Actually, I think the answers in this thread were astonishing helpful already (what's wrong with you guys, this is gbatemp!), so I have not that much to add to it; one thing I want to point out is, what an vulnerability really is - on a specific example, or at least something which is already the essence, the summary of an example.
It might be a benefit to know how it was done before, as the Wii U is a system based upon the Wii, which was based on the GameCube. But don't be greenish, as developers at least try not to make an error twice (there are already automated systems to point out such known faults, or 'regressions')
No one out there is stupid and therefore, no one at Nintendo would write code like
Code:
searchForHomebrew();
if (homebrewIsOnSDCard()) {
executeHomebrew();
}
I really doubt this, as Nintendo has high interest in providing content they think is valuable and high-quality, like Apple does (in its own way). But probably, its common knowledge it wouldn't be easy.
Therefore, as already stated, modern gaming devices usually use cryptography, as they now know that "we" are able to create hardware devices (referencing to for example the USB Gecko, which docks on the EXI Bus on the Gamecube / Wii, providing full access to the hardware via USB. Or early flashcards on consoles before) which may be able to break their closed environment concept - and cryptography is way harder to break than some plain wires.
On the Wii, Nintendo combined several aspects, as each console contains an unique id / key, as a hardware secret. To give some background:
The custom made Hollywood GPU Chip contained an ARM-Co-Processor called Starlet (supporting the PowerPC main cpu in a way like an operating system would, providing interfaces for hardware and so on - the so called IOS) - and this custom made ARM 'starlet' for itself contained an one-time-programmable (OTP) storage chip, which doesn't contain much but 128 byte (4x32), that the security system relies on.
Those 128 byte are enough to contain
- Encryption Keys for storing Software from Wii Shop
- A random number generation seed (→ each systems rand()-functionality can behave differently)
- A hash for the bootloader (boot1 on NAND, NAND = Flash storage in the console, the Wii does have 512MB of it)
and is written on production. As it is an OTP, it is only one time writeable and after that readonly.
The boot sequence of the Wii is divided into several stages - boot0 to boot2; boot0 is contained inside of starlet on a different chip - a ROM (readonly memory) - and is the first code the system runs on powerup.
This code does not really more than pulling boot1 from the first pages of the NAND. As the code of boot0 needed to be very compact - it had to fit into 4 Kilobytes of storage - Nintendo's developer couldn't integrate everything they might need for a "proper" boot. It doesn't know anything about filesystems, network or software updates, nothing. It only contains everything needed for accessing the NAND Storage and initializing the PowerPC main cpu environment, so that boot1 could continue - but wait, there's more.
As Nintendo needed to harden their hardware against "us", they put a barrier in there to hinder us just flashing a "Pr0 Piracy and Homebrew Custom ROM", as already happened on other systems. They knew, if anybody would be able to put anything of the NAND, the system would be able to execute anything. This is something Nintendo wouldn't want, as they are a company.
Therefore, they used a cryptographic hash function to *check* if the loaded code is "in summary" something around the expected value - a kind of checksum.
You can imagine that - strongly simplified - like if I would add every byte I read to a 32-bit-Counter, like
I - the programmer - know that the sum must be 10 and this is my checksum for the code I read. This provides me the advantage that the storage needed to ensure the correct data is a minimum, as I can reconstruct the correctness by a specific formula. If I got anything else than '10' as a result, its pretty sure not the code I expected. Unfortunately, this genius trick has some flaws - as
also gives the right checksum, but has completely different data. This is an attack we call "hash collision". But this kind of attack is way too hard to achieve, because Nintendo of course doesn't use a simple math operation but more complex - like RSA and SHA-1. The wii system even comes with a cryptographic hardware support unit, which allows it to easily use cryptography for nearly everything.
This unit is also used at a later point to check if the code which is coming from game discs is cryptographicly signed by Nintendo - such a sign is loosely comparable to such a checksum described before.
Unfortunately, and here is where the magic of vulnerability comes in, the developers at Nintendo probably relied too much on the un-break-able hardware encryption unit - well, there's not that much to do wrong. You (as a Nintendo EAD Technology Hardware Developer) have your reference checksum (cryptographic hash, cryptographic sign, whatever) and some data you want to verify. You initialize that hardware unit (setup the keys you have, which should be used by Nintendo to create the signage / hash), stream the data you want to verify (like the binary you want to execute) and the hardware unit returns a checksum.
Now, everything you have to do is compare the actual checksum returned by the chip to the one you have and believe to be valid ("the reference").
And if those two checksums don't match, do everything but DONT execute the code, as it isn't validated by Nintendo.
Therefore, someone may come to the code
Code:
if (strncmp(payload_hash, sig_hash, SHA1_LENGTH) != 0) {
// GOTO FAIL
}
as the c-stdlib 'strncmp' -
http://www.cplusplus.com/reference/cstring/strncmp/?kw=strncmp - returns if there is at least one difference in between both supplied strings with a maximum length of the specified SHA1_LENGTH (which should be 20 or 40 then). And every hash coming from the cryptographic engine has the same length, those 20/40 bytes.
Everything seems to be okay, doesn't it?
Well... actually, nope, it doesn't.
strncmp has *also* the characteristic - as it should compare C-STRINGS - that it stops comparing, when it finds an '0'-Byte, which is a standard for termination in C-Strings. And if you are able to manipulate *one* of the two checksums - like the one you read from NAND, Disc or anywhere else - you also are able to set the first byte to exactly this '0'-Byte termination mark.
strncmp compares the first character, sees there's a '0'-Byte, ends abruptly (hello, string ending!) - and returns 'no differences!', as there were no differences yet in the sequence - we just started comparing.
This is some sort of summary of the wii bug we know nowadays as 'trucha bug'.
Nintendo soon fixed it, as the fix was trivial (use memcmp -
http://www.cplusplus.com/reference/cstring/memcmp/ - instead of strncmp, as it checks exactly the specified length, not more and not less) - but this kind of bug was wide-spread.
It allowed us many things to do - create the homebrew channel, but also make the wii semi-unbrickable via 'BootMii' as custom boot2-replacement / custom bootloader, as we were able to run unsigned code.
Of course, knowledge of trucha may not help on the Wii U, but this was just an example of an actual exploitable vulnerability. It shows up what could be expected *at least* from the Wii U in terms of security and hardening.
Other possibilities to look at are DMA-Components (like breaking out of modern virtual machines by using GPUs DMA-Abilities, which requires to execute own shader programs; imagine this like your program is unable to overwrite the operating system as it detects this and stops your program because of simple memory protection; but the GPU has the ability to write to RAM, designed to return results or status fields independently from the OS - and might be able to actually overwrite it via a custom shader program [i don't say this works on wii u, this is an example what could be!] - usually, a DMA Controller Chip should block such operations, but you never know if you don't try that out) or the already stated known flaws of an opensourced but outdated browser engine (webkit, which is used by Nintendo on the Wii U) as an initial entrance door to the Wii U, like it was done before already on System Software < 5.4.0 / 5.5.0. It allows you to get own data to the Wii U easily by setting up a local webserver. If your own webserver transfers data to the Wii U Webbrowser (as requested by the user via entering the URL of the local webserver), which is then not correctly handled by webkit rendering engine (for example a buffer overflow whilst javascript execution), you might be able to execute some native code, which then could be used to break out of the virtual machine environment (if the wii u uses something like that) and pewpew, you mastered the system.
Someone may correct me if I got something wrong, as I wasn't involved breaking the Wii, I currently feel more homelike in the mobile department (GB/GBA/DS/3DS). Its just my understanding and interpretation of what happened on the Wii.
You might notice, to understand, whats going on, you need to go beyond what an usual programmer does. If you want to find an vulnerability, you not only need to know vaguely that you got a wii u in front of you and it runs some software like a pc would; you need to master the system, tame its software and find a way to get own code running by poking the code it runs already until it does something you want - its kind of detective work, but in a more technical, engineering way - as it is reverse engineering gone further. You need to be simply better than the developers of the original system - or at least the faulty parts.
Just visiting courses on computer science and studying books about 'this and that does work this way' isn't enough, as it takes you only to the 'usual programmer level', even if it is the base requirement for anything beyond. You might then be able to create homebrews, but you will be still unable to find and use vulnerabilities, as it requires you to know - or guess - what others did and what they could have improved on that. And, as already stated before in this thread, the good knowledge of C and C++ AND the assembly language of the platform you want to study (there isn't 'the one assembler'! The Wii already has at least 3 different assembly languages involved: PowerPC Assembler, ARM Assembler (starlet) and the shader assembler for the GPU) is an essential advantage.
I wish you good luck and stay strong - its never wrong to learn, but don't be disappointed if you are not done learning when the next console generation starts - who knows, maybe you are the one who breaks nx, nobody knows.
You said it already, at least you try; this is good. And I think, its important to have a dream which seems to be impossible to reach for most ones out there - as it gives you a target, a direction. This helped me much to learn, what I learned in all the past years and allowed me to get the job I do today.
--
I'd added some detail information.
In terms of Wii U, there were talks on the chaos communication congress a few years ago, they may be of interest for you:
- Wii U Gamepad (as it is an independent system)
- Console Hacking
This year, smea is present on the chaos communication congress (according to the
Fahrplan), talking about what happened to the 3DS and how they broke its security.
I bet, this year there will be also livestreams of that event, like the years before - and it gives good opportunity to learn how to achive such things.