Thread for theoretical brick fixing ideas
Quote:
The call comes from Hollywood >> RAM >> Starlight >> Read NAND with Keys saved in OTP >> Get requested encrypted file and decrypt it >> RAM. (if I'm not wrong) The hardest part, from what I know, will be the timing: to match the correct timing for the injection of the data. If we can inject data into the RAM we could do whatever we want, as long as they didn't protect this. With a USB cable to the PC, and selecting the file you want to inject first. We could even inject the BootMii executable from the IOS version, block the data from Starlight and run the .app file before anything else, like when it is installed as boot2. Do we have the ability to read the RAM in real time or save to PC what is going on? With a devkit or Gecko?
I will say (especially if the data in RAM is decrypted) that this is possible, but it is quite a long shot. Almost like we would need to power the RAM first and inject the data before powering on the Wii. Using an Infectus for this might be possible; the major holdback at first is that no one has developed firmware for the Infectus to handle this type of thing. There are about 4 or 5 things that we need to figure out all at once to make this seamlessly work together. I'm no engineer, but I can try my best, but I know I will fail quickly. What other ideas do you have? I want to be able to OWN my Wii and any other Wii that comes in my path in the end. Here's a pic with some of the Hollywood's pinouts mapped and labeled. I bet that you've seen this before. I will look at the data sheet for that specific chip and see if I can identify the data stream pins. This might actually require cutting some of the vias so data cannot be written unless it is done by the Infectus. I will see if I can find someone that can work with the modchip side of the Infectus and see what they have to say about it. Can you give me a link to the thread that you have going on over there please? Thank you. I don't have a Gecko, so I'm not exactly sure how it works. I am thinking of buying one of those also. I know that a USB Gecko is what is generally used for finding preloader hacks and making Ocarina codes.
Last edited by DeadlyFoez; 12-12-2009 at 05:57 PM.
Reason: Automerged Doublepost
I have a few ideas. Ask bushing to release the method to read the OTP. This would give the ability to convert a dump. Pay some coder to do the job of writing the code for the Infectus. But we will really need a Gecko/devkit and a modchip to do the job. I will buy a Gecko within the next month. Will the preloader patches to boot DLs also work with a permanent patch?
I don't know if a permanent patch would work. I'm sure it's possible. Your the thread on the Infectus site, if that's where you have one. Or I can find it myself. I just haven't gone over there yet. I'm going to buy a Gecko within the next month after this Christmas crap is done. I've actually been a little busy with work lately, but I'll see about talking to a few more people about some things and what we might be able to do.
I spoke with marcan and bushing today. The RAM is not encrypted, and there is no way discovered yet to extract the keys from OTP through a hardware means. OK, just thinking about this a little, I can see a level of difficulty in trying to get this to work. One of the things I just recently thought of, ignoring the other obvious brick walls, is just even being able to inject data into RAM. For us to do that we need to lock up the Wii into a state where nothing is being written to RAM at all, then dump our data into it, and then get it to continue on. Just thinking about the huge obstacles with this, I am starting to doubt that the Infectus is capable of serving this purpose.
Last edited by DeadlyFoez; 12-15-2009 at 08:24 PM.
Reason: Automerged Doublepost
But I think we do not need to patch it into the RAM before booting the Wii. The modchips on the PS2 also patched the RAM in real time. One example is region patching. So I think we would need to know the offset of RAM where the files like system IOS and rescue menu will be loaded to. Then the Wii stops because the RAM calls system IOS and system menu to the Starlight. In case of a full brick one of them (or maybe both) are corrupted or missing and Starlight cannot answer the request. It should be OK to patch the files into the RAM right after the request from it. As long as the files are at the correct offset and are patched at the right time it should work.
Besides the fact that I'm also no coder, I'll be willing to invest my own money to pay one of the coders to write the app for us to use with the Infectus. I don't want to make a profit with it. I would release it for free because I only want to be able to unbrick every Wii. After all, we would need the Infectus chip and to solder onto the very tiny solder points for the RAM. At least it would still be a modder's job.
Well, we can at least try. I would be willing to learn how to program. Do you wanna both just work together and see if we can find a way to write the code ourselves? I was a good QBasic programmer back in the days, but I ended up doing other things with computers instead of trying to learn any languages. I assume .NET is a good way to go. But I could be wrong. Bushing has already reverse engineered the Infectus USB protocol, but I think he only put his effort towards the NAND programmer end of the Infectus, not the modchip part. But he might be able to give us a little advice or insight as to what needs to be accomplished. Doing this, we might be able to get away with changing a certain file quickly. If we can make it happen, that opens the doors to everything.