View Full Version : BrickMii?



wraggster
April 29th, 2008, 18:55
An article from Bushing, the man behind the Twilight Hack:


A lot of stuff has happened lately, and I haven’t written in a while. VC piracy has (as expected) flourished, and we’re still waiting to see what form Nintendo’s reaction will take — at least, I don’t really feel like releasing any code until I see what happens.

So, I’ve stepped back and am working on another problem — well, I was sort of forced to.

Bricks as seen in the “scene” come in two forms — “full-brick” and “semi-brick”. Both are the result of installing updated System Menus from discs that came from other regions. (Tsk, tsk.)

A “full-brick” Wii displays an Opera error message instead of the “warning” screen when the Wii boots — it does not even check the disc drive for a disc before displaying this, meaning it is impossible to fix this using software.

A “semi-brick” Wii is similar, but it allows you to boot the system to the main menu, and play games, etc. However, you can’t get into the Settings menu (to enable WiFi, update the software, etc)

Each region has its own version of the System Menu (1-2). For example, the newest version of the system menu available is v. 288 (NTSC/J), v.289 (NTSC/U), v.290 (PAL). The only difference between those three versions is two different files — the main executable for the menu (a .DOL file, more or less) and an ARC archive that stores compressed versions of the HTML / image resources.

All of this is fine and good, but why put them in separately named directories? (E.g. EU/EU/GER/Setup/ScreenSave.html above)? The path name could always be the same because there are different files for each version.

So, there’s a specific path that the graphics need to sit at. So, you’d think they’d hard-code a pathname like that into the code, right? No…

The code’s pretty hard to tease apart, but they seem to be trying to determine the system region from the SYSCONF file, and then building up a pathname to load like so: sprintf(filename, "html/%s2/iplsetting.ash/%s/%s/ENG/Setup/ScreenSave.html", region, region, region). This is so silly, because if they had hard-coded the path then the system would have booted just fine.

The code does this in slightly different ways in several places — this has to somehow distinguish the semi-brick case from the full-brick case, although I don’t think that anyone really understands why some people end up with one and not the other.

Still, a semi-brick is better, because it will still boot discs, meaning that there is still some hope for a fix. If you can find a game with a newer version of the system menu in its update partition, then you can run it, and it will automagically fix things. However, this requires a wait of several months until one comes out.

A friend came and asked me if I could help him figure out how to fix a “semi-brick” Wii, manually. All that needs to happen in this case is we need to install a newer version of the System Menu WAD. There are a number of ways to do this, and unfortunately I picked the wrong one.

Marcan had written some test code that can manually load the System Menu, and I modified it to try to patch the System Menu enough to get into the Settings screen by correcting the pathname. My theory was that then we could use that to have the Wii update itself using its own internal code. This had to be safest, right?

Well, now we have:

Looks like I just bricked a Wii. The owner was kind enough to send me the Wii so I can try to unbrick it — this is not currently possible, but I think we now know enough to do it using an external NAND flash programmer and a bunch of software which I need to write.

The bright side of this, if there is one, is that I’ve been wanting to address the “bricking problem” for a long time, and now I have a perfect test subject to work on.

More about my plan of attack in my next post.


Marcan has posted an extracted version of the HTML from the System Menu.

Some highlights:

http://marcansoft.com/transf/wiisettings/US2/iplsetting.ash/FIX/US/ENG/index01.html

http://marcansoft.com/transf/wiisettings/US2/iplsetting.ash/FIX/US/ENG/Setup/startup_index1.html

http://marcansoft.com/transf/wiisettings/US2/iplsetting.ash/FIX/US/ENG/Setup/ScreenSave.html
Enjoy!

full details --> http://hackmii.com/2008/04/brickmii/
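
The region-derived path lookup described in the article, as an added example that is not code from Bushing's post or from the System Menu: it builds the path with the quoted format string and checks it against a menu's resource listing, which is the check a region-mismatched install fails. The function names, the archive listing and the "JP" region code are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Format string as quoted in the article; everything else is constructed. */
#define MENU_PATH_FMT "html/%s2/iplsetting.ash/%s/%s/ENG/Setup/ScreenSave.html"

/* Build the resource path from the region string, as the article describes.
   Returns 0 on success, -1 if the result would not fit in `out`. */
static int build_menu_path(char *out, size_t cap, const char *region) {
    int n = snprintf(out, cap, MENU_PATH_FMT, region, region, region);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}

/* Return 1 if `path` appears in a NULL-terminated list of archive entries. */
static int archive_has(const char *const *entries, const char *path) {
    for (; *entries; entries++)
        if (strcmp(*entries, path) == 0) return 1;
    return 0;
}

/* Pre-install check (hypothetical helper): would a console whose SYSCONF
   region is `sysconf_region` find its settings page in this menu's archive? */
int menu_matches_region(const char *const *entries, const char *sysconf_region) {
    char path[128];
    if (build_menu_path(path, sizeof path, sysconf_region) != 0) return 0;
    return archive_has(entries, path);
}

/* Constructed listing standing in for a US-region menu's resources. */
const char *const US_MENU[] = {
    "html/US2/iplsetting.ash/US/US/ENG/Setup/ScreenSave.html",
    "html/US2/iplsetting.ash/US/US/ENG/index01.html",
    NULL
};

int main(void) {
    const char *regions[] = { "US", "EU", "JP" };  /* "JP" is an assumed code */
    for (size_t i = 0; i < 3; i++)
        printf("SYSCONF region %s -> %s\n", regions[i],
               menu_matches_region(US_MENU, regions[i]) ? "path found"
                                                        : "path missing");
    return 0;
}
```

Run against the listing of the menu about to be installed, the same comparison flags a cross-region update before anything is written.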

rbervoets
April 29th, 2008, 19:35
good luck guys, hope you the best!

DimensionT
April 29th, 2008, 20:16
This is what I've been talking about. Taking the chance of bricking your Wii should be done after we have a way to fix them. Sure he's talking about something other than the hacked channels (installing firmwares from different regions)... But overall, the same thing can be said. Don't go around installing shit when you don't know what can happen.

Thankfully, Bushing replied to my question about the hacked channels with some tasty info:


I’m not a big fan of them, because we put those time limits on them for a reason — we didn’t want people to keep using them because they weren’t done, and we (hadn’t/)haven’t done much testing with IOS37 to make sure there would be no problems.

We’ve done some more testing and no longer have any specific reason to think IOS37 will brick Wiis that have a “custom” channel installed — unless something changes — so we will be releasing the “real” homebrew channel shortly. I promise it’ll be less butt-ugly than the demo!

To all three people that haven't installed the hacked channel, just wait it out a bit longer.

tehnoir
April 29th, 2008, 20:19
*continues to hold out*

icecoolwas
April 29th, 2008, 20:31
This just gave me a freaking awesome idea! Compressed html? We could change the pics, make themes, and install them into the nand, and we would have custom looking wii setting menus!! maybe a channel called Theme installer that will allow you to download themes and upload (they would have to be verified, and be in a certain format like .wii or something, so people can't make brickers) from a server and allows you to install them from that channel, the channel could come with a recovery menu so like if you brick by a bad theme, you would have to press B when u turn your wii on and it will run some executables from the sd card (I'm sure the hackers can make a custom IPL, so it will work through full bricks and load the file recovery.boot from the sd) and then after it's ran the binaries it would load up the wii theme channel (from the sd card, maybe a decrypted version) and the wii theme channel could have a backup (the first time you start the channel it backs up ur nand) and you can use it to restore a messed nand, that would be awesome.

also another application like a firewall, the firewall channel yeah it will block every single attempt trying to write to important bits like the flash, IPL etc, and you can change the firewall's settings in the channel and it will always run in the background, you can allow certain programs and block certain things, this will prevent you from bricks, any nintendo force update etc, you could also make it pop up asking for u to allow, never allow or block this one time.

that would be cool and it doesn't look too hard for the hackers to do. what u fink?

limming
April 29th, 2008, 22:16
Custom themes (like on the PSP) would be so cool. I hope it is possible one day.

icecoolwas
April 29th, 2008, 23:55
dude, it is possible, even now, only for the wii setting menu at least, compressed html has to load images, and those images are normal images that we can edit, we just need a way to get into flash, as for wii normal menu, i think we will have to wait for a while.

linkinworm
April 30th, 2008, 02:19
if it's made of silicon then you can do anything on it, silicon based computers (basically everything) can be hacked, hell even some not so good mp3 players have custom firmwares, as soon as dna computers come, i think the hackers will have their work cut out for themselves, a real challenge,

dreemcest
April 30th, 2008, 05:56
Have you tried an older game which has the update on it? Maybe it would overwrite an invalid countries' menu with the correct version from the game?
I am also holding out until a proper menu loader, but for the time being I would like to see an elf loader with wiimote support; else, I'll just patiently wait for a wii-channel loader.

Wish more could learn to do the same, they should be glad they do not need a gecko as well. Glad I held onto gc controllers with extension cords! :)

Capt_Trips
April 30th, 2008, 18:01
Thanks to all the coders again, especially Bushing and company.

I am looking forward to being able to learn more about the wii, Once the coders have finished their preliminary investigations.

But, If Nintendo bricks a wii, No one will buy another wii; and as wiis break, Game sales will decline. When game sales decline, Nintendo will go bankrupt. What is more to Nintendo, destroying other people's property or making good games for good consoles?

Boycott Nintendo: Read the patents!

And seriously folks, Do any of the coders have high hopes for a Nintendo-Free Operating System and drivers anytime before the scene dies? What am I talking about, God willing, the scene will never die.

____anders____
April 30th, 2008, 19:09
hmm, i hope he will sort it out..

DimensionT
April 30th, 2008, 20:14
But, If Nintendo bricks a wii, No one will buy another wii; and as wiis break, Game sales will decline. When game sales decline, Nintendo will go bankrupt. What is more to Nintendo, destroying other people's property or making good games for good consoles?

Boycott Nintendo: Read the patents!

It's not on Nintendo if your Wii bricks... They're only bricking if you're doing stuff with them that you're not supposed to.