HackMii

Notes from inside your Wii


IOS HAX

July 10th, 2008 by bushing · 20 Comments

The past few weeks have seen increased interest in hacking IOS, the “firmware” of the Wii — I think many people are under the mistaken assumption that I disapprove of this.  On the contrary — I think it’s an exciting direction, but I want to make sure people have realistic expectations.

  • Limitations:  IOS is responsible for most of the things you *don’t* see when using your Wii.  It can’t do graphics and probably cannot do sound.  We do not yet know if it’s possible to read the GameCube pads or the front buttons (power, reset).  Currently, all we have is eight GPIO pins that the thing uses for bootup diagnostics.  Marcan has done some great work in this area, including mounting an LCD to 6 of those pins, and most recently he was able to patch IOS to redirect its (sparse) debug output over USBGecko — if you don’t already have one, now would be a good time to go out and get one if you’re interested in participating.
  • Capabilities: IOS currently manages all of the hardware that is unique to the Wii (as compared to the GameCube) — so, NAND Flash, SD card slot, WiFi, USB (at a low level — think libusb).  It has a full-fledged virtual machine that is capable of running a simple, JavaScript-like language and carrying on HTTP, SSL and SMTP communications — this is WiiConnect24, and it’s barely used by Nintendo.
  • Shared resources: Both the PPC and Starlet (ARM core) share both areas of memory; IOS could probably be used to patch PPC code (if someone sat down and wrote the code to make that happen).  Both can control the EXI bus.  They share the USB busses (IOS has drivers for USB HID devices and the USB Ethernet adapter; the PPC has the Bluetooth module driver).
  • Requirements:  IOS does a tremendous amount of poking at management registers to make the Wii work; replacing it entirely (while still playing games) is probably infeasible and not really worth the effort.  Instead, we’ll probably be patching it, extending it, and occasionally writing special-purpose replacements for limited, specific purposes (like brick recovery).
  • Piracy: We are not making a soft-mod or an isoloader.  Most of the anti-DVDR protection on the Wii is done in hardware; assuming Nintendo designed it correctly, we will not be able to bypass this in software.  Homebrew has always been our goal, and we have no intention of actively pursuing anything that would violate the DMCA.  (That having been said, I no longer believe that Nintendo can tell the difference between what we do and what pirates can do; also, Nintendo and BroadOn have already made some pretty horrible mistakes which made VC piracy much easier to pull off.)
  • Safety: This is a big, poorly-understood one.  There are some very specific ways you can fuck yourself over by hacking on IOS:
    • Disrupt the boot path.  If you modify 1-2, 1-30 or boot2, you can easily get into a situation that will prevent you from recovering without hardware access to the NAND flash.
    • Corrupt support files needed by the system menu.  When it starts up, it looks at the other titles installed in NAND to build the main Channel display; this has been responsible for several bricks as people have experimented with banners.  These mishaps are sometimes easier to recover from than actual code bugs.
    • Tamper with the unknown.  We don’t fully understand BC; in many ways, it is similar to boot1.  It loads boot2.  It seems to be run by the System Menu when you run a GameCube game.  I’m guessing that the System Menu runs BC which runs boot2 which runs MIOS which runs your GameCube game; if this is correct, then modifying boot2 could prevent BC from loading it.  If BC is used elsewhere, this could have bad consequences.  Be Careful, or better yet — figure it out kthx
    • Corrupt the filesystem.  IOS is the driver that maintains the NAND filesystem; if it discovers problems, its first reaction seems to be to completely wipe it and start over, and there’s no recovery from that.
  • Redundancy:  Now that I’m done scaring you, there is some good news.  The Wii can hold about 200+ different versions of IOS, and it will only load a version of IOS when required to by a TMD or an explicit ES call from a homebrew app.  This means that it is possible — and mostly safe! — to experiment with a nonexistent version of IOS — say, IOS5 or IOS16.  You can even patch existing versions of IOS, as long as you make sure you have a way to execute code if that IOS breaks.  This also produces a unique challenge — anything that requires fundamental changes to the way that state is kept on the system means that you will have to modify every single version of IOS to get it to work — the best example of this would be adding in support for bigger NAND flash chips.  There is not yet a safe way to do this, because we do not yet have a way to recover from a mishap if you make a mistake in patching all versions of IOS.
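The Safety and Redundancy points above boil down to a pre-flight rule: never touch a boot-path title, prefer an unused IOS slot, and keep a fallback if you patch an installed one. The check below is an added example (not code from this post or from the Wii homebrew tools); it relies on the title-ID layout where system titles have the upper 32 bits set to 0x00000001 and the lower 32 bits set to the slot number, so the post’s “1-2” is the System Menu and “1-30” is IOS30. The installed-slot list and the acceptable slot range are constructed assumptions for the demo.

```python
# Added example, not part of the original post. Encodes the post's advice:
# refuse boot-path titles (1-2 System Menu, 1-30), require a fallback when
# patching an installed IOS, and treat an unused slot as the safe choice.

SYSTEM_TITLE_HIGH = 0x00000001          # upper 32 bits of every "1-x" title ID
# Boot-path titles named in the post; boot2 is not a title, so it is not listed.
BOOT_PATH_SLOTS = {2: "System Menu (1-2)", 30: "IOS30 (1-30)"}
MAX_SLOT = 255                          # assumed slot range for this demo


def title_id(slot: int) -> int:
    """Build the 64-bit title ID for system title 1-<slot>."""
    if not 0 <= slot <= MAX_SLOT:
        raise ValueError(f"slot {slot} outside assumed range 0..{MAX_SLOT}")
    return (SYSTEM_TITLE_HIGH << 32) | slot


def parse_slot(text: str) -> int:
    """Accept '1-30', 'IOS30' or a bare slot number and return the slot."""
    t = text.strip().upper()
    if t.startswith("IOS"):
        return int(t[3:])
    if "-" in t:
        high, low = t.split("-", 1)
        if int(high) != SYSTEM_TITLE_HIGH:
            raise ValueError("only system (1-x) titles are handled here")
        return int(low)
    return int(t)


def classify(target: str, installed_slots, boot_path=BOOT_PATH_SLOTS) -> tuple:
    """Return (verdict, title_id, reason) for a proposed IOS experiment."""
    slot = parse_slot(target)
    tid = title_id(slot)
    if slot in boot_path:
        return ("refuse", tid,
                f"{boot_path[slot]} is on the boot path; a bad patch means "
                "no recovery without hardware access to the NAND flash")
    if slot in installed_slots:
        return ("fallback-required", tid,
                f"IOS{slot} is installed and may be demanded by a TMD; keep "
                "another working IOS you can still execute code from")
    return ("safe", tid,
            f"IOS{slot} is unused; nothing loads it unless a TMD or ES call asks")


if __name__ == "__main__":
    installed = {30, 31, 33}            # constructed sample of installed slots
    for t in ("1-2", "1-30", "IOS31", "IOS16", "5"):
        print(t, *classify(t, installed))
```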
Expect to see more on this in the future; Marcan has already written a great article about our near-term plans, if you can read Spanish.  I will be releasing some code in the near future to make it easier to experiment with IOS, but be warned that this would be a very poor choice for a first programming project.
Please try to keep all discussion at a technical level; I’m not in the mood for arguments, but I will try to answer any thoughtful questions you may have.  At the very least, please look over all of these references before we begin:

Tags: Wii

20 responses so far ↓

  • 1 linkinworm // Jul 10, 2008 at 11:53 am

    So you are thinking of custom firmware? Would be good, but with HBC it doesn’t matter; but if you got control of the whole system with custom firmware, go for it. I’ve asked this everywhere: what are the chances of unlocking the region on the Wii? For both Wii and GC?

  • 2 zenitraM // Jul 10, 2008 at 12:09 pm

    “It has a full-fledged virtual machine that is capable of running a simple, JavaScript-like language”

    If it’s ECMAScript, then.. enter NES (clever acronym for Nintendo ES):
    http://nes.sourceforge.jp/
    http://code.google.com/p/es-operating-system/

    A i386 OS, open-sourced, ECMAScript-based, and, ¡surprise! created by Nintendo.. too many coincidences?

  • 3 F0ur2o // Jul 10, 2008 at 2:40 pm

    i386 OS = IOS .. hmm

    * an HTML5 rendering engine integration

    Basically wii

  • 4 bushing // Jul 10, 2008 at 2:47 pm

    @linkinworm: I hate that term “custom firmware” because of the connotations it brings with it… but sure.

    I’d say chances are 100%.

  • 5 linkinworm // Jul 10, 2008 at 3:08 pm

    @bushing
    So what should it be called for future forum references, modified firmware? bushing firmware lol. I don’t like the term either, really, because it’s not exactly custom tbh unless it’s been written from scratch imo.

  • 6 Anonymous Coward // Jul 10, 2008 at 3:40 pm

    Are you sure that the USB hardware is shared?
    It looks to me that Starlet “owns” the USB, and Broadway just makes use of IOS to implement a Bluetooth stack over USB.

  • 7 marcan // Jul 10, 2008 at 11:48 pm

    @AC
    Starlet owns the USB hardware, and exposes a libusb-like interface to it. This interface is then used by both Starlet drivers (KBD and ETH) and the PPC (Bluetooth)

    @zenitraM
    Yeah, we know about Nintendo ES. Unfortunately, it doesn’t seem to be related 🙁

    @linkinworm
    As far as modifying IOS, you could call it a “patched IOS” or a set of “IOS patches”. As for the from-scratch mini-IOS that we’re working on (mostly for recovery purposes), you could call it a “homebrew mini-IOS”, for example.

  • 8 IOS hacks, PatchMii, custom firmware for the Wii and piracy, ideas - NewsInside.org // Jul 11, 2008 at 6:15 am

    […] things are getting really interesting in the Wii homebrew scene. Yesterday a text was published on Bushing’s site (the Homebrew Channel guy) that explains, among other things, what is and what is not […]

  • 9 Jack // Jul 11, 2008 at 3:56 pm

    Is it possible that the Starlet can be used for general-purpose calculations? I mean, right now it is not possible to use it through homebrew, or is there no way to use it together with the main CPU?

  • 10 Nintengo // Jul 11, 2008 at 5:14 pm

    Custom FW…. well, I don’t see the idea in doing this, not with the HBC. I like my Wii menu and the thing it has right, which I don’t plan to upgrade, I’m not crazy.

    Piracy you say. I don’t think that paying 2 times for the same game is piracy; Nintendo makes you pay for games you already paid for a long time ago. They had it coming and that’s why this VC “piracy” is happening.

    Now well, an ISO loader… that’s interesting, at least to me it is; the best way to hit them back is by doing this. Why hit them back? Because it’s an atrocity to charge $60+ for a single Wii game that, when you play it 2 or 3 times, no longer gives you the fun it’s supposed to. They also have this coming, and don’t worry, it doesn’t have to be you that brings this to the community; someone else will, sooner or later someone else will, and then the Wii scene will be completed. I mean, if we can do it with PSP, PS2, Xbox etc., why not with the Wii…

  • 11 marcan // Jul 11, 2008 at 7:11 pm

    @Nintengo

    Promoting piracy is frowned upon here. Don’t try to justify why you pirate the games. We don’t care about whether you feel that the price of games is justified or not – Nintendo sets the price that they want, and you’re free to either buy the game or not.

  • 12 SquidMan // Jul 11, 2008 at 11:32 pm

    Heh, I tried looking at IOS with IDA Pro, and I guess it probably doesn’t help that I don’t know any ARM assembly, but I know I definitely can’t do anything with it 😛
    Hope those tools will help, because hacking IOS sounds oh so fun 🙂

  • 13 linkinworm // Jul 12, 2008 at 2:26 pm

    Sorry to jack this, guys: is there any way to access the Wii NAND tree from the Opera channel? Or access the SD card from it? I googled about.
    Thanks, and sorry guys, I know you get pissed off about stuff like this.

  • 14 Olly // Jul 13, 2008 at 7:32 am

    WTF? Where’s the response I posted? I’m very confused.
    I posted a response here a few days back, and now it’s disappeared. Any explanation?

  • 15 Anonymous // Jul 13, 2008 at 1:15 pm

    I wondered if it is possible to patch the latest IOS version so that Trucha signing works again?

    I’m always fearful of loading anything in to the Wii flash in case it bricks it. I like being able to put in a modified dvd with a loader.dol file. I haven’t upgraded to the version that prevents trucha signing yet, but it would be nice to know that if in the future we were somehow forced to, that this bug could be opened up again by modifying IOS. thx

  • 16 mercluke // Jul 13, 2008 at 6:23 pm

    Anonymous // Jul 13, 2008 at 1:15 pm

    I wondered if it is possible to patch the latest IOS version so that Trucha signing works again?

    I’m always fearful of loading anything in to the Wii flash in case it bricks it. I like being able to put in a modified dvd with a loader.dol file. I haven’t upgraded to the version that prevents trucha signing yet, but it would be nice to know that if in the future we were somehow forced to, that this bug could be opened up again by modifying IOS. thx

    if you want to use trucha disks in 3.3 then just install one of the many versions of geckoOS that have been made into a channel, i personally use this one: http://www.filedropper.com/geckoosdwii

  • 17 Hatchhaker // Jul 14, 2008 at 1:16 am

    Good insight. This has brought to my mind a couple of questions:

    1) How big is WiiConnect24 compared to the rest of IOS? If it is very big and one doesn’t need News or Weather channels, would it be feasible to eliminate it in order to gain some space? (yes, I’m concerned about my NAND becoming full some day)

    2) Is BC easy to patch? If so, it could perhaps send some signal (e.g. using Marcan’s display or USBGecko) as to when it is executed, so that all the cases in which it is launched can be traced. That would help reduce the uncertainty related to BC.

  • 18 Hatchhaker // Jul 14, 2008 at 1:21 am

    Sorry, I forgot this one:

    “if it discovers problems, its first reaction seems to be to completely wipe it and start over, and there’s no recovery from that.”

    That sounds like you could unbrick a Wii simply by corrupting the filesystem (and losing all saves), is that right?

  • 19 SquidMan // Jul 14, 2008 at 3:49 pm

    Hatchhaker: By wipe it and start over, he means it erases the NAND Flash completely. Not reset to factory. That definitely has no recovery as he said.

  • 20 Hatchhaker // Jul 15, 2008 at 4:15 pm

    By “there’s no recovery” I understood “there’s no way to roll back – your data is lost”. Thanks for clarifying that point.
