Slashdot Mirror


Wii Internet Connection Reverse Engineered

AlexTheBeast writes "By packet sniffing his Wi-Fi connection, this hacker has already begun to dig into the internet interactions of the new Nintendo Wii. Basically, by using Firefox and after setting the user agent correctly, anybody can easily browse many WiiShop pages including the WiiShop main page and startup manual. More advanced connections including binary and virtual console downloads are currently in the works. Come join the project."

48 of 166 comments

  1. That's what happens... by tttonyyy · · Score: 4, Funny

    ..when developers play with their Wii.

    (Sorry, couldn't resist YAWJ (Yet Another Wii Joke))

    --
    biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
  2. Bad smell by Rastignac · · Score: 2, Funny

    I don't want to sniff out my wii. ;)

    --
    -- Rastignac was here.
    1. Re:Bad smell by MyDixieWrecked · · Score: 5, Funny

      well, I've been playing with my wii so much, my arm is sore

      in fact, all my muscles are stiff. I'm in such bad shape, my wii makes me stiff.

      --
      ...spike
      Ewwwwww, coconut...
    2. Re:Bad smell by inKubus · · Score: 5, Funny

      I'm in such bad shape, my wii makes me stiff.

      I can't decide if this is a Soviet Russia joke in disguise...

      --
      Cool! Amazing Toys.
  3. So ... What's next by HappySqurriel · · Score: 4, Funny

    So ... what's next?

    Will we be getting a news story about a Hacker who had installed the Wii's web browser on his PC by going to http://www.opera.com/ ?

    1. Re:So ... What's next by cloricus · · Score: 4, Interesting

      I was thinking that... Seriously today at work I sat in front of ethereal for two hours sniffing packets for regular network reports and just for general knowledge of what's going on and god knows what I saw go past. It isn't at all skillful to sniff out an agent string and use a Firefox plugin to put in whatever you want - heck if you want to be 'uber leet' you can code your own agent string into Firefox! How awesome!

      So in summary this isn't even remotely interesting. Go home script kiddies...and by home I mean digg! (Yes I do have the karma to burn.)

      ...Still four weeks till we get Wiis in Australia. :(

      --
      I ate your fish.
    2. Re:So ... What's next by SausageOfDoom · · Score: 3, Interesting

      Well, seeing as this shows that the channels are web-based, I would imagine that one possible next step would be to hijack the connection when it reaches your router, and then, depending on the page request, return your own content.

      I'm guessing this would allow you to create custom channels by returning whatever content you wanted to the Wii. Perhaps it might also bypass the need to buy Opera, as it sounds like it's already built in.

    3. Re:So ... What's next by Programmer_In_Traini · · Score: 2, Insightful

      I don't think the point was to be uber by displaying l33t h4ck1ng skillz0r. :)

      But it's a start at developing homebrewed apps for the Wii. Heck, maybe create homebrewed WiiShop servers so users can share Wii games.

      That's the good thing with consoles on the net, it's fairly easy to fool them once you know what kind of answer they expect.

      --
      If you look like your passport photo, you're too ill to travel. - Will Kommen
  4. Already Locked Down by A+Brand+of+Fire · · Score: 5, Informative

    Apparently Nintendo has caught wind of this and has already set up redirects to the Wii root website from these links.

    --
    [End of Line]
    1. Re:Already Locked Down by l_bratch · · Score: 2, Informative

      This only happens if your user agent is set incorrectly.

      If you RTFA, you will see what user agent to set your browser to.

  5. Correction by A+Brand+of+Fire · · Score: 5, Informative

    It seems that it redirects with links referred from other websites. After putting in the URL manually, I was able to view the pages. Pretty cool stuff.

    --
    [End of Line]
    1. Re:Correction by tttonyyy · · Score: 4, Funny

      Given the number of consoles Nintendo must be anticipating serving those pages to, I'd expect them to be pretty much unslashdottable. A few people from slashdot? 'Tis but a scratch!

      --
      biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
  6. Roms! \o/ by remembertomorrow · · Score: 5, Interesting

    Once the Virtual Arcade system has been worked out, someone will put up a custom server where you can download the games for 0 points. All you'll have to do is point wii.com (or whichever A/AAA records are needed) to their server.

    It seems like this system will be hacked rather easily. :/

    --
    Registered Linux user #421033
    1. Re:Roms! \o/ by HappySqurriel · · Score: 3, Insightful

      Once the Virtual Arcade system has been worked out, someone will put up a custom server where you can download the games for 0 points. All you'll have to do is point wii.com (or whichever A/AAA records are needed) to their server.

      It seems like this system will be hacked rather easily. :/


      Well, being that Nintendo is not stupid I suspect that every virtual console game is signed to prevent copying; on top of that (being that each game is only usable on one particular system) it is possible that Nintendo signs the signed code for each console when you buy a game. Now, unless the system is physically cracked, I think that it is nearly impossible to break this system.

    2. Re:Roms! \o/ by HappySqurriel · · Score: 2, Informative

      I'm not positive I know what you're asking, but I think I'll give it a try ...

      I could be wrong but I think the difference between what I'm describing and Fair Play is that Fair Play takes an unsigned data format and signs it to be specific to your particular account/machine and there is nothing that prevents you from using an unsigned version of that data with your account/machine; now, Nintendo could design a system such that it will only play games that were both signed by Nintendo (to make them an official rom) and signed for your specific machine. In Nintendo's case, stripping the per-account signing would give you an officially signed Nintendo rom but that would not be playable on an unmodified machine unless you had access to the account based signing key (by modifying the system you'd be attempting to remove the requirement that the game had to be signed per machine, or for homebrew that it was even signed at all).

    3. Re:Roms! \o/ by Abcd1234 · · Score: 2, Interesting

      What the hell are you talking about? Signing a binary doesn't prevent copying. All it prevents is someone from modifying the ROM and then running it on the Wii. The only thing that will "prevent copying" is full-on encryption. However, the Wii would then need the key to decrypt the content, at which point you just hack the Wii to get the key.

      Basically, they're facing the exact same problem content providers are facing: you're trying to lock down content while at the same time giving the user the means to unlock it (so they can use it). And unless you can ensure the hardware is unhackable, this simply cannot work.
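
Added example (not part of any comment above, and not Nintendo's actual scheme): the two comments above distinguish a publisher signature on the content from a per-console signature. This Node.js sketch shows what each check does and does not catch; the key pair, console IDs, ticket layout and function names are all hypothetical.

```javascript
// Added illustration; every name here is hypothetical, not Nintendo's real format.
const nodeCrypto = require('crypto');

// Publisher key pair: the private key never leaves the publisher; the public
// key is what each console would carry to verify signatures.
const publisher = nodeCrypto.generateKeyPairSync('ed25519');
const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest('hex');

// Publisher: one signature over the content, identical for every buyer.
function signContent(content) {
  return nodeCrypto.sign(null, content, publisher.privateKey);
}

// Publisher: a signed ticket tying this content's hash to a single console ID.
function issueTicket(content, consoleId) {
  const body = Buffer.from(JSON.stringify({ consoleId, digest: sha256(content) }));
  return { body, sig: nodeCrypto.sign(null, body, publisher.privateKey) };
}

// Console, check 1: was this exact content signed by the publisher?
function verifyContent(content, sig) {
  return nodeCrypto.verify(null, content, publisher.publicKey, sig);
}

// Console, checks 1 and 2: content signature plus a ticket for this console.
function canRun(content, contentSig, ticket, myConsoleId) {
  if (!verifyContent(content, contentSig)) return 'rejected: content signature';
  if (!nodeCrypto.verify(null, ticket.body, publisher.publicKey, ticket.sig)) {
    return 'rejected: ticket signature';
  }
  const { consoleId, digest } = JSON.parse(ticket.body.toString());
  if (digest !== sha256(content)) return 'rejected: ticket is for other content';
  if (consoleId !== myConsoleId) return 'rejected: ticket is for another console';
  return 'ok';
}

function demo() {
  const rom = Buffer.from('constructed sample ROM image'); // constructed data
  const sig = signContent(rom);
  const ticketA = issueTicket(rom, 'console-A');

  const copy = Buffer.from(rom);   // byte-for-byte copy of the signed content
  const patched = Buffer.from(rom);
  patched[0] ^= 0xff;              // one modified byte

  // Ticket body rewritten to name console-B, reusing the old signature.
  const forged = {
    body: Buffer.from(JSON.stringify({ consoleId: 'console-B', digest: sha256(rom) })),
    sig: ticketA.sig,
  };

  return {
    copyVerifies: verifyContent(copy, sig),       // a copy carries a valid signature
    patchedVerifies: verifyContent(patched, sig), // a modification does not
    ownerConsole: canRun(copy, sig, ticketA, 'console-A'),
    otherConsole: canRun(copy, sig, ticketA, 'console-B'),
    forgedTicket: canRun(copy, sig, forged, 'console-B'),
  };
}

console.log(demo());
```

Both checks are only as strong as the verifying code on the console: they hold while that code is unmodified, which is the condition both comments raise.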

    4. Re:Roms! \o/ by Xenographic · · Score: 2, Informative

      If they did any such thing to prevent people from downloading the ROMs, quite frankly, it would be a complete and utter waste of time.

      As anyone should know by now, you can download ROMs and emulators for nearly any system you want online. It's not even hard. The Pirate Bay even has nice, huge, torrents with practically every ROM ever (including tons of bad dumps I have no idea why anyone would ever want).

      So really, they shouldn't even bother. It would be a total waste of their time and money. Heck, if they're getting it from the store, at least people are paying for the ROM. So they can laugh about "hacking" the Wii store all they want, but if they're paying Nintendo instead of downloading it for free from any of the hundreds of ROM sites, well, they'd be shooting themselves in the foot to discourage that, I'd think.

      Not that they wouldn't do such a thing, but...

    5. Re:Roms! \o/ by HappySqurriel · · Score: 2, Insightful

      I suspect that Nintendo would be very careful about what code was running on their system for fear that it could be exploited to produce a soft-mod to allow for pirated games to be run.

      Imagine if a buffer overflow error was found in the emulator, which allowed for unsigned code to be run, so the hacker could replace your firmware which allowed for booting from a usb hard-drive ...

    6. Re:Roms! \o/ by named · · Score: 2, Interesting

      This is exactly what client certs were invented for. Using https with client & server certs allows the client to authenticate the server, and vice versa. It would be pretty easy for Nintendo to issue a cert for every Wii.

      The only issue might be the extra CPU involved in using SSL, but if they're going to be preventing loss of revenue I can see the accountants springing for the extra hardware :)

  7. So when will the remote get hacked? by DrXym · · Score: 2, Insightful

    If it uses Bluetooth as it is supposed to, what is to stop the Wii remote being used on a PC or even a PS3 if you wanted to? What's the point you may ask - well it would make for a useful mouse replacement for presentations, or just for couch surfing.

    1. Re:So when will the remote get hacked? by DrXym · · Score: 2, Interesting

      You don't need the sensor bar functionality as the thing is armed with gyroscopes and accelerometers, which are more than enough to control a cursor on an overhead projector. All those buttons could be mapped as mouse buttons and the D-Pad as a scroll wheel. Gyroscopic mice have been available for quite a while now that do just that, but they cost far more than a Wii remote.

  8. Squid proxy = Homebrew injection by palad1 · · Score: 4, Interesting

    Good news everyone!
    By setting up a squid proxy one could be able to make homebrews appear as games requiring 0 wii points before being sent to the wii, which will gladly accept it as a runnable executable!

    Now we just have to reverse engineer the 'Virtual Game Console'. 100 say it will turn out to be a Mame clone.

    Can't wait till the Wii gets released in Europe. Oh my :)

    Besides, we may even be able to stream a divx player using this technique.

    1. Re:Squid proxy = Homebrew injection by geekboy_x · · Score: 3, Informative

      You don't need that - the Wii Opera browser can hit normal web pages just fine, so flash-based homebrews can just be served off regular ol' pages, like this:

      http://wiicade.com/Home.aspx

      Have fun!

      --
      -- There are two kinds of motorcycles. 1: German. 2: Crap.
  9. Am I the only one who is impressed by..... by 8127972 · · Score: 4, Interesting

    ..... the fact that this doesn't look like some sort of custom solution that would be forever tied to the hardware. Instead it seems to be very "off the shelf" in nature from what I can see. I'm impressed that Nintendo would go that route. Many companies wouldn't.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  10. Welcome to the New Console Hack-fest by SalaciousPucker · · Score: 5, Interesting

    Microsoft is really the only console maker that has ventured online in any substantial way. They locked down their hardware and sealed off the wild wild internet (no IE on the 360) for good reason.

    I really think the Wii and/or the PS3 are going to be hacked to death. They have browsers, neither are experienced here and with Sony in particular, the whole thing seems kinda....rushed(?). I mean, with the media they are fine - people won't be burning blu-ray cheap enough soon enough. One click pirated downloads would be even worse though...it would be much easier. Given the cost & market for the PS3, a hack like this would be instant death for developer support.

    1. Re:Welcome to the New Console Hack-fest by iapetus · · Score: 4, Funny

      Yes. With potential security holes like this, I doubt it'll be long before we see some sort of crazy hack to run Linux on the PS3. Wouldn't that be great?

      --
      ++ Say to Elrond "Hello.".
      Elrond says "No.". Elrond gives you some lunch.
    2. Re:Welcome to the New Console Hack-fest by FroBugg · · Score: 4, Insightful

      Is this really such a terrible thing for the Wii?

      Sure, some people may end up downloading pirated games instead of buying them from Nintendo, but as iTunes shows, people are perfectly willing to pay reasonable prices for things they can get free elsewhere.

      And since the Wii hardware itself is actually profitable for Nintendo (as opposed to the PS3), they're still going to make money from people who buy a Wii with no intention of ever buying a legit Virtual Console game or even a real Wii game. And maybe once these hackers have a Wii they'll buy some games after all.

    3. Re:Welcome to the New Console Hack-fest by Virgil+Tibbs · · Score: 2, Insightful

      That's where Yellow Dog Linux is going - with all Macs going Intel, Yellow Dog has no choice but to go to the PS3 because there are no other PowerPC processors

      --
      www.tdobson.net #### Dare to Dream #### blog.tdobson.net
    4. Re:Welcome to the New Console Hack-fest by xtracto · · Score: 2, Interesting

      Sure, some people may end up downloading pirated games instead of buying them from Nintendo, but as iTunes shows, people are perfectly willing to pay reasonable prices for things they can get free elsewhere.

      And I am sure their primary userbase is not the hacker that downloads from romhustler or priarrrbay but mom and dad that get out of work, turn on their Wii and choose the newly released game from the Wii Channel.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
  11. DNS redirection by AsnFkr · · Score: 5, Informative

    Using DNS redirection you can get the Wii to any website you wish. Video

  12. DMCA violation...? by __aaclcg7560 · · Score: 3, Funny

    Isn't reverse engineering the Wii packets to figure out the proper browser user string a DMCA violation?

    1. Re:DMCA violation...? by Midnight+Thunder · · Score: 4, Funny

      Isn't reverse engineering the Wii packets to figure out the proper browser user string a DMCA violation?

      Depends. Reverse engineering is not a violation, but cracking encryption is.

      Note I haven't ever read the DMCA, so I am relying on what I have heard on forums and news sites.

      --
      Jumpstart the tartan drive.
  13. It's actually a very good name. by Anonymous Coward · · Score: 3, Funny

    Wii was a very good name to choose, just because of how much it sounds like a pet name for the penis.

    Here in Finland there used to be a brand of chocolate milk called Jukiuilla. That sounds very, very close to a word which translates best to English as "bloody assrape".

    People remembered that brand of milk. It became a hit sensation among teens just because of its name. While other chocolate milks had more benign names, that chocolate milk had a name that stood out. I think Nintendo has managed, intentionally or not, to do the same thing.

    1. Re:It's actually a very good name. by tttonyyy · · Score: 2, Informative

      That's true. When Nintendo announced the name, many people were disappointed, upset, and even angry. There was even a petition to Nintendo of America to change the name.

      Certainly everyone talked about it.

      And now we make affectionate jokes about the name, and it's quite accepted.

      Methinks Nintendo made a very smart (or lucky) choice.

      --
      biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
    2. Re:It's actually a very good name. by somersault · · Score: 4, Funny

      Wow.. interesting why anyone would want to think about pounded crap while drinking chocolate milk :s Yuck

      --
      which is totally what she said
    3. Re:It's actually a very good name. by eln · · Score: 5, Funny

      The Finns have a word for "bloody assrape"? I'm suddenly afraid to go to Finland.

    4. Re:It's actually a very good name. by Anonymous Coward · · Score: 2, Informative

      Here in Finland there used to be a brand of chocolate milk called Jukiuilla. That sounds very, very close to a word which translates best to English as "bloody assrape".

      Huh? I'm not that young but I've never heard of such a product. It doesn't get a single google hit either, not even suggestions for possible typos. Also, while I know more filthy slang terms for shady activities than would be really healthy, I can't figure out how that word could mean anything at all, let alone violent sodomy in Finnish. Did this story take place in some parallel universe or are there more Finlands than I'm aware of?

      The point is valid, of course. There are many products which have become legendary for their more or less intentionally funny naming or advertising. Still, this particular example leaves me completely puzzled. Got any references?

    5. Re:It's actually a very good name. by smoker2 · · Score: 2, Informative

      Wii was a very good name to choose, just because of how much it sounds like a pet name for the penis.

      In the UK, wee is the "pet" name for piss.

      Great choice, they could have called it "shite".

    6. Re:It's actually a very good name. by Anonymous Coward · · Score: 2, Informative

      Here in Finland there used to be a brand of chocolate milk called Jukiuilla. That sounds very, very close to a word which translates best to English as "bloody assrape".

      Sorry to be serious but no, we didn't have that brand of chocolate milk in Finland and no, it doesn't mean "bloody assrape" nor does it mean anything else in Finnish. This whole post is a nice story but totally false.

  14. why does this even work? by v1 · · Score: 2, Funny

    I am very surprised we are not seeing them use public key encryption here. If the Wii has Microsoft's public key, it can send encrypted requests which cannot be reverse engineered unless you are able to guess Microsoft's private key. The way around this would be to disassemble the code on the Wii. Since they are merely using packet sniffing, the traffic must not be encrypted. If someone were to have bet me if this would have been encrypted, well, I guess I would be out some money about now. Not that it's a bad thing for us, but what is Microsoft thinking?? They had to know this would happen, and I can't believe they would sit idle and let it occur.

    Though I suppose in a couple months we'll see a "software update" (i.e. they drop the portcullis) and that'll be the end of the tinkering without a screwdriver.

    --
    I work for the Department of Redundancy Department.
    1. Re:why does this even work? by Yosho · · Score: 4, Interesting

      You appear to be under the misconception that the Wii is produced by Microsoft. It's not. It was created by Nintendo. Unlike Microsoft, they're not obsessed with encrypting everything under the sun. Why would they care if somebody figures out their network protocol?

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    2. Re:why does this even work? by Yosho · · Score: 2, Insightful

      I suppose this means that there could be a way to get Virtual Console games for free or to leech them from someone else downloading them.

      I highly doubt that knowing how the protocol works will enable people to get Virtual Console games for free. Everybody knows how HTTPS works, but you don't see people getting things for free from online stores all over the world. I suppose, in theory, it might be possible for somebody to sniff the connection of a download in progress, intercept the binary game data, and get it over to their Wii -- but the number of people who are capable of doing that, let alone would do it, is insignificant compared to the rest of the market.

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
  15. How to setup for this (simple way) by zepo1a · · Score: 5, Informative

    This is for FF 1.5 (yeah lame..haven't updated yet, I assume will work for 2.0)
    type
    about:config
    in FF Address bar
    right click in window. New->String
    use
    general.useragent.override
    for preference name, click ok
    use
    Opera/9.00 (Nintendo Wii; U; ; 1038-58; Wii Shop Channel/1.0; en)
    as string value. click OK. you should now be able to hit the site without a redirect to wii.com

  16. Where's the Opera browser download then? by assassinator42 · · Score: 2, Interesting

    It seems like they have it sort of working. When will they release it? And does this mean we won't be able to use USB keyboards and mice with the browser?

  17. Re:They'll Just Update It by sitturat · · Score: 2, Insightful

    They'll just update the Wii hardware so that all this will be encrypted.

    No, they'll just update the Wii software so that all this will be encrypted. Much easier.

  18. Re:VC Question by onlysolution · · Score: 2, Informative

    You can input your credit card info to the Wii Shop, or input the code from the back of the points card to get wii points. 1 Wii point = 1 cent, which means Mario 64 is $10, SNES/Genesis/Turbo Gfx games are $6-8 and NES games are $5(!?)

  19. Piss 3 by tepples · · Score: 3, Funny

    In the UK, wee is the "pet" name for piss.

    So what does that make the Piss-3?

  20. Has anyone done this for XBL or Sony's PNP yet? by AbRASiON · · Score: 2, Interesting

    Serious question, I always wondered about the MS network.