How to Gain Full Hardware Rights in Any Wii Game

Normally, when you play your games (even if your game is launched via some sort of patched IOS/cIOS), you are restricted from accessing some of the Wii's hardware and various registers that are shared with Starlet.

Requirements:
- Wiimm's ISO Tools installed on your computer
- Familiarity with Wiimm's Tools (see the Wiimm's Tools sub-forum if you are new to them)

Linux guide (if somebody wants to add Windows commands, that would be nice):
#Example using RMCE01.wbfs (USA Mario Kart Wii) located at /home/user.

Open up your terminal...

wit extract RMCE01.wbfs /home/user/newfolder

Don't create newfolder beforehand; the tools will do it for you. Then open the file /home/user/newfolder/DATA/tmd.bin in your favorite hex editor.

TMD stands for Title Metadata. For more info, check out the Wiibrew article -

The word at offset 0x1D8 holds all the bits/flags for Access Rights. It is stored Big Endian, so Bit 0 is the final (least significant) bit of the word, and it is the flag for 'factory_mode'. Factory_mode is when the IOS (Starlet) allows Broadway to access certain registers and hardware that were previously blocked. Bit 1 is for DVD video access, if you care.

Anyway, just set the entire word value to 0xFFFFFFFF, which sets every flag. Save changes and close the file. If you are using something like HxD Hex Editor, remove the .bak file that was generated. Now rebuild the wbfs file. Open up your terminal...

wit copy /home/user/newfolder /home/user/newRMCE01.wbfs

At this point, we need the TMD to be fake-signed (or else the Wii might not boot your game). A good way to do this is to change all the ID parameters. Plus, that way you know which game has full rights. We'll use RMCZ01 for the new ID.

wit edit newRMCE01.wbfs --id RMCZ01

Now add your new wbfs to your USB/SD and launch your USB Loader. You will see it has a unique game ID of RMCZ01. USB Loader GX will list this as a PAL game, lol. The game will also create and always use its own data save due to ID changes.

FYI: Keep in mind that, because the game now has the RMCZ01 ID, any GCTs you would have used for RMCE01 need to be renamed to RMCZ01.gct.

Conclusion (Technical details):
When IOS (Starlet) boots the game, the TMD access rights field is checked. A logical AND with the value 1 is done against the entire access rights field. If the result is 1, then syscall54(1) will be called. For more details, view the Hackmii post about TMDs -
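
To confirm what a tmd.bin actually contains before rebuilding, the access rights word can be decoded with a short script. This is an added example, not part of the original guide or of Wiimm's Tools; the function names and the zero-filled sample buffer are constructed for illustration, while the offset and bit meanings are the ones stated above.

```python
import struct
import sys

ACCESS_RIGHTS_OFFSET = 0x1D8   # offset of the access rights word, per the guide
FLAG_FACTORY_MODE = 1 << 0     # bit 0: 'factory_mode'
FLAG_DVD_VIDEO = 1 << 1        # bit 1: DVD video access


def read_access_rights(tmd: bytes) -> int:
    """Return the 32-bit Big Endian access rights word from a TMD blob."""
    end = ACCESS_RIGHTS_OFFSET + 4
    if len(tmd) < end:
        raise ValueError(f"TMD too short: {len(tmd)} bytes, need at least {end}")
    return struct.unpack_from(">I", tmd, ACCESS_RIGHTS_OFFSET)[0]


def describe(rights: int) -> dict:
    """Decode the two flags the guide names; report the rest as a raw mask."""
    known = FLAG_FACTORY_MODE | FLAG_DVD_VIDEO
    return {
        "raw": f"0x{rights:08X}",
        # Same test the guide attributes to IOS: field AND 1
        "factory_mode": (rights & 1) == 1,
        "dvd_video": bool(rights & FLAG_DVD_VIDEO),
        "other_bits": f"0x{rights & ~known & 0xFFFFFFFF:08X}",
    }


def make_sample_tmd(rights_bytes: bytes) -> bytes:
    """Constructed input: a zero-filled buffer with 4 bytes placed at 0x1D8."""
    buf = bytearray(ACCESS_RIGHTS_OFFSET + 4)
    buf[ACCESS_RIGHTS_OFFSET:ACCESS_RIGHTS_OFFSET + 4] = rights_bytes
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. /home/user/newfolder/DATA/tmd.bin
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = make_sample_tmd(bytes.fromhex("00000001"))
    print(describe(read_access_rights(data)))
```

Because the word is Big Endian, typing 01 00 00 00 at 0x1D8 sets bit 24 rather than bit 0, and the script reports factory_mode as False for that input.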

Bushing (Hackmii post)
Wiimm (Wiimm's ISO Tools)
WiiBrew (TMD article)

