Shop Channel Exploit (Maybe)

 
Ryan



Joined: 21 Jan 2008
Posts: 6

Posted: Tue Jan 22, 2008 8:27 pm    Post subject: Shop Channel Exploit (Maybe)

I don't know if this was posted before, well, for starters, let's talk over the Internet Channel's User Agent. The browser's user agent is Opera/9.00 (Nintendo Wii; ; 1038-58; Wii Shop Channel/1.0; en)

Yours is totally different. However, you go to this site (http://oss.shop.wii.com/oss/common/vc/W_01.jsp?language=en&region=USA) on your browser, of course, it will forward to wii.com. However, if you download this https://addons.mozilla.org/en-US/firefox/addon/59 for Firefox, you can change your User Agent to the Wii's, and the site changes to something totally different. You go to that site, and here is the source.




Code:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<script type="text/javascript">
  var ec = new ECommerceInterface();
  ec.cancelOperation();

  var shop = new wiiShop();
  var snd = new wiiSound();

  var cSE_Forcus = 2;
  var cSE_Decide = 3;

  var dummy = shop.connecting;

  var titles = new Array();
  titles["ja"] = "Wiiショッピングチャンネル";
  titles["en"] = "Wii Shop Channel";
  titles["fr"] = "Chaîne boutique Wii";
  titles["es"] = "Canal Tienda Wii";
  titles["de"] = "Wii-Shop-Kanal";
  titles["it"] = "Canale Wii Shop";
  titles["nl"] = "Wii-winkelkanaal";

  var messages = new Array();
  messages["ja"] = "Wiiショッピングチャンネルに更新があります!<BR><BR>「Wii本体設定」の「Wii本体の更新」を実行して<BR>Wiiショッピングチャンネルを更新してから<BR>もういちどお越しください。";
  messages["en"] = "There is an update to the Wii Shop Channel!<BR><BR>To receive this update, go to Wii Settings and select Wii System Update. When you return to the Wii Shop Channel, you will receive the update. Come back after you&rsquo;ve updated!";
  messages["fr"] = "Une mise à jour pour la chaîne boutique Wii est disponible!<BR><BR>Pour recevoir cette mise à jour, choisissez &quot;Mise à jour&quot; dans les paramètres Wii. Revenez ensuite sur la chaîne boutique Wii!";
  messages["es"] = "¡Hay una nueva actualización disponible para el Canal Tienda Wii!<BR><BR>Para recibirla, selecciona &quot;Actualización&quot; dentro de la configuración de Wii y a continuación vuelve al Canal Tienda Wii.";
  messages["de"] = "Eine neue Version des Wii-Shop-Kanals ist verfügbar!<BR><BR>Bitte rufe die Wii-Systemeinstellungen auf und wähle unter &quot;Internet&quot; die Option &quot;Update des Wii-Systems&quot; aus, um die neue Version zu erhalten. Besuche den Wii-Shop-Kanal wieder, nachdem du das Update durchgeführt hast!";
  messages["it"] = "È disponibile un aggiornamento del Canale Wii Shop!<BR><BR>Per ricevere l&rsquo;aggiornamento, seleziona Aggiornamento della console Wii alla voce Internet delle Impostazioni console Wii, poi accedi al Canale Wii Shop. Torna dopo aver eseguito l&rsquo;aggiornamento!";
  messages["nl"] = "Er is een nieuwe versie van het Wii-winkelkanaal!<BR><BR>Ga naar de Wii-instellingen en kies voor Systeemsoftware bijwerken. Als je terugkeert naar de Wii-winkel, ontvang je een nieuwe versie. Kom hier terug als je dit hebt gedaan.";

  var buttons = new Array();
  buttons["ja"] = "Wiiメニューへ";
  buttons["en"] = "Wii Menu";
  buttons["fr"] = "Menu Wii";
  buttons["es"] = "Menú de Wii";
  buttons["de"] = "Wii-Menü";
  buttons["it"] = "Menu Wii";
  buttons["nl"] = "Wii-menu";

  function setMessage() {
    var r = ec.getDeviceInfo();
    document.getElementById("titleMulti").innerHTML = titles[r.language];
    document.getElementById("messageMulti").innerHTML = messages[r.language];
    document.getElementById("buttonMulti").innerHTML = buttons[r.language];

    if (shop != null && "endWaiting" in shop) {
        shop.endWaiting();
    }
  }

  function MM_swapImgRestore() { //v3.0
    var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;
  }

  function MM_findObj(n, d) { //v4.01
    var p,i,x;  if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
      d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
    if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
    for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
    if(!x && d.getElementById) x=d.getElementById(n); return x;
  }

  function MM_swapImage() { //v3.0
    var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
    if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
  }

  function MM_preloadImages() { //v3.0
    var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
      var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
    if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
  }

</script>
<title>F-02</title>
<style type="text/css">
<!--
#underbanner {
   position:absolute;
   left:211px;
   top:294px;
   width:187px;
   height:55px;
   z-index:21;
}
#underspacer {
   position:absolute;
   left:211px;
   top:294px;
   width:187px;
   height:55px;
   z-index:23;
}
#underword {
   position:absolute;
   left:214px;
   top:308px;
   width:180px;
   height:22px;
   z-index:22;
}
#text01-01 {
   position:absolute;
   left:29px;
   top:28px;
   width:545px;
   height:28px;
   z-index:27;
}
#text02-01 {
   position:absolute;
   left:34px;
   top:123px;
   width:540px;
   height:107px;
   z-index:26;
}
#underbunnershadow {
   position:absolute;
   left:199px;
   top:287px;
   width:211px;
   height:75px;
   z-index:17;
}
-->
</style>
<link href="text.css" rel="stylesheet" type="text/css" />
</head>

<body onload="MM_preloadImages('under_banner_b.gif'); setMessage();">
<div id="underbanner"><img src="under_banner_a.gif" width="187" height="55" id="Image7" /></div>
<div id="underbunnershadow"><img src="under_banner_shadow.gif" width="211" height="75" /></div>
<div class="dot" id="line02">・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・</div>
<div id="line01"><span class="dot">・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・</span></div>
<div id="underspacer" onmouseover="MM_swapImage('Image7','','under_banner_b.gif',1); snd.playSE( cSE_Forcus );"><a href="javascript:shop.returnToMenu();"><img src="spacer.gif" width="187" height="55" border="0" onmouseover="MM_swapImage('Image7','','under_banner_b.gif',1)" onmouseout="MM_swapImgRestore()" onclick="snd.playSE( cSE_Decide )"/></a></div>
<div class="style22" id="text01-01">
  <div align="left" class="titleBlackL"><span class="titleBlue"><span id="titleMulti"></span></span></div>
</div>
<div class="catarogtitleBlack" id="text02-01">
  <div align="center" class="buttonTextBlackM"><span id="messageMulti"></span></div>
</div>
<div id="underword">

  <div align="center" class="buttonTextBlackM"><span id="buttonMulti"></span></div>
</div>
</body>

</html>

I've made advanced HTML things before, I'm just too lazy to look over this.
Also, some more source codes

Code:
Packet Info
  Flags:                0x00
  Status:               0x04  Encrypted
  Packet Length:        1544
  Timestamp:            11:59:22.642730600 11/19/2006
  Data Rate:            22  11.0 Mbps
  Channel:              7  2442 MHz
  Signal Level:         50%
  Noise Level:          0%
802.11 MAC Header
  Version:              0
  Type:                 %10  Data
  Subtype:              %0000  Data Only
Frame Control Flags:    %00000010
                        0... .... Non-strict order
                        .0.. .... WEP Not Enabled
                        ..0. .... No More Data
                        ...0 .... Power Management - active mode
                        .... 0... This is not a Re-Transmission
                        .... .0.. Last or Unfragmented Frame
                        .... ..1. Exit from the Distribution System
                        .... ...0 Not to the Distribution System

  Duration:             213  Microseconds
  Destination:          00:17:AB:42:A4:8F
  BSSID:                00:18:39:87:19:8D
  Source:               00:18:39:87:19:8B
  Seq. Number:          1857
  Frag. Number:         0
802.2 Logical Link Control (LLC) Header
  Dest. SAP:            0xAA  SNAP
  Source SAP:           0xAA  SNAP
  Command:              0x03  Unnumbered Information
  Vendor ID:            0x000000
  Protocol Type:        0x0800  IP
IP Header - Internet Protocol Datagram
  Version:              4
  Header Length:        5  (20 bytes)
  Type of Service:      %00100000
                        001. .... Precedence: Priority
                        ...0 .... Normal Delay
                        .... 0... Normal Throughput
                        .... .0.. Normal Reliability
                        .... ..0. ECT bit - transport protocol will ignore the CE bit
                        .... ...0 CE bit - no congestion

  Total Length:         1500
  Identifier:           37015
Fragmentation Flags:    %010
                        0.. Reserved
                        .1. Do Not Fragment
                        ..0 Last Fragment

  Fragment Offset:      0  (0 bytes)
  Time To Live:         241
  Protocol:             6  TCP - Transmission Control Protocol
  Header Checksum:      0xF48E
  Source IP Address:    209.67.106.201
  Dest. IP Address:     192.168.2.32
  No IP Options
TCP - Transport Control Protocol
  Source Port:          80  http
  Destination Port:     56974
  Sequence Number:      1771989307
  Ack Number:           3416391579
  Offset:               5  (20 bytes)
  Reserved:             %000000

  Flags:                %011000
                        0. .... (No Urgent pointer)
                        .1 .... Ack
                        .. 1... Push
                        .. .0.. (No Reset)
                        .. ..0. (No SYN)
                        .. ...0 (No FIN)

  Window:               5714
  Checksum:             0xC5FF
  Urgent Pointer:       0
  No TCP Options
HTTP - Hyper Text Transfer Protocol
  Version:              HTTP/1.1
  Status:               200
  Reason:               <CR><LF>
Date:                   Sun, 19 Nov 2006 19:59:19 GMT<CR><LF>
Server:                 Apache/2.0.48<CR><LF>
Content-Type:           text/xml; charset=utf-8<CR><LF>
Transfer-Encoding:      chunked<CR><LF><CR><LF>
  Line  1:              546<CR><LF>
  Line  2:              <?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="http://sc
  Line                  hemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" x
  Line                  mlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><GetSystemUpd
  Line                  ateResponse xmlns="urn:nus.wsapi.broadon.com"><Version>1.0</Version><DeviceId>43
  Line                  62227772</DeviceId><MessageId>13198105123219138</MessageId><TimeStamp>1163966359
  Line                  696</TimeStamp><ErrorCode>0</ErrorCode><ContentPrefixURL>http://nus.cdn.shop.wii
  Line                  .com/ccs/download</ContentPrefixURL><UncachedContentPrefixURL>http://ccs.shop.wi
  Line                  i.com/ccs/download</UncachedContentPrefixURL><TitleVersion><TitleId>000000010000
  Line                  0002</TitleId><Version>97</Version><FsSize>21839872</FsSize></TitleVersion><Titl
  Line                  eVersion><TitleId>000000010000000B</TitleId><Version>10</Version><FsSize>1654784
  Line                  </FsSize></TitleVersion><TitleVersion><TitleId>000000010000000C</TitleId><Versio
  Line                  n>6</Version><FsSize>1654784</FsSize></TitleVersion><TitleVersion><TitleId>00000
  Line                  0010000000D</TitleId><Version>10</Version><FsSize>1654784</FsSize></TitleVersion
  Line                  ><TitleVersion><TitleId>0000000100000100</TitleId><Version>2</Version><FsSize>65
  Line                  536</FsSize></TitleVersion><TitleVersion><TitleId>0000000100000101</TitleId><Ver
  Line                  sion>4</Version><FsSize>229376</FsSize></TitleVersion><UploadAuditData>1</Upload
  Line                  AuditData></GetSystemUpdateResp
Extra bytes (Padding):
  ....J...          00 00 00 00 4A F8 DE C7
FCS - Frame Check Sequence
  FCS (Calculated):     0xB61CB005


Code:
Packet Info
  Flags:                0x00
  Status:               0x04  Encrypted
  Packet Length:        1418
  Timestamp:            11:59:22.562047600 11/19/2006
  Data Rate:            22  11.0 Mbps
  Channel:              7  2442 MHz
  Signal Level:         41%
  Noise Level:          0%
802.11 MAC Header
  Version:              0
  Type:                 %10  Data
  Subtype:              %0000  Data Only
Frame Control Flags:    %00000001
                        0... .... Non-strict order
                        .0.. .... WEP Not Enabled
                        ..0. .... No More Data
                        ...0 .... Power Management - active mode
                        .... 0... This is not a Re-Transmission
                        .... .0.. Last or Unfragmented Frame
                        .... ..0. Not an Exit from the Distribution System
                        .... ...1 To the Distribution System

  Duration:             223  Microseconds
  BSSID:                00:18:39:87:19:8D
  Source:               00:17:AB:42:A4:8F
  Destination:          00:18:39:87:19:8B
  Seq. Number:          764
  Frag. Number:         0
802.2 Logical Link Control (LLC) Header
  Dest. SAP:            0xAA  SNAP
  Source SAP:           0xAA  SNAP
  Command:              0x03  Unnumbered Information
  Vendor ID:            0x000000
  Protocol Type:        0x0800  IP
IP Header - Internet Protocol Datagram
  Version:              4
  Header Length:        5  (20 bytes)
  Type of Service:      %00000000
                        000. .... Precedence: Routine
                        ...0 .... Normal Delay
                        .... 0... Normal Throughput
                        .... .0.. Normal Reliability
                        .... ..0. ECT bit - transport protocol will ignore the CE bit
                        .... ...0 CE bit - no congestion

  Total Length:         1374
  Identifier:           8918
Fragmentation Flags:    %010
                        0.. Reserved
                        .1. Do Not Fragment
                        ..0 Last Fragment

  Fragment Offset:      0  (0 bytes)
  Time To Live:         64
  Protocol:             6  TCP - Transmission Control Protocol
  Header Checksum:      0x13EF
  Source IP Address:    192.168.2.32
  Dest. IP Address:     209.67.106.201
  No IP Options
TCP - Transport Control Protocol
  Source Port:          56974
  Destination Port:     80  http
  Sequence Number:      3416390245
  Ack Number:           1771989307
  Offset:               5  (20 bytes)
  Reserved:             %000000

  Flags:                %011000
                        0. .... (No Urgent pointer)
                        .1 .... Ack
                        .. 1... Push
                        .. .0.. (No Reset)
                        .. ..0. (No SYN)
                        .. ...0 (No FIN)

  Window:               32768
  Checksum:             0x9AD3
  Urgent Pointer:       0
  No TCP Options
HTTP - Hyper Text Transfer Protocol
  Command:              POST
  URI:                  http://nus.shop.wii.com:80/nus/services/NetUpdateSOAP
  Version:              HTTP/1.1<CR><LF>
Host:                   nus.shop.wii.com<CR><LF>
Accept:                 text/html, image/gif, image/jpeg, */*<CR><LF>
Content-type:           text/xml; charset=utf-8<CR><LF>
Content-length:         1046<CR><LF>
User-Agent:             wii libnup/1.0<CR><LF>
SOAPAction:             "urn:nus.wsapi.broadon.com/GetSystemUpdate"<CR><LF><CR><LF>
  Line  1:              <?xml version="1.0" encoding="UTF-8"?><LF>
  Line  2:              <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"<LF>
  Line  3:              xmlns:xsd="http://www.w3.org/2001/XMLSchema"<LF>
  Line  4:              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><LF>
  Line  5:              <soapenv:Body><LF>
  Line  6:              <GetSystemUpdateRequest xmlns="urn:nus.wsapi.broadon.com"><LF>
  Line  7:              <Version>1.0</Version><LF>
  Line  8:              <MessageId>13198105123219138</MessageId><LF>
  Line  9:              <DeviceId>4362227772</DeviceId><LF>
  Line  10:             <RegionId>USA</RegionId><LF>
  Line  11:             <CountryCode>US</CountryCode><LF>
  Line  12:             <TitleVersion><LF>
  Line  13:             <TitleId>0000000100000001</TitleId><LF>
  Line  14:             <Version>2</Version><LF>
  Line  15:             </TitleVersion><LF>
  Line  16:             <TitleVersion><LF>
  Line  17:             <TitleId>0000000100000002</TitleId><LF>
  Line  18:             <Version>33</Version><LF>
  Line  19:             </TitleVersion><LF>
  Line  20:             <TitleVersion><LF>
  Line  21:             <TitleId>0000000100000009</TitleId><LF>
  Line  22:             <Version>516</Version><LF>
  Line  23:             </TitleVersion><LF>
  Line  24:             <Attribute>1</Attribute><LF>
  Line  25:             <AuditData></AuditData><LF>
  Line  26:             </GetSystemUpdateRequest><LF>
  Line  27:             </soapenv:Body><LF>
  Line  28:             </soapenv:Envelope><LF>
Extra bytes (Padding):
  .....S:.          00 00 00 00 FD 53 3A 96
FCS - Frame Check Sequence
  FCS (Calculated):     0xF9FE0CA3
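
Added example, not part of Ryan's post and not Nintendo's code: the two captures above are one GetSystemUpdate exchange (same MessageId and ports), sent over plain HTTP with the DeviceId readable in the request. This sketch parses the request, scans the response, which the capture cuts off mid-tag, and compares the title versions; the function names are this example's own, and the XML values are copied from the captures.

```python
import re
import xml.etree.ElementTree as ET

NUS = "{urn:nus.wsapi.broadon.com}"  # namespace used by both messages

# Request body from the second capture, line breaks collapsed and the unused
# xsd/xsi namespace declarations dropped.
REQUEST = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Body><GetSystemUpdateRequest xmlns="urn:nus.wsapi.broadon.com">'
    b'<Version>1.0</Version><MessageId>13198105123219138</MessageId>'
    b'<DeviceId>4362227772</DeviceId><RegionId>USA</RegionId><CountryCode>US</CountryCode>'
    b'<TitleVersion><TitleId>0000000100000001</TitleId><Version>2</Version></TitleVersion>'
    b'<TitleVersion><TitleId>0000000100000002</TitleId><Version>33</Version></TitleVersion>'
    b'<TitleVersion><TitleId>0000000100000009</TitleId><Version>516</Version></TitleVersion>'
    b'<Attribute>1</Attribute><AuditData></AuditData>'
    b'</GetSystemUpdateRequest></soapenv:Body></soapenv:Envelope>'
)

# Tail of the response from the first capture. The packet ends inside the
# closing tag, so this is not well-formed XML and is scanned with a regex.
RESPONSE_TAIL = (
    '<TitleVersion><TitleId>0000000100000002</TitleId><Version>97</Version><FsSize>21839872</FsSize></TitleVersion>'
    '<TitleVersion><TitleId>000000010000000B</TitleId><Version>10</Version><FsSize>1654784</FsSize></TitleVersion>'
    '<TitleVersion><TitleId>000000010000000C</TitleId><Version>6</Version><FsSize>1654784</FsSize></TitleVersion>'
    '<TitleVersion><TitleId>000000010000000D</TitleId><Version>10</Version><FsSize>1654784</FsSize></TitleVersion>'
    '<TitleVersion><TitleId>0000000100000100</TitleId><Version>2</Version><FsSize>65536</FsSize></TitleVersion>'
    '<TitleVersion><TitleId>0000000100000101</TitleId><Version>4</Version><FsSize>229376</FsSize></TitleVersion>'
    '<UploadAuditData>1</UploadAuditData></GetSystemUpdateResp'
)

TITLE_RE = re.compile(
    r"<TitleVersion><TitleId>([0-9A-F]{16})</TitleId>"
    r"<Version>(\d+)</Version><FsSize>(\d+)</FsSize></TitleVersion>"
)

def installed_titles(request_xml):
    """Return {title_id: version} as reported by the console."""
    root = ET.fromstring(request_xml)
    return {tv.findtext(NUS + "TitleId"): int(tv.findtext(NUS + "Version"))
            for tv in root.iter(NUS + "TitleVersion")}

def offered_titles(fragment):
    """Return {title_id: version} listed in a possibly truncated response."""
    return {tid: int(ver) for tid, ver, _size in TITLE_RE.findall(fragment)}

def compare(installed, offered):
    """Label each offered title against the version the console reported."""
    labels = {}
    for tid, ver in offered.items():
        have = installed.get(tid)
        if have is None:
            labels[tid] = "not reported by console"
        else:
            labels[tid] = f"{have} -> {ver}" if have < ver else "current"
    return labels

if __name__ == "__main__":
    for tid, label in compare(installed_titles(REQUEST), offered_titles(RESPONSE_TAIL)).items():
        print(tid, label)
```
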
SystemKernelPanic



Joined: 17 Mar 2008
Posts: 1

Posted: Mon Mar 17, 2008 7:11 pm    Post subject:

What will you do with this?

I think you need a specific JavaScript already included in the Wii memory; this script could be more interesting.