Hacking: Possible ways to softmod the Wii

IOS37

teq said:
dobbod said:
According to all the hints Marcan left @ elotrolado.net, there's a way to actually read from DVD-Rs without a softmod (and this is what they had discovered), and I think this is what should be found at first.

I'd like to read this. Can you direct me to the thread?
here
or here
"We know it works to read DVD-Rs, and therefore (with more or less effort) can be used to load copies."
 

zidane_genome

OP
linkinworm, there's no guarantee there will be a softmod, it's just a discussion about if it's possible, and how it could be done...

As of now, it's not looking too promising... but remember, there's almost no documentation about Starlet. Once it's opened up, who knows what's going to happen!

Back to topic;
I know this is a rehash, but I wanna sum up some stuff, and make some guesses...

1) We can't get the source to GeckoOS yet.
2) We know there are apps that can access the DVD drive for unlimited reading (disc dumpers)
3) We can't flash the DVD firmware (yet) because Starlet blocks the debug code from reaching the drive.

Knowing this, is there a way to modify one of these disc dumpers to actually run the main.dol on a disc instead of just dumping it? Yes, I know that's the very first thing people think of, but it's worth a mention. Somehow use a modchip's code with a disc launcher.

And lastly, even if there's no way to use a modchip code in a disc launcher, is it possible to create one, even if it can't launch backups yet? Something like GeckoOS, but a stripped down simple version that just launches real games (like the real Disc Channel, but without banners and such).
 

linkinworm

plasticpie said:
Unfortunately for you, the "pros" are against piracy. No backup loader for you.
maybe with patchmii, seeing as how bushing found this just after they made that.
edit, I mean maybe that's the key.
 

teq

zidane_genome said:
1) We can't get the source to GeckoOS yet.

GeckOS won't help.

If you want to confirm this, patch the region address with the address that sets debug mode.
zidane_genome said:
2) We know there are apps that can access the DVD drive for unlimited reading (disc dumpers)

Yes, but only for licensed games. Genplus doesn't read from DVDs without a drivechip.
zidane_genome said:
3) We can't flash the DVD firmware (yet) because Starlet blocks the debug code from reaching the drive.
The firmware/GC-D is a rom and is unable to be flashed. It can be replaced with a writeable version, but if you're going to go to those lengths, you might as well get a drivechip.
zidane_genome said:
Knowing this, is there a way to modify one of these disc dumpers to actually run the main.dol on a disc instead of just dumping it. Yes, I know that's the very first thing people think of, but it's worth a mention. Somehow use a modchips code with a disc launcher.

And lastly, even if theres no way to use a modchip code in a disc launcher, is it possible to create one, even if it can't launch backups yet. Something like GeckoOS, but a stripped down simple version that just launches real games (like the real Disc Channel, but without banners and such)

No, Starlet has it too far locked down to even consider anything like this.

The key is in boot1/2, which initializes Starlet, and thus can obtain control before Starlet does.

IOS37 said:
what happens if you try to launch a main.dol from a game via TW hack?

Nothing.
 

halatosis

I don't know a lot about this stuff, but I had a quick thought. What is the process of loading WiiWare or VC games? Do the same security rules apply to these wads that would apply to a Wii disc image? Just a thought. It's nice to see people working cooperatively with this, not much flaming going on as opposed to all the other forums I have visited. Keep up the good work.
 

linkinworm

halatosis said:
I don't know a lot about this stuff, but I had a quick thought. What is the process of loading wiiWare or vcgames? Do the same security rules apply to these wads that would apply to a wii disc image? Just a thought.
I think they just follow the .app rule like VC games, nothing like Wii games, as they don't contain the same keys I believe.
 

crwys

Well bushing has announced that he "believes" to have found a security hole that allows backups without mod chips. So, there must be some way, and the rumor of the karoloza team (or however you spell it).

Off topic:

If I remember reading correctly, bushing also found a security hole in VC and WiiWare games, to allow downgrading, but somehow waninkoko ruined it? Just trying to find out more info about Wii hacking and stuff.
 

Forcystos

Wouldn't it be easier to see where and how the Starlet changes the issued commands? We don't yet have a DVD firmware dump, but we have Starlet's.
 

teq

Forcystos said:
Wouldn't it be easier to see where and how the Starlet changes the issued commands? We don't yet have a DVD firmware dump, but we have Starlet's.

Other way around, actually.

We have extensive knowledge of the GC chip, but know relatively nothing about Starlet.


Not to mention, what do you plan to do with Starlet? It's an entire system on a chip, capable of running an operating system. It's most likely that the DI commands are hardcoded in
 

zidane_genome

OP
what teq said... Starlet is still a HUGE mystery... there's no dump of it, and only the basic stuff (it runs Wii games) is known about it.

There already are dumps of every chipset (D2A, D2B, D2C, and the other 2), and there are the codes to "softmod" the drive, but to apply the mod, you have to take the drive out of your Wii, and solder a serial port to the drive to hook it up to a Linux machine to flash the drive commands. Being as it's dangerous, since if you miss one thing, you brick the drive, and it's easier to buy a modchip than to add a serial port, that's what this thread is about...

and crwys, as stated in the first post, we are not discussing Bushing and his discovery here. This is not the place. There is a whole thread dedicated to that, please go there.
 

kikekakik

teq said:
zidane_genome said:
So, there IS a softmod out there... and it was done flashing the DVD drive... only he flashed it while it was outside the Wii... we're trying to flash it while it's IN the Wii...

The difference is that he has physical access to the drive.

It doesn't matter where the code originates from, the fact of the matter is, direct access to the drive is what you don't have if you're trying to access it via Starlet.


The only other alternative I can think of is initializing a disc that can access the drive directly without intervention from Starlet... but I don't know how that would work....


teq: I didn't mean any disrespect with my last post...

BUT YOU HAVE SERIOUS ISSUES.. I just quoted you because it looks like you don't remember when you agreed with the flashing thing...

but ok.. now I understand why you were included in that readme lol ...and this is not the topic

well.. first of all.. I still don't understand WHY DO YOU WANT TO USE Final Fantasy?

1. IT'S PPC CODE.. we have had access to PPC for a loooong time already... why injecting..
2. You have more chance of bricking messing with channels than creating your own app...
3. The code for coding a geckoRF-like program (obviously much more simple... just loading a disc) is already available

4.... just quoting from eol

marcansoft said:
crettius said:
I've been taking a look at GBAtemp and there's an interesting post on the subject. Nitrotux actually put forward an idea, and following the discussion that came after it, they've started turning the matter over. To start with, they've taken as their basis the code of "WabModCheap" created by Alone Trio, a backup loader via PC, I don't know if you remember it. The idea is to try to use its functions in a piece of software that allows other applications to be executed without a reset in between. There are 2 interesting possibilities:

1.- Start from the code of Final Fantasy CC: MLaaK, since they say it is entirely programmed in C and uncompiled.
2.- Reuse the GeckOS code, since it is understood to allow running software without going through the reset.

I really don't have much of a clue, maybe it's all nonsense; I'll paste the link to the post, let's see what you make of it.

http://gbatemp.net/index.php?showtopic=96232&st=0
If reading 1) doesn't leave you rolling on the floor laughing, then you need to improve your ninja anti-bullshit sense.

I know it's very likely you don't understand Spanish.... lol but I won't translate it for you.. LOL

...the chance of bricking your Wii by messing with IOS is high.. I know.. but only if you do something really stupid like messing with the IOS that the system menu uses or something like that.. an IOS is used ONLY when it is called..

and very likely most of the unknown vulnerabilities reside there....

and the DVD video thing I talked about can be found in IOS35! and IOS9? so.. maybe you haven't even looked at the IOS..

I think you are the one who is really smoking something.. and instead of flaming people.. just try to find something out on your own.. not only assuming that what you were told is always true..

I won't discuss anything else you answer to this post..
 

nitrotux

IOS37 said:
teq said:
dobbod said:
According to all the hints Marcan left @ elotrolado.net, there's a way to actually read from DVD-Rs without a softmod (and this is what they had discovered), and I think this is what should be found at first.

I'd like to read this. Can you direct me to the thread?
here
or here
"We know it works to read DVD-Rs, and therefore (with more or less effort) can be used to load copies."


Thanks, this is a very interesting piece of information. So they really have a method to read DVD-Rs without a drive chip.. I wonder how they did it.
 

teq

kikekakik said:
teq: I didn't mean any disrespect with my last post...

BUT YOU HAVE SERIOUS ISSUES.. I just quoted you because it looks like you don't remember when you agreed with the flashing thing...

but ok.. now I understand why you were included in that readme lol ...and this is not the topic

By this alone, I can already see that you're nothing but trouble.

Nowhere in my post does the word "flashing" appear. I chose not to correct zidane for the simple reason that I'm not petty, and chose rather to perpetuate the discussion.

If you're going to insinuate that I was in agreement with him for the simple fact that I did not correct him, you can fuck off with your semantics right now.

kikekakik said:
well.. first of all.. I still don't understand WHY DO YOU WANT TO USE Final Fantasy?

1. IT'S PPC CODE.. we have had access to PPC for a loooong time already... why injecting..
2. You have more chance of bricking messing with channels than creating your own app...
3. The code for coding a geckoRF-like program (obviously much more simple... just loading a disc) is already available

1) The viability of software that uses UNCOMPILED C to operate the entire program is the appeal. Not only that, it can be launched from the Wii menu and operates as a normal channel. If you still don't get why that would be desirable, I suspect you're a lost cause.

2) You can't brick your Wii if you make modifications to the code. Bricking most commonly occurs with bad banners, channel sounds, etc.

3) Like I said, GeckoRF operates from the Homebrew channel. This takes us out of the system menu IOS and probably distances us from an exploit within the IOS.

kikekakik said:
I know it's very likely you don't understand Spanish.... lol but I won't translate it for you.. LOL

Actually, I'm quite literate in Spanish, you bigot.

The problem I have with people like Marcan is that while they contribute to the "scene", they talk a big game -- to the point where they come off sounding like elitists. At least Bushing has an understanding of common courtesy.

kikekakik said:
and the DVD video thing I talked about can be found in IOS35! and IOS9? so.. maybe you haven't even looked at the IOS..

Uh, the video function is legacy code left over from when the Wii was going to have a DVD player. It may be there for the Japanese Wii coming out that'll have MPEG2 support, but it means nothing for most consoles. It's not something that's exploitable.

nitrotux said:
Thanks, this is a very interesting piece of information. So they really have a method to read DVD-Rs without a drive chip.. I wonder how they did it.
All my money is on the fact that the exploit lies in the boot sequence code.
 

zidane_genome

OP
teq, please, correct me if I'm wrong... I don't want to keep thinking something is true, and build on that if it's not.

As for the FFCC hacking, that is a great idea, and if you did mess up some coding, it would just crash the game, and you'd have to power cycle... there would be no bricking.

See, people use that word way too often, and for the wrong definition. If you BRICK a device, that's it, there's no fix. It's just that, a brick. No other uses... when you install a bad banner, you SEMI-Brick a Wii, since it can be fixed. (Load backup of TP with autoboot, run a wad uninstaller, remove bad wad)
 

teq

zidane_genome said:
teq, please, correct me if I'm wrong... I don't want to keep thinking something is true, and build on that if it's not.

I believe I mentioned it once, that the Wii's GC chip is a rom and would need to be replaced with the writable version in order to be flashed.

After that, I didn't feel it necessary to bring up again... and that anyone who did was just being anal about it(ie; this kike guy).

zidane_genome said:
As for the FFCC hacking, that is a great idea, and if you did mess up some coding, it would just crash the game, and you'd have to power cycle... there would be no bricking.

See, people use that word way too often, and for the wrong definition. If you BRICK a device, that's it, there's no fix. It's just that, a brick. No other uses... when you install a bad banner, you SEMI-Brick a Wii, since it can be fixed. (Load backup of TP with autoboot, run a wad uninstaller, remove bad wad)

I wouldn't say great, as it was just thinking outside the box.

When I saw the code for FFCC, I found that it would be a good platform to write on. It could be used to develop games, if exploited enough.


I was curious about the banner brick, as I've yet to experience one.... but is it possible to avoid the brick if the channel was installed on the second page?
 

Jacobeian

Could you elaborate more on FFCC "uncompiled code"? Never heard of that before, it seems a rather interesting way to run code.
But isn't that some kind of script language (which relies on a built-in script engine in the WiiWare application) or is it really C code?

Also, I've another question (please only answer if you really know, no need for speculations or fantasy theories):
when does the drive verify the validity of the inserted disc? Does it only happen when a disc is inserted and the drive starts spinning? Or is it checked continuously?

And what makes the drive start spinning? Starlet when it detects an inserted disc (notified by the drive), or automatically by the drive mechanism?

I think a better understanding of the low-level drive mechanism and commands would be very helpful...
Anyway, I agree with you, the most logical way would be some kind of particular Starlet register initialization (boot1?) that could screw up the disc verification.
 

teq

Jacobeian said:
Could you elaborate more on FFCC "uncompiled code"? Never heard of that before, it seems a rather interesting way to run code.
But isn't that some kind of script language (which relies on a built-in script engine in the WiiWare application) or is it really C code?

It's actually C... so there must be an on-the-fly compiler somewhere.

Jacobeian said:
Also, I've another question (please only answer if you really know, no need for speculations or fantasy theories):
when does the drive verify the validity of the inserted disc? Does it only happen when a disc is inserted and the drive starts spinning? Or is it checked continuously?

And what makes the drive start spinning? Starlet when it detects an inserted disc (notified by the drive), or automatically by the drive mechanism?

I think a better understanding of the low-level drive mechanism and commands would be very helpful...
Anyway, I agree with you, the most logical way would be some kind of particular Starlet register initialization (boot1?) that could screw up the disc verification.

The initial check is when the disc is first inserted, then once it runs through, there is a bank where all of this data is stored to reference. If the disc is authorized, it gets passed to the DVD_Read command, which is what causes the disc to spinup.

As far as understanding the drive, it's fairly simple, as we already know most of it from the GameCube reference.

The only outstanding problem is Starlet.
 
