I can install IOS in vWii! But...

Discussion in 'Wii U - Hacking & Homebrew' started by damysteryman, Dec 8, 2012.

Dec 8, 2012
    • Member

    damysteryman I am too busy IRL these days...

    Member Since:
    Oct 4, 2007
    Message Count:
    1,179
    Country:
    Antarctica
    UPDATE 2013-01-03: Patches updated to allow installation of hidden titles now. (was still broken with error -1017 with older patches)
    Thanks to FIX94 for bringing this issue to my attention, so I could fix it :)
    IOS236 Installer also updated with these patches.

    Well, I am sure that thread title caught your attention :P Well, maybe.

    With the release of HBC v1.1.1 (v1.1.2 now) (for those who do not know of this, links here, here and here), access to AHBPROT-related features is now available on the vWii of the Wii U.

    So anyways, I installed the new HBC this morning, but was unable to make a NAND dump due to BootMii being unable to be installed on the vWii. However, I managed to fully dump the entire unencrypted contents of my Wii U's vWii NAND using WiiPower+Nicksasa's old FS Toolbox app, which I had modified to add in support for AHBPROT runtime IOS patching so it would actually work in vWii. The main reason I wanted to dump the NAND contents was to have a look at the vWii IOS, especially due to them being hardcoded to throw error -1017 if trying to install a system title, and I wanted to try patch that out.

    FS Toolbox MOD dol+src here, use it at your own risk! Could brick vWii if you do not know what you are doing.

    So I managed to get what I wanted, and after a while messing around in IDA (despite me not really having much coding or reverse engineering knowledge), I managed to find out where this new IOS "feature" was, and managed to create a few patches that, when applied via either AHBPROT supporting app, or by hex editing the ES IOS module then rewriting it to NAND, will then allow that vWii IOS to be able to install system titles like IOS once more (and presumably system menu too, but I am too scared to try that right now, since I do not have any way to recover vWii if it does not like that).

    UPDATE 2012-12-11: (Patches updated, should work for all versions of vWii IOS now)
    So, here are the patches I made, 3 in total, must apply all 3 to ES module in IOS (well technically 5, pt1 and pt2 patches get applied twice each)

    Code:
    Kill_AntiSysTitleInstallv3_pt1 <- must patch 2 instances of this pattern!
    681A2A01D005
    681A2A0146C0
    Kill_AntiSysTitleInstallv3_pt2 <- must patch 2 instances of this pattern!
    D0023306429AD101
    46C03306429AE001
    Kill_AntiSysTitleInstallv3_pt3
    68FB2B00DB01
    68FB2B00DB10
    Modified iospatch.c for AHBPROT apps with these added patches here. <- link updated 2013-01-03, updated with v3 of my patch.

    Now that we can install IOS wads on vWii, what can we do?
    Well, here is where that big "But..." in the thread title comes in.
    Answer is, not much at all, at least not yet.

    You can install older IOS (and cIOS if you have signature patch enabled too), but you cannot do much with them. I have not tested any with games, so do not know what would happen there, but just testing them out in Multi-Mod Manager (WiiMod would blackscreen on me every time I tried loading it with AHBPROT support on vWii... do not know why), I noticed that both older Wii IOS, and cIOS, which are based on them, you can reload to them, and perform basic things (like navigate around the app for example), but nothing really too awesome.

    However, every time you try to initialize SD or USB with either old Wii IOS or cIOS, they would crash, freezing the Wii U, which is of course no real use at all. Also, for me, it seemed that initializing network abilities is not doable with these either. Trying did not freeze the Wii U like initializing SD or USB did, but just "failed to initialize network" error message in apps.

    So, long story short, these patches allow Wii U vWii IOS to install system titles once again, no more error -1017. Do so at your own risk though. You can reload to older IOS, but can not use many features without them crashing and freezing up the Wii U. For things like USB Loaders to work on Wii U vWii, I believe things like d2x cIOS would have to be updated to support using vWii IOS as bases for vWii cIOS.

    ...I think that sums it all up. Well, enjoy!

    UPDATE 2012-01-03:
    IOS236 installer updated with new v3 patches: here
    Last edited by damysteryman, Jan 3, 2013
    Maxternal, 3DSGuy, G0dLiKe and 3 others like this.
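A read-only check built on the three byte patterns listed in the post above, as an added example (not code from the post or from the linked iospatch.c): it counts each pattern in a dumped ES module image and reports whether the image is stock, fully patched, partially patched, or does not match the instance counts the post gives. The names `es_classify` and `es_build_sample` are hypothetical, and the sample image is constructed filler, not real IOS data.

```c
#include <stddef.h>
#include <string.h>

enum es_state { ES_STOCK, ES_PATCHED, ES_PARTIAL, ES_UNKNOWN };

/* Patterns as listed in the post: original bytes, patched bytes, required instance count. */
struct es_patch { unsigned char orig[8], mod[8]; size_t len; int expected; };
static const struct es_patch es_patches[3] = {
    {{0x68,0x1A,0x2A,0x01,0xD0,0x05}, {0x68,0x1A,0x2A,0x01,0x46,0xC0}, 6, 2},
    {{0xD0,0x02,0x33,0x06,0x42,0x9A,0xD1,0x01}, {0x46,0xC0,0x33,0x06,0x42,0x9A,0xE0,0x01}, 8, 2},
    {{0x68,0xFB,0x2B,0x00,0xDB,0x01}, {0x68,0xFB,0x2B,0x00,0xDB,0x10}, 6, 1},
};

/* Count every offset in buf where pat occurs. */
static int count_pattern(const unsigned char *buf, size_t n, const unsigned char *pat, size_t plen) {
    int hits = 0;
    for (size_t i = 0; i + plen <= n; i++)
        if (memcmp(buf + i, pat, plen) == 0) hits++;
    return hits;
}

/* Classify a dumped module image without modifying it. */
enum es_state es_classify(const unsigned char *buf, size_t n) {
    int stock = 0, patched = 0;
    for (int i = 0; i < 3; i++) {
        const struct es_patch *p = &es_patches[i];
        int o = count_pattern(buf, n, p->orig, p->len);
        int m = count_pattern(buf, n, p->mod, p->len);
        if (o + m != p->expected) return ES_UNKNOWN;  /* counts differ from the post */
        if (m == 0) stock++;
        else if (o == 0) patched++;
    }
    if (stock == 3) return ES_STOCK;
    if (patched == 3) return ES_PATCHED;
    return ES_PARTIAL;  /* some patterns patched, others not */
}

/* Constructed sample image: filler plus each pattern the expected number of
   times; bit i of mask selects the patched form of pattern i. Needs <= 64 bytes. */
size_t es_build_sample(unsigned char *out, unsigned mask) {
    size_t pos = 0;
    for (int i = 0; i < 3; i++)
        for (int k = 0; k < es_patches[i].expected; k++) {
            memset(out + pos, 0xFF, 4); pos += 4;
            memcpy(out + pos, ((mask >> i) & 1) ? es_patches[i].mod : es_patches[i].orig, es_patches[i].len);
            pos += es_patches[i].len;
        }
    return pos;
}
```

An `ES_UNKNOWN` or `ES_PARTIAL` result on a real dump means the image does not line up with the pattern counts given in the post, which is worth knowing before anything is written back to NAND.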


    • Newcomer

    vinhdt New Member

    Member Since:
    Jan 14, 2009
    Message Count:
    43
    Country:
    United States
    I too was able to install the HBC on the virtual Wii mode on the Wii U, but when I tried to use Dop-Mii, I couldn't find any IOS with trucha bug and I couldn't patch IOS36 with trucha bug.
    • Member

    Krestent What to post?

    Member Since:
    Mar 31, 2009
    Message Count:
    3,950
    Country:
    United States
    Is it possible that SD and USB on the vWii is accessed differently than on the original Wii, and the IOS's installed in the vWii make up for this? Can we make a cIOS using one of the vIOS as a base?
    Last edited by Krestent, Dec 8, 2012
    • Member

    damysteryman I am too busy IRL these days...

    @vinhdt:
    Yeah, it was not exactly a straight-forward process, I used the modified FS Toolbox to extract the IOS Module files, patch them with a hex editor, then use FS Toolbox again to rewrite the patched IOS Module files, along with a few extra files in order to prevent bricking (like content.map, and a few IOS tmds, since the patched IOS Module was a shared content one).

    @Krestent:
    I am assuming so anyway, based on the fact that Wii versions of those fail to work on vWii. Also, I tried packing vWii IOS36 v2864 to a wad, installed it on my regular Wii, and failed to load (Wii froze when loading up vWii IOS on it), so that also points in that direction. And yeah, as mentioned towards the end of my first post, I am pretty sure we could. Only one way to find out really. I managed to make a patched cIOS36 v3864 wad with this. It is mainly just a patched IOS36, similar to the likes of cIOS236, or older versions of cIOS249 (before the USB loader era). Of course it needs these patches already in effect to be installed, but it makes things more convenient once it is installed, especially for older apps that have not been updated with AHBPROT support.
    Last edited by damysteryman, Dec 8, 2012
    • Member

    Supercool330 New Member

    Member Since:
    Sep 28, 2008
    Message Count:
    594
    Country:
    United States
    Really cool, damysteryman. I was going to try and look at this this morning as I figured it would be fairly straightforward to create a patch to disable the IOS and SM check, but I guess you beat me to it. What happens if instead of trying to install a patched Wii IOS, you try to install a patched vWii IOS such as making an IOS 236 based on vWii 236 (00000007-00000024)? Clearly the normal IOS patches still worked on the vWii IOSs since you were able to apply them and install an IOS using AHBPROT. I suspect that the more complex custom modules needed for cIOS d2x will require further modification, but hopefully that won't take the d2x team too long (it might be a little harder without a USB gecko to debug with, we really need a way to emulate a USB Gecko over the WiFi). I'm not sure if the vWii IOSs on NUSD are signed using the WiiU common key or the vWii common key, I suspect the prior in which case the installer will need to patch a WAD (dumped from a vWii) instead of downloading the vWii IOS from NUSD (unless someone releases the Wii U common key in the next few days).
    • Member

    SickPuppy New Member

    Member Since:
    Jul 29, 2009
    Message Count:
    1,191
    Country:
    United States
    I have installed HBC on Wii mode, I can confirm that the Lego Indy exploit works. Has anybody tried to use the IOS236 installer to install a cIOS? Oh, there is a newer installer available, v1.2 installs HBC 1.1.2
    Last edited by SickPuppy, Dec 8, 2012
    • Member

    Supercool330 New Member

    The vWii IOSs have a hard coded block against installing any IOS or System Menu version. However, the way a lot of AHBPROT apps work is to patch the IOS running in memory, so it is possible to simply patch out this check, and that is what damysteryman has found (I'm still going to try to find a single patch version just for fun, I like reverse engineering assembly code). However, even if you install a patched Wii IOS, it doesn't actually work, my guess is that we need to install patched vWii IOSs. This is slightly more complicated as we can't download these from NUS (I checked, they are in fact encrypted with the Wii U keys), but I suspect that if you dumped IOS 58 (the one with USB2) from the vWii and used it to install a cIOS, it might work. I will try this later this afternoon if I have the time (and if it works and I have a lot of free time, I will throw together a cIOS installer that just does the whole dump -> patch -> install process for you).
    • Member

    Gericom New Member

    Member Since:
    Jun 30, 2011
    Message Count:
    322
    Country:
    Netherlands
    Isn't it possible to get the Wii U keys by comparing the nus downloaded one with the one from the decrypted vWii nand dump?
    • Member

    SickPuppy New Member

    So, homebrew can still be run from the use of vWii IOS58, I ran a sysCheck. sysCheck did not recognize IOS512 and IOS513.
    • Member

    Supercool330 New Member

    No, encryption does not work that way. If you are interested, read this for more info.
    You can run any homebrew that will work off of any of the IOS versions installed on the vWii (that aren't stubbed) that uses AHBPROT as long as it isn't trying to install a system title. IOS512 and IOS513 are encrypted using the Wii U key (according to Crediar, whom I trust), and nobody is really sure what they do. It is speculated that they are used in the transition from Wii U to vWii mode.
    • Newcomer

    Stalkid64X New Member

    Member Since:
    Dec 3, 2012
    Message Count:
    56
    Country:
    United Kingdom
    How safe is it to do just a basic NAND dump using FSToolbox on the vWii?
    Last edited by Stalkid64X, Dec 8, 2012
    • Member

    Deltaechoe The Dopefish

    Member Since:
    May 3, 2012
    Message Count:
    509
    Country:
    United States
    A dump should be safe, restore is where it gets sketchy
    • Member

    Supercool330 New Member

    Working on a version of blue dump to be used to dump wads. I will try to have it done by tonight.


    Edit: Just to be clear, vWii IOSs can't be downloaded from NUS, and shouldn't be uploaded online (as they are the property of Nintendo). To protect yourself from future updates, everybody should dump all the versions of IOS from their vWii as soon as possible. I can confirm from the wiimpersonator logs that none of the IOSs have been updated since the launch day update (the first version that had them). The only updates to the vWii since launch have been one update to the BC-NAND (whatever the hell that is), and two to the instruction manual channel.
    Last edited by Supercool330, Dec 8, 2012
    Cyan likes this.
    • Former Staff

    The Teej Also known as The Tjalian

    Member Since:
    Jun 27, 2004
    Message Count:
    4,209
    Location:
    England
    Country:
    United Kingdom
    While it might not work without Gamecube pads, would it at least be possible to launch Gamecube ISOs using the USB launcher method as a proof of concept? I think this would be pretty interesting if it was feasible, albeit how unlikely, to get Gamecube games working on this thing using a USB Loader.
    • Member

    Excelsiior New Member

    Member Since:
    Sep 13, 2009
    Message Count:
    235
    Country:
    Germany
    I modified a Wad-Manager with your stuff and it fails patching Anti-Install-Patch #4 and thus still returns -1017. Maybe #4 is region specific?
    • Member

    McHaggis Fackin' Troller

    Member Since:
    Oct 24, 2008
    Message Count:
    1,605
    Country:
    United Kingdom
    tueidj already has a video of Devolution launching a game on the vWii, I'm sure he's thinking of a way he can bring Devolution to the Wii U whilst keeping the AP working. I don't think DIOS MIOS would work, if old IOSes don't work. Speaking of which, it makes sense that they would crash if a lot of the hardware has changed.
    • Newcomer

    Rapper_skull New Member

    Member Since:
    Jul 10, 2010
    Message Count:
    34
    Country:
    Italy
    Last edited by Rapper_skull, Dec 9, 2012
    • Member

    damysteryman I am too busy IRL these days...

    OK!
    I have modified IOS236 Installer for use on Wii U vWii:
    IOS236 Installer MOD v6 Special vWii Edition
    App dol + source included.

    It uses these patches to install IOS236, and also applies them to IOS236 so that IOS236 can install system titles itself without AHBPROT.

    HOWEVER! It REQUIRES IOS36-64-v3864.wad on the root of your SD card, since it is not available to download from NUS. (Not by Wii or vWii anyway)
    You would have to dump it from your vWii, or find it elsewhere... I have it uploaded to my mediafire files, but I do not know how to actually share it, what with legality and forum rules and all. Maybe someone will hopefully find it then spread it all over the internet? :lol:

    Enjoy!

    @Supercool330:
    I have already dumped them from my vWii (packed with showmiiwads from nand fs dump), and uploaded them to mediafire, but no clue how I would go about sharing them though. But they are just sitting there for the meantime at least.

    @The Teej:
    I am not actually sure at this present time. I know there is another version of devolution in the works by tueidj, but it works in Wii mode, unlike say Dios Mios. And I have no clue what MIOS or Dios Mios would do when loaded on vWii. Also, no real way to test these at this time, since USB Loaders are pretty much useless on vWii for now.
    EDIT: ninja'd by McHaggis. :lol:

    @Excelsiior:
    That is strange... unless there is a typo somewhere or something similar... a similar thing happened to me when I was modifying the IOS236 installer, but I managed to find it. I wonder if looking at the included source for the modified IOS236 installer would help you find what could be causing it.

    @Rapper_skull:
    Yeah, same key for both Wii and vWii. But the vWii does not handle install of updates, it is Wii U Mode that does this, so vWii does not need it, and it is Wii U Mode that would have this new common key somewhere.
    Last edited by damysteryman, Dec 9, 2012
    McHaggis likes this.
    • Newcomer

    Rapper_skull New Member

    So vWii updates are handled by Wii U Mode?
    • Member

    damysteryman I am too busy IRL these days...

    That is correct.
