Key Takeaways
- Nintendo Wii was quickly modded due to its similarities with the GameCube, allowing for piracy and homebrew early on.
- Team Twiizers, later fail0verflow, used clever exploits like manipulating Zelda save files to hack the Wii.
- While console modding remains challenging due to enhanced security, the fascinating world of computer security continues to evolve.
If you ever had a Nintendo Wii, you may have heard of how prolific the console modding scene for it was. While piracy ran rampant on the Nintendo DS, the Wii wasn't far behind shortly after its release. The Wii had a very similar makeup to the GameCube, using a more powerful but closely related processor and a very similar DVD drive. This meant that modchips for the GameCube were quickly ported over to the Wii, enabling piracy, and GameCube homebrew was able to run very early in the Wii's lifecycle, too. However, what you may not know is that to take things a step further, it was a pair of tweezers that managed to truly break open the Wii.
If you’ve ever heard of fail0verflow, that team was once known as Team Twiizers. This story is why they were originally called Team Twiizers.
Nintendo was smart when it came to running GameCube games on the Wii
…sort of
First and foremost, it’s important to understand how the Nintendo Wii functioned when it came to playing GameCube games. Essentially, when you launched a GameCube game on the Wii, the console would reboot into a GameCube sandbox mode that didn’t have access to the rest of the Wii’s system. In this mode, the Wii was more or less identical to a true GameCube, meaning that games retained complete compatibility, and Nintendo could safeguard the rest of the system from whatever was running in GameCube mode.
In GameCube mode, the Wii kept both of its memory banks, but the 64MB external chip (MEM2) was exposed to GameCube software only as Audio RAM (ARAM), and only its lower 16MB could be read. The other 48MB was locked off and, according to Ben ‘Bushing’ Byer at 25c3 in 2008, reads of it returned “random garbage.” The catch was that this 48MB was never cleared when the console dropped into GameCube mode, and the lock was enforced on the address the CPU asked for rather than on the row the RAM chip actually fetched. Team Twiizers exploited that gap with a pair of tweezers: shorting address pins on the memory chip made reads aimed at the permitted 16MB land in the locked-off 48MB instead, and as it turned out, the console’s encryption keys were still sitting in that memory.
Each console had its own set of per-console keys, among them an ECC private key and its matching public key; ECC (elliptic-curve cryptography) is a public-key system that fills the same role as RSA with far shorter keys. The NAND flash was encrypted with AES and protected by a keyed hash (HMAC) so that tampering would be detected. The real prize, though, was the Wii’s common key: the single AES key, shared by every Wii, that protects the per-title keys carried in every ticket, which in turn encrypt the titles themselves. It is a decryption key, not a signing key, so having it let you read everything on the console but change nothing.
This eventually led to the Twilight Hack
The Legend of Zelda: Twilight Princess was the final piece of the puzzle
To launch a title, the Wii would go through the following steps:
- Compute the SHA-1 hash of the signed data (the title’s ticket and TMD)
- Decrypt the attached RSA signature with the signer’s public key and extract the hash it carries
- If the two hashes match and the signer chains back to Nintendo’s root certificate, launch the title
- Otherwise, cancel execution
However, Nintendo’s implementation of that comparison was deeply flawed. The code compared the two 20-byte hashes with the C string function strncmp rather than memcmp, and strncmp stops at the first null byte it meets. That matters because RSA turns an all-zero signature into an all-zero result (0^e mod n is 0), so an attacker who supplies a signature made of nothing but zero bytes gets to present a hash of twenty 0x00 bytes. strncmp then compares that against the real hash, hits a null byte in the very first position, and reports a match whenever the real hash also begins with 0x00. This bug existed throughout most layers of the Wii. As a result, anything could be fake-signed to launch on the Wii as long as its SHA-1 hash starts with 00.
Getting a hash that starts with 00 is easy: tweak bytes the format does not care about (unused or padding fields, for instance) and rehash until the first byte is zero, which takes about 256 tries on average. Once it does, that file is accepted on any Wii. This meant not only that you could launch unsigned games, but that you could also install your own system menu, individual IOS modules, and your own boot2 bootloader, all of which the system would trust. The boot2 case comes with a caveat: boot2 is checked by boot1, which cannot be updated after manufacture, so a fake-signed boot2 only works on consoles whose boot1 still carries the bug. Nintendo fixed boot1 on later production runs, which is why BootMii cannot be installed as boot2 on every Wii.
However, Team Twiizers still needed a way to get fake-signed software onto someone’s Wii in the first place. With the keys recovered and the signature check understood, that turned out to be relatively simple. They built a buffer-overflow exploit around a bug in The Legend of Zelda: Twilight Princess: the game limited the length of Epona’s name on its own name-entry screen, but never re-checked that length when it read the name back from a save file. A specially crafted save file with an oversized name therefore overflowed the buffer the game copied it into, overwriting what sat beyond it, including the return address the game later jumped through, so that control passed to the attacker’s code instead of back into the game.
In practice, you would launch the game, load the crafted save file, and walk backward; the game would then load and run “boot.elf” from the root of the SD card. That file would typically be the HackMii Installer, which installed both the Homebrew Channel and BootMii (as a boot2 replacement where boot1 allowed it, otherwise as an IOS). Like the save file, the Homebrew Channel and BootMii could be signed in a way that the system would trust them.
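As an added example, not code from the game or from Team Twiizers, here is the shape of the save-loading mistake beside its fix. The layout is constructed: a 16-byte name field followed by a rupee counter stands in for whatever the real game had after its buffer (in the real exploit, ultimately the return address), and the malicious save is built inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_UI_MAX 8                 /* what the name-entry screen lets you type */

/* Constructed save-slot layout; rupees stands in for whatever follows the
 * name buffer in memory (in the real game, ultimately a return address). */
typedef struct {
    char     epona_name[16];
    uint32_t rupees;
} save_slot_t;

/* Vulnerable loader: trusts that the UI already enforced the limit, so it
 * copies the whole field from the file as a byte-for-byte overwrite that
 * starts at the name and runs on into whatever follows. Confined to the
 * struct here so the demo stays defined behaviour; a real overflow keeps going. */
void load_name_unchecked(save_slot_t *slot, const uint8_t *raw, size_t raw_len) {
    uint8_t *dst = (uint8_t *)slot + offsetof(save_slot_t, epona_name);
    size_t room = sizeof *slot - offsetof(save_slot_t, epona_name);
    memcpy(dst, raw, raw_len > room ? room : raw_len);   /* bound is the struct, not the field */
}

/* Hardened loader: validate the untrusted field against the same limit the
 * UI enforces, and only then copy. Returns 0 on success, -1 on rejection. */
int load_name_checked(save_slot_t *slot, const uint8_t *raw, size_t raw_len) {
    if (raw_len > NAME_UI_MAX) return -1;                 /* longer than any legitimate name */
    if (memchr(raw, '\0', raw_len) != NULL) return -1;    /* embedded NUL: not a real name */
    memcpy(slot->epona_name, raw, raw_len);
    slot->epona_name[raw_len] = '\0';
    return 0;
}

int main(void) {
    save_slot_t slot = { "Epona", 150 };
    /* Constructed malicious save: a 20-byte name, far past the 8 the UI allows. */
    uint8_t evil[20];
    memset(evil, 'A', 16);
    memcpy(evil + 16, "\xde\xad\xbe\xef", 4);             /* these four land on rupees */
    load_name_unchecked(&slot, evil, sizeof evil);
    printf("unchecked loader: rupees now 0x%08x\n", slot.rupees);
    save_slot_t clean = { "Epona", 150 };
    printf("checked loader: %d (rejected), rupees still %u\n",
           load_name_checked(&clean, evil, sizeof evil), clean.rupees);
    return 0;
}
```

The point is where the check lives: the name-entry screen is a convenience for the player, not a security boundary, because the save file arrives from an SD card the player controls. Anything parsed from that file has to be validated by the parser itself.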
The Twilight Hack was the first public hack for the Nintendo Wii that anyone could use on an unmodified console, with no modchip required, and it took Nintendo quite some time to patch this bug. Although the Twilight Hack was later blocked by system menu updates and replaced by other entry points such as Bannerbomb, the work done by Team Twiizers got the ball rolling. It all started with a pair of tweezers. Their efforts enabled other developers to follow suit and find new ways to mod the system: once initial access was gained, it became far easier to analyze the console and identify further vulnerabilities.
Nowadays, consoles are significantly more complex
Jailbreaking and modding is a lot harder nowadays
While Nintendo’s consoles have been hilariously blown open multiple times in the past, modern consoles are significantly more secure than ever before. The Nintendo Switch was initially compromised through a flaw in its Tegra X1 chip’s boot ROM (the USB recovery-mode exploit), which could not be patched in software on affected units, but later hardware revisions closed it, so newer Switches require a modchip to run unauthorized software. As for the PlayStation 5 and Xbox Series S and X, both have had security issues in the past, but Sony and Microsoft have largely kept them secure through ongoing updates and patches.
While console modding can be a lot of fun and an incredibly educational experience, stories like these highlight just how fascinating the world of computer security can be. With something as simple as a pair of tweezers, an entire console, the Wii, was compromised by shorting address pins on a memory chip, which let its protected memory be dumped. There are countless strange and intriguing tales in the world of technology, but the story of the Nintendo Wii remains one of the most captivating to me.
source: https://www.xda-developers.com/how-tweezers-defeat-nintendo-wii-security/