Good Morning from my Robotics Lab! This is Shadow_8472 and today I am actually hacking my Wii. Let’s get started!
!!ALERT!!
THIS BLOG POST ABOUT WII HACKING IS UNMAINTAINED!! While unmaintained documentation can be entertaining or contain useful hints not found anywhere else, it often lacks nuance and is best treated as unauthoritative. Be careful with it. Be responsible with it. This applies to all media forms – especially YouTube.
As of writing in August, 2024, the authoritative site is https://wii.hacks.guide/ [1].
Seriously. As with installing Linux or any activity that disregards OEM walled gardens, you take a risk by hacking your Wii. Many generous people have put years of effort into minimizing these risks, but at the end of the day, the only one to blame for bricking your device is you. The community may back you up on a volunteer basis with no obligations. You own your hardware. Have fun!
With that out of the way…
Recap
A video game console must be built like a castle to protect company profits. Security must stop pirates while being as invisible as possible to legitimate customers. The Homebrew community doesn’t cleanly fit into either category; it climbs the castle walls for fun, but in ways that aim to complement the original product.
I bought a Wii from someone in my area a couple years back with the intention of hacking it. I’ve researched it sporadically since then, building confidence, then backing out each time. Last time, I made it so far as to install the Homebrew Channel on Dolphin Emulator. This time, I make it all the way.
The Homebrew Channel
All video game consoles are just specialized computers. The Wii just didn’t hide this fact as much as most previous consoles. Its operating system boots to a menu with sever channels I mostly ignored, but nonetheless shaped the system’s identity. Perhaps the most [in]famous channel is The Homebrew Channel, a menu for 3rd party software and the primary objective for this week.
There is no direct way to install the Homebrew Channel, so an exploit must be used. The Wii has a rich history of exploits that rely on specially corrupted saves of specific games, but the three in use today only require an SD card formatted to FAT32 (LetterBomb and Wilbrand) or an Internet connection (str4hax). The idea is to load HackMii and install The Homebrew Channel from there.
Glossary of Terms
The Wii uses a lot of abbreviations. Refer to this section if you see any.
- Brick v. – to mess up software so bad, the system won’t start. It may as well be a clay brick.
- CIOS – Custom IOS
- IOS – Acronym unknown. Pertains to files in Wii’s firmware (Has nothing to do with Apple’s iPhones)
- NAND – System memory
- NUS – Nintendo Update Server
- NUSD – NUS Downloader
- WAD – Wii Application Distribution
- YAWMM – Yet Another Wad Manager ModMii Edition
Groundhog Exploits
First of all, what kind of Wii am I hacking?
- White with GameCube adapters
- US Serial number
- Firmware upgraded to 3.3U to play Animal Crossing: City Folk (U for US region)
- Bought 2nd hand, but presumably stock (unmodded)
As part of my setup, I joined the r/Wiihacks Discord server. The community was friendly enough, but I let myself be pressured into updating to firmware version 4.3U, but only once I’d confirmed my serial number matched US region. Updating to or past 4.2 carries a slight chance of bricking in exchange for simplified research. I was OK, but I strongly advise you to research how to update to 4.1 and hack from there.
I started with str4hax, which aims the Wii’s DNS at a special server that replaces the User Agreement with Dashie (Rainbow Dash from My Little Pony: Friendship is Magic) and takes one to two minutes to glitch the system into loading a script that boots the Wii into BootMii. I saw the exploit performed on a YouTube video, so I knew to expect rainbow static with green flashes. BootMii hung (got stuck) on its anti-scam warning, so I tried it around a dozen times in total.
What I didn’t understand at the time was the difference between exploit and payload. This difference was more apparent after running Wilbrand, a Wii Message Board based exploit named after the inventor of TNT. Using a bunch of special information including a Wii’s MAC address, it generates a special letter stored on a properly formatted SD card. When this letter is opened, the Wii crashes and loads boot.elf from the SD card. It took several tries to format my SD card, but once I had Wilbrand working, it was a much faster turn around. When it works correctly, HackMii should load quickly.
Neither of these were perfectly consistent:
- str2hax hung on Dashie for me once and a few times the script to load HackMii failed trying to change Internet settings.
- Wilbrand sometimes gave me a black screen and a blinking blue disk drive (.5 sec. on/.5 sec. off). I also had it drop TV signal in a different fail state.
HackMii Being Stubborn
Whichever exploit you use, when HackMii loads correctly, it puts a scam warning on screen, and after 30 seconds (or until HackMii finishes loading) it should tell you to press 1 to continue on to installing The Homebrew Channel and BootMii.
In my experience though, HackMii hung on this screen with no visual feedback besides the remote being stuck on (working correctly, HackMii does disconnect the remote). I was stuck here for over a day. Wisdom gleaned from community documentation and forum posts say this error is caused by one or more cIOS (or custom IOS) present on the Wii, which can be an indicator of piracy. The accepted diagnostic tool is SysCheck, but its documentation says to load it from The Homebrew Channel I haven’t installed yet!
Under advisement, I was directed to try using ModMii, a tool intended exclusively for Windows. Running under WINE, the CLI edition of version 7.0.2 wants to update to the latest version: 7.0.2. It also failed to set up its download list. The GUI edition was slightly less buggy in that it recognized it was up to date. I tried a few versions of WINE/Proton using Lutris to switch between them, but nothing worked. I was not desperate enough to explore trying .net to see if that made ModMii run. WINE rating: Garbage
Exploring on my own, I felt silly when I found a file called installer.log:
HackMii v1.2 installer starting up
PVR = 00087200
running under IOS 38 rev 0xe19
52 titles are installed
Found IOS 16: revision: 0x200.
Found IOS 10: revision: 0x300.
Found IOS 80: revision: 0x1b20.
Found IOS 38: revision: 0xe19.
Found IOS 37: revision: 0x161f.
Found IOS 36: revision: 0xe18.
Found IOS 35: revision: 0xe18.
Found IOS 34: revision: 0xe18.
Found IOS 33: revision: 0xe18.
Found IOS 31: revision: 0xe18.
Found IOS 30: revision: 0xb00.
Found IOS 28: revision: 0x70f.
Found IOS 22: revision: 0x50e.
Found IOS 20: revision: 0x100.
Found IOS 17: revision: 0x408.
Found IOS 15: revision: 0x408.
Found IOS 14: revision: 0x408.
Found IOS 13: revision: 0x408.
Found IOS 12: revision: 0x20e.
Found IOS 11: revision: 0x100.
Found IOS 21: revision: 0x40f.
Found IOS 2: revision: 0x201.
Found IOS 9: revision: 0x40a.
Found IOS 4: revision: 0xff00.
launching IOS 38 for the installer…
IOS launched…
IOS versions: Installer: 38, HBC: 0
starting preparations
Acting under the assumption I might have a bad cIOS hiding in that list, I converted the revision hexadecimal numbers into decimal looked up each one up on wiibrew.org [2]. All I found was that IOS2 was a false positive and actually part of the system menu. After bringing this back to r/WiiHacks’ Discord, I was advised about an odd line:
IOS versions: Installer: 38, HBC: 0
HackMii usually works better exploiting another IOS, like IOS58, which was either absent or incorrectly loaded during the 4.3 update (I never was properly convinced either way). Discounting ModMii or technical piracy, my last chance at obtaining IOS58 was NUSD. While it is a Windows tool, I found NUSD runs perfectly in WINE on Linux. Platinum rating.
From there, I loaded a WAD file for IOS58 on my SD card alongside a WAD manager called YAWMM, and copied/renamed its boot file to <SD_card>/boot.elf as the payload in place of HackMii. Installation was straightforward from there, and HackMii was repaired.
A blow for blow description of the solution that worked for me can be found here: https://www.rwiihacks.com/tutorials/hackmiiscamstuckfix/index.html#method-3 [3]
“Press (1) to continue” appeared, and I used it to install both The Homebrew Channel and BootMii as an IOS.
BootMii and Priiloader
The Wii has three boot stages: boot0, boot1, and boot2. boot2 can be written to, but only early hardware revisions will brick if boot2 is homebrewed. HackMii detected a patched motherboard and didn’t let me install BootMii to boot2.
BootMii can backing up and restoring the Wii’s internal NAND memory. If you can install it to boot2, it gives you a low-level option to recover from a brick. I don’t get that though.
My next obstacle is SD card size. A stock Wii can only use a 2GB or 32GB SD card depending on if it is running firmware version 4.0 or later. It is recommended to have something a bit bigger than 256MB, as I have been using so far. I sacrificed my Manjaro ARM 32GB microSD for the cause, but I got a NAND backup through BootMii.
Priiloader loads after boot2 and before the System Menu and thereby is a powerful tool from recovering from a brick (though it is second to BootMii boot2 edition). It also offers a bunch of customization options to research another day, but following the wii.hacks.guide tutorial, I disabled disk/online updates and disabled an anti-flicker feature intended for tube TV’s.
D2x and cIOS
As a general rule, wisdom gleaned from the community says cIOS should be avoided, as they’ve learned how to do most things they want to do without changing firmware. However, the wii.hacks.guide checklist does install four cIOS files. Published details are vague, but I gather they do things like allow loading games off USB instead of the DVD drive and using unofficial online services. Wiibrew.org wasn’t particularly helpful when I looked each base IOS up, but then again this is my first time customizing firmware.
Diving deeper, D2x patches official IOS files during installation. This process went smoothly even if it was nerveracking. I double or triple checked each of the four ISO’s to be installed. But even if something did go wrong, that’s what doing a NAND backup early is for.
Loading Homebrew Apps
One more touch, and I can consider my Wii fully hacked for now: the Homebrew Browser. If The Homebrew Channel doesn’t find apps on the SD card (or optionally a USB drive), it shows nothing but bubbles your pointer can pop on contact. The Homebrew Browser can load and update apps to SD (or USB), but itself must be loaded manually. I installed a few recommended utilities, but further tinkering will have to wait for another topic.
Takeaway
Unfortunately, the channel I was working in/using for notes was deleted once I had gotten to The Homebrew Channel. I am mad because by then I had only written my disclaimer and half the recap by then. By God’s grace, I forgive the one[s] responsible, but my hope is that our shared lesson be the value of the footprints we leave behind when working in niche community support topics.
Final Question
Have you ever tried hacking/soft modding a Wii or any other game console? I look forward to hearing from you in the comments below or on my Socials!
Works Cited
[1] Nintendo Homebrew, “Wii Hacks Guide,” wii.hacks.guide, 2024. [Online].Available: https://wii.hacks.guide/ [Accessed Aug. 12, 2024].
[2] wiibrew.org,Nov. 18, 2021. Available: [Online]. https://www.wiibrew.org [Accessed Aug. 12, 2024].
[3] u/WiiExpertise, “HackMii Scamstuck Fix,”rwiihacks.com, 2023. [Online]. Available: https://www.rwiihacks.com/tutorials/hackmiiscamstuckfix/index.html#method-3 [Accessed Aug. 12, 2024].