How the Nintendo GameCube Security was defeated | MVG

Feb 27, 2020
The Nintendo GameCube, codenamed Dolphin, was released in Japan in late 2001 and was the first Nintendo system to use an optical drive as its storage medium. It was also the first Nintendo console to use the PowerPC architecture, something Nintendo kept until the Nintendo Wii U. Microsoft and Sony also made the transition to PowerPC, with the Xbox 360 and the Sony PlayStation 3 respectively. The GameCube's CPU was a variant of the PowerPC 730 chip, nicknamed Gekko, which ran at a respectable 486 MHz. The GPU was known as the Flipper chip and was developed by ArtX, now part of ATI. It contained 2.5 MB of frame buffer memory, which was enough to render 480p progressive scan scenes.
Nintendo focused much of its effort on hardware, packing a lot of power and performance into a small cube format. Games like Star Wars Rogue Squadron were capable of pushing an average of twelve million polygons per second, an impressive feat. Nintendo was no stranger to software piracy, as the Super Nintendo and Nintendo 64 had both been targets of disk-based copiers, and they knew that the GameCube's optical drive would be one of the areas hackers would target, so they implemented copy protection and obfuscated the disc media. When you insert an original game disc into a PC's drive, you won't even see that a new disc has been inserted.
And if this copy protection was not present on the disc, the GameCube firmware would refuse to read the disc. Nintendo implemented copy protection to thwart hackers and any unauthorized booting of backups, and its DVD drive firmware ensured that illegal backups were locked out of the system. In other words, they didn't even start. But the Nintendo GameCube had no concept of code signing; in other words, if a hacker somehow figured out how to get code onto the GameCube, the system was perfectly capable of running it. And it turns out that in 2003 this is exactly what happened. Phantasy Star Online, or PSO, was a popular online role-playing game developed by Sonic Team for the Sega Dreamcast in 2001.
When the GameCube was released, Sonic Team announced that a version of PSO was in development for the GameCube. It was also one of the first GameCube titles to take advantage of the broadband adapter for online play. PSO's GameCube port was able to stay up to date by downloading new patches or versions of its game executable from PSO's central servers. Hackers determined that by changing the DNS and IP address, it was easy to trick the game into connecting to a simple program running on a PC. Basically, this program impersonates a PSO server: it listens for a connection and allows the user to send a GameCube executable, or DOL file, to the GameCube and run it.
The PSO exploit was also used to develop homebrew tools for ripping original discs. The original discs were 1.2 GB in size, and the exploit could, in turn, be used to transmit the contents of the drive over the network. This was the first attempt to run backups on the GameCube. This exploit was known as "PSOLoad" and was the first softmodding attempt on the Nintendo GameCube. The PSO exploit worked very well at the time, but its main problem was that you needed to start PSO every time you wanted to start homebrew, and it was quite complicated to do. And while the hacking community was busy uploading homebrew over the network with PSO and a broadband adapter, the company known as Datel was investigating the GameCube DVD format and its copy protection.
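The weakness this part of the narration identifies is that the GameCube had no code signing: any DOL that reached the console, whether streamed by a fake PSO server or burned to a disc, would be run. The check that was missing is easiest to see in code. The following Go program is an added example, not code from the video or from any GameCube project: it parses the standard DOL header layout (big-endian words; 7 text and 11 data section slots; file offsets at 0x00, load addresses at 0x48, sizes at 0x90; BSS address and size at 0xD8 and 0xDC; entry point at 0xE0), bounds-checks every section against the file and against main RAM, and refuses to parse an image unless an Ed25519 signature appended to it verifies under a trusted public key. The sample DOL, the key pair, the "DOL bytes followed by a 64-byte signature" image format and the main-RAM window 0x80000000 to 0x81800000 are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// DOL header layout (0x100 bytes, big-endian words):
//   0x00 file offsets (7 text, then 11 data)  0x48 load addresses  0x90 sizes
//   0xD8 BSS address  0xDC BSS size  0xE0 entry point
const (
	dolHeaderSize = 0x100
	numText       = 7
	numData       = 11
	ramStart      = 0x80000000 // assumed main-RAM window a loader accepts
	ramEnd        = 0x81800000
)

type Section struct{ Offset, Address, Size uint32 }

type DOL struct {
	Text, Data       []Section
	BSSAddr, BSSSize uint32
	Entry            uint32
}

// ParseDOL decodes a header and rejects sections that fall outside the file or
// outside main RAM, and an entry point that is not inside any text section.
func ParseDOL(b []byte) (*DOL, error) {
	if len(b) < dolHeaderSize {
		return nil, errors.New("DOL header truncated")
	}
	be := binary.BigEndian
	d := &DOL{}
	for i := 0; i < numText+numData; i++ {
		s := Section{
			Offset:  be.Uint32(b[i*4:]),
			Address: be.Uint32(b[0x48+i*4:]),
			Size:    be.Uint32(b[0x90+i*4:]),
		}
		if s.Size == 0 {
			continue // unused slot
		}
		if uint64(s.Offset)+uint64(s.Size) > uint64(len(b)) {
			return nil, fmt.Errorf("section %d extends past end of file", i)
		}
		if uint64(s.Address) < ramStart || uint64(s.Address)+uint64(s.Size) > ramEnd {
			return nil, fmt.Errorf("section %d loads outside main RAM", i)
		}
		if i < numText {
			d.Text = append(d.Text, s)
		} else {
			d.Data = append(d.Data, s)
		}
	}
	d.BSSAddr, d.BSSSize, d.Entry = be.Uint32(b[0xD8:]), be.Uint32(b[0xDC:]), be.Uint32(b[0xE0:])
	for _, s := range d.Text {
		if d.Entry >= s.Address && d.Entry < s.Address+s.Size {
			return d, nil
		}
	}
	return nil, errors.New("entry point is not inside any text section")
}

// SignImage appends an Ed25519 signature over the DOL bytes (constructed image format).
func SignImage(priv ed25519.PrivateKey, dol []byte) []byte {
	return append(append([]byte{}, dol...), ed25519.Sign(priv, dol)...)
}

// VerifyAndParse is the step a signing-aware loader performs before jumping to Entry:
// no valid signature under the trusted key, no parse, no execution.
func VerifyAndParse(pub ed25519.PublicKey, img []byte) (*DOL, error) {
	if len(img) < ed25519.SignatureSize {
		return nil, errors.New("image too short to carry a signature")
	}
	body, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature mismatch: refusing to run image")
	}
	return ParseDOL(body)
}

// BuildSampleDOL constructs a minimal well-formed DOL (test data, not a real game):
// one 16-byte text section of PowerPC nops loaded at 0x80003100, entry at its start.
func BuildSampleDOL() []byte {
	hdr := make([]byte, dolHeaderSize)
	payload := bytes.Repeat([]byte{0x60, 0x00, 0x00, 0x00}, 4)
	be := binary.BigEndian
	be.PutUint32(hdr[0x00:], dolHeaderSize)         // text[0] file offset
	be.PutUint32(hdr[0x48:], 0x80003100)            // text[0] load address
	be.PutUint32(hdr[0x90:], uint32(len(payload)))  // text[0] size
	be.PutUint32(hdr[0xE0:], 0x80003100)            // entry point
	return append(hdr, payload...)
}

// LoaderDemo returns (genuine accepted, modified image rejected, unsigned DOL rejected).
func LoaderDemo() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	dol := BuildSampleDOL()
	img := SignImage(priv, dol)
	_, errGenuine := VerifyAndParse(pub, img)
	modified := append([]byte{}, img...)
	modified[0xE0] ^= 0x01 // entry point changed after signing
	_, errModified := VerifyAndParse(pub, modified)
	_, errUnsigned := VerifyAndParse(pub, dol) // bare DOL with nothing appended
	return errGenuine == nil, errModified != nil, errUnsigned != nil, nil
}

func main() {
	g, m, u, err := LoaderDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted=%v modified rejected=%v unsigned rejected=%v\n", g, m, u)
}
```

Run it with `go run .`; the bare-DOL case is the GameCube's situation as the narration describes it: with no signature step, `ParseDOL` alone would happily accept the image and the loader would jump to its entry point.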
In 2003, they released a tool known as "Freeloader", which allowed you to boot a GameCube disc from any region. They quickly followed this up with Action Replay, a disc full of cheat codes for many different GameCube games. The interesting thing about both discs is that they are not licensed by Nintendo and therefore do not contain any copy protection. So how did Datel manage to boot unlicensed discs on GameCube hardware? To understand this better, let's take a look at a typical GameCube game DVD. The disc itself is nothing more than a mini DVD with 1.2 GB of storage, as we said above, but its data format is unusual.
When you insert a GameCube disc into a PC, the disc isn't even detected. So what is going on here? Each individual GameCube disc has a unique identifier etched into the disc. This is done during mastering with a special laser, which is not found in consumer DVD recorders. This identifier is known as the BCA, or Burst Cut Area. Each GameCube disc also has six unique, equally spaced marks etched into the disc, which is also part of the mastering process. The BCA data is encrypted, but with a simple homebrew program that reads the contents of the drive's memory after a disc has been authenticated, the decrypted BCA data can be captured.
The decrypted BCA data references the physical sector locations of each of the six marks on the disc, and this formed the basis of the copy protection found on the GameCube. Nintendo's thinking was that it would be difficult, if not impossible, to replicate those six marks, and even if you had the precision hardware to do so, the BCA verifies the exact places where these marks should be, so you would need to put all six in exactly the same positions as on an original disc. With all of this information discovered, it is clear that Datel could not replicate the BCA and the six unique marks on the Action Replay and Freeloader discs.
So how did they achieve this? Simply put, they took the BCA data that the GameCube expects and burned it to the first few sectors of the disc, complete with the same byte stream the GameCube would see after reading the data from all six marks, to fool the DVD drive into thinking that the marks are in the right place. The copy protection has no way of knowing whether there were actual physical marks on the disc; it only cares whether the response data after reading the marks is correct. Datel simply supplied its own BCA data containing the correct bitstream to simulate these marks.
Now the question is why the Datel method was not used in the scene to run backups and override copy protection. The simple answer is that a lot of people weren't really sure how Datel had managed to achieve this, and by the time people realized it, there were already other, more advanced methods for running GameCube backups and homebrew on the Nintendo GameCube. While Datel had cracked the DVD copy protection, hackers found a new method of booting homebrew that didn't require a broadband adapter. The Datel Action Replay disc, as we will soon see, became a very important tool for everything related to homebrew on the GameCube.
Entering a 29-line code would patch the GameCube's memory and allow the first sector of an SD card to be read. If this sector contained a DOL executable or a homebrew loader, Action Replay with this single code could start homebrew without the need for a broadband adapter and PSO. This method had different names, but was originally known as "Samson AR loader" or "SD load". This method was refined until it reached what it is today. Datel later released the SD Media Launcher, which uses the same method but makes it much easier to use, so you don't have to worry about entering Action Replay codes.
Now, all of these softmodding techniques work pretty well, but they were all based on Action Replay. In other words, you would have to boot the Action Replay disc in order to run homebrew on the Nintendo GameCube. But the GameCube hacking scene was just getting started, with the next level of exploits starting to be released involving the GameCube BIOS, or IPL. The GameCube BIOS, known as the IPL or Initial Program Loader, was encrypted on the GameCube. By simply replacing this BIOS with a custom version using hardware modification techniques, you could patch and unlock many GameCube features, including removing DVD copy protection, booting into homebrew from memory cards and over the network, USB bootloaders and much more.
But how was this achieved? The boot ROM was connected to the GameCube's external interface bus, or EXI bus. The EXI bus has a major flaw: all data sent over the bus is sent shifted to the right, but the shift register is never cleared once the decrypted data comes in. Therefore, with the right hardware, it was possible to recover the key stream and extract the decrypted IPL. The first open source IPL replacement was released in 2004. It did not allow backup games to be started, but it did allow homebrew to be started. It wasn't long before modchips started appearing.
The Viper GC was the first IPL replacement modchip released in 2004 that had many unique features including DVD drive unlocking. Therefore, normal size DVD discs could boot backups and more. Other IPL replacement modchips arrived later, including the Qoob and the Ripper3. These chips only needed 7 wires to replace the existing IPL and were popular for many years. Following IPL-based modchips, the most recent methods for modding the GameCube involved using a simple device to communicate with the debug port of the GameCube DVD drive and put it into debug mode. From here, commands can be sent to patch the drive to accept regular DVD media and bypass these protection methods.
The popular chip known as Xeno GC uses this method. Known as a controller chip, the Xeno GC is completely open source and there are hundreds of clones on the market today. This is by far the easiest and cheapest way to modify your Nintendo GameCube. But keep in mind that unless you boot homebrew from the DVD drive, you'll still need an IPL-based modchip or an Action Replay-based SD loader to boot your homebrew. And finally, there's WODE, or Wii Optical Drive Emulator, a total replacement for the Nintendo Wii and GameCube for playing backups from mass storage. It also comes with a replacement IPL to allow for disc removal and USB support.
Like the original Xbox, the GameCube also suffers from save game exploits and, at the time of this video, there are 12 titles that can be exploited to boot into homebrew. These exploits are still being discovered and used today. Nintendo certainly learned a lot from the GameCube and the security surrounding it. They made a concerted effort to significantly increase the security of their next product, the Nintendo Wii. But since the Nintendo Wii supports backward compatibility with GameCube hardware, it was only a matter of time before security on that system was defeated as well, but that's another story for another day.
So that's the story of the Nintendo GameCube and how its security was finally defeated by using softmodding and hardmodding techniques to get into the system so it could run homebrew, backups and all sorts of things like that. The GameCube is an amazing system; it definitely has a big place in my heart. Nintendo learned a lot of security lessons from the Nintendo GameCube and used some more modern techniques on the Nintendo Wii, but unfortunately, because the Nintendo Wii has backward hardware compatibility with the Nintendo GameCube, some of the legacy GameCube issues were carried over to the Nintendo Wii, and that's definitely something we'll cover in a future episode of this particular series.
Well guys, we'll leave it here for this video. If you liked this video, you know what to do: give me a thumbs up and tell me what you thought in the comments below, as always. Don't forget to like and subscribe, and I'll see you in the next video. Goodbye for now.