Another year, another console, another Hackmii Installer!

Despite all of the anti-reverse-engineering tricks we put into our last installment of the HackMii Installer, Nintendo managed to find the IOS exploit we used to install The Homebrew Channel and fix it sometime within the last two years. There never was a Wii system update for this, the fixed IOS versions can only be found on a Wii U.

They also blocked our old title ID. Consequently, we have a new release with a new version of The Homebrew Channel; this will install on both Wii consoles, and inside the virtual Wii sandbox inside the Wii U.  The currently used IOS exploit is courtesy of tueidj.

Please note that this is not running in full Wii U mode; running this on a Wii U will probably work just like on a Wii. (See if you can find any differences, we can all try to hack the Wii U together from inside Wii mode!)

Also, due to technical limitations of the virtual Wii mode, BootMii will not work on a Wii U. If we are able to resolve this, we will make a new release with BootMii support.

As usual, grab the new installer here.

If you’re unsure what do to with the installer, see this wiki page for a general tutorial on how to setup homebrew on your Wii, and this one at the brand new wiiubrew.org for savegame exploits that still work on a Wii U.

Update:
Unfortunately some bugs snuck into the v1.1 release, which are now fixed in v1.2:

• PAL 50Hz (576i) video mode now works properly
• BootMii/boot2 can be installed again on newer Wiis
• Icons load again in The Homebrew Channel

Sorry for the inconvenience.

Our usualy update cycle tends to follow Nintendo’s updates: Nintendo plugs one of our exploits, and we release a new version with a new exploit. At the same time, you get all the new goodies and bugfixes that we may have accumulated since the previous version.

However, Nintendo’s care for the Wii lately has been rather sparse. We’ve been working on HBC every now and then behind the scenes: a bugfix here, a new feature there, and so on. Meanwhile, we waited and waited and waited for an update to break the current version. Alas, crickets.

And yet! Recently, Nintendo did break The Homebrew Channel. No, it wasn’t a system update. It wasn’t a new Wii model (though they did release a new Wii, it turns out it works just fine). What they came up with was a new Wiimote, which, completely by accident, happens to be incompatible with the previous version of The Homebrew Channel.

You see, way way back in 2006 when the Wii came out, someone figured out that you could send commands to the Wiimote in a certain way. Libraries were developed, and eventually we had support on the Wii itself with the advent of Wii homebrew. And yet, nobody though to question the way we were sending the commands. Nobody bothered to check whether the Wii itself was doing the same thing.

As it turns out, it wasn’t. It was using a different method of sending data to the Wiimote. The Wiimote itself supported both – until the new RVL-CNT-01-TR model came out, that is. They probably had to trim the firmware to make space for the Motion Plus stuff.

HBC 1.0.8 was released 18 months ago, and we’re at over 3.1 million unique installs – that’s 3.4% of all Wiis sold to date, and this is only counting on-line HBC installs! Today, we bring you the HackMii Installer v1.0, featuring The Homebrew Channel v1.1.0 and BootMii 1.4. Here’s what you get:

• The new RVL-CNT-01-TR Wiimotes are now supported. Unfortunately, although HBC itself will work, there’s no way it can make existing homebrew work with it too – authors will have to recompile using the latest libogc SVN. C’est la vie!

• HBC now has a new font renderer with TTF support. The new renderer uses FreeType to render fonts with kerning and antialiasing, which looks much, much better than the old crummy bitmap font engine. You can use multiple fonts, sizes, and colors, under the control of a theme. The rendering is optimized for the screen resolution in use (4:3 or 16:9) for the best quality (note: this means the fonts will look a bit different between both modes, as they are hinted at different resolutions). The new default font is Droid Sans.
• Unicode (UTF-8) support. HBC has been using UTF-8 in meta files for a while, but only supported the latin-1 subset. Now you can display any character present in whatever font you’re using.
• HBCは日本語を話します！ HBC wa Nihongo o hanashimasu! Yup, with Unicode support comes a Japanese translation, courtesy of JEEB. However, to enable it, you need to install a theme with a Japanese capable font. Check out the themes page to get it.
• While adding the new font engine we also fixed a bunch of underlying issues. The meta.xml system should now be quite a bit more tolerant and stable.
• We’ve added screenshot functionality for theme creators who want to show off their themes. Plug in your Nunchuk and press Z+C (in that order) to create a png screenshot on your SD card.
• The crashes when using no_ios_reload with a bad/disabled network config have been fixed – by removing <no_ios_reload/> mode. Instead, we always reload IOS, but don’t fret – you can still use AHB access, thanks to a trick that we implemented. Use <ahb_access/> (<no_ios_reload/> is actually just an alias for that now).
• “This update provides behind-the-scenes fixes that will improve the overall system performance”. And unlike Nintendo, we actually mean it; there’s an assortment of fixes for quite a few minor (and some not so minor) bugs and glitches, including those that come with the latest libogc and libfat (e.g. 4K sector support) and some issues when launching apps and hotplugging devices.

The full release notes with all the gory details are available on WiiBrew.

As usual, either grab the new installer here, or use The Homebrew Channel’s online update (a confirmation dialog should pop up when you start your current version, if you are connected to the Internet). Have fun!

The procedure for obtaining the new DSiWareHax and the updated Sudokuhax is identical to the original Sudokuhax, as described in the Sudokuhax post and the client software README. The client software was updated as well, updating to this version is required since the server doesn’t support client sw v1.0 anymore.

Hence the title and the 1.4.2 post, this is the last new DSiWareHax that will ever be released, since there’s no way to copy DSiWare exploits to DSi “internal memory” on 1.4.2+ without your system certs.

Today we are announcing a project that changes this completely and removes the requirement for an exploitable game.

In memory of BannerBomb, we present you with LetterBomb , a brand new System Menu exploit that will allow you to enable homebrew with the push of an envelope (no stamp licking involved)

This exploit reuses (and abuses) some of some Nintendo’s Wii Messageboard functionality.

You will need:

• A Wii running System Menu 4.3 (E/U/J/K)
• A SD(HC) card with some free space
• Your Wii’s WiFi MAC Address (available from your Wii’s system settings). This is needed because the Wii will only accept messages addressed to its specific MAC address.
• A few minutes of your time

For this very special occasion we have created an easy-peasy webpage that takes away some of the pain that is usually involved with getting homebrew onto your system:

http://please.hackmii.com

This webpage will ask you for some necessary information (such as your System Menu region and MAC address), and  will then return a nicely packaged ZIP file that is ready for extraction to the root of your SD card. Simple eh?

All that is missing from that point is a boot.elf/boot.dol file (that you will need to place in the root of your card), and you should be good to go. For your convenience we have an option to prepackage and bundle the HackMii Installer boot.elf (this is enabled by default).

So, how do I do this?

Simple…. once you’ve unzipped the file to your SD card (and inserted it) just navigate to the “messageboard” on your Wii and in the default view you should browse to “yesterday” (the place where you usually see yesterday’s messages) – sometimes this may be “today” or “two days ago” (this depends on the timezone you are in).

From this view you will be presented with a small envelope (that should obviously stand out against the rest of your plain old boring ones), click it, kick back, twiddle your thumbs (the Brits among you, go and make a cup of tea) cross your fingers and hope it worked.

DISCLAIMER: We are aware of a similar exploit by giantpune (good work!), but as of today this has not been released. In anticipation of its release we decided to reverse engineer, hack and implement something ourselves.

DSi system update 1.4.2 blocks copying all current and future DSiWare exploits to “internal memory”. Most of you won’t have the final DSiWareHax target, but don’t update for now anyway. Only people who already have the target game, and stay on system version 1.4.1(or below) until exploit release could copy the exploit to “internal memory”. DSiWare savedata exploits are dead with system update 1.4.2, after the release of this exploit later, there will be no more DSiWare savedata exploits.

The EC certificate APCert in the DSiWare on SD card signs the hashes stored in the DSiWare on SD card, this includes hashes of savedata among other things. This APCert is signed by the console-unique TWCert, this cert is signed by Nintendo. This TWCert is stored in NAND.

The initial system settings title verified the APCert with the TWCert contained in the DSiWare stored on SD card. This allowed us to modify DSiWare savedata, since we could resign the APCert with any TWCert from other systems. The new 1.4.2 system settings title verifies the APCert with TWCert stored in NAND. This stops us from modifying DSiWare savedata for arbitrary systems, as the only way to get those system certs is from NAND. When you don’t already have DSiWareHax, it’s impossible to obtain your system certs without soldering NAND. The new system settings will not allow any DSiWare on SD card signed by other systems to copy to “internal memory”.

[UPDATED, at the bottom]

[Guest post by roto:]

Recently, news has spread of a Lego Star Wars exploit for the Wii. After last week’s Bathaxx release there wasn’t much rush to get our LSW exploit out there but it seems the cat is out of the bag. Releasing our own version now would make more sense than waiting or not releasing at all. No disrespect is meant towards the person who worked on the LSW exploit that has been making the rounds on news sites, but we figured it wouldn’t hurt to share what we’ve created.

This exploit works on the original Lego Star Wars game as well as the newer (1.01) release (NTSC and PAL) all through one masterfully crafted save.

Thanks goes out to lewurm for fine-tuning all code and testing the PAL region save and of course Team Twiizers for initial LIJ source.

[segher: And of course, thanks to roto for doing all the heavy lifting for this exploit! And to drmr for the awesome graphics.]

[UPDATE: New version, now properly supporting JPN region, with thanks to "Nekokabu" and "airline38"!]

Have a look at the source code, or download the binary.

As always, be sure to read the license before redistributing the binary: it’s GPL, you are not allowed to distribute without also giving out the source code. So please don’t.

Update: 02/02/2011 USA Sudoku was removed from NUS, EUR Sudoku is still available on NUS but both aren’t available from any of the DSi Shop regions. None of the Sudoku regions were updated on NUS yet. And at this time when trying access the Sudoku page from DSi Shop “Account activity”, it displays an error saying this software was removed due to certain circumstances.

Update: 03/24/2011 USA Sudoku was updated and is now available on DSi shop again. EUR/AU Sudoku was not yet updated. On roughly 03/30/11, EUR/AU Sudoku was updated and is now available on DSi Shop. This update fixes all the Sudoku string bugs, and the game will check for Sudokuhax and delete it when detected. Sudokuhax is dead for this updated Sudoku version.

As you may remember we started looking at the DSi about two years ago. Despite some early attempts using savegame hacks for hybrid card games we eventually resorted to more complex attacks that involved soldering many wires to tiny points on the PCB to be able to trace and modify the RAM. However, doing this is not feasible for the average homebrew user so we used the knowledge we gained through these complicated attacks to get more information about the whole system which allowed us to experiment with DSiWare games in the end. We also learned how to create savegames so we can now do what we did three years ago with the Wii: Savegame hacks!

In early December we managed to get DSi mode code execution by exploiting the DSiWare application ‘Sudoku’ by EA. Sudoku is only available for regions USA and EUR/AU. Exploiting DSiWare is interesting because in DSi mode the DSi SD card slot is accessible, the whole 16MB RAM is available, and the CPU is clocked 2x higher than DS-mode. The max size of the embedded code that can be loaded directly via this exploit is limited so a small payload was needed to chain load to another application. Initially a wifi loader was used, but this was switched to load from the DSi SD card slot. The SD card loader boots /boot.nds from the SD card directly from Sudokuhax.

DSiWare exploits can’t access gamecard slot1, it’s likely that only launcher/sysmenu can access slot1. The main advantage of DSiWare exploits over hybrid card EEPROM savedata exploits is SD card access, *and* the exploit supports SDHC.

Usage of the exploit is described below:

1. Export Sudoku to SD card via the data management menu.
2. Sudokuhax will then be injected into the Sudoku application via client software. The client software uploads DSi-specific data from the Sudoku application to a web server, then injects the retrieved data into the Sudoku application.
3. Copy the output binary to SD card with the same filename as the original.
4. Copy Sudokuhax from SD card to “internal memory” via the data management menu.
5. Launch Sudoku, then press button A or touch screen at the Sudoku title screen.
6. Now boot.nds on SD card will be run.

The data uploaded by the client software includes the anonymous DSi-unique console ID, and other data required for modifying the Sudoku binary on SD card. This data is used for logging unique web server requests.

The client software is available here. The tracker for the client software and Sudokuhax is available here. Client software source code licensed under GNU GPLv2 is available here.

Another year, another hack.

The Indiana Pwns hack is quite old, and it appears that people are selling that game for extortionist prices now (around EUR 100 on ebay, seriously). So, it would be good if there was some other game we could use.

lewurm has created a hack for the LEGO Batman game, thanks to the wonders of Free Software. I love it when I don’t have to do anything myself!

So head over to his page, and enjoy!

As always, be sure to read the license before redistributing the binary: it’s GPL, you are not allowed to distribute without also giving out the source code. So please don’t.

To build a decent USB 2.0 protocol analyser you don’t need that many things inside, and the designs aren’t all that much more complicated than the FPGA designs we worked with on the DSi. pytey and I have been discussing hardware USB 2.0 analysis on and off for 2+ years but we have never had the time (or funds) to create a gadget of our own. An opportunity arose when pytey showed me the absolutely fabulous Kickstarter site, where you can help fund fledgeling projects to get them off the ground.

Open-source hardware isn’t a new idea, but it’s not very easy to pull off designs of even modest complexity. Unlike open-source software (which can generally be made with free tools on any household computer, as long as you have the time to learn how to do so), hardware-hacking is … well … expensive, for lack of a better word, and slow. One attempt at making a board will generally take you from 5-500 hours of time to design it, and then a couple of weeks to have a prototyping house make you some PCBs. This will probably cost you $50-$200, and then you still have to buy the parts and assemble the board … assuming you have the right equipment to do so, this can take you another week (not including debugging!).

After you’ve done all that, if all goes well — you end up with one or two prototypes which you can then try to get working, usually involving some combination of firmware and client software on your computer. Unfortunately, you only have one or two boards, so it’s hard to do much collaboration online with people on one design.

pytey suggested that we might try to leverage Kickstarter to help us make the USB 2.0 analyzer a reality — and thus, OpenVizsla was born! This project has allowed us to collect enough funds ahead of time to have a factory make enough prototypes for all our colleagues to work on firmware, HDL and client software to make an open-source USB analyzer happen. We still have to put the work in to design the hardware, but we will have enough cash to be able to buy the parts for our boards in one chunk (achieving significant discounts with quantity), and we will be able to have enough prototypes made at once to justify a factory production run — no more hand-soldering for us! Once we’re done with this, we’ll end up with a design that people can tinker with and extend; there will be a project site that will soon host more details.

It seemed like a bit of a gamble, so we argued back and forth and picked a cash target high enough to ensure we would be able to make at least enough prototypes to have a decent chance of pulling the project off. I could never have expected the popular reaction to it; it seems like we really struck a nerve out there. We even got a couple of celebrities (Stephen Fry, DVDJon) on board, and our ploy to get some major backers (offering the right to directly participate in the early prototyping stages and a spot for a logo) paid off in spades. We even got support from Altium, who donated a couple of licenses of their lovely CAD/CAM software for us to use to speed up our design process.

Anyway, if you’re interested in the idea of playing with USB, I recommend you head over to the Kickstarter page; as of this writing, there’s still 3 days left for you to get in on the OpenVizsla production run.

On to CCC — our Console Hacking table at the Chaos Communication Congress in Berlin has become somewhat of a fixture there, so we’re trying to reserve some space this year. A few of you have already noticed that we have a “Console Hacking 2010″ wrapup presentation planned; the description’s still a bit vague because our presentation will depend on how much progress we make between now and then. There’s going to be a PS3 surprise though. No questions about the content, please — we’re still busy hacking away over here, so just come see us there or wait for the video!