Wii hacked using buffer overflow

By Karl Koscher at 5:43 pm on February 25, 2008 | 5 Comments

Slashdot is reporting that a lot of Wii homebrew code is being developed and released now. Apparently, a bug was found in The Legend of Zelda: Twilight Princess that allows you to smash the stack by overflowing the horse name buffer. Creating a modified saved game allows you to inject this malicious name. I was under the impression that the Wii cryptographically signed saved games to prevent bugs like these from being exploited, but it appears that people have either figured out how to sign saved games, or bypass the signature check, if one exists at all.

Filed under: Miscellaneous

5 Comments

  • 1

    Comment by rudd

    February 25, 2008 @ 11:24 pm

    Wii games are cryptographically signed. After a bit of poking around, here’s some info I found out about the exploit:

    From Teh Skeen, the forum where the exploit came to be:
    “Once the Wii decrypts the save game, it checks its signature. Every Wii has its own private key which is used to sign save games, and when you save a game, the Wii actually saves three bits of data:

    * The encrypted save game
    * The signature for the save game (using your console’s private key)
    * A copy of your console’s public key, signed by Nintendo.”

    It looks like they managed to figure out how to decrypt saved games, create new saved games from scratch and how to change the checksum for modified saved games.

    Pretty interesting to read through, here are some links:


  • 2

    Comment by rudd

    February 25, 2008 @ 11:26 pm

    Hmm, my links don’t appear to be showing up. Here they are again:
    http://www.tehskeen.com/forums/showthread.php?p=24784#post24784

    http://git.infradead.org/?p=users/segher/wii.git
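As an added example (my own code, not from the post, the Teh Skeen thread, the linked repository or Nintendo) of the three-piece save layout rudd quotes above, here is a Go verifier that checks both links of that chain on load: the embedded console public key must carry the root ("signed by Nintendo") signature, and the save data must carry the console's signature. Everything concrete here is an assumption for illustration: ECDSA P-256 with SHA-256 stands in for whatever the console actually uses, the payload is a plaintext stand-in for the encrypted blob, the field names and DER encoding are mine, and the sample data (`horse=Epona`) is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Save holds the three items rudd's quote says the console writes. The field
// names and encodings are this example's own assumptions, not the Wii format.
type Save struct {
	Data        []byte // save-game payload (plaintext stand-in for the encrypted blob)
	Sig         []byte // console's signature over Data
	ConsolePub  []byte // console's public key, DER (PKIX) encoded
	ConsoleCert []byte // root ("Nintendo") signature over ConsolePub
}

// sign hashes msg with SHA-256 and produces an ASN.1 ECDSA signature.
func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// verify checks an ASN.1 ECDSA signature over SHA-256(msg).
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// CreateSave models the save path: sign the data with the console key and
// bundle it with the console's public key and that key's root signature.
func CreateSave(console *ecdsa.PrivateKey, consoleCert, data []byte) (*Save, error) {
	pubDER, err := x509.MarshalPKIXPublicKey(&console.PublicKey)
	if err != nil {
		return nil, err
	}
	sig, err := sign(console, data)
	if err != nil {
		return nil, err
	}
	return &Save{Data: data, Sig: sig, ConsolePub: pubDER, ConsoleCert: consoleCert}, nil
}

// VerifySave models the load path. Both links must hold: the embedded console
// key must be root-signed, and the data must be signed by that console key.
// Checking only the second link would accept any substituted key pair.
func VerifySave(root *ecdsa.PublicKey, s *Save) error {
	if !verify(root, s.ConsolePub, s.ConsoleCert) {
		return errors.New("embedded console public key is not root-signed")
	}
	parsed, err := x509.ParsePKIXPublicKey(s.ConsolePub)
	if err != nil {
		return err
	}
	consolePub, ok := parsed.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("embedded console key is not an ECDSA key")
	}
	if !verify(consolePub, s.Data, s.Sig) {
		return errors.New("save data signature does not verify under console key")
	}
	return nil
}

// Demo builds a constructed root key, a root-certified console key and a sample
// save, then reports whether a genuine, a tampered and an uncertified-key save
// pass VerifySave. Expected: true, false, false.
func Demo() (genuineOK, tamperedOK, uncertifiedOK bool, err error) {
	root, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the root key
	if err != nil {
		return
	}
	console, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	consolePubDER, err := x509.MarshalPKIXPublicKey(&console.PublicKey)
	if err != nil {
		return
	}
	consoleCert, err := sign(root, consolePubDER) // the "signed by Nintendo" link
	if err != nil {
		return
	}
	data := []byte("zelda-tp;horse=Epona;hearts=20") // constructed sample payload

	genuine, err := CreateSave(console, consoleCert, data)
	if err != nil {
		return
	}
	genuineOK = VerifySave(&root.PublicKey, genuine) == nil

	tampered := *genuine // copy the struct, then give it its own modified payload
	tampered.Data = append([]byte(nil), genuine.Data...)
	tampered.Data[len(tampered.Data)-1] ^= 0x01
	tamperedOK = VerifySave(&root.PublicKey, &tampered) == nil

	rogue, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key with no root signature
	if err != nil {
		return
	}
	uncertified, err := CreateSave(rogue, consoleCert, data) // cert covers the other key
	if err != nil {
		return
	}
	uncertifiedOK = VerifySave(&root.PublicKey, uncertified) == nil
	return
}

func main() {
	g, t, u, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v uncertified=%v\n", g, t, u)
}
```

The three cases in `Demo` show what the chain buys a verifier: a bit flip in the payload fails the second link, and a save signed with a fresh key that lacks the root signature fails the first link even though its own signature over the data is valid. What a signature check cannot tell the loader is whether the signing key was legitimately held, which is why the question chrislim raises below (was a console's private key extracted, or was the check bypassed) matters more than the format itself.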

  • 3

    Comment by chrislim

    March 1, 2008 @ 1:02 pm

    This is pretty fascinating; it never crossed my mind that saved games would need to be cryptographically signed.
    What are the implications for Nintendo now? A homebrew loading solution that involves only software would reach a much larger audience and could significantly increase piracy, etc. Obviously, if the saved game were rejected because its cryptographic signature were invalid, the exploit would be blocked…
    Is there an update mechanism for the Wii so they can issue a patch to protect against the buffer overflow problem discovered in the game Legend of Zelda? Since the game’s code is on DVD, how might they patch it?
    How did the hackers cryptographically sign their modified saved games? Were they able to do a “chosen-plaintext attack” by supplying a saved game to the code that signs games? Did they compromise the console’s private key? Either way, it seems quite difficult for Nintendo to control this vulnerability now that it’s in the wild…

  • 4

    Comment by robertm2

    March 3, 2008 @ 12:43 pm

    Being a Wii-owner myself and having played a lot of video games growing up, this info is very interesting to me. But it also makes me wonder, why would people want to do this? It seems like a serious motive for anyone to want to do this is non-existent. Assuming the only way to overwrite saved files is to have physical access to the Wii (it seems like the hacker did it with some USB device), I feel like the most logical motive would be if you wanted to run code that would overwrite some system files of the console that belong to your friends (or maybe not so much your friends), making the device inoperable. What do you guys think? Am I overlooking something here?

  • 5

    Comment by ripjans - gratis wii

    September 9, 2008 @ 5:45 am

    @robertm2:
    Are you saying they are actually trying to create a virus for the Nintendo Wii here? I just recently got my Wii; the only thing I’ve been able to exchange is some Mii, but that’s it.
    It would be a new era though, a virus on your console!
