HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 31 guests online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Hardwarearrow The Wii Has been Hacked
EH-Net
May 22, 2013, 05:00:25 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: The Wii Has been Hacked  (Read 10200 times)
0 Members and 1 Guest are viewing this topic.
don
Editor-In-Chief
Administrator
Hero Member
*****
Offline Offline

Posts: 4167


Editor-In-Chief


View Profile WWW
« on: January 29, 2008, 05:15:59 PM »
Fun stuff from Alex Bradner of Atomic:

Quote
The Wii has been hacked. While we were sleeping, a team of dedicated hackers finally got the homebrew ball rolling on Nintendo’s latest console. The trick, which was perfected last night, lets anyone execute their own code by utilising a savegame hack on a modified console. There’s no reason why it won’t work on an un-modded console, it just hasn’t been tested: unsurprisingly, none of the hackers own an unmodified Wii console.

It all started about a month ago with a pair of tweezers and a heavily modified Wii. The tweezer attack involves bridging pins of the Wii’s memory module whilst in Gamecube mode in order to access chunks of isolated Wii system memory. During Gamecube mode, the Wii’s 64MB of memory is split into two chunks: a 16MB chunk is allocated for Gamecube operation. The hack, however, tricks the system into allocating the Gamecube memory over the top of the restricted Wii memory. The memory is then dumped through a controller port, and it was this data dump that made what you’re about to read possible.

Inside this data dump was Nintendo’s public key, which is used to decrypt all of Nintendo’s game releases. Then another major discovery was made: It became apparent that an undocumented processor, nicknamed ‘Starlet’ by its discoverers, is located inside the graphics chip. This processor controls the Wii’s memory, security and cryptography, as well as almost all the peripherals. With the public key and some information on how Wii cryptography works, the Wii game discs can be decrypted and their contents harvested.

The holy grail of Wii hacking is a system exploit: finding where code can be injected into the system to gain low level access. We’re not there yet, although an alternative software based exploit where you examine existing game code for vulnerabilities and inject your own code into them has been written.

For full story:
http://www.atomicmpc.com.au/article.asp?SCID=14&CIID=102072

Don
Logged
CISSP, MCSE, CSTA, Security+ SME
themadhatter
Newbie
*
Offline Offline

Posts: 30


View Profile
« Reply #1 on: January 29, 2008, 09:26:22 PM »
Quote from: don on January 29, 2008, 05:15:59 PM
Fun stuff from Alex Bradner of Atomic:

Quote
Inside this data dump was Nintendo’s public key, which is used to decrypt all of Nintendo’s game releases.


Don

Wouldn't the public key be used to encrypt things as opposed to decrypt?
Logged
Bane
Guest
« Reply #2 on: January 31, 2008, 09:14:48 AM »
The story is correct as far as keys are concerned. If I want to send a message to you, that only you can decrypt, I encrypt the message with your public key. Your private key is then required to decrypt it. If you want to send an encrypted message to me, you would encrypt with your private key and I would decrypt with your public key.

Basically Nintendo is using a private key during manufacturing to encrypt the games, then decrypting at the console with the public key embedded in the console memory.
Logged
themadhatter
Newbie
*
Offline Offline

Posts: 30


View Profile
« Reply #3 on: January 31, 2008, 11:18:53 AM »
Quote from: Bane on January 31, 2008, 09:14:48 AM
If I want to send a message to you, that only you can decrypt, I encrypt the message with your public key. Your private key is then required to decrypt it. If you want to send an encrypted message to me, you would encrypt with your private key and I would decrypt with your public key.

You have the first part right but using the if I wanted to send you a message I would use your public key to encrypt it not my own private key.  If I use my own private key anyone in the world would be able to decrypt it via my public key.  On the other hand if I used the recipient of the message's public key to encrypt only the person with his private key can encrypt (which is hopefully them).

Go to http://en.wikipedia.org/wiki/Public-key_cryptography to brush up on your public key cryptography  Grin

Quote from: Bane on January 31, 2008, 09:14:48 AM

Basically Nintendo is using a private key during manufacturing to encrypt the games, then decrypting at the console with the public key embedded in the console memory.


If this is true its the stupidest way of doing things ever.
Logged
Bane
Guest
« Reply #4 on: January 31, 2008, 03:48:03 PM »
Yes I am well aware of that. I was trying to simplify it. If you want to get really complex. You can encrypt a message to me using my public key, then you could encrypt it again using your private key. This would ensure that only I could decrypt it (using my private key), I could validate that you sent the message by using your public key to decrypt the second round you setup with your private key. Again, this is a simplification.

My post wasn't meant to be complete instruction in public key cryptography  Tongue , just to point out that you don't only use a private key for decryption, the key or keys you use depend on what you are trying to accomplish. I haven't read the wiki article, but if you are saying that you always use my public key to send me an encrypted message than your understanding or the wiki's description is flawed. 

What nintnedo is essentially doing by encrypting using their private key and then decrypting on the wii using their stored public key is essentially encrypt once, decrypt many. So they encrypt a game one time, and any wii can decrypt. This is not a dumb way to do it all.
« Last Edit: January 31, 2008, 05:44:45 PM by Bane » Logged
themadhatter
Newbie
*
Offline Offline

Posts: 30


View Profile
« Reply #5 on: January 31, 2008, 08:07:27 PM »
If their using a private key to encrypt something all they are doing is verifying that the data came from them thus protecting the data's integrity much like a digital signature.  This is due to that fact that anyone with the public key, which is everyone since its public, can decrypt it.  This does not work and makes no sense at all if their trying to protect the confidentiality of the data in order to prevent people from playing the games or w/e. 

I could be thinking about what they are using the key for wrong but thats the way asymmetric cryptography works.  If you use your private key to decrypt something you'r not actaully hiding anything because anyone can decrypt it.  Thats all I'm trying to say.
« Last Edit: January 31, 2008, 08:11:22 PM by themadhatter » Logged
Bane
Guest
« Reply #6 on: February 01, 2008, 11:25:22 PM »
I think what nintendo is trying to do is two fold, prevent non authorized code from running on the WII and prevent piracy of the data on the discs. 

To get code to run on the wii I would have to have the secret key to encrypt my code, as teh wii unit appears to only have the public key. Conversely, to decrypt the code on the wii optical game disc, I would need the public key. They obviously knew the weakness of having only two keys which is why they tried to hide the public key in what they though was a secret area of memory.

The only way to really make this secure would be to have each wii have its own key pair in addition to the pair nintendo is using now... Can you figure out what the issue is with each wii having its own unique pair?  Grin
Logged
jimbob
Guest
« Reply #7 on: February 04, 2008, 04:37:29 AM »
Having one key pair is probably sufficient in that Nintendo's aim is to raise the barrier to running copied game disks beyond the reach of most customers. It appears to have worked.

Jimbob
Logged
Bane
Guest
« Reply #8 on: February 04, 2008, 09:19:37 AM »
Quote from: jimbob on February 04, 2008, 04:37:29 AM
Having one key pair is probably sufficient in that Nintendo's aim is to raise the barrier to running copied game disks beyond the reach of most customers. It appears to have worked.

Jimbob

I agree with you, they primarily wanted to make hacking the wii more difficult. to that end they succeeded. They made it as complex as they could, without being ridiculous, which is the point I was trying to make by giving the descriptions I did.

Having each Wii have its own key pair in addition to the pair that nintendo is using would be an insane level of complexity that would be pretty much impossible to maanage as more and more consoles are made. 
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.07 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.