Hacking Super Street Fighter II Turbo (Part 2)

In today’s post I will try to illustrate the difference between a RAM cheat and a ROM cheat. A RAM cheat changes the data the game keeps in RAM: the previous post, for example, showed how to poke a value at a fixed memory address to adjust the game difficulty during gameplay. A ROM cheat patches the game’s program code instead, forcing the game engine to take a different path through its own logic.

One thing I’ve always wanted to see is the combo message that appears on the side of the screen when you land a multi-hit combo, but for the combos the CPU performs, which for some reason are never shown. So that’s what I’ll show you how to do today: hack the ST ROM so the CPU’s combo messages are displayed, plus a few bonus cheats we’ll discover along the way :)


The first thing we want to do is locate the memory region or address where the game stores who controls a character, the CPU or a human player. From there we’ll find where in the code that memory is read, which should lead us to the point where the game engine decides “this is a human player, so I will show the combo message” or “this is the computer, so I will not”. We will then patch that part of the code so the game engine always shows it.

We could build the “CPU Combo Messages” cheat with the memdump &amp; diff method used in the previous post, but this time we’ll use a different approach, purely to illustrate what MAME’s built-in debugger can do: the “cheat” commands.

Start the game with the debugger enabled and play a match with two human-controlled characters (P1 and P2). When the “Round 1” message disappears, press ENTER in the debugger window to break and type the command cheatinit. This starts a new cheat search by recording the current value of every memory address. Return to the game and play a second match with one human player (P1) against the CPU (P2). Ideally this match should use the same characters as the first, with the same colours and so on, to keep the differences between the two memory states as small as possible. When the “Round 1” message disappears again, break into the debugger and type cheatnext decrease,1: this keeps only the bytes whose value has decreased by exactly one since the cheatinit (the guess being that a flag marking P2 as human went from 1 to 0). Now cheatlist shows every memory location that survived the filter:
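To make the semantics of cheatinit / cheatnext / cheatlist concrete, here is an added example (my own code, not MAME’s and not part of the original post) that models the search over byte-wide memory snapshots. The 32-byte RAM images, the addresses (a P2 control flag at 0x0A, a round timer at 0x10) and their values are constructed for illustration and are not dumps from the real ST ROM. It also shows why a single pass is rarely enough: the round timer also drops by one between the two breaks, so a second snapshot from the same CPU match is filtered with a plain “equal” (unchanged) condition to leave only the flag.

```python
"""Model of the MAME debugger's cheatinit / cheatnext / cheatlist search.
Added example with constructed memory images; not MAME code, not real ST RAM."""
from typing import Callable, Dict, Optional, Set, Tuple

Condition = Callable[[int, int], bool]


class CheatSearch:
    """Tracks candidate addresses the way MAME's cheat commands do (byte-wide only)."""

    def __init__(self, snapshot: bytes) -> None:
        # cheatinit: every address starts as a candidate and its value is remembered
        self.last = bytes(snapshot)
        self.candidates: Set[int] = set(range(len(snapshot)))

    def cheatnext(self, snapshot: bytes, condition: str,
                  value: Optional[int] = None) -> int:
        """Keep only candidates whose new value satisfies `condition` relative to
        the value remembered at the last cheatinit/cheatnext.  Returns the number
        of surviving candidates, like the count MAME prints."""
        if len(snapshot) != len(self.last):
            raise ValueError("snapshot size differs from the cheatinit snapshot")
        conditions: Dict[str, Condition] = {
            # "equal" with no value means "unchanged"; with a value, "equals value"
            "equal":    lambda old, new: new == (old if value is None else value),
            "notequal": lambda old, new: new != (old if value is None else value),
            # "decrease,1" means "decreased by exactly 1"; bare "decrease" is any decrease
            "decrease": lambda old, new: (new < old) if value is None else (old - new == value),
            "increase": lambda old, new: (new > old) if value is None else (new - old == value),
        }
        if condition not in conditions:
            raise ValueError(f"unsupported condition: {condition}")
        keep = conditions[condition]
        self.candidates = {a for a in self.candidates if keep(self.last[a], snapshot[a])}
        self.last = bytes(snapshot)
        return len(self.candidates)

    def cheatlist(self) -> Dict[int, int]:
        """Address -> current value for every surviving candidate."""
        return {a: self.last[a] for a in sorted(self.candidates)}


RAM_SIZE = 0x20


def _ram(p2_is_human: int, timer: int, rng: int) -> bytes:
    """Constructed 32-byte RAM image: P2 control flag at 0x0A, round timer at 0x10,
    P1 health at 0x14, an RNG byte at 0x1C; everything else zero."""
    ram = bytearray(RAM_SIZE)
    ram[0x0A] = p2_is_human
    ram[0x10] = timer
    ram[0x14] = 0x90
    ram[0x1C] = rng
    return bytes(ram)


def run_search() -> Tuple[Dict[int, int], Dict[int, int]]:
    """Replays the two-break procedure from the post and returns both cheatlists."""
    # cheatinit at "Round 1" of a P1 vs P2 match, both human
    search = CheatSearch(_ram(p2_is_human=1, timer=0x99, rng=0x37))
    # "Round 1" of a P1 vs CPU match: the flag dropped 1 -> 0, but so did the
    # timer, while the RNG byte moved by more than one -> two candidates survive
    search.cheatnext(_ram(p2_is_human=0, timer=0x98, rng=0x3C), "decrease", 1)
    after_first = search.cheatlist()
    # A few frames later in the same CPU match: the flag is still 0, the timer
    # keeps counting down, so "equal" (unchanged) leaves only the flag
    search.cheatnext(_ram(p2_is_human=0, timer=0x95, rng=0x11), "equal")
    after_second = search.cheatlist()
    return after_first, after_second


if __name__ == "__main__":
    first, second = run_search()
    print("after cheatnext decrease,1:", {hex(a): v for a, v in first.items()})
    print("after cheatnext equal:    ", {hex(a): v for a, v in second.items()})
```

The same narrowing works in the real debugger: every additional cheatnext runs against the current candidate set, so alternating conditions that describe what the suspect value must do (drop by one, then stay put) prunes unrelated counters far faster than staring at a long cheatlist.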

Posted in SuperTurbo

Hacking Super Street Fighter II Turbo (Part 1)

In this post I will show how to debug the Super Street Fighter II Turbo ROM in MAME to create a simple cheat. This will (hopefully) be the first post of a series showing more advanced use of the MAME debugger and digging deeper into reverse engineering Super Turbo.

First we need to launch MAME with the ‘-debug‘ parameter, which brings up the MAME debugger alongside the game. Type ‘help‘ in the debugger to see the list of commands.


Posted in SuperTurbo

ZTE Open FirefoxOS Phone, root and first impressions

The ZTE Open is the first non-developer FirefoxOS phone, sold commercially in Spain by Movistar.

It can be rooted using CVE-2012-4220, aka the Qualcomm DIAG root discovered by Giantpune. Qualcomm published the advisory for this issue on November 15, 2012. The ZTE Open was launched commercially 7 months later, and neither ZTE nor Movistar bothered to patch this hole; shame on them for selling vulnerable devices to customers.

The ZTE Open ships with kernel 3.0.8, which is also vulnerable to the CVE-2013-2094 (perf_event) local privilege escalation.

Root

I took the exploit by Hiroyuki Ikezoe and adapted it to work on the ZTE Open. The source code is available here, and a ready-to-use compiled exploit is here: DOWNLOAD.

These are the details of the original firmware; hopefully ZTE will patch the hole, in which case this exploit may not work on later versions:

ro.build.display.id=OPEN_FFOS_V1.0.0B04_TME
ro.build.sw_internal_version=B2G_P752D04V1.0.0B08_TME
ro.build.firmware_revision=V1.01.00.01.019.120
ro.build.date=Fri May 31 23:10:17 CST 2013

To run the exploit, connect your phone to your computer with the USB cable and make sure ‘Remote debugging‘ is enabled on the phone under Settings -> Device information -> More Information -> Developer.
You need the adb binary in your computer’s PATH (if you don’t know what ADB is, don’t bother rooting your phone), then execute “run.sh” on Linux or OS X, or “run.bat” on Windows.
If the exploit fails, reboot your ZTE Open and try again (the Linux/Mac version will attempt to do that automatically). Once the exploit succeeds it remounts the system partition read/write and copies a setuid “su” binary to /system/xbin/su. Keep in mind what that means: a setuid-root su that any local process can execute, with no permission-prompting manager in front of it, lets every app on the phone escalate to root, so decide whether that trade-off is acceptable before running it.

Custom ROMs

The bootloader on the ZTE Open does not allow flashing or booting unsigned code over the fastboot protocol, and the stock recovery image verifies the signature of update packages, so it will not let you flash self-signed updates. To get around that limitation you can flash a custom recovery image, which lets you back up your current ROM to the SD card and flash your own customised build of FirefoxOS (or, if you prefer, your own Android port).

You can download ClockWorkMod recovery for ZTE Open here: recovery-clockwork-6.0.3.3-roamer2.img.
To flash it:

# check which mtd device holds the recovery partition before overwriting anything
adb shell cat /proc/mtd

# first back up your existing recovery (mtd0 on the stock ZTE Open)
adb shell dd if=/dev/mtd/mtd0 of=/sdcard/stock-recovery.img bs=4k
adb pull /sdcard/stock-recovery.img

# then flash the clockworkmod recovery
adb push recovery-clockwork-6.0.3.3-roamer2.img /sdcard/cwm.img
adb shell flash_image recovery /sdcard/cwm.img

To boot into recovery mode, hold both volume keys (down and up) together with the power button while powering on the phone.

Enjoy! :)

Posted in FirefoxOS

Fortifying a Galaxy Nexus with stock-ish image and root access

In this post I will describe my recipe for running a Samsung Galaxy Nexus (codename “maguro”) on a rooted factory image that still receives OTA updates without losing root, with the bootloader kept locked so that user data stays safe if the phone is lost or stolen: whoever ends up with it should not be able to extract personal details such as Google accounts, settings, downloaded apps and their data, media, and so on.

I assume the reader starts with a stock unmodified factory image, and knows how to use fastboot.


Posted in android, linux, security

Why Broadcom 802.11 Linux STA driver sucks, and how to fix it

TL;DR – the Broadcom STA Linux driver always fails the first scan request after the interface is brought up, which produces a long delay when connecting to a wireless network. There is an open source driver that does not have this problem, but its power management is poor. In this post I describe the steps I took to pinpoint the problem in the proprietary driver and to fix it.

The story begins when I updated Ubuntu from 11.10 to 12.04 on my MacBook Air, everything worked fine after upgrading except one thing that bothered me a lot: when resuming the laptop after suspending it, it took around 30 seconds to connect to my wireless network. It wouldn’t have bothered me if it had been the same in 11.10, but in 11.10 the time to connect was barely 5 or 6 seconds, so having to wait 30 seconds was totally unacceptable.

Initially I thought it was a bug in NetworkManager, and after increasing the debug level in its config file I finally concluded that 12.04 was using a different driver than 11.10.

There are two drivers available for the Broadcom BCM4353 802.11 Wireless Controller:


Posted in linux, wireless

Getting started on Android Development from Command Line

As a quick reference, here is a list of the most useful and commonly used commands for doing Android development from the command line (that is, without Eclipse or any other bloated IDE). You must have the Android SDK installed on your system, and the tools and platform-tools folders from the SDK must be in your PATH environment variable:

ANDROID_SDK="/home/user/android-sdk-linux_x86"
export PATH="${PATH}:${ANDROID_SDK}/tools:${ANDROID_SDK}/platform-tools"


Posted in android

lightum: auto adjust keyboard brightness on Linux MacBook

If you are running Linux on your MacBook Air and want the keyboard backlight brightness adjusted automatically according to the ambient light (just as OS X does), continue reading.

I’ve written a small daemon named lightum; the source is on GitHub and licensed under GPL-2+.

Usage:  lightum [-m value] [-p value] [-f] [-v]
        -m 0..255 : maximum brightness value between 1 and 255 (default=255)
        -p num    : number of seconds between light sensor polls (default=8)
        -f        : run in foreground (do not daemonize)
        -v        : verbose mode, useful for debugging with -f

For it to work you need dbus installed, and your MacBook must expose the light sensor at /sys/devices/platform/applesmc.768/light (as far as I know this is available on every MacBook Air and MacBook Pro model with a backlit keyboard).

If you are running Ubuntu, you can install it by adding the lightum-mba PPA to your system:

sudo add-apt-repository ppa:poliva/lightum-mba
sudo apt-get update
sudo apt-get install lightum

Otherwise, you can build it from source.

Posted in linux

Motorola Xoom: Review from an early adopter

Yesterday morning I received the wifi-only version of the 10.1-inch Android tablet Motorola Xoom. I bought it in the USA because it wasn’t yet available in Europe when I ordered it. I chose the wifi-only version for the following main reasons:

  • the 3G/4G version available from Verizon USA uses CDMA technology and is not compatible with European GSM carriers.
  • I didn’t want to wait any longer to have an Android 3 tablet
  • I don’t want to pay for another 3G data connection, because I already have one in my phone’s SIM card, which I can tether over wifi or bluetooth to give internet connectivity to the Xoom when there’s no wi-fi available.

Out of the box, the device comes with Android Honeycomb version 3.0.1 and no microSD card support yet (the manuals state that microSD support will arrive through a future system update).

The Xoom ships with an “unlockable” bootloader: you can connect via fastboot and issue ‘fastboot oem unlock‘ to be able to flash unsigned code, at the expense of voiding your warranty. That is what you should do if you want microSD support today, because an unofficial kernel with microSD support is already available: Tiamat AOSP kernel Version 1.3.0.


Posted in android, gadgets, linux

WiFite patch for WLAN/JAZZTEL networks WEP & WPA cracking

I have made a quick patch for wifite r67 which adds support for cracking WLAN and JAZZTEL networks in Spain, both the WEP and the WPA variants.

The WPA keys are computed statically using the already known algorithms, and the guessed key is shown up front, when wifite lists the available networks.

The WEP keys are cracked with a dictionary attack; the dictionary is generated automatically using wlandecrypter and jazzteldecrypter, so only 4 IVs are needed to start cracking against it.

The patch is available here, and it is against revision r67 (the latest at the time of writing). You can see it in action in these YouTube videos I have uploaded:

Posted in linux, security, wireless

From APK to readable java source code in 3 easy steps

Android applications are packed inside an APK file, which is just a ZIP archive containing, among other things, a compact Dalvik Executable (.dex) file.
The first step is to extract the “classes.dex” file from the APK:

$ unzip program.apk classes.dex
Archive:  program.apk
  inflating: classes.dex

Next, we use the tool dex2jar to convert classes.dex into Java .class files packed in a JAR:

$ bash dex2jar/dex2jar.sh ./classes.dex
version:0.0.7.8-SNAPSHOT
2 [main] INFO pxb.android.dex2jar.v3.Main - dex2jar ./classes.dex -> ./classes.dex.dex2jar.jar
Done.

This produces the file “classes.dex.dex2jar.jar”, which we can open in the Java decompiler JD-GUI to recover the source code:

$ ./jd-gui classes.dex.dex2jar.jar

Now just go to “File -> Save all sources” and it will generate the zip file “classes.dex.dex2jar.src.zip” containing all the decompiled Java source code :)
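The first step above relies on two facts worth checking before you feed an unknown file to dex2jar: an APK really is a plain ZIP, and classes.dex carries its own integrity fields in a fixed 0x70-byte header (an Adler-32 checksum over everything after the checksum field, and a SHA-1 signature over everything after the signature field). The following is an added example, my own code rather than dex2jar’s or JD-GUI’s, that does the extraction with the standard library and verifies those header fields. The APK it inspects is built in memory from a constructed, header-only DEX (version 035) so the snippet runs offline; it is not a real application.

```python
"""Added example: extract classes.dex from an APK and verify the DEX header.
Standalone, standard-library only; the APK/DEX below are constructed test data."""
import hashlib
import io
import struct
import zipfile
import zlib
from typing import Dict

DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_TAG = 0x12345678


def extract_classes_dex(apk_bytes: bytes) -> bytes:
    """Equivalent of `unzip program.apk classes.dex`: an APK is just a ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return apk.read("classes.dex")


def parse_dex_header(dex: bytes) -> Dict[str, object]:
    """Decode the fixed DEX header and recompute its two integrity fields.

    checksum  (offset 8)  = adler32 over dex[12:]   (everything after the checksum)
    signature (offset 12) = SHA-1  over dex[32:]   (everything after the signature)
    """
    if len(dex) < DEX_HEADER_SIZE:
        raise ValueError("file shorter than a DEX header")
    magic = dex[0:8]                       # b"dex\n" + 3-digit version + NUL
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError(f"bad magic: {magic!r}")
    (checksum,) = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    if endian_tag != DEX_ENDIAN_TAG:
        raise ValueError(f"unexpected endian tag {endian_tag:#x}")
    return {
        "version": magic[4:7].decode("ascii"),
        "file_size": file_size,
        "header_size": header_size,
        "checksum_ok": checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(dex[32:]).digest(),
        "size_ok": file_size == len(dex),
    }


def build_minimal_dex() -> bytes:
    """Constructed header-only DEX: all section counts zero, valid checksum/signature."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<III", hdr, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_TAG)
    hdr[12:32] = hashlib.sha1(hdr[32:]).digest()            # signature first ...
    struct.pack_into("<I", hdr, 8, zlib.adler32(hdr[12:]) & 0xFFFFFFFF)  # ... then checksum
    return bytes(hdr)


def build_apk(dex: bytes) -> bytes:
    """Constructed APK: a ZIP holding classes.dex plus an empty placeholder manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"")
        apk.writestr("classes.dex", dex)
    return buf.getvalue()


def inspect_apk(apk_bytes: bytes) -> Dict[str, object]:
    """Steps 1 and a sanity check in one call: unzip classes.dex, verify its header."""
    return parse_dex_header(extract_classes_dex(apk_bytes))


if __name__ == "__main__":
    print("intact:  ", inspect_apk(build_apk(build_minimal_dex())))
    # Flip one byte inside the header body: both checksum and signature stop matching,
    # which is the kind of discrepancy you want to notice before trusting a decompile.
    tampered = bytearray(build_minimal_dex())
    tampered[0x40] ^= 0x01
    print("tampered:", inspect_apk(build_apk(bytes(tampered))))
```

Run it against a real file with `inspect_apk(open("program.apk", "rb").read())`; a header whose checksum or signature does not verify has been modified after it was built (repacked, patched, or obfuscated), which is worth knowing before you read the decompiled output as if it were the developer’s code.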

Posted in android, linux, security