BlueBomb Wii: Difference between revisions

From GameBrew
No edit summary
Line 1: Line 1:
{{Infobox Wii Homebrews
{{Infobox Wii Homebrews
|title=BlueBomb
|title=BlueBomb
|image=bluebombwii.jpg
|image=bluebombwii2.png
|description=Exploit that uses Bluetooth.
|description=Exploit that uses Bluetooth.
|author=Fullmetal5
|author=Fullmetal5
Line 12: Line 12:
|source=https://github.com/Fullmetal5/bluebomb
|source=https://github.com/Fullmetal5/bluebomb
}}
}}
BlueBomb is a known exploit that targets Broadcom's Bluetooth stack, which is utilized in the Nintendo Wii gaming console. This exploit allows for unauthorized access to the Wii's system and can potentially be used for malicious purposes such as running unauthorized software or modifying system settings.
BlueBomb is a known exploit that targets Broadcom's Bluetooth stack, which is utilized in the Nintendo Wii gaming console. It takes advantage of the Wii's Bluetooth and injects unsigned code into the system via Bluetooth.


The exploit takes advantage of a vulnerability in the Wii's Bluetooth stack and can be executed by sending a specially crafted packet to the affected device.
You will need a Linux computer to do this. A detailed guide is available on [https://wiibrew.org/wiki/Bluebomb WiiBrew].


Due to the nature of the exploit, it is important for users to keep their Wii's firmware and software up-to-date to ensure protection against potential attacks utilizing BlueBomb.
==How it works==
Bluebomb exploits a bug in the Bluetooth system that sets a lower bound to the Bluetooth channels that can be used, but no upper bound. On the computer, BlueBomb connects to the Wii, then uploads the stage 0 code in the attribute response, and it uploads some data in the format of a Bluetooth channel configuration in the service response. The channel configuration is normally part of a doubly linked list, but in this fake configuration the next pointer points to the beginning of the stage 0 code, while the previous pointer points near the function that handles packets being received. The computer then takes the out-of-bounds channel id of the fake configuration that was uploaded, and tells the Wii that that id is invalid, which makes the Wii "remove" it from the linked list it thinks it is in. This means changing the previous pointer of what appears to be next to be the next on the fake configuration, and the next pointer of what appears to be the previous to be the next of the fake configuration. Changing the "next" pointer of the previous changes part of the code in the packet receiving function to instead jump to the stage 0 code. Meanwhile, the previous of the next changes a byte in the stage 0 code that is intentionally jumped over to avoid corruption in that code.


==User guide==
Once the stage 0 code launches, it starts by making sure the packet handler function returns normally after the first part of stage 0 is finished. It then jumps over the byte that gets replaced by the exploit because of the changing of the linked list, and copies itself to an unused portion of memory where other Bluetooth connections won't interfere. After this, it changes the value changed earlier to instead point to a location in the copy of stage 0. The computer now uploads the stage 1 code in chunks, which gets stored in some more unused memory, and when the downloading finishes, it launches stage 1. This is done because the attribute response is limited in space, and there is not enough space for stage 1 to happen in 1000 bytes.
'''Note:''' You will need a Linux computer to do this. Download the pre-built binaries from the releases page and follow these instructions (a detailed guide is available on [https://wiibrew.org/wiki/Bluebomb WiiBrew]).


*Disable your bluetooth service by running <code>sudo systemctl disable --now bluetooth</code>.
Finally, stage 1 opens the USB and reads the file system for a boot.elf or boot.dol file, usually the HackMii Installer, which is loaded into memory and run.
*Run bluebomb with the arguments to the app-specific payload and the stage1 you would like to run. Ex. <code>sudo ./bluebomb ./stage0/MINI_SM_NTSC.bin stage1.bin</code> for a NTSC Wii Mini's System Menu. You can also specify which hci device to use with bluebomb by adding before the <code>stage0</code> and <code>stage1</code> arguments. Ex. <code>sudo ./bluebomb 1 ./stage0/MINI_SM_NTSC.bin stage1.bin</code> to use HCI1.
*Start your Wii and navigate to the app that you are exploiting, for the System Menu you only need to turn on the Wii, you can leave it sitting on the Health and Safety screen.
*Turn OFF your Wiimote at this point. Do not let anything else connect to the console via bluetooth.
*Make sure you console is close to your bluetooth adapter, you may have to move it closer to get it in range, this will depend on your adapter.
*Click the SYNC button on your console. You may have to click it several times in a row before it sees the computer. You will know it is connected when bluebomb prints &quot;Got connection handle: #&quot; Stop pushing the SYNC button and wait for bluebomb to run, what happens will depend on what <code>stage1.bin</code> you are using. The one from this repo will load <code>boot.elf</code> off the root of a FAT32 formatted USB drive and run it. You can use the HackMii Installer's boot.elf from [https://bootmii.org/download/ here] to get the Homebrew Channel.
 
'''Important''': The steps above will have disabled the bluetooth service on your machine to run the exploit. To enable the bluetooth service again run <code>sudo systemctl enable --now bluetooth</code>.


==Media==
==Media==
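Review bot: the removed User guide step "You can also specify which hci device to use with bluebomb by adding before the stage0 and stage1 arguments" lacked its object (the HCI index that the example sudo ./bluebomb 1 ./stage0/MINI_SM_NTSC.bin stage1.bin supplies), and dropping the whole guide in favour of the WiiBrew link also drops the Important note that the procedure leaves the host's bluetooth service disabled and that sudo systemctl enable --now bluetooth restores it; suggest keeping that one-line caveat next to "You will need a Linux computer to do this" so readers who follow the external guide still know to re-enable the service afterwards.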
Line 36: Line 29:
== Known issues ==
== Known issues ==
https://github.com/Fullmetal5/bluebomb/issues
https://github.com/Fullmetal5/bluebomb/issues
You can open an issue on this repo, or join the [https://discord.gg/MYm9kB7 Wii Mini Hacking Discord].


==Changelog==
==Changelog==

Revision as of 02:52, 26 March 2023

BlueBomb
Image: Bluebombwii2.png
Author: Fullmetal5
Type: Exploits
Version: 1.5
License: GPL-3.0
Last Updated: 2020/02/29
Source: https://github.com/Fullmetal5/bluebomb

BlueBomb is a known exploit targeting Broadcom's Bluetooth stack as used in the Nintendo Wii gaming console. It abuses the Wii's Bluetooth stack to inject unsigned code into the system over Bluetooth.

You will need a Linux computer to do this. A detailed guide is available on WiiBrew (https://wiibrew.org/wiki/Bluebomb).

How it works

BlueBomb exploits a bug in the Bluetooth stack's handling of channel ids: the stack enforces a lower bound on the channel ids that can be used, but no upper bound. On the computer, BlueBomb connects to the Wii, uploads the stage 0 code in the attribute response, and uploads data laid out like a Bluetooth channel configuration in the service response. A channel configuration is normally a node in a doubly linked list; in this fake configuration the next pointer points to the start of the stage 0 code, while the previous pointer points near the function that handles received packets. The computer then takes the out-of-bounds channel id of the uploaded fake configuration and tells the Wii that this id is invalid, which makes the Wii "remove" the entry from the linked list it believes the entry belongs to. Removal means writing the fake configuration's previous pointer into the previous field of its apparent next node, and the fake configuration's next pointer into the next field of its apparent previous node. The write into the "previous" node's next field lands in the packet-receiving function's code and turns it into a jump to stage 0, while the write into the "next" node's previous field changes a byte inside the stage 0 code, which stage 0 deliberately jumps over so that the code is not corrupted.

Once the stage 0 code launches, it first makes sure that the packet handler function returns normally after the first part of stage 0 has finished. It then jumps over the byte that the linked-list manipulation overwrote, and copies itself to an unused region of memory where other Bluetooth connections will not interfere with it. After that, it changes the value patched earlier to point at a location in the copy of stage 0. The computer now uploads the stage 1 code in chunks, which are stored in further unused memory, and when the download finishes stage 0 launches stage 1. This two-stage design is needed because the attribute response is limited in size: stage 1 does not fit in the 1000 bytes available there.

Finally, stage 1 opens the USB drive and searches its file system for a boot.elf or boot.dol file, usually the HackMii Installer, which it loads into memory and runs.
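The list-removal step in the first paragraph of this section is the classic unlink-as-write primitive. The C program below is an example added for this page (it is not BlueBomb's code, and nothing in it is a real Wii address, structure layout or channel id) that models the mechanism with a toy channel table: a lookup that enforces only a lower bound, a forged entry planted past the table, the two writes an unchecked removal performs, and the two defender-side fixes, range-checking the channel id and verifying that both neighbours point back at a node before unlinking it. CID_MIN, CID_MAX, the slot numbers and struct chan are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model constructed for this example. Slots 0..7 are the real channel
 * table (ids CID_MIN..CID_MAX-1); the slots after it stand in for whatever
 * follows the table in memory: STAGE0_SLOT plays the uploaded stage 0 code,
 * HANDLER_SLOT a word inside the packet handler. No value here is the Wii's. */
#define CID_MIN      0x40
#define CID_MAX      0x48
#define MEM_SLOTS    16
#define STAGE0_SLOT  9
#define HANDLER_SLOT 12

struct chan {
    struct chan *next;
    struct chan *prev;
    uint16_t cid;
};

/* Link slots 0..7 into a circular list; everything else starts zeroed. */
static void init_mem(struct chan *mem) {
    int n = CID_MAX - CID_MIN;
    for (int i = 0; i < MEM_SLOTS; i++) {
        mem[i].cid = (uint16_t)(i < n ? CID_MIN + i : 0);
        mem[i].next = i < n ? &mem[(i + 1) % n] : NULL;
        mem[i].prev = i < n ? &mem[(i + n - 1) % n] : NULL;
    }
}

/* The bug the page describes: a lower bound on the channel id but no upper
 * bound, so a large id indexes memory past the real table. */
static struct chan *lookup_lower_bound_only(struct chan *mem, uint16_t cid) {
    if (cid < CID_MIN) return NULL;
    return &mem[cid - CID_MIN];
}

/* Fixed lookup: ids outside [CID_MIN, CID_MAX) are rejected. */
static struct chan *lookup_bounded(struct chan *mem, uint16_t cid) {
    if (cid < CID_MIN || cid >= CID_MAX) return NULL;
    return &mem[cid - CID_MIN];
}

/* Plain removal: two writes through pointers taken from the node itself. */
static void unlink_naive(struct chan *c) {
    c->next->prev = c->prev;
    c->prev->next = c->next;
}

/* Hardened removal: refuse unless both neighbours point back at c. */
static int unlink_checked(struct chan *c) {
    if (c->next->prev != c || c->prev->next != c) return -1;
    c->next->prev = c->prev;
    c->prev->next = c->next;
    return 0;
}

/* Plant the forged configuration in the out-of-range slot, shaped as the
 * page describes: next -> stage 0, prev -> inside the packet handler. */
static struct chan *plant_forged(struct chan *mem) {
    uint16_t oob_cid = CID_MAX + 2;                /* maps to slot 10 */
    struct chan *f = lookup_lower_bound_only(mem, oob_cid);
    f->cid = oob_cid;
    f->next = &mem[STAGE0_SLOT];
    f->prev = &mem[HANDLER_SLOT];
    return f;
}

/* 1 when the buggy lookup returns a slot past the table for an id that the
 * bounded lookup rejects. */
int demo_lookup_bounds(void) {
    struct chan mem[MEM_SLOTS];
    init_mem(mem);
    return lookup_lower_bound_only(mem, CID_MAX + 2) == &mem[10]
        && lookup_bounded(mem, CID_MAX + 2) == NULL;
}

/* 1 when "removing" the forged node made the handler slot point at stage 0
 * (the redirected jump) and overwrote one word inside stage 0 (the word the
 * page says stage 0 deliberately skips). */
int demo_naive_unlink(void) {
    struct chan mem[MEM_SLOTS];
    init_mem(mem);
    unlink_naive(plant_forged(mem));
    return mem[HANDLER_SLOT].next == &mem[STAGE0_SLOT]
        && mem[STAGE0_SLOT].prev == &mem[HANDLER_SLOT];
}

/* 1 when the checked unlink still removes a legitimate channel but refuses
 * the forged one, leaving the stage 0 and handler slots untouched. */
int demo_checked_unlink(void) {
    struct chan mem[MEM_SLOTS];
    init_mem(mem);
    int legit_ok = unlink_checked(lookup_bounded(mem, CID_MIN + 3)) == 0
        && mem[2].next == &mem[4] && mem[4].prev == &mem[2];
    int refused = unlink_checked(plant_forged(mem)) == -1
        && mem[HANDLER_SLOT].next == NULL && mem[STAGE0_SLOT].prev == NULL;
    return legit_ok && refused;
}
```

Either fix on its own closes the path the page describes: the bounded lookup never hands back an entry outside the table, and the neighbour check refuses to unlink any node whose pointers were not written by the list code itself, which is exactly what a forged configuration fails.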

Media

How to Homebrew the Wii Mini! (BlueBomb Tutorial) (Michael MJD)

Known issues

https://github.com/Fullmetal5/bluebomb/issues

Changelog

v1.5

  • Remove BlueZ dependency and refactor.

v1.0

  • Initial Release.
