Welcome! Log In Create A New Profile Wiibrew Wiki HackMii Blog

Advanced

Idea for new Wii exploits?

Posted by XICO2KX 
Re: Idea for new Wii exploits?
February 26, 2011 09:34PM
Hi, I know this is my post here but I've been following the Wii homebrew scene for long ago. Unfortunately I don't have any type of Homebrew installed on my Wii (because I was stupid and didn't know about homebrew when I updated to 4.3, and now I don't have any of the required games to install).

Not having a way to install homebrew on system menu 4.3 is what interests me so much in the search of alternative ways to install Homebrew on 4.3. It happens that I already played quite a lot with the Internet Channel, including embedding malformed images and strange JavaScript code in pages, like what lewurm did, but got nowhere (unlike lewurm).

I also discovered that (strangely) the Photo Channel can display the thumbnails for some perfectly normal JPEG images, but when I select them (to view in big size), I get a message that their format is not supported... if this is true, how is the Wii able to show the thumbnails? Perhaps this doesn't help in any way the homebrew scene, but it's still a bug that perhaps is worth exploring (I have taken photos of the various steps and I also have the JPEG files that cause this, inform me if you're interested in getting them).

I'd like to thank lewurm for how far s/he got in investigating possible exploits. Yes, it's true that Nintendo can easily fix these exploits on the Internet Channel, but look, Bannebomb was also easily fixable and they indeed fixed it, but does it make not worth to develop things like Bannerbomb?
BTW, I don't know how easily Nintendo can update a channel with system updates... look at the new version of the Photo Channel: they made its update to version 1.1 (which I have by default) optional by downloading it from Shop Channel.

@otto:
I think a URL that does such things can be protected to avoid, for example, people from pointing it directly - if the URL is dynamic (e.g. changes every half hour), people won't be easily able to send, for example, a Wii Message Board message with the malicious URL. At the end, I think an URL is so dangerous as the Bannerbomb files. With an URL, you send it through email; with a corrupted banner you can send it to a friend on a SD card telling him to copy e.g. some game to his/her Wii - and when s/he accesses the SD menu, HackMii (or other code) will run.

Anyways, nobody said a Internet Channel hack must be via a web page...

About file:/// protocol, there's information on the wiki about the Internet Channel that explicitly says the file:/// protocol doesn't do anything (I have tried it myself too).

Something that I think that should be explored is the file download on the Internet Channel. I know Internet Channel doesn't support downloads, but with certain files it just keeps loading forever (and the progress bar progressively increases, but never gets to the max). There are also downloads where it just stops... perhaps it has to do with server configuration or file type. With this I'm not saying we can tell a Wii to download a DOL directly and run it (I haven't tried though, has anybody?), but perhaps there's some exploit that can be used.
Re: Idea for new Wii exploits?
March 03, 2011 04:23AM
You can just rent the game you need to install homebrew channel then return it. You don't have to own the game.
Re: Idea for new Wii exploits?
March 04, 2011 04:27PM
Re: Idea for new Wii exploits?
March 08, 2011 01:29AM
(First post, please educate me i break some nettiquete)

Another possible vector:
Playing with the Shopping channel but configuring Wii to use my PC as a proxy (and running Fiddler on it) , while downloading some demo I saw that:

a)
Several "browsers" seem to be involved, thus increasing the attack surface
User-Agent: Opera/9.00 (Nintendo Wii; U; ; 1038-58; en)
(this was HTTP for the EULA)
User-Agent: Opera/9.30 (Nintendo Wii; U; ; 2077-4; Wii Shop Channel/19.0(A); en)
(this was HTTPS to oss-auth.shop.wii.com)
User-Agent: RVL ECSHOP 4.0.0 Jul 2 2010 12:25:27
(this was HTTP to ccs.cdn.shop.wii.com)


b)
At one point (sadly I don't remember where and didn't take notes, but I seem to recall that it was in one of the requests sent by "RVL ECSHOP") Fiddler gave and error and the message appeared in the Wii screen. What I saw was one of those hexadecimal errors that you get e.g when DNS is not working. BUT after that I could read the message sent by fiddler. (so, if the Wii code parsing it had some buffer overflow....)

I found ECSHOP in
.....\nand-extracteda\title\00010002\48414241\content\0000005a.app
and
.....\nand-extracteda\title\00010002\48414241\content\0000005b.app


HTH,
Nix

(P.D: All this was on 4.3)
Re: Idea for new Wii exploits?
March 08, 2011 01:34PM
Re: Idea for new Wii exploits?
March 08, 2011 10:18PM
Re: Idea for new Wii exploits?
March 09, 2011 01:43PM
Re: Idea for new Wii exploits?
March 09, 2011 02:43PM
BroadOn on Twitter is crediar (homebrew developer).
Re: Idea for new Wii exploits?
March 09, 2011 03:26PM
Re: Idea for new Wii exploits?
March 10, 2011 10:59PM
Sorry, I didn't post the complete input.ini file After further analysis, the entries in the input fail are of 2 types:

prefixed with Gp: I guess this must be some legacy controller (gamecube?), the possible names are:
A
B
L
R
Z
Start
AnalogEast (similarly West, North, South)
DigitalEast (ditto here)
CEast (and here)


prefixed with Grc: This is probably the wiimote. Every name can be suffixed with either "Hor" or "Ver" (and sometimes even "Side") which I assum it relates to the wii position when you press the button.
Names are:
A
B
Up/Down/Left/Right
Select
Start
SmallA
SmallB
(these last 4 names I guess are the internal names for +/-/1/2, but I don't know the equivalence yet)

If someone has the ┬┐gamecube? controller and can test if pressing Z button in shopping channel does something, plese report here. (The input.ini showes this action for "browser window",so it should be outside of buttons, lists, ....)

Unless opening the GOGI Chrome gives some special backdoor, I guess this is going off-topic. So I propose to open a new thread ("Opera Internals")


HTH
Nix
Re: Idea for new Wii exploits?
March 11, 2011 07:53PM
Re: Idea for new Wii exploits?
April 16, 2011 04:01PM
More than a month after the last post on this thread, it seems everybody has lost interest in finding possible exploits on the free software available for the Wii (e.g. Internet Channel), so I went ahead, bought Lego Batman which was the cheapest game with exploits available for my Wii's region and system version, installed the Homebrew Channel and I'm loving it.

So, for me, there's no big interest in this discussion anymore. Again, Homebrew is wonderful and I'm loving some of the apps (e.g. WiiMC, just to say some example)
Re: Idea for new Wii exploits?
February 28, 2012 10:02AM
Re: Idea for new Wii exploits?
May 07, 2013 06:55AM
The best thing is that you can try back track 5 it is a best linux based expliot os you can find many expliots in it
Re: Idea for new Wii exploits?
May 07, 2013 11:49AM
That is completely irrelevant, as is most of this thread since letterbomb is available.
Sorry, you can't reply to this topic. It has been closed.