Notes from inside your Wii

HackMii header image 2

Thanks, Waninkoko.

April 13th, 2008 by bushing · 35 Comments

[In Spanish: http://www.elotrolado.net/post_Gracias–Waninkoko_1711666033#post1711666033]

I’ve ranted a bit about how we need to be responsible as coders and consider the effects that releasing software will have on the community — in terms of hardware damage. I didn’t think that I had to also point out the need to consider broader, longer-term effects.

Several people have send me links to a recent release — the first pirated VC game. No, I’m not posting any links, and please don’t post any in comments — it’s easy enough to find anyway, if you really care. It’s currently the raw decrypted files, and not yet in a form suitable to be installed on a Wii, but I give that another 24 hours.

This is a direct result of Waninkoko’s release of his NAND FS Dumper. This is not the same as his “NAND Dumper” that he released a few days ago, which dumped the raw, encrypted contents of NAND to an SD card. (That’s pretty easy to do — just do some reads from /dev/flash — and is based on like 6 lines of code that I gave him. It’s also mostly harmless.)

No, this uses a exploit in the NAND FS permission system on the Wii that lets it read all of the contents of all titles on the Wii — including decrypted VC games and anything else.

For what it’s worth, this is the reason we never released any tools or code after the 24c3 hack. Segher asked that we not, in the fear that this moment would come. So, we didn’t, and sure enough it happened anyway, although it took perhaps four months longer than it would have. There is only so much we can do.

Anyway, Waninkoko’s code is almost exactly the same as some code that dhewg released months ago — the Wiifuse server. What’s the difference? Dhewg didn’t want to enable this, so he left it to the end user to provide the authentication credentials that Wiifuse uses to read the contents of the NAND. Waninkoko’s program does the same thing, but it comes with a hacked TMD that enables “root access” (more or less).

Why is this a problem? Remember what happened when Datel released their Freeloader?

Piracy is morally wrong — developers need to eat, too. However, I don’t expect this to persuade everyone, so I will also offer a more pragmatic reason. Nintendo’s primary motive in patching security holes is strictly financial — in the same way that releasing firmware patches is dangerous for us because it requires careful testing, releasing firmware patches is expensive for Nintendo because it requires careful testing on their part, too. Consequently, they will not bother to fix bugs until they cause specific, identifiable monetary loss on their part.

We saw this with IOS37, which I believe was a reaction to Datel’s Freeloader. However, Nintendo has never bothered to activate IOS37 — why? I think it’s because they were specifically trying to prevent / discourage Datel from pressing discs for US and Japanese Wiis. All of the PAL discs have already been made, and Datel has already spent all of the money they need to spend to sell those discs. At this point, they will continue to sell the discs they made because they have nothing to lose by doing so — and when IOS37 comes, they will try to deal with it however they can.

On the other hand, they have not yet spent the money to make USA and NTSC/J discs. They now know there is a very real possibility their current software will stop working on updated Wiis at some future date, so they now have to sit and wait for that “shoe to drop” before proceeding. Nintendo released IOS37 to stall Datel.

Now, Nintendo needs to keep people from copying VC games. So what will they do? They have to patch all of the things that could enable this. So, they will now go ahead and patch all of the old versions of IOS, and they will probably go ahead and patch BOOT2.

I know that Waninkoko is not a bad guy — he and I have chatted a fair bit on IRC — but I think he is reckless and does not think through the consequences of his actions.

Oh, and another thing — people keep asking me “Will there be some way to downgrade our consoles once IOS37 has been released?” I hate that question. Why?

The answer will always be “Probably, but it will require finding a security hole which Nintendo hasn’t patched.” That’s why I don’t like to answer the question — because if I start talking about all of the security holes that could be used to downgrade a Wii, then they will get patched before we have a chance to use them.

Guess what? The hole that Waninkoko is using to read VC games out of the NAND FS is the same hole that I was planning on using (first) to be able to downgrade versions of IOS. So, when it takes another few months to be able to downgrade a Wii, you can say “Thanks, Waninkoko!”

Tags: Wii

35 responses so far ↓

  • 1 Rhys // Apr 13, 2008 at 8:20 pm

    waninkoko.kudos -= 5;

  • 2 Agent Smith // Apr 13, 2008 at 8:32 pm

    The cracking of VC games was inevitable Mr Anderson.

  • 3 Sven // Apr 13, 2008 at 8:53 pm

    What’s the situation with the Wiimote ‘pointer’ tracking code shown in the 24c3 hack video? Now there’s some code that would benefit the homebrew community without risk of negative consequences.

  • 4 Slowking // Apr 13, 2008 at 9:18 pm

    Sorry but I have to disagre with you on this. Sure if you don’t release anything it will slow down Nintendo patching things, but it will also slow down the creation of homebrew and the find of new security holes.
    Look at what cool things have happened, since the turcha signer was relaesed. That could have happened a few month earlier, also. (ofcourse most good things came out of the twilight hack but I really like how even normal users can now modify their games and play with stuff in them)

  • 5 bushing // Apr 13, 2008 at 10:30 pm

    Sven: The code was borrowed from the Lego Star Wars DOL. We can’t use it.

    Slowking: Eh? I think you’re referring to my remark that Segher didn’t want to release anything that performed signing; since he discovered the bug, we respected his wishes. Homebrew development wasn’t slowed in the slightest, nor was the finding of new security holes — in both cases, the bottleneck is not having enough people sit down and reverse-engineer the code.

    Anyway, this is not a black-and-white issue. There are some things that are safe to release (Twilight Hack), some which are controversial (Trucha Signer), and some which are just bad ideas.

  • 6 bailli // Apr 14, 2008 at 12:40 am

    Slowking: What impact does the NAND dumper have on homebrew?! I think the correct anwser is nothing…

    bushing: Nice blog. Just found it through this hole pirated VC issue. My favourite is your rant about the WiiSystemmenu patcher. 😉 I just don’t know how people can release such software and sleep peacefully at night…

  • 7 Homebrew - Danke, Waninkoko! - Wiihack.ws // Apr 14, 2008 at 1:17 am

    […] another few months to be able to downgrade a Wii, you can say “Thanks, Waninkoko!” Quelle: Thanks, Waninkoko. Meinungen? Oder seid ihr auch alle so […]

  • 8 svenk91 // Apr 14, 2008 at 1:40 am

    ain’t the emu’s as much as a treat as the new way to run downloaded vc games? maybe even bigger because emu’s are easyer to use and have some advanced featerus like savestate. not to mention that snes emu’s, for example, can run almost all snes games while the VC games are only limited in number.

    it will only be interesting for wiiware stuff.

  • 9 Ravster // Apr 14, 2008 at 2:51 am

    My gawd, with datels thing in place, dont you think downgrading will also give them monetary loss?

    You sound like a penis in your post.

  • 10 Superken7 // Apr 14, 2008 at 4:29 am

    I agree that the fact that they are being pirated in the wild is a “disaster”,
    but why blame it all on waninkoko?
    IMHO, extracting the certs, tik and tmd from the systemmenu is far too easy to prevent somebody from extracting the contents just like with the fs dumper. I think it is more the fact that it requires an usbgecko.
    Since wiifuse_server has exactly the same functionality in the end (just less convinient), it could have perfectly happened the same way. (or please enlighten me, i have never used wiifuse_server)
    So i do not completely agree here with blaming (just) waninkoko for that pirated release… what if this had happened three weeks ago? or two days after wiifuse_server’s release? what’s the difference here? i dont see why that would not have been possible.

    i hope this doesnt hurt homebrew much, at least no wadpacker has been released.

  • 11 mo // Apr 14, 2008 at 4:47 am

    I really love Super Mario Brothers.

    But so far I have paid for it on NES £40
    SNES (in Super mario all-stars) £40
    GB DX Mario Bros DX £30
    Wii VC £7

    I cant go on paying Nintendo all my hard earned cash just for them to re-hash the code onto some new system again and again.

    I thought we just paid for the licence.

    Its like all my Beatles Albums I just have to re-buy from LP, Casette, CD …

    Costs me too much. They are being greedy…..

    I just cant do without it.

  • 12 mo // Apr 14, 2008 at 4:48 am

    Why didnt you wait for the WiiWare to come out first!

    Its a good bet they will be using the same encryption on that. You could have had that on day one. Now Im sure they will re-think.

  • 13 Bolo // Apr 14, 2008 at 6:05 am

    I agree in the technical aspects that this can slow down other developers work, like yourself and that’s sad. But i’m having a hard time beliving there is any developers “starving” because of piracy. Sure it’s a whole lot different when it comes to independent creators struggling to get their product availbe to market without the help of the usual companies/publishers.

  • 14 halo // Apr 14, 2008 at 6:44 am

    I know that Waninkoko is not a bad guy — eh haks virtuwel consoal and doesn’t afraid of anything.

  • 15 Stalkid64 // Apr 14, 2008 at 6:45 am

    mo: They have the right to dictate how their content is released, and they have the right to continue to ask for money in return. The content does not “lose value” over the years – why shouldn’t they if they can offer it in a better format (for example?
    Buying a product once doesn’t entitle you to lifelong free access. After all, I bought milk yesterday. Why am I not entitled to free milk today? If I buy a car, why am I not entitled to the new model for free?
    People have a legal and moral right to make money from their work. Whether people choose to buy it is down to them, unless they’re forcing you at gunpoint. Nobody is legally or morally entitled to it for free just because they bought a product once.

  • 16 Dasda // Apr 14, 2008 at 7:57 am

    The moment you start writing tools to do illegal stuff, Nintendo will start reacting and patching our exploits. I think that the Zelda hack would have been patched a long time ago if it would allow pirated games to run.
    If you’re smart enough to not release tools like these because of these consequences, I thank you for supporting the progress in Wii homebrew.
    I don’t just blame Waninkoko, but I blame everyone who doesn’t think before they do things. Please do, because your actions could easily screw up for others.

    mo: If you think the game is great, and want to support the developers, you shouldn’t be afraid to pay a few bucks to get it. But if you think that you’ve already paid for it, play it on your old consoles instead of using virtual consoles. The feeling is way better on the old consoles (although the game is the same), and I think that you’ll actually enjoy them more than on the Wii.

  • 17 BenPriest // Apr 14, 2008 at 8:20 am

    I don’t think that throwing dirt at that Waninkoko is moral. Homebrew and piracy is always bound together and if you don’t like it, go home and play with your genuine, unmodded Wii, and let us exploit it! Not releasing these tools is shameful cowardice and those who release it are only giving the regular user what they deserve. Long live Waninkoko!

  • 18 Agreed! // Apr 14, 2008 at 11:09 am

    Whats the difference between running a hacked VC Game or a emulator. If piracy is such an issue then why release a homebrew loader in the first place. You knew once the loader was released that work to port the emulators would start. I acutally think the VC hack is stupid because it is alot easyer to load, and save from the emulator and it does not waste internal memory. Also why keep tools, and code from the community. Its alot easyer and faster to get applications and or other hacks out with a wide range of haxors instead of your 5-10 man team. I know you are concerned about wii’s bricking, but hell let the people who want to mess around brick their shit. Also your worried that nintendo will update your exploits but more will be found. It will go back n forth with nintendo until they get bored and release their next system.

  • 19 Stalkid64 // Apr 14, 2008 at 12:06 pm

    The regular user does not deserve to rip off Nintendo. Don’t spout such utter garbage here.

  • 20 bushing // Apr 14, 2008 at 2:40 pm

    Superken7: Re: “IMHO, extracting the certs, tik and tmd from the systemmenu is far too easy to prevent somebody from extracting the contents just like with the fs dumper.” He’s not using the tmd from the systemmenu. Look at it more closely.

    BenPriest: “Homebrew and piracy is always bound together and if you don’t like it, go home and play with your genuine, unmodded Wii, and let us exploit it!” Both the homebrew and pirate scenes are trying to get more out of their Wiis than Nintendo intended; the difference is that one scene is trying to write code, the other is trying to steal it. Trust me, you don’t want me to go home, you wouldn’t be exploiting anything.

  • 21 Phredreeke // Apr 15, 2008 at 2:07 am

    So he hacked the TMD to give the app full access to the Wii? Did he discover that hack on his own?

    Am I right in that while the NAND dumper requires your Wii key to decrypt (not easily retrieved) the contents, the NAND FS dumper does the decryption for you?

    Regarding homebrew vs. piracy, homebrewers are always the smart guys. Pirates just exploit the homebrewer’s discoveries for their own gains.

  • 22 bushing // Apr 15, 2008 at 2:38 am

    @ Phredreeke: Either Marcan or I told him about the TMD; I talked to him quite a bit because he’s smart and he asks good questions. And he learns quickly. Oh well.

    Yes, your understanding of the “NAND dumper” vs “NAND FS dumper” is correct — with the latter, IOS happily does the decryption for you. I’m working on a blog entry about the keys now, even.

  • 23 Waninkoko // Apr 15, 2008 at 2:52 am

    bushing: I’m not smart… just look what I’ve done…

    I have to admit that I screw it up. And from now on I’ll try to think carefully about what I should release and ask you or marcan about what do you think.

    Btw, I’ll have an Infectus soon so probably I’ll be able to help with boot2/ios.

  • 24 rokujou // Apr 15, 2008 at 10:02 am

    “Trust me, you don’t want me to go home, you wouldn’t be exploiting anything.” I actually laughed out when I read that.

  • 25 I R JESUS // Apr 15, 2008 at 2:40 pm

    “Trust me, you don’t want me to go home, you wouldn’t be exploiting anything.” I actually laughed out when I read that.

    I was ROFL. You sound like your the only elite coder/hacker that can hack or exploit the wii. Serious man the real elites would not waste their time on the wii because their is no profit. Not saying I dont R-E-S-P-E-C-T your work cause I acutally do. Just saying that was uber ignorant.

  • 26 dCiSo // Apr 15, 2008 at 5:50 pm

    “I was ROFL. You sound like your the only elite coder/hacker that can hack or exploit the wii. Serious man the real elites would not waste their time on the wii because their is no profit. Not saying I dont R-E-S-P-E-C-T your work cause I acutally do. Just saying that was uber ignorant.

    I don’t think he was meaning that he was the only one who had the skill. I think he meant it more along the lines is nobody with the skills that him and the rest who are working hard at this would bother. In a way you said it yourself in your post. If it was not for busing and the rest of the guys in #Wiidev we would not be anywhere because those others with the skills either dont have the time to do it or want paid to do it. In a sense he is right if he would walk away right now how many people would really be contributing what he does?

  • 27 bushing // Apr 16, 2008 at 4:38 am

    @Waninkoko: Thanks for writing in — I really respect that. I think we’ll need all the help we can get for coming up with simple, powerful patches for boot2.

    @I R Jesus: dCiSo put it well, but I’ll use my own words — as with all great hackers (and scientists, etc), I stand on the shoulder of giants, and if I weren’t here, hopefully someone else would eventually get around to doing the research I’ve done. Still, I think that I’d be missed. Anyway, my comment was specifically in response to the admonishment to “go home […] and let us exploit it!”

    (also, I don’t think that that word “ignorant” means what you think it means)

  • 28 Stalkid64 // Apr 16, 2008 at 5:02 am

    “the real elites would not waste their time on the wii because their is no profit”

    Cant. Stop. Laughing.
    You really have no clue about these things do you? It’s not done for profit. Even if it were, well note that the Wii is currently used by 20+ million people and is the best selling console this generation. No profit? C’mon.
    Here comes that laughter again…

  • 29 Phredreeke // Apr 16, 2008 at 7:42 am

    As I said, the homebrewers are the smart guys. The commercial hackers just use the homebrewer’s work to profit on.

  • 30 pb // Apr 20, 2008 at 6:54 am

    bushing, as you predicted (well actually not in 24 hours, but a bit more) here comes the first one packaged and ready for installation …. the nfo from a pub tracker …


    This is the PAL Virtual console version of Super Mario Bros 3 for Wii.


    PAL Wii(modded or unmodded) !!COULD KILL OTHER REGION WIIS and won’t work!!
    Zelda Twilight Princess, with the Zelda exploit. If you are unfamiliar with this:
    SD card

    1 Put both files on the root of your SD card and insert it in your Wii.
    2 Run Zelda Twilight Princess, and go to the loader.
    3 Press 1+2 on the Wiimote when it says you have to do so.
    4 Wait ’till it’s installed, and it will reset your Wii automatic.
    5 Enjoy your (first) pirated VC game. 😉

    NOTE: Do not use the Homebrew channel, it is VERY unstable and a very easy way to kill your Wii.

    I’m not responsible for any damage to your Wii.



  • 31 Phredreeke // Apr 21, 2008 at 2:34 am

    The unfortunate thing is that this gives Nintendo grounds to patch the Zelda exploit. Previously it could only be used for running homebrew (yes, you could run emulators, but the VC versions are more convenient, just click on the channel versus put in zelda disc, load save, talk to the guy, wait for emu to launch, select rom)

  • 32 bushing // Apr 28, 2008 at 12:47 am

    True, although they don’t currently have the ability to patch games on-the-fly (upon loading). They could eventually develop this capability — and if they already planned on it, Zelda might be a good way to test it out — but aside from that, it wouldn’t be worth the time and effort involved.

    … and there are always other games …

  • 33 wowfunhappy // May 1, 2008 at 1:18 pm

    I’m aware this is a bit offtopic, but I couldn’t think of a better place to ask this, since you didn’t make any blog post which is related to the topic.

    Bushing, I understand Waninkoko’s mistake about pirating the VC. (I know you’ve apolagized, I’m not really that upset with you Waninkoko) I don’t want Nintendo to patch the homebrew channel, and I don’t like piracy.

    If I may ask your opinion though- what are your responses to Waninkoko’s release of a no-time-limit homebrew channel.

    I don’t make use of the channel myself as I own a copy of Zelda. However, one of my friends does not. So, I brought my copy of Zelda over to his house and used it to install the no-time-limit homebrew channel. Had it not been for that channel, my friend would not be able to run wii homebrew, something my friend is very much enjoying right now, or so he tells me.

    Now, if something I realeased was hacked, I’d be upset, but then again, we’re all hackers, aren’t we?

    And I don’t totally understand why you put a time limit there in the first place. According to wiibrew.org, “Because it’s an ugly, crude version that pales in comparison to what we hope to release in the near future,” but that doesn’t change the fact that the current channel WORKS, and that it’s allowing my friend to use homebrew.

    So, yeah, do you have any comment? I just wanted to know your opinion on the hacked channel…

  • 34 marcan // May 1, 2008 at 11:47 pm

    Waninkoko didn’t release the hacked channel – JParadox did.

    As we’ve mentioned before, the time limited homebrew channel was something that I cooked up in two hours on April Fool’s, as a sort of teaser. I’m not too worried about the time limit hack – it was bound to happen sooner or later. The idea of the time limit was to have something that people could use to prove that it works, while covering our asses as far as stupid bugs (and there are quite a few). We also didn’t expect the final channel to take this long. On the other hand, the final channel is going to cover much, much more than we initially thought of, so I hope people feel it was worth the wait.

  • 35 Dylan Saliba // May 6, 2008 at 9:47 am

    So I just wanted to give props to Marcan and Bushing. You both are incredible and if you ever need nuggets and your in Colorado. I owe you both for working so hard on what I could only dream about doing since day one of the Wii.
    Thank you so very much!

You must log in to post a comment.