Notes from inside your Wii

HackMii header image 1

Introducing: LetterBomb (the letter from heaven)

August 9th, 2011 by blasty · 126 Comments

Up until now the only way to liberate your Wii console and enable the use of homebrew with System Menu 4.3 was to use a gamedisc based exploit such as “BatHaxx”, “Return of the Jodi” and others.

Today we are announcing a project that changes this completely and removes the requirement for an exploitable game.

In memory of BannerBomb, we present you with LetterBomb , a brand new System Menu exploit that will allow you to enable homebrew with the push of an envelope 😉 (no stamp licking involved)

This exploit reuses (and abuses) some of some Nintendo’s Wii Messageboard functionality. 🙂

You will need:

  • A Wii running System Menu 4.3 (E/U/J/K)
  • A SD(HC) card with some free space
  • Your Wii’s WiFi MAC Address (available from your Wii’s system settings). This is needed because the Wii will only accept messages addressed to its specific MAC address.
  • A few minutes of your time

For this very special occasion we have created an easy-peasy webpage that takes away some of the pain that is usually involved with getting homebrew onto your system:


This webpage will ask you for some necessary information (such as your System Menu region and MAC address), and  will then return a nicely packaged ZIP file that is ready for extraction to the root of your SD card. Simple eh?

All that is missing from that point is a boot.elf/boot.dol file (that you will need to place in the root of your card), and you should be good to go. For your convenience we have an option to prepackage and bundle the HackMii Installer boot.elf (this is enabled by default).

So, how do I do this?

Simple…. once you’ve unzipped the file to your SD card (and inserted it) just navigate to the “messageboard” on your Wii and in the default view you should browse to “yesterday” (the place where you usually see yesterday’s messages) – sometimes this may be “today” or “two days ago” (this depends on the timezone you are in).

From this view you will be presented with a small envelope (that should obviously stand out against the rest of your plain old boring ones), click it, kick back, twiddle your thumbs (the Brits among you, go and make a cup of tea) cross your fingers and hope it worked. 🙂

DISCLAIMER: We are aware of a similar exploit by giantpune (good work!), but as of today this has not been released. In anticipation of its release we decided to reverse engineer, hack and implement something ourselves.

→ 126 CommentsTags:

DSi System Update 1.4.2

May 19th, 2011 by yellows8 · 66 Comments

Update: 25/05/11 An updated Sudokuhax(final update) will be released at the same time as the final DSiWareHax, but if you already have Sudokuhax and want to copy this updated Sudokuhax to “internal memory” you must still be on 1.4.1.(or below) This updated Sudokuhax and the final DSiWareHax uses an updated SD card loader, changes include faster boot.nds loading among other things.

DSi system update 1.4.2 blocks copying all current and future DSiWare exploits to “internal memory”. Most of you won’t have the final DSiWareHax target, but don’t update for now anyway. Only people who already have the target game, and stay on system version 1.4.1(or below) until exploit release could copy the exploit to “internal memory”. DSiWare savedata exploits are dead with system update 1.4.2, after the release of this exploit later, there will be no more DSiWare savedata exploits.

The EC certificate APCert in the DSiWare on SD card signs the hashes stored in the DSiWare on SD card, this includes hashes of savedata among other things. This APCert is signed by the console-unique TWCert, this cert is signed by Nintendo. This TWCert is stored in NAND.

The initial system settings title verified the APCert with the TWCert contained in the DSiWare stored on SD card. This allowed us to modify DSiWare savedata, since we could resign the APCert with any TWCert from other systems. The new 1.4.2 system settings title verifies the APCert with TWCert stored in NAND. This stops us from modifying DSiWare savedata for arbitrary systems, as the only way to get those system certs is from NAND. When you don’t already have DSiWareHax, it’s impossible to obtain your system certs without soldering NAND. The new system settings will not allow any DSiWare on SD card signed by other systems to copy to “internal memory”.

→ 66 CommentsTags:

Return of the Jodi

February 2nd, 2011 by Segher · 6 Comments

Return of the Jodi

[UPDATED, at the bottom]

[Guest post by roto:]

Recently, news has spread of a Lego Star Wars exploit for the Wii. After last week’s Bathaxx release there wasn’t much rush to get our LSW exploit out there but it seems the cat is out of the bag. Releasing our own version now would make more sense than waiting or not releasing at all. No disrespect is meant towards the person who worked on the LSW exploit that has been making the rounds on news sites, but we figured it wouldn’t hurt to share what we’ve created.

This exploit works on the original Lego Star Wars game as well as the newer (1.01) release (NTSC and PAL) all through one masterfully crafted save.

Thanks goes out to lewurm for fine-tuning all code and testing the PAL region save and of course Team Twiizers for initial LIJ source.

[segher: And of course, thanks to roto for doing all the heavy lifting for this exploit! And to drmr for the awesome graphics.]

[UPDATE: New version, now properly supporting JPN region, with thanks to “Nekokabu” and “airline38”!]

Have a look at the source code, or download the binary.

As always, be sure to read the license before redistributing the binary: it’s GPL, you are not allowed to distribute without also giving out the source code. So please don’t.

→ 6 CommentsTags: