Difference between revisions of "Wii system flaws"
Jump to navigation
Jump to search
Hallowizer (talk | contribs) (Mentioned the diflags register.) |
|||
| Line 18: | Line 18: | ||
| [[fail0verflow]] | | [[fail0verflow]] | ||
|- | |- | ||
| − | | | + | | DVD-Video support is inadequately protected |
| While the Wii was initially meant to support DVD playback, it was scrapped to avoid needing to pay licensing fees. This support was removed in later revisions of the disc drive. However, when the [[Hardware/Hollywood_Registers|Hollywood register ahbprot]] is disabled (e.g. by [[The Homebrew Channel]]), or diflags is enabled, homebrew can be used to read DVDs. | | While the Wii was initially meant to support DVD playback, it was scrapped to avoid needing to pay licensing fees. This support was removed in later revisions of the disc drive. However, when the [[Hardware/Hollywood_Registers|Hollywood register ahbprot]] is disabled (e.g. by [[The Homebrew Channel]]), or diflags is enabled, homebrew can be used to read DVDs. | ||
| − | | DVDs can be | + | | DVDs can be read on the Wii. |
| Unknown | | Unknown | ||
| July 2008 | | July 2008 | ||
Revision as of 03:03, 25 March 2021
This page documents the various bugs in the Wii.
Hardware
| Summary | Description | Successful exploitation result | Fixed in hardware revision | Discovered | Discovered by |
|---|---|---|---|---|---|
| HW_BOOT0 not clear-only | To prevent boot0 from being dumped, boot2 clears register HW_BOOT0 that allows the boot0 ROM to be read. However, Nintendo forgot to make this register clear-only, so simply re-enabling it allows boot0 to be dumped from 0xFFFE0000 or 0xFFFF0000 in memory. | boot0 can be obtained. | Unfixed | May 2008 | fail0verflow |
| DVD-Video support is inadequately protected | While the Wii was initially meant to support DVD playback, it was scrapped to avoid needing to pay licensing fees. This support was removed in later revisions of the disc drive. However, when the Hollywood register ahbprot is disabled (e.g. by The Homebrew Channel), or diflags is enabled, homebrew can be used to read DVDs. | DVDs can be read on the Wii. | Unknown | July 2008 | fail0verflow |
boot1
| Summary | Description | Successful exploitation result | Fixed in boot1 version | Discovered | Discovered by |
|---|---|---|---|---|---|
| strncmp used to compare hashes | boot1 verifies the signature of boot2 before booting it, however, the signing bug is present, allowing a fake boot2 to be loaded. | A custom bootloader can be installed, such as BootMii. | boot1c | Unknown | fail0verflow |
boot2
| Summary | Description | Successful exploitation result | Fixed in boot2 version | Discovered | Discovered by |
|---|---|---|---|---|---|
| No IOS signature check | Unlike boot1, boot2 does not check IOS's signature before launching it, allowing any System Menu IOS to be installed. | Any System Menu IOS can be installed. | Unfixed | Unknown | fail0verflow |
| No System Menu TMD signature check | When reading the System Menu TMD, no signature check is done; the IOS number is immediately trusted. | A custom System Menu IOS can be installed into a higher slot without overwriting the original IOS. | Unfixed | Unknown | fail0verflow |
IOS
| Summary | Description | Successful exploitation result | Fixed in system update | Discovered | Discovered by |
|---|---|---|---|---|---|
| Trucha bug | The Wii used the strncmp function to check signatures, which always stopped at the first null byte, weakening the security. More information can be found at signing bug. | Custom titles can be installed, and fakesigned discs can be played. | October 23 Update (still exploitable by IOS16 pirates), 4.0 | Unknown | fail0verflow |
| STM release bug | The state transition manager checks if a handle is invalid before releasing it, but forgets to actually refuse to release it if it is invalid. More information can be seen at STM Release Exploit | Control over IOS can be gained. | 4.0 | Unknown | fail0verflow |
| No signature checks when switching IOS | IOS signatures are checked on install, but never on launch. This means that if an IOS can be installed, it can be launched without further exploitation. | Any cIOS that can bypass the installation signature checks can be launched. | Unfixed | July 2008 | fail0verflow |
| No System Menu signature check | IOS does not verify the System Menu's signature before launching that, which means any System Menu can be installed. | A custom System Menu, such as Priiloader, can exist without bricking the system. | Unfixed | Unknown | crediar |
System Menu
| Summary | Description | Successful exploitation result | Fixed in system update | Discovered | Discovered by |
|---|---|---|---|---|---|
| No signature checks on NAND launch | Except when IOS is exploited, channels are checked for signatures before installation. However, no such check exists when launching from the NAND, allowing custom channels to live on the NAND perfectly fine.
Launching from SD card is internally treated as copying a channel to the NAND before launching it, which is why signature checks exist for SD launching. Note that there is a check for discs, to prevent homebrew discs without any exploits. |
If an unsigned channel can be installed to the NAND, it can be launched without further exploitation. | 4.3-U (unfixed in 4.3-Mini) | Unknown | fail0verflow |
MIOS
| Summary | Description | Successful exploitation result | Fixed in MIOS version | Discovered | Discovered by |
|---|---|---|---|---|---|
| Memory not cleared before booting GC game | When MIOS loads a GameCube game, it never clears the 48K bytes of memory that the game should not have access to. By using a pair of tweezers to change the address lines, the entire memory can be dumped. | MIOS and the rest of memory can be dumped using GameCube homebrew. | v8 | Unknown | fail0verflow |
Nintendo SDK
These flaws exist in every official application, because they are bundled in, probably in the official SDK. For this reason, they are very difficult to fix.
| Summary | Description | Successful exploitation result | Fixed in | Discovered | Discovered by |
|---|---|---|---|---|---|
| No upper bound to CCB array | The Fluoride Bluetooth stack includes a function to get a CCB from an ID. This function checks whether the ID is below the lower bound, however, no upper bound is enforced.
By carefully crafting an ID, a fake CCB entry can be placed in the handles array. Sending a packet to free this struct causes it to "unlink" from its adjacent entries, which can be used to get an arbitrary write, and therefore code execution. |
PPC code execution (used in Bluebomb) | vWii | September 2019 | Fullmetal5 |