Wii?

This page hasn't been updated in a very long time and I haven't done much with the Wii since then. Except for some "private" stuff that Nintendo already patched. More on that later...maybe.
Just a teaser:

If you don't understand what that image means, then ignore it. Just to make it clear, I did this within a week of getting the Wii and can no longer do it. So don't bother asking me. Nintendo fixed the hole.
This page looks like shit mainly because it hasn't been touched since the last update. It's a jumble of notes, sorry. Everything below is old stuff, untouched since November of last year. Read it if you still care.

Thanks for visiting, again. - roto





A NOTE TO THE VISITORS FROM VARIOUS "NEWS" SITES: None of the info here is complete or meant to be a "guide". Everything here is just notes (some already old news). This page was not meant to make the rounds on "geek news" sites and I'm sorry if you're disappointed by what you see here. 90% of the stuff on here was written on 11/19 (Wii launch date) so it's already made the rounds on the web. If I get some REAL news, you'll know. Thanks for visiting.


Thanks again....


Let's get Wiitaded

    Got my Wii from Toys'r'Us at 10AM today (11/19/2006). Got home, plugged it in, fired up my WiFi packet sniffer. Did I buy a game? I think... oh yeah.... Rayman. It's still in the shrinkwrap.

    As soon as I fired up the network connection, the Wii wanted to update itself. Packet sniffer got a ton of logs for System Update (16MB+). Then sniffed Wii News/Shop channels (browsing/etc). UPDATE: I've been sniffing everything from adding Wii Points, to downloading VC games, to redeeming Wii points with a used Wiicard. Lots of sniffer logs.

    Thanks to everyone in #wiidev and other places thats working and having fun figuring out how the WiiShop and Wii's general network connection function.

A few videos:

First attempt at hijacking the Wii's connection to the WiiShop, don't laugh. Ok, laugh, its a joke.


Second video, a little more useful. Show's some of the JavaScript functions work without a proper connection to the internet. The sounds/BGM are embedded in the WiiShop "Channel".


User Agents, the ones I've found being used by the Wii to access content via HTTP/HTTPS:

Wii Shop Channel agent, runs when you're shopping the wii shop.
    Opera/9.00 (Nintendo Wii; U; ; 1038-58; Wii Shop Channel/1.0; en)

Wii Updater, runs when the Wii is getting it's system (firmware) update.
    wii libnup/1.0

Virtual Console downloader, runs when the download for a VC game begins.
    libec-3.0.7.06111123

WiiConnect, checks for Updates and New content.
    WiiConnect24/1.0FC4plus1 (build 061114161108)

The user agents are all used in different instances (obviously). Sometimes the user agent doesnt even matter, but othertimes you get redirected to wii.com if your UA is wrong. I found all of these via packet sniffer.


Browsing the Wii Shop:

    I found most of the links below in my packet sniffer, some had to be found by going to links in the HTML source. Not all were easy to figure out. JavaScript is iffy. This is just a few selected pages from the Wii, viewed in Forefox. Nothing special. But the source code in the pages and the .js (javascript) pages are full of interesting info. Take a look for yourself.

Wii Specific JavaScript code:
Ripped from the HTML.
http://oss.shop.wii.com/en_US/js//ec.js
http://oss.shop.wii.com/en_US/js//error.js
http://oss.shop.wii.com/en_US/js//buttons.js
http://oss.shop.wii.com/en_US/js//images.js
http://oss.shop.wii.com/en_US/js//progress.js
http://oss.shop.wii.com/en_US/js//sound.js
http://oss.shop.wii.com/en_US/js//shop.js
http://oss.shop.wii.com/en_US/js//oss.js

(Tested JavaScript code on Wii, exiting and playing sound works via JScript)

Shop Main Page:
http://oss.shop.wii.com/oss/common/vc/  <-- shows nothing...(needs "init signal?)

http://oss.shop.wii.com/oss/common/vc/L_03.jsp?language=en&region=USA&country=US&next=S_02.jsp%3Fstate%3Dinit  <-- exact Wii replica... kinda
http://oss.shop.wii.com/oss/common/vc/W_01.jsp?language=en&region=USA&country=US <-- the Wii Shop Channel!


http://oss.shop.wii.com/oss/common/vc/CheckRegistered.jsp?language=en&region=USA&country=US&titleId=0001000248414241 <-- connecting please wait...


http://oss.shop.wii.com/oss/common/vc/S_02.jsp?language=en&region=USA&country=US&&state=init <-- "My Nintendo" Membership Link


http://oss.shop.wii.com/oss/common/vc/B_05.jsp?titleId=000100014D414845 <-- Sonic The Hedgehog Wii Shop Channel


http://oss.shop.wii.com/oss/common/vc/B_09.jsp?itemId=100033&amp;titleId=000100014D414845 <-- Confirm Download

No, you cant go further. How are you going to download games without WiiPoints? This is just what the Wii sees, you cant do much here.


http://ccs.shop.wii.com/ccs/download/0001000146414145/FFFD0000 <-- Donkey Kong game download image...

http://209.67.106.203/en_US/html/manual/USA/startup.html <-- Wii Shop Info


http://oss.shop.wii.com/oss/common/vc/TestSettings.jsp <- heh



Firmware Update Sniffed (Incomplete?):

(Use WiiShop User Agent)
http://ccs.shop.wii.com/ccs/download/000000010000000b/00000008 <- small file?
http://ccs.shop.wii.com/ccs/download/000000010000000b/00000009 <--- 1.5MB?
http://ccs.shop.wii.com/ccs/download/0000000100000002/00000009 <--- 4.3MB?
http://ccs.shop.wii.com/ccs/download/0000000100000002/0000000a < -- 2.5MB
MORE? Packet dump overflowed buffer, unable to find more refernces of files to download... sorry...

DarkFader's additions:
0000000100000002_00000009
0000000100000002_0000000a
0000000100000002_0000000c
000000010000000b_00000008
000000010000000b_00000009
000000010000000c_00000000
000000010000000c_00000001
000000010000000d_00000006
000000010000000d_00000007
0000000100000100_00000001
0000000100000100_00000002
0000000100000101_00000003
0000000100000101_00000004

Lots of files, different sizes. Some contain "certs"

Packet Dump of First HTTP connection (when Wii found out it needed a firmware update): (full packet dump here)
HTTP - Hyper Text Transfer Protocol
  Command:              POST
  URI:                  http://nus.shop.wii.com:80/nus/services/NetUpdateSOAP
  Version:              HTTP/1.1<CR><LF>
Host:                   nus.shop.wii.com<CR><LF>
Accept:                 text/html, image/gif, image/jpeg, */*<CR><LF>
Content-type:           text/xml; charset=utf-8<CR><LF>
Content-length:         1046<CR><LF>
User-Agent:             wii libnup/1.0<CR><LF>
SOAPAction:             "urn:nus.wsapi.broadon.com/GetSystemUpdate"<CR><LF><CR><LF>
  Line  1:              <?xml version="1.0" encoding="UTF-8"?><LF>
  Line  2:              <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"<LF>
  Line  3:              xmlns:xsd="http://www.w3.org/2001/XMLSchema"<LF>
  Line  4:              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><LF>
  Line  5:              <soapenv:Body><LF>
  Line  6:              <GetSystemUpdateRequest xmlns="urn:nus.wsapi.broadon.com"><LF>
  Line  7:              <Version>1.0</Version><LF>
  Line  8:              <MessageId>13198105123219138</MessageId><LF>
  Line  9:              <DeviceId>4362227772</DeviceId><LF>
  Line  10:             <RegionId>USA</RegionId><LF>
  Line  11:             <CountryCode>US</CountryCode><LF>
  Line  12:             <TitleVersion><LF>
  Line  13:             <TitleId>0000000100000001</TitleId><LF>
  Line  14:             <Version>2</Version><LF>
  Line  15:             </TitleVersion><LF>
  Line  16:             <TitleVersion><LF>
  Line  17:             <TitleId>0000000100000002</TitleId><LF>
  Line  18:             <Version>33</Version><LF>
  Line  19:             </TitleVersion><LF>
  Line  20:             <TitleVersion><LF>
  Line  21:             <TitleId>0000000100000009</TitleId><LF>
  Line  22:             <Version>516</Version><LF>
  Line  23:             </TitleVersion><LF>
  Line  24:             <Attribute>1</Attribute><LF>
  Line  25:             <AuditData></AuditData><LF>
  Line  26:             </GetSystemUpdateRequest><LF>
  Line  27:             </soapenv:Body><LF>
  Line  28:             </soapenv:Envelope><LF>
Extra bytes (Padding):
  .....S:.          00 00 00 00 FD 53 3A 96
FCS - Frame Check Sequence
  FCS (Calculated):     0xF9FE0CA3


Second packet (full dump here )
HTTP - Hyper Text Transfer Protocol
  Version:              HTTP/1.1
  Status:               200
  Reason:               <CR><LF>
Date:                   Sun, 19 Nov 2006 19:59:19 GMT<CR><LF>
Server:                 Apache/2.0.48<CR><LF>
Content-Type:           text/xml; charset=utf-8<CR><LF>
Transfer-Encoding:      chunked<CR><LF><CR><LF>
  Line  1:              546<CR><LF>
  Line  2:              <?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="http://sc
  Line                  hemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" x
  Line                  mlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><GetSystemUpd
  Line                  ateResponse xmlns="urn:nus.wsapi.broadon.com"><Version>1.0</Version><DeviceId>43
  Line                  62227772</DeviceId><MessageId>13198105123219138</MessageId><TimeStamp>1163966359
  Line                  696</TimeStamp><ErrorCode>0</ErrorCode><ContentPrefixURL>http://nus.cdn.shop.wii
  Line                  .com/ccs/download</ContentPrefixURL><UncachedContentPrefixURL>http://ccs.shop.wi
  Line                  i.com/ccs/download</UncachedContentPrefixURL><TitleVersion><TitleId>000000010000
  Line                  0002</TitleId><Version>97</Version><FsSize>21839872</FsSize></TitleVersion><Titl
  Line                  eVersion><TitleId>000000010000000B</TitleId><Version>10</Version><FsSize>1654784
  Line                  </FsSize></TitleVersion><TitleVersion><TitleId>000000010000000C</TitleId><Versio
  Line                  n>6</Version><FsSize>1654784</FsSize></TitleVersion><TitleVersion><TitleId>00000
  Line                  0010000000D</TitleId><Version>10</Version><FsSize>1654784</FsSize></TitleVersion
  Line                  ><TitleVersion><TitleId>0000000100000100</TitleId><Version>2</Version><FsSize>65
  Line                  536</FsSize></TitleVersion><TitleVersion><TitleId>0000000100000101</TitleId><Ver
  Line                  sion>4</Version><FsSize>229376</FsSize></TitleVersion><UploadAuditData>1</Upload
  Line                  AuditData></GetSystemUpdateResp
Extra bytes (Padding):
  ....J...          00 00 00 00 4A F8 DE C7
FCS - Frame Check Sequence
  FCS (Calculated):     0xB61CB005



Fist part of Firmware Update yields the following:
(XML/SOAP requests/results sent by system)



* SOAP SERVER ADDRESS:
http://nus.shop.wii.com:80/nus/services/NetUpdateSOAP

* SOAPaction:
urn:nus.wsapi.broadon.com/GetSystemUpdate

* MESSAGE:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<GetSystemUpdateRequest xmlns="urn:nus.wsapi.broadon.com">
<Version>1.0</Version>
<MessageId>13198105123219138</MessageId>
<DeviceId>4362227772</DeviceId>
<RegionId>USA</RegionId>
<CountryCode>US</CountryCode>
<TitleVersion>
<TitleId>0000000100000001</TitleId>
<Version>2</Version>
</TitleVersion>
<TitleVersion>
<TitleId>0000000100000002</TitleId>
<Version>33</Version>
</TitleVersion>
<TitleVersion>
<TitleId>0000000100000009</TitleId>
<Version>516</Version>
</TitleVersion>
<Attribute>1</Attribute>
<AuditData></AuditData>
</GetSystemUpdateRequest>
</soapenv:Body>
</soapenv:Envelope>

* REPONSE:
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<GetSystemUpdateResponse xmlns="urn:nus.wsapi.broadon.com">
<Version>1.0</Version>
<DeviceId>4362227772</DeviceId>
<MessageId>13198105123219138</MessageId>
<TimeStamp>1163966359696</TimeStamp>
<ErrorCode>0</ErrorCode>
<ContentPrefixURL>http://nus.cdn.shop.wii.com/ccs/download</ContentPrefixURL>
<UncachedContentPrefixURL>http://ccs.shop.wii.com/ccs/download</UncachedContentPrefixURL>
<TitleVersion><TitleId>0000000100000002</TitleId>
<Version>97</Version>
<FsSize>21839872</FsSize>
</TitleVersion><TitleVersion>
<TitleId>000000010000000B</TitleId>
<Version>10</Version>
<FsSize>1654784</FsSize>
</TitleVersion>
<TitleVersion>
<TitleId>000000010000000C</TitleId>
<Version>6</Version>
<FsSize>1654784</FsSize>
</TitleVersion>
<TitleVersion>
<TitleId>000000010000000D</TitleId>
<Version>10</Version>
<FsSize>1654784</FsSize>
</TitleVersion>
<TitleVersion>
<TitleId>0000000100000100</TitleId>
<Version>2</Version>
<FsSize>65536</FsSize>
</TitleVersion>
<TitleVersion>
<TitleId>0000000100000101</TitleId>
<Version>4</Version>
<FsSize>229376</FsSize>
</TitleVersion>
<UploadAuditData>1</UploadAuditData>
</GetSystemUpdateResponse>
</soapenv:Body>
</soapenv:Envelope>

* UNFILTERED:
1.043622277721319810512321913811641804558190http://nus.cdn.shop.wii.com/ccs/downloadhttp://ccs.shop.wii.com/ccs/download00000001000000029721839872000000010000000B101654784000000010000000C61654784000000010000000D1016547840000000100000100265536000000010000010142293760

* FIXED:
Version:         1.0
DeviceID:        4362227772
MessageID:       13198105123219138
TimeStamp:      
1163966359696
ErrorCode:       0
DownloadURL:     http://nus.cdn.shop.wii.com/ccs/download    (Cached)
DownloadURL:     http://ccs.shop.wii.com/ccs/download        (Uncached)

0000000100000002/tmd.97        Filesize: 21839872
000000010000000B/tmd.10        Filesize: 1654784
000000010000000C/tmd.6        Filesize: 1654784
000000010000000D/tmd.10        Filesize: 1654784
0000000100000100/tmd.2        Filesize: 65536
0000000100000101/tmd.4        Filesize: 2293760



Sniffed WiFi data on bootup of console (Actually happens frequently, WiiConnect24):

WiConnect24 User Agent String:
WiiConnect24/1.0FC4plus1 (build 061114161108)

/cgi-bin/check.cgi

http://rcw.wc24.wii.com/cgi-bin/check.cgi?mlchkid=0eb3197b5b3b7a6d5be699f4a1f96b30&chlng=c6d1f7d1383628459a7e1046f36c8708
Returns:
cd=100
msg=Success.
res=41a92b071d662feea6281bbbf658b751febeb94d
mail.flag=000000000000000000000000000000000
interval=10

http://rcw.wc24.wii.com/cgi-bin/check.cgi
returns:
cd=320
msg=Receive data is incorrect format.

http://rcw.wc24.wii.com/cgi-bin/check.cgi?mlchkid=0eb3197b5b3b7a6d5be699f4a1f96b31&chlng=c6d1f7d1383628459a7e1046f36c8708
Underlined value was changed, DarkFader noted "mlchkid" is Member Login Check ID...seems to fit in this situation.
returns:
cd=321
msg=User Not Found.



Virtual Console Stuff.
Adding Wiipoints goes over SSL connection.
Downloading has some HTTPS connections too...

POSSIBLY INCORRECT: Download goes like this, you select the game, click "Download", the Wii connects to proper servers,
checks your Wii points, then it sends you to the download location. A "TMD" file gets downloaded,
followed by the rest of the data. Then the Wii combines
the TMD with the rest of the data to create a proper Channel (content.bin).


Wii Shop Main:
http://oss.shop.wii.com/oss/common/vc/W_01.jsp?language=en&region=USA&country=US

Wii Shop Pages:

http://209.67.106.203/oss/common/vc/B_04.jsp?p=1&platform=SFC%2FSNES&license=PERMANENT <-- Show SNES games

http://209.67.106.203/oss/common/vc/B_05.jsp?titleId=000100014A414345 <- F-Zero
http://209.67.106.203/oss/common/vc/B_05.jsp?titleId=000100014D414845 <- Sonic, notice only 2 character change in ID
http://209.67.106.203/oss/common/vc/B_05.jsp?titleId=0001000146414145 <- Donkey Kong NES

Got a bunch of Virtual Console games together from some channel members. Lots of interesting stuff in there,
files seem encrypted and tied to specific console. Comparing files shows huge differences, but also nice chunks
of bytes that are equal. More later.

Game Identifiers:
1st Byte = System
2nd Byte = ?
3rd Byte = ?
4th Byte = Language

NAAE = Super Mario 64
219,584 00000000
1,683,616 00000001
4,559,888 00000002
2,669,056 00000003
2,156,800 00000004
9,527,456 00000005
263,424 00000006
2,528 tmd
21,082,352 bytes

JACE = F-Zero (SNES)
230,912 00000000
1,553,632 00000001
4,559,888 00000002
2,669,056 00000003
2,156,800 00000004
1,423,616 00000005
263,424 00000006
230,912 00000007
1,553,664 00000008
1,421,824 00000009
2,528 tmd
16,066,256 bytes

JAFE = SimCity (SNES)
247,808 00000000
1,554,688 00000001
4,559,888 00000002
2,669,056 00000003
2,156,800 00000004
2,135,536 00000005
263,424 00000006
247,808 00000007
1,554,720 00000008
2,528 tmd
15,392,256 bytes

FAAE = DonkeyKong (NES)
210,752 00000000
1,372,576 00000001
4,559,888 00000002
2,669,056 00000003
2,156,800 00000004
605,200 00000005
263,424 00000006
2,528 tmd
11,840,224 bytes

FAKE = Zelda (NES)
FAME = Wario's Woods (NES)
FAOE = Solomon's Key (NES)
FAIE = Soccer (NES)
FACE = Pinball (NES)
FAFE = Mario Brothers (NES)

MAHE = Sonic (Genesis)
MAAE = Alterted Beast (Genesis)



A "Guide" to browsing the Web via the Shop channel:

    If  you want a (semi) easy way to browse the web via the Shop channel, download this file and place it's contents into the root of webserver's htdocs (you need a PHP-enabled web server). Set your DNS server to point "oss.shop.wii.com" to your HTTP server (create wii.com zone, then "oss.shop" subdomain). If you don't know how to set up an HTTP/DNS server, search online. Once the Wii asks for the shop channel, the page is loaded and you are proxied to Google.com (URL can be changed, modify top.location). Thanks to Google you can pretty much go to any site you want. It's not the EASISET way ( you need a PHP-enabled web server, and you need to have a DNS server), but if anyone wants to they can try it out.
    Thanks to a fellow Wii enthusiast for sending me this little gem.
    (I take no responsibility for the contents of WiiBrowse.zip, I'm just passing it along, I didn't create it.)




Created - 11/19/06 - 11:30am
Updated - 11/24/06