Wii Uses Elliptic Curve Cryptography For Saves

An anonymous reader writes "A user at the Nintendo-Scene forums just posted a lengthy post about his discovery that the Wii savegame files are signed and encrypted with NIST B 233 bit elliptic curve cryptography. Could this be the first step for a Wii softmod the homebrew community have waited for? From the post: 'It appears a Wii savegame file ends with a certificate chain. The certificates contains a public keypair (the one that is being "certified") and a signature (another number pair) from the signing entity. The number pairs are stored as a compound 60 bit data (first 30 bytes for the first number, and the next 30 bytes for the second). Hence, the first and middle byte is always 00 or 01 for keys, and 00 for signatures. One can check that the keys are indeed NIST B 233 keys using openssls EC_KEY_check_key function (code forthcoming).'"

Re:More important than homebrew potential

[Eddi3]

Not criminals. Cheaters. They're keeping gameplay fair.

Re:More important than homebrew potential

[farkus888]

it would seem this way on the surface. but the potential for online games on the wii[see mario strikers charged or big brain academy wii degree for early efforts] means cheats for extra gold coins or whatever could have a negative affect on me. personally I am not interested in hacking my saves and would like to know people I am playing against online are not cheating, so this is something I would request. in my mind as a regular player [I own a wii console four full controllers 2 classic controllers and about 13 games, that makes me a big buyer for them compared to most] I feel that they have done me a service by trying to keep online gaming fair and I've not had anything I wanted to do on my wii hindered by this. just something to keep in mind.

for reference I am a linux user and took time out of writing a shell script for a solaris machine at work to write this response. normally your mentality is how I think but this time it doesn't stand up to a little critical thinking from the perspective of a fairly heavily vested party. [I don't know anyone who has spent more towards wii, games, and controllers than I have. though I am sure some /.er will outrank me here]

Mod parent troll

[VirusEqualsVeryYes]

Yet another case of a company treating customers like criminals.

What? Are you an idiot? How in hell does this treat customers like criminals?

Perhaps you don't understand why most /.ers think the RIAA treat their customers like criminals. The RIAA use DRM to restrict users such that their Fair Use rights are impeded. Further, they explain their actions away by claiming to thwart piracy. Further, they sue their customers with no initial proof that the defendant did anything illegal, and instead abuse the courts and demand to invade their property in order to then determine any wrongdoing. And further, they do all this solely for their own profit and not for the profit of the licensed musicians.

Nintendo does none of this. They encrypt savefiles. So what? This does not impede on your right to do anything. You can play any given game on as many Wiis as you wish. Nintendo is also not suing people to force hackers to halt breaking their savefile encryption. Game developers generally don't want players artificially advancing within games. Perhaps there are statistics stored within the savefile used online. Whatever's in the savefile is up to the game devs, and Nintendo is simply hiding that.

In other words, Nintendo is completely within their rights to encrypt savefiles. In turn, AFAIK, you are completely within your rights to attempt to break that encryption. And in turn again, Nintendo is completely within their rights to push out any updates to change or otherwise enforce their encryption. It's really that simple.

Re:More important than homebrew potential

[Anonymous Coward]

Slashdot puts passwords on its user accounts.

Just another case of Slashdot treating its visitors like criminals.

Re:More important than homebrew potential

[Josef Meixner]

No, I think there is a much more mundane reason. In the past some of the consoles were broken with manipulated save games, the games didn't properly check the data and so opened a hole. I would guess Nintendo didn't want to take that chance and so added an API which sits between the game and the saved data. As the saved data could be verified for being originally written by the game before the game would even get a chance to have a look at it, it means it is much harder to attack code not written by Nintendo to be exploited.

Disclaimer: I have never seen the API of a game console, this is only a wild guess.

Great, now about the next step.

[Neuticle]

(Assuming that this discovery allows people to write new, arbitrary yet signed data into a save file on a SD card that the Wii will recognize as a "valid" save)

The next step will be to search for an exploit in the console or in a game that allows execution of that data. The final step is to figure out how to get that newly loaded code to do something useful. I know this has been done before, but I'm under the impression that the exploit (in a 007 game) was found by chance. After that lucky break, the code-something-useful part came very fast.

Is there any way to search for such an exploit other than brute force testing of games? Are there things to look for that normal players might see, or do you have to just try to execute code over and over and over in various situations, hoping to find a hole? In short, how can I, a non-programmer, help?

I have hundreds of SNES and NES carts. I would love to be able to run those games on the Wii without having to buy them a second time or wait for N to trickle them out. Now if I can just hack together some Wii wireless SNES and NES pads, I'll be in heaven.

I for one dont have a problem with this

[kongit]

While encrypting the save files saved on the hard drive might seem like a logical step to keep people from cheating I don't think it will have much effect. I don't believe that cheating on games that you play by yourself or with friends on the same system (opening up maps for the multi player when you don't have any urge to play the solo game all the way through for one example) is in anyway wrong. However if the save file on the Wii effects online play versus people you don't know then well we have a problem. BUT I am sure that Nintendo doesn't do that since to do that would definitely make online playing a joke when the save files get hacked, and they will get hacked.

Additionally those that would of hacked the save files to install mods are not a majority of players on any system. Most people who own a console do not have the skill set or urge to install mods. While encrypting the save files will slow down the hackers it will most likely not stop them, so unless Nintendo did something stupid and made the Save files have full authority over online play encrypting the save files with elaborate means is just a waste of the players time as the games have to take longer to save.

Re:Uhh

[PhotoBoy]

There is a way to remove updates, it's a small program called Wii Brick Blocker that patches isos. It is rather ironic that Nintendo essentially force people into piracy with their updates...

Re:It seems to me...

[tpwch]

Yes, but they don't have to break it, they just have to find the public key. It must be stored somewhere on the wii, so it can do the encryption of the saves. They were able to find the keys for blu-ray and hd-dvd, so why not here?

Re:Uhh

[Volante3192]

Ironic? Only if you've modded your Wii. I've always considered a console in the realm of "no user servicable parts inside." Course, it's not like Nintendo plans to worry about every possible modding configuration available. Rather, they have a set piece of hardware and a set piece of software. Thus, designers know exactly what they have to code for.

Unlike Windows which you can get to install on damn near anything within reason.

I figure modders should get a second, control Wii if you will, that they can fall back on for games.

As much as I'm for tinkering, it's not like Nintendo's really promoting openess on their systems. Why should the modding community expect it? I feel the same way about the XBox and PS3 (although the PS3 not as much; Sony promoted the Linux part quite a bit).

Guess I'm just old fashioned in some ways. I like my consoles too much to tinker with em.

Re:Uhh

[arivanov]

No.

This means that Nintendo has a clue.

It is signing all the data with a certificate. Proper crypto, not DIY snakeoil ala most DRM schemes out there. The only way to break it is to get to the device key.

If they have done is right the key is per device and hardware protected by a crypto module. From there on breaking this at the crypto level is absolutely impossible.

The consequences are actually the opposite to what the clueless editor posted:

1. No chance for homebrew unless someone steals a cert from somewhere and even then Nintendo can simply revoke it using their online service or in a service pack.

2. All communication from the console to a server and back can be signed with strong crypto so no online game cheating.

As far as the elliptic curve cipher choice, this is a common choice for devices with very limited CPU or memory resources. That is what these ciphers are designed for.

All I can say: Applause Nintendo, applause, well done.

Re:WTF?

[Yvanhoe]

Or our votes....

It's just like Demolition Man...

[Tim Browse]

...where the police are looking for a violent killer, and then their surveillance locates him, and they all breathe a sigh of relief, as they assume that's the hard part done - all they have to do now is arrest him.

I can't help thinking that there's a wee bit more work to do than just find out what encryption method is being used.

Then again, maybe your average slashdotter thinks that 'breaking encryption' is as easy as 'guessing the algorithm used' :-).

Re:Uhh

[batkiwi]

This is a save game, not in memory. It now takes 3.4 seconds to load/save instead of the 3.33339 it took without the crypto. Yippie fucking do?

Re:Uhh

[John Betonschaar]

And why exactly would it be impossible to get the key if it's stored in hardware then? It might be impossible without a modchip, and it might be impossible with some kind of other software exploit to get to the hardware, but it's most definitely 'impossible' at all. The xbox 360 uses a similar encryption/signing mechanism (per-box key stored in the CPU, signed and encrypted kernel and savegames), and people have already found ways to get to it. Either through an exploitable kernel that enables booting linux (if you never updated your console) or through a timing attack on the boot sequence (using hardware modifications). After you have the CPU key the whole security system more or less falls apart, because it allows downgrading the kernel, and (afaik, but I'm not 100% sure) hacking/encrypting/signing modified kernels.

So although the security implemented in these savegames is definitely about as good as it gets for now, it is definitely not impossible to break.

Re:Uhh

[Lehk228]

AFAIK there is no deliberate bricking, but rather the update process and/or the newly updated system code can fail due to the presence of mods. Nintendo warns the user of this because they don't want an uproar about them sabotaging consoles if an update kills machines with a relatively common mod chip installed.

Re:Uhh

[PhotoBoy]

Actually no, I do not pirate games. I've been importing video games from the US and Japan since the days of the NES. I said it was ironic because if someone like myself had modded the system for imports and then bricked it, Nintendo would in theory have left them no choice but to pirate games or buy another Wii. Thankfully I have not bricked mine and can run imports without any problems. It simply seems odd to me that Nintendo would do something that would encourage piracy.

Next time try not to automatically assume modding = piracy, because it does not, no matter how much the hardware manufacturers like to say it does. If I could buy a mod chip that enables imports but not pirated games I gladly would. The constant erroneous association of modding with piracy by clueless people such as yourself has become extremely tiresome.

Re:Uhh

[Anonymous Coward]

Aren't Wii savegames transferable between Wii's? That would indicate that its not per device wouldn't it? Unless its reencrypted during transition which makes that a new weak point.

Re:Uhh

[AgentPaper]

The point isn't that you can make and use your own gasoline, and by extension, the point with modified consoles is not that you can physically open up the case and install the modification. The issue at hand is the conflict between two points of view: that of the hack-minded consumer, who believes that he/she is entitled to do anything he/she pleases to a product that he/she owns, and that of the product manufacturer, who believes that it is entitled to stop hack-minded consumers from using their product in a non-approved manner.

Can you modify your game console - that is, are you physically capable of altering its hardware? Sure! You can make it run imported games, homebrew games, Linux, anything you please. Heck, you can turn it into a motion-sensitive coffeepot if you want. However, the console manufacturer never sold you a motion-sensitive coffeepot, and they are under no obligation to support it if that's what you build out of it. To continue the car analogy, this would be like converting your new gasoline-powered vehicle to run on biodiesel, and then complaining to the dealer when it won't run on gasoline anymore. You're completely within your rights to do that, but the carmaker is also within its rights to make you support it yourself by taking away your warranty.

Re:It's just like Demolition Man...

[Eivind]

True, if the encryption/signing is implemented correctly, there's little hope that it'll be cracked anytime soon.

But there's another avenue for attack. Given that a wii-game is capable of creating, verifying and signing its own savefiles, this means that the encryption-keys are also stored either in the wii-console or in the game-software.

So, it's just a matter of extracting them.

Once you know *both* the method of encryption and signing, *AND* are in posession of the relevant keys, the rest really is a walk in the park.

Commodity hardware ain't terribly good at hiding encryption-keys from the owners of the hardware which can take it all apart, insert logic-probes and generally mess around with the hardware at will.