How to brick my Wii: Homebrew on the Wii. Alexander Paßfall

How to brick my Wii
Homebrew on the Wii
Alexander Paßfall
UnFUG WS 09/10
Hochschule Furtwangen
5 November 2009
Contents
Wii Basics
Hacks
Homebrew
Demo?
Wii Basics
Hardware
“Overclocked GameCube”
IBM PowerPC 750CL “Broadway” @ 729 MHz
ATI “Hollywood” GPU+DSP @ 243 MHz
24 MB 1T-SRAM (MEM1) + 64 MB GDDR3 DRAM (MEM2)
512 MB NAND flash
Modified DVD reader (DL)
Security System
Two processors
Broadway (PPC): fast but insecure
No OS! Games run on “bare metal”
Hollywood (ATI): graphics, peripherals, memory, “IO bridge”
IO bridge: NEC ARM926 SoC, “Starlet”
Custom microkernel OS (“IOS”) by BroadOn
Drivers and more:
Security & software DRM
DVD, SD, WiFi, USB, . . .
HTTP, SMTP, SSL, . . .
“Always on”
All code is signed & authenticated by IOS
IOS hidden behind APIs
Boot process
boot0: 1.5 KB bootloader in mask ROM inside Hollywood
Reads the first 48 pages of flash (boot1)
Decrypts it and hashes it (SHA-1)
Compares the hash with the value in OTP memory
Runs boot1
boot1: 2nd-stage bootloader
Runs in MEM1
Initializes MEM2
Loads and decrypts boot2, verifies its RSA signature
boot2: 3rd-stage (main) bootloader (mini IOS)
Verifies & runs IOS
IOS
Read from the flash filesystem
ARM code running on Starlet
Menu: PPC code read from the filesystem, pushed to Broadway
Software
Channels, games and system software are “titles”
Identified by a TitleID
TMD: Title MetaData
Information about the content
SHA1 hashes, permissions, group IDs, region locking
eTicket: your licence to use the title
Encrypted AES key (the master key is in OTP ROM and hard to extract)
Optional time limits
TMD + eTicket are signed using RSA-2048
Title content is encrypted using AES and hashed using SHA1
Hashes arranged in a hash tree
IOS
Custom microkernel OS by BroadOn (California)
Talks to Broadway via an IPC interface
High-level network API
Decryption / authentication of Broadway’s code
POSIX-like FS permissions (titles = users, vendors = groups)
Hides system files from Broadway
Modules run as isolated userspace processes
Kernel in MEM1, userspace in the top 12 MB of MEM2 (no access from Broadway)
Hacks
GameCube Mode
GameCube software is totally unsigned, but runs in a sandbox
DVD drive similar to the GameCube’s
Outsourced to Matshita
Mod chips easily portable to the Wii
GameCube homebrew possible
Sandboxed: no IOS, no Wii features
Wii always boots first into native mode, then reboots into GameCube mode
GameCube mode uses the first 16 MB of MEM2
Tweezer Attack
Upper 48 MB not cleared on reboot into GameCube mode
Protected by a hardware register
Modify the address lines of the DRAM chip
Move the 16 MB “window” throughout DRAM
Dump the entire 64 MB
Content:
IOS
Keystore with all the keys!
Keys
Per-console keys
ECC private key
ECC public certificate
NAND AES key
NAND HMAC key
Global keys
Common key 0
SD key
Root certificate
New common key 1 (Korean)
Signatures
All RSA signature comparison is done by one function
ES VerifySign
Hardware SHA1
Software RSA
The TMD contains a SHA1 hash signed by Nintendo
The real TMD hash is calculated, then both are compared
Nintendo-RSA
Looks kinda strange..

    1C 28    ADDS    R0, R5, #0           ; R0 = signature end
    38 14    SUBS    R0, #20              ; R0 -= 20
    99 02    LDR     R1, [SP, #SHA1calc]  ; R1 = SHA-1
    22 14    MOVS    R2, #20              ; R2 = 20
    4B 0F    LDR     R3, =(strncmp+1)
    47 98    BLX     R3                   ; strncmp(SHA1_sig, SHA1_in, 20)
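What the strncmp call on this slide does to the check, as an added example (Python written for this page, not the talk’s code and not IOS code): strncmp follows C string semantics and stops at the first NUL byte, but a SHA-1 digest is binary and may contain 0x00 anywhere, so only the bytes before the first 0x00 in the stored hash are ever inspected. The block models C strncmp, shows the comparison exactly as the disassembly performs it beside a fixed comparison (full length, constant time), and runs both over constructed digests; the byte strings are made up for the example and are not hashes of any real TMD.

```python
import hmac

DIGEST_LEN = 20  # SHA-1 digest length, as on the slide (MOVS R2, #20)


def strncmp(a: bytes, b: bytes, n: int) -> int:
    """Model of C strncmp: compares at most n bytes and stops early at the
    first differing byte, or at a NUL byte (0x00) both inputs share."""
    for i in range(n):
        ca, cb = a[i], b[i]
        if ca != cb:
            return ca - cb
        if ca == 0:      # C string terminator: the remaining bytes are never looked at
            return 0
    return 0


def verify_sign_as_shown(sig_hash: bytes, computed_hash: bytes) -> bool:
    """The comparison the slide's disassembly performs."""
    return strncmp(sig_hash, computed_hash, DIGEST_LEN) == 0


def verify_sign_fixed(sig_hash: bytes, computed_hash: bytes) -> bool:
    """Compare all 20 bytes, with no terminator semantics and in constant time."""
    if len(sig_hash) != DIGEST_LEN or len(computed_hash) != DIGEST_LEN:
        return False
    return hmac.compare_digest(sig_hash, computed_hash)


def bytes_actually_compared(sig_hash: bytes) -> int:
    """How many leading bytes the strncmp check can ever inspect for a given
    stored hash: up to and including its first NUL byte."""
    for i, byte in enumerate(sig_hash[:DIGEST_LEN]):
        if byte == 0:
            return i + 1
    return DIGEST_LEN


# Constructed digests (arbitrary bytes chosen for the example, not real hashes).
GENUINE = bytes.fromhex("3a8f1c5e7b2d90416fa3c7e85d2b9f014c6e7a3b")
STORED_WITH_NUL = b"\x00" + GENUINE[1:]          # stored hash whose first byte is 0x00
DIFFERENT_WITH_NUL = b"\x00" + b"\x7f" * 19      # same first byte, every other byte differs


def demo() -> dict:
    """Both checks over the constructed digests; keys describe each case."""
    return {
        "matching, as shown": verify_sign_as_shown(GENUINE, GENUINE),
        "matching, fixed": verify_sign_fixed(GENUINE, GENUINE),
        "first byte differs, as shown": verify_sign_as_shown(GENUINE, DIFFERENT_WITH_NUL),
        "NUL-prefixed mismatch, as shown": verify_sign_as_shown(STORED_WITH_NUL, DIFFERENT_WITH_NUL),
        "NUL-prefixed mismatch, fixed": verify_sign_fixed(STORED_WITH_NUL, DIFFERENT_WITH_NUL),
        "bytes inspected for NUL-prefixed hash": bytes_actually_compared(STORED_WITH_NUL),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The fixed variant is what a signature check over binary data needs: a length check, a comparison that treats 0x00 like any other byte, and a constant-time primitive so the comparison does not leak how many leading bytes matched.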
Impact
We can somehow sign/install everything we want:
Unsigned games
Unsigned System Menu
Unsigned IOSes
Unsigned boot2 (fixed somewhere in 2008)
Demo
Stack Smashing
Twilight Hack
Savegames on the SD card are signed with the console’s private key
We can extract the keys, so we can sign any savegame
Exploit a stack buffer overflow in The Legend of Zelda: Twilight Princess (name of the horse)
Load an ELF loader
The loader reads an ELF executable from the SD card
Bannerbomb
Exploits a buffer overflow while loading channels from SD cards
Malformed channel banner
Use this on up-to-date Wiis
Homebrew
HBC
Homebrew Channel
Launcher for multiple homebrew apps
BootMii
Custom boot2
Recovery System
Runs as custom IOS, too
DVDx
Wii normally rejects non-Wii discs
Drive firmware has hidden DVD-Video player functions
Blocked by IOS..
unless you set a magic bit in the TMD
Homebrew can play DVD videos
DVD-Rs look a lot like DVD-Video discs..
Warez loader
Other
mplayer
ScummVM
Custom Games
Linux
...
Questions?