Hacking SNEEK v2

tueidj

Surely you're kidding? Not only does the ehci module block one of the ports for regular use, but it's also very incompatible with certain IOSes.
Then again, it's cioscrap so I wouldn't be surprised.
 

wasabisun

i had installed multicios in my real nand (ios 37 as ios 248). so now i have tried to load my backup dvd with softchip, using ios 248 with sneek , and i can load it.
 

fogbank

wilsoff said:
But... as is, these dumps are almost useless! You'll need to add in HBC and more IOSs to make this usable.

Perhaps people can play with this method and see what we can trim out and what we need to add in to make HBC run. I tried adding HBC and IOS61, but it returned straight to the Wii menu. (My SD card reader just died, so can't continue to test. Perhaps IOS36 would do the trick?)

I got HBC working right side up and with no scam warning/middle finger on an "artificially" constructed NAND.

Starting with the minimum posted before (EULA, Region Select, IOS17,30,31, Boot2, SM etc...) I did an official update to 4.2U. Then I copied the JODI title/tik files from an extracted BootMii dump with a valid HBC install and hex edited the uid.sys to add the JODI entry.

I realize that this is no big discovery, but it could be useful for people trying to get a clean "virgin" NAND with HBC installed for SNEEK.
 

wilsoff

fogbank said:
I got HBC working right side up and with no scam warning/middle finger on an "artificially" constructed NAND.

Starting with the minimum posted before (EULA, Region Select, IOS17,30,31, Boot2, SM etc...) I did an official update to 4.2U. Then I copied the JODI title/tik files from an extracted BootMii dump with a valid HBC install and hex edited the uid.sys to add the JODI entry.

I realize that this is no big discovery, but it could be useful for people trying to get a clean "virgin" NAND with HBC installed for SNEEK.
You don't actually need EULA, Region Select, IOS17,30,31, Boot2. You just need:
  • Systemmenu
  • Systemmenu IOS
  • setting.txt (region must match systemmenu or you get an opera error like the old semi-brick)
People will need an IOS for HBC to run too (try 35, 36, 61). (it depends on which suitable IOS HBC found when you installed it to the real NAND)

You can avoid getting the hex editor out for this by creating a HBC wad. Install that with showmiiwads and it will edit uid.sys for you. That would give you the scam screen / bird though. Then you just need to copy over JODI title/tik replacing the ones that are there.

Pretty much the same method, but possibly slightly easier than hexing.

Note: the title/tik must have been extracted from the Wii you're putting them back on. (or you must have the device.cert from the wii that JODI came from)
 

wilsoff

Does the Wii check if the serial number in setting.txt is valid? If not then it might be possible to create a SNEEK NAND from scratch without taking anything from an existing Wii. The only thing we need that doesn't come from NUS is a setting.txt.

I can't get the encoding part working from here:
http://forum.wiibrew.org/read.php?11,39123,48809#msg-48809

If it can be made to work then you would be able to generate a file like this and create a setting.txt from it. Ideally the program would just have a series of drop down boxes to select the following and generate an encrypted setting.txt from that.

Code:
AREA=USA
MODEL=RVL-001(USA)
DVD=0
MPCH=0x7FFE
CODE=LU
SERNO=37xxxxxxx
VIDEO=NTSC
GAME=US
 

giantpune

I don't see how the serial number would keep SNEEK from starting, but to use certain things it may be required. We still don't know exactly how the HBC scam is triggered, and it might be tied to this. Also the shop channel might not work right.

The encrypting and decrypting are easy though. It's just one function to do both. It is in libogc in the conf files and in comex's NAND formatter, called lolcrypt. Just feed the function a 0x100 buffer and that's it.

Code:
#include <gctypes.h>   /* libogc typedefs for u8 / u32 */

void lolcrypt(u8 *stuff)
{
    u32 key = 0x73b5dbfa;
    /* XOR each byte with the low byte of the key, then rotate the key
       left by one bit; running it twice restores the original bytes */
    while(*stuff) {
        *stuff ^= (key & 0xff);
        stuff++;
        key = ((key << 1) | (key >> 31));
    }
}
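Added example, not from the thread or from libogc: it builds the plaintext setting.txt wilsoff sketched above and runs it through the XOR/rotate cipher giantpune posted, over the whole 0x100-byte buffer as libogc does, then decrypts it back. The CRLF line endings and the SERNO value are assumptions, and a second function mirrors the posted while(*stuff) loop to show where it stops.

```python
SETTING_KEY = 0x73B5DBFA   # key from the lolcrypt routine posted above
BUF_SIZE = 0x100           # setting.txt is a fixed 0x100-byte buffer


def lolcrypt(buf: bytes) -> bytes:
    """XOR every byte with the low byte of a 32-bit key that is rotated left
    one bit per byte. The same call encrypts and decrypts."""
    key = SETTING_KEY
    out = bytearray(len(buf))
    for i, b in enumerate(buf):
        out[i] = b ^ (key & 0xFF)
        key = ((key << 1) | (key >> 31)) & 0xFFFFFFFF   # 32-bit rotate left
    return bytes(out)


def lolcrypt_until_nul(buf: bytes) -> bytes:
    """Mirrors the posted while(*stuff) loop: it stops at the first 0x00 byte,
    so NUL padding is left in the clear on encrypt, and a decrypt truncates
    if the ciphertext happens to contain a zero byte."""
    end = buf.find(b"\x00")
    end = len(buf) if end < 0 else end
    return lolcrypt(buf[:end]) + buf[end:]


def build_setting_txt(fields) -> bytes:
    """KEY=VALUE lines (CRLF assumed) padded with NUL bytes to 0x100."""
    text = "".join(f"{k}={v}\r\n" for k, v in fields).encode("ascii")
    if len(text) > BUF_SIZE:
        raise ValueError("setting.txt content exceeds 0x100 bytes")
    return text.ljust(BUF_SIZE, b"\x00")


def parse_setting_txt(buf: bytes) -> dict:
    """Turn a decrypted buffer back into a dict of fields."""
    text = buf.rstrip(b"\x00").decode("ascii")
    return dict(line.split("=", 1) for line in text.splitlines() if line)


# Constructed fields in the layout wilsoff listed; SERNO is a placeholder.
EXAMPLE_FIELDS = [
    ("AREA", "USA"), ("MODEL", "RVL-001(USA)"), ("DVD", "0"),
    ("MPCH", "0x7FFE"), ("CODE", "LU"), ("SERNO", "370000000"),
    ("VIDEO", "NTSC"), ("GAME", "US"),
]


def encrypted_example() -> bytes:
    """The 0x100-byte encrypted setting.txt for EXAMPLE_FIELDS."""
    return lolcrypt(build_setting_txt(EXAMPLE_FIELDS))
```

Because the key rotation has period 32, the padding after the last line is encrypted too, so a real file is never NUL-padded on disk.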
 

wilsoff

This was just some investigation, feel free to ignore

QUOTE(giantpune @ Feb 7 2010, 03:19 AM)
we still dont know exactly how the HBC scam is triggered

Thanks! The scam screen is triggered by consoleID.

1. get a nand dump working in sneek with HBC installed and working with no scam screen
2. get device.cert from your system
3. put it in sd:sys
4. verify that HBC still works without warning
5. edit one digit in the consoleID in device.cert (at offset 0xC6)
6. verify that HBC now goes to scam warning

So that proves it breaks it, but does it fix it too?!... Yes...

1. get a nand dump working in sneek with HBC installed and working with no scam screen
2. get device.cert from your system
3. put it in sd:sys
4. copy the HBC title/tik files from a nand dump made from a DIFFERENT Wii to the SD card (overwriting the existing ones)
5. verify that HBC now goes to scam warning
6. edit device.cert on your SD card to have the consoleID from the DIFFERENT Wii (no other change required)
7. verify that HBC works without warning

Note: easiest place to get consoleID for most people will be nand.bin (offset 0x21000019) or keys.bin (offset 0x19)

Here's a way to install HBC natively on the SNEEK NAND:
1. Delete HBC completely from your Sneek Nand (or never have it installed)
2. Install this wad to your sneek nand (using showmiiwads): HBC Installer - HBCI.wad
3. It will load, in this order: usb:/boot.elf, usb:/apps/hackmii_installer_v0.6/boot.elf, sd:/boot.elf, sd:/apps/hackmii_installer_v0.6/boot.elf so put the hackmii installer in one of those locations.
4. Now HBC should install to your Sneek nand through the normal installer.
Note: The icon and banner are sh!t, but the intention is that you'd then delete the channel once it's done its job.
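Added example, not wilsoff's code: a consistency check for the consoleID that the steps above show drives the warning screen, reading it from device.cert at 0xC6 and from keys.bin at 0x19 and reporting whether they agree. The cert layout (an "NG" name field at 0xC4), the keys.bin text header and the sample buffers are constructed assumptions, not real dumps.

```python
import re

DEVICE_CERT_ID_OFFSET = 0xC6     # first hex digit of the "NGxxxxxxxx" name
KEYS_BIN_ID_OFFSET = 0x19        # offset given in the thread for keys.bin
NAND_BIN_ID_OFFSET = 0x21000019  # same field inside a full nand.bin dump


def console_id_from_device_cert(cert: bytes) -> str:
    """Eight ASCII hex digits following the 'NG' prefix of the cert name."""
    digits = cert[DEVICE_CERT_ID_OFFSET:DEVICE_CERT_ID_OFFSET + 8]
    if not re.fullmatch(rb"[0-9a-fA-F]{8}", digits):
        raise ValueError("device.cert: no 8-digit consoleID at 0xC6")
    return digits.decode().lower()


def console_id_from_keys_bin(keys: bytes, base: int = KEYS_BIN_ID_OFFSET) -> str:
    """Assumption: the field is ASCII hex, optionally prefixed with '0x'."""
    m = re.match(rb"(?:0x)?([0-9a-fA-F]{8})", keys[base:base + 10])
    if not m:
        raise ValueError("keys.bin: no consoleID at offset 0x%x" % base)
    return m.group(1).decode().lower()


def hbc_ticket_consistent(cert: bytes, keys: bytes) -> bool:
    """True when device.cert carries the consoleID this console's keys name."""
    return console_id_from_device_cert(cert) == console_id_from_keys_bin(keys)


def make_cert(console_id: str) -> bytes:
    """Constructed device.cert-shaped buffer: name field 'NG<id>' at 0xC4."""
    cert = bytearray(0x180)
    cert[0xC4:0xC4 + 10] = b"NG" + console_id.encode()
    return bytes(cert)


def make_keys(console_id: str) -> bytes:
    """Constructed keys.bin-shaped header that puts the ID at offset 0x19."""
    header = b"BackupMii v1\nConsole ID: " + console_id.encode() + b"\n"
    return header.ljust(0x400, b"\x00")
```

For a nand.bin dump, pass NAND_BIN_ID_OFFSET as base to console_id_from_keys_bin.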
 

daxtsu

You got the Hackmii installer to run in SNEEK, Wilsoff? For me it just turns the Wiimote off after loading IOS 34(I have 34, 31, 36, and 61 installed, too.. :/) and hangs, as if it's missing an IOS or something. USBGecko output doesn't have any useful info either, or not from what I can tell..
 

kamikace

wilsoff said:
Does the Wii check if the serial number in setting.txt is valid? If not then it might be possible to create a SNEEK NAND from scratch without taking anything from an existing Wii. The only thing we need that doesn't come from NUS is a setting.txt.

I can't get the encoding part working from here:
http://forum.wiibrew.org/read.php?11,39123,48809#msg-48809

If it can be made to work then you would be able to generate a file like this and create a setting.txt from it. Ideally the program would just have a series of drop down boxes to select the following and generate an encrypted setting.txt from that.

Code:
AREA=USA
MODEL=RVL-001(USA)
DVD=0
MPCH=0x7FFE
CODE=LU
SERNO=37xxxxxxx
VIDEO=NTSC
GAME=US
here you have an encrypter/decrypter (reupload) http://www.mediafire.com/?jwntzliwjih
 

tHciNc

I got a wad of HBC that, when installed to a clean NAND, doesn't give the scam screen. I changed the title to JODI, to version 1.01 though. IOS 36 I put on the NAND, and the wad of HBC.
 

wilsoff

daxtsu said:
You got the Hackmii installer to run in SNEEK, Wilsoff? For me it just turns the Wiimote off after loading IOS 34(I have 34, 31, 36, and 61 installed, too.. :/) and hangs, as if it's missing an IOS or something. USBGecko output doesn't have any useful info either, or not from what I can tell..
I think you need IOS35 for the channel I posted above.

It ran fine on mine - clean NUSD install of 3.2E. You can't have HBC already on there though, otherwise you get a (-1060000106) error because it can't create the ticket. And you will have to put the hackmii installer boot.elf on USB, unless you've got the modded boot2.bin that reads from SD.

Systemmenu v290 (3.2E)
IOS30
IOS35 (you should always have this installed with SNEEK as it uses this if any IOS
 

daxtsu

ShowMiiWads says your channel uses IOS 61, just to let you know.

I'll try installing IOS 35 real quick, but I won't get my hopes up. Still seems to freeze.. I'm running on a clean 3.2U nand, with a blank setting.txt for USA (taken from dolphin), and no device.cert if it matters.
 

User423

@wilsoff

Is cert.sys needed? And could I generate a new (clean) setting.txt?

/edit

So I need:
QUOTE said:
Boot2_v4
EULA_v2 (requires IOS 17)
Region Select_v1 (requires IOS 31)
Systemmenu_v289/290 (3.2U/3.2E)
IOS17_v518
IOS30_v1040
IOS31_v1040
+setting.txt and cert.sys to make it work?
 

SanGor

again you don't need the cert.sys as mentioned 100 times now.
you need a valid serial in the setting.txt otherwise the system menu won't boot at all, it won't even reach the rescue menu!!!

and again you need at least:

1. system menu
2. system menu's IOS, if it is
 

SifJar

SanGor said:
again you don't need the cert.sys as mentioned 100 times now.
you need a valid serial in the setting.txt otherwise the system menu won't boot at all, it won't even reach the rescue menu!!!

and again you need at least:

1. system menu
2. system menu's IOS, if it is
 

Patryc

wilsoff said:
giantpune said:
we still dont know exactly how the HBC scam is triggered
Thanks! The scam screen is triggered by consoleID.

1. get a nand dump working in sneek with HBC installed and working with no scam screen
2. get device.cert from your system
3. put it in sd:\sys
4. verify that HBC still works without warning
5. edit one digit in the consoleID in device.cert (at offset 0xC6)
6. verify that HBC now goes to scam warning

So that proves it breaks it, but does it fix it too?!... Yes...

1. get a nand dump working in sneek with HBC installed and working with no scam screen
2. get device.cert from your system
3. put it in sd:\sys
4. copy the HBC title/tik files from a nand dump made from a DIFFERENT Wii to the SD card (overwriting the existing ones)
5. verify that HBC now goes to scam warning
6. edit device.cert on your SD card to have the consoleID from the DIFFERENT Wii (no other change required)
7. verify that HBC works without warning

Note: easiest place to get consoleID for most people will be nand.bin (offset 0x21000019) or keys.bin (offset 0x19)

Here's a way to install HBC natively on the SNEEK NAND:
1. Delete HBC completely from your Sneek Nand (or never have it installed)
2. Install this wad to your sneek nand (using showmiiwads): HBC Installer - HBCI.wad
3. It will load, in this order: usb:/boot.elf, usb:/apps/hackmii_installer_v0.6/boot.elf, sd:/boot.elf, sd:/apps/hackmii_installer_v0.6/boot.elf
4. Now HBC should install to your Sneek nand through the normal installer.
Note: The icon and banner are sh!t, but the intention is that you'd then delete the channel once it's done its job.


I tried your hbc installer... which IOS should I use to install it and what do I have to do to make it vulnerable?
 

DjoeN

Ok, got SNEEK working

Is it correct that it doesn't show the SD? (stays gray) and when starting HBC it doesn't show anything (just HBC with an empty blue screen)
(Don't ask how HBC's working without the scam stuff, it works)

Also when you don't do anything for a while in the Wii GUI you get an error, telling something's wrong with the system
 
