How Nintendo Wii security was bypassed with tweezers

Key findings

  • Due to its similarities to the GameCube, the Nintendo Wii was quickly modified, allowing for early piracy and homebrew.
  • Team Twiizers, later fail0verflow, used clever methods such as manipulating Zelda save files to hack the Wii.
  • While console modding continues to be a challenge due to increased security, the fascinating world of computer security is constantly evolving.



If you've ever had a Nintendo Wii, you might have heard how prolific the console modding scene was for it. While piracy was rampant on the Nintendo DS, the Wii itself wasn't far behind shortly after its release. The Wii was built very similarly to the GameCube, using a more powerful but similar processor and even a very similar DVD drive. This meant that modchips for the GameCube were quickly ported to the Wii, enabling piracy, and GameCube homebrew could also be run very early on in the Wii's lifecycle. What you might not know, however, is that to take it a step further, it was tweezers that managed to really break the Wii open.


If you've heard of fail0verflow, this team was once known as Team Twiizers. This story is the reason why they were originally called Team Twiizers.


Nintendo was smart when it came to running GameCube games on the Wii

…somehow

[Image: Running Animal Crossing GameCube on Batocera and displaying it on a TV]

First off, it's important to understand how the Nintendo Wii worked when playing GameCube games. When you booted up a GameCube game on the Wii, the console essentially rebooted into a GameCube sandbox mode that had no access to the rest of the Wii system. In this mode, the Wii was more or less identical to a real GameCube, meaning that games remained fully compatible and Nintendo could protect the rest of the system from anything running in GameCube mode.


In GameCube mode, the Wii could still use both banks of memory, but the 64MB external chip (known as MEM2) served only as audio RAM (ARAM), as it would on a real GameCube. While the bottom 16MB of this memory can be read in GameCube mode, the other 48MB is protected and returns “random garbage”, according to Ben “Bushing” Byer at 25c3 in 2008. However, those 48MB are never erased, and through careful manipulation of the chip's address lines, a technique the team referred to as “bit-banging”, data in the protected region could be shifted into the accessible 16MB. This was accomplished using tweezers, and as it turns out, all of the console's encryption keys were stored in this memory.


Each console had its own set of independent keys, including an ECC private key and an ECC public key (ECC, elliptic-curve cryptography, is a public-key cryptosystem used for the same purposes as RSA). The NAND memory was encrypted using AES and also signed to ensure it couldn't be tampered with. The discovery of the Wii's shared key – the root encryption key used to encrypt everything on the Wii – was essentially the holy grail at the time. You couldn't change anything with it, but you could see everything.

This eventually led to the Twilight Hack

The Legend of Zelda: Twilight Princess was the last piece of the puzzle

[Image: The Homebrew Channel on the Nintendo Wii]


To start a game on the Wii, the Wii goes through the following steps:

  1. Compare the hash recovered from the RSA signature with the SHA-1 hash of the title to be launched
  2. If the SHA-1 hash is signed by Nintendo, start the game
  3. Otherwise, abort execution

However, Nintendo's implementation of this scheme was badly flawed. The developers used the C function strncmp to compare the two hashes, but strncmp treats its inputs as C strings and stops comparing as soon as it encounters a null byte. This means that if the hash contains a “00” byte, the comparison ends prematurely at that position. This bug existed in most layers of the Wii. A signature consisting of all zeros yields a recovered hash consisting of all zeros, and because strncmp stops at the first null byte, an all-zero hash is considered equal to any computed hash whose first byte is 00. As a result, anything launched on the Wii can be given a fake signature as long as its hash begins with 00.


To ensure that the hash starts with 00, you can manipulate the data in the file you are signing so that the SHA-1 hash starts with 00. Once you do that, you can use that file on any Wii and it will be accepted. This meant that not only could you launch unsigned games, but you could also install your own system menu, individual IOS modules, and your own Boot2 bootloader, all of which would be trusted by the system.
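To make the flaw concrete, here is an added Python example (not code from the article or from Team Twiizers) that emulates C's strncmp over two SHA-1 digests, contrasts it with a full-length comparison, and carries out the “pad the data until the hash starts with 00” step on a constructed payload. The all-zero `ZERO_HASH` stands in for the hash recovered from an all-zero signature; `SAMPLE_CONTENT` and the 4-byte counter padding are my own constructions, not the Wii's actual file format.

```python
import hashlib
import hmac

SHA1_LEN = 20  # length of a SHA-1 digest in bytes


def strncmp_equal(a: bytes, b: bytes, n: int) -> bool:
    """Emulate `strncmp(a, b, n) == 0` as C defines it.

    strncmp treats its inputs as NUL-terminated strings: it compares at most
    n bytes and stops early, reporting equality, as soon as both inputs hold
    a 0x00 byte at the same position. Applied to binary digests that is wrong.
    """
    for i in range(n):
        ca = a[i] if i < len(a) else 0
        cb = b[i] if i < len(b) else 0
        if ca != cb:
            return False
        if ca == 0:  # both bytes are NUL: strncmp stops here and says "equal"
            return True
    return True


def flawed_verify(hash_from_signature: bytes, content: bytes) -> bool:
    """The Wii-style check: strncmp over the two 20-byte SHA-1 digests."""
    return strncmp_equal(hash_from_signature, hashlib.sha1(content).digest(), SHA1_LEN)


def fixed_verify(hash_from_signature: bytes, content: bytes) -> bool:
    """Full-length, constant-time comparison of the digests (memcmp-like)."""
    return hmac.compare_digest(hash_from_signature, hashlib.sha1(content).digest())


def pad_until_leading_zero(content: bytes, max_tries: int = 1 << 20) -> bytes:
    """Append a 4-byte counter until the SHA-1 digest starts with 0x00.

    Each attempt succeeds with probability 1/256, so about 256 tries are
    needed on average. This is the "manipulate the data so the hash starts
    with 00" step the article describes, on a constructed payload.
    """
    for i in range(max_tries):
        candidate = content + i.to_bytes(4, "big")
        if hashlib.sha1(candidate).digest()[0] == 0:
            return candidate
    raise RuntimeError("no candidate found within max_tries")


# An all-zero signature yields an all-zero recovered hash (the article's
# "zero input gives zero output"); this is what the flawed check compares.
ZERO_HASH = bytes(SHA1_LEN)

# Constructed sample payload standing in for a title's signed content.
SAMPLE_CONTENT = b"constructed unsigned title content"


def demo() -> dict:
    """Run the forgery against both checks and report the outcomes."""
    forged = pad_until_leading_zero(SAMPLE_CONTENT)
    return {
        "leading_byte": hashlib.sha1(forged).digest()[0],
        "flawed_accepts_forgery": flawed_verify(ZERO_HASH, forged),
        "fixed_accepts_forgery": fixed_verify(ZERO_HASH, forged),
        "fixed_accepts_genuine": fixed_verify(hashlib.sha1(forged).digest(), forged),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lesson for anyone writing verification code is the last two functions side by side: digests are binary data, so they must be compared over their full length with a memcmp-style (and preferably constant-time) comparison, never with a string function that stops at the first null byte.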

However, Team Twiizers still needed a way to get modified software onto someone's Wii. Having collected the keys and understood how the system verified signatures, this was relatively easy. They developed a buffer overflow exploit for a bug in The Legend of Zelda: Twilight Princess: the game did not check the length of Epona's name. While the game prevented you from manually entering a name that was too long, a specially crafted save file with an excessively long name could overwrite memory that controlled execution, so that when the game processed the name it followed the injected instructions instead of continuing normally.


In this case, you would start the game, load the save file, go back, and the game would then launch “boot.elf” from the root of the SD card. This file would normally be the HackMii installer, which installed both the Homebrew Channel and BootMii, a Boot2 replacement, onto your Wii. Like the save file, the Homebrew Channel and BootMii could be signed in a way the system would trust.

The Twilight Hack was the first public hack for the Nintendo Wii that anyone could run on their own console, and it took Nintendo quite a long time to fix the flaw. While the Twilight Hack became obsolete a few years later and was replaced by other methods like Bannerbomb, the work of Team Twiizers got the ball rolling. It all started with tweezers. Their efforts allowed other developers to follow their example and find new ways to modify the system. Once initial access was gained, it became easier to analyze the console and identify other security flaws.



Nowadays consoles are much more complex

Jailbreaking and modding are much more difficult these days

[Image: Sony PlayStation 5 and DualSense controller on a table]

Although Nintendo's consoles have been cracked wide open on multiple occasions in the past, modern consoles are significantly more secure than ever. The Nintendo Switch was originally compromised through a Tegra exploit, but newer revisions of the Switch require a modchip to run unauthorized software. As for the PlayStation 5 and the Xbox Series S and X, both have had security issues in the past, but Sony and Microsoft have largely kept these consoles secure through ongoing updates and patches.


While modifying consoles can be a lot of fun and incredibly educational, stories like this one show just how fascinating the world of computer security can be. Using something as simple as a pair of tweezers, an entire console – the Wii – was compromised by physically tampering with the address lines of a memory chip, which allowed its data to be dumped later. There are countless strange and fascinating stories in the world of technology, but the story of the Nintendo Wii remains one of the most fascinating to me.
