Wii security

From WiiBrew
Jump to navigation Jump to search

The Wii has four basic ways of communicating with the environment -- games on DVDs, savegames on SD card, channels/VCs on SD card and updates downloaded from Internet. All of them need to be protected, for the Wii security model to hold up integrity. Different solutions are in place for all of the ways, even if there are similarities between them.

DVD discs

The DVDs are encrypted to avoid analysis, and signed to avoid modifications.

The encryption is a symmetric crypto, 128 bit AES-CBC. Symmetric means that the same key is used for both encryption and decryption. The Wii DVD contains of several partitions. Each partition has its own AES key. This key is stored on the disc, in the partition information, but it is encrypted with the master AES key. So, with the master AES key you can decrypt the partition keys, and with the partition keys you can decrypt the partitions. Lucky for us, the master AES key was extracted by the Tweezer hack.

The disc is signed by building SHA-1 hashes of small parts of the disc, then aggregating these hashes into a hierarchical structure, which is finally signed with a asymmetric crypto. This solution is chosen for efficiency, since asymmetric cryptos are extremely slow.

For more details, see Partition Data info on the Wiidisc page.

Typically, the first partition contains system updates, in the form of WAD files. The data content of the WAD files themselves are encrypted and signed, as well. It is encrypted by 128 bit AES-CBC, by a title key. The title key is encrypted with the master AES key, and is stored in the WAD.

Savegames on SD cards

bushing writes the following at MaxConsole: (http://forums.maxconsole.net/showpost.php?p=845262&postcount=82)

"When you copy a savegame from your Wii system memory to an SD card (in "Data Management"), it encrypts it with an AES key known to all consoles (SD-key). This is just to keep prying eyes from reading a savegame file.

The encrypted data is then signed with the private (ECC) key for your console. This is to prevent anyone from modifying the save file.

If I then give you a copy of my savefile, your Wii can decrypt it because it knows the shared secret. However, it has no way of checking this signature, because it doesn't know who I am nor my console's public key. To solve this problem, the savegame also contains a copy of the public half of my ECC key.

Now your Wii can verify that I signed it, but it has no way of knowing whether it was really a Wii that signed it, or if I just made up a new random ECC key to try to fool it. To solve this problem, the copy of my Wii's public key stored inside of the savegame is then signed with Nintendo's private key. So, the console now knows that the savegame came from a Wii, using a key that was assigned by Nintendo.

We solved the chicken-and-egg problem with our original memory-dumping hack. We got the private key from that Wii. Since any Wii can read any savefile, we only need to have one key -- it doesn't need to be re-encrypted / re-signed every time."

Channels on SD cards

(Need to add text here)

Internet updates

(Need to add text here)