Notes from inside your Wii

HackMii header image 2

The Doghouse: “WiiSystemmenu wadpatcher”

April 11th, 2008 by bushing · 15 Comments

Bruce Schneier publishes a monthly newsletter called Crypto-Gram. It’s a fascinating read, but one of my favorite parts is a recurring section he has called “The Doghouse” where he picks (on) a particularly bad example of crypto-related hardware or software. Generally, they are programs or hardware that make broad claims of security but are trivially broken — or generally anything which makes bold claims with little to back them up.

I’d like to bring that to my blog — I don’t know how often; it depends on how much bad software is out there. Maybe this will be the first and last entry.

Superken7 recently released a program called the WiiSystemmenu-wadpatcher (original text in Spanish — English translation courtesy of WiiNewz):

this tool patches the updated wad that prevents the loading of ISOS patched by trucha signer. This tool patches the .WAD in the systemmenu in particular the WiiSystemmenu-vXXX.wad.

initial problem:
in a short amount of time nintendo through media updates issues the famous IOS37 which prevents isos from being loaded that were previously patched with trucha signer.

To stop this and because there is no other tool like this, i have taken a few days to create a wadpatcher. You can patch your wiiSystemmenu and subsitute it with one compatible with trucha signer so we can once again load our isos. I mainly did this so i can play mario kart without issues. At the moment i have tested it with Naruto Clash of the Ninja Revolution PAL and it works.

This is exactly the kind of thing that I was afraid of, and ranted about yesterday. What’s wrong with this program?

Well, mainly, there is no existing system menu WAD that needs this patch. As I said, IOS37 is not currently used by the System Menu (1-2), nor anything else. So, already — we have a program here which is not a reaction to a current problem, but instead is an attempt at a “preemptive strike” … I guess. Or being first. One or the other.

The reason there are “no other tools out there like this” is because it’s useless and dangerous. (It also happens to be trivial to write — this tool modifies one byte in the TMD and then resigns it.)

Why useless? Again, there’s nothing for it to do … yet. I think the author expected Mario Kart to either ship with IOS37, run on IOS37, or include an updated version of 1-2 that uses IOS37. Well, okay. That claim ended up being false, so at best this is a program that is before its time.  Even if Mario Kart did use IOS37, the author’s claim that he wrote the program so he could “play mario kart without issues” is dubious — this program has — and never will — have any effect on the ability to play Mario Kart, or any other game with a valid signature.  It doesn’t matter what version of IOS the game uses; the system menu doesn’t really care about that.

How could it eventually be useful? That’s a tough one.  If you go and install a patched version of 1-2, then it will just be overwritten when you next install a game with an updated 1-2 in its update partition. That’s what will happen to most people. The only way this could possibly be useful is if a new game comes out, and someone opens it up in their favorite tool and actually does the research necessary to figure out if that disc contains a “problematic” Systemmenu.WAD. Then, they’ll presumably go online and warn all of their friends that they need to go patch their new ISObackup to remove that Systemmenu.WAD and replace it with one patched using their tool.

That’s pointless. First off, anyone who already installed their non-backup disc first will be unable to use this program. Oops. Hope they got the message. I guess it’ll have to be posted far and wide — the “IOS37 threat” shows that will happen anyway. Maybe that would be a more appropriate time to release a utility like this.

Why dangerous? I don’t think the author actually understands how this works, based on the comment about running Mario Kart. How many different ways could this brick your Wii? I can think of at least 3:

  1. If the code which verifies the signature of the System Menu’s TMD is changed to fix the signature-checking flaw, it will declare your system menu invalid, and refuse to boot.  Quick quiz:  Where is that code?
  2. The current System Menu uses IOS30; historically, they have only changed it to use a newer version of IOS when it required / supported features in that newer version of IOS.  There were a lot of other code changes in IOS37; it’s a fair assumption that the hypothetical new system menu will need some of those features.  Quick quiz:  What happens then if you patch it to use a different IOS?
  3. I think that 1-2 currently checks the currently running version of IOS, and ensures that it falls within a range (30+, or something).  What would happen if you patched the TMD to use a different IOS version?  Have you tested this with the (still-hypothetical) IOS37-using System Menu?
The sad part about all of this is that the easier way to avoid problems in this situation would be to delete the SystemMenu WAD *entirely* from the update partition.  Sure, you run the risk that you might miss out on some new features, but at least your Wii would boot — instead, if you patch it, you run the risk of having a system menu that tries to use features that don’t exist in your version of IOS.

Tags: Wii

15 responses so far ↓

  • 1 Naruto » The Doghouse: “WiiSystemmenu wadpatcher” // Apr 11, 2008 at 7:40 pm

    […] HackMii wrote an interesting post today on The Doghouse: "WiiSystemmenu wadpatcher"Here’s a quick excerptAt the moment i have tested it with Naruto Clash of the Ninja Revolution PAL and it works…. […]

  • 2 Superken7 // Apr 11, 2008 at 8:40 pm

    I am aware of the issues. Still, this was the first tool i coded for wii and i did it in part just for fun, and just to see if i was able to do it.

    It was motivated by the thought that mario kart might ship with ios37, which i knew was unlikely,
    but i love that game too much and did not want to be in a situation where i could not play it right away if it shipped with ios37. (it was painful enough to think i’d have to rip+analyze it before playing it)

    So, the tool was not meant so i could *play* mario kart, but so i could *do* the update that could come with mario kart, while not fixing our beloved rsa-checking feature.
    I would like to note that the translation says: “You can patch your wiiSystemmenu and subsitute it with one compatible with trucha signer so we can once again load our isos.”
    But what i really said was “we could still update while not having our wii trucha-fixed”.
    (i knew the new channel was coming, and did not want to miss it, so maybe removing the update was not enough. Thankfully, it turned out the new channel was usable from the game, which is something i did not know until i got it. I am happy i can play my original and not a copy.)

    And yes, the tool is dangerous for all the reasons you have listed. (i knew some of them, there is one i didnt think of)
    I was not expecting to get that posted in wiinewz, specially without a warning which i did include in my original post(which stated that the tool was dangerous
    in the sense that it could brick your wii)
    , thats why i posted in wiinewz that the admins should include the warning in the translation. (Sadly its still unchanged) I also posted that there are other ways of evading the ios37 update, like removing the update completely
    and patching the game to use a safe ios version.

    But lets put something clear:
    The tool was not expected to be the holy grail. i did not even expect it to get known out of the original forum. i mean, a few minutes ago i read
    your blog entry and was like wtf oO.
    I was just expecting to see if i could actually do it, and maybe learn something from it, and ended up coding a generic
    ios-version wadpatcher, which could have more uses appart from those presented for evading ios37. So maybe its “bad software” in the situation in which it was presented
    because its risky, but i dont think its useless.

    I very much appreciate your critics, but i think it has been taken a little out of proportion.
    I still find it funny that such a typical at-your-own-risk-tool gains so much attention, and even ends up in your blog entry.
    I hope it does not make people upset that i published my tool, or that i did not code a holy grail of the ios37 problem. If i could, i would have written and tested
    a modified ios and boot2 and whatever is necessary to get rid of all problems, but i still do not have the time nor the knowledge. It was not even supposed to be a good solution for evading the rsa-fix. I just did it for myself, and ended up publishing the source and my “findings”. Plus, i thought it might save my day if mario kart gets released
    and happens to use ios37, and the new mario kart channel happens to be usable only after updating.

    i hope this has clarified some things. sorry for the long reply 🙂

  • 3 marcan // Apr 11, 2008 at 9:58 pm

    But even if the Mario Kart channel uses IOS37, it means nothing. Go ahead and update your wii with IOS37 – you’ll notice that absolutely nothing has changed, because the system menu still uses IOS30. If the Mario Kart channel uses IOS37, it will at most mean that you can’t use a patched (trucha-signed) Mario Kart disc with it (when jumping to the real race to start a race), which is hardly a problem.

    The only issue that everyone dreads is a system menu update that uses IOS37, and as has been mentioned you can just delete the wad to get rid of that. The only situation where this wouldn’t work is if Mario Kart required a new system menu update to make the new channel function, which is a rather unlikely scenario.

  • 4 Superken7 // Apr 12, 2008 at 3:54 am

    yes marcan, i know that 🙂
    i did not say so explicitly, but with
    “..the tool was not meant so i could *play* mario kart, but so i could *do* the update that could come with mario kart, while not fixing our beloved rsa-checking feature.”
    i meant the unlikely scenario that mario kart actually provided a systemmenu update that used IOS37. That’s why it had “Wiisystemmenu” prepended to the “wadpatcher” name.
    I guess its the fact that i put so much emphasis into the ‘evading IOS37’ thing which has caused so much “trouble” 😛
    I guess next time i should release things with a less ‘practical use’ scenario in the release notes.

  • 5 marcan // Apr 12, 2008 at 10:47 am

    Again, why don’t you just delete the WAD then?

  • 6 Superken7 // Apr 12, 2008 at 3:32 pm

    Like i said, that could have removed the new mario kart channel. I was trying to find a simple solution for being able to update with new channels, etc, while not rendering my wii untrucha’able :-/

  • 7 marcan // Apr 13, 2008 at 11:17 am

    So you’re assuming that it would include an IOS37 system menu, that it would add new features, that the Mario Kart channel uses those features, that the system menu doesn’t need any new IOS37 features, and that the Kario Kart channel would be vital to playing the game.

    That’s way too many assumptions. It doesn’t justify releasing an untested tool to the masses.

  • 8 Odb718 // Apr 15, 2008 at 1:55 am

    marcan, from what I read, he didn’t intend to do a world wide release of the tool. Though that did end up happening I honestly think it was just an attempt to release a tool that could be of use later. As he said, the tool isn’t entirely useless. Maybe in it’s current form there’s better solutions to the problem. But as bushing’s said himself, the bottle neck in homebrew is the amount of people working on a problem. What Superken7’s done is released something others can learn from.
    As of right now there’s absolutely NO reason I can see to use the tool. Maybe people have downloaded and used it. But anyone staying up with “the news” will know it might not be in their best interest. If someone does download it and use it, well, they should have checked around better imo. The problems with mario kart never happened. But who’s to say a later game, or update, wont need “this” tool.
    Now obviously the three of you guys are far more learned on this subject then I am.
    The tool could be harmful. Sure. As far as I can tell, no one’s bricked their wii using it. (as of this date) It could possibly brick the wii later.

    I think bushing’s done the right thing by bringing attention to the negatives of the wad patcher. Some one like me, who’s a little paranoid about not being able to “downgrade” his wii to ensure homebrew channels would look at this app and get curios. I did, but I didn’t download it. I waited, idled, and read up on it. I was in #wiidev when bushing said that this could be a little dangerous. So I didn’t risk it. I think this blog will help a ton of people like me, who weren’t waiting around on EFNet.
    This almost feels like an attack on Superken7, instead of it’s original point of trying to let people know the tool really isn’t that useful.
    I don’t think either of you two are trying to personally attack him, but bring out the fact that it was a poor decision. But I think it mainly comes from how shitty google language tools can be, and missed posts in unknown forums. I think he released the wad patcher in good spirits.
    Hopefully this whole thing can sort of unite the international communities forming around wii homebrew. That and a better understanding of how the wii checks itself will help the average n00b along the path of homebrew.
    So with that all I can say is, bushing, your blogs….
    we need them.

  • 9 Phredreeke // Apr 15, 2008 at 2:09 am

    Mario Kart Wii doesn’t even have IOS37 on the disc does it?

  • 10 Ouch // Apr 21, 2008 at 6:18 am

    [quote]What Superken7’s done is released something others can learn from.[/quote]

    could you explain us how you learn from something when there is no sourcecode released ?
    bushing & markan are totally right, there was no use in releasing this tool, and this was clearly released in hurry without really thinking to the consequences

  • 11 Rollerz // Apr 24, 2008 at 3:53 pm

    Well i think he just wanted to play around and learn for himself. People use these kind of things at their own risk. Superken is not responsible for them. Is it possible to release the source Super?

  • 12 bushing // Apr 28, 2008 at 12:27 am

    No, MK didn’t come with IOS37, in the end.

    Rollerz, did you actually read the post you’re responding to?

  • 13 Vettacossx // Jun 8, 2008 at 12:53 pm

    Spanish developer Waninkoko has released a video of the wii system menu being downgraded. Wii System menu from 3.1E to 2.1E.


  • 14 bushing // Jun 12, 2008 at 12:56 am

    … and it’s unavoidably dangerous, and currently pointless.

  • 15 Your Wii is not a PSP (or an Xbox, or …) // Jun 12, 2008 at 4:59 am

    […] problem.  If a problem develops, this would be the wrong solution; a better solution would be patching the System Menu TMD to use a different version of IOS.  It’s possible for Nintendo to go back and patch all of the versions of IOS to fix the […]

You must log in to post a comment.