With each new game console, there’s an effort to get around whatever restrictions exist to run your own software on it. In the case of the Nintendo Wii, the system was cracked through one of its most popular games — The Legend of Zelda: Twilight Princess. How this hack works was recently covered in detail by [Skawo].
The key for this ‘Twilight Hack‘ is to use a modified game save that allows you to run arbitrary code from an SD card, something which was first patched out of the Wii firmware with version 3.3. As shown in the video using the source code, the basic concept is that the name of Link’s horse in the game is changed in the save file to be longer than the allocated buffer, which leads to a buffer overflow that can be used to reach the application loader code.
Interestingly, while the horse’s name can only be 8 characters long, and the buffer is 16 bytes (due to ShiftJS two-byte encoding), the save file loading code allocates no less than 100 bytes, for some reason. Since the code uses
strcpy() instead of strncpy() (or C11’s strncpy_s()), it will happily keep copying until it finds that magic 0x00 string terminator. Basically the horse can have any name that fits within the save file’s buffer, just with no null-byte until our specially crafted payload has been copied over.Although it took Nintendo a few months to respond to this hack, eventually it was patched out in a rather brutal fashion by simply searching for and wiping any modified save files. Naturally this didn’t stop hackers from a finding way to circumvent this save file check, which led to more counter-fixes by Nintendo, which led to more exploits, ad nauseam.
Even with firmware update 4.0 finally sunsetting the Twilight Hack, hackers would keep finding more ways to get their previous Homebrew Channel installed, not to mention so that they could keep watching DVDs on a Wii.