Jhynjhiruu/gs-exploit
gs-exploit

A repo for preparing a payload to run on a GameShark Pro running the latest firmware.

Compiling

cargo xtask build

What?

The GameShark Pro has the ability to connect to a PC using a parallel port. The firmware implements a protocol with a few commands to do various things on the GameShark, like updating the code list.

When in a game, this functionality is expanded somewhat with commands to write memory directly. This has been exploited by @ppcasm and others to allow running homebrew (see the gsuploader project). However, while in the GameShark's main menu, the command for writing to memory is not available, and so gsuploader won't work.

While reverse engineering the firmware, I noticed that the command for upgrading the firmware on the device has a trivial buffer overflow (the data size for the upgrade is read from the PC and is not checked), which provides an arbitrary write to all memory >= 0x80180000. Combined with the fact that there's another command located lower in memory than the upgrade function, this makes it simple to overflow the buffer up to that other command, send some code to be run, and then invoke that other command to get code execution from within the menu.
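The defect described above, a length read from the PC and never compared with the buffer it is copied into, as an added C model (not code from gs-exploit or the GameShark firmware; buffer sizes, message layout and function names are assumptions): the unchecked handler beside one that rejects an oversized length before writing anything.

```c
/* Added example, not code from gs-exploit: the unchecked-length pattern the
 * README describes in the firmware-upgrade command, modelled beside a hardened
 * handler. Buffer sizes, message layout and names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define STAGING_CAP 16u  /* assumed capacity of the upgrade staging buffer */
#define MEM_SIZE    32u  /* staging buffer plus the memory that follows it */

/* PC -> device message: 4-byte little-endian length, then the data (constructed). */
static uint32_t read_u32_le(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape: the length comes from the PC and is trusted as-is. */
size_t upgrade_unchecked(const uint8_t *msg, size_t msg_len,
                         uint8_t *buf, size_t buf_cap) {
    (void)buf_cap;                      /* capacity is never consulted */
    if (msg_len < 4) return 0;
    uint32_t len = read_u32_le(msg);
    memcpy(buf, msg + 4, len);          /* writes past buf when len > buf_cap */
    return len;
}

/* Hardened shape: check the length against the buffer and the received bytes
 * before writing; reject (negative return) rather than clamp. */
int upgrade_checked(const uint8_t *msg, size_t msg_len,
                    uint8_t *buf, size_t buf_cap) {
    if (msg_len < 4) return -1;         /* truncated header */
    uint32_t len = read_u32_le(msg);
    if (len > buf_cap) return -2;       /* would overflow the staging buffer */
    if (len > msg_len - 4) return -3;   /* claims more data than was sent */
    memcpy(buf, msg + 4, len);
    return (int)len;                    /* bytes staged */
}

/* Scenario: a 24-byte body aimed at the 16-byte staging buffer (len < 256). */
static void build_msg(uint8_t *msg, uint8_t len) {
    msg[0] = len; msg[1] = msg[2] = msg[3] = 0;
    memset(msg + 4, 0xAA, len);
}
/* Byte just past the staging buffer after the unchecked handler: 0xAA, clobbered. */
int neighbour_after_unchecked(void) {
    uint8_t mem[MEM_SIZE] = {0}, msg[4 + 24];
    build_msg(msg, 24);
    upgrade_unchecked(msg, sizeof msg, mem, STAGING_CAP);
    return mem[STAGING_CAP];
}
/* Hardened handler on the same message: -2 (rejected) and the neighbour untouched. */
int checked_outcome(void) {
    uint8_t mem[MEM_SIZE] = {0}, msg[4 + 24];
    build_msg(msg, 24);
    int rc = upgrade_checked(msg, sizeof msg, mem, STAGING_CAP);
    return mem[STAGING_CAP] == 0 ? rc : 1;
}
```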

I had some initial success writing payloads in assembly, but to be frank, I'm not very good at MIPS assembly, so I wanted to try and get a higher-level language working, so I could have a nicer environment to write more complex programs. I certainly don't want to, say, write an ELF loader in C, so I decided to give it a go in Rust. This repo is the result.

The project is set up to create two binaries: payload.bin and entry.bin. payload.bin contains the majority of the code and should be written starting at 0x80180000 as part of the data used to overflow the buffer. entry.bin is a small loader that flushes the cache and jumps to the function called __main. If you want to try writing a payload using this repo, it should be fairly simple - any code you write should work as normal, since the .text, .data and .rodata sections of the binary are included in payload.bin. Anything particularly advanced may require tweaking the linker script (linker.ld). To call functions in the GameShark firmware, add them to symbols.ld and add an extern declaration. Make sure that any code you write does actually end up in .text (i.e. make sure it doesn't get inlined into .entry) - you may wish to disassemble payload.bin to make sure. Setting __main to #[inline(never)] (as in the repo) should work fine for this purpose.

This repo does not include a tool to send payload.bin and entry.bin to a GameShark and trigger the exploit.

Acknowledgements

Many thanks to @bigbass1997 and @xSetech for their help with code and examples, and to @RWeick for help testing.

License

The contents of this repo are licensed under the GNU GPL v3.0. See LICENSE for more information.

Some parts of this repo are modified from other projects licensed under the GNU GPL v3.0, such as @xSetech's Raku.
