on behalf of the users as a class action, but on behalf of another stakeholder - the environment. Every time a company makes and sells products that can be "bricked" they contribute to e-waste (see [1][2] if this issue isn't yet on your radar - it's something every hacker should be aware of).
I have faith that smart people in European politics genuinely get this emerging problem, and that we have the courage, time and willingness to bring new legislation or trade restrictions that would make it impossible to sell such products in Europe. Even better, I would like to see Microsoft made to pay the cleanup costs.
Like if you want to sell illicit XBoxes, it's on you to ensure that the thing can't be rendered inoperable by a third-party software update, it's not the third-party's responsibility to account for your hardware when they do software updates.
Doing software updates that brick tampered hardware is harder to make a sarcastic argument about.
I have a condition that I cannot listen to media about things I know too much about.
For this reason, I cannot watch/listen to darknet diaries, or a host of other topics. The physical cringe of wanting to correct the record is unbearable, but from what I heard, they are very accurate and have done their research.
It's crazy to hear that story told back to me. I wasn't part of the core of it, but everything as intense as xbox-underground has a huge fringe. I was in that fringe. Listening to the background of all that stuff I was a part of is very cool. I remember the leaks, the return scams, the carding, and the circulation of password dumps. It was a crazy time.
That they built a working Xbox One (before it had even been announced) just by looking at the spec sheets etc. and buying the parts on Newegg is incredible.
I fondly remember flashing my DVD drive on my 360 when I was 15 to play Saints Row (I had an ITCH for a GTA-like game). Back then I was scared shitless of possibly bricking it. Now looking back, I laugh because of how trivial the mod was. Pretty sure this was a major contributing factor to me eventually pursuing tech in my career.
I have my bricked retail sitting on my desk, it's my second favorite paperweight.
After CON files were being re-signed with 00000' keys, they tried and failed to maintain a "known bad" list of RSA private keypairs that were known to be re-signing modified content.
After that patchwork hack failed, because of the spread of CON resigners, they gave up on that effort. You can still find blacklisted keypairs in the NAND, if you look around.
But my retail wasn't exactly unmodified, so I was bending the definition of "retail" here...
But yes, they bricked retail consoles posing as xDev and pNET kits.
There are things called fuses on AVRs that cannot be changed by running code but can be set and unset multiple times by an external programmer. These are apparently different.
https://en.wikipedia.org/wiki/Efuse describes the mechanism of action: "eFuses can be made out of silicon or metal traces. In both cases, they work (blow) by electromigration, the phenomenon that electric flow causes the conductor material to move."
Aha, I was under the impression that it was simply and literally a question of passing too much current through a conducting trace internally, causing the internal resistance to overheat it, thus melting it. Perhaps that would be a method too unreliable or something. Perhaps I should read the wikipedia entry before speculating :).
You're not wrong, this was how fuses were originally implemented in their earliest forms in the early days of integrated circuits.
A common technique was using diodes. Zener diodes are normally used to suppress overvoltage, but they're only useful for transients, and easily destroyed by a sustained, constant overvoltage due to excessive power dissipation. This is a serious problem in surge protector designs. "If life gives you lemons, make lemonade". Since they fail as a short circuit, early chip designers exploited this property as a one-time programmable fuse for factory calibration.
Quote Troubleshooting Analog Circuits by Robert A. Pease.
> As mentioned earlier, a diode tends to fail by becoming a short circuit when overpowered, and zeners cannot absorb as much power as you would expect from short pulses. How dreadful; but, can IC designers serendipitously take advantage of this situation? Yes!
> The Vos of an op amp usually depends on the ratio of its first-stage load resistors. IC designers can connect several zeners across various small fractions of the load resistor. When they measure the Vos, they can decide which zener to short out - or zap - with a 5-ms, 0.3- to 1.8-A pulse. The zener quickly turns into a low-impedance (= 1 Ω short), so that part of the resistive network shorts out, and the Vos is improved.
> In its LM108, National Semiconductor first used zener zapping, although Precision Monolithics (Santa Clara, CA) wrote about zener zapping first and used it extensively later on. Although zener zapping is a useful technique, you have to be sure that nobody discharges a large electrostatic charge into any of the pins that are connected to the zener zaps. If you like to zap zeners for fun and profit, you probably know that they really do make a cute lightning flash in the dark when you zap them. Otherwise, be careful not to hit zeners hard, if you don’t want them to zap and short out.
> These zener zaps are also becoming popular in digital ICs under the name of “vertical fuses” or, more correctly, “anti-fuses.” If an IC designer uses platinum silicide instead of aluminum metallization for internal connections, the diode resists zapping.
Nowadays they are implemented as a write-only EEPROM or Flash memory (and can even be overwritten in some designs using a special programmer), but the name "fuse" is still used for historical reasons, and to reflect their software-irreversible nature.
Also, fun fact: since fuses are EEPROMs, they're vulnerable to potential data corruption just like any other EEPROMs. If a fuse bit ever "gets loose", it can brick many chips since their boot configurations are no longer correct. It's especially problematic for space applications. This is also used for chip cracking - you can remove the "program read-protection" bit in some microcontrollers by exposing the fuse portion of the decapped silicon die under UV light. BTW, if you ever see a computer that reports an "Intel Core i6" processor model, it's likely a corrupted fuse bit (yes, this was a real incident).
Correct. It's a pain in the bum. I might add that Fairphone has an official procedure to flash the original rom and re-lock the bootloader, I tried it with the FP3 at least and that worked on the first try.
I unintentionally blow the eFuse on the Qualcomm chips I'm developing for all the time. It's very frustrating and surprisingly easy to do with their tools.
I'm ideologically opposed to using this feature 'productively', but it definitely makes it simpler (cheaper) for the company to maintain installed base versions...
Why and how does it make stuff easier for the company? Can't the company just... not support older versions of the software?
What's the difference in burden on the company between a user who just declines updates for years and a user who installs upgrades but then downgrades again? Surely the customer support response in all cases is "install the latest version"?
The capability provides for a lot more than blocking software downgrades, e.g. setting the boot signing key and then locking it with an efuse so only matching signed images can be booted, or the inverse: enable unsigned custom firmware but blow a fuse to mark that the device has been allowed to run custom software (which may impact hardware DRM systems during boot).
> There are 256 bits in the set of ODM_RESERVED fuses, and there are 8 ODM_RESERVED. This allows for 32 fuses, or 32 future FW versions (provided they burn a fuse on every major release).
32? Is that it? So if Nintendo want to push more than 32 updates, they either need to not blow any more fuses, or stop using the fuses when they've all gone? Wouldn't they be totally useless then?
Not a console player, can someone explain why consumers want to downgrade their console(s)? I Googled a bit and it seems people would like to have a more vulnerable version to hack their devices, but why did they upgrade in the first place? Is it a forced upgrade?
Nearly forced. Once the console downloads the update, it will be applied automatically upon reboot.
The alternative is to never connect to WiFi, ever, and some do that.
Generally, consumers would want to downgrade because older versions have vulnerabilities that are fixed in newer versions. These vulnerabilities allow console owners to do what they want with their hardware, and gaming communities have shown Nintendo time and time again that if it is possible to use game hardware for game piracy, it will be widely used for that purpose.
Those of us who want a neat standardized hardware platform to hack on without pirating anything are in the noise floor for companies like Nintendo, so we have no representation among either pirates or the console manufacturer.
I've been out of "the scene" for many years now, but back in the day, I had a Flash Cart[0][1] so that I could have all (literally all...) the Nintendo DS games at hand. I was a naughty naughty pirate.
The flash cart also added some really neat features that were missing, such as: the ability to take screenshots, ability to save and restore a game at any point, ability to load cheats like infinite ammo and such.
Nintendo was/is at war with cart users and any update to a DS with a flash cart stood a good chance of either killing the flash cart or rendering it inoperable until a new firmware was released for the flash cart (which may never happen). There's a long and great history here. And if you want to know more, the GBATemp wiki[3] is a great starting point.
The Amazon kindle os does not allow downgrades, not sure if it’s using fuses or not.
In that case it isn’t about access to pirated content either—people want to be able to modify it for basic features the company has neglected to provide.
Not about a console, but sometimes manufacturers or developers change the UI of the system or valued apps.
Examples:
Sony removed Linux OtherOS from the Playstation 3 firmware because even though it didn't have a GPU driver, they were worried it could be leveraged to do whatever. There is no value in running Linux on a PS3 today, but there was once.
Apple notably between iOS 6 and 7 changed their design language from skeuomorphic to flat white "metro" style. If you don't like staring at a glaring white screen, too bad. But more importantly, when it comes to drivers, esp. graphics, they can introduce eyestrain if something isn't as good. Issues with sound, networking, etc. for all sorts of platforms. The Intel Management Engine which is inside your PC (AMD has a counterpart) is another CPU and another OS that you're not allowed to shut off (or access). Sometimes firmware updates will come out preventing you from rolling back to a previous version that didn't have a bug with the hardware in this or that because of the precious Intel ME backdoor.
This also applies to routers with custom firmware. Sometimes models manufactured after a certain date will already contain the patches from the factory.
Typically a vulnerability is found on an older version of the software that can be used to attain kernel level access, and a very simple hack is needed in later versions to force an upgrade to an older version of the software.
To prevent the use of older versions of the software, later versions of the software will burn fuses as they surpass versions, preventing them from ever being used again on that device.
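The burn-on-upgrade scheme described above, as an added example (not Nintendo's or NVIDIA's code): a Python model with a hypothetical bank of 32 one-time-programmable fuse bits, a constructed version-to-fuse-count table and a boot_check() policy that refuses any image expecting fewer fuses than are already burned. It also walks through the two questions raised earlier in the thread: a release that does not burn a fuse (two versions sharing a count) and what is left of the check once all 32 fuses are gone.

```python
"""Model of fuse-count anti-downgrade: a release that fixes something
important burns one more fuse; the bootloader refuses images that expect
fewer fuses than are already burned.

Added example, not Nintendo's or NVIDIA's code. Everything here is a
hypothetical model: 32 OTP fuse bits, a constructed version table and
boot_check() standing in for the bootloader's policy.
"""

FUSE_COUNT = 32  # 256 ODM_RESERVED bits / 8 = 32 fuses, per the quote above


class FuseBank:
    """OTP bits: software can set a bit, nothing in software can clear one."""

    def __init__(self, burned: int = 0):
        if not 0 <= burned <= FUSE_COUNT:
            raise ValueError("burned must be between 0 and FUSE_COUNT")
        self.bits = [1] * burned + [0] * (FUSE_COUNT - burned)

    def burned(self) -> int:
        # Fuses are burned in order (low to high), so the number of set bits
        # is the version counter.
        return sum(self.bits)

    def burn(self, index: int) -> None:
        # Idempotent: blowing an already blown fuse changes nothing.
        self.bits[index] = 1

    def clear(self, index: int) -> None:
        # This is the property the whole scheme rests on.
        raise PermissionError("OTP fuse bits cannot be cleared from software")


# Constructed table: only releases that close an exploitable hole burn a
# fuse, so several versions can share a count (3.0.0 and 3.0.1 here).
EXPECTED_FUSES = {
    "1.0.0": 1,
    "2.0.0": 2,
    "3.0.0": 3,
    "3.0.1": 3,
    "4.0.0": 4,
}


def boot_check(bank: FuseBank, expected: int) -> str:
    """Bootloader policy for an image that expects `expected` burned fuses.

    Returns "boot" (burning fuses first if the image is newer),
    "refuse: downgrade" (image expects fewer fuses than are burned) or
    "refuse: exhausted" (image needs more fuses than the bank has).
    """
    if expected > FUSE_COUNT:
        return "refuse: exhausted"
    burned = bank.burned()
    if expected < burned:
        # An older image on a device that already moved on: refuse.
        return "refuse: downgrade"
    # Newer or equal image: burn up to the expected count, then run.
    for i in range(burned, expected):
        bank.burn(i)
    return "boot"


def run_history(bank: FuseBank, versions) -> list:
    """Apply a sequence of images to one device and collect the decisions."""
    return [boot_check(bank, EXPECTED_FUSES[v]) for v in versions]


if __name__ == "__main__":
    dev = FuseBank()
    print(run_history(dev, ["1.0.0", "3.0.0", "3.0.1", "2.0.0", "4.0.0"]))
    print("fuses burned:", dev.burned())
    # Once every fuse is blown the counter cannot move, so all images that
    # expect 32 look identical to the bootloader from then on.
    full = FuseBank(FUSE_COUNT)
    print(boot_check(full, FUSE_COUNT), boot_check(full, FUSE_COUNT + 1))
```

The sequence in the usage shows the point of the design: 3.0.1 boots without burning anything because it shares 3.0.0's count, while 2.0.0 is refused even though the image itself is perfectly valid, and nothing short of a hardware attack undoes that because clear() is not a thing the bootloader can do.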
Thanks, yeah this is pretty much forced play. I guess it is also possible (technically) to modify the code of the game to remove the firmware requirement, if it is just a version check?
If you think burnable fuses to prevent downgrading is interesting, wait until you see the black magic that Apple cooked up to prevent iPhone downgrades.
No fuses there - just an incredibly complex mess of nonces, digitally signed tickets, and secret generator keys.
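The nonce-and-ticket scheme mentioned above, as an added example that is not Apple's code: a Python model of an online personalised-signing exchange. SigningServer, Device, derive_nonce(), the ECID values and the version strings are all hypothetical, and HMAC-SHA256 stands in for the server's asymmetric signature, so here the device's verify key is the same secret (a real device would hold only a public key). It goes a little beyond the comment by showing the replay that fails, the per-device ECID check, and why a saved ticket verifies again once the device is re-seeded with the generator it was obtained under.

```python
"""Model of nonce-bound signing tickets (online personalisation).

Added example, not Apple's code. Hypothetical: a server that signs tickets
only for versions it still allows, and a device that derives its boot nonce
from a secret "generator" and accepts a ticket only if signature, ECID and
nonce all match. HMAC-SHA256 stands in for the server's real signature.
"""
import hashlib
import hmac
import os


def derive_nonce(generator: bytes) -> str:
    # Whoever knows the generator can reproduce the nonce; the generator
    # itself never leaves the device.
    return hashlib.sha256(generator).hexdigest()


class SigningServer:
    def __init__(self, key: bytes, signable):
        self.key = key
        self.signable = set(signable)

    def issue_ticket(self, ecid: int, nonce: str, version: str):
        """Personalised ticket for (ecid, nonce, version), or None if the
        server no longer signs that version."""
        if version not in self.signable:
            return None
        msg = f"{ecid}|{nonce}|{version}".encode()
        sig = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"ecid": ecid, "nonce": nonce, "version": version, "sig": sig}


class Device:
    def __init__(self, ecid: int, verify_key: bytes):
        self.ecid = ecid
        self.verify_key = verify_key
        self.generator = os.urandom(8)

    def nonce(self) -> str:
        return derive_nonce(self.generator)

    def accept_ticket(self, ticket) -> bool:
        msg = f"{ticket['ecid']}|{ticket['nonce']}|{ticket['version']}".encode()
        expected = hmac.new(self.verify_key, msg, hashlib.sha256).hexdigest()
        return (hmac.compare_digest(expected, ticket["sig"])
                and ticket["ecid"] == self.ecid       # ticket is for this unit
                and ticket["nonce"] == self.nonce())  # and for this boot

    def restore(self, server: SigningServer, version: str) -> bool:
        ticket = server.issue_ticket(self.ecid, self.nonce(), version)
        if ticket is None:
            return False
        ok = self.accept_ticket(ticket)
        if ok:
            self.generator = os.urandom(8)  # fresh nonce after each restore
        return ok


def scenario(server_key: bytes = b"hypothetical-server-key") -> dict:
    """Walk through a downgrade attempt and return each step's outcome."""
    server = SigningServer(server_key, {"10.0"})
    dev = Device(ecid=0x1234, verify_key=server_key)
    results = {}

    # 1. While 10.0 is still signed, the user fetches a ticket and keeps it,
    #    together with the generator the device was using at the time.
    saved_generator = dev.generator
    saved_ticket = server.issue_ticket(dev.ecid, dev.nonce(), "10.0")

    # 2. Device moves to 11.0 and the server stops signing 10.0.
    server.signable = {"11.0"}
    results["fresh_11"] = dev.restore(server, "11.0")
    results["server_refuses_old"] = (
        server.issue_ticket(dev.ecid, dev.nonce(), "10.0") is None)

    # 3. Replaying the saved ticket: signature still valid, nonce now stale.
    results["replay_saved"] = dev.accept_ticket(saved_ticket)

    # 4. A valid ticket for another unit's ECID and this device's nonce.
    results["wrong_ecid"] = dev.accept_ticket(
        server.issue_ticket(0x9999, dev.nonce(), "11.0"))

    # 5. Re-seeding the generator reproduces the old nonce, and the saved
    #    ticket verifies again with no help from the server.
    dev.generator = saved_generator
    results["replay_with_generator"] = dev.accept_ticket(saved_ticket)
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step}: {outcome}")
```

Step 5 is the reason the generator is the sensitive piece: the server-side policy (step 2) and the nonce check (step 3) together block anyone who kept only the ticket, but the nonce is a pure function of the generator, so a device that can be re-seeded with a known generator can re-validate anything that was ever signed for it.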
Apple internal iOS devices used by engineers are "dev-fused".
This hardware configuration opens up the device to some extent, allowing Apple engineers more latitude when developing software.
There have been articles saying that Apple lets some third party security people use these devices.
I can see how giving that access that might make sense, but I don't know if that article is true.
Dev-fused devices would also be very useful to Apple adversaries like NSO in developing hacks so I would actually expect Apple to continue to keep tight control over them.
Correct me if I'm wrong but those require an internet connection, right? I think Nintendo can't use online codesigning because (certain?) game carts have firmware upgrades that the game itself requires. Nintendo wants the user to be able to install those firmware upgrades offline, like if some kid plays a game for the first time on a road trip or plane ride.
Gads, don't get me started on SPI software upgrades on the Mac Book Pro. Serious cramp in the calvins. Forced non-down-gradable (sp?) OS because of that.
Could you expand on how this causes problems? As far as I'm aware, this has never prevented e.g. downgrading to an older version of macOS. (I assume I would know because I downgrade everything to OS X 10.9.)
Hackers eventually found a way to downgrade but you would not be able to connect to Xbox live. It did allow you to hack the Xbox and play pirated games and homebrew.
You could connect, you would just instantly be banned because the challenge/response pair didn't match, starting with the bright-white dashboard in Feb of '11.
The discovery of the RGH, reset glitch hack, aided in reversing the early stages of the bootloader, allowing a small group of incredibly talented, incredibly missed individuals to reverse the firmware/NAND challenges and correctly respond to the challenge.
You could connect to Xbox live if you had one of the undetectable modchips with a switch that allowed you to flop between regular and modded firmware. Even with modded firmware you could go on live for a while, even cheat at multiplayer games flying around and stuff until you got banned.
Well this might not be entirely true. Hackers found a way to downgrade the Xbox 360 after fuses were blown but you would not be able to use online functions with your home brew or pirated games unless they developed a dual kernel boot and used a normal kernel and no home brew to go back online. https://www.engadget.com/2007-08-25-efuse-successfully-blown...
Microsoft bricked thousands of illicit China-developer xbox360 kits one spring morning, in the winter of 2010.
They also have bricked retail xbox360 consoles of nefarious (teenage) actors. Cannot go into more detail on that one. Maybe after a few more years.
[1] https://digitalvegan.net/digital-vegan-print-sample.pdf (ch 17 Wasteland)
[2] https://www.fathom.pro/blog/2020/09/world-wide-waste-an-inte...
I believe these two podcast episodes cover that in depth.
https://darknetdiaries.com/episode/45/
https://darknetdiaries.com/episode/46/
RIP anthony
Thanks for sharing.
We've all been there...
I was in the "xbox underground" group and later worked at Microsoft. They never bricked retails, lol.
Don't blame them. We were bad kids.
Modern ones are typically flash memory that simply doesn't have the circuitry for erasure.
So they must have some guidelines for what kind of features are worth burning a fuse.
But yeah, 32 sounds low. Let's just hope number 32 has an easy exploit :)
Remember, Ninty doesn’t need to burn one for each update, just for the ones they consider important enough.
[0] https://en.wikipedia.org/wiki/Flash_cartridge
[1] https://wiki.gbatemp.net/wiki/3DS_Flashcart_Comparison
[3] https://wiki.gbatemp.net/wiki/Category:Nintendo_DS
The most famous example from my point of view:
https://www.win.tue.nl/hashclash/rogue-ca/
Or to get back the features you had originally paid for but got removed, like Linux OS installs on PS3s.
Often you also first use stock before you learn about/want to start hacking it.
New games and game updates often require Switch system updates. Two examples:
Animal Crossing DLC requires a system update.
Rocket League seasons usually require a game update.
[0]: https://www.theiphonewiki.com/wiki/Security_Fusings [1]: https://www.theiphonewiki.com/wiki/ECID
E.G. https://macdailynews.com/2019/08/06/apple-hands-hackers-secr...