It’s been a few days, so I’m just going to post some brief notes on what I’ve been working on lately.
- Twilight Hack: Marcan did a great job of putting together a nice new release that works with System Menu 3.3: Twilight Hack v0.1beta1. It seems to work well; we have some initial reports that some SD cards don’t work with it, giving a “error -1 reading boot.elf”. I’ve found at least two different problems that can cause that, so expect a small update soon — in the mean time, reformatting the card often fixes it.
- Updates: No new updates, as seen on Marcan’s Wiimpersonator. I would not expect this to last; Nintendo will probably release a fixed version of their anti-TP hack code which will not be nearly so easy to defeat. For those of you who updated to 3.3, take that as a warning and just don’t update next time. We’re working on a long-term solution.
- Korean Wii: We believe that the new Korean Wiis have a new common key, and we won’t be able to use our tweezer attack to recover it. I’d like to take a look at one and see what other avenues of attack there may be. If anyone knows how I can buy one of these and get it shipped to the US, please let me know.
- Forum: I must confess to the fact that I didn’t even know there was a Wiibrew Forum until recently, but the admins there have put a lot of work into spiffing the place up recently. I think we can turn this into a good resource to take the place of some of the discussion that doesn’t really belong on a wiki, so please drop by and bring your quality questions with you.
- UnbrickMii / Factory — both of these have updates which deserve their own article. Stay tuned.
36 responses so far ↓
1 mooseknuckle2000 // Jul 1, 2008 at 5:12 pm
right on…glad to see you’re still hard at work. Your guys’ efforts are very much appreciated.
2 DarthCloud // Jul 1, 2008 at 6:00 pm
bushing if you looking for a Korean Wii you might want to register over http://www.assemblergames.com/ and ask in the marketplace forum how to get a korean wii. For sure a Korean member can help you with that. IIRC tmbinc has posted on asm for finding is triforce arcade some month ago.
3 WiiNoob // Jul 1, 2008 at 6:43 pm
I want to make a request for what i would think would be a simple program: something to return a drive state value to a drivless wii. I ask this because people who have sold their wii drives ( or broke it, or whatever) and are waiting or dont want to get new ones can use their wii. When i was waiting for my drive i tried using my wii. IT would freeze at the start of every program. My theory is that the black screen freeze it gives is because it is waiting for the drive to return its state. Is there a way to make a program return the same response every time (like empty, or no disc, or etc)? The concept sounds simple enough, but im a novice and need more experienced people.
4 fireace // Jul 1, 2008 at 7:39 pm
Do you really think they will rush to plug the hack? They spent a lot of time developing and testing this fix (and therefore money) and you broke it very quickly. Chances are it will take at least that long again. Also considering all that they might decide its not worth the time and money if its going to be broken so quickly anyway, until there’s hints of an ISO loader I doubt they will get very serious about it. I guess they don’t want the Wii to end up like the DS in terms of piracy though.
5 tona // Jul 1, 2008 at 8:54 pm
Why wouldn’t they rush to plug it? This update would be for just a few lines of code at most, not entirely new algorithms and function implementations. One fix is likely just adding a moving a totaly of 3 lines in their “Look for zeldaTp.dat” function. This fix would be far simpler and require much less consideration for compatibility issues.
6 Neue Informationen auf Hackmii.com - Beitrag - Wii Will Rock You! // Jul 1, 2008 at 10:35 pm
[…] Für Interessierte gibt es hier den Link: HackMii.com […]
7 Nuke // Jul 1, 2008 at 10:58 pm
The Taiwan Model is released next week here, I can easily obtain one for you if needed.
8 DarthCloud // Jul 2, 2008 at 3:29 am
http://www.nintendo.tw/index.html
Yup Wii got also release in taiwan on 12 july. Would be interresting to see if it also use a new key or share the same as korean one. I think nintendo is testing with both korean and taiwan Wii their new protection before releasing an iQue Wii in china.
9 Enze // Jul 2, 2008 at 12:14 pm
tona: Probably because updates that close together are annoying.
10 wowfunhappy // Jul 2, 2008 at 1:29 pm
That’s sort of along the lines of what I’ve been thinking- it probably looks bad for Nintendo if they release updates too frequently.
I also think they’re not going to release an update unless that update brings a new feature along with it- it doesn’t have to be a very large feature, but just SOMETHING besides “automatically removing hacked save files” to keep Nintendo from looking bad. And new features, even small ones, require both an idea and testing…
11 seac // Jul 2, 2008 at 1:46 pm
@ wowfunhappy: …. and Nintendo will have to test the update for 3 whole months 😉
12 TioSolid // Jul 2, 2008 at 4:34 pm
Thanks for the update, didnt know about the Korean Wii o.0
and please, syndicate the full RSS feed ;/
13 Justin // Jul 2, 2008 at 6:40 pm
Do you know the Korean Wii doesn’t have gamecube function? Because of the Region code of Korean Wii is seperated from Japanese, (the region code of Gamecube was identical to japan) they remove gamecube funtion from Korean Wii. Is that possible to activate the gamecube function? I’m just asking.
14 bushing // Jul 2, 2008 at 6:46 pm
@WiiNoob: I don’t know what’s wrong with your Wii, but it’s not the missing drive. The Wii I use for NAND-flash experimentation hasn’t had a drive connected to it in 6 months, and it works just fine.
@Nuke: Great! Check your email.
15 player0 // Jul 2, 2008 at 7:43 pm
I wonder if bushing can post the source code of the TH loader so that people can try to port it to different games and give Nintendo a headache to patch all these hacked saves. For a candidate in mind, FFCC the WiiWare game may worth to have a look because it allows you to control the game flow (how to save and load, running custom C like codes) at source level.
16 HyperHacker // Jul 2, 2008 at 8:20 pm
Justin: once homebrew works on it it should be possible to load a homebrew IOS, or even MIOS from an American/Japanese Wii, to run Gamecube games. (Would be quite a neat hack, adding backward compatibility without an emulator.) However the disc drive may not be capable of reading the smaller Gamecube discs, so you’d need to chip it and use copies on full-size DVDs, or write some sort of HDLoader-like app.
player0: It’d be better to have a few people find exploits, and keep them secret until there’s a need for one. If we release them all at once, Nintendo can patch them all at once.
17 bushing // Jul 3, 2008 at 12:35 am
Segher’s been working on cleaning up the source code for the Twilight Hack — it should be portable to almost anything that we can crash through a buffer overflow (if not everything). We intend to GPL it, it’s just taken longer than we’d hoped.
If anyone finds a way to crash a different game using a buffer overflow, please let me know and that may help us get the source out a bit more quickly.
@HyperHacker: Agreed about releasing one exploit at a time — there’s nothing horribly sensitive about the Twilight Hack source, though. It’s really a matter of:
Step 1. Find a game that will crash when you make a buffer or string too long in a savefile
Step 2. Instrument the game to help pinpoint the location of the crash. Nuke helped me do this with Zelda by patching the DOL to output debug info over the USBGecko; GeckoRD would probably be an easier way to do this now.
Step 3. Proof of concept — Manipulate the buffer contents until you can force a register or a stack pointer to contain an arbitrary number. Execute a few instructions. See http://picasaweb.google.com/bushing/TwilightHackRetrospective02 for an example or two.
Step 4. Modify Twilight Hack sourcebase to fit in buffer.
18 Anonymous coward // Jul 4, 2008 at 12:59 am
It looks like Pop has a buffer overflow problem…
http://www.nnooo.com/games/pop/faq.html
See “Whenever I get to the end of the Tally Screen the game crashes”.
19 Update for Twilight Hack in the works??? | NES Hacks // Jul 4, 2008 at 11:14 am
[…] SOURCE […]
20 HyperHacker // Jul 4, 2008 at 12:08 pm
Not every crash is a buffer overflow, or anything useful at all.
21 kmeisthax // Jul 4, 2008 at 3:12 pm
Exploiting buffer overflows in WiiWare or Virtual Console games would be unwise – existing copies can be patched while existing Wii disc games cannot be patched.
22 miom // Jul 4, 2008 at 7:46 pm
I think there is a great potential in Opera and Adobe Flash.
23 DtD // Jul 5, 2008 at 12:40 am
Plus, even if it was a buffer overflow, it specifically says on thier website they are trying to make a fix for it.
~DtD
24 Anonymous coward // Jul 5, 2008 at 5:11 am
> Not every crash is a buffer overflow, or anything useful at all.
However two of the questions in the FAQ are…
-How many friends did you choose to send updates to?
-How many friends do you have on your friends list?
So it seems there’s a problem with dynamic memory allocation somewhere in there.
Secondly, to update a VC or WiiWare game you usually have to go to the shop and re-download it yourself and you can always keep a backup of the bugged version on SD card.
So it’s a game worth bearing in mind when Zelda is finally patched.
25 nanika // Jul 5, 2008 at 5:31 am
But if Pop is patched, the unpatched one is completely unavailable for new users, whereas there will be thousands of unpatched Zelda disks at least.
26 adr990 // Jul 6, 2008 at 2:37 am
I’m good in wad’s
But not in save files yet…
Bushing, do you use app’s for edit the save file?
Or just Hex edit?
And the TP hack was here already before Waninkoko’s save extractor/installer for making the save file more open…
Great! but how? haha
I not have a USB gecko yet… (only SD Gecko)
But I may can help with finding a error in the game by making the name too long
Adr
27 svpe // Jul 6, 2008 at 3:24 am
They are either using a hexeditor or self-made applications to generate the savefile.
Then some checksum calculation program – which has to be written for each game – is used to make sure that the game thinks that the save is valid.
The last step is to use segher’s twintig with the NG-* files to generate and sign the savefile. (You could also use my fork mkwiisave here which uses a USB gecko connection to sign the savegame.)
However, all this is *way* more complicated than just using some tools on WAD files.
28 adr990 // Jul 6, 2008 at 11:09 am
Hmm I see…
By the way:
I’m dutch and never jumped much in the seger’s twintig and such but… what it is really?
And I first go hex edit the TP save (only look)+ look if I can change banner…. since I think I can 😛
Than I wanted to try this games for a new hack:
Rayman raving rabbits 1
it is copy able on normal way, not like 2 that it isn’t.
but not think it will work on that game…
I think more SMG but that game is get played more… 😉
29 adr990 // Jul 6, 2008 at 2:45 pm
(sorry for double post but can’t edit)
I tried much and I am happy with result…
Though I didn’t make a new “tp hack”…
I didn’t could get a error… since Rayman Raving Rabbits 1 is giving error when I changed my save name longer than 3 (ADR -> ADRQ or something)
Than he will say the save is broke…
But I could easy edit the Save icon name and author name of it 🙂 with 3 character long name and custom save name and author no problem though…
So how it was on TlozTP? same error if you have a longer name?
(I will try anyways too soon)
(Can I post some pics? I even had a broken save file title it was nice to see for me 😛 I have fun in this 🙂 )
30 HyperHacker // Jul 6, 2008 at 3:53 pm
The game probably does a checksum of the important parts of the save file, to tell if it’s corrupt. You’d have to figure out the algorithm and fix it manually.
31 adr990 // Jul 7, 2008 at 2:18 am
Ah okay, thanks 🙂
Manually?, via a trucha disc of it or via USB gecko or hex edit?
Or I should just try a another game?
Thanks for all help, I gonna try some other ways…
32 HCK // Jul 7, 2008 at 2:48 am
Why does everyone get mad for the source? 100 different hacks will be ported in 100 games, Nintendo will blow up everything with 3.4 and it will be easy for em since they can get the source.
Then they’ ll just check if the loader is in the save file of every game instead of using a useless check of the byte lenght, and then and the TH&friends-clones will be dead.
Seriously: I think people should create their own hacks. That would be headacke to fix.
33 ERROR // Jul 7, 2008 at 9:56 am
I’m with HCK on this one. Releasing the source of the TH will only help Nintendo in making a permanent patch.
34 Aaron // Jul 7, 2008 at 7:50 pm
@HCK: Nintendo already has the compiled binary of the Twilight Hack, so if they want to scan save files for the loader code, they can already do that. But just checking for the loader code byte-by-byte wouldn’t do much good, since the loader could be modified in any number of ways to make it “look” different but work the same. So at the end of the day, I don’t see how releasing the source would make much difference.
35 Tempraire // Jul 7, 2008 at 7:57 pm
I wonder how long it will take nintendo to patch this… probably a few months like the last one, which gives the wiibrew community lots of time to work on another solution. Does anyone think we can find a more permanent solution to this is the future? I will be looking into other games for buffer overflows.
36 HCK // Jul 15, 2008 at 3:56 am
Having the source code or have not it MAKES difference, there’ s not much to discuss about this point IMO…
You must log in to post a comment.