Possible alternative to hacking 4.0

Discussion in 'Wii - Hacking' started by fogbank, May 25, 2009.

May 25, 2009
  1. fogbank
    OP

    Member fogbank GBAtemp Fan

    Joined:
    Oct 28, 2008
    Messages:
    413
    Country:
    United States
    Here is what I did:

    SystemMenu 3.3Uv1 (so IOS30 is trucha patched).

    No previous IOS16 on the system.

    I obtained IOS16 v512 using NUS Downloader v1.1 and packed it into a WAD. Installed that:

    Title=1-10 (IOS16) vers: 2.0 (512)

    Using Sorg's modified WAD Manager 1.4 I attempted to install IOS16 v257 using IOS30 and got an error (-1035).

    Using Nicksasa's FSToolbox I dumped the TMD from 0000000100000010 to my SD card.

    Using a hex editor I changed the value at 0x1DC in the TMD to x0001.

    With FSToolbox I wrote the modified TMD to the NAND:

    Title=1-10 (IOS16) vers: 0.1 (1)

    Using Sorg's modified WAD Manager 1.4 I attempted to install IOS16 v257 using IOS30. Success:

    Title=1-10 (IOS16) vers: 1.1 (257)

    This means I was able to successfully install IOS16 v257 on a system that already had IOS16 v512 using a trucha patched IOS.

    I have no idea if this would work on a virgin 4.0 Wii, but it may be worth a try. Also, since the LU64+ Wiis don't seem to have any trouble using IOS16 v257, this may be a way to install cIOS on 4.0 systems without using the DVDX installer.
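The procedure above hinges on one two-byte field of the stored TMD. To make the version numbers and the check concrete, here is an added Python example (not code from this thread, nor from WAD Manager, FSToolbox or NUS Downloader) that parses the title-version field of a constructed TMD header, renders it the way the WAD Manager lines quoted above do, models the anti-downgrade check the OP ran into, and adds a baseline check a defender could use to spot a stored TMD whose version has been pushed below what the system shipped with. Offset 0x1DC and the three WAD Manager lines come from the post; the other field offsets, the reading of -1035 as a version refusal and the "x.y" rendering as high byte/low byte are assumptions drawn from the public TMD layout and from the numbers shown above.

```python
import struct

# Field offsets in the Wii TMD header. The thread only names 0x1DC (the
# title-version field the OP patched); the other offsets follow the publicly
# documented TMD layout and are assumptions of this example.
TMD_TITLE_ID_OFF = 0x18C       # 8-byte big-endian title ID (1-10 = IOS16)
TMD_TITLE_VERSION_OFF = 0x1DC  # 2-byte big-endian title version
TMD_NUM_CONTENTS_OFF = 0x1DE   # 2-byte big-endian content count
TMD_HEADER_LEN = 0x1E4         # content records start here


def build_tmd(title_id, version, num_contents=1):
    """Construct a minimal, unsigned TMD header (constructed sample data).

    The signature block is left zeroed and no content records are appended,
    so the result is only good for exercising header parsing.
    """
    buf = bytearray(TMD_HEADER_LEN)
    struct.pack_into(">Q", buf, TMD_TITLE_ID_OFF, title_id)
    struct.pack_into(">H", buf, TMD_TITLE_VERSION_OFF, version)
    struct.pack_into(">H", buf, TMD_NUM_CONTENTS_OFF, num_contents)
    return bytes(buf)


def parse_tmd(data):
    """Return the title ID and title version read from a TMD header."""
    if len(data) < TMD_HEADER_LEN:
        raise ValueError("TMD shorter than header (%d bytes)" % len(data))
    (title_id,) = struct.unpack_from(">Q", data, TMD_TITLE_ID_OFF)
    (version,) = struct.unpack_from(">H", data, TMD_TITLE_VERSION_OFF)
    return {"title_id": title_id, "version": version}


def format_title(tmd):
    """Render a TMD like the WAD Manager lines in the thread,
    e.g. 'Title=1-10 (IOS16) vers: 2.0 (512)'.

    The 'x.y' form is the high and low byte of the 16-bit version field
    (512 = 0x0200 -> 2.0, 257 = 0x0101 -> 1.1, 1 = 0x0001 -> 0.1).
    Every 1-xx title is labelled IOS here for simplicity.
    """
    high = tmd["title_id"] >> 32
    low = tmd["title_id"] & 0xFFFFFFFF
    ver = tmd["version"]
    label = " (IOS%d)" % low if high == 1 else ""
    return "Title=%x-%x%s vers: %d.%d (%d)" % (
        high, low, label, ver >> 8, ver & 0xFF, ver)


def install_allowed(installed_tmd, new_tmd):
    """Anti-downgrade rule as the thread observed it: installing v257 was
    refused (-1035) while the stored TMD said v512, and accepted once the
    stored version field had been changed to 1.

    The gate reads the version straight from the stored TMD. The OP wrote
    that TMD back without re-signing it, which implies the gate never
    re-verifies the stored TMD's signature before trusting its version.
    """
    if installed_tmd is None:
        return True  # nothing installed, nothing to downgrade
    if installed_tmd["title_id"] != new_tmd["title_id"]:
        raise ValueError("TMDs belong to different titles")
    return new_tmd["version"] >= installed_tmd["version"]


def flag_suspicious_versions(stored_tmds, baseline):
    """Defensive inventory check: list stored titles whose TMD version is
    below a known-good baseline (hypothetical dict of title ID -> version).
    An IOS16 reading 0.1 (1) next to a baseline of 512 is exactly the
    footprint the procedure in this thread leaves on the NAND.
    """
    return [format_title(t) for t in stored_tmds
            if t["version"] < baseline.get(t["title_id"], 0)]


if __name__ == "__main__":
    ios16 = 0x0000000100000010
    stored = parse_tmd(build_tmd(ios16, 512))
    wad = parse_tmd(build_tmd(ios16, 257))
    print(format_title(stored), "->", "allowed" if install_allowed(stored, wad) else "refused")
    patched = parse_tmd(build_tmd(ios16, 1))
    print(format_title(patched), "->", "allowed" if install_allowed(patched, wad) else "refused")
    print(flag_suspicious_versions([patched], {ios16: 512}))
```

The design point the thread illustrates is that the version gate is only as strong as the integrity of the stored TMD it reads: a gate that validated the stored TMD's signature before using its version field would have refused the install, and an inventory check against a known-good baseline is the cheap way to notice that a stored version has moved backwards.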
     


  2. KiiWii

    Member KiiWii GBAtemp Psycho!

    Joined:
    Nov 17, 2008
    Messages:
    3,176
    Country:
    United Kingdom
    Nice work!

    Any volunteers to test on a virgin 4.0?
     
  3. xTimmy

    Newcomer xTimmy Member

    Joined:
    Jan 19, 2009
    Messages:
    36
    Location:
    A Confidential Establishment
    Country:
    United States
    I would volunteer, but it will have to wait until I get my fiancee a Wii
     
  4. beegee7730

    Banned beegee7730 ITS PAAFEKUTO!

    Joined:
    Mar 31, 2009
    Messages:
    1,693
    Location:
    England
    Country:
    United Kingdom
    I thought this was done before?
     
  5. sorgelig

    Member sorgelig GBAtemp Regular

    Joined:
    May 2, 2009
    Messages:
    170
    Country:
    Russia
    fogbank,
    to install anything not from Nintendo, you have to sign. Since you don't have Nintendo's key to sign, you have to fool the Wii by providing a trucha signature. In other words, there should be at least one IOS in the system having the trucha bug. Virgin 4.0 has no such IOS.

    You need to dig inside the Wii more seriously than just moving around known vulnerabilities. Do you really think that the people with big experience who discovered the vulnerabilities couldn't guess what you did?
     
  6. chunan

    Newcomer chunan Member

    Joined:
    May 17, 2009
    Messages:
    37
    Country:
    Taiwan
    LU64+ can't use FSToolbox as it can't dump files from the nand to sd card
     
  7. fogbank
    OP

    Member fogbank GBAtemp Fan

    Joined:
    Oct 28, 2008
    Messages:
    413
    Country:
    United States
    IOS16 v257 is signed by Nintendo.

    Comex's DVDX installer uses a similar mechanism to downgrade IOS35 (at least according to the available info).

    I know plenty about how the Wii security works, thank you.
     
  8. fogbank
    OP

    Member fogbank GBAtemp Fan

    Joined:
    Oct 28, 2008
    Messages:
    413
    Country:
    United States
    In his post about his release, Nicksasa said FSToolbox should work with newer IOS versions. It's possible that it doesn't, and that was the one thing I could think of that would stop this from working.

    Also, the real limitation would be writing to the NAND with FSToolbox, because you don't really need to dump the IOS16 TMD from the NAND on the Wii you're working with.
     
  9. WiiPower

    Member WiiPower GBAtemp Guru

    Joined:
    Oct 17, 2008
    Messages:
    8,165
    Country:
    Germany
    I don't see much chance for this; FSToolbox requires a trucha IOS to write to NAND. And that's not available on 4.0, and on 3.4 there's no IOS16. WiiGator's cBoot2 works from BootMii IOS and runs IOS without the need to install. And i heard that the next version of BootMii will allow installing BootMii IOS on LU64+ Wiis.
     
  10. fogbank
    OP

    Member fogbank GBAtemp Fan

    Joined:
    Oct 28, 2008
    Messages:
    413
    Country:
    United States
    When I write the modified TMD to the NAND it is not fakesigned, so where is the trucha bug being exploited in this scenario?

    I would think that maybe the IOS_Open calls have been secured in 3.4/4.0, so FSToolbox would not work...?
     
  11. WiiPower

    Member WiiPower GBAtemp Guru

    Joined:
    Oct 17, 2008
    Messages:
    8,165
    Country:
    Germany
    It's worth a test on the new Wiis, but i expect from Nintendo that they don't allow anybody to write to NAND. And also i think Nicksasa's tool uses an Identify as SU, which requires trucha and ES_Identify, which are both patched.
     
  12. fogbank
    OP

    Member fogbank GBAtemp Fan

    Joined:
    Oct 28, 2008
    Messages:
    413
    Country:
    United States
    I expect you are right. Nicksasa stated that he didn't use ES functions, but the first output from his tool is "Informing the Wii that I am God..." (a la ATD), so I think that means he built on functions that already used ES_Identify to identify as SU.

    I have a 3.4U Wii boxed up in storage, so I may give it a try when I have some time to break it out, but I suspect it won't work.

    Thanks for the input.
     
  13. ether2802

    Former Staff ether2802 we have the techno...!!

    Joined:
    Oct 14, 2007
    Messages:
    4,350
    Location:
    Pto. Vallarta
    Country:
    Mexico
    you really need to test this on a 4.0 just to be sure it will work or not, cause guessing is not really a good way to sort the thing out...!!
     
  14. WiiPower

    Member WiiPower GBAtemp Guru

    Joined:
    Oct 17, 2008
    Messages:
    8,165
    Country:
    Germany
    I still see the best chance at cBoot2 as it does not touch any installed IOS except BootMii IOS if BootMii could not be installed as boot2.
     
  15. sorgelig

    Member sorgelig GBAtemp Regular

    Joined:
    May 2, 2009
    Messages:
    170
    Country:
    Russia
    oh yeah.. try this and see how it will work and how many files you will be able to access, even just for reading.

    Do you think an application working with NAND requires super user authentication just for fun?

    Take FSBrowser. It is a good example of access rights. Try to authenticate as system menu and then as super user. See the difference.

    It's not a signing bug vulnerability, but it has also been fixed.
    If you try to authenticate as SU with cIOS then you will succeed. But if you try it with, for example, IOS61, then you will fail.
     
  16. fogbank
    OP

    Member fogbank GBAtemp Fan

    Joined:
    Oct 28, 2008
    Messages:
    413
    Country:
    United States
    Agreed. There is still an exploit out there that can accomplish this (used by Comex's DVDX installer), but the method I described would likely fail without being able to authenticate as SU.

    Sounds like cboot2 may be a more viable solution anyway.
     
  17. sorgelig

    Member sorgelig GBAtemp Regular

    Joined:
    May 2, 2009
    Messages:
    170
    Country:
    Russia
    as far as i know LU64+ are too new to have a vulnerable boot1. So you will not be able to install BootMii (and its modifications) as boot2.
    To install it as IOS, you again have to use SU authentication.
    I don't know if DVDX has something special to be able to be installed. If so, then there is a chance.

    Another problem for LU64+ is the inability to run most homebrew. The screen goes black and nobody, including bushing, knows why it happens.
     
  18. WiiPower

    Member WiiPower GBAtemp Guru

    Joined:
    Oct 17, 2008
    Messages:
    8,165
    Country:
    Germany
  19. fogbank
    OP

    Member fogbank GBAtemp Fan

    Joined:
    Oct 28, 2008
    Messages:
    413
    Country:
    United States
    I agree that LU64+ probably all have the newer boot1, however both the HBC/HackMii team and Comex must have another exploit at their disposal because they both seem to be able to add to or modify content on the NAND even on systems with the ES_Identify bug patched (3.4 and higher). Like I mentioned earlier, Comex's DVDX installer can modify IOS35 on 3.4 and 4.0 systems with no existing cIOS, and the HackMii installer can add HBC, BootMii as IOS, and DVDX on virgin 3.4/4.0 systems as well. I think the chances of this exploit being made public any time soon are "slim-to-none", but that is understandable.

    My hope was that somehow Nicksasa's app used this exploit to read/write to the NAND (that's why I asked him if he used ES_Identify) but obviously I was wrong and he didn't realize that he was using it.
     
  20. chunan

    Newcomer chunan Member

    Joined:
    May 17, 2009
    Messages:
    37
    Country:
    Taiwan
    I don't know if FSToolbox uses ES_Identify, but I got "Error! ES_Identify (ret=-1017)" once I loaded it on my LU64+.
     
