10 Days Of Hacking, Day 6: The Wii


After Sega’s strong competition in the 16-bit era and Sony later overshadowing Nintendo with the PS1, Nintendo had been struggling to regain dominance in the gaming industry. All that ended with the huge popularity and momentum the Wii gained, but I’m not here to discuss console history (there’s another 8 Days feature for that); I’m here to discuss why some of the Wii’s design choices led to an early, full-blown hack of the system.

There are a lot of key factors we must understand to know why the Wii was hacked and, more importantly, why it was so easy to hack, and we’re gonna go through them one by one.

WII? MORE LIKE GAMECUBE 1.5

It’s no secret to anyone that the Wii is 100% backwards compatible with GameCube software, but do you know how Nintendo pulled it off? Well, it’s simple: the Wii sports an upgraded version of the GameCube’s PowerPC CPU, named Broadway, and an ATI GPU named Hollywood, similar to the one found in the GameCube. All it takes is for the Wii’s CPU to drop its clock speed and it can execute GameCube code just like a real GameCube; there’s no need for software emulation, because the hardware is the same.
To put it into perspective, comparing a Wii to a GameCube is like comparing a PC with an i5 CPU and a GeForce 9800 to another PC with an i3 CPU and a GeForce 9200: the former will be able to execute the same code as the latter, but it will do it faster and with better overall performance. As a matter of fact, all Intel CPUs are fully capable of executing code written for 16-bit CPUs like the 8086, provided there are no problems with the underlying OS, but in the case of the Wii there’s no OS, and we’ll talk about that later.

This isn’t exactly a bad idea: you ensure backwards compatibility and you save development costs, as you already have a base to work with. The problem comes when you BARELY make any changes to security and to how the overall machine works, and you BARELY sandbox legacy mode (in this case, GameCube mode) properly. We’re gonna talk about the problems this led to later.

Another thing to know is that, just like the GameCube, the Wii has no operating system: there’s no kernel running in the background when games run. Games essentially run on the raw device and have to do all memory and device management themselves.

Aside from having what is basically an overclocked GameCube CPU, the Wii has an ATI GPU, also similar to the one found in the GameCube, but with some differences. The most important difference is that the GPU is also an I/O bridge device, controlled by another, smaller ARM CPU found inside the GPU itself.
This ARM CPU is in charge of all the security on the Wii: it verifies everything that has to be executed (games, software, etc.) and is also in charge of the entire boot sequence. Although the Wii itself doesn’t have an actual operating system, not even a kernel, this ARM CPU does have a microkernel called IOS (not to be confused with Apple’s iOS). Just like the ARM CPU it runs on, this microkernel is fully in charge of security, and it runs at the same time as the main PPC CPU.

Now that we know more or less what the Wii is composed of, let’s take a look at some clever hacks that allowed this machine to be opened widely to the homebrew scene.

DUMP THAT RANDOM ACCESS MEMORY!

One of the first things we want to do when it comes to hacking a console is to dump the RAM.
This is normally done through hardware at first, and the Wii is no different.

When you turn on your Wii, the first thing you do is enter the Wii Menu. You pop in a GameCube disc, the Wii recognizes it as such and reboots the Broadway into GameCube mode. All fun for now, but this is where it gets interesting.
The GameCube originally had only 16MB of RAM named MEM1 for sound and 24MB of RAM named MEM2 for games. With the Wii we still have the 16MB of MEM1, but MEM2 now has 64MB; of course, when in GameCube mode you only have 24MB available, with the other 48MB unused. The funny thing is, when the Wii reboots the Broadway into GameCube mode it doesn’t really clear MEM2, so all the data from the Wii Menu is still there. The problem is that we only have access to 24MB, so how do we dump the rest of RAM? Well, this is where Team Tweezers (now known as fail0verflow) came in, and just like their name implies, they used tweezers to bridge the data bus of the Wii’s RAM while in GameCube mode to change which part of RAM they were accessing. So you could still only access 24MB, but you could move around which range of the Wii’s MEM2 those 24MB were mapped to, and as I said before, Nintendo foolishly didn’t clear out RAM, so you could essentially dump the entire Wii RAM from inside GameCube mode.

But that’s not all, folks: it so happens that those previously inaccessible 48MB of RAM are where all the keys were stored!
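To make the “nothing is cleared on the way into legacy mode” point concrete, here is an added C example (my own illustration, not code from the article or from fail0verflow). It scales MEM2 down to 64 bytes, parks a constructed key beyond the 24-byte window that legacy mode may see, and compares a handoff that leaves memory alone with one that scrubs it first. The layout, sizes, offsets and the key bytes are assumptions chosen for the illustration.

```c
/* Added example: a scaled-down model of RAM surviving the reboot into legacy
 * mode. Sizes, offsets and the key are constructed for illustration only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MEM2_SIZE      64u   /* stands in for the Wii's 64MB MEM2 (assumed scale) */
#define LEGACY_WINDOW  24u   /* the "24MB" that GameCube mode is allowed to see */
#define KEY_OFFSET     40u   /* keys parked beyond the legacy window (assumption) */
#define KEY_LEN        16u

static uint8_t mem2[MEM2_SIZE];

/* A plain memset() on memory that is never read again may be removed by the
 * optimizer as a dead store; writing through a volatile pointer keeps the wipe. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Simulate the Wii Menu running: it leaves key material in the upper part of MEM2. */
static void run_wii_menu(void) {
    static const uint8_t constructed_key[KEY_LEN] = {   /* constructed sample key */
        0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04,
        0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c };
    memcpy(mem2 + KEY_OFFSET, constructed_key, KEY_LEN);
}

/* Reboot into legacy mode. scrub == 0 models what the article describes (nothing is
 * cleared); scrub == 1 models the mitigation: wipe everything outside the window the
 * legacy mode is supposed to see before handing the machine over. */
static void reboot_to_gamecube_mode(int scrub) {
    if (scrub)
        secure_zero(mem2 + LEGACY_WINDOW, MEM2_SIZE - LEGACY_WINDOW);
}

/* Count how many non-zero key bytes are still sitting outside the legacy window. */
static size_t leaked_key_bytes(void) {
    size_t leaked = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        if (mem2[KEY_OFFSET + i] != 0) leaked++;
    return leaked;
}

/* Run the whole scenario once and return the number of key bytes that survive. */
size_t simulate(int scrub) {
    memset(mem2, 0, sizeof mem2);
    run_wii_menu();
    reboot_to_gamecube_mode(scrub);
    return leaked_key_bytes();
}

int main(void) {
    printf("no scrub: %zu key bytes still in MEM2 after the mode switch\n", simulate(0));
    printf("scrub:    %zu key bytes still in MEM2 after the mode switch\n", simulate(1));
    return 0;
}
```

Without the scrub all 16 key bytes are still there for anything that can widen its view of MEM2; with it, nothing is left. The scrub goes through a volatile pointer on purpose: a plain memset() before a handoff looks correct in the source but can be silently dropped by the compiler, which is the classic way a “we cleared the keys” intention fails in practice.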

LETS COMPARE TWO BLOCKS OF DATA AS IF THEY WERE A STRING!

I have said this a lot of times already: at the lowest level, a machine can’t tell the difference between an int, an unsigned int, a float, a char, an unsigned char, or any other type of data. For the machine they are just a bunch of 0s and 1s that either have a meaning as an instruction or have no meaning of their own: data. What the machine really cares about is the length of the data (8 bits, 16 bits, 32 bits or 64 bits), and it is up to humans to interpret what that data is beyond a bunch of 1s and 0s and tell the machine what to do with it. The C compiler has defined specific data types for this sole purpose: to tell the machine the size of the data and how to use it properly. For example, the hex number 0x61 can be interpreted as the integer 97 or as the character ‘a’, and the number 0xFFFFFFFF can be interpreted as the signed number -1, as the color white, or as a pointer (although rarely). Knowing what the next piece of data coming our way means is hugely important, so important that C forces you to declare what each piece of data means, but that still doesn’t stop programmers from misusing it.

The Wii uses hardware to verify the SHA-1 signatures, which is much more efficient than software, but uses software to verify the RSA signatures. When validating content, be it games or other software, the Wii decrypts the RSA signature to produce what should be the software’s hash, then calculates the real hash of the software and compares the hash recovered from the RSA signature with the one computed over the software. This is how they compare both hashes:

strncmp(RSAhash, CalculatedHash, n)

For those who don’t know what this is, it’s a standard C function that takes two arrays of chars and compares them until either it finds a null byte (0x00), the standard string-terminating char, in either of them, or it reaches the number specified in the call. That number tells the function that neither of the two strings should be longer than n, which is mostly done to prevent reading data that shouldn’t be read, or going outside the range of accessible RAM.
Now pay close attention to what I said: one of the reasons for this function to exit is that it finds a null byte (0x00). If we take into account that the software hash is calculated, in other words it’s generated by being treated as integers, there can be 00s in there, which don’t matter when treated as integers but mean everything when treated as a string. So if both the RSA hash and the calculated hash have a 0x00, it doesn’t matter whatever comes after it, as it is not checked. Imagine we have these two hashes:

1a 0b 88 9e 00 5c
1a 0b 88 9e 00 6c

Of course they are not the same, but since strncmp stops comparing when it reaches the null byte, it will report that they are the same, as strncmp only “sees” the part before the 0x00, which actually matches.
Of course we don’t want to take any risk, so what we want to do is create an RSA key that will generate a hash that simply starts with a null byte, and create software that, when hashed, will generate another hash that starts with 0x00. This can easily be done by brute-forcing: just change some bytes of the software (without breaking it) until the generated hash starts with 0x00. This way you can fake-sign your own homebrews, system menu, IOSes and even some parts of the Wii’s boot sequence.
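The comparison above, reconstructed as an added C example (not code from the article or from Nintendo’s IOS): the strncmp-based check beside a fixed-length, constant-time replacement, run over the article’s two sample hashes and over a constructed pair of 20-byte SHA-1-sized digests that both begin with 0x00. No RSA is performed; the buffers named expected and actual simply stand in for the digest recovered from the signature and the one computed over the content, and bytes_actually_compared() reports how far strncmp really looked.

```c
/* Added example: why comparing binary digests with strncmp() is wrong, and what
 * a correct comparison looks like. The 20-byte digests are constructed samples. */
#include <string.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SHA1_LEN 20

/* The check the article describes: treats raw digest bytes as a C string, so a
 * 0x00 byte ends the comparison early and everything after it is ignored. */
int digests_match_strncmp(const uint8_t *expected, const uint8_t *actual, size_t n) {
    return strncmp((const char *)expected, (const char *)actual, n) == 0;
}

/* How many bytes strncmp actually examines: it stops at the first mismatch or at
 * the first 0x00 in either buffer, whichever comes first, or after n bytes. */
size_t bytes_actually_compared(const uint8_t *expected, const uint8_t *actual, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (expected[i] == 0 || actual[i] == 0 || expected[i] != actual[i])
            return i + 1;
    return n;
}

/* Fixed comparison: length-based, so 0x00 is ordinary data, and constant-time,
 * so the time taken does not reveal how many leading bytes matched. */
int digests_match_ct(const uint8_t *expected, const uint8_t *actual, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= expected[i] ^ actual[i];
    return diff == 0;
}

/* The article's two sample hashes: identical up to the 0x00, different after it. */
const uint8_t article_a[6] = { 0x1a, 0x0b, 0x88, 0x9e, 0x00, 0x5c };
const uint8_t article_b[6] = { 0x1a, 0x0b, 0x88, 0x9e, 0x00, 0x6c };

/* Constructed SHA-1-sized digests: both start with 0x00 and agree on nothing else. */
const uint8_t zero_lead_a[SHA1_LEN] = {
    0x00, 0x3f, 0xa1, 0xc2, 0xd4, 0xe5, 0xf6, 0x07, 0x18, 0x29,
    0x3a, 0x4b, 0x5c, 0x6d, 0x7e, 0x8f, 0x90, 0xa1, 0xb2, 0xc3 };
const uint8_t zero_lead_b[SHA1_LEN] = {
    0x00, 0xc0, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, 0x87,
    0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0, 0x0f, 0x1e, 0x2d };

static void report(const char *label, const uint8_t *e, const uint8_t *a, size_t n) {
    printf("%-22s strncmp says %s, constant-time says %s, strncmp looked at %zu of %zu bytes\n",
           label,
           digests_match_strncmp(e, a, n) ? "MATCH" : "differ",
           digests_match_ct(e, a, n) ? "MATCH" : "differ",
           bytes_actually_compared(e, a, n), n);
}

int main(void) {
    report("article sample:", article_a, article_b, 6);
    report("0x00-prefixed pair:", zero_lead_a, zero_lead_b, SHA1_LEN);
    report("same digest twice:", zero_lead_a, zero_lead_a, SHA1_LEN);
    return 0;
}
```

On the article’s sample strncmp inspects five bytes and reports a match; on the 20-byte pair it inspects a single byte before giving up, so 19 of the 20 digest bytes never take part in the verification. A 0x00 in only one of the two buffers still counts as a mismatch for strncmp, which is why the article’s method needs both the signature-derived hash and the content hash to begin with a null byte. The fixed version compares every byte and never exits early.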

This is what I like to call, epic fail.

EASIER THAN THE PSP!

I mentioned this earlier: other than the IOS microkernel running on the ARM chip, the Wii has no actual operating system; games run on bare metal on the Broadway, just like they did on the PS2 and consoles before it. Not even the PSP was like this, and we have to remember that the PSP was released in 2004 while the Wii was released in 2006. Why Nintendo decided not to do this I have no idea, but I guess they wanted to cut as many costs as possible to maximize profit.
If you remember what I said about the PS2, we really didn’t need to hack any kernel or do anything other than being able to run our own code; once we can run our code, we have full control of the system. This is not true of the PSP, where we have usermode and kernelmode exploits: even if you hack a game and are able to run your own code, this code will run with some privilege level as opposed to doing whatever you want, and if you want full access you have to hack the kernel.
That’s not the case on the Wii: once you hack a game and gain the ability to execute code, you pretty much have the whole system hacked. This was shown by fail0verflow with their Twilight Hack, where they hacked The Legend of Zelda: Twilight Princess with simple buffer overflows like the ones we use on the PSP. It is also worth noting that the first PSP exploit I found, Pool Hall Pro, also existed on the Wii, but while the PSP version only allowed you to use VHBL, the Wii version granted you full access, because there were no more barriers to defeat.

But that’s not all of it. When installing software, the Wii only checks the package it’s going to install: if it’s authentic, it installs it, and once installed it no longer checks it at all, so any piece of software installed on the Wii’s NAND can be run easily, as it is never checked again. The problem is getting it in there, but as I said, since games run on bare metal, once you hack a game or other software and are able to execute your own code, all you have to do is copy your software to the NAND and the Wii will have no problem loading it. That is how the Homebrew Channel came into existence, once again thanks to fail0verflow.

So we are now fully capable of running our own code and homebrews, and are even able to make it permanent by installing onto NAND. What’s next? What is there that we haven’t done yet? Oh, that’s right! Burning our own DVDs!
Which brings me to my next point.

GOD? WOD? WHAT ABOUT DVD?

The last nail in the coffin, and the one that was actually bad for the Wii, as it is mainly used for piracy.
GameCube Optical Discs and their successors, Wii Optical Discs, are a special type of proprietary disc made by Nintendo to prevent easy access to the contents of the disc outside of the game systems, so when you pop the disc in a PC, the PC will not recognize it. In actuality, these discs are modified DVDs, and the lasers used to read them are modified DVD lasers, fully capable of reading DVDs with very little need to modify the hardware.
But even so, the board on the WOD drive has DVD playback disabled, so it will refuse to even read anything that is not a Wii game.

Nintendo originally planned for DVD-Video playback but scratched it at the last minute; instead of removing the code and all DVD commands from the drive, they simply disabled them.
IOS by default will not let you enable the DVD commands unless told to by software, and as we already know, we can run our own software. Eventually it was possible to play DVD-Video and other DVD formats with MPlayer, but being able to play DVD-Video also implies being able to play burned DVD-Video, which in turn implies being able to play pirated games, which is the really sad side effect of all this hacking.

CONCLUSION

Although I try to hide it, it is no secret that I dislike the Wii, a lot; I consider it a terrible successor to my beloved GameCube, but I did love all the clever hacking behind it and had a great laugh at all the stupid mistakes made by Nintendo. I bought a Wii not long ago for the sole purpose of playing Super Smash Bros, and when I was done I didn’t want the system to gather dust, so I decided to see what I could do with it and came across the work of some of my favorite hackers: the fail0verflow team, hermes, waninkoko and others. There’s a lot the Wii has to offer in terms of homebrews and hacking, and we can all learn from it; that’s why it deserves a spot in my 10 Days of Hacking.

  1. jayturns

    nice article, but wtf? I read the article, went to another and this was gone, then back 20 secs later. Did you update it?

  2. Arash Andalib

    Ahh the memories … I used to be in love with my Wii just because of the Homebrew Channel. I would run emulators like Game Boy Color and Advance and play Kingdom Hearts and Pokémon :D It was the only thing keeping me busy while my leg was broken :P I wish hackers from every scene would come together and create a hacking dream team, like the Evad3rs that hack iOS, and just work towards hacking next gen, but not for piracy, as piracy so early in a console’s lifetime is like a nail in its coffin … But I would love to get my hands on some next gen homebrew :D but alas, people are giving up on the whole hacking-for-homebrew idea because, just like the guy who created dynamite and wanted it to be used for construction yet it was used for war and destruction, there are some bad people in this world who’d use it differently, to damage the companies and developers just for 10 minutes of fame … :(

  3. Netrix

    “strncmp(RSAhash, CalculatedHash, n)”

    Just wow…

    So that’s the workaround for the RSA signature, but what about the SHA-1 signature? Does it work if only one of the two is present?

    1. Acid_Snake

      The RSA signature is used to verify content that is going to be executed, so you only need to get around that one to use your own homebrews.

      1. Netrix

        Ah, thanks for the reply and for these articles. They are very interesting. Ever since being involved in the Microsoft Zune “hacking scene”, I’ve been wondering how the console hacks work.

        For the Zune, Microsoft made two stupid mistakes that allowed us to run native homebrews on them. For the original Zunes, all we had to do was replace the .NET Compact Framework that the Zunes came with with the regular .NET Compact Framework for Windows CE. Then when we ran our XNA app, we would have all of the features of the .NET CF, such as P/Invoke, so we could just call any native method in the firmware right from the XNA app, such as CreateProcess to start our own homebrew.

        Of course, they fixed this vulnerability in the Zune HD (by signing the .NET assemblies), so something more clever had to be done. The way the Zune HD was hacked was by using Reflection to invoke a function within the XNA assemblies called something like “zune_memcpy”, which was a .NET wrapper to the native “memcpy”, so we had the ability to overwrite memory wherever we wanted. So all that had to be done was overwrite the address to jump to at the end of the current function to be the address of a payload which launches an executable of our choosing.

        1. Acid_Snake

          The Zune HD one works pretty much the same as PSP kernel exploits.

  4. jlo138

    I have a hacked Wii too. Although it can read burned Wii, GC, and DVDs I prefer USB loading for that. Also it’s little known that if your Wii can’t be hacked to read DVDs, that if you do hack it, it can if you use a USB DVD Drive such as an LG specific model using Uloader. I believe that’s the only app which allows external DVD drives for games. It doesn’t work with GC games as the loader isn’t updated for that. On the other hand, you can use a basic external DVD USB drive ( any brand) and WiiMC to read burned or legit DVD movies on newer Wiis that won’t read those discs even when hacked. It’s a workaround but does work. I’ve made a video showing it.

    1. Blueprint88

      Hey thanks for the good info. My Wii is an older model so has working DVD drive but I didn’t know you could use a USB one. Doesn’t surprise me though.

  5. David

    I’m afraid I didn’t get it. When you’ve found a game exploit, how do you run your own code and copy your files to the system? Can you simply say “copy the files from the SD card”?

    1. Acid_Snake

      Pretty much. The Wii doesn’t really have a kernel to protect important system stuff, so once you are able to execute your own code by means of simple buffer overflows, you are able to tinker with the system.

  6. romain337

    You can’t dislike the Wii once you start to code on it (did you know anything about the GX chip? It’s a pixel cruncher!), or once you can use homebrew, because their quality is top.

    Of course, if you use only regular games, the choice is not as big as on the other consoles, but it still has some great games.

  7. romain337

    I’m not talking to somebody in particular :) I need to say it. Re-reading my post was confusing.

  8. faiz

    On school laptop :P

  9. Zix

    Next to the PSP, Wii was the greatest console for running homebrews and emulators.

    But I also loved many of its official titles; however, almost all of those were Ninty-only titles, but Xenoblade Chronicles and The Last Story were among some brilliant 3rd party ones.

    What I loved about this console was that it showed that you don’t need next gen gfx to be successful!

  10. Blueprint88

    I love the hacked Wii, but if it wasn’t for hacking it wouldn’t have been nearly as good a platform. I have said this about the Wii and also the PSP. An unhacked PSP with games from UMD is a total POS; a hacked PSP at 333MHz with games from MS is a dream.

    Wii was much the same way. It has a lot of good games but most people never played them because of all the shovelware. A hacked Wii can give you a USB loader with the entire library on a portable HDD, and you can have just about the entire WiiWare/VC library on a 32GB SD. I used a tool and dumped all my GC discs to SD and then made multi-ISO on full sized DVD. All the hacks/homebrew on the Wii are just so well cooked and elegantly implemented now. The Wii had so much shovelware but still had more than 100 good or better games across all genres. Add that to the WiiWare and VC and you really have one of the most versatile little boxes ever made. You can run Wii, GC, N64, SNES, NES and then all those other VC… to date no one has assembled as complete a legal emulated library as Nintendo did with the Wii.

    To date the PSP and Wii homebrew scenes are the best ever as far as development accomplishment and information sharing. Systems were generally too basic to run any serious homebrew on before the PSP/Wii. I wonder what the future holds, as the Vita is generally a market failure, but as an ‘open’ system the Vita would be as incredible as the ‘open’ PSP was back in the day!

  11. BlackFire27

    I personally love the Wii. Picked up a nice black BC one from a pawn shop for 30 bucks, loaded up a hard drive full of all my old GameCube games, and they look better on it too. However, I still have to carry around Starfox Adventures because of the audio streaming bug ;~;

  12. SonicTH

    Great entry, but I was expecting to read more info about why the black/blue/red Wiis were more secure compared to the white ones, and about how it can now emulate the NAND and run GameCube ISOs directly. I’m not so technical (and my English sucks) but I just wanted to read an explanation for dummies about it here :D

  13. Frezzno

    This is great! 6 of 10 days, 4 days of joy left, but it makes me wonder. What’s that “another 8 Days feature” Acid_Snake mentioned? So after 4 days there are another 8 days of reading pleasure? Keep them coming Acid_Snake.

    1. Acid_Snake

      The other 8 days is the next feature, 8 Days of Gaming, where I cover the history of each console generation.

      1. Frezzno

        You’re on fire!

  14. SmurfyD

    I wonder though. Did they ever get GameCube ISO support working without the need for additional hardware or the need to burn to a disc?

    1. jlo138

      DIOS MIOS and DIOS MIOS Lite. Allows USB loading and Lite for SD loading.

  15. Kazuya101

    This may sound naive
    but wasn’t hermes the guy who used Android phones to get the first exploit/hack on the PS3?

    1. VinsCool

      Yes, he is the same guy.

  16. Thrawn

    AND in the end, you became good friends with the wii, and they lived happily ever after :)

    I also like my GameCube; in fact, the GameCube is my favorite gaming device. It has a moderate library, an awesome controller (my opinion), is really really small and packs a lot of power for its size compared to the bloatstation 2 and fatbox, only rivaled by the PS2 slim. It also is a very silent device: it only has ONE, yeah you read right, ONE 52 x 52 x 10 mm fan, which I never heard running at its full glory speed.
    The GameCube also makes this very humble zirrping noise when you power it on, just as if it wants to tell you: “Hi, how’s it been? I’m ready to play!”.
    BUT…
    I have also embraced the Wii, as it is a fully compatible step up from my beloved GameCube, featuring its own library as well as ALL the good stuff from its predecessor, including the Game Boy Advance GameCube link games (Metroid Prime to Metroid Fusion and Zelda Four Swords).
    At the end of the day, the Wii leaves a very good and solid impression on me, and it will always have a place beside my PC monitor, as my GameCube and PS2 slim have, while my fatbox rots in my cellar until the day I die XD.

  17. Charles Fasano

    I love my Wii. I use it to play so many of my old GameCube games since I can’t find my GameCube. If only the Wii U played GameCube games natively.

    Every time I see the movie Ghostbusters I have this uncontrollable urge to play Luigi’s Mansion. Don’t know why.

    I like that the Wii can not only play GameCube games but it is smaller than the GameCube too. Makes it easier to take with me.

    One time I bought a used Wii to mod for someone, and not only did the idiots at GameStop leave Super Smash Bros. Brawl in the disc drive, they didn’t erase the NAND and left the Homebrew Channel installed. Made my job easier.

    What I find funny is how and how many times Nintendo tried to patch that darn Twilight hack. All they did was check the Twilight Princess game save at system boot up and erase it if it was modded.

  18. Techni

    I too hate the Wii/loved the GameCube. You left out another horrible screwup from Nintendo:

    http://www.vooks.net/forums/index.php?/topic/3924-ahoy-pirates-talk-wii/

    Nintendo changed the DVD drive password for the Wii: they made it lower case instead.

  19. Quade321

    Ah, Nintendo. Great company, but they need to step up the security.
