error -2011 on virgin 4.0

Discussion in 'Wii - Hacking' started by kimikal27, Jun 30, 2009.

  1. kimikal27
    I just installed HBC with BootMii and the HackMii installer on a virgin 4.0 Wii; the Wii is not a LU...

    Now whenever I try to install a cIOS I get the -2011 error. Can anyone help?
     


  2. WiiPower

    If you want to be one of my guinea pigs, you can try my Trucha Bug Restorer:
    http://gbatemp.net/index.php?download=6340

    You need IOS15v257, IOS15v266 and IOS36v3094 wads on root of sd card for it. With these names: IOS15-64-v257.wad, IOS15-64-v266.wad and IOS36-64-v3094.wad.

    Step 1: Downgrade IOS15
    Step 2: Install IOS36 with trucha bug to IOS249
    Step 3: Restore IOS15
    Step 4: Use IOS249 in the cIOS installer
     
  3. kimikal27
    Check your PM, m8.
     
  4. kimikal27
    OK, I'm gonna try, cross your fingers.
     
  5. kimikal27
    Many thanks man, your tool works perfectly.
     
  6. fogbank

    Am I getting this right?

    1. Get the TMD and certs from the higher revision IOS (WAD file on SD).
    2. Start the process of adding the title with ES_AddTitleStart() and supply the TMD and certs from step 1.
    3. Use ISFS to delete the title.tmd from the /tmp folder.
    4. Use ISFS to create a new title.tmd file in the /tmp folder.
    5. Open the new file in RW mode.
    6. Copy the TMD from step 1 into a new buffer.
    7. Change the revision number to 0 (0x1DC and 0x1DD) in the buffer.
    8. Write the buffer to the title.tmd file in the /tmp folder.
    9. Finish adding the title with ES_AddTitleFinish.

    You have now changed the revision of the installed IOS to 0.
     
  7. WiiPower

    There are 2-3 exploits, yes:
    - at 3. you don't have the permission to read or write the file, but you can delete it without problems...
    - at 9. there's no additional hash check. The manipulated IOS is UNSIGNED (for all those that don't understand, that's worse than trucha signed)
    - the IOS is UNSIGNED, but you can still launch it...

    It was pretty fun to reverse comex's IOS35 downgrader by its behaviour.

    PS: IMPORTANT: Such a downgraded IOS may still contain modules of the higher revision and the TMD has the wrong owner ID, so it's not recommended to use such an IOS longer than necessary. Hmm, you could count it as 1-2 additional bugs in Nintendo's design that the wrong owner ID is not a problem.
     
  8. fogbank

    Very cool and nice work!
     
  9. WiiPower

    OK, I have to admit that comex did really nothing to hide what his downgrader does except not releasing the source. If he had only downgraded if the IOS was already downloaded and/or changed the AddTitleStart error, I would have had no chance to do this.
     
  10. carbonyle

    OK, I know it's at the beta stage, but I like to understand things: why IOS15?
    So we downgrade IOS15 (OK, it's tricky: we upgrade IOS15 since we give it a revision = 0) to install a trucha-capable IOS in 249 for the cIOS installation.
    But why 15? Why install IOS36 in 249? Can't we use the IOS15 in the cIOS installer (since trucha is back)?
     
  11. WiiPower

    IOS15, because I knew that IOS16v257 works in boot2v4 Wiis, so I assumed that IOS15v257, which is almost identical to IOS16v257, will also work. And it does.

    Waninkoko does not use the same code to decrypt IOS as me. I can use most (all?) IOS to de- and encrypt files; the code from Waninkoko can do that only with IOS that are module separated, so his installer fails when it uses the trucha-capable IOS. The error -1017 is misleading here, because it's not a missing trucha bug here.

    This is why I say to install a trucha-capable IOS36. Where you install it does not really matter. The next version will give it a lower revision when installed as IOS249, so that the cIOS installation isn't a "downgrade" anymore (some people have -1035 now).
     
  12. carbonyle

    OK, things become clearer now. So in theory we can install the IOS36 (or install another IOS) anywhere (except if there is already something).
     
  13. WiiPower

    You can install it everywhere, but I won't support other than the 3 slots you can select from. It should only fail if it's a downgrade; upgrades should always work.
     
  14. comex

    Finally :P
     
  15. WiiPower

    Thanks for the hints.
     
  16. comex

    What hints? :wtf:
     
  17. WiiPower

    For example:
    "ES_AddTitleStart failed: ...", not downloading first before doing anything, and not doing a clean reinstall to leave no traces.
     
  18. comex

    But why would an ES_AddTitleStart error tell you anything about /tmp/title.tmd?
     
  19. fogbank

    I've been trying to figure out how comex's worked without a file on SD and without downloading anything first. If ES_AddTitleStart requires a TMD and a cert, I thought of reading it from the NAND, but I think I'm running into permission problems:

    /sys/cert.sys
    /title/00000001/0000000x/content/title.tmd

    I am able to open them using ISFS_Open, but I can't even retrieve the stats with ISFS_GetFileStats (trying to get the file length to supply to ISFS_Read). If I reload cIOS I can get the file length of cert.sys but not title.tmd. And that's cheating anyway.

    It could be my bad coding, and I'm probably way off base anyway...?
     
  20. WiiPower

    Well, I just figured that comex reads this from NAND somehow. If you can read the file but not get the size, that's not a problem. You could just read more than required and calculate the size of the TMD.
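As an added example (not code from this thread or from any of the tools mentioned in it), here is a small Python parser for the TMD layout that fogbank's step list and WiiPower's last reply refer to: it accepts a buffer that may be longer than the real TMD, derives the true length from the content count, reads the title version at 0x1DC/0x1DD, and checks a content blob against its TMD record. The sample TMD, its title ID and contents are constructed for the demonstration and the blob is unsigned; the offsets are the standard Wii TMD layout.

```python
import hashlib
import struct

# Wii TMD offsets used here (big-endian): 0x140 issuer, 0x18C title ID,
# 0x1DC title version, 0x1DE content count, 0x1E4 content records of 36 bytes
# (ID 4, index 2, type 2, size 8, SHA-1 20). The RSA signature at 0x004 is skipped.
TMD_HEADER_LEN = 0x1E4
CONTENT_RECORD_LEN = 36

def build_sample_tmd(title_id, version, contents):
    # Constructed test blob; the signature bytes are left zero (i.e. it is unsigned).
    tmd = bytearray(TMD_HEADER_LEN)
    struct.pack_into(">I", tmd, 0x000, 0x00010001)   # signature type RSA-2048
    tmd[0x140:0x140 + 26] = b"Root-CA00000001-CP00000004"
    struct.pack_into(">Q", tmd, 0x18C, title_id)
    struct.pack_into(">H", tmd, 0x1DC, version)       # the two bytes at 0x1DC/0x1DD
    struct.pack_into(">H", tmd, 0x1DE, len(contents))
    for cid, index, data in contents:
        tmd += struct.pack(">IHHQ", cid, index, 0x0001, len(data))
        tmd += hashlib.sha1(data).digest()
    return bytes(tmd)

def parse_tmd(buf):
    # buf may be longer than the TMD (an over-read); the real length comes from the content count.
    if len(buf) < TMD_HEADER_LEN:
        raise ValueError("buffer shorter than TMD header")
    ncontents = struct.unpack_from(">H", buf, 0x1DE)[0]
    size = TMD_HEADER_LEN + CONTENT_RECORD_LEN * ncontents
    if len(buf) < size:
        raise ValueError("buffer truncated, TMD needs %d bytes" % size)
    records = []
    for i in range(ncontents):
        off = TMD_HEADER_LEN + CONTENT_RECORD_LEN * i
        cid, index, ctype, csize = struct.unpack_from(">IHHQ", buf, off)
        records.append({"id": cid, "index": index, "type": ctype,
                        "size": csize, "sha1": buf[off + 16:off + 36]})
    return {"title_id": struct.unpack_from(">Q", buf, 0x18C)[0],
            "version": struct.unpack_from(">H", buf, 0x1DC)[0],
            "size": size,
            # digest of the signed region; an RSA check over it is what would catch an edited version
            "signed_body_sha1": hashlib.sha1(buf[0x140:size]).hexdigest(),
            "contents": records}

def content_hash_ok(record, data):
    # Compare a content blob against its TMD record (size and SHA-1).
    return record["size"] == len(data) and hashlib.sha1(data).digest() == record["sha1"]

# Constructed sample: title ID 1-36 (IOS36), version 3094, two fake contents.
SAMPLE_CONTENTS = [(0x01, 0, b"fake module A"), (0x02, 1, b"fake module B" * 4)]
SAMPLE_TMD = build_sample_tmd(0x0000000100000024, 3094, SAMPLE_CONTENTS)
```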