Note: This is not a standalone, ready-to-use program — hence the name. If you need to ask how to use this, you’re doing it wrong.

We’ve been pretty bad about releasing source code lately, so this is my attempt to atone. I’ve been sitting on this code for a couple of months now — I wrote most of it a day or two after IOS37 was released — but I’ve been waiting for the mythical “right time” to release it in a useful form, and that hasn’t happened. So, I’m releasing it as-is, because I think that many people will find this code useful in its current form, and it can be used as a building block for more sophisticated hacks.

The idea behind PatchMii is that we should be able to replace Nintendo’s update process with one of our own.
The most straightforward way to do this would be to set up a “shadow” update server that would vend patched versions of Nintendo’s updates, and then patch the System Menu to talk to it instead of the official servers. However, there are some serious copyright issues with doing this, so this is the next best thing. The output of this process looks like this:

IOS Version: 00240412
Downloading IOS37 metadata:.tmd.ticket.
Title ID: 000025
Number of parts: 15. Total size: 1868K
Downloading contents:
Downloading part 1/15 (0K): hash OK. Firmware version: firmware.707 Builder: admin@FWPUBLISH
Downloading part 2/15 (33536K): hash OK. DIP ( 06/08/07 18:17:09 64M )
Downloading part 3/15 (26112K): hash OK. OH0 ( 07/12/07 14:30:33 64M )
Downloading part 4/15 (15104K): hash OK. OH1 ( 06/08/07 18:17:21 64M )
Downloading part 5/15 (10752K): hash OK. SDI ( 02/22/08 17:57:15 64M )
Downloading part 6/15 (171776K): hash OK. SO ( 06/28/07 02:37:15 64M Release/apricot-win/HEAD )
Downloading part 7/15 (360448K): hash OK. KD ( 08/30/07 04:58:02 64M Release/apricot-win/SDKFW30413branch )
Downloading part 8/15 (62720K): hash OK. WD ( 12/12/07 16:13:56 64M Release/apricot-win/SDKFW30413branch )
Downloading part 9/15 (447488K): hash OK. WL ( 12/12/07 16:14:06 64M Ver.4.30.47.0/Release )
Downloading part 10/15 (42496K): hash OK. NCD ( 06/28/07 02:37:17 64M Release/apricot-win/HEAD )
Downloading part 11/15 (30464K): hash OK. ETH ( 08/09/07 18:09:02 64M Release/apricot-win/SDKFW30413branch )
Downloading part 12/15 (18944K): hash OK. STM ( 06/28/07 02:37:18 64M Release/apricot-win/HEAD )
Downloading part 13/15 (9216K): hash OK. USBHID ( 2008-01-30-15-59 64M )
Downloading part 14/15 (520960K): hash OK. SSL ( 02/27/08 19:26:09 64M Release/builder/HEAD )
Downloading part 15/15 (162048K): hash OK. FFS ( 02/22/08 17:56:15 64M )
ES ( 02/23/08 13:25:41 64M )
IOSP ( 02/23/08 13:29:22 64M )
Found new-school ES hash check @ 0x5aea, patching.
Updating TMD.
Changing titleid from 0000025 to 0000005
forging tmd sig
forging tik sig
Download complete.
Installing:
Installing ticket.
Adding title.
Adding content ID 00000000 (cfd 0): done! (0x40 bytes)
Adding content ID 00000001 (cfd 1): done! (0x8350 bytes)
Adding content ID 00000002 (cfd 1): done! (0x6630 bytes)
Adding content ID 00000003 (cfd 1): done! (0x3c00 bytes)
Adding content ID 00000004 (cfd 1): done! (0x2a30 bytes)
Adding content ID 00000005 (cfd 1): done! (0x29f80 bytes)
Adding content ID 00000006 (cfd 1): done! (0x58010 bytes)
Adding content ID 00000007 (cfd 1): done! (0xf520 bytes)
Adding content ID 00000008 (cfd 1): done! (0x6d4f0 bytes)
Adding content ID 00000009 (cfd 1): done! (0xa650 bytes)
Adding content ID 0000000a (cfd 1): done! (0x7780 bytes)
Adding content ID 0000000b (cfd 1): done! (0x4aa0 bytes)
Adding content ID 0000000c (cfd 1): done! (0x2490 bytes)
Adding content ID 0000000d (cfd 1): done! (0x7f330 bytes)
Adding content ID 0000000e (cfd 1): done! (0x27910 bytes)
Done!

I have gone to lengths to make this program safe. It will refuse to patch the System Menu or IOS30 (which the System Menu depends on).

So, as it stands, this program is not very useful. I’m putting it out there as an experiment. What I would like to see happen is:
- People to PatchMii itself to make this core code more stable, fix the cosmetic bugs I already know about, and add new capability to the core patching mechanism.
- People submit patches for.
- People come up with ideas (and code) to make this into a useful product for end-users — a custom-updater program, or whatever.

The license on this code (GPLv2) allows you to take this code and turn it into your own program under your own name, as long as you release the source code — but I would like to work with you to coordinate features and functionality.

Once this is n00b proof we can finally stop getting stupid kids asking dumb questions about stuff like this and their crazy ideas on “if you set your wii to connect to your pc then send the wad over you can install your own wad” but there's never really been a point before because everyone got hyped over IOS37, it's good to see how much you have done for the wii since the C23 (I think it was that) convention, keep up the good work, just hope waninkoko doesn't get in on this eh? Lol stealing your thunder with his piracy tools.

// Jul 10, 2008 at 10:28 pm.
I’ve started pruning some comments; please try to stay on the subject of this code (or at least within spitting distance of it).
@WhoDares: Thanks, fixed.
@BTaylor: Yes; Marcan has a program called “menuloader” which will let you reload the System Menu using any arbitrary version of IOS.
I think that he’s been busy with some of the boot2 stuff, but feel free to bug him. 😉

This code should work with all future updates, yes. It should work with all past, present, and future versions of IOS — it’s possible that Nintendo would change the signature check to break this program, but I doubt they would (since if we can patch IOS, they’ve already lost).

BTaylor // Jul 11, 2008 at 3:01 pm.
Regarding my previous comment: I see the files are downloadable via https as well as plain http now. I’m guessing newer system software versions use that? When did that start?

And would it still be possible to do custom updates if someone could upload files to an Akamai secure server? Although that would be illegal, only doable by a few people (although more than just Nintendo itself), and deleted right away.

Regarding the link to gbatemp with the IOS modified to remove the DVD unencrypted read restriction:
Is it possible to overwrite one IOS5 with another?

Lastly, is there a good, free disassembler that can handle IOS?

SquidMan // Jul 11, 2008 at 11:30 pm.
@Matt: I specifically addressed this in the third paragraph of this post (“The most straightforward way”). I think we can eventually do something that looks and feels like that, but doesn’t require a proxy.

@9th Sage: Any IOS can be deleted with the right filesystem calls but why bother?

@Matt part 2: I’m not really sure why they allow both http and https now — they seem to be interchangeable. Yes, it’s possible to overwrite one IOS5 with another, but at some point we’re going to want to start coordinating this and merging patches.

And unfortunately, I can’t recommend anything nearly as good as IDA Pro, which is admittedly not a cheap program.

9th Sage // Jul 12, 2008 at 8:14 am.
One thing I was wondering about. Rather than trying to patch an IOS to your needs.
Would it be easier to write an IOS which actually loads its functionality from ELFs stored on the NAND? Then you can update the ELFs to redirect the functionality either to another version of the IOS or to run custom code (ie, plugin architecture similar to Windows DLL files).

I don’t know if I quite explained my thinking correctly, but it would mean you wouldn’t have to keep releasing full IOS’.

Kaer // Jul 12, 2008 at 4:19 pm.
If the purpose of this is to basically patch the signature check fix, how would you test if the patch worked?

@bushing: you said Marcan had a program called menuloader that can force the System Menu to reload with a different IOS. I assume it reloads it without actually modifying it, correct. Also the System Menu will still use IOS30 when you cycle power, correct.

If so, where do I get this program?

I have not updated my system to 3.3 yet, but I do have IOS37 installed and am just curious about a few things.

I do agree that the System Menu should not be modified until an easy recovery method is established.

Also how would this affect Updates that are on Wii Game Discs. I assume if a game required an update you would first run this to update your wii, then you should be able to play the game.
However if a game installed an IOS that was game specific, you would not have to worry if it's patched or not, correct.

Anyway let's keep up the good work.

// Jul 13, 2008 at 11:49 pm.
@WhoDares/28: Can you please rephrase the first part of your question? Yes, this is all done on an unmodified Wii.
Boot2 is not a file; it’s the second-stage bootloader, which sits in NAND Flash before the start of the actual NAND Filesystem. The file /dev/boot2 is an interface that allows boot2 to be updated.

@skawo96.

@bushing:
My first question: You said there is a Kernel and 13 ELF drivers, that’s 14 files. However your PatchMii output above has downloaded 15 files. Are 14 of these 15 files the Kernel and ELFs?
If so, what’s the 15th file?

Also, I do understand boot2 is not a file. I think because I mixed two questions together, I made it unclear what I was trying to ask. So, I’ll hopefully clarify them here-
1. Are the IOS Kernel and ELF files stored in the NAND FS? Are we able to read them easily?
2. Can we use /dev/boot2 to read a copy of the current boot2? If not, is there any other way I can grab me a copy off my Wii?

Cheers!

WhoDares // Jul 15, 2008 at 11:53 pm.
On the file patching; With different versions of a file, the patching location may vary, which is why I thought use CRC to make sure you’re putting the patch in the correct place for that version of the file.

I suppose you could always search the file looking for a specific block of code. The only reason I’m not completely for this approach though is in case there is another copy of the same code in the same file but for a different job, then if it’s patched incorrectly could cause other issues.

HCK // Jul 16, 2008 at 1:53 am.
@dude: Waninkoko’s release is more or less equivalent to PatchMii (using the same patches, no less — unless anyone else can give me a good reason to use IOS37 as opposed to anything else). The first release of cIOS was completely bungled, in terms of being legit. The second one was better, but still kinda sketchy because it requires you “find” some specific WAD file for it to patch, instead of downloading it from Nintendo like PatchMii does.

The more frustrating part is the amount of attention cIOS has received.
It does two things, both of which are fundamentally boring:
1) Remove the signature check in IOS37. (This check is never used, anyway; the only reason that patch exists was that it was my Proof Of Concept for PatchMii, but note that I’m not going around telling people to actually use it!)
2) Remove the limitation on unencrypted reads from Wii discs (or anything that the Wii thinks is a Wii disc).

Then, he made this release, using the ‘c’ word. Somehow, this became
1) Remove all signature checks on the Wiis
2) Remove the limitation on unencrypted reads from DVDs/DVD-Rs, even on unmodded systems.

I’m still not sure how that happened, because I never saw him say that. But that’s what the media reported.

@00Davo, Xero: PLEASE READ ABOVE.
The most straightforward way to do this would be to set up a “shadow” update server that would vend patched versions of Nintendo’s updates, and then patch the System Menu to talk to it instead of the official servers. However, there are some serious copyright issues with doing this, so this is the next best thing.

Naamah31 // Jul 24, 2008 at 12:39 am.
Beta3 changelog.
improved the reliability of the usbstorage driver. It now resets the drive if it starts to error.

beta2 changelog.
added an ehc custom module which implements standard ios usb API over /dev/usb/ehc, plus custom usbstorage direct api.
restored the legacy oh0 module from nintendo.
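
The comment above on file patching weighs checking a file's CRC before patching against searching for a block of code that might occur twice. The following sketch is an added example, not PatchMii code: it applies both checks and refuses to write unless the file version matches and the pattern occurs exactly once. All names, result codes and byte values are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical result codes for this sketch. */
enum { PATCH_OK = 0, PATCH_BAD_VERSION = -1, PATCH_NOT_FOUND = -2, PATCH_AMBIGUOUS = -3 };
/* Constructed search/replace bytes, not taken from any real module. */
static const uint8_t PAT[4]  = { 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t REPL[4] = { 0x00, 0x00, 0x00, 0x00 };

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320, as used by zlib). */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Count occurrences of pat in buf; *first receives the first match offset. */
size_t count_matches(const uint8_t *buf, size_t n,
                     const uint8_t *pat, size_t m, size_t *first) {
    size_t hits = 0;
    for (size_t i = 0; m && i + m <= n; i++) {
        if (memcmp(buf + i, pat, m) != 0) continue;
        if (hits++ == 0) *first = i;
    }
    return hits;
}

/* Patch only a known file version, and only when the pattern is unique. */
int apply_patch(uint8_t *buf, size_t n, uint32_t want_crc,
                const uint8_t *pat, const uint8_t *repl, size_t m) {
    size_t off = 0;
    if (crc32_buf(buf, n) != want_crc) return PATCH_BAD_VERSION;
    size_t hits = count_matches(buf, n, pat, m, &off);
    if (hits == 0) return PATCH_NOT_FOUND;
    if (hits > 1) return PATCH_AMBIGUOUS; /* a second copy exists: do not guess */
    memcpy(buf + off, repl, m);
    return PATCH_OK;
}

int main(void) {
    /* Constructed buffer holding the pattern once; its own CRC stands in for a recorded one. */
    uint8_t img[12] = { 1, 2, 3, 4, 0xDE, 0xAD, 0xBE, 0xEF, 5, 6, 7, 8 };
    return apply_patch(img, sizeof img, crc32_buf(img, sizeof img), PAT, REPL, 4) != PATCH_OK;
}
```

In every failure case the buffer is left untouched, so a caller can report the mismatch instead of installing a half-patched file.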