News from Bushing

Most of you probably remember our infamous attempt to open a line of communication with Nintendo. We picked that bug after a previous attempt at communication had failed: we had thought that their fixing the strncmp bug in the System Menu’s IOS could cause the system menu to brick when it tried to load the banner for the Homebrew Channel. I emailed them about that in March, 2008 (right after IOS37 was released), and never got a response. Thinking maybe I’d failed to find the right email address, we tried again with another bug. We chose that bug because:

- We could position it as a piracy-related concern, and Nintendo has some channels for reporting piracy.
- We didn’t really care if they fixed the bug, since it wasn’t really that useful for legitimate homebrew.
- There was probably not much they could do to fix it anyway, since it was more of a design flaw.
The bug (as we intended to report it) wasn’t so much that you could poke a register to enable DVD video mode:

#define HW_DIFLAGS 0x0d800180

set32(HW_DIFLAGS, 0x200000);

… it was that you could just set a bit in the TMD (in the “access rights” field) and it would let you send DVD video commands. You didn’t even need to patch IOS! If you set that bit in your TMD, then when your title gets launched, ES reads the “access rights” field (offset 0x1d8) and checks a couple of bits. If bit 1 is set, it opens /dev/di and calls ioctl 0x8E, which in turn calls syscall 0x50, which does the above register poke. This seems to set some state in the DI controller chunk of the Starlet that allows DVD video commands to go through. This is how DVDX works: that bit is set in the TMD for DVDX, and that makes the magic happen.
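As an added example (not code from this post or from the hackmii team), here is a small C checker that does the defender-side equivalent of what ES does above: it reads the TMD “access rights” word at offset 0x1d8 and reports whether the DVD-video bit is set, so that an installer or auditing tool can flag titles that request that capability before they are installed. It assumes the field is a big-endian 32-bit word (TMDs are laid out for the PowerPC side) and that “bit 1” means bit index 1, i.e. mask 0x2; the function names and the zero-filled sample TMD buffer are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offset of the "access rights" field as described in the post: ES reads
 * it at 0x1d8 and checks bit 1 for DVD-video access.
 * Assumptions (not from the post): the field is a big-endian u32, and
 * "bit 1" is bit index 1, i.e. mask 0x2. */
#define TMD_ACCESS_RIGHTS_OFFSET 0x1d8
#define TMD_ACCESS_DVD_VIDEO     (1u << 1)
#define TMD_MIN_LEN              (TMD_ACCESS_RIGHTS_OFFSET + 4)

/* Read a big-endian 32-bit word. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Raw access-rights word, or 0xFFFFFFFF if the buffer is too short. */
uint32_t tmd_access_rights(const uint8_t *tmd, size_t len)
{
    if (tmd == NULL || len < TMD_MIN_LEN)
        return 0xFFFFFFFFu;
    return be32(tmd + TMD_ACCESS_RIGHTS_OFFSET);
}

/* 1 if the TMD requests DVD-video access, 0 if not, -1 if it is too short
 * to even contain the access-rights field. */
int tmd_requests_dvd_video(const uint8_t *tmd, size_t len)
{
    if (tmd == NULL || len < TMD_MIN_LEN)
        return -1;
    return (be32(tmd + TMD_ACCESS_RIGHTS_OFFSET) & TMD_ACCESS_DVD_VIDEO) ? 1 : 0;
}

/* Constructed sample: a zero-filled TMD-sized buffer with only the
 * access-rights field populated. Not a real Nintendo TMD. */
void build_sample_tmd(uint8_t *buf, size_t len, uint32_t rights)
{
    memset(buf, 0, len);
    if (len < TMD_MIN_LEN)
        return;
    buf[TMD_ACCESS_RIGHTS_OFFSET + 0] = (uint8_t)(rights >> 24);
    buf[TMD_ACCESS_RIGHTS_OFFSET + 1] = (uint8_t)(rights >> 16);
    buf[TMD_ACCESS_RIGHTS_OFFSET + 2] = (uint8_t)(rights >> 8);
    buf[TMD_ACCESS_RIGHTS_OFFSET + 3] = (uint8_t)(rights);
}

/* Build a sample TMD carrying the given rights word and check it. */
int check_sample_rights(uint32_t rights)
{
    uint8_t tmd[0x200];
    build_sample_tmd(tmd, sizeof tmd, rights);
    return tmd_requests_dvd_video(tmd, sizeof tmd);
}

/* A buffer that ends before the access-rights field must be rejected. */
int check_truncated_tmd(void)
{
    uint8_t tmd[0x100];
    build_sample_tmd(tmd, sizeof tmd, TMD_ACCESS_DVD_VIDEO);
    return tmd_requests_dvd_video(tmd, sizeof tmd);
}

int main(void)
{
    uint8_t tmd[0x200];
    build_sample_tmd(tmd, sizeof tmd, TMD_ACCESS_DVD_VIDEO);
    printf("access rights = 0x%08x, DVD video requested: %d\n",
           tmd_access_rights(tmd, sizeof tmd),
           tmd_requests_dvd_video(tmd, sizeof tmd));
    return 0;
}
```

The endianness matters: a rights word written little-endian (0x02000000 in the buffer) does not set bit 1 when read the way ES reads it, so the checker reports no DVD-video request for it, which is the behaviour you want from a tool meant to mirror what the console will actually honour.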

All of this is more or less academic, because if you can forge a signature to modify the TMD, then you can just patch the content of IOS, and that’s what most people (everyone else) did. We think our approach is cleaner, but oh well.

http://hackmii.com/2009/08/of-tmds-and-hardware/