Hacking System Menu questions/thoughts

  • Thread starter: OSW
  • Views: 168,127
  • Replies: 1,572
what what what...????
 
fogbank said:
Maybe launching games from the disc channel causes a hash check on the IOS that they require. And since all the IOSes have been "hacked" they fail the hash check and the game prompts for an update.

I realize that most of the people using this hack understood the consequences of what they were doing (and felt it was worth it), but think about it:

- ALL IOSes now use the same 00000001.app containing DVD drive code, whereas before there were four different .app files containing DVD drive code and different IOSes used different .app files.

- ALL IOSes between 9 and 22 have been completely replaced with different IOSes.

- The hashes of all IOSes have been altered by adding the DIP code and now all games prompt for updates unless you have Starfall installed.

If you are reading this thread and thinking that this is a pretty harmless hack then you need to consider these things. For everyone else....well I guess "have fun"!
I understand what you're saying. However, I don't think games could hash check the IOS they are running on, because Nintendo sometimes releases updated versions of existing IOSes, e.g. when they fixed the signing bug. Disc-based games could not be updated to have the new hashes, so the games couldn't check the hashes as they wouldn't know whether the hash difference was a genuine update by Nintendo or a hack.
 
Did anyone ever get the source to menupatcher by Wan?? I tried to register on the site but my Spanish isn't too good, and every time I try with a Google/Yahoo translator it throws me back to Spanish at the registration screen and I can't figure out what all the Spanish says.... (I'm pretty sure it's Spanish!)

http://teknoconsolas.info/foro/viewtopic.p...=95&t=58235

Nevermind I got it...


#include <string.h>    /* memcmp, memcpy */
#include <gctypes.h>   /* libogc u8 / u32 / s32 */


s32 __Sysmenu_PatchApply(u8 *dol, u32 len, const u8 *orig, const u8 *patched, u32 patch_len)
{
    u32 cnt;

    /* A pattern longer than the buffer can never match (and would wrap the loop bound below) */
    if (patch_len > len)
        return -1;

    /* Find code and patch it: the first match wins and its offset is returned */
    for (cnt = 0; cnt + patch_len <= len; cnt++) {
        u8 *ptr = dol + cnt;

        if (!memcmp(ptr, orig, patch_len)) {
            /* Replace code */
            memcpy(ptr, patched, patch_len);

            return cnt;
        }
    }

    /* Pattern not found */
    return -1;
}

void Sysmenu_PatchIOSReload(u8 *dol, u32 len)
{
    const u8 oldcode[] = { 0x7F, 0x06, 0xC3, 0x78, 0x7F, 0x25, 0xCB, 0x78, 0x38, 0x7E, 0x02, 0xC0, 0x4C, 0xC6, 0x31, 0x82 };
    const u8 newcode[] = { 0x3B, 0x20, 0x00, 0x01, 0x3B, 0x00, 0x00, 0xF9, 0x38, 0x7E, 0x02, 0xC0, 0x4C, 0xC6, 0x31, 0x82 };

    /* Patch IOS reload */
    __Sysmenu_PatchApply(dol, len, oldcode, newcode, sizeof(oldcode));
}

void Sysmenu_PatchUpdateCheck(u8 *dol, u32 len)
{
    const u8 oldcode[] = { 0x80, 0x65, 0x00, 0x50, 0x80, 0x85, 0x00, 0x54, 0xA0, 0xA5, 0x00, 0x58,
                           0x48, 0x21, 0xC5, 0xB9, 0x2C, 0x03, 0x00, 0x00, 0x40, 0x82, 0x00, 0x20 };
    const u8 newcode[] = { 0x80, 0x65, 0x00, 0x50, 0x80, 0x85, 0x00, 0x54, 0xA0, 0xA5, 0x00, 0x58,
                           0x48, 0x21, 0xC5, 0xB9, 0x2C, 0x03, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00 };

    /* Patch update check: the final conditional branch (0x40820020) becomes a PowerPC nop (0x60000000) */
    __Sysmenu_PatchApply(dol, len, oldcode, newcode, sizeof(oldcode));
}

s32 __Sysmenu_PatchRegionJap(u8 *dol, u32 len)
{
    const u8 oldcode[] = { 0x2C, 0x1B, 0x00, 0x00 };
    const u8 newcode[] = { 0x60, 0x00, 0x00, 0x00 };

    /* Patch JAP region */
    return __Sysmenu_PatchApply(dol, len, oldcode, newcode, sizeof(oldcode));
}

s32 __Sysmenu_PatchRegionUsa(u8 *dol, u32 len)
{
    const u8 oldcode[] = { 0x28, 0x1B, 0x00, 0x01 };
    const u8 newcode[] = { 0x60, 0x00, 0x00, 0x00 };

    /* Patch USA region */
    return __Sysmenu_PatchApply(dol, len, oldcode, newcode, sizeof(oldcode));
}

s32 __Sysmenu_PatchRegionPal(u8 *dol, u32 len)
{
    const u8 oldcode[] = { 0x28, 0x1B, 0x00, 0x02 };
    const u8 newcode[] = { 0x60, 0x00, 0x00, 0x00 };

    /* Patch PAL region */
    return __Sysmenu_PatchApply(dol, len, oldcode, newcode, sizeof(oldcode));
}

void Sysmenu_PatchRegionFree(u8 *dol, u32 len)
{
    const u8 code[] = { 0x7C, 0x60, 0x07, 0x74, 0x2C, 0x00, 0x00, 0x01, 0x41, 0x82,
                        0x00, 0x30, 0x40, 0x80, 0x00, 0x10, 0x2C, 0x00, 0x00, 0x00 };

    u32 cnt;

    /* Find code: instructions are 4-byte aligned; stop before the pattern would run past the end */
    for (cnt = 0; cnt + sizeof(code) <= len; cnt += 4) {
        u8 *ptr = dol + cnt;

        /* Code found: the 4-byte region compares are searched only in the code that follows it */
        if (!memcmp(code, ptr, sizeof(code))) {
            u32 size = len - cnt;
            s32 ret;

            /* Patch regions */
            ret = __Sysmenu_PatchRegionJap(ptr, size);
            if (ret < 0)
                ret = __Sysmenu_PatchRegionUsa(ptr, size);
            if (ret < 0)
                ret = __Sysmenu_PatchRegionPal(ptr, size);
        }
    }
}

void Sysmenu_PatchNocopySaves(u8 *dol, u32 len)
{
    {
        const u8 oldcode[] = { 0x54, 0x00, 0x07, 0xFF, 0x41, 0x82, 0x00, 0x1C, 0x80, 0x63, 0x00, 0x68 };
        const u8 newcode[] = { 0x7C, 0x00, 0x00, 0x00, 0x41, 0x82, 0x00, 0x1C, 0x80, 0x63, 0x00, 0x68 };

        /* Patch "nocopy" savegame check (1) */
        __Sysmenu_PatchApply(dol, len, oldcode, newcode, sizeof(oldcode));
    }
    {
        const u8 oldcode[] = { 0x54, 0x00, 0x07, 0xFF, 0x41, 0x82, 0x00, 0x24, 0x38, 0x7E, 0x12, 0xE2 };
        const u8 newcode[] = { 0x7C, 0x00, 0x00, 0x00, 0x41, 0x82, 0x00, 0x24, 0x38, 0x7E, 0x12, 0xE2 };

        /* Patch "nocopy" savegame check (2) */
        __Sysmenu_PatchApply(dol, len, oldcode, newcode, sizeof(oldcode));
    }
    {
        const u8 oldcode[] = { 0x48, 0x00, 0x00, 0x58, 0x38, 0x61, 0x01, 0x00, 0x38, 0x8D, 0x9F, 0x68, 0x48, 0x03, 0xC9, 0x25 };
        const u8 newcode[] = { 0x48, 0x00, 0x00, 0x58, 0x38, 0x61, 0x01, 0x00, 0x38, 0x8D, 0x9F, 0x68, 0x38, 0x60, 0x00, 0x01 };

        /* Patch "nocopy" savegame check (3) */
        __Sysmenu_PatchApply(dol, len, oldcode, newcode, sizeof(oldcode));
    }
    {
        const u8 oldcode[] = { 0x80, 0x01, 0x00, 0x08, 0x2C, 0x00, 0x00, 0x00, 0x41, 0x82, 0x00, 0x0C, 0x3B, 0xE0, 0x00, 0x01 };
        const u8 newcode[] = { 0x80, 0x01, 0x00, 0x08, 0x2C, 0x00, 0x00, 0x00, 0x41, 0x82, 0x00, 0x0C, 0x3B, 0xE0, 0x00, 0x00 };

        /* Patch "nocopy" savegame check (4) */
        __Sysmenu_PatchApply(dol, len, oldcode, newcode, sizeof(oldcode));
    }
    {
        const u8 oldcode[] = { 0x41, 0x82, 0x00, 0x24, 0x38, 0x7E, 0x12, 0xE2, 0x4C, 0xC6, 0x31, 0x82, 0x48, 0x1B, 0xB4, 0xC9 };
        const u8 newcode[] = { 0x80, 0x1D, 0x00, 0x24, 0x54, 0x00, 0x00, 0x3C, 0x90, 0x1D, 0x00, 0x24, 0x48, 0x00, 0x00, 0x18 };

        /* Patch "nocopy" savegame check (5) */
        __Sysmenu_PatchApply(dol, len, oldcode, newcode, sizeof(oldcode));
    }
}


Source here.... http://www.mediafire.com/file/xmunnnmoote/...-v1_src.tar.bz2

Hope this helps...
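An added example, not Wan's menupatcher code and not from this thread: the same original/patched byte pairs used the other way round, as a Python scanner that reports whether a dumped System Menu DOL image already carries these patches, which is the check you want before trusting or re-patching an image (a site found in both forms, or more than once, is exactly the case where a first-match patcher like the one above is unsafe). The sample image is constructed inline and is not a real DOL.

```python
PATCHES = {
    # (original bytes, patched bytes) for three of the sequences the patcher looks for
    "ios_reload": (bytes.fromhex("7F06C3787F25CB78387E02C04CC63182"),
                   bytes.fromhex("3B2000013B0000F9387E02C04CC63182")),
    "update_check": (bytes.fromhex("8065005080850054A0A500584821C5B92C03000040820020"),
                     bytes.fromhex("8065005080850054A0A500584821C5B92C03000060000000")),
    "nocopy_1": (bytes.fromhex("540007FF4182001C80630068"),
                 bytes.fromhex("7C0000004182001C80630068")),
}


def find_all(image: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs in image (overlapping hits included)."""
    hits, start = [], 0
    while (i := image.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def classify(image: bytes, name: str) -> str:
    """Report whether one patch site is untouched, patched, missing or ambiguous."""
    orig, patched = PATCHES[name]
    o, p = find_all(image, orig), find_all(image, patched)
    if o and p:
        return "ambiguous"      # both forms present: not a clean single site
    if len(o) == 1:
        return "original"
    if len(p) == 1:
        return "patched"
    if o or p:
        return "multiple"       # same form more than once: first-match patching would be unsafe
    return "absent"             # different menu version, or the site simply is not there


def scan(image: bytes) -> dict:
    return {name: classify(image, name) for name in PATCHES}


def is_modified(image: bytes) -> bool:
    """True if any site already carries the patched bytes."""
    return any(state == "patched" for state in scan(image).values())


# Constructed sample image (not a real DOL): zero filler, the patched IOS reload
# sequence, a few 'blr' instructions, then an untouched update-check sequence.
SAMPLE = (b"\x00" * 16 + PATCHES["ios_reload"][1] + b"\x4E\x80\x00\x20" * 4
          + PATCHES["update_check"][0] + b"\x00" * 8)

if __name__ == "__main__":
    print(scan(SAMPLE), "modified" if is_modified(SAMPLE) else "clean")
```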
 
@ Ironmask. About the menupatcher code... that's what I've been looking into, trying to figure out the correct entries for the following lines with preloader installed, as I think that is all that prevents it from working.

/* Constants */
#define SYSMENU_ADDR 0x8132FF80 -> believe the correct is 0x8132FFE0
#define SYSMENU_LEN 0x380000
#define SYSMENU_TITLEID 0x100000002ULL -> need new titleid

So if we can figure out what the correct ADDR and TITLEID are, we should be able to recompile menupatcher to work with preloader, and then we can set it to autoboot a system menu with true region-free disc channel loading. With the above ADDR changed I still reboot into preloader, but without a crash. So does anyone have any idea what the new ADDR and TITLEID would be, assuming my ADDR is still wrong?
 
digitydogs said:
@ Ironmask. About the menupatcher code... that's what I've been looking into, trying to figure out the correct entries for the following lines with preloader installed, as I think that is all that prevents it from working.

/* Constants */
#define SYSMENU_ADDR 0x8132FF80 -> believe the correct is 0x8132FFE0
#define SYSMENU_LEN 0x380000
#define SYSMENU_TITLEID 0x100000002ULL -> need new titleid

So if we can figure out what the correct ADDR and TITLEID are, we should be able to recompile menupatcher to work with preloader, and then we can set it to autoboot a system menu with true region-free disc channel loading. With the above ADDR changed I still reboot into preloader, but without a crash. So does anyone have any idea what the new ADDR and TITLEID would be, assuming my ADDR is still wrong?
That would be much easier than cIOSCORP and quite easy to remove, but wouldn't it slow down the time it takes for it to turn on?
 
For me preloader loads instantly, and when autobooting I haven't noticed any slowdown unless a hacks.ini file isn't present on NAND or SD.
 
pelago said:
fogbank said:
Maybe launching games from the disc channel causes a hash check on the IOS that they require. And since all the IOSes have been "hacked" they fail the hash check and the game prompts for an update.
I understand what you're saying. However, I don't think games could hash check the IOS they are running on, because Nintendo sometimes releases updated versions of existing IOSes, e.g. when they fixed the signing bug. Disc-based games could not be updated to have the new hashes, so the games couldn't check the hashes as they wouldn't know whether the hash difference was a genuine update by Nintendo or a hack.

I didn't say that the games do the hash check, I said that launching games from the Disc Channel causes a hash check to be done (meaning the IOS could do it).

Either way, I don't think that's the case now... it could be the IOS4 that's not DIP'ed.

Pure speculation of course...
 
Well everyone, I created a modified TF Packer made for packing IOS WADs that I think everyone will like.

This is Trent's TF Packer, made for VC games, modified to show and pack WADs that are in the System Menu titles. Enjoy.

Wii IOS Packer with a GUI which lists everything in your system titles off of your WII_FS; just click on the one you want to pack and that's it, easy as pie.
http://www.megaupload.com/?d=247RBGDO

I did remove the common.key so I could post it. It still doesn't give the IOS number, but I believe you can figure that one out on your own.
I just use debug mode to list the IOS numbers.
 
