Wii Hacks


Saturday, February 03, 2007

Arbitrary Code Execution via WiiKey?

As you may already know, there are now three modchips out for the Wii. First it was Wiinja, then CycloWiz, and now WiiKey. Something caught my eye while I was looking over the specs for WiiKey this morning on Wii Newz...

# Fully upgradeable via DVD/disc (future proof, expect cool features to come)

Does this mean they've figured out a way to execute arbitrary code on the Wii, or does it simply put the DVD drive into a special mode that passes the data on the DVD through to the modchip?

UPDATE: The update disc will most likely be formatted as a Gamecube disc and will launch in GC mode. The app on it sends commands to the chip, and the chip flashes itself with the updated code. Because the chip has to listen for and react to those commands, it also means Nintendo could potentially detect whether a chip like this (WiiKey) is installed in a console, for example from a future system update.

So to recap: Wii homebrew is still not possible. Gamecube homebrew on the Wii IS possible via a modchip or through Action Replay/Freeloader. None of these chips get us any closer to Wii Linux.


no_pants said...

Can someone explain why all these modchips are being developed instead of some software crack or firmware?

They did firmware for PSP.
Why not for Wii?

Josh said...

Because to design a software hack you need to know both a security flaw and how to run custom code... we know neither.

Bob Somers said...

Not only that, but any software-based firmware hack would easily be patched up by Nintendo in the next Wii system update.

Ari said...

Yeah... but any software-based firmware hack that can be easily patched up can just as easily be deconstructed and used against them with a little backwards programming... that's how the PSP has up-to-date firmware that can play homebrew.

The only problem is there has to be a starting-point firmware workaround before there can be any subsequent hacks. Give it time... if it's possible it will inevitably happen.

Josh said...

That's assuming two things... one, it assumes Nintendo will create holes at a rate comparable to Sony (which I seriously doubt). From what I understand about PSP reverse engineering, it also assumes the patches aren't encrypted, and from what I've seen of any executable code on the Wii, it's all encrypted.

Plus PSP developers had the benefit of knowing how to structure code on PSP (version 1.0 allowed code execution without any protection). With every bit of executable code on the Wii being encrypted, it's a bit harder to figure out, and till we find a working exploit, impossible to test.

Falls on the two things I said earlier... we need to know how to structure executable code for the system, and a security flaw. I'm not saying it's not possible; everything is possible with technology, really. But saying everything possible will inevitably happen isn't something I'll agree to. Just because something CAN be done doesn't mean people will take the time to do it. Physical access is always root access, but the value of a hacked item is not always worth the time put into it.

Then again, knowing Nintendo's lack of fear when it comes to modchips (they didn't fix problems they knew about), I assume hardware hacks will probably come before soft mods.

Things that might allow for soft mods as I see it:
1. Leaked unencrypted bins, assuming Nintendo doesn't require the encryption to even run it (I kind of doubt it does, but I won't rule it out as a possibility).
2. Maybe the custom software channel will be the way, if Nintendo doesn't moderate it / it doesn't require encryption (and it's not just some weakened scripting language). If Nintendo does moderate it / encrypt it, maybe we can get a friend to throw a little exploitable bug into one.
3. Educated guessing; well, maybe since it's based on the Gamecube, executables are structured more or less the same (educated guessing may or may not be the solution, just depends on luck really).
4. Someone cracks the encryption (geez, not easy, but doable, will happen sometime surely).
5. And (possibly the most probable solution) someone creates something I don't know of / didn't mention, and makes me look like a dumbass. It wouldn't be the first time.

I personally haven't really looked into it, seeing as I can't get ahold of a Wii... there haven't been any shipments to my town from what I can tell since release day, and I'm not going to pay a 150 dollar markup to get it over the internet.

Rant over.

Carlos said...

It doesn't run code on the CPU. The modchips just intercept data sent to and from the DVD controller. Think of it like a middle-man attack on a LAN: it can read all data from the DVD drive, and it can send data to the CPU as if it were coming from the DVD. The only way it'll run code is if it was signed.

It upgrades the firmware by reading the disc. For example, maybe you burn a DVD where the first sector says "WIIKEYFIRMWAREUPGRADE".
When the WiiKey reads the information on the DVD (via the Wii's DVD controller) it'll see that the DVD inserted has a firmware update and is not a Wii/GCN disc.
Then from there it knows that whatever follows the "WIIKEYFIRMWAREUPGRADE" will be firmware data, and thus updates itself.
It has nothing to do with the Wii's CPU or running code on the Wii. It's running code on its own logic board.
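The arrangement described above (the update disc in the post's UPDATE, and the marker-in-sector-0 scheme in Carlos's comment) can be modelled in a few dozen lines. The following Python is an added example for this page; it is not code from the post or from any modchip vendor, and it says nothing about how WiiKey actually works. The marker string is the one from the comment; the sector size, the opcode values, the big-endian length field, the probe command and the absence of any signature check on the chip's update are assumptions of the toy model.

```python
"""Toy model of a DVD-bus man-in-the-middle modchip and its disc-based update.

Hypothetical throughout: sector size, opcodes, header layout and the probe
command are assumptions of this example, not facts about any real chip.
"""
import struct

SECTOR_SIZE = 2048
UPDATE_MAGIC = b"WIIKEYFIRMWAREUPGRADE"  # marker from the comment's hypothetical example
CMD_READ = 0xA8    # "read one sector" (opcode value assumed)
CMD_PROBE = 0xE0   # hypothetical vendor command that a stock drive does not implement


def build_update_disc(firmware: bytes) -> bytes:
    """Lay out an update image: sector 0 = magic + big-endian length, then the raw
    chip firmware padded to whole sectors. There is no signature in this toy format,
    so the model chip below accepts anything that carries the marker (a property of
    the model, not a claim about a real product)."""
    header = (UPDATE_MAGIC + struct.pack(">I", len(firmware))).ljust(SECTOR_SIZE, b"\x00")
    pad = (-len(firmware)) % SECTOR_SIZE
    return header + firmware + b"\x00" * pad


class StockDrive:
    """A plain DVD drive: answers sector reads and ignores opcodes it does not know."""

    def __init__(self, disc: bytes):
        self.disc = disc

    def command(self, opcode: int, arg: int = 0):
        if opcode == CMD_READ:
            start = arg * SECTOR_SIZE
            return self.disc[start:start + SECTOR_SIZE]  # b"" past the end of the disc
        return None  # unknown opcode: no reply at all


class ModChip:
    """Bus-level man-in-the-middle between console and drive. It sees every command
    and every sector and could substitute data, but it never executes on the console
    CPU; the only code it ever runs is its own firmware."""

    def __init__(self, drive: StockDrive):
        self.drive = drive
        self.firmware = b"v1"
        self._pending = None  # [bytes_still_needed, buffer] while an update is in flight

    def command(self, opcode: int, arg: int = 0):
        if opcode == CMD_PROBE:
            # The chip 'listens and reacts': replying where a stock drive stays silent
            # is exactly what makes it detectable from the console side.
            return b"CHIP " + self.firmware
        data = self.drive.command(opcode, arg)
        if opcode == CMD_READ:
            self._sniff(arg, data)
        return data  # pass-through: the console gets exactly what the drive returned

    def _sniff(self, sector: int, data: bytes) -> None:
        """Watch the sectors flowing past; collect firmware if an update disc is in."""
        if sector == 0 and data.startswith(UPDATE_MAGIC):
            (length,) = struct.unpack_from(">I", data, len(UPDATE_MAGIC))
            self._pending = [length, bytearray()]
        elif self._pending is not None and sector > 0:
            need, buf = self._pending
            buf += data[: need - len(buf)]
            if len(buf) >= need:
                self.firmware = bytes(buf)  # the chip reflashes itself
                self._pending = None


def run_update_app(bus) -> int:
    """What a GC-mode update app would amount to in this model: read the disc front to
    back through whatever the console is wired to. Returns the number of sectors read."""
    n = 0
    while True:
        data = bus.command(CMD_READ, n)
        if not data:
            return n
        n += 1


def console_detects_chip(bus) -> bool:
    """A hypothetical system-update check: send the probe; a stock drive never answers."""
    return bus.command(CMD_PROBE) is not None
```

Two things the model makes concrete. First, the console sees identical sector data whether or not the chip is in the path, and the chip's new firmware never touches the Wii CPU, which is the point both the UPDATE and the comment make. Second, the same property that lets a disc update the chip (it reacts to traffic on the bus) is what a probe from the console can key on: `console_detects_chip` returns True for the chip and False for a stock drive. Real chips and real drives have far richer command sets; the probe here is just the simplest shape such a check could take.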

Josh said...

Yeah, that sounds about right, considering if the Wii/GCOS could access the modchip, we know the chip would be detectable, and we know it would be patched fast. Most likely the GCOS is completely ignorant of the firmware in the DVD drive.

Anonymous said...

The battle begins: Nintendo/Wii does one thing, the modchip hackers bite back, and so on and so on...

Yue said...

WiiKey chip, upgradeable and full DVD region, wiichipset@hotmail.com, please check on www.wiichpman.com; it will tell you the software and the solutions too!
