I don't understand [edit] how unsigned code is executed...

Posted by ABoyAndHisWii 
I don't understand [edit] how unsigned code is executed...
January 05, 2010 11:36AM
I've yet to do anything (I don't have an SD card reader for my computer), but I'm reading a lot and thinking a lot on the subject. Could anyone shed some light on how the bannerbomb exploit works? If I understand correctly, the overflow occurs when a corrupted banner is loaded from the SD card to be displayed in the SD card menu in 4.2. Since this allows access to NAND, this is technically all that is needed to load homebrew, correct? All permissions are unlocked?

Now what I'm wondering is, is it not possible to utilize the Disc Channel to perform a similar attack? Or does the System Menu prevent an oversized banner from being loaded, and if so, why does the SD card menu not perform a check on this?

I've never played Brawl, but does this exploit (stacksmash) work under 4.2? If this exploit occurs within game code, would it be possible for Nintendo to prevent this in future updates? Or does it rely on a weakness in IOS?

And finally, does anyone know anything about WODE? Would it be possible to perform an attack through this device, hopefully allowing homebrew without any modification to the NAND?

Thanks in advance for any responses, all information is helpful.



Edited 1 time(s). Last edit at 01/05/2010 01:04PM by ABoyAndHisWii.
Re: I don't understand
January 05, 2010 12:17PM
Yes that's pretty much how bannerbomb works.

Quote
ABoyAndHisWii
Now what I'm wondering is, is it not possible to utilize the Disc Channel to perform a similar attack? Or does the System Menu prevent an oversized banner from being loaded, and if so, why does the SD card menu not perform a check on this?
The banner code would probably allow this to be exploited via the disc channel, but since the disc (banner) needs to be modified the Wii will not load it. You would need to make a legit Wii disc have the banner exploit, which isn't possible.

Quote
ABoyAndHisWii
I've never played Brawl, but does this exploit (stacksmash) work under 4.2? If this exploit occurs within game code, would it be possible for Nintendo to prevent this in future updates? or does it rely on a weakness in IOS?
Yes, it works on any System Menu version. The exploit is in the game itself and since it relies on something that is part of the game (stage loading from SD cards) then it can't be patched on currently released Brawl discs. Nintendo can't do anything about it really.

WODE has basically the same use as having a modchip. It would allow you to play copied games, but homebrew can't be used with it because the Wii requires games to be signed. Homebrew can't be correctly signed because only Nintendo has the keys for that.



Edited 1 time(s). Last edit at 01/05/2010 12:30PM by bg4545.
Re: I don't understand
January 05, 2010 12:30PM
Quote
bg4545
The banner code would probably allow this to be exploited via the disc channel, but since the disc (banner) needs to be modified the Wii will not load it. You would need to make a legit Wii disc have the banner exploit, which isn't possible.

I've never heard of WODE so I can't help with that one..

WODE is Wii Optical Drive Emulator, marketed for backups, so I'm not sure how close it is to breaking the rules to discuss it, but I'm only interested in homebrew here so I hope it's OK. My theory is that since it essentially replaces the DVD drive with a USB HDD and then emulates the operation of the DVD drive with Linux on its own processor, it might be possible to inject a corrupted banner into the image of a legit Nintendo disc, modifying it as you say but not in the way that you meant (you did mean the impossibility of modifying a disc, right?)
Re: I don't understand
January 05, 2010 12:31PM
Yeah, I googled :P
see my edit
The Wii would refuse to load the modified disc image because the signature check after editing it (injecting bannerbomb) would fail.



Edited 2 time(s). Last edit at 01/05/2010 12:41PM by bg4545.
Re: I don't understand
January 05, 2010 12:44PM
Heh, I feel kinda stupid after you point that out. For some reason I was assuming the banner wasn't involved.

-Edit- So how does bannerbomb manage to work? What's different in the case of channels on SD card?



Edited 1 time(s). Last edit at 01/05/2010 12:46PM by ABoyAndHisWii.
Re: I don't understand
January 05, 2010 08:07PM
Quote
ABoyAndHisWii
-Edit- So how does bannerbomb manage to work? What's different in the case of channels on SD card?
The whole disc is signed, with keys we do not have. content.bin banners are signed and encrypted with keys we have.
Re: I don't understand [edit] how unsigned code is executed...
January 05, 2010 08:48PM
Quote
ABoyAndHisWii
I've yet to do anything (I don't have an SD card reader for my computer), but I'm reading a lot and thinking a lot on the subject. Could anyone shed some light on how the bannerbomb exploit works? If I understand correctly, the overflow occurs when a corrupted banner is loaded from the SD card to be displayed in the SD card menu in 4.2. Since this allows access to NAND, this is technically all that is needed to load homebrew, correct? All permissions are unlocked?

Sort of. Basically, the Wii crashes, and because there is too much information some of it flows over into the "return address". The Wii then tries to load whatever is at this address in memory to recover from the crash. But there is elf/dol loader code loaded into memory at that address and it is executed. It doesn't allow access to NAND as such, the application must do that itself. NAND access is not necessary to run homebrew, many homebrew apps don't access NAND at all. However, it does run the application as "System Menu" which means it has higher permissions than usual (my understanding is it's a little like running something as "root" on a Unix system), because the exploit is in the System Menu. I think this is all correct, no doubt someone will correct any mistakes I have made.
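The defect class the reply above describes is a loader that trusts a length field in the banner and copies it into a fixed-size stack buffer. The following is an added illustration, not code from the thread or from any Wii software: the banner layout (a 4-byte big-endian length plus payload) and the buffer size are constructed assumptions, and the point is the length check a parser must do before copying.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout for illustration only (not the real Wii banner
 * format): a 4-byte big-endian payload length followed by the payload. */
#define BANNER_MAX 64   /* assumed size of the loader's fixed buffer */
#define HEADER_LEN 4

struct banner {
    uint8_t data[BANNER_MAX];
    size_t  len;
};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* True when the declared length exceeds the fixed buffer, i.e. when a
 * loader that copied without checking would overrun its stack frame. */
bool banner_would_overflow(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HEADER_LEN) return false;
    return read_be32(rec) > BANNER_MAX;
}

/* Hardened parser: validates the declared length against both the buffer
 * capacity and the bytes actually present before copying anything.
 * Returns 0 on success, -1 when the record is rejected. */
int banner_parse(const uint8_t *rec, size_t rec_len, struct banner *out) {
    if (rec_len < HEADER_LEN) return -1;
    uint32_t declared = read_be32(rec);
    if (declared > BANNER_MAX) return -1;            /* too big for buffer */
    if (declared > rec_len - HEADER_LEN) return -1;  /* truncated record  */
    memcpy(out->data, rec + HEADER_LEN, declared);
    out->len = declared;
    return 0;
}

/* Constructed sample records: a well-formed one and one that claims a
 * 4096-byte payload while carrying only 4 bytes. */
const uint8_t good_rec[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
const uint8_t big_rec[]  = {0, 0, 0x10, 0, 'x', 'x', 'x', 'x'};

int main(void) {
    struct banner b;
    int ok  = banner_parse(good_rec, sizeof good_rec, &b);   /* 0  */
    int bad = banner_parse(big_rec, sizeof big_rec, &b);     /* -1 */
    return (ok == 0 && bad == -1) ? 0 : 1;
}
```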
Re: I don't understand [edit] how unsigned code is executed...
January 06, 2010 03:00AM
There are three permission levels:
1. SU (can do anything, like root)
2. System Menu (can do a lot, like an admin)
3. Game/Channel (can't do much, like a normal user)