In Memory patching of System Menu like Freeloader

Posted by WiiCrazy 
Re: In Memory patching of System Menu like Freeloader
September 26, 2008 08:32AM
Quote
Nuke
you can contact Tik Tok and Botch at codejunkies.com heh

I tried the above method, but my Freeloader was the original release version; I would like a splash-screen version or a newer version, as mentioned on Tik Tok and Botch's site.


Wiicrazy,

savemii.net is now open, it could be worth checking that out.

Well I already gave my order ;)

Though Freeloader can solve my problem, the recovery dongle will be the easiest option at the moment. I'll still continue with Freeloader patching, since it can lead to something more interesting. Hopefully it will be easier with a non-bricked Wii too.
Re: In Memory patching of System Menu like Freeloader
September 27, 2008 08:17PM
There have been three versions of Freeloader: the original, which contained debug output (this took a lot of the guesswork out of what was going on); the second, which had an SD loader; and the final one, which also has a splash screen instead of the swipe effect.
I guess the only version that's been spread on the net is the original.
Re: In Memory patching of System Menu like Freeloader
September 27, 2008 08:46PM
Quote
portems
There have been three versions of Freeloader: the original, which contained debug output (this took a lot of the guesswork out of what was going on); the second, which had an SD loader; and the final one, which also has a splash screen instead of the swipe effect.
I guess the only version that's been spread on the net is the original.

What about the update.elf? Can it be a full-fledged OGC application, or a silent one like the apploader that deals only with low-level stuff?
I have already tailored a small title uninstaller with a default set title and no visual input/output. Would that run?
Re: In Memory patching of System Menu like Freeloader
September 28, 2008 12:51AM
Your guess is as good as mine.
I have tried it with some homebrew and it seems to work fine.
Re: In Memory patching of System Menu like Freeloader
September 28, 2008 10:53PM
Quote
portems
There have been three versions of Freeloader: the original, which contained debug output (this took a lot of the guesswork out of what was going on); the second, which had an SD loader; and the final one, which also has a splash screen instead of the swipe effect.
I guess the only version that's been spread on the net is the original.

Anyone know where I might be able to buy a copy?
Re: In Memory patching of System Menu like Freeloader
October 07, 2008 08:46PM
In the above disassembly I changed the do_region_patching branch in apploader_main to my custom routine, as below... I placed my custom routine in the big all-zero area after the debug output strings, where I'm thinking it's safe.

I don't know why it crashes on return from do_region_patching... I can see the swipe effect, and as soon as it ends the Wii freezes. Could you spot where the problem might be, and is there any other flaw in the general approach you can see? I borrowed the push and pop sections from the do_region_patching subroutine and just replaced the registers used in the compiled C code. I created the branch instructions manually by fiddling with the machine code. (Yeah, I suck at PPC assembly :) )

ROM:812006F0                 bl      sub_812007EC #flush_cache
ROM:812006F4                 bl      sub_812009F4 #Custom Patch Routine, was do_region_patching


ROM:812009F4 # =============== S U B R O U T I N E =======================================
ROM:812009F4
ROM:812009F4 #Custom Patch Routine
ROM:812009F4 sub_812009F4:                           # CODE XREF: ROM:812006F4p
ROM:812009F4                                         # ROM:81200B04p
ROM:812009F4
ROM:812009F4 .set var_30, -0x30
ROM:812009F4 .set var_2C, -0x2C
ROM:812009F4 .set var_28, -0x28
ROM:812009F4 .set var_24, -0x24
ROM:812009F4 .set var_20, -0x20
ROM:812009F4 .set var_1C, -0x1C
ROM:812009F4 .set var_18, -0x18
ROM:812009F4 .set var_14, -0x14
ROM:812009F4 .set var_10, -0x10
ROM:812009F4 .set var_C, -0xC
ROM:812009F4 .set var_8, -8
ROM:812009F4 .set var_4, -4
ROM:812009F4 .set arg_4,  4
ROM:812009F4
ROM:812009F4                 bl      sub_812001CC #do_region_patching
ROM:812009F8                 stwu    %sp, -0x38(%sp)
ROM:812009FC                 mflr    %r0
ROM:81200A00                 stw     %r20, 0x38+var_30(%sp)
ROM:81200A04                 stw     %r21, 0x38+var_2C(%sp)
ROM:81200A08                 stw     %r22, 0x38+var_28(%sp)
ROM:81200A0C                 stw     %r23, 0x38+var_24(%sp)
ROM:81200A10                 stw     %r11, 0x38+var_20(%sp)
ROM:81200A14                 stw     %r5, 0x38+var_1C(%sp)
ROM:81200A18                 stw     %r6, 0x38+var_18(%sp)
ROM:81200A1C                 stw     %r7, 0x38+var_14(%sp)
ROM:81200A20                 stw     %r8, 0x38+var_10(%sp)
ROM:81200A24                 stw     %r9, 0x38+var_C(%sp)
ROM:81200A28                 stw     %r10, 0x38+var_8(%sp)
ROM:81200A2C                 stw     %r31, 0x38+var_4(%sp)
ROM:81200A30                 stw     %r0, 0x38+arg_4(%sp)
ROM:81200A34                 lis     %r0, 0x44
ROM:81200A38                 lis     %r11, -0x7ECD # 0x81330004
ROM:81200A3C                 lis     %r10, -0x7ECD # 0x81330008
ROM:81200A40                 lis     %r7, 0x4BFF # 0x4BFFEA99
ROM:81200A44                 lis     %r6, 0x4800 # 0x48000008
ROM:81200A48                 lis     %r5, 0x4BFF # 0x4BFFE955
ROM:81200A4C                 mtctr   %r0
ROM:81200A50                 ori     %r11, %r11, 4 # 0x81330004
ROM:81200A54                 ori     %r10, %r10, 8 # 0x81330008
ROM:81200A58                 ori     %r7, %r7, -0x1567 # 0x4BFFEA99
ROM:81200A5C                 ori     %r6, %r6, 8 # 0x48000008
ROM:81200A60                 ori     %r5, %r5, -0x16AB # 0x4BFFE955
ROM:81200A64                 lis     %r9, -0x7ECD # 0x81330004
ROM:81200A68                 b       loc_81200A78
ROM:81200A6C # ---------------------------------------------------------------------------
ROM:81200A6C
ROM:81200A6C loc_81200A6C:                           # CODE XREF: sub_812009F4+90j
ROM:81200A6C                                         # sub_812009F4+9Cj ...
ROM:81200A6C                 addi    %r11, %r11, 4
ROM:81200A70                 addi    %r10, %r10, 4
ROM:81200A74                 bdz     loc_81200AF0
ROM:81200A78
ROM:81200A78 loc_81200A78:                           # CODE XREF: sub_812009F4+74j
ROM:81200A78                 lwz     %r0, 0(%r9)
ROM:81200A7C                 addi    %r9, %r9, 4 # 0x81330004
ROM:81200A80                 cmpw    cr7, %r0, %r7
ROM:81200A84                 bne     cr7, loc_81200A6C
ROM:81200A88                 lwz     %r0, 0(%r11)
ROM:81200A8C                 cmpw    cr7, %r0, %r6
ROM:81200A90                 bne     cr7, loc_81200A6C
ROM:81200A94                 lwz     %r0, 0(%r10)
ROM:81200A98                 mr      %r8, %r10
ROM:81200A9C                 cmpw    cr7, %r0, %r5
ROM:81200AA0                 bne     cr7, loc_81200A6C
ROM:81200AA4
ROM:81200AA4 loc_81200AA4:                           # CODE XREF: sub_812009F4+100j
ROM:81200AA4                 lis     %r0, 0x4BFF # 0x4BFFEA99
ROM:81200AA8                 ori     %r0, %r0, -0x1567 # 0x4BFFEA99
ROM:81200AAC                 stw     %r0, 0(%r8)
ROM:81200AB0                 lwz     %r0, 0x38+arg_4(%sp)
ROM:81200AB4                 mtlr    %r0
ROM:81200AB8                 lwz     %r20, 0x38+var_30(%sp)
ROM:81200ABC                 lwz     %r21, 0x38+var_2C(%sp)
ROM:81200AC0                 lwz     %r22, 0x38+var_28(%sp)
ROM:81200AC4                 lwz     %r23, 0x38+var_24(%sp)
ROM:81200AC8                 lwz     %r11, 0x38+var_20(%sp)
ROM:81200ACC                 lwz     %r5, 0x38+var_1C(%sp)
ROM:81200AD0                 lwz     %r6, 0x38+var_18(%sp)
ROM:81200AD4                 lwz     %r7, 0x38+var_14(%sp)
ROM:81200AD8                 lwz     %r8, 0x38+var_10(%sp)
ROM:81200ADC                 lwz     %r9, 0x38+var_C(%sp)
ROM:81200AE0                 lwz     %r10, 0x38+var_8(%sp)
ROM:81200AE4                 lwz     %r31, 0x38+var_4(%sp)
ROM:81200AE8                 addi    %sp, %sp, 0x38
ROM:81200AEC                 blr
ROM:81200AF0 # ---------------------------------------------------------------------------
ROM:81200AF0
ROM:81200AF0 loc_81200AF0:                           # CODE XREF: sub_812009F4+80j
ROM:81200AF0                 li      %r8, 8
ROM:81200AF4                 b       loc_81200AA4
ROM:81200AF4 # End of function sub_812009F4
ROM:81200AF4
ROM:81200AF8 # ---------------------------------------------------------------------------
ROM:81200AF8                 mflr    %r0
ROM:81200AFC                 stwu    %sp, -8(%sp)
ROM:81200B00                 stw     %r0, 0xC(%sp)
ROM:81200B04                 bl      sub_812009F4
ROM:81200B08                 bl      sub_81200B20
ROM:81200B0C                 lwz     %r0, 0xC(%sp)
ROM:81200B10                 li      %r3, 0
ROM:81200B14                 addi    %sp, %sp, 8
ROM:81200B18                 mtlr    %r0
ROM:81200B1C                 blr
ROM:81200B20
ROM:81200B20 # =============== S U B R O U T I N E =======================================


In the code below, a, b and c are the search pattern for the "bl BS2Entry" section in the system menu.
0x4BFFEA99 is the replacement for it ("bl BS2BootIRD").
#include <gctypes.h>   /* libogc typedefs: u32 */

void patch() 
{
	/* Hand-written prologue copied from do_region_patching: call it first
	 * ("bl 0x0100" is the placeholder that was re-targeted to sub_812001CC in
	 * the disassembly), then save the registers the search below clobbers.
	 * Basic asm is handed to gas verbatim, so %sp and %r0 are register names
	 * here, not GCC operand escapes. */
	__asm__("bl 0x0100");
	__asm__("stwu %sp, -0x38(%sp)");
	__asm__("mflr 0");
	__asm__("stw 20, 0x38-0x30(%sp)");
	__asm__("stw 21, 0x38-0x2C(%sp)");
	__asm__("stw 22, 0x38-0x28(%sp)");
	__asm__("stw 23, 0x38-0x24(%sp)");
	__asm__("stw 11, 0x38-0x20(%sp)");
	__asm__("stw 5, 0x38-0x1C(%sp)");
	__asm__("stw 6, 0x38-0x18(%sp)");
	__asm__("stw 7, 0x38-0x14(%sp)");
	__asm__("stw 8, 0x38-0x10(%sp)");
	__asm__("stw 9, 0x38-0xC(%sp)");
	__asm__("stw 10, 0x38-0x8(%sp)");
	__asm__("stw 31, 0x38-0x4(%sp)");
	__asm__("stw 0, 0x38+4(%sp)");

	/* Search pattern: three consecutive words around "bl BS2Entry" in the system menu. */
	u32 a=0x4BFFEA99;   /* bl BS2BootIRD, as encoded at s   */
	u32 b=0x48000008;   /* b .+8                              */
	u32 c=0x4BFFE955;   /* bl BS2Entry, as encoded at s+2     */

	/* Replacement for c. A bl displacement is relative to the bl's own address,
	 * so "bl BS2BootIRD" stored 8 bytes after word a needs a displacement 8 smaller
	 * than a: 0x4BFFEA91. Storing 0x4BFFEA99 at s+2 would land 8 bytes inside
	 * BS2BootIRD instead (the later post in this thread uses 0x4BFFEA91). */
	u32 p=0x4BFFEA91;

	u32 * s=(u32 *)0x81330000;   /* start of the search window in MEM1 */
	u32 * e=(u32 *)0x81770000;   /* end of the search window (exclusive) */
	u32 * f=0;

	/* Step one word at a time; stop before s[2] would read past e. */
	for (; s + 2 < e; s++)
	{
		if (s[0]==a && s[1]==b && s[2]==c)
		{
			f=s;
			break;
		}
	}

	/* Only patch when the pattern was found: with f==0 the store would hit address 8. */
	if (f)
		*(f+2) = p;

	/* Matching epilogue: restore LR and the saved registers, then let the
	 * compiler's blr return to apploader_main. */
	__asm__("lwz 0, 0x38+4(%sp)");
	__asm__("mtlr %r0");
	__asm__("lwz 20, 0x38-0x30(%sp)");
	__asm__("lwz 21, 0x38-0x2C(%sp)");
	__asm__("lwz 22, 0x38-0x28(%sp)");
	__asm__("lwz 23, 0x38-0x24(%sp)");
	__asm__("lwz 11, 0x38-0x20(%sp)");
	__asm__("lwz 5, 0x38-0x1C(%sp)");
	__asm__("lwz 6, 0x38-0x18(%sp)");
	__asm__("lwz 7, 0x38-0x14(%sp)");
	__asm__("lwz 8, 0x38-0x10(%sp)");
	__asm__("lwz 9, 0x38-0xC(%sp)");
	__asm__("lwz 10, 0x38-0x8(%sp)");
	__asm__("lwz 31, 0x38-0x4(%sp)");
	__asm__("addi %sp, %sp, 0x38");

}
Re: In Memory patching of System Menu like Freeloader
October 17, 2008 11:45PM
So no one has any insight into all this?
Re: In Memory patching of System Menu like Freeloader
October 26, 2008 10:24AM
Successfully did a basic patch... (changed the "The System Files..." text to "Da System Files...")

Now I need a nifty patch to apply that breaks me out of the error condition...

By the way, unlike what was suggested before, Freeloader doesn't restart the system menu... if it had done that, then my basic recovery menu patch should have worked...



So basically what I need is either a system menu restart patch, which I'll combine with the recovery menu patch, or a more complex patch that reverts the error condition... The latter doesn't seem to be easily doable...

Here is my patch function. I compiled it and replaced the do_krad_effect function with it... apploader main is called by the IPL repeatedly, so to ensure the patch executes only once I used the memory address 0x80002000, which is unused by Freeloader.

#include <gctypes.h>   /* libogc typedefs: u32 */

void patch() 
{
	/* Sentinel word at 0x80002000 (unused by Freeloader): apploader_main runs
	 * more than once, so the patch is applied only on the first pass. */
	u32 * x = (u32 *)0x80002000;
	if (*x != 0x6666) 
	{
		/* Two UTF-16BE code units per store, into the "The System Files..." text. */
		u32 * ps1 = (u32 *)0x816114AE;
		u32 * ps2 = (u32 *)0x816114B2;

		*ps1 = 0x00440061;   /* 'D' 'a' */
		*ps2 = 0x00210020;   /* '!' ' ' */

		*x=0x6666;
	}
}



I guess I found the right place to patch (the end of the ipl::System::run((void)) routine).
I put the branch instruction to OSReturnToMenu there... it sent me to the back-menu display, yet it still puked the error... I'll test patching it with OSShutdownSystem...

Hell, it really shut the thing down :) I need to test OSRebootSystem now...



Edited 3 time(s). Last edit at 10/30/2008 12:55AM by WiiCrazy.
Re: In Memory patching of System Menu like Freeloader
November 11, 2008 02:15PM
Any update on your progress on this?

My Wii isn't bricked, but you never know when you might need something like this.

Also, I find what you're doing very interesting.
Re: In Memory patching of System Menu like Freeloader
November 12, 2008 12:57AM
Well, I bought a cheap Wii; the bricked one stays the same... Probably I won't be continuing with the apploader stuff, since I (possibly) burned the modchip (or something else) on the bricked Wii's drive...

Maybe I can continue with the WiiConnect stuff, since my bricked Wii gets an IP from my router and downloads new messages...

The last test I did was with the code below... It restarts the Wii to a green empty screen... I was about to put a hot reset before the hook, but then suddenly that savemiifrii stuff emerged... so I stopped my attempts...

#include 

void patch();

// Alternatives tried at the ipl::System::run branch (p = 0x81334BCC below):
//*p = 0x4804513D; //change to bl OSReturnToMenu (works.. displays back menu screen and to warning screen)
//*p = 0x48044E9D; //change to bl OSShutdownSystem (works.. shutdowns the wii)
//*p = 0x48044DD9; //change to bl OSRebootSystem (works... reboots)
//*p = 0x4803EB8D; //change to bl BS2BootIRD (doesn't work..)
//*p = 0x4BFFB435; //Branch to main (f..king freezes)
//*p = 0x48044FD5; //Branch to OSShutdownSystemForBS (works... shutdowns the wii)
//*p = 0x48044D39; // change to bl __OSLaunchMenu (really relaunches menu)

//Overwrite the do_krad_effect function with this
void patch() 
{
	// Sentinel at 0x80002000 (unused by Freeloader) so the patch is applied once,
	// even though apploader_main is called repeatedly.
	u32 * x = (u32 *)0x80002000;
	if (*x != 0x6666) 
	{
		u32 * p;

		p = (u32 *)0x81374CC8;	// bl BS2Entry
		*p = 0x4BFFEA91; // change bl BS2Entry with bl BS2BootIRD

		p = (u32 *)0x81334BCC;  // unconditional branch at the end of ipl::System::run((void)) routine
		*p = 0x4BECB534; //patch it as branch to hook (hook() lives at 0x81200100)
		*x=0x6666;

	}
}

//Put it at address 0x81200100 in the apploader binary after compilation
//Never returns: rfi resumes at 0x3400 with MSR[IR] and MSR[DR] cleared (address translation off),
//so the compiler's prologue is harmless and no epilogue is ever reached.
void hook() 
{
	__asm__("isync");
	__asm__("lis     %r3, 0");
	__asm__("ori     %r3, %r3, 0x3400");   // r3 = 0x00003400
	__asm__("mtsrr0  %r3");                // SRR0: address rfi will resume at
	__asm__("mfmsr   %r3");
	__asm__("li      %r4, 0x30");          // MSR[IR] (0x20) | MSR[DR] (0x10)
	__asm__("andc    %r3, %r3, %r4");      // clear both translation bits
	__asm__("mtsrr1  %r3");                // SRR1: MSR value after rfi
	__asm__("rfi");
}


//---------------------------------------------------------------------------------
int main(int argc, char **argv) {
//---------------------------------------------------------------------------------
	patch();
	return 0;
}

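Every hand-built branch word in this thread is a PowerPC I-form branch: primary opcode 18, a 24-bit word displacement relative to the branch's own address, and the AA and LK bits. The encoder/decoder below is an added example (not code from the thread or from Freeloader) that checks the posted values: 0x4BECB534 at 0x81334BCC reaches the hook at 0x81200100, 0x4803EB8D at 0x81334BCC and 0x4BFFEA91 at 0x81374CC8 reach the same BS2BootIRD address, and a `bl` copied 8 bytes down the binary without re-encoding lands 8 bytes past its target. The address 0x81374CC0 for the "bl BS2BootIRD" pattern word is assumed from the later post's 0x81374CC8 for the following "bl BS2Entry".

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PPC_OPCD_B  18u          /* primary opcode shared by b, bl, ba, bla */
#define PPC_LI_MASK 0x03FFFFFCu  /* LI field: bits 6..29, word-aligned displacement */

/* Encode a relative branch stored at `pc` that reaches `target`.
 * Returns 0 when target is misaligned or outside the +/-32 MiB reach of LI. */
uint32_t ppc_encode_b(uint32_t pc, uint32_t target, bool link)
{
    int64_t disp = (int64_t)target - (int64_t)pc;
    if ((disp & 3) != 0 || disp < -(1LL << 25) || disp >= (1LL << 25))
        return 0;
    return (PPC_OPCD_B << 26) | ((uint32_t)disp & PPC_LI_MASK) | (link ? 1u : 0u);
}

/* Decode a relative b/bl stored at `pc`. Returns its target, or 0 if `insn`
 * is not a relative I-form branch (absolute AA=1 forms are rejected);
 * *link, when non-NULL, receives the LK bit. */
uint32_t ppc_branch_target(uint32_t pc, uint32_t insn, bool *link)
{
    if ((insn >> 26) != PPC_OPCD_B || (insn & 2u) != 0)
        return 0;
    int32_t li = (int32_t)(insn & PPC_LI_MASK);
    if (li & 0x02000000)           /* sign bit of the 26-bit displacement */
        li -= 0x04000000;
    if (link)
        *link = (insn & 1u) != 0;
    return pc + (uint32_t)li;      /* unsigned wrap handles backward branches */
}

/* Re-encode a branch found at `old_pc` so it still reaches the same target
 * when stored at `new_pc`; 0 if `insn` is not a relative branch. */
uint32_t ppc_relocate_b(uint32_t old_pc, uint32_t insn, uint32_t new_pc)
{
    bool link;
    uint32_t target = ppc_branch_target(old_pc, insn, &link);
    return target ? ppc_encode_b(new_pc, target, link) : 0;
}

int main(void)
{
    /* Hook branch from the last post: 0x4BECB534 stored at 0x81334BCC. */
    printf("b target: %08X\n", (unsigned)ppc_branch_target(0x81334BCC, 0x4BECB534, NULL));
    /* "bl BS2BootIRD" re-encoded 8 bytes later (its address 0x81374CC0 is assumed). */
    printf("bl moved +8: %08X\n", (unsigned)ppc_relocate_b(0x81374CC0, 0x4BFFEA99, 0x81374CC8));
    return 0;
}
```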