Hacking A channel-less, sd-less entry point: str2hax

[Alexander1970]

The Wii Mini physically does not have internet programmed into it

Hello.

Very right.
The Wii Mini´s System menu did not have anything like Internet Browser.For i remember it has DISC Channel,Mii Channel and a Manual Icon.And of course no WiFi.Thats why it still cannot be hacked today.

 

[XFlak]

Correction: it still cannot be hacked today

Edit: at the time of original posting this was true since then...

https://forum.wii-homebrew.com/index.php/Thread/59342-Installing-Homebrew-on-the-Wii-Mini/

 

[MaxiBash]

The Wii Mini physically does not have internet programmed into it

It's possible that we can re-enable internet access by installing the IOS and by installing a regular v4.3. Sure, it can't connect wireless, but it's possible over a LAN connection.

 

[Brayton]

The Wii Mini physically does not have internet programmed into it

Okay, I was thinking something close to that, but thank you! that gives me more info than what I thought.

--------------------- MERGED ---------------------------

Correction: it still cannot be hacked today

It's possible that we can re-enable internet access by installing the IOS and by installing a regular v4.3. Sure, it can't connect wireless, but it's possible over a LAN connection.

Oh, thank you, that gives me more info, so no reinstalling menu as it's on 4.3, and no GameCube port 4 with all d-pad, no LAN, no SD Card, only thing I would think is hardware or maybe USB?

 

[CoolStarDood]

Okay, I was thinking something close to that, but thank you! that gives me more info than what I thought.

--------------------- MERGED ---------------------------




Oh, thank you, that gives me more info, so no reinstalling menu as it's on 4.3, and no GameCube port 4 with all d-pad, no LAN, no SD Card, only thing I would think is hardware or maybe USB?

Like i said earlier in the thread, the only games i can think of that send info to and from a USB device are Skylanders and disney infinity. If we can find a vulnerability in one of those games, it would be as simple as a copy of the game, and either a dedicated USB device, or said game's portal device and a custom NFC card

 

[Vexrhi]

I followed all of the steps, but the regular EULA loads instead, any idea what to do?

 

[ranjeets]

I followed all of the steps, but the regular EULA loads instead, any idea what to do?

Same here, I have a 4.3E, normal eula is loading on following steps.

 

[Fullmetal5]

I followed all of the steps, but the regular EULA loads instead, any idea what to do?

Same here, I have a 4.3E, normal eula is loading on following steps.

Make sure you guys are changing your active connection, select "Use this connection" if you are using a different one.

 

[ranjeets]

Make sure you guys are changing your active connection, select "Use this connection" if you are using a different one.

I have a single connection.

i guess changing dns server should resolve to a different server. But seems its not happening.
replaced dots with '_'
~$ nslookup cfh_wapp_wii_com 97_74_103_14
Server: 97_74_103_14
Address: 97_74_103_14#53

Non-authoritative answer:
cfh_wapp_wii_com canonical name = cfh_wapp_wii_com_edgesuite_net_
cfh_wapp_wii_com_edgesuite_net canonical name = a1390_g_akamai_net_
Name: a1390_g_akamai_net
Address: 202_83_26_106
Name: a1390_g_akamai_net
Address: 202_83_26_113

~$ nslookup cfh_wapp_wii_com 8_8_8_8
Server: 8_8_8_8
Address: 8_8_8_8#53

Non-authoritative answer:
cfh_wapp_wii_com canonical name = cfh_wapp_wii_com_edgesuite_net_
cfh_wapp_wii_com_edgesuite_net canonical name = a1390_g_akamai_net_
Name: a1390_g_akamai_net
Address: 202_83_26_106
Name: a1390_g_akamai_net
Address: 202_83_26_113

resolving cfh_wapp_wii_com with google dns and new dns is giving same result.

 

[Fullmetal5]

I have a single connection.

i guess changing dns server should resolve to a different server. But seems its not happening.
replaced dots with '_'
~$ nslookup cfh_wapp_wii_com 97_74_103_14
Server: 97_74_103_14
Address: 97_74_103_14#53

Non-authoritative answer:
cfh_wapp_wii_com canonical name = cfh_wapp_wii_com_edgesuite_net_
cfh_wapp_wii_com_edgesuite_net canonical name = a1390_g_akamai_net_
Name: a1390_g_akamai_net
Address: 202_83_26_106
Name: a1390_g_akamai_net
Address: 202_83_26_113

~$ nslookup cfh_wapp_wii_com 8_8_8_8
Server: 8_8_8_8
Address: 8_8_8_8#53

Non-authoritative answer:
cfh_wapp_wii_com canonical name = cfh_wapp_wii_com_edgesuite_net_
cfh_wapp_wii_com_edgesuite_net canonical name = a1390_g_akamai_net_
Name: a1390_g_akamai_net
Address: 202_83_26_106
Name: a1390_g_akamai_net
Address: 202_83_26_113

resolving cfh_wapp_wii_com with google dns and new dns is giving same result.

That's odd, something must be changing the response to you. Unfortunately there's nothing I can do from my side about this.

$ dig cfh.wapp.wii.com @97.74.103.14

; <<>> DiG 9.14.4 <<>> cfh.wapp.wii.com @97.74.103.14
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35113
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cfh.wapp.wii.com. IN A

;; ANSWER SECTION:
cfh.wapp.wii.com. 10800 IN A 107.180.43.74

;; AUTHORITY SECTION:
wii.com. 3600 IN NS ns28.domaincontrol.com.
wii.com. 3600 IN NS ns27.domaincontrol.com.

;; Query time: 48 msec
;; SERVER: 97.74.103.14#53(97.74.103.14)
;; WHEN: Sat Aug 03 13:44:48 CDT 2019
;; MSG SIZE rcvd: 113

 

[ranjeets]

Thanks, made it work by redirecting cfh_wapp_wii_com to 107.180.43.74 with my router.

 

[Beenz]

The primary DNS always changes to 097.074.103.014 for some reason.

 

[FancyNintendoGamer567]

@Beenz Do you have Auto-Obtain DNS set to Off during the whole thing?

 

[Beenz]

@Beenz Do you have Auto-Obtain DNS set to Off during the whole thing?

Yes. It just takes the DNS settings I enter (for both primary and secondary) and makes any 2 digit numbers 3 digit by automatically adding a 0 before what I actually entered.

 

[FancyNintendoGamer567]

Oh, the zeros are normal, ignore them.

 

[Beenz]

Oh, the zeros are normal, ignore them.

Oh ok. It still loads the normal EULA though, and I thought the zeros were the issue.

 

[Vila_]

Nice, keep it up

 

[nifl]

Thanks, made it work by redirecting cfh_wapp_wii_com to 107.180.43.74 with my router.

I'm running into the same problem you did.. how did you redirect with your router? I already tried redirecting the DNS servers my modem uses to 107.180.43.74 as the primary and 173.201.71.14 as the second but it didn't work. Did you use port forwarding?

 

[moparisthebest]

Good news is I tried this on 3.2U and it works there too! Thanks for the great work!

Bad news is this exploit's reliability strangely seems to be based on the network speed of the HTML file, anyone else experience this? I tried the provided HTTP server 5 times, and it only worked twice. I hosted the files on my LAN like so:

downloaded the files like so:

curl -v4A 'Opera/9.00 (Nintendo Wii; U; ; 1038-58; en)' --http1.1 http://cfh.wapp.wii.com/eula/049/en.html -o index.html http://cfh.wapp.wii.com/eula/049/rd.png -O http://cfh.wapp.wii.com/eula/049/payload.png -O

nginx configuration:

server {
        listen       192.168.1.1:80;

        server_name cfh.wapp.wii.com;
        root /var/www/htdocs/cfh.wapp.wii.com/;

        rewrite "(?i).*\.html$" "/index.html" last;
        rewrite "(?i).*/payload\.png$" "/payload.png" last;
        rewrite "(?i).*/rd\.png$" "/rd.png" last;
}

And redirected to my nginx server with this dnsmasq config:

host-record=cfh.wapp.wii.com,192.168.1.1,6000

And tried this about 20 times over 2 days and it NEVER worked once, finally worked out the only difference between our servers was yours was slower than mine, so I added this to the nginx config:

        location = /index.html {
            limit_rate 50k;
        }

And so far I've tried this about 10 times across 2 different Wii's (one 4.3U one 3.2U) and it's worked 100% of the time. I tried 300k a few times and it only worked once, so I'm sticking with 50k I guess.

I can't imagine why this would be the case, but it seems to be and I'm curious if anyone has a guess as to why.

Thanks!

edit: when I say "did not work" *most* of the time it locked up on the EULA page, every now and then I saw the black print complaining it couldn't find the payload, it never once got to the stage where it tried to resolve hbc.hackmii.com (whenever it got that far, it always worked)

 

[wiihackz]

I keep getting an error 30500, why?

--------------------- MERGED ---------------------------

I'm entering the right numbers for the DNS server, and my internet connection works. I keep getting an error 30500, why?