toot.wales is one of the many independent Mastodon servers you can use to participate in the fediverse.
We are the Open Social network for Wales and the Welsh, at home and abroad! The independent social network for Wales, powered by Mastodon!


@marcan@treehouse.systems @sven @Rairii @foone Say what you will about the Wii's security, but at least BroadOn had figured out that OTP needs to be read-only by that point.

@Jhynjhiruu @marcan @sven @foone virage2 being r/w on the iQue Player lol

did anyone actually exploit that successfully?

@Rairii @marcan@treehouse.systems @sven @foone As of a couple of weeks ago, yes! ...though, we managed to brick two more consoles in the process, since the kernel code that normally writes v2 is broken.

@Jhynjhiruu @Rairii @marcan @foone wait, they had writable storage, pretended it was OTP, and stored their first-stage bootloader hash etc. there? lol


@sven @Rairii @marcan@treehouse.systems @foone Essentially, yeah, though it's actually the kernel hash since there are fewer boot stages. Seems they fully intended to make it read-only, and just *forgot* to add the code to do that.
The more useful thing to overwrite is the bootrom patches, rather than the kernel hash, since with those it's trivial to just disable the hash check entirely.

@Jhynjhiruu @sven @marcan @foone yeah, I was about to mention there's also a space there for code jumped to by the bootrom at about the tenth instruction after reset (after verifying the checksum)

@Rairii @sven @marcan@treehouse.systems @foone There are two sets of rompatch code that get run, one before the kernel hashing code is bootstrapped and one after. The code that runs after is more useful, since you can add a single instruction into the delay slot of the jr $t0 that the kernel checks and nop out the panic() call when the hash fails, so it falls through and boots normally.
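The two edits described in the thread, filling the empty delay slot of a `jr $t0` and turning a `jal panic` into a nop so a failed hash check falls through, come down to rewriting individual big-endian MIPS words in a code image. The following C is an added illustration written for this page, not code from any of the participants and not iQue code: the load address, the panic() address, the register choices and the eight-word sample image are all constructed assumptions, and the patcher refuses to touch a delay slot that is not already a nop, since whatever sits there executes before control reaches $t0.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* MIPS32 helpers for patching a boot-stage code image in place.
 * Illustration only: addresses, registers and the sample image below are
 * assumptions made for this example, not data from a real console. */

#define MIPS_NOP 0x00000000u
#define REG_T0   8u          /* $t0 */
#define REG_V0   2u          /* $v0 */
#define REG_RA   31u         /* $ra */

/* N64-class MIPS images are big-endian; read and write words accordingly. */
static uint32_t rd32be(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void wr32be(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* jr rs: SPECIAL opcode (0), rs in bits 25..21, funct 0x08. */
uint32_t enc_jr(unsigned rs) { return ((rs & 31u) << 21) | 0x08u; }

/* jal target: opcode 3, low 26 bits = word index within the 256 MiB region of pc+4. */
uint32_t enc_jal(uint32_t target) { return 0x0C000000u | ((target >> 2) & 0x03FFFFFFu); }

/* addiu rt, rs, imm: opcode 9. With imm 0 it is a harmless delay-slot filler. */
uint32_t enc_addiu(unsigned rt, unsigned rs, uint16_t imm) {
    return 0x24000000u | ((rs & 31u) << 21) | ((rt & 31u) << 16) | imm;
}

/* Does insn located at pc encode `jal target`? The destination takes its top
 * 4 bits from the delay-slot address (pc+4) and the rest from the 26-bit index. */
int is_jal_to(uint32_t insn, uint32_t pc, uint32_t target) {
    if ((insn >> 26) != 3u) return 0;
    uint32_t dest = ((pc + 4) & 0xF0000000u) | ((insn & 0x03FFFFFFu) << 2);
    return dest == target;
}

/* Put insn into the delay slot of the first `jr $t0` in code[]. The slot runs
 * before control arrives at $t0, so only an empty (nop) slot is safe to take;
 * anything else means the image is not the one we expected. Returns the byte
 * offset written, or -1. */
long patch_jr_t0_slot(uint8_t *code, size_t len, uint32_t insn) {
    for (size_t off = 0; off + 8 <= len; off += 4) {
        if (rd32be(code + off) != enc_jr(REG_T0)) continue;
        if (rd32be(code + off + 4) != MIPS_NOP) return -1;
        wr32be(code + off + 4, insn);
        return (long)(off + 4);
    }
    return -1;
}

/* Replace every `jal target` with nop so the failure path falls through.
 * The call's old delay slot still executes, which is fine: it ran before the
 * call anyway. base is the load address of code[0]. Returns calls removed. */
int nop_calls_to(uint8_t *code, size_t len, uint32_t base, uint32_t target) {
    int n = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        if (is_jal_to(rd32be(code + off), base + (uint32_t)off, target)) {
            wr32be(code + off, MIPS_NOP);
            n++;
        }
    }
    return n;
}

/* Constructed sample image (assumed addresses, not real boot code): a jump
 * through $t0 with an empty slot, then a compare that calls panic on mismatch. */
#define SAMPLE_BASE 0x9FC00000u
#define PANIC_ADDR  0x9FC00800u

int demo(void) {
    uint32_t words[] = {
        enc_jr(REG_T0),      MIPS_NOP,   /* jr $t0 ; nop                       */
        0x10400003u,         MIPS_NOP,   /* beq $v0,$zero,+3 ; nop  (hash OK)  */
        enc_jal(PANIC_ADDR), MIPS_NOP,   /* jal panic ; nop         (mismatch) */
        enc_jr(REG_RA),      MIPS_NOP,   /* jr $ra ; nop                       */
    };
    uint8_t code[sizeof words];
    for (size_t i = 0; i < sizeof words / 4; i++) wr32be(code + 4 * i, words[i]);

    long slot   = patch_jr_t0_slot(code, sizeof code, enc_addiu(REG_T0, REG_T0, 0));
    int removed = nop_calls_to(code, sizeof code, SAMPLE_BASE, PANIC_ADDR);

    /* Success: the slot at offset 4 was filled and the single jal panic is gone. */
    return slot == 4 && removed == 1 && rd32be(code + 16) == MIPS_NOP;
}

int main(void) {
    printf("patched ok: %d\n", demo());
    return 0;
}
```

The jal check resolves the target from the instruction's own address rather than matching raw bytes, because the same 26-bit index means a different destination in each 256 MiB region; a byte-pattern search would silently hit unrelated calls in an image loaded elsewhere.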