Derniers tests et previews
TEST Final Fantasy VII Rebirth : une version Switch 2 qui pique les yeux ou pas ?
TEST Psyvariar 3, le retour d’un shoot’em up qui préfère le risque au confort
TEST 007 First Light : James Bond revient secouer le jeu d’action-infiltration
TEST The Amusement, la VR avance à pas feutrés dans un parc hanté par les souvenirs
Dernières actualités
Summer Game Fest Live 2026 : suivez cette grosse conférence de juin ce vendredi soir, plusieurs projets déjà attendus
Tomo: Endless Blue, quand Pokemon rencontre Minecraft… et plus encore
CONTROL Resonant : un nouvel aperçu totalement surréaliste pour dévoiler sa date de sortie et ses éditions
Granblue Fantasy: Relink - Endless Ragnarok lance ses précommandes, agrandit son roster et s'attaque au Monde dans sa 2e bande-annonce (MAJ 05/06)
patch hack
tu as poster sur un autre forum et il t on déjà dit d installer bootmii
pourquoi croit tu qu il t on indiquer d installer bootmii pas pour le fun en tous cas
que ca soit le hack, installé un cios ou mettre linux sur ta wii tu sera obliger de la modifier ta nand ( memoire de la wii) et c estce genre de manipulation qui peut provoquer un brique
sache aussi ce que tu as installer a modifier ta nand
pour l installation d un cios
- dowgrade de l ios 15
- patch (trucha bug) de l ios 36 qui te permettra ensuite d installer le cios 249 pour pouvoir lancer backup via l usb
et oui tu n as pas que toucher a ta SD tu as bien modifier ta WII plus que tu ne le crois
d’où l intérêt de bootmii et du priiloader
car en cas de brick ça peut te servir pour réinjecter ta nand (backup de la memoire de ta wii)
et encore le mieux c est d'avoir bootmii en boot 2
car sache que si ta wii est recente du risque d avoir bootmii en ios que si l ios ou est installer bootmii est corompu ben tu pourra te servir de ta wii comme cale livre en cas de brique
Donc un conseil que ca soit sur Wiigen ou un autre forum on est pas la pour te dire des ******* mais plutot de prendre tes précaution
car tu n est peut etre pas comme tous le monde
mais quand tu auras briquer ta wii et et ben la tu pleura comme tous le monde
ce que je te souhaite pas comme même
Si tout les faits sont avérer la guerre va repartir de plus belle avec sony,il y aura un accès au psn et j'espère bien qu'il ne durera pas, ça ne fait pas bon ménage avec cfw.
Je voudrais savoir si SciiFii v5 permet de mettre à jour le hack de ma wii.
Peut-il rajouter les fichiers manquants et remplacer les fichiers anciens.
Peut-il corriger les bugs (écran noir avec : Le fichier système est corrompu)en sortant d'un jeu pour revenir au menu de la wii.
En gros peut-il régler les problèmes pour rendre la wii compatible avec les derniers jeux (Projet ZERO 4 patch fr ne marche pas avec USB Loader GX dernière version)
Beaucoup de questions mais j'ai déjà utilisé SciiFii v4 et ça n'a rien changé (si, une chose, wiifit plus ne se lançait plus).
Merci a tous.
Wii en 4.3E
Comme je te l'ai déjà dit:
Fait un Hack Simple avec SciiFii pour avoir l'IOS251
Fait un Hack Simple Herme ( via mon MOD pour mettre les cIOS 222. 223 )
Sinon:
Peut tu nous dire d'ou vienne c'est cIOS ou comment tu les a installer..
A Roukxwel
pour que USBloader fonctionne avec le port n1 , il faut qu'il soit sur la base du cIOS222 et les cIOS d'hermes v5.1 installer.
Pour repondre au membre, déjà tes cIOS on été installer je ne sais comment car ta du herme v4 et v5.1 et les cIOS de SciiFii mais le 251 en D2x! et les autres sans patch..
Je te conseil de faire un UnHack pour remettre tes IOS d'aplomb puis de refaire un Hack simple avec loader ( pour le loader-GX la derniere est v2.2 Rev1099 ), les cIOS d'Herme v5.1 et ainsi les remplacés les cIOS de SciiFii par ceux D2x si tu le souhaite.
Tout est dispo via SciiFii MOD MAtt R004a disponible dans ma signature
**********************************
* The Xbox 360 reset glitch hack *
**********************************
Introduction / some important facts
===================================
tmbinc said it himself, software based
approaches of running unsigned code on
the 360 mostly don' t work, it was designed
to be secure from a software point of view.
The processor starts running code from
ROM (1bl ) , which then starts loading a RSA
signed and RC4 crypted piece of code from
NAND (CB) .
CB then initialises the processor security
engine, its task will be to do real time
encryption and hash check of physical
DRAM memory. From what we found, it' s
using AES128 for crypto and strong
(Toeplitz ?) hashing. The crypto is different
each boot because it is seeded at least
from:
- A hash of the entire fuseset.
- The timebase counter value.
- A truly random value that comes from the
hardware random number generator the
processor embeds. on fats, that RNG could
be electronically deactivated, but there's a
check for "apparent randomness" (merely a
count of 1 bits) in CB, it just waits for a
seemingly proper random number.
CB can then run some kind of simple
bytecode based software engine whose
task will mainly be to initialise DRAM, CB
can then load the next bootloader (CD)
from NAND into it, and run it.
Basically, CD will load a base kernel from
NAND, patch it and run it.
That kernel contains a small privileged
piece of code (hypervisor) , when the
console runs, this is the only code that
would have enough rights to run unsigned
code.
In kernel versions 4532/4548 , a critical flaw
in it appeared, and all known 360 hacks
needed to run one of those kernels and
exploit that flaw to run unsigned code.
On current 360s, CD contains a hash of
those 2 kernels and will stop the boot
process if you try to load them.
The hypervisor is a relatively small piece of
code to check for flaws and apparently no
newer ones has any flaws that could allow
running unsigned code.
On the other hand, tmbinc said the 360
wasn't designed to withstand certain
hardware attacks such as the timing attack
and "glitching ".
Glitching here is basically the process of
triggering processor bugs by electronical
means.
This is the way we used to be able to run
unsigned code.
The reset glitch in a few words
===============================
We found that by sending a tiny reset pulse
to the processor while it is slowed down
does not reset it but instead changes the
way the code runs , it seems it' s very
efficient at making bootloaders memcmp
functions always return "no differences" .
memcmp is often used to check the next
bootloader SHA hash against a stored one,
allowing it to run if they are the same. So
we can put a bootloader that would fail
hash check in NAND, glitch the previous
one and that bootloader will run, allowing
almost any code to run.
Details for the fat hack
========================
On fats, the bootloader we glitch is CB, so
we can run the CD we want.
cjak found that by asserting the
CPU_PLL _BYPASS signal, the CPU clock is
slowed down a lot, there' s a test point on
the motherboard that' s a fraction of CPU
speed, it' s 200Mhz when the dash runs,
66.6 Mhz when the console boots, and
520Khz when that signal is asserted.
So it goes like that:
- We assert CPU_PLL _BYPASS around POST
code 36 (hex).
- We wait for POST 39 start (POST 39 is the
memcmp between stored hash and image
hash), and start a counter.
- When that counter has reached a precise
value (it' s often around 62% of entire POST
39 length), we send a 100ns pulse on
CPU_RESET .
- We wait some time and then we deassert
CPU_PLL _BYPASS .
- The cpu speed goes back to normal, and
with a bit of luck, instead of getting POST
error AD, the boot process continues and
CB runs our custom CD.
The NAND contains a zero- paired CB, our
payload in a custom CD, and a modified
SMC image.
A glitch being unreliable by nature, we use
a modified SMC image that reboots
infinitely (ie stock images reboot 5 times
and then go RROD) until the console has
booted properly.
In most cases, the glitch succeeds in less
than 30 seconds from power on that way.
Details for the slim hack
=========================
The bootloader we glitch is CB_A , so we
can run the CB_B we want.
On slims, we weren't able to find a
motherboard track for CPU_PLL _BYPASS .
Our first idea was to remove the 27Mhz
master 360 crystal and generate our own
clock instead but it was a difficult
modification and it didn' t yield good
results.
We then looked for other ways to slow the
CPU clock down and found that the HANA
chip had configurable PLL registers for the
100Mhz clock that feeds CPU and GPU
differential pairs.
Apparently those registers are written by
the SMC through an I2C bus.
I2C bus can be freely accessed, it' s even
available on a header (J2C 3).
So the HANA chip will now become our
weapon of choice to slow the CPU down
(sorry tmbinc, you can 't always be right, it
isn' t boring and it does sit on an
interesting bus
So it goes like that:
- We send an i2c command to the HANA to
slow down the CPU at POST code D 8 .
- We wait for POST DA start (POST DA is the
memcmp between stored hash and image
hash), and start a counter.
- When that counter has reached a precise
value, we send a 20ns pulse on CPU_RESET .
- We wait some time and then we send an
i2c command to the HANA to restore
regular CPU clock.
- The cpu speed goes back to normal, and
with a bit of luck, instead of getting POST
error F2, the boot process continues and
CB_A runs our custom CB_B .
When CB_B starts, DRAM isn' t initialised so
we chose to only apply a few patches to it
so that it can run any CD, the patches are:
- Always activate zero-paired mode, so that
we can use a modified SMC image.
- Don't decrypt CD, instead expect a
plaintext CD in NAND.
- Don't stop the boot process if CD hash
isn' t good.
CB_B is RC4 crypted, the key comes from
the CPU key, so how do we patch CB_B
without knowing the CPU key?
RC4 is basically:
crypted = plaintext xor pseudo- random-
keystream
So if we know plaintext and crypted, we
can get the keystream, and with the
keystream, we can encrypt our own code. It
goes like that:
guessed-pseudo -random-keystream =
crypted xor plaintext
new-crypted = guessed-pseudo -random-
keystream xor plaintext-patch
You could think there's a chicken and egg
problem, how did we get plaintext in the
first place?
Easy: we had plaintext CBs from fat
consoles, and we thought the first few
bytes of code would be the same as the
new CB_ B, so we could encrypt a tiny piece
of code to dump the CPU key and decrypt
CB_B !
The NAND contains CB_A , a patched CB_B ,
our payload in a custom plaintext CD, and
a modified SMC image.
The SMC image is modified to have infinite
reboot, and to prevent it from periodically
sending I2C commands while we send
ours.
Now, maybe you haven' t realised yet, but
CB_A contains no checks on revocation
fuses, so it' s an unpatchable hack !
Caveats
=======
Nothing is ever perfect, so there are a few
caveats to that hack:
- Even in the glitch we found is pretty
reliable (25 % success rate per try on
average), it can take up to a few minutes to
boot to unsigned code.
- That success rate seems to depend on
something like the hash of the modified
bootloader we want to run (CD for fats and
CB_B for slims).
- It requires precise and fast hardware to
be able to send the reset pulse.
Our current implementation
==========================
We used a Xilinx CoolRunner II CPLD
(xc2 c64a) board, because it' s fast, precise,
updatable, cheap and can work with 2
different voltage levels at the same time.
We use the 48Mhz standby clock from the
360 for the glitch counter. For the slim
hack, the counter even runs at 96Mhz
(incremented on rising and falling edges of
clock)
The cpld code is written in VHDL.
We need it to be aware of the current POST
code, our first implementations used the
whole 8 bits POST port for this, but we are
now able to detect the changes of only 1
POST bit, making wiring easier.
Conclusion
==========
We tried not to include any MS copyrighted
code in the released hack tools.
The purpose of this hack is to run Xell and
other free software , I (GliGli) did NOT do it
to promote piracy or anything related, I
just want to be able to do whatever I want
with the hardware I bought, including
running my own native code on it.
Credits
=======
GliGli, Tiros: Reverse engineering and hack
development.
cOz: Reverse engineering, beta testing.
Razkar, tuxuser: beta testing.
cjak, Redline99 , SeventhSon, tmbinc,
anyone I forgot... : Prior reverse
engineering and/or hacking work on the
360.
Crunch
J'ai jamais vu ça je ne site pas les pseudo ici parcque je pense que on a pas le droit mais c'est quoi cette espece de hack qui est sortie sur ps3 ou vous pouvez faire tout est n'importe quoi dans les parti en ligne. Mais lol cette aprém j'ai fait une parti le mec (en prime un francais honte a lui) 328 kill 0 fois mort mais............ loooooooooollll
Merci et bonne soirée a vous et bon jeu mais pas sur ce jeu la...
100% MEMORY PATCH PREPARATION DONE
20% DOWNLOADING BASE IOS.NETWORK UNVALIABLE AND WAD FILES NISSING PLEASE REFER TO THE READNE.
20% DOWNLOADING BASE IOS.NETWORK UNVALIABLE AND WAD FILES NISSING PLEASE REFER TO THE READNE.
5% DOWNLOADING PRIILOADER
EXCEPTION: ERROR GETTING FILES