In Memory patching of System Menu like Freeloader

Posted by WiiCrazy 
In Memory patching of System Menu like Freeloader
September 06, 2008 01:13PM
I'm writing this without prior knowledge of the flow of control in the System Menu.

Menu loader patches the System Menu by loading the title from the NAND, patching it and restarting it. What about the DVD apploader? Freeloader probably patches the system menu in memory when its apploader runs.

So can't this region patching be extended to patch other aspects of the system menu?

Possibilities are:
1. An extended sadmenu patch so that the system menu just displays the disc channel (or better, the homebrew channel) and the rest is ignored.
2. Patching to display the Recovery menu (this needs a restart I guess; can the apploader do this?)

I'm thinking about these more now because I got a brick from an incorrectly packed U8 archive. Nothing autoboots, even though my Wii is chipped. It just displays a "...System files are corrupted..." message on a press of the A button on the Wiimote.

So I plan to delve into system menu patching using the apploader from Freeloader... And is there any good PPC assembly book that you can suggest?
Re: In Memory patching of System Menu like Freeloader
September 07, 2008 02:28PM
Quote

I'm thinking about these more now because I got a brick from an incorrectly packed U8 archive. Nothing autoboots, even though my Wii is chipped. It just displays a "...System files are corrupted..." message on a press of the A button on the Wiimote.
You should have installed Starfall, then you can get the recovery menu by holding Y on boot.
Re: In Memory patching of System Menu like Freeloader
September 07, 2008 03:17PM
Quote
Muzer
Quote

I'm thinking about these more now because I got a brick from an incorrectly packed U8 archive. Nothing autoboots, even though my Wii is chipped. It just displays a "...System files are corrupted..." message on a press of the A button on the Wiimote.
You should have installed Starfall, then you can get the recovery menu by holding Y on boot.

Well, it didn't install on my machine; I do not know why. It requested pressing 2+B at the same time... no matter how much I tried, it didn't work...

I was careless because I thought I would be able to autoboot and fix the banner brick... So autoboot didn't work :(
Re: In Memory patching of System Menu like Freeloader
September 10, 2008 03:22PM
Well, I started working on it on my own...
In the apploader disassembly, the data below is significant:
0x817FC8C0, 0x40, 0x440, 0x817FFF80, 0x40, 0x2000, 0x817FC8C0, 0x40, 0x440

It seems like patch data: a memory address, expected value, patched value... yet it will probably fail with different sys menu versions unless the data is always loaded into the same memory address in all system menu versions. There can be a range in either the patch data or in the code, but this time just 0x40 or 0x440 do not qualify as a search term.

And the addresses above don't fit anywhere in the sys menu disassembly.

And the strings below:
Report function was %08x, now is %08x
Searching for region patches
found patch at %08x
done extra Wii patch
found update check at %08x
found update flag at %08x
found runner at %08x
found real runner at %08x

There don't seem to be any cross references to them, so it seems the references are indirect. They probably used them for debugging.

Just my random findings...
Re: In Memory patching of System Menu like Freeloader
September 12, 2008 04:59AM
80000003 game_region_byte:  .space 1        # DATA XREF: set_TV_mode
80000020 boot_magic: .space 4 # DATA XREF: apploader_main+84
80000024 version: .space 4 # DATA XREF: apploader_main+98
80000030 ArenaLo: .space 4 # DATA XREF: apploader_main+A4
80000034 ArenaHi: .space 4 # DATA XREF: apploader_main+B4
80000038 FST_buf: .space 4 # DATA XREF: apploader_main+C4
8000003C FST_len: .space 4 # DATA XREF: apploader_main+D4
800000CC TV_mode: .space 4 # DATA XREF: set_TV_mode+10
800000EC debug_mon_addr: .space 4 # DATA XREF: apploader_main+E4
800000F0 simulated_mem_size:.space 4 # DATA XREF: apploader_main+F4
800000F4 BI2_buf: .space 4 # DATA XREF: apploader_main+100
80001800 jump_stub_loc: .space 4 # DATA XREF: install_jump_stub+1C
80001804 dword_80001804: .space 4 # DATA XREF: do_region_patching+3C
80001810 game_patch_stub: .space 4 # DATA XREF: install_jump_stub+4
80001814 dword_80001814: .space 4 # DATA XREF: sub_8120009C
800019A4 dword_800019A4: .space 4 # DATA XREF: sub_812020F8+3C
811FFFE0 date_stamp: .string "2001/09/08"
811FFFF0 apploader_entry: .long start
811FFFF4 apploader_length: .long 0x2314
811FFFF8 trailer_length: .long 0x192C0
811FFFFC .align 3
81200000 # =============== S U B R O U T I N E =======================================
81200000 # int __stdcall apploader_init(void *osreport_fptr)
81200000 apploader_init: # DATA XREF: start+C
81200000 .set var_4, -4
81200000 .set osreport_fptr, 4
81200000 stwu %sp, -0x10(%sp)
81200004 mflr %r0
81200008 stw %r31, 0x10+var_4(%sp)
8120000C stw %r0, 0x10+osreport_fptr(%sp)
81200010 mr %r0, %r3
81200014 lis %r9, report_func_ptr@h
81200018 cmpwi %r0, 0
8120001C lwz %r31, report_func_ptr@l(%r9)
81200020 stw %r0, report_func_ptr@l(%r9)
81200024 beq loc_81200044
81200028 lis %r3, a_Reportfunctionwas08xnowis08x@h # "Report function was %08x, now is %08x\n"
8120002C mtlr %r0
81200030 addi %r3, %r3, a_Reportfunctionwas08xnowis08x@l # "Report function was %08x, now is %08x\n"
81200034 mr %r4, %r31
81200038 mr %r5, %r0
8120003C crclr 4*cr1+eq
81200040 blrl
81200044 loc_81200044: # CODE XREF: apploader_init+24
81200044 mr %r3, %r31
81200048 lwz %r0, 0x10+osreport_fptr(%sp)
8120004C mtlr %r0
81200050 lwz %r31, 0x10+var_4(%sp)
81200054 addi %sp, %sp, 0x10
81200058 blr
81200058 # End of function apploader_init
8120005C # =============== S U B R O U T I N E =======================================
8120005C install_jump_stub: # CODE XREF: do_region_patching+280
8120005C lwz %r10, 0(%r3)
81200060 lis %r0, game_patch_stub@h
81200064 extlwi %r8, %r10, 24,6
81200068 srawi %r8, %r8, 6
8120006C add %r11, %r3, %r8
81200070 ori %r0, %r0, game_patch_stub@l
81200074 subf %r8, %r3, %r0
81200078 lis %r9, jump_stub_loc@h
8120007C lis %r10, 0x4800 # 0x48000001
81200080 ori %r9, %r9, jump_stub_loc@l
81200084 ori %r10, %r10, 1 # 0x48000001
81200088 rlwinm %r0, %r8, 0,6,29
8120008C stw %r11, ((jump_stub_loc-0x1800)@l)(%r9)
81200090 or %r10, %r0, %r10
81200094 stw %r10, 0(%r3)
81200098 blr
81200098 # End of function install_jump_stub
8120009C # =============== S U B R O U T I N E =======================================
8120009C sub_8120009C: # CODE XREF: do_region_patching+390
8120009C lis %r0, dword_80001814@h
812000A0 ori %r0, %r0, dword_80001814@l
812000A4 subf %r0, %r3, %r0
812000A8 rlwinm %r0, %r0, 0,6,29
812000AC oris %r0, %r0, 0x4800
812000B0 stw %r0, 0(%r3)
812000B4 blr
812000B4 # End of function sub_8120009C
812000B8 # =============== S U B R O U T I N E =======================================
812000B8 do_krad_effect: # CODE XREF: do_region_patching+60
812000B8 # do_region_patching+3B4
812000B8 .set var_8, -8
812000B8 .set var_4, -4
812000B8 stwu %sp, -0x10(%sp)
812000BC stw %r30, 0x10+var_8(%sp)
812000C0 stw %r31, 0x10+var_4(%sp)
812000C4 li %r11, 0
812000C8 lis %r9, 0xCC00
812000CC cmplw %r11, %r3
812000D0 ori %r9, %r9, 0x2048 # 0xCC002048
812000D4 lhz %r5, 0(%r9)
812000D8 bge loc_812001B0
812000DC srwi %r4, %r5, 8
812000E0 clrlwi %r30, %r4, 16
812000E4 mr %r31, %r4
812000E8 loc_812000E8: # CODE XREF: do_krad_effect+F4
812000E8 clrlwi %r9, %r4, 16
812000EC cmpwi %r9, 0
812000F0 addi %r12, %r11, 1
812000F4 beq loc_81200144
812000F8 lis %r8, -0x3400 # 0xCC002048
812000FC lis %r10, -0x3400 # 0xCC00202C
81200100 ori %r8, %r8, 0x2048 # 0xCC002048
81200104 ori %r10, %r10, 0x202C # 0xCC00202C
81200108 clrlwi %r7, %r5, 24
8120010C loc_8120010C: # CODE XREF: do_krad_effect+88
8120010C slwi %r0, %r9, 8
81200110 or %r0, %r7, %r0
81200114 sth %r0, 0(%r8)
81200118 addi %r11, %r9, -1
8120011C loc_8120011C: # CODE XREF: do_krad_effect+6C
8120011C lha %r0, 0(%r10)
81200120 cmpwi %r0, 0x20A
81200124 bne loc_8120011C
81200128 lis %r9, -0x3400 # 0xCC00202C
8120012C ori %r9, %r9, 0x202C # 0xCC00202C
81200130 loc_81200130: # CODE XREF: do_krad_effect+80
81200130 lha %r0, 0(%r9)
81200134 cmpwi %r0, 0x20A
81200138 ble loc_81200130
8120013C mr. %r9, %r11
81200140 bne loc_8120010C
81200144 loc_81200144: # CODE XREF: do_krad_effect+3C
81200144 li %r9, 0
81200148 cmplw %r9, %r30
8120014C bge loc_812001A4
81200150 lis %r10, -0x3400 # 0xCC002048
81200154 lis %r11, -0x3400 # 0xCC00202C
81200158 ori %r10, %r10, 0x2048 # 0xCC002048
8120015C ori %r11, %r11, 0x202C # 0xCC00202C
81200160 clrlwi %r6, %r31, 16
81200164 clrlwi %r7, %r5, 24
81200168 loc_81200168: # CODE XREF: do_krad_effect+E8
81200168 slwi %r0, %r9, 8
8120016C or %r0, %r7, %r0
81200170 sth %r0, 0(%r10)
81200174 addi %r8, %r9, 1
81200178 loc_81200178: # CODE XREF: do_krad_effect+C8
81200178 lha %r0, 0(%r11)
8120017C cmpwi %r0, 0x20A
81200180 bne loc_81200178
81200184 lis %r9, -0x3400 # 0xCC00202C
81200188 ori %r9, %r9, 0x202C # 0xCC00202C
8120018C loc_8120018C: # CODE XREF: do_krad_effect+DC
8120018C lha %r0, 0(%r9)
81200190 cmpwi %r0, 0x20A
81200194 ble loc_8120018C
81200198 mr %r9, %r8
8120019C cmplw %r9, %r6
812001A0 blt loc_81200168
812001A4 loc_812001A4: # CODE XREF: do_krad_effect+94
812001A4 mr %r11, %r12
812001A8 cmplw %r11, %r3
812001AC blt loc_812000E8
812001B0 loc_812001B0: # CODE XREF: do_krad_effect+20
812001B0 lis %r9, -0x3400 # 0xCC002048
812001B4 ori %r9, %r9, 0x2048 # 0xCC002048
812001B8 sth %r5, 0(%r9)
812001BC lwz %r30, 0x10+var_8(%sp)
812001C0 lwz %r31, 0x10+var_4(%sp)
812001C4 addi %sp, %sp, 0x10
812001C8 blr
812001C8 # End of function do_krad_effect
812001CC # =============== S U B R O U T I N E =======================================
812001CC do_region_patching: # CODE XREF: apploader_main+124
812001CC .set var_30, -0x30
812001CC .set var_2C, -0x2C
812001CC .set var_28, -0x28
812001CC .set var_24, -0x24
812001CC .set var_20, -0x20
812001CC .set var_1C, -0x1C
812001CC .set var_18, -0x18
812001CC .set var_14, -0x14
812001CC .set var_10, -0x10
812001CC .set var_C, -0xC
812001CC .set var_8, -8
812001CC .set var_4, -4
812001CC .set arg_4, 4
812001CC stwu %sp, -0x38(%sp)
812001D0 mflr %r0
812001D4 stw %r20, 0x38+var_30(%sp)
812001D8 stw %r21, 0x38+var_2C(%sp)
812001DC stw %r22, 0x38+var_28(%sp)
812001E0 stw %r23, 0x38+var_24(%sp)
812001E4 stw %r24, 0x38+var_20(%sp)
812001E8 stw %r25, 0x38+var_1C(%sp)
812001EC stw %r26, 0x38+var_18(%sp)
812001F0 stw %r27, 0x38+var_14(%sp)
812001F4 stw %r28, 0x38+var_10(%sp)
812001F8 stw %r29, 0x38+var_C(%sp)
812001FC stw %r30, 0x38+var_8(%sp)
81200200 stw %r31, 0x38+var_4(%sp)
81200204 stw %r0, 0x38+arg_4(%sp)
81200208 lis %r21, dword_80001804@h
8120020C ori %r21, %r21, dword_80001804@l
81200210 lwz %r9, ((dword_80001804-0x1804)@l)(%r21)
81200214 lis %r0, 0x4449 # 0x44495001
81200218 ori %r0, %r0, 0x5001 # 0x44495001
8120021C cmpw %r9, %r0
81200220 lis %r20, 0x8133
81200224 bne loc_8120023C
81200228 li %r3, 2
8120022C bl do_krad_effect
81200230 lis %r0, 0x4449 # 0x44495002
81200234 ori %r0, %r0, 0x5002 # 0x44495002
81200238 b loc_8120058C
8120023C # ---------------------------------------------------------------------------
8120023C loc_8120023C: # CODE XREF: do_region_patching+58
8120023C lis %r0, 0x4449 # 0x44495002
81200240 ori %r0, %r0, 0x5002 # 0x44495002
81200244 cmpw %r9, %r0
81200248 bne loc_81200284
8120024C stw %r9, ((dword_80001804-0x1804)@l)(%r21)
81200250 b loc_81200590
81200254 # ---------------------------------------------------------------------------
81200254 found_update_flag: # CODE XREF: do_region_patching+2A4
81200254 lis %r9, report_func_ptr@h
81200258 lwz %r0, report_func_ptr@l(%r9)
8120025C lis %r3, a_foundupdateflagat08x@h # "found update flag at %08x\n"
81200260 mtlr %r0
81200264 addi %r3, %r3, a_foundupdateflagat08x@l # "found update flag at %08x\n"
81200268 addi %r26, %r26, 1
8120026C crclr 4*cr1+eq
81200270 blrl
81200274 lwzx %r0, %r29, %r31
81200278 clrrwi %r0, %r0, 16
8120027C stwx %r0, %r29, %r31
81200280 b loc_81200490
81200284 # ---------------------------------------------------------------------------
81200284 loc_81200284: # CODE XREF: do_region_patching+7C
81200284 lis %r4, -0x7EA3 # 0x815D0D2C
81200288 addi %r4, %r4, 0xD2C # 0x815D0D2C
8120028C lis %r3, a_Searchingforregionpatches@h # "Searching for region patches\n"
81200290 addi %r3, %r3, a_Searchingforregionpatches@l # "Searching for region patches\n"
81200294 mtlr %r0
81200298 lis %r24, 3 # 0x3FFFF
8120029C li %r26, 0
812002A0 li %r29, 0
812002A4 crclr 4*cr1+eq
812002A8 blrl
812002AC lis %r22, -0x7EE0
812002B0 li %r9, 0
812002B4 ori %r24, %r24, -1 # 0x3FFFF
812002B8 loc_812002B8: # CODE XREF: do_region_patching+1DC
812002B8 cmplw %r29, %r24
812002BC addi %r23, %r9, 1
812002C0 bgt loc_812003A0
812002C4 slwi %r9, %r29, 2
812002C8 lis %r7, 0x2800 # 0x28000002
812002CC lis %r8, 0x3800 # 0x38000001
812002D0 lis %r28, 0x4082 # 0x4082001C
812002D4 lis %r27, 0x4800 # 0x4800001C
812002D8 lis %r10, 3 # 0x3FFFF
812002DC mr %r11, %r9
812002E0 ori %r7, %r7, 2 # 0x28000002
812002E4 lis %r5, 0x4082
812002E8 ori %r8, %r8, 1 # 0x38000001
812002EC lis %r6, 0x3800
812002F0 lis %r3, a_foundpatchat08x@h # "found patch at %08x\n"
812002F4 ori %r28, %r28, 0x1C # 0x4082001C
812002F8 ori %r27, %r27, 0x1C # 0x4800001C
812002FC lis %r25, a_doneextraWiipatch@h # "done extra Wii patch\n"
81200300 ori %r10, %r10, -1 # 0x3FFFF
81200304 addis %r31, %r9, -0x7ECD
81200308 loc_81200308: # CODE XREF: do_region_patching+1D0
81200308 lwzx %r0, %r11, %r20
8120030C rlwinm %r0, %r0, 0,24,7
81200310 cmpw %r0, %r7
81200314 bne loc_8120038C
81200318 lwz %r0, 4(%r31)
8120031C clrrwi %r0, %r0, 8
81200320 cmpw %r0, %r5
81200324 bne loc_8120038C
81200328 lwz %r30, 8(%r31)
8120032C cmpw %r30, %r8
81200330 bne loc_8120038C
81200334 lwz %r0, 0x10(%r31)
81200338 cmpw %r0, %r6
8120033C bne loc_8120038C
81200340 lwz %r9, report_func_ptr@l(%r22)
81200344 addi %r3, %r3, a_foundpatchat08x@l # "found patch at %08x\n"
81200348 mr %r4, %r31
8120034C mtlr %r9
81200350 crclr 4*cr1+eq
81200354 blrl
81200358 lwz %r0, 0x30(%r31)
8120035C stw %r30, 0x10(%r31)
81200360 cmpw %r0, %r28
81200364 bne loc_81200380
81200368 stw %r27, 0x30(%r31)
8120036C lwz %r9, 0x2210(%r22)
81200370 addi %r3, %r25, a_doneextraWiipatch@l # "done extra Wii patch\n"
81200374 mtlr %r9
81200378 crclr 4*cr1+eq
8120037C blrl
81200380 loc_81200380: # CODE XREF: do_region_patching+198
81200380 addi %r26, %r26, 1
81200384 addi %r29, %r29, 1
81200388 b loc_812003A0
8120038C # ---------------------------------------------------------------------------
8120038C loc_8120038C: # CODE XREF: do_region_patching+148
8120038C # do_region_patching+158
8120038C # do_region_patching+164
8120038C addi %r29, %r29, 1
81200390 cmplw %r29, %r10
81200394 addi %r31, %r31, 4
81200398 addi %r11, %r11, 4
8120039C ble loc_81200308
812003A0 loc_812003A0: # CODE XREF: do_region_patching+F4
812003A0 # do_region_patching+1BC
812003A0 mr %r9, %r23
812003A4 cmplwi %r9, 1
812003A8 ble loc_812002B8
812003AC lis %r11, 0x3863 # 0x38630010
812003B0 lis %r9, 3 # 0x3FFFF
812003B4 lis %r20, -0x7ECD
812003B8 li %r29, 0
812003BC lis %r6, 0x3881
812003C0 ori %r11, %r11, 0x10 # 0x38630010
812003C4 lis %r7, 0x4800
812003C8 lis %r8, 0x2C03
812003CC lis %r10, 0x4080
812003D0 lis %r3, a_foundupdatecheckat08x@h # "found update check at %08x\n"
812003D4 ori %r9, %r9, -1 # 0x3FFFF
812003D8 loc_812003D8: # CODE XREF: do_region_patching+2C0
812003D8 slwi %r30, %r29, 2
812003DC lwzx %r0, %r30, %r20
812003E0 addis %r31, %r30, -0x7ECD
812003E4 clrrwi %r0, %r0, 16
812003E8 cmpw %r0, %r6
812003EC bne loc_81200484
812003F0 lwz %r0, 4(%r31)
812003F4 cmpw %r0, %r11
812003F8 bne loc_81200484
812003FC lwz %r0, 8(%r31)
81200400 clrrwi %r0, %r0, 24
81200404 cmpw %r0, %r7
81200408 bne loc_81200484
8120040C lwz %r0, 0xC(%r31)
81200410 cmpw %r0, %r8
81200414 bne loc_81200484
81200418 lwz %r0, 0x10(%r31)
8120041C clrrwi %r0, %r0, 16
81200420 cmpw %r0, %r10
81200424 bne loc_81200484
81200428 lwz %r9, 0x2210(%r22)
8120042C addi %r3, %r3, a_foundupdatecheckat08x@l # "found update check at %08x\n"
81200430 mr %r4, %r31
81200434 mtlr %r9
81200438 li %r29, 0
8120043C crclr 4*cr1+eq
81200440 blrl
81200444 addi %r3, %r30, 8
81200448 addis %r3, %r3, -0x7ECD
8120044C bl install_jump_stub
81200450 li %r0, 0x10
81200454 mtctr %r0
81200458 lis %r9, 0x3000 # 0x30000001
8120045C ori %r9, %r9, 1 # 0x30000001
81200460 mr %r4, %r31
81200464 loc_81200464: # CODE XREF: do_region_patching+2B0
81200464 lwz %r0, 0(%r4)
81200468 rlwinm %r0, %r0, 0,16,3
8120046C cmpw %r0, %r9
81200470 beq found_update_flag
81200474 addi %r4, %r4, 4
81200478 addi %r29, %r29, 4
8120047C bdnz loc_81200464
81200480 b loc_81200490
81200484 # ---------------------------------------------------------------------------
81200484 loc_81200484: # CODE XREF: do_region_patching+220
81200484 # do_region_patching+22C
81200484 # do_region_patching+23C
81200484 addi %r29, %r29, 1
81200488 cmplw %r29, %r9
8120048C ble loc_812003D8
81200490 loc_81200490: # CODE XREF: do_region_patching+B4
81200490 # do_region_patching+2B4
81200490 lis %r10, 0x3C20 # 0x3C208160
81200494 lis %r11, 3 # 0x3FFFF
81200498 lis %r20, -0x7ECD
8120049C li %r29, 0
812004A0 lis %r6, 0x3BE0
812004A4 ori %r10, %r10, -0x7EA0 # 0x3C208160
812004A8 lis %r7, 0x6021
812004AC lis %r8, 0x38C0
812004B0 lis %r3, a_foundrunnerat08x@h # "found runner at %08x\n"
812004B4 ori %r11, %r11, -1 # 0x3FFFF
812004B8 loc_812004B8: # CODE XREF: do_region_patching+3A0
812004B8 slwi %r9, %r29, 2
812004BC lwzx %r0, %r9, %r20
812004C0 addis %r31, %r9, -0x7ECD
812004C4 cmpw %r0, %r6
812004C8 bne loc_81200564
812004CC lwz %r0, 4(%r31)
812004D0 cmpw %r0, %r10
812004D4 bne loc_81200564
812004D8 lwz %r0, 8(%r31)
812004DC cmpw %r0, %r7
812004E0 bne loc_81200564
812004E4 lwz %r0, 0xC(%r31)
812004E8 cmpw %r0, %r8
812004EC bne loc_81200564
812004F0 lwz %r9, 0x2210(%r22)
812004F4 addi %r3, %r3, a_foundrunnerat08x@l # "found runner at %08x\n"
812004F8 mr %r4, %r31
812004FC mtlr %r9
81200500 li %r29, 0
81200504 crclr 4*cr1+eq
81200508 blrl
8120050C lis %r11, 0x4E80 # 0x4E800020
81200510 lis %r3, a_foundrealrunnerat08x@h # "found real runner at %08x\n"
81200514 ori %r11, %r11, 0x20 # 0x4E800020
81200518 b loc_81200524
8120051C # ---------------------------------------------------------------------------
8120051C loc_8120051C: # CODE XREF: do_region_patching+36C
8120051C addi %r31, %r9, 4
81200520 addi %r29, %r29, 1
81200524 loc_81200524: # CODE XREF: do_region_patching+34C
81200524 cmplwi %r29, 0xF
81200528 bgt loc_81200570
8120052C lwz %r0, 0(%r31)
81200530 mr %r9, %r31
81200534 cmpw %r0, %r11
81200538 bne loc_8120051C
8120053C lwz %r0, 0x2210(%r22)
81200540 addi %r3, %r3, a_foundrealrunnerat08x@l # "found real runner at %08x\n"
81200544 mr %r4, %r31
81200548 mtlr %r0
8120054C addi %r26, %r26, 1
81200550 crclr 4*cr1+eq
81200554 blrl
81200558 mr %r3, %r31
8120055C bl sub_8120009C
81200560 b loc_81200570
81200564 # ---------------------------------------------------------------------------
81200564 loc_81200564: # CODE XREF: do_region_patching+2FC
81200564 # do_region_patching+308
81200564 # do_region_patching+314
81200564 addi %r29, %r29, 1
81200568 cmplw %r29, %r11
8120056C ble loc_812004B8
81200570 loc_81200570: # CODE XREF: do_region_patching+35C
81200570 # do_region_patching+394
81200570 cmpwi %r26, 4
81200574 beq loc_8120057C
81200578 loc_81200578: # CODE XREF: do_region_patching:loc_81200578
81200578 b loc_81200578
8120057C # ---------------------------------------------------------------------------
8120057C loc_8120057C: # CODE XREF: do_region_patching+3A8
8120057C li %r3, 2
81200580 bl do_krad_effect
81200584 lis %r0, 0x4449 # 0x44495001
81200588 ori %r0, %r0, 0x5001 # 0x44495001
8120058C loc_8120058C: # CODE XREF: do_region_patching+6C
8120058C stw %r0, 0(%r21)
81200590 loc_81200590: # CODE XREF: do_region_patching+84
81200590 lwz %r0, 0x38+arg_4(%sp)
81200594 mtlr %r0
81200598 lwz %r20, 0x38+var_30(%sp)
8120059C lwz %r21, 0x38+var_2C(%sp)
812005A0 lwz %r22, 0x38+var_28(%sp)
812005A4 lwz %r23, 0x38+var_24(%sp)
812005A8 lwz %r24, 0x38+var_20(%sp)
812005AC lwz %r25, 0x38+var_1C(%sp)
812005B0 lwz %r26, 0x38+var_18(%sp)
812005B4 lwz %r27, 0x38+var_14(%sp)
812005B8 lwz %r28, 0x38+var_10(%sp)
812005BC lwz %r29, 0x38+var_C(%sp)
812005C0 lwz %r30, 0x38+var_8(%sp)
812005C4 lwz %r31, 0x38+var_4(%sp)
812005C8 addi %sp, %sp, 0x38
812005CC blr
812005CC # End of function do_region_patching
812005D0 # =============== S U B R O U T I N E =======================================
812005D0 # int __stdcall apploader_main(void **addr, int *length, int *offset)
812005D0 apploader_main: # DATA XREF: start+18
812005D0 .set arg_4, 4
812005D0 stwu %sp, -8(%sp)
812005D4 mflr %r0
812005D8 stw %r0, 8+arg_4(%sp)
812005DC lis %r6, phase@h
812005E0 lwz %r9, phase@l(%r6)
812005E4 lis %r10, fake_params@h
812005E8 slwi %r0, %r9, 1
812005EC addi %r10, %r10, fake_params@l
812005F0 add %r0, %r0, %r9 # r0 = phase*3
812005F4 slwi %r0, %r0, 2 # r0 = phase * 12
812005F8 addi %r7, %r10, apploader_params.offset # r7 = 0x440
812005FC lwzx %r11, %r7, %r0 # r11 = memory_region_list + 8 + phase*12
81200600 addi %r8, %r10, apploader_params.length
81200604 stw %r11, 0(%r5) # offset = fake_params[phase].offset
81200608 lwz %r9, phase@l(%r6)
8120060C slwi %r0, %r9, 1 # r0 = phase*2
81200610 add %r0, %r0, %r9 # r0 = phase*3
81200614 slwi %r0, %r0, 2 # r0 = phase*12
81200618 lwzx %r9, %r8, %r0
8120061C stw %r9, 0(%r4) # length = fake_params[phase].length
81200620 lwz %r11, phase@l(%r6)
81200624 slwi %r0, %r11, 1
81200628 add %r0, %r0, %r11
8120062C slwi %r0, %r0, 2
81200630 lwzx %r9, %r10, %r0
81200634 stw %r9, 0(%r3) # addr = fake_params[phase].addr
81200638 lwz %r9, phase@l(%r6)
8120063C slwi %r0, %r9, 1
81200640 add %r0, %r0, %r9
81200644 slwi %r0, %r0, 2 # r0 = phase*12
81200648 lwzx %r10, %r7, %r0 # r10 = fake_params[phase].offset
8120064C cmpwi %r10, 0
81200650 bne return_to_bs2
81200654 lis %r9, boot_magic@h
81200658 lis %r0, 0xD15 # 0xD15EA5E
8120065C ori %r9, %r9, boot_magic@l
81200660 ori %r0, %r0, -0x15A2 # 0xD15EA5E
81200664 stw %r0, ((boot_magic-0x20)@l)(%r9)
81200668 lis %r11, version@h
8120066C ori %r11, %r11, version@l
81200670 li %r0, 1
81200674 lis %r9, ArenaLo@h
81200678 stw %r0, ((version-0x24)@l)(%r11)
8120067C ori %r9, %r9, ArenaLo@l
81200680 stw %r10, ((ArenaLo-0x30)@l)(%r9)
81200684 lis %r11, ArenaHi@h
81200688 lis %r0, -0x7E81 # 0x817FFF80
8120068C ori %r0, %r0, -0x80 # 0x817FFF80
81200690 ori %r11, %r11, ArenaHi@l
81200694 lis %r9, FST_buf@h
81200698 stw %r0, ((ArenaHi-0x34)@l)(%r11)
8120069C ori %r9, %r9, FST_buf@l
812006A0 stw %r0, ((FST_buf-0x38)@l)(%r9)
812006A4 lis %r11, FST_len@h
812006A8 ori %r11, %r11, FST_len@l
812006AC li %r0, 0x24
812006B0 stw %r0, ((FST_len-0x3C)@l)(%r11)
812006B4 lis %r9, debug_mon_addr@h
812006B8 ori %r9, %r9, debug_mon_addr@l
812006BC lis %r0, -0x7E80
812006C0 stw %r0, ((debug_mon_addr-0xEC)@l)(%r9)
812006C4 lis %r11, simulated_mem_size@h
812006C8 ori %r11, %r11, simulated_mem_size@l
812006CC lis %r10, 0x180
812006D0 lis %r9, BI2_buf@h
812006D4 lis %r0, -0x7E81 # 0x817FC8C0
812006D8 stw %r10, ((simulated_mem_size-0xF0)@l)(%r11)
812006DC ori %r9, %r9, BI2_buf@l
812006E0 ori %r0, %r0, -0x3740 # 0x817FC8C0
812006E4 lis %r3, 0x8000
812006E8 stw %r0, ((BI2_buf-0xF4)@l)(%r9)
812006EC li %r4, 0x100
812006F0 bl flush_cache
812006F4 bl do_region_patching
812006F8 li %r3, 0
812006FC b loc_8120070C
81200700 # ---------------------------------------------------------------------------
81200700 return_to_bs2: # CODE XREF: apploader_main+80
81200700 addi %r0, %r9, 1
81200704 stw %r0, 0x220C(%r6) # phase++
81200708 li %r3, 1
8120070C loc_8120070C: # CODE XREF: apploader_main+12C
8120070C lwz %r0, 8+arg_4(%sp)
81200710 mtlr %r0
81200714 addi %sp, %sp, 8
81200718 blr
81200718 # End of function apploader_main
8120071C # =============== S U B R O U T I N E =======================================
8120071C apploader_close: # DATA XREF: start+20
8120071C lis %r3, nullsub_1@h
81200720 addi %r3, %r3, nullsub_1@l
81200724 blr
81200724 # End of function apploader_close
81200728 # =============== S U B R O U T I N E =======================================
81200728 start: # DATA XREF: RAM:apploader_entry
81200728 .set arg_4, 4
81200728 stwu %sp, -8(%sp)
8120072C mflr %r0
81200730 stw %r0, 8+arg_4(%sp)
81200734 lis %r9, apploader_init@h
81200738 addi %r9, %r9, apploader_init@l
8120073C stw %r9, 0(%r3)
81200740 lis %r11, apploader_main@h
81200744 addi %r11, %r11, apploader_main@l
81200748 lis %r9, apploader_close@h
8120074C stw %r11, 0(%r4)
81200750 addi %r9, %r9, apploader_close@l
81200754 stw %r9, 0(%r5)
81200758 lis %r11, phase@h
8120075C li %r0, 0
81200760 lis %r3, game_patch_stub@h
81200764 lis %r4, game_patch_code@h
81200768 stw %r0, phase@l(%r11)
8120076C addi %r4, %r4, game_patch_code@l
81200770 ori %r3, %r3, game_patch_stub@l
81200774 li %r5, 0x1A0
81200778 bl memcpy # memcpy(game_patch_stub, game_patch_code, 0x1a0)
8120077C lwz %r0, 8+arg_4(%sp)
81200780 mtlr %r0
81200784 addi %sp, %sp, 8
81200788 blr
81200788 # End of function start
8120078C # =============== S U B R O U T I N E =======================================
8120078C memcpy: # CODE XREF: start+50
8120078C mr %r0, %r5
81200790 cmpwi %r0, 0
81200794 addi %r5, %r5, -1
81200798 blelr
8120079C loc_8120079C: # CODE XREF: memcpy+24
8120079C lbzx %r9, %r4, %r5
812007A0 mr %r0, %r5
812007A4 cmpwi %r0, 0
812007A8 stbx %r9, %r3, %r5
812007AC addi %r5, %r5, -1
812007B0 bgt loc_8120079C
812007B4 blr
812007B4 # End of function memcpy
812007B8 # =============== S U B R O U T I N E =======================================
812007B8 nullsub_1: # DATA XREF: apploader_close
812007B8 # apploader_close+4
812007B8 blr
812007B8 # End of function nullsub_1
812007BC # =============== S U B R O U T I N E =======================================
812007BC sub_812007BC:
812007BC cmplwi %r4, 0
812007C0 blelr
812007C4 clrlwi. %r5, %r3, 27
812007C8 beq loc_812007D0
812007CC addi %r4, %r4, 0x20
812007D0 loc_812007D0: # CODE XREF: sub_812007BC+C
812007D0 addi %r4, %r4, 0x1F
812007D4 srwi %r4, %r4, 5
812007D8 mtctr %r4
812007DC loc_812007DC: # CODE XREF: sub_812007BC+28
812007DC dcbi %r0, %r3
812007E0 addi %r3, %r3, 0x20
812007E4 bdnz loc_812007DC
812007E8 blr
812007E8 # End of function sub_812007BC
812007EC # =============== S U B R O U T I N E =======================================
812007EC flush_cache: # CODE XREF: apploader_main+120
812007EC cmplwi %r4, 0
812007F0 blelr
812007F4 clrlwi. %r5, %r3, 27
812007F8 beq loc_81200800
812007FC addi %r4, %r4, 0x20
81200800 loc_81200800: # CODE XREF: flush_cache+C
81200800 addi %r4, %r4, 0x1F
81200804 srwi %r4, %r4, 5
81200808 mtctr %r4
8120080C loc_8120080C: # CODE XREF: flush_cache+28
8120080C dcbf %r0, %r3
81200810 addi %r3, %r3, 0x20
81200814 bdnz loc_8120080C
81200818 blr
81200818 # End of function flush_cache
8120081C # =============== S U B R O U T I N E =======================================
8120081C sub_8120081C:
8120081C cmplwi %r4, 0
81200820 blelr
81200824 clrlwi. %r5, %r3, 27
81200828 beq loc_81200830
8120082C addi %r4, %r4, 0x20
81200830 loc_81200830: # CODE XREF: sub_8120081C+C
81200830 addi %r4, %r4, 0x1F
81200834 srwi %r4, %r4, 5
81200838 mtctr %r4
8120083C loc_8120083C: # CODE XREF: sub_8120081C+28
8120083C icbi %r0, %r3
81200840 addi %r3, %r3, 0x20
81200844 bdnz loc_8120083C
81200848 sync
8120084C isync
81200850 blr
81200850 # End of function sub_8120081C
81200854 # =============== S U B R O U T I N E =======================================
81200854 sub_81200854:
81200854 cmplwi %r4, 0
81200858 blelr
8120085C clrlwi. %r5, %r3, 27
81200860 beq loc_81200868
81200864 addi %r4, %r4, 0x20
81200868 loc_81200868: # CODE XREF: sub_81200854+C
81200868 addi %r4, %r4, 0x1F
8120086C srwi %r4, %r4, 5
81200870 mtctr %r4
81200874 loc_81200874: # CODE XREF: sub_81200854+28
81200874 dcbst %r0, %r3
81200878 addi %r3, %r3, 0x20
8120087C bdnz loc_81200874
81200880 sc
81200884 blr
81200884 # End of function sub_81200854
81200888 # =============== S U B R O U T I N E =======================================
81200888 sub_81200888:
81200888 mfmsr %r3
8120088C rlwinm %r4, %r3, 0,17,15
81200890 mtmsr %r4
81200894 extrwi %r3, %r3, 1,16
81200898 blr
81200898 # End of function sub_81200888
8120089C # =============== S U B R O U T I N E =======================================
8120089C sub_8120089C:
8120089C cmpwi %r3, 0
812008A0 mfmsr %r4
812008A4 beq loc_812008B0
812008A8 ori %r5, %r4, -0x8000
812008AC b loc_812008B4
812008B0 # ---------------------------------------------------------------------------
812008B0 loc_812008B0: # CODE XREF: sub_8120089C+8
812008B0 rlwinm %r5, %r4, 0,17,15
812008B4 loc_812008B4: # CODE XREF: sub_8120089C+10
812008B4 mtmsr %r5
812008B8 extrwi %r4, %r4, 1,16
812008BC blr
812008BC # End of function sub_8120089C
812008BC # ---------------------------------------------------------------------------
812008C0 a_Reportfunctionwas08xnowis08x:.string "Report function was %08x, now is %08x\n"
812008C0 # DATA XREF: apploader_init+28
812008C0 # apploader_init+30
812008C0 .byte 0
812008E7 .align 2
812008E8 a_Searchingforregionpatches:.string "Searching for region patches\n"
812008E8 # DATA XREF: do_region_patching+C0
812008E8 # do_region_patching+C4
812008E8 .byte 0
81200906 .align 2
81200908 a_foundpatchat08x:.string "found patch at %08x\n" # DATA XREF: do_region_patching+124
81200908 # do_region_patching+178
81200908 .byte 0
8120091D .align 2
81200920 a_doneextraWiipatch:.string "done extra Wii patch\n" # DATA XREF: do_region_patching+130
81200920 # do_region_patching+1A4
81200920 .byte 0
81200936 .align 2
81200938 a_foundupdatecheckat08x:.string "found update check at %08x\n"
81200938 # DATA XREF: do_region_patching+204
81200938 # do_region_patching+260
81200938 .byte 0
81200954 a_foundupdateflagat08x:.string "found update flag at %08x\n"
81200954 # DATA XREF: do_region_patching+90
81200954 # do_region_patching+98
81200954 .byte 0
8120096F .align 2
81200970 a_foundrunnerat08x:.string "found runner at %08x\n" # DATA XREF: do_region_patching+2E4
81200970 # do_region_patching+328
81200970 .byte 0
81200986 .align 2
81200988 a_foundrealrunnerat08x:.string "found real runner at %08x\n"
81200988 # DATA XREF: do_region_patching+344
81200988 # do_region_patching+374

81202000 fake_params: apploader_params <0x817FC8C0, 0x40, 0x440>
81202000 # DATA XREF: apploader_main+14
81202000 # apploader_main+1C
81202000 apploader_params <0x817FFF80, 0x40, 0x2000>
81202000 apploader_params <0x817FC8C0, 0x40, 0x440>
8120206C # =============== S U B R O U T I N E =======================================
8120206C # Attributes: thunk
8120206C game_patch_code: # DATA XREF: start+3C
8120206C b sub_812020F8
8120206C # End of function game_patch_code
81202070 # =============== S U B R O U T I N E =======================================
81202070 sub_81202070:
81202070 mflr %r31
81202074 bl set_TV_mode
81202078 mtlr %r31
8120207C li %r0, 0
81202080 li %r3, 0
81202084 li %r4, 0
81202088 li %r5, 0
8120208C li %r6, 0
81202090 li %r7, 0
81202094 li %r8, 0
81202098 li %r9, 0
8120209C li %r10, 0
812020A0 li %r11, 0
812020A4 li %r12, 0
812020A8 li %r13, 0
812020AC li %r14, 0
812020B0 li %r15, 0
812020B4 li %r16, 0
812020B8 li %r17, 0
812020BC li %r18, 0
812020C0 li %r19, 0
812020C4 li %r20, 0
812020C8 li %r21, 0
812020CC li %r22, 0
812020D0 li %r23, 0
812020D4 li %r24, 0
812020D8 li %r25, 0
812020DC li %r26, 0
812020E0 li %r27, 0
812020E4 li %r28, 0
812020E8 li %r29, 0
812020EC li %r30, 0
812020F0 li %r31, 0
812020F4 blr
812020F4 # End of function sub_81202070
812020F8 # =============== S U B R O U T I N E =======================================
812020F8 sub_812020F8: # CODE XREF: game_patch_code
812020F8 .set var_C, -0xC
812020F8 .set var_8, -8
812020F8 .set var_4, -4
812020F8 .set arg_4, 4
812020F8 stwu %sp, -0x18(%sp)
812020FC mflr %r0
81202100 stw %r29, 0x18+var_C(%sp)
81202104 stw %r30, 0x18+var_8(%sp)
81202108 stw %r31, 0x18+var_4(%sp)
8120210C stw %r0, 0x18+arg_4(%sp)
81202110 lis %r11, jump_stub_loc@h
81202114 ori %r11, %r11, jump_stub_loc@l
81202118 lwz %r9, ((dword_80001804-0x1800)@l)(%r11)
8120211C lis %r0, 'DI'
81202120 ori %r0, %r0, 0x5002 # 0x44495002
81202124 cmpw %r9, %r0
81202128 mr %r31, %r3
8120212C mr %r29, %r4
81202130 bne loc_81202164
81202134 lis %r3, dword_800019A4@h
81202138 lwz %r30, ((jump_stub_loc-0x1800)@l)(%r11)
8120213C addi %r3, %r3, dword_800019A4@l
81202140 mr %r4, %r31
81202144 bl strcmp
81202148 cmpwi %r3, 0
8120214C bne loc_81202164
81202150 mr %r3, %r31
81202154 mtlr %r30
81202158 mr %r4, %r29
8120215C blrl
81202160 b loc_81202168
81202164 # ---------------------------------------------------------------------------
81202164 loc_81202164: # CODE XREF: sub_812020F8+38
81202164 # sub_812020F8+54
81202164 li %r3, -1
81202168 loc_81202168: # CODE XREF: sub_812020F8+68
81202168 lwz %r0, 0x18+arg_4(%sp)
8120216C mtlr %r0
81202170 lwz %r29, 0x18+var_C(%sp)
81202174 lwz %r30, 0x18+var_8(%sp)
81202178 lwz %r31, 0x18+var_4(%sp)
8120217C addi %sp, %sp, 0x18
81202180 blr
81202180 # End of function sub_812020F8
81202184 # =============== S U B R O U T I N E =======================================
81202184 set_TV_mode: # CODE XREF: sub_81202070+4
81202184 lis %r9, game_region_byte@h
81202188 lbz %r0, game_region_byte@l(%r9)
8120218C cmpwi %r0, 'P'
81202190 bne loc_812021A4
81202194 ori %r9, %r9, TV_mode@l
81202198 li %r0, 1
8120219C stw %r0, ((TV_mode-0xCC)@l)(%r9)
812021A0 blr
812021A4 # ---------------------------------------------------------------------------
812021A4 loc_812021A4: # CODE XREF: set_TV_mode+C
812021A4 cmpwi %r0, 'J'
812021A8 bne loc_812021C0
812021AC loc_812021AC: # CODE XREF: set_TV_mode+44
812021AC lis %r9, TV_mode@h
812021B0 ori %r9, %r9, TV_mode@l
812021B4 li %r0, 0
812021B8 stw %r0, ((TV_mode-0xCC)@l)(%r9)
812021BC blr
812021C0 # ---------------------------------------------------------------------------
812021C0 loc_812021C0: # CODE XREF: set_TV_mode+24
812021C0 cmpwi %r0, 'E'
812021C4 bnelr
812021C8 b loc_812021AC
812021C8 # End of function set_TV_mode
812021CC # =============== S U B R O U T I N E =======================================
812021CC strcmp: # CODE XREF: sub_812020F8+4C
812021CC b loc_812021EC
812021D0 # ---------------------------------------------------------------------------
812021D0 loc_812021D0: # CODE XREF: strcmp+28
812021D0 lbz %r0, 0(%r4)
812021D4 addi %r4, %r4, 1
812021D8 cmpw %r9, %r0
812021DC addi %r3, %r3, 1
812021E0 beq loc_812021EC
812021E4 li %r3, -1
812021E8 blr
812021EC # ---------------------------------------------------------------------------
812021EC loc_812021EC: # CODE XREF: strcmp
812021EC lbz %r9, 0(%r3)
812021F0 cmpwi %r9, 0
812021F4 bne loc_812021D0
812021F8 li %r3, 0
812021FC blr
812021FC # End of function strcmp
812021FC # ---------------------------------------------------------------------------
81202200 a__sysIOS: .string "/_sys/IOS"
8120220C phase: .long 0 # DATA XREF: apploader_main+C
81202210 report_func_ptr:.long 0 # DATA XREF: apploader_init+14

Edited 2 time(s). Last edit at 09/12/2008 05:40AM by bushing.
Re: In Memory patching of System Menu like Freeloader
September 13, 2008 01:59AM
Neat, but I'm more curious about how the actual exploit works. Also, "/_sys/IOS"? Is that a path on the disc?
Re: In Memory patching of System Menu like Freeloader
September 15, 2008 09:40PM
@bushing, thanks for the disassembly.

@HyperHacker
"/_sys/IOS", well it seems there is no direct reference to it. Now I see, with my current wii/gc system knowledge and ppc assembly I can only make little bits of the code clear; the rest is a mystery.

It seems that it doesn't modify the system menu, instead it pollutes the disk information that is stored in a cache?
So patching system menu through modified freeloader may not be an option that I should consider.

I tested another thing: I modified the open source apploader and burned it... just changed the exit routine as below, knowing that it won't work since the entry point of the dol is probably not the actual memory address. Anyway, the code executed and the warning menu froze.

My question is, at that point what are the limitations for the apploader? Can it make ios calls? Can it access nand of the wii? Can it access the memory used by the System Menu?

uint32_t return_entry_point(void) {
return bl_control.entry_point;
}

/*
*
*/
static void *al_exit(void)
{
printf("al_exit() = %p\n",bl_control.entry_point);
void (*ep)() = (void(*)())return_entry_point();
ep();
return bl_control.entry_point;
}
Re: In Memory patching of System Menu like Freeloader
September 17, 2008 05:16AM
Code executed? You mean instead of the health warning it ran your code? Or it just froze at the warning screen?
Re: In Memory patching of System Menu like Freeloader
September 17, 2008 09:18AM
Well, of course it executed my code, and since it didn't make any sense it froze.

Yesterday I investigated whether I can put code there that links to libogc (to delete the offending title)... yet I don't think it's doable; there is a lot of code that would have to be linked, which amounts to probably at least 100K-150K of binary code, and the standard libraries clash with the apploader's ones (it compiles with the option -ffreestanding).
Re: In Memory patching of System Menu like Freeloader
September 19, 2008 07:07AM
I suggest you go take a peek at YAGCD: [hitmen.c02.at]

Everything it says there about the GameCube still applies to the Wii, except replace "bootrom" with "System Menu".

The apploader is a piece of code that the system menu loads. It then calls that code to figure out how to load the DOL from the disc. Once that's done, the apploader exits, leaving the DOL in memory and returning control to the system menu. The system menu then jumps to the DOL.

The Freeloader disc doesn't even have a main DOL; instead of loading a DOL into memory, the Freeloader apploader patches the System Menu (in-memory), ejects the disc, and then jumps back into the (modified) menu.

You'll just have to experiment as to what you can actually do inside the Apploader, since it's not "supposed" to do anything other than help the menu load a DOL from disc.

Edited 1 time(s). Last edit at 09/19/2008 07:11AM by bushing.
Re: In Memory patching of System Menu like Freeloader
September 19, 2008 07:28AM
These are my two patches to remove the save game 'no copy flag' from the system menu, which allows you to copy save games to your SD card from games where it is not permitted. The search bytes are the same on all versions, so they are easy to locate and patch.

Patch 1.
-------

// search bytes
static const u32 nopcopyflag1[3] = {
	0x540007FF, 0x4182001C, 0x80630068
};


813BCD10 54 00 07 FF                 clrlwi. %r0, %r0, 31    # edit this line for no copy patch i.e 0x7C000000
813BCD14 41 82 00 1C                 beq     loc_813BCD30    # No copy Patch one check here
813BCD18 80 63 00 68                 lwz     %r3, 0x68(%r3)  
813BCD1C 38 80 00 F0                 li      %r4, 0xF0       
813BCD20 48 00 2D 69                 bl      anmSelectFadeout__Q33ipl5scene12SavedataEditFUl
813BCD24 38 00 00 0F                 li      %r0, 0xF        
813BCD28 90 1F 00 54                 stw     %r0, 0x54(%r31) 
813BCD2C 48 00 01 5C                 b       loc_813BCE88    


Patch 2.
-------

// search bytes
static const u32 nopcopyflag2[3] = {
	0x540007FF, 0x41820024, 0x387E12E2
};



8134A9F0 loc_8134A9F0:                           # CODE XREF: ipl::NandSDWorker::do_copy_nand_save_to_sd((void))+F0j
8134A9F0 80 01 00 14                 lwz     %r0, 0x130+var_11C(%sp) 
8134A9F4 90 1D 00 08                 stw     %r0, 8(%r29)    
8134A9F8 80 1D 00 24                 lwz     %r0, 0x24(%r29) 
8134A9FC 54 00 07 FF                 clrlwi. %r0, %r0, 31    # edit this line for no copy patch i.e 0x7C000000
8134AA00 41 82 00 24                 beq     loc_8134AA24    # No copy Patch two check here
8134AA04 38 7E 12 E2                 addi    %r3, %r30, 0x12E2 #
8134AA08 4C C6 31 82                 crclr   4*cr1+eq        
8134AA0C 48 1B AE E1                 bl      OSReport        
8134AA10 80 78 00 00                 lwz     %r3, 0(%r24)    
8134AA14 38 00 FF F3                 li      %r0, -0xD      
8134AA18 3C 63 00 04                 addis   %r3, %r3, 4     
8134AA1C 90 03 A5 24                 stw     %r0, -0x5ADC(%r3) 
8134AA20 48 00 06 20                 b       loc_8134B040
Re: In Memory patching of System Menu like Freeloader
September 20, 2008 07:52AM
So the apploader runs as soon as the disc is inserted? Interesting. I guess the Freeloader disc is simply fakesigned then? I thought they were using some sort of exploit that simply nobody else was interested in because we didn't need it. :-/
Re: In Memory patching of System Menu like Freeloader
September 20, 2008 09:14PM
Quote
bushing
I suggest you go take a peek at YAGCD: [hitmen.c02.at]

Everything it says there about the GameCube still applies to the Wii, except replace "bootrom" with "System Menu".

The apploader is a piece of code that the system menu loads. It then calls that code to figure out how to load the DOL from the disc. Once that's done, the apploader exits, leaving the DOL in memory and returning control to the system menu. The system menu then jumps to the DOL.

The Freeloader disc doesn't even have a main DOL; instead of loading a DOL into memory, the Freeloader apploader patches the System Menu (in-memory), ejects the disc, and then jumps back into the (modified) menu.

You'll just have to experiment as to what you can actually do inside the Apploader, since it's not "supposed" to do anything other than help the menu load a DOL from disc.

Well I patched this part of the freeloader code, thinking it is merely a debug output code
8120025C         lis     %r3, a_foundupdateflagat08x@h # "found update flag at %08x\n"
81200260         mtlr    %r0
81200264         addi    %r3, %r3, a_foundupdateflagat08x@l # "found update flag at %08x\n"
81200268         addi    %r26, %r26, 1
8120026C         crclr   4*cr1+eq
81200270         blrl

with this code,

3C 60 81 37 - lis %r3, 0x81374CC8@h
38 63 4C C8 - addi %r3, %r3, 0x81374CC8@l
3C 80 4B FF - lis  %r4, 0x4BFFEA99@h
38 84 EA 99 - addi %r4, %r4, 0x4BFFEA99@l
90 83 00 00 - stw  %r4, (%r3)
3B 5A 00 01 - addi    %r26, %r26, 1


my system menu disassembly looks like (ntsc 3.2)

seg006:81374CC0 loc_81374CC0:                           # CODE XREF: main+FCCj
seg006:81374CC0                 bl      BS2BootIRD
seg006:81374CC4                 b       loc_81374CCC
seg006:81374CC8 # ---------------------------------------------------------------------------
seg006:81374CC8
seg006:81374CC8 loc_81374CC8:                           # CODE XREF: main+FD8j
seg006:81374CC8                                         # main+FE8j
seg006:81374CC8                 bl      BS2Entry
seg006:81374CCC


and Nuke's disassembly looks like (either pal or 3.3 or both)
81374BEC 4B FF EA 99          bl      BS2BootIRD      # Branch
81374BF0 48 00 00 08          b       loc_81374BF8    # Branch
81374BF4             # ---------------------------------------------------------------------------
81374BF4
81374BF4             loc_81374BF4:                           # CODE XREF: main+FD8j
81374BF4                                                     # main+FE8j
81374BF4 4B FF E9 55          bl      BS2Entry        # Branch

After a bit of tweaking of the registers used in the code, I was finally able to get it to run, but it had no effect. With my current ppc assembly knowledge I guess I can't put together a patch that searches for known code and replaces it, especially in the freeloader's apploader code. For now it's too much for me.

What I'm not sure about is: does my above code (assuming it's executed in the apploader's main loop) really modify the system menu, or am I missing something badly?

And about the open source apploader, I'll pursue my quest to do a similar thing in that too... Sadmenu patch may help me in that regard I guess. Probably I'll need just these two functions SYS_ResetSystem and DCFlushRange from ogc to compile with apploader source.
Re: In Memory patching of System Menu like Freeloader
September 21, 2008 07:42PM
Quote
HyperHacker
So the apploader runs as soon as the disc is inserted? Interesting. I guess the Freeloader disc is simply fakesigned then? I thought they were using some sort of exploit that simply nobody else was interested in because we didn't need it. :-/

yep. they are "just" abusing the strncmp bug. this is also the reason why freeloader isn't working anymore on the strncmp-fixed IOS30 (i.e. mainly consoles with system menu 3.3)
Re: In Memory patching of System Menu like Freeloader
September 22, 2008 03:52AM
Your asm is overwriting the 'move the link register' in that code, and later the code will branch to the link register. This is not safe code practice, as you don't know where the link register is pointing to when it makes the jump, since it will be holding the 'previous' set. Also you really should be keeping an eye on registers r3 and r4: if they're used, which it looks like they are, you are destroying what's in them.

Quote
WiiCrazy
Well I patched this part of the freeloader code, thinking it is merely a debug output code


8120025C         lis     %r3, a_foundupdateflagat08x@h # "found update flag at %08x\n"
81200260         mtlr    %r0
81200264         addi    %r3, %r3, a_foundupdateflagat08x@l # "found update flag at %08x\n"
81200268         addi    %r26, %r26, 1
8120026C         crclr   4*cr1+eq
81200270         blrl

with this code,

3C 60 81 37 - lis %r3, 0x81374CC8@h
38 63 4C C8 - addi %r3, %r3, 0x81374CC8@l
3C 80 4B FF - lis  %r4, 0x4BFFEA99@h
38 84 EA 99 - addi %r4, %r4, 0x4BFFEA99@l
90 83 00 00 - stw  %r4, (%r3)
3B 5A 00 01 - addi    %r26, %r26, 1


my system menu disassembly looks like (ntsc 3.2)

seg006:81374CC0 loc_81374CC0:                           # CODE XREF: main+FCCj
seg006:81374CC0                 bl      BS2BootIRD
seg006:81374CC4                 b       loc_81374CCC
seg006:81374CC8 # ---------------------------------------------------------------------------
seg006:81374CC8
seg006:81374CC8 loc_81374CC8:                           # CODE XREF: main+FD8j
seg006:81374CC8                                         # main+FE8j
seg006:81374CC8                 bl      BS2Entry
seg006:81374CCC


And about the open source apploader, I'll pursue my quest to do a similar thing in that too... Sadmenu patch may help me in that regard I guess. Probably I'll need just these two functions SYS_ResetSystem and DCFlushRange from ogc to compile with apploader source.
Re: In Memory patching of System Menu like Freeloader
September 22, 2008 07:36AM
Quote
Nuke
Your asm is overwriting the 'move the link register' in that code, and later the code will branch to the link register. This is not safe code practice, as you don't know where the link register is pointing to when it makes the jump, since it will be holding the 'previous' set. Also you really should be keeping an eye on registers r3 and r4: if they're used, which it looks like they are, you are destroying what's in them.

Well I noticed that later, but since it doesn't freeze and the krad effect continues... I assume it ran... Anyway I found a much larger place to change code in the above disassembly. It doesn't have a table of search values as I thought previously; instead it statically loads the expected consecutive memory values into different registers in the code, transfers these values to R0, does some bit shifting (optional) and compares with the memory value. If a consecutive match is found in memory, then this area is patched at a displacement.

I'm slowly making progress in ppc assembly, so it took me a while :)
Later I'll get my hands dirty on that search and replace patch code, if recovery mode patching still fails I'll try patching the title related subroutines.
Re: In Memory patching of System Menu like Freeloader
September 24, 2008 12:13AM
Using Freeloader you can put update.elf on an SD card and it will boot this instead of using the internal patching.
You are in a good place to patch anything in the System Menu.
Once you have done your patches simply return (leave your app) and Freeloader will continue execution of the System Menu with only your patches.

The Freeloader apploader does nothing special, it simply loads a couple of sections off the DVD just to fool the Wii into thinking everything is as it should be. It still needs to be an apploader at the end of the day.

Just a quick note, there are two types of save protection, those you find on games like Elebits and the other from Guitar Hero. Elebits uses a flag in the banner and Guitar Hero has files in a NOCOPY directory.

A simple way to fix the NOCOPY is to simply search for the nocopy text from 0x81330000 to 0x81800000 and change it to something else. You will find 2 or 3 copies of the text so just change them all. You don't even need to change any code for that one.

For the other you need to find the code that checks the flag in the banner but I will leave that one to you. Just a hint, it only checks the flags when first displaying the icons, it doesn't do it again.

Good luck
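As an added example (not Freeloader's, Nuke's or the apploader's own code): the "search bytes" approach that Nuke's patches use, that WiiCrazy describes Freeloader's region patching doing, and that portems suggests for the text copies, written as a C helper that scans a byte image for a big-endian instruction sequence and patches only when the match is unique. Memory is a constructed array here, offsets stand in for addresses, and the pattern and replacement word are the ones Nuke posted above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Big-endian word store/load: the Wii's PowerPC keeps instructions this way. */
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Find every occurrence of pat in mem, trying offsets that are multiples of
 * stride (4 for instruction words, 1 for text); stores up to max_hits offsets. */
size_t find_all(const uint8_t *mem, size_t len, const uint8_t *pat, size_t patlen,
                size_t stride, size_t *hits, size_t max_hits) {
    size_t n = 0;
    if (patlen == 0 || patlen > len || stride == 0) return 0;
    for (size_t off = 0; off + patlen <= len; off += stride)
        if (memcmp(mem + off, pat, patlen) == 0) { if (n < max_hits) hits[n] = off; n++; }
    return n;
}

/* Replace the first word of an instruction sequence only if it occurs exactly
 * once: zero or several hits mean the signature does not fit this build. */
long patch_unique_insn(uint8_t *mem, size_t len, const uint32_t *words,
                       size_t nwords, uint32_t replacement) {
    uint8_t pat[16];
    size_t hit;
    if (nwords == 0 || nwords * 4 > sizeof pat) return -1;
    for (size_t i = 0; i < nwords; i++) put_be32(pat + 4 * i, words[i]);
    if (find_all(mem, len, pat, nwords * 4, 4, &hit, 1) != 1) return -1;
    put_be32(mem + hit, replacement);
    return (long)hit;
}
/* Nuke's first search pattern (clrlwi. / beq / lwz) and his replacement word. */
static const uint32_t nopcopyflag1[3] = { 0x540007FF, 0x4182001C, 0x80630068 };
static const uint32_t nopcopy_fix = 0x7C000000;

/* Constructed 64-byte image: nop filler (0x60000000) with the pattern at
 * offset 0x20 and, when dup is set, a second copy at 0x30. */
static void build_image(uint8_t img[64], int dup) {
    for (size_t i = 0; i < 64; i += 4) put_be32(img + i, 0x60000000);
    for (size_t i = 0; i < 3; i++) {
        put_be32(img + 0x20 + 4 * i, nopcopyflag1[i]);
        if (dup) put_be32(img + 0x30 + 4 * i, nopcopyflag1[i]);
    }
}

/* Unique match: returns 0x20, or -2 if the word there was not rewritten. */
long demo_unique(void) {
    uint8_t img[64];
    build_image(img, 0);
    long off = patch_unique_insn(img, sizeof img, nopcopyflag1, 3, nopcopy_fix);
    return get_be32(img + 0x20) == nopcopy_fix ? off : -2;
}

/* Two copies: the helper refuses (-1) instead of guessing which one to patch. */
long demo_ambiguous(void) {
    uint8_t img[64];
    build_image(img, 1);
    return patch_unique_insn(img, sizeof img, nopcopyflag1, 3, nopcopy_fix);
}
```

For the NOCOPY text case portems describes, the same find_all with stride 1 returns every copy, so the caller can rewrite all of them rather than insisting on one.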
Re: In Memory patching of System Menu like Freeloader
September 24, 2008 07:12PM
Quote
portems
Using Freeloader you can put update.elf on an SD card and it will boot this instead of using the internal patching.
You are in a good place to patch anything in the System Menu.
Once you have done your patches simply return (leave your app) and Freeloader will continue execution of the System Menu with only your patches.

The Freeloader apploader does nothing special, it simply loads a couple of sections off the DVD just to fool the Wii into thinking everything is as it should be. It still needs to be an apploader at the end of the day.

Well the disassembly is above and I can't see any elf loading from sd card. Are we talking about the same freeloader? Or did you mix it up with either Ocarina/Gecko Os or both?
Re: In Memory patching of System Menu like Freeloader
September 24, 2008 10:51PM
Quote
portems
Using Freeloader you can put update.elf on an SD card and it will boot this instead of using the internal patching.
You are in a good place to patch anything in the System Menu.
Once you have done your patches simply return (leave your app) and Freeloader will continue execution of the System Menu with only your patches.

I've seen this claim made on [botch.front.ru], but there is no code to do this present in the copy of Freeloader that I disassembled. Have you personally tested this? Were there multiple pressings of Freeloader for each region?
Re: In Memory patching of System Menu like Freeloader
September 26, 2008 07:15AM
you can contact tik tok and botch at codejunkies.com heh

I tried the above method, but my freeloader was an originally released version; I would like a splash screen version or a newer version, as mentioned on tik tok and botch's site.


Wiicrazy,

savemii.net is now open, it could be worth checking that out.

Edited 1 time(s). Last edit at 09/26/2008 07:23AM by Nuke.