Hacking On the ability to play backups without drive chip

nitrotux

OP
I've been thinking about the DVD drive softmod lately, and the fact marcan has admitted they can read DVD-R's without a drive chip, and the fact that bushing has posted a nice note for Nintendo on his blog.

As I've explained before there's basically 2 ways for getting a working DVD softmod:
1) Disable Starlet from blocking the FF and FE commands
2) Find a way to exploit the DVD drive with the allowed commands

Now the fact that bushing wants to talk to Nintendo is something special.
If they found a way to disable the Starlet debug command filter (this would be done through an IOS hack or similar), then they would not be knocking on Nintendo's door to fix this.
The reason is that we would simply call this disable method ourselves from the Starlet (IOS) side, because it's already possible to fully control IOS (see patchmii, IOS5 and Waninkoko's custom IOS), and Nintendo cannot patch this (unless they patch homebrew unsigned code altogether, which I doubt is bushing's goal).

Then, there's only one other reason left:
There's a bug in the DVD firmware, and they want Nintendo to fix it for future retail Wii's.

There's one thing which bothers me, and that's the fact that Nintendo seems to be checking the caller UID on the video enable command for any possible security breach (and they are not doing this for any other command):
"(%s) (diIoctl) Video enable returning security error - callerUid = %u; inLen = %u\n"



In any case, the DVD is not the only method for playing backups.

I am doing a thorough and complete reverse engineering of the DI module in IOS31, and the ultimate idea is to silently relay all requests which are being sent from PPC to "/dev/di", internally in Starlet to the SD card. It will "emulate" the DVD drive (status responses etc), but the data will be coming from the SD card.
 

teq

nitrotux said:
There's one thing which bothers me, and that's the fact that Nintendo seems to be checking the caller UID on the video enable command for any possible security breach (and they are not doing this for any other command):
"(%s) (diIoctl) Video enable returning security error - callerUid = %u; inLen = %u\n"

I'm just guessing here, but it could be a failsafe for CSS encryption.
 

zidane_genome

FREAKIN BURN!!! lol

anyway... so what, has Starlet been dumped yet, or are we still waiting for this Custom IOS to be released to dump Starlet?
 

blinktoday

nitrotux said:
I am doing a thorough and complete reverse engineering of the DI module in IOS31, and the ultimate idea is to silently relay all requests which are being sent from PPC to "/dev/di", internally in Starlet to the SD card. It will "emulate" the DVD drive (status responses etc), but the data will be coming from the SD card.

That's awesome news man.


nitrotux said (Jul 25 2008, 04:12 AM):
As I've explained before there's basically 2 ways for getting a working DVD softmod:
1) Disable Starlet from blocking the FF and FE commands
2) Find a way to exploit the DVD drive with the allowed commands

Wouldn't the first method be easier because svpe confirmed that with the new firmware from team twiizers we have complete access to the starlet?
 

teq

I believe in the other thread, I addressed the fact that we've always been able to access Starlet, but the real concern is how much of it we can access.

Starlet is essentially a stand-alone device that can run an entire operating system -- it's a SoC or System on a Chip. Being able to program it will put us leaps ahead of anything we've been able to do with the Wii, but that all depends on how much security it has.
 

Christen

I suppose it's basically impossible to hack the SD port drivers to allow SDHC cards, correct?

Because, as cool as this idea is, it'll be extremely limited with non-SDHC cards maxing out at 2 GB, unless we can employ other mass storage devices with this idea.
 

blinktoday

Christen said:
I suppose it's basically impossible to hack the SD port drivers to allow SDHC cards, correct?

Because, as cool as this idea is, it'll be extremely limited with non-SDHC cards maxing out at 2 GB, unless we can employ other mass storage devices with this idea.

We should at least be able to play Gamecube games, right?
 

Jacobeian

nitrotux said:
In any case, the DVD is not the only method for playing backups.

I am doing a thorough and complete reverse engineering of the DI module in IOS31, and the ultimate idea is to silently relay all requests which are being sent from PPC to "/dev/di", internally in Starlet to the SD card. It will "emulate" the DVD drive (status responses etc), but the data will be coming from the SD card.

You should talk with emukiddid.
His work with sd-boot on Gamecube (which is indeed THE Gamecube ISO loader) was very similar, even if there was no IOS and DI access is done differently; you could share some of the possible issues he already encountered.

Good luck with IOS reverse-engineering; the more people that are doing this, the better we can get.
 

nitrotux

OP
I've looked into the video enable command some more.

It seems the PPC is not allowed to call this (the callerUID won't match with what IOS wants).

There is only one module which is allowed to call this, and that's the ES (the security) module.

The ES opens up the device "/dev/di", and sends an ioctl request with command 0x8E.
The DI module hears this, and simply calls a syscall, which does this:

Code:
/* Starlet-side syscall invoked by DI for ioctl 0x8E.
 * Clears or sets bit 0x200000 of the Hollywood register at 0x0D800180. */
#define HW_REG_0D800180 (*(volatile unsigned int *)0x0D800180)

void syscall(int a)
{
    if (a == 0)
        HW_REG_0D800180 &= ~0x200000;   /* a == 0: clear the bit */
    else
        HW_REG_0D800180 |= 0x200000;    /* otherwise: set the bit */
}

This register is also involved in setting DI into legacy mode (using bitmask 0x40).

So what's so special about clearing or setting bitmask 0x200000? Maybe it disables the Starlet filter?
I'm pretty sure this register will be fun to play with.

And to confirm once more, this was said on #wiidev recently by bushing:
Quote:
daltonlaf: the wii has hardware protection that prevents you from reading anything that's not a Wii disc. We found a way around that

SOFTMOD HERE WE COME!
 
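To make the caller-UID gate on the video enable command concrete, here is an added model (not Nintendo's or IOS's code, and not from this thread) of the diIoctl path as the posts above describe it: only command 0x8E is checked, a non-ES caller gets the quoted security error, and an allowed caller reaches the syscall that toggles bit 0x200000. The ES UID value, the error code, and the use of inbuf[0] as the enable flag are assumptions, and the hardware register is simulated in a variable.

```c
#include <stdint.h>
#include <stdio.h>

#define DI_IOCTL_VIDEO_ENABLE 0x8E
#define ES_CALLER_UID   0x1000u   /* placeholder: the real ES UID is not on the page */
#define DI_ERR_SECURITY (-1)      /* placeholder error code for the security error */
#define DI_OK           0
#define VIDEO_BIT       0x200000u /* bit toggled by the DI syscall, from the thread */

/* Simulated stand-in for the Hollywood register at 0x0D800180. */
static uint32_t reg_0d800180 = 0;

/* The syscall DI calls: clear the bit for 0, set it for anything else. */
static void di_video_syscall(int a)
{
    if (a == 0)
        reg_0d800180 &= ~VIDEO_BIT;
    else
        reg_0d800180 |= VIDEO_BIT;
}

uint32_t di_register_value(void)
{
    return reg_0d800180;
}

/* Model of diIoctl: the caller-UID check exists only for command 0x8E.
 * Other commands are not modelled here and simply succeed. */
int di_ioctl(unsigned int caller_uid, int cmd, const uint32_t *inbuf, unsigned int inlen)
{
    if (cmd != DI_IOCTL_VIDEO_ENABLE)
        return DI_OK;

    /* Reject any caller that is not ES, or a request too short to carry the flag. */
    if (caller_uid != ES_CALLER_UID || inbuf == NULL || inlen < sizeof(uint32_t)) {
        printf("(%s) (diIoctl) Video enable returning security error - "
               "callerUid = %u; inLen = %u\n", "DI", caller_uid, inlen);
        return DI_ERR_SECURITY;   /* register is left untouched */
    }

    di_video_syscall((int)inbuf[0]);   /* assumption: inbuf[0] is the enable flag */
    return DI_OK;
}
```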

kikekakik

Nice work nitrotux!!! That's what I was saying, but I couldn't find the way to call that function. There is an ES call to set the UID (ES_SetUID) to whatever you want; I think it should be system menu or super user.

I've been trying to use

IOS_Ioctl(di_fd, 0x8E, inbuf, 0x20, outbuf, 0x20);

but don't know what inbuf and outbuf should be.

I think it could be called from PPC, because it was implemented on early SDKs.

I have almost finished a disc launcher if you want. Let me know if I can help you with something.
 
