I came across this on Ajaxian. It looks like Opera has opened up the Wii Internet Channel to developers. You can now use JavaScript to poll data from all 4 wiimotes.
The Wii Remote data is accessed through the opera.wiiremote object. This object offers a single method opera.wiiremote.update(n) which is used to obtain the status of an individual Wii Remote. The method expects a single parameter; the Wii Remote number. The number is zero-based, so it starts at 0 for the first remote, and ends at 3 for the fourth remote. The method returns a KpadStatus object, which has several properties that give information about the remote. [source]
There is good info and examples here: http://hullbreachonline.com/wii/sdk.html
Developers: If you create something using this new API, send me the link, and I will add it to the Wii Portal.
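A polling loop over all four remotes using the opera.wiiremote.update(n) call described above, as an added example that is not code from the original post or from Opera. The KpadStatus property names isEnabled, hold, dpdScreenX and dpdScreenY are not listed on this page and are assumed from Opera's Wii Remote API documentation; fakeOpera is a constructed stand-in so the code runs outside the Wii browser.

```javascript
// Added example: poll all four Wii Remotes via opera.wiiremote.update(n).
// Assumption: KpadStatus exposes isEnabled, hold, dpdScreenX and dpdScreenY.
var MAX_REMOTES = 4; // remotes are numbered 0..3

function pollRemotes(operaObj) {
  // Feature-detect: outside the Wii Internet Channel the object is absent.
  if (!operaObj || !operaObj.wiiremote ||
      typeof operaObj.wiiremote.update !== "function") {
    return { supported: false, remotes: [] };
  }
  var remotes = [];
  for (var n = 0; n < MAX_REMOTES; n++) {
    var status = null;
    try {
      status = operaObj.wiiremote.update(n);
    } catch (e) {
      status = null; // treat a throwing slot as "no data"
    }
    if (!status || !status.isEnabled) {
      continue; // remote n is not connected
    }
    remotes.push({
      index: n,
      buttons: status.hold >>> 0, // bitmask of held buttons, as unsigned
      x: Number(status.dpdScreenX), // pointer position on screen
      y: Number(status.dpdScreenY)
    });
  }
  return { supported: true, remotes: remotes };
}

// Constructed stand-in for the Wii browser's object so this runs anywhere.
var fakeOpera = {
  wiiremote: {
    update: function (n) {
      if (n === 0) {
        return { isEnabled: 1, hold: 2048, dpdScreenX: 400, dpdScreenY: 240 };
      }
      if (n === 2) throw new Error("constructed failure");
      return { isEnabled: 0 };
    }
  }
};
```

On the console you would call pollRemotes(window.opera) from a timer; on any other browser it reports supported: false instead of throwing.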
If you navigate your Wii Browser to this image, it will restart Opera:
http://img1.imagefuse.com/anon/11683629302.jpg
The bottom bar goes away, a grey screen appears then it reloads the bar and jumps back to the homepage
Let the fun begin! Thanks to ThE_OnE for pointing this out.
WARNING: Please be aware that if what I'm reading is true it is only a matter of time before someone tries to use this for malicious purposes. There are bad people in the world who would get their jollies by breaking people's consoles with bad code. Please be advised that you take sole responsibility for your actions if you decide to enter one of these URLs into your Wii Browser.
I will do my best to filter the good from the bad, but I do not run the servers these images are hosted on and have no control over what people put there.
Lastly, it should be noted that all of this is being done for Homebrew purposes. There are legions of developers who would like to develop software for the Nintendo Wii, but without a big rich video game company to back you it is extremely hard to get an official developers kit. If you are attempting to find information about hacking your Wii for the sole purpose of ripping off Nintendo and their software development partners, please find another site.
Another possible way to access the Wii has emerged.
iDefense is reporting a new Opera JPEG exploit.
There is a lot of info on how this all works along with sample code here.
This is way beyond what I will pretend to understand about programming, so I'm just posting it here in case someone else might find it interesting.
UPDATE: Some forum posters have been trying out these codes but so far have not been able to get it to affect the Wii. If you have any success crashing the Wii with this method please report your results.
-- This post is being updated throughout the day. If you are reading via RSS, it is recommended that you go to the actual URL of this post to get the most recent information. --
PS2-Scene is reporting a vulnerability in the Opera Browser. They have posted code which uses SVG to crash the Wii's Web Browser. This could lead to arbitrary code execution. The hackers are busy at work trying to make something useful out of this, while Opera is probably scrambling to issue a patch to fix the problem.
XiaNaix posted:
A flaw exists within Opera's Javascript SVG implementation. When processing a createSVGTransformFromMatrix request Opera does not properly validate the type of object passed to the function. Passing an incorrect object to this function can result in it using a pointer that is user controlled when it attempts to make the virtual function call.
Exploitation of this vulnerability would allow an attacker to execute arbitrary code on the affected host. The attacker would first need to construct a website containing the malicious JavaScript and trick the vulnerable user into visiting the site. This would trigger the vulnerability and allow the code to execute with the privileges of the local user.
This exploit could possibly be used to run code on the Wii! Get more info and example code from here.
I've also added this link to the Wii Portal Page, so if you already have that bookmarked, you can test out the 'Crash My Wii' link from there as well. So to reiterate, they can get the Wii to crash. This has not yet opened up any way to run homebrew, but it's the hole most hackers have been waiting for. Will update later when more is known.
UPDATE 11:35AM More information about this bug posted on iDefense. Seems like Opera has known about this one since November.
UPDATE 11:40AM trapflag on IRC is looking at the registers to find ways to execute code: http://paste.uni.cc/12615 (x86 opera)
UPDATE 11:45AM pab_ has it crashing on Opera 9 PPC binary with debugger attached: Debugger Output
UPDATE 12:05PM
Opera's Response to this bug: "Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights. The vendor has categorized both of the holes as merely "moderate". The firm argues that it is not easy to exploit the heap overflow consistently." - http://www.heise-security.co.uk/news/83279
Also, Opera claims they fixed this bug in Opera 9.10... but the Wii's version appears to be earlier than that.
An important thing to note is that if this works, it is also possible for dangerous things to happen to your Wii. Please use caution before you click on any unknown links, as someone may try to implement malicious code that breaks your Wii.
FreePlayPSP on digg writes:
I'm not sure how much is known about the Wii's architecture, so I'm not sure how viable it will be to run our own unsigned code through this. Not to mention that Opera seems to run in a sort of sandbox - I've Lastmeasured my Wii to the point that the browser was 100% unresponsive but the Home button still worked just fine. Haven't tested this out yet, though, so it's possible that this 'breaks' the sandbox.
Nice PoC, lbradeen and larholm. Question, though: is this an actual overflow, or just an out-of-memory glitch from trying to create an array with 0xFFFFFFFF members? I don't know much about how Opera handles memory in its Javascript handler, or if 0xFFFFFFFF means -1 or 4294967295 for Javascript in general. I assume that shoving this function into createSVGTransformFromMatrix simply bypasses some sort of memory limitation check. Is this really usable to run unsigned code, or just to crash the system?
--
Discuss this topic on the following forum posts:
- WiiNewz
- GBA Temp
- QJ.NET
- digg
- WiiLi
- WiiModWii
Or post your comments on this blog.
To get you caught up here's the latest on the Wii Opera Browser...
Nintendo announced that a BETA of the Opera browser will be available for download from the Wii Shop for FREE starting on December 22nd.
This was very exciting news, because there are lots of cool and fun flash projects in development that are hoping to take advantage of the Wii's onscreen and pointing abilities to create their own content.
Some examples of sites that are being developed for the Wii include:
WiiCR Flash based media player
WiiFii Wii Menu for Flash Games
WiiX Javascript based Wii Menu system
Other Flash game sites that may work with Wii (Source: X-Scene):
- http://www.albinoblacksheep.com/games/wii/
- http://wiicade.com/
- http://www.wii2d.com/
Katamari Damacy clone http://www.gamesforwork.com/games/swf/katamari.swf
http://www.homestarrunner.com
Now for the bad news. A site called Skeptical Gaming has posted an article which reads:
"A source close to the Wii Opera project", as they've wished to be identified, has given yours truly a little bit of info on what you'll be able to expect from the trial version of the Opera browser that's being made available to Wii owners this Friday.
...
Several key features are expected to be nerfed from the trial build. Most notably, full Javascript support. From what we've heard, part of the Opera Wii Browser QA issue is that several areas in the Wii's architecture can be exploited through Javascript, and Nintendo wants Opera to patch that before any release. Nintendo's so worried about potential violations and exposures of the Wii software, they're playing it safe.
...
Other things you'll notice with the trial version: Flash may not work correctly. It appears that Opera is custom building their Flash plug-ins to limit the security exposures that the plug-in presents. And while that's great from a control standpoint, it's expected to cause some compatibility issues. You'll have problems accessing some sites that utilize Flash.
Widget support is being hurriedly rushed in a desperate attempt to get it included in the Wii Browser on Friday, but it's not expected to be made available. Support for the Ajax technology is expected to work fine, however.
Source: Skeptical Gaming
You can also read more comments on the subject over on digg.
Most people are calling this guy out, saying it's BS. The article says there is no Javascript, but it fully supports AJAX?! Some things don't add up, so for now all we can do is wait and see what Nintendo delivers to us in the next few days... Check back soon for a full update on the capabilities of the Wii Web Browser once it has been released!
UPDATE: It has been reported that the browser has been released in Europe and Australia, but not in the United States yet. Most people are confirming that it is a full browser, supports flash, ajax/javascript, loads youtube perfectly, and even passes the acid2 browser test.
Other Features / Limitations:
- Opera can only store up to 21 bookmarks
- Flash Player 7 - [ Your Player Version: WII 7,0,70,0 | Operating System: Nintendo Wii | Debug Player: No | Video Encoder: No] (thx linFox)
This is great news! Stay tuned for a full update later.
Some new information about the browser hacking going on inside the Wii's Shopping channel:
There is a piece of code found in the shopping channel:
var ec = new ECommerceInterface ();
The problem is that the code for ECommerceInterface isn't found in any of the .JS files. This leads me to believe the code is somehow stored in the Wii itself.
Source: FunWithWii
While we do not support trying to download games for free, it is extremely interesting how these Javascript functions are included in the browser itself so that they are available in every page displayed and not in the source of the pages served up from Nintendo. Has anyone tried to access urls with file:// or others?
On the PSP we were able to access some of the flash file system by using different internal addresses. The full PSP thread which talks about overflowing the buffer and the internal addresses via the wipeout browser dns hack can be found here: http://forums.ps2dev.org/viewtopic.php?t=1948
UPDATE: OK I've got the on-screen keyboard and sounds working!
Updated Code posted here
Here are instructions to get a somewhat working web browser on the Nintendo Wii by redirecting the content of the Wii Shopping Channel.
Basically you would download Simple DNS or another DNS server package and redirect oss.shop.wii.com to the ip address of your choice.
---
For example, to do it in Simple DNS Plus:
Download and Install Simple DNS Plus from: http://www.jhsoft.com/
Launch Simple DNS Plus and go to Tools -> Edit DNS Records
In the DNS records go to Tools -> Quick Domain Wizard
In the domain field type "oss.shop.wii.com"
For the "Web Server IP", type in the IP of the website (if you want to find out the IP, go to the cmd prompt and type ping sitename.com)
For example, Google's IP is 64.233.167.99
Erase the secondary DNS Server and press OK
Now, on the Wii
Go to the Wii Menu -> Wii Settings -> Internet -> Connection Settings -> Choose your connection -> Change settings
Click next 3 times until you get to the DNS setup
Click Advanced Settings
Then enter the IP address of the computer running Simple DNS as the primary DNS
Finally, click OK and launch the Shopping Channel; it should bring up Google now!
Source: WiiModWii
--
This works, well, kinda.
It does load the Google Homepage, and all links within the main www.google.com domain are clickable. I quickly tested a flash page, but it did not load, just a white box. There is also a loading widget that goes in front of the screen and will not go away. I suppose some Javascript can get rid of it.
There is no onscreen keyboard that pops up when you select a textbox, hopefully it can be triggered with some javascript as well..?
Next step is for someone to get the urls and header information the wii shopping channel browser uses and try to see if you can access the wii shopping pages on your pc. Then we will be able to see what kind of javascript or other types of applets are used to display the wii shopping channel.
Also going to try out how it handles file downloads. Will post back with updates.
Nice find wiimodwii! Let's get crackin on some Wii homebrew, fellow web developers.
UPDATE: Work is underway to create a Wii Portal page similar to the PSP Portals that popped up back in the day when the Wipeout Pure Browser Hack was discovered on the PSP.
UPDATE: To disable the spinning 'loading' widget you must include this code in your webpage:
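<script>
// Handle to the wiiShop object the Shopping Channel browser provides
var shop = new wiiShop();
// Show the 'loading' widget, if this build exposes the method
function wiiStartWaiting() {
  if (shop != null && "beginWaiting" in shop) {
    shop.beginWaiting();
  }
}
// Hide the 'loading' widget, if this build exposes the method
function wiiStopWaiting() {
  if (shop != null && "endWaiting" in shop) {
    shop.endWaiting();
  }
}
// Dismiss the spinner as soon as the page's script runs
shop.endWaiting();
</script>
UPDATE: I have the wiiKeyboard and wiiSound Objects working!! Sample Code here: Wii Shopping Channel Hack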
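Because wiiShop, wiiKeyboard, wiiSound and ECommerceInterface are supplied by the browser rather than by Nintendo's scripts, any page the Shopping Channel loads after a DNS redirect can reach them. The following is an added example, not code from the original posts, that inventories which of those objects a page can see and what methods each exposes. The scope parameter and the fakeScope stand-in are hypothetical; the four object names come from this page.

```javascript
// Added example, not code from the original posts.
// The four names below appear on this page; `scope` is a hypothetical
// parameter: pass `window` in a browser or a plain object in a test.
var HOST_OBJECT_NAMES = ["wiiShop", "wiiKeyboard", "wiiSound", "ECommerceInterface"];

function listMethods(obj) {
  var names = [];
  // for-in also walks the prototype chain, where host methods usually live.
  for (var key in obj) {
    try {
      if (typeof obj[key] === "function") names.push(key);
    } catch (e) {
      // Some host getters throw when read; skip them.
    }
  }
  return names.sort();
}

function auditHostObjects(scope) {
  var report = [];
  for (var i = 0; i < HOST_OBJECT_NAMES.length; i++) {
    var name = HOST_OBJECT_NAMES[i];
    var ctor = scope[name];
    var entry = { name: name, present: typeof ctor === "function", methods: [] };
    if (entry.present) {
      try {
        entry.methods = listMethods(new ctor());
      } catch (e) {
        entry.error = String(e.message || e); // constructor refused to run
      }
    }
    report.push(entry);
  }
  return report;
}

// Constructed stand-ins so the audit runs outside the console.
function FakeShop() {}
FakeShop.prototype.beginWaiting = function () {};
FakeShop.prototype.endWaiting = function () {};
var fakeScope = {
  wiiShop: FakeShop,
  wiiSound: function () { throw new Error("denied"); }
};
```

The report is the list a reviewer would want before deciding which native interfaces should be reachable from pages that did not come from the vendor's own servers.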