More actions
No edit summary |
No edit summary |
||
Line 25: | Line 25: | ||
By using PatchMii, the process of downloading and patching IOS becomes much more efficient and streamlined, saving users time and effort. | By using PatchMii, the process of downloading and patching IOS becomes much more efficient and streamlined, saving users time and effort. | ||
== PatchMii-core will do the following things:== | |||
# Download the ticket and TMD for IOS37 from the Nintendo Update Server. | |||
# Decode the title key using the built-in key-management functions of IOS, eliminating the need for a common key. | |||
# Download all encrypted contents from NUS, verified against the hashes in the TMD. | |||
# Decrypt each content, display versioning tags inside the binaries. | |||
# Patch out the signature check, accommodating all versions of IOS. | |||
# Re-encrypt the contents, recompute the hashes if necessary, and modify the TMD. | |||
# Change the title ID in the TMD and ticket to IOS5. | |||
# Fakesign the TMD and ticket. | |||
# Install the patched IOS37 as IOS5. | |||
This configuration ensures a seamless process of downloading, patching, and installing IOS, making it easier and more efficient for users. | |||
===The output of this process looks like this:=== | |||
<pre> | |||
IOS Version: 00240412 | |||
Downloading IOS37 metadata: . ..tmd. ..ticket..Title ID: 0000000100000025 | |||
Number of parts: 15. Total size: 1868K | |||
Downloading contents: | |||
Downloading part 1/15 (0K): hash OK. Firmware version: firmware.64.0802290707 Builder: admin@FWPUBLISH | |||
Downloading part 2/15 (33536K): hash OK. DIP ( 06/08/07 18:17:09 64M ) | |||
Downloading part 3/15 (26112K): hash OK. OH0 ( 07/12/07 14:30:33 64M ) | |||
Downloading part 4/15 (15104K): hash OK. OH1 ( 06/08/07 18:17:21 64M ) | |||
Downloading part 5/15 (10752K): hash OK. SDI ( 02/22/08 17:57:15 64M ) | |||
Downloading part 6/15 (171776K): hash OK. SO ( 06/28/07 02:37:15 64M Release/apricot-win/HEAD ) | |||
Downloading part 7/15 (360448K): hash OK. KD ( 08/30/07 04:58:02 64M Release/apricot-win/SDK_FW_30_4_13_branch ) | |||
Downloading part 8/15 (62720K): hash OK. WD ( 12/12/07 16:13:56 64M Release/apricot-win/SDK_FW_30_4_13_branch ) | |||
Downloading part 9/15 (447488K): hash OK. WL ( 12/12/07 16:14:06 64M Ver.4.30.47.0/Release ) | |||
Downloading part 10/15 (42496K): hash OK. NCD ( 06/28/07 02:37:17 64M Release/apricot-win/HEAD ) | |||
Downloading part 11/15 (30464K): hash OK. ETH ( 08/09/07 18:09:02 64M Release/apricot-win/SDK_FW_30_4_13_branch ) | |||
Downloading part 12/15 (18944K): hash OK. STM ( 06/28/07 02:37:18 64M Release/apricot-win/HEAD ) | |||
Downloading part 13/15 (9216K): hash OK. USB_HID ( 2008-01-30-15-59 64M ) | |||
Downloading part 14/15 (520960K): hash OK. SSL ( 02/27/08 19:26:09 64M Release/builder/HEAD ) | |||
Downloading part 15/15 (162048K): hash OK. FFS ( 02/22/08 17:56:15 64M ) | |||
ES ( 02/23/08 13:25:41 64M ) | |||
IOSP ( 02/23/08 13:29:22 64M ) | |||
Found new-school ES hash check @ 0x5aea, patching. | |||
Updating TMD. | |||
Changing titleid from 00000001-00000025 to 00000001-00000005 | |||
forging tmd sig | |||
forging tik sig | |||
Download complete. Installing: | |||
Installing ticket... | |||
Adding title... | |||
Adding content ID 00000000 (cfd 0): done! (0x40 bytes) | |||
Adding content ID 00000001 (cfd 1): done! (0x8350 bytes) | |||
Adding content ID 00000002 (cfd 1): done! (0x6630 bytes) | |||
Adding content ID 00000003 (cfd 1): done! (0x3c00 bytes) | |||
Adding content ID 00000004 (cfd 1): done! (0x2a30 bytes) | |||
Adding content ID 00000005 (cfd 1): done! (0x29f80 bytes) | |||
Adding content ID 00000006 (cfd 1): done! (0x58010 bytes) | |||
Adding content ID 00000007 (cfd 1): done! (0xf520 bytes) | |||
Adding content ID 00000008 (cfd 1): done! (0x6d4f0 bytes) | |||
Adding content ID 00000009 (cfd 1): done! (0xa650 bytes) | |||
Adding content ID 0000000a (cfd 1): done! (0x7780 bytes) | |||
Adding content ID 0000000b (cfd 1): done! (0x4aa0 bytes) | |||
Adding content ID 0000000c (cfd 1): done! (0x2490 bytes) | |||
Adding content ID 0000000d (cfd 1): done! (0x7f330 bytes) | |||
Adding content ID 0000000e (cfd 1): done! (0x27910 bytes) | |||
Done! | |||
</pre> | |||
==Screenshot== | ==Screenshot== |
Revision as of 05:44, 4 February 2023
PatchMii | |
---|---|
File:Patchmiiwii.PNG | |
General | |
Author | bushing |
Type | Utilities |
Version | 0.1 |
License | GPL-2.0 |
Last Updated | 2008/08/12 |
Links | |
Download | |
Website | |
Source | |
PatchMii is a software tool designed to make the process of patching IOS more automated and convenient. It is equipped with a framework for working with IOS, as well as a specific piece of code for downloading and patching IOS37. The software patches the IOS and installs the updated version in the IOS254 slot (IOS5 on older versions).
The two patches made by PatchMii include the signature patch and the DI patch. The signature patch modifies the IOS signature checking function to return 0 instead of 7 when the hash comparison fails. This is done by changing the instruction "mov r0, #0x7" to "mov r0, #0x0". The code checks for either 0x23a2 (found in vulnerable IOSes) or 0x4b0b (found in fixed IOSes).
The DI patch, also known as the drive chip patch, changes the length of the DVDLowUnencryptedRead 00000000 region to allow unencrypted discs to be read. The length is changed from 00014000 to FFFFFFFF. The software matches the entire region whitelist but only modifies the first region.
By using PatchMii, the process of downloading and patching IOS becomes much more efficient and streamlined, saving users time and effort.
PatchMii-core will do the following things:
- Download the ticket and TMD for IOS37 from the Nintendo Update Server.
- Decode the title key using the built-in key-management functions of IOS, eliminating the need for a common key.
- Download all encrypted contents from NUS, verified against the hashes in the TMD.
- Decrypt each content, display versioning tags inside the binaries.
- Patch out the signature check, accommodating all versions of IOS.
- Re-encrypt the contents, recompute the hashes if necessary, and modify the TMD.
- Change the title ID in the TMD and ticket to IOS5.
- Fakesign the TMD and ticket.
- Install the patched IOS37 as IOS5.
This configuration ensures a seamless process of downloading, patching, and installing IOS, making it easier and more efficient for users.
The output of this process looks like this:
IOS Version: 00240412 Downloading IOS37 metadata: . ..tmd. ..ticket..Title ID: 0000000100000025 Number of parts: 15. Total size: 1868K Downloading contents: Downloading part 1/15 (0K): hash OK. Firmware version: firmware.64.0802290707 Builder: admin@FWPUBLISH Downloading part 2/15 (33536K): hash OK. DIP ( 06/08/07 18:17:09 64M ) Downloading part 3/15 (26112K): hash OK. OH0 ( 07/12/07 14:30:33 64M ) Downloading part 4/15 (15104K): hash OK. OH1 ( 06/08/07 18:17:21 64M ) Downloading part 5/15 (10752K): hash OK. SDI ( 02/22/08 17:57:15 64M ) Downloading part 6/15 (171776K): hash OK. SO ( 06/28/07 02:37:15 64M Release/apricot-win/HEAD ) Downloading part 7/15 (360448K): hash OK. KD ( 08/30/07 04:58:02 64M Release/apricot-win/SDK_FW_30_4_13_branch ) Downloading part 8/15 (62720K): hash OK. WD ( 12/12/07 16:13:56 64M Release/apricot-win/SDK_FW_30_4_13_branch ) Downloading part 9/15 (447488K): hash OK. WL ( 12/12/07 16:14:06 64M Ver.4.30.47.0/Release ) Downloading part 10/15 (42496K): hash OK. NCD ( 06/28/07 02:37:17 64M Release/apricot-win/HEAD ) Downloading part 11/15 (30464K): hash OK. ETH ( 08/09/07 18:09:02 64M Release/apricot-win/SDK_FW_30_4_13_branch ) Downloading part 12/15 (18944K): hash OK. STM ( 06/28/07 02:37:18 64M Release/apricot-win/HEAD ) Downloading part 13/15 (9216K): hash OK. USB_HID ( 2008-01-30-15-59 64M ) Downloading part 14/15 (520960K): hash OK. SSL ( 02/27/08 19:26:09 64M Release/builder/HEAD ) Downloading part 15/15 (162048K): hash OK. FFS ( 02/22/08 17:56:15 64M ) ES ( 02/23/08 13:25:41 64M ) IOSP ( 02/23/08 13:29:22 64M ) Found new-school ES hash check @ 0x5aea, patching. Updating TMD. Changing titleid from 00000001-00000025 to 00000001-00000005 forging tmd sig forging tik sig Download complete. Installing: Installing ticket... Adding title... Adding content ID 00000000 (cfd 0): done! (0x40 bytes) Adding content ID 00000001 (cfd 1): done! (0x8350 bytes) Adding content ID 00000002 (cfd 1): done! (0x6630 bytes) Adding content ID 00000003 (cfd 1): done! (0x3c00 bytes) Adding content ID 00000004 (cfd 1): done! (0x2a30 bytes) Adding content ID 00000005 (cfd 1): done! (0x29f80 bytes) Adding content ID 00000006 (cfd 1): done! (0x58010 bytes) Adding content ID 00000007 (cfd 1): done! (0xf520 bytes) Adding content ID 00000008 (cfd 1): done! (0x6d4f0 bytes) Adding content ID 00000009 (cfd 1): done! (0xa650 bytes) Adding content ID 0000000a (cfd 1): done! (0x7780 bytes) Adding content ID 0000000b (cfd 1): done! (0x4aa0 bytes) Adding content ID 0000000c (cfd 1): done! (0x2490 bytes) Adding content ID 0000000d (cfd 1): done! (0x7f330 bytes) Adding content ID 0000000e (cfd 1): done! (0x27910 bytes) Done!
Screenshot
External Links
- Official Site - https://hackmii.com/2008/07/patchmii/
- Google Source - https://code.google.com/archive/p/patchmii-core/
- WiiBrew - https://wiibrew.org/wiki/PatchMii