Tutorial
Updated
Wii hacking explained
Wii Hacking explained - Guide and FAQ for popular homebrew
Information
This guide is not complete yet and is still a work in progress and I'll probably won't complete it. I lost interest and miss time.
If you spot any error in completed chapters (ch.1 & ch.2 only, do not report chapter3+), please send me a private message, as this thread will be locked to contains only guides. No comment will be accepted to keep focus on guides only and prevent help to be hidden in hundreds of replies.
Chapter 3 and more are not written yet. Don't take these chapters seriously. Current contents are only random ideas for my own future writing plan.
If you spot any error in completed chapters (ch.1 & ch.2 only, do not report chapter3+), please send me a private message, as this thread will be locked to contains only guides. No comment will be accepted to keep focus on guides only and prevent help to be hidden in hundreds of replies.
Chapter 3 and more are not written yet. Don't take these chapters seriously. Current contents are only random ideas for my own future writing plan.
Help needed
If you have suggestions or want to help me write a part in the guide, please contact me. We can talk about what's needed, what can be done, and how to write it.
It's possible this guide will be moved to Wikitemp to allow more users to write parts of it without any action from me.
It's possible this guide will be moved to Wikitemp to allow more users to write parts of it without any action from me.
General help request guideline
If you have console issues, hacking problem or general questions, DO NOT CONTACT ME! I'm not your private help desk. Time spent answering you privately could be used to write this guide for everyone.
If you have hacking questions and it's not covered in the guide yet, create a new thread to get help from other users, or even better search in recent threads to see if someone already answered your question before creating yet another one with the same question for the 200th times! Posting your question publicly will both get you faster answers due to more people helping you at the same time with different ideas, and benefit other users with the same issue searching on the net for that answers. I'm not the only capable and available person to help you, and don't be selfish!
Read the Troubleshooting part (end of the guide) to get an idea of proper report methods.
And last: Do not repost your question in multiple threads, scattered help is unproductive and dangerous. Providing suggestions without knowing which other action you did can be worse!
If you have console issues, hacking problem or general questions, DO NOT CONTACT ME! I'm not your private help desk. Time spent answering you privately could be used to write this guide for everyone.
If you have hacking questions and it's not covered in the guide yet, create a new thread to get help from other users, or even better search in recent threads to see if someone already answered your question before creating yet another one with the same question for the 200th times! Posting your question publicly will both get you faster answers due to more people helping you at the same time with different ideas, and benefit other users with the same issue searching on the net for that answers. I'm not the only capable and available person to help you, and don't be selfish!
Read the Troubleshooting part (end of the guide) to get an idea of proper report methods.
And last: Do not repost your question in multiple threads, scattered help is unproductive and dangerous. Providing suggestions without knowing which other action you did can be worse!
Why a new guide?
This guide does not intend to be another hacking guide for newbies where you blindly follow steps to softmod your console because there are already more or less good guides to do that (Modmii, CompleteSoftmodGuide or vWii complete hacking guide, for example), but instead provides help and fixes for commonly used homebrew available after completing the softmod guides (hardware compatibility, loaders, neek, etc.). I also don't intend to replace wiibrew here but only provide a quick overview for users who want to understand how their console is working. For advanced and technical explanations feel free to check wiibrew or wiiubrew wiki.
Over the years, I've written on GBAtemp many guides and provided a lot of answers, but they are all lost and hidden in hundreds of threads. I want to finally regroup all my guides in one place.
This guide's objectives are to explain how the Wii is working and hope it will help many users finally understand why and what they are doing when they hack their console, how to report issues properly and in an understandable way to get better and quicker help from other users or even detect and fix their own problems themselves.
This guide written primarily for the Wii also applies for the virtual Wii mode of the WiiU (vWii). If there's no indication, it should be identical. If the Wii and vWii are behaving differently, it will be specifically stated using this WiiU icon
I think this guide is highly due and needed based on the amount of created threads with recurrent questions posted every weeks. It clearly demonstrate that many people don't understand what they are using, why they are doing something when following a softmod guide or what's possible to do once they completed the guide. They are often lost after following a step by step guide which hold their hand and suddenly left them all by themselves without any more direction. Guides rarely tell users what they can or should do next, this is what I'll try to cover here.
I want this guide to explain three things:
- How it works ;
- What to do and why ;
- How to fix common encountered problems.
I hope covering all these steps will help everyone, end users will be able to find the information they need and helpers can point everyone to a single updated place instead of providing wrong or outdated information, or re-writing the same answer for the 100th times.
Table of content
Nothing is definitive and existing or future sections could move around at any time.
(If you like one of my post for a specific section, remember I might move it to another post in the future and you liked a post for nothing!)
Red text = not written yet.
Chapter 1 - The consoleChapter 2 - Hacking & securityChapter 3 - Homebrew presentation & setupChapter 4 - USB Loaders (in general) ?Chapter x - one per Loaders ?Chapter x - EmuNAND & Neek
* Hardware
* Boot sequence
* Internal memory (NAND structure)
* File system, folders and TitleID
* IOS and slots
* updating the console
overview
* existing blind step by step hacking guides
* console brick
* Trucha bug & IOS236
* AHB_PROT & AHB Access
Chapter 2.2 - More on Security, Signature check and Trucha bug detailed
* File signature
* fake signature
* checksum (multiple sections)
* cryptology and encryptions keys
* Signature bug
* Trucha bug demonstration
* what are homebrew?
* homebrew channel
* hardware compatibility, best usage (SD, HDD, Flash drives, SSD, HID USB, LAN, etc.)
* different homebrew (apps, games, media player, loaders)
* etc.
Chapter 3.2 - Hacking the console and Installing homebrew ?
Hackmii installer
Priiloader
Modmii
Chapter 3.3 - cIOS and patched IOS
* what is it?
* Existing cIOS
* Do you need it?
* how to install or update
* How to choose and where to install
* How to uninstall
* requirement (hardware, IOS, etc.)
* install
* setup
* etc.
* troubleshooting
* requirement (hardware, IOS, etc.)
* install
* setup
* etc.
* troubleshooting
* requirement
* install
* setup
* etc.
* troubleshooting
Troubleshooting and FAQ
* How to properly report an error and ask for help !
* Deleted system menu brick
The Wii and its Operating System
The first part of this guide will cover only the official and non-hacked functionalities. Everything related to hacking and homebrew will start in the next chapter.
Before talking about the softwares and how to use homebrew on a console, it's important to understand how it works inside the box.
The Wii console contains 1 GPU (Graphic Processor Unit) and 2 different 32 bits CPU (Central Processor Unit):
- The GPU is an ATI chipset, it's an updated version of the Gamecube GPU (It's not important to know more about it for now).
- The main processor is a IBM PowerPC (PPC) used for applications and games.
- The second processor is a NEC ARM9 used for security and hardware access restriction.
The GPU and the two CPUs are linked together by the RAM chipset, which itself is separated in two bank regions: 24MB fast SRAM memory called MEM1; 64MB DDR3 memory called MEM2.
The ARM processor is responsible for accessing these interfaces:
- Disc interface (di) ;
- Gamecube controller ports ;
- EXI (Gamecube memory card ports, debugger).
The ARM chipset is connected to other restricted components along the Advanced High-performance Bus (AHB), and grants right access on a case by case basis for application's requirements:
- 512MB NAND Type Internal Flash Memory
- 2x USB 2.0
- SD/SDHC
- Wifi b/g, used for network access
- Bluetooth, used for controllers
- Cryptology (Hardware AES/SHA engine)
The programs managing the security and hardware access running on the ARM chipsets are called "IOS" (Input/Output System).
Boot process
The ARM is the first processor to run code at console's boot.
The boot sequence can be visually represented like this:
Power > Boot0 > Boot1 > Boot2 > System menu
The first code to be executed when powering up the console is part of the processor's BootROM, called Boot0. Its content is written at manufacturing time and can't be changed anymore.
Boot0 is a program which loads, decrypts, verifies and runs Boot1 located on the first block of NAND. Boot1 is verified with a hash located in OTP (see below). If Boot1 is wrong, the console stops here and will refuse to boot.
Boot1 Initializes the RAM, then it loads, decrypts, verifies and runs the Boot2 program (TitleID 1-1) located in the folder "/title/00000001/00000001/" (More on that later). The verification is done from a signed hash located in boot2 itself.
Boot2 is responsible for loading and launching the system menu title (into the PowerPC chipset) and its corresponding IOS (into the ARM chipset). Boot2 is also responsible for launching MIOS instead of IOS if the CPU is detected running at gamecube speed.
System Menu is the main Wii user interface. It is now running and the user has the hand (literally).
What is OTP?
OTP is a One Time Programmable chipset memory. It's a chipset which is used to store fixed values at manufacturing time like Unique console ID and cryptographic keys.
The OTP on the Wii contains:
- The boot1 hash: used by Boot0 to verify if boot1 has been modified ;
- The common key: used to decrypt most titles & data ;
- Your unique Console ID ;
- Your unique NAND key: To encrypt/decrypt your NAND's content.
NAND
All the console's files are stored on a 512MB NAND Flash type chipset memory.
The NAND's content is encrypted using a per-console unique key stored in OTP.
The 512MB NAND is a single bank of memory, shared with both Nintendo's file (system) and user's file (savegames, bought games, etc.)
There's no reserved part for the system and reserved part for the user.
All the devices (NAND, SD card, gamecube memory card) available size are counted by Nintendo in a custom "block" unit instead of Bytes (8 blocks = 1MB). You can verify how many left blocks you have in the Data management section of the Wii System Menu, and the Nintendo online shop displays how big each game is in blocks to be able to download and install it.
The Console's Operating System and Firmware
Unlike other consoles (PS3, PS4, Xbox, WiiU, Switch, etc.), the Wii does not have a single operating system running all the time in the background, such as a Firmware, a supervisor or a home menu interface used for security.
The ARM CPU is what you can consider the most similar to a firmware as it's responsible for the security and hardware's right access, but acts more like a hardware's driver than a firmware. The ARM does not provide real-time features like screenshot, trophies/success, or console settings while you are playing a game.
The PowerPC CPU is dedicated entirely to the currently running program, and can't run two different programs (or Title) at the same time: It runs either a game (game, application, channel, etc.) OR the system menu interface, which actually is also a program and not a firmware. The Wii System Menu is not in memory anymore when a game is launched, the game replaces the menu completely to use all the available RAM and CPU power for itself. When you are in an application, you can't access another installed application (like Mii maker, eshop, internet browser, etc.) without exiting the one you are running.
So, if it's not running a firmware, you might wonder why the Wii provides a version number, like 3.1E or 4.3U?
This version number is a "virtual version" of the software used by Nintendo for its Graphical User Interface: The System menu.
The system menu is simply a program acting as game loader and content manager (savegame, channels).
This program is launched by Boot2 when you power the console up, and the same way the system menu replaces itself when it launches a game, a game also replaces itself with the system menu program when you choose to exit the running game (from the game's home menu interface).
The system menu version is not the firmware version of the console, for example new games work fine even if the system menu is outdated.
Why did I use the word "virtual version"?
Nintendo uses a version number for the System Menu software based on its features (for example 4.x is a major revision which added the SD menu over v3.x).
This versionning system is only subjective, and doesn't reflect the real program's version (build revision).
In "v4.3U", The letter represents the region of the console. U for USA, E for Europe/Australia, J for Japan, K for Korea.
TitleID and Title Version
Each application on the Wii (game or IOS) is called a "Title" and contains different information, here are 2 of which are important to know:
- Title Version: The internal build revision of the program. The Title Version is used by programs to determine if a new version of that title is available and update it when requested.
There is not much to say about this, but it's important to understand how the console is updating its files when you insert a game disc, or check if there's a new version online.
Every Wii game disc contain a partition with required and updated system files (IOS) which are checked by the system menu at game launch. If the system menu finds that the disc's update partition contains a Title with a higher version than the one you currently have on your console, it will prompt you to update your Wii before launching the game. It's not asking you to "update your firmware" (there's no firmware), it only detected that you had at least one file with outdated Title Version and will replace it with the newer version from the update partition.
This is interesting to understand that for later because Nintendo and homebrew will (ab)use this system.
- TitleID: The TitleID is a unique code per game or application, and is used to identify, access or launch it. The Title Identification code is also used by the folder's name in Hexadecimal (folder on the internal file system) where the program is located.
The TitleID is a 64bit number which represent a title (ex. 0001000146413950 -> European NES Virtual console Channel Zelda II: The Adventure of Link).
The TitleID can separated in two groups of 32 bits : 0001000146413950
The first half (TitleID High) is used to differentiate the Title type (system, game disc, channel, DLC, etc.).
These titleID High are used by the Wii:
00000001 System files (IOS, system menu, MIOS, BC)
00010000 Wii game disc
00010001 Game Channels (WiiWare, Virtual consoles)
00010002 System channels (Mii, Photo, Vote, Weather, etc.)
00010004 Games using both disc+channels (Mario kart, WiiFit, etc.)
00010005 DLC
00010008 Hidden Channels (EULA, region select)
The second group (TitleID Low) contains information on the Title itself: The console type, the internal game code and the region. It's usually the only part of the TitleID that users and loaders are using.
To be easier to read, the TitleID Low is usually represented using its ASCII converted characters, Example : Zelda 2 NES VC -> 0001000146413950 -> 0x46=F, 0x41=A, 0x39=9, 0x50=P -> 00010001-FA9P -> or more simply just FA9P.
The TitleID Low is decomposed in three groups, like this:
A = ConsoleID (G = gamecube, R or S = Wii disc, H = Channel, F = NES, etc.)
BB = Actual game code, chosen by Nintendo. LM = Luigi's Mansion, SB=Super Smash Bros., MN = New Super Mario Wii
C = Region (A = system, E = USA, P = PAL/EUR, J = JPN, K = Korean, X = Region free, etc.)
Informal TitleID6:
Additionally, on game discs only (Wii and gamecube), there is an additional 2 bytes value following the titleID often used by the game loaders: The publisher code.
With this additional data, it forms a TitleID using 6 digits (ex. GLME01 = Gamecube Luigi's Mansion USA, published by Nintendo)
This is the TitleID used in most game loaders to manage games, covers, memory card or cheat files.
The console's file system
The console uses a proprietary file system format and access is granted by the IOS.
The file system is based on files and folders, but programs rarely access them directly. Instead they rely on the IOS to access, read and write files based on the TitleID.
Each program uses the TitleID to locate the folders on the console and get the appropriate access rights (for example to store the savegame, or call another program to launch).
All installed Titles (games, IOS or apps) in the internal File System of the Wii are located in the /title/ folder, and using part of the TitleID as sub-folders: /title/< TitleID High >/< TitleID Low >/< the program's files are located here >
Some examples:
The Wii System Menu Title:
TitleID: 1-2 (or 00000001-0000002), stored in the folder /title/00000001/00000002/
TitleVersion: 481 (for v4.2U), 513 (for v4.3U)
The IOS58:
TitleID: 1-3A (or 00000001-0000003A), stored in /title/00000001/0000003A/
TitleVersion: v6176 (latest Wii IOS58 version), v6432 (latest vWii IOS58 version)
Note that 58 is 0x3A in hexadecimal.
New Super Mario bros. Wii game disc:
TitleID: SNMP (or 00010000-534E4D50), accessed folder is /title/00010000/534E4D50/
TitleVersion: Disc games don't use a TitleVersion as they are not installed titles which can be updated by the console's online service. The game disc still has a version which is usually version 0.
The TitleID path is used by Game discs to store their savegames on the console's memory in a "save" sub-folder /title/00010000/534E4D50/save/
The Mii Channel:
TitleID: 00010002-HACA, stored in /title/00010002/48414341/
TitleVersion: v6
Other folders used by the console
The console has other folders (other than /title/) but they will not be of any use to you right now.
They will be explained later if, or when needed.
IOS
The IOS is the program running on the ARM processor.
It's managing the security and works as a bridge or driver to allow the PPC programs to communicate with the hardware elements (Wiimote, SD, USB, NAND memory, etc.)
The particularity of the Wii is that the console is not based on a single firmware that Nintendo updates regularly, but instead uses a system with multiple different IOS revision.
To keep compatibility with old games, Nintendo decided to create a completely new IOS program revision (or Branch, like said on Wiibrew) whenever they released a new SDK to developers, ensuring that games developed with older SDK kept the same functionality and compatibility by continuing to use the old IOS they were designed to work with.
When Nintendo released a new SDK version to developers, they also released new IOS (batch) to use with matching SDK features.
If you've read the section about the processor, you know that the consoles runs two CPU at the same time: The PPC (Power PC) and the ARM processors.
In order to function correctly, every launched application on the PPC CPU have the information of which IOS they have to use. That information is stored in a separate files named "tmd" (Title Meta Data), which contains more important data that we will discover later.
One and ONLY ONE IOS is loaded in memory at a given time, and is usually the same for all the program's life. If for example you play Zelda Twilight princess, it will request IOS 9, and the game will ONLY use this one. All other installed IOS will not be loaded in memory, will not be accessed or used and have no effect on the currently running game or application. IOS are not conflicting with each others, that's how the console is designed to ensure the best compatibility with old games!
Along the console's life, Nintendo released many IOS revisions:
IOS9 (launch IOS, used by system menu 1.0 and games)
...
IOS20 (used by System menu 2.2)
IOS30 (used by System menu 3.x)
IOS36 (ES access, signing bug)
IOS37 (Fixes signing bug)
...
IOS58 (Adds USB2.0 support)
IOS59 (Adds encrypted WFS HDD partition support)
IOS60 (Adds SDHC support, used by System menu v4.0x)
...
up to
IOS80 (used by system menu 4.3x)
Every time a new SDK was released, new IOS batches were also released to be used by the new/future games and applications to be developed and requiring the new added features.
By convention, the multiple of 10th were used only by the System menu. Remember, System menu is a software like any other program or games, and as such it also requests a specific IOS to communicate with the console's hardware (Wiimote, SD, channels and savegames located on internal memory, etc.). For example, when Nintendo released Wiimote+, it needed a new System menu but also new IOS compatible with the new hardware.
On mostly every new System menu version, Nintendo also released a new corresponding IOS.
IOS30 -> System menu 3.0 to 3.3
IOS50 -> System menu 3.4
IOS60 -> System menu 4.0 (this IOS adds SDHC support, the System menu adds SD menu feature)
IOS70 -> System menu 4.2
IOS80 -> System menu 4.3
If you try to launch an application (Program, Title) which requests an IOS that you don't have, the console will refuse to boot it.
That's why it's dangerous to manually install a new System Menu without being sure you first installed the matching IOS. If the system menu can't be launched, you lose access to your console and can't do anything else, your console is dead.
You can find more information about IOS on wiibrew.
More about IOS Slots
Nintendo uses a system of "slot" to install the IOS application into.
A slot is nothing more than a folder with a 32 bits hexadecimal number as name, located in the "system folder" (/title/00000001/).
Few examples:
/title/00000001/00000009/ <-- IOS Slot 9
/title/00000001/0000000A/ <-- IOS Slot 10
/title/00000001/0000003A/ <-- IOS Slot 58
Nintendo has the possibility to install IOS in new folders up to "slot" 255 (000000FF).
The IOS's Title (the application loaded into the ARM CPU) is installed into the slot's folder.
When a software requests IOS58, it actually requests the IOS Title (or application) located INSIDE the folder number 58 (0x3A in hexadecimal).
The program loaded in the ARM CPU is the .app file, not the slot.
When a program requests an IOS, it doesn't request a slot number but the program which is located in that slot.
If a PPC program requests IOS58, it loads what's INSIDE the slot 58.
if a PPC program requests IOS249, it loads what's INSIDE the slot 249, and it can be anything you have into that slot! What's really important is not the slot number but the actual program type and version located inside the slot which is loaded into the ARM CPU.
IOS version and TitleVersion
The IOS is, like every other installed program on the console, referred to as a "Title" and using the "TitleVersion" system. Nintendo uses this TitleVersion number to update its system files (to fix bugs, for piracy prevention, etc.)
For example, by updating IOS36 it didn't become IOS37 but only an updated version of IOS36 (with the signing bug fixed). IOS36 has been updated 6 times, from IOS36 v1042 up to IOS36 v3608, but it was only done to fix bugs and never to add new features or Nintendo would risk breaking old game's compatibility.
IOS37 does not correspond to an update of IOS36, but to a complete new version of the IOS with new added features.
The IOSes were not always released in increasing slot order, for example IOS59 was released after IOS60, so a higher IOS slot doesn't always mean it contains new features, nor is a better IOS or newer than another IOS located in lower slots.
Some new IOS could even break compatibilities with old games (IOS58 adds USB2.0 support, but breaks games using USB1.1) and is why Nintendo uses the "frozen in time" program< - >slot requesting system. A game developed/designed to use IOS34 will always request the ARM processor to use IOS34 even if you have IOS35 available on your console.
Performing an update
When inserting a game disc or performing an online update, the System Menu checks and compare all TitleVersion on your console against the TitleVersion provided by Nintendo. If it detects at least one outdated Title (IOS or System Channel with a lower TitleVersion), it prompts the user to perform a console update.
If you ever see an update prompt, it doesn't mean there's a new firmware update but only one of your installed (or missing) Title has been detected having a lower TitleVersion than a compared ones. Performing the update replaces only the outdated, or missing, Titles.
On a game disc, the IOS and system channels are located on a distinct update partition.
Stub IOS
Instead of completely deleting the useless IOS (Old IOS used by previous System Menu version), Nintendo decided to replace them by releasing a dummy IOS Title (which does nothing) with a very high TitleVersion. This new non-functional IOS is usually called "Stub" (or "Mothballed" on Wiibrew). Doing this was used to free space used in the limited internal NAND memory of the console, and at the same time preventing re-installation of old IOS when inserting an old game disc if the IOS was simply deleted (missing IOS would be reinstalled if found on a disc's update partition).
Now, all previous IOS used by System menu (IOS10, 20, 30, ..., 70) are stubbed, only IOS80 is active for the System Menu application v4.3. If you ever try to install a different System menu, you will break your console if you don't have a fully working (non stub) IOS installed in the System Menu's requested IOS slot. (see cIOS and Modmii section below for more information to manually install a different system menu version)
To counter piracy and hacking, Nintendo also decided to install stub IOS in commonly used slots (like IOS249, IOS250, IOS254) in hope to prevent users from installing IOS in the same slot. Nintendo replaced the custom/patched IOS by releasing stub version with a higher TitleVersion than the one used by cIOS at that time.
Now the homebrew IOS installers let you specify the TitleVersion to use. You can easily set it to something higher than the TitleVersion used by Nintendo (v65280), for example by using the maximum possible value for a TitleVersion (v65535). (See the cIOS section in following chapters for more information about IOS installers)
Last edited by Cyan,
, Reason: update info boxes
