Hacking Bushing's DVD Exploit (Part 2)

teq said:
linkinworm said:
Yes, I know this, but all of this is still part of the system somewhere along the line with the checking of everything. Waninkoko must have done something like this to get the low-level DVD reading to work.

There's a difference between editing strings and editing code. Strings do nothing but display on the screen. They aren't processed.

What Waninkoko did was change actual code, which isn't a string.


Again, I know this. What I meant was that somewhere along the line (in code) these commands are called, e.g. when you insert the disc it will check for its integrity, i.e. all the security of the disc, which we could patch to do one of the things I mentioned above. Saying all this, I bet the solution is even easier than all of these put together, not that I know it.
 
teq said:
+ Modify the IOS, so that after a disc is read and verified, a delay is put in place that would allow someone to swap discs(ie: Action Replay).
+ Modify the IOS to read a header from a different source that would "spoof" the verification of the disc and pass through any data thereafter.
+ Redirect IOS Syscalls from DI to SDIO\UHCI and store the ISO on an SD card or USB Drive. From there, the bootloader could direct back to the DVD drive.
Great you started a new thread with completely unfounded speculations. Way to go!
Fact is, the check whether it's a real game disc is entirely done by the disc drive's firmware. If it's not an original game disc it will lock up, no matter what IOS thinks about it. So you HAVE TO PATCH THE DRIVE'S FIRMWARE in order to let it read burned discs. I guess bushing found a backdoor to do exactly this. (Actually I think the backdoor was long since known [as shown here http://www.youtube.com/watch?v=uTx2MAOspS4 ] and bushing now found the part of IOS that blocks it from being used, so that he could enable drive patching through software.)
 
Slowking said:
Great you started a new thread with completely unfounded speculations. Way to go!


Actually those were just his thoughts. A lot different than some of the speculation that goes on here every day
 
zant said:
So, whats the barrier on my idea of an unbricker?

Accessibility, mostly.

The Starlet isn't entirely open for disposal.
 
Slowking said:
teq said:
+ Modify the IOS, so that after a disc is read and verified, a delay is put in place that would allow someone to swap discs(ie: Action Replay).
+ Modify the IOS to read a header from a different source that would "spoof" the verification of the disc and pass through any data thereafter.
+ Redirect IOS Syscalls from DI to SDIO\UHCI and store the ISO on an SD card or USB Drive. From there, the bootloader could direct back to the DVD drive.
Great you started a new thread with completely unfounded speculations. Way to go!
Fact is, the check whether it's a real game disc is entirely done by the disc drive's firmware. If it's not an original game disc it will lock up, no matter what IOS thinks about it. So you HAVE TO PATCH THE DRIVE'S FIRMWARE in order to let it read burned discs. I guess bushing found a backdoor to do exactly this. (Actually I think the backdoor was long since known [as shown here http://www.youtube.com/watch?v=uTx2MAOspS4 ] and bushing now found the part of IOS that blocks it from being used, so that he could enable drive patching through software.)
God, I forgot about that, and thinking about it, the Wii drive must be almost the same as a GC drive, or slightly modified (in terms of hardware), for it to be able to read GC discs because of the security that was on the GameCube discs (including that inner curve). That, and the Wii is a GameCube 1.5.
What could bushing have found? Maybe deleting all the IOS just lets the system read everything, lol, joke. Who knows.
 
mcj said:
Slowking said:
Great you started a new thread with completely unfounded speculations. Way to go!


Actually those were just his thoughts. A lot different than some of the speculation that goes on here every day

I wouldn't want to forbid anyone to speculate, I myself love it, but it would really help if some people would read up on the basics of the subject they are speculating about. If speculations are completely unfounded and with 5 minutes of research proven false, it's just annoying.
 
Slowking said:
teq said:
+ Modify the IOS, so that after a disc is read and verified, a delay is put in place that would allow someone to swap discs(ie: Action Replay).
+ Modify the IOS to read a header from a different source that would "spoof" the verification of the disc and pass through any data thereafter.
+ Redirect IOS Syscalls from DI to SDIO\UHCI and store the ISO on an SD card or USB Drive. From there, the bootloader could direct back to the DVD drive.
Great you started a new thread with completely unfounded speculations. Way to go!
Fact is, the check whether it's a real game disc is entirely done by the disc drive's firmware. If it's not an original game disc it will lock up, no matter what IOS thinks about it. So you HAVE TO PATCH THE DRIVE'S FIRMWARE in order to let it read burned discs. I guess bushing found a backdoor to do exactly this. (Actually I think the backdoor was long since known [as shown here http://www.youtube.com/watch?v=uTx2MAOspS4 ] and bushing now found the part of IOS that blocks it from being used, so that he could enable drive patching through software.)

Uh, unfounded speculations? Do you even know what you're talking about?

The security on the drive is weak enough to be patched by several bytes, and here you are talking like it's a full on security algorithm.

I don't know if you recall, but in earlier system revisions, you could get around regions by inserting a GC game and then swapping it for a Wii game.
 
So what has to be done to point the boot sequence to load the program FIRST from the SD card, then from the IOS? (Sorry if I'm a bit off.)
 
teq said:
Uh, unfounded speculations? Do you even know what you're talking about?
Uhm yeah, but I highly doubt you do.

teq said (Jul 17 2008, 11:00 PM): I don't know if you recall, but in earlier system revisions, you could get around regions by inserting a GC game and then swapping it for a Wii game.
Dah, region control is done by the system menu / disc channel, not by the drive.
 
zant said:
So what has to be done to point the boot sequence to load the program FIRST from the SD card, then from the IOS? (Sorry if I'm a bit off.)

Modify boot2?
 
QUOTE said:
what did waninkoko do in his CIOS?

Waninkoko simply copied & pasted what nitrotux (or whoever did the custom IOS5) did before him, and what the PatchMii authors released later. This ONLY removes the DVDLowUnencryptedRead function limitation so you can read the DVD through libogc, in that case to dump a DVD or to load ROMs from DVD WITH a modchip.

What Bushing found is a LOT more advanced. He probably found a hole in the DVD firmware that can be forced through IOS, which goes against everything we could have thought before. Very, very interesting.

Edit: just read Slowking's post, he is probably right.
teq, region protection is completely another thing. This is handled by the system menu or whatever software when reading the first DVD data bytes; DVD identification is done way before that.
 
Slowking said:
teq said:
Uh, unfounded speculations? Do you even know what you're talking about?
Uhm yeah, but I highly doubt you do.

teq said (Jul 17 2008, 11:00 PM): I don't know if you recall, but in earlier system revisions, you could get around regions by inserting a GC game and then swapping it for a Wii game.
Dah, region control is done by the system menu / disc channel, not by the drive.

If you're just going to troll, instead of providing any actual insight, then I suggest you go somewhere else.

The methods I described in the first post are speculative and aren't meant to hold on their own. If they did, I would've already implemented them and been on my way to playing backups.

Modifying the drive is a given, unless of course you can take the drive out of the picture all together.


EDIT: And as far as the region protection is concerned, it doesn't matter where it originates from -- the point was that the drive had no protection to stop a disc swap. They could've locked the drive while it was on the disc channel.
 
Your speculations never hold, not on their own and not in any other case. And I explained exactly why. If you read my first post again you will see it. Sorry if I sounded a little harsh, but I've been through this on tehskeen already. I guess I'm a little unnerved.

Btw, after you patch the drive you don't have to do anything else, that is clear, is it? Burned games will just get recognised as originals.

Edit:
teq said:
EDIT: And as far as the region protection is concerned, it doesn't matter where it originates from -- the point was that the drive had no protection to stop a disc swap. They could've locked the drive while it was on the disc channel.
You're correct, it has no protection against a disc swap. But that doesn't matter, as it will check every disc that you swap in, and if it's not an original the drive will lock up.
 
I think you convinced me... this is probably something like that. tmbinc was also the FIRST to make a custom firmware (IPL) for the GameCube, and this is what started the modchip dance on that console.


In some respects, we are now walking backwards, rediscovering DVD firmware patching after being able to run homebrew and using drive chips.
 
Maybe he found how to patch the USB 1.1 code in IOS to USB 2.0; that alone could "allow pirated Wii games to be played on an unmodified Wii console."
Still ironic, the last part is already true if you mean WiiWare and VC games; they are in essence Wii games too, right?

As I wrote previously in an ISO loader thread here, you just need to swap the calls to read from SD/USB or whatever instead of calling the DVD. Seeing the latest patches to IOSes, it now seems completely feasible to me.
 
zant said:
In regards to re-writing the NAND flash, talk with Dark AleX or Fanjita from the PSP scene. Somehow, the idea was to force the battery to boot to the memstick, which in turn re-wrote the files. The memstick slot is provided with the SD front slot; now we have to figure out how to direct the boot sequence to the SD slot, then to the Wii system menu, sort of like the
http://hackmii.com/2008/06/your-wii-is-not-a-psp/
Read until understanding seeps into your apparently slow brain.
 
I can't believe nobody can put 2 and 2 together.

bushing & co. have been rewriting parts of IOS, attempting to create stub versions of IOS, etc. for quite some time.

I can tell you without a doubt that this has nothing to do with ISO Loaders. There's nothing preventing that on the current system.

Since he considers it a "vulnerability" and it was only recently found, it wouldn't be something you could achieve simply by modifying the current functionality of IOS.

It's much, much, MUCH more likely that reverse engineering the /dev/di (disc) module of IOS has led to finding things out about the interface to the disc drive. If the interface allows a full set of commands to be sent to the disc drive, it's likely one could implement the same functionality of a current Wii modchip using a custom IOS /dev/di module. All modchips currently do is send commands to the drive to set certain registers, etc. It's entirely possible that these same commands could be sent by the Starlet, and hence be sent using a custom IOS.
 
ProdigySim said:
It's much, much, MUCH more likely that reverse engineering the /dev/di (disc) module of IOS has led to finding things out about the interface to the disc drive. If the interface allows a full set of commands to be sent to the disc drive, it's likely one could implement the same functionality of a current Wii modchip using a custom IOS /dev/di module. All modchips currently do is send commands to the drive to set certain registers, etc. It's entirely possible that these same commands could be sent by the Starlet, and hence be sent using a custom IOS.

Okay... so take the source of, say, OpenWii, find the call to the D2x chip, throw it together in a custom IOS and... tada?
 
If that's the case, you can't just use OpenWii's commands. You will have to use the IOS's commands, but with them you could upload OpenWii's or YAOSM's (better) drive code to the drive. And that should be it. At least for D2A/DMS/D2B; for D2C the drive code would have to be modified, but it should also work.
 