As you might have already guessed based on some of my previous posts, I love dealing with the GBA and all of the hardware that goes into it. But one of the most interesting and perhaps underused...| Tumblr
Preface This article is a partial-rebuttal/partial-confirmation to KGOnTech’s Apple Vision Pro’s Optics Blurrier & Lower Contrast than Meta Quest 3, prompted by RoadToVR’s Quest 3 Has Higher Effective Resolution, So Why Does Everyone Think Vision Pro Looks Best? which cites KGOnTech. I suppose it’s a bit late, but it’s taken me a while to really get a good intuition for how visionOS renders frames, because there is a metric shitton of nuance and it’s unfortunately very, very easy ...| [Segmentation Fault]
Background - Why Wii U? The Wii U has had a fairly small homebrew scene, I believe in part because it currently has no commercial nor open-source modchips for facilitating early-boot code execution. While there exists a coldboot boot1 vulnerability, isfshax, it leaves a lot to be desired, and it is unfortunately not useful for recovering consoles from an unknown state, since NAND is encrypted per-console based on an OTP key. Additionally, certain SEEPROM corruptions can cause consoles to neve...
Last year I detailed a secure EL3 vulnerability which affected (and still affects, for devices with discontinued updates) LG Android devices. However, this vulnerability alone isn’t actually all that useful for a number of reasons, the more immediate being that many phones simply do not allow writing to eMMC without root or a custom recovery. Additionally, gaining full control over all privilege levels requires draining the battery to below 0%, which while it would be possible to create a m...
I should probably preface all of this by saying that I’m not really a security professional in the sense that I don’t actually do security stuff for a living; I reported this vulnerability in March and gave a 90 day delay on releasing specific details mostly just because that’s A Thing That Security Researchers Do. Also the vulnerability doesn’t require user interaction from coldboot so it’s a bit nasty in that regard. But also this vulnerability sat around for 7 years so it could b...
Ever since shofEL2 was released earlier this year it’s been interesting to watch how different custom firmwares have tackled the prospect of modifying Nintendo’s firmware for both homebrew and piracy applications, and as someone who hasn’t really had much stake in that race I feel like it’s interesting to watch how different solutions tackle different problems, but at the same time since I do have a stake in a few places (namely, Smash Bros modding, vulnerability hunting, personal pro...
Edit (Nov 2 2022): This article contains some prior speculation and grumbling about Cemu, which is no longer closed source. Even prior to open sourcing, Cemu aided in documentation efforts for decaf. At the time though, contributions to WUT were solely done by decaf-emu and others. While hanging around in the Citra and yuzu Discord servers this question (or some variant of it) has arisen several times, “Why was Cemu/yuzu able to develop so quickly?”, and while there’s some fairly obviou...
Coming from our last post, we left off with the conclusion that the only real way to figure out Bluetooth would probably be to leak the at-runtime firmware being executed. From there I initially set out to attempt fishing out some data by using SPI writes to modify the firmware patches, however I was disappointed to discover some things: When writing to SPI, the firmware itself actually limits writes from 0x6000 to 0x10000, anywhere else will unfortunately be ignored entirely. My attempts to ...
It’s been a little while since I last continued this series of posts, and since I’ve made quite a bit of progress, I figured I’d do a quick post on some things. With my hidtest utilities out in the open, getting results from others’ Pro Controllers took very little time. Initially, Pro Controllers worked out of the box except they disconnected after a short bit. Additionally, sending commands to only one Joy-Con would cause the other to eventually disconnect sometimes. The soluti...
Earlier this week I made a short post detailing some of my endeavors towards talking to Joy-Con and getting their firmware. However, as fun as it is to have my Joy-Con in pieces talking to my ESP32, I wanted a better way to conduct research with my Joy-Con. To do this, I ended up buying a charging Joy-Con grip for about $30, a little bit costly but worthwhile if it happened to have the rail connectors I could tap into for UART (though I also had hoped when buying it, at least a little, that I...
For the past few days I’ve poked around a bit with the fancy new controllers that ship with the Nintendo Switch, the Joy-Con. My primary motivation in looking at these devices mostly comes back to the fact that they’re almost everything I wanted in my VR controller project: analog joysticks, four buttons, and grip buttons (to a degree). Position tracking aside, I think they’re basically perfect for VR and have huge potential as a standard Bluetooth controller as well, with some interesti...
Given the recent topic of OTPless k9lhax installation on N3DS, I felt it would be interesting to mention the original hardware method of executing non-enhanced k9lhax on an N3DS. For the sake of documentation, this exploit was conducted in May 2015 cooperatively between myself, WulfyStylez and Dazzozo. I ended up being the one to conduct the actual hardware exploit and bruteforce while the 3DS software process was almost entirely done by WulfyStylez and Dazzozo. The original k9lhax method was...
Foreword Just as a foreword, this is a project I worked on for my senior project for my final year of high school. And yes, it does look very similar to the PS Move, however the goal of the project was not to have usable controllers for VR, but rather to build a solution from the ground-up. Admittedly, the quality of the final result could have been much better, however I did accomplish my goal and I ended up learning quite a bit. It should also be noted that this project was completed in Mar...
Introduction Since the beginning of the 3DS hacking scene, Gateway provided probably, for the time, the best method (or uh, gateway) into modifying one’s 3DS. I’d dare say they probably were the sole reason homebrew existed at all for the public prior to 9.2 and the release of ninjhax. Following 9.2 and their Gateway 3.0 Ultra release, while having an initially successful release and userbase influx, eventually led to their downfall due to how easily their ARM11 and ARM9 kernel exploits w...
In Pokemon Omega Ruby and Alpha Sapphire, Super Secret Bases were introduced as a step up from the Ruby/Sapphire/Emerald Secret Bases for a new hardware generation, able to take advantage of the new 3DS features which did not exist with the GameBoy Advance. One of these features happened to be the front and back facing cameras, which yielded a vector for sharing secret bases via QR code. However despite the game having been released quite some time ago, it seems nobody has figured out their d...
This blog post details another savegame exploit found in VVVVVV, affectionately named (v*)hax. This post is purely for documentation, to download the exploit you can look here and for the exploit code you can check here. The Save The save files in VVVVVV are especially easy to pick apart, since the save files themselves are actually just XML files with a cool .vvv extension. Because of this, there are no checksums or other security measures used on them, and for the most part they are fairly ...
This blog post details a savegame exploit found in Pokemon Super Mystery Dungeon, known as supermysterychunkhax. To start, I’ll go ahead and say that this is purely for documentation and if you want the actual exploit itself you can look here for the code and here for a save installer 3dsx. The Save On an initial inspection of the save, it has four files: dungeon, game_data, game_system, and game_header. While dungeon was legible, the other files appear to be either encrypted or otherwise o...
A long while back I posted a video demonstrating an experiment I had done purely as a proof of concept for redirecting the 3DS input entirely over wireless. While I originally intended to port to NTR, I found myself losing interest in doing so, and unfortunately it was put on the backburner for a long while. It seemed though that every time I looked at NTR’s plugin documentation I just simply lost interest because actually going about doing it would end up taking a substantial amount of tim...
So for Christmas a few days ago I ended up getting a 1080p, 144Hz monitor, partially because I just needed a new monitor in general, but also because I wished to mirror my DK2 to it since I planned on using it as a part of my senior project product I am working on for my school. However, I came to be extremely disappointed due to the fact that, for some reason, ovrd (the background daemon which manages the Rift and ultimately provides a lot of functionality to the SDK itself) segfaulted short...
So over the last week or so I was bored and decided to poke around and see how exactly the Mystery Gift protocol worked for Gen VI Pokemon games. My motivation actually came primarily from some of the findings that you could actually spoof a Hoopa by changing your SSID to “McDonalds Free Wifi”, and this made me somewhat curious as to how the differences in SSIDs were determined in finding a Mystery Gift. As a forewarning to how I conducted this research, this was all done using MITM as o...