Custom firmware

Custom firmware, also known as aftermarket firmware, is an unofficial new or modified version of firmware created by third parties for devices such as video game consoles, mobile phones, and various embedded device types, to provide new features or to unlock hidden functionality. In the video game console community, the term is often written as custom firmware or simply CFW, referring to an altered version of the original system software (also known as the official firmware or simply OFW) inside a video game console such as the PlayStation Portable, PlayStation 3, PlayStation Vita/PlayStation TV, PlayStation 4, Nintendo 3DS, Wii U and Nintendo Switch. Installing custom firmware on some devices requires bootloader unlocking.

Video game consoles

Custom firmware often allows homebrew applications or ROM image backups to run directly on the game console, unlike official firmware, which usually only allows signed or retail copies of software to run. Because custom firmware is often associated with software piracy, console manufacturers such as Nintendo and Sony have put significant effort into blocking custom firmware and other third-party devices and content from their game consoles.

PlayStation Portable, PlayStation 3 and PlayStation Vita/PlayStation TV

Custom firmware is commonly seen on the PlayStation Portable handhelds released by Sony. Notable custom firmware include M33 by Dark_AleX, as well as those made by others, such as the 5.50GEN series, Minimum Edition (ME/LME) and PRO.

Custom firmware is also seen in the PlayStation 3 console. Only early "Fat" and Slim (CECH-20xx until early CECH-25xx) models are able to run custom firmware. Slim (late CECH-25xx and CECH-30xx) and Super Slim models can only run HEN (Homebrew Enabler), which has functionality similar to a custom firmware. There is also ODE (Optical Drive Emulator), HAN (etHANol) and HFW (Hybrid Firmware) for the PS3.

The PlayStation Vita/PlayStation TV has eCFW, meaning custom firmware for the PSP running in the PSP emulator of the PS Vita/PS TV. These eCFWs include ARK, TN-V and, more recently, Adrenaline, which includes more features since it was hacked from the native side. In 2016 a team called Molecule released HENkaku (a Homebrew Enabler, which has functionality similar to a custom firmware) for the PlayStation Vita/PlayStation TV; it alters the PS Vita's/PS TV's firmware on version 3.60, which allows creating a custom firmware on the console. The team behind the original HENkaku has also released taiHEN, a framework on which the newest version of HENkaku runs. It is a way to load plugins at the system level, as users were used to on the PSP, allowing them to change or add functions on their console. Enso is a bootloader vulnerability of the PS Vita/PS TV that makes HENkaku permanent and allows it to run at boot, so the PS Vita/PS TV has a full CFW with HENkaku Enso. Users on 3.60 can also update to 3.65 without losing HENkaku Enso.

Nintendo 3DS

The modding scene of the Nintendo 3DS primarily involves custom firmware (software which patches the official firmware "on the fly"), which requires an exploit to obtain control of the ARM9, the 3DS's security coprocessor, and, secondarily, flash cartridges, which emulate an original game cart (and can only be used to play untouched game cart ROM backups). The most widely used CFW is currently Luma3DS, developed by Aurora Wright and TuxSH, which allows installation of unsigned CIA (CTR Importable Archive) files, includes open-source rewritten system firmware modules, and provides exception handling for homebrew software developers.

Other past and abandoned CFWs included Gateway (a proprietary CFW locked to a flash cartridge via DRM and the first publicly available one), Pasta, RxTools (the first free and widely used one), Cakes CFW[1] (the first open-source CFW, which used a modularized approach for patches and was the inspiration for the following ones), ReiNAND, on which Luma3DS was originally based, and Corbenik;[2] as of now the only custom firmware still being developed is Luma3DS, and its plugin loader edition Luma3GX (previously known as AuReiNAND). 3DS CFWs used to rely on "EmuNAND"/"RedNAND", a feature that boots the system from an unpartitioned space of the SD card containing a copy of the 3DS's NAND memory. These EmuNANDs could protect the 3DS system from bricking, as the usual system NAND was unaffected if the EmuNAND no longer functioned properly or was otherwise unusable. EmuNANDs could also be updated separately from the usual system NAND, allowing users to have the latest system version on the EmuNAND while retaining the vulnerable version on the system NAND, thus making online play and Nintendo eShop access possible on outdated 3DS system versions.
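As an added illustration (not code from the article or from any 3DS CFW project), the following Python model shows the EmuNAND idea described above: a copy of the NAND is stored in the unpartitioned gap before the SD card's first partition, the boot code uses that copy when it is intact, and the system NAND is never touched, so a damaged copy only means falling back to it. The sector size, header format, magic value and firmware strings are constructed assumptions, not the real 3DS layout.

```python
import hashlib
import struct

# Constructed layout, not the real 3DS one: a "sector" is 512 bytes, sector 0
# holds a small header describing the NAND copy, the copy itself starts at
# sector 1, and the normal FAT partition begins at fat_start_sector. On a real
# card the copy sits in the unpartitioned gap before the first partition.
SECTOR = 512
HEADER = "<8sI32s"            # magic, NAND length, SHA-256 of the copy
MAGIC = b"EMUNAND1"           # constructed magic value

def build_sd_image(nand, fat_start_sector):
    """Write a NAND copy into the gap before the FAT partition of a new image."""
    needed = SECTOR + len(nand)
    if needed > fat_start_sector * SECTOR:
        # The card must be repartitioned to leave enough unpartitioned space.
        raise ValueError("partition starts too early; no room for the NAND copy")
    image = bytearray(fat_start_sector * SECTOR + SECTOR)   # plus one FAT sector
    struct.pack_into(HEADER, image, 0, MAGIC, len(nand), hashlib.sha256(nand).digest())
    image[SECTOR:SECTOR + len(nand)] = nand
    fat = fat_start_sector * SECTOR
    image[fat:fat + 4] = b"FAT!"                             # stand-in for the FAT
    return bytes(image)

def read_emunand(sd_image):
    """Return the NAND copy if the header is present and the copy is intact."""
    magic, length, digest = struct.unpack_from(HEADER, sd_image, 0)
    if magic != MAGIC:
        return None
    copy = sd_image[SECTOR:SECTOR + length]
    if len(copy) != length or hashlib.sha256(copy).digest() != digest:
        return None                      # truncated or corrupted copy
    return copy

def choose_boot_nand(sd_image, sysnand):
    """Boot from the EmuNAND when usable, otherwise from the untouched SysNAND."""
    emu = read_emunand(sd_image)
    if emu is not None:
        return "emunand", emu
    return "sysnand", sysnand

def demo():
    """Constructed scenario: updated EmuNAND next to an older, exploitable SysNAND."""
    sysnand = b"SYSNAND firmware 9.2 (exploitable)"
    emunand = b"EMUNAND firmware 11.x (updated)"
    image = bytearray(build_sd_image(emunand, fat_start_sector=8))
    healthy = choose_boot_nand(bytes(image), sysnand)
    image[SECTOR + 5] ^= 0xFF            # simulate one corrupted byte in the copy
    broken = choose_boot_nand(bytes(image), sysnand)
    return healthy, broken, sysnand
```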

EmuNANDs were made obsolete by the release of arm9loaderhax, a boot-time ARM9 exploit that allowed people to safely use SysNAND and update it, as CFWs started patching the OS's update code so that official updates would not remove the exploit. However, this exploit required a downgrade to a very early system version to obtain the console's unique OTP, which was necessary for the installation. On May 19, 2017, a new exploit basis called sighax was released, replacing arm9loaderhax and allowing users to gain even earlier control of the system, granting code execution in the context of the bootROM and thus a cleaner environment, with no downgrades or OTP required. Boot9Strap, a user-friendly version of sighax, was released.

At the same time, another bootROM exploit called ntrboot was announced, which allows people to use a backdoor present in the bootROM to get full system control on any 3DS console regardless of the firmware version (as the bootROM can't be updated), only requiring a modified DS flash cartridge and a magnet. The initial release was on August 12, supporting the AceKard 2i and R4i Gold 3DS RTS cartridges.

Nintendo Switch

[Image] Pages 11 and 12 of the indictment of the SX OS developers (Team Xecuter), regarding their software used on the Nintendo Switch.[3]

Currently, several custom firmwares exist for the Nintendo Switch console: Atmosphère, ReiNX and SX OS. The differences between them are largely inconsequential; Atmosphère remains in active development and is free and open-source software. ReiNX bases much of its code on Atmosphère[4] but with some modifications to runtime components and a different bootloader, while SX OS is closed source and paid, but largely based on Atmosphère code despite assertions to the contrary.[5]

Nintendo has made the Switch environment much more secure than previous consoles. Despite this, there exist notable bugs which lead to user exploits. Of these, the Nvidia Tegra stack bug (CVE-2018-6242)[6] is the most widely exploited. It leverages the Recovery Mode (RCM) of the Switch unit to push unsigned/unverified payloads,[7] in turn granting the user arbitrary code execution. This vulnerability has been further leveraged by users within the Switch hacking scene to reverse-engineer the firmware, leading to two other notable exploits: Nereba and Caffeine. While RCM is a hardware exploit, Nereba and Caffeine are software exploits and rely on the console being at or below specific firmware versions. RCM, being hardware related, merely relies on the console being vulnerable to that particular exploit and does not have a firmware requirement or range.

Due to Nvidia's disclosure of CVE-2018-6242, Nintendo was forced to address the vulnerability,[8] and during late 2018 began manufacturing and distributing units which have been hardware patched and cannot reach the RCM vulnerability. Any unit manufactured during or after this time is likely to be hardware patched, including the Switch Lite and the newer "red box" Switches, and any unit which is hardware patched and running a relatively recent firmware is unlikely to be able to run custom firmware at this time or in the future, due to the unusually secure software environment of the Switch. These Switches are commonly referred to as "patched" Switches within the Switch modding community. While they cannot be modded by normal means ("softmodding"), a modchip can be soldered in place of the Switch's USB-C port after the port is removed ("hardmodding"), thus circumventing the need to enter RCM mode.

Android

In Android, installing custom firmware, colloquially known as installing a custom ROM or Android ROM, is the practice of replacing the system partition of the Android operating system, usually mounted read-only,[9][10] with a modified version of Android, also known as "flashing a ROM".[11] The procedure requires unlocking the bootloader, which in the past was generally not supported by device manufacturers and hence typically required some expertise in exploiting vulnerabilities in the operating system. However, since about 2015[12] several manufacturers, including Motorola,[13] OnePlus,[14] Google,[15] Xiaomi and Sony,[16] support unlocking the bootloader (except on models that are locked by some carriers). This bypasses secure boot without the need for exploits. The custom ROMs installed may include different features, require less power, or offer other benefits to the user; devices no longer receiving official Android version updates can continue to be updated. However, not all features of a phone may be properly supported by some custom ROMs.
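As an added illustration (not code from the article or from Android itself), the following Python model shows why bootloader unlocking is what makes flashing a custom ROM possible: a locked bootloader only boots partitions whose digests match OEM-signed metadata, while an unlocked one tolerates the mismatch and boots in a warning state. The HMAC stand-in for the OEM signature, the key and the partition contents are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed OEM root-of-trust key. A real bootloader holds only the public
# half of an RSA/ECDSA key pair; HMAC-SHA256 stands in for that signature so
# the example runs with the standard library alone.
ROOT_KEY = b"constructed-oem-root-key"

@dataclass
class VbMeta:
    """Simplified verified-boot metadata: expected SHA-256 per partition plus a
    signature over that table, in the spirit of Android Verified Boot."""
    digests: dict
    signature: bytes

def _serialise(digests):
    return "\n".join(f"{n}={d}" for n, d in sorted(digests.items())).encode()

def sign_vbmeta(digests, key=ROOT_KEY):
    return VbMeta(digests, hmac.new(key, _serialise(digests), hashlib.sha256).digest())

def verify_boot(vbmeta, partitions, locked):
    """Return (boots, state). The state follows the verified-boot colours:
    green  - bootloader locked, metadata signed by the OEM key, partitions match
    orange - bootloader unlocked, so verification failures are tolerated
    red    - bootloader locked and something was tampered with: refuse to boot
    """
    expected = hmac.new(ROOT_KEY, _serialise(vbmeta.digests), hashlib.sha256).digest()
    sig_ok = hmac.compare_digest(vbmeta.signature, expected)
    digests_ok = all(
        hashlib.sha256(partitions.get(name, b"")).hexdigest() == digest
        for name, digest in vbmeta.digests.items())
    if not locked:
        return True, "orange"             # unlocked: boot anyway, warn the user
    if sig_ok and digests_ok:
        return True, "green"
    return False, "red"                   # locked: refuse the modified image

def demo():
    """Constructed partition contents: stock images, then a custom system image."""
    stock = {"boot": b"stock-kernel", "system": b"stock-system-image"}
    meta = sign_vbmeta({n: hashlib.sha256(b).hexdigest() for n, b in stock.items()})
    custom = dict(stock, system=b"custom-rom-system-image")
    # Re-signing the table with a key that is not the OEM's does not help on a
    # locked device: the signature check fails before the digests even matter.
    forged = sign_vbmeta({n: hashlib.sha256(b).hexdigest() for n, b in custom.items()},
                         key=b"not-the-oem-key")
    return {
        "stock_locked": verify_boot(meta, stock, locked=True),
        "custom_locked": verify_boot(meta, custom, locked=True),
        "forged_locked": verify_boot(forged, custom, locked=True),
        "custom_unlocked": verify_boot(meta, custom, locked=False),
    }
```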

Other devices

Various other devices, such as digital cameras, wireless routers and smart TVs, may also run custom firmware.[17] Examples of such custom firmware include:


References

  1. "Cakes CFW Developer Announces the dropping of the Project". GitHub.
  2. "Corbenik's author and maintainer announces his retirement from the project". 4 June 2016.
  3. United States of America vs Max Louarn, Yuanning Chen, and Gary Bowser, 2:20-cr-00127-RSL, pages 11–12 (United States District Court for the Western District of Washington at Seattle, 20 August 2020).
  4. "ReiNX removing Atmosphere name from Atmosphere code". GitHub.
  5. "Prominent scene developers and a snippet of SX OS reverse engineered code".
  6. "CVE entry for Tegra bug".
  7. "Switchbrew list of public vulnerabilities".
  8. "FCC filing for hardware revision".
  9. "Non-A/B System Updates".
  10. Raja, Haroon Q. (May 19, 2011). "Android Partitions Explained: boot, system, recovery, data, cache & misc". Addictivetips.com. Archived from the original on September 22, 2012. Retrieved September 15, 2012.
  11. "Android ROM". PCMAG Encyclopedia. Retrieved 26 May 2023.
  12. "Unlock Bootloader - Supported Devices". LG Developer. Retrieved 29 January 2021. Example: the 2015 G4 is the first LG phone for which the bootloader can be unlocked.
  13. "Unlocking the Bootloader | MOTOROLA Android Phones | Motorola Mobility LLC".
  14. "After-sales - Will rooting or unlocking the bootloader void my warranty? - OnePlus". Archived from the original on 2016-12-31.
  15. "Factory Images for Nexus and Pixel Devices | Google APIs for Android". Google Developers. Retrieved 2018-09-18.
  16. "Unlock Bootloader - Open Devices - Sony Developer World".
  17. "How hackers are outsmarting smart TVs and why it matters to you".
  18. "Custom Firmware Rocks!". PC Gamer. 2009-08-05. Retrieved 2009-08-13.
  19. "Hardware Support". LibreWRT.org. Archived from the original on 2015-04-23. Retrieved 2015-07-21.
  20. Poulsen, Kevin (2009-01-12). "Hardware Hacker Charged With Selling Cable Modems That Get Free Broadband — Update". Wired. Condé Nast. Retrieved 2016-06-15.
  21. Poulsen, Kevin (2004-02-05). "Cable Modem Hackers Conquer the Co-Ax". SecurityFocus.com. SecurityFocus. Retrieved 2016-06-16.
  22. "SamyGO: replacing television firmware". LWN.net. 2009-11-14. Retrieved 2009-12-11.