• Neosenshi (unregistered)

    Ah, if only all consoles could run Linux, and all hardware was easily hackable.

  • (cs)

    Let's see now -- gotta find the wtf. Ah, there it is! Idiotic corporate attempts to thwart the efforts of creative and enterprising customers. WTF?

  • (cs)

    I enjoyed the read, and I'm glad it was posted here (since I wouldn't have found out about this otherwise).

  • xxx (unregistered)

    RSA-2048 is a number, moron. When you make shit up, at least make it sound realistic.

  • Emphyrio (unregistered)

    Shouldn't it be

    if (fread(data, 1, fileLength, fd) == fileLength) { // file is ok }

    since fileLength was previously set to a multiple of 32? I assume the actual code didn't have the test reversed... that would have been a WTF.

  • Ken (unregistered)

    this isn't exactly the WTF I was looking for... but they really need to hire some decent coders. Either that, or the decent coders they hired already hate locking people out of hardware they bought with their own money, and are intentionally (while retaining plausible deniability) making it easy for everyone to hack.

  • sir (unregistered)

    This is exactly why game programmers should be kept away from crypto at all costs, or even better, why they should be kept from programming at all.

  • Bob (unregistered) in reply to xxx
    xxx:
    RSA-2048 is a *number*, moron. When you make shit up, at least make it sound realistic.

    RSA-2048 can refer both to the number and to the RSA encryption algorithm using said number. Moron.

  • Nick (unregistered)

    Belive it or not it's always harder to build a hack proof system than it is to hack one. My maxim in computer security is, "Once they have your hardware, they've already won."

    I would hope that it was a corporate decision and not a developer decision for them to roll their own crypto.

  • Steve (unregistered)

    Speaking of Wii hacks, a fellow named Johnny Chung Lee has been doing some pretty cool things with Wii remotes. You can find a talk, including demo, he gave at the TED conference here.

    A head tracker for around $40 is pretty nifty. I'm trying to free up some time to build a couple of his projects for some work I'm doing here.

  • (cs)

    I don't understand console regions. I don't understand why I can't buy (yes, buy) games released on other countries. It seems sooooo stupid to me...

  • (cs) in reply to Steve

    Wii make mii need to wee...

  • Lupus.Umbrae (unregistered) in reply to xxx
    xxx:
    RSA-2048 is a *number*, moron. When you make shit up, at least make it sound realistic.

    Ehem... RSA-2048 is, like the name says, 2048 bits long... that would be... 256 bytes. 256 BYTES. Which common datatype is 256 bytes big? I mean... int is 32 bits (or 4 bytes) big...cough

  • IByte (unregistered)
    Jake Vinson:
    They gave us movies like Super Mario Bros., widely considered the greatest film in the history of filmmaking [citation needed].
    http://en.wikipedia.org/wiki/Wikipedia:Avoid_weasel_words
  • (cs) in reply to gabba
    gabba:
    Let's see now -- gotta find the wtf. Ah, there it is! Idiotic corporate attempts to thwart the efforts of creative and enterprising customers. WTF?
    What about this one?
    There's even a utility to change the Wii's region, which is now being used for buying (yes, buying) WiiWare games that haven't been made available to all regions.
    Most of the video-game hacking does not hurt the console makers' accounts in any way. The guy already bought the Wii and the Twilight Princess. He might as well destroy the console while attempting to hack it, and obviously there wiill be no refund. If he has to buy a new console to replace the one he screwed, is Nintendo going to be not-too-pleased?

    And when they buy games that aren't available for their region they are actually doing a favor to Nintendo too.

    So, there are two major WTF here. The first and all too obvious is the use of "my personal homebrewed encryption" that is as secure as a jail cell made of candy bars; the second and more discussable is, as you said, going through a lot of effort to spoil the customer's fun and creativity for little to no gain.

  • shadowphiar (unregistered)

    To be honest, it looks like the Nintendo developers are doing just enough to convince their management or company partners that they're "working hard on trying to fix this problem of the evil hackers" but, deliberately, actually trying not to get in anyone's way.

  • TraumaPony (unregistered) in reply to Lupus.Umbrae
    Lupus.Umbrae:
    xxx:
    RSA-2048 is a *number*, moron. When you make shit up, at least make it sound realistic.

    Ehem... RSA-2048 is, like the name says, 2048 bits long... that would be... 256 bytes. 256 BYTES. Which common datatype is 256 bytes big? I mean... int is 32 bits (or 4 bytes) big...cough

    RSA-2048 = 25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357

  • BK (unregistered) in reply to Ken
    Ken:
    ... or the decent coders they hired already hate locking people out of hardware they bought with their own money, and are intentionally (while retaining plausible deniability) making it easy for everyone to hack.

    I suspect this is actually the case, possibly with management's blessing

  • (cs)

    Nice article. Thank you.

  • Lupus.Umbrae (unregistered) in reply to TraumaPony
    TraumaPony:
    Lupus.Umbrae:
    xxx:
    RSA-2048 is a *number*, moron. When you make shit up, at least make it sound realistic.

    Ehem... RSA-2048 is, like the name says, 2048 bits long... that would be... 256 bytes. 256 BYTES. Which common datatype is 256 bytes big? I mean... int is 32 bits (or 4 bytes) big...cough

    RSA-2048 = 25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357

    Yeah, I know what RSA-2048 looks like.

  • Hector Martin (aka marcan) (unregistered)

    More verbosely, the problem with the Twilight Princess hack check code is that they align the file length to a multiple of 32 (due to allocation and hardware cache coherency reasons), then try to read - the aligned length. If they don't read the data that they expected to read (since they just obtained the file length), that's an error, and for a hack check routine, that means it should return "no hack" just in case. They should have tried to read the unaligned length (and compared against that), which is the real length of the file. By reading the aligned length, the read only manages to read the real length, the == check fails, and the rest of their exploit check never runs. Technically, the file size check isn't part of the "check for exploit" code. It just happens that they try to read more data than there actually is available if the file size isn't already a multiple of 32 bytes.

    Well, that and the "only checks the first file" thing. Two separate hack check pieces of code (one on copy, one on boot). Each one has critical bug that makes it trivial to work around. Yay. It does successfully break copying the hacked save off of the console and onto another one (because the double file hack doesn't persist), but no one cared about that anyway.

    But yeah, to be honest, there are more real problems to their counter attack. Such as, oh, you know, thinking that no other game out there has similar bugs.

  • JimmyVile (unregistered)

    For the most part it seems that the homebrew scene caters to the geeks who want to see what they can do with the system. Sure, there are those that use these powers for evil, but the intentions of the majority of the community are pure.

    I don't know if I should laugh or cry. This is completely false. 99% of all users use the hacks to avoid paying for games as much as possible.

    It's very nice and creative when people hack consoles "to see what it can do", "express themselves" or do it "because [s]God[/s] Mario told them to". But it is always used as a means to get free games. Always. I really can't see how people can rationalize the impact they have on piracy with their tinkering.

    \Video Game journalist \Game Developer

  • (cs)

    Now virtual genitals can be traced back to the old Pong machine where hackers replaces the two bars with full length phallic sprite. Complete with wrinkles and hair... on occasion there were a few crabs skittering along the screen.

  • bigtuna (unregistered) in reply to JimmyVile
    JimmyVile:
    For the most part it seems that the homebrew scene caters to the geeks who want to see what they can do with the system. Sure, there are those that use these powers for evil, but the intentions of the majority of the community are pure.

    I don't know if I should laugh or cry. This is completely false. 99% of all users use the hacks to avoid paying for games as much as possible.

    It's very nice and creative when people hack consoles "to see what it can do", "express themselves" or do it "because [s]God[/s] Mario told them to". But it is always used as a means to get free games. Always. I really can't see how people can rationalize the impact they have on piracy with their tinkering.

    \Video Game journalist \Game Developer

    99% eh? really? care to.. i dunno.. back that up with anything? of course not. when you're making a sweeping generalization, why bother with facts?

    impact on piracy? really? here's a 'statistic' for you, and its probably a bit more accurate than yours. i'll say 99.99999999% of people who own Wiis have never and will never attempt to hack them. I'll go further and postulate that even if you added up the dollar amount of every instance of a hacker playing a game on a Wii without purchasing it you'd come out to less money than they've spent already trying to fix these stupid little security holes.

  • Machtyn (unregistered) in reply to sir
    sir:
    This is exactly why game programmers should be kept away from crypto at all costs, or even better, why they should be kept from programming at all.

    Hey, look! I found the WTF.

  • JB (unregistered)

    Great article. I think this is a slight mistake though:

    "Reason being that a zero byte in the hash will cause strncmp to stop comparing, assuming it's the string terminator"

    I think strncmp(str1, str2, n) compares up to n characters, ignoring the string terminator

    I hate to be pedantic - unless I'm wrong, in which case, I hate to be wrong.

  • (cs) in reply to TraumaPony
    TraumaPony:
    RSA-2048 = 25,195, 908,475,657,893,494,027,183,240,048,398,571,429, 282,126,204,032,027,777,137,836,043,662,020,707, 595,556,264,018,525,880,784,406,918,290,641,249, 515,082,189,298,559,149,176,184,502,808,489,120, 072,844,992,687,392,807,287,776,735,971,418,347, 270,261,896,375,014,971,824,691,165,077,613,379, 859,095,700,097,330,459,748,808,428,401,797,429, 100,642,458,691,817,195,118,746,121,515,172,654, 632,282,216,869,987,549,182,422,433,637,259,085, 141,865,462,043,576,798,423,387,184,774,447,920, 739,934,236,584,823,824,281,198,163,815,010,674, 810,451,660,377,306,056,201,619,676,256,133,844, 143,603,833,904,414,952,634,432,190,114,657,544, 454,178,424,020,924,616,515,723,350,778,707,749, 817,125,772,467,962,926,386,356,373,289,912,154, 831,438,167,899,885,040,445,364,023,527,381,951, 378,636,564,391,212,010,397,122,822,120,720,357
    That's a big number. So, what would that be in binary? ;^)
  • me (unregistered)

    Speaking of Nintendo security fuckups, the Gamecube one is classic. They encrypt the IPL and place it on a chip external to the chipset and use a LFSR to read and decrypt it one bit at a time. The shift register they use require one bit to be shifted in and out of the register at the same time but after reading the decrypted byte they don't clear the register so while a new byte is being read in the old register contents are read out. Since the old decrypted data was in the register, guess what could read on the output line.

  • Hector Martin (aka marcan) (unregistered) in reply to JimmyVile
    JimmyVile:
    I don't know if I should laugh or cry. This is completely false. 99% of all users use the hacks to avoid paying for games as much as possible.
    If they can. Up until very recently, you couldn't load pirate games with homebrew. And currently the loader still sucks. VC piracy came earlier, because it was easier. Exactly one unscrupulous person is responsible for those two forms of piracy via homebrew.

    If it weren't for that guy and a few people like him, homebrew would have nothing to do with piracy. I think you'll find that the vast majority of the homebrew development community wants nothing to do with piracy. And typically the ones that do aren't the brightest. VC piracy came early because it was obvious (unencrypted, unsecured content stored on the console). Disc piracy had to wait until 6 or 7 different critical unrelated pieces existed in the homebrew world. Then that guy used those to cobble together a flimsy pirate copy loader. It wouldn't have been possible at all had Nintendo not included a standard-DVD-read "backdoor" into the DVD drive to be able to read unsigned, unsecured discs. Without that, there's no physical way of getting the drive to accept an unlicensed disc (the drive is an entirely different subsystem from the main board of the console, and can't be "hacked" via software).

    JimmyVile:
    I really can't see how people can rationalize the impact they have on piracy with their tinkering.
    You'd be surprised to see the lengths we've gone to to avoid catering to the piracy community. And the flamewars that have gone with that. And how much we hate piracy. There's no need to blame the entire tinkering community for the work of one or two guys.

    By the way, we don't support "backups" either, because (and we'll definitely agree on this) 99% of people who claim they want to use "backups" really want to pirate games.

    \Wii hacker \Piracy flamewar specialist

  • cod3_complete (unregistered)

    That is, until someone looked at the core function via a disassembler that performed the RSA and SHA-1 verification. I luv this sh^%. Hector really should write a book on Wii hacking. Seriously...

  • Hector Martin (aka marcan) (unregistered) in reply to JB
    JB:
    I hate to be pedantic - unless I'm wrong, in which case, I hate to be wrong.
    You're wrong. That's memcmp (memory compare, without special zero treatment). Which is what they should have used. strncmp stops on a zero.
  • ... (unregistered) in reply to JB
    JB:
    Great article. I think this is a slight mistake though:

    "Reason being that a zero byte in the hash will cause strncmp to stop comparing, assuming it's the string terminator"

    I think strncmp(str1, str2, n) compares up to n characters, ignoring the string terminator

    I hate to be pedantic - unless I'm wrong, in which case, I hate to be wrong.

    You're wrong. It compares up to n chars or a zero byte, whatever comes first.

  • anon (unregistered) in reply to konamiman
    konamiman:
    I don't understand console regions. I don't understand why I can't buy (yes, buy) games released on other countries. It seems sooooo stupid to me...

    Well, to be quite frank, regions are fairly archaic, they were originally used by Nintendo for the NES. Really, it's split up by language and TV-standard...

    And there is something to be said for country lockout, as there are certain games that are banned for sale in a country, and a publisher could be prosecuted if they sold them.

  • Mike R. (unregistered)

    I thought I was on Wired.com while reading this. It's an interesting read, but maybe it should belong on another site?

  • Capt. Obvious (unregistered) in reply to Smash King
    Smash King:
    The guy already bought the Wii and the Twilight Princess. He might as well destroy the console while attempting to hack it, and obviously there wiill be no refund. If he has to buy a new console to replace the one he screwed, is Nintendo going to be not-too-pleased?
    Well, Nintendo, like all console manufacturers, loses money on the hardware and only makes it up on the discs sold. So

    a) being able to make games that run on their hardware without giving them their cut and b) buying and discarding consoles

    are both bad for them.

  • Asiago Chow (unregistered)

    Not seeing a WTF.

    The encryption isn't for security in the "control access to this information for its useful life" sense. It is to show due dilligence. It is exactly like the cheap tumbler lock you have on your front door. It's so Nintendo (or you) can stand up in court and say, "yer honer, we were doing our part, we used locks...and these people broke them."

    Nintendo really doesn't care about homebrew hackers using their hardware...in fact they probably think it is neat...but they've got to show reasonable care. If you know your front door doesn't lock and you don't fix it in a reasonable time frame that can look bad to a judge. You must show that you are taking reasonable steps in a reasonable timeframe. Replace your busted front door lock with another Home Depot Schlage within a couple of days, fix your game code to check for file size within a year or so, it's all the same. In either case the act isn't going to stop someone or even slow them down...a Schlage tumbler lock can be opened in seconds by someone who knows how, and the file size check isn't going to stop a hacker either...but it shows that you are taking reasonable care and that strengthens your case when it comes before the courts.

    Nintendo has a long history of using technology to lock out third parties. E.g. the old 8-bit NES system hardware "key chip". The technology is just one leg of their tripod of protectionism. The other two are the courts and control of supply to retail. That is a WTF...but it wasn't much mentioned in the story.

  • James (unregistered) in reply to anon
    anon:
    konamiman:
    I don't understand console regions. I don't understand why I can't buy (yes, buy) games released on other countries. It seems sooooo stupid to me...

    Well, to be quite frank, regions are fairly archaic, they were originally used by Nintendo for the NES. Really, it's split up by language and TV-standard...

    And there is something to be said for country lockout, as there are certain games that are banned for sale in a country, and a publisher could be prosecuted if they sold them.

    AFAIK, the most commonly cited reason for region-locking is regional pricing. In some regions, games sell for more or less depending on the value of the local currency and the average wage in the area. For instance, in South America, the cost of a game (in USD) might be substantially less than in richer regions like North America or Europe. If the games in South America worked in North American consoles, it would be profitable to bulk-ship South American games northward and resell them. Likewise, when the Euro was way up, people were paying 50 or 60 Euros for a game that costs 50 or 60 dollars stateside -- it could be a premium of up to 40%, and international shipping is a lot cheaper than that.

    Granted, that doesn't explain the VC games (I think they're the same "Wii Point" cost everywhere), but it's a prime business reason behind lockout for physical media.

  • Wheee (unregistered) in reply to Capt. Obvious

    Actually, unlike the other console manufacturers, Nintendo always turns a profit on their consoles.

  • Yoda (unregistered)

    It has been a while since I last coded in C/C++, but wouldn't the following code also be valid?

    fileLength = getfilelength(savefile); if(fileLength % 32 == 0) { // The file length is a multiple of 32 return NO_EXPLOIT; }

  • Hector Martin (aka marcan) (unregistered) in reply to Capt. Obvious
    Capt. Obvious:
    Well, Nintendo, like all console manufacturers, loses money on the hardware and only makes it up on the discs sold.
    Nintendo is the only console maker this generation that is making a profit on each console, reportedly.
  • Justin Hilyard (unregistered) in reply to Capt. Obvious
    Capt. Obvious:
    Well, Nintendo, like all console manufacturers, loses money on the hardware and only makes it up on the discs sold.

    Actually Nintendo is the only one of the three manufacturers that doesn't lose money on the hardware. Their margin is paper-thin, but they do make a profit on the Wii.

  • James (unregistered) in reply to Capt. Obvious
    Capt. Obvious:
    Smash King:
    The guy already bought the Wii and the Twilight Princess. He might as well destroy the console while attempting to hack it, and obviously there wiill be no refund. If he has to buy a new console to replace the one he screwed, is Nintendo going to be not-too-pleased?
    Well, Nintendo, like all console manufacturers, loses money on the hardware and only makes it up on the discs sold. So

    a) being able to make games that run on their hardware without giving them their cut and b) buying and discarding consoles

    are both bad for them.

    Not so fast! Nintendo had the smarts to cheap out on hardware, so they actually make about 50 bucks per Wii. Why do you think a Wii has ~1/4 the horsepower of a 360 yet sells for only 50 bucks less than a comparable model? Because people are willing to pay for it!

  • Hector Martin (aka marcan) (unregistered) in reply to Yoda
    Yoda:
    It has been a while since I last coded in C/C++, but wouldn't the following code also be valid?

    fileLength = getfilelength(savefile); if(fileLength % 32 == 0) { // The file length is a multiple of 32 return NO_EXPLOIT; }

    They didn't even plan on checking the file length. They inadvertently made their code do, effectively, this:

    if(fileLength % 32 != 0) { // oops, bug! return NO_EXPLOIT; }

    While all they wanted to do is this:

    if(file read that should never fail failed) { return NO_EXPLOIT; }

    In other words: they read more data than is available if the file length isn't a multiple of 32. Then, when that fails, they consider it an impossible error and just pretend like everything is fine.

    The actual, original exploit file was a multiple of 32 bytes. Their actual exploit check comes later and involves checking the length of several strings inside the save file. Our new exploit file is exactly the same as the old one, except we added a single byte at the end of the file to cause the read check to fail, which means they never get to check the actual contents of the file.

  • cod3_complete (unregistered)

    So I wonder where the disassembled code is being recovered from though. So is Hector reading it from the ROM or something?

  • Rehevkor (unregistered) in reply to JimmyVile
    JimmyVile:
    For the most part it seems that the homebrew scene caters to the geeks who want to see what they can do with the system. Sure, there are those that use these powers for evil, but the intentions of the majority of the community are pure.

    I don't know if I should laugh or cry. This is completely false. 99% of all users use the hacks to avoid paying for games as much as possible.

    It's very nice and creative when people hack consoles "to see what it can do", "express themselves" or do it "because [s]God[/s] Mario told them to". But it is always used as a means to get free games. Always. I really can't see how people can rationalize the impact they have on piracy with their tinkering.

    \Video Game journalist \Game Developer

    I hear that 99% of statistics are made up on the spot.

  • Nikkelitous (unregistered)

    Am I the only one that knows that you can install Linux on an unmodified PS3? It even has instructions in the PS3's manual. You just can't get hardware acceleration.

  • A Gould (unregistered) in reply to Capt. Obvious
    Capt. Obvious:
    Well, Nintendo, like all console manufacturers, loses money on the hardware and only makes it up on the discs sold.

    Nope. Report: Nintendo Makes About $49 Per Wii Sold in U.S.

    You're correct that everyone else is taking a soaking on the console, but Nintendo did something right this time.

  • (cs) in reply to TraumaPony
    TraumaPony:
    RSA-2048 = 25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357

    Now, that's funny. Recently, I had to work with a lib for arbitrary large numbers. I just got a few large primes from the internet to test the lib. The product of two of them is just the same as the number you put there.

  • JD (unregistered)

    This was a quality article and I offer my thanks for printing it. Not exactly the standard TDWTF fare but a very interesting article and definitely enough WTFs here to keep the purists happy. I mean, how can you think anything other than "WTF?" when Nintendo produces a console with a DVD player that can't play DVDs - then get all surprised when enterprising hobbyists manage to implement this functionality, just like they should have done in the first place. If you don't want hobbyists getting the most out of their consoles then don't deliberately restrict their functionality!

    Further more, homebrew and piracy are absolutely not synonomous but very often the boundaries become blurred because techniques used in facilitating homebrew can very often be modified to support piracy. If Nintendo made efforts to support homebrew they would be in a much better position to ensure that legitimate homebrew applications do not provide a route to piracy.

    The last thing I ever wanted to do was make illegal modifications to my (expensive) console in order to run homebrew apps. But since I've been forced to install a mod-chip for that very purpose, I can now theoretically pirate any game I want. This is the situation that Nintendo have invited upon themselves and for this very reason, I would argue that Nintendo are actually encouraging piracy by trying to suppress the homebrew community.

    By the way, if you're reading this Hector, my hat goes off to you. Thank you very much for your fine contributions to the community.

  • Vile Jimmy (unregistered) in reply to JimmyVile
    JimmyVile:
    For the most part it seems that the homebrew scene caters to the geeks who want to see what they can do with the system. Sure, there are those that use these powers for evil, but the intentions of the majority of the community are pure.

    I don't know if I should laugh or cry. This is completely false. 99% of all users use the hacks to avoid paying for games as much as possible.

    It's very nice and creative when people hack consoles "to see what it can do", "express themselves" or do it "because [s]God[/s] Mario told them to". But it is always used as a means to get free games. Always. I really can't see how people can rationalize the impact they have on piracy with their tinkering.

    \Video Game journalist \Game Developer

    Troll or retard? I'm voting retard.

Leave a comment on “Anatomii of a Hack”

Log In or post as a guest

Replying to comment #:

« Return to Article