In memory of Ben “bushing” Byer, who passed away on Monday, February 8th, 2016.

Difference between revisions of "Bluebomb"

From WiiBrew
m (Removed Stub)
(Undo revision 119987 by HexGlaze (talk) - While many think that GNU/Linux is the correct terminology to use, Linux is the most commonly used name. Having GCC installed on a Linux computer that may otherwise be rid of GNU software does not automatically make it a GNU/Linux system, at least in my perspective.)
Tag: Undo
 
(20 intermediate revisions by 7 users not shown)
Line 7: Line 7:
 
| download    = https://github.com/Fullmetal5/bluebomb/releases
 
| download    = https://github.com/Fullmetal5/bluebomb/releases
 
| source      = https://github.com/Fullmetal5/bluebomb
 
| source      = https://github.com/Fullmetal5/bluebomb
| website    = https://wii.guide/bluebomb
+
| website    = https://fullmetal5.github.io/
| peripherals = {{Bluetooth}} {{USBMSD}}
+
| peripherals = [[File:BluetoothLogo.png|16px]] {{USBMSD}}
 
}}
 
}}
 
+
'''Bluebomb''' is an exploit for Broadcom's Bluetooth stack used in the Nintendo Wii. The main benefit of it is that it can be used on the [[Wii mini]], which lacks functionality used by other exploits. It can also be used to recover from Banner bricks. It takes advantage of the Wii's [[Bluetooth]] and injects unsigned code into the system via Bluetooth.
'''Bluebomb''' is an exploit for Broadcom's Bluetooth stack used in the Nintendo Wii. The main benefit of it is that it can be used on the Wii Mini, which lacks functionality used by other exploits. It can also be used to recover from Banner bricks. It takes advantage of the Wii's Bluetooth and injects unsigned code into the system via Bluetooth.
 
  
 
Installation requires a computer that can use Bluetooth and a Linux operating system.  
 
Installation requires a computer that can use Bluetooth and a Linux operating system.  
  <span class="closebtn" onclick="this.parentElement.style.display='none';">&times;</span>
+
* For the original Wii, we recommend using [[Homebrew setup|another exploit]] instead if you intend to install the Homebrew Channel and/or BootMii.
  For the original Wii, we recommend using <span class="plainlinks">[https://wiibrew.org/wiki/Homebrew_setup{{{1| }}} {{{2|{{{1|another exploit }}}}}}]</span> instead if you intend to install the Homebrew Channel and/or BootMii.
+
* This exploit will not work on a Wii U’s vWii.
</div>
+
* Do not attempt to install a Wii IOS or System Menu on the Wii mini. Doing so will likely brick your console.
  
<div class="alert">
+
==Requirements==
  <span class="closebtn" onclick="this.parentElement.style.display='none';">&times;</span>
+
* USB formatted as FAT32
  This exploit will not work on a Wii U’s vWii.
+
** This cannot be the same device used for your Linux Machine.
</div>
+
* A Linux machine
 +
** If you are using a Chromebook, Linux mode will not work, you will have to replace ChromeOS, this is possible on some models of chromebook.
 +
** If you have a Raspberry Pi, you can use that instead as it most likely has Linux preinstalled.
 +
** Windows Subsystem for Linux will not work as it does not have direct access to the Bluetooth adapter or USB ports.
 +
** If you do not have a GNU/Linux operating system, Linux Mint is the most user-friendly option and can be run on computers running Windows or Mac, and the entire operating system can run without having to install.
 +
** To install a GNU/Linux operating system, simply choose the distro of your choice and install it onto a USB, CD or DVD with programs like Rufus or BalenaEtcher.
 +
* An internal Bluetooth adapter will work.
 +
** If you do not have one, make sure to get one compatible with Linux.
  
<div class="alert">
+
==Exploit Setup==
  <span class="closebtn" onclick="this.parentElement.style.display='none';">&times;</span>
 
  Do not attempt to install a Wii IOS or System Menu on the Wii mini. Doing so will likely brick your console.
 
</div>
 
 
 
===Requirements===
 
<dl>
 
  <dt>USB is formatted as FAT32</dt>
 
  <dd>⁃ This cannot be the same flash drive used for your Linux Machine.</dd>
 
  <dt>A Linux machine</dt>
 
  <dd>⁃ If you are using a Chromebook, you do not need to install another Operating System; instead, enable Linux in ChromeOS.</dd>
 
  <dd>⁃ If you have a Raspberry Pi, you can use that instead as it most likely has Linux preinstalled.</dd>
 
  <dd>⁃ Windows Subsystem for Linux will not work as it does not have direct access to the Bluetooth adapter or USB ports.</dd>
 
  <dd>⁃ If you do not have Linux, Ubuntu is the most user-friendly option and can be run on computers running Windows or Mac.</dd>
 
  <dd>⁃ 32-bit devices will require Ubuntu 16.04.</dd>
 
  <dd>⁃ For 64-bit devices, it is recommended to use the LTS edition due to its stability, but the latest release works as well.
 
</dd>
 
  <dd>⁃ You can <span class="plainlinks">[https://ubuntu.com/tutorials/tutorial-create-a-usb-stick-on-windows#1-overview{{{1| }}} {{{2|{{{1|flash a Linux install to a USB flash drive}}}}}}]</span> instead of installing it on your computer.</dd>
 
  <dt>A Bluetooth adapter.</dt>
 
  <dd>⁃ An internal Bluetooth adapter will work.</dd>
 
  <dd>⁃ If you do not have one, make sure to get one compatible with Linux.</dd>
 
</dl>
 
 
 
===Exploit Setup===
 
 
1. Download the HackMii installer from <span class="plainlinks">[https://bootmii.org/download/{{{1| }}} {{{2|{{{1|the BootMii website.}}}}}}]</span>
 
1. Download the HackMii installer from <span class="plainlinks">[https://bootmii.org/download/{{{1| }}} {{{2|{{{1|the BootMii website.}}}}}}]</span>
 
(If fixing a Wii brick, you can get a boot.elf of whatever app you want to use to fix the brick.)
 
(If fixing a Wii brick, you can get a boot.elf of whatever app you want to use to fix the brick.)
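Review bot: the added Chromebook bullet ("Linux mode will not work, you will have to replace ChromeOS") flatly contradicts the line it replaces ("you do not need to install another Operating System; instead, enable Linux in ChromeOS") and neither of the two edit summaries shown gives a source or a reason for the reversal; state why Linux mode fails, the way the neighbouring WSL bullet does for WSL, and fix the comma splices in that sentence. Two smaller points in the same hunk: the new sub-bullets say "GNU/Linux operating system" while their parent bullet ("A Linux machine") and the edit summary both prefer "Linux", and the removed "32-bit devices will require Ubuntu 16.04" guidance disappears with no replacement.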
Line 98: Line 81:
 
</div>
 
</div>
  
===d2xl cIOS for Wii Mini===
+
==Credits==
<div class="alert">
+
<span class="plainlinks">[https://raw.githubusercontent.com/RiiConnect24/Wii-Guide/master/_pages/en_US/bluebomb.md{{{1| }}} {{{2|{{{1|Original Guide}}}}}}]</span>
  <span class="closebtn" onclick="this.parentElement.style.display='none';">&times;</span>
 
  This cIOS version is only for the Wii Mini. Be also aware that cIOS for Wii Mini is still experimental, though no problems have been reported yet
 
</div>
 
1. Download the <span class="plainlinks">[https://wii.guide/assets/files/d2xl_wii_mini_cIOS_installer_v1_beta2.zip{{{1| }}} {{{2|{{{1|Leseratte’s d2xl cIOS Installer}}}}}}]</span>
 
 
 
2. Put the <code>cIOS Installer</code> in the <code>apps</code> folder on the USB drive. (If not there you can make a folder called <code>apps</code>)
 
 
 
3. Insert your USB drive into your Wii mini and load The <code>cIOS Installer</code> from the Homebrew Channel.
 
 
 
4. Press continue, then set the options to the following
 
 
 
<code>
 
Select cIOS: d2xl-v1-beta2
 
</code>
 
 
 
<code>
 
Select cIOS base: 57
 
</code>
 
 
 
<code>
 
Select cIOS slot: 249
 
</code>
 
 
 
Take a note of the version number (either <code>v31776</code> or <code>v31775</code>)
 
 
 
5. Once set, press A to install. Once done successfully, exit the installer.
 
 
 
⦿ If the install fails with a <code>TMD version mismatch error</code>, move the +Control pad left or right in the <code>Select cIOS</code> option until the version number is different than the one you tried before.
 
 
 
===Enabling Ethernet===
 
If you wish to use ethernet on the Wii Mini, you have to run the <span class="plainlinks">[https://wii.guide/assets/files/Wii_Mini_Ethernet_Enable.zip{{{1| }}} {{{2|{{{1|Ethernet Enabler Homebrew}}}}}}]</span> app made by [[User:Fullmetal5|Fullmetal5]]. To run it, just unzip it in the <code>apps</code>folder in your USB drive and run it from the Homebrew Channel.
 
===Credits===
 
span class="plainlinks">[https://https://wii.guide/bluebomb{{{1| }}} {{{2|{{{1|Original Guide}}}}}}]</span>
 
  
 
[[User:Fullmetal5|Fullmetal5]] (BlueBomb Exploit)
 
[[User:Fullmetal5|Fullmetal5]] (BlueBomb Exploit)
  
[[User:NicolasPlayz |NicolasPlayz]] (Making the original guide [for wii.guide and wiibrew])
+
[[User:NicolasPlayz |NicolasPlayz]] (Making the original guide)
  
 
urmum_69 (Script author)
 
urmum_69 (Script author)
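Review bot: this hunk drops the entire "d2xl cIOS for Wii Mini" and "Enabling Ethernet" sections (the installer settings d2xl-v1-beta2 / base 57 / slot 249, the TMD version mismatch workaround, and the Ethernet Enabler app) and neither of the two edit summaries shown says where that content went; if it moved to another page, link it from the new Credits section or the intro. The replacement "Original Guide" link does fix the malformed `https://https://wii.guide/bluebomb` URL, but it now points at the raw Markdown source on raw.githubusercontent.com rather than at a rendered page.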
Line 142: Line 92:
 
twosecslater (Script author)
 
twosecslater (Script author)
  
Commandblock6417 (Contributor)
+
Devnol (Contributor)
  
 
Terry A. Davis (Script Motivation)
 
Terry A. Davis (Script Motivation)
 +
 +
==How it works==
 +
Bluebomb exploits a bug in the Bluetooth system that sets a lower bound to the Bluetooth channels that can be used, but no upper bound. On the computer, BlueBomb connects to the Wii, then uploads the stage 0 code in the attribute response, and it uploads some data in the format of a Bluetooth channel configuration in the service response. The channel configuration is normally part of a doubly linked list, but in this fake configuration the next pointer points to the beginning of the stage 0 code, while the previous pointer points near the function that handles packets being received. The computer then takes the out-of-bounds channel id of the fake configuration that was uploaded, and tells the Wii that that id is invalid, which makes the Wii "remove" it from the linked list it thinks it is in. This means changing the previous pointer of what appears to be next to be the next on the fake configuration, and the next pointer of what appears to be the previous to be the next of the fake configuration. Changing the "next" pointer of the previous changes part of the code in the packet receiving function to instead jump to the stage 0 code. Meanwhile, the previous of the next changes a byte in the stage 0 code that is intentionally jumped over to avoid corruption in that code.
 +
 +
Once the stage 0 code launches, it starts by making sure the packet handler function returns normally after the first part of stage 0 is finished. It then jumps over the byte that gets replaced by the exploit because of the changing of the linked list, and copies itself to an unused portion of memory where other Bluetooth connections won't interfere. After this, it changes the value changed earlier to instead point to a location in the copy of stage 0. The computer now uploads the stage 1 code in chunks, which gets stored in some more unused memory, and when the downloading finishes, it launches stage 1. This is done because the attribute response is limited in space, and there is not enough space for stage 1 to happen in 1000 bytes.
 +
 +
Finally, stage 1 opens the USB and reads the file system for a boot.elf or boot.dol file, usually the HackMii Installer, which is loaded into memory and run.
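Review bot: in the new "How it works" paragraph the sentence "This means changing the previous pointer of what appears to be next to be the next on the fake configuration, and the next pointer of what appears to be the previous to be the next of the fake configuration" is the key step and is hard to follow; read literally it says both neighbours receive the fake node's next pointer. Spell the two writes out separately and say which one lands in the packet-receiving function and which one lands in the stage 0 code. Also "there is not enough space for stage 1 to happen in 1000 bytes" should say what the 1000 bytes is (the attribute response limit?), and the credits change from Commandblock6417 to Devnol is not mentioned in either edit summary.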

Latest revision as of 16:33, 30 March 2024

Bluebomb
Author(s): Fullmetal5
Type: Exploit
Links: Download, Website, Source
Peripherals: Bluetooth, USB mass storage device

Bluebomb is an exploit for the Broadcom Bluetooth stack used in the Nintendo Wii. Its main benefit is that it works on the Wii mini, which lacks functionality used by other exploits. It can also be used to recover from banner bricks. It takes advantage of the Wii's Bluetooth stack to inject unsigned code into the system over Bluetooth.

Installation requires a computer that can use Bluetooth and a Linux operating system.

  • For the original Wii, we recommend using another exploit instead if you intend to install the Homebrew Channel and/or BootMii.
  • This exploit will not work on a Wii U’s vWii.
  • Do not attempt to install a Wii IOS or System Menu on the Wii mini. Doing so will likely brick your console.

Requirements

  • A USB drive formatted as FAT32
    • This cannot be the same device used for your Linux machine.
  • A Linux machine
    • If you are using a Chromebook, Linux mode will not work; you will have to replace ChromeOS, which is possible on some models of Chromebook.
    • If you have a Raspberry Pi, you can use that instead, as it most likely has Linux preinstalled.
    • Windows Subsystem for Linux will not work, as it does not have direct access to the Bluetooth adapter or USB ports.
    • If you do not have a GNU/Linux operating system, Linux Mint is the most user-friendly option. It can be run on computers running Windows or Mac, and the entire operating system can run without being installed.
    • To install a GNU/Linux operating system, choose the distro of your choice and write it to a USB drive, CD or DVD with a program such as Rufus or balenaEtcher.
  • A Bluetooth adapter (an internal one will work)
    • If you do not have one, make sure to get one that is compatible with Linux.

Exploit Setup

1. Download the HackMii installer from the BootMii website. (If fixing a Wii brick, you can get a boot.elf of whatever app you want to use to fix the brick.)

2. Unpack it and place the boot.elf file in your flash drive.

3. Connect the flash drive to the console. On a Wii mini, the USB port is on the back. On a normal Wii, use the bottom port (or the right port if the console stands upright).

4. Turn on your console and navigate to the settings menu. In the top right corner, you should see a 4-character code like the one in the picture below. This code is your Wii Menu version; take note of it, as you will need it later. Afterwards, turn your console off. (If you are trying to use Bluebomb to recover from a brick, you can assume your Wii Menu version is 4.3.)

[Image: SystemMenuVersion.png, the Wii Menu version shown in the top right corner of the settings menu]

5. Launch your Linux distro and ensure you are connected to the internet.

6. Open the Linux Terminal by pressing CTRL + SHIFT + T.

7. Run the following commands:

wget https://wii.guide/assets/files/bluebomb-helper.sh

chmod +x bluebomb-helper.sh

./bluebomb-helper.sh

8. The helper will then download the required files and ask for information about your console.

  • If you have selected a Wii mini, you will be asked to provide your region. This can be determined from the last letter of the Wii Menu version (U for USA and E for PAL models).

9. If you have selected a Wii, you will be asked to provide your Wii Menu version (what you determined in step 4).

10. Turn on your console and do not connect any Wiimotes.

11. Press the Sync button repeatedly until the terminal shows "got connection handle". This could take numerous attempts, so don't give up.

Note: make sure that the console is close to the computer running the exploit; ideally it should be less than 3 feet away.

Homebrew install

  1. You will see a scam warning screen. Wait 30 seconds for the text “Press 1 to continue” to appear, then press 1.
  2. Select Install The Homebrew Channel and click install.
  3. Click Continue when finished.
  4. Once done, select Exit to exit the HackMii Installer.
Note: do not attempt to install BootMii. It does not work with the Wii mini just yet.

Credits

Original Guide

Fullmetal5 (BlueBomb Exploit)

NicolasPlayz (Making the original guide)

urmum_69 (Script author)

twosecslater (Script author)

Devnol (Contributor)

Terry A. Davis (Script Motivation)

How it works

Bluebomb exploits a bug in the Wii's Bluetooth stack: the stack checks that a Bluetooth channel id is not below a lower bound, but never checks it against an upper bound. On the computer, Bluebomb connects to the Wii, uploads the stage 0 code in the attribute response, and uploads data laid out like a Bluetooth channel configuration in the service response. A real channel configuration is a node in a doubly linked list; in this fake configuration, the "next" pointer points to the beginning of the stage 0 code and the "previous" pointer points near the function that handles received packets. The computer then takes the out-of-bounds channel id of the fake configuration and tells the Wii that this id is invalid, so the Wii "removes" the fake node from the linked list it believes the node belongs to. Removal rewrites the two neighbours: the "previous" pointer of the node the fake configuration calls "next", and the "next" pointer of the node it calls "previous", are both overwritten with the fake configuration's "next" pointer. Rewriting the "next" pointer of the "previous" node overwrites part of the packet-receiving function's code, turning it into a jump to stage 0. Rewriting the "previous" pointer of the "next" node changes a byte inside the stage 0 code, which stage 0 deliberately jumps over so that the corruption does no harm.

Once stage 0 runs, it first makes sure that the packet handler function will return normally after the first part of stage 0 finishes. It then jumps over the byte that the list manipulation overwrote and copies itself to an unused region of memory where other Bluetooth connections will not interfere with it. After that, it changes the value modified earlier so that it points to a location in the copy of stage 0. The computer now uploads the stage 1 code in chunks, which are stored in more unused memory; when the download finishes, stage 1 is launched. Chunking is needed because the attribute response is limited in size, and stage 1 does not fit within 1000 bytes.

Finally, stage 1 opens the USB device and searches its file system for a boot.elf or boot.dol file, usually the HackMii Installer, which it loads into memory and runs.
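As an added illustration (not code from Bluebomb or from the Wii's Bluetooth stack): a small C model of the two weaknesses described above, the channel-id check that enforces only a lower bound beside its two-sided fix, and a list removal hardened with a safe-unlinking check that rejects a node whose neighbours do not point back at it. All identifiers, the bound value and the table size are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the two weaknesses described in "How it works": a
 * channel-id check with a lower bound only, and a list removal that trusts
 * the node's own links. Names (MIN_CID, NUM_CHANNELS, chan_*) are assumed. */
#define MIN_CID      0x40   /* assumed lowest valid channel id */
#define NUM_CHANNELS 8      /* assumed size of the channel table */

typedef struct chan_cfg {
    struct chan_cfg *next, *prev;   /* doubly linked list links */
    uint16_t cid;
} chan_cfg;
static chan_cfg table[NUM_CHANNELS];

/* Vulnerable pattern: only the lower bound is checked, so a large id
 * yields a pointer past the end of the table. */
chan_cfg *chan_lookup_vuln(uint16_t cid) {
    if (cid < MIN_CID) return NULL;
    return &table[cid - MIN_CID];
}

/* Fixed pattern: both bounds are checked before the index is formed. */
chan_cfg *chan_lookup_fixed(uint16_t cid) {
    if (cid < MIN_CID || cid >= MIN_CID + NUM_CHANNELS) return NULL;
    return &table[cid - MIN_CID];
}

/* Safe unlinking: refuse to relink unless both neighbours point back at
 * this node. A forged node whose links aim into code fails this check. */
bool chan_unlink_safe(chan_cfg *n) {
    if (n->next == NULL || n->prev == NULL) return false;
    if (n->next->prev != n || n->prev->next != n) return false;
    n->next->prev = n->prev;
    n->prev->next = n->next;
    n->next = n->prev = NULL;
    return true;
}

/* Builds a genuine three-node list plus a forged node; returns true only
 * if the genuine unlink succeeds and the forged one is rejected. */
bool unlink_demo(void) {
    chan_cfg a = {0}, b = {0}, c = {0}, fake = {0};
    a.next = &b; b.prev = &a; b.next = &c; c.prev = &b;
    fake.next = &a; fake.prev = &c;       /* neighbours do not point back */
    bool genuine = chan_unlink_safe(&b) && a.next == &c && c.prev == &a;
    bool forged = chan_unlink_safe(&fake);
    return genuine && !forged;
}
```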