Changes

213 bytes added, 21:48, 29 April 2022
→‎Explanation: updated 3.4 info and added more 3.3 info
Line 98: Line 98:  
The hack exploits a [http://en.wikipedia.org/wiki/Stack_smashing buffer overflow error] caused by loading a specially crafted save file for Twilight Princess. The save file stores a custom name for Epona, Link's horse, that is much longer than what the game would usually allow, in fact it even contains a small program. While the game doesn't allow you to manually enter a name this long it doesn't check the name in the file. When the game tries to load the name into memory it inadvertently drops the small program into memory filling not only the "horse name" buffer but adjacent ones. In a round about way these regions of memory happen to be designated the next region the console should execute. As you can see the save file is specially crafted indeed. Once the code loads it runs either a "boot.elf" or "boot.dol" file from the root of the SD card. If the boot.elf and bootmini.elf that loads HackMii exists on the root of your SD Card, you can use it to then install BootMii IOS, BootMii Boot2 (if compatible), or, importantly, the Homebrew Channel.
   −
When [[System Menu 3.3]] came around, a check was added to delete all Twilight Hack save files, and prevent them from being copied onto the [[Hardware/NAND|NAND]]. Luckily, the [[System Menu]] only checked the first instance of zeldaTp.dat in the save, which meant a hacked zeldaTp.dat could be placed later in the WAD and survive.
+
When [[System Menu 3.3]] came around, a check was added to delete all Twilight Hack save files, and prevent them from being copied onto the [[Hardware/NAND|NAND]]. Luckily, the [[System Menu]] only checked the first instance of zeldaTp.dat in the save, which meant a hacked zeldaTp.dat could be placed later in the WAD and survive. This version of the Twilight Hack does not give different paths to the zeldaTp.dat files, but since the legitimate one (16k of zeros) is earlier, the hacked one gets written over it.
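Review bot: the added sentence is ambiguous about which copy overwrites which; "the hacked one gets written over it" can be read as the hacked copy being the one overwritten. Since both entries share the path zeldaTp.dat and the menu only inspects the first instance, suggest stating it in extraction order, e.g. "the legitimate zeldaTp.dat (16k of zeros) comes first and passes the check; the hacked zeldaTp.dat later in the WAD is then written over it." The defensive lesson worth making explicit is that a check which validates only the first entry of a given name is defeated by any container format that permits duplicate paths.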
   −
A similar bug existed in the [[System Menu 3.4]], although here, only the last zeldaTp.dat was checked, meaning the first zeldaTp.dat could contain the exploit here.
+
A similar bug existed in the [[System Menu 3.4]], although here, only the last file is checked to be a zeldaTp.dat, so the Twilight Hack places a file called FAILURE (with content FAILURE) there.
    
== [[Wiibrew FAQ|FAQ]] ==
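Review bot: the rewritten 3.4 sentence does not say whether the check passes or fails when the last file is not a zeldaTp.dat; "only the last file is checked to be a zeldaTp.dat, so the Twilight Hack places a file called FAILURE (with content FAILURE) there" reads as though FAILURE satisfied a name check. Suggest spelling out the logic: the menu examines only the last file in the save and applies the Twilight Hack check only if that file is zeldaTp.dat, so appending a dummy file named FAILURE means the exploit save earlier in the WAD is never inspected. It would also help to note that the 3.3 and 3.4 bugs are the same class of mistake, validating a single entry (first or last) instead of every entry in the save.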