Opening pAMDora's box and unleashing a thousand paths on the journey to play Beatsaber custom songs (39c3) episode artwork

EPISODE · Dec 27, 2025 · 44 MIN

Opening pAMDora's box and unleashing a thousand paths on the journey to play Beatsaber custom songs (39c3)

from Chaos Computer Club - recent audio-only feed · host tihmstar

While trying to apply fault injection to the AMD Platform Security Processor with unusual (self-imposed) requirements/restrictions, it were software bugs which stopped initial glitching attempts. Once discovered, the software bug was used as an entry to explore the target, which in turn lead to uncovering (and exploiting) more and more bugs, ending up in EL3 of the most secure core on the chip. This talk is about the story of trying to glitch the AMD Platform Security Processor, then accidentally discovering several bugs and getting a good look inside the target, before returning to trying to hammer it with novel physical strategies. # BACKSTORY --------------- So here is the backstory of how it all started: - I bought a commercial gaming console - Then bought a VR headset (for this console) because of exclusive game - But also wanted to play beatsaber - I could, but builtin song selection was very limited - Custom songs exist (for example on steam), but not for this console - I didn't want to buy a second headset for steam That's when i decided i want to hack this console so that i can port community created customs songs to the console and play them there with the VR headset i already have. Initially starting with an approach similar to the usual "entrypoint through browser", then go for kernel and call it a day, but quickly annoying hurdles blocked my way. For one, the Hypervisor makes your live just miserable with it's execute only kernel text blind exploitation. Other issues were that one needs to be on latest version to download the game, which exists only as digital purchase title, preventing me to share my efforts with others even if i can get it working on my console. Though, what finally put the nail in the coffin was when porting a kernel zeroday to the console failed because of heavy sandboxing, unreachable syscalls or even entirely stripped kernel functions. Some may call it "skill issue". Anyways, that's when i was full of it and decided to bring this thing down for good. Everybody does glitching nowadays and according to rumors people did have success on this thing with glitching before, so how hard can it really be, right? So the question became: Is it possible to build a modchip, which glitches the board and lets me play beatsaber custom songs? Stuff like that has been done on other consoles before (minus the beatsaber part :P) Turns out that when manufacturing produces chips with broken GPUs, they are sold as spinoff desktop mainboards (with disabled GPU) rather than thrown away. Which is great, because those mainboards are much cheaper, especially if you buy broken spinoff mainboards on ebay. So on the journey to beatsaber custom songs, breaking this desktop mainboard became a huge chunk of the road. Because if i can glitch this and build a modchip for it, surely i can also do it for the console, right? I mean it's the exact same SoC afterall! Back when i started i didn't know i would be about to open pAMDoras box and discover so many bugs and hacks. # Actual talk description --------------- **Disclaimer: This is not a console hacking talk!** This talk is gonna be about breaking nearly every aspect of the AMD Platform Security Processor of the desktop mainboard with the same SoC as the console. While certainly usefuly for _several_ other AMD targets, unfortunately not every finding can directly be ported to the console. Still, it remains very useful nonetheless! Note: The final goal of custom songs on beatsaber has not been reached yet, this talk is presenting the current state of things. In this talk you'll be taken on a ride on how everything started and how almost every aspect of the chip was broken. How bugs were discovered, what strategies were used to move along. Not only will several novel techniques be presented for applying existing physical attacks to targets where those couldn't really be applied before, but also completely new approaches are shared which bring a whole different perspective on glitching despite having lots of capacitors (which we don't really want to remove) and extremely powerfull mosfets (which smooth out crowbar attempts in a blink of an eye). But that's not all! While trying to perform physical attacks on the hardware, the software would just start falling apart by itself. Which means, at least **6 unpatchable\* bugs** were discovered, which are gonna be presented in the talk alongside with **5 zero-day exploits**. Getting EL3 code execution on the most secure core inside AMDs SoC? No Problem! Apart from just bugs and exploits, many useful techniques and discovery strategies are shared which will provide an excellent knowedgle base and attack inspiration for following along or going for other targets. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/opening-pamdora-s-box-and-unleashing-a-thousand-paths-on-the-journey-to-play-beatsaber-custom-songs

While trying to apply fault injection to the AMD Platform Security Processor with unusual (self-imposed) requirements/restrictions, it were software bugs which stopped initial glitching attempts. Once discovered, the software bug was used as an entry to explore the target, which in turn lead to uncovering (and exploiting) more and more bugs, ending up in EL3 of the most secure core on the chip. This talk is about the story of trying to glitch the AMD Platform Security Processor, then accidentally discovering several bugs and getting a good look inside the target, before returning to trying to hammer it with novel physical strategies. # BACKSTORY --------------- So here is the backstory of how it all started: - I bought a commercial gaming console - Then bought a VR headset (for this console) because of exclusive game - But also wanted to play beatsaber - I could, but builtin song selection was very limited - Custom songs exist (for example on steam), but not for this console - I didn't want to buy a second headset for steam That's when i decided i want to hack this console so that i can port community created customs songs to the console and play them there with the VR headset i already have. Initially starting with an approach similar to the usual "entrypoint through browser", then go for kernel and call it a day, but quickly annoying hurdles blocked my way. For one, the Hypervisor makes your live just miserable with it's execute only kernel text blind exploitation. Other issues were that one needs to be on latest version to download the game, which exists only as digital purchase title, preventing me to share my efforts with others even if i can get it working on my console. Though, what finally put the nail in the coffin was when porting a kernel zeroday to the console failed because of heavy sandboxing, unreachable syscalls or even entirely stripped kernel functions. Some may call it "skill issue". Anyways, that's when i was full of it and decided to bring this thing down for good. Everybody does glitching nowadays and according to rumors people did have success on this thing with glitching before, so how hard can it really be, right? So the question became: Is it possible to build a modchip, which glitches the board and lets me play beatsaber custom songs? Stuff like that has been done on other consoles before (minus the beatsaber part :P) Turns out that when manufacturing produces chips with broken GPUs, they are sold as spinoff desktop mainboards (with disabled GPU) rather than thrown away. Which is great, because those mainboards are much cheaper, especially if you buy broken spinoff mainboards on ebay. So on the journey to beatsaber custom songs, breaking this desktop mainboard became a huge chunk of the road. Because if i can glitch this and build a modchip for it, surely i can also do it for the console, right? I mean it's the exact same SoC afterall! Back when i started i didn't know i would be about to open pAMDoras box and discover so many bugs and hacks. # Actual talk description --------------- **Disclaimer: This is not a console hacking talk!** This talk is gonna be about breaking nearly every aspect of the AMD Platform Security Processor of the desktop mainboard with the same SoC as the console. While certainly usefuly for _several_ other AMD targets, unfortunately not every finding can directly be ported to the console. Still, it remains very useful nonetheless! Note: The final goal of custom songs on beatsaber has not been reached yet, this talk is presenting the current state of things. In this talk you'll be taken on a ride on how everything started and how almost every aspect of the chip was broken. How bugs were discovered, what strategies were used to move along. Not only will several novel techniques be presented for applying existing physical attacks to targets where those couldn't really be applied before, but also completely new approaches are shared which bring a whole different perspective on glitching despite having lots of capacitors (which we don't really want to remove) and extremely powerfull mosfets (which smooth out crowbar attempts in a blink of an eye). But that's not all! While trying to perform physical attacks on the hardware, the software would just start falling apart by itself. Which means, at least **6 unpatchable\* bugs** were discovered, which are gonna be presented in the talk alongside with **5 zero-day exploits**. Getting EL3 code execution on the most secure core inside AMDs SoC? No Problem! Apart from just bugs and exploits, many useful techniques and discovery strategies are shared which will provide an excellent knowedgle base and attack inspiration for following along or going for other targets. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/opening-pamdora-s-box-and-unleashing-a-thousand-paths-on-the-journey-to-play-beatsaber-custom-songs

NOW PLAYING

Opening pAMDora's box and unleashing a thousand paths on the journey to play Beatsaber custom songs (39c3)

0:00 44:53

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Breaking News Show | eTurboNews Juergen Thomas Steinmetz News is relevant to the global travel and tourism industry, human rights and global issues.Breaking news when it happens and only from the source. That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. HOMELAND HOMELAND The Church is a body not a building. It's the bride of Jesus Christ! Jesus is coming back for a mature bride. That means it's time for the church of Jesus Christ to move from milk to meat. This is the hour of maturity!HOMELAND is an announcement that the church is being set free. Only the church has the ability to transform the world. The kingdom's of this world will become the kingdoms of our Lord and Savior!All of creation has been waiting for this moment! Sons and daughters of God are rising up and taking their seat! LIGHTS, CAMERA, SMILE! Creatives Club Media Lights, Camera, Smile, is a podcast for anyone with a dream to share something with the world, out of the overflow of themselves - be it their mind, their heart, their personalities, and much more. Each of us are alive in this moment in time, with an innate ability to have ideas and create various things to benefit both ourselves and the people around us for a reason, and here, you will find the encouragement, the inspiration, and the motivation to do just that. Hosted by Cicily, founder of Creatives Club, she dives into various topics surrounding creativity and business. Exploring entrepreneurship for creatives in a corporate reality, sharing tips and tricks in a media centered company, answering questions regarding what a creative actually is are just a few of the things discussed on this podcast. Be encouraged to create for yourself as Cicily gets vulnerable by pivoting the camera to herself for the first time.To submit questions for Cicily to answer, or have her address certain t

Frequently Asked Questions

How long is this episode of Chaos Computer Club - recent audio-only feed?

This episode is 44 minutes long.

When was this Chaos Computer Club - recent audio-only feed episode published?

This episode was published on December 27, 2025.

What is this episode about?

While trying to apply fault injection to the AMD Platform Security Processor with unusual (self-imposed) requirements/restrictions, it were software bugs which stopped initial glitching attempts. Once discovered, the software bug was used as an...

Can I download this Chaos Computer Club - recent audio-only feed episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!