Hacking Casper by giantpune

  • Thread starter: snikerz
  • Views: 29,592
  • Replies: 146
The instructions were pretty simple. If you can't follow those, I don't see how a log on the screen would be any help either.
 
Casper accesses MINI (full hardware access), skipping the IOS barrier (IOS runs as a mini OS inside the Hollywood CPU [specifically inside the ARM Starlet]).

HBC runs on IOS (it requires a Team Twiizers-exploited IOS / one available on your Wii); if your Wii doesn't have that/those required IOS, HBC will refuse to boot.

If you have MINI access (Mini Is Not IOS), then you run a MINI ELF header file, giving full hardware access from there. (starlet cpu open/free to receive data?)

To make it short, giantpune developed another way of running MINI apps, without the hassle of installing BootMii and/or using Team Twiizers' BootMii.

At least, that's how I get it, if I'm wrong someone correct me.
 
If you don't know what to use it for, why do you even want to use it?

Anyway, you can use it to load Ceiling Cat (the official BootMii GUI - the one used to make NAND dumps etc.) or GC Linux or SNEEK/UNEEK or Comex's NAND Formatter or probably some other stuff I can't think of.
giantpune, could you possibly include an on-screen log of what's actually going on, as it's like looking at a blank screen.

Also... maybe perhaps someone could create a tutorial for someone that doesn't even understand the basics of how this all works fully without looking like a complete n00b.

It's really very simple.

Set up your SD card exactly the way you would to load whatever (SNEEK, GC Linux etc.) via BootMii.
Copy "armboot.bin" from the "BootMii" folder on the SD card to the root and rename it "bootmii_ios.bin"
Run casper.elf through whatever method you like (exploit, HBC, any other homebrew loader)
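The SD card preparation described in the three steps above, written out as an added POSIX shell script. This is not code from the thread, from Casper or from BootMii; it assumes the SD card is mounted at the path you pass in, that BootMii's files live in a bootmii (or BootMii) folder on the card as step 2 says, and that bootmii.ini uses a plain AUTOBOOT=... line (an assumption about the ini format). It copies armboot.bin to the root as bootmii_ios.bin, verifies the copy byte-for-byte, and warns if an autoboot entry is present, since a later post notes that autoboot settings will otherwise kick in before you can press a button.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Casper/BootMii.
# Assumption: $1 is the mount point of the SD card, e.g. /media/sd.

prepare_casper_sd() {
    sd_root=$1
    dst="$sd_root/bootmii_ios.bin"          # the name Casper looks for at the root
    src="$sd_root/bootmii/armboot.bin"      # BootMii's own copy of the MINI binary
    ini="$sd_root/bootmii/bootmii.ini"

    if [ ! -d "$sd_root" ]; then
        echo "error: $sd_root is not a directory" >&2
        return 1
    fi

    # FAT is case-insensitive, but a case-sensitive host may show "BootMii".
    if [ ! -f "$src" ]; then
        if [ -f "$sd_root/BootMii/armboot.bin" ]; then
            src="$sd_root/BootMii/armboot.bin"
            ini="$sd_root/BootMii/bootmii.ini"
        else
            echo "error: no armboot.bin found in $sd_root/bootmii" >&2
            return 1
        fi
    fi

    # Copy, then verify the copy before trusting it as the boot payload.
    cp "$src" "$dst" || return 1
    if ! cmp -s "$src" "$dst"; then
        echo "error: $dst does not match $src after copy" >&2
        return 1
    fi

    # Assumed ini format: a line such as AUTOBOOT=SYSMENU enables autoboot.
    if [ -f "$ini" ] && grep -q '^AUTOBOOT=' "$ini"; then
        echo "warning: $ini has an AUTOBOOT entry; be ready to press a button" >&2
    fi

    echo "ok: $dst ($(wc -c < "$dst" | tr -d ' ') bytes)"
    return 0
}

# Usage: sh prepare_casper_sd.sh /media/sd
if [ -n "${1:-}" ]; then
    prepare_casper_sd "$1"
fi
```

The function returns non-zero on any failure, so it can be chained before whatever you use to run casper.elf; the warning goes to stderr so it is visible even when the "ok" line is redirected.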
 
And yeah, epic achievement ripping code out of Riivolution.

It's not like the sources of Riivolution are easy to find for a simple cut, copy and paste.
So, if he reversed it, it's an epic achievement.
It's just sad he has to waste his time in doing that...
 
So, if he reversed it, it's an epic achievement.
So apparently the "epic achievement HOWTO" looks like this:
1. Start SNEEK with logging enabled
2. Start Riivolution
3. Watch what happens and copy it into your own app, not bothering to understand how it works.
- Why is the return address configured (based on the IOS version/revision) if the syscall never returns after bootmii is launched?
- Why make it return 101 (a random value I picked when writing it) without bothering to check for it in the powerpc code?
- Why use the exact same random stack locations? There are approx. 400 null bytes sprayed over a wide area, plenty of options to make it not so obvious...

Riivolution doesn't even use obfuscation, reversing it is a piece of cake once the compression is taken care of. It looks like pune at least tried to use some encryption and anti-debug checks for casper but they're not hard to work around.
It's just sad he has to waste his time in doing that...
Indeed, when he could have just told me what he wanted to do and asked if I would help. We could have even pushed out a new Riivolution update, the option to load bootmii directly from the SD card was added to SVN over a year ago but there hasn't been any significant reason to do a new release.

I don't mind this app being out there. It serves a purpose and it at least has basic protection against someone poking at it to see what's going on under the hood. The only thing I have an issue with is people acting like this is somehow the holy grail of wii hacking ("This is an achievement of epic proportions!") when it's really just a direct clone of the hard work that somebody else did with a few minor tweaks added. If ninty push out an update that kills the exploit and pune manages to find some other way to keep casper alive (without just using the HBC exploit instead, which he also knows), then you can have all the backslapping, singing of praises and naming of firstborns that you want.
 
It is ;) clean etc.

IOS53 (rev 5663),No,Disabled,Disabled,Disabled,Disabled,Disabled,Disabled

So that looks the way it should be right :O?
 
No, his wii is epically broken.

It does its job lol :P. Still can play games and homebrew. Just Homebrew Channel + BootMii is a pain in the ***.


But if I understand correctly, if this bypasses all the IOS, does it have read and write access to NAND / BOOT?
 
There are actually three things I would like to see added (and I think others would also find them useful):
- Support for setting the new IOS version via command line args. Bootmii will ignore the autoboot settings if you set the IOS version to 0xFEFF01 (Bootmii IOS uses IOS 254v65281 when it is installed on the NAND) so you wouldn't have to worry about scrambling to hit a button when you have an autoboot option enabled in bootmii.ini.
- If a pathname is specified on the command line, load it instead of bootmii_ios.bin.
- If there's no SD card/file found look for a USB gecko and load the IOS binary from the flash RAM, like the twilight loader does (not from the same flash address obviously).
 
TT was kind enough to use his mailbomb idea. I guess he wanted to do something in return and was kind enough to use the HackMii IOS exploit.
I looked at Casper with a hexeditor and couldn't find much obfuscation in it. You can even clearly see that libogc was used to create it.
 
I still have to buy a usb gecko...but not really useful when I don't know how to program anything besides BASIC yet.

But I've got an oscilloscope coming in the mail and I'll be able to slightly take my hardware hackery level up a notch. A logic analyzer is my next toy on my wish list. :D

I'm slowly starting to grasp C, but not much more than programming an arduino to take inputs and flash LEDs, but it's at least a start.
 
I don't know, but how do you expect to write some working code if you don't know what it does or is supposed to do?
 
