The Early History of Wii Modding

Discussion in 'Wii - Hacking' started by noobwarrior7, Jul 31, 2010.

Jul 31, 2010
  1. noobwarrior7
    OP

    Member noobwarrior7 GBAtemp Advanced Maniac

    Joined:
    Aug 2, 2008
    Messages:
    1,594
    Location:
    USA
    Country:
    United States
    To celebrate the release of Waninkoko's cIOSx rev20, I thought I would post this. Please remember to thank Waninkoko as you download and try his newest cIOS.

    :: Foreword::
    This "article," if you will, is mainly for latecomers. It is meant to be a source of general, accurate, but most importantly, detailed information.

    :: The Early History of Wii Modding::
    Running any unlicensed code (called "homebrew") on a Nintendo Wii (in Wii mode, not Gamecube mode) really only became a possibility for the average Wii owner with the first release of the (now defunct/repeatedly thwarted) long-lived Twilight Hack, requiring the user to have only a copy of Zelda: Twilight Princess and a standard SD card with the required files. The exploit itself involved installing very little onto the Wii’s internal NAND flash memory; only a specially crafted save-file. Team Twiizers was responsible for the Twilight Hack itself, and although it served only to load other programs being created, they were also responsible for disseminating the knowledge required for many(/most) of the earliest homebrew programs.

    The first such program to really gather a lot of general interest was a program used to “share” (read: pirate) private “dumps”, or copies, of Virtual Console and WiiWare titles, called Wad Installer (and then came Uninstaller, and then finally together as “Manager”). Wad Installer was created by a then-associate of Team Twiizers, Waninkoko. However, it was not endorsed by Twiizers, for it was created without their consent to use a Wii software bug (putting it lightly) they had shared with Waninkoko. This bug allowed content to exist and function via the Wii’s own software and hardware as if it had a proper signature. Using this bug, for example, Wad Installer could “fakesign” content upon installing onto the Wii’s internal NAND, and allow it to be run as if it was a program purchased for that system. This is what we still refer to today as, “the Trucha bug.” Also a common term, “wads” are simply native Wii Files for a specific app, such as a VC game, packed into a singular container.

    Small problems began to crop up pretty quickly after that, much as Team Twiizers believed they might. Aside from the obvious rampant piracy drawing negative attention towards Wii homebrew, there were a lot of user-end “issues” that became apparent. With “wads” increasing in popularity, people grew a little bolder and began “injecting,” the practice of replacing the content of wads to get customized channels, or different VC games. Upon the release of the first true homebrew loader, The Homebrew Channel by Team Twiizers, it became apparent that even custom visuals for channels (called “banners”) were achievable. Unfortunately, many users, and even “quickware” creators, didn’t want to take the time to learn the full ins and outs. To compound this problem, those in-the-know were strangely secretive about what they did know. The result was various processes and crapwares that resulted in the semi-infamous “banner bricks.” The term brick generally means to make a device unusable by accident, and if you install a wad to a Wii with any number of problems with the banner files (just known generally as a “Bad banner”), the result was(/is) a failure to properly boot. The whole process of average users tinkering with wads has still not been as finessed as you would think at this point in time, and is only considered now “moderately safe” because of other factors. Read up on Wadder if this is something that holds interest for you. Note that the methods of brick prevention now have changed (read: improved) greatly, so make sure to stay timely.

    Taking a moment to back up, it is definitely important to highlight possibly the most-used piece of Wii homebrew (which is still the definitive homebrew loader), The Homebrew Channel, or HBC. As an end-user item, it has always been a fully-featured and enjoyable app to use in order to stretch the potential of your Wii. Steps have been taken with every release to test and ensure the safety of the installer, which does install the channel directly onto your NAND internal flash. What often goes unnoticed is how much this enabled other developers to test and interact with Wii homebrew. Combined with the first region-free game loader, GeckoOS, and at times a USB-Gecko device, this led to many creations. Even non-developers could take more risks and use more “dangerous” apps that modified the system files of the Wii, as long as they were using a program written to return directly to the HBC. This meant, for example, that one could eventually remove the system menu itself (very “unsafe”) but return to the HBC rather than power off (which would result in a brick upon restarting) and load Wad Manager to install a different System Menu. This is still an unsafe process, but at the time, people believed there were cases where it was needed. Regardless, this illustrates how both planned and unplanned exploration has taken place only because of the HBC.

    At this point, all code run on the Wii was only running through advanced custom libraries manhandling built-in Wii Software, and not really what we’d call “natively” (It remains that way for a while, and we’ll get to it later). This is to say, all code was running off of IOS (This is the part about IOS, if you were looking for it). I have heard IOS named as, “Internal Operating System” and “Input-Output System,” both by reputable aficionados, but whether it is even officially written as something other than “IOS” anywhere is unclear. It makes sense that it might have no official name since even title developers do not interact with it directly. They are led to believe that it exists merely as an IO Bridge, and now I’m getting more technical than I can handle…
    …IOS are the often-Critical System files of the Wii, akin to but different from “firmware”. So forget firmware, starting now.
    Many of us got a first sneak peek at IOS when a special “hacked” IOS version 5 (not an official Nintendo IOS), or IOS5, was released in Wad form, and had to be installed in order to use an early Wii Disc Copier app. It was of minimal popularity however, and people only really began to interact with IOS after Team Twiizers (once again) introduced PatchMii, a program (and a framework) that would install a customized IOS with a given set of “patches” to allow it a few more internal “privileges”. Essentially the same thing had been done to IOS5.

    The PatchMii release confused many users, not really offering any clarity about the features of having a patched IOS. At this same time, there was another creation that rode in off the hype that had built to a kind of plateau temporarily with PatchMii. Another associate of Team Twiizers, Crediar, had made a system-menu patching application, called “Starfall.” Perhaps one of the furthest-branching creations, Starfall laid the groundwork and inspiration for the likes of StartPatch, PriiLoader, and SNEEK, which you can find loads of information on. Patching not the IOS, but the Menu app on NAND itself, Starfall could enable permanent Region-Free gaming from the system menu, instead of through a loader like GeckoOS. It also offered the first semi-reliable brick protection (in combination with the Twilight Hack). The region-free options actually made some older, popular software virtually outdated, such as AnyRegion Changer by the talented Tona, which now (temporarily) only touted changing the Wii Shop Region as its only true benefit (until it was fixed on Nintendo’s server-end).

    Soon after, a wave of newcomers to the Wii scene arrived to take advantage of Team Twiizers’ newest revelation (yes, again). It was soon made known that PatchMii, combined with a special “hidden channel” installer released by Twiizers called “DVDX” (and later DISC/DISK) would allow a Wii System to not only play DVD Video in an appropriate video player app, but would also allow homebrew apps to reference/use files burnt to a DVD-R/+R (not RW). This was huge for those who wanted to use the Wii as a DVD player, or who wanted to play emulated games via “roms” burnt to disc instead of the SD card. However, a lot of noise rose up from those pirates no longer content to play their pirated VC and WiiWare. They had hopes that this would lead to a software-only method for playing pirated Discs. Team Twiizers were harassed incessantly despite making several clear statements that they did not endorse piracy of Wii Software. They themselves actually made mention (sarcastically) that someone the likes of Waninkoko did not respect creative rights and would be the one to go beg to, although they maintained he was incapable of such. They were wrong.

    Waninkoko proved to be up to the test, as he had been developing and testing, for some time, a “custom IOS” or cIOS. The cIOS installer first appeared shortly after PatchMii and was essentially the same product. The original goal, however, was to create the most stable and functional IOS (that was separate from all official IOS) that could still install “fakesigned” wads via the Trucha bug. The bug had been patched in newer IOS at first, but then with a certain update the fix was backported partially as several other key IOS were overwritten with new fixed versions, thus intentionally disabling Wad Manager. Wad Manager began to rely only on IOS249, which was the very high available slot Waninkoko chose to reference his custom IOS. Now keeping that in mind, the opportunity arose with the release of DVDX, to tweak his cIOS, à la PatchMii, with the intent to enable “backup” (unlicensed copy) loading. In just less than two months after the DVDX release, Waninkoko announced his intention and demonstrated a Proof of Concept internally to the scene, but before he could add whatever finishing touches he had desired, Backup-Loader, a special patcher (read: decrypter) program, and a wad of cIOS revision5 were leaked on the Wii-Hacking section of gbatemp.net. That is pretty much when it all turned into a hot mess. Insert pages upon pages of ridiculous drama, and then we’re back to the facts.

    The leak of Backup Loader might have been the death of it and cIOS, but another developer interested in loading backups, WiiGator, borrowed some code from Nuke’s GeckoOS and created a more stable solution called Backup Launcher 0.1. This enticed Waninkoko to continue his work on cIOS. Waninkoko and WiiGator began to collaborate, and the release of Backup Launcher 0.3 Gamma, with a corresponding cIOS rev7, was a very functional backup solution with no hardware modification required at all. WiiGator barely stuck around long enough to soak up any recognition, though, but remained long enough to eventually create a custom cMIOS (which enables Gamecube backups), a loader for it as well, and then finally cBoot2, which is a special app for system recovery. Waninkoko has since taken over and tweaked cMIOS, but little has been done to alter compatibility. However, cIOS is still in development and has had many stable releases. If you are interested in backup disc loading, the evolution of what Waninkoko and WiiGator started is clearly seen in WiiPower’s iteration, NeoGamma.

    At this point in the history of Wii-Modding, all parties in the scene essentially became the enemy of Nintendo. Backup-loading drew a lot of attention towards unlicensed software, and it became even easier as time progressed with creations like cIOScorp (aka: DarkCORP, the moderately unsafe practice of overwriting most Wii IOS’s with custom IOS’s to allow a system to natively recognize burnt discs; only REALLY unsafe if you plainly Remove any IOS), the USB-loading interfaces created by Kwiirk and polished by Hermes, and even SNEEK by Crediar which allows you to tweak and modify a “fake NAND” safely. It became clear that Nintendo would focus software updates on blocking the ability to enable unlicensed code to run in the first place. Every instance of the Trucha bug was eventually patched, several iterations of the Twilight Hack were put to rest, and the slots used for custom IOSs were filled with nonfunctional “stubs” that can’t even run the native system menu. Nintendo even went above and beyond to combat disc piracy at a hardware level with newer Wii drives. The Homebrew subscene has decidedly forked as much as possible from the piracy subscene, but usually their internal success has re-ignited the piracy scene every step of the way, and Nintendo has given them no benefit of the doubt for it. These and other developments have also caused Nintendo to use their knowledge of how certain modifications are being achieved, and to check systems to verify warranty validity before repairing damaged/defective systems.

    I hope that you will take the practice in reading that you have had with this article, and not stop, but continue to read and gain a better understanding of the modifications you perform to your product.
     


  2. Riicky

    Member Riicky GBAtemp Advanced Fan

    Joined:
    May 15, 2009
    Messages:
    607
    Location:
    Reading,Pennsylvania
    Country:
    United States
    nice article
     
  3. Quincy

    Member Quincy Your own personal guitarist :3

    Joined:
    Nov 13, 2008
    Messages:
    1,435
    Location:
    Your house, robbing your stuff
    Country:
    Netherlands
    Where's SoftMii? (A)
     
  4. noobwarrior7
    OP

    This article ends with merely a mention of cIOScorp, which is the primary piece of SoftMii, and SoftMii itself is still not in the second part, as the bulk value of SoftMii was the learned knowledge involved in custom themes... not the package itself, IMO. Theming, and cSM, and preloader and more are in part two, but many people were here for that, and honestly, there was suddenly a lot more BS going down in those times.
     
  5. Delta517

    Member Delta517 Its okay...Im a ninja ;)

    Joined:
    Nov 25, 2008
    Messages:
    1,327
    Country:
    Norway
    Ahh.... This makes me remember the first time I booted up the Twilight Hack.

    Good work on this thread, noobwarrior.
     
  6. noobwarrior7
    OP

    :-D Thanks for the kudos.
    Please do point out any typos [with or without ridicule]. ;-)

    We all know that spellcheck only does so much.
     
  7. moosehunter

    Member moosehunter GBAtemp Regular

    Joined:
    Nov 26, 2008
    Messages:
    199
    Country:
    United States
    Team Twiizers were responsible for the Twilight Hack itself
     
  8. noobwarrior7
    OP

     
  9. kingant

    Newcomer kingant Advanced Member

    Joined:
    Oct 24, 2008
    Messages:
    64
    Country:
    Venezuela
    Great Article! I still remember marcan vs waninkoko drama....
     
  10. MLRX

    Member MLRX GBAtemp Fan

    Joined:
    Apr 16, 2009
    Messages:
    378
    Country:
    United States
    This article was amazing. Dude, there was so much that I never knew of.
     
  11. FIX94

    Global Moderator FIX94 Global Moderator

    Joined:
    Dec 3, 2009
    Messages:
    6,549
    Location:
    ???
    Country:
    Germany
    Great Article man! The good old Twilight Hack... I have the Wii version only for this but the gamecube version was better
     
  12. tj_cool

    Supervisor tj_cool Stuff

    Joined:
    Jan 7, 2009
    Messages:
    9,942
    Location:
    This planet
    Country:
    Belgium
     
  13. ether2802

    Former Staff ether2802 we have the techno...!!

    Joined:
    Oct 14, 2007
    Messages:
    4,350
    Location:
    Pto. Vallarta
    Country:
    Mexico
    If enough good responses congratulating you, it may go sticked for a while...!!
     
  14. techboy

    Member techboy GBAtemp Advanced Maniac

    Joined:
    Mar 15, 2009
    Messages:
    1,720
    Location:
    Pennsylvania
    Country:
    United States
    Interesting read.

    Reminded me of the day I first used Backup Loader 0.3...played a copy of Elebits, and waited almost 3 minutes at each loading screen.

    I was surprised there was no mention of the "dummy" HBC (the bannerless chainloader channel) though...AFAIK that was the first public method of running brew without needing TP. HBC (as we know it now) came a few months later.
     
  15. bwillb

    Member bwillb GBAtemp Advanced Fan

    Joined:
    Jul 2, 2009
    Messages:
    620
    Country:
    United States
     
  16. joelozy

    Newcomer joelozy Advanced Member

    Joined:
    Jan 17, 2010
    Messages:
    88
    Country:
    United States
     
  17. dronesplitter

    Member dronesplitter GBAtemp Advanced Fan

    Joined:
    Sep 30, 2007
    Messages:
    537
    Country:
    United States
    I still remember getting an SD Gecko, I guess because I was too impatient to wait for libogc to support the internal SD slot, and using it with the Twilight Hack to load my first homebrew apps. Now there are apps that use USB2.0 loading. Thanks to all of the developers for making the Wii a far better console than it would have been.
     
  18. WiiCrazy

    Member WiiCrazy Be water my friend!

    Joined:
    May 8, 2008
    Messages:
    2,391
    Location:
    Istanbul
    Country:
    Turkey
    Few things are missing,

    - Freeloader
    - First spotting of trucha bug and using it on discs... Trucha signer... GC homebrew on discs
    - Earlier homebrew with no wiimote support... GC controller was necessary

    Otherwise, a good read!

    PS: I still have that IOS 5 released by Nitrotux on my Wii, it's not yet blocked by Ninty
     
  19. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    I never knew of this "dummy" HBC...got any more info or old links or anything? (I wasn't in the "scene" back then, although I did know most of what was in that article)

    I note you didn't go right back to the start, to the Twiizer Attack, from which Team Twiizers got their name. So I figured I'd have a shot at explaining it quickly.

    At first, the only way to run any unsigned code on the Wii was via a modchip in GC mode. This meant you could only run GC homebrew of course, and many of the Wii's features were shut down while the code was running, including most of the Wii's memory. However, Team Twiizers used a pair of tweezers to "bridge" the memory, skipping past sections of it, so GC homebrew could access memory it wasn't supposed to. This let them map out the Wii's memory, bit by bit. Eventually, this allowed them to find the Wii's common key. This was a bit of a breakthrough, as it meant they could decrypt any Wii software they wanted.

    They could now decrypt IOS, and look for bugs. It was in this way that they found the trucha bug. The first public demonstration of this was by bushing at the 24c3 hacking conference, where he used a modchip to play a modified copy of Lego Star Wars, with Wii Remote info displayed on screen, via a custom injected DOL. However, TT decided not to make public the details of this bug at this time, choosing instead to try and develop a game-based exploit, instead of relying on fake signed disks booted via modchips. Around this time, the Trucha Signer was developed, a tool to modify Wii games, which could then be burnt and played via modchips. It was written by xt5, who found the bug independently. When it was released, Datel used the Trucha Bug to make their Freeloader, a region free tool for Wii games. It was after this that Nintendo released IOS37, the first IOS with Trucha Bug fixed, causing much panic. TT did release a trucha signed disc eventually, to install HBC without the need for a game exploit, but it required a System Menu below 3.2 and a modchip (as all trucha signed discs would, except Freeloader).

    The release of IOS37 caused some less intelligent people to start writing System Menu patchers to change the IOS the System Menu used back to one with the trucha bug, as it was believed having HBC and a non-bugged System Menu IOS would cause a brick. However, the problem didn't exist at that time, as IOS37 wasn't used by System Menu, and as it turned out, there was no issue having HBC with a non-bugged System Menu IOS.

    I believe most of this is reasonably accurate, but I'm not sure exactly of the timescale, or where other things e.g. HBC fit into this.

    EDIT: Corrected some mistakes.

    More info on some of the stuff mentioned is found here: http://debugmo.de/2008/03/thank-you-datel/
     
  20. dronesplitter

    I believe the so-called "dummy" HBC he is referring to was really the early trial version that was supposed to deactivate itself after running a couple of times but hacked to continue working.
    Just found a post on a different site that mentions users PaRaDoX and Superken7 as responsible for removing the limits on that version of HBC. Don't know much more about it.
     
