Wii Stuff

Wii?

This page hasn't been updated in a very long time and I haven't done much with the Wii since then. Except for some "private" stuff that Nintendo already patched. More on that later...maybe.
Just a teaser:

If you don't understand what that image means, then ignore it. Just to make it clear, I did this within a week of getting the Wii and can no longer do it. So don't bother asking me. Nintendo fixed the hole.
This page looks like shit mainly because it hasn't been touched since the last update. It's a jumble of notes, sorry. Everything below is old stuff, untouched since November of last year. Read it if you still care.

Thanks for visiting, again. - roto

A NOTE TO THE VISITORS FROM VARIOUS "NEWS" SITES: None of the info here is complete or meant to be a "guide". Everything here is just notes (some already old news). This page was not meant to make the rounds on "geek news" sites and I'm sorry if you're disappointed by what you see here. 90% of the stuff on here was written on 11/19 (Wii launch date) so it's already made the rounds on the web. If I get some REAL news, you'll know. Thanks for visiting.

Thanks again....

Let's get Wiitaded

    Got my Wii from Toys'r'Us at 10AM today (11/19/2006). Got home, plugged it in, fired up my WiFi packet sniffer. Did I buy a game? I think... oh yeah.... Rayman. It's still in the shrinkwrap.

    As soon as I fired up the network connection, the Wii wanted to update itself. Packet sniffer got a ton of logs for System Update (16MB+). Then sniffed Wii News/Shop channels (browsing/etc). UPDATE: I've been sniffing everything from adding Wii Points, to downloading VC games, to redeeming Wii points with a used Wiicard. Lots of sniffer logs.

    Thanks to everyone in #wiidev and other places thats working and having fun figuring out how the WiiShop and Wii's general network connection function.

A few videos:

First attempt at hijacking the Wii's connection to the WiiShop, don't laugh. Ok, laugh, its a joke.

Second video, a little more useful. Show's some of the JavaScript functions work without a proper connection to the internet. The sounds/BGM are embedded in the WiiShop "Channel".

User Agents, the ones I've found being used by the Wii to access content via HTTP/HTTPS:

Wii Shop Channel agent, runs when you're shopping the wii shop.
    Opera/9.00 (Nintendo Wii; U; ; 1038-58; Wii Shop Channel/1.0; en)

Wii Updater, runs when the Wii is getting it's system (firmware) update.
    wii libnup/1.0

Virtual Console downloader, runs when the download for a VC game begins.
    libec-3.0.7.06111123

WiiConnect, checks for Updates and New content.
    WiiConnect24/1.0FC4plus1 (build 061114161108)

The user agents are all used in different instances (obviously). Sometimes the user agent doesnt even matter, but othertimes you get redirected to wii.com if your UA is wrong. I found all of these via packet sniffer.

Browsing the Wii Shop:

I found most of the links below in my packet sniffer, some had to be found by going to links in the HTML source. Not all were easy to figure out. JavaScript is iffy. This is just a few selected pages from the Wii, viewed in Forefox. Nothing special. But the source code in the pages and the .js (javascript) pages are full of interesting info. Take a look for yourself.

Wii Specific JavaScript code:
Ripped from the HTML.
http://oss.shop.wii.com/en_US/js//ec.js
http://oss.shop.wii.com/en_US/js//error.js
http://oss.shop.wii.com/en_US/js//buttons.js
http://oss.shop.wii.com/en_US/js//images.js
http://oss.shop.wii.com/en_US/js//progress.js
http://oss.shop.wii.com/en_US/js//sound.js
http://oss.shop.wii.com/en_US/js//shop.js
http://oss.shop.wii.com/en_US/js//oss.js

(Tested JavaScript code on Wii, exiting and playing sound works via JScript)

Shop Main Page:
http://oss.shop.wii.com/oss/common/vc/ <-- shows nothing...(needs "init signal?)

http://oss.shop.wii.com/oss/common/vc/L_03.jsp?language=en&region=USA&country=US&next=S_02.jsp%3Fstate%3Dinit <-- exact Wii replica... kinda
http://oss.shop.wii.com/oss/common/vc/W_01.jsp?language=en&region=USA&country=US <-- the Wii Shop Channel!

http://oss.shop.wii.com/oss/common/vc/CheckRegistered.jsp?language=en&region=USA&country=US&titleId=0001000248414241 <-- connecting please wait...

http://oss.shop.wii.com/oss/common/vc/S_02.jsp?language=en&region=USA&country=US&&state=init <-- "My Nintendo" Membership Link

http://oss.shop.wii.com/oss/common/vc/B_05.jsp?titleId=000100014D414845 <-- Sonic The Hedgehog Wii Shop Channel

http://oss.shop.wii.com/oss/common/vc/B_09.jsp?itemId=100033&titleId=000100014D414845 <-- Confirm Download

No, you cant go further. How are you going to download games without WiiPoints? This is just what the Wii sees, you cant do much here.

http://ccs.shop.wii.com/ccs/download/0001000146414145/FFFD0000 <-- Donkey Kong game download image...

http://209.67.106.203/en_US/html/manual/USA/startup.html <-- Wii Shop Info

http://oss.shop.wii.com/oss/common/vc/TestSettings.jsp <- heh

Firmware Update Sniffed (Incomplete?):

(Use WiiShop User Agent)
http://ccs.shop.wii.com/ccs/download/000000010000000b/00000008 <- small file?
http://ccs.shop.wii.com/ccs/download/000000010000000b/00000009 <--- 1.5MB?
http://ccs.shop.wii.com/ccs/download/0000000100000002/00000009 <--- 4.3MB?
http://ccs.shop.wii.com/ccs/download/0000000100000002/0000000a < -- 2.5MB
MORE? Packet dump overflowed buffer, unable to find more refernces of files to download... sorry...

DarkFader's additions:
0000000100000002_00000009
0000000100000002_0000000a
0000000100000002_0000000c
000000010000000b_00000008
000000010000000b_00000009
000000010000000c_00000000
000000010000000c_00000001
000000010000000d_00000006
000000010000000d_00000007
0000000100000100_00000001
0000000100000100_00000002
0000000100000101_00000003
0000000100000101_00000004

Lots of files, different sizes. Some contain "certs"

Packet Dump of First HTTP connection (when Wii found out it needed a firmware update): (full packet dump here)

HTTP - Hyper Text Transfer
Protocol

 
Command:             
POST

 
URI:                 
http://nus.shop.wii.com:80/nus/services/NetUpdateSOAP

 
Version:             
HTTP/1.1<CR><LF>

Host:                  
nus.shop.wii.com<CR><LF>

Accept:                
text/html, image/gif, image/jpeg, */*<CR><LF>

Content-type:          
text/xml; charset=utf-8<CR><LF>

Content-length:        
1046<CR><LF>

User-Agent:            
wii libnup/1.0<CR><LF>

SOAPAction:            
"urn:nus.wsapi.broadon.com/GetSystemUpdate"<CR><LF><CR><LF>

  Line 
1:             
<?xml version="1.0" encoding="UTF-8"?><LF>

  Line 
2:             
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"<LF>

  Line 
3:             
xmlns:xsd="http://www.w3.org/2001/XMLSchema"<LF>

  Line 
4:             
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><LF>

  Line 
5:             
<soapenv:Body><LF>

  Line 
6:             
<GetSystemUpdateRequest
xmlns="urn:nus.wsapi.broadon.com"><LF>

  Line 
7:             
<Version>1.0</Version><LF>

  Line 
8:             
<MessageId>13198105123219138</MessageId><LF>

  Line 
9:             
<DeviceId>4362227772</DeviceId><LF>

  Line 
10:            
<RegionId>USA</RegionId><LF>

  Line 
11:            
<CountryCode>US</CountryCode><LF>

  Line 
12:            
<TitleVersion><LF>

  Line 
13:            
<TitleId>0000000100000001</TitleId><LF>

  Line 
14:            
<Version>2</Version><LF>

  Line 
15:            
</TitleVersion><LF>

  Line 
16:            
<TitleVersion><LF>

  Line 
17:            
<TitleId>0000000100000002</TitleId><LF>

  Line 
18:            
<Version>33</Version><LF>

  Line 
19:            
</TitleVersion><LF>

  Line 
20:            
<TitleVersion><LF>

  Line 
21:            
<TitleId>0000000100000009</TitleId><LF>

  Line 
22:            
<Version>516</Version><LF>

  Line 
23:            
</TitleVersion><LF>

  Line 
24:            
<Attribute>1</Attribute><LF>

  Line 
25:            
<AuditData></AuditData><LF>

  Line 
26:            
</GetSystemUpdateRequest><LF>

  Line 
27:            
</soapenv:Body><LF>

  Line 
28:            
</soapenv:Envelope><LF>

Extra bytes (Padding):

  .....S:.         
00 00 00 00 FD 53 3A 96

FCS - Frame Check Sequence

  FCS (Calculated):     0xF9FE0CA3

Second packet (full dump here )

HTTP - Hyper Text Transfer
Protocol

 
Version:             
HTTP/1.1

 
Status:              
200

 
Reason:              
<CR><LF>

Date:                  
Sun, 19 Nov 2006 19:59:19 GMT<CR><LF>

Server:                
Apache/2.0.48<CR><LF>

Content-Type:          
text/xml; charset=utf-8<CR><LF>

Transfer-Encoding:     
chunked<CR><LF><CR><LF>

  Line 
1:             
546<CR><LF>

  Line 
2:             
<?xml version="1.0" encoding="utf-8"?><soapenv:Envelope
xmlns:soapenv="http://sc

 
Line                 
hemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" x

 
Line                 
mlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><GetSystemUpd

 
Line                 
ateResponse
xmlns="urn:nus.wsapi.broadon.com"><Version>1.0</Version><DeviceId>43

 
Line                 
62227772</DeviceId><MessageId>13198105123219138</MessageId><TimeStamp>1163966359

 
Line                 
696</TimeStamp><ErrorCode>0</ErrorCode><ContentPrefixURL>http://nus.cdn.shop.wii

 
Line                 
.com/ccs/download</ContentPrefixURL><UncachedContentPrefixURL>http://ccs.shop.wi

 
Line                 
i.com/ccs/download</UncachedContentPrefixURL><TitleVersion><TitleId>000000010000

 
Line                 
0002</TitleId><Version>97</Version><FsSize>21839872</FsSize></TitleVersion><Titl

 
Line                 
eVersion><TitleId>000000010000000B</TitleId><Version>10</Version><FsSize>1654784

 
Line                 
</FsSize></TitleVersion><TitleVersion><TitleId>000000010000000C</TitleId><Versio

 
Line                 
n>6</Version><FsSize>1654784</FsSize></TitleVersion><TitleVersion><TitleId>00000

 
Line                 
0010000000D</TitleId><Version>10</Version><FsSize>1654784</FsSize></TitleVersion

 
Line                 
><TitleVersion><TitleId>0000000100000100</TitleId><Version>2</Version><FsSize>65

 
Line                 
536</FsSize></TitleVersion><TitleVersion><TitleId>0000000100000101</TitleId><Ver

 
Line                 
sion>4</Version><FsSize>229376</FsSize></TitleVersion><UploadAuditData>1</Upload

 
Line                 
AuditData></GetSystemUpdateResp

Extra bytes (Padding):

  ....J...         
00 00 00 00 4A F8 DE C7

FCS - Frame Check Sequence

  FCS (Calculated):     0xB61CB005

Fist part of Firmware Update yields the following:

(XML/SOAP requests/results sent by system)



      * SOAP SERVER ADDRESS:

http://nus.shop.wii.com:80/nus/services/NetUpdateSOAP

      

      * SOAPaction:

urn:nus.wsapi.broadon.com/GetSystemUpdate

      

      * MESSAGE:

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"

xmlns:xsd="http://www.w3.org/2001/XMLSchema"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<soapenv:Body>

<GetSystemUpdateRequest xmlns="urn:nus.wsapi.broadon.com">

<Version>1.0</Version>

<MessageId>13198105123219138</MessageId>

<DeviceId>4362227772</DeviceId>

<RegionId>USA</RegionId>

<CountryCode>US</CountryCode>

<TitleVersion>

<TitleId>0000000100000001</TitleId>

<Version>2</Version>

</TitleVersion>

<TitleVersion>

<TitleId>0000000100000002</TitleId>

<Version>33</Version>

</TitleVersion>

<TitleVersion>

<TitleId>0000000100000009</TitleId>

<Version>516</Version>

</TitleVersion>

<Attribute>1</Attribute>

<AuditData></AuditData>

</GetSystemUpdateRequest>

</soapenv:Body>

</soapenv:Envelope>

      

      * REPONSE:

<?xml version="1.0" encoding="utf-8"?>

<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"

xmlns:xsd="http://www.w3.org/2001/XMLSchema"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<soapenv:Body>

<GetSystemUpdateResponse xmlns="urn:nus.wsapi.broadon.com">

<Version>1.0</Version>

<DeviceId>4362227772</DeviceId>

<MessageId>13198105123219138</MessageId>

<TimeStamp>1163966359696</TimeStamp>

<ErrorCode>0</ErrorCode>

<ContentPrefixURL>http://nus.cdn.shop.wii.com/ccs/download</ContentPrefixURL>

<UncachedContentPrefixURL>http://ccs.shop.wii.com/ccs/download</UncachedContentPrefixURL>

<TitleVersion><TitleId>0000000100000002</TitleId>

<Version>97</Version>

<FsSize>21839872</FsSize>

</TitleVersion><TitleVersion>

<TitleId>000000010000000B</TitleId>

<Version>10</Version>

<FsSize>1654784</FsSize>

</TitleVersion>

<TitleVersion>

<TitleId>000000010000000C</TitleId>

<Version>6</Version>

<FsSize>1654784</FsSize>

</TitleVersion>

<TitleVersion>

<TitleId>000000010000000D</TitleId>

<Version>10</Version>

<FsSize>1654784</FsSize>

</TitleVersion>

<TitleVersion>

<TitleId>0000000100000100</TitleId>

<Version>2</Version>

<FsSize>65536</FsSize>

</TitleVersion>

<TitleVersion>

<TitleId>0000000100000101</TitleId>

<Version>4</Version>

<FsSize>229376</FsSize>

</TitleVersion>

<UploadAuditData>1</UploadAuditData>

</GetSystemUpdateResponse>

</soapenv:Body>

</soapenv:Envelope>

      

      * UNFILTERED:

1.043622277721319810512321913811641804558190http://nus.cdn.shop.wii.com/ccs/downloadhttp://ccs.shop.wii.com/ccs/download00000001000000029721839872000000010000000B101654784000000010000000C61654784000000010000000D1016547840000000100000100265536000000010000010142293760

      

      * FIXED:

Version:         1.0

DeviceID:        4362227772

MessageID:       13198105123219138

TimeStamp:

1163966359696

ErrorCode:       0

DownloadURL:    
http://nus.cdn.shop.wii.com/ccs/download    (Cached)

DownloadURL:    
http://ccs.shop.wii.com/ccs/download   
    (Uncached)

      

0000000100000002/tmd.97        Filesize:
21839872

000000010000000B/tmd.10        Filesize:
1654784

000000010000000C/tmd.6        Filesize:
1654784

000000010000000D/tmd.10        Filesize:
1654784

0000000100000100/tmd.2        Filesize:
65536

0000000100000101/tmd.4        Filesize:
2293760

Sniffed WiFi data on bootup of console (Actually happens frequently, WiiConnect24):

WiConnect24 User Agent String:
WiiConnect24/1.0FC4plus1 (build 061114161108)

/cgi-bin/check.cgi

http://rcw.wc24.wii.com/cgi-bin/check.cgi?mlchkid=0eb3197b5b3b7a6d5be699f4a1f96b30&chlng=c6d1f7d1383628459a7e1046f36c8708
Returns:

cd=100
msg=Success.
res=41a92b071d662feea6281bbbf658b751febeb94d
mail.flag=000000000000000000000000000000000
interval=10

http://rcw.wc24.wii.com/cgi-bin/check.cgi
returns:

cd=320
msg=Receive data is incorrect format.

http://rcw.wc24.wii.com/cgi-bin/check.cgi?mlchkid=0eb3197b5b3b7a6d5be699f4a1f96b31&chlng=c6d1f7d1383628459a7e1046f36c8708
Underlined value was changed, DarkFader noted "mlchkid" is Member Login Check ID...seems to fit in this situation.
returns:

cd=321
msg=User Not Found.

Virtual Console Stuff.

Adding Wiipoints goes over SSL connection.
Downloading has some HTTPS connections too...

POSSIBLY INCORRECT: Download goes like this, you select the game, click "Download", the Wii connects to proper servers, 
checks your Wii points, then it sends you to the download location. A "TMD" file gets downloaded,
followed by the rest of the data. Then the Wii combines
the TMD with the rest of the data to create a proper Channel (content.bin).


Wii Shop Main:
http://oss.shop.wii.com/oss/common/vc/W_01.jsp?language=en&region=USA&country=US

Wii Shop Pages:
http://209.67.106.203/oss/common/vc/B_04.jsp?p=1&platform=SFC%2FSNES&license=PERMANENT <-- Show SNES games

http://209.67.106.203/oss/common/vc/B_05.jsp?titleId=000100014A414345 <- F-Zero
http://209.67.106.203/oss/common/vc/B_05.jsp?titleId=000100014D414845 <- Sonic, notice only 2 character change in ID
http://209.67.106.203/oss/common/vc/B_05.jsp?titleId=0001000146414145 <- Donkey Kong NES

Got a bunch of Virtual Console games together from some channel members. Lots of interesting stuff in there,
files seem encrypted and tied to specific console. Comparing files shows huge differences, but also nice chunks
of bytes that are equal. More later.

Game Identifiers:
1st Byte = System
2nd Byte = ? 
3rd Byte = ?
4th Byte = Language

NAAE = Super Mario 64
	      219,584 00000000
	    1,683,616 00000001
	    4,559,888 00000002
	    2,669,056 00000003
	    2,156,800 00000004
	    9,527,456 00000005
	      263,424 00000006
	        2,528 tmd
	    21,082,352 bytes

JACE = F-Zero (SNES)
	   230,912 00000000
	 1,553,632 00000001
	 4,559,888 00000002
	 2,669,056 00000003
	 2,156,800 00000004
	 1,423,616 00000005
	   263,424 00000006
	   230,912 00000007
	 1,553,664 00000008
	 1,421,824 00000009
	     2,528 tmd
	 16,066,256 bytes

JAFE = SimCity (SNES)
	  247,808 00000000
 	1,554,688 00000001
 	4,559,888 00000002
 	2,669,056 00000003
 	2,156,800 00000004
 	2,135,536 00000005
 	  263,424 00000006
 	  247,808 00000007
 	1,554,720 00000008
 	    2,528 tmd
 	15,392,256 bytes

FAAE = DonkeyKong (NES)
	  210,752 00000000
	1,372,576 00000001
	4,559,888 00000002
	2,669,056 00000003
	2,156,800 00000004
	  605,200 00000005
	  263,424 00000006
	    2,528 tmd
	11,840,224 bytes
	
FAKE = Zelda (NES)
FAME = Wario's Woods (NES)
FAOE = Solomon's Key (NES)
FAIE = Soccer (NES)
FACE = Pinball (NES)
FAFE = Mario Brothers (NES)

MAHE = Sonic (Genesis)
MAAE = Alterted Beast (Genesis)

A "Guide" to browsing the Web via the Shop channel:

    If you want a (semi) easy way to browse the web via the Shop channel, download this file and place it's contents into the root of webserver's htdocs (you need a PHP-enabled web server). Set your DNS server to point "oss.shop.wii.com" to your HTTP server (create wii.com zone, then "oss.shop" subdomain). If you don't know how to set up an HTTP/DNS server, search online. Once the Wii asks for the shop channel, the page is loaded and you are proxied to Google.com (URL can be changed, modify top.location). Thanks to Google you can pretty much go to any site you want. It's not the EASISET way ( you need a PHP-enabled web server, and you need to have a DNS server), but if anyone wants to they can try it out.
    Thanks to a fellow Wii enthusiast for sending me this little gem.
    (I take no responsibility for the contents of WiiBrowse.zip, I'm just passing it along, I didn't create it.)

Created - 11/19/06 - 11:30am
Updated - 11/24/06