Hacking the Wii


Over the weekend, while I wasn’t working on splicing together and editing a video for work (how I got roped into doing that, I’ll never know), I dug my Nintendo Wii out of the box I had so foolishly packed it in — why I thought it would stay in there for long, I don’t know — and proceeded to install a new channel on it, the Homebrew Channel.  This is a third-party channel that lets you play homebrew games, emulators, and other applications (e.g. Linux, media players, etc.) on your Wii. Yes, you can play a lot of older games without installing this hack and the emulators by buying them on the Virtual Console, but if you already own them, why pay for them again, especially if they aren’t even available on the shop (e.g. the entire Mega Man original series)?  Below the fold, the nitty gritty of the hack, and a video of it in action.

The actual hacking was incredibly easy, and incredibly safe, compared to other hack jobs I’ve seen, using the Twilight Hack chainloader.  The Wii can store saved game files for certain titles on an SD card for transport between consoles.  Some enterprising geeks crafted a Zelda: Twilight Princess saved game file that gives your horse an absurdly long name, causing a “stack smash”: the game copies the name out of the savegame into a fixed-size buffer on the stack without checking how long it is, so the overlong name deliberately runs past the end of that buffer and overwrites the neighbouring stack contents, including the saved return address that tells the CPU where to continue once the current function finishes.  You download that hacked savegame on your computer, put it in the appropriate spot on the SD card, then delete your original savegame on the Wii and copy the hacked one over from the card (yeah, you lose your saved game data, but I’ve already beaten Twilight Princess and would likely play it again from the beginning the next time I play it anyway, so no big deal).  You then load the game, and when you approach and talk to a person standing nearby who would normally mention your horse’s name, the copy overflows the buffer; instead of returning to the game’s own code, the CPU jumps to the small loader hidden in the savegame, which in turn runs a file you place on the SD card.
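To make the “stack smash” concrete, here is an added C example; it is not the Twilight Hack’s code and not the game’s real stack layout.  It models a 16-byte name buffer sitting directly below a 4-byte saved return address, copies a name into it strcpy-style, and shows that an overlong name drops its last four bytes exactly onto the return address, while a length-checked copy refuses the same name.  The buffer size, the offsets and the two addresses (ORIGINAL_RET, LOADER_ADDR) are constructed for illustration and are not the Wii’s real values; the default horse name “Epona” is used as the benign input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the game's stack frame (assumed layout, not the real one):
 * mem[0..15] name buffer, mem[16..19] saved return address (big-endian, as on the
 * Wii's PowerPC), mem[20..23] slack standing in for the caller's frame. */
#define NAME_MAX    16
#define RET_OFFSET  NAME_MAX
#define FRAME_SIZE  (NAME_MAX + 4 + 4)
#define ORIGINAL_RET 0x80004000u  /* pretend: where the function should return to */
#define LOADER_ADDR  0x8130A1F0u  /* pretend: attacker code inside the savegame; it has
                                     no 0x00 byte because a strcpy-style copy stops at NUL */

struct frame { unsigned char mem[FRAME_SIZE]; };

static void store_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

static uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void frame_init(struct frame *f)
{
    memset(f->mem, 0, sizeof f->mem);
    store_be32(f->mem + RET_OFFSET, ORIGINAL_RET);
}

/* Vulnerable: strcpy semantics, copy until the NUL without asking how big the
 * destination is. The sizeof guard is NOT part of the modelled bug; it only stops
 * this demo from overrunning the host process's own stack. */
static void copy_name_unchecked(struct frame *f, const unsigned char *name)
{
    size_t i = 0;
    while (name[i] != '\0' && i < sizeof f->mem) {
        f->mem[i] = name[i];
        i++;
    }
    if (i < sizeof f->mem)
        f->mem[i] = '\0';
}

/* Hardened: refuse any name that does not fit the slot together with its
 * terminator. Returns 0 on success, -1 if rejected (nothing is written). */
static int copy_name_checked(struct frame *f, const unsigned char *name)
{
    size_t len = 0;
    while (len < NAME_MAX && name[len] != '\0')
        len++;
    if (len == NAME_MAX)
        return -1;
    memcpy(f->mem, name, len + 1);
    return 0;
}

/* The attacker's "horse name": filler that exactly fills the legitimate slot, then
 * the four address bytes that land on the saved return address. Returns the name's
 * length (without terminator), or 0 if `out` is too small. */
size_t build_evil_name(unsigned char *out, size_t cap)
{
    if (cap < NAME_MAX + 4 + 1)
        return 0;
    memset(out, 'A', NAME_MAX);
    store_be32(out + NAME_MAX, LOADER_ADDR);
    out[NAME_MAX + 4] = '\0';
    return NAME_MAX + 4;
}

/* Return address left in the frame after an unchecked copy of `name`. */
uint32_t ret_after_unchecked(const unsigned char *name)
{
    struct frame f;
    frame_init(&f);
    copy_name_unchecked(&f, name);
    return load_be32(f.mem + RET_OFFSET);
}

/* Return code of the checked copy; *ret_after receives the return address afterwards. */
int checked_result(const unsigned char *name, uint32_t *ret_after)
{
    struct frame f;
    frame_init(&f);
    int rc = copy_name_checked(&f, name);
    *ret_after = load_be32(f.mem + RET_OFFSET);
    return rc;
}

int main(void)
{
    unsigned char evil[NAME_MAX + 8];
    uint32_t ret;
    build_evil_name(evil, sizeof evil);
    printf("unchecked, evil name: return -> 0x%08x (hijacked)\n",
           (unsigned)ret_after_unchecked(evil));
    int rc = checked_result(evil, &ret);
    printf("checked,   evil name: rc=%d, return -> 0x%08x (intact)\n", rc, (unsigned)ret);
    return 0;
}
```

Two details of this toy carry over to the real thing: the address bytes smuggled in the name cannot contain a NUL, because a strcpy-style copy stops at the first one it meets, and the fix is not a bigger buffer but refusing (or truncating) any name longer than the slot the game reserved for it.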

The payload in the savegame does nothing on its own except hand control to whatever executable you put on the SD card, which is why this exploit’s called a chainloader: one stage loads the next, so you can use it to run any code you’d like.  I tested this first with a homebrewed Tetris game.  It isn’t bad, certainly not anything I’d spend an immense amount of time playing, but it’s a start — proof that the hack worked.  After I reset the console I was able to get into all my channels and games, so no damage was done.  I put the Homebrew Channel installer onto the SD card, and ran the hack again — and smooth as silk, it installed a very professional-looking channel complete with custom wave animation and even a little ditty like all the other channels get.  The installer was done via a very non-Nintendo-looking console application (does this mean the Wii runs computer hardware?), but the prompts (if you have a clear enough TV) are very simple to follow, the console equivalent of “press next all the way through”.  And it integrates seamlessly with the rest of the Wii Channels menu, as well.  If I hadn’t installed it myself by such nefarious means, I would have thought the console came with it.

You can also test homebrew apps (or one you’re coding yourself) by uploading them over your wireless LAN, if you have one.  This is handy for checking how something works without actually getting up, pulling the SD card out, and putting it back into your computer, or if your SD card is already full of other stuff and you aren’t sure you want to keep a particular app long-term.

Here’s a video of installing the new channel, complete with a demo of a few different homebrew / emulator programs.  All in all, very impressive.  The only shame of the whole thing is the SD card that you use is limited to 2 gigs, meaning I can only store so many ROMs or media at a time.  Ah, the crosses I have to bear.

And yeah, if any of you other Wii-owners want to borrow my copy of Twilight Princess and get this hack running, I’ll loan it out to you, as soon as Jodi’s done playing it — she’s starting a new game now.

Comments

  1. Me says

    You got roped into doing the video editing because the idiot that used to do it no longer works there.

    Cool hack.

  2. says

    I should have put Twilight Princess on your other game post a while ago… or maybe you did?
    It’s a great game, I love it :)

  3. says

    OH, heavens no, me?  Never!  Copyright infringement is a great evil thing, taking money away from those poor souls at the RIAA/MPAA/BSA!  I always buy all the games I like. 

    (Please note the operative words in that last sentence.)
