Notes from inside your Wii


DSiWare Exploit Sudokuhax Release

January 27th, 2011 by yellows8 · 90 Comments

Update: 28/01/2011 Nintendo removed Sudoku from the EUR/AU and USA DSi Shop. At the time of the USA Sudoku removal, there were 234 injection requests from the client software, and 1684 client software release archive downloads. The download/request ratio is large because there were several downloads per minute, while each user took several minutes to buy Sudoku and inject Sudokuhax, thus there was one injection request every couple of minutes. Current download and injection stats are available here.

Update: 02/02/2011 USA Sudoku was removed from NUS. EUR Sudoku is still available on NUS, but neither is available from any of the DSi Shop regions. None of the Sudoku regions were updated on NUS yet. At this time, when trying to access the Sudoku page from DSi Shop “Account activity”, it displays an error saying this software was removed due to certain circumstances.

Update: 03/24/2011 USA Sudoku was updated and is now available on DSi Shop again. EUR/AU Sudoku was not yet updated. On roughly 03/30/11, EUR/AU Sudoku was updated and is now available on DSi Shop. This update fixes all the Sudoku string bugs, and the game will check for Sudokuhax and delete it when detected. Sudokuhax is dead for this updated Sudoku version.

As you may remember we started looking at the DSi about two years ago. Despite some early attempts using savegame hacks for hybrid card games we eventually resorted to more complex attacks that involved soldering many wires to tiny points on the PCB to be able to trace and modify the RAM. However, doing this is not feasible for the average homebrew user so we used the knowledge we gained through these complicated attacks to get more information about the whole system which allowed us to experiment with DSiWare games in the end. We also learned how to create savegames so we can now do what we did three years ago with the Wii: Savegame hacks!

In early December we managed to get DSi mode code execution by exploiting the DSiWare application ‘Sudoku’ by EA. Sudoku is only available for regions USA and EUR/AU. Exploiting DSiWare is interesting because in DSi mode the DSi SD card slot is accessible, the whole 16MB RAM is available, and the CPU is clocked 2x higher than DS-mode. The max size of the embedded code that can be loaded directly via this exploit is limited so a small payload was needed to chain load to another application. Initially a wifi loader was used, but this was switched to load from the DSi SD card slot. The SD card loader boots /boot.nds from the SD card directly from Sudokuhax.

DSiWare exploits can’t access gamecard slot1; it’s likely that only launcher/sysmenu can access slot1. The main advantage of DSiWare exploits over hybrid card EEPROM savedata exploits is SD card access, *and* the exploit supports SDHC. 🙂

Usage of the exploit is described below:

  1. Export Sudoku to SD card via the data management menu.
  2. Sudokuhax will then be injected into the Sudoku application via client software. The client software uploads DSi-specific data from the Sudoku application to a web server, then injects the retrieved data into the Sudoku application.
  3. Copy the output binary to SD card with the same filename as the original.
  4. Copy Sudokuhax from SD card to “internal memory” via the data management menu.
  5. Launch Sudoku, then press button A or touch screen at the Sudoku title screen.
  6. Now boot.nds on SD card will be run.

The data uploaded by the client software includes the anonymous DSi-unique console ID, and other data required for modifying the Sudoku binary on SD card. This data is used for logging unique web server requests.

The client software is available here. The tracker for the client software and Sudokuhax is available here. Client software source code licensed under GNU GPLv2 is available here.



January 26th, 2011 by Segher · 15 Comments


Another year, another hack.

The Indiana Pwns hack is quite old, and it appears that people are selling that game for extortionist prices now (around EUR 100 on ebay, seriously). So, it would be good if there was some other game we could use.

lewurm has created a hack for the LEGO Batman game, thanks to the wonders of Free Software. I love it when I don’t have to do anything myself!

So head over to his page, and enjoy!

As always, be sure to read the license before redistributing the binary: it’s GPL, you are not allowed to distribute without also giving out the source code. So please don’t.


Open-source USB Analyzer / 27C3

December 19th, 2010 by bushing · 7 Comments

We’ve seen a lot of interest in USB in the past few months — a slew of PS Jailbreak clones appeared from a USB trace taken with a $1500 Lecroy USB Analyzer, and marcan wrote a Kinect driver using libusb, based on some USB protocol traces taken with a $1200 Beagle 480 USB analyzer.

To build a decent USB 2.0 protocol analyser you don’t need that many things inside, and the designs aren’t all that much more complicated than the FPGA designs we worked with on the DSi. pytey and I have been discussing hardware USB 2.0 analysis on and off for 2+ years but we have never had the time (or funds) to create a gadget of our own. An opportunity arose when pytey showed me the absolutely fabulous Kickstarter site, where you can help fund fledgeling projects to get them off the ground.

Open-source hardware isn’t a new idea, but it’s not very easy to pull off designs of even modest complexity. Unlike open-source software (which can generally be made with free tools on any household computer, as long as you have the time to learn how to do so), hardware-hacking is … well … expensive, for lack of a better word, and slow. One attempt at making a board will generally take you from 5-500 hours of time to design it, and then a couple of weeks to have a prototyping house make you some PCBs. This will probably cost you $50-$200, and then you still have to buy the parts and assemble the board … assuming you have the right equipment to do so, this can take you another week (not including debugging!).

After you’ve done all that, if all goes well — you end up with one or two prototypes which you can then try to get working, usually involving some combination of firmware and client software on your computer. Unfortunately, you only have one or two boards, so it’s hard to do much collaboration online with people on one design.

pytey suggested that we might try to leverage Kickstarter to help us make the USB 2.0 analyzer a reality — and thus, OpenVizsla was born! This project has allowed us to collect enough funds ahead of time to have a factory make enough prototypes for all our colleagues to work on firmware, HDL and client software to make an open-source USB analyzer happen. We still have to put the work in to design the hardware, but we will have enough cash to be able to buy the parts for our boards in one chunk (achieving significant discounts with quantity), and we will be able to have enough prototypes made at once to justify a factory production run — no more hand-soldering for us! Once we’re done with this, we’ll end up with a design that people can tinker with and extend; there will be a project site that will soon host more details.

It seemed like a bit of a gamble, so we argued back and forth and picked a cash target high enough to ensure we would be able to make at least enough prototypes to have a decent chance of pulling the project off. I could never have expected the popular reaction to it; it seems like we really struck a nerve out there. We even got a couple of celebrities (Stephen Fry, DVDJon) on board, and our ploy to get some major backers (offering the right to directly participate in the early prototyping stages and a spot for a logo) paid off in spades. We even got support from Altium, who donated a couple of licenses of their lovely CAD/CAM software for us to use to speed up our design process.

Anyway, if you’re interested in the idea of playing with USB, I recommend you head over to the Kickstarter page; as of this writing, there’s still 3 days left for you to get in on the OpenVizsla production run.

On to CCC — our Console Hacking table at the Chaos Communication Congress in Berlin has become somewhat of a fixture there, so we’re trying to reserve some space this year. A few of you have already noticed that we have a “Console Hacking 2010” wrapup presentation planned; the description’s still a bit vague because our presentation will depend on how much progress we make between now and then. There’s going to be a PS3 surprise though. No questions about the content, please — we’re still busy hacking away over here, so just come see us there or wait for the video!
