Notes from inside your Wii

DSi System Update 1.4.2

May 19th, 2011 by yellows8 · 66 Comments

Update: 25/05/11 An updated Sudokuhax (the final update) will be released at the same time as the final DSiWareHax, but if you already have Sudokuhax and want to copy this updated Sudokuhax to “internal memory” you must still be on 1.4.1 (or below). This updated Sudokuhax and the final DSiWareHax use an updated SD card loader; changes include faster boot.nds loading, among other things.

DSi system update 1.4.2 blocks copying all current and future DSiWare exploits to “internal memory”. Most of you won’t have the final DSiWareHax target, but don’t update for now anyway. Only people who already have the target game, and stay on system version 1.4.1 (or below) until the exploit is released, will be able to copy the exploit to “internal memory”. DSiWare savedata exploits are dead with system update 1.4.2: after the release of this exploit later, there will be no more DSiWare savedata exploits.

The EC certificate APCert in the DSiWare export on SD card signs the hashes stored in that export, which include the hashes of the savedata, among other things. The APCert is signed by the console-unique TWCert, and that cert is in turn signed by Nintendo. The TWCert is stored in NAND.

The original system settings title verified the APCert with the TWCert contained in the DSiWare stored on SD card. This allowed us to modify DSiWare savedata, since we could resign the APCert with any TWCert from another system. The new 1.4.2 system settings title verifies the APCert with the TWCert stored in NAND. This stops us from modifying DSiWare savedata for arbitrary systems, as the only way to get those system certs is from NAND. If you don’t already have DSiWareHax, it’s impossible to obtain your system certs without soldering to NAND. The new system settings will not allow any DSiWare on SD card signed by another system to be copied to “internal memory”.
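As an added illustration of the verification change described above (example code written for this page, not code from the post, from Nintendo, or from the DSi firmware), the Go program below builds a three-level chain with P-256 ECDSA and compares the two trust-anchor choices. The certificate format, the names `TW-consoleA`/`TW-consoleB`/`AP-…`, the key type and the save contents are all assumptions of the example; the real DSi certificate format is not modelled. The pre-1.4.2 check takes its TWCert out of the very export it is verifying, so any console's validly issued chain passes on any console; the 1.4.2 check pins the anchor to the TWCert held in NAND, so an export chained through another console's TWCert fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// genKey returns a fresh P-256 key; generation failure is fatal in this demo.
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign returns an ASN.1 ECDSA signature over digest; failure is fatal here.
func sign(priv *ecdsa.PrivateKey, digest []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest)
	if err != nil {
		panic(err)
	}
	return sig
}

// Cert is a toy DSi-style certificate (assumed format): a named key and its issuer's signature over tbs().
type Cert struct {
	Name string
	Pub  *ecdsa.PublicKey
	Sig  []byte
}

// tbs is the digest the issuer signs: the name and the public key coordinates.
func (c *Cert) tbs() []byte {
	sum := sha256.Sum256([]byte(c.Name + "|" + c.Pub.X.String() + "|" + c.Pub.Y.String()))
	return sum[:]
}

// issue generates a key pair and a cert for it signed by the issuer's key.
func issue(name string, issuer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *Cert) {
	priv := genKey()
	c := &Cert{Name: name, Pub: &priv.PublicKey}
	c.Sig = sign(issuer, c.tbs())
	return priv, c
}

// Export models a DSiWare copy on SD card: the signed save hash plus the APCert and its issuing TWCert.
type Export struct {
	TWCert, APCert   *Cert
	SaveSHA, SaveSig []byte
}

// makeExport signs a save under a console's TWCert key; whoever holds that
// key (its owner, or someone with a NAND dump) can produce such an export.
func makeExport(twPriv *ecdsa.PrivateKey, twCert *Cert, save []byte) *Export {
	apPriv, apCert := issue("AP-"+twCert.Name, twPriv)
	sum := sha256.Sum256(save)
	return &Export{TWCert: twCert, APCert: apCert, SaveSHA: sum[:], SaveSig: sign(apPriv, sum[:])}
}

// verify checks that trustedTW issued the APCert and that the save hash
// signature verifies under the APCert.
func verify(e *Export, trustedTW *Cert) error {
	if !ecdsa.VerifyASN1(trustedTW.Pub, e.APCert.tbs(), e.APCert.Sig) {
		return errors.New("APCert not signed by the trusted TWCert")
	}
	if !ecdsa.VerifyASN1(e.APCert.Pub, e.SaveSHA, e.SaveSig) {
		return errors.New("save hash signature invalid")
	}
	return nil
}

// verifyPre142 mirrors the original System Settings: the anchor is the TWCert bundled in the
// export, checked only to chain to the root, so any console's valid chain passes on any console.
func verifyPre142(e *Export, root *ecdsa.PublicKey) error {
	if !ecdsa.VerifyASN1(root, e.TWCert.tbs(), e.TWCert.Sig) {
		return errors.New("bundled TWCert not signed by root")
	}
	return verify(e, e.TWCert)
}

// verify142 mirrors 1.4.2: the anchor is the TWCert in this console's NAND,
// and the TWCert copy inside the export is ignored.
func verify142(e *Export, nandTW *Cert) error { return verify(e, nandTW) }

// Result records whether console A accepts its own export and console B's.
type Result struct{ OwnOld, OwnNew, ForeignOld, ForeignNew bool }

// Scenario builds a root key, consoles A and B, and an export from each, then
// runs both checks on console A (all keys and saves are constructed here).
func Scenario() Result {
	root := genKey()
	aPriv, aTW := issue("TW-consoleA", root)
	bPriv, bTW := issue("TW-consoleB", root)
	own := makeExport(aPriv, aTW, []byte("save written on A"))
	foreign := makeExport(bPriv, bTW, []byte("save resigned under B's chain"))
	return Result{
		OwnOld:     verifyPre142(own, &root.PublicKey) == nil,
		OwnNew:     verify142(own, aTW) == nil,
		ForeignOld: verifyPre142(foreign, &root.PublicKey) == nil,
		ForeignNew: verify142(foreign, aTW) == nil,
	}
}
```

`Scenario()` returns all four flags; on console A its own export passes both checks, while console B's export passes only the pre-1.4.2 check. The design point is the same one the post makes: a trust anchor that travels inside the data being verified only proves the data came from *some* console, and pinning the anchor to the console's own NAND copy is what ties the signature to *this* console.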

Return of the Jodi

February 2nd, 2011 by Segher · 6 Comments

[UPDATED, at the bottom]

[Guest post by roto:]

Recently, news has spread of a Lego Star Wars exploit for the Wii. After last week’s Bathaxx release there wasn’t much rush to get our LSW exploit out there but it seems the cat is out of the bag. Releasing our own version now would make more sense than waiting or not releasing at all. No disrespect is meant towards the person who worked on the LSW exploit that has been making the rounds on news sites, but we figured it wouldn’t hurt to share what we’ve created.

This exploit works on the original Lego Star Wars game as well as the newer (1.01) release (NTSC and PAL) all through one masterfully crafted save.

Thanks go out to lewurm for fine-tuning all the code and testing the PAL region save, and of course to Team Twiizers for the initial LIJ source.

[segher: And of course, thanks to roto for doing all the heavy lifting for this exploit! And to drmr for the awesome graphics.]

[UPDATE: New version, now properly supporting JPN region, with thanks to “Nekokabu” and “airline38”!]

Have a look at the source code, or download the binary.

As always, be sure to read the license before redistributing the binary: it’s GPL, you are not allowed to distribute without also giving out the source code. So please don’t.

DSiWare Exploit Sudokuhax Release

January 27th, 2011 by yellows8 · 90 Comments

Update: 28/01/2011 Nintendo removed Sudoku from the EUR/AU and USA DSi Shop. At the time of the USA Sudoku removal, there were 234 injection requests from the client software, and 1684 client software release archive downloads. The download/request ratio is large because there were several downloads per minute, while each user took several minutes to buy Sudoku and inject Sudokuhax, so there was one injection request every couple of minutes. Current download and injection stats are available here.

Update: 02/02/2011 USA Sudoku was removed from NUS; EUR Sudoku is still available on NUS, but neither is available from any of the DSi Shop regions. None of the Sudoku regions have been updated on NUS yet. At this time, trying to access the Sudoku page from the DSi Shop “Account activity” displays an error saying this software was removed due to certain circumstances.

Update: 03/24/2011 USA Sudoku was updated and is now available on DSi shop again. EUR/AU Sudoku was not yet updated. On roughly 03/30/11, EUR/AU Sudoku was updated and is now available on DSi Shop. This update fixes all the Sudoku string bugs, and the game will check for Sudokuhax and delete it when detected. Sudokuhax is dead for this updated Sudoku version.

As you may remember, we started looking at the DSi about two years ago. Despite some early attempts using savegame hacks for hybrid card games, we eventually resorted to more complex attacks that involved soldering many wires to tiny points on the PCB to be able to trace and modify the RAM. However, doing this is not feasible for the average homebrew user, so we used the knowledge we gained through these complicated attacks to get more information about the whole system, which in the end allowed us to experiment with DSiWare games. We also learned how to create savegames, so we can now do what we did three years ago with the Wii: savegame hacks!

In early December we managed to get DSi mode code execution by exploiting the DSiWare application ‘Sudoku’ by EA. Sudoku is only available for the USA and EUR/AU regions. Exploiting DSiWare is interesting because in DSi mode the DSi SD card slot is accessible, the whole 16MB of RAM is available, and the CPU is clocked 2x higher than in DS mode. The maximum size of the embedded code that can be loaded directly via this exploit is limited, so a small payload was needed to chain-load another application. Initially a wifi loader was used, but this was switched to loading from the DSi SD card slot. The SD card loader boots /boot.nds from the SD card directly from Sudokuhax.

DSiWare exploits can’t access gamecard slot1; it’s likely that only the launcher/sysmenu can access slot1. The main advantage of DSiWare exploits over hybrid card EEPROM savedata exploits is SD card access, *and* the exploit supports SDHC. :)

Usage of the exploit is described below:

  1. Export Sudoku to SD card via the data management menu.
  2. Sudokuhax will then be injected into the Sudoku application via the client software. The client software uploads DSi-specific data from the Sudoku application to a web server, then injects the retrieved data into the Sudoku application.
  3. Copy the output binary to SD card with the same filename as the original.
  4. Copy Sudokuhax from SD card to “internal memory” via the data management menu.
  5. Launch Sudoku, then press button A or touch screen at the Sudoku title screen.
  6. Now boot.nds on SD card will be run.

The data uploaded by the client software includes the anonymous DSi-unique console ID, and other data required for modifying the Sudoku binary on SD card. This data is used for logging unique web server requests.

The client software is available here. The tracker for the client software and Sudokuhax is available here. Client software source code licensed under GNU GPLv2 is available here.
