Interview with a Wii hacker
Posted on Wednesday, January 30, 2008 at 02:48:00 AM
Disassembling in the dark
Over the next four pages you’ll find all the details you could ask for about the world’s first proper Wii hack: no mod chips required. It's powerful stuff.
We've also got some analysis and screenshots of the hack over here for you.
Enjoy!
Atomic: First off, what's your programming background?
Bushing: I've been programming since age 8 (on an Apple IIc); I spent a lot of time growing up hacking on Linux. I did Electrical Engineering and Comp. Sci. in college, and now I do software development professionally.
Atomic: What was the appeal in hacking the Wii?
Bushing: Mostly that it hadn't been done. I don't play many video games, but I saw one at my boss's house at a party this summer, and it was fun, so I bought one. And I like to hack everything I own, and it was a big flashing target because I knew that nobody had yet been able to do it.
Atomic: Is this your first gaming console hack?
Bushing: Yup. I'd done "mods" before -- installing chips, and stuff -- but this is the first original thing I've worked on.
Atomic: How did you get started on this particular hack?
Bushing: I mentioned to a co-worker that I was interested in Wii-hacking, and he introduced me to tmbinc and Costis, both of whom are already somewhat known for these things. We began talking online, trading code and ideas.
Atomic: You mentioned some others, who is everyone in your team?
Bushing: Me, Segher, Tmbinc, and also Costis and Adhs have helped out.
Check out the "Hello Bushing" line. Beautiful stuff.
Atomic: Now you’ve got your hands on a (presumably) small chunk of arbitrary code. What's its function? What can we do with it and gain from probing it?
Bushing: Well, it's not actually that small -- Nintendo includes the newest version of the system software on almost every Wii game. If you're running on an older version of the software, it will let you upgrade using the disc. So, we were able to get a (mostly) full copy of the software used to do, well, everything on the Wii.
But it was strange, because it didn't work at all when we tried to disassemble it as PowerPC code -- and then we discovered it was actually ARM code. We couldn't see this chip anywhere on the Wii board, so eventually figured out it's buried inside the graphics chip.
The graphics chip's name is "Hollywood", so one of us (segher) named it the "Starlet".
It performs all of the security for the Wii, and also controls almost all of the peripherals. It's "The Enemy".
Atomic: So how did you get at the code, and how is it being disassembled?
Bushing: I'm disassembling it using IDA Pro under VMware Fusion. tmbinc was able to use a "tweezer hack" to extract the encryption keys from the memory of his Wii, and then we were able to write software to decrypt games and firmware.
Secret silicon
Atomic: Can you tell us more about the tweezer attack? What does it bridge exactly?
Bushing: With respect to the specific chips and the tweezer attack -- it might help to refer to this photo (the top one) -- you can see there U1, the Hollywood (note how it's the biggest chip -- it contains the Starlet core), U2 is the Broadway (main CPU), and U3 is the RAM chip.
It's possible to run Gamecube games on the Wii, and people have long been able to run homebrew code in Gamecube mode -- unfortunately, this turns off most of the "interesting" hardware on the Wii, specifically anything that wasn't present on a Gamecube. However, this *does* allow you to see 25% of that RAM chip (U3). By shorting various address lines underneath U3 (on the opposite side of the board), we're able to fool the Hollywood into shifting that 16MB window of Gamecube memory around the 64MB space of that RAM chip.
It's notable that the Hollywood is the one that interfaces with the RAM chip, not the Broadway, because it's actually the Starlet doing this; the Starlet limits the amount of memory you can use in Gamecube mode.
The Starlet also happens to use some of that memory for its own purposes -- including storing the encryption keys. So, we tricked the Starlet into giving us part of its secret memory in Gamecube mode.
Atomic: Once you were able to access the higher memory, how did you actually get it out of the Wii?
Bushing: It involved sending it to tmbinc's computer via a serial port soldered onto the Gamecube controller connector, while he shorted the address lines.
Atomic: That's one of the more amusing hacks I've heard of.
Bushing: Yeah. It speaks well of their security that we had to go to such heroics. There have been other hacks since then, but that was the first crack in the wall that let us start prying it open.
Atomic: In a similar vein, could you tell us briefly about the disassembly process?
Bushing: Well, it's pretty tedious. Someone hands you a big blob of binary data -- first, you have to figure out what it is. Is it encrypted, or compressed? Is it a program, a picture, a savegame, a database?
From there -- okay, this is a program -- but what format? What processor?
Some of these you can answer ahead of time because you know what to expect. We knew that the Wii used a PowerPC chip, and its file formats are very much like that of the Gamecube, so that made things somewhat easier.
From there, you take a program and you load it up into your favourite disassembly program, and then you work on it for a few days, and then you can get a general idea of what the code does.
Atomic: I know your public key research is still secret, but what other interesting things did you find?
Bushing: Probably the most exciting thing was that we discovered a secret second microprocessor buried inside the graphics chip.
Look Ma, no SD card!
Atomic: Earlier you mentioned code. I take it you're dealing with assembly code, is this right?
Bushing: Yeah, sorry. We use disassemblers, which take raw binary data and produce assembly-language code, which is not very readable, but more readable than just looking at hex dumps.
Atomic: You mentioned earlier that you're in the process of pulling something apart now. Is that work on the system software, or something else that you've found?
Bushing: Sort of. It's hard to really stay focused while working on these things.
None of this stuff is documented, so often the only way we can determine what something does is by inference. I can take a bit of the PowerPC (aka "Broadway") code, and it will be sending a message to the Starlet.
Only by taking that code, the Starlet code, and a game disc together can I figure out that when the Broadway sends the message "0x1384956" to the Starlet, it's asking it to read the name of the game off the disc.
Even at a more basic level, we see little bits of code repeated throughout the whole system, often in unexpected places. If I can figure out that some particular bit of code resets the system in Wii Sports, it can help me "get my bearings in Zelda" (which is what I'm working on now).
As I said, this can get awfully tedious, and quite frequently I find myself running into a wall. It helps to be able to put one piece down and pick up somewhere else.
Atomic: What sort of headway have you made so far? I hear you've found an interesting vulnerability in the Zelda savegame code. Can you go into detail on that, or are you keeping that to yourself for now?
Bushing: Yes. We did our first public demo at 24C3, right after Christmas. There, we showed a really crude demo that we made by taking a game disc and modifying it -- just enough to prove that we'd modified it. (The proof here is a big deal because so many people make this shit up -- there have been at least 4 fake demos of people claiming to do similar things in the past month.)
Still, that required some pretty ugly hacks to pull off, but it was still the first time anyone had even gotten that far. Recently, we've been leveraging that experience to try to find cleaner hacks that we can release.
We're working on a special savegame for Zelda: Twilight Princess that will exploit a bug in the way it handles character names, and eventually let you boot code from an SD card. Hopefully.
Atomic: Is this the savegame exploit, using an original Zelda disc, your hacked save file which triggers the crash, allowing 4 lines of code to be executed?
Bushing: Close -- your description of the savegame hack is correct; we started out with 4 lines of code and are trying to grow that. I think we're currently at twice that.
Atomic: I'm guessing your experiment at 24C3 where you modified the original disk doesn't actually relate to this exploit, it was merely a learning tool.
Bushing: The demo at 24C3 used an unrelated attack, and it's one we're not disclosing details on to try to keep Nintendo from fixing it. Instead, we're trying to leverage it to make developing other hacks like this (the Zelda one) faster / easier.
Atomic: At this stage, custom code execution is only possible on your modified Wii. What mods do you actually have installed, and will the SD hack require a modded Wii?
Bushing: I just have your plain old "backup"-running modchip right now -- actually, an OpenWii -- and I've been using an SD card in a home-made SD card adapter.
No, the SD hack will *not* require a modded Wii. That's the big deal.
Atomic: So the demo at 24C3 didn't require all of the serial port hackery?
Bushing: No, it did -- the part you missed is just that we have multiple people doing multiple things. tmbinc is the one that pulled the hardware hack stunt on his Wii, but it was the kind of thing that really only has to happen once.
Atomic: How did you get from disassembling your data dumps to running your own code, and is this related to the discovery of the public key?
Bushing: Getting the key allowed us to decrypt discs and read them, and then figure out how to modify them such that the system would still boot off them.
Atomic: So at this stage you haven't been able to execute anything non-trivial from the SD slot, but you have been able to execute useful things from hacked proprietary Nintendo software?
Bushing: Well, I don't know if I'd even say we've ever been able to execute anything useful or non-trivial :) But yes, we started with hacked versions of games that we (of course) legally bought, because that's far easier than starting from scratch. The system has many safeguards in place to keep people from modifying code.
It's dangerous to go alone! Take this!
Atomic: What's stopping people from writing software that can be executed from the DVD drive, and for that matter, what's your major stumbling block with the SD card exploit?
Bushing: The biggest stumbling point for the Zelda hack is that we were trying to make the game crash in a very specific and predictable way. We got the crash working, but it was hard to get the specific part working without having normal software development tools like a debugger.
Atomic: Would you say it’s just a matter of time and persistence before the SD card hack works, or are you expecting another brick wall?
Bushing: There are always potential brick walls -- either ones we haven't seen, or ones that Nintendo will try to place in reaction to our efforts. However, at this point I do think it's a matter of time and persistence. We can provably run a small bit of code on an unmodified system, and we know that we can run more, so it's just a question of writing it and debugging it. Neither of those is easy, but we think we know how to do them.
Atomic: Does this mean (legalities aside and assuming everything goes to plan), we will start to see modchip-less game duplication as well?
Bushing: Hard to say. People are clever, but right now any code you run will run "as" Zelda, so you couldn't write savefiles for another game, and I'm not sure any retail game would actually run unmodified. It's not something that's particularly interesting to me.
Atomic: So at this stage, homebrew is confined to running within the game environment, rather than custom Wii Channels and booting straight from the SD?
Bushing: Right.
Atomic: Is there anything stopping the current hack from working on an unmodded Wii?
Bushing: No, it should work on unmodded Wiis when it's released.
Atomic: So it's still a 'should work', not a 'will work'?
Bushing: I don't have an unmodded Wii to test it on, but I know of no possible reason it wouldn't work.
Atomic: I wondered if that were the case. Am I right in thinking that the Wii as a gaming platform doesn't really interest you, rather you like it as a development platform? And once you get homebrew running, what would be your first project?
Bushing: Actually, that'll probably be my big contribution. It's been a lot of work, and there's still a lot left to be done, and I'll leave it to more-qualified people. Porting Linux will probably be one of the first things done; it's almost a tradition. I do like gaming, too, but I almost like reverse-engineering more.
Atomic: With that in mind, are you concerned about any legal response from Nintendo?
Bushing: No. I haven't broken any laws, and I think that they have a much more costly problem with modchips.
Atomic: Similarly, do you predict difficulty in keeping on top of Nintendo's software response?
Bushing: That will certainly be a challenge. It remains to be seen how much they really care, as long as it doesn't lead to more piracy. If it does, things will get more complicated.
Atomic: Are you concerned about what the modding community can potentially do with this?
Bushing: Well, I think that people need to exercise good judgement, but I also know that piracy is inevitable, so all I can do is try not to actively contribute to it. It's an indication we're on the right path.
Atomic: Wow, I just read: Hello World! (This interview was conducted as geek history was being made. –Ed.) Is this the breakthrough we've been waiting for, or is this another brick in the wall?
Bushing: :) We're still working pretty hard on this.
Atomic: We've got hello world running, are we a small step or a major leap from running our own code?
Bushing: Hmm... we’re closer to a small step from running trivial programs. It'll take hard work by many people to use that to do something interesting.
Atomic: Is there anything else you would like to tell the world?
Bushing: Right now this information is only useful to a very small number of people, but it will turn into something more interesting to the rest of the world in good time.
And they'll hear about it, don't worry. :)
Until then ... it'll be done when it's done.
Atomic: We know there are people out there who are already thanking you. Thanks for the interview!
Bushing: No problem.