
How a pair of Tweezers defeated security on the Nintendo Wii | MVG

May 30, 2021
When we think about the Nintendo Wii and its security, the first thing we think about is how easy it is to hack: copy some files to the SD card, run an exploit, and literally within minutes you are up and running with the Homebrew Channel and all the emulators and applications at your disposal. But initially, hacking the Wii was very, very difficult. After the GameCube, Nintendo had learned a thing or two and stepped up its efforts to tighten security.

The system was released in 2006, a year after the Xbox 360 and in the same month as the PlayStation 3, and it targeted a much broader demographic. It was a huge success, selling over 100 million units, and it still holds the record for the most consoles sold in a single month, set back in 2009. The Wii was the successor to the Nintendo GameCube and, in its first revision, the RVL-001, was fully backwards compatible with it; the later RVL-101 and then the RVL-201, aka the Wii Mini, had GameCube backwards compatibility removed. The CPU inside the Wii was a 729 MHz PowerPC chip known as Broadway, which for all intents and purposes is a PowerPC 750. The GPU, codenamed Hollywood, was designed by ATI and runs at 243 MHz. The Wii has 88 MB of main memory in total, 64 MB of which is external GDDR3 RAM. The system has 512 MB of built-in NAND flash memory, expandable via an SD card, and of course a slot-loading disc drive that accepts both Wii and GameCube discs, assuming you have a backwards-compatible model. At launch the Wii was a target for hackers: after all, it was new hardware with untapped potential.
Its backwards compatibility with the GameCube made that feature the first obvious weak point. The GameCube did not require code signing, so if code could get itself into the console's main memory it could easily run with full privileges, and the GameCube's disc drive could be modified easily: putting it into debug mode and changing some drive settings allowed region-free play and backups to boot. Now, the DVD drive found in the Nintendo Wii is very similar to the one in the GameCube. It is from the same manufacturer and the controller board itself is very similar, and because the Nintendo Wii supports GameCube games, this was the first area hackers focused their attention on. In theory, the same DVD debug hack found on the GameCube could apply to the Nintendo Wii.
This was first demonstrated by researchers Felix Domke and Michael Steil in 2006, just a few weeks after the Nintendo Wii launched, but in practice things were a little more complicated than that. In late 2007, Felix Domke and security researcher Ben Byer showed early homebrew running on the system outside of GameCube mode. This hack required extracting the signing keys, and there was no easy way to do that without hardware modifications. It was still a very early work in progress, and the researchers were unsure whether this method would ever be released to the public.
It was clear that Nintendo had taken a lot of steps to tighten security on the Wii. GameCube mode runs in its own sandbox, meaning there is no access to any Wii functions: no SD card, no Wii Remotes, no Wi-Fi or Bluetooth. So even if there was a way to start homebrew, it would be limited to GameCube mode. The first modchip, known as the WiiKey, was released in 2007 and took a similar approach to the Xbox 360 DVD firmware hacks of around the same time. The Wii's DVD drive traffic was not encrypted at all, so a simple circuit that tricked the drive into thinking it was loading legitimate games would work, but this did not allow any homebrew or unsigned code to run. Breaking into the Wii was going to be difficult: games were encrypted, signed, and identified by a unique title ID, and decrypting these titles requires a key. Initially, while snooping around to find out where this key lived, it was assumed to live in NAND flash memory, but this turned out to be incorrect. During an investigation of a system update file on a Wii disc, it became apparent that the system update was not using PowerPC code at all, but ARM code instead. But how, when the Wii is a PowerPC-based device? It turns out that the Hollywood GPU chip houses an additional ARM9 processor that is used to handle I/O, security and much more.
This ARM9 processor was dubbed Starlet by a security researcher who called himself segher. The master key used to decrypt game titles was unique to each console and was burned into one-time-programmable (OTP) memory at the factory. The key lived inside the Hollywood chip, there was no easy way to extract it, and it can never be altered. In fact, the Wii's entire boot process does not touch any PowerPC code at all. The main PowerPC chip sits completely idle until the Wii's operating system, known as IOS, is loaded and ready to receive commands. IOS is reached only through high-level API calls, there are no shortcuts, and everything is encrypted. IOS runs from internal SRAM that the Broadway PowerPC chip cannot use; this area is completely protected. This time, Nintendo had secured its hardware extremely well.

I mentioned earlier that the first attacks on the Wii hardware were aimed at the GameCube sandbox mode. A couple of discoveries were made there, and eventually GameCube homebrew could be run, but it was still confined to the sandbox itself; there was no easy or known way at the time to break out of those boundaries and reach Wii mode. It turns out, though, that GameCube mode was ultimately what caused the Nintendo Wii's security to fail. When you insert a GameCube disc, the Wii first boots into Wii mode and then reboots into the GameCube sandbox mode, and while in this mode it allocates and uses only the first 16 MB of the 64 MB of GDDR3 RAM. IOS is of course completely shut down, and the top 48 MB is not readable because the Hollywood chip protects it. However, because that RAM is just off-the-shelf external GDDR3 memory with address and data lines, a pair of tweezers could be used to pull some address pins low so that the top 48 MB of data was exposed where the lower 16 MB should have been. By building a memory dumper that exploited the GameCube controller port to get the data out, the entire 64 MB of memory could be dumped and examined. It turned out that the top 48 MB of memory was not erased when entering GameCube mode and still contained leftover IOS code. So, using a pair of tweezers to bridge pads across different address lines on the chip, it was possible to slide the GameCube's 16 MB window across the 64 MB memory space, which exposed more leftover IOS code, and from there the entire IOS image could be reconstructed fairly easily. As an added bonus, when examining the memory dumps, all the global and per-console keys that were hidden in Starlet were discovered there too, including the one used to decrypt game titles.

With a full IOS dump and access to the keys, the researchers, who now called themselves Team Twiizers, went into full swing examining IOS in great detail, the target being Linux on the Wii. However, even with the discovery of the keys, Nintendo still needed to approve all software that runs on the Wii: before running any code, IOS verifies the RSA signature against the SHA-1 hash of the content itself, which is digitally signed by Nintendo, and the run fails if there is no match.
Nintendo's RSA implementation contained a critical flaw. It used a C string comparison function, strncmp, which has the side effect of stopping at the first null byte. Nintendo was passing raw hash bytes to this string comparison, so if the hash started with a null byte, the comparison succeeded without ever looking at the rest of it. Brute-forcing content until its SHA-1 hash begins with a null byte takes minutes at most, and that in turn allowed digital signatures to be spoofed easily, so software Nintendo had never approved could be signed and installed on IOS. But remember that Team Twiizers' motivation was to come up with a way to run Linux on the Wii. They could fake the signing, but they still needed a method to get code onto the Wii without resorting to modding, so they went looking for save-game exploits. Unlike the original Xbox, the Wii digitally signed save files using the console-specific key, which meant save files could not be altered to hack them for, say, extra lives or unlimited energy. But since Team Twiizers had discovered all the per-console keys when they dumped IOS from MEM2, they were able to modify and re-sign any save game. They discovered a buffer overflow in The Legend of Zelda: Twilight Princess; by modifying the save file and adding a small loader that would run PowerPC Broadway code, it was quite easy to launch a custom loader. This became known as the Twilight Hack, the first public way of enabling homebrew without any hardware modification. It was released in 2008, and it took Nintendo two revisions and around twelve months to finally patch it.
Today the Twilight Hack is outdated and no longer works, superseded by newer and easier methods like LetterBomb, but if it weren't for a single pair of tweezers and the brilliant work of Team Twiizers, now known as fail0verflow, the Nintendo Wii may have stayed secure for much longer. So there you have it guys, that's the story of how Team Twiizers, now known as fail0verflow, managed to beat the security on the Nintendo Wii. It's a fascinating story to come back and revisit, and one that I really enjoyed researching and reviewing for you. I hope you guys enjoyed this video. I have lots of links to reference material below, and I suggest you check them out if you are interested in learning more, from a technical point of view, about how this hack was done, including the presentation Team Twiizers gave at the CCC conference. There are some really interesting links that are well worth checking out if you want to know more about the story of how the Nintendo Wii was hacked. Well guys, that will do it for this video. I hope you enjoyed it. If you liked it, give me a thumbs up as always, don't forget to like and subscribe, and I'll see you in the next video. Bye for now.
