Interview with a Wii hacker

By Alex Bradner
14:04 Jan 29, 2008
Tags: wii | hack | interview | bushing | technical | details | information | hacked | mod
Atomic: Earlier you mentioned code. I take it you're dealing with assembly code, is this right?
Bushing: Yeah, sorry. We use disassemblers, which take raw binary data and produce assembly-language code, which is not very readable, but more readable than just looking at hex dumps.

Atomic: You mentioned earlier that you're in the process of pulling something apart now. Is that work on the system software, or something else that you've found?
Bushing: Sort of. It's hard to really stay focused while working on these things.

None of this stuff is documented, so often the only way we can determine what something does is by inference. I can take a bit of the PowerPC (aka "Broadway") code, and it will be sending a message to the Starlet.

Only by taking that code, the Starlet code, and a game disc together can I figure out that when the Broadway sends the message "0x1384956" to the Starlet, it's asking it to read the name of the game off the disc.

Even at a more basic level, we see little bits of code repeated throughout the whole system, often in unexpected places. If I can figure out that some particular bit of code resets the system in Wii Sports, it can help me "get my bearings in Zelda" (which is what I'm working on now).

As I said, this can get awfully tedious, and quite frequently I find myself running into a wall. It helps to be able to put one piece down and pick up somewhere else.

Atomic: What sort of headway have you made so far? I hear you've found an interesting vulnerability in the Zelda savegame code. Can you go into detail on that, or are you keeping that to yourself for now?
Bushing: Yes. We did our first public demo at 24C3, right after Christmas. There, we showed a really crude demo that we made by taking a game disc and modifying it -- just enough to prove that we'd modified it. (The proof here is a big deal because so many people make this shit up -- there have been at least 4 fake demos of people claiming to do similar things in the past month.)

Still, that required some pretty ugly hacks to pull off, but it was still the first time anyone had even gotten that far. Recently, we've been leveraging that experience to try to find cleaner hacks that we can release.

We're working on a special savegame for Zelda: Twilight Princess that will exploit a bug in the way it handles character names, and eventually let you boot code from an SD card. Hopefully.

Atomic: Is this the savegame exploit, using an original Zelda disc and your hacked save file which triggers the crash, allowing 4 lines of code to be executed?
Bushing: Close -- your description of the savegame hack is correct; we started out with 4 lines of code and are trying to grow that. I think we're currently at twice that.

Atomic: I'm guessing your experiment at 24C3 where you modified the original disk doesn't actually relate to this exploit, it was merely a learning tool.
Bushing: The demo at 24C3 used an unrelated attack, and it's one we're not disclosing details on to try to keep Nintendo from fixing it. Instead, we're trying to leverage it to make developing other hacks like this (the Zelda one) faster / easier.


Atomic: At this stage, custom code execution is only possible on your modified Wii. What mods do you actually have installed, and will the SD hack require a modded Wii?
Bushing: I just have your plain old "backup"-running modchip right now -- actually, an OpenWii -- and I've been using an SD card in a home-made SD card adapter.

No, the SD hack will *not* require a modded Wii. That's the big deal.

Atomic: So the demo at 24C3 didn't require all of the serial port hackery?
Bushing: No, it did -- the part you missed is just that we have multiple people doing multiple things. tmbinc is the one that pulled the hardware hack stunt on his Wii, but it was the kind of thing that really only has to happen once.

Atomic: How did you get from disassembling your data dumps to running your own code, and is this related to the discovery of the public key?
Bushing: Getting the key allowed us to decrypt discs and read them, and then figure out how to modify them such that the system would still boot off them.

Atomic: So at this stage you haven't been able to execute anything non-trivial from the SD slot, but you have been able to execute useful things from hacked proprietary Nintendo software?
Bushing: Well, I don't know if I'd even say we've ever been able to execute anything useful or non-trivial :) But yes, we started with hacked versions of games that we (of course) legally bought, because that's far easier than starting from scratch. The system has many safeguards in place to keep people from modifying code.
