Hacking error -2011 on virgin 4.0

kimikal27

I just installed HBC with BootMii and the HackMii installer on a virgin 4.0 Wii, the Wii is not a LU...

Now whenever I try to install a cIOS I get the -2011 error, can anyone help?
 

WiiPower

If you want to be one of my guinea pigs, you can try my Trucha Bug Restorer:
http://gbatemp.net/index.php?download=6340

You need IOS15v257, IOS15v266 and IOS36v3094 WADs on the root of the SD card for it, with these names: IOS15-64-v257.wad, IOS15-64-v266.wad and IOS36-64-v3094.wad.

Step 1: Downgrade IOS15
Step 2: Install IOS36 with trucha bug to IOS249
Step 3: Restore IOS15
Step 4: Use IOS249 in the cIOS installer
 

fogbank

WiiPower said:
Step 1: Downgrade IOS15

Am I getting this right?

1. Get the TMD and certs from the higher revision IOS (WAD file on SD).
2. Start the process of adding the title with ES_AddTitleStart() and supply the TMD and certs from step 1.
3. Use ISFS to delete the title.tmd from the /tmp folder.
4. Use ISFS to create a new title.tmd file in the /tmp folder.
5. Open the new file in RW mode.
6. Copy the TMD from step 1 into a new buffer.
7. Change the revision number to 0 (0x1DC and 0x1DD) in the buffer.
8. Write the buffer to the title.tmd file in the /tmp folder.
9. Finish adding the title with ES_AddTitleFinish.

You have now changed the revision of the installed IOS to 0.
 

WiiPower

fogbank said:
WiiPower said:
Step 1: Downgrade IOS15

Am I getting this right?

1. Get the TMD and certs from the higher revision IOS (WAD file on SD).
2. Start the process of adding the title with ES_AddTitleStart() and supply the TMD and certs from step 1.
3. Use ISFS to delete the title.tmd from the /tmp folder.
4. Use ISFS to create a new title.tmd file in the /tmp folder.
5. Open the new file in RW mode.
6. Copy the TMD from step 1 into a new buffer.
7. Change the revision number to 0 (0x1DC and 0x1DD) in the buffer.
8. Write the buffer to the title.tmd file in the /tmp folder.
9. Finish adding the title with ES_AddTitleFinish.

You have now changed the revision of the installed IOS to 0.

There are 2-3 exploits, yes:
- at 3. you don't have the permission to read or write the file, but you can delete it without problems...
- at 9. there's no additional hash check. The manipulated IOS is UNSIGNED (for all those that don't understand, that's worse than trucha signed)
- the IOS is UNSIGNED, but you can still launch it...

It was pretty fun to reverse comex' IOS35 downgrader by its behaviour.

PS: IMPORTANT: Such a downgraded IOS may still contain modules of the higher revision and the TMD has the wrong owner id, so it's not recommended to use such an IOS longer than necessary. Hmm, you could count it as 1-2 additional bugs in Nintendo's design that the wrong owner id is not a problem.
 

WiiPower

fogbank said:
WiiPower said:
It was pretty fun to reverse comex' IOS35 downgrader by its behaviour.

Very cool and nice work!

Ok, I have to admit that comex really did nothing to hide what his downgrader does, except not releasing the source. If he had only downgraded if the IOS was already downloaded and/or changed the AddTitleStart error, I would have had no chance to do this.
 

carbonyle

Ok, I know it's in the beta stage, but I like to understand things: why IOS15?
So we downgrade IOS15 (ok, it's tricky, we actually upgrade IOS15 since we give it a revision = 0) to install a trucha-capable IOS in 249 for the cIOS installation.
But why 15? Why install IOS36 in 249? Can't we use the IOS15 in the cIOS installer? (since trucha is back)
 

WiiPower

carbonyle said:
Ok, I know it's in the beta stage, but I like to understand things: why IOS15?
So we downgrade IOS15 (ok, it's tricky, we actually upgrade IOS15 since we give it a revision = 0) to install a trucha-capable IOS in 249 for the cIOS installation.
But why 15? Why install IOS36 in 249? Can't we use the IOS15 in the cIOS installer? (since trucha is back)

IOS15, because I knew that IOS16v257 works in boot2v4 Wiis, so I assumed that IOS15v257, which is almost identical to IOS16v257, will also work. And it does.

Waninkoko does not use the same code to decrypt IOS as me. I can use most (all?) IOS to decrypt and encrypt files; the code from Waninkoko can do that only with IOS that are module separated, so his installer fails when it uses the trucha-capable IOS. The error -1017 is misleading here, because it's not a missing trucha bug here.

This is why I tell you to install a trucha-capable IOS36. Where you install it does not really matter. The next version will give it a lower revision when installed as IOS249, so that the cIOS installation isn't a "downgrade" anymore (some people have -1035 now).
 

WiiPower

carbonyle said:
Ok, things become clearer now. So in theory we can install the IOS36 (or install another IOS) anywhere (except if there is already something there)

You can install it anywhere, but I won't support other than the 3 slots you can select from. It should only fail if it's a downgrade; upgrades should always work.
 

WiiPower

comex said:
Finally

Thanks for the hints.
 

WiiPower

For example:
"ES_AddTitleStart failed: ...", not downloading first before doing anything, and not doing a clean reinstall to leave no traces.
 

fogbank

WiiPower said:
For example:
"ES_AddTitleStart failed: ...", not downloading first before doing anything, and not doing a clean reinstall to leave no traces.

I've been trying to figure out how comex's worked without a file on SD and without downloading anything first. If ES_AddTitleStart requires a TMD and a cert, I thought of reading it from the NAND but I think I'm running into permissions problems:

/sys/cert.sys
/title/00000001/0000000x/content/title.tmd

I am able to open them using ISFS_Open but I can't even retrieve the stats with ISFS_GetFileStats (trying to get the file length to supply to ISFS_Read). If I reload cIOS I can get the file length of cert.sys but not title.tmd. And that's cheating anyway.

It could be my bad coding, and I'm probably way off base anyway...?
 

WiiPower

comex said:
But why would an ES_AddTitleStart error tell you anything about /tmp/title.tmd?

Well, since my Wii is not connected via wifi, I could assume you execute ES_AddTitleStart to set the revision to 0. The nice coincidence was that I was working on fstoolbox at that time.
*Edit: And then of course I looked at the revision 0 TMD and my eyes fell off my head...

fogbank said:
WiiPower said:
"ES_AddTitleStart failed: ...", not downloading first before doing anything, and not doing a clean reinstall to leave no traces.

I've been trying to figure out how comex's worked without a file on SD and without downloading anything first. If ES_AddTitleStart requires a TMD and a cert, I thought of reading it from the NAND but I think I'm running into permissions problems:

/sys/cert.sys
/title/00000001/0000000x/content/title.tmd

I am able to open them using ISFS_Open but I can't even retrieve the stats with ISFS_GetFileStats (trying to get the file length to supply to ISFS_Read). If I reload cIOS I can get the file length of cert.sys but not title.tmd. And that's cheating anyway.

It could be my bad coding, and I'm probably way off base anyway...?

Well, I just figured that comex reads this from NAND somehow. If you can read the file but not get the size, that's not a problem. You could just read more than required and calculate the size of the TMD.
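The two points the thread touches on, the revision field at 0x1DC that fogbank's step 7 patches and the "read more than you need and compute the real size" trick WiiPower suggests for the ISFS_GetFileStats problem, both follow from the TMD layout. The parser below is an added example, not code from the thread or from any of the tools it mentions; the field offsets are taken from public documentation of the Wii TMD format, and the sample TMD is constructed in the script rather than being a real Nintendo file.

```python
import struct

# Wii TMD layout (offsets assumed from public documentation of the format)
TMD_HEADER_SIZE = 0x1E4       # fixed header that precedes the content records
CONTENT_RECORD_SIZE = 36      # cid(4) index(2) type(2) size(8) sha1(20)
OFF_TITLE_ID = 0x18C
OFF_TITLE_VERSION = 0x1DC     # the "revision" the thread refers to (0x1DC/0x1DD)
OFF_NUM_CONTENTS = 0x1DE

def tmd_total_size(buf):
    """Real TMD size from a buffer that may be longer than the TMD itself."""
    if len(buf) < TMD_HEADER_SIZE:
        raise ValueError("buffer shorter than a TMD header")
    num_contents = struct.unpack_from(">H", buf, OFF_NUM_CONTENTS)[0]
    size = TMD_HEADER_SIZE + CONTENT_RECORD_SIZE * num_contents
    if size > len(buf):
        raise ValueError("buffer truncated: need %d bytes, have %d" % (size, len(buf)))
    return size

def parse_tmd(buf):
    """Return title id, version and content records; the buffer may carry trailing bytes."""
    size = tmd_total_size(buf)
    title_id = struct.unpack_from(">Q", buf, OFF_TITLE_ID)[0]
    version = struct.unpack_from(">H", buf, OFF_TITLE_VERSION)[0]
    num_contents = struct.unpack_from(">H", buf, OFF_NUM_CONTENTS)[0]
    contents = []
    for i in range(num_contents):
        off = TMD_HEADER_SIZE + i * CONTENT_RECORD_SIZE
        cid, index, ctype, csize = struct.unpack_from(">IHHQ", buf, off)
        sha1 = buf[off + 16:off + 36]
        contents.append({"cid": cid, "index": index, "type": ctype,
                         "size": csize, "sha1": sha1.hex()})
    return {"size": size, "title_id": "%016x" % title_id,
            "version": version, "contents": contents}

def build_sample_tmd(title_id, version, contents):
    """Constructed sample TMD (zeroed signature and hashes), only for exercising the parser."""
    buf = bytearray(TMD_HEADER_SIZE)
    struct.pack_into(">I", buf, 0, 0x00010001)          # RSA-2048 signature type tag
    struct.pack_into(">Q", buf, OFF_TITLE_ID, title_id)
    struct.pack_into(">H", buf, OFF_TITLE_VERSION, version)
    struct.pack_into(">H", buf, OFF_NUM_CONTENTS, len(contents))
    for cid, index, ctype, csize in contents:
        buf += struct.pack(">IHHQ", cid, index, ctype, csize) + bytes(20)
    return bytes(buf)

# Constructed: IOS15-like title id, version 257, two contents, plus 100 bytes of over-read
SAMPLE = build_sample_tmd(0x000000010000000F, 257, [(0, 0, 1, 0x40), (1, 1, 1, 0x1000)])
OVERREAD = SAMPLE + bytes(100)
```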
 
