How to fix the connection issue while running in AHBPROT mode

Discussion in 'Wii - Hacking' started by davebaol, Jul 12, 2011.

  1. davebaol
    OP

    Member davebaol GBAtemp Advanced Fan

    Joined:
    Sep 3, 2010
    Messages:
    913
    Country:
    Italy
    The issue

    As most of you already know, there is an issue in the Homebrew Channel that makes homebrew apps crash when you don't have your Wii connected to the network and HBC is configured to load apps without reloading IOS, which is the only known way to get AHBPROT access rights.
    Since 1.0.7, HBC launches an asynchronous call to the Wii in order to detect the network.
    And usually IOS58 takes a long time to respond if no network connection is detected.
    The problem is that the HBC doesn't shut down communication with the internal network hardware on the IOS side, in other words it doesn't cancel the asynchronous call before launching a homebrew.
    So the IPC reply for that async call comes when the app is already loaded, causing the crash.
    This issue affects ALL homebrew loaded by HBC 1.0.7+.


    The known workarounds

    There are 2 known workarounds to fix this issue but both have drawbacks.
    • The 1st way is to force HBC to reload IOS when it loads the app, which also kills any initiated network callback automatically and prevents the apps from crashing.
      However this solution makes you lose AHBPROT access rights.
    • Another solution is to wait about 1 minute on the HBC hoping that the asynchronous call has terminated in the meantime.
      However experience teaches that this workaround doesn't always work for every Wii out there.


    Finding a solution

    This old article by Bushing is really enlightening and gave me enough information to start investigating the problem.
    Syscall 0x54, AKA set_ahbprot, is in charge of enabling/disabling AHBPROT access, see http://wiibrew.org/wiki/IOS/Syscalls.
    By disassembling and inspecting the kernel (FFS, ES and IOSP modules) you find out that syscall 0x54 is called only twice and both invocations are from the same function, which is called in turn by the LAUNCH_TITLE ioctl.
    This function checks access rights from the TMD of the title to be launched, i.e. the 4 bytes at offset 0x1D8. See http://wiibrew.org/wiki/Title_metadata

    Here is a quick C translation of the interesting part of this function:

    void check_access_rights(void *tmd)
    {
        s32 access_rights = *(s32 *)((u8 *)tmd + 0x1D8);

        /* Shift bit 0 to the sign bit and check it */
        if ((access_rights << 31) < 0)
            set_ahbprot(1);   /* syscall 0x54: grant AHBPROT */
        else
            set_ahbprot(0);   /* syscall 0x54: deny AHBPROT */
        /* The listing in the post breaks off after the if; the two
           set_ahbprot calls follow from the description above (syscall
           0x54 is invoked exactly twice, both times from this function). */
    }
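    A worked model of the check described in this post, added here as an example and not code from davebaol's post or from IOS itself: it reads the access-rights word at TMD offset 0x1D8 from a constructed TMD buffer, applies the bit-0 decision the LAUNCH_TITLE path makes, and shows the general form of the in-memory patch (locate a code signature, overwrite bytes at a fixed offset inside it). The pattern bytes, replacement bytes and code image used by demo_patch() are hypothetical placeholders, not real IOS bytes.

```c
/* Added example, not code from davebaol's post or from IOS. Models the TMD
 * access-rights check on a constructed TMD buffer and the shape of an
 * in-memory patch. Everything named FAKE_* is hypothetical, not IOS data. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TMD_ACCESS_RIGHTS_OFF 0x1D8            /* http://wiibrew.org/wiki/Title_metadata */
#define TMD_MIN_LEN           (TMD_ACCESS_RIGHTS_OFF + 4)

/* TMD words are big-endian; IOS is big-endian, a PC host usually is not. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Zero-filled TMD-sized buffer carrying the given access-rights word (constructed input). */
void make_tmd(uint8_t *buf, size_t len, uint32_t access_rights)
{
    memset(buf, 0, len);
    if (len >= TMD_MIN_LEN)
        put_be32(buf + TMD_ACCESS_RIGHTS_OFF, access_rights);
}

/* Unpatched decision of the launch path: 1 means set_ahbprot(1), 0 means
 * set_ahbprot(0), -1 means the buffer cannot hold the field.
 * IOS tests the bit as (rights << 31) < 0; (rights & 1) is the same test. */
int ahbprot_decision(const uint8_t *tmd, size_t len)
{
    if (tmd == NULL || len < TMD_MIN_LEN)
        return -1;
    uint32_t rights = be32(tmd + TMD_ACCESS_RIGHTS_OFF);
    return (rights & 1u) ? 1 : 0;
}

/* Build a TMD with the given rights word and return the decision for it. */
int decision_for_rights(uint32_t access_rights)
{
    uint8_t tmd[TMD_MIN_LEN + 16];
    make_tmd(tmd, sizeof tmd, access_rights);
    return ahbprot_decision(tmd, sizeof tmd);
}

/* Generic in-memory patcher: at every occurrence of pat[patlen] in code[len],
 * overwrite replen bytes starting at offset off within the match. Returns the
 * number of sites patched, or -1 on bad arguments. A real patch targets the
 * instructions that consume the access-rights bit, so the launch path behaves
 * as if bit 0 were set regardless of the TMD. */
int apply_patch(uint8_t *code, size_t len,
                const uint8_t *pat, size_t patlen, size_t off,
                const uint8_t *rep, size_t replen)
{
    if (code == NULL || pat == NULL || rep == NULL || patlen == 0 ||
        replen == 0 || replen > patlen || off > patlen - replen || len < patlen)
        return -1;
    int count = 0;
    for (size_t i = 0; i + patlen <= len; i++) {
        if (memcmp(code + i, pat, patlen) == 0) {
            memcpy(code + i + off, rep, replen);
            count++;
        }
    }
    return count;
}

/* Hypothetical signature and replacement (constructed, NOT real IOS bytes). */
static const uint8_t FAKE_PATTERN[] = { 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6 };
static const uint8_t FAKE_REPLACE[] = { 0x5A, 0x5A };
#define FAKE_OFF 4                       /* rewrite bytes 4..5 of each match */

/* Patch a constructed image holding the signature twice. Returns the site
 * count (2) when both sites were rewritten, -2 if the bytes did not change. */
int demo_patch(void)
{
    uint8_t image[64];
    memset(image, 0x00, sizeof image);
    memcpy(image + 8,  FAKE_PATTERN, sizeof FAKE_PATTERN);
    memcpy(image + 40, FAKE_PATTERN, sizeof FAKE_PATTERN);

    int n = apply_patch(image, sizeof image,
                        FAKE_PATTERN, sizeof FAKE_PATTERN, FAKE_OFF,
                        FAKE_REPLACE, sizeof FAKE_REPLACE);
    if (memcmp(image + 8 + FAKE_OFF,  FAKE_REPLACE, sizeof FAKE_REPLACE) != 0 ||
        memcmp(image + 40 + FAKE_OFF, FAKE_REPLACE, sizeof FAKE_REPLACE) != 0)
        return -2;
    return n;
}

int main(void)
{
    printf("rights=0x00000001 -> ahbprot=%d\n", decision_for_rights(0x00000001u));
    printf("rights=0xFFFFFFFE -> ahbprot=%d\n", decision_for_rights(0xFFFFFFFEu));
    printf("patched sites: %d\n", demo_patch());
    return 0;
}
```

    The point of the bit test is that only bit 0 matters: a TMD with every other bit set still gets set_ahbprot(0). The patcher deliberately refuses a replacement that would run past the matched signature, which is the usual way such patches corrupt neighbouring code when a signature is shorter than expected.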
     


  2. stfour

    Member stfour GBAtemp Advanced Maniac

    Joined:
    May 24, 2011
    Messages:
    1,592
    Country:
    Italy
    This is interesting.

    But is there no way to enable AHBPROT using a fake IOS? Let me explain better... for example, running under your cIOSX, is there no way to reload IOS58, enable AHBPROT and then spawn another application with full hardware rights?
     
  3. davebaol
    OP

    Member davebaol GBAtemp Advanced Fan

    Joined:
    Sep 3, 2010
    Messages:
    913
    Country:
    Italy
    Well, I could add this patch to the cIOS, maybe applying it on demand through a custom ioctl command.
     
  4. stfour

    Member stfour GBAtemp Advanced Maniac

    Joined:
    May 24, 2011
    Messages:
    1,592
    Country:
    Italy
    This will be great !
     
  5. nobody_tw

    Newcomer nobody_tw Advanced Member

    Joined:
    Feb 18, 2011
    Messages:
    51
    Country:
    Taiwan
    • This approach has been intensively tested on a modified version of IOS236 Installer v5 and it never failed.
    => Is it your mod version or burritoboy9984's one?
    burritoboy9984's IOS236 v5 mod version still crashes sometimes!!

    It seems great!!

    You are a really amazing person for Wii hacking.
     
  6. davebaol
    OP

    Member davebaol GBAtemp Advanced Fan

    Joined:
    Sep 3, 2010
    Messages:
    913
    Country:
    Italy
    @nobody_tw
    No, it's the original IOS236 Installer v5 by Dr Clipper and modified by me with this patch.
    And it's not public yet.
     
  7. jskyboo

    Member jskyboo GBAtemp Regular

    Joined:
    Sep 12, 2009
    Messages:
    288
    Country:
    United States
    Very interesting!! Thanks for the post, I'll check this out a little later.
     
  8. madri1

    Member madri1 GBAtemp Regular

    Joined:
    Feb 15, 2006
    Messages:
    170
    Country:
    France
    can't we just patch the callback in memory to disable it ?
     
  9. davebaol
    OP

    Member davebaol GBAtemp Advanced Fan

    Joined:
    Sep 3, 2010
    Messages:
    913
    Country:
    Italy
    @madri1
    Hmm... I think what you propose is not feasible.
     
  10. jskyboo

    Member jskyboo GBAtemp Regular

    Joined:
    Sep 12, 2009
    Messages:
    288
    Country:
    United States
    Wow this is some exciting stuff!! I think Anakin properly conveys my emotion right now: http://www.youtube.com/watch?v=AXwGVXD7qEQ. I'll need to do some more testing but good job!

    Thanks for the post davebaol!
     
  11. madri1

    Member madri1 GBAtemp Regular

    Joined:
    Feb 15, 2006
    Messages:
    170
    Country:
    France
    davebaol, how did you find out that syscall 54 is at that place?
     
  12. davebaol
    OP

    Member davebaol GBAtemp Advanced Fan

    Joined:
    Sep 3, 2010
    Messages:
    913
    Country:
    Italy
    @madri1
    That place is where syscall 0x54 is called, not where it is defined.
    Actually the syscall remains untouched.
     
  13. petspeed

    Member petspeed GBAtemp Fan

    Joined:
    Nov 13, 2009
    Messages:
    482
    Country:
    Denmark
    wow, it would be great to have this problem fixed. Great job.
     
  14. cwstjdenobs

    Member cwstjdenobs Sodomy non sapiens

    Joined:
    Mar 10, 2009
    Messages:
    1,757
    Location:
    Ankh-Morpork
    Country:
    United Kingdom
    So if you reload the current IOS it doesn't get read back in from the FS? Cool.

    Oh and great work man.
     
  15. leo.uff

    Newcomer leo.uff Member

    Joined:
    Sep 23, 2010
    Messages:
    31
    Country:
    Brazil
    davebaol,

    great work!
     
  16. davebaol
    OP

    Member davebaol GBAtemp Advanced Fan

    Joined:
    Sep 3, 2010
    Messages:
    913
    Country:
    Italy
    Hmmm... I think you misunderstood how it works.
    The IOS is reloaded from NAND as usual and it will be the original one (unpatched) but with AHBPROT rights.
    Actually the running IOS is patched in memory in order to launch the next title (usually itself, but not necessarily) with AHBPROT enabled regardless of bit 0 of the access rights field of the TMD.
     
  17. cwstjdenobs

    Member cwstjdenobs Sodomy non sapiens

    Joined:
    Mar 10, 2009
    Messages:
    1,757
    Location:
    Ankh-Morpork
    Country:
    United Kingdom
    Makes a lot more sense now. Thanks for the explanation.

    EDIT: And I should start reading stuff properly.
     
  18. JoostinOnline

    Member JoostinOnline Certified Crash Test Dummy

    Joined:
    Apr 2, 2011
    Messages:
    10,834
    Location:
    The Twilight Zone
    Country:
    United States
    I still don't understand why Team Twiizers hasn't bothered fixing this bug yet. It makes me wonder if they care (maybe their hate of cIOS's has extended to AHBPROT?). There are other channels (forwarders) that fix the problem with AHBPROT, so why not the HBC?

    I don't mean to insult the creators of the HBC, because they definitely have done some amazing things. It's just that this bug resulted in several full bricks from Priiloader v0.5, and AFAIK they didn't put any effort into fixing the problem. I hope I'm wrong about that though.
     
  19. madri1

    Member madri1 GBAtemp Regular

    Joined:
    Feb 15, 2006
    Messages:
    170
    Country:
    France
    when we move to sub_201.... with 1 set to register R0, the code at sub_2... is

    (code 16)
    sub_2010B830
    BX PC

    (code 32)
    loc_2010B834
    B dword_2010B398

    and the dword contains :
    dword_2010B398 DCD 0xE6000A90, 0xE12FFF1E

    should that dword be converted to be readable as a syscall?

    again, how do you map a syscall to a function or location in the elf file?
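    The dword quoted above can be read directly: IOS issues a syscall as an ARM undefined instruction encoded as 0xE6000010 | (number << 5) (see http://wiibrew.org/wiki/IOS/Syscalls), so 0xE6000A90 carries (0xA90 - 0x10) >> 5 = 0x54, i.e. set_ahbprot, and 0xE12FFF1E is a plain ARM bx lr. The Thumb BX PC / B sequence only switches to ARM mode to reach that two-word stub, and r0 is the first argument under the ARM calling convention, so the stub is entered with 1, the enable case. The decoder below is an added example, not code from the thread; the word dump it scans is constructed, and its second stub (syscall 0x1E) is a hypothetical entry chosen only to exercise the scan.

```c
/* Added example, not from the thread. Decodes IOS syscall stubs of the form
 * "<syscall insn>; bx lr". Encoding: 0xE6000010 | (number << 5), per
 * http://wiibrew.org/wiki/IOS/Syscalls. SAMPLE_WORDS is a constructed dump. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IOS_SYSCALL_BASE  0xE6000010u
#define IOS_SYSCALL_SHIFT 5
#define IOS_SYSCALL_NMASK 0xFFu                                     /* 8-bit number field */
#define IOS_SYSCALL_FIXED (~(IOS_SYSCALL_NMASK << IOS_SYSCALL_SHIFT)) /* bits that must match BASE */
#define ARM_BX_LR         0xE12FFF1Eu

/* Build the undefined-instruction word that invokes syscall num. */
uint32_t ios_syscall_encode(unsigned num)
{
    return IOS_SYSCALL_BASE | ((num & IOS_SYSCALL_NMASK) << IOS_SYSCALL_SHIFT);
}

/* Return the syscall number carried by insn, or -1 if insn is not a syscall word. */
int ios_syscall_decode(uint32_t insn)
{
    if ((insn & IOS_SYSCALL_FIXED) != IOS_SYSCALL_BASE)
        return -1;
    return (int)((insn >> IOS_SYSCALL_SHIFT) & IOS_SYSCALL_NMASK);
}

/* A stub is "<syscall insn>; bx lr". Given the words at a label, return the
 * syscall number it wraps, or -1 if the two-word shape does not match. */
int ios_stub_syscall(const uint32_t *words, size_t nwords)
{
    if (words == NULL || nwords < 2 || words[1] != ARM_BX_LR)
        return -1;
    return ios_syscall_decode(words[0]);
}

/* Scan a word array for stubs, storing their syscall numbers; returns the count. */
size_t scan_stubs(const uint32_t *words, size_t nwords, int *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i + 1 < nwords && found < max_out; i++) {
        int num = ios_stub_syscall(words + i, nwords - i);
        if (num >= 0) {
            out[found++] = num;
            i++;                         /* step over the bx lr as well */
        }
    }
    return found;
}

/* Constructed word dump: the stub quoted in the post, filler, a lone bx lr
 * that must not be mistaken for a stub, and a hypothetical second stub. */
static const uint32_t SAMPLE_WORDS[] = {
    0xE6000A90u, 0xE12FFF1Eu,   /* dword_2010B398: syscall 0x54 (set_ahbprot); bx lr */
    0xE3A00001u,                /* mov r0, #1 (filler) */
    0xE12FFF1Eu,                /* bx lr on its own: not a stub */
    0xE60003D0u, 0xE12FFF1Eu,   /* hypothetical stub for syscall 0x1E */
};
#define SAMPLE_NWORDS (sizeof SAMPLE_WORDS / sizeof SAMPLE_WORDS[0])

/* Number of the idx-th stub found in SAMPLE_WORDS, or -1 if there is none. */
int sample_stub_number(size_t idx)
{
    int nums[8];
    size_t n = scan_stubs(SAMPLE_WORDS, SAMPLE_NWORDS, nums, 8);
    return idx < n ? nums[idx] : -1;
}

int main(void)
{
    printf("0xE6000A90 -> syscall 0x%02X\n", ios_syscall_decode(0xE6000A90u));
    printf("syscall 0x54 -> 0x%08X\n", ios_syscall_encode(0x54));
    for (size_t i = 0; sample_stub_number(i) >= 0; i++)
        printf("stub %zu wraps syscall 0x%02X\n", i, sample_stub_number(i));
    return 0;
}
```

    Mapping a number to a function in the ELF is then the inverse search: every call site of a given syscall is a place where this exact word appears (either inline or behind a stub like dword_2010B398), which is how the two call sites of 0x54 in the launch path were found.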
     
  20. ZRicky11

    Newcomer ZRicky11 Member

    Joined:
    Feb 26, 2011
    Messages:
    37
    Country:
    Italy
    Hi
    I tried to insert your code in IOS236 Installer: you're right, it works fine!
    Also if I load it when the internet connection isn't initialised correctly. Good work... again
     