Hacking the Channels

Do any of you think it is possible to save a channel to the SD card, edit it and inject the homebrew channel, and then put it back on your Wii? Since it's already on your Wii normally, the Ticket should already be installed.

We would probably need to have someone release an app that can extract and install channels.

but we can already copy a channel to our SD card via the Wii Menu! And why do we need to install the channel if a normal version is ALREADY ON THE WII? Since the Ticket is installed when you download it, you needn't install it again!

Well . . . if you took a channel off the Wii using the Wii menu, I dont think it copys everything to the SD card so you might not be able to inject something into only half of something, but i dont know. Also, im not sure what your talking about, so explain more.

If you put a channel on an SD card, doesn't it copy the WAD file? If you get it on your computer via SD card, all you have to do is edit it with a hex editor or something to CHANGE the code in the the WAD. That way, you wouldn't even need the Twilight Hack!

It wouldn't work, each ticket has the "Hash" of the channel it's for and regardless of how much or little you modified a channel, it will cause it's Hash to change making the ticket useless.



Edited 1 time(s). Last edit at 08/23/2008 06:03PM by stevey.

I see... so, the Hash is determined by the contents of the WAD file. And if you change the WAD file, then it changes the Hash. And the Ticket has a copy of the Hash in it, and if it doesn't match it won't accept it. Well that makes my Idea useless...

Actually, no, the ticket doesn't hash any data. Although I haven't examined the SD channel backup format, this sounds like it could be a valid idea. However, I'm pretty sure the channels are also signed with the Wii's private key (on SD), and I'm not sure if it will accept any valid Wii cert or only its own.

And of course, this is useless on 3.3 with no fakesigning bug.

What about if you wrote a homebrew app to patch something already installed using ISFS? You wouldn't have to worry about the NAND encryption, because you're on the Wii and have decrypted access. It will have been valid when downloading, so the ticket data should match, and if it doesn't hash data, then it should still appear valid after patching, and you wouldn't need the fakesign.

Would that not work?

Quote
whodares
....
Would that not work?

That does work, and people area already doing that in some applications. We can even install fakesigned content if we have homebrew working on 3.3. That's not really an issue.

I think the suggestion being made is if you installed a signed app, and then patched it on the NAND directly, you would effectively bypass the signature check that's only done at install time. However, I believe the check is done at launch time as well. Once you have NAND access, it's better to just patch the System Menu to remove the checks.

the hash/signature check is only done while installing the channels. you'll however need a signature (i.e. tik/tmd) for a title with a gid of zero to modify the nand contents. You'll most likely have to fakesign this signature. And if you can fakesign it you could also just fakesign your hacked channel.
Another possibility is - given that you can already run homebrew - just emulate the powerpc part of ES_LaunchTitle:
1) Load the TMD from the NAND and reload to the correct IOS version. Make sure that IOS actually gets reloaded (i.e. reload to a different version first and then reload to the title's version).
2) ES_Identify with the loaded TMD and a Ticket (either fakesigned or the original one)
3) Load the main executable (hint: it's a dol) using ES_ calls (do *not* load the content stated in the TMD's boot index because that one is just a small stub which loads the dol itself without any patches) and patch it while doing so.
4) Vector to the entry point - or switch to real addressing mode when loading the system menu (i.e. when the entry point is 0x3400) using the SRR0/1 registers and the rfi instruction.



Edited 1 time(s). Last edit at 09/26/2008 03:18PM by svpe.

the suggestion being made was that you edit a channel with a hex editor and then copy it to the Wii via system menu, so that you wouldn't need the Twilight Hack or modifications or any history of homebrew of any kind. This has been proven impossible within the first few posts.