The issue
As most of you already know, there is an issue in the Homebrew Channel that makes crash homebrew apps when you don't have your wii connected to the network and HBC is configured to load apps without reloading IOS, which is the only known way to get AHBPROT access rights.
Since 1.0.7, HBC launches an asynchronous call to the Wii in order to detect the network.
And usually the IOS58 take a long time to respond if no network connection is detected.
The problem is that the HBC doesn't shutdown communication with the internal network hardware on IOS side, in other words it doesn't cancel the asynchronous call before launching a homebrew.
So the IPC reply for that async call comes when the app is already loaded, causing the crash.
This issue affects ALL homebrew loaded by HBC 1.0.7+.
The known workarounds
There are 2 known workarounds to fix this issue but both have drawbacks.
Finding a solution
This old article by Bushing is really enlightening and gave me enough information to start investigating the problem.
Syscall 0x54, AKA set_ahbprot, is in charge of enabling/disabling AHBPROT access, see http://wiibrew.org/wiki/IOS/Syscalls.
By disassembling and inspecting the kernel (FFS, ES and IOSP modules) you find out that syscall 0x54 is called only twice and both invocations are from the same function, which is called in turn by the LAUNCH_TITLE ioctl.
This function checks access rights from the TMD of the title to be launched, i.e the 4 bytes at offset 0x1D8. See http://wiibrew.org/wiki/Title_metadata
Here is a quick C translation of the interesting part of this function:
CODEvoid check_access_rights(void *tmd)
{
s32 access_rights = *(s32 *)(tmd+0x1D8);
/* Shift bit 0 to the sign bit and check it */
if ((access_rights 5 > 5 > 5 > 5
As most of you already know, there is an issue in the Homebrew Channel that makes crash homebrew apps when you don't have your wii connected to the network and HBC is configured to load apps without reloading IOS, which is the only known way to get AHBPROT access rights.
Since 1.0.7, HBC launches an asynchronous call to the Wii in order to detect the network.
And usually the IOS58 take a long time to respond if no network connection is detected.
The problem is that the HBC doesn't shutdown communication with the internal network hardware on IOS side, in other words it doesn't cancel the asynchronous call before launching a homebrew.
So the IPC reply for that async call comes when the app is already loaded, causing the crash.
This issue affects ALL homebrew loaded by HBC 1.0.7+.
The known workarounds
There are 2 known workarounds to fix this issue but both have drawbacks.
- The 1st way is to force HBC to reload IOS when it loads the app, which also kill any initiated network callback automatically and prevents the apps from crashing.
However this solution makes you loose AHBPROT access rights. - Another solution is to wait about 1 minute on the HBC hoping that the asynchronous call is terminated in the meanwhile.
However experience teaches that this workaround doesn't work always for every Wii out there.
Finding a solution
This old article by Bushing is really enlightening and gave me enough information to start investigating the problem.
Syscall 0x54, AKA set_ahbprot, is in charge of enabling/disabling AHBPROT access, see http://wiibrew.org/wiki/IOS/Syscalls.
By disassembling and inspecting the kernel (FFS, ES and IOSP modules) you find out that syscall 0x54 is called only twice and both invocations are from the same function, which is called in turn by the LAUNCH_TITLE ioctl.
This function checks access rights from the TMD of the title to be launched, i.e the 4 bytes at offset 0x1D8. See http://wiibrew.org/wiki/Title_metadata
Here is a quick C translation of the interesting part of this function:
CODEvoid check_access_rights(void *tmd)
{
s32 access_rights = *(s32 *)(tmd+0x1D8);
/* Shift bit 0 to the sign bit and check it */
if ((access_rights 5 > 5 > 5 > 5
