Hacking LU64+ Anti-Downgrading theory

damysteryman

I think I have figured out why LU64+ Wiis die when downgrading their firmware.

I found it while looking at waninkoko's cIOS249 versions 10 and 13b, as I was trying to make my own cIOSCORP (but that's another story). As I was doing this, I found 2 bytes in the ticket that I thought were unused. These 2 bytes are located at offset 0x01E6 in a wad's ticket. In cIOS249 rev10 (Based on IOS36-v1042), these 2 bytes had the value 0x0000, but in cIOS249 rev13b (Based on IOS38-v3610, the latest one), the value of these 2 bytes was 0x0E1A. Convert this to decimal and you get... 3610! Despite cIOS249 rev13b's tmd version number (which lives at offset 0x01DC within the tmd) saying 0x000D (13 dec), this new version number found in the ticket says version 3610, which is the very version of IOS38 that cIOS249 rev13b was based on! So after seeing this, I looked at the tickets of System Menu Titles to find out their "secret" version numbers, and I found this:

System Menu v418 (4.0E) ticket:

0x01E6 = 0x01A2. Convert to decimal = 418!

System Menu v386 (3.4E) ticket:

0x01E6 = 0x0182. Convert to decimal = 386!

It looks like this "secret" version number has been present in every System Menu and IOS version released from System Menu version 3.3 onwards...

System Menu v354 (3.3E) ticket:

0x01E6 = 0x0162. Convert to decimal = 354!

...but not present in any wad released earlier than System Menu 3.3! Look:

System Menu v290 (3.2E) ticket:

0x01E6 = 0x0000! Zero!

So, my theory is...
That LU64+ Wiis check this "secret" version number on certain installed titles, and if the check fails (i.e. "secret" version number = 0, or (maybe, not sure yet) "secret" version number < what it is overriding), it will refuse to boot that title NO MATTER WHAT. Now some of you may be wondering why all the "secret" version numbers in the above examples are equal to their actual version numbers, except for cIOS249 rev13b, which has 3610 instead of 13 (or 0). Well, I guess that the value of the "secret" version number doesn't have to be exact, but rather something as high as, or higher than, the latest version of that title currently available.

But not all types of titles are checked. Here is what is checked and what is not:

00000001 - System Titles (IOS) - CHECKED, to avoid modification or downgrading (e.g. System Menu 3.2 etc.)
00010000 - Disc Titles - unchecked, as tickets are not installed on Wii, and probably to retain compatibility with older titles.
00010001 - Wii Game Channels - unchecked, to retain compatibility with older titles.
00010002 - Wii System Channels - CHECKED, to avoid modification or downgrading (e.g. Photo Channel 1.0 etc.)
00010004 - Wii Game Channels that are linked to Disc Titles - unchecked, to retain compatibility with older titles.
00010005 - Downloadable Content (DLC) - unchecked, these 2 bytes in the DLC's ticket seem to serve a different purpose in these titles, probably to point to the channel that uses them. Also unchecked to retain compatibility with older titles.
00010008 - Hidden System Channels - CHECKED, to avoid modification or custom channels (e.g. DVDX etc.)

So...
Titles with a TitleID of:
00000001xxxxxxxx
00010002xxxxxxxx
00010008xxxxxxxx
are checked.

Even look at DVDX's latest ticket:

0x01E6 = 0x0002 = 2 decimal. That wasn't there last time. Looks like Team Twiizers just copied the "secret" version number from the hidden eula and rgnsel channels (They're currently both version 2). Look at the Title Key Team Twiizers left us. "One Damn Stupid byte". This must be referring to the 0x02 at offset 0x01E7, which is part of the 2 byte "secret" version number found at offset 0x01E6.

Long story short:
LU64+ Wiis check for a 2 byte "secret" version number found at offset 0x01E6 within tickets of system titles. If this number = 0, then that particular title will refuse to boot. (I'm not sure what would happen if this "secret" version number is greater than 0 but lower than the latest available version, though.) So, to make it LU64+ compatible, change this "secret" version number (which is most likely 0) to a really, really high number, pack the wad, and install it and see if it works.

Now this is only a theory, and still needs more testing. But I can't fully test it as my Wii is not LU64+. I have made a basic proof-of-concept test for anyone who has an LU64+ Wii and is willing to take the extremely huge brick risk.

WARNING! THIS TEST HAS A HUGE BRICK RISK! I WILL NOT BE HELD RESPONSIBLE FOR ANY WIIS THAT ARE BRICKED FROM PERFORMING THIS TEST. IF YOU PERFORM THIS TEST AND YOUR WII BECOMES BRICKED, IT IS YOUR OWN FAULT FOR NOT HEEDING THIS WARNING! IF YOU DO NOT UNDERSTAND THE TEST BELOW, THEN DO NOT PERFORM IT!

Experimental LU64+ Downgrade Theory POC Test:
Items Needed:
An LU64+ Wii (That either has Bootmii installed as boot2 (if possible) with a NAND backup, and/or the willingness to take the extremely huge brick risk)
Ability to boot homebrew
Ability to install Trucha signed wads on your LU64+ Wii
Ability to run Trucha signed discs on your LU64+ Wii (e.g. Gecko OS)
An old version of IOS9 (Get it off the Zelda:TP Update partition, or Google)
A modchip
An ISO of Zelda:TP
Ability to burn ISOs to DVDs
A Hex Editor
Wad unpacking and packing utilities
Some way of patching which IOS Zelda:TP runs under (e.g. changing partition.bin etc.)

Steps:
Step 1: Acquire a copy of an old version of IOS9 and unpack it.
Step 2: Open IOS9's tmd (the 0000000100000009.tmd file) in a hex editor
Step 3: At offset 0x0193, replace the value 0x09 with the value 0x7B (which is 123 decimal). Save.
Step 4: Open IOS9's ticket (the 0000000100000009.tik file) in a hex editor
Step 5: At offset 0x01E3, replace the value 0x09 with the value 0x7B (which is 123 decimal). This will make it install as IOS123 so it doesn't override anything. Save.
Step 6: Change the "secret" version number at offset 0x01E6 from value 0x0000 to the value 0x9999 (39321 decimal). Save.
Step 7: Repack the newly made IOS123 (remember to trucha sign the ticket and tmd)
Step 8: Install this wad (using something like Wad Manager 1.4 running under IOS249)
Step 9: Patch your Zelda:TP ISO to run under IOS123 and burn it to disc
Step 10: Run your IOS123-patched Zelda:TP disc

Hopefully this should have Zelda:TP running under an old, downgraded IOS9 (installed as IOS123) on an LU64+ Wii.
And if this theory works, then we should be able to downgrade on LU64+ Wiis!

If you do perform this test, could you please post your results/observations in this thread, so we can determine if this theory becomes fact or not.
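
The field reads described in the post above, as an added example that is not part of the original post: a read-only parser that pulls the title ID (0x01DC) and the 2-byte big-endian value at 0x01E6 from a ticket and classifies the title using the post's checked/unchecked list. The function names, the 64-byte issuer field width and the zero-filled sample tickets are assumptions made for this example, and `theory_predicts_refusal` only encodes the poster's unconfirmed theory.

```python
import struct

ISSUER_OFF, ISSUER_LEN = 0x140, 0x40  # issuer string, e.g. "Root-CA00000001-XS00000003"
TITLE_ID_OFF = 0x1DC                  # 8 bytes; step 5 of the post edits its last byte (0x1E3)
TITLE_VER_OFF = 0x1E6                 # 2 bytes, big-endian: the "secret" version number
MIN_LEN = TITLE_VER_OFF + 2

# Title ID high word -> (label, checked?) as listed in the post.
TITLE_TYPES = {
    0x00000001: ("System Titles (IOS)", True),
    0x00010000: ("Disc Titles", False),
    0x00010001: ("Wii Game Channels", False),
    0x00010002: ("Wii System Channels", True),
    0x00010004: ("Game Channels linked to Disc Titles", False),
    # The post notes these two bytes seem to serve a different purpose in DLC tickets.
    0x00010005: ("Downloadable Content (DLC)", False),
    0x00010008: ("Hidden System Channels", True),
}


def parse_ticket(blob: bytes) -> dict:
    """Extract the fields the post discusses; never modifies the ticket."""
    if len(blob) < MIN_LEN:
        raise ValueError(f"ticket too short: {len(blob)} bytes, need at least {MIN_LEN}")
    issuer = blob[ISSUER_OFF:ISSUER_OFF + ISSUER_LEN].split(b"\x00", 1)[0]
    hi, lo = struct.unpack_from(">II", blob, TITLE_ID_OFF)
    (version,) = struct.unpack_from(">H", blob, TITLE_VER_OFF)
    label, checked = TITLE_TYPES.get(hi, ("unknown title type", None))
    return {
        "issuer": issuer.decode("ascii", "replace"),
        "title_id": f"{hi:08X}{lo:08X}",
        "title_type": label,
        "ticket_version": version,
        "checked": checked,  # None when the type is not in the post's list
        # Poster's unconfirmed theory: a checked title whose value is 0 refuses to boot.
        "theory_predicts_refusal": bool(checked) and version == 0,
    }


def make_sample(title_id: int, version: int) -> bytes:
    """Constructed, zero-filled 0x2A4-byte ticket for the demo; not a real ticket."""
    buf = bytearray(0x2A4)
    issuer = b"Root-CA00000001-XS00000003"
    buf[ISSUER_OFF:ISSUER_OFF + len(issuer)] = issuer
    struct.pack_into(">Q", buf, TITLE_ID_OFF, title_id)
    struct.pack_into(">H", buf, TITLE_VER_OFF, version)
    return bytes(buf)


if __name__ == "__main__":
    # Title IDs and values mirror the ones quoted in the post.
    samples = {
        "System Menu v418": make_sample(0x0000000100000002, 0x01A2),
        "System Menu v290": make_sample(0x0000000100000002, 0x0000),
        "DVDX": make_sample(0x0001000844564458, 0x0002),
    }
    for name, blob in samples.items():
        info = parse_ticket(blob)
        print(f"{name}: {info['title_id']} ({info['title_type']}) "
              f"0x01E6={info['ticket_version']} "
              f"refusal predicted={info['theory_predicts_refusal']}")
```
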
 

techboy

Hm, interesting theory...Don't got an LU64, so can help you out.

Also, why do you say there's a brick risk for your test? As long as you do not overwrite good IOSes, there is virtually no brick risk at all. Installing a modified IOS9 as IOS123 will not brick the wii. Worst that happens is the patched Zelda doesn't boot, and the DVD you burnt is now a coaster...
 

damysteryman

I just put that warning in for disclaimer reasons. Say if somebody didn't have a modchip and derived their own test based on this information, and decided to modify important IOS and System Menu instead of the safer POC test that I posted, and bricked, it's their own fault.

But you're right techboy. That POC test I posted should be brick free. (Hopefully it works too.)

Oh and thanks for linking to that other post you made, SoraK05. I was also thinking hardware (or similar) differences when I was working this out.

SoraK05 said:
Supposing someone figured out how to add this hardware support into older IOS', or wanted to make CIOSCORP with the newest IOS', that should work as far as I know.
Well hopefully this is it.

And a little off topic but...
I have made a cIOSCORP using the latest (or close to it) versions of IOS currently available (for my own personal use). I used the 00000001.app file out of waninkoko's cIOS249 rev13b and this info I figured out to make it. I've tested this cIOSCORP on my Wii and it works fine, except for a few games, which give #001 error, of all errors. (I have no clue why they give #001 error). It just needs testing on an LU64+ Wii now, but with it being copyrighted WADs and whatnot, I can't post it...
 

WiiPower

A POC should be much more safe to implement. I'm thinking of just installing an IOS35v1040 with the "secret" revision number of the latest IOS35. Maybe with both revision numbers at the latest revision. If you can use WAD Manager with this IOS35 to install channels on a boot2v4 Wii, your theory was proven.

Oh, about boot2v4, bushing told at #wiidev that he thinks that's the reason why some IOS can't be launched. Boot2 is involved in starting IOS, and he never heard of anybody having v3 and the problems, or having v4 and not having the problems.

da_letter_a said:
And a little off topic but...
I have made a cIOSCORP using the latest (or close to it) versions of IOS currently available (for my own personal use). I used the 00000001.app file out of waninkoko's cIOS249 rev13b and this info I figured out to make it. I've tested this cIOSCORP on my Wii and it works fine, except for a few games, which give #001 error, of all errors. (I have no clue why they give #001 error). It just needs testing on an LU64+ Wii now, but with it being copyrighted WADs and whatnot, I can't post it...

I would try the 00000001.app files from the different cIOS, it might be that Waninkoko moved the 001 patch into another module or whatever. The 000000001.app from rev7 should be fine for all single layer discs and have the same compatibility as cioscorp v1 then. (well in theory)
 

joda

Release a script that does all the repacking with for example wwunpacker, and sha1-sums of all wads you've used. Even better if the script checked the sha1-sums as well. The patching could be done automatically since the address is always the same.

This way, people could try it out, and you could distribute it.

But on the other hand, since people in general seem to be able to manage to fuck up however idiot proof you make anything, you'd probably have a whole lot of "You (yes YOU) bricked my Wii; you SUCK!"-posts in just a few days. It's all up to you.

Looks promising though ...
 

mtb-bfh

WiiPower said:
A POC should be much more safe to implement. I'm thinking of just installing an IOS35v1040 with the "secret" revision number of the latest IOS35. Maybe with both revision numbers at the latest revision. If you can use WAD Manager with this IOS35 to install channels on a boot2v4 Wii, your theory was proven.

Exactly...why would anybody in their right mind want to downgrade the entire firmware itself, or futz with IOS9? As far as I know, all anybody with an LU64 wants is a working preloader.

I don't have the time to try this with IOS35 right this moment (just got a new puppy today, and she's running me ragged) but if somebody else has a moment and wants to pack up a WAD for me, I'd be happy to guinea-pig it.
 

svpe

I'm sorry to spoil your 'great' theory, but this "OneDamnStupidByte" title key was used since the very first DVDX version because one little bit in the TMD is enough to enable DVD Video mode.
 

Det1re

da_letter_a said:
Now some of you may be wondering why all the "secret" version numbers in the above examples are equal to their actual version numbers, except for cIOS249 rev13b, which has 3610 instead of 13 (or 0). Well, I guess that the value of the "secret" version number doesn't have to be exact, but rather something as high as, or higher than, the latest version of that title currently available.

This is simply the version number of IOS38, on which it's based [IOS38-64-v3610.wad].
 

Scarfish

I can confirm that this isn't working:
* Only changed the sort of secret version number and repacked the stuff
* Tested on my Wii with Preloader if it would brick my console, it wouldn't
* On the LU64 Wii I first ran IOS 35 downgrader which sets the version to 0
* Used the cboot2 method to run Wad Manager
* Installed the IOS35 v1040 with the secret version number fixed
* Started Wad Manager and told it to load from IOS35 --> it hangs
 

fogbank

Just a comment on your proposed "test":

It is my understanding that the rule "LU64+ Wiis cannot run older IOS versions" only applies to the later modular IOS versions, not the monolithic versions like IOS9. This is presumably why IOS16 runs correctly on them.

For a proper test you would need to use a different (higher number) IOS version.
I think IOS35 has already been mentioned in this thread.

EDIT: spelling
 
