Christian Auby aka Desktopman released a homebrew Tetris game for Nintendo’s Wii console. For the download check out the linked page below; if you would rather see a video, it is right here: http://www.auby.no/files/wii/tetris.wmv
Thanks to brakken for the news and the screenshot! – http://www.tehskeen.com
Seems Bushing, Tmbinc and Segher did it! The Wii is finally exploited.
As I (Kojote) know tmbinc from various demoparties in the past and he is really a talented guy, there is no doubt about it now… The Wii has been exploited!
Check the video: http://youtube.com/watch?v=zaRhyEUOk44
A new version of the first Dual Layer ISO image dumper that has been verified to work for the Nintendo Wii has been released ( http://nekokabu.s7.xrea.com/blog/2008/02/post_34.html ). Using Wii/GC Raw Image Dumper Ver.0.05 you can dump the “second” layer of dual layer Nintendo Wii discs and with a little work join them with the first layer to produce a working backup.
Thanks to brakken / http://www.tehskeen.com for the news.
Here is another brand-new article from brakken:
Wiili.org is generally known for its attempt to gain the public’s interest in getting Linux up and running on the Nintendo Wii. They have been featured on many mainstream news sites and social media sites including Digg.com. What isn’t known and should be is the fact that the site administrator is copying its content from Wiibrew.org and there is turmoil going down surrounding the situation. To sum it up – Wiili.org is feeding off of other people’s work for profit.
[Read the rest at its release page]
Not only the Wii scene is affected by such people; I suppose generating lots of profit from other people’s free work is a common thing in the homebrew scene. Sadly.
Another fine news item, which you can thank brakken ( http://www.tehskeen.com ) for… :)
tmbinc has released a huge article about how he got the Wii to run the code he wants.
After bushing had shown the first homebrew exploit, a lot of stuff has happened in the Wii-world. The exploit was based on a hole in the disc hashing&verification, but the original finder (segher) decided that he doesn’t want the bug to be published. While this caused some controversy, the reason behind this was that the hole could be patched very easily in a future firmware version, as no original function relies on it. The next goal was to find a bug which could not be patched so easily, for example a savegame exploit. Patching such game exploits is considerably harder. Of course you could patch the game code when it is loaded (like some gamecube games are fixed in compatibility mode by the “gamecube compatibility IPL”), but we could just move on to another game. We wouldn’t lose that much power if a game bug is fixed, vs. a critical system bug. I can totally understand that people are annoyed by us not doing full disclosure. Nevertheless we try our best to balance our different interests. It’s not always easy, even inside a team. Still, the rule is: If you find a bug, it’s your choice what you do with it. If you don’t like that, find your own bug.
I’ve concentrated less on the high-level things, I’m generally more interested in the system design and security architecture. So I’ve dug into the bootloader.
What we knew before was that there is a fixed block of code called “boot1”, which is supposed to be the first code executed from flash. It’s ARM (“Starlet”) code, btw, the powerpc (Broadway) is booted much later. We didn’t know how boot1 is encrypted (rumours ranged from an LFSR-based streamcipher to AES), nor if and how it was hashed. But what we had was a program called “BC” (title id: 1-100), extracted out of a system update. We are absolutely not sure why BC does even exist (it might be used to return from GC mode to Wii mode, but why would you want to do so?), but what BC is doing matches what boot1 could be doing: Reading a bunch of sectors from flash, decrypting them, and checking a signature against a previously decoded cert chain, then jumping there. Once we re-coded the algorithm, it was clear that this in fact decrypts boot2. Encrypting a new boot2 requires signing the new hash. Now it turned out that “BC” also contains “the bug” (well, a similar one), so chances were big that boot1 also does. But flashing a new boot2 is dangerous if you have no return – there is a backup mechanism to boot another copy of boot2, but we cannot count on that for several reasons (for example, if our new boot2 code hangs, the backup would not be tried, as boot1 thinks that everything is right).
It also became clear that once we are able to execute starlet code, it will be a lot of trial&error. So what I did was to revive my old FPGA-based NAND flash emulator, which I once built for the Xbox 360. I wired the Wii’s flash pins to the FPGA. Now the Wii flash has different properties (large block, larger size, different ECC algorithm used), but I could adapt it in a matter of hours. I had to fix the RESET handling (the Wii is waiting for R/#B to go low for a short moment of time), and some minor things, but then it worked! I could boot from my FPGA instead of the original Flashrom. So I could do code changes in a matter of seconds, instead of always reprogramming the flashrom (potentially external). Because my FPGA board has “only” 512MB of RAM, I couldn’t fit the whole flash contents into the RAM. As part of the NAND emulation happens on the embedded PowerPC core in the FPGA (a Virtex 2 Pro), I just added an ethernet MAC, and used lwip to fetch the flash pages from a TCP server. That made the development cycle even easier, as I could now just modify the virtual NAND content on my PC!
[Read the rest of the article by following the link, thank you]
According to http://www.tehskeen.com there is something interesting in the “wild”.
Some more news has surfaced from #wiidev on IRC/EFNET. A member of the channel released a screen capture from the “Gay Fish” Nintendo Wii disc. This disc is used to restore Nintendo Wii consoles to their factory state and allows you to change some internal settings.
Unlike other sites that say this disc isn’t *available* it is as the person in #wiidev had to have access to it to post the screen shot. Although, I wouldn’t go asking for the disc or you’ll be banned. Maybe they should write up a BAN list for noobs (it might take up 20KB of space in a plain text file).
Source: #wiidev / IRC / EFNET
Discuss here: http://www.tehskeen.com/forums/showthread.php?t=6179
There seems to be an exploit for the Wii game Zelda.
Here is a quote from brakkens site http://www.tehskeen.com :
Here is a screen shot of an error in Zelda for the Nintendo Wii. So, what’s so important about this particular error? Well, let’s compare this to the GTA Exploit for the Sony PSP. Yes, that’s right.
Bushing along with Segher have been able to modify a save game from Zelda to crash the machine and to run their own code on it. Note that you won’t even need to “mod” your Nintendo Wii to run this exploit.
Yes, that’s right – an exploit for the Nintendo Wii has been discovered and it allows you to run custom code. The method is pretty simple. Copy over a save file for Zelda, load it and the code runs. Don’t get too excited yet. They have only been able to run 4 lines of code, but this is in a day’s work.
Segher was the one to find the exploit and Bushing has been testing it out with the aid of the USB Gecko. The process is far from simple as once you modify a save game it requires it to be signed with 3 keys. Here’s some info from Bushing.
“Once the Wii decrypts the save game, it checks its signature. Every Wii has its own private key which is used to sign save games, and when you save a game, the Wii actually saves three bits of data:
* The encrypted save game
* The signature for the save game (using your console’s private key)
* A copy of your console’s public key, signed by Nintendo.”
Of course, the end user wouldn’t have to go through this process unless they were wanting to inject their own code into the save game, but that shouldn’t be necessary because when I asked Bushing what his goal was he answered:
“Assuming we don’t run into a wall, it should be able to lead to a homebrew loader. I hope. No promises. :)”
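The chain of trust behind the three pieces bushing lists (and, in the same shape, the boot1 → boot2 signature check against a cert chain in tmbinc's article above), as an added illustration that is not code from the page, the team or Nintendo: Ed25519 stands in for whatever algorithms the Wii actually uses, the keys are constructed, and the Save layout is hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed keys: rootPriv stands in for Nintendo's signing key, consolePriv
// for one console's own key. Fixed seeds keep the example deterministic.
var rootPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
var consolePriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))

// Save carries the three pieces the post lists (hypothetical layout).
type Save struct {
	Blob        []byte // the encrypted save game (opaque here)
	Sig         []byte // signature over Blob by the console's private key
	ConsolePub  []byte // the console's public key
	ConsoleCert []byte // root signature over ConsolePub ("signed by Nintendo")
}

func RootPub() ed25519.PublicKey { return rootPriv.Public().(ed25519.PublicKey) }

// SignSave builds a save the way a legitimate console would.
func SignSave(blob []byte) Save {
	pub := consolePriv.Public().(ed25519.PublicKey)
	return Save{Blob: blob, Sig: ed25519.Sign(consolePriv, blob),
		ConsolePub: pub, ConsoleCert: ed25519.Sign(rootPriv, pub)}
}

// VerifySave walks the chain root -> console key -> save contents and fails
// on the first broken link, which is why an edited save needs re-signing.
func VerifySave(rootPub ed25519.PublicKey, s Save) error {
	if len(s.ConsolePub) != ed25519.PublicKeySize {
		return errors.New("bad console key length")
	}
	if !ed25519.Verify(rootPub, s.ConsolePub, s.ConsoleCert) {
		return errors.New("console key not signed by root")
	}
	if !ed25519.Verify(ed25519.PublicKey(s.ConsolePub), s.Blob, s.Sig) {
		return errors.New("save signature does not match contents")
	}
	return nil
}

func main() {
	s := SignSave([]byte("constructed save data"))
	fmt.Println("genuine:", VerifySave(RootPub(), s))
	s.Blob[0] ^= 1 // edit one byte of the save
	fmt.Println("edited:", VerifySave(RootPub(), s))
}
```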
Seems the first Wii release didn’t make it long…
Here is a quote from the page:
WAB.COM is now the property of the United States government.
The domain and web site were surrendered to U.S. law enforcement pursuant to a federal prosecution and felony plea agreement for conspiracy to violate criminal copyright laws.
Antonio Del Santos, a.k.a “AloneTrio” pled guilty in the United States District Court for the Eastern District of Virginia on January 25, 2008, to conspiring with others to violate federal copyright laws by illegally releasing copyrighted code illegally circumvent built-in security protections and allow individuals to run “homebrew” software on game consoles, such as the Sony PSP and Nintendo Wii. Del Santos and his co-conspirators used www.wab.com as the exclusive outlet to provide copyrighted code to individuals. As a result, the WAB website is now the property of the United States government. Individuals involved in this conduct face up to five years in federal prison and a fine of $500,000 for each count charged.
Piracy is the unauthorized, willful reproduction or distribution of copyrighted material, such as software, movies, music, and games. People who distribute pirated works over the Internet via IRC, FTP sites, web sites, or file-sharing networks, and people who download or reproduce pirated works are risking criminal prosecution. Piracy is a crime even when the works are distributed over the Internet for free or where the conduct does not involve monetary gain, such as the trading of pirated products for other pirated products.
The Department of Justice and federal law enforcement will continue to investigate and prosecute individuals and groups that violate the federal criminal copyright laws at home and abroad. For more information on these and other federal anti-piracy investigations, visit www.cybercrime.gov.
In fact the whole thing smells fishy. The page claimed to have ripped graphics from a PSX game, which turned out to be a homebrew one. So those who don’t believe it should check this video here: http://www.youtube.com/watch?v=u9sedsE4cxE
Also the grammar above seems fishy. Best is to forget the “first homebrew Wii” game for now. The US eagle, basically those two logos shown on the left and right, are hosted right on wab.com, plus it’s still the 24th in the eastern part of the States. Browsing for “similar” violation texts did not succeed. This all was way too fast for anyone to react properly, even for a government institution. Also the mentioned http://www.cybercrime.gov/index.html does not mention any case of “WAB”. I am sure they would announce their heroic success, if there had been any. (Those are partially results of discussing with EvilDragon/GP2x.de and reading the Maxconsole webboard.)
The coder AMOS, who created the original PSX game “Wartris”, is known to me in person. He might be very amused about this :) Oh “AMOS”, greetings to Vienna ;)
A stripped down version of Wartris can be found here: http://pdroms.de/files/1510/
It seems Team Wab released a native Wii homebrew, in fact the first native Wii homebrew game ever. It’s called Wabtris and uses ripped graphics from a Playstation 1 game.
The download seems to be currently down.
PDRoms note: As the download does not work, some people are already talking about a fake release. None of us should get too excited until real proof is given.
Wab is really proud to bring you the first and only Real WII Homebrew.
This release is called WABTRIS, a small tetris cover, WIIMOTE powered !!!
Stay tuned for the soon coming source code of it…
You just have to decompress, burn the ISO, and boot it with ANY modchipped WII, and follow the instructions.
Remember this is an “autobootable” DVD image, so you won’t go to the channel menu!
Special thx to “PissProduction” (all graphics and music are ripped from their MARVELLOUS game WARTRIS on Playstation 1) – Greetings: Crediar, AloneTrio, segher, bLAStY, etc… from #wiidev@efnet
With over 87,000 viewers of the YouTube video of the 24c3 Nintendo Wii Presentation plus the countless news articles on the Internet the world now knows the Nintendo Wii has been fully exploited allowing end users to run their own code in Wii Mode.
Brakken caught up with the guy for an interview, so let’s head over to tehskeen.com!