HackMii

Notes from inside your Wii

HackMii header image 2

26c3 wrap up

January 4th, 2010 by bushing · 7 Comments

The annual Chaos Communication Congress (CCC) is always a bittersweet experience for me — I always go there with projects that I hope to work on (this year: SPMP, a TV Plug’n’Play version of Bejeweled with an SPG chip inside, a couple of DSis + TWLFPGA boards, SD cards and a logic analyzer to work on BootMii/SD card fail), and I almost never get a chance to work on any of them.  This year was no different, so I really should know better at this point.

We once again managed to snag a couple of tables in the Hackcenter for console hacking, and we did actually have a few consoles — mainly some Wiis and DSis in pieces.  Hardware was exchanged, and we looked at soldering the 50+ wires needed to connect up a twlfpga board to a DSi and just sort of gave up due to lack of lighting and the chaotic environment.   No, CCC is more of an occasion to meet old friends and make new ones.  I was also selling Proxmark3s that I had made for the occasion, and had the chance to meet some of the people behind that project.

There were plenty of interesting talks, and the nice thing about CCC (compared to the American conferences I’ve been to) is that you can watch them from home, either live via streaming video, or download the video in a variety of formats after the conference.  Here are some of the ones I considered to be personal highlights:

All presentation links contain a further description and slides or a video torrent.

  • GSM: SRSLY? was a talk on how it’s now possible to launch passive and active attacks on GSM calls with <$10K of equipment (depending on the setup).  Fascinating and scary stuff — they were supposed to give the world’s first public live demo of this on the fourth day of the conference, but were threatened and backed out of it at the last minute. 🙁
  • Building a Debugger was one of the more personally interesting and useful ones; Travis Goodspeed talked about his neighborly open-source “universal” hardware debugger interface / serial interface, GoodFET.  It currently supports a couple of JTAG-based protocols (mainly TI products, but there’s no reason you couldn’t add support for other processor families) and SPI-based protocols (SPI flash, AVR ISP).  It also supports voltage-glitching, and Travis explained how you can use that to read out the code from locked AVR chips.  It’s free as in speech, and about as close to free as in beer as you can get — if you can solder a couple of surface-mount parts, Travis will be neighborly enough to send you a free PCB if you email him and ask nicely (see the project webpage for his email address), and you can sample one of the chips for free from TI and then order the other one from DigiKey, etc.  Neat stuff — I used the SPI flash client to dump the SPI flash chip on the DSi’s Wifi dongle.   He also introduced a new “FYN-FYTN protocol“, which was unfortunately cut from the final, archived video — fortunately, I preserved it for posterity.
  • Finding the key in the haystack was a great introduction to Differential Power Analysis, a side-channel attack on AES which shows a lot of promise for use on things like the DSi (if you can wade through the math, at least :))
  • Blackbox JTAG Reverse Engineering (by our very own tmbinc!) gave a great insight into how JTAG actually works and how it can be used on random devices.  We’re still looking for it on the Hollywood and the DSi’s CPU…

There are too many presentations for me to list, so I suggest you go look at the full schedule yourself.

Afterwards, we went to the traditional c-base afterparty, where we gave marcan a couple of drinks and watched him code up a rotating cube on the spot on some random computer.

Sadly, I can’t say that we have any new breakthroughs from the event — work still is underway on the DSi front.  If nothing else, it was a lot of fun to see everyone — I believe we had the majority of Team Twiizers in attendance.

Tags: Wii

7 responses so far ↓

  • 1 SquidMan // Jan 4, 2010 at 4:14 pm

    First!
    Nice writeup, I totally missed that AES one. Gonna watch that one later. Wish I could’ve been there though 🙁
    That 3D cube is neat, too! :]

  • 2 Arikado // Jan 4, 2010 at 6:30 pm

    I’m really surprised they didn’t leave the FYN-FYTN protocol segment in the beginning of Building a Debugger. It makes the beginning of the video hard to understand unless you’ve seen the joke. Thanks for putting it on youtube so I didn’t get left in the dark bushing!

  • 3 me.yahoo.com/thegamefrea… // Jan 4, 2010 at 11:05 pm

    gasp! Yay! I’m *not* the only one who’s coded a rotating cube in the command line! I suddenly feel slightly more normal. Or, since I now have something in common with marcan, I guess that makes me slightly more godly. Either way, that’s awesome. ^_^

  • 4 tech3475 // Jan 5, 2010 at 8:38 am

    cheers for the wrap up. I always like to see C3 presentations.

  • 5 christian.remboldt // Jan 5, 2010 at 10:57 pm

    Props for the intentional or not MC Lars lyrics, in the building a debugger writeup.

  • 6 DCX2 // Jan 7, 2010 at 9:39 am

    Aw man that sounds like it was great fun to attend. The JTAG stuff is extra yummy…I’ll have to watch those videos. Thanks!

  • 7 fahhem // Jan 8, 2010 at 5:20 am

    Too bad the GSM demo got canceled, that would have been worth the trip.

    Btw, do you have any more proxmark3s? I was looking into them recently but making one is out of reach for my skill and equipment.

You must log in to post a comment.