Marcan’s Wii Recovery Dilemma

This is what started it all, from Brakken’s post over at tehskeen.com:

http://www.youtube.com/watch?v=EIzNfVm54vk

Marcan, one of the members of Team Twiizers has discovered if a device present in the GameCube memory card port identifies itself with a unique ID that it will turn the Wii into recovery mode therefore allowing a user to run a recovery disc or even their own code.

I’ve talked with Marcan and he’s being very closed about the device and would not go into detail about its purpose, other than the fact that it lets you fix certain very specific cases of bricking. He wouldn’t reveal any other details and I was told to wait until it’s officially announced.

This ignited a quick reply from Marcan over at hackmii.com which boiled down to this:

Apparently tehskeen took a month-old video, coupled it with a paragraph of reality and a paragraph of rampant speculation and nonsense, and made it into a news story. This is undoubtedly going to spread around as these things do, so I’m going to stop it dead in its tracks.

Finally it ended up at Engadget, where they first interpreted the whole thing as a way to run backups and later updated the story. In a way this is funny, because I truly think it can be used to run backups; in fact, it can be used to run pretty much anything you care to code. To quote Marcan again:

To clarify, this won’t actually fix anything. It just lets you fix it, using homebrew tools and/or newer retail games, depending on what exactly you need to fix.

The way I interpret this, running any unsigned code will work, which means anything is possible. Some of you might think this can already be done via the ZTP exploit, so what’s the big deal? Well, I suspect the difference is that this way you don’t have to worry about any Nintendo updates blocking the code, as it seems to be done in a stage before the Wii menu is fully loaded. This should make it theoretically possible to have an interactive “modchip style menu” like the GC modchips Qoob and Viper provide: simply a menu accessible at boot with various settings. If you read the YouTube comments on the video, marcan42, who also posted the video, writes:

It’s in the system menu (right in the startup part, before it tries to load any data).

We might end up selling them ;)

Where’s the market for a recovery dongle which only works in some obscure cases and the user has to write their own software? I think the downplay of the whole thing is to prevent others with commercial interest from exploring this route.

This takes me to another dear topic which is not related specifically to Marcan: the whole black/white hat schizophrenia (in the split personality sense) flourishing in the hacking community, where some people appear in public as nice homebrew folks with strict ethical rules of conduct, lashing out at anyone mentioning backups, and then act quite the opposite when addressing their close circle of friends (e.g. via IRC or private forums) while researching new console exploits. In my humble opinion, be proud of who you are and stand up for it.


16 thoughts on “Marcan’s Wii Recovery Dilemma”

  1. “The way I interpret this running any unsigned code will work, which means anything is possible. Some of you might think this can already be done via the ZTP exploit so what’s the big deal? Well, I suspect the difference is that this way you don’t have to worry about any nintendo updates blocking the code, as it seems to be done in a stage before the Wii menu is fully loaded. ”

    This is incorrect. The “recovery dongle” only activates a function of the System Menu, it is nothing pre-system menu at all. If you are on 3.3, you still won’t be able to run fakesigned discs, or any other form of “unsigned” content. On a normal system with 3.3 installed, you would need:
    1) The Twilight Hack ALREADY installed,
    2) An image of Twilight Princess, modified to have a boot code of 0
    3) A drivechip installed to allow said disc to boot.
    4) Some homebrew to run through the Twilight Hack that would fix your brick somehow (This means you need knowledge of what kind of brick you have).

    Alternatively, you could have a drivechip that auto-patches the boot code (first character of disc id) to 0.

    As you can see, this isn’t all that useful in terms of running “unsigned code.” What’s more, it doesn’t even work in all situations. If the System Menu executable itself is corrupted in some way, we can no longer boot the system menu at all, hence, no recovery menu.

    “Where’s the market for a recovery dongle which only works in some obscure cases and the user has to write their own software? I think the downplay of the whole thing is to prevent others with commercial interest from exploring this route.”
    No, this would really only sell to less than 50 people. It’s not that useful. If you’re in the business of fixing bricked Wiis, you would want one–and only one. There aren’t a lot of uses for this, and it’s a lot of hassle to make it useful.

    If you want something that would be REALLY amazing for recovery/unsigned code running, read about the planned “boot2 recovery hack”.

  2. What is more, you can get exactly the same effect, but enhanced a bit so that it will boot any game not just recovery discs, if you install Starfall, then hold Y when booting.

  3. Furthermore, the recovery mode goes through the same code and infrastructure as normal disc booting, PLUS the debugdisc check. Its only use is if the normal boot path through the system menu is borked for some reason. It provides NO benefit (indeed, some drawbacks) if your Wii isn’t bricked.

    Seriously, you can stop now with the baseless speculation. Open up the System Menu in IDA, look for BS2BootIRD, and come back if I’m lying about something. Thanks for contributing to this mess. Next time I’ll think twice about researching a potential way of helping some people’s bricked Wiis.

  4. Sorry, but moderation was active by default in the weblog, so much for free speech, fixed now.

    tona,

    Thanks for the info. So ninty, who can sign any discs they want, decides to make a dongle function to be used for repairs together with their repair disc? If so, why the dongle? I still think there are more features to be explored here.

    Muzer,

    Starfall? EDIT: Never mind, found it

    marcan,

    Ok, for me the speculation was meant in a positive way, from that perspective the more things this hack of yours can do the better it is. Regarding the mess (if any), maybe better to think twice before posting a youtube video if you want something kept private.

    Could this dongle function be meant to boot the whole system from disc?

  5. It’s not even a dongle per se, at least for Nintendo. It’s their version of the USBGecko. They added some code to check for it in the system menu – presumably then they boot a recovery disc that might let them do all sorts of interesting stuff over it. That’s useless for us because we don’t have said disc, nor can we sign a disc to look like an official one, nor can we press discs to boot on an unmodded drive. The system menu itself doesn’t use the device except to check for it.

    Seriously, there AREN’T any more features to be explored here. We already talked about the impossibility of a pandora battery on the Wii on hackmii (unless there happens to be some very strange hidden hardware recovery mode), because the entire software chain – from boot0 to IOS – doesn’t have support for anything like that (the PSP’s equivalent of boot0 is what incorporates the pandora functionality). At the time we didn’t look at the system menu because a check there – which is what we’re dealing with here – is nowhere as powerful as a real “pandora battery” (which allows low-level recovery). The system menu makes exactly ONE communication attempt with the memory cards on boot. It reads FOUR bytes, checks three of them against a constant, ignores the fourth one. If they match, it goes into recovery mode. If they don’t, it boots normally. Period. It’s binary. It gets turned into a boolean variable. One or zero. There is absolutely no way you could possibly “improve” this thing. We’re not dealing with the unknown here. I have a disassembly of the system menu in front of my face and I can damn well guarantee that this is exactly how it works.

    As for the youtube video, the title is “Wii Recovery Dongle”, I use the word “recover” all over the place in the description, and I mention that it can be used to fix bricked Wiis. I never mentioned unsigned code, booting homebrew, IOSes, downgrading, or any of the other presumed “uses” for this thing that brakken made up. I don’t have ANY problem at all with this being public (I’m not stupid – I wouldn’t have posted the youtube video if I didn’t want it out there). I understand that people will probably speculate about it on forums and other communities. What I DO have a problem with is having some important site (like tehskeen) put out a news story with made-up “facts”. The original newspost didn’t even speculate about the device – it flat out claimed that it could do all of these things that it can’t do. Now brakken is trying to cover his ass with more made up facts, such as how the device could be improved to provide the ability to run unsigned code (it can’t).

  6. Thanks for the explanation, interesting indeed.

    Based on the info in your comment about the system check for the “dongle”; this might be added protection for a disc ninty have (or to enable certain features of it), rather than anything in the Wii system.

    This leads to another question: has anyone tried this “dongle” with the “repair disc” that was mentioned a while back?

    Repair disc: http://img205.imageshack.us/img205/9219/gayfishtv3.jpg
    Screenshot: http://img205.imageshack.us/img205/489/gayfishhp3.gif

  7. The repair disc isn’t autobootable and therefore won’t even boot with this thing inserted. It’ll install IOS16 though (because installs do still work, although booting doesn’t, when the disc is not autobootable), but that’s worthless (it’s just another normal IOS).

    Whatever this is meant to be used for is certainly lower level. The repair disc is meant mostly for the final stages of repair.

    For all we know the real disc(s) that nintendo uses might allow full access to the Wii, but the _disc_ would do that, by virtue of being signed software, and a pressed disc. It would still work on any console without this thing in it, as long as the console boots.

    What this boils down to is that, for all the _signed_ software that we currently have by Nintendo (which is what we care about, because if we can run unsigned software we’ve owned the system already), this only has one effect: make the system menu skip the normal boot process and immediately boot a disc. It doesn’t disable any protections. It won’t help us do anything that we can’t already do on a fully working Wii.

  8. As marcan said, the repair discs don’t “autoboot.” So, this recovery menu is useful to us in the same way it is to Nintendo: We can possibly run a disc on the Wii before the System Menu tries to do something that breaks (for whatever reason).

    So, Nintendo can fix things like banner bricks and region bricks should they ever get sent a Wii with such an issue (And someone pays for them to fix it).
