How to Gain Full Hardware Rights in Any Wii Game
#1
How to Gain Full Hardware Rights in Any Wii Game




Intro:
Normally, when you play your games (even if your game is launched via some sort of patched IOS/cIOS), you are restricted from accessing some of the Wii's hardware and various registers that are shared with Starlet.

Requirements:
- Wiimm's ISO Tools installed on your computer
- Already know how to use Wiimm's Tools (view this sub-forum HERE if you are new to Wiimm's Tools)

Linux guide (if somebody wants to add Windows commands, that would be nice):
#Example using RMCE01.wbfs (USA Mario Kart Wii) located at /home/user.

Open up your terminal...

Code:
wit extract RMCE01.wbfs /home/user/newfolder


Don't create newfolder beforehand, the tools will do it for you. Open up your favorite Hex Editor and open the file /home/user/new/folder/DATA/tmd.bin

TMD stands for Title Metadata. For more info, check out the Wiibrew article - https://wiibrew.org/wiki/Title_metadata

The word at offset 0x1D8 is all the bits/flags for Access Rights. The final bit (bit 31)of the word is the flag for 'factory_mode'. Factory_mode is when the IOS (Starlet) allows Broadway to access certain registers + hardware that was previously blocked. Bit 30 is for DVD video access, if you care. Other bits are unknown.

Anyway, just set the entire word value to 0xFFFFFFFF, set every flag. Save changes and close the file. If you are using something like HxD Hex Editor, remove the .bak file that was generated. Now rebuild the wbfs file. Open up terminal...

Code:
wit copy /home/user/newfolder /home/user/newRMCE01.wbfs


At this point, we need the TMD to be fake-signed (or else the Wii might not boot your game). A good way to do this is change all the ID parameters. Plus that way, you know which game has full rights. We'll use RMCZ01 for the new ID.

Code:
wit edit newRMCE01.wbfs --id RMCZ01


Now add your new wbfs to your USB/SD and launch your USB Loader. You will see it has a unique game ID of RMCZ01. USB Loader GX will list this as a PAL game, lol. The game will also create and always use its own data save due to ID changes.

Fyi: Keep in mind, due to the game having this RMCZ01 ID, any GCTs you would have used for RMCE01 need to be changed to RMCZ01.gct.

Conclusion (Technical details) plus example code:
When IOS (Starlet) boots the game, the TMD access rights field is checked. A logical AND using the value of 1 is done against the entire TMD field. If the result is 1, then syscall54(1) will be called. For more details, view the Hackmii post about TMDs - https://hackmii.com/2009/08/of-tmds-and-hardware/

Here is an example snippet of code that uses the Starlet side of the Hollywood GPIOs to shut down the Wii. Normally this code would not work because these registers are controlled by Starlet and prevent PPC access, but now the code does work.

Code:
C0000000 00000003
3D80CD80 816C00E0
616B0002 916C00E0
4E800020 00000000

#Source (C0)
lis r12, 0xCD80
lwz r11, 0x00E0 (r12)
ori r11, r11, 0x0002
stw r11, 0x00E0 (r12)
#blr

Credits:
Bushing (Hackmii post)
Wiimm (Wiimm's ISO Tools)
WiiBrew (TMD article)
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)