Breaking news (har har har)! Check back for updates.
Several pieces of Nintendo system software have been updated:
====== Titles Changed ====== SystemMenu Title ID: 00000001-00000002 Version: 0x 161 Size: 23511040 Contents: 9 (of which 6 are shared) IOS30 Title ID: 00000001-0000001e Version: 0x a10 Size: 1933312 Contents: 15 (of which 14 are shared) IOS31 Title ID: 00000001-0000001f Version: 0x a10 Size: 1933312 Contents: 15 (of which 14 are shared) bc Title ID: 00000001-00000100 Version: 0x 4 Size: 98304 Contents: 2 (of which 0 are shared) mios Title ID: 00000001-00000101 Version: 0x 8 Size: 262144 Contents: 2 (of which 0 are shared) Channel 'HACA' Title ID: 00010002-48414341 Version: 0x 5 Size: 8290304 Contents: 7 (of which 3 are shared)
I’m currently disassembling these to see what has changed. Please do not pester me about this or ask what our response will be; this isn’t exactly easy or quick. Comments will be enabled once i’ve completed my analysis.
Update 1: IOS30 and IOS31 have been changed — specifically, the kernel. The old timestamps read:
$IOSVersion: FFS: 06/08/07 18:10:10 64M $ $IOSVersion: ES: 07/10/07 18:11:26 64M $ $IOSVersion: IOSP: 06/25/07 14:17:16 64M $
The new timestamps read
$IOSVersion: FFS: 06/08/07 18:10:10 64M $ $IOSVersion: ES: 07/10/07 18:11:26 64M $ $IOSVersion: IOSP: 04/03/08 19:37:33 64M $
It’s interesting that Nintendo bothered to update the IOSP timestamp, because the only change I see in IOSP is that the version reported changed (there’s a variable that stores the value “040308”). They’re trying to be clever; the actual bug fix was in ES, where the encryption code lives.
The strncmp signing bug has been fixed in IOS30, which is what the system menu uses. (The new signature-checking code is identical to that in IOS37.) This probably means that it will no longer boot Trucha-signed discs, but I have not yet tried it. Early reports on IRC indicate that the Homebrew Channel still works; this is consistent with my understanding that the system menu does not verify the content of already-installed content.
I don’t know why IOS31 was patched.
Update 2: Okay, now this is just silly. Three functions have been added to the system menu. Guess what they do:
- ipl::utility::ESMisc::DeleteSavedata((unsigned long long, EGG::Heap*))
- ipl::utility::ESMisc::VerifySavedataZD((unsigned long long, EGG::Heap*))
- WADCheckSavedataZD
We Are Not Impressed.
Update 3: They wrote a special-purpose function to try to check for the exact exploit we used — specifically, if a savegame is for Zelda, it checks the length of 6 strings inside the savefile (two of which are the player name and horse name). It repeats this check for all 3 saveslots, and then another three times for all 3 backup slots.
No, we do not have a response to this yet; we will probably take a few days to formulate one. I predicted Nintendo would *not* do this; I’m disappointed. This was the first bug we found, in the first game we tried. We’ll find others, and they’ll have to try to catch up to each.
I’ll open up comments, but please only post if you have something constructive to say.
Update 4: It’s interesting to look at the timestamps here. The System Menu has a build marker of “systemmenu.rvl.0803060727” — yes, that’s March 6, 2008, 07:27. This update to the menu only accomplished one thing, as far as I can tell — the blocking of the TP hack. (I guess we can count the IOS30 patch together with it.) They spent 3 months testing it — this isn’t actually that surprising, when you consider the potential financial damage if they roll an update out that bricks Wiis.
Congrats to tmbinc and tehpola for finding a combination of two bugs in the code that Nintendo added that — when combined — allow us to fool their check into ignoring the TP hack. More info will be forthcoming — I still wouldn’t rush to update my system, anyway.
This still leaves the issue of how to deal with IOS30; there are several different ways to deal with this — some of which have already been released by people — and we’ll need to take some time to decide on the best one to use and test it thoroughly. There’s no urgency here, no need to rush into something.
216 responses so far ↓
1 WiiMii // Jun 20, 2008 at 5:32 pm
lol
2 LeGuiLloTe // Jun 20, 2008 at 7:44 pm
$10 US is kind of SOMETHING in my country.
Come on Bushing, we need to find a new exploit in WII SPORTS.
🙂
3 senti5000 // Jun 20, 2008 at 8:37 pm
@ZiggyTheHamster:
Uuuuuuuuuuuuu im so sorry, so now I am a pirate cuz I dont want to run the risk of soldering a chip to my Wii and ruin it, so im a pirare cuz I want the same thing that the chip does only without a chip? Sniffff , this smells to me that you are one the interests involved, what?? afraid that youll no longer sell more chips?
If I am a pirare cuz I want to run burned Games on my Wii with no chip then you are worst cuz you went and bought a chip and risked your Wii in order to, ohhh you know what, in order to run PIRACYYY ouch, If I were you I wouldnt talk again, and just to let know, I was just asking something, thats it…
@LeGuiLloTe: Jajajaj yeah Im with you, find it on Wii Sports, jajajaja you have just made my day, maybe they can cause an overflow in the golf putting mini game on wich you would have to make a perfect putting game in order to run it, ajjjajjajaj Im just kidding, sorry got carried away…
4 ZiggyTheHamster // Jun 20, 2008 at 9:05 pm
This is ridiculous.
No, I don’t sell chips. And if you use chips to play games you didn’t pay for that are commercially available – you’re a pirate.
If you use Twilight Hack, Homebrew Channel, or any other method to play games you didn’t pay for – you’re a pirate.
Nintendo does not care a lick about people running programs on their console. Until people start pirating games. Then they have to try and fight it.
I’m not meaning to sound combative as it seems you guys think I am. I’m just saying – using bushing and others’ work to run pirated games is just going to get the entire party rained down on.
The Wii is a unique machine, unlike any other. Amazing homebrew games and applications could be made once things get stable. But this might not happen if Nintendo uses all of their ability to try and stop what they perceive as piracy.
So, please. If you’re hounding bushing to get done with this because you want to be able to install more pirated things – please stop. That’s not the kind of thing we need.
And, for the record, my Wii is unmodded, though previously had a drivechip, and I used it to run GC homebrew.
5 senti5000 // Jun 20, 2008 at 9:14 pm
Yeah yeah, GC homebrew, ujummm! To more important things, nobody can rush anyone in to doing anything, when the team behind TH thinks the new one is ready then its ready, if you dont like using the TH then what the hell are you doing here boy, go do your homeworkm your mommy is calling!
6 wiibii // Jun 20, 2008 at 9:57 pm
ZiggyTheHamster for get about drivechips for a second at the man piracy is vc/wiiware right? coz it can be done on a unmodded wii. th 3.3 update as we know has a build date of march, but wii piracy stared with the wad (un)install but that was released in April. Now if you think about it even if there was no vc/wiiware piracy then Nintendo would still have released the 3.3 update. they don’t care what the users can do on there console they just care if the console will dpo what Nintendo tell them to do.
7 ZiggyTheHamster // Jun 20, 2008 at 10:09 pm
Maybe. But still. Piracy isn’t helping :).
8 332546253 // Jun 21, 2008 at 12:05 am
@northbayjoe:
Nope, the updated Twilight Hack for the 3.3 firmware update is not yet available. Keep following the blog, as I’m guessing that there will be a new entry when they do release it.
9 LeGuiLloTe // Jun 21, 2008 at 5:07 am
I just want to say that even though piracy is a bad way for accessing games, and that is bad for big N, I’m not gonna pay extra cash for games which I already paid when I bought the cartridges years ago.
Nintendo had a good idea with VC, but I’m not a vintage dumb!!
I know that homebrew is not only VC, but that’s the way I concern about it.
Go Bushing, Go bushing, GO!
10 Frosty's // Jun 21, 2008 at 8:14 am
Check out the Startrek game, I has already chrashed multiple times (freezing my system)
Without even doing anything special.
This game reeks of bad programming and could possibly be used for exploits 😉
11 Kevin Snyder // Jun 21, 2008 at 11:34 am
Now, I’m no programmer or developer that could write a workaround for this, but I’m curious: would a simple workaround be to change the characters of a different variable in the savedata?
Please don’t flame me, I’m not that good with all this stuff…
12 ZiggyTheHamster // Jun 21, 2008 at 1:03 pm
@Kevin:
The update is checking how long each field is, and I’m guessing the fields are extra-long for the program code, so changing it to change something else in the file isn’t going to work.
Apparently, what does work is that the Wii save file archives can contain files with the same name. And the firmware doesn’t check more than just the first (or last?) file of the same name. But TP doesn’t care. I think.
It’s something like that. There’s another post where bushing goes over the technicals.
@Everyone Else:
Seriously, if you’re waiting for the update to play your warezed games, then just stop bugging them. That’s not why they discovered the hack in the first place.
13 pipeline // Jun 21, 2008 at 2:51 pm
Has anyone try TH beta 1?
14 T34P075 // Jun 22, 2008 at 12:41 am
I am always entertained by the fact that it takes Ninty months to implement a patch and us days to get around it. Sometimes I wonder seriously ws hy they bother. Ninty sells more Wiis to hackers, who will get around the updates quickly anyways. It’s really like a big game of cat and mouse, where the cat can never quite catch the mouse…
15 Anonymous coward // Jun 23, 2008 at 3:06 am
They take months to test it because they don’t want to brick every Wii connected to the Internet. Pretty obvious, really.
16 [Màj] Twilight Hack déjà de retour… | GenerationWii : entrez dans le jeu // Jun 23, 2008 at 8:53 am
[…] aura fallu environ trois jours pour que les hackers de HackMii décryptent le nouveau code de la mise à jour 3.3 de la Wii qui empêche d’effectuer le […]