Shuriken Attack

New Design

I decided to have another go at designing something that would inject my code into the IPL bit stream at startup. The first attempt (see Code Injection page) was ok, but I didn't like the following:

1) The serial flash chip took up Slot B of the gamecube; with only two slots on the front this was inconvenient.

2) The split area for an initial small boot loader which then loaded the bigger code segment was not really the best design.

3) Only 512k of flash storage space.

So I wanted to create a newer attack method that combined the CPLD and serial flash onto one PCB and only needed one image to be loaded into the serial flash device.

As before, the CPLD sits between the flipper and the gamecube bios (U10). However, this time, instead of placing a small amount of code within the CPLD to inject into the IPL bit stream, I would put a serial flash device into read mode just before the code injection point and then, at the right time, switch the bit stream going into the flipper from the bios chip over to the output of the serial flash device. For this to work I needed to correctly time the serial flash read mode setup and the output switch over. Also, the image / code I want to run needs to be xor'ed with the gamecube key, otherwise the flipper will try to decrypt a plain text image and end up scrambling my code.

CPLD injection timing

The initial boot loader BL1, which loads before IPL, is approx 0x700 bytes in size. BL1 is loaded 8 bytes (64 bits) at a time into the flipper. Actually it's 12 bytes: the flipper sends 4 bytes of address data to the bios chip and it sends 8 bytes back. So if you sniffed the output data line of the bios chip you would see 12 bytes (96 bits) getting shifted into the flipper whilst the chip select line is low. However, IPL is loaded 1024 bytes (plus 4 bytes of address data, so 1028 bytes in total) at a time, so we can set up the CPLD to ignore any data transfer below 96 bits. In fact, IPL executable data starts to get loaded into memory after the first 32 bytes of the first 1028 byte chunk. Therefore we can set up the CPLD to ignore any data transfers below 32 bytes (256 bits).

If the CPLD sees a data transaction that is longer than 32 bytes, it starts to set up the serial flash to be in read mode. I used a M25P80 serial flash device to store my payload. This device takes a 4 byte command before it starts sending data: one byte is the actual command, in this case 0x03 (read command), followed by three address bytes. After sending out the 4 bytes to set up the serial flash, the CPLD then switches the input to the flipper from the bios chip to the output of the serial flash chip.
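The following is an added byte-level model of the switch-over described above and of the xor requirement from the design section; it is not the author's VHDL or flashing tool. The keystream is constructed (not the console's key), and the exact switch offset, flash read address 0 and all function names are assumptions made for illustration. It also shows why the splice works at all: the receiver only xors the stream and never checks the decoded image against a known digest.

```python
import hashlib

IGNORE_BYTES = 32                   # page: transfers of 32 bytes or fewer pass untouched
FLASH_CMD = bytes([0x03, 0, 0, 0])  # page: read command + 3 address bytes (address 0 assumed)
SWITCH_AT = IGNORE_BYTES + len(FLASH_CMD)  # assumed: command clocks out right after the threshold

def keystream(n):
    """Constructed demo keystream; not the console's real key."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"demo" + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cpld_mux(bios_out, flash):
    """Bytes the receiver sees during one chip-select-low transfer."""
    spliced = len(bios_out) - SWITCH_AT
    if len(bios_out) <= IGNORE_BYTES or spliced <= 0:
        return bios_out                      # short (BL1-sized) transfer: ROM data only
    tail = flash[:spliced].ljust(spliced, b"\xff")  # erased flash reads 0xFF
    return bios_out[:SWITCH_AT] + tail

def descramble(stream):
    """Receiver model: XOR with the keystream, no integrity check."""
    return xor(stream, keystream(len(stream)))

def prepare_image(payload):
    """Pre-XOR the image with the keystream bytes it will meet after the switch."""
    return xor(payload, keystream(SWITCH_AT + len(payload))[SWITCH_AT:])

def digest_ok(stream, pinned):
    """What the scrambling lacks: compare the decoded image to a pinned digest."""
    return hashlib.sha256(descramble(stream)).digest() == pinned

# Constructed sample data
ROM_PLAIN = bytes(range(256)) * 4            # 1024-byte stand-in for the stock image
ROM = xor(ROM_PLAIN, keystream(len(ROM_PLAIN)))
PAYLOAD = b"constructed payload bytes " * 4
PINNED = hashlib.sha256(ROM_PLAIN).digest()
```

In this model a plain-text image placed in the flash decodes to noise, a pre-xor'ed one decodes to the payload, and a pinned digest over the decoded image rejects both.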

VHDL code

The following VHDL code will set up the serial flash device and inject its output at the right time into the IPL bit stream. Again I used a Xilinx XC9572XL CPLD within this design.

Update 20/11/2016

I wanted to add a switch that bypassed the loading of the code from the serial flash chip (sometimes it's good just to see the stock IPL), and I also wanted to make the code a little smaller so it fitted into the xc9536xl, as this is approx half the cost of the xc9572xl, so I updated the vhdl code. Whilst I was changing the vhdl code I started to wonder if the shuriken attack can actually boot something other than my homebrew loader, so I downloaded GCOS and started playing around. I got it to load GCOS 1.5 and 1.X beta by loading the viper vgc files into the serial flash. Below is the updated code with gcos viper bin files.

This is a bit pointless as it requires the bigger xc9572xl, but below is the vhdl code to run tmbinc bios running GCOS 1.5.

Note: I take no credit for any part of gcos, all credits go to emu_kidid and ShadowSwan.

Flashing the M25P80 / M25P40

I modified the PC parallel port program I used on my first attempt at injecting code. It first xor's the binary image passed by the user and then serially flashes this encrypted image into the M25P80 / M25P40 device. Here's the new code.

Update 17/2/2016

My old PC with a parallel port finally died, so I had to find another way to program the serial flash device. If you have one of these Lcsoft CY7C68013A Mini Boards (cypress FX2LP), which I found on ebay for 10, application note AN58764 from cypress turns the board into a USB to serial port. I modified this application note (modified code here) to flash the received data from the PC into the M25P80. Download the modified application note into the board and then connect the board to the M25P80 / M25P40 as follows:

M25P80    CY7C68013A

CLK       PA0
MOSI      PA1
MISO      PA2
SS        PA3
GND       GND

Finally, connect the CY7C68013A Mini Board to the PC via a USB cable. The board should show up as an extra comm port; then use this PC program I created like this:

new_serial_flash.exe COM1 program.bin

Where COM1 is the name of the new com port on your PC and program.bin is the program you want to flash into the M25P80 / M25P40 device. If you want to flash GCOS into the M25P80 / M25P40 you will need this program instead, as the files are already xor'ed with the gamecube's key.

Shuriken Attack PCB design

This time I created a small PCB using DesignSpark that holds the CPLD and serial flash on one board; this freed up slot B on the front of the gamecube for other devices (SD card etc). Here is the complete design package: schematic / PCB and gerbers.

Note: Please add a 470 ohm resistor into the clock track going into the serial flash device from the gc, otherwise there is a danger of killing your cube if you try and flash the serial device whilst the gc is connected and powered.

Update 20/11/2016

I have not had time to create another board yet but here is a picture of a modified 0.1 PCB with 470 ohms resistor fitted and bypass switch connected to pin 2.

Part numbers / BOM

Here is the BOM for the shuriken attack board.

Install guide / pics

Colour key for the wires:

Top side GC connections:

Note: It's not clear from this picture, but Pin 9 of U10 needs to be lifted, the same as tmbinc's original mod chip install.

Under side GC connections:

Shuriken attack connections: