Hacking I can install IOS in vWii! But...

damysteryman

UPDATE 2013-01-03: Patches updated to allow installation of hidden titles now. (was still broken with error -1017 with older patches)
Thanks to FIX94 for bringing this issue to my attention, so I could fix it :)
IOS236 Installer also updated with these patches.

Well, I am sure that thread title caught your attention :P Well, maybe.

With the release of HBC v1.1.1 (v1.1.2 now) (for those who do not know of this, links here, here and here), access to AHBPROT-related features is now available on the vWii of the Wii U.

So anyways, I installed the new HBC this morning, but was unable to make a NAND dump due to BootMii being unable to be installed on the vWii. However, I managed to fully dump the entire unencrypted contents of my Wii U's vWii NAND using WiiPower+Nicksasa's old FS Toolbox app, which I had modified to add in support for AHBPROT runtime IOS patching so it would actually work in vWii. The main reason I wanted to dump the NAND contents was to have a look at the vWii IOS, especially due to them being hardcoded to throw error -1017 if trying to install a system title, and I wanted to try to patch that out.

FS Toolbox MOD dol+src here, use it at your own risk! Could brick vWii if you do not know what you are doing.

So I managed to get what I wanted, and after a while messing around in IDA (despite me not really having much coding or reverse engineering knowledge), I managed to find out where this new IOS "feature" was, and managed to create a few patches that, when applied via either AHBPROT supporting app, or by hex editing the ES IOS module then rewriting it to NAND, will then allow that vWii IOS to be able to install system titles like IOS once more (and presumably system menu too, but I am too scared to try that right now, since I do not have any way to recover vWii if it does not like that).

UPDATE 2012-12-11: (Patches updated, should work for all versions of vWii IOS now)
So, here are the patches I made, 3 in total, must apply all 3 to ES module in IOS (well technically 5, pt1 and pt2 patches get applied twice each)

Code:
Kill_AntiSysTitleInstallv3_pt1 <- must patch 2 instances of this pattern!
681A2A01D005
681A2A0146C0
Kill_AntiSysTitleInstallv3_pt2 <- must patch 2 instances of this pattern!
D0023306429AD101
46C03306429AE001
Kill_AntiSysTitleInstallv3_pt3
68FB2B00DB01
68FB2B00DB10

Modified iospatch.c for AHBPROT apps with these added patches here. <- link updated 2013-01-03, updated with v3 of my patch.

Now that we can install IOS wads on vWii, what can we do?
Well, here is where that big "But..." in the thread title comes in.
Answer is, not much at all, at least not yet.

You can install older IOS (and cIOS if you have signature patch enabled too), but you cannot do much with them. I have not tested any with games, so do not know what would happen there, but just testing them out in Multi-Mod Manager (WiiMod would blackscreen on me every time I tried loading it with AHBPROT support on vWii... do not know why), I noticed that both older Wii IOS, and cIOS, which are based on them, you can reload to them, and perform basic things (like navigate around the app for example), but nothing really too awesome.

However, every time you try to initialize SD or USB with either old Wii IOS or cIOS, they would crash, freezing the Wii U, which is of course no real use at all. Also, for me, it seemed that initializing network abilities is not doable with these either. Trying did not freeze the Wii U like initializing SD or USB did, but just "failed to initialize network" error message in apps.

So, long story short, these patches allow Wii U vWii IOS to install system titles once again, no more error -1017. Do so at your own risk though. You can reload to older IOS, but can not use many features without them crashing and freezing up the Wii U. For things like USB Loaders to work on Wii U vWii, I believe things like d2x cIOS would have to be updated to support using vWii IOS as bases for vWii cIOS.

...I think that sums it all up. Well, enjoy!

UPDATE 2012-01-03:
IOS236 installer updated with new v3 patches: here
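
The find/replace pairs in the first post, run offline against a dumped ES module with an instance-count check before any byte is changed. This is an added example, not code from the post or from iospatch.c; the function names are hypothetical, the sample module is constructed, and the expected count of 1 for pt3 is taken from the post's "5 in total".

```python
# Added example: verify instance counts, then patch a dumped ES module copy.
PATCHES = [
    # (name, find, replace, expected instances) - hex strings as given in the post
    ("Kill_AntiSysTitleInstallv3_pt1", "681A2A01D005", "681A2A0146C0", 2),
    ("Kill_AntiSysTitleInstallv3_pt2", "D0023306429AD101", "46C03306429AE001", 2),
    ("Kill_AntiSysTitleInstallv3_pt3", "68FB2B00DB01", "68FB2B00DB10", 1),
]

def find_all(data, pattern):
    """Return the offset of every occurrence of pattern in data."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits

def patch_module(data):
    """Return (patched_bytes, report); raise if any pattern count is unexpected."""
    out, report = bytearray(data), {}
    for name, find_hex, repl_hex, expected in PATCHES:
        find, repl = bytes.fromhex(find_hex), bytes.fromhex(repl_hex)
        hits = find_all(data, find)
        if not hits and len(find_all(data, repl)) == expected:
            report[name] = "already patched"   # safe to run twice
            continue
        if len(hits) != expected:
            # Wrong count means a different IOS build or a bad dump: change nothing.
            raise ValueError(f"{name}: found {len(hits)}, expected {expected}")
        for off in hits:
            out[off:off + len(repl)] = repl
        report[name] = hits
    return bytes(out), report

def make_sample():
    """Constructed stand-in for an ES module: zero filler plus the five sites."""
    pad, parts = bytes(16), [bytes(16)]
    for _, find_hex, _, count in PATCHES:
        parts += [bytes.fromhex(find_hex), pad] * count
    return b"".join(parts)

if __name__ == "__main__":
    patched, report = patch_module(make_sample())
    for name, result in report.items():
        print(name, result)
```

Because the function raises before returning anything, a module that does not match all three patterns the expected number of times is never partially patched.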
 

vinhdt

I too was able to install the HBC on the virtual Wii mode on the Wii U, but when I tried to use Dop-Mii, I couldn't find any IOS with the Trucha bug and I couldn't patch IOS36 with the Trucha bug.
 

Krestent

Is it possible that SD and USB on the vWii is accessed differently than on the original Wii, and the IOS's installed in the vWii make up for this? Can we make a cIOS using one of the vIOS as a base?
 

damysteryman

@vinhdt:
Yeah, it was not exactly a straightforward process, I used the modified FS Toolbox to extract the IOS Module files, patch them with a hex editor, then use FS Toolbox again to rewrite the patched IOS Module files, along with a few extra files in order to prevent bricking (like content.map, and a few IOS tmds, since the patched IOS Module was a shared content one).

@Krestent:
I am assuming so anyway, based on the fact that Wii versions of those fail to work on vWii. Also, I tried packing vWii IOS36 v2864 to a wad, installed it on my regular Wii, and failed to load (Wii froze when loading up vWii IOS on it), so that also points in that direction. And yeah, as mentioned towards the end of my first post, I am pretty sure we could. Only one way to find out really. I managed to make a patched cIOS36 v3864 wad with this. It is mainly just a patched IOS36, similar to the likes of cIOS236, or older versions of cIOS249 (before the USB loader era). Of course it needs these patches already in effect to be installed, but it makes things more convenient once it is installed, especially for older apps that have not been updated with AHBPROT support.
 

Supercool330

Really cool damysteryman, I was going to try and look at this this morning as I figured it would be fairly straightforward to create a patch to disable the IOS and SM check, but I guess you beat me to it. What happens if instead of trying to install a patched Wii IOS, you try to install a patched vWii IOS such as making an IOS 236 based on vWii 236 (00000007-00000024)? Clearly the normal IOS patches still worked on the vWii IOSs since you were able to apply them and install an IOS using AHBPROT. I suspect that the more complex custom modules needed for cIOS d2x will require further modification, but hopefully that won't take the d2x team too long (it might be a little harder without a USB gecko to debug with, we really need a way to emulate a USB Gecko over the WiFi). I'm not sure if the vWii IOSs on NUSD are signed using the WiiU common key or the vWii common key, I suspect the prior in which case the installer will need to patch a WAD (dumped from a vWii) instead of downloading the vWii IOS from NUSD (unless someone releases the Wii U common key in the next few days).
 

stomp_442

I have installed HBC on Wii mode, I can confirm that the Lego Indy exploit works. Has anybody tried to use the IOS236 installer to install a cIOS? Oh, there is a newer installer available, v1.2 installs HBC 1.1.2
 

Supercool330

Has anybody tried to use the IOS236 installer to install a cIOS?
The vWii IOSs have a hard coded block against installing any IOS or System Menu version. However, the way a lot of AHBPROT apps work is to patch the IOS running in memory, so it is possible to simply patch out this check, and that is what damysteryman has found (I'm still going to try to find a single patch version just for fun, I like reverse engineering assembly code). However, even if you install a patched Wii IOS, it doesn't actually work, my guess is that we need to install patched vWii IOSs. This is slightly more complicated as we can't download these from NUS (I checked, they are in fact encrypted with the Wii U keys), but I suspect that if you dumped IOS 58 (the one with USB2) from the vWii and used it to install a cIOS, it might work. I will try this later this afternoon if I have the time (and if it works and I have a lot of free time, I will throw together a cIOS installer that just does the whole dump -> patch -> install process for you).
 

Gericom

The vWii IOSs have a hard coded block against installing any IOS or System Menu version. However, the way a lot of AHBPROT apps work is to patch the IOS running in memory, so it is possible to simply patch out this check, and that is what damysteryman has found (I'm still going to try to find a single patch version just for fun, I like reverse engineering assembly code). However, even if you install a patched Wii IOS, it doesn't actually work, my guess is that we need to install patched vWii IOSs. This is slightly more complicated as we can't download these from NUS (I checked, they are in fact encrypted with the Wii U keys), but I suspect that if you dumped IOS 58 (the one with USB2) from the vWii and used it to install a cIOS, it might work. I will try this later this afternoon if I have the time (and if it works and I have a lot of free time, I will throw together a cIOS installer that just does the whole dump -> patch -> install process for you).
Isn't it possible to get the Wii U keys by comparing the nus downloaded one with the one from the decrypted vWii nand dump?
 

stomp_442

So, homebrew can still be run from the use of vWii IOS58, I ran a sysCheck. sysCheck did not recognize IOS512 and IOS513.
 

Supercool330

Isn't it possible to get the Wii U keys by comparing the nus downloaded one with the one from the decrypted vWii nand dump?
No, encryption does not work that way. If you are interested, read this for more info.
So, homebrew can still be run from the use of vWii IOS58, I ran a sysCheck. sysCheck did not recognize IOS512 and IOS513.
You can run any homebrew that will work off of any of the IOS versions installed on the vWii (that aren't stubbed) that uses AHBPROT as long as it isn't trying to install a system title. IOS512 and IOS513 are encrypted using the Wii U key (according to Crediar, whom I trust), and nobody is really sure what they do. It is speculated that they are used in the transition from Wii U to vWii mode.
 

Supercool330

Working on a version of blue dump to be used to dump wads. I will try to have it done by tonight.


Edit: Just to be clear vWii IOSs can't be downloaded from NUS, and shouldn't be uploaded online (as they are the property of Nintendo). To protect yourself from future updates, everybody should dump all the versions of IOS from their vWii as soon as possible. I can confirm from the wiimpersonator logs that none of the IOSs have been updated since the launch day update (the first version that had them). The only updates to the vWii since launch have been one update to the BC-NAND (whatever the hell that is), and two to the instruction manual channel.
 

The Teej

While it might not work without Gamecube pads, would it at least be possible to launch Gamecube ISOs using the USB launcher method as a proof of concept? I think this would be pretty interesting if it was feasible, albeit how unlikely, to get Gamecube games working on this thing using a USB Loader.
 

McHaggis

While it might not work without Gamecube pads, would it at least be possible to launch Gamecube ISOs using the USB launcher method as a proof of concept? I think this would be pretty interesting if it was feasible, albeit how unlikely, to get Gamecube games working on this thing using a USB Loader.
tueidj already has a video of Devolution launching a game on the vWii, I'm sure he's thinking of a way he can bring Devolution to the Wii U whilst keeping the AP working. I don't think DIOS MIOS would work, if old IOSes don't work. Speaking of which, it makes sense that they would crash if a lot of the hardware has changed.
 

damysteryman

OK!
I have modified IOS236 Installer for use on Wii U vWii:
IOS236 Installer MOD v6 Special vWii Edition
App dol + source included.

It uses these patches to install IOS236, and also applies them to IOS236 so that IOS236 can install system titles itself without AHBPROT.

HOWEVER! It REQUIRES IOS36-64-v3864.wad on the root of your SD card, since it is not available to download from NUS. (Not by Wii or vWii anyway)
You would have to dump it from your vWii, or find it elsewhere... I have it uploaded to my mediafire files, but I do not know how to actually share it, what with legality and forum rules and all. Maybe someone will hopefully find it then spread it all over the internet? :lol:

Enjoy!

@Supercool330:
I have already dumped them from my vWii (packed with showmiiwads from nand fs dump), and uploaded them to mediafire, but no clue how I would go about sharing them though. But they are just sitting there for the meantime at least.

@The Teej:
I am not actually sure at this present time. I know there is another version of devolution in the works by tueidj, but it works in Wii mode, unlike say Dios Mios. And I have no clue what MIOS or Dios Mios would do when loaded on vWii. Also, no real way to test these at this time, since USB Loaders are pretty much useless on vWii for now.
EDIT: ninja'd by McHaggis. :lol:

@Excelsiior:
That is strange... unless there is a typo somewhere or something similar... a similar thing happened to me when I was modifying the IOS236 installer, but I managed to find it. I wonder if looking at the included source for the modified IOS236 installer would help you find what could be causing it.

@Rapper_skull:
Yeah, same key for both Wii and vWii. But the vWii does not handle install of updates, it is Wii U Mode that does this, so vWii does not need it, and it is Wii U Mode that would have this new common key somewhere.
 