Not long after this year's E3 showfloor opened up for exhibitors, the internet started gossiping about a hacker who was supposedly trying to pilfer the impressive Zelda: Breath of the Wild demo from right under Nintendo's nose. For some sceptics, it sounded too incredible to be true. Illustration: Sam Woolley
How could someone possibly steal a demo from a kiosk that is presumably under a proverbial lock and key? Never mind the many fans hovering around the demo area, or the Nintendo representatives walking around the booth. This doesn't exactly look like the ideal place to swing a heist:
Image credit: gbatemp.net
And yet despite all these logistical issues, the idea that the Zelda demo could somehow escape Nintendo's control is not without precedent. Actually, incidents like that have already happened in the past. In 2004, two people almost got away with stealing a Metal Gear demo from the E3 show floor. Back in 2006, an unfinished Metroid Prime 3 E3 demo prototype found its way online. And in 2011, a Skyward Sword E3 demo was also uploaded to the internet and pirated ahead of the actual launch.
Since then, the internet has developed a culture of showboating on social media, especially in regards to hacking. Anybody can go online and say that they are X or they did Y, and it's often impossible to verify whether or not the boasts are true. Unsurprisingly, once the initial report of a potential hacker trying to steal the Zelda demo made the rounds, there were a number of people on the internet also claiming to attempt it. It is unclear whether or not the initial reported attempt inspired cry-wolf copycats, or if indeed multiple people had the same idea at the same time. Undoubtedly, some people are just bullshitting about trying to nab the Zelda demo.
Amidst all this, I found that the most famous Nintendo hacker of all, NWPlayer123, kept alleging that the rumours of an attempted Zelda demo heist were actually legit. NWPlayer123 confirmed to me that someone was trying to take the demo from E3, and she knew this because she was somewhat involved from the sidelines. Thing is, NWPlayer123 has a reputation online, and it's pretty solid. She is known for leaking the info of Splatoon's DLC before Nintendo announced it, even hacking the game so that Octolings could be playable. She has also datamined Super Smash Bros., along with other Wii U games. So when NWPlayer123 says someone attempted to take the E3 demo, I'm inclined to believe the rumour could be possible.
To be more specific, that someone was allegedly a 17-year-old game developer known for hacking Mario Kart 8. The hacker spoke to me over email, and told me about what he (supposedly) tried to do with the Zelda demo. As proof of his attendance, the hacker shared an image of his lanyard with Kotaku — though really, that could easily be faked. I did however see that the hacker was tweeting about attending E3 before the actual event started, and, in early June, even asked his followers if anybody would be willing to help him distract Nintendo attendants so that he could steal the demo.
According to the hacker, he didn't need access to the physical Wii U unit, beyond being able to use the system's tablet controller. "The Wii U hacking community has tools and resources to grab the game over the network as it is being played," the hacker said. I found one online tool that can be used to copy the data of any software running on a Wii U. Another debugging tool, known as TCP Gecko, can make a Wii U connect to a PC, where the user can then instruct the Wii U to take specific commands. Once a hacker starts "dumping" the data of the Wii U, finishing the job might take a couple of hours over a network.
During that time, the game itself might slow down, but so long as the hacker stays within network range, the dump could continue to process. As evidence, the hacker shared a video with me where he copied Mario Kart 8 to a computer while continuing to play the game.
I spoke to TCPGecko's creator, A.W. Chadwick — who was not involved with the alleged theft attempts — and he told me that, theoretically speaking at least, taking a demo using his software was indeed possible. To do it, someone would need to use an exploit done via the Wii U's internet browser.
"The user would navigate to a special webpage which tricks the Wii U into running code not developed by Nintendo (we call this arbitrary code execution (ACE))," Chadwick said. "Once the user has achieved ACE, they can then cause the Wii U to do almost anything they would like it to." That anything, he said, could include telling the system to dump its files onto a network.
Chadwick's tool was not created for the purpose of stealing software, nor does he endorse this type of usage of his program. "Like most tools however, my tools can be used for both good and bad purposes," Chadwick said. At the moment, the top Google results for TCP Gecko involve game cheats, or game modification.
The hacker says that he went into the Zelda booth on day one of E3 and noticed that the Wii Us showcasing the game were not retail units. This immediately put a wrinkle on his plan, because the program he wanted to use was not created to interface with Wii U kiosks, or development units. So, he and a few buddies regrouped and rewrote the program. Timeline-wise, this seems to hold up: A few days ago, the hacker uploaded a modification of the exploit to Github, and the description claims that the program was tweaked to work with development units.
"Having to code stuff last minute was a sort of stressing ideal [sic]," the hacker said. "Mainly [because] you never know how long or how much testing one might need to do before it works, and [there being] a very strict timeframe made the situation worse."
The hacker says he returned to the Zelda booth on E3 day two, ready to put his plan into action. As the hacker tells it, the security at the Zelda booth wasn't that bad, and that the crowds inadvertently helped him cover up that he "enter[ed] and exit[ed] the [configuration tools] in under 30 seconds". This aspect of the story raises my suspicion a bit, but it's actually not the thing that poses the biggest logistical problem for a theoretical demo theft. The Wii U's connection to the internet is the factor that would make or break a heist.
The hacker says that the units were not originally connected to the internet, which makes sense, considering that would make the Wii U vulnerable to anybody with hacking know-how. However, the hacker says that he used knowledge of leaked Wii U development tools, which are available online, to navigate around a non-retail unit's restrictions — like the inability to go to the home menu during a demo. The hacker says that he used a specific combination of button presses to enter the Wii U's system config tool, where he could manipulate the console's network settings to force the console online. From there, it was just a matter of running the internet browser exploit without getting caught. Easier said than done, especially given the fact that Nintendo was cycling people through its Zelda booth throughout the day.
The hacker says he then ran into another snag: TCP Gecko did not copy the right files. The hacker alleges that he was then forced to seek the help of a friend, NWPlayer123, who could perhaps tweak the program. Indeed, the last update to this other program on Github was uploaded just a few days ago, but the hacker says that it was not completed in time to grab Zelda that same day. At that point, the hacker's window to steal the Zelda demo was closing. With Friday coming up, it would be the last chance he would have to take the Zelda demo.
"Having all the setbacks gave a sort of disappointing but also a sort of thrill like essence feeling, it showed a level of excitement due to the fact we all had to race against the clock," the hacker said.
For all of the hacker's scheming, he says that his final attempt did not go as planned.
"On Day 3 I... arrived at the convention centre at 10:15 am, just 15 minutes after they opened the show floor, but by that time, they already have closed the line to play the demo as it was full," the hacker said. An anticlimatic end to a heist that would have been legendary. And yet, super convenient, no? The hacker and his pals can gain infamy just for "trying" and spreading the story of their attempt.
I spoke to a Wii U third party developer, Thomas Hopper, to verify some details about the hacker's tale. According to Hopper, his development unit does not have any magic key combinations to launch a config tool. However, the Wii U has more than one kind of development unit, and they don't all work in the exact same way.
"If you were blocking the home menu in your demo to [the] public on a devkit-light style unit the developer might have a key combination to get access to the home menu or a debug menu," Hopper speculated. While Hopper remained somewhat sceptical that the hacker's specific button combination could bring a unit to display configuration tools, he does admit that the hacker's tale is not entirely out of the question.
"They clearly have had access to a devkit at some point," Hopper said, after I shared the specifics of what the hacker allegedly attempted. "If you could somehow launch the system config tool you really could reconfigure the network settings."
The creator of TCP Gecko agrees that, hypothetically speaking, the hacker's story does seem believable. "I can't say for certain it is the case, but it seems quite plausible... my gut reaction is that there is no reason at a technical level to disbelieve what they have posted."
The hacker could not share any images or proof that he managed to fiddle with the Wii U kiosks at E3, but I can see that there was back and forth between him and other Wii U hackers on Twitter, where he was asking for help rewriting programs for the Wii U. I can also see that he was publicly troubleshooting some of the issues he came across on Twitter as well. Additionally, other hackers posted updates on their program tweaks around the same timeline that the hacker proposed. If the Zelda heist is a lie, it seems to be a well-coordinated one spanning multiple hackers, some of which are famed for knowing their shit. Maintaining a front like that could have been achieved through simpler terms, like just telling people that they tried and failed. Instead, these people went through the trouble of uploading actual program tweaks that could potentially jeopardise their reputation as ~elite hackerz~. Reputation is the only thing these hackers have to gain here, really.
The Goron in the room is this: Why go through all this trouble to break the law?
The hacker's motivations are arguably mischievous, given that he wanted to pirate the demo so that fans could play it. "It's an E3 demo and [there is] always unused content to see, not to mention it would be nice to play the game months early before its expected release," the hacker said. "Even though the end result was negative, I still find it to be completely worth it because why not risk chances in life?"
Others involved seemed to have more innocent intentions: NWPlayer123 tweeted that she was only really interested in the music files. Which, sure. Breath of the Wild's low-key tracks are pretty dope from what I've heard so far.
Kotaku cannot fully confirm whether or not the attempted Zelda heist of 2016 actually happened, and Nintendo told us that they have no comment on the situation. It could be that these hackers are just pulling a fast one on all of us. At the very least, it's wild to think that thanks to the advances in the Wii U hacking scene, a Zelda heist is even conceivable in the first place.