Changes

The Tweezer Attack was an exploit that involved the use of a pair of tweezers to bridge areas of memory, allowing homebrew code running in Gamecube mode to have access to limited sections of Wii memory in order to map out the rest of the console a small piece at at time.

The '''Tweezer Attack''' was an exploit that involved the use of a pair of tweezers to bridge areas of memory, allowing homebrew code running in Gamecube mode to have access to limited sections of Wii memory (MEM2) in order to map out the rest of the console a small piece at at time.

The Tweezer Attack has been patched against by Nintendo in order to prevent people from reproducing it and obtaining their Wii's private encryption keys.

In [[MIOS]], only the bottom 16MB (of 64MB) of MEM2 could be used; this was used to emulate ARAM. Because of this, Nintendo never bothered to clear out the other 48MB, which resulted in some of the higher addresses still having data from [[IOS]], [[BC]], and [[boot2]], all of which happily store the encryption keys in memory. As a result, by reconnecting the address lines to other 16MB windows of MEM2, it becomes possible to read these other bytes.

 

 

Prior to the fix, tmbinc had suggested an "anti-tweezer attack" where the lines were shorted into the bottom 16MB, where the emulated ARAM normally was. Nintendo seems to have attempted to patch that out by writing random data and verifying it, however, this would only be effective if the hash was verified after the memory was written, so the anti-tweezer hack probably still works.

 

The purpose of patching this hack is also unknown; it was initially suspected that it was to protect the Korean common key, although the Korean Wii turned out to not allow GameCube discs anyway (also, it did not even have the patched MIOS version at launch, or even the one that blocks Action Replay).

 

// 0x0D408000.  This resides in the on-chip SRAM.

 

From this, [[Team Twiizers]] was able to extract all of [[MIOS]]. After failing to disassemble it as PowerPC code, they discovered that it was actually ARM code. MIOS also includes the common key, which Team Twiizers now had.

aes_set_key(0x2B7E1516, 0x28AED2A6, 0xABF71588, 0x09CF4F3C);

== Technical explanation ==

for (i=0; i<1024; i++) {

In MIOS, only the bottom 25% of memory could be used. MIOS simply made sure not to keep any important things in that range. However, by modifying the wires, it was possible to manipulate the PowerPC into using other parts of memory as the bottom 25%, allowing the rest of memory to be seen. The data extracted is then sent out through a GameCube controller port, which tmbinc set up to be receiving in a computer. When this procedure was repeated for all regions of memory, the entire memory was known.

 

if (hash1[0] == hash2[0] && hash1[1] == hash2[1] && hash1[2] == hash2[2] &&

do_log_message("%s shaHash: %x %x %x %x %x [%u ticks]\n",

NULL, hash1[0], hash1[1], hash1[2], hash1[3], hash1[4], 0);

 

do_log_message("Hash comparison failed. Halting boot!\n");

== External Links ==

== External Links ==

 

* [http://web.archive.org/web/20090505005003/www.atomicmpc.com.au/Tools/Print.aspx?CIID=102079 Interview with bushing where he explains some of the details of the attack]

[http://web.archive.org/web/20090505005003/www.atomicmpc.com.au/Tools/Print.aspx?CIID=102079 Interview with bushing where he explains some of the details of the attack]

* [https://hackmii.com/2008/06/genie-into-bottle-mios/ HackMii post on the fix]

{{Stub}}

{{Stub}}