>The disc drive can receive commands to read conventional DVDs and some IOS contained hidden calls to send those commands. This was particularly worrying for piracy reasons.
AFAIK this was worrying enough for someone from Team Twiizers to try actually contacting Nintendo about it. I don't remember if it was bushing or marcan that tried to reach out, but Nintendo's response was to... ignore them, then cyberstalk them and call their employer. As a "two can play at that game" move, when Nintendo blocked the first title ID the Homebrew Channel used (HAXX), they changed it to JODI instead, referencing the name of Nintendo's current head of antipiracy operations.
I'd add a citation to HackMii but I wasn't able to find the actual post. Though I did see a lot of callout posts against various idiots trying to resell the Homebrew Channel. And callout posts against one particular idiot building really terrible piracy tools that would install a bunch of modified firmwares to your system, which risked bricking it... because Nintendo's system engineering was actually not that much better.
Yeah, one thing this article didn't quite get across is how fragile the Wii system software is. strcmp on hashes is just the tip of the iceberg. In fact, Team Twiizers would regularly dissuade people from playing around with custom channel banners because it was very, very, very easy to make one that would brick your System Menu if installed. And if you did that there was no recovery (at least, not until bootmii/boot2).
Here’s the post where they tried contacting Nintendo (and just heard from a bunch of pirates and trolls trying to prank them), but I can’t find Nintendo’s actual response: https://hackmii.com/2008/07/dear-nintendo/
Author here! Surprised to see it shared! This article was the first one where I studied how a cryptography-based system worked and how it was subsequently broken, back in late 2019. Lot of things in the website have changed since then.
For this reason I humbly ask, if you find any mistakes, please report them here:
What I think is crazy is there is a modding community that cuts up the Wii board. Specifically this guy GingerOfOz [1] that can fit a Wii in about the size of a GameBoy Color.
I always love these articles. I hadn't read this one yet even though it looks like it came out in early 2020.
I think it might be worth a paragraph or two about the innovative use of MEMS gyros and accelerometers in the Wiimote, Motion Plus, and Nunchuk. There's a reasonably good writeup about them here: https://arduino-projects4u.com/wii-motion-plus/ .
For a time, these were one of the easiest and most cost effective sources of small IMUs, giving birth to projects like the early drone flight control system MultiWiiCopter.
He returned to Microsoft (where he had been a research intern before) to work on a project that eventually became the Kinect for Xbox 360. Right after, he joined Google, and currently leads AR Devices & Experiences [1].
Not sure if it's related to Johnny's work at Google, but there's some cool experiences being built on top of AR Core and Geospatial Creator, with stark resemblance to the ideas and visuals of those early wiimote demos [2][3].
(disclaimer: Googler, but on a different team; no relationship to the things mentioned here other than being a fan of Johnny's wiimote hacks :)
> For people unfamiliar with C, strcmp is a routine used for checking if two strings are equal. This method receives three parameters: two strings and an integer, the latter states the number of characters to be compared. Afterwards, strcmp starts comparing each character until the end of any string is reached. Strings in C are just a chain of characters terminated by a \0 character, this means that strcmp stops comparing once any string reaches \0. Hence, by composing a Wii title in a way that its hash contains zeroes at the beginning, Starlet RSA computations will feed a string starting with \0 to strcmp. Thus, the comparison will always return equal… Title is signed!
This doesn't make sense. strcmp only needs two parameters (the two strings). Perhaps the article is talking about strncmp which takes a third "length" parameter which stops comparison after N characters. But in neither case would it behave as described in the article.
The only way to make it behave that way is if the code first did a strlen() on the channel's hash and then passed that in as the third parameter to strncmp(), which seems bizarre when you're comparing the fixed length output of a hash function...
You're right -- it's strncmp, not strcmp. The other missing piece is a property of RSA signatures: given message m, signature s, and public key (e, n), you verify the signature by checking that H(m) = s^e mod n. Normally, this is not reversible without knowing the private factors of n, thanks to the discrete logarithm problem. But if s is zero, then s^e mod n will always be zero.
So, if you brute-force m such that its hash starts with a zero byte, and change s to all zeroes, then the Wii computes strncmp(H(m) = '\0.....', s^e mod n = '\0\0\0\0...', length). Since both hashes start with null bytes, they are treated as empty strings and compare equal.
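The comparison failure described in this reply, written out as an added C example (not code from the article or from the Wii firmware): the string-style check stops at the first NUL byte, while a length-based byte comparison does not. The digests below are constructed sample values, not real Wii hashes.

```c
#include <stdio.h>
#include <string.h>

#define HASH_LEN 20  /* SHA-1 digest length, as used by Wii signatures */

/* Vulnerable check, modelled on the bug discussed above: the raw digest
 * bytes are treated as C strings, so strncmp stops at the first '\0'
 * in either buffer and never looks at the remaining bytes. */
int verify_vulnerable(const unsigned char *expected,
                      const unsigned char *computed)
{
    return strncmp((const char *)expected, (const char *)computed,
                   HASH_LEN) == 0;
}

/* Fixed check: compare every one of the HASH_LEN bytes regardless of
 * content. A NUL byte is just another value here. */
int verify_fixed(const unsigned char *expected,
                 const unsigned char *computed)
{
    return memcmp(expected, computed, HASH_LEN) == 0;
}

/* Constructed digests for the demonstration (hypothetical values). */

/* What s^e mod n decodes to when the signature s is all zeroes. */
static const unsigned char zero_digest[HASH_LEN] = {0};

/* A content hash that merely happens to begin with a 0x00 byte. */
static const unsigned char forged_digest[HASH_LEN] = {
    0x00, 0x3a, 0x7f, 0xc2, 0x11, 0x9e, 0x55, 0x80, 0x04, 0xde,
    0x6b, 0x27, 0xf0, 0x19, 0xaa, 0x43, 0x8c, 0x61, 0x2d, 0x77 };

/* An ordinary content hash with no leading 0x00 byte. */
static const unsigned char honest_digest[HASH_LEN] = {
    0x5c, 0x3a, 0x7f, 0xc2, 0x11, 0x9e, 0x55, 0x80, 0x04, 0xde,
    0x6b, 0x27, 0xf0, 0x19, 0xaa, 0x43, 0x8c, 0x61, 0x2d, 0x77 };

int main(void)
{
    printf("strncmp, zero sig vs forged hash : %d\n",
           verify_vulnerable(zero_digest, forged_digest)); /* 1: accepted */
    printf("memcmp,  zero sig vs forged hash : %d\n",
           verify_fixed(zero_digest, forged_digest));      /* 0: rejected */
    printf("memcmp,  honest hash vs itself   : %d\n",
           verify_fixed(honest_digest, honest_digest));    /* 1 */
    return 0;
}
```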
The proprietary Nunchuk port speaks the standard I2C protocol, which is probably how they made the MotionPlus pass through extension controllers (as a kid I thought the MotionPlus and Nunchuk used separate sets of pins). I hear all extension communications were encrypted (which is causing problems for Dolphin Nunchuk TAS recordings), but evidently third parties were able to figure it out, since third-party/knockoff Nunchuks appeared fairly quickly (including the Nyko Kama).
One thing I was never clear on is: does boot0, boot1 happen on power button? Or on power? I can't think of any other way a wii remote button press would start the system.
If I remember correctly it actually depends on if the system is in standby or not. If you plug in a Wii it starts off with no power (red light) so Wii Remotes won't turn it on. Once you turn it on however, turning it off kicks it into standby mode (yellow light), where paired Wiimotes will turn it on.
I can't verify this with my Wii right now because its standby behavior is... strange. I don't know if it's because I have bootmii/boot2 on it or what, but when it's supposed to be in standby, it instead constantly runs the fan as if it were still on. At some point in the past it worked as I described above though.
IIRC the powering on by WiiMote is handled by the BT chipset, which stays powered in all power states and in the normal standby mode wakes Starlet with a dedicated GPIO line. Also, while the WiiMote is more or less a compliant BT HID peripheral with a custom report protocol, the power button is handled in a different, somewhat weird proprietary way.
Another thing is that there are two different standby modes for wii once first booted (can be configured in settings), in one the Starlet is completely powered down (red LED) and in the other it stays on and runs scheduled tasks (orange LED). In early hardware revisions the fan is stopped in the orange mode, while in the later revisions it is temperature controlled (the first revisions will overheat and degrade/destroy the GPU if left in this standby mode for too long).