Finally Passing Wii Hacking 101

Good Morning from my Robotics Lab! This is Shadow_8472 and today I am actually hacking my Wii. Let’s get started!

!!ALERT!!

THIS BLOG POST ABOUT WII HACKING IS UNMAINTAINED!! While unmaintained documentation can be entertaining or contain useful hints not found anywhere else, it often lacks nuance and is best treated as unauthoritative. Be careful with it. Be responsible with it. This applies to all media forms – especially YouTube.

As of writing in August, 2024, the authoritative site is https://wii.hacks.guide/ [1].

Seriously. As with installing Linux or any activity that disregards OEM walled gardens, you take a risk by hacking your Wii. Many generous people have put years of effort into minimizing these risks, but at the end of the day, the only one to blame for bricking your device is you. The community may back you up on a volunteer basis with no obligations. You own your hardware. Have fun!

With that out of the way…

Recap

A video game console must be built like a castle to protect company profits. Security must stop pirates while being as invisible as possible to legitimate customers. The Homebrew community doesn’t cleanly fit into either category; it climbs the castle walls for fun, but in ways that aim to complement the original product.

I bought a Wii from someone in my area a couple years back with the intention of hacking it. I’ve researched it sporadically since then, building confidence, then backing out each time. Last time, I made it so far as to install the Homebrew Channel on Dolphin Emulator. This time, I make it all the way.

The Homebrew Channel

All video game consoles are just specialized computers. The Wii just didn’t hide this fact as much as most previous consoles. Its operating system boots to a menu with sever channels I mostly ignored, but nonetheless shaped the system’s identity. Perhaps the most [in]famous channel is The Homebrew Channel, a menu for 3rd party software and the primary objective for this week.

There is no direct way to install the Homebrew Channel, so an exploit must be used. The Wii has a rich history of exploits that rely on specially corrupted saves of specific games, but the three in use today only require an SD card formatted to FAT32 (LetterBomb and Wilbrand) or an Internet connection (str4hax). The idea is to load HackMii and install The Homebrew Channel from there.

Glossary of Terms

The Wii uses a lot of abbreviations. Refer to this section if you see any.

  • Brick v. – to mess up software so bad, the system won’t start. It may as well be a clay brick.
  • CIOS – Custom IOS
  • IOS – Acronym unknown. Pertains to files in Wii’s firmware (Has nothing to do with Apple’s iPhones)
  • NAND – System memory
  • NUS – Nintendo Update Server
  • NUSD – NUS Downloader
  • WAD – Wii Application Distribution
  • YAWMM – Yet Another Wad Manager ModMii Edition

Groundhog Exploits

First of all, what kind of Wii am I hacking?

  1. White with GameCube adapters
  2. US Serial number
  3. Firmware upgraded to 3.3U to play Animal Crossing: City Folk (U for US region)
  4. Bought 2nd hand, but presumably stock (unmodded)

As part of my setup, I joined the r/Wiihacks Discord server. The community was friendly enough, but I let myself be pressured into updating to firmware version 4.3U, but only once I’d confirmed my serial number matched US region. Updating to or past 4.2 carries a slight chance of bricking in exchange for simplified research. I was OK, but I strongly advise you to research how to update to 4.1 and hack from there.

I started with str4hax, which aims the Wii’s DNS at a special server that replaces the User Agreement with Dashie (Rainbow Dash from My Little Pony: Friendship is Magic) and takes one to two minutes to glitch the system into loading a script that boots the Wii into BootMii. I saw the exploit performed on a YouTube video, so I knew to expect rainbow static with green flashes. BootMii hung (got stuck) on its anti-scam warning, so I tried it around a dozen times in total.

What I didn’t understand at the time was the difference between exploit and payload. This difference was more apparent after running Wilbrand, a Wii Message Board based exploit named after the inventor of TNT. Using a bunch of special information including a Wii’s MAC address, it generates a special letter stored on a properly formatted SD card. When this letter is opened, the Wii crashes and loads boot.elf from the SD card. It took several tries to format my SD card, but once I had Wilbrand working, it was a much faster turn around. When it works correctly, HackMii should load quickly.

Neither of these were perfectly consistent:

  • str2hax hung on Dashie for me once and a few times the script to load HackMii failed trying to change Internet settings.
  • Wilbrand sometimes gave me a black screen and a blinking blue disk drive (.5 sec. on/.5 sec. off). I also had it drop TV signal in a different fail state.

HackMii Being Stubborn

Whichever exploit you use, when HackMii loads correctly, it puts a scam warning on screen, and after 30 seconds (or until HackMii finishes loading) it should tell you to press 1 to continue on to installing The Homebrew Channel and BootMii.

In my experience though, HackMii hung on this screen with no visual feedback besides the remote being stuck on (working correctly, HackMii does disconnect the remote). I was stuck here for over a day. Wisdom gleaned from community documentation and forum posts say this error is caused by one or more cIOS (or custom IOS) present on the Wii, which can be an indicator of piracy. The accepted diagnostic tool is SysCheck, but its documentation says to load it from The Homebrew Channel I haven’t installed yet!

Under advisement, I was directed to try using ModMii, a tool intended exclusively for Windows. Running under WINE, the CLI edition of version 7.0.2 wants to update to the latest version: 7.0.2. It also failed to set up its download list. The GUI edition was slightly less buggy in that it recognized it was up to date. I tried a few versions of WINE/Proton using Lutris to switch between them, but nothing worked. I was not desperate enough to explore trying .net to see if that made ModMii run. WINE rating: Garbage

Exploring on my own, I felt silly when I found a file called installer.log:

HackMii v1.2 installer starting up
PVR = 00087200
running under IOS 38 rev 0xe19
52 titles are installed
Found IOS 16: revision: 0x200.
Found IOS 10: revision: 0x300.
Found IOS 80: revision: 0x1b20.
Found IOS 38: revision: 0xe19.
Found IOS 37: revision: 0x161f.
Found IOS 36: revision: 0xe18.
Found IOS 35: revision: 0xe18.
Found IOS 34: revision: 0xe18.
Found IOS 33: revision: 0xe18.
Found IOS 31: revision: 0xe18.
Found IOS 30: revision: 0xb00.
Found IOS 28: revision: 0x70f.
Found IOS 22: revision: 0x50e.
Found IOS 20: revision: 0x100.
Found IOS 17: revision: 0x408.
Found IOS 15: revision: 0x408.
Found IOS 14: revision: 0x408.
Found IOS 13: revision: 0x408.
Found IOS 12: revision: 0x20e.
Found IOS 11: revision: 0x100.
Found IOS 21: revision: 0x40f.
Found IOS 2: revision: 0x201.
Found IOS 9: revision: 0x40a.
Found IOS 4: revision: 0xff00.
launching IOS 38 for the installer…

IOS launched…

IOS versions: Installer: 38, HBC: 0
starting preparations

Acting under the assumption I might have a bad cIOS hiding in that list, I converted the revision hexadecimal numbers into decimal looked up each one up on wiibrew.org [2]. All I found was that IOS2 was a false positive and actually part of the system menu. After bringing this back to r/WiiHacks’ Discord, I was advised about an odd line:

IOS versions: Installer: 38, HBC: 0

HackMii usually works better exploiting another IOS, like IOS58, which was either absent or incorrectly loaded during the 4.3 update (I never was properly convinced either way). Discounting ModMii or technical piracy, my last chance at obtaining IOS58 was NUSD. While it is a Windows tool, I found NUSD runs perfectly in WINE on Linux. Platinum rating.

From there, I loaded a WAD file for IOS58 on my SD card alongside a WAD manager called YAWMM, and copied/renamed its boot file to <SD_card>/boot.elf as the payload in place of HackMii. Installation was straightforward from there, and HackMii was repaired.

A blow for blow description of the solution that worked for me can be found here: https://www.rwiihacks.com/tutorials/hackmiiscamstuckfix/index.html#method-3 [3]

“Press (1) to continue” appeared, and I used it to install both The Homebrew Channel and BootMii as an IOS.

BootMii and Priiloader

The Wii has three boot stages: boot0, boot1, and boot2. boot2 can be written to, but only early hardware revisions will brick if boot2 is homebrewed. HackMii detected a patched motherboard and didn’t let me install BootMii to boot2.

BootMii can backing up and restoring the Wii’s internal NAND memory. If you can install it to boot2, it gives you a low-level option to recover from a brick. I don’t get that though.

My next obstacle is SD card size. A stock Wii can only use a 2GB or 32GB SD card depending on if it is running firmware version 4.0 or later. It is recommended to have something a bit bigger than 256MB, as I have been using so far. I sacrificed my Manjaro ARM 32GB microSD for the cause, but I got a NAND backup through BootMii.

Priiloader loads after boot2 and before the System Menu and thereby is a powerful tool from recovering from a brick (though it is second to BootMii boot2 edition). It also offers a bunch of customization options to research another day, but following the wii.hacks.guide tutorial, I disabled disk/online updates and disabled an anti-flicker feature intended for tube TV’s.

D2x and cIOS

As a general rule, wisdom gleaned from the community says cIOS should be avoided, as they’ve learned how to do most things they want to do without changing firmware. However, the wii.hacks.guide checklist does install four cIOS files. Published details are vague, but I gather they do things like allow loading games off USB instead of the DVD drive and using unofficial online services. Wiibrew.org wasn’t particularly helpful when I looked each base IOS up, but then again this is my first time customizing firmware.

Diving deeper, D2x patches official IOS files during installation. This process went smoothly even if it was nerveracking. I double or triple checked each of the four ISO’s to be installed. But even if something did go wrong, that’s what doing a NAND backup early is for.

Loading Homebrew Apps

One more touch, and I can consider my Wii fully hacked for now: the Homebrew Browser. If The Homebrew Channel doesn’t find apps on the SD card (or optionally a USB drive), it shows nothing but bubbles your pointer can pop on contact. The Homebrew Browser can load and update apps to SD (or USB), but itself must be loaded manually. I installed a few recommended utilities, but further tinkering will have to wait for another topic.

Takeaway

Unfortunately, the channel I was working in/using for notes was deleted once I had gotten to The Homebrew Channel. I am mad because by then I had only written my disclaimer and half the recap by then. By God’s grace, I forgive the one[s] responsible, but my hope is that our shared lesson be the value of the footprints we leave behind when working in niche community support topics.

Final Question

Have you ever tried hacking/soft modding a Wii or any other game console? I look forward to hearing from you in the comments below or on my Socials!

Works Cited

[1] Nintendo Homebrew, “Wii Hacks Guide,” wii.hacks.guide, 2024. [Online].Available: https://wii.hacks.guide/ [Accessed Aug. 12, 2024].

[2] wiibrew.org,Nov. 18, 2021. Available: [Online]. https://www.wiibrew.org [Accessed Aug. 12, 2024].

[3] u/WiiExpertise, “HackMii Scamstuck Fix,”rwiihacks.com, 2023. [Online]. Available: https://www.rwiihacks.com/tutorials/hackmiiscamstuckfix/index.html#method-3 [Accessed Aug. 12, 2024].

Can Linux See a GameCube Controller?

Good Morning from my Robotics Lab! This is Shadow_8472 with a side project for the week. Let’s get started!

I’ve had a Nintendo GameCube controller on my desk ever since I got a USB adapter some months ago. I poke at it every so often, trying to confirm it working in Linux, but in late June of this year, things came together.

Computer: Derpy Chips
Distribution: PopOS 22.04
Desktop Environment: KDE Plasma 5.24.7 (Qt 5.15.3)
Product: DragonRise Inc. Controller Adapter

In my research, I read about this product working with Dolphin Emulator on Linux, if not elsewhere. Dolphin sounded like a good first stop, and one day I sat down with enough patience to compile it. It needed a few tries before I read a guide on Dolphin’s GitHub explaining how the project has dropped qt5 support [1]. However, my qt version can use backports.

I installed my compiled Dolphin package. Now for a ROM. Commercial games are illegal to download, but I can either dump my own games (not in my skill set yet) or find a homebrew game. GameCube only has one such title I found worth mentioning: Toy Wars. It’s not even an exclusive – probably because it’s basically a baby Wii/Wii U on the inside.

Long story short: Toy Wars gave me a black screen. I happen to know the Wii has tons of Homebrew, so I found another guide [2] that walked me through performing a system update, netting me the Wii menu, the Homebrew channel, and then a content browser layered on top of that. While significantly hampered navigating this browser using the emulated Wii remote, I found and downloaded a free homebrew game about dogging space junk.

And still nothing from the GameCube controller. It showed up with the command “lsusb,” but Dolphin’s configuration options said it didn’t have permission. There was the missing link. By default, Linux is a lot more locked down to strange USB peripherals than Windows. I had to make a file under “/etc/udev/rules.d” describing my controller adapter and granting these missing permissions.

$ cat /etc/udev/rules.d/51-gcadapter.rules
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="057e", ATTRS{idProduct}=="0337", MODE="0666"

The 51 in the name has to do with what order this and similar rules overwrite each other. There are a ton of possible parameters for the file contents, but idVender and idProduct can be found with the “lsusb” command where it says ID vvvv:pppp. Mode is the same as file permissions ([user, group, everybody]x[read*4+write*2+execute*1]).

Takeaway

From further observation, I concluded these changes let Dolphin reach out to find the state of my controller[s]; no events are triggered in Xorg, as happen for the mouse and keyboard. Long term, I have a gag goal of writing a custom driver so I can use my GameCube controller however I like, but I didn’t get that this go-around. Oh well.

Final Question

I couldn’t find out what the leading 0 is supposed to represent. If you know, I look forward to hearing from you in the comments below or on my Socials!

Works Cited

[1] Dolphin Emulator, “Building for Linux,” github.com, May 31, 2024. [Online]. Available: https://github.com/dolphin-emu/dolphin/wiki/Building-for-Linux. [Accessed: June 25, 2024].

[2] Nintendo Homebrew, “Installing Homebrew Channel on Dolphin Emulator,” 2024. [Online] Available: https://wii.hacks.guide/homebrew-dolphin.html. [Accessed: June 25, 2024].

A Bit About Wii Firmware

Good Morning from my Robotics Lab! This is Shadow_8472 with a smaller thought for the week. Let’s get started!

I mentioned last week how my family picked up a replacement Wii for Thanksgiving this year. Most everything appeared to be working at first, but when my sister, Taz (Tzarina8472), found Animal Crossing: City Folk needed a firmware update to play. I’m planning to hack this Wii at some point to get on its large homebrew scene, but firmware updates can patch out needed vulnerabilities.

My early research hinted that any version would work, but I later confirmed this on WiiBrew.org [1], whose FAQ’s opening introduces itself as an authoritative reference. All firmware versions have exploits, but updating to or past version 4.2 risks a system brick, and the WiiBrew FAQ does not recommended it for any Wii.

If there exists some website that lists what Wii games need what firmware, I couldn’t find it. Turns out games that may need a firmware update come bundled with the version they need. Luckily, the problematic 4.2 firmware was released the year after this of Animal Crossing. The system went from firmware version 3.2 to 3.3 (best guess from memory).

Final Question

What would you do with a freshly hacked Wii?

I look forward hearing your answers on in the comments below or on my Socials.

Work Cited

[1] “Wii Brew,” WiiBrew.org, Nov. 18, 2021. [Online]. available: www.wiibrew.org/wiki/Main_Page [Accessed Dec. 5, 2022].