WiiLi.org

[revolt]

hi guys. i found that when my wii is in maintenance mode and i go check for an update it connects to the internet. then i get "new update found" and i have to possibility to accept or not.. but when i leave it on this screen i did a port scan and found that port 21 (ftp) is on??? does the update come from an ftp server or is this becouz of the maintenance mode ?

i tryed to bruteforce a little on the ftp but i didnt get enywhere with that

revolt

[GizmoTheGreen]

i dont know how well this has been dug into, but i will make some tests when i get home.

dont know anythng specific about bruteforcing though.

if we can get FW dumps, crack the encryption, or maybe sniff it unecrypted somewhere, we can modify it and set up an ftp server with mac spoof to make the wii think its a leguit update?

i dunno, just a thought.

we lack real hackers... you know, those poeple that really know how to do stuff, all im good for i testing and ideas
_________________
Project starter/leader of TrueLoveDS

[revolt]

if did some scanning on the port 21 and the only thing i could find is that it is possible to crash the wii using a rapid attack.

after doing this i can still click on "update" and then it crashes.

looks like this isnt of any use unless there would be a way to find the username and password, if it is even a real ftp server.

when trying a bruteforce attack the wii blocks multiple guesses from the same ip adres so if this would be a way it would take forever.

the only thing i can think of right now would be to find stuff in GC linux mode, but i dont know how much of the hardware would be accessable

revolt

[PsiCoLeO]

How were you able to do bruteforce attack.. if we can´t even see a login message? or where you able to get a login screen?

[revolt]

thats what is said in my last post.... i wasnt able to bruteforce because the wii blocks multiple guesses from the same ip..

only thing possible is to make the wii crash with a rapid attack. but for all i know this is only usefull to get the server down. it doesnt open any xtra stuff

revolt

[PsiCoLeO]

what do you mean with a rapid attack? could you give some instructions? sorry if thats a stupid question...

talking about another topic.. have you seen Datels Power Saves? those are modified saves, that allow you start a game with extra ammo or special items or stuff like that. Sorry posting it here but I didnt find a decent place to post this. So if datel is able to modify those saves, they might have broken the crypto behind those saves, as far as i know is an elliptic curve algorithm that is almost imposible to crack (nothing is imposible). If we can find a way to modify those saves, maybe we found a way to get homebrew/linux on the wii

Maybe we can find an exploit that really works..

PsiCo

[revolt]

for what i know the datel saves are just savegames from people who fully unlocked all options in the game and uploaded their saves for people who are to lazy to play the game them selves... there is no actual cracking of the save encryption..

and a rapid attack is basicly a attack that just sends all kind of usernames and password verry fast whitch lets it crash becouse it cant handel all the info at one..

if we could mod the savegames there could be an exploit but before we could do that i think we would first need to have some unencrypted ram dumps from the wii which would give us the info about the encryption becouse i dont think that bruteforcing the saves will get us anywhere within the next 10 years trying..

revolt

p.s. from what i know there is a group of hackers trying to read out unencrypted ram by booting the wii en than powering it off with an external power source to the ram to read it out...