Difference between revisions of "Twilight Hack"

From WiiBrew
m
m (Update links (I uploaded Twilight Hack directly to the server))
 
(75 intermediate revisions by 39 users not shown)
Line 1: Line 1:
 +
{{Infobox homebrew
 +
| title      = Twilight Hack
 +
| image      = [[File:TwilightHack_0.1beta1.png|Twilight Hack icon]]
 +
| caption    =
 +
| type        = exploit
 +
| author      = [[Team Twiizers]]
 +
| version    = 0.1 beta2
 +
| download    = https://wiibrew.org/wiki/File:Twilight-hack-v0.1-beta2.zip
 +
| source      = http://git.infradead.org/users/segher/savezelda.git
 +
| peripherals = {{FrontSD}}
 +
}}
 +
The '''Twilight Hack''' was the first way to enable [[homebrew]] on a Wii without hardware modification. It was discovered in 2008. The Twilight Hack was used by playing a hacked game save for The Legend of Zelda: Twilight Princess which executes a homebrew application from an SD card. Examples of such homebrew .elf or .dol files can be found on the [[List of homebrew applications|Homebrew applications]] page. The Twilight Hack was created by [[Team Twiizers]].
 +
 +
Twilight Hack 0.1beta1 is compatible with System Menu up to [[System Menu 3.3|3.3]], 0.1beta2 is compatible with [[System Menu 3.4]]. The twilight hack is not and never will be compatible with [[System Menu 4.0]] and up. Use another [[:Category:Homebrew exploits|exploit]] from now on.
 +
 +
The source code was written to be readable, portable and reusable; most of the code was reused for [[Indiana Pwns]], and you are encouraged to use it to create your own savegame exploits (provided you follow the licensing terms of the codebase).
 +
 +
Fanmail can be left at [[Twiizers Fanmail]].
 +
 +
== Usage and Installation ==
 +
Required materials:
 +
* SD card (<= 2GB, not SDHC) formatted as FAT16 or FAT32. (The Wii System Menu, which is used to copy the save, only reads SD cards, not SDHC).
 +
* SD card reader
 +
* The Legend of Zelda: Twilight Princess that has been played at least once
 +
* Some homebrew to load (e.g. the [[Homebrew Channel]] installer)
 +
 +
[[File:Twilight Serial.jpg|thumb|right|Inner disc circle with serial]]
 +
Inside the zip file you will find versions of the hack for all three regions. You may copy all of them to your SD card, but you will need to choose the correct one to copy to your Wii based on your version of Zelda: Twilight Princess. USA users, additionally, need to determine the correct save slot to load once inside Twilight Princess.
 +
The easiest way to check your version is to compare the text string which is on the '''inner''' circle of the '''data''' surface with the ones below.
 +
 +
{| class="wikitable" style="width: 700px; text-align:center; font-size:90%;"
 +
|-
 +
! Region !! Inner circle text !! File !! Save slot
 +
|-
 +
| Europe/Australia (EUR) || RVL-RZDP-0A-0 JPN || /private/wii/title/rzdp/data.bin || Twilight Hack
 +
|-
 +
| Asia (JPN) || RVL-RZDJ-0A-0 JPN || /private/wii/title/rzdj/data.bin || Twilight Hack
 +
|-
 +
| America (USA) || RVL-RZDE-0A-0 JPN || /private/wii/title/rzde/data.bin || TwilightHack0
 +
|-
 +
| America (USA) || RVL-RZDE-0A-0 USA || /private/wii/title/rzde/data.bin || TwilightHack0
 +
|-
 +
| America (USA) || RVL-RZDE-0A-2 USA || /private/wii/title/rzde/data.bin || TwilightHack2
 +
|}
  
 
=== Step by Step ===
 
=== Step by Step ===
 
 
# Ensure your SD card is formatted as FAT. By default SD cards are formatted as FAT, so if you're not sure you can skip this step.
 
# Ensure your SD card is formatted as FAT. By default SD cards are formatted as FAT, so if you're not sure you can skip this step.
 
# ''(Optional)'' If you have an existing Zelda save that you want to backup, do so before proceeding:
 
# ''(Optional)'' If you have an existing Zelda save that you want to backup, do so before proceeding:
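Review bot: the requirements list says the SD card may be FAT16 or FAT32, but the 0.1alpha3b changelog entry marks FAT32 support as experimental and the step-by-step and troubleshooting text only say "FAT"; state which release the FAT32 option applies to, or name FAT16 as the safe default. In the inner-circle table, the two RVL-RZDE-0A-0 rows (JPN and USA) map to the same file and save slot; one line saying the trailing JPN/USA marker makes no difference for that serial would stop readers thinking they picked the wrong row.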
Line 13: Line 56:
 
# Go into Wii Options --> Data Management --> Save Data --> Wii.
 
# Go into Wii Options --> Data Management --> Save Data --> Wii.
 
# Find your Zelda save, click on it, click "Erase", and click Yes.
 
# Find your Zelda save, click on it, click "Erase", and click Yes.
#Open the SD card and select the "Twilight Hack" save that corresponds to your game region. Note: Some people are having problems with the Wii not "seeing" the save file on the SD card. If you are experiencing this, try setting the archive bit for the data.bin file - in Windows this can be either be done from the file's properties dialog (right click on it in Windows Explorer and check the box) or from the command line using "attrib +a <path to data.bin>". More info at #wiihelp on Efnet.
+
#Open the SD card and select the "Twilight Hack" save that corresponds to your game region. Note: Some people are having problems with the Wii not "seeing" the save file on the SD card. If you are experiencing this, try setting the archive bit for the data.bin file - in Windows this can be either be done from the file's properties dialog (right click on it in Windows Explorer and check the box) or from the command line using "attrib +a <path to data.bin>". More info at #wiihelp on Efnet.
 
# Click copy and then yes. Now exit out of the menu.
 
# Click copy and then yes. Now exit out of the menu.
 
#If you are using System Menu 3.4, you '''must immediately''' put the Twilight Hack to use. Turning off or running some other channel or game will have the System Menu delete the savegame again, and you'll have to start over.
 
#If you are using System Menu 3.4, you '''must immediately''' put the Twilight Hack to use. Turning off or running some other channel or game will have the System Menu delete the savegame again, and you'll have to start over.
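Review bot: the archive-bit workaround and the #wiihelp pointer in the "Open the SD card" step are troubleshooting, not something every reader does; move them to the Troubleshooting section so the numbered list stays a procedure, and fix "can be either be done" to "can either be done". The 3.4 warning in the last step is the user-visible side of the 0.1beta2 changelog line "Only works once after being copied"; say so, so readers on 3.4 understand why the save disappears.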
Line 24: Line 67:
  
 
=== Troubleshooting ===
 
=== Troubleshooting ===
 
 
* If you get an error such as <tt>Failed to read boot.elf (-1)</tt>, your SD card may not be formatted as FAT. Try reformatting your SD card with the [http://www.sdcard.org/about/downloads/ Official SD Card Format Tool].
 
* If you get an error such as <tt>Failed to read boot.elf (-1)</tt>, your SD card may not be formatted as FAT. Try reformatting your SD card with the [http://www.sdcard.org/about/downloads/ Official SD Card Format Tool].
  
 
== Changelog ==
 
== Changelog ==
===0.1beta2===
+
=== 0.1beta2 ===
 
* Workaround for the System Menu 3.4 check. Only works once after being copied.
 
* Workaround for the System Menu 3.4 check. Only works once after being copied.
0.1beta 2 Mirrors: [http://ostsoft.net/go/?to=wiidl&dl=22 Mirror by Oste Hovel] [http://beta.ivancover.com/wii/twilight-hack-v0.1-beta2.zip Mirror by ivc]
+
[[File:Twilight-hack-v0.1-beta2.zip]]
  
===0.1beta1===
+
=== 0.1beta1 ===
 
* The Twilight Hack is now compatible with version 3.3 of the Wii System Menu.
 
* The Twilight Hack is now compatible with version 3.3 of the Wii System Menu.
 
* Improvements in video configuration. The entire console should now be visible in all video modes, and scrolling has been improved.
 
* Improvements in video configuration. The entire console should now be visible in all video modes, and scrolling has been improved.
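Review bot: the troubleshooting entry blames "Failed to read boot.elf (-1)" only on a non-FAT card, but the 0.1beta1 changelog line below says the loader tries boot.dol first and falls back to boot.elf, so the same message appears when neither file is in the root of the card. Add "check that boot.dol or boot.elf is in the root of the SD card" as the first thing to verify, before suggesting a reformat.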
Line 39: Line 81:
 
* This version now tries to load boot.dol, and falls back to boot.elf if boot.dol is not found.
 
* This version now tries to load boot.dol, and falls back to boot.elf if boot.dol is not found.
 
* Many, many bug fixes.
 
* Many, many bug fixes.
0.1beta1 Mirrors: [http://ostsoft.net/go/?to=wiidl&dl=21 Mirror by Oste Hovel] [http://beta.ivancover.com/wii/twilight-hack-v0.1-beta1.zip Mirror by ivc]
+
[[File:Twilight-hack-v0.1-beta1.zip]]
  
===0.1alpha3b===
+
=== 0.1alpha3b ===
* '''''Experimental''''' version with FAT32 support. Only try this if you receive an error message while loading boot.elf.
+
* '''''Experimental''''' version with FAT32 support. Only try this if you receive an error message while loading boot.elf.
0.1alpha3b Mirrors: [http://chaoshq.de/~crediar/twilight-hack-v0.1-alpha3b.zip Mirror by chaoshq.de] &bull; [http://ostsoft.net/go/?to=wiidl&dl=2 Mirror by Oste Hovel] &bull; [http://otto888page.googlepages.com/twilight-hack-v0.1-alpha3b.zip Mirror by otto888]
 
  
===0.1alpha3a===
+
=== 0.1alpha3a ===
 
* Correctly loads geckoloader code from USBGecko flash.
 
* Correctly loads geckoloader code from USBGecko flash.
0.1alpha3a Mirrors: [http://chaoshq.de/~crediar/twilight-hack-v0.1-alpha3a.zip Mirror by chaoshq.de] &bull; [http://ostsoft.net/go/?to=wiidl&dl=1 Mirror by Oste Hovel] &bull; [http://otto888page.googlepages.com/twilight-hack-v0.1-alpha3a.zip Mirror by otto888]
 
  
===0.1alpha3===
+
=== 0.1alpha3 ===
 
* Front SD slot is now supported; SDGecko slot support has been removed.
 
* Front SD slot is now supported; SDGecko slot support has been removed.
 
* FAT16 is now supported; you should save your ELF executable on your SD card as "boot.elf".
 
* FAT16 is now supported; you should save your ELF executable on your SD card as "boot.elf".
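Review bot: this revision replaces the external mirrors for 0.1beta2 and 0.1beta1 with local [[File:...]] uploads, but the 0.1alpha3b and 0.1alpha3a entries still point at third-party mirrors (chaoshq.de, ostsoft.net, googlepages.com). Either upload those archives the same way or mark the lines as historical, since the remaining links will rot the same way the replaced ones did.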
Line 56: Line 96:
  
 
== Explanation ==
 
== Explanation ==
The Twilight Hack works by employing a lengthly character name for the horse in the game ('Epona') in order to facilitate a [http://en.wikipedia.org/wiki/Stack_smashing stack smash]. This gets triggered when talking to the man next to you when you start the savegame as he loads the name to use it in his dialog or upon attempting to enter the next zone, before the man talks to you and reminds you to go the other way to get the horse.
+
The hack exploits a [http://en.wikipedia.org/wiki/Stack_smashing buffer overflow error] caused by loading a specially crafted save file for Twilight Princess. The save file stores a custom name for Epona, Link's horse, that is much longer than what the game would usually allow, in fact it even contains a small program. While the game doesn't allow you to manually enter a name this long it doesn't check the name in the file. When the game tries to load the name into memory it inadvertently drops the small program into memory filling not only the "horse name" buffer but adjacent ones. In a round about way these regions of memory happen to be designated the next region the console should execute. As you can see the save file is specially crafted indeed. Once the code loads it runs either a "boot.elf" or "boot.dol" file from the root of the SD card. If the boot.elf and bootmini.elf that loads HackMii exists on the root of your SD Card, you can use it to then install BootMii IOS, BootMii Boot2 (if compatible), or, importantly, the Homebrew Channel.
  
 
== [[Wiibrew FAQ|FAQ]] ==
 
== [[Wiibrew FAQ|FAQ]] ==
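Review bot: the replacement Explanation drops two things the old paragraph had: the name of the technique (stack smash, which is still the link target while the text now says "buffer overflow error") and the in-game trigger (talking to the man next to you, or trying to leave the zone), which step 12 of the procedure depends on. Keep both, replace "In a round about way these regions of memory happen to be designated the next region the console should execute" with a plain statement that the over-long name overruns the stack buffer and overwrites the data that decides where execution continues, which is what the linked term means, and change "exists" to "exist" in the boot.elf/bootmini.elf sentence.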
Line 68: Line 108:
 
::No. These tools merely change the container file format, it does not convert between GameCube/Wii code.
 
::No. These tools merely change the container file format, it does not convert between GameCube/Wii code.
  
* Does this work with the new v3.4 update?
+
* Does this work with the v4.0, 4.1, 4.2 or 4.3 System Menu update?
::Yes. At the moment, 3.4 does not properly block the latest version of Twilight Hack, but updating is still not recommended if you can avoid it.
+
::No, after the 4.0 update the Twilight Hack was completely blocked. However [[bannerbomb]] works on 4.0 - 4.2, [[LetterBomb]] works on 4.3, and [[Smash Stack]] and [[Indiana Pwns]] work on 3.0 - 4.3.
  
* Can we use games other than Zelda to achieve the same effect?
+
* Can we use games other than Zelda to achieve the same/similar effect?
::Eventually.
+
::Yes, [[Indiana Pwns‎|LEGO Indiana Jones]] and [[Smash Stack|Super Smash Bros. Brawl]] could be used.
  
 
* What about our current saves?
 
* What about our current saves?
::There's no easy way to merge saves between files. Use the Twilight Hack to install the [[Homebrew Channel]], then copy your old savefile back into place.
+
::There's no easy way to merge saves between files. Use the Twilight Hack to install the [[Homebrew Channel]], then copy your old savefile back into place.
  
 
Main FAQ Page: [[Wiibrew FAQ]]
 
Main FAQ Page: [[Wiibrew FAQ]]
  
==Known bug==
+
== Known bug ==
 
*After you load the save, the Wii Remote pointer may move to the bottom of the screen and stay there. It is purely a cosmetic bug and does not affect operation. The Wiimote pointer will return to normal after a reboot.
 
*After you load the save, the Wii Remote pointer may move to the bottom of the screen and stay there. It is purely a cosmetic bug and does not affect operation. The Wiimote pointer will return to normal after a reboot.
  
 
[[Category:Loaders|TP]]
 
 
[[Category:Homebrew]]
 
[[Category:Homebrew]]
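Review bot: [[Category:Loaders|TP]] is removed without a replacement, yet the Explanation still says the hack's job is to load boot.dol or boot.elf from the SD card, so the page belongs in Loaders as well as Homebrew; restore the category. The new answer to the "other games" question also appears to carry an invisible character after "Pwns" inside [[Indiana Pwns|LEGO Indiana Jones]], which can turn the link red; retype the link target.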

Latest revision as of 00:53, 3 June 2017

Twilight Hack
Author(s): Team Twiizers
Type: Exploit
Version: 0.1 beta2
Links: Download, Source
Peripherals: Front SD slot

The Twilight Hack was the first way to enable homebrew on a Wii without hardware modification. It was discovered in 2008. The Twilight Hack was used by playing a hacked game save for The Legend of Zelda: Twilight Princess which executes a homebrew application from an SD card. Examples of such homebrew .elf or .dol files can be found on the Homebrew applications page. The Twilight Hack was created by Team Twiizers.

Twilight Hack 0.1beta1 is compatible with System Menu up to 3.3; 0.1beta2 is compatible with System Menu 3.4. The Twilight Hack is not and never will be compatible with System Menu 4.0 and up. Use another exploit from now on.

The source code was written to be readable, portable and reusable; most of the code was reused for Indiana Pwns, and you are encouraged to use it to create your own savegame exploits (provided you follow the licensing terms of the codebase).

Fanmail can be left at Twiizers Fanmail.

Usage and Installation

Required materials:

  • SD card (<= 2GB, not SDHC) formatted as FAT16 or FAT32. (The Wii System Menu, which is used to copy the save, only reads SD cards, not SDHC).
  • SD card reader
  • The Legend of Zelda: Twilight Princess that has been played at least once
  • Some homebrew to load (e.g. the Homebrew Channel installer)
[Image: inner disc circle with serial]

Inside the zip file you will find versions of the hack for all three regions. You may copy all of them to your SD card, but you will need to choose the correct one to copy to your Wii based on your version of Zelda: Twilight Princess. USA users, additionally, need to determine the correct save slot to load once inside Twilight Princess. The easiest way to check your version is to compare the text string which is on the inner circle of the data surface with the ones below.

Region                  Inner circle text   File                              Save slot
Europe/Australia (EUR)  RVL-RZDP-0A-0 JPN   /private/wii/title/rzdp/data.bin  Twilight Hack
Asia (JPN)              RVL-RZDJ-0A-0 JPN   /private/wii/title/rzdj/data.bin  Twilight Hack
America (USA)           RVL-RZDE-0A-0 JPN   /private/wii/title/rzde/data.bin  TwilightHack0
America (USA)           RVL-RZDE-0A-0 USA   /private/wii/title/rzde/data.bin  TwilightHack0
America (USA)           RVL-RZDE-0A-2 USA   /private/wii/title/rzde/data.bin  TwilightHack2

Step by Step

  1. Ensure your SD card is formatted as FAT. By default SD cards are formatted as FAT, so if you're not sure you can skip this step.
  2. (Optional) If you have an existing Zelda save that you want to backup, do so before proceeding:
    1. Put your SD card in your Wii and turn it on.
    2. Go into Wii Options --> Data Management --> Save Data --> Wii.
    3. Find your Zelda save, click on it, click "Copy", and click Yes.
    4. Put your SD card in your computer, and copy the "private" folder from the card to a safe place.
  3. Copy the "private" directory from the Twilight Hack download to the root of your SD card.
  4. Take your homebrew Wii executable (elf or dol file) and save it in the root directory of your SD card as "boot.elf" or "boot.dol" as appropriate.
  5. Put your SD card in your Wii and turn it on.
  6. Go into Wii Options --> Data Management --> Save Data --> Wii.
  7. Find your Zelda save, click on it, click "Erase", and click Yes.
  8. Open the SD card and select the "Twilight Hack" save that corresponds to your game region. Note: Some people are having problems with the Wii not "seeing" the save file on the SD card. If you are experiencing this, try setting the archive bit for the data.bin file. In Windows this can either be done from the file's properties dialog (right click on it in Windows Explorer and check the box) or from the command line using "attrib +a <path to data.bin>". More info at #wiihelp on Efnet.
  9. Click copy and then yes. Now exit out of the menu.
  10. If you are using System Menu 3.4, you must immediately put the Twilight Hack to use. Turning off or running some other channel or game will have the System Menu delete the savegame again, and you'll have to start over.
  11. Insert The Legend of Zelda: Twilight Princess game disc and run the game.
    • If you have the USA version of the game, load the "TwilightHack0" or "TwilightHack2" version of the game as appropriate (see above).
    • Otherwise, load the only "Twilight Hack" save game.
  12. Once in the game, either walk backwards or talk to the man standing in front of you.
  13. Follow the instructions listed on the screen.
  14. Enjoy.

Troubleshooting

  • If you get an error such as Failed to read boot.elf (-1), your SD card may not be formatted as FAT. Try reformatting your SD card with the Official SD Card Format Tool.

Changelog

0.1beta2

  • Workaround for the System Menu 3.4 check. Only works once after being copied.

File:Twilight-hack-v0.1-beta2.zip

0.1beta1

  • The Twilight Hack is now compatible with version 3.3 of the Wii System Menu.
  • Improvements in video configuration. The entire console should now be visible in all video modes, and scrolling has been improved.
  • For the USA version, the two variants of the hack have been packed into one save file. Just select the save slot that corresponds to your version of Twilight Princess when you start the game.
  • New savegame icons by drmr. The new icons now show which region that version of the hack is for.
  • This version now tries to load boot.dol, and falls back to boot.elf if boot.dol is not found.
  • Many, many bug fixes.

File:Twilight-hack-v0.1-beta1.zip

0.1alpha3b

  • Experimental version with FAT32 support. Only try this if you receive an error message while loading boot.elf.

0.1alpha3a

  • Correctly loads geckoloader code from USBGecko flash.

0.1alpha3

  • Front SD slot is now supported; SDGecko slot support has been removed.
  • FAT16 is now supported; you should save your ELF executable on your SD card as "boot.elf".
  • RZDJ is now supported.
  • Added support for Geckoloader stub: If you have a USBGecko installed and have already run the Geckoloader program to install into flash, then the Twilight Hack will try to load that stub if it does not detect an SD card.

Explanation

The hack exploits a buffer overflow bug triggered by loading a specially crafted save file for Twilight Princess. The save file stores a custom name for Epona, Link's horse, that is much longer than the game would usually allow; in fact it contains a small program. While the game doesn't let you enter a name this long manually, it doesn't check the name stored in the file. When the game loads the name into memory it inadvertently drops the small program into memory, filling not only the "horse name" buffer but adjacent ones. In a roundabout way, these regions of memory happen to be where the console takes its next instructions from. As you can see, the save file is specially crafted indeed. Once the code loads, it runs either a "boot.elf" or "boot.dol" file from the root of the SD card. If the boot.elf and bootmini.elf that load HackMii exist in the root of your SD card, you can use it to install BootMii IOS, BootMii Boot2 (if compatible), or, importantly, the Homebrew Channel.
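As an added illustration (not the game's code and not Team Twiizers' loader), the pattern the paragraph describes in C: a name field whose length is enforced on the entry screen but not on the file, with the unchecked copy's overrun reported rather than performed, beside a loader that applies the same limit to the file. The record layout, the 8-byte NAME_MAX, the sample images and every function name are assumptions made for the demo.

```c
/* Added example, not the game's or Team Twiizers' code: a save-file name
 * loader in the shape the Explanation describes. The record layout, the
 * 8-byte in-game limit and every name here are assumptions for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NAME_MAX 8   /* assumed: the limit the name-entry screen enforces */

/* Constructed on-disk field: 2-byte big-endian length, then name bytes. */
struct name_field {
    const uint8_t *data;   /* points into the save image */
    size_t len;            /* length declared by the file: untrusted */
};

/* Constructed sample images (not real Twilight Princess save data). */
static const uint8_t legit_img[] = { 0x00, 0x05, 'E', 'p', 'o', 'n', 'a' };
static const uint8_t long_img[] = { 0x00, 0x20,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A' };
static const uint8_t trunc_img[] = { 0x00, 0x10, 'A', 'B' };

/* Locate the name field; -1 if the declared length overruns the image. */
int parse_name_field(const uint8_t *img, size_t img_len, struct name_field *out)
{
    if (img_len < 2) return -1;
    size_t n = ((size_t)img[0] << 8) | img[1];
    if (n > img_len - 2) return -1;          /* truncated or corrupt file */
    out->data = img + 2;
    out->len = n;
    return 0;
}

/* The unchecked pattern the page describes: bytes a blind copy of this
 * field would write past a NAME_MAX+1 stack buffer. Reported, not done. */
size_t unchecked_overflow_bytes(const struct name_field *f)
{
    size_t buf = NAME_MAX + 1;               /* room for the NUL */
    return f->len + 1 > buf ? f->len + 1 - buf : 0;
}

/* Hardened loader: the entry-screen limit is applied to the file too.
 * Returns 0 with a NUL-terminated copy in dst, else -1 leaving dst untouched. */
int load_horse_name(const struct name_field *f, char *dst, size_t dst_len)
{
    if (f->len > NAME_MAX || dst_len < f->len + 1) return -1;
    memcpy(dst, f->data, f->len);
    dst[f->len] = '\0';
    return 0;
}

int main(void)
{
    struct name_field f;
    char name[NAME_MAX + 1];
    if (parse_name_field(legit_img, sizeof legit_img, &f) == 0 &&
        load_horse_name(&f, name, sizeof name) == 0)
        printf("accepted: %s\n", name);
    if (parse_name_field(long_img, sizeof long_img, &f) == 0 &&
        load_horse_name(&f, name, sizeof name) != 0)
        printf("rejected: a blind copy would overrun by %zu bytes\n",
               unchecked_overflow_bytes(&f));
    return 0;
}
```

The point of the split is the trust boundary: the limit the entry screen enforces has to be re-checked wherever the name is read back from untrusted storage.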

FAQ

  • Can it load files from the internal SD slot?
Yes.
  • Can I load GameCube homebrew with this?
Not directly. Though you can use the Wii Gamecube Homebrew Launcher once you've got your Wii ready for homebrew.
  • What about if I use doltool or dol2elf?
No. These tools merely change the container file format; they do not convert between GameCube and Wii code.
  • Does this work with the v4.0, 4.1, 4.2 or 4.3 System Menu update?
No. After the 4.0 update the Twilight Hack was completely blocked. However, bannerbomb works on 4.0 - 4.2, LetterBomb works on 4.3, and Smash Stack and Indiana Pwns work on 3.0 - 4.3.
  • Can we use games other than Zelda to achieve the same/similar effect?
Yes, LEGO Indiana Jones and Super Smash Bros. Brawl could be used.
  • What about our current saves?
There's no easy way to merge saves between files. Use the Twilight Hack to install the Homebrew Channel, then copy your old savefile back into place.

Main FAQ Page: Wiibrew FAQ

Known bug

  • After you load the save, the Wii Remote pointer may move to the bottom of the screen and stay there. It is purely a cosmetic bug and does not affect operation. The Wiimote pointer will return to normal after a reboot.