Breaking analysis: Wii Hacked.

By Alex Bradner
12:55 Jan 29, 2008
Tags: wii | hacking | 24c3 | hack | homebrew | mod | modding | chip | modchip | linux | Bushing | Segher | Tmbinc | starlet | processor
Hacking the Wii? Surely you’re taking the piss. Alex Bradner assures you it’s the real deal.

The Wii has been hacked. While we were sleeping, a team of dedicated hackers finally got the homebrew ball rolling on Nintendo’s latest console. The trick, which was perfected last night, lets anyone execute their own code by utilising a savegame hack on a modified console. There’s no reason why it won’t work on an un-modded console; it just hasn’t been tested, since, unsurprisingly, none of the hackers own an unmodified Wii.

It all started about a month ago with a pair of tweezers and a heavily modified Wii. The tweezer attack involves bridging pins of the Wii’s memory module whilst in Gamecube mode in order to access chunks of isolated Wii system memory. During Gamecube mode, the Wii’s 64MB of memory is split into two chunks: 16MB is allocated for Gamecube operation and the remainder is walled off as restricted Wii memory. The hack, however, tricks the system into allocating the Gamecube memory over the top of the restricted Wii memory. The memory is then dumped through a controller port, and it was this data dump that made what you’re about to read possible.

Inside this data dump was Nintendo’s public key, which is used to decrypt all of Nintendo’s game releases. Then another major discovery was made: it became apparent that an undocumented processor, nicknamed ‘Starlet’ by its discoverers, is located inside the graphics chip. This processor controls the Wii’s memory, security and cryptography, as well as almost all the peripherals. With the public key and some information on how Wii cryptography works, the Wii game discs can be decrypted and their contents harvested.

The holy grail of Wii hacking is a system exploit: finding where code can be injected into the system to gain low-level access. We’re not there yet, although an alternative software-based exploit, where you examine existing game code for vulnerabilities and inject your own code into them, has been written.

The first promising sign: the hackers chose the number "DAR: 34567788". This proved that crashes could be used to alter memory.


The main group in the homebrew scene is run by some hackers known as Bushing, Segher, and Tmbinc, who came up with the software hack. At the 24C3 hackers’ conference, they successfully modified an existing game with custom code and ran it through a modded Wii without it balking. Using this groundwork, they have been looking for exploits within the code of existing games.

And they found one. Within Zelda: Twilight Princess, a vulnerability exists in the savegame handling which allows a very small amount of arbitrary code to be executed from an SD card. Now fresh code can be executed from the SD slot – even on an unchipped Wii, say the hackers.

This shows that if you make the name too long, it will also pick up the horse's name. This means they're not properly checking the length of that string before copying it.
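What that caption describes is a textbook unchecked string copy. The following is an added illustration written for this article, not code from the hackers or from the game: a constructed savegame layout with the player's name and the horse's name stored back to back, the unchecked copy that lets an over-long name spill into the next field, and the bounds-checked loader that refuses it. The field sizes, offsets, function names and sample names are all assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed savegame layout for illustration only (not Zelda's real
 * format): the player's name and the horse's name are stored back to back
 * as two fixed-size fields in one byte blob, the situation the caption
 * describes. */
#define NAME_LEN 8                      /* 7 characters plus terminating NUL */
#define PLAYER_OFFSET 0
#define HORSE_OFFSET  NAME_LEN

struct save_blob {
    char data[2 * NAME_LEN];
};

static char *player_field(struct save_blob *s) { return s->data + PLAYER_OFFSET; }
static char *horse_field(struct save_blob *s)  { return s->data + HORSE_OFFSET; }

/* Vulnerable pattern: the name read from the save file is copied without
 * checking its length, so anything longer than the field spills into the
 * horse's name (and, in a real program, into whatever lies beyond that). */
void load_player_name_unchecked(struct save_blob *s, const char *from_file) {
    strcpy(player_field(s), from_file);     /* no bound: this is the defect */
}

/* Hardened pattern: measure first, refuse anything that does not fit
 * (silent truncation is the other common choice), then copy.
 * Returns 0 on success, -1 if the input was rejected. */
int load_player_name_checked(struct save_blob *s, const char *from_file) {
    size_t n = strlen(from_file);
    if (n >= NAME_LEN)                      /* no room for the terminating NUL */
        return -1;
    memcpy(player_field(s), from_file, n + 1);
    return 0;
}

/* Runs one constructed save through either loader and reports whether the
 * horse's name survived: 1 if intact, 0 if the copy overwrote it. */
int horse_name_intact_after_load(int use_checked_loader, const char *player_name) {
    struct save_blob s;
    memset(&s, 0, sizeof s);
    strcpy(horse_field(&s), "Epona");       /* constructed sample: 5 chars + NUL, fits */
    if (use_checked_loader)
        load_player_name_checked(&s, player_name);
    else
        load_player_name_unchecked(&s, player_name);
    return strcmp(horse_field(&s), "Epona") == 0;
}

int main(void) {
    /* Constructed over-long name: 15 characters, twice what the field holds.
     * With its NUL it fills the blob exactly, so the overrun stays inside the
     * blob and the demonstration is well-defined C rather than a crash. */
    const char *too_long = "AAAAAAAAAAAAAAA";
    printf("unchecked loader, horse name intact: %d\n",
           horse_name_intact_after_load(0, too_long));   /* prints 0 */
    printf("checked loader,   horse name intact: %d\n",
           horse_name_intact_after_load(1, too_long));   /* prints 1 */
    return 0;
}
```

The unchecked loader is the behaviour the caption shows: the copy does not stop at the field boundary, so the neighbouring field is silently overwritten. The checked loader is the one-line fix that any savegame parser should have had, and the same length check belongs wherever a fixed-size field is filled from data the console did not write itself.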


In the last 12 hours a major breakthrough has been made. ‘Hello World’ (or rather, ‘Hello Bushing’, a shout out to one of the hacking group’s members) was successfully run and displayed. This is to date the first non-trivial piece of entirely custom code executed, running from an SD card and an original copy of Zelda. It may have been run on a modded Wii, but according to the hackers, it should also run on an un-modded Wii. The fact that this has been done means that homebrew isn’t just in the air. With this exploit, it exists, and with a bit of refinement it might even be user friendly.

Wii: Hello World. World: It's good to see you.


You’re probably asking “What’s in it for me?” around about now. Well, at this stage, not an awful lot: these are still very early days reserved for the hardcore hackers. In the near future, however, as knowledge of the Wii system architecture starts to spread throughout the developer community, we will start to see some really cool programs.

The existence of homebrew is a big event, possibly even huge, depending on how Nintendo responds to the news. If there is no response, we will see a nice avenue for wringing more out of your Wii. Probably the worst way in which Nintendo could respond is to play the patching war – the same war now showing on a PSP near you -- a likely outcome if we start to see chip-less piracy instead of pure homebrew. In an ideal world, however, they would respond in a similar manner to how Apple responded to hacks directed at the iPhone, by promising an SDK in coming months. Given the nature of the company, this situation is unlikely -- but we can always live in hope.

It’s up to the community now. Let’s see some really great stuff that even Nintendo would be proud of!


If you want to hear more about the Wii Hack from the horse's mouth, check out our full transcript of our interview with Bushing -- one of the hackers who cracked the Wii -- here.
