Wii Dev releases interesting hack
bushing releases next step to Custom Firmware on Wii?
Author: YoYoBallz
Post: #1
[Image: wii.JPG]



bushing Wrote: PatchMii (_core)



Note: This is not a standalone, ready-to-use program — hence the name.  If you need to ask how to use this, you’re doing it wrong.

We’ve been pretty bad about releasing source code lately, so this is my attempt to atone.  I’ve been sitting on this code for a couple of months now — I wrote most of it a day or two after IOS37 was released — but I’ve been waiting for the mythical “right time” to release it in a useful form, and that hasn’t happened.  So, I’m releasing it as-is, because I think that many people will find this code useful in its current form, and it can be used as a building block for more sophisticated hacks.

The idea behind PatchMii is that we should be able to replace Nintendo’s update process with one of our own.  The most straightforward way to do this would be to set up a “shadow” update server that would vend patched versions of Nintendo’s updates, and then patch the System Menu to talk to it instead of the official servers.  However, there are some serious copyright issues with doing this, so this is the next best thing.  This code should work with anything available on the Nintendo update server — IOS and channels (at least, the ones for which you can freely download a ticket).

In the example configuration provided, patchmii-core will do the following things:

   1. Download the ticket and TMD for IOS37 from the Nintendo Update Server
   2. Use the built-in key-management functions of IOS to decode the title key (no common key required!)
   3. Using the TMD, download all of the encrypted contents from NUS
   4. Verify the integrity of each content against the hashes contained in the TMD
   5. Decrypt each content individually, look for versioning tags inside the binaries and display them
   6. Look for the signature check, and patch it out.   (I have included code that will handle all versions of IOS.)
   7. Re-encrypt the contents.  If necessary, recompute the hashes, modify the TMD.
   8. Modify the title ID in the TMD and ticket to IOS5.
   9. Fakesign the TMD and ticket.
  10. Install this patched IOS37 as IOS5.

The output of this process looks like this:

IOS Version: 00240412
Downloading IOS37 metadata: . ..tmd. ..ticket..Title ID: 0000000100000025
Number of parts: 15.  Total size: 1868K
Downloading contents:
Downloading part 1/15 (0K): hash OK. Firmware version: firmware.64.0802290707      Builder: admin@FWPUBLISH
Downloading part 2/15 (33536K): hash OK. DIP ( 06/08/07 18:17:09 64M )
Downloading part 3/15 (26112K): hash OK. OH0 ( 07/12/07 14:30:33 64M )
Downloading part 4/15 (15104K): hash OK. OH1 ( 06/08/07 18:17:21 64M )
Downloading part 5/15 (10752K): hash OK. SDI ( 02/22/08 17:57:15 64M )
Downloading part 6/15 (171776K): hash OK. SO ( 06/28/07 02:37:15 64M Release/apricot-win/HEAD )
Downloading part 7/15 (360448K): hash OK. KD ( 08/30/07 04:58:02 64M Release/apricot-win/SDK_FW_30_4_13_branch )
Downloading part 8/15 (62720K): hash OK. WD ( 12/12/07 16:13:56 64M Release/apricot-win/SDK_FW_30_4_13_branch )
Downloading part 9/15 (447488K): hash OK. WL ( 12/12/07 16:14:06 64M Ver.4.30.47.0/Release )
Downloading part 10/15 (42496K): hash OK. NCD ( 06/28/07 02:37:17 64M Release/apricot-win/HEAD )
Downloading part 11/15 (30464K): hash OK. ETH ( 08/09/07 18:09:02 64M Release/apricot-win/SDK_FW_30_4_13_branch )
Downloading part 12/15 (18944K): hash OK. STM ( 06/28/07 02:37:18 64M Release/apricot-win/HEAD )
Downloading part 13/15 (9216K): hash OK. USB_HID ( 2008-01-30-15-59 64M )
Downloading part 14/15 (520960K): hash OK. SSL ( 02/27/08 19:26:09 64M Release/builder/HEAD )
Downloading part 15/15 (162048K): hash OK. FFS ( 02/22/08 17:56:15 64M )
ES ( 02/23/08 13:25:41 64M )
IOSP ( 02/23/08 13:29:22 64M )
Found new-school ES hash check @ 0x5aea, patching.
Updating TMD.
Changing titleid from 00000001-00000025 to 00000001-00000005
forging tmd sig
forging tik sig
Download complete. Installing:
Installing ticket...
Adding title...
Adding content ID 00000000 (cfd 0):   done! (0x40 bytes)
Adding content ID 00000001 (cfd 1):   done! (0x8350 bytes)
Adding content ID 00000002 (cfd 1):   done! (0x6630 bytes)
Adding content ID 00000003 (cfd 1):   done! (0x3c00 bytes)
Adding content ID 00000004 (cfd 1):   done! (0x2a30 bytes)
Adding content ID 00000005 (cfd 1):   done! (0x29f80 bytes)
Adding content ID 00000006 (cfd 1):   done! (0x58010 bytes)
Adding content ID 00000007 (cfd 1):   done! (0xf520 bytes)
Adding content ID 00000008 (cfd 1):   done! (0x6d4f0 bytes)
Adding content ID 00000009 (cfd 1):   done! (0xa650 bytes)
Adding content ID 0000000a (cfd 1):   done! (0x7780 bytes)
Adding content ID 0000000b (cfd 1):   done! (0x4aa0 bytes)
Adding content ID 0000000c (cfd 1):   done! (0x2490 bytes)
Adding content ID 0000000d (cfd 1):   done! (0x7f330 bytes)
Adding content ID 0000000e (cfd 1):   done! (0x27910 bytes)
Done!

I have gone to lengths to making this program safe. It will refuse to patch the System Menu or IOS30 (which the System Menu depends on).
So, as it stands, this program is not very useful. I’m putting it out there as an experiment. What I would like to see happen is:

    * People submit patches to PatchMii itself to make this core code more stable, fix the cosmetic bugs I already know about, and add new capability to the core patching mechanism
    * People submit patches for useful hacks to IOS
    * People come up with ideas (and code) to make this into a useful product for end-users — a custom-updater program, or whatever.  The license on this code (GPLv2) allows you to take this code and turn it into your own program under your own name, as long as you release the source code — but I would like to work with you to coordinate features and functionality.

I will be unhappy and disappointed if any of the following happens:

    * People ask me how to use this
    * People brick their systems by using this program without understanding the risks
    * People report stupid spoon like cosmetic bugs, instead of submitting patches to me to fix them
    * People take this code, make a trivial change, slap their own name on it and take credit for it

So, have at it.  If this goes well, it will encourage us to more freely share source code in the future.  In any case, individual parts of this code should be useful for anyone who wants to start experimenting with IOS.


I'm happy, for people I like that have an unchipped Wii, this is kinda what I have been waiting for, I can wait until a dev comes with a POC for a CFW!

And for the people that didn't want to read the whole quote

"The idea behind PatchMii is that we should be able to replace Nintendo’s update process with one of our own.  The most straightforward way to do this would be to set up a “shadow” update server that would vend patched versions of Nintendo’s updates, and then patch the System Menu to talk to it instead of the official servers.  However, there are some serious copyright issues with doing this, so this is the next best thing.  This code should work with anything available on the Nintendo update server — IOS and channels (at least, the ones for which you can freely download a ticket)."

:P

The source code for the hack can be found HERE

Discuss


- Source: [HackMii]

<Myth0s> i love boys
-------------------------------------------------------------------
I Go To Earth When Mars Is Boring.
-------------------------------------------------------------------
¿ʞɔпɟ əɥʇ ʇɐɥʍ I was first EPerson to have upside down title.
-------------------------------------------------------------------
10/07/2008 09:03 PM
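The quoted procedure leans on two defensive checks: step 4 (each downloaded content must match the SHA-1 recorded in the TMD) and the refusal to touch the System Menu or IOS30. Here is an added example, written for this thread and not code from PatchMii or HackMii, that parses the content table of a Wii TMD and performs both checks on constructed sample data. It assumes the public TMD layout (title ID at offset 0x18C, content count at 0x1DE, 36-byte content records from 0x1E4, each holding content ID, index, type, size and SHA-1 of the plaintext content); the sample TMD and content blobs are built inline and carry no real signature. The IOS37 title ID 0000000100000025 is taken from the output in the post; the System Menu (1-2) and IOS30 (1-30) title IDs are assumed.

```python
import hashlib
import struct

# Offsets and record layout of a Wii TMD, assumed from the public format.
TMD_TITLE_ID_OFF = 0x18C        # u64 big-endian title ID
TMD_NUM_CONTENTS_OFF = 0x1DE    # u16 number of content records
TMD_CONTENTS_OFF = 0x1E4        # first content record
CONTENT_RECORD = struct.Struct(">IHHQ20s")  # cid, index, type, size, sha1 (36 bytes)

IOS37_TITLE_ID = 0x0000000100000025        # from the post's output
# Titles the quoted tool refuses to patch (title IDs assumed): System Menu and IOS30.
PROTECTED_TITLES = {0x0000000100000002, 0x000000010000001E}


def parse_tmd(tmd: bytes):
    """Return (title_id, list of content records) from a raw TMD blob."""
    (title_id,) = struct.unpack_from(">Q", tmd, TMD_TITLE_ID_OFF)
    (num,) = struct.unpack_from(">H", tmd, TMD_NUM_CONTENTS_OFF)
    records = []
    for i in range(num):
        cid, index, ctype, size, sha1 = CONTENT_RECORD.unpack_from(
            tmd, TMD_CONTENTS_OFF + i * CONTENT_RECORD.size)
        records.append({"cid": cid, "index": index, "type": ctype,
                        "size": size, "sha1": sha1})
    return title_id, records


def is_protected_title(title_id: int) -> bool:
    """Safety check mirroring the post: never patch the System Menu or IOS30."""
    return title_id in PROTECTED_TITLES


def verify_contents(tmd: bytes, contents: dict):
    """Step 4 of the procedure: check every content against its TMD hash.

    `contents` maps content ID -> plaintext bytes. A missing content, a size
    mismatch or a hash mismatch all count as a failure for that content ID.
    """
    _, records = parse_tmd(tmd)
    results = []
    for rec in records:
        data = contents.get(rec["cid"])
        ok = (data is not None
              and len(data) == rec["size"]
              and hashlib.sha1(data).digest() == rec["sha1"])
        results.append((rec["cid"], ok))
    return results


def build_sample_tmd(title_id: int, contents: dict) -> bytes:
    """Constructed for this example: a TMD-shaped blob with only the fields
    parse_tmd() reads filled in (signature area left zero)."""
    hdr = bytearray(TMD_CONTENTS_OFF)
    struct.pack_into(">Q", hdr, TMD_TITLE_ID_OFF, title_id)
    struct.pack_into(">H", hdr, TMD_NUM_CONTENTS_OFF, len(contents))
    body = b"".join(
        CONTENT_RECORD.pack(cid, idx, 0x0001, len(data),
                            hashlib.sha1(data).digest())
        for idx, (cid, data) in enumerate(sorted(contents.items())))
    return bytes(hdr) + body


# Constructed sample contents: a tiny "content 0" and a larger blob.
SAMPLE_CONTENTS = {0: b"\x00" * 0x40, 1: b"constructed IOS module bytes " * 64}


def demo():
    """Verify intact contents, then show a single-byte tamper being caught."""
    tmd = build_sample_tmd(IOS37_TITLE_ID, SAMPLE_CONTENTS)
    title_id, _ = parse_tmd(tmd)
    if is_protected_title(title_id):
        raise SystemExit("refusing to touch a protected title")
    good = verify_contents(tmd, SAMPLE_CONTENTS)
    tampered = dict(SAMPLE_CONTENTS)
    tampered[1] = tampered[1][:-1] + b"X"   # same length, one byte changed
    bad = verify_contents(tmd, tampered)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered"), demo()):
        print(label, ["hash OK" if ok else "hash FAIL" for _, ok in result])
```

Hashes here are over the plaintext content, so in a real flow the check happens after decryption; a content that is missing, truncated or altered by even one byte fails closed rather than being installed.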