error -2011 on virgin 4.0

Discussion in 'Wii - Hacking' started by kimikal27, Jun 30, 2009.

error -2011 on virgin 4.0 by kimikal27 at 9:41 PM (7,374 Views / 0 Likes) 41 replies

  1. kimikal27
    OP

    Member kimikal27 GBAtemp Maniac

    Joined:
    Oct 28, 2008
    Messages:
    1,381
    Location:
    Galway
    Country:
    Ireland
    I just installed HBC with BootMii and the HackMii installer on a virgin 4.0 Wii. The Wii is not a LU...

    Now whenever I try to install a cIOS I get the -2011 error. Can anyone help?
     


  2. WiiPower

    Member WiiPower GBAtemp Guru

    Joined:
    Oct 17, 2008
    Messages:
    8,165
    Country:
    Germany
    If you want to be one of my guinea pigs, you can try my Trucha Bug Restorer:
    http://gbatemp.net/index.php?download=6340

    You need the IOS15v257, IOS15v266 and IOS36v3094 WADs on the root of the SD card for it, with these names: IOS15-64-v257.wad, IOS15-64-v266.wad and IOS36-64-v3094.wad.

    Step 1: Downgrade IOS15
    Step 2: Install IOS36 with trucha bug to IOS249
    Step 3: Restore IOS15
    Step 4: Use IOS249 in the cIOS installer
     
  3. kimikal27
    OP

    Check your PM, m8.
     
  4. kimikal27
    OP

    OK, I'm gonna try, cross your fingers.
     
  5. kimikal27
    OP

    Many thanks man, your tool works perfectly.
     
  6. fogbank

    Member fogbank GBAtemp Fan

    Joined:
    Oct 28, 2008
    Messages:
    413
    Country:
    United States
    Am I getting this right?

    1. Get the TMD and certs from the higher revision IOS (WAD file on SD).
    2. Start the process of adding the title with ES_AddTitleStart() and supply the TMD and certs from step 1.
    3. Use ISFS to delete the title.tmd from the /tmp folder.
    4. Use ISFS to create a new title.tmd file in the /tmp folder.
    5. Open the new file in RW mode.
    6. Copy the TMD from step 1 into a new buffer.
    7. Change the revision number to 0 (0x1DC and 0x1DD) in the buffer.
    8. Write the buffer to the title.tmd file in the /tmp folder.
    9. Finish adding the title with ES_AddTitleFinish.

    You have now changed the revision of the installed IOS to 0.
     
  7. WiiPower

    There are 2-3 exploits, yes:
    - At 3, you don't have the permission to read or write the file, but you can delete it without problems...
    - At 9, there's no additional hash check. The manipulated IOS is UNSIGNED (for all those who don't understand: that's worse than trucha-signed).
    - The IOS is UNSIGNED, but you can still launch it...

    It was pretty fun to reverse comex's IOS35 downgrader by its behaviour.

    PS: IMPORTANT: Such a downgraded IOS may still contain modules of the higher revision, and the TMD has the wrong owner ID, so it's not recommended to use such an IOS longer than necessary. Hmm, you could count it as 1-2 additional bugs in Nintendo's design that the wrong owner ID is not a problem.
     
  8. fogbank

    Very cool and nice work!
     
  9. WiiPower

    OK, I have to admit that comex really did nothing to hide what his downgrader does, except not releasing the source. If he had only downgraded when the IOS was already downloaded, and/or changed the AddTitleStart error, I would have had no chance to do this.
     
  10. carbonyle

    Member carbonyle GBAtemp Fan

    Joined:
    Jan 9, 2009
    Messages:
    360
    Location:
    Switzerland
    Country:
    Switzerland
    OK, I know it's at the beta stage, but I like to understand things: why IOS15?
    So we downgrade IOS15 (OK, it's tricky: we actually upgrade IOS15, since we give it a revision = 0) to install a trucha-capable IOS in 249 for the cIOS installation.
    But why 15? Why install IOS36 in 249? Can't we use the IOS15 in the cIOS installer (since trucha is back)?
     
  11. WiiPower

    IOS15, because I knew that IOS16v257 works in boot2v4 Wiis, so I assumed that IOS15v257, which is almost identical to IOS16v257, would also work. And it does.

    Waninkoko does not use the same code to decrypt IOS as me. I can use most (all?) IOS to de- and encrypt files; the code from Waninkoko can do that only with IOS that are module-separated, so his installer fails when it uses the trucha-capable IOS. The error -1017 is misleading here, because it's not the missing trucha bug here.

    This is why I tell you to install a trucha-capable IOS36. Where you install it does not really matter. The next version will give it a lower revision when installed as IOS249, so that the cIOS installation isn't a "downgrade" anymore (some people have -1035 now).
     
  12. carbonyle

    OK, things become clearer now. So in theory we can install the IOS36 (or another IOS) anywhere (except if there is already something there).
     
  13. WiiPower

    You can install it anywhere, but I won't support slots other than the 3 you can select from. It should only fail if it's a downgrade; upgrades should always work.
     
  14. comex

    Newcomer comex Advanced Member

    Joined:
    Jan 21, 2007
    Messages:
    56
    Country:
    United States
    Finally :P
     
  15. WiiPower

    Thanks for the hints.
     
  16. comex

    What hints? :wtf:
     
  17. WiiPower

    For example:
    "ES_AddTitleStart failed: ...", not downloading first before doing anything, and not doing a clean reinstall to leave no traces.
     
  18. comex

    But why would an ES_AddTitleStart error tell you anything about /tmp/title.tmd?
     
  19. fogbank

    I've been trying to figure out how comex's worked without a file on SD and without downloading anything first. If ES_AddTitleStart requires a TMD and a cert, I thought of reading them from the NAND, but I think I'm running into permission problems:

    /sys/cert.sys
    /title/00000001/0000000x/content/title.tmd

    I am able to open them using ISFS_Open, but I can't even retrieve the stats with ISFS_GetFileStats (trying to get the file length to supply to ISFS_Read). If I reload cIOS I can get the file length of cert.sys but not title.tmd. And that's cheating anyway.

    It could be my bad coding, and I'm probably way off base anyway...?
     
  20. WiiPower

    Well, I just figured that comex reads this from NAND somehow. If you can read the file but not get the size, that's not a problem. You could just read more than required and calculate the size of the TMD.
     
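Added example, not code from the thread, from WiiPower's Trucha Bug Restorer or from comex's downgrader: the TMD buffer handling behind step 7 of fogbank's list in post 6 (set the title version at 0x1DC/0x1DD to 0) and WiiPower's hint in post 20 (work the TMD size out from the header when ISFS won't give you the file length), in plain C that runs on a PC. It makes none of the ES/ISFS calls; the TMD is a constructed sample, and the offsets are the public Wii TMD layout for an RSA-2048-signed TMD (signature type 0x00010001, signed body from 0x140, title version at 0x1DC, content count at 0x1DE, 36-byte content records from 0x1E4). The last function shows what post 7 means by UNSIGNED: the version bytes sit inside the region the RSA signature covers, so after the patch the signature no longer matches the body, and only the missing hash check in ES_AddTitleFinish lets the install go through.

```c
/* Added example for the GBAtemp thread on the IOS "revision 0" downgrade.
 * Not the Trucha Bug Restorer or comex's downgrader; no ES/ISFS calls.
 * Offsets follow the public Wii TMD layout (RSA-2048 signed TMD). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TMD_SIG_RSA2048     0x00010001u
#define TMD_OFF_ISSUER      0x140   /* start of the signed body */
#define TMD_OFF_TITLE_ID    0x18C
#define TMD_OFF_VERSION     0x1DC   /* the two bytes the thread patches (0x1DC, 0x1DD) */
#define TMD_OFF_NUM_CONTENT 0x1DE
#define TMD_OFF_CONTENTS    0x1E4   /* first content record */
#define TMD_CONTENT_REC_SZ  36      /* id(4) index(2) type(2) size(8) sha1(20) */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Post 20: TMD size from its header alone. 0 if the buffer is too short for
 * the header or for the content records it declares, or if the signature
 * type is not RSA-2048 (the only type used for IOS TMDs). */
size_t tmd_size(const uint8_t *buf, size_t buflen)
{
    if (buflen < TMD_OFF_CONTENTS) return 0;
    uint32_t sigtype = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                       ((uint32_t)buf[2] << 8) | buf[3];
    if (sigtype != TMD_SIG_RSA2048) return 0;
    size_t total = TMD_OFF_CONTENTS + (size_t)be16(buf + TMD_OFF_NUM_CONTENT) * TMD_CONTENT_REC_SZ;
    return total <= buflen ? total : 0;
}

uint16_t tmd_get_version(const uint8_t *tmd) { return be16(tmd + TMD_OFF_VERSION); }

/* Post 6, step 7: rewrite the title version in place; returns the old one. */
uint16_t tmd_set_version(uint8_t *tmd, uint16_t v)
{
    uint16_t old = tmd_get_version(tmd);
    put_be16(tmd + TMD_OFF_VERSION, v);
    return old;
}

/* Post 7: the RSA signature covers everything from the issuer onward, so a
 * changed byte there invalidates it. 1 if the signed body differs. */
int tmd_signed_body_changed(const uint8_t *orig, const uint8_t *patched, size_t len)
{
    if (len <= TMD_OFF_ISSUER) return 0;
    return memcmp(orig + TMD_OFF_ISSUER, patched + TMD_OFF_ISSUER, len - TMD_OFF_ISSUER) != 0;
}

/* Constructed sample (assumption, not a real NAND dump): an RSA-2048-signed
 * TMD for title 00000001-0000000F (IOS15), 3 content records, version 266.
 * Signature bytes are left zero; ES would normally check them. */
size_t build_sample_tmd(uint8_t *out, size_t cap)
{
    static const char issuer[] = "Root-CA00000001-CP00000004";
    const uint16_t ncontents = 3;
    size_t len = TMD_OFF_CONTENTS + ncontents * TMD_CONTENT_REC_SZ;
    if (cap < len) return 0;
    memset(out, 0, len);
    out[1] = 0x01; out[3] = 0x01;                    /* signature type 0x00010001 */
    memcpy(out + TMD_OFF_ISSUER, issuer, sizeof issuer - 1);
    out[TMD_OFF_TITLE_ID + 3] = 0x01;                /* title id high word 00000001 */
    out[TMD_OFF_TITLE_ID + 7] = 0x0F;                /* title id low word 0000000F */
    put_be16(out + TMD_OFF_VERSION, 266);
    put_be16(out + TMD_OFF_NUM_CONTENT, ncontents);
    for (uint16_t i = 0; i < ncontents; i++) {
        uint8_t *rec = out + TMD_OFF_CONTENTS + i * TMD_CONTENT_REC_SZ;
        put_be16(rec + 4, i);                        /* content index */
        put_be16(rec + 6, 0x0001);                   /* content type: normal */
    }
    return len;
}

/* Runs the whole sequence on the sample; returns the number of checks that
 * held (5 when everything behaves as the thread describes). */
int demo_checks(void)
{
    uint8_t orig[1024], patched[1024];
    int ok = 0;
    size_t len = build_sample_tmd(orig, sizeof orig);
    ok += (tmd_size(orig, sizeof orig) == len);      /* size recovered from header */
    ok += (tmd_size(orig, len - 1) == 0);            /* short read is rejected */
    memcpy(patched, orig, len);
    ok += (tmd_set_version(patched, 0) == 266);      /* old version reported */
    ok += (tmd_get_version(patched) == 0);           /* revision now 0 */
    ok += (tmd_signed_body_changed(orig, patched, len) == 1); /* now UNSIGNED */
    return ok;
}

int main(void)
{
    printf("checks passed: %d/5\n", demo_checks());
    return 0;
}
```

The buffer built here is what step 8 would write to /tmp/title.tmd on the console; tmd_size is the arithmetic WiiPower suggests for a NAND read that returns data but no file length.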
