Bluebomb

From WiiBrew
General
  Author(s): Fullmetal5
  Type: Exploit
Links
  Download
  Website
  Source
Peripherals
  Bluetooth, USB mass storage device


Bluebomb is an exploit for Broadcom's Bluetooth stack used in the Nintendo Wii. Its main benefit is that it works on the Wii mini, which lacks functionality used by other exploits. It can also be used to recover from Banner bricks. It abuses a bug in the Wii's Bluetooth stack to inject unsigned code into the system over a Bluetooth connection.

Installation requires a computer that can use Bluetooth and a Linux operating system.

For the original Wii, we recommend using another exploit instead if you intend to install the Homebrew Channel and/or BootMii.

This exploit will not work on a Wii U's vWii.

Do not attempt to install a Wii IOS or System Menu on the Wii mini. Doing so will likely brick your console.

Requirements

- A USB flash drive formatted as FAT32
  - This cannot be the same flash drive used for your Linux machine.
- A Linux machine
  - If you are using a Chromebook, you do not need to install another operating system; instead, enable Linux in ChromeOS.
  - If you have a Raspberry Pi, you can use that instead, as it most likely has Linux preinstalled.
  - Windows Subsystem for Linux will not work, as it does not have direct access to the Bluetooth adapter or USB ports.
  - If you do not have a GNU/Linux operating system, Linux Mint is the most user-friendly option. It can be run on computers running Windows or Mac, and the entire operating system can run from the boot medium without being installed.
  - To install a GNU/Linux operating system, simply choose the distro of your choice and write it onto a USB, CD or DVD with a program like Rufus or BalenaEtcher.
- A Bluetooth adapter
  - An internal Bluetooth adapter will work.
  - If you do not have one, make sure to get one compatible with Linux.

Exploit Setup

1. Download the HackMii installer from the BootMii website. (If fixing a Wii brick, you can get a boot.elf of whatever app you want to use to fix the brick.)

2. Unpack it and place the boot.elf file on your flash drive.

3. Connect the flash drive to the console. On a Wii mini, the USB port is on the back. On a normal Wii, use the bottom port (or the right port if the console is standing upright).

4. Turn on your console and navigate to the settings menu. In the top right corner you should see a 4-character code like the one in the picture below. This code is your Wii Menu version; take note of it, as you will need it later. Afterwards, turn your console off. (If you are trying to use BlueBomb to recover from a brick, you can assume your Wii Menu version is 4.3.)

[Image: SystemMenuVersion.png, the Wii Menu version shown in the top right corner of the settings menu]

5. Launch your Linux distro and ensure you are connected to the internet.

6. Open the Linux Terminal by pressing CTRL + SHIFT + T.

7. Run the following commands:

wget https://wii.guide/assets/files/bluebomb-helper.sh
chmod +x bluebomb-helper.sh
./bluebomb-helper.sh

8. The helper will then download the required files, and ask for information about your console.
  - If you have selected a Wii mini, you will be asked to provide your region. This can be determined by the last letter of the Wii Menu version (U for USA and E for PAL models).

9. If you have selected a Wii, you will be asked to provide your Wii Menu Version (what you determined in step 4).

10. Turn on your console and do not connect any Wiimotes.

11. Press the Sync button repeatedly until the terminal shows "got connection handle". This could take numerous attempts, so don't give up.

Make sure that the console is close to the computer running the exploit; ideally it should be less than 3 feet away.

Homebrew install

1. You will see a scam warning screen. Wait 30 seconds for the text "Press 1 to continue" to appear, then press 1.
2. Select Install The Homebrew Channel and click Install.
3. Click Continue when finished.
4. Once done, select Exit to exit the HackMii Installer.

Do not attempt to install BootMii. It does not work with the Wii Mini just yet.

Credits

Original Guide

Fullmetal5 (BlueBomb Exploit)

NicolasPlayz (Making the original guide [for wii.guide and wiibrew])

urmum_69 (Script author)

twosecslater (Script author)

Commandblock6417 (Contributor)

Terry A. Davis (Script Motivation)

How it works

Bluebomb exploits a bug in the Wii's Bluetooth stack: the check on Bluetooth channel ids enforces a lower bound but no upper bound. On the computer, BlueBomb connects to the Wii, uploads the stage 0 code in the attribute response, and uploads data laid out like a Bluetooth channel configuration in the service response. A real channel configuration is part of a doubly linked list; in the fake one, the next pointer points to the beginning of the stage 0 code, while the previous pointer points near the function that handles received packets. The computer then takes the out-of-bounds channel id of the fake configuration and tells the Wii that this id is invalid, which makes the Wii "remove" it from the linked list it believes it belongs to. Removing it means setting the previous pointer of the apparent next record to the fake configuration's previous pointer, and the next pointer of the apparent previous record to the fake configuration's next pointer. Changing the "next" pointer of the previous record overwrites part of the code in the packet receiving function so that it instead jumps to the stage 0 code. Meanwhile, changing the "previous" pointer of the next record overwrites a byte in the stage 0 code that is intentionally jumped over, so that code is not corrupted.

Once the stage 0 code runs, it first makes sure the packet handler function returns normally after the first part of stage 0 is finished. It then jumps over the byte that the exploit's list manipulation replaced, and copies itself to an unused portion of memory where other Bluetooth connections will not interfere with it. After this, it changes the value altered earlier to instead point to a location in the copy of stage 0. The computer now uploads the stage 1 code in chunks, which are stored in more unused memory, and when the download finishes, it launches stage 1. This is done because the attribute response is limited in size, and 1000 bytes is not enough for stage 1.

Finally, stage 1 opens the USB device and searches its file system for a boot.elf or boot.dol file (usually the HackMii Installer), which is loaded into memory and run.
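To make the two defects described above concrete, here is an added C model (not Broadcom's or Bluebomb's code): a channel-id check with only a lower bound beside one with both bounds, and a linked-list unlink that trusts the record's pointers beside a checked unlink that refuses a forged record before writing anything. The table size, base id and record layout are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
/* Constructed model, not Broadcom's code: channel records indexed by channel
 * id. BASE_CID (first dynamic L2CAP id) and MAX_CHANNELS are assumed values. */
#define BASE_CID     0x0040
#define MAX_CHANNELS 16

typedef struct channel {
    struct channel *next;   /* doubly linked list links, as in the text */
    struct channel *prev;
    uint16_t cid;
} channel_t;

/* Vulnerable lookup: only the lower bound is checked, so an id above the table
 * maps to a slot beyond it. Returns the slot index, or -1 if rejected. */
int slot_vulnerable(uint16_t cid) {
    if (cid < BASE_CID) return -1;
    return cid - BASE_CID;
}
/* Fixed lookup: the id must lie in [BASE_CID, BASE_CID + MAX_CHANNELS). */
int slot_fixed(uint16_t cid) {
    if (cid < BASE_CID || cid >= BASE_CID + MAX_CHANNELS) return -1;
    return cid - BASE_CID;
}

/* Unlink as the text describes it: two writes through next and prev,
 * trusting whatever the record holds. */
void unlink_unchecked(channel_t *c) {
    c->next->prev = c->prev;
    c->prev->next = c->next;
}
/* Safe unlink: both neighbours must point back at c, so a record whose links
 * point into code or a payload is refused before anything is written. */
bool unlink_checked(channel_t *c) {
    if (c->next == NULL || c->prev == NULL) return false;
    if (c->next->prev != c || c->prev->next != c) return false;
    unlink_unchecked(c);
    return true;
}

/* A genuine ring head <-> rec is unlinked; a forged record whose links point
 * at two unrelated records (stand-ins for code and payload) is refused. */
bool checked_unlink_behaves(void) {
    channel_t head, rec = {&head, &head, BASE_CID};
    head.next = head.prev = &rec;
    bool ok = unlink_checked(&rec) && head.next == &head && head.prev == &head;
    channel_t a = {0}, b = {0}, forged = {&a, &b, BASE_CID + MAX_CHANNELS + 1};
    return ok && !unlink_checked(&forged) && a.prev == NULL && b.next == NULL;
}
```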