After much deliberation, a winner has been picked for Phase One of the Ruckingenur Challenge. Congratulations to Fredrik of Sweden! You can view Fredrik’s submission at the end of this post.
It was tough picking a winner; while I only received 9 submissions, they were all very diverse and generally well thought out. While some seemed to be a little obscure for obscurity’s sake, it seems like most everyone who submitted has a pretty good grasp on what goes into making an interesting and complete level.
In other news, Phase Two of the Ruckingenur Challenge begins tomorrow! I will be posting rules and information then, so stay tuned!
And now, the Wee-CD!
Follow the fold for the rest of this submission!
The Wee-CD Hack
This puzzle is based on the first hacks for the Nintendo Wii console (in this puzzle, called the Wee).
Now to the challenge:
- You want to be able to run backed-up games on your Wii.
- The protection for this in the Wii is in the DVD-drive.
- If the Wii DVD-firmware says it’s a DVD-RW disc instead of an original-disc, the game won’t run.
- So the solution is to update/modify the firmware. The only problem is that the serial port for firmware update is password protected! So some clever guy used a timing-attack to figure out the password.
- A timing-attack measures the time between a sent password and the answer. The theory is that a strcmp-function inside the DVD-drive would take longer time to return the more correct letters in the password.
Example: If each letter takes 1ms (in the strcmp-function) to compare and the password is ‘FOO’, then the password ‘BAR’ will take 1ms to complete. But the password ‘FOI’ takes 3ms to complete, now we know the password starts with ‘FO’. And so on.
So that was my base for the puzzle.
You have two DVDs, one original game and backup of the same game (identical).
You have one wee DVD-drive.
You have one programmer.
- Tray Controller – controls the DVD-tray, moves the DVD in and out.
- Media Check – this chip reads the DVD and determines if its a DVD-RW or an original
- Copy Protection – this chip receives signals form the Media Check about the DVD-type. When a DVD-RW is detected it will eject the DVD.
- Programmer – Sends a copy of the EEPROM chip into the Copy Protection chip.
- Reader – When it receives a signal from the Copy Protection it starts to read the DVD, and output the contents to the serial-port.
When a DVD is inserted the Media Check will check what type of flag it has, original or DVD-RW. This information is sent to the copy protection chip. The Copy Protection chip compares the flag with its allowed types. If it’s OK a signal will be sent to the Reader, else a eject signal will be sent to the Tray Controller.
Controls the DVD-tray, moves the DVD in and out.
- EJECT-signal moves the DVD out, active +5V
- STATUS-signal signals +5V when the DVD is in, else 0V
This chip reads the DVD and determines if its a DVD-RW or an original.
- TRIGG-signal activates the chip
- SERIAL-signal sends ‘1’ When original DVD is detected, ‘0’ if DVD-RW
- DEBUG: read only, DVDFLAG = 0x000000x displays the type of flag sent
This chip receives signals form the Media Check about the DVD-type. It will compare the received flag from Media Check with it’s own Allowed flag register. The chip will send a EJECT-signal on all ‘errors’.
- DEBUG REGISTER: (read only) ALOWFLAG = default : 0x00000001
- SERIAL FROM MEDIA CHECK , Trigger chip when it receives a serial and compare it FLAGS register, if fails report ‘error’.
- SERIAL FROM PROGRAMMER ,
* phase(1): wait for password, simulate a strcmp-function send ‘error’ if wrong letter occurs. start the strcmp all over. After every say 10th try output ‘Wrong password’ on the serial. On success output ‘PASSWORD OK’. goto phase(2).
* phase(2): Receive update from serial port, the update is sent from the programmer, if there is a error, report ‘error’ and go to phase(1). (One idea is that the chip stops working if done incorrectly!)
- DONE signal, +5V when a DVD check is GOOD.
-When it receives a signal from the Copy Protection it starts to read the DVD, and output the contents to the serial-port.
- DONE signal from Copy Protection, trigger the chip if its +5V.
- SERIAL-PORT , data output, or ‘data-read-error-message’. The data output is just some random code/instructions.
A Trigger tries to read the DVD, if the DVD is not in the drive output ‘error message’ on serial port
Sends a copy of the EEPROM chip into the Copy Protection chip via the serial interface.
- Button – pressing this button activates the chip and sends EEPROM contents on the serial-port.
- DEBUG register : a copy of the register in Copy Protection chip. This register is however possible to edit.
1) Find the correct password. This is done by placing a Volt-probe at the eject signal. Then its time to ‘smart brute-force’ the password. The Copy Protection chip sends eject-signal every time something wrong has happened, like typing a wrong letter in the password. Try all letters starting from A,B,C… When we don’t get a eject signal we found our first letter in the password! So just keep trying. The serial port will answer with ‘PASSWORD OK’.
2) Send the correct password to the Copy Protection chip.
3) In the programmer chip change the allowed flags to DVD-RW.
4) Activate the programmer.
5) Insert the backup DVD! Watch the serial-ouput-data!