Hacking Possiable ways to softmod the Wii

[zidane_genome]

Rules :

Talk about how to softmod the Wii. There will be no mention of Bushings, his 5 day deadline, or anything related to his "discovery".

This is for US to spitball ideas off each other on ways to make a softmod.

If you mention Bushings, want to flame, or go offtopic, you'll be reported.

Now, to start things off...

I was reading the last thread, and the idea that nitrotux had about re-writing the firmware of the drive. I know this can be done on the 360, but that's because it has an actual PC interface (SATA)... since the Wii drive doesn't have a PC interface, we have to make a work around.

Is there a way to put the drive into debug mode from a .elf/.dol? Send the commands to put it into debug mode from HBC or TPhack? Once that's taken care of, can the drive read a normal DVD? If so, can the firmware be burnt to a disc to be read by the drive?

 

[fischju]

What is that method for booting backups without a modchip, when you have it connected to a PC?

 

[Forcystos]

http://dl.qj.net/Applications/pg/12/fid/13322/catid/526

This application's source should be very helpful. This is the program that enables backups when connected to a PC via parallel port. There's important addresses in there, including the addresses that have to be unlocked...

 

[zidane_genome]

Holy jesus! This would be so easy! But as far as I can see this only works on the DMS/D2A and D2B model Wii's as it is.

Now I just need to learn a little Wii programming...

// WII MODEL DETECTION -------------------------------------------------------------
ÂÂÂÂcn302_peek_byte(0x40BCB2, wiimodel);
ÂÂÂÂprintf("[+] WII Model Detection : ");
ÂÂÂÂÂÂÂÂif(wiimodel[0]!=0x20){
ÂÂÂÂÂÂ printf("DMS/D2A\n");
ÂÂÂÂÂÂ wii_memlocs = 0x82b6;
ÂÂÂÂÂÂ wii_mediaflag = 0x8576;
ÂÂÂÂÂÂ wii_emuflag = 0x8598;
ÂÂÂÂÂÂ wii_di = 0x8308;
ÂÂÂÂÂÂ wii_speed = 0x40BD7A;
ÂÂÂÂ}
ÂÂÂÂelse{
ÂÂÂÂÂÂ printf("D2B\n");
ÂÂ ÂÂÂÂÂÂ wii_memlocs = 0x82be;
ÂÂÂÂÂÂÂÂ wii_mediaflag = 0x8580;
ÂÂ ÂÂÂÂÂÂ wii_emuflag = 0x85A2;
ÂÂ ÂÂÂÂÂÂ wii_di = 0x8310;
ÂÂ ÂÂÂÂÂÂ wii_speed = 0x40BD86;

ÂÂÂÂ} 



// UNLOCK WII MEM ------------------------------------------------------------------ÂÂÂÂÂÂÂÂ
ÂÂÂÂÂÂÂÂcn302_write_block(wii_memlocs,0x2,wiiunlockcmd);ÂÂÂÂ
ÂÂÂÂprintf("[+] WII Memory Unlocked\n");

// WAIT FOR DISK INSERTED ---------------------------------------------------------
ÂÂÂÂprintf("\nPlease Insert a Disk...\n\n");
ÂÂÂÂcn302_peek_byte(0x40BA06, inquiry);

ÂÂÂÂwhile((inquiry[0] != 0xD0) && (inquiry[0] != 0xD2) && (inquiry[0] != 0xF3) && (inquiry[0] != 0xF4)){
ÂÂÂÂÂÂÂÂcn302_peek_byte(0x40BA06, inquiry);
ÂÂÂÂ}ÂÂÂÂ

ÂÂÂÂprintf("[+] Disk Inserted\n");

// PATCHING W00T !! --------------------------------------------------------------

ÂÂÂÂÂÂÂÂÂÂÂÂcn302_write_block(wii_memlocs,0x2,wiiunlockcmd);ÂÂÂÂ

ÂÂÂÂÂÂÂÂif(strcmp(argv[3],"Y")==0){
ÂÂÂÂÂÂÂÂÂÂÂÂprintf("[+] Patching Disk Speed !!\n");
ÂÂÂÂÂÂÂÂÂÂÂÂcn302_write_block(wii_speed,0x2,speed_value);
ÂÂÂÂÂÂÂÂ}
ÂÂÂÂÂÂÂÂelse{
ÂÂÂÂÂÂÂÂÂÂÂÂprintf("[+] Leave Low Speed Disk (not patching)\n");
ÂÂÂÂÂÂÂÂ}

ÂÂÂÂÂÂÂÂprintf("[+] Patching MediaFlag\n");
ÂÂÂÂÂÂÂÂcn302_poke_byte(wii_mediaflag,0x28);
ÂÂÂÂÂÂÂÂcn302_poke_byte(wii_emuflag,0x04);

ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂcn302_peek_byte(0x408817, &disk_mediaflag[0]);
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂcn302_peek_byte(0x408816, &disk_mediaflag[1]);
ÂÂÂÂÂÂÂÂÂÂÂÂcn302_peek_byte(0x408815, &disk_mediaflag[2]);
ÂÂÂÂÂÂÂÂcn302_write_block(wii_mediaflag + 2,0x2,disk_mediaflag);
ÂÂÂÂÂÂÂÂcn302_write_block(wii_mediaflag + 6,0x2,disk_mediaflag);
ÂÂÂÂÂÂÂÂcn302_write_block(wii_mediaflag + 12,0x2,disk_mediaflag);
ÂÂÂÂÂÂÂÂcn302_write_block(wii_mediaflag + 16,0x2,disk_mediaflag);
ÂÂÂÂÂÂÂÂcn302_poke_byte(wii_mediaflag+4,disk_mediaflag[2]);
ÂÂÂÂÂÂÂÂcn302_poke_byte(wii_mediaflag+8,disk_mediaflag[2]);
ÂÂÂÂÂÂÂÂcn302_poke_byte(wii_mediaflag+14,disk_mediaflag[2]);
ÂÂÂÂÂÂÂÂcn302_poke_byte(wii_mediaflag+18,disk_mediaflag[2]);

ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂcn302_peek_byte(wii_di, inquiry);
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂwhile(inquiry[0] != 0xA8){
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂcn302_peek_byte(wii_di, inquiry);
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ}
ÂÂÂÂÂÂÂÂcn302_poke_byte(wii_mediaflag,0x38);

 

[teq]

There's only one problem with all of this: Implementing this via homebrew will be hard to do, as IOS reloads after any homebrew is exited.

But, don't fret! Because I have an alternative: Final Fantasy CC: MLaaK. The entire game is written in uncompiled C.

This provides an entrypoint that should allow the D2x to retain memory.

 

[jan777]

teq may be my next homebrew god

 

[teq]

teq may be my next homebrew god

Well, at present, I'm trying to see if I can piece a few loose ends together.... but don't get your hopes up.

I don't come from a console hacking background and I don't have the resources(ie: Infectus) or knowledge Bushing has accumulated, so I won't claim to.

 

[fischju]

If I had the ability to retain hopes, they would be in an elevated state now.

I will once again unpack my Wii ISOs from my failed chipping attempt.

 

[teq]

If I had the ability to retain hopes, they would be in an elevated state now.

I will once again unpack my Wii ISOs from my failed chipping attempt.

Sigh... what did I do?


Now I have to come up with results... but I'm so lazy...

 

[zidane_genome]

teq, I'm still learning some basic Wii coding, but could it be possible to "patch" GeckoOS to send these commands when loading a disc? I'm probably wrong, but hey, worth a shot!

 

[NeSchn]

Sorry I know you said don't mention anything about bushings or his 5 day deadline but what the hell is it?

 

[zidane_genome]

Sorry I know you said don't mention anything about bushings or his 5 day deadline but what the hell is it?

Do a search, we're not discussing it here... last warning...

 

[fischju]

If I had the ability to retain hopes, they would be in an elevated state now.

I will once again unpack my Wii ISOs from my failed chipping attempt.

Sigh... what did I do?


Now I have to come up with results... but I'm so lazy...

Well, it will take 4 more days for these new games to be done, and at least a day to unrar and burn them all. So, 5 days?

 

[zidane_genome]

ha ha ha... 5 days... very funny... but anyway... teq, let me know what you think of "injecting" some code into GeckoOS

 

[Christen]

ha ha ha... 5 days... very funny... but anyway... teq, let me know what you think of "injecting" some code into GeckoOS

In order to do that, would you not need access to the source code for Gecko?

 

[teq]

ha ha ha... 5 days... very funny... but anyway... teq, let me know what you think of "injecting" some code into GeckoOS

It's viable, but GeckOS has no source available... and like I mentioned before, I'm lazy.

 

[Christen]

Well, there's always tomorrow to start working on it, no rush.

 

[teq]

Well, there's always tomorrow to start working on it, no rush.

I plan to be lazy tomorrow, as well.

In any case, I'm collecting a lot of information, such as these tidbits from the OGC library:


CODE * \fn s32 DVD_MountAsync(dvdcmdblk *block,dvdcbcallback cb)
* \brief Mounts the DVD drive.
*
*ÂÂÂÂÂÂÂÂYou must call this function in order to access the DVD.
*
*ÂÂÂÂÂÂÂÂFollowing tasks are performed:
*ÂÂÂÂÂÂ- Issue a hard reset to the drive.
*ÂÂÂÂÂÂ- Turn on drive's debug mode.
*ÂÂÂÂÂÂ- Patch drive's FW.
*ÂÂÂÂÂÂ- Enable extensions.
*ÂÂÂÂÂÂ- Read disc ID

#define DVD_SPINMOTOR_ACCEPTÂÂÂÂ0x00004000ÂÂÂÂ/*!< Force DVD to accept the disk */

Granted, this is for the Gamecube library, but I'm wondering if it could still be activated via IPC... or if they've extended it to the Wii. Anyone care to chime in?

 

[denzil]

As Erant said before, probably in one of the "lost" threads: the necessary debug commands will not reach the drive, but get blocked by some yet unknown mechanism in Hollywood.

 

[teq]

As Erant said before, probably in one of the "lost" threads: the necessary debug commands will not reach the drive, but get blocked by some yet unknown mechanism in Hollywood.

Perhaps not Hollywood, but IOS?

The modified IOS released patches /dev/di to /dev/do, presumably so that Starlet doesn't impose the limit on DVDUnencryptedRead.

It might be possible that through the same method, certain calls will pass through unobstructed.