Hacking Wii hacked, again!

tjas

tjas

The Gbatemp HRManager
OP
Member
Level 3
Joined
Sep 10, 2006
Messages
970
Trophies
0
Age
33
Location
BoZ
XP
311
Country
Netherlands
QUOTE said:
tmbinc has managed to "hack" a Nintendo Wii to allow him to boot his own code. He's posted a very lengthy and in depth article about it. I can smell modchips where those wires and interface are now. To sum it all up he says:

* First thing which ever executes on the Wii is the “boot0? code, which is probably stored inside the hollywood in a mask rom.

* boot0 loads the first 0×2F pages (”boot1?) from flash, decrypts them with a fixed aes key, calculates a SHA-1 hash (with some obscure bugs specialities, I still couldn’t calculate it by hand), and checks that versus the expected values, read from some internal memory.

* If the hash bytes in the “internal memory” is all-zero, the hash check is skipped. This is probably used for production, and maybe for devkits.
* boot1 then searches a certain header in flash, where it extracts specific information where to find boot2.

* At that position, some certificate chain is checked, and finally the boot2 “tmd” is verified, and the hash extracted.

* The boot2 payload is load from flash, decrypted, and hash-checked (against the hash from the boot2 tmd).

* boot2 will then load the firmware, or whatever. That’s not my region of interest at the moment.
smile.gif


Read the Entire Article w/More Pictures by http://debugmo.de//?p=59
Click to expand...

New modchips.. no drive chips! So maybe.. 100% import friendly mods comming
biggrin.gif


Source: http://www.tehskeen.com/modules.php?name=N...e&threadid=6246
 
FAST6191

FAST6191

Techromancer
Editorial Team
Level 32
Joined
Nov 21, 2005
Messages
36,194
Trophies
3
Website
trastindustries.com
XP
26,915
Country
United Kingdom
Read the article, read my electronics book (grr acronyms).
Saw the pictures: those look like hell to solder.
Starts waving flag for flashmewii

Loving all these developments over the last few weeks by the way.
 
tjas

tjas

The Gbatemp HRManager
OP
Member
Level 3
Joined
Sep 10, 2006
Messages
970
Trophies
0
Age
33
Location
BoZ
XP
311
Country
Netherlands
QUOTE(FAST6191 @ Jan 30 2008 said:
Read the article, read my electronics book (grr acronyms).
Saw the pictures: those look like hell to solder.
Starts waving flag for flashmewii

Loving all these developments over the last few weeks by the way.
Click to expand...
I can see it befor me Flashwii! Haha that would be cool no warning screens about your health blabla
biggrin.gif
 
D

Deleted User

Guest
So to sum up a bit for people a bit lost with all this technical informations :
* running code on the wii means exploiting a bug to run unsigned code
* once you can run even the tiniest bit of unsigned code you can access on the wii to all the contents of its internal memory (splitted across a lot of stuff)
* the deepest the bug is the hardest it is possible to be patched by nintendo. the CCC exploit was not leaked because it could be easily patched by a firmware update. A bug in the boot process is A LOT better as it CAN'T BE PATCHED BY AN UPDATE.
* the boot process is a long chain of processes, the strength of such chain is the same as the strength of its weakest link. Here there are many bugs in one of these links.
* Using this bug tmbinc is able to execute starlet code and dump a lot of data. As this is not the main processor of the wii, it does not allow him to use the wii hardware. To get back information he writes in the NAND (which is in fact virtually mapped to a pc file by tcp)
* Doing this means that he has to use a lot of wires. BUT making a modchip will only involve a flashing of the NAND and will require less wires.
 
tjas

tjas

The Gbatemp HRManager
OP
Member
Level 3
Joined
Sep 10, 2006
Messages
970
Trophies
0
Age
33
Location
BoZ
XP
311
Country
Netherlands
QUOTE(deufeufeu @ Jan 30 2008 said:
So to sum up a bit for people a bit lost with all this technical informations :
* running code on the wii means exploiting a bug to run unsigned code
* once you can run even the tiniest bit of unsigned code you can access on the wii to all the contents of its internal memory (splitted across a lot of stuff)
* the deepest the bug is the hardest it is possible to be patched by nintendo. the CCC exploit was not leaked because it could be easily patched by a firmware update. A bug in the boot process is A LOT better as it CAN'T BE PATCHED BY AN UPDATE.
* the boot process is a long chain of processes, the strength of such chain is the same as the strength of its weakest link. Here there are many bugs in one of these links.
* Using this bug tmbinc is able to execute starlet code and dump a lot of data. As this is not the main processor of the wii, it does not allow him to use the wii hardware. To get back information he writes in the NAND (which is in fact virtually mapped to a pc file by tcp)
* Doing this means that he has to use a lot of wires. BUT making a modchip will only involve a flashing of the NANDÂ and will require less wires.

Thanks but QUOTEthe deepest the bug is the hardest it is possible to be patched by nintendo. the CCC exploit was not leaked because it could be easily patched by a firmware update. A bug in the boot process is A LOT better as it CAN'T BE PATCHED BY AN UPDATE.
Click to expand...
Couldn't this better have been kept a secret?
 
dreadbread

dreadbread

Active Member
Newcomer
Level 1
Joined
Jan 14, 2008
Messages
39
Trophies
0
XP
36
Country
United States
ill just quote what tmbinc said in his blog
QUOTE said:
I really hoped I wouldn’t have to say this again and again, but some people still got it wrong:

No, my target is NOT to create a “drivechip-free warez solution”. IT IS NOT. GET THAT. I also won’t approve any pingbacks from (or comments containing links to) forums which don’t get this. It’s not my job to protect the vendor against piracy (and drivechips are already a dead easy method, what do you want more?! Also getting the hardware for free?), but I definitely don’t support that. Piracy is possible only because of the drive’s insecurity. Whether the wii itself is hacked or not doesn’t really matter in that point.

I still can’t understand how people are so stupid to claim that “there is a modchip in the making, source: debugmo.de”. This is not only wrong, it’s plain stupid. If they would have read (and understand) my post, they would have seen that my overly complex method to emulate the NAND chip is for *development* purposes, and nothing you want to build more than once. But what should I expect… (And if they didn’t understand my post - agreed, there is much technical stuff in it -, why did they draw some conclusions?)

Are you still wondering why #wiidev is such an unfriendly place? This is the answer.
Click to expand...
 
General chit-chat
Help Users
  • No one is chatting at the moment.
    Psionic Roshambo @ Psionic Roshambo: Ken yeah under Android and only some games.