Listening to the very interesting lecture (https://fail0verflow.com/blog/2014/console-hacking-2013-omake.html) of team f0f I noticed that the vWii boot sequence is the following one: Looking at that picture we can see that cafe2wii loads straight into System Menu IOS, then System Menu IOS loads bootrom which checks and decrypts the ancast image (vWii System Menu) and if it is correct it executes it. Now we have bootrom dump, we have IOSes dumps, we have cafe2wii dump (a packet of them can be found in a famous dev-u site, the one with IRC chat ) So my questions are: 1 - can we "bypass" the bootrom patching the IOS to directly load an already decrypted System Menu image ? 2 - alternatively can we patch the IOS to load a pre-patched bootrom (ex. from file) ? 3 - as last chance can we boot a vWii homebrew -> warm-reboot vWii -> inject new System Menu using ToC/ToU described in the team f0f talk ? (thank to @QuarkTheAwesome for this suggestion). This will make, for example, custom System Menu themes and also priiloader a vWii reality. If you do not find this thread useful for whatever reason please avoid answering. Tank you very much for your attention hoping someone will get deeper into it. EDIT: just for your info, I managed to patch the IOS80 (System Menu IOS) and the vWii is still working so no checks for IOS80 integrity. I also managed to modify System Menu data content (00000022.app) but i bricked vWii (all test were done in realnand). I resotred it replacing original 00000022.app file via wupserver.