HackMii

Notes from inside your Wii


Your Wii is not a PSP (or an Xbox, or …)

June 12th, 2008 by bushing · 30 Comments

I didn’t think that I had to explicitly say this, but I see the same things come up over and over again, so I’m hoping I can clear this up for people.

The Wii is not a PSP, or an Xbox, or any other console system. Stop making guesses about the Wii based on your experience with other consoles. It Doesn’t Work Like That.

(Warning:  I don’t own either of those systems; most of what I know came from TyRaNiD’s excellent presentation about the Pandora Battery at 24c3, my conversations with him afterwards, and a little bit of Google searching.)

Downgrading

I see a lot of talk (questions, ideas) about “downgrading the firmware” of a Wii.  As far as I can tell, this comes mostly from the PSP world, where there was once a firmware which contained no signature checks whatsoever (1.0) and a firmware which contained an easily-defeatable check (1.5).  Later firmwares fixed these bugs, so it was desirable to take a PSP with a new version of the firmware and downgrade it to an old version.

This is meaningless in the Wii world.  First, there is no such thing as a “firmware version” on the Wii — the Wii stores a copy of every firmware (IOS) that has been released, and new firmwares for new games are just added to the collection.  You also have the System Menu, which has the only visible version number — 3.1E, etc — but it tells you nothing about the firmware.  The System Menu is responsible for launching most code (from disc or NAND), but it’s the IOS firmware which does the security checks.

Even the IOS version numbers don’t really matter so much.  Any program on the Wii can switch to a different IOS version while it’s running with one simple function call — it’s not really a hack, but more like how the system was designed.

From a homebrew point of view, there is almost no difference whatsoever between any of the IOS versions.  With one famous exception, there are no security holes that have been fixed between versions of IOS — it’s all a game-compatibility thing. The one exception — IOS37 — is still harmless because it’s never used; a future system menu will probably use it, but even that could be bypassed by using something like the Twilight Hack with Gecko Region Free. (Remember, you can easily switch back and forth between IOS versions in the middle of any program!)

For more info about the IOS system, see Wii System Software: a guided tour and On firmware patching, risk and responsibility.

This came up most recently in discussion about Waninkoko’s “Downgrader” video.  In his defense, he never said this was useful to do, but people jumped on it because of the title. This is not a solution to any currently existing problem.  If a problem develops, this would be the wrong solution; a better solution would be patching the System Menu TMD to use a different version of IOS.  It’s possible for Nintendo to go back and patch all of the versions of IOS to fix the signing bug, which would prevent that from working; the best solution would eventually be to patch IOS37 to disable the fix.  Which brings me to…
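A worked example, added here and not code from the original post, of the binding the paragraphs above rely on: a title’s TMD names the IOS it runs under in its sys_version field, encoded as the IOS title ID (00000001-000000xx, the same numbering the IOS discussion above uses), and that field sits inside the RSA-signed region of the TMD. The Python below builds a constructed TMD, reads the IOS number back, and shows that rebinding it to another IOS changes the signed region, so the existing signature no longer covers it. The offsets follow the publicly documented Wii TMD layout; the issuer string and the System Menu title ID are real values, the content blob is made up, and no signing of any kind is performed.

```python
import hashlib
import struct

# Offsets from the documented Wii TMD layout; every multi-byte field is big-endian.
SIG_TYPE_RSA2048_SHA1 = 0x00010001
OFF_SIGNED = 0x140        # the RSA signature covers everything from the issuer field to the end
OFF_SYS_VERSION = 0x184   # 8-byte title ID of the IOS this title must run under
OFF_TITLE_ID = 0x18C
OFF_NUM_CONTENTS = 0x1DE
OFF_CONTENTS = 0x1E4
CONTENT_RECORD_SIZE = 36  # content id (4) + index (2) + type (2) + size (8) + SHA-1 (20)
IOS_TITLE_HIGH = 0x00000001   # every IOS is title 00000001-000000xx, xx = IOS number


def build_tmd(title_id, ios_number, contents):
    """Assemble a minimal TMD for a constructed sample title.

    The signature bytes stay zero: we hold no signing key, which is exactly
    the constraint the post is talking about.
    """
    tmd = bytearray(OFF_CONTENTS + CONTENT_RECORD_SIZE * len(contents))
    struct.pack_into(">I", tmd, 0, SIG_TYPE_RSA2048_SHA1)
    # Retail issuer chain; padded to the 64-byte issuer field.
    tmd[OFF_SIGNED:OFF_SIGNED + 64] = b"Root-CA00000001-CP00000004".ljust(64, b"\0")
    struct.pack_into(">Q", tmd, OFF_SYS_VERSION, (IOS_TITLE_HIGH << 32) | ios_number)
    struct.pack_into(">Q", tmd, OFF_TITLE_ID, title_id)
    struct.pack_into(">H", tmd, OFF_NUM_CONTENTS, len(contents))
    for index, (content_id, data) in enumerate(contents):
        off = OFF_CONTENTS + index * CONTENT_RECORD_SIZE
        # type 0x0001 = normal (non-shared) content
        struct.pack_into(">IHHQ", tmd, off, content_id, index, 0x0001, len(data))
        tmd[off + 16:off + CONTENT_RECORD_SIZE] = hashlib.sha1(data).digest()
    return bytes(tmd)


def required_ios(tmd):
    """Decode sys_version into an IOS number; None if the field is not an IOS title ID."""
    (sys_version,) = struct.unpack_from(">Q", tmd, OFF_SYS_VERSION)
    if sys_version >> 32 != IOS_TITLE_HIGH:
        return None
    return sys_version & 0xFFFFFFFF


def signed_region_sha1(tmd):
    """SHA-1 of the bytes the signature vouches for (offset 0x140 to the end)."""
    return hashlib.sha1(tmd[OFF_SIGNED:]).hexdigest()


def with_sys_version(tmd, ios_number):
    """Copy of tmd rebound to another IOS; the now-stale signature block is left untouched."""
    patched = bytearray(tmd)
    struct.pack_into(">Q", patched, OFF_SYS_VERSION, (IOS_TITLE_HIGH << 32) | ios_number)
    return bytes(patched)


def signature_still_covers(original, patched):
    """True only if the signed region is byte-identical, i.e. the old signature still applies."""
    return signed_region_sha1(original) == signed_region_sha1(patched)


if __name__ == "__main__":
    # Constructed sample: the System Menu's title ID (00000001-00000002) bound to IOS30.
    menu_tmd = build_tmd(0x0000000100000002, 30, [(0, b"constructed content blob")])
    print("System Menu TMD requires IOS%d" % required_ios(menu_tmd))
    rebound = with_sys_version(menu_tmd, 37)
    print("after rebinding to IOS%d, the original signature still applies: %s"
          % (required_ios(rebound), signature_still_covers(menu_tmd, rebound)))
```

A verifier that checks the signature correctly rejects the rebound TMD; the TMD patch the post describes only ever works on IOS versions that carry the signing bug it mentions, which is why the post expects Nintendo to be able to close it by fixing IOS. From a defender’s angle, sys_version is the field to inspect when you want to know which IOS a title actually executes under, since the System Menu’s own version number says nothing about it.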

Custom Firmware

Dark Alex is consistently mentioned in the same breath as “custom firmware”.  It looks like he’s done some quality work — as far as I can tell, it’s mostly

  • Ability to use different versions of the firmware for better game compatibility without losing the exploits
  • Warez issues (enhanced versions of built-in isoloader code?)
  • Recovery code

Of those three things, the first is completely irrelevant — we can already switch firmware versions all we want.  If Nintendo only patches IOS without patching boot2, we can just go and patch them back. The second is of no interest to me, and probably much harder on the Wii anyway.  The third is much more interesting, and is something I’m working on for boot2.  And speaking of recovery,

Unbricking

The PSP has a much smaller NAND Flash chip (32MB vs 512MB), and when it becomes corrupted, the unit becomes bricked — much like a Wii.  Originally, the recovery method available involved reflashing this chip with a dump from someone else’s unit — not possible on the Wii, because each NAND Flash is uniquely encrypted per console.  The second, nicer method (and the main subject of TyRaNiD’s talk) involves a battery and a memory stick, and to plagiarize from his presentation:

  • The Pre-IPL was not very large, less than 4KBytes
  • Based on a hardware register the Pre-IPL would either:
    • Read IPL from Flash
    • Read IPL from Memory Stick
  • This tied in with the leaked information about the service mode

The Pre-IPL is the equivalent of our boot0.  We have no such ability to read code from another source.  There will never be a “Pandora Battery” equivalent.

Banning

Both Sony and Microsoft are known for banning people from their various online services, particularly Xbox Live! Nintendo’s online services are not nearly so sophisticated — I’d even go as far as to call them primitive — and they seem to have no intention of banning people for anything.  If people start cheating in online games, that may change, but until then I don’t think it’s an issue.  If the Nintendo Channel uploads your playtime log, and that includes the Homebrew Channel, then … then … nothing.  They don’t care.  Really.

Tags: Wii

30 responses so far

  • 1 Odb718 // Jun 12, 2008 at 3:15 am

    So by that reasoning it should be “O.K.” to play PAL copies of games not out in other regions and vice versa ahead of local release dates?
    Those last few statements sound pretty unrealistic… until you think of the story about the guy who sent the modded Wii back for repairs. They barely even said anything back to the guy. That’s a hardware mod made so backups can be played. So I guess you’d be right when saying they don’t really care if people use homebrew. Just sounds off to me.

  • 2 bushing // Jun 12, 2008 at 4:56 am

    I said nothing of the sort.

    Nintendo doesn’t care enough about you hacking your Wii to take action against you for having the Homebrew Channel installed on your Wii. They’d have some potential liability, and almost no benefit.

  • 3 Malcolm Parsons // Jun 12, 2008 at 5:02 am

    > If people start cheating in online games, that may change.

    I’ve heard of people cheating online in mario kart wii.

  • 4 Chris // Jun 12, 2008 at 5:34 am

    thanks a lot for that, this should clear up a lot of misunderstandings and speculating discussions that pollute the “scene” forums nowadays

    sadly, there will still be closed-minded people who still can’t get the point

  • 5 & // Jun 12, 2008 at 5:43 am

    So…..when are we going to get custom firmware?

    I can’t wait.

  • 6 Bob. // Jun 12, 2008 at 5:44 am

    So when are we going to get custom firmware?

    Maybe when Waninkoko releases the downgrader.

  • 7 Wii Downgrader - Page 8 - WiiNewz Forums // Jun 12, 2008 at 6:14 am

    […] Originally Posted by ccfman2004 I think we are better off if something like the PSP’s Pandora Battery is made for the Wii. This way we could fool all we wanted with the Wii and always be able to recover. The recovery menu in Custom Firmware on the PSP does no good if the entire firmware memory is corrupted. This downgrading could be useful if Nintendo decides to patch the TP hack. Right now Custom Firmware is not necessary since all current hacks work. IMO, I think it would be more important to figure a way to run the system menu from the SD card since we would be able to run any version of the system menu we wanted and still be able to run the Homebrew Channel. Of course none of this matters until Nintendo updates the System Menu to use IOS 37. I do hope that bushing and the other pro Wii hackers can find a way to patch IOS 37 and deactivate the Trucha Patch like we can with the Error 001. best article ever Your Wii is not a PSP […]

  • 8 Your Wii is not a PSP (or an Xbox, or // Jun 12, 2008 at 6:28 am

    […] Wii is not a PSP (or an Xbox, or

  • 9 Azeazezar // Jun 12, 2008 at 7:08 am

    Bushing>> If people start cheating in online games, that may change.

    Malcolm Parsons >I’ve heard of people cheating online in mario kart wii.

    Yes, but that had nothing to do with homebrew, they use a bug in the game.
    It would be different if someone would take the mario kart game, decrypt it, double the speed of each cart and bike, trucha patch it and then beat the world champion ghosts.

  • 10 bailli // Jun 12, 2008 at 7:35 am

    As always a good/amusing read bushing 🙂

    You don’t know how often I am tempted to post an answer in such threads – but right after I open the reply page I close it again because I know nobody will listen…
    I hope people will believe your article but I doubt it since the custom-firmware-kiddies are usually the same kiddies who think you wouldn’t want any code/programs to be released and waninkoko brought the wii “homebrew scene” to “the people”… (Attention! slang: translate “homebrew” as “wiiware/vc piracy”)

  • 11 CPX // Jun 12, 2008 at 9:29 am

    @ Azeazezar – actually it’s already possible to cheat online with MKWii. All that is needed is a USB Gecko. Infinite Golden Mushroom FTW!

  • 12 Unicron // Jun 12, 2008 at 10:00 am

    I don’t really care whether I can downgrade or not, ’cause if I do downgrade, and remove IOSxx which prevents me from running HBC, newer games probably won’t run as they should, preventing me from playing newer releases. However, I do wish (it’s just a wish!) that I someday will be able to customize the look&feel of the system menu, ’cause the current music annoys the hell out of me! This will be kinda like the X-Box dashboard themes.

    You can always dream, can’t you? 😉

    Anyways, Bushing, Segher and all the others who have made this possible, I/we thank you for your efforts. (And if I could program, I would probably do/make something myself.)

  • 13 Whizz // Jun 12, 2008 at 11:44 am

    Bushing, you said hacked VC games would piss Nintendo off. People can use the Homebrew Channel to play these VC games and others on emulators. Don’t you think that will piss them off even more?

  • 14 PSPNWIINPS3 // Jun 12, 2008 at 12:16 pm

    Um, it is VERY much like the PSP scene in some ways. So, you can’t downgrade, I’m positive you can patch the IOS or System Menu to launch the old action replay disks and freeloader. I bet you can even patch it to circumvent the security checks.
    As for recovery, yes every NAND is encrypted per wii, but if every person DUMPS his/her OWN nand, then it should match. I worked in the PSP scene, and to be able to “unbrick”, we had to get the eeprom in the battery to read from the memory stick. This COULD be possible cause of the Wii’s front SD slot. There COULD be some sort of patch that could be released to make it possible to redirect to the SD card before the system menu, therefore possibly unbricking it. The IPL has to be installed to the SD, and could possibly not boot the wii if there is no sd card inserted with that IPL. But, that’s just a thought.

  • 15 HyperHacker // Jun 12, 2008 at 12:37 pm

    Yes, there *could* be a *patch* created to do that, but such functionality is not built in like it is on PSP.

  • 16 marcan // Jun 12, 2008 at 2:15 pm

    @Whizz:
    The Homebrew Channel cannot be used for playing games, at all. It can be used to launch an emulator, sure, so what? They have no reason to ban the Homebrew Channel because that’s not the root cause – it’s merely a tool. People can already run emulators without HBC, and there are other launchers out there – banning HBC won’t do a thing. At worst, they’ll target the general homebrew scene by fixing the relevant bugs. And then we’ll just use different ones.

    @PSPNWIINPS3:
    Go read the relevant articles again. Yes, there “COULD be some sort of patch that could be released to make it possible to redirect to the SD card before the system menu, therefore possibly unbricking it.” That functionality doesn’t come built in to the wii, so if it’s already bricked then you’re screwed. However, before you brick it, you could install a patch to make recovery possible. And that is EXACTLY one of the things that we’re trying to accomplish.

    And yet the fact that this isn’t built in to the Wii is more proof that, indeed, the Wii has very very VERY little to do with a PSP. We’re getting into general embedded system concepts here. Yes, there are boot ROMs and several boot stages, and several places where boot code can be stored, signatures, etc. Every embedded system is going to have some of these. However, the Wii isn’t really comparable to the PSP in any of the relevant details. Trying to draw parallels between them is only going to cause confusion.

  • 17 Trolly // Jun 12, 2008 at 3:59 pm

    Well, I certainly agree on the count of Nintendo aren’t going to do anything. Unless of course this transpires into anything bigger than just homebrew. Though if they do something, it’ll probably be fruitless by that point.

    Anyway, I had no idea anything vaguely custom firmware-related was going on. Not sure what it meant, as I’m extremely tired, but meh.

    Also, I may just be taking you wrong, but PLEASE stop acting like you’re above the ‘childish’ antics of scene forums like GBATemp (I’m sure you’ve seen me there).
    I just feel a little like you’re saying we’re all complete idiots who all pirate for our own little selfish needs, and don’t really know what’s going on.
    Of course, if I took you wrongly, feel free to correct me.

  • 18 Jinxvorheeze // Jun 12, 2008 at 6:04 pm

    @bushing
    The Wii is built entirely different from the PSP in a security type of way. A lot of people install Dark_Alex custom firmware and don’t understand exactly what it does. They don’t think about the fact that the only reason it has to downgrade is to launch unsigned code. It downgrades your PSP to OFW 1.5 then it injects the newer code into the old firmware so you get all of the new features while using the old firmware. Every M33 CFW since it was OE (and before) has just been OFW 1.5 with new code injected into it (I’m not trying to cut down DA in the least, I use M33 CFW on my Slim and he does do an extremely irritable amount of work to get it to function properly). Right now on the Wii, we don’t have a reason to use Custom Firmware. Custom doesn’t mean customizable, it means it was custom made. People need to stop talking about the firmware on the Wii like it’s the dashboard of an Xbox. Evolution-X is a prime example. People assume that Evo-X is CFW for the Xbox. All Evo-X does is take a security flaw in the Xbox and launches the Linux code as soon as the system is booted and then directs the code to where Evo-X is stored. Is it technically CFW? Yes, but only in the sense that it enables the security flaw that was readily available on boot without you having to physically activate the security flaw yourself. The rest of the firmware is left intact and the rest of the code changes are carried out by the Dashboard replacement when it is run. It is the equivalent of force booting the Wii to the Homebrew channel at startup instead of going to the Wii menu. The menu is still there, and you can access it by exiting Evo-X (or XBMC). but it allows you to directly load unsigned code without needing to run the Xbox Linux program EVERY TIME. Sounds a lot like the HBC…. making it so you don’t have to launch the Twilight Hack every time.

    I guess what I’m getting at is: why would anyone waste their time creating a full Custom Firmware that does exactly what we have the ability to do now. In the past, downgrading has only been done to defeat security that blocked the launching of unsigned code. Or in the Xbox’s case (which has already happened on the Wii with the HBC and HBL) to make it more efficient for people to use. If there was a way to alter the drive key of the Wii to make it play backups using a homebrew code (like the Xbox), then CFW would be useful. If Nintendo fully blocked Homebrew and there was no efficient way of using the Wii and Homebrew at the same time (like the PSP and its updates) then CFW would be useful. But neither of these situations will ever arise. You cannot access the drive key of the Wii through the Wii itself without hardware modification, and Nintendo has such a messed up security system that they could not feasibly patch all of the holes in security. Like you said, it chooses different IOS based on the title that has been inserted making it infinitely easy to create overflow hacks to launch code like the Twilight Hack. So with all of the advancements of the Homebrew Scene, there is no reason to have CFW. Not saying that what Waninkoko did was not awesome from a Proof of Concept point of view, but the relevance to the scene is nothing more than to just say it could (and has) been done. He himself has stated he would not release it because it is useless and will cause more damage than good and that it is strictly for if it is needed in the future.

  • 19 Maat // Jun 12, 2008 at 6:39 pm

    You said in your article that you never found security patches or something like that in the new IOS except for the famous IOS37…. but if I remember correctly, I remember someone said that there existed a bug in the nintendo wii a long time ago that was really necessary to be fixed, just like trucha (don’t remember how to write it)……
    I think the only part that’s interesting in doing wii “custom firmware” would be to customize the wii system menu… apart from that, I don’t see anything more interesting.
    I know that you said that nintendo isn’t going to ban because of homebrew but I have seen cases of bans probably because of customization and maybe other things, but I do believe in no ban for homebrew, but I do believe in ban for cheating.

  • 20 marcan // Jun 12, 2008 at 10:17 pm

    @Trolly:
    “I just feel a little like you’re saying we’re all complete idiots who all pirate for our own little selfish needs, and don’t really know what’s going on.”
    A lot of people fit that description, and they get annoying after a while. If you don’t, that’s awesome, but a lot of other people around those places (GBATemp, ElOtroLado, etc) do.

    @Maat:
    Yeah, bushing forgot to mention that, IIRC, the Twiizer Attack is fixed in newer IOSes (n) since the keystore is held in internal Starlet memory instead of the external chip. We’re not sure when it got fixed, but it probably was before all this homebrew and Nintendo found it themselves. Either way, since you can still boot IOS9 with the flaw (and there are easier software methods of getting at the keys anyway), this is irrelevant.

  • 21 Wii Updates - Part 3 » Restart // Jun 13, 2008 at 12:51 am

    […] this front, there is a post by Bushing highlighting the potential issues with this kind of a downgrade. He also talks about […]

  • 22 Chris // Jun 13, 2008 at 1:25 am

    @Jinxvorheeze :

    read the article again, what Waninkoko did, will NEVER be useful in this form, so why did he mention this would EVENTUALLY be released when it becomes useful?

    Simple, to make people think he is working on something genius and to grab some attention (who said paypal donation ?) from fooled people hoping their “dreams” come true.

  • 23 Link // Jun 13, 2008 at 1:39 am

    Well, I thought about that system menu downgrade thing too and I agree – yeah, it’s probably not worth it for now. However, I can imagine that it would be its way. Imagine Nintendo rushes out with a fixed IOS and the new menu uses that IOS. I’d say it’s dangerous to patch the IOS because maybe your menu won’t boot at all anymore. A temporary downgrade would help – like downgrading X (X >= 3.3) to 3.2 just to make sure – we’re back to IOS30. Then write a homebrew which would want to use IOSxx (xx might be 37 but that’s not important – xx should be just a version which has strong security checks). Then you can patch IOSxx and try whether your homebrew still functions. After that, you can be sure your patch works and upgrade your system menu again.

    I probably do not have too much of an idea about the internals; that’s what I personally thought of. However, correct me if I am writing garbage.

    For now however I agree: downgrading the system menu as of now doesn’t give you an advantage over anything!

  • 24 marcan // Jun 13, 2008 at 6:54 am

    @Link: There are three problems with that argument:
    – Sure, downgrades *might* have a chance of being useful for developers (but see below), just as we have patched IOSes that output debug information to aid in experimentation. But we don’t publish them or show them off because it only leads to fruitless mental masturbation and because they’re useless to most people.

    – There are ways of testing out hacks without bricking a Wii – say, using an Infectus like bushing does – so we don’t need system menu downgrades as a way of keeping things safe during experimentation.

    – If you can run the downgrader, you can run any other homebrew. If you can run homebrew, you can boot any IOS. If you boot an old IOS, you can do anything. For example, you could take a copy of the new secure IOS, install it as another IOS number, and test patches out there. You can even boot the new system menu with that fake new but patched IOS – we have tools to do that without actually installing a modified menu. In the end, everything that you described can be done in far safer ways, without modifying or downgrading the system at all, and only install a modified IOS once you’ve fully tested it out.

  • 25 Jinxvorheeze // Jun 13, 2008 at 11:23 am

    @Chris
    I don’t need to read the article again. I understood what he was saying perfectly, and agreed with him every step of the way. I even agreed that what Waninkoko did will never amount to anything more than a neat proof of concept. You can’t deny the man his feats even if it won’t become some miraculous saving grace of the Wii homebrew scene, the fact he did it is a task in its own. Do I agree with the way he is going about announcing it? No, he is making it seem like a huge step in Wii Hacking which it most certainly is not. But to say that he did not put any work or effort forward in this project would be downright ignorant, but effort unfortunately does not guarantee usefulness. It takes the understanding that the system menu is not what actually controls the Wii security checks, so downgrading it does no good. Take downgrading the current menu, it doesn’t remove IOS37 because IOS37 isn’t built into the system menu. This is not a NAND hack, it is a shell replacement hack (of sorts).

  • 26 Baosen // Jun 13, 2008 at 12:55 pm

    Are you able to create something like the PSP DEVolution? It’s a mod used to flash the “firmware-chip” of the PSP, if something gets wrong with it (bricking etc).

  • 27 Maat // Jun 13, 2008 at 5:18 pm

    @Baosen
    Yes it’s written a few articles back about the dual memory hack that a guy did, this is like the only 2 PSP modchips, but the problem is that the Wii has 512MB of memory against the 32MB of PSP, well that would make the modchip more expensive and maybe less probable, but hey if somebody would do it, it would be good for developers to write and read the flash at their will (of course I forgot to mention that there’s the infectus mod chip that can read and write in the Wii’s memory, but it isn’t like the psp modchips, since it doesn’t hold information, just writes)…..

    Something that would be great would be to remove the Wii’s health screen, just like they did with the DS… something that just occurred to me, maybe the only modification in the firmware we are gonna see is the same that was made for NDS, that only was done for removing the health screen and making it safe against bricks, and to play flashcarts using the GBA SLOT (I think the last one we will not see in the Wii)

  • 28 Homebrew - Wii System Menu update STOPS Twilight Hack! - Wiihack.de // Jun 17, 2008 at 1:57 am

    […] what else: Your Wii is not a PSP, here is a very interesting article about it on hackmii: Your Wii is not a PSP (or an Xbox, or …) I didn’t get any update notification at all… thank goodness it was only on Saturday that I […]

  • 29 Lucid // Jul 13, 2008 at 5:06 am

    Will you make a plugin feature like the PSP?
    (Being that you mentioned a future recovery menu)

  • 30 Custom firmware IOS for Wii at alexnoguera blog // Jul 25, 2008 at 9:25 am

    […] As they say on hackMii, the Wii is not a PSP. […]
