Notes from inside your Wii


of homebrew and “trusted computing” / antipiracy

May 15th, 2010 by bushing · 52 Comments

Matthew Braga’s article prompted our good friend Nate to post some thoughts about how homebrew developers might be able to foil piracy on our favorite platforms. I had a few things to say on this subject, some of which I’ve gone over here in the past and a little of which I haven’t bothered to mention before. It got to be pretty long, and Nate suggested that I post it here instead of as a comment on his blog, so here we go.

(tl;dr version: We tried to avoid helping pirates on the Wii, we had varying degrees of success. In the end, it doesn’t really seem to have mattered and with the way that Nintendo has treated us, I don’t have a lot of interest in trying anymore.)

So, go read the root labs post before reading the rest of this one, or else it won’t make much sense.

Whether a software exploit can be put into a modchip at all depends on the nature of the exploit. On the Wii it made sense to use a hardware device to bypass the drive authentication, because the target really was a specific chip on the drive: every drive exploit involved injecting commands and code into one of a couple of serial ports on the drive’s MN102 controller chip, sometimes with clock glitching as well.

We did what we could to limit the usefulness of our Wii work to pirates. As for “why”, I guess I’d say it was some combination of not wanting to contribute to the piracy problem that already existed, a vain hope that Nintendo would see a difference between the homebrew work we did and what modchip makers were doing, and the desire to simply set a good example.

Our original release was the Twilight Hack, which was just a savegame exploit in Zelda. The Wii’s architecture is somewhat unusual: leaving aside the processor in the drive, you have a PowerPC chip that actually runs the games, and an ARM core that actually implements the security policy (encryption, authentication, etc.). Our exploit only gave you code execution on the PowerPC. That was enough to run whatever you wanted there (simple homebrew games, Linux, etc.), but it would have been difficult to use it to play pirated games: a retail game expects the ARM side’s security context to look “normal”, and you would have had to reinitialize that yourself. We did not release the ARM exploit (the strncmp bug) we had discovered at the time, but it was eventually rediscovered independently.

We eventually used that ARM exploit to develop a channel you could install without booting Zelda each time: the Homebrew Channel. For a while we had plans for some sort of “App Store” to go with it, much like the one Installer.app provided on the iPhone at the time, but those never got off the ground. Signature verification would have gone along with that: we could have set up our own PKI and started signing “good” apps, but that would have put us in the position of gatekeeper, deciding what was good and what wasn’t, and that wasn’t something I ever really wanted to be responsible for. (It was slightly amusing when, a year later, someone put up a troll blog and claimed we were going to do this.) Part of the problem would have been deciding what to allow. Sure, 100% homebrew games would have been easy to allow and ISO loaders easy to reject, but what about everything in between? There is a whole gray area of software out there (emulators, WAD extraction and installation utilities, system file patchers, updaters); we have a hard enough time agreeing on what software we like, much less deciding what everyone else “should” be using. (It also goes a bit against the spirit of the whole thing.)

The strncmp() bug we used for installing our channel was eventually patched, and we had to go and find new exploits to install it. That put us in the position of being the only ones able to install channels, while people could not install pirated WiiWare content; this was just fine with us! We obfuscated our installer, partly to frustrate Nintendo’s attempts to find our exploit and partly to stop people from reusing our code to install arbitrary pirated content. As far as I know, only one person ever reversed it (The STM Release Exploit), and we believe Nintendo only found it using a hardware debugger. We have since moved on to other exploits, and we continue to obfuscate them; pirates have had to make do with mix-and-match attacks, selectively upgrading parts of their systems, and some of them find different exploits to use.
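The post names the ARM signature bug only as “the strncmp bug” (above, and in the Twilight Hack paragraph). The following is an added example written for this page, not HackMii’s code, and it models the commonly described shape of that class of bug: a SHA-1 digest compared with a C-string compare that stops at the first NUL byte, so any content whose hash begins with 0x00 matches an all-zero “expected” hash. The all-zero expected hash, the 16-byte padding field and the sample payload are assumptions made for the demo, not details taken from the post; the fixed verifier uses a full-length constant-time compare, which is the generic correction rather than Nintendo’s actual patch.

```python
"""Null-terminated compare vs. fixed-length compare of a SHA-1 digest.

Added example (not HackMii's code). Models the commonly described shape of
the Wii "strncmp bug": a hash comparison that stops at the first NUL byte.
The zero expected hash and the 16-byte padding field are assumptions made
for this demo, not details taken from the post.
"""
import hashlib
import hmac

HASH_LEN = 20                 # SHA-1 digest length in bytes
ZERO_HASH = bytes(HASH_LEN)   # assumption: what a forged signature "decodes" to


def strncmp_equal(a: bytes, b: bytes, n: int) -> bool:
    """True when C's strncmp(a, b, n) would return 0.

    strncmp treats both inputs as C strings: it compares at most n bytes
    but stops early, reporting equality, when both buffers hit a NUL byte.
    That is wrong for binary data such as a hash, where 0x00 is just a
    value like any other.
    """
    for i in range(n):
        if a[i] != b[i]:
            return False
        if a[i] == 0:
            return True   # both NUL: the "strings" ended, declared equal
    return True


def verify_buggy(content: bytes, expected_hash: bytes) -> bool:
    """Verifier with the bug: compares digests with a strncmp-style check."""
    return strncmp_equal(hashlib.sha1(content).digest(), expected_hash, HASH_LEN)


def verify_fixed(content: bytes, expected_hash: bytes) -> bool:
    """Corrected verifier: full-length, constant-time comparison (memcmp-like)."""
    return hmac.compare_digest(hashlib.sha1(content).digest(), expected_hash)


def forge(template: bytes, pad_offset: int, max_tries: int = 1 << 20):
    """Brute-force the padding field until sha1(content) starts with 0x00.

    Only the 4 bytes at pad_offset (assumed to be don't-care padding) are
    changed, so the meaningful part of the content is untouched. Each try
    succeeds with probability 1/256, so roughly 256 tries are expected.
    Returns (forged_content, tries) or None if max_tries is exhausted.
    """
    buf = bytearray(template)
    for counter in range(max_tries):
        buf[pad_offset:pad_offset + 4] = counter.to_bytes(4, "big")
        if hashlib.sha1(buf).digest()[0] == 0:
            return bytes(buf), counter + 1
    return None


def demo():
    """Run the forgery against both verifiers on a constructed sample."""
    payload = b"homebrew channel installer payload (constructed sample)"
    content = payload + bytes(16)      # 16 bytes of assumed don't-care padding
    pad_offset = len(payload)

    forged, tries = forge(content, pad_offset)
    return {
        "tries": tries,
        "buggy_accepts_forgery": verify_buggy(forged, ZERO_HASH),
        "fixed_accepts_forgery": verify_fixed(forged, ZERO_HASH),
        "payload_intact": forged[:pad_offset] == payload,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the demo is the asymmetry: the attacker never needs a valid signature, only a content hash whose first byte is zero, which costs a few hundred SHA-1 computations over bytes nobody checks. Any comparison of binary digests has to be over the full digest length; a constant-time compare (hmac.compare_digest here, memcmp in C firmware) also removes the timing side channel that a byte-by-byte early-exit compare leaks.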

Not much we do seems to really deter pirates, and Nintendo has generally moved to fix the exploits we use more quickly than anything else — trying to keep the moral high ground hasn’t really done us much good. It’s made our work harder, it’s cut down on the amount of code we might release (only to have others release their own versions…) and Nintendo never seemed to appreciate it. They’ve pretty much burned through all the good will they’ll ever get on my part, at least.

Tags: Wii

52 responses so far

  • 1 copb.phoenix // Aug 11, 2010 at 5:12 pm

    I’d hesitate to argue with most of what is in the article… I’d say that you should have, somewhere on this side of them only responding to a public message, been either a bit more public or else a bit more pressing. That is not a call for you to move to do anything you wouldn’t do; they clearly want, as in the past and even now with several projects, to always have an upper hand, even in cases where one shouldn’t necessarily be had by anyone at all. Or everyone.

    Confusing brain is confusing. You’d have to know me; I apologize.

    Beyond all that, I don’t believe, according to what I know of you, that you did anything wrong. Most of us do homebrew as a pastime hobby, as something to get the boredom out of our lives. I’m not any exception to that rule – I de-“engrish” localizations for a hobby. I find the phrase “All your base are belong to us” to be both amusing in small doses, and unneeded in the context it originally appeared in.

    I don’t believe that it should be wrong to say “Oh, well, here is a device with several half decent processors, and capable of more than it is used for, so why can’t we use it for that?” It is not a novel feature to put something like NetFlix on the Wii when the device is technically capable of playing normal rental DVDs. Artificial limitations should never exist beyond protecting commercial interests; what I mean is: There is a severe lack of balance between consumer interests and commercial interests right now.

    However, that leaves me with a point of contention: There are a few things that have at least appeared successful at taking the fun out of piracy, from what I’ve seen. Riivolution, if at times troublesome, is still pretty neat. Why this can’t be done on a wider basis puzzles me. I’m working on my degree, but the more I look, the more puzzled I get. The greater fault lies with Nintendo for all of this – not for creating a device capable of being hacked, but for picking at the people working on age old questions and age old systems. If the plan is to push that creativity towards WiiWare or something like that, they clearly missed the point of all this.

    But, really, I do appreciate all you guys have done. I don’t have much, but one thing I do have is a file server and a way to play almost anything I own on demand anywhere in the apartment – something that I should be able to do without such nonsense, anyway.

    Actually, thank you for putting the features that should have been there in the first place into our systems. Don’t be ashamed of your work; be ashamed of the people who want to mislabel it as a threat before it becomes one.

    Rambles on. As I say, sorry. Even my English is struggling right now.

  • 2 Daemon4232 // Oct 30, 2010 at 9:29 pm

    Love the article, and to it I say this: “I would like to praise you for your commitment. I knock only once before I kick down doors. Meaning basically I tell whatever ‘higher power’ I have an issue, I wait it out a bit, and then if nothing, I let my bullets fly, guns blazing… That’s just how I work I guess. I’ve made a lot of people look bad doing it too… Can’t say I regret it though; if they can’t work with me I won’t “bend” to work with them. I’m John Doe down the street; they are working for a company… I try to help them out, but when that fails… well, now it’s really their problem.” I’m going to end this off with: I play the Wii, don’t love it, and I’m not majorly into homebrew… OK, maybe I could get attached to my Wii if it wasn’t a cash cow trying to get you to update, buy this new attachment, not to mention the batteries for the controllers, EXPENSIVE GAMES *cough cough*… problems like such… even so, Sony has the PlayStation Move out and the Wii has lost a lot of rep in my eyes… if Nintendo dies, they did it to themselves IMO
