I was always fascinated by people who can pull things like this off. Had a similar feeling reading about how the CarThing was cracked a couple of days ago. How do you get started with something like this? Is it just having a ton of knowledge about hardware / lower-level OSes?
Jyaif 56 days ago
The process is always the same:
You start by reproducing exactly what other folks did.
Once you've done that a bunch of times, you unlock 2 skills:
* The ability to handle simple situations that do not require deviating too much from what you've seen in the past
* The ability to learn new techniques simply by reading about them, allowing you to learn much faster
Apply those 2 skills for a couple years (which is not hard at all if you are genuinely attracted to this area) and you are an expert.
What is marvelous is that you don't need to know about those steps, you just follow them naturally when you are passionate about something.
jareklupinski 56 days ago
> How do you get started with something like this?
passion is an important part of it, i think almost every obstacle can be eventually overcome if you have the reason to do so
personally if i owned a CarThing, enjoyed using it, and knew it was going to be EOL'd, i would try my best to keep it from becoming e-waste
documenting it makes it even better, since then everyone can share in your passion
Retr0id 56 days ago
> Is it just having a ton of knowledge about hardware / lower-level OSes?
Pretty much, yes. And knowing about common exploit strategies (the crypto engine partial overwrite for example is a classic one).
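To make the "crypto engine partial overwrite" concrete, here is an added model of the flaw and of the fix; it is not code from the thread or from any of the projects linked in it. A hardware key slot is write-only, so software can never read the key back, but if the engine lets software overwrite the slot one byte at a time, every byte can be confirmed separately by comparing outputs, and the whole key falls in at most 256 tries per byte instead of 2^128. The keyed function here is HMAC-SHA256 as a stand-in for the engine's AES (an assumption, the flaw does not depend on the cipher), and `CryptoEngine`, `recover_key` and the sample key are constructed for this illustration. The hardened variant shows the mitigation a defender would want: accept only whole-key writes and zeroize the slot on anything else.

```python
import hashlib
import hmac
from typing import Optional

KEY_LEN = 16  # a 128-bit key, as in an AES-128 key slot


class CryptoEngine:
    """Toy model of a hardware crypto engine with one write-only key slot.

    Software can write key material into the slot and ask the engine to
    process data with it, but can never read the slot back. The keyed
    function is HMAC-SHA256, an assumed stand-in for the real engine's AES.
    """

    def __init__(self, reject_partial_writes: bool) -> None:
        self._slot = bytearray(KEY_LEN)
        self.reject_partial_writes = reject_partial_writes
        self.operations = 0  # number of encrypt calls, to show the cost

    def write_key(self, offset: int, data: bytes) -> None:
        """Write `data` into the slot at `offset`.

        Vulnerable mode: any byte range is accepted and merged with the
        existing slot contents. Hardened mode: only a whole-key write at
        offset 0 is accepted; anything else clears the slot and is rejected.
        """
        if not 0 <= offset <= KEY_LEN - len(data):
            raise ValueError("write outside key slot")
        if self.reject_partial_writes and (offset != 0 or len(data) != KEY_LEN):
            # Zeroize rather than leave a half-known key in the slot.
            self._slot[:] = bytes(KEY_LEN)
            raise PermissionError("key slot accepts only whole-key writes")
        self._slot[offset:offset + len(data)] = data

    def encrypt(self, block: bytes) -> bytes:
        """Process `block` under whatever is currently in the slot."""
        self.operations += 1
        return hmac.new(bytes(self._slot), block, hashlib.sha256).digest()


def recover_key(engine: CryptoEngine) -> Optional[bytes]:
    """Recover the slot contents one byte at a time using only the engine's
    outputs, or return None if the engine refuses partial writes."""
    probe = b"\x00" * 16
    reference = engine.encrypt(probe)  # output under the unknown key
    recovered = bytearray()
    for i in range(KEY_LEN):
        for guess in range(256):
            try:
                engine.write_key(i, bytes([guess]))
            except PermissionError:
                return None
            # Overwriting a byte with its true value leaves the key unchanged,
            # so the output matches the reference only for the right guess.
            if engine.encrypt(probe) == reference:
                recovered.append(guess)
                break
        else:
            return None  # cannot happen: one of the 256 guesses is the true byte
    return bytes(recovered)


def demo() -> dict:
    """Run the same recovery against a vulnerable and a hardened engine."""
    secret = bytes(range(KEY_LEN))  # constructed sample key, not a real one
    vulnerable = CryptoEngine(reject_partial_writes=False)
    vulnerable.write_key(0, secret)
    hardened = CryptoEngine(reject_partial_writes=True)
    hardened.write_key(0, secret)
    return {
        "vulnerable_recovered": recover_key(vulnerable) == secret,
        "vulnerable_operations": vulnerable.operations,
        "hardened_recovered": recover_key(hardened),
    }


if __name__ == "__main__":
    print(demo())
```

The important property is that the comparison never needs the key itself, only equality of two engine outputs, which is why a write-only slot alone is not enough. Real engines add write granularity constraints (for example, writes that must start from the end of the slot), but the count stays linear in the key length rather than exponential, so the fix has to be at the slot-update semantics, as the hardened mode does.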
seattleeng 56 days ago
You can learn things top-down or bottoms-up. I can read & understand most reverse engineering posts like this because I have a strong "bottoms-up" foundation with an EE degree and worked with microcontrollers. But when I read posts by hobbyist mechanical engineers about some 3D printed piston that uses ball bearings I have to approach it in a top-down "recreate what they did and go deep any time I'm lost" manner.
immibis 56 days ago
Accumulated trial and error including that which is transferred from others
paulgerhardt 56 days ago
Oh neat. That key extraction technique is very fun. Has anyone seen this before in another major project?
Retr0id 56 days ago
Yes, the general flaw/technique is alarmingly common.
(Nintendo really ought to have known better, but I suppose the security of their alarm clock product isn't exactly a top priority - and given the hardware choice it was mostly out of their control anyway)
rescbr 56 days ago
It is indeed a really cool key extraction method. The code is also written in such a straightforward way that it is easy to grasp what's going on.
Now I have to find some encrypted files to play with :D
psvita: https://www.lolhax.org/2019/01/02/extracting-keys-f00d-crumb...
ps4: https://twitter.com/flat_z/status/1472243592815169546
nintendo switch (tegra X1): https://switchbrew.org/wiki/Switch_System_Flaws (see "Security Engine keyslots vulnerable to partial overwrite attack")
https://www.theverge.com/2024/11/3/24286842/nintendo-alarmo-...
https://github.com/GaryOderNichts/alarmo_doom