Possible ways to softmod the Wii

Discussion in 'Wii - Hacking' started by zidane_genome, Jul 19, 2008.

Jul 19, 2008
  1. zidane_genome
    OP

    Member zidane_genome My sword has a +2 bleeding... wanna test it out?

    Joined:
    May 21, 2006
    Messages:
    2,320
    Country:
    United States
    Rules:

    Talk about how to softmod the Wii. There will be no mention of Bushings, his 5 day deadline, or anything related to his "discovery".

    This is for US to spitball ideas off each other on ways to make a softmod.

    If you mention Bushings, want to flame, or go off-topic, you'll be reported.


    Now, to start things off...

    I was reading the last thread, and the idea that nitrotux had about re-writing the firmware of the drive. I know this can be done on the 360, but that's because it has an actual PC interface (SATA)... since the Wii drive doesn't have a PC interface, we have to make a workaround.

    Is there a way to put the drive into debug mode from a .elf/.dol? Send the commands to put it into debug mode from HBC or TPhack? Once that's taken care of, can the drive read a normal DVD? If so, can the firmware be burnt to a disc to be read by the drive?
     


  2. fischju

    Member fischju Rehabilitated Jaywalker

    Joined:
    Jan 11, 2008
    Messages:
    1,940
    Country:
    United States
    What is that method for booting backups without a modchip, when you have it connected to a PC?
     
  3. Forcystos

    Newcomer Forcystos Member

    Joined:
    Jul 19, 2008
    Messages:
    23
    Country:
    Puerto Rico
    http://dl.qj.net/Applications/pg/12/fid/13322/catid/526

    This application's source should be very helpful. This is the program that enables backups when connected to a PC via parallel port. There are important addresses in there, including the addresses that have to be unlocked...
     
  4. zidane_genome
    OP

    Member zidane_genome My sword has a +2 bleeding... wanna test it out?

    Joined:
    May 21, 2006
    Messages:
    2,320
    Country:
    United States
    Holy jesus! This would be so easy! But as far as I can see this only works on the DMS/D2A and D2B model Wiis as it is.

    Now I just need to learn a little Wii programming...

    Code:
    // WII MODEL DETECTION -------------------------------------------------------------
    cn302_peek_byte(0x40BCB2, wiimodel);
    printf("[+] WII Model Detection : ");
    if(wiimodel[0]!=0x20){
        printf("DMS/D2A\n");
        wii_memlocs = 0x82b6;
        wii_mediaflag = 0x8576;
        wii_emuflag = 0x8598;
        wii_di = 0x8308;
        wii_speed = 0x40BD7A;
    }
    else{
        printf("D2B\n");
        wii_memlocs = 0x82be;
        wii_mediaflag = 0x8580;
        wii_emuflag = 0x85A2;
        wii_di = 0x8310;
        wii_speed = 0x40BD86;
    }

    // UNLOCK WII MEM ------------------------------------------------------------------
    cn302_write_block(wii_memlocs,0x2,wiiunlockcmd);
    printf("[+] WII Memory Unlocked\n");

    // WAIT FOR DISK INSERTED ---------------------------------------------------------
    printf("\nPlease Insert a Disk...\n\n");
    cn302_peek_byte(0x40BA06, inquiry);

    while((inquiry[0] != 0xD0) && (inquiry[0] != 0xD2) && (inquiry[0] != 0xF3) && (inquiry[0] != 0xF4)){
        cn302_peek_byte(0x40BA06, inquiry);
    }

    printf("[+] Disk Inserted\n");

    // PATCHING W00T !! --------------------------------------------------------------

    cn302_write_block(wii_memlocs,0x2,wiiunlockcmd);

    if(strcmp(argv[3],"Y")==0){
        printf("[+] Patching Disk Speed !!\n");
        cn302_write_block(wii_speed,0x2,speed_value);
    }
    else{
        printf("[+] Leave Low Speed Disk (not patching)\n");
    }

    printf("[+] Patching MediaFlag\n");
    cn302_poke_byte(wii_mediaflag,0x28);
    cn302_poke_byte(wii_emuflag,0x04);

    cn302_peek_byte(0x408817, &disk_mediaflag[0]);
    cn302_peek_byte(0x408816, &disk_mediaflag[1]);
    cn302_peek_byte(0x408815, &disk_mediaflag[2]);
    cn302_write_block(wii_mediaflag + 2,0x2,disk_mediaflag);
    cn302_write_block(wii_mediaflag + 6,0x2,disk_mediaflag);
    cn302_write_block(wii_mediaflag + 12,0x2,disk_mediaflag);
    cn302_write_block(wii_mediaflag + 16,0x2,disk_mediaflag);
    cn302_poke_byte(wii_mediaflag+4,disk_mediaflag[2]);
    cn302_poke_byte(wii_mediaflag+8,disk_mediaflag[2]);
    cn302_poke_byte(wii_mediaflag+14,disk_mediaflag[2]);
    cn302_poke_byte(wii_mediaflag+18,disk_mediaflag[2]);

    cn302_peek_byte(wii_di, inquiry);
    while(inquiry[0] != 0xA8){
        cn302_peek_byte(wii_di, inquiry);
    }
    cn302_poke_byte(wii_mediaflag,0x38);
     
  5. teq

    Member teq GBAtemp Maniac

    Joined:
    May 13, 2008
    Messages:
    1,232
    Country:
    United States
    There's only one problem with all of this: Implementing this via homebrew will be hard to do, as IOS reloads after any homebrew is exited.

    But, don't fret! Because I have an alternative: Final Fantasy CC: MLaaK. The entire game is written in uncompiled C.

    This provides an entrypoint that should allow the D2x to retain memory.
     
  6. jan777

    Member jan777 motion control..? srsly? so 2008. 3DS is teh bombz

    Joined:
    Jan 4, 2008
    Messages:
    2,829
    Country:
    Philippines
    teq may be my next homebrew god
     
  7. teq

    Member teq GBAtemp Maniac

    Joined:
    May 13, 2008
    Messages:
    1,232
    Country:
    United States
    Well, at present, I'm trying to see if I can piece a few loose ends together.... but don't get your hopes up.

    I don't come from a console hacking background and I don't have the resources (i.e., Infectus) or knowledge Bushing has accumulated, so I won't claim to.
     
  8. fischju

    Member fischju Rehabilitated Jaywalker

    Joined:
    Jan 11, 2008
    Messages:
    1,940
    Country:
    United States
    If I had the ability to retain hopes, they would be in an elevated state now.

    I will once again unpack my Wii ISOs from my failed chipping attempt.
     
  9. teq

    Member teq GBAtemp Maniac

    Joined:
    May 13, 2008
    Messages:
    1,232
    Country:
    United States
    Sigh... what did I do?


    Now I have to come up with results... but I'm so lazy...
     
  10. zidane_genome
    OP

    Member zidane_genome My sword has a +2 bleeding... wanna test it out?

    Joined:
    May 21, 2006
    Messages:
    2,320
    Country:
    United States
    teq, I'm still learning some basic Wii coding, but could it be possible to "patch" GeckoOS to send these commands when loading a disc? I'm probably wrong, but hey, worth a shot!
     
  11. NeSchn

    Member NeSchn GBAPimpdaddy.

    Joined:
    Oct 4, 2007
    Messages:
    3,533
    Location:
    Troy,New York PimpStatus: King
    Country:
    United States
    Sorry, I know you said don't mention anything about Bushings or his 5 day deadline, but what the hell is it?
     
  12. zidane_genome
    OP

    Member zidane_genome My sword has a +2 bleeding... wanna test it out?

    Joined:
    May 21, 2006
    Messages:
    2,320
    Country:
    United States
    Do a search, we're not discussing it here... last warning...
     
  13. fischju

    Member fischju Rehabilitated Jaywalker

    Joined:
    Jan 11, 2008
    Messages:
    1,940
    Country:
    United States
    Well, it will take 4 more days for these new games to be done, and at least a day to unrar and burn them all. So, 5 days?
     
  14. zidane_genome
    OP

    Member zidane_genome My sword has a +2 bleeding... wanna test it out?

    Joined:
    May 21, 2006
    Messages:
    2,320
    Country:
    United States
    ha ha ha... 5 days... very funny... but anyway... teq, let me know what you think of "injecting" some code into GeckoOS
     
  15. Christen

    Member Christen GBAtemp Regular

    Joined:
    Aug 12, 2007
    Messages:
    154
    Country:
    Canada
    In order to do that, would you not need access to the source code for Gecko?
     
  16. teq

    Member teq GBAtemp Maniac

    Joined:
    May 13, 2008
    Messages:
    1,232
    Country:
    United States
    It's viable, but GeckoOS has no source available... and like I mentioned before, I'm lazy.
     
  17. Christen

    Member Christen GBAtemp Regular

    Joined:
    Aug 12, 2007
    Messages:
    154
    Country:
    Canada
    Well, there's always tomorrow to start working on it, no rush.
     
  18. teq

    Member teq GBAtemp Maniac

    Joined:
    May 13, 2008
    Messages:
    1,232
    Country:
    United States

    Granted, this is for the Gamecube library, but I'm wondering if it could still be activated via IPC... or if they've extended it to the Wii. Anyone care to chime in?
     
  19. denzil

    Newcomer denzil Advanced Member

    Joined:
    Jun 11, 2008
    Messages:
    88
    Country:
    United States
    As Erant said before, probably in one of the "lost" threads: the necessary debug commands will not reach the drive, but get blocked by some yet unknown mechanism in Hollywood.
     
  20. teq

    Member teq GBAtemp Maniac

    Joined:
    May 13, 2008
    Messages:
    1,232
    Country:
    United States
    Perhaps not Hollywood, but IOS?

    The modified IOS released patches /dev/di to /dev/do, presumably so that Starlet doesn't impose the limit on DVDUnencryptedRead.

    It might be possible that through the same method, certain calls will pass through unobstructed.
     
