How to brick my Wii
Homebrew on the Wii (original title: "Homebrew auf der Wii")
Alexander Paßfall <alex@tty23.net>
UnFUG WS 09/10, Hochschule Furtwangen, 5 November 2009

Content
- Wii Basics
- Hacks
- Homebrew
- Demo?

--- Wii Basics ---

Hardware: an "overclocked GameCube"
- IBM PowerPC 750CL "Broadway" @ 729 MHz
- ATI "Hollywood" GPU + DSP @ 243 MHz
- 24 MB 1T-SRAM (MEM1) + 64 MB GDDR3 DRAM (MEM2)
- 512 MB NAND flash
- Modified DVD reader (dual layer)

Security system: two processors
- Broadway (PPC): fast but insecure. No OS; games run on "bare metal".
- Hollywood (ATI): graphics, peripherals, memory, and the "IO bridge"
- IO bridge: NEC ARM926 SoC, "Starlet"
  - runs a custom microkernel OS ("IOS") written by BroadOn
  - drivers and more: security & software DRM; DVD, SD, WiFi, USB, ...; HTTP, SMTP, SSL, ...
  - "always on"
  - all code is signed and is authenticated by IOS
  - IOS itself is hidden behind APIs

Boot process
- boot0: 1.5 KB bootloader in mask ROM inside Hollywood
  - reads the first 48 pages of NAND flash (boot1)
  - decrypts it and hashes it (SHA-1)
  - compares the hash with the value stored in OTP memory
  - runs boot1
- boot1: second-stage bootloader
  - runs in MEM1, initialises MEM2
  - loads and decrypts boot2 and verifies its RSA signature
- boot2: third-stage (main) bootloader (a mini IOS)
  - verifies and runs IOS
- IOS: read from the flash filesystem; ARM code running on Starlet
- System Menu: PPC code read from the filesystem and pushed to Broadway

Software
- Channels, games and system software are "titles", identified by a TitleID
- TMD (Title MetaData): information about the content: SHA-1 hashes, permissions, group IDs, region locking
- eTicket: your licence to use the title: the title's AES key, encrypted (with the master key that lives in OTP ROM and is hard to
extract); optional time limits
- TMD + eTicket are signed with RSA-2048
- Title content is encrypted with AES and hashed with SHA-1 in a hash-tree structure

IOS
- Custom microkernel OS by BroadOn (California)
- Talks to Broadway via an IPC interface
- High-level network API
- Decryption / authentication of Broadway's code
- POSIX-like filesystem permissions (titles = users, vendors = groups)
- Hides system files from Broadway
- Modules run as isolated userspace processes
- Kernel in MEM1, userspace in the top 12 MB of MEM2 (not accessible from Broadway)

--- Hacks ---

Key extraction: GameCube mode
- GameCube software is completely unsigned, but runs in a sandbox
- The DVD drive is similar to the GameCube's; it was outsourced to Matshita, so mod chips are easily ported to the Wii
- GameCube homebrew is possible
- Sandboxed: no IOS, no Wii features
- The Wii always boots into native (Wii) mode first, then reboots into GameCube mode
- GameCube mode uses only the first 16 MB of MEM2

Key extraction: the Tweezer Attack
- The upper 48 MB of MEM2 are not cleared on the reboot into GameCube mode; they are only protected by a hardware register
- Modify the address lines of the DRAM chip (shorting pins with tweezers, hence the name) to move the 16 MB "window" through the whole DRAM
- Dump the entire 64 MB
- Contents: the IOS keystore with all the keys!
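The "hash-tree structure" over title content on the Software slide is what lets IOS check one block of a title against the hashes that the signed TMD commits to, without hashing the whole title first. The following is an added example, not code from the talk or from IOS: a simplified SHA-1 hash tree in Python. The block size (64 bytes), the padding rule for odd levels, and the sample content are assumptions made for the example; the real Wii on-disc layout uses different block sizes and encrypts the content with AES, which is not modelled here.

```python
"""Simplified SHA-1 hash tree over title content (added example, not Wii code).

Leaves are SHA-1 hashes of fixed-size content blocks; each level pairs up
hashes until one root remains. A signed TMD only needs to commit to the root
(or to the top-level hashes): any single block can then be checked with a
short inclusion proof, and any one-byte change in the content is detected.
"""
import hashlib

BLOCK_SIZE = 64   # assumption for the example; the real format uses larger blocks


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def split_blocks(content: bytes, block_size: int = BLOCK_SIZE) -> list:
    blocks = [content[i:i + block_size] for i in range(0, len(content), block_size)]
    return blocks or [b""]


def _pad(level: list) -> list:
    # Odd number of hashes: duplicate the last one so every node has a sibling
    return level + [level[-1]] if len(level) % 2 else level


def build_tree(content: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Return all levels, bottom up: levels[0] are the (padded) leaf hashes,
    levels[-1] is [root]."""
    level = [sha1(b) for b in split_blocks(content, block_size)]
    levels = []
    while len(level) > 1:
        level = _pad(level)
        levels.append(level)
        level = [sha1(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    levels.append(level)
    return levels


def root_hash(content: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """The value a TMD would commit to for this content."""
    return build_tree(content, block_size)[-1][0]


def inclusion_proof(levels: list, index: int) -> list:
    """Sibling hashes (with their side) needed to recompute the root from
    the leaf at `index`."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((index % 2 == 0, level[sibling]))   # (sibling is on the right?, hash)
        index //= 2
    return path


def verify_block(block: bytes, index: int, path: list, root: bytes) -> bool:
    """Check one content block against the committed root using its proof."""
    h = sha1(block)
    for sibling_on_right, sibling in path:
        h = sha1(h + sibling) if sibling_on_right else sha1(sibling + h)
    return h == root


# Constructed 768-byte "title content" (12 blocks); not real Wii data.
CONTENT = bytes(range(256)) * 3


def check_all(content: bytes = CONTENT) -> bool:
    """Every block of `content` verifies against the root of its own tree."""
    levels = build_tree(content)
    root = levels[-1][0]
    return all(verify_block(b, i, inclusion_proof(levels, i), root)
               for i, b in enumerate(split_blocks(content)))


def tamper(content: bytes, offset: int) -> bytes:
    """Flip one bit of the content, as a modified title would."""
    c = bytearray(content)
    c[offset] ^= 1
    return bytes(c)


if __name__ == "__main__":
    levels = build_tree(CONTENT)
    root = levels[-1][0]
    print("root:", root.hex())
    print("all blocks verify:", check_all())
    bad = split_blocks(tamper(CONTENT, 100))[1]            # block 1 holds byte 100
    print("tampered block verifies:", verify_block(bad, 1, inclusion_proof(levels, 1), root))
```

The proof for a block is only as long as the tree is deep (four sibling hashes for twelve blocks here), which is why a verifier can check blocks as they are read from disc instead of buffering the whole title.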
Keys
- Per-console keys: ECC private key, ECC public certificate, NAND AES key, NAND HMAC key
- Global keys: common key 0, SD key, root certificate, new common key 1 (Korean)

Fakesigning: signatures
- All RSA signature comparison is done by one function: ES_VerifySign
- SHA-1 in hardware, RSA in software
- The TMD carries a SHA-1 hash signed by Nintendo; the real hash of the TMD is calculated and the two are compared

Fakesigning: Nintendo RSA (looks kind of strange...)

1C 28   ADDS  R0, R5, #0           ; R0 = signature end
38 14   SUBS  R0, #20              ; R0 -= 20
99 02   LDR   R1, [SP, #SHA1calc]  ; R1 = SHA-1
22 14   MOVS  R2, #20              ; R2 = 20
4B 0F   LDR   R3, =(strncmp+1)
47 98   BLX   R3                   ; strncmp(SHA1_sig, SHA1_in, 20)

The two hashes are compared with strncmp() instead of memcmp(): strncmp stops at the first NUL byte, so a signature whose "decrypted" hash starts with 0x00 matches any content whose real SHA-1 also happens to start with 0x00.

Fakesigning: impact
- We can sign/install everything we want: unsigned games, an unsigned System Menu, unsigned IOSes, unsigned boot2
- The boot2 case was fixed somewhere in 2008. Since boot1's hash is burned into OTP memory, boot1 cannot be updated in the field, so only consoles manufactured with the fixed boot1 are protected.

Demo

Game hacks: stack smashing (diagram slides)

Game hacks: the Twilight Hack
- Savegames on the SD card are signed with the console's private key
- We can extract the keys, so we can sign any savegame
- Exploit a stack buffer overflow in The Legend of Zelda: Twilight Princess (the name of the horse)
- Load an ELF loader, which reads an ELF executable from the SD card

Other: Bannerbomb
- Exploits a buffer overflow while loading channels from the SD card: a malformed channel banner
- Works on up-to-date Wiis (as of this talk)

--- Homebrew ---
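To make the Nintendo RSA and impact slides concrete, here is an added example (not IOS code and not from the talk) that models ES_VerifySign in Python: the same "signature end minus 20, then strncmp over 20 bytes" comparison as in the assembly above, next to the memcmp version, and the brute force that fakesigning relies on. The RSA modulus is a constructed stand-in for which no private key exists, not Nintendo's key; the TMD body and its padding field are likewise made up for the example.

```python
"""Model of the IOS ES_VerifySign strncmp bug (added example, not IOS code).

The decrypted signature block ends in the 20-byte SHA-1 the signer vouched
for; IOS compares it with the freshly computed SHA-1 using strncmp(), which
stops at the first NUL byte. A signature of all zeros decrypts to all zeros
under any RSA key (0^e mod n == 0), so it is accepted whenever the real
SHA-1 of the signed data starts with 0x00: a 1-in-256 chance per attempt,
which the attacker gets by changing bytes nobody checks.
"""
import hashlib

HASH_LEN = 20   # SHA-1
SIG_LEN = 256   # RSA-2048 signature
E = 65537
# Constructed 2048-bit odd modulus, a stand-in for "software RSA" only.
N = int.from_bytes(hashlib.sha512(b"stand-in modulus").digest() * 4, "big") | 1


def rsa_public(signature: bytes) -> bytes:
    """Software RSA: s^e mod n as a 256-byte block. Note 0^e mod n == 0."""
    return pow(int.from_bytes(signature, "big"), E, N).to_bytes(SIG_LEN, "big")


def c_strncmp(a: bytes, b: bytes, n: int) -> int:
    """C strncmp() semantics: at most n bytes, stop at the first NUL."""
    for i in range(n):
        ca = a[i] if i < len(a) else 0
        cb = b[i] if i < len(b) else 0
        if ca != cb:
            return ca - cb
        if ca == 0:             # both ended here: equal
            return 0
    return 0


def verify_vulnerable(signature: bytes, signed_data: bytes) -> bool:
    """ES_VerifySign as on the slide: strncmp(SHA1_sig, SHA1_in, 20)."""
    sig_hash = rsa_public(signature)[-HASH_LEN:]       # R0 = signature end - 20
    real_hash = hashlib.sha1(signed_data).digest()     # R1 = SHA-1 (hardware)
    return c_strncmp(sig_hash, real_hash, HASH_LEN) == 0


def verify_fixed(signature: bytes, signed_data: bytes) -> bool:
    """The same check with a full 20-byte compare (memcmp)."""
    sig_hash = rsa_public(signature)[-HASH_LEN:]
    return sig_hash == hashlib.sha1(signed_data).digest()


# Constructed stand-in for the signed part of a TMD; the last 8 bytes play the
# role of a reserved/padding field whose value nothing else depends on.
SAMPLE_TMD = b"stand-in TMD body: title metadata and content hashes" + bytes(8)
PAD_OFFSET = len(SAMPLE_TMD) - 8


def fakesign(tmd: bytearray, pad_offset: int):
    """Fakesigning: all-zero signature plus a brute-forced padding field
    such that SHA-1(tmd) starts with 0x00. Returns (signature, tmd, tries);
    about 256 tries are expected."""
    for counter in range(1 << 32):
        tmd[pad_offset:pad_offset + 4] = counter.to_bytes(4, "big")
        if hashlib.sha1(tmd).digest()[0] == 0:
            return bytes(SIG_LEN), bytes(tmd), counter
    raise RuntimeError("no matching hash found")   # unreachable in practice


if __name__ == "__main__":
    sig, body, tries = fakesign(bytearray(SAMPLE_TMD), PAD_OFFSET)
    print("tries needed:", tries)
    print("strncmp check accepts the fake signature:", verify_vulnerable(sig, body))
    print("memcmp check accepts the fake signature: ", verify_fixed(sig, body))
```

The fix is the one-token change from strncmp to memcmp (or a constant-time compare); the brute force does not need the private key at all, which is why every consumer of ES_VerifySign listed on the impact slide, boot2 included, was affected until the function was corrected.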
HBC: the Homebrew Channel
- Launcher for multiple homebrew apps

BootMii
- Custom boot2
- Recovery system
- Also runs as a custom IOS

DVDx
- The Wii normally rejects non-Wii discs
- The drive firmware has hidden DVD-Video player functions, blocked by IOS... unless you set a magic bit in the TMD
- Homebrew can play DVD videos
- DVD-Rs look a lot like DVD-Video discs... warez loader

Other
- mplayer
- ScummVM
- Custom games
- Linux
- ...

Questions?