 |
WiiLi.org
a new revolution
|
| View previous topic :: View next topic |
| Author |
Message |
tuxido
Site Admin
Joined: 05 Nov 2006
Posts: 150
Digg It |
 Posted: Wed Jan 30, 2008 7:13 pm Post subject: Wii hacked! |
|
|
| Quote: | After bushing had shown the first homebrew exploit, a lot of stuff has happened in the Wii-world. The exploit was based on a hole in the disc hashing&verification, but the original finder (segher) decided that he doesn’t want the bug to be published. While this caused some controversy, the reason behind this was that the hole could be patched very easily in a future firmware version, as no original function relies on it. The next goal was to find a bug which could not be patched so easily, for example a savegame exploit. Patching such game exploits is considerable harder. Of course you could patch the game code when it is loaded (like some gamecube games are fixed in compatibility mode by the “gamecube compatibility IPL”), but we could just move on to another game. We wouldn’t lose that much power if a game bug is fixed, vs. a critical system bug. I can totally understand that people are annoyed by us not doing full disclosure. Nevertheless we try our best to balance our different interests. It’s not always easy, even inside a team. Still, the rule is: If you find a bug, it’s your choice what you do with it. If you don’t like that, find your own bug.
I’ve concentrated less on the high-level things, I’m generally more interested in the system design and security architecture. So I’ve digged into the bootloader.
What we knew before was that there is a fixed block of code called “boot1″, which is supposed to be the first code executed from flash. It’s ARM (”Starlet”) code, btw, the powerpc (Broadway) is booted much later. We didn’t knew how boot1 is encrypted (rumours ranged from an LFSR-based streamcipher to AES), nor if and how it was hashed. But what we had was a program called “BC” (title id: 1-100), extracted out of a system update. We are absolutely not sure why BC does even exist (it might be used to return from GC mode to Wii mode, but why would you want to do so?), but what BC is doing matches what boot1 could be doing: Reading a bunch of sectors from flash, decrypting them, and checking a signature against a previously decoded cert chain, then jumping there. Once we re-coded the algorithm, it was clear that this in fact decrypts boot2. Encrypting a new boot2 requires signing the new hash. Now it turned out that “BC” also contains “the bug” (well, a similar one), so chances were big that boot1 also does. But flashing a new boot2 is dangerous if you have no return - there is a backup mechanism to boot another copy of boot2, but we cannot count on that for several reasons (for example, if our new boot2 code hangs, the backup would not be tried, as boot1 thinks that everything is right). |
....
Please go to http://debugmo.de//?p=59 , for the full article.
Congratulations guys!!
 |
|
| Back to top |
|
 |
Wickett
Joined: 20 Jan 2008
Posts: 52
Location: East Central U.S.
Digg It |
| Posted: Wed Jan 30, 2008 7:36 pm Post subject: |
|
|
So am I right in saying they gave a Wii a virus?
_________________
 |
|
| Back to top |
|
|
meowimakittycat
Joined: 23 Dec 2007
Posts: 33
Digg It |
| Posted: Wed Jan 30, 2008 8:13 pm Post subject: |
|
|
| OMG OMG OMG w00000000000000000000t! great job |
|
| Back to top |
|
|
Link_of_Hyrule
Joined: 30 Nov 2006
Posts: 23
Digg It |
| Posted: Wed Jan 30, 2008 10:06 pm Post subject: |
|
|
| Wickett wrote: | | So am I right in saying they gave a Wii a virus? |
No they did not give the wii a virus.
Anyways yeh it looks awesome I hope they release the zelda save exploit soon so wii owners can enjoy a Wii Softmod. |
|
| Back to top |
|
|
Untitled
Joined: 09 Nov 2006
Posts: 7
Digg It |
| Posted: Wed Jan 30, 2008 11:27 pm Post subject: Re: |
|
|
| How long until linux is running with this hack |
|
| Back to top |
|
|
para
Joined: 20 Aug 2007
Posts: 89
Digg It |
| Posted: Thu Jan 31, 2008 12:01 am Post subject: Re: |
|
|
| Untitled wrote: | | How long until linux is running with this hack |
Being able to run your own code on the Wii is a major accomplishment, yes, but you still have to reverse engineer it. Unless whoever decides they want to figure out how to interface with the hardware is as proficient as these guys were in bypassing the security, it could (and probably will) take a while before running Linux on the Wii can even be considered to be viable. Of course I could be wrong...
I've never been part of any of these sorts of projects (although I'd like to get into Wiili when it gets started), but I'd imagine the process goes something like this:
- Bypass console security to run custom code on
- Reverse engineer the system to learn how to interface with hardware
- Use what you've learned from #2 to build a dev toolkit (this is probably the most interesting to me actually)
- Use the dev toolkit to port Linux
- Build custom games/apps with dev toolkit and Linux
_________________
wiiuse C wiimote library - http://wiiuse.net/ |
|
| Back to top |
|
|
Link_of_Hyrule
Joined: 30 Nov 2006
Posts: 23
Digg It |
| Posted: Thu Jan 31, 2008 1:45 am Post subject: |
|
|
| code on the wii is so similar to that of the gamecube i am sure that it wont be too long after the files are released before development speeds up and we get linux |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
