Matthew Braga’s article prompted our good friend Nate to post some thoughts about how homebrew developers might be able to foil piracy on our favorite platforms. I had a few things to say on this subject — some of which I’ve gone over here in the past and a little bit of which I haven’t bothered to mention. It got to be pretty long and Nate suggested that I post it here instead of as a comment on his blog, so here we go.
(tl;dr version: We tried to avoid helping pirates on the Wii, and we had varying degrees of success. In the end, it doesn’t really seem to have mattered, and with the way that Nintendo has treated us, I don’t have a lot of interest in trying anymore.)
So, go read the root labs post before reading the rest of this one, or else it won’t make much sense.
Putting a software exploit in a modchip is difficult to do, depending on the actual nature of the exploit — on the Wii, it made sense to use a device to bypass the drive authentication because you really were attacking a specific chip on the drive; in all cases, the exploits there involve injecting commands and code into one of a couple of different serial ports on the drive’s MN102 controller chip, optionally with some clock glitching.
We did what we could to limit the usefulness of the work we did on the Wii to pirates; as for “why”, I guess I’d say it was some combination of wanting to not contribute to the piracy problem that already existed, a vain hope that Nintendo would see a difference between the homebrew work we did and what modchip makers were doing, and the desire to simply set a good example.
Our original release was the Twilight Hack, which was just a savegame exploit in Zelda. The Wii’s architecture is somewhat unique — leaving aside the processor in the drive, you have a PowerPC chip used to actually run the games, and an ARM core that actually implements security policy (encryption, authentication, etc.). Our exploit merely let you run code on the PowerPC — this was enough to allow you to run whatever you want on the PowerPC (simple homebrew games, Linux, etc.). It would have been difficult to use this to play pirated games, because you would have had to reinitialize the ARM security context to get it to look “normal” for a retail game. We did not release the ARM exploit (strncmp bug) we had discovered at the time, but it was eventually independently rediscovered.
We eventually used that ARM exploit to develop a channel you could install without booting Zelda each time — the Homebrew Channel. For a while, we had plans of making some sort of “App Store” to go with it — much like the one present with Installer.app on the iPhone at the time — but those never made it off the ground. Signature verification would have gone along with that: we could have set up our own PKI and started signing “good” apps, but that would have put us in the position of being a gatekeeper, deciding what was good and what wasn’t, and that wasn’t something I ever really wanted to be responsible for. (It was slightly amusing when, a year later, someone put up a troll blog and claimed we were going to do this.) Part of the problem there would have been deciding what we wanted to allow — sure, 100% homebrew games would have been pretty easy to allow and ISOloaders would have been easy to reject, but what of everything in between? There’s a whole gray area of software out there — emulators, WAD extraction / installation utilities, system file patchers, updaters — and we have a hard enough time agreeing on what software we like, much less deciding what everyone else “should” be using. (It also goes a bit against the spirit of the whole thing.)
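To make the gatekeeper idea above concrete, here is an added sketch, written for this page and not code from the author or from the Homebrew Channel, of what the loader-side check against a homebrew-store PKI would have looked like. Everything in it is an assumption for illustration: the manifest format, the function names, the sample payload and the choice of Ed25519 (picked because Go ships it in the standard library, not because the post names an algorithm). The point it shows is the two checks a loader must combine, a trusted signature over the manifest and a digest match on the actual executable, and why failing either one has to reject the app.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the constructed metadata a hypothetical homebrew "app store"
// would sign: the app's name and the SHA-256 digest of its executable.
// Only the manifest is signed; the loader recomputes the digest itself.
type Manifest struct {
	Name   string
	Digest [sha256.Size]byte
}

// Bytes serialises the manifest in one fixed form so that the signer and the
// verifier are guaranteed to hash the same bytes.
func (m Manifest) Bytes() []byte {
	return []byte(m.Name + "\n" + hex.EncodeToString(m.Digest[:]))
}

// NewManifest builds the manifest for an app payload (hypothetical helper).
func NewManifest(name string, payload []byte) Manifest {
	return Manifest{Name: name, Digest: sha256.Sum256(payload)}
}

// SignManifest is the step the gatekeeper would run after deciding an app is
// acceptable. The private key never leaves the store.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

// VerifyApp is the loader-side check. The payload is accepted only if the
// manifest carries a valid signature from one of the trusted store keys AND
// the payload hashes to the digest that was signed. Either failure rejects.
func VerifyApp(trusted []ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	signed := false
	for _, pub := range trusted {
		if ed25519.Verify(pub, m.Bytes(), sig) {
			signed = true
			break
		}
	}
	if !signed {
		return errors.New("manifest not signed by a trusted key")
	}
	actual := sha256.Sum256(payload)
	if !bytes.Equal(actual[:], m.Digest[:]) {
		return errors.New("payload does not match the signed digest")
	}
	return nil
}

// Demo runs the three cases a loader has to get right and reports whether
// each one was accepted: a store-signed app, the same app with its executable
// swapped after signing, and an app signed by a key the store never trusted.
func Demo() (goodOK, tamperedOK, untrustedOK bool) {
	storePub, storePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := []ed25519.PublicKey{storePub}

	// Constructed sample payload standing in for a real executable.
	app := []byte("constructed homebrew payload; a PowerPC ELF would go here")
	m := NewManifest("example-homebrew-game", app)
	sig := SignManifest(storePriv, m)
	goodOK = VerifyApp(trusted, m, sig, app) == nil

	// Same manifest and signature, but one byte of the executable changed.
	tampered := append([]byte{}, app...)
	tampered[0] ^= 0xff
	tamperedOK = VerifyApp(trusted, m, sig, tampered) == nil

	// A correctly formed manifest signed with a key the store does not trust.
	m2 := NewManifest("unapproved-app", app)
	untrustedOK = VerifyApp(trusted, m2, SignManifest(otherPriv, m2), app) == nil
	return
}

func main() {
	good, tampered, untrusted := Demo()
	fmt.Printf("store-signed app accepted: %v\n", good)
	fmt.Printf("tampered payload accepted: %v\n", tampered)
	fmt.Printf("untrusted signer accepted: %v\n", untrusted)
}
```

The digest check is what keeps a signature from being reused on a different binary; the trusted-key list is the policy decision the post is reluctant to own, since whoever controls that list decides which of the gray-area tools load.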
The strncmp() bug we used for installing our channel was eventually patched, and we eventually had to go and find new exploits to use to install our channel — this put us into the position where we would be the only ones able to install channels, and people would not be able to install pirated WiiWare content; this was just fine with us! We obfuscated our installer, partially to frustrate attempts by Nintendo to find our exploit and partially to prevent people from using our code to install arbitrary pirated content. As far as I know, only one person ever reversed it (The STM Release Exploit), and we believe Nintendo only found it using a hardware debugger. We eventually moved on to other exploits, and we continue to obfuscate them; pirates have had to make do with mix-and-match attacks by selectively upgrading their systems and some of them find different exploits to use.
Not much we do seems to really deter pirates, and Nintendo has generally moved to fix the exploits we use more quickly than anything else — trying to keep the moral high ground hasn’t really done us much good. It’s made our work harder, it’s cut down on the amount of code we might release (only to have others release their own versions…) and Nintendo never seemed to appreciate it. They’ve pretty much burned through all the good will they’ll ever get on my part, at least.