An impressive controller based SNES jail break in Super Mario World

Raqia

If you were the John Henry of video games, you could in theory send executable code to the SNES via the controller after performing a kind of buffer overflow exploit in Super Mario World:

http://arstechnica.com/gaming/2014/...ot-reprogrammed-super-mario-world-on-the-fly/

Suffice it to say that the first minute-and-a-half or so of this TAS is merely an effort to spawn a specific set of sprites into the game's Object Attribute Memory (OAM) buffer in a specific order. The TAS runner then uses a stun glitch to spawn an unused sprite into the game, which in turn causes the system to treat the sprites in that OAM buffer as raw executable code. In this case, that code has been arranged to jump to the memory location for controller data, in essence letting the user insert whatever executable program he or she wants into memory by converting the binary data for precisely ordered button presses into assembly code (interestingly, this data is entered more quickly by simulating the inputs of eight controllers plugged in through simulated multitaps on each controller port).
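The controller-data layout the quoted paragraph leans on, as an added example that is not from the article or this thread: the documented SNES auto-joypad word for one pad (high byte $4219, low byte $4218), a decoder for a captured word, and, as a modelling assumption rather than Super Mario World's real RAM map, how eight pads' words would line up as sixteen bytes per frame. It shows why the input stream is a usable data channel: every frame of presses lands in RAM as ordinary bytes, and the fixed signature nibble limits which byte values a standard pad can produce.

```python
"""SNES auto-joypad word layout, one pad = 16 bits read into $4218/$4219."""

# Bit positions in the 16-bit joypad word (high byte = $4219, low byte = $4218).
# This is the documented SNES auto-joypad format; the low nibble of $4218 is
# the controller-type signature, which a standard pad reports as 0000.
BUTTON_BITS = {
    "B": 15, "Y": 14, "Select": 13, "Start": 12,
    "Up": 11, "Down": 10, "Left": 9, "Right": 8,
    "A": 7, "X": 6, "L": 5, "R": 4,
}
SIGNATURE_MASK = 0x000F  # fixed at zero for a standard controller


def pad_word(pressed):
    """Encode a set of button names as the 16-bit word the game reads."""
    word = 0
    for name in pressed:
        word |= 1 << BUTTON_BITS[name]
    return word


def pad_bytes(pressed):
    """Return (JOY1L, JOY1H): the two bytes the word occupies in memory."""
    word = pad_word(pressed)
    return word & 0xFF, word >> 8


def decode_word(word):
    """Recover button names (in serial-read order) from a captured word."""
    if word & SIGNATURE_MASK:
        raise ValueError("signature nibble set: not a standard controller")
    names = [n for n, b in BUTTON_BITS.items() if word >> b & 1]
    return sorted(names, key=lambda n: -BUTTON_BITS[n])


def representable_low_bytes():
    """Byte values a standard pad can place in $4218: only multiples of 16,
    because the four signature bits can never be set."""
    return [v for v in range(256) if v & SIGNATURE_MASK == 0]


def frame_bytes(pads):
    """Bytes one frame of up to eight pads contributes, assuming (modelling
    assumption, not the game's actual RAM layout) the words are stored
    consecutively, low byte first."""
    out = bytearray()
    for pressed in pads:
        out.extend(pad_bytes(pressed))
    return bytes(out)
```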
 
My comment still stands. It's not a jail break. There's no escalation of privileges. This is essentially a buffer overflow. While an overflow can be used to escalate a privilege and "break out of a jail" that does not apply here because there is no "jail" in use as the SNES predates the existence of BSD Jails by a good decade.

Without at least breaking the SNES' hardware countermeasures, it wasn't obviously possible that you could execute your own code on the SNES. Sure it's not technically a "jail" in the FreeBSD sense, but there is a meaningful sense in which that term does apply here.
 
OK, now you're confounding two different things here. The article you linked to has nothing to do with the CIC chip. It's an input overflow exploit, and the CIC has no impact here. It's only mentioned at all because authoring your own modded carts was simply impractical for the purpose of discovering exploits.

The CIC chip is basically just a hardware DES implementation that prevents the game code from booting if an authentication handshake is not present. It however does not prevent arbitrary code from running once the game is booted. There's no memory protection scheme, or root/userland privileges, or any such runtime security measures. There's nothing to "break out" of.

Call it an exploit, an overflow, a hack; but a "jailbreak" it is not. It may seem pedantic, but the English language gives us a wonderfully rich vocabulary to describe such nuance, and I suggest we use it. It's one of those many things that separates us from apes.

Point taken, and as you originally said, it is just a quibble. But I still think it's fine to use jailbreak to describe the general type of thing that is being done here. I'm perfectly okay with playful use of "jailbreak" in different contexts if it captures the spirit of the situation or is meant to give it a kind of bridge or relevance to the general intent involved with a well known term used today. Call it metonymy, call it analogy, the more general gist of the term is what matters for this usage rather than precise technical details.

(This exploit does give the user access to the hardware he otherwise wouldn't have; the thing you need to break out of is the need as a user to get a license from Nintendo to run your own arbitrary code on the SNES. One way is to send a voltage spike to disable the CIC, another is using the SMW exploit. I'm aware that the hack mentioned has got nothing to do w/ disabling the CIC chip, but my point in mentioning it is that it's a non-trivial thing to execute your own code on the SNES. It would be a mistake to call it "unsigned" code here of course, that's a sin even I won't commit. Anyway, in some narrow definition of operating system defined "jails" and "jailbreak" it is technically false, but I think the term still aptly describes the situation in terms of the general desire of the user and the barrier presented to the user by the system.

And yes, humans can manipulate formally defined abstract systems in an inductive way, but the ultimate point of these systems is to capture something meaningful about the world and to be able to do complex work with all the irrelevant details of the real situation removed. If you're not having a purely technical discussion, it is needlessly restrictive to force the world into obeying the terminology of a system for its own sake. There may even be alternative formalisms that also capture the situation, so the formalism itself just isn't the point sometimes. For instance: I don't claim to know if the number 1 is actually a set with the empty set in it or the set of all single objects, but I don't think this discrepancy affects what is meant by the number 1 or having a meaningful conversation about the number 1.)