We're pretty sure that there are no JTAG testpoints available on the Wii's mainboard. Keep in mind that they don't want you to read out the NAND easily.
by svpe - Hardware
You're talking nonsense. Go annoy other people.
by svpe - The Junkyard
wildgoosespeeder, the Wii64 developers have been able to port an N64 emulator to the Wii, which took them about 2 years because they had to rewrite huge parts to make it work. Don't you think that they considered every single plugin before starting to work? You need to rewrite huge parts of every gfx plugin anyway when you're porting it to the Wii, so it doesn't really matter if some
by svpe - Ideas, requests
Just click on that HMAC link and read the Wikipedia pages.
by svpe - Offtopic
The images are signed using an HMAC. Good luck with faking that without knowing the secret key.
by svpe - Offtopic
Erasing all IOS versions? Now that's a good plan! While you're at it: go to some high building and let the Wii drop from at least 100m. That's an equally good idea! :)
by svpe - Homebrew General
Erm, no. You'll need to add section headers to the ELF file because objdump doesn't like to just have some program headers. My version supports big endian without any problems.
by svpe - Software
Quote bg4545: Quote svpe: No, you cannot. The TMD is always deleted and needs to be reinstalled. You cannot copy the HBC back once it's been deleted. We have another exploit though that allows us to install arbitrary titles (e.g. BootMii or the HBC) once we can run PowerPC code (which can be done with comex' exploit). I thought that it was possible to install the HBC if it was deleted (using
by svpe - Homebrew General
Quote lpeters82: I didn't say it's a competition, plus no one important reads these forums anyway. I stand by my statement though. I think Team Twiizers will come up with an exploit for the System Menu 4.0 before Comex releases a working version of BannerBomb that can be installed on System Menu 4.0. I agree with you that Team Twiizers is working on BootMii, but Comex is also working on
by svpe - Homebrew General
MIOS actually starts some PowerPC code embedded into its ELF, and this PowerPC code then loads the GC game.
by svpe - Software
contains more information and all advisories. I recommend taking a look at and :>
by svpe - Offtopic
Let's assume we can break a 512-bit key in about one week. This time will be doubled for each additional bit the key contains, since we need to test all possibilities for the first 512 bits again when we set the 513th bit to one. The time it takes to bruteforce a key of arbitrary length n is therefore about 2^(n-512) weeks. We divide this by 52 since a year has about that many weeks. That yiel
by svpe - Software
You can do two things with RSA:
* Encrypt data with your public key and decrypt it with your private key.
* Encrypt data with your private key and decrypt it with your public key.
Signatures are basically hashes encrypted with the private key. Nintendo's public key is stored in boot1, boot2 and every IOS. You could easily modify it given that you can install titles on the NAND. But why w
by svpe - Software
Yes, you can use GeckoOS to dump the whole memory. It already does the patch for you thanks to nuke :) And yes, there is a way to patch a game and run it as long as you only patch the main.dol. You can easily modify GeckoOS or write your own disc loader to apply patches to the DOL while it calls the game's apploader. You can then load the DOL into IDA (by either using a plugin or by conver
by svpe - Software
They did some updates to the RSA checks. Yes, it's using memcmp now and they are also checking the padding now. It looks like a really secure RSA implementation this time and I don't think we're able to exploit anything there :(
by svpe - Software
Only if you completely replace the FFS module in the kernel. You would have to reverse the existing one first to understand all messages it handles and then somehow rewrite that to use the SD slot. You can't just use the SDI module because it isn't even loaded when the kernel loads. The kernel uses the FFS module to load almost all modules from NAND. You would therefore need to impleme
by svpe - Software
Quote whodares: I remember looking at that, I assumed it didn't need one, because I was (incorrectly) thinking the System Menu is what launched content (despite the fact I had written homebrew which loads VC games, doh!). Quick question: How does the IOS know which content file is the booting DOL? Does it just look for the first DOL with an entry/load point of 0x3400? It looks at the boot_
by svpe - Homebrew General
Quote whodares: 2. svpe mentions real mode addressing. Will IOS load my/Nintendo's/marcan's NAND loader in real mode, and the loader have to set up virtual/protected mode? I suppose I don't need to worry about this while I use somebody else's loader, but it would seem interesting that IOS runs in real mode as opposed to virtual mode. IOS runs on Starlet while your code will run on the
by svpe - Homebrew General
Finally some post that is not "hai, i can haz wad packer with banner toolz plzkthx!!" :-) "1. If the install goes wrong, and the files aren't registered properly or something, could it brick my Wii? (I'm working off the assumption that using an existing banner means I won't get a banner brick at least)" If you are just using existing banners nothing should happen. "2. Do I n
by svpe - Homebrew General
Go away, kthx. We don't support WADs here.
by svpe - Homebrew General
Quote tona: Quote Arikado: EDIT: LIGHTBULB!!! Couldn't we dump the code of Mario Kart Wii or Wii Fit to see how they install their respective channels without using fakesigned code? Epic fail. RSA 101 (Or read this) RSA encryption is done with key pairs. One key is used to encrypt data, and one key is used to decrypt it. The encryption key is also called a "private key," because you wan
by svpe - Homebrew General
We don't even know how BC switches to compatibility mode and if you are still able to see the "new" hardware registers then. It's definitely not easy since you would need to write an OHCI (USB) and a Bluetooth stack and port a Wiimote library like wiiuse. And you'd probably need to somehow patch the games to get their pad data using some IPC mechanism. Another alternative would be
by svpe - Homebrew General
It's installed with a small DOL that basically just calls ES_ImportBoot2. boot2 cannot be installed like normal titles using the ES_AddTitleStart/... functions because it doesn't live inside the filesystem.
by svpe - Software
Quote whodares: Quote svpe: All currently created channels except for the HBC are illegal because they violate Nintendo's (banner) and Team Twiizers' (nandloader) copyright. We don't support creating them due to that and other reasons, sorry. Quote svpe: Yes, it's using a banner completely created from scratch using a self-written Python toolkit and not one stolen from some Nintendo g
by svpe - Homebrew General
Quote strongfan: oh... just out of curiosity, why is the HBC exempt? Does it use a different "banner"? Yes, it's using a banner completely created from scratch using a self-written Python toolkit and not one stolen from some Nintendo game and then slightly modified using SDK tools which only official developers are allowed to use. marcan said that he maybe wants to release that toolkit once
by svpe - Homebrew General
All currently created channels except for the HBC are illegal because they violate Nintendo's (banner) and Team Twiizers' (nandloader) copyright. We don't support creating them due to that and other reasons, sorry.
by svpe - Homebrew General
Use segher's tools to decrypt it and load it into IDA using the instructions posted in this forum by bushing.
by svpe - Software
The unencrypted memory wasn't such a bad decision at all. It probably saved them much money. It was just a really stupid idea to store encryption keys permanently there instead of the internal RAM Starlet has (x'ffff_????) or just giving the AES engine access to the OTP. Not cleaning MEM2 before switching to GC mode wasn't such a good idea either. :-)
by svpe - Software