if you want to do that, you have to dump your nand, and make the wad from the dump, because waninkoko made a safety measure (?) so you cant dump ios 249
I was wondering if there is a legal way to generate your own cIOS wad. I have tried WAD Creator but it keeps giving me errors when I try to extract it.
- Joined
- Jul 14, 2008
- Messages
- 1,096
- Trophies
- 0
- Age
- 36
- Location
- Warwick, Rhode Island
- Website
- Visit site
- XP
- 143
- Country
s3phir0th115 said:
I have done it with cIOS rev9 (but not higher) using IOS36-64-v1042, bspatch.exe, and patch files that were in a 4.0 downgrader pack. The batch file looks something like this:
ECHO Patching IOS36 to cIOSv9...
MOVE /Y "0000000100000024.1042\*.app">nul
ren cios0f 0000000f.app
bspatch "00000000.app" "00000000.app" ios36cios00
bspatch "00000001.app" "00000001.app" ios36cios01
bspatch "0000000e.app" "0000000e.app" ios36cios02
bspatch "00000003.app" "00000003.app" ios36cios03
CLS
ECHO Packing WAD...
wadpacker ciostik ciostmd cioscert ciosv9.wad -sign -w>nul
ren 0000000f.app cios0f
DEL *.app
rmdir /S /Q 0000000100000024.1042>nul
rmdir /S /Q ..\tmp>nul
CLS
IF NOT EXIST ciosv9.wad ECHO Error packing cIOSv9^^!&GOTO EndHandler
FOR /F "tokens=1* delims= " %%a IN ('sha1 ciosv9.wad') DO IF NOT %%a==02c753069c5fc957203c00d7cfc0a4eb8b0b4214 ECHO Something went wrong, the new WAD does not match cIOSv9^^!&DEL ciosv9.wad&GOTO EndHandler
MOVE /Y "ciosv9.wad" "..\ciosv9.wad">nul
ECHO SHA1 sum is correct, everything went fine^^!
ECHO.
ECHO Everything done, enjoy^^!
MOVE /Y "0000000100000024.1042\*.app">nul
ren cios0f 0000000f.app
bspatch "00000000.app" "00000000.app" ios36cios00
bspatch "00000001.app" "00000001.app" ios36cios01
bspatch "0000000e.app" "0000000e.app" ios36cios02
bspatch "00000003.app" "00000003.app" ios36cios03
CLS
ECHO Packing WAD...
wadpacker ciostik ciostmd cioscert ciosv9.wad -sign -w>nul
ren 0000000f.app cios0f
DEL *.app
rmdir /S /Q 0000000100000024.1042>nul
rmdir /S /Q ..\tmp>nul
CLS
IF NOT EXIST ciosv9.wad ECHO Error packing cIOSv9^^!&GOTO EndHandler
FOR /F "tokens=1* delims= " %%a IN ('sha1 ciosv9.wad') DO IF NOT %%a==02c753069c5fc957203c00d7cfc0a4eb8b0b4214 ECHO Something went wrong, the new WAD does not match cIOSv9^^!&DEL ciosv9.wad&GOTO EndHandler
MOVE /Y "ciosv9.wad" "..\ciosv9.wad">nul
ECHO SHA1 sum is correct, everything went fine^^!
ECHO.
ECHO Everything done, enjoy^^!
The batch file is an excerpt from the downgradehelper.bat included in the pack.
The point is in order to do it this way you have to have the "diff" files to patch the base IOS. I don't know if they exist for revisions other than 9.
ddp127 said:
Which tool do I use to pack that wad with? tf_wad_packer doesn't seem to show everything like wad creator did.
Is there some tool that can change the number of an IOS? If so you could dump IOS250 (which is a copy of 249) and then change the titleid or whatever to make it into IOS249. Of course that's assuming it dumps IOS250 correctly in the first place.
FenrirWolf said:
I think there is a tool to patch what IOS something will use, but not change the IOS itself. I could be wrong though.
Man, you'd think information like this would be more readily available. All I'm wanting to do is make a wad so I can more easily hack 4.0 Wii's when I come across them instead of installing a trucha patched wad then running the installer.
You'll have to install a trucha patched wad to be able to get a cIOS wad installed anyway. But it will save you from having to install an old cIOS and then update it.
FenrirWolf said:
Well, from what I understand with the cboot2 workaround, the wad manager you're using will allow any IOS to be modified. That's how you're able to uninstall then install a trucha vulnerable wad in the first place. I would just want a cIOS wad so I can skip what I see as an unneeded step.
Not only that, but I think it would also allow me to deal with LU64+ Wii's as well, since I'd be installing something designed to work with them.
FenrirWolf said:
Yes, it can be done using a hex editor and modifying the TMD. Change the value at 0x18C and pack the WAD.
Also, if you know how to read the TMD it should be possible to extract the correct .app files from a NAND dump. The "contents" section in the TMD starts at 0x1E4 and lists each file in the title. The files with type = '0001' are local files (in the CONTENT folder of that title) and the files with type = '8001' are shared files (in the SHARED1 folder). You would have to look for the files in the SHARED1 folder with the hash that corresponds to the hash listed in the TMD.
You could use a NAND dump or a tool such as FSToolbox to obtain the correct files from the NAND.
I think this would be a lot of work and not easy to obtain accurate results though... There is probably an easier way
s3phir0th115 said:
Aside from the old "cios_fix" WAD there is at least one other cIOS widely available in WAD form (LU64 fix). It is a beta version of cIOS rev11 and can easily be found. It will get you cIOS installed, but you would still have to run the installer for higher revisions.
It's not that hard if you know what files you want in NAND.
By using FSToolBox and Hex, I have moved rev10 to IOS35, rev13 to IOS222 and else.
You can use FSToolBox to dump cert, tik, title and shared1 folders, and all files you need to pack a cIOS are inside these folders.
By using FSToolBox and Hex, I have moved rev10 to IOS35, rev13 to IOS222 and else.
You can use FSToolBox to dump cert, tik, title and shared1 folders, and all files you need to pack a cIOS are inside these folders.
kyogc said:
Would you mind sharing what procedure you could follow for that? I have a full nand dump ready to go. I just need to know which files to get and what to use to pack them.
s3phir0th115 said:
Start here:
http://wiibrew.org/wiki/Title_metadata
Extract the TMD of 0000001000000F9 and check the contents section starting at 0x1E4.
Note: this process would only allow you to recreate the cIOS revision that you currently have installed (afaik).
Example:
File 00000000.app
Index = 0000
Type = 0001 (local)
Hash = 0D1C3FFCE20046BA0D861F25315F295DB4C9CA32
This one's easy because it's local (already in the CONTENTS folder).
File 00000001.app
Index = 0001
Type = 8001 (shared)
Hash = B40F265AD296F362E6FBADCA53A350260656DF64
Find the file in the SHARED1 folder with that hash and include it in the WAD as 00000001.app.
I believe that is the process.
EDIT: SHARED2 should have been SHARED1
fogbank said:
Hmm. This is quite complicated compared to what I thought it'd be. I will take a stab at it I suppose.
Similar threads
- Question
- Question
