The Nintendo GameCube, codenamed Dolphin, was released in Japan in late 2001 and was the first Nintendo system to use an optical drive as its storage medium. It was also the first Nintendo console to use the PowerPC architecture, which Nintendo stuck with all the way up to the Wii U; Microsoft and Sony later moved to PowerPC as well, with the Xbox 360 and the PlayStation 3 respectively. The GameCube's CPU, nicknamed Gecko, was a variant of the PowerPC 750CXe running at a very respectable 486 MHz. The GPU, known as Flipper, was developed by ArtX, which was later acquired by ATI. It contained 2 MB of embedded frame buffer plus 1 MB of texture cache, plenty for rendering 480p progressive-scan scenes. Nintendo focused much of its effort on the hardware, packing a lot of performance into a small cube. Games like Star Wars Rogue Squadron II: Rogue Leader could push an average of twelve million polygons per second, a very impressive feat for the time.

Nintendo was no stranger to piracy: the Super Nintendo and Nintendo 64 had been targeted by copier devices, and Nintendo knew the GameCube's optical drive would be one of the first things hackers went after. So it implemented copy protection and obfuscated the disc format. Insert an original GameCube disc into a PC drive and the PC will not even register that a disc has been inserted. Conversely, if the copy protection was not present on a disc, the GameCube's drive firmware would refuse to read it, so unauthorised backups did not boot at all. But the GameCube had no concept of code signing: if a hacker found any way to get code onto the system, the system would happily execute it. And in 2003, that is exactly what happened.
Phantasy Star Online, or PSO, was a popular online RPG developed by Sonic Team for the Sega Dreamcast. When the GameCube launched, Sonic Team announced a GameCube version of PSO, and it became one of the first GameCube titles to take advantage of the broadband adapter for online play. The GameCube port kept itself up to date by downloading patches and new versions of its game executable from the central PSO servers. Hackers worked out that by pointing the console's DNS and IP settings at a PC, it was easy to trick the game into connecting to a simple program running there. That program masquerades as a PSO server, waits for the connection, and lets the user push a GameCube executable (a DOL file) to the console, which then executes it. Nothing on the console checked where that executable came from.

The exploit, known as PSOLoad, was the earliest attempt at soft-modding the GameCube. It was also used to develop homebrew tools for ripping original discs: a GameCube disc holds about 1.46 GB, so the exploit was used to stream the contents of a disc over the network rather than store them on the console. This was also the earliest way of running backups on the GameCube. PSOLoad worked well at the time, but its main drawback was that you had to boot into PSO every time you wanted to launch homebrew, and the process was fiddly.

While the hacking community was busy loading homebrew over the network with PSO and a broadband adapter, a company called Datel was researching the GameCube DVD format and its copy protection. In 2003 it released the Freeloader, a disc that allowed you to boot GameCube games from any region, and quickly followed it up with the Action Replay, a disc full of cheat codes for many GameCube games. What is interesting about both discs is that they are not licensed by Nintendo and therefore carry none of Nintendo's copy protection. So how did Datel manage to boot unlicensed discs on GameCube hardware?
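Because the console runs whatever DOL it is handed, the loader is the only place a sanity check can live. The following is an added example, not code from the video or from PSOLoad: a validator that checks a DOL executable before a loader copies its sections into memory. The header layout is the standard DOL format (7 text and 11 data sections, each with a file offset, load address and size, followed by BSS address, BSS size and entry point); the MEM1 address range and the `build_dol` helper used to construct sample input are assumptions for this example.

```python
"""Validator for a DOL executable before a loader copies it into memory.

Added example, not code from the video or from PSOLoad. The header layout is
the standard DOL format; the memory limits below are assumptions.
"""
import struct
from dataclasses import dataclass

DOL_HEADER_SIZE = 0x100
# DOL header: 7 text + 11 data file offsets, then load addresses, then sizes
# (all big-endian u32), then BSS address, BSS size and entry point.
HEADER_FMT = ">7I11I7I11I7I11IIII"
# Main memory (MEM1) through the cached window: 24 MiB at 0x80000000. Assumed
# range for this example; a real loader would also exclude its own footprint.
MEM1_START = 0x80000000
MEM1_END = MEM1_START + 24 * 1024 * 1024


class DolError(ValueError):
    pass


@dataclass
class Section:
    kind: str      # "text" or "data"
    offset: int    # file offset
    address: int   # load address
    size: int


def parse_dol(blob: bytes):
    """Return (sections, bss_addr, bss_size, entry) from a DOL header."""
    if len(blob) < DOL_HEADER_SIZE:
        raise DolError("file shorter than the DOL header")
    f = struct.unpack(HEADER_FMT, blob[:struct.calcsize(HEADER_FMT)])
    offsets, addresses, sizes = f[0:18], f[18:36], f[36:54]
    bss_addr, bss_size, entry = f[54], f[55], f[56]
    sections = []
    for i in range(18):
        if offsets[i] == 0:          # unused slot
            continue
        kind = "text" if i < 7 else "data"
        sections.append(Section(kind, offsets[i], addresses[i], sizes[i]))
    return sections, bss_addr, bss_size, entry


def validate_dol(blob: bytes) -> list:
    """Raise DolError unless every section and the entry point are sane."""
    sections, bss_addr, bss_size, entry = parse_dol(blob)
    if not sections:
        raise DolError("no sections")
    for s in sections:
        # Python ints do not wrap; a C loader must also guard offset + size overflow.
        if s.size == 0 or s.offset < DOL_HEADER_SIZE or s.offset + s.size > len(blob):
            raise DolError(f"{s.kind} section at 0x{s.offset:x} lies outside the file")
        if s.address < MEM1_START or s.address + s.size > MEM1_END:
            raise DolError(f"{s.kind} section load address 0x{s.address:x} outside MEM1")
        if s.address % 4:
            raise DolError(f"{s.kind} section load address 0x{s.address:x} unaligned")
    if bss_size and not (MEM1_START <= bss_addr and bss_addr + bss_size <= MEM1_END):
        raise DolError("BSS outside MEM1")
    if not any(s.kind == "text" and s.address <= entry < s.address + s.size
               for s in sections):
        raise DolError(f"entry point 0x{entry:x} is not inside a text section")
    spans = sorted((s.address, s.address + s.size) for s in sections)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            raise DolError("sections overlap in memory")
    return sections


def is_loadable(blob: bytes) -> bool:
    try:
        validate_dol(blob)
        return True
    except DolError:
        return False


def build_dol(text: bytes, text_addr: int, entry: int,
              data: bytes = b"", data_addr: int = 0) -> bytes:
    """Build a minimal DOL; used only to construct sample input for this example."""
    offsets, addresses, sizes = [0] * 18, [0] * 18, [0] * 18
    offsets[0], addresses[0], sizes[0] = DOL_HEADER_SIZE, text_addr, len(text)
    if data:
        offsets[7], addresses[7], sizes[7] = DOL_HEADER_SIZE + len(text), data_addr, len(data)
    header = struct.pack(HEADER_FMT, *offsets, *addresses, *sizes, 0, 0, entry)
    return header.ljust(DOL_HEADER_SIZE, b"\0") + text + data


if __name__ == "__main__":
    NOP = b"\x60\x00\x00\x00"                      # PowerPC nop (ori r0,r0,0)
    good = build_dol(NOP * 4, 0x80003100, 0x80003100)
    print("well-formed DOL accepted:", is_loadable(good))
    bad = build_dol(NOP * 4, 0x80003100, 0x80003100, data=b"\0" * 8, data_addr=0x80003104)
    print("overlapping sections accepted:", is_loadable(bad))
```

The checks that matter most are the ones a naive loader skips: a section whose offset plus size runs past the end of the file (a read past the buffer), a load address outside main memory (a write into MMIO or nowhere), and an entry point that does not land in a text section. In C the `offset + size` comparison must additionally be protected against 32-bit wraparound.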
To understand this better, let's look at a typical GameCube game disc. Physically it is nothing more than a mini DVD holding about 1.46 GB, as mentioned earlier, but its data format is obfuscated, so when you insert a GameCube disc into a PC the drive does not even report that a disc is present. So what is going on? Each GameCube disc carries a unique identifier burnt onto it during mastering with a special laser that consumer DVD burners do not have. This identifier is the BCA, or Burst Cutting Area. In addition, each disc has six marks burnt onto it at equal spacing, also as part of the mastering process. The BCA data is encrypted, but a simple homebrew program that dumps the drive's memory after a disc has been authenticated captures the decrypted BCA data. That decrypted data references the physical sector locations of each of the six marks, and this formed the basis of the GameCube's copy protection. Nintendo's reasoning was that it would be difficult, if not impossible, to replicate the six marks; and even with the precision hardware to do so, the BCA data pins down exactly where they must be, so you would have to place all six in the same positions as on an original disc.

Datel obviously could not burn a BCA or six laser-cut marks onto the Action Replay and Freeloader discs. So how did they pull it off? Quite simply, they took the BCA data that the GameCube expects and wrote it to the first few sectors of the disc, along with the same stream of bytes the drive expects to see after reading all six marks, to fool the drive into believing that the marks are in the right place.
The copy protection has no way of knowing whether physical marks are actually present; it only checks that the data it reads back at those positions is correct. Datel simply supplied BCA data containing the right bit stream to simulate the marks. So why wasn't Datel's method of defeating the copy protection adopted by the scene for running backups? Simply because for a long time few people understood how Datel had pulled it off, and by the time they did, more advanced methods of running GameCube backups and homebrew already existed.

While Datel had cracked the DVD copy protection, hackers found a new way of booting homebrew that did not require a broadband adapter, and the Action Replay disc, as we will see, became a very important tool for all things GameCube homebrew. Entering a 29-line Action Replay code patched the GameCube's memory so that it would read the first sector of an SD card. If that sector contained a DOL executable or a homebrew loader, the Action Replay with this code could launch homebrew without a broadband adapter or PSO. The method went by several names but was originally known as the Samson AR loader, or SDload, and it was refined into the method still used today. Datel later released the SD Media Launcher, which uses the same technique but packages it so you don't have to enter Action Replay codes yourself. All of these soft-modding techniques work well, but they all depend on the Action Replay: you have to own an Action Replay disc to run homebrew this way. The GameCube hacking scene was only getting started, though, and the next wave of exploits targeted the GameCube's BIOS, or IPL.
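The weakness in the check described above is structural: every input to the drive's decision (the encrypted BCA record and the bytes read at the six positions) comes from the disc, and both can be copied once the decrypted record has been dumped from drive memory. The following is an added example, not code from the video, Nintendo or Datel, and a deliberately simplified model: the record layout, the drive key, the toy stream cipher and the sector numbers are all invented for illustration. Only the shape of the check (expected values stored on the disc, compared against what the pickup reads) follows the text. It shows an original disc passing, a plain burnt copy failing because the marks are missing, and a Datel-style disc passing with no physical marks at all.

```python
"""Simplified model of the GameCube disc authentication described in the text.

Added example, not from the video, Nintendo or Datel. Record layout, drive key,
cipher and sector numbers are invented for illustration.
"""
import hashlib
import struct
from dataclasses import dataclass, field

SECTOR_SIZE = 2048
RESPONSE_LEN = 16
NUM_MARKS = 6
ENTRY_LEN = 4 + RESPONSE_LEN                 # sector number + expected bytes
RECORD_LEN = NUM_MARKS * ENTRY_LEN
DRIVE_KEY = b"hypothetical drive firmware key"  # assumption: secret held only by the drive
MARK_SECTORS = [1024, 5120, 9216, 13312, 17408, 21504]  # assumed positions of the six marks


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for the real BCA encryption."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mark_response(sector: int) -> bytes:
    """What the pickup returns when it reads a laser-cut mark at this sector.
    On real media this is a physical effect; here it is just a function of the sector."""
    return hashlib.sha256(b"mark" + sector.to_bytes(4, "big")).digest()[:RESPONSE_LEN]


@dataclass
class Disc:
    sectors: dict = field(default_factory=dict)       # burnable data, sector -> bytes
    physical_marks: set = field(default_factory=set)  # mastering-only marks, not burnable

    def read(self, sector: int) -> bytes:
        if sector in self.physical_marks:
            return mark_response(sector).ljust(SECTOR_SIZE, b"\0")
        return self.sectors.get(sector, b"\0" * SECTOR_SIZE)


def build_record(mark_sectors) -> bytes:
    """Encrypted authentication record as written to the disc during mastering."""
    plain = b"".join(struct.pack(">I", s) + mark_response(s) for s in mark_sectors)
    return xor(plain, keystream(DRIVE_KEY, RECORD_LEN))


def parse_record(plain: bytes):
    return [(struct.unpack(">I", plain[i * ENTRY_LEN:i * ENTRY_LEN + 4])[0],
             plain[i * ENTRY_LEN + 4:(i + 1) * ENTRY_LEN]) for i in range(NUM_MARKS)]


def drive_authenticate(disc: Disc) -> bool:
    """Model of the drive firmware check: decrypt the record from the start of the
    disc, read each listed sector and compare with the stored expected bytes.
    Every input to this decision comes from the disc itself."""
    plain = xor(disc.read(0)[:RECORD_LEN], keystream(DRIVE_KEY, RECORD_LEN))
    return all(disc.read(sector)[:RESPONSE_LEN] == expected
               for sector, expected in parse_record(plain))


def drive_memory_after_auth(disc: Disc) -> bytes:
    """What a homebrew dump of the drive's memory reveals: the decrypted record."""
    return xor(disc.read(0)[:RECORD_LEN], keystream(DRIVE_KEY, RECORD_LEN))


def original_disc() -> Disc:
    disc = Disc(physical_marks=set(MARK_SECTORS))
    disc.sectors[0] = build_record(MARK_SECTORS).ljust(SECTOR_SIZE, b"\0")
    return disc


def plain_copy(src: Disc) -> Disc:
    """A burner can copy the data, including the record, but not the marks."""
    return Disc(sectors=dict(src.sectors))


def datel_style_disc(src: Disc, leaked_record: bytes) -> Disc:
    """Replay: keep the original's encrypted record and write the expected response
    bytes as ordinary data at the sectors the leaked (decrypted) record names.
    No drive key is needed; the forger only uses what the memory dump exposed."""
    disc = plain_copy(src)
    for sector, expected in parse_record(leaked_record):
        disc.sectors[sector] = expected.ljust(SECTOR_SIZE, b"\0")
    return disc


if __name__ == "__main__":
    orig = original_disc()
    print("original:", drive_authenticate(orig))
    print("plain copy:", drive_authenticate(plain_copy(orig)))
    forged = datel_style_disc(orig, drive_memory_after_auth(orig))
    print("datel-style, no marks:", drive_authenticate(forged))
```

The encryption of the record adds nothing here because the forger never needs to produce a new record, only to replay an existing one; the check would need to depend on something a burner cannot reproduce, which in the model it does not.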
The GameCube's BIOS, known as the IPL or Initial Program Loader, is stored encrypted. Replacing it with a customised version via hardware modification could patch in many features: removal of the DVD copy protection, booting homebrew from memory cards and over the network, USB loaders and much more. But how was that accomplished? The IPL is attached to the GameCube's EXternal Interface bus, or EXI bus, and the EXI bus has a major flaw: whatever data is clocked in is clocked back out shifted right, and the shift register was never cleared once decrypted data had passed through it. With the right hardware it was therefore possible to recover the keystream and extract the decrypted IPL. The first open-source IPL replacement was released in 2004; it did not allow booting backups but did allow homebrew. It was not long before modchips appeared. The Viper GC, released in 2004, was the first IPL-replacement modchip and had many unique features, including unlocking the DVD drive so that regular-sized DVD discs could be used to boot backups and more. Other IPL-replacement modchips followed, including the Qoob and the Ripper3. These chips needed only seven wires to replace the existing IPL and were popular for many years.

After the IPL-based modchips, one of the more recent approaches was a simple device that talks to the DVD drive's debug port and puts the drive into debug mode. From there, commands can be sent to patch the drive to accept regular DVD media and bypass the protection. The popular Xeno GC uses this method. Known as a drive chip, the Xeno GC is completely open source and there are hundreds of clones on the market today; it is by far the easiest and cheapest way to hard-mod a GameCube.
Keep in mind, though, that unless you boot homebrew from the DVD drive, you still need an IPL-based modchip or an Action Replay-based SD loader to get into your homebrew. Finally, there is the WODE, or Wii Optical Drive Emulator, a complete optical drive replacement for the Wii and GameCube that plays backups from mass storage; it also comes with a replacement IPL to enable disc ripping and USB support. Like the original Xbox, the GameCube also suffers from save-game exploits: as of the making of this video there are 12 titles whose save files can be used to boot into homebrew, and such exploits are still being discovered and used today.

Nintendo certainly learned a lot from the GameCube and the security around it, and made a concerted effort to greatly increase the security of its follow-up, the Wii. But because the Wii provides GameCube backward compatibility in hardware, some of the GameCube's legacy issues were carried forward, and it was only a matter of time before the Wii's security was defeated too. That's another story for another day, and one we are definitely going to cover in a future episode of this series.

So that's the story of the Nintendo GameCube and how its security was ultimately defeated, using both soft-modding and hard-modding techniques to get into the system and run homebrew, backups and all sorts of other things. The GameCube is an awesome system and it definitely has a big place in my heart.
Well guys, we're going to leave it here for this video. If you liked this video, you know what to do: give me a thumbs up and let me know what you thought in the comments below. As always, don't forget to like and subscribe, and I'll catch you guys in the next video. Bye for now. [Outro music]
Consistent quality output from MVG! A shame he doesn't cover Switch anymore, that homebrew scene is really exciting and making fast progress.