Difference between revisions of "Talk:Datel FreeLoader"

From WiiBrew
Latest revision as of 19:22, 9 September 2021

Code exec exploit

I doubt it's a new exploit. Most likely they just used Trucha Signer to put their own code in the disc banner that gets executed when the Wii menu reads the disc. We'll see if this breaks once the trucha exploit gets patched.

Putting code into the banner at all would be a hack in and of itself; however, it may just be a hacked apploader (which would still require use of the signing exploit). If I only had an image of this disc, I could explain how it works within, oh, five minutes or so. Bushing 10:30, 11 March 2008 (PDT)

take that as a hint *g

whatever it is (bug in the opening.bnr, filesystem exploit, whatever...) it will provide full access to the whole system, not only some specific files as in the twilight hack.

If you look at this video here: http://www.youtube.com/watch?v=z4iWEtsZMvE You can see that he puts the disc in whilst on the channel menu and it produces a pixelised wipe effect over the whole screen, right to left and back again, before spitting the disc out to prompt you to put the foreign game in. That should demonstrate the depth of the exploit, i.e. before entering the disc channel, the freeloader has already taken effect.

Noted. I think you might be able to get a similar effect by using an auto-booting ('0ZDE') disc, but I think that it always transitions to a blank screen before running the dol. One way to find out ... Bushing 15:26, 11 March 2008 (PDT)


Doesn't the latest firmware update already patch the trucha exploit? 142.59.172.116 12:28, 11 March 2008 (PDT)

No, and believe me, you will hear about it all over the internets when they fix that exploit. Bushing
No, and it is not known if the FreeLoader even uses the "trucha" exploit. Adan0s 12:32, 11 March 2008 (PDT)
Correct; we have not yet seen the contents of the disc, but I don't know of any other way they could have done this. (Most likely, it's two exploits: the signing exploit, and then something to overwrite the System Menu code in memory.) Bushing 15:26, 11 March 2008 (PDT)

I just watched the video. I thought it was the auto-boot trick, but I was wrong, as I noticed they used a funky effect. Cool hack.

Has anyone capable of figuring out how the menu hack works got a dump yet? 130.237.152.216 01:56, 23 April 2008 (PDT)

I think it might be a Bannerbomb-like banner. Hallowizer (talk) 18:52, 17 March 2021 (CET)

So what does it actually do?

Is it a game hacker, similar to the ARDS, in the sense of having hacks? Or something else? If so, what? Bletotum

It lets you run games from other regions (for example NTSC games on a PAL Wii). Muzer 13:37, 4 April 2008 (PDT)

Huh, well I guess that's useful for when you don't have the will to wait several months for the game. And some eBay fool in a region where it is out may decide that they don't want theirs anymore, then sell it for $5.00. Then you save $45.00, and a few months. Bletotum

Can it still run on all the Latest Wii Firmware?

I'm just checking before I make the mistake of downloading the latest firmware for my Wii and it ends up being blocked.

Yes. The kernel itself actually blocks it, but this change will NOT come into effect until they also release a menu update to utilise the fix. So it is safe to upgrade. See IOS37.
Just use Gecko Region Free instead? 130.237.152.216 01:56, 23 April 2008 (PDT)

Fooling DI

I think the same exploit as the GC freeloader might be in use here. If you're unfamiliar, both GC and Wii discs have 6 marks in the BCA to make them not work with DVD readers, and identify them as NODs. Datel was able to bypass the GC check by simply putting null bytes where the marks would null stuff out, since the drive didn't have any form of verification for physical marks. MIOS doesn't seem to have ever implemented this, which would seem like something logical to do if the Wii had the hardware needed to check for physical marks. If this is the case, drivechips can be made redundant by NNODs (Not Nintendo Optical Disc). Hallowizer (talk) 05:41, 17 August 2021 (CEST)

I own this (and a bunch of other datel discs). To clarify a few things: the cuts are normally just outside of the BCA, but (at least from my understanding based on tmbinc's post) their position is indicated by data put in the BCA. Datel discs don't have the cuts outside the BCA, but instead they write data that reads as all zeros at a physical level in the place where the cuts should be (which is basically the same thing that hardware would see when reading the cuts based on what tmbinc says). Note that all zeros at a physical level doesn't correspond to all zeros at a data level due to various error-correction and scrambling aspects of DVD (you can't get more than ten zeros in a row if I'm understanding figure G.2 correctly).
The cuts are also in the lead-in area of the disc, which isn't exposed over DI to titles running on the GameCube/Wii, so MIOS can't check it. The check happens in the disc drive firmware itself, which is why drivechips modify the disc drive firmware and don't try to target MIOS.
Unfortunately, this attack isn't something that can be done by burning discs, because it's not possible to write a BCA using a standard burner (to my understanding). It should be possible to write to the lead-in area, and although software might be annoyed by writing something that's not actually legal, there's nothing that makes it impossible to create the fake marks in the lead-in area though.
As a side note, the "an unknown method to frustrate attempts to dump the disc using standard methods" thing actually applies to all Datel discs. They just have a large number of unreadable sectors; the only way to dump it is to ignore those sectors (either try to read them and ignore them if they error, or maintain a database of what sectors are supposed to be readable; CleanRip does both nowadays (though the database is incomplete and it works poorly for discs not in the database. And it also handles Wii FreeLoader poorly because of it detecting as a Wii disc.)) --Pokechu22 (talk) 22:41, 17 August 2021 (CEST)
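The two dumping strategies Pokechu22 describes (attempt every sector and zero-fill the ones that error, or consult a per-disc map of sectors known to be unreadable and never attempt those) look like this in code. This is an added example written for this page, not CleanRip's code and not anything from Datel; the drive is a constructed stand-in whose "bad" sector set is made up, and the sector size, retry count and zero-fill policy are assumptions.

```python
from typing import Iterable, List, Optional, Tuple

SECTOR_SIZE = 2048  # DVD data sector size (assumed for the constructed drive)


class ConstructedDrive:
    """Stand-in for a real disc drive, constructed for this example only.

    Every sector holds a fill byte derived from its index, and the sectors in
    `bad` fail on every read, like the deliberately unreadable sectors on
    Datel discs. `reads` counts how many read attempts the dumper issued.
    """

    def __init__(self, n_sectors: int, bad: Iterable[int]):
        self.n_sectors = n_sectors
        self.bad = set(bad)
        self.reads = 0

    def read_sector(self, n: int) -> bytes:
        self.reads += 1
        if not 0 <= n < self.n_sectors:
            raise IndexError(n)
        if n in self.bad:
            raise IOError(f"medium error at sector {n}")
        return bytes([(n + 1) & 0xFF]) * SECTOR_SIZE


def dump_tolerant(drive, n_sectors: int, retries: int = 1,
                  known_bad: Optional[Iterable[int]] = None) -> Tuple[bytes, List[int]]:
    """Dump `n_sectors` sectors, zero-filling any that cannot be read.

    Sectors listed in `known_bad` (a per-disc map, like the database CleanRip
    keeps) are never attempted, which avoids the slow error/retry cycle.
    Sectors not in the map are retried `retries` extra times before being
    recorded as bad. Returns the image and the sorted list of bad sectors.
    """
    skip = set(known_bad or ())
    image = bytearray()
    bad: List[int] = []
    for n in range(n_sectors):
        data = None
        if n not in skip:
            for _ in range(retries + 1):
                try:
                    data = drive.read_sector(n)
                    break
                except IOError:
                    continue
        if data is None:
            bad.append(n)
            data = bytes(SECTOR_SIZE)  # zero-fill so offsets stay correct
        image += data
    return bytes(image), bad


if __name__ == "__main__":
    drive = ConstructedDrive(16, bad={3, 9})
    image, bad = dump_tolerant(drive, 16, retries=1)
    print(f"first pass: {len(image)} bytes, bad sectors {bad}, {drive.reads} reads")
    drive = ConstructedDrive(16, bad={3, 9})
    image2, bad2 = dump_tolerant(drive, 16, retries=1, known_bad=bad)
    print(f"with map:   identical={image == image2}, {drive.reads} reads")
```

The first pass costs a retry cycle per bad sector and produces the map; feeding that map back in on a second pass reads only the good sectors. Either way the result is not a bit-exact copy of the disc, which is the point of the unreadable sectors: the image only records where the gaps are.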
So Wii freeloader is a GC disc? I always thought it was a Wii disc whose apploader patches the system menu, and the apploader runs without pressing start, since it uses the signing bug (which is what caused IOS37) Hallowizer (talk) 23:37, 17 August 2021 (CEST)
It's a GameCube-sized disc (I guess Datel only had machines set up to manufacture GameCube-sized discs, and it's not like they needed 4GB of space), but you are correct that it acts as a Wii disc whose apploader patches the system menu. Specifically it's the apploader of the update partition; there is no data partition. For reference, here's the first 0x40 bytes of the US Wii Freeloader disc (though these bytes exactly match the EU freeloader disc):
00000000  52 46 4c 50 35 44 00 00  00 00 00 00 00 00 00 00  |RFLP5D..........|
00000010  00 00 00 00 00 00 00 00  5d 1c 9e a3 00 00 00 00  |........].......|
00000020  46 52 45 45 4c 4f 41 44  45 52 00 00 00 00 00 00  |FREELOADER......|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
Observe that it has the Wii magic word of 0x5d1c9ea3 at offset 18, not the GameCube one of 0xC2339F3D at offset 1C (see Wii disc). (As a side effect, this causes the disc to spin at Wii speeds as far as I can tell. Most datel discs have data put further out from the center to make use of faster read times, but Freeloader has all of its data near the center, possibly because the higher speeds make data further out unreadable due to tolerances in manufacturing. This is just speculation though.) --Pokechu22 (talk) 03:49, 18 August 2021 (CEST)
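The header check Pokechu22 describes, as an added example for this page (not code from WiiBrew, CleanRip or Datel): a small parser for the fixed-layout fields at the start of a GameCube/Wii disc, run over the 0x40 bytes posted above. Field offsets follow the Wii disc page (game ID at 0x00, disc number/version at 0x06, Wii magic at 0x18, GameCube magic at 0x1C, title at 0x20). The GameCube-style header it is compared against is constructed here for contrast and is not a real disc.

```python
import struct

# Magic words from the Wii disc page: Wii at offset 0x18, GameCube at 0x1C.
WII_MAGIC = 0x5D1C9EA3
GC_MAGIC = 0xC2339F3D

# First 0x40 bytes of the Wii FreeLoader disc, transcribed from the hexdump
# posted above (bytes.fromhex ignores the spaces).
FREELOADER_HEADER = bytes.fromhex(
    "52 46 4c 50 35 44 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 5d 1c 9e a3 00 00 00 00"
    "46 52 45 45 4c 4f 41 44 45 52 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
)

# Constructed GameCube-style header for contrast (hypothetical ID and title,
# not a real disc): no Wii magic at 0x18, GameCube magic at 0x1C.
CONSTRUCTED_GC_HEADER = (
    b"GXXE01" + bytes(0x18 - 6)
    + struct.pack(">II", 0, GC_MAGIC)
    + b"EXAMPLE GAMECUBE TITLE".ljust(0x40, b"\0")
)


def parse_disc_header(hdr: bytes) -> dict:
    """Decode the fields at the start of a GameCube/Wii disc image.

    Game ID layout: disc type (1), game code (2), region (1), maker code (2).
    The title field is 0x40 bytes at 0x20; a 0x40-byte dump only shows the
    first half of it, which is enough for "FREELOADER".
    """
    if len(hdr) < 0x40:
        raise ValueError("need at least 0x40 bytes of disc header")
    disc_number, disc_version, audio_streaming, stream_buffer = hdr[6:10]
    wii_magic, gc_magic = struct.unpack(">II", hdr[0x18:0x20])
    title_raw = hdr[0x20:0x60].split(b"\0", 1)[0]
    return {
        "game_id": hdr[0:6].decode("ascii", errors="replace"),
        "disc_number": disc_number,
        "disc_version": disc_version,
        "audio_streaming": audio_streaming,
        "stream_buffer_size": stream_buffer,
        "wii_magic": wii_magic,
        "gc_magic": gc_magic,
        "title": title_raw.decode("ascii", errors="replace"),
    }


def disc_kind(hdr: bytes) -> str:
    """Classify by which magic word is present, as the console does."""
    h = parse_disc_header(hdr)
    is_wii = h["wii_magic"] == WII_MAGIC
    is_gc = h["gc_magic"] == GC_MAGIC
    if is_wii and not is_gc:
        return "wii"
    if is_gc and not is_wii:
        return "gamecube"
    if is_wii and is_gc:
        return "both-magics"  # malformed; not expected on a pressed disc
    return "unknown"


def describe(hdr: bytes) -> str:
    h = parse_disc_header(hdr)
    return (f'{h["game_id"]} "{h["title"]}" -> {disc_kind(hdr)} '
            f'(wii=0x{h["wii_magic"]:08x}, gc=0x{h["gc_magic"]:08x})')


if __name__ == "__main__":
    print(describe(FREELOADER_HEADER))
    print(describe(CONSTRUCTED_GC_HEADER))
```

Run against the posted bytes it reports `RFLP5D "FREELOADER" -> wii`, with the GameCube magic field all zeros; that is why a dumper that keys on the magic words treats this GameCube-sized disc as a Wii disc.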

NTSC discs were pressed, and the update program is "selectively" blocked

Regarding this edit, NTSC discs were actually pressed. I own both the NTSC-U and PAL discs, and apparently NTSC-J discs were also made (the site implies that the NTSC versions were for Europeans who imported NTSC consoles, though).

Datel also says that freeloader blocks the update program by default, but will "selectively" run it if the disc is inserted twice, which "may, in a number of cases, still cause unwanted effects". It's not clear exactly what they do, though (maybe it's something smart like only installing the IOS module used by the game, or maybe it's something much sillier and less stable). --Pokechu22 (talk) 20:22, 9 September 2021 (CEST)