Idea for new Wii exploits?

Posted by XICO2KX 
Re: Idea for new Wii exploits?
February 26, 2011 10:34PM
Hi, I know this is my post here but I've been following the Wii homebrew scene since long ago. Unfortunately I don't have any type of Homebrew installed on my Wii (because I was stupid and didn't know about homebrew when I updated to 4.3, and now I don't have any of the required games to install).

Not having a way to install homebrew on system menu 4.3 is what interests me so much in the search for alternative ways to install Homebrew on 4.3. It happens that I already played quite a lot with the Internet Channel, including embedding malformed images and strange JavaScript code in pages, like what lewurm did, but got nowhere (unlike lewurm).

I also discovered that (strangely) the Photo Channel can display the thumbnails for some perfectly normal JPEG images, but when I select them (to view in big size), I get a message that their format is not supported... if this is true, how is the Wii able to show the thumbnails? Perhaps this doesn't help the homebrew scene in any way, but it's still a bug that is perhaps worth exploring (I have taken photos of the various steps and I also have the JPEG files that cause this, inform me if you're interested in getting them).

I'd like to thank lewurm for how far s/he got in investigating possible exploits. Yes, it's true that Nintendo can easily fix these exploits on the Internet Channel, but look, Bannerbomb was also easily fixable and they indeed fixed it, but does that make it not worth developing things like Bannerbomb?
BTW, I don't know how easily Nintendo can update a channel with system updates... look at the new version of the Photo Channel: they made its update to version 1.1 (which I have by default) optional, by downloading it from the Shop Channel.

@otto:
I think a URL that does such things can be protected to prevent, for example, people from pointing to it directly - if the URL is dynamic (e.g. changes every half hour), people won't easily be able to send, for example, a Wii Message Board message with the malicious URL. In the end, I think a URL is as dangerous as the Bannerbomb files. With a URL, you send it through email; with a corrupted banner you can send it to a friend on an SD card telling him to copy e.g. some game to his/her Wii - and when s/he accesses the SD menu, HackMii (or other code) will run.

Anyways, nobody said an Internet Channel hack must be via a web page...

About the file:/// protocol, there's information on the wiki about the Internet Channel that explicitly says the file:/// protocol doesn't do anything (I have tried it myself too).

Something that I think should be explored is the file download on the Internet Channel. I know the Internet Channel doesn't support downloads, but with certain files it just keeps loading forever (and the progress bar progressively increases, but never gets to the max). There are also downloads where it just stops... perhaps it has to do with server configuration or file type. With this I'm not saying we can tell a Wii to download a DOL directly and run it (I haven't tried though, has anybody?), but perhaps there's some exploit that can be used.
Re: Idea for new Wii exploits?
March 03, 2011 05:23AM
You can just rent the game you need to install homebrew channel then return it. You don't have to own the game.
Re: Idea for new Wii exploits?
March 04, 2011 05:27PM
Quote
gbl08ma
Something that I think that should be explored is the file download on the Internet Channel. I know Internet Channel doesn't support downloads, but with certain files it just keeps loading forever (and the progress bar progressively increases, but never gets to the max).
After a long time it will show a message with "out of memory", it just takes a while because the Wii is that slow.
Re: Idea for new Wii exploits?
March 08, 2011 02:29AM
(First post, please educate me if I break some netiquette)

Another possible vector:
Playing with the Shopping channel but configuring the Wii to use my PC as a proxy (and running Fiddler on it), while downloading some demo I saw that:

a)
Several "browsers" seem to be involved, thus increasing the attack surface
User-Agent: Opera/9.00 (Nintendo Wii; U; ; 1038-58; en)
(this was HTTP for the EULA)
User-Agent: Opera/9.30 (Nintendo Wii; U; ; 2077-4; Wii Shop Channel/19.0(A); en)
(this was HTTPS to oss-auth.shop.wii.com)
User-Agent: RVL ECSHOP 4.0.0 Jul 2 2010 12:25:27
(this was HTTP to ccs.cdn.shop.wii.com)


b)
At one point (sadly I don't remember where and didn't take notes, but I seem to recall that it was in one of the requests sent by "RVL ECSHOP") Fiddler gave an error and the message appeared on the Wii screen. What I saw was one of those hexadecimal errors that you get e.g. when DNS is not working. BUT after that I could read the message sent by Fiddler. (so, if the Wii code parsing it had some buffer overflow....)

I found ECSHOP in
.....\nand-extracteda\title\00010002\48414241\content\0000005a.app
and
.....\nand-extracteda\title\00010002\48414241\content\0000005b.app


HTH,
Nix

(P.S.: All this was on 4.3)
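The three User-Agent strings listed in point a) above are the kind of thing a defender pulls out of proxy logs to inventory how many distinct HTTP client implementations a device actually exposes, since each one is a separate code base to track for known bugs. The following is an added example, not code from the thread or from any Wii project: it parses the three strings quoted in the post (used here as sample input) into structured fields and reports the distinct (family, version) pairs. The field layout assumed for the Opera comment (device; security; empty; build; optional channel; language) is inferred from those two strings only.

```python
import re

# The three User-Agent strings quoted in the post above, as observed through
# the Fiddler proxy. They serve as sample input here.
SAMPLE_USER_AGENTS = [
    "Opera/9.00 (Nintendo Wii; U; ; 1038-58; en)",
    "Opera/9.30 (Nintendo Wii; U; ; 2077-4; Wii Shop Channel/19.0(A); en)",
    "RVL ECSHOP 4.0.0 Jul 2 2010 12:25:27",
]

# Greedy ".*" so a ")" inside the comment (as in "19.0(A)") does not end the match early.
OPERA_RE = re.compile(r"^Opera/(?P<version>\d+\.\d+) \((?P<details>.*)\)$")
ECSHOP_RE = re.compile(r"^RVL ECSHOP (?P<version>\d+\.\d+\.\d+) (?P<build>.+)$")


def parse_user_agent(ua):
    """Split one User-Agent string into the fields a client inventory cares about.

    Returns a dict with at least "family" and "version". Unknown strings are
    kept verbatim so they can be triaged rather than silently dropped.
    """
    m = OPERA_RE.match(ua)
    if m:
        # Assumed comment layout: device; security; (empty); build; [channel;] language
        fields = [f.strip() for f in m.group("details").split(";")]
        info = {
            "family": "Opera",
            "version": m.group("version"),
            "device": fields[0] if fields else None,
            "build": fields[3] if len(fields) > 3 else None,
            "lang": fields[-1] if fields else None,
            "channel": None,
        }
        # A sixth field names the embedding channel (here the Wii Shop Channel).
        if len(fields) >= 6:
            info["channel"] = fields[4]
        return info
    m = ECSHOP_RE.match(ua)
    if m:
        return {"family": "RVL ECSHOP", "version": m.group("version"), "build": m.group("build")}
    return {"family": "unknown", "version": None, "raw": ua}


def distinct_client_stacks(user_agents):
    """Sorted set of (family, version) pairs seen: the distinct HTTP client
    implementations that each need their own vulnerability tracking."""
    stacks = {(p["family"], p["version"]) for p in map(parse_user_agent, user_agents)}
    return sorted(stacks)


if __name__ == "__main__":
    for ua in SAMPLE_USER_AGENTS:
        print(parse_user_agent(ua))
    print(distinct_client_stacks(SAMPLE_USER_AGENTS))
```

Run against the three strings from the post, `distinct_client_stacks` reports two Opera builds plus the separate ECSHOP client, which is the "several browsers" observation in a form that can be fed into an asset list.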
Re: Idea for new Wii exploits?
March 08, 2011 02:34PM
Quote
Daid
Quote
gbl08ma
Something that I think that should be explored is the file download on the Internet Channel. I know Internet Channel doesn't support downloads, but with certain files it just keeps loading forever (and the progress bar progressively increases, but never gets to the max).
After a long time it will show a message with "out of memory", it just takes a while because the Wii is that slow.

If it shows that message only after a while, it's most likely because it has already downloaded some bytes (and perhaps they aren't so few) into the amount of RAM dedicated to the Internet Channel. IMO the only way to make (useful) use of these downloaded bytes is if the Internet Channel's memory is not protected enough to allow the downloaded bytes to be executed. In other words, if there was a way to make the Internet Channel "run" these bytes, something could be done. But hey, AFAIK the most obvious and "easy" way to run these bytes is using a buffer overflow (or something similar), and that doesn't seem to be possible due to the fact that when memory is exceeded the browser shows that message, "out of memory".

Attacking the browser through Flash might not be easy either: the memory dedicated to Flash is reduced too (e.g., the buffer for YouTube videos never loads the video entirely, it only loads 30s or so) and perhaps that memory is sandboxed too, so we can't do anything with it.

@nixcalo: thanks for your interest in this, I think many people have done what you did before, but never shared the occurrences as you did. At least, I've never read about those ECSHOP calls.

Another interesting thing in the EULA and similar screens is that they seem to use Opera 9.00 and not Opera 9.30, this probably means the Wii System Menu uses Opera 9.00 in many parts of its UI (remember what was posted at hackmii some time (almost three years) ago, look: [hackmii.com] and also [hackmii.com] ), including the EULA screen. Where "normal" browsing is needed, like on the Shop and Internet channels, it uses another version of Opera, 9.30.

This is great because the versions above 9.00 and below 9.30 seem to have many more exploits (although these are for desktop versions) than version 9.30 and above. This is probably why Nintendo used 9.00 for "system" things (perhaps they had a modified 9.00 version already done, and didn't want to upgrade their mods to 9.30 when it came out), and chose to update to 9.30 for less exploitable browsing on the Shop Channel, the Internet Channel and perhaps on the help viewer too (maybe because these sections' "browser" had no specific mods for Wii and thus it could be updated easily to 9.30). By Nintendo's "mods" I mean special APIs for controlling the system from the "pages" (the UI) the browser is showing, special JavaScript classes, and so on. If these Nintendo mods don't include fixes for the exploits found on version 9.00, it's probably because these exploits are still exploitable.

Has anyone tried to change what is displayed on the EULA screen by setting up an HTTP server on a PC and configuring their router to point the EULA URL to the server on the computer? This was done by several people for the Shop Channel (in order to use it as an Internet browser/cheap Internet Channel), but since the Shop Channel started using HTTPS, it's impossible to fake a server because nobody knows the SSL keys. However (and here comes the interesting part), if what nixcalo said is correct, then the EULA thing doesn't use SSL yet... only simple HTTP. Furthermore, since the EULA uses Opera 9.00, it might be possible to exploit some things like I described in the paragraph above.

I know this is all very confusing, and I hope I explained my ideas well. These are just ideas, they don't have much technical basis, but hey, we need to start somewhere ;) So here are my two cents :)

Anxiously waiting for developments on this
gbl08ma
Re: Idea for new Wii exploits?
March 08, 2011 11:18PM
I post what I find in case it's of some use:

(inside 00010002\48414241\content\0000005b.app)

a input.ini file has:
......
[Browser Window]
GpL = GOGI Previous Page
GpR = GOGI Next Page
GpB = GOGI Command Menu or Cancel
GpZ = GOGI Chrome Menu
GpA = Activate element | Click button | Click default button
.....
(but nunchunk Z did nothing. Could it be a different controller?)

myfilter.ini "includes"
[*.shop.wii.com]*
[*.wii.broadon.com]*

so, maybe we can use https://my.fake.net/path_is.shop.wii.com/files ? (no spaces of course, I just didn't know how to escape markup from wiki)
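The question at the end of the post above (whether a URL whose path contains "shop.wii.com" would slip through a filter written as `[*.shop.wii.com]*`) is the classic allowlist-matching bug, and the reply that follows notes the TLS certificate check would still stand in the way. The following is an added example, not code from the thread or from any Nintendo or Opera component: it contrasts a weak matcher that globs the host pattern against the whole URL string with a hardened one that parses the URL and applies the pattern to the host only. Reading the ini lines as `[host-glob]path-glob` is an assumption (the file's real semantics are not on the page), and the sample URLs are constructed; beyond the single case in the post it also covers a look-alike suffix, a userinfo prefix and a non-HTTP scheme.

```python
import fnmatch
from urllib.parse import urlsplit

# The two patterns quoted from myfilter.ini above. Reading them as
# "[host-glob]path-glob" is an assumption made for this example.
FILTER_PATTERNS = ["[*.shop.wii.com]*", "[*.wii.broadon.com]*"]

# Constructed sample URLs: two hosts named in the thread, the URL proposed in
# the post, and a few look-alikes an allowlist must not be fooled by.
SAMPLE_URLS = [
    "https://oss-auth.shop.wii.com/",
    "http://ccs.cdn.shop.wii.com/some/path",
    "https://my.fake.net/path_is.shop.wii.com/files",
    "https://evil.shop.wii.com.attacker.example/",
    "https://oss-auth.shop.wii.com@my.fake.net/",
    "ftp://ccs.cdn.shop.wii.com/x",
]


def split_pattern(pattern):
    """'[*.shop.wii.com]*' -> ('*.shop.wii.com', '*')."""
    if not pattern.startswith("[") or "]" not in pattern:
        raise ValueError("expected [host]path form: %r" % (pattern,))
    close = pattern.index("]")
    return pattern[1:close], pattern[close + 1:]


def naive_allows(url, patterns=FILTER_PATTERNS):
    """Weak check: glob the host pattern against the whole URL string.
    fnmatch's '*' also matches '/', so the host text may land in the path."""
    for pattern in patterns:
        host_pat, path_pat = split_pattern(pattern)
        if fnmatch.fnmatchcase(url, "*" + host_pat + path_pat):
            return True
    return False


def host_allows(url, patterns=FILTER_PATTERNS):
    """Hardened check: parse the URL, then match host and path separately."""
    parts = urlsplit(url)
    # hostname already drops userinfo and port; normalise case and trailing dot
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return False
    for pattern in patterns:
        host_pat, path_pat = split_pattern(pattern)
        if host_pat.startswith("*."):
            # "*.shop.wii.com" matches subdomains only; allowing the bare apex
            # would be a separate, explicit decision
            suffix = host_pat[1:]
            host_ok = host.endswith(suffix) and len(host) > len(suffix)
        else:
            host_ok = host == host_pat.lower()
        path_ok = fnmatch.fnmatchcase(parts.path or "/", path_pat or "*")
        if host_ok and path_ok:
            return True
    return False


def evaluate(urls=SAMPLE_URLS):
    """Map each URL to (naive_result, hardened_result) for side-by-side comparison."""
    return {u: (naive_allows(u), host_allows(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strong) in evaluate().items():
        print("%-50s naive=%-5s host-based=%s" % (url, weak, strong))
```

The naive matcher accepts every one of the look-alikes, including the URL from the post, because the allowed host text merely has to appear somewhere in the string. The host-based matcher accepts only the two genuine shop hosts. As the reply below points out, a filter like this is only one layer: server authentication over TLS is what actually stops a redirected client from talking to a foreign server.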
Re: Idea for new Wii exploits?
March 09, 2011 02:43PM
Thanks for posting this, it's indeed very interesting - especially for one who can't browse the Wii's NAND internals because he doesn't have a way to install homebrew w/out specific games (for now!) :)

I see that both
GpL = GOGI Previous Page
GpR = GOGI Next Page
and also
GpA = Activate element | Click button | Click default button
coincide with the actions of the Left, Right and A keys; however
GpB = GOGI Command Menu or Cancel
"Command Menu or Cancel" has nothing to do (at least IMO) with the scrolling function that happens when you press B on the Wiimote, like GpZ on the nunchuk does not pop up any "Chrome Menu" (at least one that's visible on the user interface that is sent on the A/V interface).

So, is it possible that while GpL, GpR and GpA coincide with the Wiimote keys, GpZ and GpB aren't existing keys on the "release" (publicly available) Wiimote? That GpB and GpZ are keys that only exist on a "special" Wiimote? Or that none of these Gp* references are Wiimote/Nunchuk keys?

If GpB and GpZ are keys that only exist on a special wiimote, I suppose we could emulate that wiimote using a bluetooth-enabled computer and some software (does anything exist yet?). But how would we emulate a special controller if we haven't seen it before? Anyways I don't think this is the way to go. Even if we could access that "Chrome Menu", perhaps it allows us to do nothing interesting.

About the myfilter.ini part, I don't think we could still redirect the Wii to our own server because we don't have the SSL certificate the Wii looks for when accessing these addresses.
---- Start of perhaps uninteresting text AKA noob's blah blah: ----
It's interesting to go to wii.broadon.com using a regular desktop browser and find that nothing is there; I use Chrome and it (as usual) suggested going to [broadon.com] (without the "wii." record). There, I find a very simple homepage, that seems to belong to iGware Inc. This homepage has "igware.com" as title, so it seems that broadon.com and igware.com point to the same place (as you can check).
Now, what and who is iGware, and why do they have this so nifty homepage (that only contains their address and contacts, with a copyright notice of 2010), and even more important, why does your Wii have a reference to a subdomain in this server, wii.broadon.com? (is it only a consequence of some homebrew? or does it exist on every wii?)

It would be so good if someone answered these questions...
For more reading digest...
Also, iGware has a patent registered: [www.patentgenius.com]
The patents registered by iGware Inc.: [www.patentbuddy.com] . Many patents seem to be related to communication in closed networks... Wii Shop Channel, please tell me, your network is powered by iGware/broadon?

Ah, Google is wonderful. I found this: [wiire.org] which kinda answers and also asks some of my questions, making this text even more uninteresting.
---- End of perhaps (un)interesting text ----


Thanks for the progress of everyone on this :)



Edited 1 time(s). Last edit at 03/09/2011 04:25PM by gbl08ma.
Re: Idea for new Wii exploits?
March 09, 2011 03:43PM
BroadOn on Twitter is crediar (homebrew developer).
Re: Idea for new Wii exploits?
March 09, 2011 04:26PM
Quote
bg4545
BroadOn on Twitter is crediar (homebrew developer).
What I thought: that broadon (on twitter) is not the other broadon I was talking about. Post edited to avoid more confusion.
Re: Idea for new Wii exploits?
March 10, 2011 11:59PM
Sorry, I didn't post the complete input.ini file. After further analysis, the entries in the input file are of 2 types:

prefixed with Gp: I guess this must be some legacy controller (gamecube?), the possible names are:
A
B
L
R
Z
Start
AnalogEast (similarly West, North, South)
DigitalEast (ditto here)
CEast (and here)


prefixed with Grc: This is probably the Wiimote. Every name can be suffixed with either "Hor" or "Ver" (and sometimes even "Side") which I assume relates to the Wiimote position when you press the button.
Names are:
A
B
Up/Down/Left/Right
Select
Start
SmallA
SmallB
(these last 4 names I guess are the internal names for +/-/1/2, but I don't know the equivalence yet)

If someone has the (GameCube?) controller and can test if pressing the Z button in the shopping channel does something, please report here. (The input.ini shows this action for "browser window", so it should be outside of buttons, lists, ....)

Unless opening the GOGI Chrome gives some special backdoor, I guess this is going off-topic. So I propose to open a new thread ("Opera Internals")


HTH
Nix
Re: Idea for new Wii exploits?
March 11, 2011 08:53PM
And if the GOGI Chrome is really a backdoor (that would be too much luck, but anyways), and it was only accessible with a GameCube controller (if Gp really means a GameCube controller), then hacking would only be accessible to people with a GC controller... which leaves me out of the party as I don't have a GC controller - anyways, it's still cheaper than the Indiana Jones game I think...

EDIT:

Wanna know what GOGI means? I did a quick Google search for "opera GOGI" and found this (fairly old) press-release from Opera:
[www.opera.com]

From the press-release:
Quote

GOGI is a feature-rich, high performance interface that enables developers to integrate Opera with their customized user interfaces and graphical toolkits.

And on [www.linuxfordevices.com]
Quote

allows Opera's Home Media SDK to build interfaces for devices that lack Qt, X, or other relevant graphical libraries

So my conclusion is that GOGI (standing for "Generic Opera Graphical Interface") is just a way to provide custom interfaces for Opera, like the one on the Internet Channel. More, "GOGI Opera Menu" probably isn't more than the toolbar (or the homepage, or the favorites page, or even perhaps these three things that might be part of a "Generic Opera Graphical User Interface") that appears when you press 1 on the wiimote. Why do they call that key GpZ, don't ask me, but this is my bet - and I hope it's wrong because if it is right, this thing of trying with a GameCube controller leads us nowhere.

BUT... the toolbar, homepage and etc. only exist on the IC (Internet Channel), right? So, this GOGI I was talking about is the one of the IC, and not the one of the Wii Shop. What I have just thought is, that a formal "GOGI Chrome Menu" is called by pressing 1 (optional setting, anyways) on the IC (it's the toolbar everyone sees), and a different one, on the Wii Shop is called by pressing (perhaps) Z on the GameCube controller (and what appears is perhaps - unlikely - a toolbar nobody has seen before?).

I can't wait to have someone trying out (try every single detail, please :D) with a GC controller on the Shop Channel and posting the results (for every single detail, please :D)



Edited 2 time(s). Last edit at 03/12/2011 12:09AM by gbl08ma.
Re: Idea for new Wii exploits?
April 16, 2011 06:01PM
More than a month after the last post on this thread, it seems everybody has lost interest in finding possible exploits on the free software available for the Wii (e.g. Internet Channel), so I went ahead, bought Lego Batman which was the cheapest game with exploits available for my Wii's region and system version, installed the Homebrew Channel and I'm loving it.

So, for me, there's no big interest in this discussion anymore. Again, Homebrew is wonderful and I'm loving some of the apps (e.g. WiiMC, just to say some example)
Re: Idea for new Wii exploits?
February 28, 2012 11:02AM
Quote
gbl08ma
And if the GOGI Chrome is really a backdoor (that would be too much luck, but anyways), and it was only accessible with a GameCube controller (if Gp really means a GameCube controller), then hacking would only be accessible to people with a GC controller... which leaves me out of the party as I don't have a GC controller - anyways, it's still cheaper than the Indiana Jones game I think...

EDIT:

Wanna know what GOGI means? I did a quick Google search for "opera GOGI" and found this (fairly old) press-release from Opera:
[www.opera.com]

From the press-release:
Quote

GOGI is a feature-rich, high performance interface that enables developers to integrate Opera with their customized user interfaces and graphical toolkits.

And on [www.linuxfordevices.com]
Quote

allows Opera's Home Media SDK to build interfaces for devices that lack Qt, X, or other relevant graphical libraries

So my conclusion is that GOGI (standing for "Generic Opera Graphical Interface") is just a way to provide custom interfaces for Opera, like the one on the Internet Channel. More, "GOGI Opera Menu" probably isn't more than the toolbar (or the homepage, or the favorites page, or even perhaps these three things that might be part of a "Generic Opera Graphical User Interface") that appears when you press 1 on the wiimote. Why do they call that key GpZ, don't ask me, but this is my bet - and I hope it's wrong because if it is right, this thing of trying with a GameCube controller leads us nowhere.

BUT... the toolbar, homepage and etc. only exist on the IC (Internet Channel), right? So, this GOGI I was talking about is the one of the IC, and not the one of the Wii Shop. What I have just thought is, that a formal "GOGI Chrome Menu" is called by pressing 1 (optional setting, anyways) on the IC (it's the toolbar everyone sees), and a different one, on the Wii Shop is called by pressing (perhaps) Z on the GameCube controller (and what appears is perhaps - unlikely - a toolbar nobody has seen before?).

I can't wait to have someone trying out (try every single detail, please :D) with a GC controller on the Shop Channel and posting the results (for every single detail, please :D)

But still, many people don't have GC controllers and are probably unlikely to get them (I won't and don't have one), so the point is that if the exploit gets working, it will probably be the least used and will probably be abandoned and patched, considering Nintendo is probably looking for the exploits and closing them down, so after every update you would have to make a new Internet Channel exploit or simply not update. But it still needs a GC controller. There probably is a way on the Wii controller.
Re: Idea for new Wii exploits?
May 07, 2013 08:55AM
The best thing is that you can try BackTrack 5, it is the best Linux-based exploit OS, you can find many exploits in it
Re: Idea for new Wii exploits?
May 07, 2013 01:49PM
That is completely irrelevant, as is most of this thread since letterbomb is available.