Able to install cIOS with the system menu?

Discussion in 'Wii - Hacking' started by Krestent, Jan 20, 2010.

Jan 20, 2010
  1. Krestent
    OP

    Member Krestent What to post?

    Joined:
    Mar 31, 2009
    Messages:
    3,952
    Country:
    United States
    I posted that I was going to install SM3.5K into 000000010000009C in another thread, but now I can't find that thread (yes, I searched). So I installed it and also IOS52.

    I tested my theory by loading IOS254 with the cIOS rev17 installer, which brought up Bootmii/IOS. But, when I load IOS156 with the installer, it just continues, as if I had selected a trucha-signed IOS, and even lets me install the cIOS! How do I get around this?

    Running SM4.0, cIOS rev17, installed non-stub IOS52, installed IOS156 (really SM3.5K).
     


  2. BBking83

    Member BBking83 GBAtemp Advanced Fan

    Joined:
    Oct 23, 2008
    Messages:
    676
    Location:
    Australia
    Country:
    Australia
    It's vulnerable...

    http://wiibrew.org/wiki/IOS52

    I wouldn't be installing different SMs, especially different region ones.
    What were you trying to get out of this? Just testing?
     
  3. Krestent
    OP

    Testing... but the thing is, I know IOS52 is vulnerable, but running code from the IOS that's really the SM itself?
     
  4. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    How did you install System Menu as IOS? Just change the title ID? I assume you needed trucha to install it...
     
  5. fogbank

    Member fogbank GBAtemp Fan

    Joined:
    Oct 28, 2008
    Messages:
    413
    Country:
    United States
    Maybe if you load SM in that manner the Wii checks the TMD for the required IOS (52) and loads that first, but the actual System Menu does not load. Either that or the cIOS installer does not load the SM correctly and you are still running the IOS that was being used when you launched the installer (and if that IOS is vulnerable the cIOS installation succeeds).

    Just guessing...
     
  6. Krestent
    OP

    So I might next try installing a non-trucha vulnerable IOS to IOS52 and see if the installer still runs?
     
  7. SifJar

    Yeah, try that. If it does indeed check the TMD of the SM and switch to IOS52, with an unpatched IOS52, installation will fail.
     
  8. Krestent
    OP

    I'm out of the house at the moment...but anyway, does Bootmii/IOS use mini or some IOS? If so, how does it run?
     
  9. Jacobeian

    Member Jacobeian GBAtemp Advanced Maniac

    Joined:
    May 15, 2008
    Messages:
    1,879
    Country:
    Cuba
    Something you don't understand is that system menu and IOS are two completely different things: the fact they can be installed from "wads" as "title" in the Wii memory does not mean they can be handled in a similar way.

    System Menu is code running on the PowerPC CPU, while IOS runs on the ARM CPU; those are two fundamentally different and incompatible binary types. How do you expect that loading the system menu installed as an IOS could work? It simply can NOT work: you have to load some IOS code in ARM memory as well as the System Menu code in main memory at some point, then make the CPU start code execution.

    I agree that experimenting with stuff is fun but you also need MINIMAL knowledge of what you're doing.


    Bootmii/IOS, when loaded (IOS_Reload), will load mini then the interface program, just as BootMii/Boot2 would do when the wii is powered.
     
  10. Krestent
    OP

    Then how about this: Would it work if I patched some code that calls the system menu, such as the "return to System Menu" option in some homebrew to call 000000010000009C instead of 00000001000000002?
     
  11. Jacobeian

    using homebrew maybe, at least it would be more realistic, though I don't know what kind of protection/requirements are in those ES functions

    edit: in libogc you have this neat little function WII_LaunchTitle(u64 titleID); you could try to load the system menu title installed as IOS and see what happens. The biggest risk is if the Korean system menu tries to write some files on your NAND when started and this ends up messing up your old system configuration, preventing the original system menu from working when you reboot your console.

    Be sure to have BootMii as boot2 installed; otherwise I wouldn't take that risk if I were you.
     
  12. Krestent
    OP

    In that case I'll try to make SM2.0U work...Whatever it wrote to the nand is probably still there from the time my Wii was virgin.

    And OF COURSE I have Bootmii/boot2. I'm not that stupid.
     
  13. SifJar

    If you do this, you could have multiple System Menus installed. Reasonably pointless really, but you could modify MyMenu to install themes to a "backup" System Menu so you could test them without risk of bricking. That's about the only use for it I can think of.
     
  14. Krestent
    OP

    What open-source homebrew has this feature?
     
  15. SifJar

    If MyMenuify isn't open source, I don't think there is another theming homebrew. Other than softmii, but it's long dead and crap.

    Anyway, the only other use for this I can think of would be for StartPatch. You could make a modified version which would install to a fake SM, then you could safely test patches without any risk. But you could also update Menu Loader or use Banana Patcher to test the patches; in the latter you just need to change the format a little.

    In short, it'd be an interesting experiment, but not very useful I think. But you never know, maybe it'd be useful to have a backup SM, and perhaps someone could write a MINI app which would load titles off the NAND, so if you messed up your System Menu, you could use that app with the backup SM installed elsewhere to boot your Wii. Maybe I'm being ridiculous though...
     
  16. XFlak

    Member XFlak Wiitired but still kicking

    Joined:
    Sep 12, 2009
    Messages:
    9,122
    Location:
    Ontario
    Country:
    Canada
    I happen to have the source code for MyMenuify. If anyone needs/wants it, just PM me.
     
  17. Cmurda187

    Member Cmurda187 GBAtemp Regular

    Joined:
    Oct 24, 2008
    Messages:
    230
    Location:
    The depths of HELL
    Country:
    United States
    Didn't Wanin do something kind of similar to this with a NAND emulation project he was working on before? I remember seeing some video where he was using different system menus with NAND emulation.
     
  18. tueidj

    Member tueidj I R Expert

    Joined:
    Jan 8, 2009
    Messages:
    2,569
    Country:
    The system menu is expected to be title 0000000100000002, it's hard-coded in things all over the place.
     
  19. Krestent
    OP

    But will that stop a system menu installed to 000000010000009C from launching?
     
  20. tueidj

    You can't launch a title from there. 1-3 to 1-255 is reserved for IOSes only.
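
The title-ID layout described in the last few posts, as an added example that is not part of the thread and not libogc code: it splits a 16-hex-digit title ID into its upper and lower 32-bit halves and reports whether it names the System Menu (1-2) or an IOS slot (1-3 to 1-255). The enum and function names are hypothetical, and the sample IDs are the ones quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Title classes as described in the thread (names are hypothetical). */
enum title_class { TITLE_INVALID, TITLE_SYSTEM_MENU, TITLE_IOS_SLOT, TITLE_OTHER };

/* Parse exactly 16 hex digits into a 64-bit title ID; returns 0 on success. */
static int parse_title_id(const char *s, uint64_t *out)
{
    if (strlen(s) != 16 || strspn(s, "0123456789abcdefABCDEF") != 16)
        return -1;
    *out = strtoull(s, NULL, 16);
    return 0;
}

/* Classify by the upper (type) and lower (id) 32-bit halves. */
static enum title_class classify_title(const char *s, uint32_t *ios_slot)
{
    uint64_t tid;
    if (parse_title_id(s, &tid) != 0)
        return TITLE_INVALID;
    uint32_t hi = (uint32_t)(tid >> 32), lo = (uint32_t)tid;
    if (hi != 0x00000001)
        return TITLE_OTHER;
    if (lo == 2)
        return TITLE_SYSTEM_MENU;          /* 0000000100000002 */
    if (lo >= 3 && lo <= 255) {            /* 1-3 .. 1-255: IOS slots only */
        if (ios_slot) *ios_slot = lo;
        return TITLE_IOS_SLOT;
    }
    return TITLE_OTHER;
}

int main(void)
{
    const char *samples[] = { "0000000100000002", "000000010000009C",
                              "00000001000000002" /* 17 digits, as typed in post 10 */ };
    static const char *names[] = { "invalid", "system menu", "IOS slot", "other" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        uint32_t slot = 0;
        enum title_class c = classify_title(samples[i], &slot);
        printf("%-18s -> %s", samples[i], names[c]);
        if (c == TITLE_IOS_SLOT) printf(" (IOS%u)", (unsigned)slot);
        putchar('\n');
    }
    return 0;
}
```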
     
