Wii Internet Connection Reverse Engineered

Posted by CmdrTaco on Thu Nov 23, 2006 10:08 AM
from the probably-violating-some-sort-of-lame-law dept.
AlexTheBeast writes "By packet sniffing his Wi-Fi connection, this hacker has already begun to dig into the internet interactions of the new Nintendo Wii. Basically, by using Firefox and after setting the user agent correctly, anybody can easily browse many WiiShop pages including the WiiShop main page and startup manual. More advanced connections including binary and virtual console downloads are currently in the works. Come join the project."
This discussion has been archived. No new comments can be posted.
  • by tttonyyy (726776) on Thursday November 23 2006, @10:11AM (#16964252) Homepage Journal
    ..when developers play with their Wii.

    (Sorry, couldn't resist YAWJ (Yet Another Wii Joke))
    • by Anonymous Coward
      Wii was a very good name to choose, just because of how much it sounds like a pet name for the penis.

      Here in Finland there used to be a brand of chocolate milk called Jukiuilla. That sounds very, very close to a word which translates best to English as "bloody assrape".

      People remembered that brand of milk. It became a hit sensation among teens just because of its name. While other chocolate milks had more benign names, that chocolate milk had a name that stood out. I think Nintendo has managed, intentionall
  • I don't want to sniff out my wii. ;)
  • by HappySqurriel (1010623) on Thursday November 23 2006, @10:12AM (#16964262)
    So ... what's next?

    Will we be getting a news story about a hacker who had installed the Wii's web-browser on his PC by going to http://www.opera.com/ [opera.com]?

    • by cloricus (691063) on Thursday November 23 2006, @10:27AM (#16964364)
      I was thinking that... Seriously today at work I sat in front of ethereal for two hours sniffing packets for regular network reports and just for general knowledge of what's going on and god knows what I saw go past. It isn't at all skillful to sniff out an agent string and use a Firefox plugin to put in whatever you want - heck if you want to be 'uber leet' you can code your own agent string into Firefox! How awesome!

      So in summary this isn't even remotely interesting. Go home script kiddies...and by home I mean digg! (Yes I do have the karma to burn.)

      ...Still four weeks till we get Wiis in Australia. :(
      • i don't think the point was to be uber by displaying l33t h4ck1ng skillz0r. :)

        but it's a start at developing homebrewed apps for the wii. heck, maybe create homebrewed wiishops servers so users can share wii games.

        that's the good thing with consoles on the net, it's fairly easy to fool them once you know what kind of answer they expect.
    • Re: (Score:3, Interesting)

      Well, seeing as this shows that the channels are web-based, I would imagine that one possible next step would be to hijack the connection when it reaches your router, and then, depending on the page request, return your own content.

      I'm guessing this would allow you to create custom channels by returning whatever content you wanted to the Wii. Perhaps it might also bypass the need to buy Opera, as it sounds like it's already built in.
  • Already Locked Down (Score:5, Informative)

    by A Brand of Fire (640320) on Thursday November 23 2006, @10:14AM (#16964274) Homepage
    Apparently Nintendo has caught wind of this and has already set up redirects to the Wii root website from these links.
    • Correction (Score:5, Informative)

      by A Brand of Fire (640320) on Thursday November 23 2006, @10:16AM (#16964296) Homepage
      It seems that it redirects with links referred from other websites. After putting in the URL manually, I was able to view the pages. Pretty cool stuff.
    • Re: (Score:2, Informative)

      This only happens if your user agent is set incorrectly.

      If you RTFA, you will see what user agent to set your browser to.
    • Did you change your user agent? For example, for the Wii shop you need to identify as

      Opera/9.00 (Nintendo Wii; U; ; 1038-58; Wii Shop Channel/1.0; en)
  • Roms! \o/ (Score:5, Interesting)

    by remembertomorrow (959064) on Thursday November 23 2006, @10:21AM (#16964322)
    Once the Virtual Arcade system has been worked out, someone will put up a custom server where you can download the games for 0 points. All you'll have to do is point wii.com (or whichever A/AAA records are needed) to their server.

    It seems like this system will be hacked rather easily. :/
    • Re:Roms! \o/ (Score:4, Insightful)

      by HappySqurriel (1010623) on Thursday November 23 2006, @10:25AM (#16964348)
      Once the Virtual Arcade system has been worked out, someone will put up a custom server where you can download the games for 0 points. All you'll have to do is point wii.com (or whichever A/AAA records are needed) to their server.

      It seems like this system will be hacked rather easily. :/


      Well, being that Nintendo is not stupid I suspect that every virtual console game is signed to prevent copying; on top of that (being that each game is only usable on one particular system) it is possible that Nintendo signs the signed code for each console when you buy a game. Now, unless the system is physically cracked, I think that it is nearly impossible to break this system.
      • Re: (Score:3, Interesting)

        What the hell are you talking about? Signing a binary doesn't prevent copying. All it prevents is someone from modifying the ROM and then running it on the Wii. The only thing that will "prevent copying" is full-on encryption. However, the Wii would then need the key to decrypt the content, at which point you just hack the Wii to get the key.

        Basically, they're facing the exact same problem content providers are facing: you're trying to lock down content while at the same time giving the user the means
        • I find it doubtful that Nintendo would do this. This would be putting the private signing key on a theoretically publicly accessible network. You wouldn't believe how tightly guarded signing processes are - it's normally only 2 or 3 people in the world that have access to it. The implications for are far too great for them to even contemplate that approach. But I do agree with you that it's not going to be easily cracked, by any means.

          Not really ...

          If Nintendo can keep their super private signing key priv
            • They would probably be decrypted during runtime but we don't know whether this would be stored in memory or whether this memory would be easily readable from outside the CPU ... Being that the CPU was designed with signed emulation in mind, the Wii CPU could (theoretically) take in encrypted data/instructions from memory, decrypt them into registers/on chip memory, re-encrypt the output and store that in memory. Ultimately, it is beyond me (or anyone I know) to break a system like that but I'm sure there i
            • Re: (Score:3, Informative)

              I'm not positive I know what you're asking, but I think I'll give it a try ...

              I could be wrong but I think the difference between what I'm describing and Fair Play is that Fair Play takes an unsigned data format and signs it to be specific to your particular account/machine and there is nothing that prevents you from using an unsigned version of that data with your account/machine; now, Nintendo could design a system such that it will only play games that were both signed by Nintendo (to make them an offici
        • I suspect that Nintendo would be very careful about what code was running on their system for fear that it could be exploited to produce a soft-mod to allow for pirated games to be run.

          Imagine if a buffer overflow error was found in the emulator, which allowed for unsigned code to be run, so the hacker could replace your firmware which allowed for booting from a usb hard-drive ...
  • by DrXym (126579) on Thursday November 23 2006, @10:40AM (#16964434)
    If it uses Bluetooth as it is supposed to, what is to stop the Wii remote being used on a PC or even a PS3 if you wanted to? What's the point you may ask - well it would make for a useful mouse replacement for presentations, or just for couch surfing.
      • Re: (Score:3, Interesting)

        You don't need the sensor bar functionality as the thing is armed with gyroscopes and accelerometers, which are more than enough to control a cursor on an overhead projector. All those buttons could be mapped as mouse buttons and the D-Pad as a scroll wheel. Gyroscopic mice have been available for quite a while now that do just that, but they cost far more than a Wii remote.
        • The above is true, with the exception that the sensor bar tells the system what relation to the screen you are. It doesn't use the sensor bar all the time--such as when you swing the controller off the screen, for example.

          But you DO need to point it at the screen so that the camera in the front of the wiimote can see the IR beams to know how to translate the sensor data received from the wiimote into movement in the screen.

          Let me put it another way: The wiimote doesn't know which way is up if you don't poin
          • You could use something such as the acceleration of gravity to know which way is up. Pressing buttons 1 and 2 simultaneously to recalibrate which way is up if that becomes a problem.

            Mice without sensor bars have existed in the past and work.
  • by palad1 (571416) on Thursday November 23 2006, @10:43AM (#16964460)
    Good news everyone!
    By setting-up a squid proxy one could be able to make homebrews appear as games requiring 0 wii points before being sent to the wii, which will gladly accept it as a runnable executable!

    Now we just have to reverse engineer the 'Virtual Game Console'. 100 say it will turn-out to be a Mame clone.

    Can't wait till the Wii gets released in Europe. Oh my :)

    Besides, we may even be able to stream a divx player using this technique.
  • by 8127972 (73495) on Thursday November 23 2006, @10:44AM (#16964470)
    ..... the fact that this doesn't look like some sort of custom solution that would be forever tied to the hardware. Instead it seems to be very "off the shelf" in nature from what I can see. I'm impressed that Nintendo would go that route. Many companies wouldn't.
  • by SalaciousPucker (911419) on Thursday November 23 2006, @10:48AM (#16964496)
    Microsoft is really the only console maker that has ventured online in any substantial way. They locked down their hardware and sealed off the wild wild internet (no IE on the 360) for good reason.


    I really think the Wii and/or the PS3 are going to be hacked to death. They have browsers, neither are experienced here and with Sony in particular, the whole thing seems kinda....rushed(?). I mean, with the media they are fine - people won't be burning blu-ray cheap enough soon enough. One click pirated downloads would be even worse though...it would be much easier. Given the cost & market for the PS3, a hack like this would be instant death for developer support.

    • by iapetus (24050) on Thursday November 23 2006, @11:05AM (#16964648) Homepage
      Yes. With potential security holes like this, I doubt it'll be long before we see some sort of crazy hack to run Linux on the PS3. Wouldn't that be great?
    • Microsoft is really the only console maker that has ventured online in any substantial way. They locked down their hardware and sealed off the wild wild internet (no IE on the 360) for good reason.

      That is something I found very interesting about Microsoft's new console. I kept hearing about the Hypervisor this and the Hypervisor that and the new Xbox was unbreakable and antihacker box and all that from Microsoft, after it was released I followed some of the hacking efforts and it seemed to be very heavy loc
    • by FroBugg (24957) on Thursday November 23 2006, @11:28AM (#16964858) Homepage
      Is this really such a terrible thing for the Wii?

      Sure, some people may end up downloading pirated games instead of buying them from Nintendo, but as iTunes shows, people are perfectly willing to pay reasonable prices for things they can get free elsewhere.

      And since the Wii hardware itself is actually profitable for Nintendo (as opposed to the PS3), they're still going to make money from people who buy a Wii with no intention of ever buying a legit Virtual Console game or even a real Wii game. And maybe once these hackers have a Wii they'll buy some games after all.
      • Re: (Score:3, Interesting)

        Sure, some people may end up downloading pirated games instead of buying them from Nintendo, but as iTunes shows, people are perfectly willing to pay reasonable prices for things they can get free elsewhere.

        And I am sure their primary userbase is not the hacker that downloads from romhustler or priarrrbay but mom and dad that get out of work, turn on their Wii and choose the newly released game from the Wii Channel.

         
  • DNS redirection (Score:5, Informative)

    by AsnFkr (545033) on Thursday November 23 2006, @10:52AM (#16964520) Homepage Journal
    Using DNS redirection you can get the Wii to any website you wish. Video [youtube.com]
    • Something I would like to see someone try is to redirect to a page that contains a movie file format which the Wii supports (like MOV); this could be the easiest way to convert your Wii to a media center extender (with crappy file support).
  • by creimer (824291) on Thursday November 23 2006, @10:54AM (#16964546) Homepage
    Isn't reverse engineering the Wii packets to figure out the proper browser user string a DMCA violation?
    • by Midnight Thunder (17205) on Thursday November 23 2006, @11:13AM (#16964742) Homepage Journal
      Isn't reverse engineering the Wii packets to figure out the proper browser user string a DMCA violation?

      Depends. Reverse engineering is not a violation, but cracking encryption is.

      Note I haven't ever read the DMCA, so I am relying on what I have heard on forums and news sites.
  • by v1 (525388) on Thursday November 23 2006, @10:59AM (#16964588) Homepage Journal
    I am very surprised we are not seeing them use public key encryption here. If the wii has microsoft's public key, it can send encrypted requests which cannot be reverse engineered unless you are able to guess microsoft's private key. The way around this would be to disassemble the code on the wii. Since they are merely using packet sniffing, the traffic must not be encrypted. If someone were to have bet me if this would have been encrypted, well, I guess I would be out some money about now. Not that it's a bad thing for us, but what is microsoft thinking?? They had to know this would happen, and I can't believe they would sit idle and let it occur.

    Though I suppose in a couple months we'll see a "software update" (i.e. they drop the portcullis) and that'll be the end of the tinkering without a screwdriver.
    • by Yosho (135835) on Thursday November 23 2006, @11:02AM (#16964602) Homepage
      You appear to be under the misconception that the Wii is produced by Microsoft. It's not. It was created by Nintendo. Unlike Microsoft, they're not obsessed with encrypting everything under the sun. Why would they care if somebody figures out their network protocol?
    • What does Microsoft have to do with this?
    • Honestly, why would you encrypt this?

      Encryption takes overhead. And since every console would have to have the same key (public not private by the way in order to sign a page with something Nintendo would recognize) the key would not remain secret for long - so it would be a bit of development trouble for zero gain.

  • by zepo1a (958353) on Thursday November 23 2006, @11:51AM (#16965028)
    This is for FF 1.5 (yeah lame..haven't updated yet, I assume will work for 2.0)
    type
    about:config
    in FF Address bar
    right click in window. New->String
    use
    general.useragent.override
    for preference name, click OK
    use
    Opera/9.00 (Nintendo Wii; U; ; 1038-58; Wii Shop Channel/1.0; en)
    as string value. click OK. you should now be able to hit the site without a redirect to wii.com
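
What the comments above describe (a redirect unless the request carries the Wii Shop user agent, or when it arrives through a link from another site) is a gate on headers the client writes itself. As an added example, not code from the thread or from Nintendo, this models such a gate beside a check on a server-issued HMAC token; the gate logic, the `X-Console-Id` and `X-Shop-Token` headers, the secret and the console ID are all hypothetical.

```python
import hashlib
import hmac

# User agent string quoted in the thread.
WII_SHOP_UA = "Opera/9.00 (Nintendo Wii; U; ; 1038-58; Wii Shop Channel/1.0; en)"
# Hypothetical server-side secret, constructed for this example.
SERVER_SECRET = b"constructed-example-secret"


def header_gate(headers):
    """Assumed model of the gate the comments describe: serve only when the
    User-Agent matches and no Referer is present. The client sets both."""
    if headers.get("User-Agent") != WII_SHOP_UA:
        return "redirect"
    if headers.get("Referer"):
        return "redirect"
    return "serve"


def issue_token(console_id):
    """Token the server would issue to a console it has authenticated."""
    return hmac.new(SERVER_SECRET, console_id.encode(), hashlib.sha256).hexdigest()


def token_gate(headers):
    """Hardened variant: require a value only the server can compute."""
    console_id = headers.get("X-Console-Id", "")
    token = headers.get("X-Shop-Token", "")
    # compare_digest keeps the comparison constant-time.
    if console_id and hmac.compare_digest(token, issue_token(console_id)):
        return "serve"
    return "redirect"


# Constructed requests (not captured traffic).
ua_override_only = {"User-Agent": WII_SHOP_UA}
linked_from_site = {"User-Agent": WII_SHOP_UA, "Referer": "http://example.com/"}
authenticated = {
    "User-Agent": WII_SHOP_UA,
    "X-Console-Id": "console-0001",
    "X-Shop-Token": issue_token("console-0001"),
}

if __name__ == "__main__":
    for name, req in (("ua_override_only", ua_override_only),
                      ("linked_from_site", linked_from_site),
                      ("authenticated", authenticated)):
        print(f"{name}: header_gate={header_gate(req)} token_gate={token_gate(req)}")
```

A static token sent over plain HTTP can be captured and replayed exactly like the header, so the token check only adds anything over TLS and with short-lived tokens.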
  • by assassinator42 (844848) on Thursday November 23 2006, @12:37PM (#16965426)
    It seems like they have it sort of working. When will they release it? And does this mean we won't be able to use USB keyboards and mice with the browser?
  • Serious question, I always wondered about the MS network.