Hacking The Early History of Wii Modding

noobwarrior7

To celebrate the release of Waninkoko's cIOSx rev20, I thought I would post this. Please remember to thank Waninkoko as you download and try his newest cIOS.

:: Foreword::
This "article," if you will, is mainly for latecomers. It is meant to be a source of general, accurate, but most importantly, detailed information.

:: The Early History of Wii Modding::
Running any unlicensed code (called "homebrew") on a Nintendo Wii (in Wii mode, not Gamecube mode) really only became a possibility for the average Wii owner with the first release of the (now defunct/repeatedly thwarted) long-lived Twilight Hack, requiring the user to have only a copy of Zelda: Twilight Princess and a standard SD card with the required files. The exploit itself involved installing very little onto the Wii’s internal NAND flash memory; only a specially crafted save-file. Team Twiizers was responsible for the Twilight Hack itself, and although it served only to load other programs being created, they were also responsible for disseminating the knowledge required for many(/most) of the earliest homebrew programs.

The first such program to really gather a lot of general interest was a program used to “share” (read: pirate) private “dumps”, or copies, of Virtual Console and WiiWare titles, called Wad Installer (and then came Uninstaller, and then finally together as “Manager”). Wad Installer was created by a then-associate of Team Twiizers, Waninkoko. However, it was not endorsed by Twiizers, for it was created without their consent to use a Wii software bug (putting it lightly) they had shared with Waninkoko. This bug allowed content to exist and function via the Wii’s own software and hardware as if it had a proper signature. Using this bug, for example, Wad Installer could “fakesign” content upon installing onto the Wii’s internal NAND, and allow it to be run as if it was a program purchased for that system. This is what we still refer to today as, “the Trucha bug.” Also a common term, “wads” are simply native Wii Files for a specific app, such as a VC game, packed into a singular container.

Small problems began to crop up pretty quickly after that, much as Team Twiizers believed they might. Aside from the obvious rampant piracy drawing negative attention towards Wii homebrew, there were a lot of user-end “issues” that became apparent. With “wads” increasing in popularity, people grew a little bolder and began “injecting,” the practice of replacing the content of wads to get customized channels, or different VC games. Upon the release of the first true homebrew loader, The Homebrew Channel by Team Twiizers, it became apparent that even custom Visuals for channels (called “banners”) were achievable. Unfortunately, many users and even “quickware” creators didn’t want to take the time to learn the full ins and outs. To compound this problem, those in-the-know were strangely secretive about what they did know. The result was various processes and crapwares that resulted in the semi-infamous “banner bricks.” The term brick generally means to make a device unusable by accident, and if you install a wad to a Wii with any number of problems with the banner files (just known generally as a “Bad banner”), the result was(/is) a failure to properly boot. The whole process of average users tinkering with wads has still not been as finessed as you would think at this point in time, and is only considered now “moderately safe” because of other factors. Read up on Wadder if this is something that holds interest for you. Note that the methods of brick prevention now have changed (read: improved) greatly, so make sure to stay timely.

Taking a moment to back up, it is definitely important to highlight possibly the most-used piece of Wii homebrew (which is still the definitive homebrew loader), The Homebrew Channel, or HBC. As an end-user item, it has always been a fully-featured and enjoyable app to use in order to stretch the potential of your Wii. Steps have been taken with every release to test and ensure the safety of the installer, which does install the channel directly onto your NAND internal flash. What often goes unnoticed is how much this enabled other developers to test and interact with Wii homebrew. Combined with the first region-free game loader, GeckoOS, and at times a USB-Gecko device, this led to many creations. Even non-developers could take more risks and use more “dangerous” apps that modified the system files of the Wii, as long as they were using a program written to return directly to the HBC. This meant, for example, that one could eventually remove the system menu itself (very “unsafe”) but return to the HBC rather than power off (which would result in a brick upon restarting) and load Wad Manager to install a different System Menu. This is still an unsafe process, but at the time, people believed there were cases where it was needed. Regardless, this illustrates how both planned and unplanned exploration has taken place only because of the HBC.

At this point, all code run on the Wii was only running through advanced custom libraries manhandling built-in Wii Software, and not really what we’d call “natively” (It remains that way for a while, and we’ll get to it later). This is to say, all code was running off of IOS (This is the part about IOS, if you were looking for it). I have heard IOS named as, “Internal Operating System” and “Input-Output System,” both by reputable aficionados, but whether it is even officially written as something other than “IOS” anywhere is unclear. It makes sense that it might have no official name since even title developers do not interact with it directly. They are led to believe that it exists merely as an IO Bridge, and now I’m getting more technical than I can handle…
…IOS are the often-Critical System files of the Wii, akin to but different from “firmware”. So forget firmware, starting now.
Many of us got a first sneak peek at IOS when a special “hacked” IOS version 5 (not an official Nintendo IOS), or IOS5, was released in Wad form, and had to be installed in order to use an early Wii Disc Copier app. It was of minimal popularity, however, and people only really began to interact with IOS after Team Twiizers (once again) introduced PatchMii, a program (and a framework) that would install a customized IOS with a given set of “patches” to allow it a few more internal “privileges”. Essentially the same thing had been done to IOS5.

The PatchMii release confused many users, not really offering any clarity about the features of having a patched IOS. At this same time, there was another creation that rode in off the hype that had built to a kind of plateau temporarily with PatchMii. Another associate of Team Twiizers, Crediar, had made a system-menu patching application, called, “Starfall.” Perhaps one of the furthest-branching creations, Starfall laid the groundwork and inspiration for the likes of StartPatch, PriiLoader, and SNEEK, which you can find loads of information on. Patching not the IOS, but the Menu app on NAND itself, Starfall could enable permanent Region-Free gaming from the system menu, instead of through a loader like GeckoOS. It also offered the first semi-reliable brick protection (in combination with the Twilight Hack). The region-free options actually made some older, popular software virtually outdated, such as AnyRegion Changer by the talented Tona, which now (temporarily) only toted changing the Wii Shop Region as its only true benefit (until it was fixed on Nintendo’s server-end).

Soon after, a wave of newcomers to the Wii scene arrived to take advantage of Team Twiizers’ newest revelation (yes, again). It was soon made known that PatchMii, combined with a special “hidden channel” installer released by Twiizers called “DVDX” (and later DISC/DISK) would allow a Wii System to not only play DVD Video in an appropriate video player app, but would also allow homebrew apps to reference/use files burnt to a DVD-R/+R (not RW). This was huge for those who wanted to use the Wii as a DVD player, or who wanted to play emulated games via “roms” burnt to disc instead of the SD card. However, a lot of noise rose up from those pirates no longer content to play their pirated VC and WiiWare. They had hopes that this would lead to a software-only method for playing pirated Discs. Team Twiizers were harassed incessantly despite making several clear statements that they did not endorse piracy of Wii Software. They themselves actually made mention (sarcastically) that someone the likes of Waninkoko did not respect creative rights and would be the one to go beg to, although they maintained he was incapable of such. They were wrong.

Waninkoko proved to be up to the test, as he had been developing and testing, for some time, a “custom IOS” or cIOS. The cIOS installer first appeared shortly after PatchMii and was essentially the same product. The original goal, however, was to create the most stable and functional IOS (that was separate from all official IOS) that could still install “fakesigned” wads via the Trucha bug. The bug had been patched in newer IOS at first, but then with a certain update the fix was backported partially as several other key IOS were overwritten with new fixed versions, thus intentionally disabling Wad Manager. Wad Manager began to rely only on IOS249, which was the very high available slot Waninkoko chose to reference his custom IOS. Now keeping that in mind, the opportunity arose with the release of DVDX, to tweak his cIOS, à la PatchMii, with the intent to enable “backup” (unlicensed copy) loading. In just less than two months after the DVDX release, Waninkoko announced his intention and demonstrated a Proof of Concept internally to the scene, but before he could add whatever finishing touches he had desired, Backup-Loader, a special patcher (read: decrypter) program, and a wad of cIOS revision5 were leaked on the Wii-Hacking section of gbatemp.net. That is pretty much when it all turned into a hot mess. Insert pages upon pages of ridiculous drama, and then we’re back to the facts.

The leak of Backup Loader might have been the death of it and cIOS, but another developer interested in loading backups, WiiGator, borrowed some code from Nuke’s GeckoOS and created a more stable solution called Backup Launcher 0.1. This enticed Waninkoko to continue his work on cIOS. Waninkoko and WiiGator began to collaborate, and the release of Backup Launcher 0.3 Gamma, with a corresponding cIOS rev7, was a very functional backup solution with no hardware modification required at all. WiiGator barely stuck around long enough to soak up any recognition, though, but remained long enough to eventually create a custom cMIOS (which enables Gamecube backups), a loader for it as well, and then finally cBoot2, which is a special app for system recovery. Waninkoko has since taken over and tweaked cMIOS, but little has been done to alter compatibility. However, cIOS is still in development and has had many stable releases. If you are interested in backup disc loading, the evolution of what Waninkoko and WiiGator started is clearly seen in WiiPower’s iteration, NeoGamma.

At this point in the history of Wii-Modding, all parties in the scene essentially became the enemy of Nintendo. Backup-loading drew a lot of attention towards unlicensed software, and it became even easier as time progressed with creations like cIOScorp (aka: DarkCORP, the moderately unsafe practice of overwriting most Wii IOS’s with custom IOS’s to allow a system to natively recognize burnt discs; only REALLY unsafe if you plainly Remove any IOS), the USB-loading interfaces created by Kwiirk and polished by Hermes, and even SNEEK by Crediar which allows you to tweak and modify a “fake NAND” safely. It became clear that Nintendo would focus software updates on blocking the ability to enable unlicensed code to run in the first place. Every instance of the Trucha bug was eventually patched, several iterations of the Twilight Hack were put to rest, and the slots used for custom IOSs were filled with nonfunctional “stubs” that can’t even run the native system menu. Nintendo even went above and beyond to combat disc piracy at a hardware level with newer Wii drives. The Homebrew subscene has decidedly forked as much as possible from the piracy subscene, but usually their internal success has re-ignited the piracy scene every step of the way, and Nintendo has given them no benefit of the doubt for it. These and other developments have also caused Nintendo to use their knowledge of how certain modifications are being achieved, and to check systems to verify warranty validity before repairing damaged/defective systems.

I hope that you will take the practice in reading that you have had with this article, and not stop, but continue to read and gain a better understanding of the modifications you perform to your product.
 

Riicky

nice article
 

noobwarrior7

This article ends with merely a mention of cIOScorp, which is the primary piece of softmii, and softmii itself is still not in the second part, as the bulk value of softmii was the learned knowledge involved in custom themes... not the package itself, IMO. Theming, and cSM, and preloader and more are in part two, but many people were here for that, and honestly, there was suddenly a lot more BS going down in those times.
 

noobwarrior7

:-D Thanks for the kudos.
Please do point out any typos [with or without ridicule]. ;-)

We all know that spellcheck only does so much.
 

FIX94

Great Article man! The good old Twilight Hack... I have the Wii version only for this but the gamecube version was better
 

techboy

Interesting read.

Reminded me of the day I first used Backup Loader 0.3...played a copy of Elebits, and waited almost 3 minutes at each loading screen.

I was surprised there was no mention of the "dummy" HBC (the bannerless chainloader channel) though...AFAIK that was the first public method of running brew without needing TP. HBC (as we know it now) came a few months later.
 

dronesplitter

I still remember getting an SD Gecko, I guess because I was too impatient to wait for libogc to support the internal SD slot, and using it with the Twilight Hack to load my first homebrew apps. Now there are apps that use USB2.0 loading. Thanks to all of the developers for making the Wii a far better console than it would have been.
 

WiiCrazy

Few things are missing,

- Freeloader
- First spotting of trucha bug and using it on discs... Trucha signer... GC homebrew on discs
- Earlier homebrew with no wiimote support... GC controller was necessary

Otherwise, a good read!

ps: I still have that IOS 5 released by Nitrotux on my wii, it's not yet blocked by Ninty
 

SifJar

techboy said:
> Interesting read.
>
> Reminded me of the day I first used Backup Loader 0.3...played a copy of Elebits, and waited almost 3 minutes at each loading screen.
>
> I was surprised there was no mention of the "dummy" HBC (the bannerless chainloader channel) though...AFAIK that was the first public method of running brew without needing TP. HBC (as we know it now) came a few months later.

I never knew of this "dummy" HBC...got any more info or old links or anything? (I wasn't in the "scene" back then, although I did know most of what was in that article)

I note you didn't go right back to the start, to the Twiizer Attack, from which Team Twiizers got their name. So I figured I'd have a shot at explaining it quickly.

At first, the only way to run any unsigned code on the Wii was via a modchip in GC mode. This meant you could only run GC homebrew of course, and many of the Wii's features were shut down while the code was running, including most of the Wii's memory. However, Team Twiizers used a pair of tweezers to "bridge" the memory, skipping past sections of it, so GC homebrew could access memory it wasn't supposed to. This let them map out the Wii's memory, bit by bit. Eventually, this allowed them to find the Wii's common key. This was a bit of a breakthrough, as it meant they could decrypt any Wii software they wanted.

They could now decrypt IOS, and look for bugs. It was in this way that they found the trucha bug. The first public demonstration of this was by bushing at the 24c3 hacking conference, where he used a modchip to play a modified copy of Lego Star Wars, with wii remote info displayed on screen, via a custom injected DOL. However, TT decided not to make public the details of this bug at this time, choosing instead to try and develop a game based exploit, instead of relying on fake signed disks booted via modchips. Around this time, the Trucha Signer was developed, a tool to modify Wii games, which could then be burnt and played via modchips. It was written by xt5, who found the bug independently. When it was released, Datel used the Trucha Bug to make their Freeloader, a region free tool for Wii games. It was after this that Nintendo released IOS37, the first IOS with Trucha Bug fixed, causing much panic. TT did release a trucha signed disc eventually, to install HBC without the need for a game exploit, but it required a System Menu below 3.2 and a modchip (as all trucha signed discs would, except Freeloader).

The release of IOS37 caused some less intelligent people to start writing System Menu patchers to change the IOS the System Menu used back to one with the trucha bug, as it was believed having HBC and a non-bugged System Menu IOS would cause a brick. However, the problem didn't exist at that time, as IOS37 wasn't used by System Menu, and as it turned out, there was no issue having HBC with a non-bugged System Menu IOS.

I believe most of this is reasonably accurate, but I'm not sure exactly of the timescale, or where other things e.g. HBC fit into this.

EDIT: Corrected some mistakes.

More info on some of the stuff mentioned is found here: http://debugmo.de/2008/03/thank-you-datel/
 

dronesplitter

I believe the so-called "dummy" HBC he is referring to was really the early trial version that was supposed to deactivate itself after running a couple of times but hacked to continue working.
Just found a post on a different site that mentions users PaRaDoX and Superken7 as responsible for removing the limits on that version of HBC. Don't know much more about it.
 
