This page hasn't been updated in a very long time and I haven't done
much with the Wii since then. Except for some "private" stuff that
Nintendo already patched. More on that later...maybe.
Just a teaser:
If you don't understand what that image means, then ignore it. Just to
make it clear, I did this within a week of getting the Wii and can no
longer do it. So don't bother asking me. Nintendo fixed the hole.
This page looks like shit mainly because it hasn't been touched since
the last update. It's a jumble of notes, sorry. Everything below is old
stuff, untouched since November of last year. Read it if you still
care.
Thanks for visiting, again. - roto
A NOTE TO THE VISITORS FROM VARIOUS
"NEWS" SITES:
None of the info here is complete or meant to be a "guide". Everything
here is just notes (some already old news). This page was not meant to
make the rounds on "geek news" sites and I'm sorry if you're
disappointed by what you see here. 90% of the stuff on here was written
on 11/19 (Wii launch date) so it's already made the rounds on the web.
If I get some REAL news, you'll know. Thanks for visiting.
Thanks again....
Let's get Wiitaded
Got my Wii from Toys'r'Us at 10AM today
(11/19/2006). Got home, plugged it in, fired up my WiFi packet sniffer.
Did I buy a game? I think... oh yeah.... Rayman. It's still in the
shrinkwrap.
As soon as I fired up the network connection, the
Wii wanted to update itself. Packet sniffer got a ton of logs for
System Update (16MB+). Then sniffed Wii News/Shop channels
(browsing/etc). UPDATE: I've been sniffing everything from adding Wii
Points, to downloading VC games, to redeeming Wii points with a used
Wiicard. Lots of sniffer logs.
Thanks to everyone in #wiidev and other places thats
working and having fun figuring out how the WiiShop and Wii's general
network connection function.
A few videos:
First attempt at hijacking the Wii's connection to the WiiShop, don't
laugh. Ok, laugh, its a joke.
Second video, a little more useful. Show's some of the JavaScript
functions work without a proper connection to the internet. The
sounds/BGM are embedded in the WiiShop "Channel".
User
Agents, the ones I've found being used by the Wii to access content via
HTTP/HTTPS:
Wii Updater, runs when the Wii is getting it's system (firmware) update. wii libnup/1.0
Virtual Console downloader, runs when the download for a VC game begins. libec-3.0.7.06111123
WiiConnect, checks for Updates and New content. WiiConnect24/1.0FC4plus1
(build 061114161108)
The user agents are all used in different instances (obviously).
Sometimes the user agent doesnt even matter, but othertimes you get
redirected to wii.com if your UA is wrong. I found all of these via
packet sniffer.
Browsing
the Wii Shop:
I found most of the links below in my packet
sniffer, some had to be found by going to links in the HTML source. Not
all were easy to figure out. JavaScript is iffy. This is just a few
selected pages from the Wii, viewed in Forefox. Nothing special. But
the source code in the pages and the .js (javascript) pages are full of
interesting info. Take a look for yourself.
Wii Specific JavaScript code: Ripped from the HTML.
http://oss.shop.wii.com/en_US/js//ec.js
http://oss.shop.wii.com/en_US/js//error.js http://oss.shop.wii.com/en_US/js//buttons.js
http://oss.shop.wii.com/en_US/js//images.js
http://oss.shop.wii.com/en_US/js//progress.js
http://oss.shop.wii.com/en_US/js//sound.js
http://oss.shop.wii.com/en_US/js//shop.js
http://oss.shop.wii.com/en_US/js//oss.js
(Tested JavaScript code on Wii, exiting and playing sound works via
JScript)
Shop Main Page:
http://oss.shop.wii.com/oss/common/vc/ <-- shows
nothing...(needs "init signal?)
Lots of files, different sizes. Some contain "certs"
Packet Dump of First HTTP connection (when Wii found out it needed a
firmware update): (full packet dump here)
HTTP - Hyper Text Transfer
Protocol
Command:
POST
URI:
http://nus.shop.wii.com:80/nus/services/NetUpdateSOAP
Version:
HTTP/1.1<CR><LF>
Host:
nus.shop.wii.com<CR><LF>
Accept:
text/html, image/gif, image/jpeg, */*<CR><LF>
Content-type:
text/xml; charset=utf-8<CR><LF>
Content-length:
1046<CR><LF>
User-Agent:
wii libnup/1.0<CR><LF>
SOAPAction:
"urn:nus.wsapi.broadon.com/GetSystemUpdate"<CR><LF><CR><LF>
Line
1:
<?xml version="1.0" encoding="UTF-8"?><LF>
Line
2:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"<LF>
Line
3:
xmlns:xsd="http://www.w3.org/2001/XMLSchema"<LF>
Line
4:
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><LF>
Line
5:
<soapenv:Body><LF>
Line
6:
<GetSystemUpdateRequest
xmlns="urn:nus.wsapi.broadon.com"><LF>
Line
7:
<Version>1.0</Version><LF>
Line
8:
<MessageId>13198105123219138</MessageId><LF>
Line
9:
<DeviceId>4362227772</DeviceId><LF>
Line
10:
<RegionId>USA</RegionId><LF>
Line
11:
<CountryCode>US</CountryCode><LF>
Line
12:
<TitleVersion><LF>
Line
13:
<TitleId>0000000100000001</TitleId><LF>
Line
14:
<Version>2</Version><LF>
Line
15:
</TitleVersion><LF>
Line
16:
<TitleVersion><LF>
Line
17:
<TitleId>0000000100000002</TitleId><LF>
Line
18:
<Version>33</Version><LF>
Line
19:
</TitleVersion><LF>
Line
20:
<TitleVersion><LF>
Line
21:
<TitleId>0000000100000009</TitleId><LF>
Line
22:
<Version>516</Version><LF>
Line
23:
</TitleVersion><LF>
Line
24:
<Attribute>1</Attribute><LF>
Line
25:
<AuditData></AuditData><LF>
Line
26:
</GetSystemUpdateRequest><LF>
Line
27:
</soapenv:Body><LF>
Line
28:
</soapenv:Envelope><LF>
Extra bytes (Padding):
.....S:.
00 00 00 00 FD 53 3A 96
FCS - Frame Check Sequence
FCS (Calculated): 0xF9FE0CA3
HTTP - Hyper Text Transfer
Protocol
Version:
HTTP/1.1
Status:
200
Reason:
<CR><LF>
Date:
Sun, 19 Nov 2006 19:59:19 GMT<CR><LF>
Server:
Apache/2.0.48<CR><LF>
Content-Type:
text/xml; charset=utf-8<CR><LF>
Transfer-Encoding:
chunked<CR><LF><CR><LF>
Line
1:
546<CR><LF>
Line
2:
<?xml version="1.0" encoding="utf-8"?><soapenv:Envelope
xmlns:soapenv="http://sc
Line
hemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" x
Line
mlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><GetSystemUpd
Line
ateResponse
xmlns="urn:nus.wsapi.broadon.com"><Version>1.0</Version><DeviceId>43
Line
62227772</DeviceId><MessageId>13198105123219138</MessageId><TimeStamp>1163966359
Line
696</TimeStamp><ErrorCode>0</ErrorCode><ContentPrefixURL>http://nus.cdn.shop.wii
Line
.com/ccs/download</ContentPrefixURL><UncachedContentPrefixURL>http://ccs.shop.wi
Line
i.com/ccs/download</UncachedContentPrefixURL><TitleVersion><TitleId>000000010000
Line
0002</TitleId><Version>97</Version><FsSize>21839872</FsSize></TitleVersion><Titl
Line
eVersion><TitleId>000000010000000B</TitleId><Version>10</Version><FsSize>1654784
Line
</FsSize></TitleVersion><TitleVersion><TitleId>000000010000000C</TitleId><Versio
Line
n>6</Version><FsSize>1654784</FsSize></TitleVersion><TitleVersion><TitleId>00000
Line
0010000000D</TitleId><Version>10</Version><FsSize>1654784</FsSize></TitleVersion
Line
><TitleVersion><TitleId>0000000100000100</TitleId><Version>2</Version><FsSize>65
Line
536</FsSize></TitleVersion><TitleVersion><TitleId>0000000100000101</TitleId><Ver
Line
sion>4</Version><FsSize>229376</FsSize></TitleVersion><UploadAuditData>1</Upload
Line
AuditData></GetSystemUpdateResp
Extra bytes (Padding):
....J...
00 00 00 00 4A F8 DE C7
FCS - Frame Check Sequence
FCS (Calculated): 0xB61CB005
Fist part of Firmware Update yields the following:
(XML/SOAP requests/results sent by system)
* SOAP SERVER ADDRESS:
http://nus.shop.wii.com:80/nus/services/NetUpdateSOAP
http://rcw.wc24.wii.com/cgi-bin/check.cgi?mlchkid=0eb3197b5b3b7a6d5be699f4a1f96b31&chlng=c6d1f7d1383628459a7e1046f36c8708 Underlined value was changed, DarkFader noted "mlchkid" is
Member
Login Check ID...seems to fit in this situation. returns:
cd=321 msg=User Not Found.
Virtual
Console Stuff.
Adding Wiipoints goes over SSL connection. Downloading has some HTTPS connections too...
POSSIBLY INCORRECT: Download goes like this, you select the game, click "Download", the Wii connects to proper servers, checks your Wii points, then it sends you to the download location. A "TMD" file gets downloaded, followed by the rest of the data. Then the Wii combines the TMD with the rest of the data to create a proper Channel (content.bin).
Wii Shop Pages: http://209.67.106.203/oss/common/vc/B_04.jsp?p=1&platform=SFC%2FSNES&license=PERMANENT <-- Show SNES games
http://209.67.106.203/oss/common/vc/B_05.jsp?titleId=000100014A414345 <- F-Zero http://209.67.106.203/oss/common/vc/B_05.jsp?titleId=000100014D414845 <- Sonic, notice only 2 character change in ID http://209.67.106.203/oss/common/vc/B_05.jsp?titleId=0001000146414145 <- Donkey Kong NES
Got a bunch of Virtual Console games together from some channel members. Lots of interesting stuff in there, files seem encrypted and tied to specific console. Comparing files shows huge differences, but also nice chunks of bytes that are equal. More later.
Game Identifiers: 1st Byte = System 2nd Byte = ? 3rd Byte = ? 4th Byte = Language
MAHE = Sonic (Genesis) MAAE = Alterted Beast (Genesis)
A "Guide" to browsing the Web via the Shop channel:
If you want a
(semi) easy way to browse the web via the Shop channel, download this file and place it's
contents into the root of webserver's htdocs (you need a PHP-enabled
web server). Set your DNS server to point "oss.shop.wii.com" to your
HTTP server (create wii.com zone, then "oss.shop" subdomain). If you
don't know how to set up an HTTP/DNS server, search online. Once the
Wii asks for the shop channel, the page is loaded and you are proxied
to Google.com (URL can be changed, modify top.location). Thanks to
Google you can pretty much go to any site you want. It's not the
EASISET way ( you need a PHP-enabled web server, and you need to have a
DNS server), but if anyone wants to they can try it out.
Thanks to a fellow Wii enthusiast for sending me
this little gem.
(I take no responsibility for the contents of WiiBrowse.zip, I'm just passing it along, I
didn't create it.)