Hacking Bushing's DVD Exploit (Part 2)

[ProdigySim]

I have disassembled the routines IOS does to send commands and read/write status/irq bits.

They are a very good match with what is in libogc.

But you only need to know how to send commands... because that's the only thing needed.

Alright, I have to say, you're probably right.

Someone mentioning "MIOS" before got me thinking... If those commands still work through MIOS (Gamecube mode), of course, Starlet must be able to run those commands on the drive.

I actually didn't know that you could run those commands through software on the gamecube, though. I guess that's what threw me.

Edit: Either way, the implementation is where it's difficult. libogc isn't the only place those commands are available. Seriously, like I said before, it's not to hard to figure out that this is the issue.

 

[nitrotux]

I've always been told the debug commands were not possible, so I was not sure.

But there was alot of confusion about this. Now that it is clear (atleast to me), the only thing needed is some exploit code.

Possible ways for inspiration is OpenWii's sourcecode or looking at the exploit code used for the GC DVD drive.

 

[teq]

Sounds like we're on to something here.

There's an APP in the NAND that relates to MIOS... maybe the instruction could be fed through there?


EDIT: Does anyone know what DVDLowReadDVDConfig does?

 

[ProdigySim]

Before we get too far in this direction, do we know that these commands even WORK run through MIOS? Maybe we should test that first. It would be an easy first step to testing this theory.

 

[zidane_genome]

hell... who knows... maybe Bushings was calling shenanigans on all of us, just to come back in a few days and say GOTCHA! but with all the discussion going on here, everyone actually collaborating on ideas, he may read all this, and say "shit... they actually figured something out!" and release a mod...

and now, for the obligatory "OMGGIMMEHAXORSNOW!!!!11oneone"...

Has it been 5 days? lol

 

[teq]

Before we get too far in this direction, do we know that these commands even WORK run through MIOS? Maybe we should test that first. It would be an easy first step to testing this theory.

I'm trying to find the APP to give us an entrypoint.

 

[jaxxster]

this whole thread is stupid. Reasons like this thread is why some of the more serious sites look down on our communtiy.

 

[teq]

Stop pretending you know what you are talking about, and making shitty offtopic posts (like this one)

I don't even know why discussion is on this forum/board. You guys should seriously head to #hackmii on EFnet and talk turkey there.

At any case, I welcome your knowledge wholeheartedly teq.

I'm on #hackmii, but they've been talking about encryption all day. I think this would be a taboo topic there.


jaxxsterthis whole thread is stupid. Reasons like this thread is why some of the more serious sites look down on our communtiy.

Okay guys, let's just shut down the thread because this fuckwit decided to voice his ominous opinion.

Seriously, if you have nothing constructive to say, shut the fuck up.

 

[dread123]

i want to know what more serious sites look down on us?
there aren't any.
Seriously i think this is looking very promising and good to see others are able to do what bushing and co are able to do. keep up the investigative work peeps

 

[teq]

i want to know what more serious sites look down on us?
there aren't any.
Seriously i think this is looking very promising and good to see others are able to do what bushing and co are able to do. keep up the investigative work peeps

TehSkeen and ElOtrolado, just to name a couple.

Though, I keep seeing the misinformed people from here going over there and trashing their forums (linkinworm, I'm looking in your direction).


EDIT: Let's keep the crosstalk to a minimum, so we can actually have some constructive information passed around.

 

[killplaystation]

EDIT: Let's keep the crosstalk to a minimum, so we can actually have some constructive information passed around.

That's the problem, there's no new information. People just love to post. But i love pizza

 

[zidane_genome]

i want to know what more serious sites look down on us?
there aren't any.
Seriously i think this is looking very promising and good to see others are able to do what bushing and co are able to do. keep up the investigative work peeps

TehSkeen and ElOtrolado, just to name a couple.

Though, I keep seeing the misinformed people from here going over there and trashing their forums (linkinworm, I'm looking in your direction).


EDIT: Let's keep the crosstalk to a minimum, so we can actually have some constructive information passed around.



Sorry teq, I have to do this... last crosstalk from me though...

You say that TehSkeen is a more serious site that looks down on GBATemp?? WTF... first thing I see on that site is this :

CODE

Due to the fact I bricked my first Nintendo Wii CZroe was kind enough to send me one and let me pay a small monthly fee (this was due to the fact I am disabled). Sadly, I bricked that one. So while saving up to move and paying off the bricked Wii I'm unable to purchase another one.

This is so sad! This guy is one of the main admins on the site, and he's bricked 2 Wii's!! If jayparadox (sp?), bushings, and wanikoko would like to post how many Wii's they've bricked, I would love to hear it... let's see how much more of a serious board they are when their admins can't even unbrick a freakin Wii!

 

[skawo96]

Bushing bricked a few times wii...however he have his infectus chip...Look on "Mario Kart Brick" for example.
Like there (skip to bottom)
http://hackmii.com/2008/04/brickmii/#more-8
or there
http://hackmii.com/2008/05/anatomy-of-a-ma...k-pt-2/#more-29
or there
http://hackmii.com/2008/05/autopsy-of-a-mario-kart-brick/

 

[Lumstar]

TMNT >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this thread.

 

[Wabsta]

Wait... You guys actually found out how to do it?

EDIT: Nvm, I read the other topic.

 

[Slimmmmmm]

Speculation, teq could this be right?

custom ios -------------------------------> starlet? ----------------------------------> dvd drive
code changed here-------------------------different command-------------------------uses a diff "mode" eg for config @ factory
booting order?

sorry for posting if this can be proved wrong and I missed it, and yes, I am seriuos, could it be as simple as changing a 1 to an 0 making starlet act differently before the dvd drive verifys?
If you look at the rediculous protection on gamecube notably the password to verify pretty much being password, then maybe this is why bushing is making out it is soooooo important that nintendo react, because they've done it again??

 

[Stalkid64]

OK, someone with some authority on Wii hacking (sorry, I promised not to say who) recently confirmed the debug command theory.

I don't know how to say it so that everyone understands, but here goes:



THE KEY TO PLAYING BACKUPS WITHOUT DRIVECHIP IS BY UPLOADING YOUR OWN EXPLOIT CODE INTO THE DVD FIRMWARE BY SENDING THE DEBUG COMMANDS.


If you take a look at libOGC, at the function DVD_LowUnlockDrive, this is how to put the drive into debug mode:
CODEstatic u8 __dvd_unlockcmd$221[12] = {0xff,0x01,'m','a','t','s','h','i','t','a',0x02,0x00};
static u8 __dvd_unlockcmd$222[12] = {0xff,0x00,'d','v','d','-','g','a','m','e',0x03,0x00};

s32 DVD_LowUnlockDrive(dvdcallbacklow cb)
{
#ifdef _DVD_DEBUG
ÂÂÂÂprintf("DVD_LowUnlockDrive()\n");
#endif
ÂÂÂÂu32 i;

ÂÂÂÂ__dvd_callback = __dvd_unlockdrivecb;
ÂÂÂÂ__dvd_finalunlockcb = cb;
ÂÂÂÂ__dvd_stopnextint = 0;

ÂÂÂÂfor(i=0;i

 

[Erant]

Nitrotux seems to present his findings as fact. I have one simple question for you, have you tried it? Because if you had, you'd have found that
these commands are filtered in hardware. Issuing an 0xFF or a 0xFE command from the starlet (or the PPC, with the Starlet in DI legacy mode, for that matter), will actually send a very nice 0x00 command, which is gibberish to the drive. This has been known for quite a long time, just take a look at the WiiKey features:

- Dev Mode: Remaps drive debug commands from 0xFx to 0x2x

So, my kind request to you (and everyone), please test your hypothesises before presenting them as proven fact.

Erant

 

[Jacobeian]

baby stalkid, could you just go away with your sarcasms ?
yes, among trash speculation, there are some intereting things posted by nitrotux in this thread

and yes, we know the method is quite old and was used in old gamecube days but what's so bad if we believe the same thing could be done on WIi through MIOS ? If we are on the wrong way, just tell us

anyway, again, here's what Cobra IPL and later Anaconda one were doing to allow backup boot:

Initialize the diskdrive into a reset state (by setting HW register cc003024)
- Unlock the drives' debug feature by sending two special commands named
"ff 01 MATSHITA 02 00" and "ff 00 DVD-GAME 03 00"
- Sending some small codeblock into the drives' memory by using a command named
"fe 01 01 00 "
- Starting this codeblock by hooking it into a system call within the drive
resulting in the known (?) states of the bootphase of Cobra04
(laser off, motor off, delay to swap, motor on, laser on)
- Unlocking the drive by performing a ReadDiscID command (A8000040) to be able
to read sectors
- Enable audio streaming depending on the setup of the DiscID
- Reading , parsing and starting the apploader of the swapped disc , resulting
in booting the application on it

according to nitrotux, it's possible to modify IOS DI layer to allow sending the appropriate commands
*theorically*, the firmware RAM could be also patched this way, even if I don't have a fucking idea on what should be patched

I've no goal here, I really don't care of softmod, just want to understand how things work so I'd prefer to be teached rather than to be mocked

 

[F0ur2o]

I smell like cabbage and still have poop on my nose from giving bushing another good ass rimming.

Leave.



Now.