Hacking The 3.3 Upgrade News from Bushing

[MarcoZ]

Breaking news (har har har)! Check back for updates.

Several pieces of Nintendo system software have been updated:

====== Titles Changed ======

SystemMenu
Title ID: 00000001-00000002
Version: 0x 161
Size: 23511040
Contents: 9 (of which 6 are shared)

IOS30
Title ID: 00000001-0000001e
Version: 0x a10
Size: 1933312
Contents: 15 (of which 14 are shared)

IOS31
Title ID: 00000001-0000001f
Version: 0x a10
Size: 1933312
Contents: 15 (of which 14 are shared)

bc
Title ID: 00000001-00000100
Version: 0x 4
Size: 98304
Contents: 2 (of which 0 are shared)

mios
Title ID: 00000001-00000101
Version: 0x 8
Size: 262144
Contents: 2 (of which 0 are shared)

Channel 'HACA'
Title ID: 00010002-48414341
Version: 0x 5
Size: 8290304
Contents: 7 (of which 3 are shared)

I’m currently disassembling these to see what has changed. Please do not pester me about this or ask what our response will be; this isn’t exactly easy or quick. Comments will be enabled once i’ve completed my analysis.

Update 1: IOS30 and IOS31 have been changed — specifically, the kernel. The old timestamps read:

$IOSVersion: FFS: 06/08/07 18:10:10 64M $
$IOSVersion: ES: 07/10/07 18:11:26 64M $
$IOSVersion: IOSP: 06/25/07 14:17:16 64M $

The new timestamps read

$IOSVersion: FFS: 06/08/07 18:10:10 64M $
$IOSVersion: ES: 07/10/07 18:11:26 64M $
$IOSVersion: IOSP: 04/03/08 19:37:33 64M $

It’s interesting that Nintendo bothered to update the IOSP timestamp, because the only change I see in IOSP is that the version reported changed (there’s a variable that stores the value “040308?). They’re trying to be clever; the actual bug fix was in ES, where the encryption code lives.

The strncmp signing bug has been fixed in IOS30, which is what the system menu uses. (The new signature-checking code is identical to that in IOS37.) This probably means that it will no longer boot Trucha-signed discs, but I have not yet tried it. Early reports on IRC indicate that the Homebrew Channel still works; this is consistent with my understanding that the system menu does not verify the content of already-installed content.

I don’t know why IOS31 was patched.

Update 2: Okay, now this is just silly. Three functions have been added to the system menu. Guess what they do:

* ipl::utility::ESMisc:eleteSavedata((unsigned long long, EGG::Heap*))
* ipl::utility::ESMisc::VerifySavedataZD((unsigned long long, EGG::Heap*))
* WADCheckSavedataZD

We Are Not Impressed.
Update 3: They wrote a special-purpose function to try to check for the exact exploit we used — specifically, if a savegame is for Zelda, it checks the length of 6 strings inside the savefile (two of which are the player name and horse name). It repeats this check for all 3 saveslots, and then another three times for all 3 backup slots.

No, we do not have a response to this yet; we will probably take a few days to formulate one. I predicted Nintendo would *not* do this; I’m disappointed. This was the first bug we found, in the first game we tried. We’ll find others, and they’ll have to try to catch up to each.

I’ll open up comments, but please only post if you have something constructive to say.

Update 4: It’s interesting to look at the timestamps here. The System Menu has a build marker of “systemmenu.rvl.0803060727? – yes, that’s March 6, 2008, 07:27. This update to the menu only accomplished one thing, as far as I can tell — the blocking of the TP hack. (I guess we can count the IOS30 patch together with it.) They spent 3 months testing it — this isn’t actually that surprising, when you consider the potential financial damage if they roll an update out that bricks Wiis.

Congrats to tmbinc and tehpola for finding a combination of two bugs in the code that Nintendo added that — when combined — allow us to fool their check into ignoring the TP hack. More info will be forthcoming — I still wouldn’t rush to update my system, anyway.

This still leaves the issue of how to deal with IOS30; there are several different ways to deal with this — some of which have already been released by people — and we’ll need to take some time to decide on the best one to use and test it thoroughly. There’s no urgency here, no need to rush into something.

Was passed on to me via MSN, so formatting is not the same as the site. Thanks DarkRoy.
EDIT: Was missing update 4.

 

[zant]

well, I hope they release it soon. maybe sometime this week would be nice.

 

[RyuKakashi]

there's no rush for them to release it. most people already have HBC installed.

 

[zant]

yeah, but I had to format my wii cuz it was actin up, and my sister "did me a faver" and updated, so no HBC for me. thats why im in a rush here.

 

[RyuKakashi]

Well there's nothing heating up in terms of homebrew, so I don't see the rush there.
As for virtual console games and wiiware, I don't think you should be so excited to play those.
VC games you can just emulate otherwise. Wiiwares aren't that great.
Give other Wii games a try such as Boom Blox, No More Heroes, maybe even castle of shikigami 3.

 

[Mysticcal]

I still don't see why people have not added drivechips yet, if you have a drivechip, you can still install HBC. otherwise. go buy your games on VC as well as disc form like nintendo wants.

 

[kedest]

It's nice to see people are already thinking about solutions. I just hope homebrew is here to stay, but I have no interest in pirated VC and WiiWare.

 

[superrob]

I still don't see why people have not added drivechips yet, if you have a drivechip, you can still install HBC. otherwise. go buy your games on VC as well as disc form like nintendo wants.

If Traucha Bug = Fixed then HBC install = Gone

 

[Jacobeian]

well, some people here were right: IOS37 is FAKE

but now we got supa patched IOS30

I wonder if you can still install new channels in the new system menu ? or is the signature bug only fixed for disc verification ?

 

[killplaystation]

I still don't see why people have not added drivechips yet, if you have a drivechip, you can still install HBC. otherwise. go buy your games on VC as well as disc form like nintendo wants.

If Traucha Bug = Fixed then HBC install = Gone

IIRC the HBC install does not use the trucha bug, it uses another undisclosed bug. i maybe wrong

 

[Jacobeian]

well you are wrong... because the trucha bug IS the signature bug, used by any applications to sign titles they want to install

HB channel comes with a channel installer that need to be launched either from a disc (BIIIP, that does not work anymore) or a hacked TP save (BIIIIP? they are now automatically deleted)

maybe you could still install through the WAD ?

 

[Eternal Myst]

As for virtual console games and wiiware, I don't think you should be so excited to play those.
VC games you can just emulate otherwise. Wiiwares aren't that great.

N64 and NeoGeo can't be emulated properly and those games are epic.WiiWare has a few good games,and there may be some really good ones in the future.

 

[berlinka]

maybe you could still install through the WAD ?

I can confirm that! I installed the first Homebrew channel through a wad file. I'm looking at it right now.... homebrewchannel.wad

Worked like a charm!

 

[DbGt]

If i format my wii, can i install the HB channel using the Tw hack? what firmware will i have? also, what about the saves?

 

[Jacobeian]

maybe you could still install through the WAD ?

I can confirm that! I installed the first Homebrew channel through a wad file. I'm looking at it right now.... homebrewchannel.wad

Worked like a charm!

so this means they didn't fix the signature bug completely, as WADs rely on this too
strange idea from nintendo

 

[Shuny]

well you are wrong... because the trucha bug IS the signature bug, used by any applications to sign titles they want to install

HB channel comes with a channel installer that need to be launched either from a disc (BIIIP, that does not work anymore) or a hacked TP save (BIIIIP? they are now automatically deleted)

maybe you could still install through the WAD ?

Objection.

HBC doesn't use the Trucha Signer exploit itself. You can update your Wii with the HBC without problems.

 

[samsam12]

will this update cause bricks if there are wads installed? my sd card reader is being a bitch so i cant uninstall my wads.

 

[shane1972]

Hi,

I only run wads via an sd card and use wad installer that has been signed does that mean that it wont work anymore?
Also i have a emu disc which has gcos and about 1000 old roms will that still work?

Cheers

 

[RyuKakashi]

will this update cause bricks if there are wads installed? my sd card reader is being a bitch so i cant uninstall my wads.

No, there is no way this update will brick anything, no matter what. All it will do is render trucha discs useless, and delete the twilight save.

QUOTE(shane1972 @ Jun 17 2008, 02:28 PM) Hi,

I only run wads via an sd card and use wad installer that has been signed does that mean that it wont work anymore?
Also i have a emu disc which has gcos and about 1000 old roms will that still work?

Cheers

Your emu disc is a gamecube disc and thus should be fine.
As for wad installer, I've heard success stories in other threads. You should still be able to install WADs and stuff just fine as long as you already have a way of running WAD installer.

 

[TaxiTitan]

Is this update only for the U.S. Wii?
So I guess an installed WAD installer still works?

How about for example Manhunt 2 uncut (Its trucha signed)?
Will GCOS boot disc still work?
What about us PAL Wii users?

Is the workaround easy to do?
I guess SSBB PAL is gonna need the update.