Opening pAMDora's box and unleashing a thousand paths on the journey to play Beatsaber custom songs

# BACKSTORY --------------- So here is the backstory of how it all started: - I bought a commercial gaming console - Then bought a VR headset (for this console) because of exclusive game - But also wanted to play beatsaber - I could, but builtin song selection was very limited - Custom songs exist (for example on steam), but not for this console - I didn't want to buy a second headset for steam That's when i decided i want to hack this console so that i can port community created customs songs to the console and play them there with the VR headset i already have. Initially starting with an approach similar to the usual "entrypoint through browser", then go for kernel and call it a day, but quickly annoying hurdles blocked my way. For one, the Hypervisor makes your live just miserable with it's execute only kernel text blind exploitation. Other issues were that one needs to be on latest version to download the game, which exists only as digital purchase title, preventing me to share my efforts with others even if i can get it working on my console. Though, what finally put the nail in the coffin was when porting a kernel zeroday to the console failed because of heavy sandboxing, unreachable syscalls or even entirely stripped kernel functions. Some may call it "skill issue". Anyways, that's when i was full of it and decided to bring this thing down for good. Everybody does glitching nowadays and according to rumors people did have success on this thing with glitching before, so how hard can it really be, right? So the question became: Is it possible to build a modchip, which glitches the board and lets me play beatsaber custom songs? Stuff like that has been done on other consoles before (minus the beatsaber part :P) Turns out that when manufacturing produces chips with broken GPUs, they are sold as spinoff desktop mainboards (with disabled GPU) rather than thrown away. Which is great, because those mainboards are much cheaper, especially if you buy broken spinoff mainboards on ebay. So on the journey to beatsaber custom songs, breaking this desktop mainboard became a huge chunk of the road. Because if i can glitch this and build a modchip for it, surely i can also do it for the console, right? I mean it's the exact same SoC afterall! Back when i started i didn't know i would be about to open pAMDoras box and discover so many bugs and hacks. # Actual talk description --------------- **Disclaimer: This is not a console hacking talk!** This talk is gonna be about breaking nearly every aspect of the AMD Platform Security Processor of the desktop mainboard with the same SoC as the console. While certainly usefuly for _several_ other AMD targets, unfortunately not every finding can directly be ported to the console. Still, it remains very useful nonetheless! Note: The final goal of custom songs on beatsaber has not been reached yet, this talk is presenting the current state of things. In this talk you'll be taken on a ride on how everything started and how almost every aspect of the chip was broken. How bugs were discovered, what strategies were used to move along. Not only will several novel techniques be presented for applying existing physical attacks to targets where those couldn't really be applied before, but also completely new approaches are shared which bring a whole different perspective on glitching despite having lots of capacitors (which we don't really want to remove) and extremely powerfull mosfets (which smooth out crowbar attempts in a blink of an eye). But that's not all! While trying to perform physical attacks on the hardware, the software would just start falling apart by itself. Which means, at least **6 unpatchable\* bugs** were discovered, which are gonna be presented in the talk alongside with **5 zero-day exploits**. Getting EL3 code execution on the most secure core inside AMDs SoC? No Problem! Apart from just bugs and exploits, many useful techniques and discovery strategies are shared which will provide an excellent knowedgle base and attack inspiration for following along or going for other targets.