Zelda Exploit - Run Unsigned Code w/o Modchip

brakken · #1 01-27-2008, 01:48 AM

Here is a screen shot of an error in Zelda for the Nintendo Wii. So, what's so important about this particular error? Well, let's compare this to the GTA Exploit for the Sony PSP. Yes, that's right.

Bushing along with Segher have been able to modify a save game from Zelda to crash the machine and to run their own code on it. Note that you won't even need to "mod" your Nintendo Wii to run this exploit.

[ read more ]

brakken · #2 01-27-2008, 01:51 AM

Yes, that's right - an exploit for the Nintendo Wii has been discovered and it allows you to run custom code. The method is pretty simple. Copy over a save file for Zelda, load it and the code runs. Don't get too excited yet. They have only been able to run 4 lines of code, but this is in a days work.

Segher was the one to find the exploit and Bushing has been testing it out with the aid of the USB Gecko. The process is far from simple as once you modify a save game it requires it be to signed with 3 keys. Here's some info from Bushing.

"Once the Wii decrypts the save game, it checks its signature. Every Wii has its own private key which is used to sign save games, and when you save a game, the Wii actually saves three bits of data:

* The encrypted save game
* The signature for the save game (using your console's private key)
* A copy of your console's public key, signed by Nintendo."

Of course, the end user wouldn't have to go through this process unless they were wanting to inject their own code into the save game, but that shouldn't be necessary because when I asked Bushing what his goal was he answered:

"Assuming we don't run into a wall, it should be able to lead to a homebrew loader. I hope. No promises. :)"

- (Digg It!) -

smurfro · #3 01-27-2008, 02:43 AM

Is it possible to see a video of this buffer overflow? Or better... a savegame that we can use to see with our eyes?

fagmaster · #4 01-27-2008, 04:09 AM

That is just awesome. Good work Bushing + Others, hope to see some more soon!

PalmPal · #5 01-27-2008, 05:37 AM

The Zelda exploit (using the GameCube Epona buffer overflow) is in the early
stages, but they managed to get access to the VI buffer
http://www.flickr.com/photos/2321848...7603803895873/

nehe32 · #6 01-27-2008, 06:03 AM

hey guys, just was kinda made a link maybe between those public wii tools Segher released and the save game editing

http://git.infradead.org/?p=users/segher/wii.git

there are some makefiles and savegame decrypters there but i havent downloaded or tested any yet

gth44331 · #7 01-27-2008, 06:30 AM

Why does it all have to be so damn hard to UNDERSTAND!? :'( I can't make head nor tail of that infradead.org link. All I know is that it's source code. Why can't someone release binaries as well?

Auyx3636 · #8 01-27-2008, 07:17 AM

Wow this looks like it could be very promising. There has been a lot of development towards a full homebrew loader over the last month or so. I cant wait to see what happens next.

brakken · #9 01-27-2008, 07:39 AM

Nice work, eh? :)

azeazezar · #10 01-27-2008, 07:45 AM

Yes, exectly wat we are all waiting for.
Thank you for yer hard work so far.
Running homebrew on an unmodded wii, i just hope this will work with a pal wii.

bowmessage · #11 01-27-2008, 01:12 PM

that flickr pic is from the gamecube version.. does that matter?

azeazezar · #12 01-28-2008, 02:29 AM

The quest log pic is from wii version (up 3 post).
But watever, i dun care if its wii or gc version, as long as wii is hacked...

EDIT: The other pics in this threat are wii as well,
you can see that little fairy that sits where you aim yer wiimote.

GandalfTheWhite · #13 01-28-2008, 12:22 PM

I'm hoping you won't need an actual copy of zelda to get the loader going (once they code one). I already have it for GC.

Don Giovanni · #14 01-29-2008, 03:45 AM

For now, likely you will need the Wii version to get homebrew going in wii mode, but with the info we have can't really say. GC homebrew will likely be launchable with the wii game in time.

Using the overflow from GC mode and trying to reset the wii hardware so the other components would turn on could be overly complicated (or not possible since it seems to involve a reset of sorts to go back to wii mode)...but then again you never know. For now it just seems like staying in wii mode from the start is the best route.

Anyways, its amazing to see the progress that has been made in the past few months. Keep up the good work guys!

*edit* of course if you have a modchip backups will work for this (thinking now that's probably what you were getting at)

Jaymes · #15 01-29-2008, 02:27 PM

Wait. So once this is further in development will it work on the Wii and GC version or just one of them?