July 22nd, 2008 by bushing · 37 Comments
This isn’t the prettiest code I’ve ever written — it doesn’t have much of an interface, and I just threw this release together in a few minutes. However, it’s been exceedingly useful to me, and hopefully some of you will find it useful, too. I’ll quote the README here:
This program will do the following, automatically:
- Download IOS11 from the Nintendo Update Server
- Patch it to remove the MEM2 protection (so the PPC can access all 64MB of it)
- Patch it to allow it to delete itself later using ES_DeleteTitle()
- Find an unused IOS slot (counting downward from IOS255)
- Install the hacked IOS11 there
- Reboot into the hacked IOS
- Copy the private key structure from the IOS address space into MEM1
- Reboot back into a sane IOS
- Delete the temporary, hacked IOS
- Display the keys on screen
- Try to write them to a file on the SD card — keys.txt
- Pause for 60 seconds to allow you to copy the keys down using pen and paper, if necessary
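The slot-selection step above ("find an unused IOS slot, counting downward from IOS255") is the one piece of the procedure that is pure bookkeeping rather than IOS patching, so here it is as an added worked example. This is not code from xyzzy or PatchMii; it is written for this page. It assumes the standard Wii title-ID layout (64-bit ID, high word = title type, low word = title number, with IOS versions living under type 1 as 1-3 through 1-255, and the non-IOS type-1 titles boot2, System Menu, BC and MIOS excluded), and it takes the installed title list as an in-memory array standing in for what ES_GetNumTitles/ES_GetTitles would report on a real console. The sample title list is constructed for the example, including a made-up channel ID and IOS254/IOS255 already occupied, so that the downward scan has to skip past them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wii title IDs are 64-bit: high 32 bits = title type, low 32 bits = title number.
 * IOS versions are type 1, numbers 3..255. The other type-1 titles are not IOS
 * slots and must never be picked or overwritten:
 *   1-1 boot2, 1-2 System Menu, 1-0x100 BC, 1-0x101 MIOS. */
#define TITLE_TYPE_SYSTEM 0x00000001u
#define IOS_SLOT_MIN 3
#define IOS_SLOT_MAX 255

/* Build the title ID for a given IOS slot, e.g. slot 253 -> 00000001-000000FD. */
uint64_t ios_title_id(unsigned slot) {
    return ((uint64_t)TITLE_TYPE_SYSTEM << 32) | (uint64_t)slot;
}

/* Decode a title ID: returns the IOS slot number, or -1 if the title is not an IOS
 * (wrong type, or one of the reserved type-1 titles outside 3..255). */
int ios_slot_of(uint64_t title_id) {
    if ((uint32_t)(title_id >> 32) != TITLE_TYPE_SYSTEM)
        return -1;
    uint32_t n = (uint32_t)title_id;
    if (n < IOS_SLOT_MIN || n > IOS_SLOT_MAX)
        return -1;
    return (int)n;
}

/* Given the list of installed titles, return the highest IOS slot not in use,
 * scanning downward from 255 as xyzzy does. Returns -1 if every slot is taken. */
int find_free_ios_slot(const uint64_t *titles, size_t count) {
    uint8_t used[IOS_SLOT_MAX + 1];
    memset(used, 0, sizeof used);
    for (size_t i = 0; i < count; i++) {
        int s = ios_slot_of(titles[i]);
        if (s >= 0)
            used[s] = 1;
    }
    for (int s = IOS_SLOT_MAX; s >= IOS_SLOT_MIN; s--)
        if (!used[s])
            return s;
    return -1;
}

/* Constructed sample of an installed-title list (stand-in for ES_GetTitles output).
 * IOS254 and IOS255 are deliberately present so the scan has to skip them. */
const uint64_t sample_titles[] = {
    0x0000000100000001ULL, /* boot2 (not an IOS slot) */
    0x0000000100000002ULL, /* System Menu (not an IOS slot) */
    0x0000000100000009ULL, /* IOS9 */
    0x000000010000000BULL, /* IOS11 */
    0x0000000100000015ULL, /* IOS21 */
    0x000000010000001EULL, /* IOS30 */
    0x0000000100000021ULL, /* IOS33 */
    0x0000000100000023ULL, /* IOS35 */
    0x0000000100000024ULL, /* IOS36 */
    0x0000000100000025ULL, /* IOS37 */
    0x00000001000000FEULL, /* IOS254: already occupied in this sample */
    0x00000001000000FFULL, /* IOS255: already occupied in this sample */
    0x0000000100000100ULL, /* BC (not an IOS slot) */
    0x0000000100000101ULL, /* MIOS (not an IOS slot) */
    0x0001000148414141ULL, /* a made-up channel ID (type 0x00010001) */
};
const size_t sample_title_count = sizeof sample_titles / sizeof sample_titles[0];

int main(void) {
    int slot = find_free_ios_slot(sample_titles, sample_title_count);
    if (slot < 0) {
        puts("no free IOS slot");
        return 1;
    }
    /* With the sample list above this prints slot 253, title 00000001-000000FD. */
    printf("installing temporary IOS into slot %d (title %08X-%08X)\n",
           slot, (unsigned)(ios_title_id(slot) >> 32), (unsigned)ios_title_id(slot));
    return 0;
}
```

The two checks worth keeping in any real installer are the ones this does explicitly: never treat a non-IOS type-1 title as a slot (so you cannot pick 1-2 and overwrite the System Menu), and remember the slot you chose so the "delete the temporary, hacked IOS" step later removes exactly that title and nothing else.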
I wrote this a week or two after I killed a Wii trying to reproduce tmbinc’s original Tweezer Hack. May it rest in peace.
The first version of this code just used a patched version of IOS, which was an ugly hack. It’s still an ugly hack, but at least it no longer contains copyrighted code. You should only really need to run it once on any given Wii, but it should be safe to run as much as you want. If nothing else, it demonstrates the kinds of ways you can use PatchMii_core to do something useful (as opposed to just running it and then packaging the result up as cIOS).
(c) 2008 bushing / hackmii.com
Download: xyzzy-1.0.zip (source and binary)
Tags: Wii
July 17th, 2008 by bushing · 13 Comments
As part of our efforts to understand how the Wii works, we believe we have found a security issue that could allow pirated Wii games to be played on an unmodified Wii console.
I would like to speak to an engineer about this — please have one contact me.
Sincerely,
bushing
Update: A representative from Nintendo has contacted me (see comment below). The rest of you can stop emailing me now. Assuming Nintendo acts in good faith, I don’t expect to be writing much more about this until it’s resolved.
Update 2: Apparently I presume too much of e.g. MaxConsole. The “comment below” was referring to comment 11. I listed the email in the order I received it.
The rest of the copycat emails can stop now. Srsly, guys. I did not post my email address here to invite you to debate this with me. Suffice it to say that I have put more thought into this than you have, and when you find your own exploits you can decide how to handle them.
Tags: Wii
July 16th, 2008 by bushing · 12 Comments
There is still a wealth of work left to be done on reverse-engineering the Wii. Off the top of my head, we still know very little about:
- WiiConnect24
- Opera on the Wii
- Communications between the Wii and the DS (see e.g. the Nintendo Channel)
- Huge chunks of IOS in general
- other, uh, stuff
I’d like to try an experiment. Most of you know that I idle on #wiidev; as great as it is, it has become an extremely busy channel, and it’s become impossible for me to read through backlogs to find questions about the stuff I’m most interested in — namely, reverse-engineering and working on the projects I’ve already mentioned in previous posts, this post, and the ones you out there think of.
That’s not a criticism of #wiidev — rather, it’s a realization that the purpose of #wiidev is a more general “how do we develop stuff on the Wii?” rather than “how does the Wii work?”. I think it might be time to create a new channel.
#hackmii on EFnet will be dedicated to reverse-engineering the Wii. And we’re going to run it with special, strict rules in order to maintain a high signal-to-noise ratio. Specifically:
- The channel will be +m — only certain people will be able to speak (those who are given the +v voice flag). All are welcome to come in and observe, but we really need to keep the chatter down to actual productive conversation for this to be useful.
- If you want to be voiced on the channel, sit and lurk a while so that you understand the level of discussion on the channel. When you have a constructive comment to add, message it to one of the ops; if they agree that your comment is a constructive one, they will +v you. (Do NOT ask for permission to ask. This is a waste of time. The goal of this is to reduce time-wastage as much as possible.)
- Once you have a +v, we will trust you until you start misbehaving. When that happens, we’ll probably just devoice you until you have something constructive to say (see above).
- As far as actual rules — what is proper behavior vs misbehaving? – I want to start out simple. I expect everyone to act like adults, so we can start with only a few core rules:
- No “chatting” out of boredom. Don’t announce your presence when you join the channel; don’t tell us you’re leaving unless you’re in the middle of a conversation. Don’t just start talking about lame shit just because nobody else is talking. Silence is Golden.
- Technical talk only. If you can’t code, this may not be the place for you. (OTOH, we’ve had some great contributions from people who do not fancy themselves as disassembly gurus; reverse-engineering is more about a curiosity and a willingness to try things for yourself than about a specific skillset.) Feel free to drop by and listen, however, and if you have good ideas, please contribute them (see above).
- Questions are okay, too — every investigation begins with a question! However, we only want good questions — and we only want people who are willing to stick around and work on finding the answer to that question if none currently exists.
- You may have the best luck if you have an IRC bouncer, because many conversations will take place on-and-off over the course of days. We will try to set up some bots to maintain +vs for people who get disconnected, and I hope to set up a publicly-readable log of the channel for people who want to go back and search to see what is known about a subject.
- I reserve the right to revise these rules and to ignore them whenever I feel like it. This is my experiment, but I intend to put considerable energy into it to make it a great place to get some work done.
I’m aware that this may be a dismal failure, but at least I’ll be there hanging around.
Tags: Wii