Ideas for executing our code
From WiiLi
We will need to find at least one way to execute our code in order to get this project off the ground.
Crack the signing system and just burn a DVD
Would be very clean and easy for the end users, but the actual cracking will be hard.
Find a software error in the main software
Less easy, since it requires us first to find an error, such as a buffer overflow, to exploit and then to make it work reliably every time.
Mii data
Supposedly there is a possible crash related to invalid favorite color values of a Mii. With the Mii parade, crashing Miis might get leaked to users that share their Wii Numbers.
Channel updates
Since the Forecast and News Channels are so simple, the developers may have taken shortcuts in the parsers. In order to exploit such an error, we would have to find a way to redirect the Wii to a server under our control, such as a DNS redirect as was done with the Wii Shop Channel.
Mii Love Parade
Would also require redirection of the traffic to the wrong server. Most likely not vulnerable, with the exception of the Mii data itself.
Friend request data
Requires redirection.
Wii Messages
Would more or less require us to figure out the data format. Requires redirection or possibly a computer acting as a Wii. Likely to be filtered by Nintendo's servers, but a dangerously easy-to-use way in if we find one.
Low level drivers
Would give us total control, with no potential issues from any security levels.
Network drivers
Requires redirection and/or raw packet sending.
Wiimote driver
Will require a custom Bluetooth program running on a nearby Bluetooth-enabled computer.
External USB network card driver
A USB port is a very exposed port, and the driver for the external network card might be too trusting for its own good. It might not do all the needed sanity checks on the incoming data.
Bluetooth driver
Would require either hijacking the bus to the Bluetooth module or the module itself.
Wireless network card
Not to be confused with the network drivers. Would require either hijacking the bus to the wireless network card module or the module itself.
DVD drive driver
Would require either hijacking the bus or running arbitrary code on the DVD drive board. With a drivechip, this might be easier than expected: the drivechip can likely force the CPU on the DVD drive to send unexpected data to the main board.
Images
There have been severe bugs in many image file parsers. It is not too unlikely that there is one on the Wii, such as through the Internet Channel or the Photo Channel.
Hijack the updates
The update system uses SSL and refuses bad certificates. So unless someone breaks RSA, this isn't going to help.
External binary file errors
Internet Channel
It is so big and complex that it might have some error we can use. Since Opera uses an outdated version of Flash (version 7), there have been vulnerabilities in Flash that have affected the browser. The version that the browser was initially based on is 9.00. There have been real vulnerabilities in old versions of the browser, but the current version is not currently known to have any.
Virtual Console games
Very unlikely unless we can attack the binary loader for them. The save state system also looks interesting.
Commercial games
Guaranteed to have some sort of error, but they may run at limited access levels. Save games are encrypted using sect233r1 [1].
The "Zelda exploit" uses this method [2].
Boot in GCN mode and break out of it
Since we can already run homebrew in GameCube mode, all that is required is to figure out how to re-enter Wii mode.
Modchip
Always a fallback, but it will void your warranty.
Extra ideas
1. Try booting plainly off of "admin mode": press + and - at the same time at the boot screen, then press A. Hopefully that would not require magic numbers or anything.
2. Route the Wii's network settings through a computer to capture the information sent to and from the Shop Channel or anything else (the Shop Channel has been redirected to Google before), and try to steal magic numbers from that traffic (like a proxy: just put it through a computer running Wireshark).
3. Steal magic numbers from a disc so it would boot cleanly (has probably been done before).