Hacking Downgrading IOS 15 on 4.3 Virgin wii

Poll: Worked for you?

  • Yes (with no freezes)
  • Yes (froze once while reloading IOS 15)
  • Yes (froze twice while reloading IOS 15)
  • Yes (froze more than twice while reloading IOS 15)
  • No

  Total voters: 0

petspeed

airline38 said:
petspeed said:
Is it possible to Trucha patch IOS80 so we can launch "unofficial" Wiiware/VC games from SD card?

Waninkoko has already done this as long as you use his firmware updater 4.3b
or you may ask someone who did this to extract from his/her machine .


That was an idea, thank you. But it is illegal to link to a Nintendo IOS in this forum, so I don't think it will be easy to get it...

hetfield said (Jul 2 2010, 02:21 PM):
this french tutorial is just a strange tutorial.
Still do not understand what you need hbcv1.01 for.

hbcv1.06 works fine, it seems like nutnut does not know the reason why his HBC is upside down.
which is if you do not have an unpatched IOS34 & 61.
Install both of them, reinstall hbc v1.06, and HBC works just fine.

I agree, and also he installs HBC with a different ID to avoid SM 4.3 deleting it. I think the guide on Wiihack by Maugfrog is much less complicated, he installs a standard HBC and then installs Priiloader before reboot and uses it to block the HBC deletion. Much more clever in my opinion. Besides, Maugfrog's guide doesn't need so many reboots and thus doesn't use Indiana Pwn and SmashStack so many times...
 

SifJar

Sorry, I forgot dop-Mii would need updated to support IOS80...


Anyway, you can just use a tool like IOSPatcher (by leathl, you can get it from the libWiiSharp Google Code page [http://code.google.com/p/libwiisharp/downloads/list]) to patch the IOS, then install it with WAD Manager.
 

fogbank

giantpune said:
how exactly is that different from what it has always done?
what do you think "downgrade_tmd_revision" means?

you still are breaking the signature when you change it even by 1 byte.
SifJar said:
You misunderstand.

ret = ES_AddTicket
ret = Downgrade_TMD_Revision
ret = install_IOS

What this code does is it begins installing the higher revision IOS15, then deletes the TMD when it's in /tmp and replaces it with a new one with the revision 0, then it finishes the installation of IOS15. So the result is the higher revision IOS15 with revision 0. Pretty much what you suggested.
Actually the ret = install_IOS function installs the lower revision IOS in this case.
What fails on 4.3 is that the files in /tmp are checked at the start of the install process AND the end, and they fail the check at the end, because the hash of the TMD differs from the one it had when entering /tmp.

I don't think I'm misunderstanding. The Downgrade_TMD_Revision function does not add the content. It starts the AddTitle, changes the TMD in /tmp/, then finishes the AddTitle. When ES_AddTitleFinish is called the only thing that has been "added" is the TMD. Yes, the result is the existing IOS15 revision content on the NAND with a modified TMD, but no content was added during the downgrade process. All I am suggesting is to add the actual content during the downgrade process (that is how it is "different from what it has always done"). I understand that the signature is broken when you change even 1 byte, but it may be worth a try to test their implementation of the signature check thoroughly by using the full procedure for installing a title instead of just ES_AddTitleStart and ES_AddTitleFinish. For all we know they may be checking the content hashes in the TMD against content hashes that were supposed to be stored in memory when the content was added (I know, it is unlikely).

I've never said that this would work (in fact I doubt it would), but it wouldn't be that hard to try it. That is how holes are found sometimes...by trying many different possibilities, instead of not trying them because they won't work "in theory".
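As an added example (not code from the thread, libogc or IOS) of the check fogbank and SifJar are discussing: a constructed model of the AddTitleStart / rewrite-in-/tmp / AddTitleFinish sequence, once with the staged TMD verified only at Start and once with the 4.3-style re-verification at Finish, so the same revision swap goes through in the first case and is rejected in the second. The digest, the struct layouts and the reading of -1017 as the rejection code are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the ES AddTitleStart/AddTitleFinish sequence and of the
 * 4.3 check the thread describes. Not libogc or IOS code; digest and error
 * semantics are assumptions. */
#define DOWNGRADE_REJECTED (-1017)  /* value fogbank reports; meaning assumed */
typedef struct {            /* stand-in TMD: only the fields the trick touches */
    uint32_t title_id_lo;   /* 0x0000000F for IOS15 */
    uint32_t revision;      /* the version the System Menu compares on update */
} tmd_t;

static uint32_t digest(const void *data, size_t len)  /* FNV-1a, placeholder hash */
{
    const uint8_t *p = data;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
typedef struct {
    int      started;          /* an AddTitle transaction is open */
    int      verify_at_finish; /* 0: check /tmp at Start only; 1: 4.3 style, Start and Finish */
    uint32_t staged_digest;    /* digest of the TMD as it entered /tmp */
    tmd_t    tmp_tmd;          /* the TMD file in /tmp */
    tmd_t    installed;        /* the TMD on NAND */
} es_t;

/* ES_AddTitleStart: copy the TMD to /tmp and record its digest. */
static int es_add_title_start(es_t *es, const tmd_t *tmd)
{
    if (es->started) return DOWNGRADE_REJECTED;
    es->tmp_tmd = *tmd;
    es->staged_digest = digest(&es->tmp_tmd, sizeof es->tmp_tmd);
    es->started = 1;
    return 0;
}

/* ES_AddTitleFinish: commit /tmp to NAND. With verify_at_finish the staged
 * file is digested again and must match what Start recorded. */
static int es_add_title_finish(es_t *es)
{
    if (!es->started) return DOWNGRADE_REJECTED;
    es->started = 0;
    if (es->verify_at_finish &&
        digest(&es->tmp_tmd, sizeof es->tmp_tmd) != es->staged_digest)
        return DOWNGRADE_REJECTED;   /* TMD was altered while sitting in /tmp */
    es->installed = es->tmp_tmd;
    return 0;
}

/* Run the Downgrade_TMD_Revision trick on a console whose IOS15 TMD is at
 * installed_rev; returns the Finish result, *out_rev is the NAND revision after. */
int run_downgrade(int verify_at_finish, uint32_t installed_rev,
                  uint32_t target_rev, uint32_t *out_rev)
{
    es_t es;
    memset(&es, 0, sizeof es);
    es.verify_at_finish = verify_at_finish;
    es.installed.title_id_lo = 0x0000000Fu;
    es.installed.revision = installed_rev;
    int r = es_add_title_start(&es, &es.installed);  /* re-install the existing TMD... */
    if (r == 0) {
        es.tmp_tmd.revision = target_rev;            /* ...but rewrite its revision in /tmp */
        r = es_add_title_finish(&es);
    }
    *out_rev = es.installed.revision;
    return r;
}
```

Revision numbers passed to run_downgrade are constructed sample values; the point is that the end-of-install re-check is what turns the swap from a successful "downgrade" into an error.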
 

svpe

petspeed said:
I agree, and also he installs HBC with a different ID to avoid SM 4.3 deleting it. I think the guide on Wiihack by Maugfrog is much less complicated, he installs a standard HBC and then installs Priiloader before reboot and uses it to block the HBC deletion. Much more clever in my opinion. Besides, Maugfrog's guide doesn't need so many reboots and thus doesn't use Indiana Pwn and SmashStack so many times...

No, apparently you don't seem to know why HBC turns upside down. Running it with a wrong titleid already causes that.
It's also illegal to distribute HBC wads just like it's illegal to distribute IOS wads fwiw.
 

WiiPower

svpe said:
petspeed said:
I agree, and also he installs HBC with a different ID to avoid SM 4.3 deleting it. I think the guide on Wiihack by Maugfrog is much less complicated, he installs a standard HBC and then installs Priiloader before reboot and uses it to block the HBC deletion. Much more clever in my opinion. Besides, Maugfrog's guide doesn't need so many reboots and thus doesn't use Indiana Pwn and SmashStack so many times...

No, apparently you don't seem to know why HBC turns upside down. Running it with a wrong titleid already causes that.
It's also illegal to distribute HBC wads just like it's illegal to distribute IOS wads fwiw.

You know you are talking to a wall here, don't you? You might think that GBAtemp is bad, but then don't look at those other pages. They all link to tons of packages that contain lots of IOS wads and whatnot. Do you expect anybody who does that or follows such a guide understands anything?
 

petspeed

WiiPower said:
svpe said:
petspeed said:
I agree, and also he installs HBC with a different ID to avoid SM 4.3 deleting it. I think the guide on Wiihack by Maugfrog is much less complicated, he installs a standard HBC and then installs Priiloader before reboot and uses it to block the HBC deletion. Much more clever in my opinion. Besides, Maugfrog's guide doesn't need so many reboots and thus doesn't use Indiana Pwn and SmashStack so many times...

No, apparently you don't seem to know why HBC turns upside down. Running it with a wrong titleid already causes that.
It's also illegal to distribute HBC wads just like it's illegal to distribute IOS wads fwiw.

You know you are talking to a wall here, don't you? You might think that GBAtemp is bad, but then don't look at those other pages. They all link to tons of packages that contain lots of IOS wads and whatnot. Do you expect anybody who does that or follows such a guide understands anything?

I didn't say I follow that guide and I don't say I find it okay to link to IOS Wads or other copyrighted material, all I meant was that I find the Wiihacks guide easier to use for noobs than the French guide. I fully agree with the policy regarding linking to copyrighted material here on GBATemp.
 

Drag0nflamez

petspeed said:
WiiPower said:
svpe said:
petspeed said:
I agree, and also he installs HBC with a different ID to avoid SM 4.3 deleting it. I think the guide on Wiihack by Maugfrog is much less complicated, he installs a standard HBC and then installs Priiloader before reboot and uses it to block the HBC deletion. Much more clever in my opinion. Besides, Maugfrog's guide doesn't need so many reboots and thus doesn't use Indiana Pwn and SmashStack so many times...

No, apparently you don't seem to know why HBC turns upside down. Running it with a wrong titleid already causes that.
It's also illegal to distribute HBC wads just like it's illegal to distribute IOS wads fwiw.

You know you are talking to a wall here, don't you? You might think that GBAtemp is bad, but then don't look at those other pages. They all link to tons of packages that contain lots of IOS wads and whatnot. Do you expect anybody who does that or follows such a guide understands anything?

I didn't say I follow that guide and I don't say I find it okay to link to IOS Wads or other copyrighted material, all I meant was that I find the Wiihacks guide easier to use for noobs than the French guide. I fully agree with the policy regarding linking to copyrighted material here on GBATemp.
We give tutorials to get copyrighted material, legally.
NUS (Auto) Downloader will do it for us, totally legal (especially when you actually OWN a wii)
 

gameking66

LTK said:
So if this is tested, could someone make a noob-friendly step by step?

Derp.

WiiCrazy said (Jun 29 2010, 11:19 PM):
Do not attempt before awaiting confirmation from a few people who are protected with bootmii!
It's confirmed working with no after-effects, so you can go ahead if you are not too noob

1. Grab WiiPower's latest TBR (1.13) from wiibrew which contains latest revision numbers (http://www.mediafire.com/?qzmqirhnuyz)
2. Download lowest revision of IOS 41 from NUS using NUSD (such as v2835)
3. Install IOS 41 using wad manager, it's a ninty signed IOS and it will gracefully install with non-trucha IOS
4. Use WiiPower's TBR to downgrade IOS 15 as usual... just select the IOS to be used as 41..
5. After downgrade, patch and install IOS 36 as usual...
6. Get rid of Korean IOS 41...
7. Do whatever you do with your trucha enabled IOS 36 ;p


ps1: TBR might codedump on selecting IOS 15, retry in case... I had modified da_letter_a's mod but I got all kinds of problems with the console code so I can't release it ATM.
ps2: Use the usual exploits such as SmashStack or Indiana Pwns to run TBR... Indiana Pwns doesn't boot dol files so it would be a good idea to boot loadmii which is said to be distributed in elf executable format.
ps3: If you are a noob, do not attempt to do this, just wait for TT to release the new bootmii
ps4: The essence of this workaround is the fact that we (non korean wii owners) don't have korean ios but we can install any revision of them and use, one area Nintendo just neglected I guess..
 

fogbank

fogbank said:
All I am suggesting is to add the actual content during the downgrade process (that is how it is "different from what it has always done"). I understand that the signature is broken when you change even 1 byte, but it may be worth a try to test their implementation of the signature check thoroughly by using the full procedure for installing a title instead of just ES_AddTitleStart and ES_AddTitleFinish. For all we know they may be checking the content hashes in the TMD against content hashes that were supposed to be stored in memory when the content was added (I know, it is unlikely).

I've never said that this would work (in fact I doubt it would), but it wouldn't be that hard to try it. That is how holes are found sometimes...by trying many different possibilities, instead of not trying them because they won't work "in theory".

I tried this with the latest IOS61 and it failed with -1017. No surprise. At least I tried it.
 

mauifrog

You guys have actually read the sticky guide on this site right? If you have not, go ahead and read it, download the pack, then take a look at all those nice cios wads.

This is working pretty well for people
4.3 Virgin Softmod Guide

I understand why a site would not want to host a wad, but I don't understand why any individual would care.
 

petspeed

petspeed said:
tueidj said:
Where do people get this idea that the sysmenu's IOS needs to be patched to play warezed wiiware/VC from the SD card? It's wrong - unless whoever made the .wad did a shitty job and fakesigned the TMD for no good reason. Only the ticket needs fakesigning and it's not checked when loading a title from SD.

That was the information on all Wii forums when SM 4.0 came out and introduced the Move to SD feature and the SD menu.

I will try to install a standard unpatched IOS 60 on my Wii tonight and check if it is needed or not.


I installed a standard unpatched IOS60 and you are right, I can launch Wiiware/VC from the SD card even though it was installed with WAD Manager. However, homebrew channels (like forwarders) moved to the SD card didn't launch. They worked again as soon as I trucha patched IOS60 again.

SifJar said (Jul 2 2010, 02:35 PM):
Sorry, I forgot dop-Mii would need updated to support IOS80...


Anyway, you can just use a tool like IOSPatcher (by leathl, you can get it from the libWiiSharp Google Code page [http://code.google.com/p/libwiisharp/downloads/list]) to patch the IOS, then install it with WAD Manager.

Thanks again SifJar, that is a nice tool.
 

WiiCrazy (OP)
I had done my first tests on 3.2, with the comfort of homebrew channel... Now updated to 4.3 and everything turned into a nightmare... One app booting with one version of loadmii, the other one booting with another version... Same with using a forwarder for cfg... Finally found the best working combo...

To launch wad manager I used loadmii since I couldn't find an elf version with ios selection.

I tweaked TBR a bit, just added a sleep after IOS reload and removed hbc check so that it freezes less on reloading to IOS 15 and gracefully returns to Menu...

Now everything is ready to prepare a noob guide using just core stuff with no bloated packages...
 

WiiPower

WiiCrazy said:
I had done my first tests on 3.2, with the comfort of homebrew channel... Now updated to 4.3 and everything turned into a nightmare... One app booting with one version of loadmii, the other one booting with another version... Same with using a forwarder for cfg... Finally found the best working combo...

To launch wad manager I used loadmii since I couldn't find an elf version with ios selection.

I tweaked TBR a bit, just added a sleep after IOS reload and removed hbc check so that it freezes less on reloading to IOS 15 and gracefully returns to Menu...

Now everything is ready to prepare a noob guide using just core stuff with no bloated packages...

What libogc do you use? Maybe the IOS Reload code is still broken. I had heavy problems with it in the past*, then I updated and everything seems fine, but I didn't load IOS15 more than 2 or 3 times since then. And what are you talking about with the HBC check? If an app is booted from HBC, I think everybody wants it to exit to it. If LoadMii has its own reload stub, then it might be helpful if you remove the HBC check, does it?

*I patched my libogc to use the IOS reload code from libogc 1.7 back then
 

WiiCrazy (OP)
WiiPower said:
WiiCrazy said:
I had done my first tests on 3.2, with the comfort of homebrew channel... Now updated to 4.3 and everything turned into a nightmare... One app booting with one version of loadmii, the other one booting with another version... Same with using a forwarder for cfg... Finally found the best working combo...

To launch wad manager I used loadmii since I couldn't find an elf version with ios selection.

I tweaked TBR a bit, just added a sleep after IOS reload and removed hbc check so that it freezes less on reloading to IOS 15 and gracefully returns to Menu...

Now everything is ready to prepare a noob guide using just core stuff with no bloated packages...

What libogc do you use? Maybe the IOS Reload code is still broken. I had heavy problems with it in the past*, then I updated and everything seems fine, but I didn't load IOS15 more than 2 or 3 times since then. And what are you talking about with the HBC check? If an app is booted from HBC, I think everybody wants it to exit to it. If LoadMii has its own reload stub, then it might be helpful if you remove the HBC check, does it?

*I patched my libogc to use the IOS reload code from libogc 1.7 back then

I compiled with libogc version 1.8.3. I think adding the sleep helped, since the original launched from HBC was working like 1 out of 10 and now it freezes 1 out of 4 (actually used only 4 times so this has no statistical value, but I saw it crash like 8-9 times in a row the other way...)

Removed hbc check because possibly Indiana Pwns uses Exception Vector area... hence TBR (if used through Indiana Pwns) just codedumps on exit since HBC check succeeds but actually there is no HBC...

With different versions of loadmii, the original TBR app just codedumps on start or launches with no wiimote function... This is the reason btw I removed the HBC check, to launch it directly from Indiana Pwns and return to menu on exit...

ps: of course reload crash can be due to ogc version... I don't have 1.7 anymore...
 

WiiPower

The errors with different loading methods that occur directly on startup could be entrypoint related. If you want to release a stable tool, you might want to check that.

And I guess you want to patch your libogc yourself if my test .dol works better, so here's the function I replaced:

s32 __IOS_LaunchNewIOS(int version)
{
    u32 numviews;
    s32 res;
    u64 titleID = 0x100000000LL;      /* IOS titles live under 00000001-000000xx */
    STACK_ALIGN(tikview,views,4,32);
#ifdef DEBUG_IOS
    s32 oldversion;
#endif
    s32 newversion;

    if(version < 3 || version > 0xFF) {
        return IOS_EBADVERSION;
    }

#ifdef DEBUG_IOS
    oldversion = IOS_GetVersion();
    if(oldversion>0) printf("Current IOS Version: IOS%d\n",oldversion);
#endif

    titleID |= version;               /* low word of the title ID is the IOS slot number */
#ifdef DEBUG_IOS
    printf("Launching IOS TitleID: %016llx\n",titleID);
#endif

    res = ES_GetNumTicketViews(titleID, &numviews);
    if(res < 0) {
#ifdef DEBUG_IOS
        printf(" GetNumTicketViews failed: %d\n",res);
#endif
        return res;
    }
    if(numviews > 4) {
        printf(" GetNumTicketViews too many views: %u\n",numviews);
        return IOS_ETOOMANYVIEWS;
    }
    res = ES_GetTicketViews(titleID, views, numviews);
    if(res < 0) {
#ifdef DEBUG_IOS
        printf(" GetTicketViews failed: %d\n",res);
#endif
        return res;
    }
    res = ES_LaunchTitle(titleID, &views[0]);   /* ask ES to reload into the requested IOS */
    if(res < 0) {
#ifdef DEBUG_IOS
        printf(" LaunchTitle failed: %d\n",res);
#endif
        return res;
    }
    __ES_Reset();                     /* reopen /dev/es now that the new IOS is up */
    newversion = IOS_GetVersion();
#ifdef DEBUG_IOS
    printf(" IOS Version: IOS%d %d.%d\n",newversion,IOS_GetRevisionMajor(),IOS_GetRevisionMinor());
#endif
    if(newversion != version) {       /* verify the reload actually landed in the requested IOS */
#ifdef DEBUG_IOS
        printf(" Version mismatch!\n");
#endif
        return IOS_EMISMATCH;
    }
    return version;
}

PS: I will shoot anybody who quotes the code! (for 2 reasons)
 

WiiCrazy (OP)
@WiiPower : Btw it's ios specific or it might relate to the current code... Since this is only faced when reloading into ios 15 but not into 41, 36 and so on... I'm happy with the current form, I'm not releasing anything I'll just make a guide for my local forum. There are already dozen forks released I guess, I haven't used any of them. Don't have time.
 

WiiPower

WiiCrazy said:
@WiiPower : Btw it's ios specific or it might relate to the current code... Since this is only faced when reloading into ios 15 but not into 41, 36 and so on... I'm happy with the current form, I'm not releasing anything I'll just make a guide for my local forum. There are already dozen forks released I guess, I haven't used any of them. Don't have time.

Well, if you have a "new" Wii, it might really be IOS related, as we know that the "LU64+" Wiis can't load IOS36v1042 due to some timings. Maybe it's the same with IOS15v257, just that this works 1 out of 10 times. But my main suspect is still libogc. The IOS Reload code was changed when the timing stuff on the "LU64+" Wiis was discovered, and maybe its intention was to load IOS36v1042 on these Wiis. Anyways, at this time the IOS Reload code was broken, and it seemed fixed to me in 1.8.x. But I always load module based IOS and cIOS, so ... I'm repeating myself, I think you get it and I can stop
 
