On the ability to play backups without drive chip

Discussion in 'Wii - Hacking' started by nitrotux, Jul 25, 2008.

Jul 25, 2008
  1. nitrotux
    OP

    Newcomer nitrotux Advanced Member

    Joined:
    Jun 24, 2008
    Messages:
    60
    Country:
    United States
    I've been thinking about the DVD drive softmod lately, and the fact marcan has admitted they can read DVD-R's without a drive chip, and the fact that bushing has posted a nice note for Nintendo on his blog.

    As I've explained before there's basically 2 ways for getting a working DVD softmod:
    1) Disable Starlet from blocking the FF and FE commands
    2) Find a way to exploit the DVD drive with the allowed commands

    Now the fact that bushing wants to talk to Nintendo is something special.
    If they found a way to disable the Starlet debug command filter (this would be done through an IOS hack or similar), then they would not be knocking on Nintendo's door to fix this.
    The reason is that we would simply call this disable method ourselves from the Starlet (IOS) side, because it's already possible to fully control IOS (see patchmii, IOS5 and Waninkoko's custom IOS), and Nintendo cannot patch this (unless they patch homebrew unsigned code altogether, which I doubt is bushing's goal).

    Then, there's only one other reason left:
    There's a bug in the DVD firmware, and they want Nintendo to fix it for future retail Wii's.

    There's one thing which bothers me, and that's the fact that Nintendo seems to be checking the caller UID on the video enable command for any possible security breach (and they are not doing this for any other command):
    "(%s) (diIoctl) Video enable returning security error - callerUid = %u; inLen = %u\n"



    In any case, the DVD is not the only method for playing backups.

    I am doing a thorough and complete reverse engineering of the DI module in IOS31, and the ultimate idea is to silently relay all requests which are being sent from PPC to "/dev/di", internally in Starlet to the SD card. It will "emulate" the DVD drive (status responses etc), but the data will be coming from the SD card.
     


  2. dinofan01

    Member dinofan01 Misses the old days...

    Joined:
    Jul 4, 2008
    Messages:
    2,842
    Country:
    United States
    Isn't there a thread for this?
     
  3. teq

    Member teq GBAtemp Maniac

    Joined:
    May 13, 2008
    Messages:
    1,232
    Country:
    United States
    I'm just guessing here, but it could be a failsafe for CSS encryption.
     
  4. rishard10212

    Newcomer rishard10212 Member

    Joined:
    Jan 10, 2006
    Messages:
    39
    Country:
    United States
    So what you're trying to do is run backups using an SD card? That doesn't sound too efficient.
     
  5. teq

    Member teq GBAtemp Maniac

    Joined:
    May 13, 2008
    Messages:
    1,232
    Country:
    United States
    Neither does criticizing him.
     
  6. zidane_genome

    Member zidane_genome My sword has a +2 bleeding... wanna test it out?

    Joined:
    May 21, 2006
    Messages:
    2,320
    Country:
    United States
    FREAKIN BURN!!! lol

    anyway... so what, has Starlet been dumped yet, or are we still waiting for this Custom IOS to be released to dump Starlet?
     
  7. FGOD

    Member FGOD Wii gaming bitch

    Joined:
    Jun 1, 2008
    Messages:
    1,339
    Location:
    Netherlands, Den Helder
    Country:
    Netherlands
    Has anyone made any progress in this DVD stuff?
     
  8. blinktoday

    Newcomer blinktoday Advanced Member

    Joined:
    Jul 21, 2008
    Messages:
    66
    Country:
    Canada
    Wouldn't the first method be easier because svpe confirmed that with the new firmware from team twiizers we have complete access to the starlet?
     
  9. teq

    Member teq GBAtemp Maniac

    Joined:
    May 13, 2008
    Messages:
    1,232
    Country:
    United States
    I believe in the other thread, I addressed the fact that we've always been able to access Starlet, but the real concern is how much of it we can access.

    Starlet is essentially a stand-alone device that can run an entire operating system -- it's a SoC or System on a Chip. Being able to program it will put us leaps ahead of anything we've been able to do with the Wii, but that all depends on how much security it has.
     
  10. Christen

    Member Christen GBAtemp Regular

    Joined:
    Aug 12, 2007
    Messages:
    154
    Country:
    Canada
    I suppose it's basically impossible to hack the SD port drivers to allow SDHC cards, correct?

    Because, as cool as this idea is, it'll be extremely limited with non SDHC cards maxing out at 2 GB, unless we can employ other mass storage devices with this idea.
     
  11. blinktoday

    Newcomer blinktoday Advanced Member

    Joined:
    Jul 21, 2008
    Messages:
    66
    Country:
    Canada
    We should at least be able to play Gamecube games, right?
     
  12. Jacobeian

    Member Jacobeian GBAtemp Advanced Maniac

    Joined:
    May 15, 2008
    Messages:
    1,879
    Country:
    Cuba
    You should talk with emukiddid.
    His work with sd-boot on Gamecube (which is indeed THE Gamecube ISO loader) was very similar; even if there was no IOS and DI accesses are done differently, you could share some of the possible issues he already encountered.

    Good luck with IOS reverse-engineering; the more people doing this, the better we could get.
     
  13. nitrotux
    OP

    Newcomer nitrotux Advanced Member

    Joined:
    Jun 24, 2008
    Messages:
    60
    Country:
    United States
    I've looked into the video enable command some more.

    It seems the PPC is not allowed to call this (the callerUID won't match with what IOS wants).

    There is only one module which is allowed to call this, and that's the ES (the security-) module.

    The ES opens up the device "/dev/di", and sends an ioctl request with command 0x8E.
    The DI module hears this, and simply calls a syscall, which does this:

    Code:
    /* Starlet syscall invoked by the DI module's 0x8E handler (reconstructed) */
    #define HW_REG_0D800180 (*(volatile unsigned int *)0x0D800180)

    void syscall(int a)
    {
        if (a == 0)
            HW_REG_0D800180 &= ~0x200000;   /* clear bit 0x200000 */
        else
            HW_REG_0D800180 |= 0x200000;    /* set bit 0x200000 */
    }
    This register is also involved in setting DI into legacy mode (using bitmask 0x40).

    So what's so special about clearing or setting bitmask 0x200000? Maybe it disables the Starlet filter?
    I'm pretty sure this register will be fun to play with.

    And to confirm once more, this was said on #wiidev recently by bushing:
    SOFTMOD HERE WE COME!
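An added example, not code from this thread or from IOS: a small C model of the video-enable path described in posts #1 and #13, i.e. the caller-UID check on ioctl 0x8E followed by the syscall that sets or clears bit 0x200000 of register 0x0D800180. The ES UID value and the minimum inLen are assumed placeholders, and the register is simulated in memory rather than touching the real MMIO address.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define DI_IOCTL_VIDEO_ENABLE 0x8E
#define HW_BIT_VIDEO          0x200000u  /* bit toggled by the syscall (from the thread) */
#define HW_BIT_LEGACY_MODE    0x40u      /* legacy-mode bit in the same register (from the thread) */

/* Assumed placeholder: the real UID that IOS assigns to the ES module is not on the page. */
#define ES_UID_PLACEHOLDER    1u

/* Simulated stand-in for register 0x0D800180 (the real one is a Starlet MMIO register). */
static uint32_t hw_reg_0d800180 = 0;

/* The syscall body posted above: clear the bit for a == 0, set it otherwise. */
static void syscall_video_bit(int a)
{
    if (a == 0)
        hw_reg_0d800180 &= ~HW_BIT_VIDEO;
    else
        hw_reg_0d800180 |= HW_BIT_VIDEO;
}

/* Model of the DI module's ioctl dispatcher for command 0x8E.
 * Returns 0 on success, -1 on the security error logged in post #1,
 * -2 for commands this model does not cover. */
int di_ioctl(uint32_t caller_uid, int cmd, const uint8_t *in, uint32_t in_len)
{
    if (cmd != DI_IOCTL_VIDEO_ENABLE)
        return -2;

    /* Only the ES module may enable video; anything else is refused and logged.
     * Requiring at least one input byte is an assumption of this model. */
    if (caller_uid != ES_UID_PLACEHOLDER || in == NULL || in_len < 1) {
        printf("(DI) (diIoctl) Video enable returning security error - "
               "callerUid = %u; inLen = %u\n", caller_uid, in_len);
        return -1;
    }

    syscall_video_bit(in[0] != 0);  /* first input byte selects set (non-zero) or clear */
    return 0;
}

/* Read back the simulated register so the effect of a call can be checked. */
uint32_t di_reg_value(void)
{
    return hw_reg_0d800180;
}
```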
     
  14. rishard10212

    Newcomer rishard10212 Member

    Joined:
    Jan 10, 2006
    Messages:
    39
    Country:
    United States
    hey, that sounds like a great find nitro. good luck. =]
     
  15. Christen

    Member Christen GBAtemp Regular

    Joined:
    Aug 12, 2007
    Messages:
    154
    Country:
    Canada
    Awesomeness. Keep up the great work tux!
     
  16. Shuny

    Member Shuny I'm in yr forum, reading yr postz

    Joined:
    Nov 15, 2006
    Messages:
    1,019
    Location:
    Somewhere in the world
    Country:
    France
    Nitrotux is our god
     
  17. Hellfenix

    Member Hellfenix GBAtemp Regular

    Joined:
    Jun 25, 2005
    Messages:
    204
    Location:
    Canada
    Country:
    Canada
    That is AWESOME news.. hopefully this register will do something good.
     
  18. Rock Raiyu

    Member Rock Raiyu Clock Up

    Joined:
    Jul 14, 2007
    Messages:
    5,066
    Location:
    Walking the path of heaven
    Country:
    United States
    Awesome. It looks like we're getting somewhere. Excellent job Nitrotux!
     
  19. Dr.Tenma

    Member Dr.Tenma GBAtemp Regular

    Joined:
    Jul 25, 2008
    Messages:
    150
    Country:
    France
    Nice, but nitrotux, do you work alone?
     
  20. kikekakik

    Newcomer kikekakik Newbie

    Joined:
    Apr 24, 2008
    Messages:
    7
    Country:
    United States
    Nice work nitrotux!!! That's what I was saying.. but I couldn't find the way to call that function.. There is an ES call to set the UID (ES_SetUID) to whatever you want.. I think it should be system menu.. or super user..

    I've been trying to use

    IOS_Ioctl(di_fd, 0x8E, inbuf, 0x20, outbuf, 0x20);

    but don't know what inbuf and outbuf should be..

    I think it could be called from PPC.. because it was implemented on early SDKs..

    I have almost finished a disc launcher if you want.. let me know if I can help you with something
     