Twilight Hack Wii

From GameBrew
Twilight Hack
(Image: Twilighthackwii2.jpg)
General
Author: Team Twiizers
Type: Exploits
Version: 0.1 beta2
License: GPL-2.0
Last Updated: 2009/09/23
Links: Download, Website, Source

The Twilight Hack is the name given to the exploit found by Team Twiizers of Wiibrew.org that uses a hacked game save of The Legend of Zelda: Twilight Princess to enable homebrew on a Wii. It was the first method discovered to boot homebrew software on the Wii without hardware modification of the console.

Twilight Hack 0.1beta1 is compatible with System Menu up to 3.3, and 0.1beta2 is compatible with System Menu 3.4. However, it is not and will never be compatible with System Menu 4.0 and above, unless a specific Priiloader hack is enabled. Therefore, it is recommended to use another exploit instead.

The source code for the Twilight Hack was written to be readable, portable and reusable, and most of the code was reused for Indiana Pwns. The shared code is now referred to as the Savezelda loader and it is encouraged to use it to create your own savegame exploits, provided you follow the licensing terms of the codebase.

User guide

Required materials:

  • SD card (<= 2GB, not SDHC) formatted as FAT16 or FAT32. (the Wii System Menu, which is used to copy the save, only reads SD cards, not SDHC).
  • SD card reader.
  • A copy of The Legend of Zelda: Twilight Princess that has been played at least once.
  • Some homebrew to load (e.g. the Homebrew Channel installer).

Inside the zip file you will find versions of the hack for all three regions. You may copy all of them to your SD card, but you will need to choose the correct one to copy to your Wii based on your version of Zelda: Twilight Princess. USA users, additionally, need to determine the correct save slot to load once inside Twilight Princess. The easiest way to check your version is to compare the text string which is on the inner circle of the data surface with the ones below.

Region                  Inner circle text    File                               Save slot
Europe/Australia (EUR)  RVL-RZDP-0A-0 JPN    /private/wii/title/rzdp/data.bin   Twilight Hack
Japan (JPN)             RVL-RZDJ-0A-0 JPN    /private/wii/title/rzdj/data.bin   Twilight Hack
America (USA)           RVL-RZDE-0A-0 JPN    /private/wii/title/rzde/data.bin   TwilightHack0
America (USA)           RVL-RZDE-0A-0 USA    /private/wii/title/rzde/data.bin   TwilightHack0
America (USA)           RVL-RZDE-0A-2 USA    /private/wii/title/rzde/data.bin   TwilightHack2

Step by Step

Ensure your SD card is formatted as FAT. By default SD cards are formatted as FAT, so if you're not sure you can skip this step.

  • (Optional) If you have an existing Zelda save that you want to backup, do so before proceeding:
    • Put your SD card in your Wii and turn it on.
    • Go into Wii Options > Data Management > Save Data > Wii.
    • Find your Zelda save, click on it, click "Copy", and click Yes.
    • Put your SD card in your computer, and copy the "private" folder from the card to a safe place.
  • Copy the "private" directory from the Twilight Hack download to the root of your SD card.
  • Take your homebrew Wii executable (elf or dol file) and save it in the root directory of your SD card as "boot.elf" or "boot.dol" as appropriate.
  • Put your SD card in your Wii and turn it on.
  • Go into Wii Options > Data Management > Save Data > Wii.
  • Find your Zelda save, click on it, click "Erase", and click Yes.
  • Open the SD card and select the "Twilight Hack" save that corresponds to your game region.
    • Note: Some people have had problems with the Wii not "seeing" the save file on the SD card. If this happens to you, try setting the archive bit on the data.bin file. In Windows this can be done either from the file's properties dialog (right-click it in Windows Explorer and check the box) or from the command line with "attrib +a <path to data.bin>". More info at #wiihelp on EFnet.
  • Click copy and then yes. Now exit out of the menu.
  • If you are using System Menu 3.4, you must immediately put the Twilight Hack to use. Turning off or running some other channel or game will have the System Menu delete the savegame again, and you'll have to start over.
  • Insert The Legend of Zelda: Twilight Princess game disc and run the game.
    • If you have the USA version of the game, load the "TwilightHack0" or "TwilightHack2" version of the game as appropriate (see above).
    • Otherwise, load the only "Twilight Hack" save game.
  • Once in the game, either walk backwards or talk to the man standing in front of you.
  • Follow the instructions listed on the screen.

Explanation

The Twilight Hack exploits a buffer overflow triggered by loading a specially crafted save file for The Legend of Zelda: Twilight Princess. The save contains a custom name for Epona, Link's horse, that is far longer than the game normally allows, together with a small program. The game copies the name out of the save into a fixed-size buffer without checking its length, so the oversized name spills past the horse-name buffer into the adjacent memory, including the location that holds the address the game will jump to next. That address is replaced with one pointing at the embedded program, which the console then executes. The program loads and runs "boot.dol" (or, if that is absent, "boot.elf") from the root of the SD card. If the HackMii Installer's boot.elf (together with the bootmini.elf it loads) is on the root of the SD card, it can be used to install BootMii as IOS, BootMii as boot2 (on consoles where that is possible), or the Homebrew Channel.
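To make the memory-corruption mechanics concrete, here is an added C example (mine, not Team Twiizers' or the game's code). It models a fixed-size horse-name buffer followed by the address the game returns to, fills it from a constructed save name using an unchecked copy, and then shows the bounds-checked loader that would have refused the same save. The 16-byte buffer, the frame layout, the addresses 0x80004000 and 0x81337801 and the sample names are all assumptions for illustration; the real game's stack layout differs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Team Twiizers' code. It models the bug class the Twilight
 * Hack abuses: a fixed-size horse-name buffer filled from an untrusted save
 * file with no length check, sitting right before the address the game will
 * jump to next. Sizes, offsets and addresses below are assumptions. */

#define NAME_MAX   16          /* assumed size of the Epona name buffer */
#define RET_OFFSET NAME_MAX    /* assumed: the saved return address follows it */
#define FRAME_SIZE 64          /* one flat array stands in for the stack frame */
#define LEGIT_RET  0x80004000u /* assumed: where the game returns normally */

/* Constructed sample, not the hack's real payload: 16 bytes fill the name
 * buffer exactly, the next 4 land on the return slot. In the real hack the
 * bytes after the buffer point at the loader program carried in the save. */
static const char hostile_name[] = "EponaEponaEpona!" "\x81\x33\x78\x01";
static const char normal_name[]  = "Epona";

/* Broadway (PowerPC) is big-endian, so the slot is read and written that way. */
static uint32_t frame_return_addr(const unsigned char *frame)
{
    return ((uint32_t)frame[RET_OFFSET]     << 24) |
           ((uint32_t)frame[RET_OFFSET + 1] << 16) |
           ((uint32_t)frame[RET_OFFSET + 2] <<  8) |
            (uint32_t)frame[RET_OFFSET + 3];
}

static void frame_init(unsigned char *frame)
{
    memset(frame, 0, FRAME_SIZE);
    frame[RET_OFFSET]     = (unsigned char)(LEGIT_RET >> 24);
    frame[RET_OFFSET + 1] = (unsigned char)(LEGIT_RET >> 16);
    frame[RET_OFFSET + 2] = (unsigned char)(LEGIT_RET >>  8);
    frame[RET_OFFSET + 3] = (unsigned char)(LEGIT_RET);
}

/* Vulnerable loader: copies the name strcpy-style, trusting the save file.
 * The only guard is the frame boundary, added so this demo stays within
 * defined memory; the game itself has no guard at all. */
static void load_name_unsafe(unsigned char *frame, const char *save_name)
{
    size_t n = strlen(save_name) + 1;          /* terminator included */
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;
    memcpy(frame, save_name, n);
}

/* Hardened loader: refuses any name that does not fit with its terminator.
 * Refusing beats silent truncation, since an over-long name is itself a sign
 * the save was tampered with. Returns 0 on success, -1 if refused. */
static int load_name_safe(unsigned char *frame, const char *save_name)
{
    size_t len = 0;
    while (len < NAME_MAX && save_name[len] != '\0')   /* bounded strlen */
        len++;
    if (len >= NAME_MAX)
        return -1;
    memcpy(frame, save_name, len + 1);
    return 0;
}

/* Loads a name with the unchecked copy and reports where the game would
 * now return to. */
uint32_t return_addr_after_unsafe_load(const char *save_name)
{
    unsigned char frame[FRAME_SIZE];
    frame_init(frame);
    load_name_unsafe(frame, save_name);
    return frame_return_addr(frame);
}

/* Status of the checked loader for a given name: 0 accepted, -1 refused. */
int safe_load_status(const char *save_name)
{
    unsigned char frame[FRAME_SIZE];
    frame_init(frame);
    return load_name_safe(frame, save_name);
}

/* Return address left in the frame after the checked loader ran. */
uint32_t return_addr_after_safe_load(const char *save_name)
{
    unsigned char frame[FRAME_SIZE];
    frame_init(frame);
    (void)load_name_safe(frame, save_name);
    return frame_return_addr(frame);
}

int main(void)
{
    printf("unsafe, normal name:  return to 0x%08x\n",
           (unsigned)return_addr_after_unsafe_load(normal_name));
    printf("unsafe, hostile name: return to 0x%08x\n",
           (unsigned)return_addr_after_unsafe_load(hostile_name));
    printf("safe,   hostile name: rc=%d, return to 0x%08x\n",
           safe_load_status(hostile_name),
           (unsigned)return_addr_after_safe_load(hostile_name));
    return 0;
}
```

The unchecked copy leaves the frame returning to 0x81337801, the value the save file chose; the checked loader refuses the same name and the return slot keeps its original value.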

System Menu 3.3 added a check that deletes Twilight Hack save files and refuses to copy them onto the NAND. The check, however, inspected only the first zeldaTp.dat in the save archive, so a clean zeldaTp.dat could go first and the hacked one later in the archive, where it survived. System Menu 3.4 had a similar flaw: it inspects only the last file in the archive, and only if that file is a zeldaTp.dat, so the Twilight Hack simply appends a file named FAILURE (containing the text FAILURE) as the last entry. In both cases the check looked at a single entry where it needed to look at every one.
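The two bypasses come down to the same mistake, a validator that inspects one entry of an archive instead of all of them. The following added C example (mine, not System Menu or Team Twiizers code) models the 3.3 check, the 3.4 check and the complete check side by side over two constructed archive layouts. The entry lists, the "hacked" criterion (a zeldaTp.dat whose Epona name exceeds a 16-byte buffer) and the assumption that the game ends up using the later zeldaTp.dat are illustrative, not the real data.bin contents.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not System Menu or Team Twiizers code. A save archive is a
 * list of file entries; "hacked" is an assumption (a zeldaTp.dat whose Epona
 * name exceeds the buffer) standing in for whatever the real check looked for. */

#define NAME_MAX 16
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

struct entry {
    const char *filename;
    size_t      horse_name_len;  /* 0 for files that carry no save record */
};

static int is_hacked(const struct entry *e)
{
    return strcmp(e->filename, "zeldaTp.dat") == 0 && e->horse_name_len >= NAME_MAX;
}

/* System Menu 3.3 behaviour: inspect only the first zeldaTp.dat.
 * Every check returns 1 to accept the save, 0 to reject it. */
int check_menu_33(const struct entry *a, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(a[i].filename, "zeldaTp.dat") == 0)
            return !is_hacked(&a[i]);
    return 1;
}

/* System Menu 3.4 behaviour: inspect only the last file, and only if it is
 * a zeldaTp.dat. */
int check_menu_34(const struct entry *a, size_t n)
{
    return n == 0 ? 1 : !is_hacked(&a[n - 1]);
}

/* Complete check: every entry, whatever its position or name. */
int check_every_entry(const struct entry *a, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (is_hacked(&a[i]))
            return 0;
    return 1;
}

/* Constructed layouts illustrating each bypass. The game is assumed to end
 * up using the later zeldaTp.dat, which is what makes the decoy-first trick
 * work against the 3.3 check. */
static const struct entry beta1_layout[] = {
    { "banner.bin",  0 },
    { "zeldaTp.dat", 5 },    /* clean decoy: the only instance 3.3 reads */
    { "zeldaTp.dat", 200 },  /* hacked copy, placed later in the archive */
};
static const struct entry beta2_layout[] = {
    { "banner.bin",  0 },
    { "zeldaTp.dat", 5 },
    { "zeldaTp.dat", 200 },
    { "FAILURE",     0 },    /* last file is not a zeldaTp.dat, so 3.4 passes it */
};

int main(void)
{
    printf("beta1 layout: 3.3=%d 3.4=%d complete=%d\n",
           check_menu_33(beta1_layout, COUNT(beta1_layout)),
           check_menu_34(beta1_layout, COUNT(beta1_layout)),
           check_every_entry(beta1_layout, COUNT(beta1_layout)));
    printf("beta2 layout: 3.3=%d 3.4=%d complete=%d\n",
           check_menu_33(beta2_layout, COUNT(beta2_layout)),
           check_menu_34(beta2_layout, COUNT(beta2_layout)),
           check_every_entry(beta2_layout, COUNT(beta2_layout)));
    return 0;
}
```

The decoy-first layout passes the 3.3 check but not the 3.4 one, which is why beta2 had to add the trailing FAILURE entry; the layout with FAILURE last passes both single-entry checks, and only the check that walks every entry rejects both.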

Media

wiibrew.org Twilight Hack (bushing42)

Known issues

After you load the save, the Wii Remote pointer may move to the bottom of the screen and stay there. It is purely a cosmetic bug and does not affect operation. The Wiimote pointer will return to normal after a reboot.

Changelog

0.1beta2

  • Workaround for the System Menu 3.4 check. Only works once after being copied.

0.1beta1

  • The Twilight Hack is now compatible with version 3.3 of the Wii System Menu.
  • Improvements in video configuration. The entire console should now be visible in all video modes, and scrolling has been improved.
  • For the USA version, the two variants of the hack have been packed into one save file. Just select the save slot that corresponds to your version of Twilight Princess when you start the game.
  • New savegame icons by drmr. The new icons now show which region that version of the hack is for.
  • This version now tries to load boot.dol, and falls back to boot.elf if boot.dol is not found.
  • Many, many bug fixes.

0.1alpha3b

  • Experimental version with FAT32 support. Only try this if you receive an error message while loading boot.elf.

0.1alpha3a

  • Correctly loads geckoloader code from USBGecko flash.

0.1alpha3

  • Front SD slot is now supported; SDGecko slot support has been removed.
  • FAT16 is now supported; you should save your ELF executable on your SD card as "boot.elf".
  • RZDJ is now supported.
  • Added support for Geckoloader stub: If you have a USBGecko installed and have already run the Geckoloader program to install into flash, then the Twilight Hack will try to load that stub if it does not detect an SD card.
