How a pair of Tweezers defeated security on the Nintendo Wii | MVG

Reddit Comments

I still remember watching the "25C3: Console Hacking 2008: Wii Fail" presentation at that time. I was hooked, didn't understand everything, but it was very entertaining! The homebrew scene got strong after that and Wii emulation on Dolphin came right after it, if memory serves.

👍 71 👤 u/ladyhell 📅 Oct 28 2019 🗫 replies

Nintendo: Tweezers on Wii, Tinfoil on Switch and Magnet on 3DS. One does not simply hardmod a Nintendo device by a regular way.

Sony: Webkit on Vita, Webkit on Playstation 3, Webkit on Playstation 4, Playstation 5 ... you know the deal.

MS: Everything you can imagine on XBOX, JTAG/RGH on 360 and NobodyCaresAboutXBOXOneHax on XBOX One.

Sega: Hey Utopia Team, let me introduce you to the MilCD..

Just joking, of course 3DS has some software exploits (like SoundHax) and Switch has another software exploit (PegaSwitch+Caffeine).

👍 55 👤 u/stranno_ 📅 Oct 28 2019 🗫 replies

I enjoy MVG's videos. I am a software development manager, and these days I only spend half the time gaming, and the half I would be playing, hacking and modding consoles. I find it just as fun as actually playing games.

I still remember the Twilight Hack, that was how I got on board with Wii hacking back in the day.

👍 11 👤 u/JamesSDK 📅 Oct 28 2019 🗫 replies

If you're interested in further work from Team Twiizers / fail0verflow you should check out how they hacked the PS3. I suspect that MVG will cover it soon enough in a future video, but for anybody interested in a VERY technical description of how the PS3 was bested you should watch the following presentation.

https://www.youtube.com/watch?v=LuIlbmn-4A4

You should pay attention to Part 3 of the video as that explains the epic fail that led to them getting the private keys.

👍 21 👤 u/t0xicshadow 📅 Oct 28 2019 🗫 replies

13-year-old me bought a copy of Twilight Princess specifically for the Twilight Hack. I was never a fan of the Zelda games, but that was possibly the best $40 I ever spent. I used that Wii as a DVD player at first; wild that it had the ability to do so but Nintendo locked it for licensing reasons.

I can definitely also credit the Wii homebrew scene for getting me into software development as well, really just a good time all around!

Thanks for sharing, brings me back!

👍 18 👤 u/nihlius 📅 Oct 28 2019 🗫 replies

RIP Bushing, he was a great hacker and a really nice guy!

👍 7 👤 u/L3fty420 📅 Oct 28 2019 🗫 replies

MISTAKES WERE MADE

👍 12 👤 u/Deltabeard 📅 Oct 28 2019 🗫 replies

MVG is da MVP

👍 10 👤 u/OdinsPlayground 📅 Oct 28 2019 🗫 replies

I remember the twilight hack, but I didn't know most of this.

👍 2 👤 u/[deleted] 📅 Oct 28 2019 🗫 replies
Captions
When we think about the Nintendo Wii and its security, the first thought is how easy it is to hack: copy a few files to the SD card, run an exploit, and literally in minutes you are up and running with the Homebrew Channel and all the emulators and apps at your disposal. But initially, hacking the Wii was very, very difficult. After the GameCube, Nintendo learned a thing or two and stepped up their efforts to tighten security. The system was released in 2006, one year after the PlayStation 3 and Xbox 360, and with its much broader demographic it was a smash hit, selling over 100 million units and still holding the sales record for the most consoles sold in a single month, way back in 2009.

The Wii was the successor to the Nintendo GameCube and was fully backward-compatible with the GameCube on the RVL-001 launch model, but the first revision, the RVL-101, and then the RVL-201, also known as the Wii Mini, had GameCube backward compatibility removed. The CPU inside the Wii was a 740 megahertz PowerPC chip known as Broadway, but this was, for all intents and purposes, a PowerPC 750 chip. The GPU, codenamed Hollywood, was designed by ATI and runs at 240 megahertz. The Wii also has 88 megabytes of total main memory, with 64 megabytes of this as external GDDR3 RAM. The system has 512 megabytes of built-in NAND flash memory and is also expandable via SD card, and of course contains a slot-loading disc drive which is compatible with Wii and GameCube discs, assuming that you have the backward-compatible revision.

At launch the Wii was a target for hackers. After all, it's new hardware and has untapped potential. Its backward compatibility with the GameCube made that feature the first obvious weak point. The GameCube did not require code signing, so if code had managed to be installed into the GameCube's main memory, it could be easily executed with full privileges. The GameCube's disc drive could also easily be modified by setting it into debug mode and changing some drive settings to allow backup and region-free games to boot. Now, the DVD drive found in the Nintendo Wii is very similar to the one in the GameCube: it's the same manufacturer, and the board itself, the controller board, is very, very similar. And because the Nintendo Wii has backward compatibility with GameCube games, it was the first area where hackers decided to focus their attention. In theory, this same DVD debug hack found on the GameCube could be applied to the Nintendo Wii. It was first discovered by researchers Felix Domke and Michael Steil in 2006, just a few weeks after the launch of the Nintendo Wii, but in practice things were a little trickier than this.

At the end of 2007, an early Wii hack was demonstrated by Felix Domke and security researcher Ben Byer that allowed for homebrew on the system that ran outside of GameCube mode. This hack required extraction of the signing keys for the Wii, but there was no simple way to do this without hardware modification. This was still a very early work in progress and under research; it wasn't certain if this method would ever be released to the public. It was clear that Nintendo took many steps to tighten security on the Wii. The GameCube mode runs in its own sandbox, which means there is no access to any Wii features at all: this means no SD cards, no Wiimotes, no Wi-Fi and no Bluetooth. So even if there was a way to boot homebrew, it would be confined to GameCube mode only.

The earliest modchips were released in 2007, known as the WiiKey. It took a similar approach to the Xbox 360 DVD firmware hacks at around the same time: the Wii's DVD drive was not encrypted at all, so a simple circuit to trick the drive into thinking that it was loading legitimate games would work. But this did not allow for any homebrew or unsigned code to run. Breaking into the Wii was going to be tough. Games were encrypted, signed and identified by a unique title ID, and in order to decrypt these titles a license key is required. Initially, snooping around to figure out where this key lived came up short. It was assumed to live in the NAND flash, but this turned out to be incorrect. During some investigations of a system update file on a Wii disc, it became apparent that the system update was not using PowerPC code at all; rather, it was using ARM code. But how? Remember, the Wii is a PowerPC-based device. It turns out that the Hollywood GPU chip houses an additional ARM9 processor that's used to handle I/O, security and much, much more. This ARM9 processor was nicknamed Starlet by a security researcher who went by the name segher.

The master key used to decrypt game titles was unique to each console and was burned into the one-time programmable ROM, or OTP, at the manufacturing plant. The key lived inside the Starlet chip and there was no easy way to extract it. Oh, and the key can never be altered. In fact, the Wii's entire boot process does not touch any PowerPC code at all. The main PowerPC chip is completely inactive until the Wii's operating system, known as IOS, is loaded and ready to take user commands. IOS interacts with the Broadway only through high-level API calls; there is never any direct access, and everything is encrypted. IOS runs on internal SRAM, and the Broadway PowerPC chip can't use this area; it is completely protected. This time around, Nintendo secured their hardware extremely well. Or so they thought.

I mentioned earlier that the earliest attacks on the Wii hardware were utilized in the GameCube sandbox mode. Now, there were a couple of discoveries that were made here, but ultimately they could run GameCube homebrew and were still confined in the sandbox itself. There was no easy way, or no known way at the time, to bridge those perimeters and start accessing the Wii mode itself. But as it turns out, the GameCube mode was ultimately what caused the failure of the security system found in the Nintendo Wii. When you insert a GameCube disc into the Wii, it will first boot into Wii mode and then reboot into GameCube sandbox mode, and while it's in this mode it allocates and uses the first 16 megabytes of the entire 64 megabytes of RAM, known as MEM2, and of course IOS is completely disabled. The upper 48 megabytes is not readable because the Starlet chip protects against it. However, because the RAM is just external, off-the-shelf GDDR3 memory chips with address and data lines, using a pair of tweezers to set some pins low when they should have been high exposed the upper 48 megabytes of data. But it gets better: by building memory dumping hardware that exploited the GameCube controller port circuit, the entire 64 megabytes of memory could be dumped and examined. It turns out that the upper 48 megabytes of memory was not cleared out while in GameCube mode and contained leftover code from IOS. So by using a pair of tweezers, bridging points across different address lines on the chip, it was possible to slide the 16 megabytes of GameCube memory throughout the entire 64 megabytes of memory space, which exposed more of the leftover IOS code, and from here they were easily able to reconstruct the entire IOS dump. And as an added bonus, when examining memory dumps, all the global and per-console keys that were hidden away in the Starlet were discovered there for the taking, including the one used to decrypt game titles.

With a full IOS dump and access to keys, the researchers, who had now called themselves Team Twiizers, went into full swing examining IOS in great detail. The goal was to run Linux on the Wii. However, even with the discovery of the keys, Nintendo must still approve all software that runs on the Wii itself. Before running any code, IOS checks the RSA signature against the SHA-1 hash of the content itself, which is digitally signed by Nintendo, and execution will fail if there's no match. Nintendo's RSA implementation contained a critical flaw: they used the C string compare function, which has the side effect of terminating when a null is found. Nintendo was passing in byte values to the string compare, so in the event of null bytes found early in the hash, brute-forcing the SHA-1 hash could be performed in minutes, and that in turn allowed for digital signatures to be easily faked. This meant that all software could be signed and installed on IOS that was not approved.

But remember, Team Twiizers' motivation was to come up with a way to run Linux on the Wii. They could fake-sign, but they still needed a method to install code on the Wii without resorting to modding, so they decided to look at save game exploits. Unlike the original Xbox, the Nintendo Wii digitally signed save files utilizing the console-specific key on the Wii. This meant that you couldn't tamper with the save files to hack them for, say, extra lives or unlimited energy. But since Team Twiizers had discovered all per-console keys when they dumped IOS from MEM2, they were able to modify and re-sign any save game. They discovered a buffer overflow exploit in The Legend of Zelda: Twilight Princess. By modifying the save file and adding a small loader that would execute PowerPC Broadway code, it was easy enough to execute a custom loader. This was known as the Twilight Hack, which was the first public way of enabling homebrew on the Wii without any modification to hardware. It was released in 2008, and it took Nintendo two revisions and around twelve months to ultimately patch the Twilight Hack. These days the Twilight Hack is obsolete and no longer works, in favor of newer and easier methods such as BannerBomb. But if it wasn't for a single pair of tweezers and the brilliant work done by Team Twiizers, who now go by fail0verflow, the Nintendo Wii may have stayed secure for a lot longer.

So there you have it, guys. That's the story of how Team Twiizers, now known as fail0verflow, managed to defeat security on the Nintendo Wii. It's a fascinating story to go back and revisit, and one that I really enjoyed researching and revisiting for you guys. I hope you enjoyed this video, guys, and I do have a lot of links to reference material below. I do suggest you check it out if you are interested in more information from a technical standpoint about how this hack had gone down, and the presentation that the Team Twiizers team had done at the CCC conference in 2008, I believe. So check that out; there are some really cool links that are really worth checking out if you want to know more about the history of Wii hacking on the Nintendo Wii. Well guys, that will do it for this video. I hope you enjoyed it. If you liked it, you know what to do: leave me a thumbs up. As always, don't forget to like and subscribe, and I'll catch you guys in the next video. Bye for now.
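The string-compare flaw the narration describes, shown as an added illustration that is not from the video or from Team Twiizers: the flawed byte comparison beside a corrected one, run over a constructed pair of hashes that agree only on a leading zero byte. `strncmp` stands in for what the narration calls "the C string compare function", and the hash values are constructed sample data, not real Wii material.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SHA1_LEN 20

/* Flawed check, modelled on the narration: the 20 raw hash bytes are handed
 * to a C string compare, which treats 0x00 as end of string. Every byte after
 * an early NUL is never looked at. (strncmp is assumed here; the narration
 * only says "the C string compare function".) */
bool hash_matches_flawed(const uint8_t expected[SHA1_LEN],
                         const uint8_t actual[SHA1_LEN])
{
    return strncmp((const char *)expected, (const char *)actual, SHA1_LEN) == 0;
}

/* Corrected check: look at all 20 bytes whatever their values, and do it in
 * constant time so the comparison leaks nothing about where the first
 * difference sits. */
bool hash_matches_fixed(const uint8_t expected[SHA1_LEN],
                        const uint8_t actual[SHA1_LEN])
{
    uint8_t diff = 0;
    for (size_t i = 0; i < SHA1_LEN; i++)
        diff |= expected[i] ^ actual[i];
    return diff == 0;
}

/* Constructed sample pair: the hash carried in the signature and the hash of
 * the actual content both start with 0x00 but differ from byte 1 onward, the
 * situation the narration says could be reached by brute-forcing the hash. */
static const uint8_t SIG_HASH[SHA1_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x23, 0x45, 0x67 };
static const uint8_t CONTENT_HASH[SHA1_LEN] = {
    0x00, 0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Returns true when the flawed compare accepts the mismatched pair while the
 * fixed compare rejects it, i.e. the narrated failure is reproduced. */
bool flaw_reproduced(void)
{
    return hash_matches_flawed(SIG_HASH, CONTENT_HASH)
        && !hash_matches_fixed(SIG_HASH, CONTENT_HASH);
}
```

The defender's takeaway is the one the narration implies: raw hash or MAC bytes are binary data and must be compared with a fixed-length, constant-time routine, never with a string function.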
Info
Channel: Modern Vintage Gamer
Views: 3,838,546
Rating: 4.8994799 out of 5
Keywords: nintendo, wii, team twiizers, fail0verflow, tmbinc, bushing, marcan, michael steil, modding, hacking, wii homebrew channel, linux, mvg, modern vintage gamer, mistakes were made, play nintendo, legend of zelda, twilight princess, twilight hack, nintendo wii, nintendo wii games, wii games, wii nintendo, gaming
Id: 4BlpONgj74A
Length: 11min 39sec (699 seconds)
Published: Mon Oct 28 2019