Hacking Trucha Bug Restorer release

  • Thread starter: WiiPower
  • Views: 153,795
  • Replies: 226
For everybody who wants to try to get Trucha Bug Restorer compatible with the 4.3 update:
ES_AddTitleFinish does check the signature of titles before moving them from /tmp to the correct IOS folder. The error code -1017 should indicate that it's failing because of a signature check and not a version check. If I try to start the installation as regular and then replace all files in /tmp from IOS15v1031 with the ones from IOS15v257*, I still get -1017 on ES_AddTitleFinish. My theory is that after calling ES_AddTitleStart the signatures are saved in memory and ES_AddTitleFinish checks against them. If that's true (which I somehow doubt), then it might be possible to search for the signatures in memory and change them to the ones of the title we really want to install.

SifJar said:
TT have said before they have dozens of IOS exploits, so I'm pretty sure they'll be releasing a new HackMii Installer soon. Even if they don't have IOS exploits working on 4.3, others do, like the guys behind Riivolution (installing its channel works on a "virgin" 4.3 Wii).

Any more info about this channel installation? I heard that TT has a few exploits lying around, but currently no exploit to get the privileges that allow installing stuff.

*I do that because IOS15v257 IS correctly signed
 
WiiPower said:
SifJar said:
TT have said before they have dozens of IOS exploits, so I'm pretty sure they'll be releasing a new HackMii Installer soon. Even if they don't have IOS exploits working on 4.3, others do, like the guys behind Riivolution (installing its channel works on a "virgin" 4.3 Wii).

Any more info about this channel installation? I heard that TT has a few exploits lying around, but currently no exploit to get the privileges that allow installing stuff.
No. All I know is AerialX said in the Riivolution thread here: http://gbatemp.net/t215807-riivolution?vie...t&p=2934518 that they updated for 4.3, and to use it you can load it via Indiana Pwns or Smash Stack and install the channel.

Also, apparently there's an IOS exploit that's been in the dop-Mii source for a while unnoticed that may work for this...
 
SifJar said:
WiiPower said:
SifJar said:
TT have said before they have dozens of IOS exploits, so I'm pretty sure they'll be releasing a new HackMii Installer soon. Even if they don't have IOS exploits working on 4.3, others do, like the guys behind Riivolution (installing its channel works on a "virgin" 4.3 Wii).

Any more info about this channel installation? I heard that TT has a few exploits lying around, but currently no exploit to get the privileges that allow installing stuff.
No. All I know is AerialX said in the Riivolution thread here: http://gbatemp.net/t215807-riivolution?vie...t&p=2934518 that they updated for 4.3, and to use it you can load it via Indiana Pwns or Smash Stack and install the channel.

Also, apparently there's an IOS exploit that's been in the dop-Mii source for a while unnoticed that may work for this...

Interesting, did anybody test this exploit by installing one of the new IOS and running dop-Mii with it?
 
Arikado was going to do that last night when I was talking to him on IRC, but I left before he gave his results as it was late and I was tired.
 
BTW, once HackMii Installer is working on 4.3, there's apparently a reasonably simple way you can install fake signed content (e.g. patched IOS) on any Wii, regardless of the installed IOS. The Wii just needs DVDx, which when HackMii Installer gets updated to work (as I'm sure it will soon), all Wiis can have.

You run DVDx, which gives you access to ahbprot, allowing you to disable MEM2 protection and patch the sig checking function of ES, which then lets you install fakesigned content, e.g. a patched IOS. sven_p mentioned this on #wiidev last night. WiiPower, perhaps you could implement this in a new version of TBR (I'm sure you'll be able to work out how to do all that stuff, I haven't a clue, but apparently it's not too hard, and you seem pretty good with that sort of thing.)
 
Hang on. I know I'm no coder, but you're trying to get TBR to work on "virgin 4.3" Wiis, yeah? They won't have DVDx (IOS254 is stubbed).

So I guess you are relying on a new HackMii installer in which a new TBR can be run? Or just looking at ideas?
 
BBking83 said:
Hang on. I know I'm no coder, but you're trying to get TBR to work on "virgin 4.3" Wiis, yeah? They won't have DVDx (IOS254 is stubbed).

So I guess you are relying on a new HackMii installer in which a new TBR can be run? Or just looking at ideas?
DVDx isn't installed as IOS254


Anyway, yeah I think he means after a new HackMii installer is out.
It'd be great if that method works though
 
Yeah I mean once a new HackMii Installer is released. Hence I said at the start of my post "BTW, once HackMii Installer is working on 4.3"
 
Sorry, I swear I remember reading that it was. It must have been BootMii...


SifJar said:
Yeah I mean once a new HackMii Installer is released. Hence I said at the start of my post "BTW, once HackMii Installer is working on 4.3"
facepalm...

Sorry. Again.
 
SifJar said:
BTW, once HackMii Installer is working on 4.3, there's apparently a reasonably simple way you can install fake signed content (e.g. patched IOS) on any Wii, regardless of the installed IOS. The Wii just needs DVDx, which when HackMii Installer gets updated to work (as I'm sure it will soon), all Wiis can have.

You run DVDx, which gives you access to ahbprot, allowing you to disable MEM2 protection and patch the sig checking function of ES, which then lets you install fakesigned content, e.g. a patched IOS. sven_p mentioned this on #wiidev last night. WiiPower, perhaps you could implement this in a new version of TBR (I'm sure you'll be able to work out how to do all that stuff, I haven't a clue, but apparently it's not too hard, and you seem pretty good with that sort of thing.)

I can't do any of that, and the exploit used in TBR is really simple compared to this. And if we get a new HackMii Installer, I will take a closer look at mini. That way I could write something that always works as long as there's a way to get BootMii IOS.
 
WiiPower said:
SifJar said:
BTW, once HackMii Installer is working on 4.3, there's apparently a reasonably simple way you can install fake signed content (e.g. patched IOS) on any Wii, regardless of the installed IOS. The Wii just needs DVDx, which when HackMii Installer gets updated to work (as I'm sure it will soon), all Wiis can have.

You run DVDx, which gives you access to ahbprot, allowing you to disable MEM2 protection and patch the sig checking function of ES, which then lets you install fakesigned content, e.g. a patched IOS. sven_p mentioned this on #wiidev last night. WiiPower, perhaps you could implement this in a new version of TBR (I'm sure you'll be able to work out how to do all that stuff, I haven't a clue, but apparently it's not too hard, and you seem pretty good with that sort of thing.)

I can't do any of that, and the exploit used in TBR is really simple compared to this. And if we get a new HackMii Installer, I will take a closer look at mini. That way I could write something that always works as long as there's a way to get BootMii IOS.

That may be a better option, but why can't you do what I said? Something specifically stopping you? (Not trying to be rude, just curious)
 
I don't know how to run DVDx; OK, that's something I should be able to figure out. Then I do not know what ahbprot is, but maybe it allows me to set the register for MEM2 protection, which I don't know how to do. Well, once that's figured out, I may be able to read MEM2, look for the code I patch in IOS to ignore signatures, and then patch it. But I don't really know where to start on that one. Using mini code on the other hand, I could just write revision 0 into the IOS15 tmd, and done. Or I could read the ES module of IOS36 and patch it directly on NAND. Also it should be possible to install patched IOS to NAND with a mod of SNEEK that does NOT emulate the NAND, but does everything else SNEEK does.
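As an added example (not code from this thread, from Trucha Bug Restorer or from any of the tools named here), the Python below models the fakesigning flaw the discussion keeps circling: the "trucha bug" comparison that a patched ES ignores, why it matters that IOS15v257 is correctly signed while the files being swapped in are not, and what "writing revision 0 into the IOS15 tmd" amounts to once the signature no longer binds the contents. Per the public description of the bug, IOS compared the SHA-1 recovered from the RSA signature block against the SHA-1 of the signed area using strncmp; an all-zero signature decrypts to zeros, so it matched any signed area whose hash began with 0x00, and the forger only had to tweak an uninterpreted field until that happened. The TMD layout, offsets and field names below are a constructed toy, not the real TMD format, and the RSA step is modelled only for the all-zero case.

```python
"""Toy model of Wii fakesigning (the "trucha bug"): strncmp on binary digests.

Added example; the layout and offsets are hypothetical, not the real TMD format.
"""
import hashlib
import struct

SIG_LEN = 256          # toy RSA-2048 signature field
HASH_LEN = 20          # SHA-1 digest length

# Toy signed-area layout (assumed offsets, relative to the signed area):
OFF_TITLE_VERSION = 8  # u16 big-endian, the "revision" field
OFF_FILL = 10          # u16 the verifier never interprets: the brute-force knob
SIGNED_LEN = 32


def build_toy_tmd(title_id: bytes, title_version: int, content_hash: bytes) -> bytearray:
    """Build a toy TMD with an all-zero signature (the fakesigner's starting point)."""
    assert len(title_id) == 8 and len(content_hash) == HASH_LEN
    body = struct.pack(">8sHH20s", title_id, title_version, 0, content_hash)
    assert len(body) == SIGNED_LEN
    return bytearray(b"\x00" * SIG_LEN + body)


def signed_area(tmd: bytearray) -> bytes:
    return bytes(tmd[SIG_LEN:])


def hash_from_signature(sig: bytes):
    """Hash IOS would recover from the signature block (modelled for zeros only).

    Real code RSA-"decrypts" the block and extracts a SHA-1 from the PKCS#1
    padding. An all-zero signature decrypts to all zeros, so the recovered
    hash is 20 zero bytes. Anything else is rejected: no real RSA is modelled.
    """
    if sig == b"\x00" * SIG_LEN:
        return b"\x00" * HASH_LEN
    return None


def strncmp_like(a: bytes, b: bytes, n: int) -> int:
    """Emulate C strncmp(): stop at the first mismatch OR the first NUL byte."""
    for i in range(n):
        if a[i] != b[i]:
            return a[i] - b[i]
        if a[i] == 0:
            return 0
    return 0


def vulnerable_verify(tmd: bytearray) -> bool:
    """The flawed check: strncmp on binary SHA-1 digests."""
    expected = hash_from_signature(bytes(tmd[:SIG_LEN]))
    if expected is None:
        return False
    actual = hashlib.sha1(signed_area(tmd)).digest()
    return strncmp_like(actual, expected, HASH_LEN) == 0


def fixed_verify(tmd: bytearray) -> bool:
    """The corrected check: compare all 20 bytes (memcmp semantics)."""
    expected = hash_from_signature(bytes(tmd[:SIG_LEN]))
    if expected is None:
        return False
    actual = hashlib.sha1(signed_area(tmd)).digest()
    return actual == expected


def set_title_version(tmd: bytearray, version: int) -> None:
    """Edit the toy title-version field, e.g. 'write revision 0 into the tmd'."""
    struct.pack_into(">H", tmd, SIG_LEN + OFF_TITLE_VERSION, version)


def get_title_version(tmd: bytearray) -> int:
    return struct.unpack_from(">H", tmd, SIG_LEN + OFF_TITLE_VERSION)[0]


def fakesign(tmd: bytearray) -> int:
    """Zero the signature, then vary the fill field until SHA-1(signed area)
    starts with 0x00 (about 256 tries on average). Returns the fill used."""
    tmd[:SIG_LEN] = b"\x00" * SIG_LEN
    for fill in range(0x10000):
        struct.pack_into(">H", tmd, SIG_LEN + OFF_FILL, fill)
        if hashlib.sha1(signed_area(tmd)).digest()[0] == 0:
            return fill
    raise RuntimeError("no suitable fill value in 65536 tries")


def demo() -> dict:
    """Forge a 'revision 0' toy TMD and show the two verifiers disagree."""
    # Constructed input: toy title ID 00000001-0000000f, version 1031, dummy hash.
    tmd = build_toy_tmd(b"\x00\x00\x00\x01\x00\x00\x00\x0f", 1031, b"\x11" * HASH_LEN)
    set_title_version(tmd, 0)          # the edit we want past the verifier
    fill = fakesign(tmd)
    return {
        "fill": fill,
        "version": get_title_version(tmd),
        "vulnerable_accepts": vulnerable_verify(tmd),
        "fixed_accepts": fixed_verify(tmd),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two verifiers is that the signed data is never touched beyond the one ignored field: any edit to the version or content hashes survives, which is exactly why a patched ES (or a Wii whose ES still has the bug) accepts a modified IOS, and why an ES with the full-length comparison rejects the same file with a signature error.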
 
SifJar said:
BTW, once HackMii Installer is working on 4.3, there's apparently a reasonably simple way you can install fake signed content (e.g. patched IOS) on any Wii, regardless of the installed IOS. The Wii just needs DVDx, which when HackMii Installer gets updated to work (as I'm sure it will soon), all Wiis can have.

You run DVDx, which gives you access to ahbprot, allowing you to disable MEM2 protection and patch the sig checking function of ES, which then lets you install fakesigned content, e.g. a patched IOS. sven_p mentioned this on #wiidev last night. WiiPower, perhaps you could implement this in a new version of TBR (I'm sure you'll be able to work out how to do all that stuff, I haven't a clue, but apparently it's not too hard, and you seem pretty good with that sort of thing.)
Once it's working, you can just install BootMii as IOS and install a cIOS using cBoot2
 
Davi92 said:
SifJar said:
BTW, once HackMii Installer is working on 4.3, there's apparently a reasonably simple way you can install fake signed content (e.g. patched IOS) on any Wii, regardless of the installed IOS. The Wii just needs DVDx, which when HackMii Installer gets updated to work (as I'm sure it will soon), all Wiis can have.

You run DVDx, which gives you access to ahbprot, allowing you to disable MEM2 protection and patch the sig checking function of ES, which then lets you install fakesigned content, e.g. a patched IOS. sven_p mentioned this on #wiidev last night. WiiPower, perhaps you could implement this in a new version of TBR (I'm sure you'll be able to work out how to do all that stuff, I haven't a clue, but apparently it's not too hard, and you seem pretty good with that sort of thing.)
Once it's working, you can just install BootMii as IOS and install a cIOS using cBoot2
So this way I'm able to access boot2 with BootMii when I wasn't able to before? O_O
 
Davi92 said:
SifJar said:
BTW, once HackMii Installer is working on 4.3, there's apparently a reasonably simple way you can install fake signed content (e.g. patched IOS) on any Wii, regardless of the installed IOS. The Wii just needs DVDx, which when HackMii Installer gets updated to work (as I'm sure it will soon), all Wiis can have.

You run DVDx, which gives you access to ahbprot, allowing you to disable MEM2 protection and patch the sig checking function of ES, which then lets you install fakesigned content, e.g. a patched IOS. sven_p mentioned this on #wiidev last night. WiiPower, perhaps you could implement this in a new version of TBR (I'm sure you'll be able to work out how to do all that stuff, I haven't a clue, but apparently it's not too hard, and you seem pretty good with that sort of thing.)
Once it's working, you can just install BootMii as IOS and install a cIOS using cBoot2

Hard to set up legally (and yes, I do care about the legal part).
 
It's hard to set up legally, that's right, but it's possible. But I would also prefer a solution that's easy to set up and is legal, which is why I mentioned mini.
 
Kikoshi said:
Davi92 said:
SifJar said:
BTW, once HackMii Installer is working on 4.3, there's apparently a reasonably simple way you can install fake signed content (e.g. patched IOS) on any Wii, regardless of the installed IOS. The Wii just needs DVDx, which when HackMii Installer gets updated to work (as I'm sure it will soon), all Wiis can have.

You run DVDx, which gives you access to ahbprot, allowing you to disable MEM2 protection and patch the sig checking function of ES, which then lets you install fakesigned content, e.g. a patched IOS. sven_p mentioned this on #wiidev last night. WiiPower, perhaps you could implement this in a new version of TBR (I'm sure you'll be able to work out how to do all that stuff, I haven't a clue, but apparently it's not too hard, and you seem pretty good with that sort of thing.)
Once it's working, you can just install BootMii as IOS and install a cIOS using cBoot2
So this way I'm able to access boot2 with BootMii when I wasn't able to before? O_O
No, that won't let you install BootMii/boot2 if you haven't been able to before. cboot2 is a program executed by BootMii, not something that's written to your NAND.
 
FenrirWolf said:
Kikoshi said:
Davi92 said:
SifJar said:
BTW, once HackMii Installer is working on 4.3, there's apparently a reasonably simple way you can install fake signed content (e.g. patched IOS) on any Wii, regardless of the installed IOS. The Wii just needs DVDx, which when HackMii Installer gets updated to work (as I'm sure it will soon), all Wiis can have.

You run DVDx, which gives you access to ahbprot, allowing you to disable MEM2 protection and patch the sig checking function of ES, which then lets you install fakesigned content, e.g. a patched IOS. sven_p mentioned this on #wiidev last night. WiiPower, perhaps you could implement this in a new version of TBR (I'm sure you'll be able to work out how to do all that stuff, I haven't a clue, but apparently it's not too hard, and you seem pretty good with that sort of thing.)
Once it's working, you can just install BootMii as IOS and install a cIOS using cBoot2
So this way I'm able to access boot2 with BootMii when I wasn't able to before? O_O
No, that won't let you install BootMii/boot2 if you haven't been able to before. cboot2 is a program executed by BootMii, not something that's written to your NAND.
*cough BootMii/IOS cough*
 
