As luck would have it, Ubisoft decided to be nice and happened to leave an unstripped ELF file on disc for their games. After looking at the camera implementation, which they named libcam, it seemed like nothing was exploitable: the game only accepted hard-coded video sizes, and frames were sent uncompressed, which eliminates most of the attack surface in the library.
I was able to find a few size fields that weren't checked; however, these sizes were used to allocate from the heap, and the heap implementation for the library intentionally locks up when it runs out of memory rather than returning NULL, so oversized allocations just hang the console. After a few more weeks of looking at the camlib, I finally decided to start poking at the Bluetooth stack itself. The Bluetooth stack on the Wii was written by Broadcom and was actually used in quite a few devices, from car infotainment centers to old cellphones.
And luckily Google decided to use it for Android, and in doing so they open-sourced the stack. The stack has two names, the older Bluedroid name and the newer Fluoride name; I will be referring to it as Fluoride for the rest of this article. There are several layers in Bluetooth that are used to exchange data. One of them is the L2CAP layer, which can be thought of as something like TCP: it has packet segmentation and reassembly, retransmission, and a port-like interface called channels that can be used to talk to different services on the device, as shown below.
Source: Specification of the Bluetooth System Core v2. Each service is reached through a Protocol/Service Multiplexer (PSM) value carried in the L2CAP connection request, and the Service Discovery Protocol (SDP) service can be queried to obtain a list of the services that the device offers and which PSM each one uses.
Both devices are required to implement SDP as part of the Bluetooth spec. We will come back to the SDP service later, as it will be useful for exploiting the bug.
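To make the L2CAP framing concrete, here is an added example (my own code, not from the article or from the Fluoride code base) that parses the L2CAP basic header and a signalling-channel Connection Request, the PDU a remote device sends to open a channel to a given PSM such as SDP's 0x0001. Field layouts and code values are those of the Bluetooth Core specification; the sample frame and the helper names are constructed for this example. The point of interest for a stack reviewer is the two nested length fields (L2CAP length and command length), each of which has to be checked against the bytes actually received before it is trusted.

```c
/* Added example: bounds-checked L2CAP basic header + Connection Request parser.
 * Not from the original article or from Fluoride; sample frame is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define L2CAP_HDR_LEN        4       /* 2-byte length + 2-byte CID, little-endian */
#define L2CAP_CID_SIGNALING  0x0001  /* ACL-U signalling channel */
#define L2CAP_CMD_HDR_LEN    4       /* code, identifier, 2-byte command length */
#define L2CAP_CONN_REQ       0x02    /* Connection Request command code */
#define PSM_SDP              0x0001  /* PSM assigned to SDP */

struct l2cap_conn_req {
    uint8_t  ident;  /* identifier echoed in the Connection Response */
    uint16_t psm;    /* service being connected to, e.g. 0x0001 for SDP */
    uint16_t scid;   /* source (remote) channel id */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns 0 on success, a negative code on malformed input.
 * Every declared length is checked against what is really present
 * before it is used to index the buffer. */
int l2cap_parse_conn_req(const uint8_t *buf, size_t len, struct l2cap_conn_req *out)
{
    if (len < L2CAP_HDR_LEN) return -1;
    uint16_t pdu_len = le16(buf);
    uint16_t cid     = le16(buf + 2);
    if (cid != L2CAP_CID_SIGNALING) return -2;
    if (pdu_len > len - L2CAP_HDR_LEN) return -3;   /* outer length lies about the frame */

    const uint8_t *cmd = buf + L2CAP_HDR_LEN;
    if (pdu_len < L2CAP_CMD_HDR_LEN) return -4;
    uint8_t  code    = cmd[0];
    uint8_t  ident   = cmd[1];
    uint16_t cmd_len = le16(cmd + 2);
    if (code != L2CAP_CONN_REQ) return -5;
    if (cmd_len > pdu_len - L2CAP_CMD_HDR_LEN) return -6;  /* inner length exceeds the PDU */
    if (cmd_len != 4) return -7;                            /* body is exactly PSM + SCID */

    out->ident = ident;
    out->psm   = le16(cmd + 4);
    out->scid  = le16(cmd + 6);
    return 0;
}

/* Constructed sample: L2CAP len=8, CID=0x0001, code=ConnReq, ident=1,
 * cmd len=4, PSM=0x0001 (SDP), SCID=0x0040. */
static const uint8_t SAMPLE_CONN_REQ[12] = {
    0x08, 0x00, 0x01, 0x00, 0x02, 0x01, 0x04, 0x00, 0x01, 0x00, 0x40, 0x00
};

/* Demo helpers (hypothetical names) exercising the good and bad paths. */
int demo_parse_sample_psm(void)
{
    struct l2cap_conn_req r;
    return l2cap_parse_conn_req(SAMPLE_CONN_REQ, sizeof SAMPLE_CONN_REQ, &r) == 0 ? r.psm : -1;
}

int demo_parse_truncated(void)            /* only 6 of the 12 bytes arrived */
{
    struct l2cap_conn_req r;
    return l2cap_parse_conn_req(SAMPLE_CONN_REQ, 6, &r);
}

int demo_parse_lying_cmd_len(void)        /* inner length claims 16 bytes of body */
{
    uint8_t bad[12];
    struct l2cap_conn_req r;
    memcpy(bad, SAMPLE_CONN_REQ, sizeof bad);
    bad[6] = 0x10;
    return l2cap_parse_conn_req(bad, sizeof bad, &r);
}

int main(void)
{
    printf("sample PSM: 0x%04x (SDP is 0x%04x)\n", demo_parse_sample_psm(), PSM_SDP);
    printf("truncated frame -> %d, lying command length -> %d\n",
           demo_parse_truncated(), demo_parse_lying_cmd_len());
    return 0;
}
```

The two negative paths are the ones that matter when auditing a stack like this: a parser that trusts the outer L2CAP length will read past the received frame, and one that trusts the inner command length will read past the PDU even when the outer check passed.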
Channels are passed back and forth in L2CAP packets, and in Fluoride each channel has a corresponding control structure called the Channel Control Block (CCB). After spending some time looking at what values we control, I found a small buffer handler in the SDP client.

Back on the Wii, head on over to the Wii Message Center. There's going to be a new message for you with a bomb in it, but where that message is going to be will depend on your time zone and when you generated the file.
In most cases, it will be in yesterday's mail, but it could be today or a couple of days ago. You'll know when you see it. When you're ready to pull the trigger, just click on the LetterBomb message icon. The process will take about a minute, so be patient. You'll have a hacked Wii when it's done. If you run into any issues along the way it's probably because you don't have the right version of the Wii System Menu.
If you try to use LetterBomb with the wrong version, it'll freeze your Wii. Not to worry—just force-reboot your Wii, make sure you update properly, and try again. Obviously you want to do the update beforehand, but in the event you forget it's not really a big deal. Once LetterBomb has done its thing, it'll tell you to press 1 to continue.
However, you can use a micro SD card in an adapter to slide into the SD slot, and you can write whatever is needed onto the SD card in a USB adapter as long as it's on the computer itself, but not the Wii. Please, for the love of technologically challenged people everywhere, help me?!?!
I've followed directions and see absolutely no new messages on the message board. Checked current and previous days.

Reply, 4 years ago: Well, if you perfectly copied your MAC address and selected the System Menu version on the website, then deposited the file onto the root of the SD card, it should work. Sometimes though, there are stubborn systems that don't want to cooperate and give you a headache. If you verified that everything was done correctly and it still doesn't work, ask YouTube. There are lots of people out there that make money for this, so there might be help for you yet!

Reply, 5 years ago: May you please also put up how to play games that have been on a save file using homebrew also?

Introduction: How to Hack Your Wii. By Darzen SmallEngineRepair.
About: I'm a mechanic mostly working with small engines, but I also fix larger cars and trucks. I'm only really interested in practical projects that benefit people, and have a useful function in life.

Darzen jack: Thank you very much for this easy method. I'll try it as soon as possible.

MakerMan, 5 years ago.

Darzen MakerMan, reply, 5 years ago: Thank you. It was a project that took a lot of patience, but the end result was worth it!