Notes from inside your Wii

HackMii header image 2

Wii menu TP-hack-killer analysis

June 17th, 2008 by bushing · 172 Comments

Okay, I’ve spent a little bit of time trying to reconstruct the C code used to build the channel from my disassembler.  The full IDA Pro output for those funcs is here: http://static.hackmii.com/verifyzelda.html

Below, you’ll find my C version.  I’ve tried to make it function exactly like the one in the new system menu.  Hopefully I did a good job, because I’d like to see people try to find bug in this that could lead to an exploit.   There are at least two here, which we used in combination; can you find any more?

Don’t worry, I’ll give the answers if nobody gets them :)

// this helper function gets called during the NAND check
// for the TP hack files

int ipl::utility::ESMisc::DeleteSavedata(u32 titleid_h, u32 titleid_l) {
    char pathname[0x100];
    int deleted_files = 0;
    sprintf(pathname, "/title/%08x/%08x/data/", titleid_hi, titleid_lo);

    int num_dir_entries = 0;
    int retval = nandReadDir(pathname, 0, &num_dir_entries);
    if (retval != 0 || num_dir_entries == 0) {
        OSReportError("iplESMisc.cpp::DeleteSavedata: "
             "Could not read1 %s: %d\n", pathname);
        goto done;
    dirent_t *direntries=malloc(sizeof dirent_t * num_dir_entries);
    if (direntries == NULL) {
        "Could not alloc: %d\n");
        goto done;
    retval = nandReadDir(pathname, num_dir_entries, direntries);
    if (retval != 0) {
        OSReportError("iplESMisc.cpp::DeleteSavedata: "
        "Could not read2 %s: %d\n", pathname);
        goto done;
    int i;
    for (i=0; i < num_dir_entries; i++) {
        char buf[0x100];
        strcpy(buf, pathname);
        strcat(buf, direntries[i].filename);
        retval = NANDPrivateDelete(buf);
        if (retval != 0) {
            OSReportError("iplESMisc.cpp::DeleteSavedata: Failed to delete %s: %d\n", buf);
            goto done;
        deleted_files = 1;
    if (direntries != NULL) free(direntries);
    return deleted_files;

// this function is called upon boot or something
ipl::utility::ESMisc::VerifySavedataZD(u32 titleid_hi, u32 titleid_lo) {
    int savegame_bad = 1;
    char pathname[0x100];

    sprintf(pathname, "/title/%08x/%08x/data/%s", titleid_hi, titleid_lo, "zeldaTp.dat");

    if(ipl::utility::ESMisc::ChangeUid(titleid_hi, titleid_lo)==0) goto done;
    int retval = nandPrivateOpen(pathname, &fd, O_RDWR);
    if (retval == -ENOENT) {
        OSReportError("iplESMisc.cpp::VerifySavedataZD: Does not exist %s: %d\n", pathname);
        goto done;

    if (retval == 0) {
        OSReportError("iplESMisc.cpp::VerifySavedataZD:Open save data file failed: %d\n");
        goto done;

    u32 file_length;
    retval = NANDGetLength(fd, &file_length);
    if (retval != 0) {
        OSReportError("iplESMisc.cpp::VerifySavedataZD:Get file length failed: %d\n");
        goto done;

    char *buf = malloc(file_length);
    if (buf == NULL) {
        OSReportError("iplESMisc.cpp::VerifySavedataZD: Alloc failed: %d\n");
        goto done;
    int bytes_read;
    bytes_read = NANDRead(fd, buf, _align_size(file_length, 32));
    if (bytes_read != _align_size(file_length, 32)) {
        OSReportError("iplESMisc.cpp::VerifySavedataZD: Read file failed: %d\n");
        goto done;

    if (WADCheckSavedataZD(buf) == 0) {
        OSReport("iplESMisc.cpp::VerifySavedataZD: Verify failed for %016llx\n", 
            titleid_hi << 32 | titleid_lo);
        fd = 0;
        ipl::utility::ESMisc::DeleteSavedata(titleid_h, titleid_l);
    savegame_bad = 0;

    if (buf) free(buf);
    if (fd) NANDClose(fd);

    return savegame_bad;

int _align_size(int value, int alignment) {
    // round up value to next highest multiple of alignment
    // e.g align_size(40, 32) = 64
    return value + (alignment-1) & ~alignment;
int _check_strlen(char *string, int max) {
    int i;
    for (i=0; i< max; i++) if (string[i]=='\0') return 1;
    return 0;

int _check_save(char *buf) {
    if (!_check_strlen(buf + 0x56, 8)) return 0; // random strings
    if (!_check_strlen(buf + 0x60, 8)) return 0; // inside savegame
    if (!_check_strlen(buf + 0x7A, 8)) return 0;
    if (!_check_strlen(buf + 0x96, 8)) return 0;
    if (!_check_strlen(buf + 0x1BC, 17)) return 0; // player name
    if (!_check_strlen(buf + 0x1CD, 17)) return 0; // horse name
    return 1;

int WADCheckSavedataZD(char *buf) {
    int i;
    // check 3 primary saveslots
    for (i=0; i<3; i++) if (!_check_save(buf + i*0xA94)) return 0;
    // check 3 backup saveslots
    for (i=0; i< 3; i++) if (!_check_save(buf + 0x2008 + i*0xA94)) return 0;
    return 1;

// this function is called when any savegame WAD is being 
// installed (copied from SD)
int _wad_check_for_twilight_hack(WAD *wadfile) {
    int i;
    for (i=0; i <  wadfile.numfiles; i++) {
        // skip any leading directory names
        char *p = strrchr(wadfile.filename[i], '/');
        if (p == NULL) p = wadfile.filename[i];
        else p++;
        if (strcmp(wadfile.filename[i], "zeldaTp.dat")==0) {
            return WADCheckSavedataZD(wadfile.filedata[i]);



Tags: Wii

172 responses so far ↓

  • 1 Frozen // Jun 17, 2008 at 9:40 pm

    First thing that sticks out to me are fixed file lengths of 32. Are those built into the wii so it can’t support longer?

  • 2 jepler // Jun 17, 2008 at 9:47 pm

    Is something garbled near this line in the source? ‘for (i=0; i<< 32 | titleid_l);’

  • 3 bushing // Jun 17, 2008 at 9:48 pm

    You mean the alignments to a multiple of 32, right?

  • 4 bushing // Jun 17, 2008 at 9:48 pm

    yeah, sorry, I newbed up the HTML, it should be fixed now

  • 5 anonymous coward // Jun 17, 2008 at 9:55 pm

    1: int ipl::utility::ESMisc::DeleteSavedata(u32 titleid_h, u32 titleid_l)
    4: sprintf(pathname, “/title/%08x/%08x/data/”, titleid_hi, titleid_lo)

    missing letters? 😛

  • 6 aster // Jun 17, 2008 at 10:02 pm

    In _wad_check_for_twilight_hack
    It looks like if you can have a wad with more than one “zeldaTp.dat” in it it will only scan the first one and ignore the second.

    Although shouldn’t
    (strcmp(wadfile.filename[i], “zeldaTp.dat”)
    (strcmp(p, “zeldaTp.dat”) ?

    otherwise I don’t see how p is used..

  • 7 psi // Jun 17, 2008 at 10:05 pm

    I’d guess NANDPrivateDelete would not remove a directory that contains files? If directory entry would be so constructed that it always appears first, it’d abort further file removal.

  • 8 Frozen // Jun 17, 2008 at 10:06 pm

    Re: Bushing

    Oh I totally read that wrong. Man I’m rusty. I completely glanced over the function call within the function call.

  • 9 bushing // Jun 17, 2008 at 10:18 pm

    Congrats to aster (here) and chishm (on IRC) and aster for finding the bugs. That was fast :)

    The two bugs are:
    * When you copy a savefile from SD to NAND, _wad_check_for_twilight_hack (my name for the function), it checks for a file called zeldaTp.dat. If it finds it, it goes and checks it to see if it’s our hacked version.

    I made an ugly hack to Segher’s twintig program to let me stick in two files with the same name — “zeldaTp.dat” and “zeldaTp.dat?”. When it writes the savefile out, I made it strip out the ?. So, the first zeldaTp.dat is 16K of null bytes, but it could probably be just one byte (or even zero)

    So, this will allow us to actually get the game on the system, but the menu will delete it or not let you use it.

    * When it reads in “zeldaTp.dat” (which is usually 16384 bytes), it first gets the length of the file from the filesystem, rounds that up to the next multiple of 32, and then allocates that buffer.

    If we add an extra byte onto the end of savefile, then it will be 16385 bytes. It will allocate 16416 bytes, and then try to read that many bytes from the file on NAND. It will “only” read 16385 bytes, and then it gives up and ignores the file, and thus we can make a slightly modified TP hack.

    The TP hack code should be portable to other stack-overflow bugs on the Wii, so it would be a nice idea to start looking in more games.

  • 10 anonymous coward // Jun 17, 2008 at 10:20 pm

    1st bug, “copy time” bypass:
    wad file can contain 2 zeldaTp.dat files, first one valid, second one “hacked”
    2nd bug, “boot time” bypass:
    zeldaTp.dat file won’t checked if file size is not aligned.

  • 11 tona // Jun 17, 2008 at 10:24 pm

    And fixing those bugs will probably set Nintendo back another good number of bugs, all the while the next exploit can be found, stored up, and hopefully kept secret until these issues are fixed in an IOS update.

  • 12 tona // Jun 17, 2008 at 10:25 pm

    Set nintendo back another good number of months.

  • 13 John // Jun 17, 2008 at 10:39 pm


    As far as looking in more games, game saves are the primary target, no?

    If I had the ability to edit saves, I’d start trying to crash my system just for fun.

  • 14 tehnoir // Jun 17, 2008 at 10:47 pm

    With Nintendo also checking the player name, does this mean that the player name was susceptible to the same buffer overflow?

    And just out of curiosity, what happens if the horse or player names have a null value?

  • 15 tehnoir // Jun 17, 2008 at 10:51 pm

    John: I think that game saves are more-so just the best way for delivery. How else will you get your Wii to execute your code? (other than current exploits that is)

    There are only a few ways for the general public to copy their own data to the Wii. Memory card or SD and…well, short of something like USB, that’s all I can think of, heh.

  • 16 John // Jun 17, 2008 at 10:54 pm


    That’s what I was thinking, how else would you get code on the Wii and be able to tell the Wii where to start reading it from, I just wanted to make sure. 😉

  • 17 mth // Jun 17, 2008 at 10:56 pm

    How long can file names be (the “filename” field in “dirent_t”)? In DeleteSavedata(), “pathname” is 31 bytes (including tailing zero) and “buf” is fixed to 256 bytes.

    Having an undeleteable file at the start of the directory makes DeleteSavedata() abort, leaving the rest of the files alone. It does lead to a non-zero exit code, but the exit code is not checked by VerifySavedataZD(). Can NANDPrivateDelete() delete all types of directory entries or only files?

    _check_save() would be reading outside the buffer for short files.

    VerifySavedataZD() allocates “buf” of exactly the file size, but reads a number of bytes rounded up to a multiple of 32. So you could load up to 31 bytes onto the heap behind the allocated buffer.

    VerifySavedataZD() tries to open the save file in read-write mode. This seems strange to me, since it will only be reading the file. If you could remove write permissions from the save file, this function would leave it alone.

    I don’t know the spec of nandPrivateOpen(), but it seems strange to abort on a zero return value. If it would return a file descriptor, why is also a pointer to “fd” passed to it? This might be a strange API design rather than a bug though.

    Speaking of “fd”, I don’t see it being declared anywhere. If “fd” is declared but not initialized to 0, it is possible to close a different file descriptor if one of the early checks fails.

    I would expect “buf” to be one of the arguments passed to NANDRead(). Also strange about “buf” is that it is freed when it is non-NULL, but its value is undefined before the malloc() attempt.

    Having a file larger than the available heap space would cause VerifySavedataZD() to fail. Might not be practical though.

    In any case, what happens if VerifySavedataZD() returns 1? Is it worthwhile to try to find a bug in the error handling path or will the Wii refuse to boot or something if this function returns 1?

    I would expect “return 0″ at the end of _wad_check_for_twilight_hack().

    Is it possible to lie in the “wadfile.numfiles” field, or would that also cause too few files to be installed?

    In _wad_check_for_twilight_hack(), is the strcmp() really done on “wadfile.filename[i]” and not on “p”? If so, putting the save game inside a directory would avoid the check. Even adding “./” would be enough.

    I assume the Wii filesystem is case sensitive? If not, a different case in the file name would avoid the check in _wad_check_for_twilight_hack().

  • 18 mth // Jun 17, 2008 at 11:12 pm

    Wow, lots of comments since I started typing.

    I forgot that NANDRead() would obviously not read more bytes than there are actually in the file, so it’s not possible to overflow the heap. Indeed having a file size not a multiple of 32 will bypass the delete part of the function.

    All of these bugs are easily fixable by Nintendo though. So eventually Zelda will not be exploitable anymore and other games have to be used. At some point, the Wii firmware will have a savegame validation framework built in, that checks for all known savegame exploits…

  • 19 GameZelda // Jun 17, 2008 at 11:24 pm

    Good job on finding the new bugs.

    Also, what paths separators does the Wii accept? It only accepts slashes or it also accepts backslashes?

  • 20 HyperHacker // Jun 17, 2008 at 11:36 pm

    Excellent work as always. :-)

  • 21 skawo96 // Jun 17, 2008 at 11:51 pm

    Bushing done a fantastic work, give him a break. There is really no rush to releasing it, who would download it, does the Mii Parade is that cool?

  • 22 MrShlee // Jun 17, 2008 at 11:51 pm

    I’m glad you have already found a way to bypass the very basic detection BUT it seems the game of cat and mouse has officially started. :(

    This is a sad day.

  • 23 skawo96 // Jun 17, 2008 at 11:51 pm

    *Of course byu ‘Who would DL it” i mean 3.3 update :)

  • 24 agoaj // Jun 18, 2008 at 12:11 am

    Well, Nintendo could also release a patch that checks that the file size of several saves are within a certain limit. If they included a large table with popular games it could destroy a bunch of candidates.

  • 25 James // Jun 18, 2008 at 12:45 am

    If you can find one in super mario galaxy then i think a lot of people will have this game or even wii sports?

  • 26 ESmazter // Jun 18, 2008 at 12:49 am

    So, will the TP Hack development stop at this point and begin on other games or will you try to use the given bugs?

    A bit unclear at the moment : /

  • 27 Nuke // Jun 18, 2008 at 12:55 am

    htf can your reverse code back to C in that time frame, you are a code robot!

    Most saves have pointers so my guess is near all saves can be exploited, Red Steel for example even uses a flat text file as its save data file heh

  • 28 Wii Firmware Update 3.3 - Page 4 - Wiihacks - Nintendo Wii Hacks Community // Jun 18, 2008 at 12:57 am

    […] with the homebrew channel until after this update. More info here i reccommend you check it out. Wii menu TP-hack-killer analysis June 16 Wii […]

  • 29 I.R.on // Jun 18, 2008 at 1:43 am

    bytes_read = NANDRead(fd, buf, _align_size(file_length, 32));
    this will fail with extra 1 byte in the save file but the file should already reside in the nand, this doesn’t fix it for those who already have 3.3 update I think since they will not be able to copy the save file over their nand. And for those with lower firmwares than 3.3, Zelda TP game need to be bug free too, if it has the same flaw above then it will refuse to load the save too.

  • 30 dennis // Jun 18, 2008 at 2:46 am

    int i;
    for (i=0; i < num_dir_entries; i++) {
    char buf[0x100];
    strcpy(buf, pathname);
    strcat(buf, direntries[i].filename);

    could easily overwrite buf[], no?

    u32 file_length;
    retval = NANDGetLength(fd, &file_length);
    if (retval != 0) {
    OSReportError(”iplESMisc.cpp::VerifySavedataZD:Get file length failed: %d\n”);
    goto done;

    char *buf = malloc(file_length);
    if (buf == NULL) {
    OSReportError(”iplESMisc.cpp::VerifySavedataZD: Alloc failed: %d\n”);
    goto done;

    int bytes_read;
    bytes_read = NANDRead(fd, buf, _align_size(file_length, 32));

    if file length is null, a buffer of 0 bytes in size is allocated on the heap, this will be written 32(?) bytes to by NANDRead()

  • 31 HCK // Jun 18, 2008 at 3:33 am

    True Awesomeness…

  • 32 icegibbon // Jun 18, 2008 at 5:36 am

    Look s like if you create a long file name in /title/%08x/%08x/data/ directory, you could cause buf to overflow before NANDPrivateDelete is called.

    Truly amazing decompile!

  • 33 Niceguy10 // Jun 18, 2008 at 5:52 am

    Well, they fixed it within two days of release, so I think that we can beat nintendo any day 😀

  • 34 Sunrise // Jun 18, 2008 at 6:00 am

    What does ipl::utility::ESMisc::ChangeUid do?

  • 35 Grillo // Jun 18, 2008 at 6:06 am

    I think that instead to try to find an exploit to an official nintendo game, (witch they developed and have all the code an documentation) it would be better to find an exploit on a third party game.

  • 36 LaPatateInc // Jun 18, 2008 at 6:26 am

    Apparently there has been a fix for twilight hack in the talk of wiibrew.org :
    Can someone confirm it ?

  • 37 p // Jun 18, 2008 at 6:26 am

    What would crease me up is if any parameters of the new functionality could be overflowed so we could exploit the system by just having the corrupt save that it checks .. no need for zelda.

  • 38 Sunrise // Jun 18, 2008 at 6:35 am

    int WADCheckSavedataZD(char *buf) {
    int i;
    // check 3 primary saveslots
    for (i=0; i<3; i++) if (!_check_save(buf + i*0xA94)) return 0;
    // check 3 backup saveslots
    for (i=0; i< 3; i++) if (!_check_save(buf + 0×2008 + i*0xA94)) return 0;
    return 1;

    Doesn’t that mean that if you copy the save from a slot other than the first (which contains a valid save) it should work

  • 39 Sunrise // Jun 18, 2008 at 6:38 am

    ^ Sorry thought return 0 was good boy :(

  • 40 zant // Jun 18, 2008 at 7:17 am

    so, r we gonna see a release soon then?

    really paying close attention to this…….

    so all this update did was search for the old TP hack specifically, but with more and more games come up with bugs, thats a lot of things nintendo is gonna need to fix.

    thanks for discovering the bug!

  • 41 zant // Jun 18, 2008 at 7:32 am

    somebody already released a fix. but it is for pal systems. anyway to edit the save to make it region free

  • 42 anonymous // Jun 18, 2008 at 7:43 am

    Hope it works, now I just need the new Lite On drive for the 360 to be flashed and my week will be complete 😉

  • 43 zant // Jun 18, 2008 at 8:06 am

    ok, the new hack released on eltrolado.net is confirmed a fake…….. Please bushing and team, release it as fast as you can!

  • 44 Sunrise // Jun 18, 2008 at 8:12 am

    Have you already updated your system zant? :0

  • 45 aaaaaa // Jun 18, 2008 at 8:29 am

    “ok, the new hack released on eltrolado.net…”

    You should have known right there that it was useless. Unless it is a release by Waninkoko, worthless SDK banner channels by jayparadox, or stolen emulator code by LoPsT, then ignore everything that comes from that site.

  • 46 Team-Gx » Wii System Menu 3.3 Analysis // Jun 18, 2008 at 8:42 am

    […] Source: HackMii […]

  • 47 zant // Jun 18, 2008 at 8:47 am

    yeah, I updated. and bout eltrolado, yeah, I already knew that. I just wanted to try. RELEASE!

  • 48 kahlua18 // Jun 18, 2008 at 9:22 am

    would it be possible to substitute the horses string name with a homemade character set that uses blank data to increase it bit size without making the string specifically longer in order to bypass the check and to stack smash?

  • 49 Sunrise // Jun 18, 2008 at 9:30 am

    Trouble is is checks for null value which would terminate the string anyway and therefore not overflow … ie write the rest to the stack

  • 50 Midnite // Jun 18, 2008 at 10:32 am

    When Zelda (or the Wii) loads the savegame does it care about filename case? When the Wii is looking for Zelda saves it does a strcmp (which is case sensitive) on the string “zeldaTp.dat”. If the Zelda save game was called “ZeldaTp.dat” would Zelda still load it? If so, then the Wii check would skip right over that file.

  • 51 Saurabh // Jun 18, 2008 at 11:49 am

    @Midnite: I suppose in that case, so would the game :)

  • 52 Matt // Jun 18, 2008 at 12:59 pm

    “Look s like if you create a long file name in /title/%08x/%08x/data/ directory, you could cause buf to overflow before NANDPrivateDelete is called.

    Truly amazing decompile!”

    What about this? Although after the potentially vulnerable section of code, I see a call to strlen in the disassembly. I don’t know PPC assembly, are the registers starting from r3 being used for arguments, and r3 being used for the return?
    The strings being pointed at by r29 are all contiguous?

  • 53 CaitSith2 // Jun 18, 2008 at 1:17 pm

    Causing any buffer overflows in the wii system menu, is a VERY BAD IDEA. You could potentially brick your Wii by doing this, as this function is called at every startup. The only buffer overflows that one should do in the Wii system menu, are ones that can be reversed without triggering them in the process. This is not one that you can reverse once it is done.

  • 54 Mii // Jun 18, 2008 at 1:51 pm

    Just wondering here, how about hacking the photo channel? Everyone has it, so ya. Could you possibly stick some code in to act like a picture?

    Sorry if this comment is completely and utterly a waste of time, I’m a noob at this stuff.

  • 55 Zant // Jun 18, 2008 at 2:00 pm

    Not to be a troll, but when r we going to see this new hack? its been 2 days, and according to what im reading, its a simple fix. JUST RELEASE IT ALREADY!


  • 56 011010 // Jun 18, 2008 at 2:16 pm

    Zant, they are not obligated to release anything to you. I\’m sure when they feel it is ready, they will release it publicly.

  • 57 A8029FE5 // Jun 18, 2008 at 2:18 pm

    Zant, they are not obligated to release anything to you. I’m sure when they feel it is ready, they will release it publicly.

  • 58 Cobarde // Jun 18, 2008 at 2:18 pm

    Who cares about the Zelda TP exploit. With any other homebrew launcher in a channel form, we don’t even need Zelda.

    Get working on the Trucha(or any other bug like it) and forget about the stupid Zelda save.

  • 59 A8029FE5 // Jun 18, 2008 at 2:21 pm


    True, but for people with an unmodified Wii, they still need a way to install a channel on in the first place. Also, with the signing bug being fixed, I don’t even think it is possible to install with a modified Wii.

  • 60 ESmazter // Jun 18, 2008 at 2:25 pm

    Well, how the hell will you intall the HB Channel if you dont have an exploit? 😀

  • 61 Zant // Jun 18, 2008 at 2:29 pm

    i know there not obliged, but it would be nice to have it by week’s end. I mean, it can’t take THAT much to tweak a bit of code. I’ve written in HTML and in a bit of Java, and It doesn’t take that much to tweak. But i’ll wait (only for another day or two)

  • 62 Matt // Jun 18, 2008 at 2:38 pm

    “Causing any buffer overflows in the wii system menu, is a VERY BAD IDEA. You could potentially brick your Wii by doing this, as this function is called at every startup. The only buffer overflows that one should do in the Wii system menu, are ones that can be reversed without triggering them in the process. This is not one that you can reverse once it is done.”

    Is it a viable buffer overflow? Would it be possible to delete zeldaTp.dat after the overflow? Or better yet, let the delete method delete zeldaTp.dat before the overflow? (How does the Wii list directories?)

  • 63 Matt // Jun 18, 2008 at 3:10 pm

    Wait, total path length is probably restricted to 255 by the IOS, right? Making that impossible in any case.

  • 64 TRA // Jun 18, 2008 at 3:17 pm

    LOL, comparing HTML (which is a MARKUP LANGUAGE) and Java to Disassambly and C is totally stupid – shouldn’t you go to school or something?

  • 65 Zant // Jun 18, 2008 at 3:31 pm

    Ah haha, thats the funny thing…. I am in school 😛

  • 66 Zant // Jun 18, 2008 at 3:32 pm

    I don’t know if any of you played FF X-2 , but in the words of Shinra: “I’m just a kid”

  • 67 Freeway // Jun 18, 2008 at 4:11 pm


    You’ve started a thread on gbatemp saying you’ve had a 3.4 update, when you haven’t. Now you’re on here demanding a new hack be released.

    Can’t take much! You’ve written some HTML and Java, it MUST be easy!

    Just let them get on with what they need to do. There’s no point in releasing anything that isn’t 100% ready and 100% safe. If you think you can do it quicker, go ahead. I know I’d rather wait for bushing n co than use some half baked rushed hack from a whining school kid.

    Now shut up.

  • 68 crwys // Jun 18, 2008 at 4:22 pm

    Totally agreed, way to speak it Freeway. Bushing and the team will release it when they feel like its ready to go public. No need to rush perfection ( Bushing ) Keep up the good work Bushing! =)

  • 69 wowfunhappy // Jun 18, 2008 at 4:40 pm

    Although I agree Bushing should take his time, that doesn’t give you guys a right to bash zant.

  • 70 Bossk // Jun 18, 2008 at 4:44 pm

    Yes it does. Saying stupid things in a public place gives people the right to respond to it.
    He knows he has no knowledge at all off programming techniques (“a bit of java” does not count) he shouldn’t make silly demands.

  • 71 cap9qd // Jun 18, 2008 at 5:10 pm

    You have to love the “Couldn’t you JUST …” that show you don’t know what you are talking about. Usually the people that comment on this blog are insightful and considerate except for some posts here. I would ask that you go away and not ruin a GREAT thing, this blog and Bushing’s work, with your B.S. Thanks!

  • 72 nitro2k01 // Jun 18, 2008 at 5:38 pm

    One thing I’m thinking about is how you managed to find out the method names. (Like ipl::utility::ESMisc::VerifySavedataZD) Does the binary image come as an ELF or some other format with symbolics? Or did you just make up that method name?

  • 73 Zant // Jun 18, 2008 at 5:41 pm

    ok. I shut up now. I guess you really cant rush perfection. Sorry about that thread, got scared with 3.3 and I updated, so I thought something else broke when Nintendo’s servers where down. How do you find out what the new updates do? Do you use the drive doctor from datel or infectus? This is really interesting stuff.

  • 74 Th3_MoL3 // Jun 18, 2008 at 6:28 pm

    wow talk about n00b to the Nth degree.

  • 75 wowfunhappy // Jun 18, 2008 at 6:42 pm

    @zant, check the blog post bushing made before he made this one. It answer’s the exact question you just asked! :)

    While I agree that this stuff is interesting, next time, I suggest trying to satisfy your curiosity yourself before asking others. It will stop you from being made fun of :)

  • 76 BigHed3 // Jun 18, 2008 at 7:50 pm

    For other games to look into, I’d say just look at a list of the top 10 Wii games.

    Wii Sports,
    Wii Play,
    Smash Bros.,
    Mario Galaxy,
    Wii Fit,
    Mario Kart.

    Obviously the idea is to hack a save file for a game that most people would already have.

    Either that or maybe try to hack the save data for a free Wii Channel, like the Nintendo Channel or Everybody Votes.

  • 77 crwys // Jun 18, 2008 at 8:04 pm

    Id say hack whatever is the easiest to do it for. Come on now… Bushing and everyone else is doing this on their own time, the least we can do is bear with what game we have to rent or buy.

  • 78 DtD // Jun 18, 2008 at 8:31 pm

    Hey guys, quit bashin the kid, he obviously didn’t understand how hard it is to do this stuff and how high of expectations everyone has for TP:Hack and Bushing, and I think he gets it now.

    Also, just because someone said something stupid doesn’t mean you should degrade them and make them feel bad. Instad, correct them politlely and teach them something new.


  • 79 DtD // Jun 18, 2008 at 8:32 pm

    BTW> Bushing, you are one crazy dude… XD

  • 80 CaitSith2 // Jun 18, 2008 at 8:44 pm

    Tweaked my own save file, based on bug number 2 of attempting to read an aligned to 32 bytes filesize. As a result, my save survived the update. TP still loads the save file just fine.

  • 81 modrobert // Jun 18, 2008 at 8:51 pm

    Hex-Rays Decompiler?

  • 82 modrobert // Jun 18, 2008 at 8:55 pm

    nm, forgot it doesn’t work on ppc.

  • 83 cap9qd // Jun 18, 2008 at 10:50 pm

    You are very right…very very very interesting!!!

    It would be interesting to see what other games do contain a similar vulnerability; Bushing has said before that TP was the first game they tried and has hinted at the existance of others.

  • 84 Josh Triplett // Jun 19, 2008 at 12:46 am

    @Bushing: I see a couple of bugs in the code that nobody seems to have mentioned yet. Several of them may potentially provide ways to trigger arbitrary code execution from the system menu. Since this code runs on boot, if triggered by a save game already copied to the system, this could brick the Wii by causing it to crash every time. However, if triggered by a save game on an SD card, then in the worst case you should only need to remove the SD card and reboot to recover. In particular, note that such an exploit could work without the need to have any particular game; you would only need a magic save game on your SD card to trigger the exploit directly from the system menu. The irony of using an exploit in the code designed specifically to foil the Twilight Hack seems particularly sweet. :)

    First, in ipl::utility::ESMisc::DeleteSavedata:

    int retval = nandReadDir(pathname, 0, &num_dir_entries);
    if (retval != 0 || num_dir_entries == 0) {
    OSReportError(”iplESMisc.cpp::DeleteSavedata: ”
    “Could not read1 %s: %d\n”, pathname);
    goto done;

    dirent_t *direntries=malloc(sizeof dirent_t * num_dir_entries);
    if (direntries != NULL) free(direntries);

    So if nandReadDir fails or num_dir_entries == 0, then the error case occurs, the goto jumps right past the declaration and initialization of direntries, and the cleanup code proceeds to free the invalid pointer. This seems likely to cause heap corruption and possibly crash the system menu. Freeing an invalid pointer can potentially provide a vector to run arbitrary code, though it seems dangerous.

    Also in ipl::utility::ESMisc::DeleteSavedata:

    dirent_t *direntries=malloc(sizeof dirent_t * num_dir_entries);
    if (direntries == NULL) {
    “Could not alloc: %d\n”);
    goto done;

    If the directory has enough entries (or appears to), the call to malloc will fail to obtain enough memory, so it will return NULL, triggering the call to OSReportError, and then ipl::utility::ESMisc::DeleteSavedata will return successfully without deleting the file.

    num_dir_entries uses a signed integer type, so with enough directory entries you could trigger signed integer overflow, which sometimes proves exploitable.

    Similarly, if you have enough directory entries, you can make the expression (sizeof dirent_t * num_dir_entries) in the call to malloc overflow to a small number, causing malloc to successfully return a buffer which provides far too little space to hold the results of nandReadDir. (This one doesn’t depend on signed integer overflow; it would occur even if num_dir_entries had an unsigned type.)

    From _wad_check_for_twilight_hack:

    // skip any leading directory names
    char *p = strrchr(wadfile.filename[i], ‘/’);

    Could you take advantage of file/directory confusion or naming confusion here? Could you provide a file or directory zeldaTp.dat/ , which would then cause this code to strip it off as a directory but still allow other code to handle it as expected? I suspect not; it seems likely that that kind of confusion will lead to other errors elsewhere.

  • 85 GameZelda // Jun 19, 2008 at 2:09 am

    @Josh Triplett:

    I’m pretty sure that the first bug is a bushing error, since the compiler should not allow to work with a variable that hasn’t been declared (not to be confused with a variable without a value set).

  • 86 Anonymous coward // Jun 19, 2008 at 3:12 am

    @74 BigHed3

    > Either that or maybe try to hack the save data for a free Wii Channel, like the Nintendo Channel or Everybody Votes.

    Free downloadable channels would be the easiest to fix as Nintendo can fix the bug inside the channel itself without affecting the rest of the system and push out an update. So these channels should be avoided if there’s another way.

    The photo channel is probably more difficult to test, remember there are three versions… Wiis that came with 1.0, Wiis that came with 1.0 + the 1.1 downloadable update, and Wiis that came with 1.1.

    Exploiting bugs in the Zelda check in Wii Menu 3.3 is one way, but finding a new bug in a common game (such as one you list) would be a better way as this would require yet more development instead of minor bug fixes to an existing fix.

    Eventually I suspect Nintendo will have to develop a general save game checker in which games can be added and tested in less than three months.

  • 87 HBC // Jun 19, 2008 at 4:49 am

    umm sorry for the noob question but i havent been able to find an answer to this question yet. I updated to 3.3E (yea stupid i know T_T) but my wii is chipped so is it possible to install HBC using the isos? or do they use this trucha signed thing? my USA patched PAL smash brawl doesnt work anymore. Hoping to be able to use Gecko.

  • 88 Phredreeke // Jun 19, 2008 at 6:20 am

    Isos use truchasigning. Your only hope is Bushing’s updated Zelda exploit.

  • 89 Pipeline // Jun 19, 2008 at 8:08 am

    I just read that someone is working on a homebrew channel save from a SD card.

    this it possible for a workaround to get it to copy?

  • 90 GameZelda // Jun 19, 2008 at 8:15 am

    Is this another bug, or a typo in the translation to C?

    “[…]_check_save(buf + 0×2008 + i*0xA94)[…]”

    If you look at the save file, it has (always?) 0x4000 bytes, and the first 0x2000 bytes are identical to the second 0x2000 bytes.

    This code starts to check in 0x2008 (8 bytes of delay from the real value).

  • 91 GameZelda // Jun 19, 2008 at 8:17 am

    NOTE: In the disassembly, it’s also 0x2008, so I suppose that it’s a bug?

  • 92 Sunrise // Jun 19, 2008 at 8:58 am

    quote > Phredreeke // Jun 19, 2008 at 6:20 am
    “Isos use truchasigning. Your only hope is Bushing’s updated Zelda exploit.”

    Can somebody clarify, do game ISOs that are obtained from say newsgroups all use Trucha? So will this update even knacker chipped wiis?

  • 93 shcraa // Jun 19, 2008 at 9:06 am

    only if a video mode fix, regionfrii or one of various other disc modifying tools which use trucha have been applied

  • 94 shcraa // Jun 19, 2008 at 9:08 am

    ps: you can load trucha signed discs via gecko region free or Gecko OS

  • 95 Zelda // Jun 19, 2008 at 9:36 am

    i just got my wii 1 week ago it was version 3.1 and i updated to 3.3 because i wanted to use the wii shop channel i couldn’t go in it without updating now i regret it because i really didn’t know about this hack damn hope get the new version of the hack up soon and for now on I’m not updating ever again after this new twilight princess hack

  • 96 Pipeline // Jun 19, 2008 at 10:14 am

    LOOK here…this it possible for a workaround to get it to copy?




  • 97 abrew // Jun 19, 2008 at 10:24 am

    You can update it aslong as there isn’t a fix to one of our hacks. so why not update?

  • 98 wowfunhappy // Jun 19, 2008 at 10:42 am

    Okay, so you’re all upset about Nintendo’s hack-blocking update, correct?

    1-800-255-3700 – CALL NINTENDO!
    http://www.nintendo.com/consumer/webform.jsp – E-MAIL NINTENDO!


    I for one just got off the phone with a Nintendo representative. I told him “I have been a good Nintendo customer for several years. When the so called ‘twilight princess chainloader’ was released, I did not currently own twilight princess, I bought it just so I could run the modified save file it uses… I am very upset with the new update… I don’t think you have a right to block homebrew”

    I then asked WHY they were doing this. He stumbled, taking a while to formulate his poor answer. I then responded by saying “I just want you to know that you WILL loose me as a customer if you continue to do this.”

    Here’s my main point though- he stumbled. Do you know what that tells me? It tells me that very few people have bothered to call Nintendo about this. People- TELL THEM YOUR OPINION!!! If enough people call, they won’t be able to just ignore it. TELL THEM THAT THEY HAVE LOST A CUSTOMER! MAKE IT CLEAR THAT THEY ARE LOOSING MONEY BY DOING THIS!

    I have E-mailed Nintendo as well and am currently awaiting a response from them. In the meantime…


    The above is all you need to know. Now what are you waiting for???

  • 99 Rob // Jun 19, 2008 at 11:35 am

    @Sunrise: Game backups do not use trucha. Hacked discs which are not direct backups such as the ones that install the bomebrew channel do use trucha and are blocked.

  • 100 9th_Sage // Jun 19, 2008 at 12:44 pm

    Yes, he was referring to the homebrew channel installer discs, which do use Trucha.

  • 101 C$ // Jun 19, 2008 at 2:43 pm

    What about the freeloader discs? Did the update block them (since it blocks the trucha bug)

  • 102 Zant // Jun 19, 2008 at 2:56 pm

    yes. the new update KILLS freeloader. search before you ask or check wiibrew.org

  • 103 Marzipan // Jun 19, 2008 at 3:20 pm

    So, if I already have the homebrew channel on here, it will still work after the update? I’ll still be able to use my ROMs and all that jazz?

  • 104 A8029FE5 // Jun 19, 2008 at 3:29 pm


    Yes, they are blocked. However, if you install the Homebrew Channel before updating to 3.3, you can still use Gecko Region Free. However, I wouldn’t update until you have to.


    Yes, the Homebrew Channel will still work on the 3.3 firmware. As stated above, just make sure it is installed before updating.

  • 105 CaitSith2 // Jun 19, 2008 at 4:15 pm

    If the homebrew channel is calling for an IOS that is not present, then the only safe way to update, is with an older game disc that requires a system update. Mario Kart Wii or Mario Galaxy should both do the trick.

  • 106 AzzaKanazza // Jun 19, 2008 at 6:28 pm

    In this code here:

    char buf[0x100];
    strcpy(buf, pathname);
    strcat(buf, direntries[i].filename);
    retval = NANDPrivateDelete(buf);

    I dont know much about the IOS code, but if a filename was put in which was at least 250 chars, wouldnt that cause a buffer overflow in the strcat call when it tries to append the filename to the pathname, or is there a restriction on the length of a filename? Because the length of the pathname combined witht the filename would be longer than 0x100 or 255 chars?

  • 107 AzzaKanazza // Jun 19, 2008 at 6:31 pm

    PS: Where can i get a definitive assembly reference for the ARM processor, i did look on the net but i couldnt find anything for the


    instruction and a few others, wouldnt mind having a good look over the assembly my self (i have only ever done 808x assembly…

  • 108 AzzaKanazza // Jun 19, 2008 at 6:34 pm

    PS: I dont know if the rumors about the RegionFrii not working are correct, i have two region freed and scrubbed games (i have a modchipped wii D2pro 9-wire) and they still work fine, i was expecting them to fail because apparently regionfree uses Trucha to sign the partitions??? My other trucha signed discs however DO NOT work at all… so i think RegionFrii might be all right??

  • 109 Cobarde // Jun 19, 2008 at 7:11 pm

    A friend of mine can use GH3 customs(trucha signed) after updating his Wii(3.3PAL). He’s coming back tomorrow, so I’ll get all the info about it ASAP.

  • 110 crwys // Jun 19, 2008 at 8:15 pm


    They aren’t talking about region free games. They are talking about using the datel free loader so you can play any game that is outside your region. Region frees games i suppose are the same but you have to make changes to the .iso or wad file so its easier to use datel free loader. This information may not be exactly true

  • 111 Marzipan // Jun 19, 2008 at 9:05 pm

    Thanks guys. Ill rent MKWii this weekend. 😀

  • 112 GameZelda // Jun 19, 2008 at 10:09 pm

    @AzzaKanazza (and some other comments that report the overflow on the 0x100 buffer):

    I’m pretty sure that this is not exploitable, since in savegames, the filename field seems to be always 0x40 bytes (if it can also be in the IV and the “random” data fields, it could reach 0x75 bytes).

    About RegionFrii, I think that it does only patch the ISO header, which is not signed, but not the video modes (like the most recent region free tools).

  • 113 AzzaKanazza // Jun 19, 2008 at 10:55 pm


    Ahhok, i was under the impression that the RegionFrii tool trucha signs the partitions, but it musnt


    Cheers for that info on the filename, i guess it wouldnt be exploitable then :) Im relatively new to the WiiHack scene.

    As for the regionfrii, thats great, im pretty sure i never used the video mode change as my TV supports both anyways. That explains it to a T, thanks mate! :)

  • 114 Armen // Jun 19, 2008 at 11:06 pm

    Hey didnt some guy find a way to downgrade the wii version its on nintendo scene the video heres the link http://www.teknoconsolas.info/foro/viewtopic.php?f=95&t=44777

  • 115 Armen // Jun 19, 2008 at 11:08 pm

    and if so maybe you could run it in the homebrew channel to downgrade if ever needed the only thing is he didnt release it yet maybe i tcould be fake correct me if im wrong :\

  • 116 HyperHacker // Jun 20, 2008 at 12:45 am

    GameZelda: the 0x2008 offset probably means the first string to be checked is 8 bytes from the beginning of the save data.

    Sunrise: Backups will still run, but modified ISOs and homebrew discs (such as the HBC installer) will not.

    wowfunhappy: You’re wasting your time. The NOA tech support doesn’t know what the NOJ programmers are doing, and they’re not likely to pass your rant along.

    Re: exploiting this code: it’s probably possible, but why bother? It’s extremely risky (the exploit would run every time you boot the Wii), and these bugs will probably be fixed soon. Fixing up the TP hack to take advantage of the bugs (which really should only take a couple minutes, but I assume they’re also updating the exploit code itself and need to test it) and then finding more exploits in other games would be much more productive. It’s a lot more difficult to add these sorts of checks than to fix the bugs we’ve seen here, so game exploits will last much longer, and can be released one by one as Nintendo patches them.

  • 117 Anonymous coward // Jun 20, 2008 at 2:37 am

    Why are Nintendo still coding using strcpy when they should be using strncpy and then setting the last character in the buffer to ” to avoid these kinds of exploits?

  • 118 Anonymous coward // Jun 20, 2008 at 2:38 am

    … setting the last character in the buffer to ‘backslash-zero’ … (that part got eaten up)

  • 119 Mad_Gouki // Jun 20, 2008 at 2:40 am

    What does the backslash-zero do as an operator?

  • 120 Hackers Rejoice! The Twilight Princess Hack is Back! - My Wii News // Jun 20, 2008 at 3:01 am

    […] what all that coding stuff means, but if you are into that matter, check out the in-depth analysis: Here. Also, keep checking back to My Wii News, we’ll keep you updated. Share and Enjoy: These […]

  • 121 Anonymous coward // Jun 20, 2008 at 4:12 am

    #119: It’s how you represent a zero in a variable defined as char in C.

    They really should be limiting the size of all string copies from untrusted data sources (i.e. saved games) to a fixed-length buffer and putting zero at the end of the buffer to terminate the string it in case the copy to the buffer completely filled it up. It’s what caused the original TP bug after all.

  • 122 Jan // Jun 20, 2008 at 5:03 am

    Come on with the new hack already 😛

  • 123 GameZelda // Jun 20, 2008 at 5:54 am


    No, the first string is not +8 bytes. As I said, the first and second 0x2000 bytes are identical (and the string positions too), but the code starts to check at 0x2008.

    If you want to see it, take a Zelda TP savefile, extract the files, and open zeldaTp in a hex editor.
    If you go to offset 0x1BC, you will be in the first character of the string “Link”.
    If you go to offset 0x21BC (0x2000 + 0x1BC), you will be in the first character of the string “Link”.
    If you go to offset 0x21C4 (0x2008 + 0x1BC), you will be in a zone after the string “Link” (still in the zone of the string, but after it has been terminated by 0x00).

  • 124 DrFred // Jun 20, 2008 at 5:59 am

    If this code were to be exploited it wouldn’t have to run every time the wii boots. Surely it would just run when you press “copy” on the data management. This checks the file before copying and so would crash the wii before the file is copied to the system memory.

  • 125 jhark // Jun 20, 2008 at 8:11 am

    It’s been 3 days. Either you figured it out or you haven’t. Don’t say that you figured it out within 7 hours of the update release if you haven’t actually fixed it.

  • 126 ESmazter // Jun 20, 2008 at 8:26 am

    Yep thats shit. Even many news site say, he made a fix. Maybe he is just playing a game with us and wants attention :(

  • 127 FireC // Jun 20, 2008 at 8:49 am

    He is not playing a game. Proof is here:

    http://boards.gamefaqs.com/gfaqs/genmessage.php?board=930752&topic=43730560 (Look on the bottom post on page 1)

    From what is there, Bushing does have something, but god knows what the heck he is doing.

  • 128 pajero // Jun 20, 2008 at 9:07 am

    bushing, it’s been 3 days since your last post. Are you still working on a fix for the TP, or you changed your aproach? If you’re still working on it, then good luck 😉

  • 129 pajero // Jun 20, 2008 at 9:12 am


    That’s not proof, that’s a bunch of text that some bloke wrote. If it’s not on hackmii.com, I won’t belive it…

  • 130 ESmazter // Jun 20, 2008 at 9:15 am

    oh shit george bush wrote me

    ES: hey georgie boy
    GWBUSH: Hey ES
    ES: Got some hoax?
    GWBUSH: Sure, here [LINK REMOVED]
    ES: OMFG it works thx k bye


    Whatever, I’d really like to see something BY B himself and not someone from the forums.

  • 131 AzzaKanazza // Jun 20, 2008 at 9:21 am

    Come on guys, im sure Bushing has a job and probably a family too give him a break, programmers and software engineers usually get paid for this you know!!!

  • 132 Nilsk123 // Jun 20, 2008 at 10:14 am

    I cant believe some people still declare hoax after all he’s done for the scene.

  • 133 qqqqqq // Jun 20, 2008 at 10:33 am


    Please tell me that you didn’t just link to GameFAQs as a news source. That site is just about the most worthless site in existence.

    @jhark, ESmazter, and pajero:

    Team Twiizers does not have to release anything to you, so be grateful that they do. If you want a fix so badly, find one yourself. Otherwise, stop complaining. I doubt anyone on Team Twiizers is even reading these comments at this point.

  • 134 pajero // Jun 20, 2008 at 10:51 am


    Have I demanded anything? Have I criticized anyone? Have I complained? I asked a question: if bushing was still working on the TP-hack-patch, or on a brand new way of hacking the Wii. That’s it… I didn’t ask if it was ready, or when would it be ready…
    If you don’t know how to read, it’s not really my fault…

  • 135 qqqqqq // Jun 20, 2008 at 11:00 am


    Sorry, I guess you’re right. That still applies to the other two, however…

  • 136 pajero // Jun 20, 2008 at 11:02 am


    That’s ok. Cheers m8

  • 137 crwys // Jun 20, 2008 at 11:21 am

    Bushing is very busy im sure. And who knows maybe he is working on a little something else for us? :) You never know, i know that the wait will be worth it.

  • 138 Bjorker // Jun 20, 2008 at 11:52 am

    He’s probably just taking a few days off.
    Good for him!

  • 139 Unicron // Jun 20, 2008 at 12:22 pm

    Let Bushing and the rest of Team Twiizers work on it. Its’ not like they do this for a living you know, they DO have lives. Of course, they may have discovered a few bugs in the update allowing a new hack to be used, decompile it and write the C equalent in just one day or so, but that doesn’t mean they have to give the new hack to you right away(as if they would anyway…). To all of you whining to bushing to release the hack: shut up and wait! There is sensitive code, here, which may brick your Wii if not thourouly written and tested. I personally want quality instead of quantity/speed, and that’s exactly what bushing and Team Twiizers give.

  • 140 Zelda // Jun 20, 2008 at 3:22 pm

    Yeah don’t care as long it takes as long it works on 3.3 update I’m good

  • 141 Icefire // Jun 20, 2008 at 3:25 pm

    @Bushing: can you give out your (modified) versions of the savegame compiler/decompiler? Then someone could easily get these people to stop asking for it 😛

  • 142 satoshi // Jun 20, 2008 at 3:59 pm


    Did you not just do what you are condeming everyone else for doing?

  • 143 cap9qd // Jun 20, 2008 at 4:39 pm

    They are probably TESTING THEIR CODE! If you havent caught on by now that they don’t release untested and alpha software then you obviously don’t follow their work…you just use it.

    The whiners are the same people that bitch and bitch when software isnt released on their own f**ked up time-table (WiiMedia for example…which was dropped thanks to all the whiners…thank you all) and then bitch when the alpha software doesnt work to their liking or bricks their Wii. Grow the f**k up.

    Sorry…there are a lot of great people on here that post great comments…and some that dont…this rant was for the whiners.

  • 144 cap9qd // Jun 20, 2008 at 4:43 pm

    Well…my bet is they are working one an exploit that isnt so easily updated, as the two bugs that are exposed here.

  • 145 jhark // Jun 20, 2008 at 7:31 pm

    “If you havent caught on by now that they don’t release untested and alpha software then you obviously don’t follow their work…you just use it.”


    Every version released so far is an ALPHA version.

  • 146 sarkwalvein // Jun 20, 2008 at 7:57 pm

    Hey, in the post #9 (by bushing) there is almost a manual on how to get the hack working again… If you are so much anxious, just follow the instructions…

  • 147 cap9qd // Jun 20, 2008 at 8:36 pm

    Sorry I miss spoke…my meaning of ALPHA was untested code. Obviously it understood what I was saying.

  • 148 Pipeline // Jun 20, 2008 at 9:14 pm

    Would there be a way to NAND Dump the Homebrew channel itself and fix it so it can just be copied on to a wii?

    Just wondering because there is a guy in my class at school working on something like this and I would like to help.

  • 149 WhoopJack // Jun 20, 2008 at 11:15 pm

    Since Nintendo installs channels from the shop channel, would it be possible to change your router DNS to point to your own page for the shop channel (as I’ve seen done by someone else where they pointed to google and browsed on their Wii). Then from your own page install the Homebrew channel and any other hacked channels you might have? I’m not sure what the install sequence is when you do it from the shop channel, but I’m sure someone could easily find out by installing a free channel through a proxy where the requests get recorded.

  • 150 z3r0 // Jun 20, 2008 at 11:46 pm


    Didn’t Nintendo block the Shop Channel from being used to browse the internet in one of their updates? Besides, that would involve actually tricking the console into believing that it is in fact on the Shop Channel and not some foreign place.

  • 151 WhoopJack // Jun 21, 2008 at 12:13 am

    Yeah, Nintendo did block the easy way in, but looks like mozy got it to work again a while ago (http://mozy.org/wii/#shop).

    I guess the save game hacks are easier since you bypass the default install process which likely brings asymmetric key encrypted files into the picture, where Nintendo holds the private key that you’d need. Oh well.

  • 152 jhark // Jun 21, 2008 at 7:11 am

    we’re at the 5 day mark now…

  • 153 Daverball // Jun 21, 2008 at 7:26 am

    So what?
    Just be patient. They owe you nothing. I wouldn’t even care if it took two months, they do a great job and great stuff takes its time.

  • 154 Neversoft // Jun 21, 2008 at 7:44 am

    I’m stunned at how impatient some of you people are, you don’t deserve the amount of effort that Bushing and the rest put into this (although I doubt they’re thinking about you when they’re hacking away anyway). More to the point, how come many of you appear to have had no previous interest in Wii homebrew (otherwise you’d have the HBC installed already and you wouldn’t need the updated Twilight hack) but it’s suddenly *very* important now that you’ve shoved a brand new firmware up your Wii without bothering to check for any possible repercussions… So you didn’t care for homebrew a week ago but it’s a life threatening situation now that you CAN’T install it? Grow up!

  • 155 Scoop // Jun 21, 2008 at 8:40 am

    I didnt even manage to get it installed. I was on for days trying different patches etc and all came up on my wii SD card as a ? in the blocks. I lost my temper and gave up installing the 3.3 patch. Next day when i calmed down I tried a 4th SD card and bloody typical the chain loaded showed up but obviously Nintendo have blocked me from saving the file to my Wii. Im hoping soon there will be a new patch for me to try now that I have sorted the SD card out. Great work and gods speed.


  • 156 rod // Jun 21, 2008 at 9:02 am

    well there be twilight hack for rzde j us

  • 157 rod // Jun 21, 2008 at 9:04 am

    i have 3.3u but i dont know how to do the new twilight hack you guys made for the pal wii

  • 158 rod // Jun 21, 2008 at 9:05 am

    can you help me

  • 159 Ark // Jun 21, 2008 at 10:22 am


    Realize some of us actually have not paid attention to the homebrew scene until recently, and did not know the repercussions of this update until researching Wii homebrew in general.

    Now, granted, I am as impatient as everyone else, but unless someone has actual input, then it’s best to just wait it out. Toy around with other games and save files, see what they may have. Take a look at the C output and look at anything. If you are not very technical, then just sit back and chill, play a damn game. Hell, mess around with DS homebrew if you want. Just be patient, and we will see progress over the next few weeks.

  • 160 Phredreeke // Jun 21, 2008 at 10:29 am

    > Sunrise: Can somebody clarify, do game ISOs that are obtained from say newsgroups all use Trucha?

    This isn’t a place for discussing piracy.

    People need to learn to research before updating their Wii systems. I hope this makes people think twice the next time they update their Wii.

  • 161 Nikayah // Jun 21, 2008 at 12:12 pm

    I have two ideas although i have no clue if they will work, i don’t even know very much about how the wii reads stuff or whatever, but what if you put a modified Mii on the wiimote with a program like transfer mii (its for linux as far as i know). Or even figure out how to send a mii from a computer to a wii (like you can with the mii channel, but with a computer to send it instead)

  • 162 bitflusher // Jun 21, 2008 at 1:28 pm

    impatient people, there are two approaches to solving a problem.

    approach 1 by someone @elotrolado.net forums:
    make something that has a slim chance it could possibly work. and release it the second you compiled it
    result: http://wiibrew.org/wiki/Talk:Twilight_Hack#3.3_T.Hack.3F
    something that got rushed, doesn’t work and is possibly full of other errors that could brick many wii’s

    approach 2 by team tweezers:
    do research, share it and have it verified, implement it and make it work, then test it and test it to ensure it does nothing it shouldn’t do. and when you are absolutely shure, release it

  • 163 Zelda // Jun 21, 2008 at 9:03 pm

    its out go to wiibrew.org and work with 3.3 update yay

  • 164 Putting the genie back into bottle? (MIOS) // Jun 22, 2008 at 12:09 am

    […] June 16th (”3.3″) Wii System Update did more than bring the death of the Twilight Hack (sort of) and a patched version of IOS30.  It also brought new versions of BC and MIOS — […]

  • 165 Wii firmware version 3.3 » Restart // Jun 22, 2008 at 3:25 am

    […] Update :- Some additional information here and interesting update here […]

  • 166 Sunrise // Jun 22, 2008 at 7:46 am

    I’ll discuss what I want, when I want and where I want until such time as I agree to some posting rules.

    My question was valid and probably a lot more helpful that your 100% useless post, which incidentally by reposting my question makes you guilty of the same.

    I’d suggest trying MSN or similar to find some youngsters who’ll bow to your bullying attempts ..maybe try
    DON’T spell that like that blah or
    DON’T you know correct grammar blah or
    DON’T you search before asking blah blah.

    Finally, I find it ironic that you mention piracy, I presume from a legal aspect, and we’re all discussing decompiling (and not just for education but for vulnerability) encrypted and copyrighted code.

  • 167 Darksyntax // Jun 22, 2008 at 8:38 am

    that zant guy is annoying. This is why i make no effort to contribute to such projects — the ungrateful, illinformed consumer mass that see it as “easy”.

  • 168 Phredreeke // Jun 23, 2008 at 4:58 am


    There’s no need to be rude about it. Bushing is very much against piracy, so I’d say it’s impolite to ask about ISOs downloaded from newsgroups in his blog.

    The vulnerabilities we’re looking for is not for running pirated games (which has been possible almost since the release of the console anyway) but for running our own code.

  • 169 hochniveau: Das offizielle Blog der h8u.de Gemeinde // Jun 24, 2008 at 2:47 pm

    […] der das Verwenden des modifizierten Speicherstandes analysiert und auch da ein h

  • 170 Creg // Jun 25, 2008 at 2:26 pm

    I have finally discovered the flaw.

  • 171 Wii ISO Loader? « nooblog // Aug 3, 2008 at 12:35 pm

    […] nicht verwendet, doch war es nur eine Frage der Zeit bis Dies geschehen sollte. Es geschah dann am 16 Juni mit der Firmware Version “3.3X”, die jedoch nicht nur modifizierten Spielen, sondern […]

  • 172 Korean Wii // Sep 13, 2008 at 3:17 pm

    […] (It identifies itself as 3.3K, and it does have the anti-Twilight Hack code.) […]

You must log in to post a comment.