Wii News
Added Jan 30, 2008, Under:
Wii
Another fine news item, which you can thank brakken ( http://www.tehskeen.com ) for… 🙂
tmbinc has released a huge article about how he got the Wii to run code he wants.
Read on:
After bushing had shown the first homebrew exploit, a lot of stuff has happened in the Wii-world. The exploit was based on a hole in the disc hashing & verification, but the original finder (segher) decided that he doesn’t want the bug to be published. While this caused some controversy, the reason behind this was that the hole could be patched very easily in a future firmware version, as no original function relies on it. The next goal was to find a bug which could not be patched so easily, for example a savegame exploit. Patching such game exploits is considerably harder. Of course you could patch the game code when it is loaded (like some gamecube games are fixed in compatibility mode by the “gamecube compatibility IPL”), but we could just move on to another game. We wouldn’t lose that much power if a game bug is fixed, vs. a critical system bug. I can totally understand that people are annoyed by us not doing full disclosure. Nevertheless we try our best to balance our different interests. It’s not always easy, even inside a team. Still, the rule is: If you find a bug, it’s your choice what you do with it. If you don’t like that, find your own bug.
I’ve concentrated less on the high-level things, I’m generally more interested in the system design and security architecture. So I’ve dug into the bootloader.
What we knew before was that there is a fixed block of code called “boot1”, which is supposed to be the first code executed from flash. It’s ARM (“Starlet”) code, btw, the powerpc (Broadway) is booted much later. We didn’t know how boot1 is encrypted (rumours ranged from an LFSR-based streamcipher to AES), nor if and how it was hashed. But what we had was a program called “BC” (title id: 1-100), extracted out of a system update. We are absolutely not sure why BC even exists (it might be used to return from GC mode to Wii mode, but why would you want to do so?), but what BC is doing matches what boot1 could be doing: Reading a bunch of sectors from flash, decrypting them, and checking a signature against a previously decoded cert chain, then jumping there. Once we re-coded the algorithm, it was clear that this in fact decrypts boot2. Encrypting a new boot2 requires signing the new hash. Now it turned out that “BC” also contains “the bug” (well, a similar one), so chances were big that boot1 also does. But flashing a new boot2 is dangerous if you have no return – there is a backup mechanism to boot another copy of boot2, but we cannot count on that for several reasons (for example, if our new boot2 code hangs, the backup would not be tried, as boot1 thinks that everything is right).
It also became clear that once we are able to execute starlet code, it will be a lot of trial & error. So what I did was to revive my old FPGA-based NAND flash emulator, which I once built for the Xbox 360. I wired the Wii’s flash pins to the FPGA. Now the Wii flash has different properties (large block, larger size, different ECC algorithm used), but I could adapt it in a matter of hours. I had to fix the RESET handling (the Wii is waiting for R/#B to go low for a short moment of time), and some minor things, but then it worked! I could boot from my FPGA instead of the original Flashrom. So I could do code changes in a matter of seconds, instead of always reprogramming the flashrom (potentially external). Because my FPGA board has “only” 512MB of RAM, I couldn’t fit the whole flash contents into the RAM. As part of the NAND emulation happens on the embedded PowerPC core in the FPGA (a Virtex 2 Pro), I just added an ethernet MAC, and used lwip to fetch the flash pages from a TCP server. That made the development cycle even easier, as I could now just modify the virtual NAND content on my PC!
[Read the rest of the article by following the link, thank you]
http://debugmo.de//?p=59
Added Jan 28, 2008, Under:
Wii
According to http://www.tehskeen.com there is something interesting in the “wild”.
Read on:
Some more news has surfaced from #wiidev on IRC/EFNET. A member of the channel released a screen capture from the “Gay Fish” Nintendo Wii disc. This disc is used to restore Nintendo Wii consoles to their factory state and allows you to change some internal settings.
Unlike other sites that say this disc isn’t *available*, it is, as the person in #wiidev had to have access to it to post the screen shot. Although, I wouldn’t go asking for the disc or you’ll be banned. Maybe they should write up a BAN list for noobs (it might take up 20KB of space in a plain text file).
Source: #wiidev / IRC / EFNET
Discuss here: http://www.tehskeen.com/forums/showthread.php?t=6179
http://tehskeen.com/modules.php?name=News&file=showarticle&threadid=6198
Added Jan 28, 2008, Under:
Wii
There seems to be an exploit for the Wii game Zelda.
Here is a quote from brakken’s site http://www.tehskeen.com :
Here is a screen shot of an error in Zelda for the Nintendo Wii. So, what’s so important about this particular error? Well, let’s compare this to the GTA Exploit for the Sony PSP. Yes, that’s right.
Bushing along with Segher have been able to modify a save game from Zelda to crash the machine and to run their own code on it. Note that you won’t even need to “mod” your Nintendo Wii to run this exploit.
Yes, that’s right – an exploit for the Nintendo Wii has been discovered and it allows you to run custom code. The method is pretty simple. Copy over a save file for Zelda, load it and the code runs. Don’t get too excited yet. They have only been able to run 4 lines of code, but this is in a day’s work.
Segher was the one to find the exploit and Bushing has been testing it out with the aid of the USB Gecko. The process is far from simple as once you modify a save game it requires it to be signed with 3 keys. Here’s some info from Bushing.
“Once the Wii decrypts the save game, it checks its signature. Every Wii has its own private key which is used to sign save games, and when you save a game, the Wii actually saves three bits of data:
* The encrypted save game
* The signature for the save game (using your console’s private key)
* A copy of your console’s public key, signed by Nintendo.”
Of course, the end user wouldn’t have to go through this process unless they were wanting to inject their own code into the save game, but that shouldn’t be necessary because when I asked Bushing what his goal was he answered:
“Assuming we don’t run into a wall, it should be able to lead to a homebrew loader. I hope. No promises. :)”
http://tehskeen.com/
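Both quoted passages describe the same kind of trust chain: tmbinc’s boot1 checking boot2’s signature against a previously decoded cert chain, and bushing’s save game carrying its data, a console-key signature and a Nintendo-signed copy of the console’s public key. The sketch below is an added illustration of that two-step check, not code from tmbinc, bushing, tehskeen or Nintendo; it uses textbook RSA over fixed Mersenne primes and an unpadded SHA-256 digest only so that it runs offline with the standard library, which is neither secure nor the Wii’s actual algorithm, and it does not model the save-game encryption layer.

```python
import hashlib

E = 65537  # public exponent shared by every toy key

def keypair(k1, k2):
    """Toy RSA key from Mersenne primes 2**k1-1, 2**k2-1 (constructed, NOT secure)."""
    p, q = (1 << k1) - 1, (1 << k2) - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (public modulus n, private exponent d)

def int_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def digest(data):
    # SHA-256 as an integer; below every modulus used here, so no padding step is needed
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    n, d = priv
    return pow(digest(data), d, n)

def verify(pub_n, data, sig):
    return pow(sig, E, pub_n) == digest(data)

def issue_cert(nintendo_priv, console_n):
    """The 'copy of your console's public key, signed by Nintendo'."""
    return console_n, sign(nintendo_priv, int_bytes(console_n))

def build_save(console_priv, cert, payload):
    """The three parts bushing lists. Encryption is not modelled; the signature
    covers the plaintext save bytes, i.e. what the console checks after decrypting."""
    return {"payload": payload, "sig": sign(console_priv, payload), "cert": cert}

def check_save(nintendo_n, save):
    """The two checks a console must pass before it trusts a save it did not write."""
    console_n, cert_sig = save["cert"]
    if not verify(nintendo_n, int_bytes(console_n), cert_sig):
        return "rejected: console certificate not signed by Nintendo"
    if not verify(console_n, save["payload"], save["sig"]):
        return "rejected: save signature does not match the console key"
    return "accepted"

# Constructed actors: Nintendo's root key, one genuine console, one uncertified console.
NINTENDO, CONSOLE, ROGUE = keypair(521, 607), keypair(127, 1279), keypair(2203, 2281)
CONSOLE_CERT = issue_cert(NINTENDO, CONSOLE[0])

def demo():
    genuine = build_save(CONSOLE, CONSOLE_CERT, b"zelda save v1")
    tampered = dict(genuine, payload=b"zelda save v2")         # edited, not re-signed
    self_certified = build_save(ROGUE, issue_cert(ROGUE, ROGUE[0]), b"zelda save v1")
    return [check_save(NINTENDO[0], s) for s in (genuine, tampered, self_certified)]
```

`demo()` shows why editing a save alone fails the second check and why a key not certified by Nintendo fails the first, which is the "3 keys" the quote refers to.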
Added Jan 25, 2008, Under:
Wii
Seems the first Wii release didn’t make it long…
Here is a quote from the page:
WAB.COM is now the property of the United States government.
The domain and web site were surrendered to U.S. law enforcement pursuant to a federal prosecution and felony plea agreement for conspiracy to violate criminal copyright laws.
Antonio Del Santos, a.k.a “AloneTrio” pled guilty in the United States District Court for the Eastern District of Virginia on January 25, 2008, to conspiring with others to violate federal copyright laws by illegally releasing copyrighted code illegally circumvent built-in security protections and allow individuals to run “homebrew” software on game consoles, such as the Sony PSP and Nintendo Wii. Del Santos and his co-conspirators used www.wab.com as the exclusive outlet to provide copyrighted code to individuals. As a result, the WAB website is now the property of the United States government. Individuals involved in this conduct face up to five years in federal prison and a fine of $500,000 for each count charged.
Piracy is the unauthorized, willful reproduction or distribution of copyrighted material, such as software, movies, music, and games. People who distribute pirated works over the Internet via IRC, FTP sites, web sites, or file-sharing networks, and people who download or reproduce pirated works are risking criminal prosecution. Piracy is a crime even when the works are distributed over the Internet for free or where the conduct does not involve monetary gain, such as the trading of pirated products for other pirated products.
The Department of Justice and federal law enforcement will continue to investigate and prosecute individuals and groups that violate the federal criminal copyright laws at home and abroad. For more information on these and other federal anti-piracy investigations, visit www.cybercrime.gov.
In fact the whole thing smells a lot. The page claimed to have ripped graphics from a PSX game, which turned out to be a homebrew one. So the ones who don’t believe should check this video here: https://www.youtube.com/watch?v=u9sedsE4cxE
Also the grammar above seems fishy. Best is to forget the “first homebrew Wii” game for now. The US eagle, basically those two logos shown on the left and right, are hosted right on wab.com, plus it’s still the 24th in the eastern part of the States. Browsing for “similar” violation texts did not succeed. This all was way too fast for someone to react properly, even for a government institution. Also the mentioned http://www.cybercrime.gov/index.html does not mention any case of “WAB”. I am sure they would announce their heroic success, if there had been any. (Those are partially results of discussing with EvilDragon/GP2x.de and reading the Maxconsole webboard).
The coder AMOS, who created the original PSX game “Wartris”, is known to me in person. He might be very amused about this 🙂 Oh “AMOS”, greetings to Vienna 😉
A stripped down version of Wartris can be found here: //files/1510/
http://www.wab.com/
Added Jan 24, 2008, Under:
Wii
It seems Team Wab was releasing a native Wii homebrew, in fact the first native Wii homebrew game ever. It’s called Wabtris and uses ripped graphics from a Playstation 1 game.
The download seems to be currently down.
PDRoms note: As the download does not work, some people are already talking about a fake release. We all shouldn’t be too excited, unless the real proof is given.
Release notes:
Wab is really proud to bring you the first and only Real WII Homebrew.
This release is called WABTRIS, a small tetris cover, WIIMOTE powered !!!
Stay tuned for the soon coming source code of it…
you just have to decompress, burn the iso, and boot it with ANY modchipped WII, and follow the instructions.
remember this is an “autobootable” dvd image, so you won’t go to channel menu !
Special thx to “PissProduction” (all graphics and music are ripped from their MARVELLOUS game WARTRIS on playstation 1) – Greetings : Crediar, AloneTrio, segher, bLAStY, etc… from #wiidev@efnet
http://www.wab.com/
Added Dec 30, 2007, Under:
Wii
With over 87,000 viewers of the YouTube video of the 24c3 Nintendo Wii Presentation, plus the countless news articles on the Internet, the world now knows the Nintendo Wii has been fully exploited, allowing end users to run their own code in Wii Mode.
Brakken caught up with the guy for an interview, so let’s head over to tehskeen.com!
http://www.tehskeen.com/forums/showthread.php?p=23646&posted=1#post23646
Added Dec 29, 2007, Under:
Wii
This article has been taken from Wiinintendo.NET and is not property of PDRoms!
Nintendo-Scene.com is reporting of an interesting presentation that took place at the 24th Annual Chaos Communication Congress (24C3) right now; it would appear that a fully hacked Wii capable of running native homebrew with full hardware access has been presented.
The guys over at 24C3 just demoed a Wii hack that is set to provide native Wii homebrew in the near future (not running in GC mode, and with full access to all the Wii hardware!)
They were able to find encryption and decryption keys by doing full memory dumps at runtime over a custom serial interface. Using these keys, they were able to create a Wii ‘game’ that ran their own code (their demo happened to show live sensor/Wiimote information, amongst a few other things).
Someone was able to start Homebrew in Wii-Mode. The video [in English] is from a hackers event in Germany. It’s mainly about the xbox 360, but at the end they speak about wii and show their own code injected in Lego Star Wars. More information: wii homebrew.
I’ll keep this post updated as more news/images/video come in.
Update – View the video on YouTube
Update 2 – (From GBATemp forums) There is a “Lightning Talk” with the topic “Console Hacking: State of the Wii” by Ben Byer+others on, Sun, 17:15–19:30, this is central European time (I think) and there is a live stream:
mms://streaming-internet.fem.tu-ilmenau.de/saal3
Thanks to http://www.tehskeen.com for the hint.
http://wiinintendo.net/2007/12/28/the-wii-officially-hacked/
Added Dec 29, 2007, Under:
Wii
It seems some group of coders were able to hack the Wii and run native code on it, thanks to MK2k for the video. Unfortunately he did not mention any source along with this.
http://youtube.com/watch?v=H5YB1Mmx7E4
Added Jun 2, 2007, Under:
Wii
DCEmu via its Wii-News and Gamecube Emulation Sites are proud to present the first Dual Nintendo Wii and Nintendo Gamecube Coding Competition. This Coding Competition will hopefully ignite a mass of interest for creating homebrew and emulators on the Nintendo Wii and Nintendo Gamecube.
http://wii-news.dcemu.co.uk/wii-gc-coding-contest-2007-62222.html